The choice between browser security and privacy…

Enhanced Protected Mode of Internet Explorer 10 is a defense-in-depth feature that helps prevent attackers from installing software or modifying system settings if they manage to run exploit code. It’s an extra layer of protection that locks down parts of your system that your browser ordinarily doesn’t need to use. Enhanced Protected Mode also disables plugins, which the end user can re-enable temporarily on a site-by-site basis. And this is the point where it interferes with privacy plugins…

Neither DoNotTrackMe from Abine nor Ghostery is compatible with the IE10 64-bit version when Enhanced Protected Mode is enabled. While the installation of these plugins proceeds without warning, the first time IE starts after installing DoNotTrackMe, it pops up this message:

DoNotTrackMe warning!

More of the same for Ghostery:

Ghostery warning!

The download page for Ghostery provides some information about the incompatibility with IE10 running on 64-bit OS:

64-bit MS OS

IE10 64-bit mode with Enhanced Protected Mode active disables these plugins, and rightfully so, given the security risk that administrative account-level access poses to the system. Disabling Enhanced Protected Mode is an option, at the expense of security.

IE10 32-bit mode with Enhanced Protected Mode active does not disable these plugins; however, this may provide an easy attack vector for hackers to exploit the system through the “built-in” administrative access.

Seemingly, these IE plugins did not keep up with OS and browser advancements; they are pretty much stuck in the 32-bit software world. As such, if your system runs 64-bit Windows with IE10, you have a choice to make. Would you prefer security over privacy, or privacy over security?

Tough call…

Browser activity tracking…

Browser activity tracking has been in existence since, well, we have had browsers. The first tracking method was based on browser cookies, which provided limited local storage of 4,096 bytes, or 4K. For tracking and marketing purposes the storage provided by the cookie has not been sufficient, and Local Shared Objects (LSO), or Flash cookies, made their way to the end user’s PC. This method required Flash to be installed on the PC, and end users had/have some control over the Flash cookies. These cookie types were tied to the individual site in question; in other words, there was no collection of tracking information from all websites into a central repository.

Centralizing browser tracking information was made possible by JavaScript and third-party services, such as Google Analytics (GA). Initially, Google’s “free” service was intended for webmasters and provided detailed website statistics for the sites that opted in to this service. In the process, Google amassed a central repository of browser activity tracking information that proved valuable for advertising purposes, and as such the information is being sold to marketing companies. The “free” GA is still available and most webmasters do use this service, which provides continuous updates to Google’s central repository. Google actually derives 90-95% of its income from selling advertisers the collected information. There are a number of other companies that rely on the same method for generating their income and collect browser tracking information without the end user’s consent.

Running hidden scripts on the end user’s system and collecting information about the end user is, at the very least, a privacy risk. The information collected may include sensitive private details: location, interests, age, sexual orientation, sexual habits, relationship status, religion, political views, health concerns, employment status, and more. Increasingly, the collected online information, or end user profile, is being correlated with offline information for a better success rate of the advertising campaign.

The profile based on Internet activities certainly can provide some benefits for end users and will trigger behavior-based ads showing up in the browser or email. If you’re looking for the item being advertised, you may even find this great, or just cannot resist the sale price. The problem isn’t buying products on the web, rather the profile in itself. That profile may be used by big corporations and health insurance companies to make decisions about you that can literally affect your life and livelihood. You may not get the job where the interview went great, or your health insurance application may be denied because of your “established” profile. This profile has a life of its own, and the individual in the profile cannot change it easily, or at all.

The security risk isn’t that clear, but consider this. Hackers use the same iframe method to install malware on your computer. How it works is rather simple. The hackers gain control of a website and insert an iframe, a.k.a. a web beacon or one-pixel white image, into the site’s HTML code. The web beacon points to the malicious script; the browser downloads this script when the user visits the site and executes it in the background on the unsuspecting end user’s PC. This is much like how the tracking scripts work, which could also be used for malicious purposes. In a certain view, tracking scripts collecting private information about the unsuspecting end user are already malicious enough…

Disabling iframes will prevent tracking; however, the Internet browsing experience will suffer greatly. So, what can you do to prevent companies from tracking your Internet activities?

The Do Not Track (DNT) HTTP header standard will not prevent advertisers from collecting information about you, as posted earlier. The proposed DNT standard is heavily influenced by advertisers and as such protects their interests and does not care much about the end user’s privacy.

The tracking companies have a standardized method for calling and executing their scripts, hidden from the end users. The method is basically an HTTP link that includes the website’s identification number. For example, Google’s JavaScript is referenced as:

try {
  var pageTracker = _gat._getTracker("XX-0000000-0"); // * site ID placeholder
  pageTracker._trackPageview();
} catch(err) {}

* Actual site ID number is removed and the full script is not shown

For people who do not want to have their Internet activities tracked, there are free browser add-ons that block known tracking company scripts from being executed. While it is a possibility that these add-ons track browser activities themselves, they nonetheless block about 1,400 known tracking companies from collecting browser activity information.

Abine DNT+

Do Not Track Plus is a corporation-supported, closed-source browser add-on that blocks tracking companies from collecting end users’ information. DNT+ should not be mistaken for the proposed DNT standard; while the naming can be confusing, they have no relation whatsoever. DNT+ actually blocks tracking and is end-user controlled, whereas DNT is voluntary at the current time and does not provide end-user control. The interface displayed on the left is pretty straightforward. DNT+ can block social networking site tracking, advertisement company, and tracking company scripts. The configuration is pretty simple: under “Settings” just click on “Block all” and you’re done. DNT+ also displays the number of tracking scripts that have been blocked. And yes, the number of more than 13,000 is correct and was reached after about three months.

DNT+ is available from Abine free of charge and currently supports Firefox, Internet Explorer, Chrome, and Safari on Windows and Macs. DNT+ currently does not have a mobile device offering, but it’s in the works.

The automated installation package can be downloaded here

Ghostery is a community-supported, open-source browser add-on that is also available for free. It supports all major browsers for PCs and Macs.


The interface displayed on the right isn’t as “pretty”, but it is just as effective as DNT+, if not more so. The configuration is simple: just select “Block all” within the “Settings” pages and it will block all known tracking scripts.

Ghostery does not display the number of scripts that have been blocked. This might be beneficial for end users, since this number can also be used for tracking purposes. One benefit of Ghostery is the knowledge pages, which display a good deal of interesting information about the tracking company. Among other information, the knowledge page displays the type of information collected, retention and sharing policy, privacy policy link, the number of websites using the tracking company, etc.

Ghostery installation source can be downloaded from here

The images display the number of tracking companies being blocked when a single web page is visited. Why are there so many companies tracking a single page?

The answer lies in how the web page in question was created. Most web pages nowadays utilize “iframes” to insert content from other websites without actually writing the content. When this other content is inserted in the visited page, it loads its tracking companies’ scripts as well. In other words, when a single page is visited, there might be 10-15 other pages visited too, and the same number of blocked tracking scripts shows up in these browser add-ons.

It is up to you whether you want to block these tracking scripts. Tracking companies certainly already have your profile; however, a stale profile is not valuable to marketing companies. As such, stale profiles are removed from their central repositories, even if not actually deleted.

Warning: Neither of the browser add-ons will block hackers’ scripts; they only block known ad, social networking, and tracking companies’ scripts.

Collusion for Firefox…

Collusion for Firefox is a browser add-on that, to quote:

“Collusion is an experimental add-on for Firefox that allows you to see which sites are using third-party cookies to track your movements across the Web. It shows, in real time, how that data creates a spider-web of interaction between companies and other trackers.”

Firefox plugin

Currently the add-on is somewhat informative and displays a visual presentation of tracking sites; see the image on the left.

The final version of Collusion will add capabilities for blocking cookies for any node in the graph. It is somewhat interesting to see the companies tracking your Internet activities, and how your activities might be shared between these companies.

The better option is to collectively block tracking altogether with other add-ons, such as DNT+, Ghostery, NoScript, etc. DNT+ supports most browsers, except Opera, and Ghostery supports all browsers. The NoScript add-on is available for Firefox only.

If tracking of your Internet activity is a concern of yours, you do not need to wait for the final version of Collusion. Other add-ons are available now and do a good job of blocking the tracking of your Internet activities.

W3C DNT Draft..

Do Not Track, or DNT, is a W3C proposed HTTP header field standard that requests that the web server, well, not monitor end-user Internet activity. The DNT header field standard defines three values:

    1. Value not set: Default setting for browser installation, HTTP DNT header not sent, tracking allowed.
    2. Value set to zero (0): End user explicitly opts in, HTTP DNT header not sent, tracking allowed.
    3. Value set to one (1): End user explicitly opts out, HTTP DNT header sent, tracking disabled.

In practice, the web server reads the DNT header value, if present, and enables/disables tracking of the individual accessing the website. The DNT standard has not been finalized, and honoring the DNT setting is voluntary at the time of writing. As such, users are not guaranteed privacy, since advertisers are not legally required to comply with the DNT request and many don’t. Even compliance with the DNT standard does not guarantee privacy for the end user; websites will be allowed to track visitors for “research purposes”, regardless of the DNT setting, after the standard has been finalized.

The draft W3C DNT standard is in line with US privacy laws, where an “explicit opt-out” is required for individuals to protect their privacy. The privacy laws in Europe point to “explicit opt-in”, which contradicts the proposed DNT standard. Quote from the W3C DNT standard draft:

An ordinary user agent MUST NOT send a Tracking Preference signal without a user’s explicit consent.

The draft seemingly complies with both the US and European requirements; however, that is certainly not the case. If the user agent is not configured, which is the default state of a browser installation, tracking is enabled. The explicit opt-in setting is the same as the default installation: no HTTP DNT header is sent and tracking is enabled.

Most of the people accessing the Internet do not know about the privacy risk posed by tracking their activity on the web. For that matter, most of them don’t even know that advertisers are tracking them. Those people will not “bother” changing the browsers’ default settings either, due to their limited knowledge of the browsers’ settings.

Ignorance is bliss, and loved by marketing alliances, such as the DAA and DMA. These alliances and other businesses have pushed the W3C to “water down” the standard to the point where the finalized DNT standard retains the status quo. That’s good news for US online advertising, estimated at 40 billion dollars per year.

Connecticut Security Breach Law Update…

On June 15, 2012, Connecticut Governor Dan Malloy signed Connecticut House Bill 6001; it includes amendments to the Connecticut General Statute §36a-701b, a.k.a. Security Breach Law.

The most significant amendment to the Security Breach Law adds a requirement to report breaches to the Connecticut Attorney General, in addition to notifying Connecticut residents of the data breach. The updated statute becomes effective on October 1, 2012, and the Attorney General can be notified of the security breach via email, at the address stated in the Attorney General’s Press Release. Failure to notify the Office of the Attorney General could constitute a CUTPA violation.

The Connecticut Unfair Trade Practices Act, or CUTPA, is defined as, quote:

The Connecticut Unfair Trade Practices Act (CUTPA) allows the Commissioner of Consumer Protection to legally pursue persons or businesses who have used unfair or deceptive trade practices with consumers. It grants the court the discretion to award punitive damages, costs, and reasonable attorney’s fees, as well as other relief such as an injunction, which the court determines.

Businesses covered by the Connecticut breach notification law should ensure that they add Attorney General reporting to their breach response procedures.

Spear phishing in your “Inbox”…

Spear phishing is an e-mail spoofing fraud attempt that targets a specific organization or individual, seeking unauthorized access to confidential data. The information sought can be trade secrets in the case of an organization, personal bank account credentials for financial fraud, or a mix of the two.

In the “good old times”, it was relatively easy to spot spear phishing. Nowadays, you should know that you do not have a recently deceased, wealthy relative in Nigeria, nor do you have a package from FedEx/UPS that you didn’t order. The format and spelling errors in these types of emails made it easy to detect the fraud. Most antivirus software detects this type of antiquated fraud as well.

The sophistication of spear phishing has reached a level where identifying email-based fraud is pretty much becoming impossible. Antivirus software is mostly useless when it comes to this level of sophistication. Before you start arguing with me, tell me: is the email below fraud or real?

It is a spear phishing email, and you did know that, right :)? The question is, will you be able to identify it in your “Inbox” when you’ve just ordered some great SSD drive on sale at Newegg?

Newegg, PayPal, etc., will spell out your full name in emails addressed to you, instead of the generic “Dear Customer”. They will not place any links to your account in the body of the email. The other method of detecting a spear phishing attempt is to move your mouse pointer over one of the links without clicking on it. This is what you’ll see:

The link of “” makes it easy to spot the fraudulent email. Your email client displays this for you to determine if the link is legitimate. There is no software solution that is 100% accurate at detecting these links, and as such it is you who needs to make the decision of “to click, or not to click”. Failure to make the right decision may have dire consequences for your financial status.

The sophistication of this email fraud is quite evident once all of the links are checked:

The links framed in green point to “”. You can safely click on these links.

The links framed in red point to “”, where presumably the malicious code is waiting for your click to become active. Bad things can happen to your computer if you click on these links.
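The hover check described above, turned into a small script as an added example (not from the original post or from Newegg): it extracts every link from an HTML e-mail body and flags the ones that point at a bare IP address, whose visible text names a different host than the href does, or whose host is not the trusted merchant domain. example-merchant.com, the other hostnames and the sample message are constructed placeholders, since the real hosts were removed from the page.

```python
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Domain a legitimate message links to (constructed placeholder, not from the post).
TRUSTED_DOMAIN = "example-merchant.com"


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in the message."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Lowercase hostname of a URL ('' when the URL has none)."""
    return (urlsplit(url).hostname or "").lower()


def belongs_to(host, domain):
    """True when host is domain or a subdomain of it; a look-alike such as
    domain.attacker.example does not qualify."""
    return host == domain or host.endswith("." + domain)


def is_ip(host):
    """True when the link goes to a bare IP address instead of a hostname."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def judge(href, text):
    """Classify one link the way the hover check does:
    'ip-address', 'text-mismatch', 'untrusted-host' or 'ok'."""
    host = host_of(href)
    if is_ip(host):
        return "ip-address"  # Newegg's rule: an IP-address link is never legitimate
    # If the visible text itself looks like a URL, it must agree with the href.
    m = re.search(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", text.lower())
    if m:
        shown = m.group(1)[4:] if m.group(1).startswith("www.") else m.group(1)
        if not belongs_to(host, shown):
            return "text-mismatch"
    if not belongs_to(host, TRUSTED_DOMAIN):
        return "untrusted-host"
    return "ok"


def check_links(html):
    """Return [(href, visible text, verdict)] for every link in the HTML body."""
    p = LinkCollector()
    p.feed(html)
    return [(href, text, judge(href, text)) for href, text in p.links]


# Constructed sample in the style of the order-confirmation lure discussed above.
SAMPLE_MAIL = """
<a href="https://www.example-merchant.com/help">Help Center</a>
<a href="https://198.51.100.7/login">Sign in to your account</a>
<a href="http://example-merchant.com.account-verify.example/">www.example-merchant.com</a>
<a href="https://login.example-merchant.com.evil.example/">View order</a>
"""
```

Running check_links(SAMPLE_MAIL) returns the verdicts ok, ip-address, text-mismatch and untrusted-host for the four links in order; only the first would be safe to click.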

With this kind of sophistication, the success rate of spear phishing is bound to increase substantially. Learn from the description of this type of email fraud and follow Newegg’s advice, quote:

How do I identify Phishing or Spoofed E-mails?

How do I identify Phishing or Spoofed E-mails? Know that does not and will never ask you for the following information in an e-mail communication:

Your social security number or tax identification number
Your credit card number, PIN number, or credit card security code (including “updates” to any of the above)
Your mother’s maiden name
Your password
Your address, phone number or other personal information

Occasionally, if you place an order with incorrect information, you may receive an email from giving you the opportunity to correct your shipping/billing information. When this occurs you will have to log into the website to input this info. We will not provide you with a link on the e-mail notification to ensure you are responding to a valid communication from Newegg. Another method of identifying a phishing or spoofed e-mail is to place your cursor on links or images without clicking. If the hyperlink is an IP address or other than, DO NOT CLICK the link. Go to directly and logon. Never submit the information mentioned above directly through an email.

Well said Newegg…

Disclaimer: The email evaluated here has been picked randomly from forwarded emails and did not originate from Newegg as presented in the fraudulent emails. Newegg is a great online merchant with excellent reputation; this post has no intent to undermine their reputation.

Digital identity, gone…

In one form or another, we all use cloud-based identity, where we rely on the cloud service provider to keep our identity and data secure. Some of the cloud service providers are obvious (like iCloud from Apple), while others (such as Amazon, Google, and Microsoft) are not as obvious. In both cases, these services may offer you email accounts, storage for pictures and documents, and sometimes even online backup of your systems for free and/or at minimal cost to you. Chances are that you have a number of accounts for these cloud-based services (such as Amazon, Apple, Gmail, etc.) that represent your digital identity on the Internet.

Most of your accounts are “daisy chained” together, and hackers getting into one could give them access to and control of all of your accounts. Once hackers gain access to your digital identity, it can be exploited for financial gain, to ruin your reputation, or just to erase your digital identity. None of these outcomes is desirable for you, but the threat of this happening is very real.

Certainly, using the same weak password for these cloud-based services makes it easy to steal your digital identity; however, even different and strong passwords do not secure your digital identity. The simple reason for this lack of security is the authentication systems the cloud service providers use for resetting your password. These authentication systems rely on your email and billing address, phone number, the last four digits of your credit card number on file, Social Security number, etc. The problem is that these are identifiers and not authenticators. Some of that information is publicly available on the web, such as email, physical addresses and phone numbers. The last four digits of a credit card may be insignificant for one service provider, while others use them as an authenticator. For example, Amazon treats the last four digits of your credit card number as insignificant, while Apple uses the same number as proof of identity. It should also be noted that the last four digits of your credit card number commonly appear on the numerous receipts that most people collect in a day and simply discard.

Hackers do not need to guess your password or obtain it by other means; they simply exploit the different authentication systems of the service providers to gain control of your online identity. It recently happened to a tech writer and Wired employee, Mat Honan. Just as the cloud accounts are daisy chained, the hackers used this daisy chain to gain access to Mat’s digital identity by:

  1. Collecting the name of the target, an associated e-mail address, and the billing address for Amazon;
  2. Calling Amazon customer service with this information and adding a new credit card number to the account;
  3. Calling Amazon customer service back and telling them that they no longer have access to the email address on file;
  4. With the name, billing address, and the new credit card number from step two, Amazon changes the email address on file to the “new” email address given to them;
  5. Requesting a password reset online for the Amazon account, which is sent to the email specified in step four;
  6. Logging in to the Amazon account and viewing the last four digits of the credit card numbers on file;
  7. Calling AppleCare and requesting a password reset for the “” email account;
  8. AppleCare requires the name, address, and the last four digits of the credit card number from step six, and resets the password over the phone;
  9. Using the web-based Gmail password reset that is sent to the “” email address;
  10. Accessing any other cloud services, such as Twitter, that rely on the Google identity;
  11. Once done with the stolen digital identity, erasing the digital identity: deleting the Amazon/Google accounts and using “Find My iPhone, iPad, MacBook” to remotely erase these devices.

While most people believe that their data is secure with cloud-based services, that is not the case, as the current event underlines. Erasing the digital ID of an individual has consequences; however, erasing the digital ID of a business would be catastrophic for the business. And that could happen to businesses that use “free” cloud services, such as WordPress hosting your business website while your business email address ends with “”, “”, “”, etc. When it does, your business disappears from the web and your customers cannot reach you by email. If you use an iPhone for your business, and possibly Android and Windows-based smartphones as well, your customers will not be able to reach you by phone either.

The cloud service providers will certainly make changes to their authentication systems to disable the “daisy chain” type of hacking of digital identity. That will force hackers to change their method of stealing digital identities which, in return, will trigger additional changes in the authentication systems. Regardless of how the authentication systems are changed, it is the owner of the digital identity who needs to protect it, especially in the case of businesses.

In addition to backing up business data “offline”, the business should ensure that it does not use:

  1. Free email services, such as Gmail, Hotmail, AOL, etc., to conduct business;
  2. Free web hosting services for web presence;
  3. Same credit card number for all cloud service providers;
  4. “Find my device and erase it” type of services

Most businesses already have a domain name, such as “”. If yours doesn’t have one, create one. Have your domain hosted by a web hosting service that provides email services, and use the “” email address to conduct business. The additional benefit is that a business email address of “” looks more professional to potential customers than “”. Free services are certainly beneficial for the bottom line of the business; however, a stolen digital identity is one of the prices that the business may have to pay in the near future. Due to technological advances, domains hosted by web hosting services are no longer prohibitively expensive, even for small businesses.

You should not wait to secure your business until it is too late. You need to do it now, with the information that we currently have, and constantly update your technological security plan as the online environment evolves.

WordPress security…

WordPress has become the most widely used blogging software, running about 10% of all websites on the Internet. Its popularity has been fueled by the easy installation and management of WordPress-based sites. That’s the good news…

The bad news is that the majority of people using WordPress don’t change the default administrator account (“Admin”) and database prefix (“wp_”) at the time they install WordPress. Why is that bad news? Well, hackers’ automated scripts/bots use the default values to insert content and links into your site using SQL injection. Simply changing the default administrator account and database prefix at installation time will prevent most, if not all, automated scripts/bots from changing your site content.

If you didn’t change the default values, like most WordPress users, you can change them without much impact on your “live” site. Prior to making any changes to the default values, do back up your WordPress database, and pay attention to the syntax of the various commands that you’ll execute.

Let’s change the default administrator account of “Admin” first:

  1. Login to your blog as “Admin” and create a new user account “Newadmin”, a name of your choice, and assign the role of Administrator
  2. Logout as “Admin” and login with your new administrator account
  3. Delete the first administrator account, named “Admin”

While you could use the suggested new user account name of “Newadmin”, change it to a name you’d like to use.

Changing the database prefix is easier; just use the:

Better WordPress Security plugin

Among other nifty security checks and configuration changes, this plugin can back up the database, change the database prefix, and modify the wp-config.php file to reflect the “newprefix”; do change “newprefix” to a word you’d want to use.

Unfortunately, WebsiteDefender does not replace the database prefix of “wp_” inside the options and usermeta tables. You can verify this by running the SQL queries:

SELECT *
FROM %newprefix%_options
WHERE option_name LIKE '%wp\_%';   -- '\_' is a literal underscore; unescaped, '_' matches any single character

SELECT *
FROM %newprefix%_usermeta
WHERE meta_key LIKE '%wp\_%';

You can use the phpMyAdmin GUI to change the database prefix inside the “%newprefix%_options” and “%newprefix%_usermeta” tables; there are about 20-30 entries that need to be renamed. Alternatively, run some more SQL queries.

If you don’t feel comfortable running SQL queries, have someone do it for you. Depending on the version of MySQL you have, the syntax below may require modifications. The %newprefix% in the script below indicates the prefix name changed in the previous step.

Replace the “wp_” prefix inside the “%newprefix%_options” table:

UPDATE %newprefix%_options
SET option_name = REPLACE(option_name, 'wp_', '%newprefix%_')
WHERE option_name LIKE 'wp\_%';   -- only rows whose name starts with the old prefix

And finally, replace the “wp_” prefix inside the “%newprefix%_usermeta” table:

UPDATE %newprefix%_usermeta
SET meta_key = REPLACE(meta_key, 'wp_', '%newprefix%_')
WHERE meta_key LIKE 'wp\_%';

Will changing the WordPress default values make your blog hacker-proof? Well, not really; you’ve just made your blog more immune to hackers’ automated scripts/bots. Jokes are good for explaining things:

Joe and Tom go camping and set up their tent in the woods. Late at night, they hear some worrisome noise in the forest and see a grizzly coming toward them. Joe panics, while Tom calmly puts on his sneakers.
Joe looks at him and says, “What are you doing? You are not going to outrun the bear!”
Tom replies, “I don’t have to, I just need to outrun you…”

When you replace the default WordPress values, you’ve just put on your sneakers…