
Remember the last time you posted a picture on Facebook and it automatically suggested tagging other people in the photo? Nothing unusual. You’ve tagged these people before, right? You’ve trained the machine-learning face-recognition model. And now Facebook can spot where they are in your picture.


Now, even if you refuse to tag anyone, this doesn’t mean Facebook never stores this information somewhere, like “person A is potentially present in picture B”. Actually, I’m almost 100% sure they do store it. Hell, I would if I were them.

I bet you already see where I’m going with this.

Now imagine you take a selfie in a crowded place, like an airport or a train station. There are people walking in the background. Hundreds of them. Some of them facing the camera. Guess what: Facebook’s AI has just spotted them.

Even if you’re extremely cautious, even if you never post anything on Facebook, even if you keep “location services” disabled on your phone at all times, Facebook still knows where you are. You can’t stop other people from taking selfies in an airport.

Now all these Jason Bourne movies don’t look so ridiculous any more, do they? All the stupid scenes with people in a control room shouting “OK, we need to find this guy, quick, oh, there he is, Berlin Hauptbahnhof arrival hall just 20 minutes ago, send the asset!” or something like that.

“DeepFace”

This is not just me being paranoid. Various sources indicate that

Facebook uses a program it calls DeepFace to match other photos of a person. Alphabet Inc.’s cloud-based Google Photos service uses similar technology.

The accuracy is astonishing


According to the company’s research, DeepFace recognizes faces with an accuracy rate of 97.35 percent compared with 97.5 percent for humans — including mothers

Face recognition has been finding its way into surveillance systems and law-enforcement databases for a while now.

We could soon have security cameras in stores that identify people as they shop (source)

Even being in “readonly” mode doesn’t help

Every time you simply check Facebook without actually posting anything, the app generates a post draft for you. Ever seen this? If you have a link or a picture in your clipboard, it even offers to attach it to your post. And of course, it has your location.

How can you be sure it does not send that data to the servers?

Actually, I’m pretty sure it does, since the app generates that “preview image” of the link stored in your clipboard (you know, that nicely formatted headline with the cover image).

There’s even more. Some evidence suggests that Facebook collects your keystrokes before you actually hit the “Post” button! If you then choose to backspace everything you’ve typed — too late…

Facebook has about 600 terabytes of data coming in on a daily basis (source, 2014).

If I were the NSA, I would definitely approach Facebook for this data.

UPDATE: a little privacy tip: use Facebook in mobile Safari with an ad blocker and delete the native iOS app. It helps a lot, spares you tons of ads and third-party cookie tracking, and does wonders for the battery. I’m sure there’s a similar solution for Android.

On a desktop, use an extension like Disconnect to block third-party cookie tracking.

Author : Alex Yumashev

Source : https://medium.com/@jitbit/facebook-is-terrifying-8dc4a016b64b#.w0mdkcfp1

Categorized in Social

Would it be upsetting to learn that the public’s personal information — including age, birth month, family members, addresses and phone numbers — is accessible online for free?

FamilyTreeNow.com, a genealogy website that started in 2014, caused quite a stir on social media recently after Anna Brittain, of Birmingham, Alabama, found out about the site and tweeted instructions on how to remove one’s personal information.

By the end of the day, Brittain’s Twitter post on FamilyTreeNow had thousands of retweets.

“The site listed my 3- and 5-year-olds as ‘possible associates,’” Brittain told The Washington Post.


Because of so much traffic to the site, FamilyTreeNow’s profile-removal widget crashed, which pushed many people to file manual requests through the website’s contact link.

FamilyTreeNow is just one “people-search” site in an elaborate network of online services that compile, store and sell personal data. Much like the popular Ancestry.com service, it lets users search for people by entering a first and last name followed by a state the person has been associated with.

The service begins collecting information as soon as a user views or interacts with the site, creates a new account, or voluntarily interacts with third-party services available through the site, according to FamilyTreeNow’s website.

Furthermore, the website collects information through Internet cookies and other technologies, which are used to acquire and store IP addresses, device identifiers, browser types, operating systems, mobile carriers and Internet service providers.

One former Pocatello resident who still has ties to the area, Kari Shaw, caught on to the craze via Facebook and said she expected it to be like every other genealogy website.

“But then I looked myself up on it and it had more info than I thought it would,” said Shaw, who now lives in Utah. “More info than I have ever seen on other genealogy websites, and I was scared anybody in the world could find out information on me and my family.”

The service does allow users to opt out by finding a small link buried in their privacy statement. After one more search of the name in question, users click the matching record and a red link appears that reads “Opt Out This Record.”

If completed successfully, a message appears indicating that the request is being processed and to allow up to 48 hours for completion.

According to its website, FamilyTreeNow wants to “create the best free genealogy site in the world. We want it to be super easy to use for new users yet powerful for experienced genealogists.”

It’s unclear whether opting-out removes individuals’ information from the website’s records entirely or simply conceals information from public searches. Though it might offer some peace of mind, that action alone won’t even put a dent into people’s online digital footprint.

A plethora of similar sites collect, save and disseminate personal information, including Spokeo, Whitepages.com and InstantCheckmate.

Most of these sites are backed by sizeable, shadowy data brokers without publicly accessible search features, which track the personal data of millions of people, according to The Atlantic.

In 2014, during the course of writing her book “Dragnet Nation,” journalist Julia Angwin tried to remove her information from the databases of every data broker and people-search engine she could find.

She came across more than 200 brokers, and fewer than half of them provided opt-out options at all, with several requiring her to submit identification.

Shaw said that she was aware of sites similar to FamilyTreeNow, adding that any attempt to remove the information would be futile.

“Yes, I know there are others, but finding them all feels impossible,” she said. “Everything is on the Internet now. Erasing all your info from the Internet would be very hard with all the social media and everything else out there.”

Bannock County Sheriff Lorin Nielsen said his wife has used genealogy websites in the past, but the information available there is usually more than 100 years old, so you’re dealing with people who are deceased.

“That information makes me really concerned about the privacy issues of any citizen,” Nielsen said about the services offered by FamilyTreeNow. “An organized crime figure could potentially use this information to intimidate.”

He continued, “I know I would like to opt-out as would all of my officers and many other people would, too, because we do have a right to privacy.”

Few protections exist, however, that prevent publicly available information from being abused. A legion of potential threats could include a disgruntled employee searching for their former boss, a criminal seeking revenge on an arresting officer or a stalker trying to discover the whereabouts of their victim.

Idaho’s U.S. Marshal Brian Underwood said he is confident in how the Witness Protection Program, a division administered by the United States Department of Justice and operated by the United States Marshals Service, handles the identity of protected witnesses, adding that today’s information age is much different than when he was growing up.


“We do live in a time when everybody is pretty much an open book,” he said. “When I was in school, we didn’t even have cellphones. Now, high school kids can find out pretty much anything about anyone with the touch of a button.”

Though FamilyTreeNow includes a disclaimer in its terms of service that advises users they cannot use the information obtained “to transmit any commercial, advertising or promotional materials, harass, offend, threaten, embarrass, or invade the privacy of any individual or entity,” there’s little these sites can do to enforce these guidelines.

Danielle Citron, a law professor at the University of Maryland and the author of “Hate Crimes in Cyberspace,” told The Atlantic that this creates a “Wild West” where brokers and people-search engines aren’t regulated.

Ironically, Saturday is National Data Privacy Day, and in recognition of the event, the Idaho Falls Bank of Commerce is urging consumers and business owners to take an active role in protecting their data.

“Our first priority is to protect our customers’ money and financial data,” said Tom Romrell, CEO and president of The Bank of Commerce. “We use a combination of safeguards to protect our customers’ information, and we encourage our customers to partner with us in that effort.”

The Bank of Commerce suggests tips to help ensure the safety of people’s personal information.

No. 1: Create complicated passwords. This means avoiding birthdays, pet names and simple passwords like 12345. It is also important to change passwords at least three times a year.

No. 2: Keep tabs on your accounts. Check account activity and online statements often, instead of waiting for the monthly statement. You are the first line of defense because you know right away if a transaction is fraudulent.

No. 3: Stay alert online. Be sure computers and mobile devices are equipped with up-to-date anti-virus and malware protection. Never give out your personal financial information in response to an unsolicited email, no matter how official it may seem.

No. 4: Protect your mobile device. Use the passcode lock on your smartphone and other devices. This will make it more difficult for thieves to access your information if your device is lost or stolen.

Scott Long is a detective with the Pocatello Police Department who specializes in cellphone and electronic forensics. When it comes to cyber security, he also recommends the use of good passwords that are updated periodically.

“And be sure to check the Wi-Fi network you’re connected to, and I recommend not connecting to guest Wi-Fi accounts,” he said. “You should be on a network that requires a password, and be sure to install a good firewall if you’re browsing from home.”

While these measures offer protection from cyber security threats, nothing can completely erase public information floating in some dark corner of the Internet.

Author : Shelbie Harris

Source : http://idahostatejournal.com/members/threatening-privacy-genealogy-website-provides-free-info-online/article_9e5caae1-9b41-521b-b436-82c0072cce53.html

Categorized in Internet Privacy

Ever since the Snowden revelations, privacy-focused search engines, and privacy in general, have been booming on the Internet.

Search engines focused on privacy have seen a rise in daily searches. While they are still nowhere near as popular as Google Search or Bing, the two main search services in most parts of the world, they have shown that there is a market for these kinds of services.

Oscobo is a new privacy focused search engine that shares similarities with established players such as Startpage or DuckDuckGo.

The creators of the search engine promise that they don't track users, don't set cookies on users' computers, and don't profile users in any shape or form.

Oscobo review

The search engine's current address is https://oscobo.co.uk/, which highlights one of its current limitations: it is focused on users from the UK at the moment.

The site does not set cookies which you can verify by opening the Developer Tools of the web browser you are using and checking the resources of the site.
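The Developer Tools check above can be repeated from the command line and kept as a regression test: save a raw response (for example the output of `curl -si https://oscobo.co.uk/`) and inspect its Set-Cookie headers. The following is an added example written for this page, not code from Oscobo or from the article; the two responses at the bottom are constructed stand-ins, not captures from any real site.

```python
import io
from http.client import parse_headers
from http.cookies import SimpleCookie


def set_cookie_report(raw_response: bytes) -> list:
    """Parse the status line and header block of a raw HTTP/1.1 response and
    describe every cookie the server tries to set. The body is ignored; for the
    'does this site set cookies?' question only the headers matter."""
    head = raw_response.split(b"\r\n\r\n", 1)[0] + b"\r\n\r\n"
    _status_line, _, header_block = head.partition(b"\r\n")
    headers = parse_headers(io.BytesIO(header_block))
    report = []
    for value in headers.get_all("Set-Cookie", []):
        jar = SimpleCookie()
        jar.load(value)
        for name, morsel in jar.items():
            report.append({
                "name": name,
                # Max-Age/Expires make the cookie outlive the browser session,
                # which is what lets today's searches be tied to next month's.
                "persistent": bool(morsel["max-age"] or morsel["expires"]),
                "secure": bool(morsel["secure"]),
                "httponly": bool(morsel["httponly"]),
                "samesite": morsel["samesite"] or None,
            })
    return report


def sets_no_cookies(raw_response: bytes) -> bool:
    """True when the response carries no Set-Cookie header at all."""
    return not set_cookie_report(raw_response)


# Constructed responses for demonstration; not captured from oscobo.co.uk.
CLEAN_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html; charset=utf-8\r\n"
    b"Cache-Control: no-store\r\n"
    b"\r\n"
    b"<html>...</html>"
)
TRACKING_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html; charset=utf-8\r\n"
    b"Set-Cookie: uid=3f9a1c; Max-Age=31536000; Path=/; Secure; HttpOnly; SameSite=Lax\r\n"
    b"Set-Cookie: ab_test=B; Path=/\r\n"
    b"\r\n"
    b"<html>...</html>"
)

if __name__ == "__main__":
    print("clean response sets cookies:", not sets_no_cookies(CLEAN_RESPONSE))
    for cookie in set_cookie_report(TRACKING_RESPONSE):
        print(cookie)
```

A one-year `uid` cookie like the one in the constructed tracking response is exactly the kind of identifier a no-tracking claim rules out; a short-lived, session-only cookie for a UI preference would be a different matter.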


While that is the case, results include English pages from outside the UK as well. The results page looks like any other search engine's for the most part, but displays results from Twitter next to the organic results, which can be interesting as these are usually fresher (but may be more spammy).


The top bar lists options to switch from web search to videos, images or news, and you may find advertisements listed on the results page as well.

The only information used to pick which advertisement to display is the search term and the user's location (derived from the IP address), and neither is recorded by the search engine.

It is quite difficult to spot the ad, as it uses the same format as organic results. Only the small "ad" link underneath the description indicates an advertisement.


Like DuckDuckGo, Oscobo takes its search results from Bing/Yahoo. Licensing data from one or more of the big search engines appears to be the only financially viable option for privacy-focused search companies.

It will be interesting to see how Oscobo will fare when they enter non-English markets, as localized Bing results are usually not that good.

Users who like the search engine can make it the default search engine for their browser, add it to their browser, or install the extension. The options are displayed on the homepage, but only if the browser used is supported.

The extension seems to be available only for Chrome-based browsers right now.

Closing Words

Oscobo or DuckDuckGo? The two search engines are very similar in many regards: both use Bing to power their results, neither tracks or profiles users, and both rely on advertising for revenue.

If you look closer, you find distinguishing factors. DuckDuckGo concentrates on the US market, while Oscobo targets the UK (and, in the future, other European markets). DuckDuckGo certainly has the edge when it comes to features: its !bang syntax is excellent, for instance, and Oscobo has nothing like the zero-click information that DuckDuckGo may display on top of the results.

Author : Martin Brinkmann

Source : http://www.ghacks.net/2016/01/07/oscobo-a-new-privacy-focused-search-engine/

Categorized in Search Engine

An independent security researcher discovered a severe remote code execution vulnerability on Facebook's website that earned him a record $40,000 bug bounty, while another uncovered a privacy issue that reveals private phone numbers linked to Facebook users' accounts.

According to a blog post by Russia-based web application security researcher Andrey Leonov, the remote code execution flaw can be exploited using a bug in the image-processing software ImageMagick that was originally discovered in April 2016.

Although this vulnerability, dubbed ImageTragick, was patched shortly after its discovery, it was still affecting Facebook when Leonov reported the issue on Oct. 16. Facebook promptly patched the issue and rewarded Leonov with the substantial bounty, the largest the social media giant has ever paid.


The ImageTragick vulnerability, officially designated CVE-2016-3714, stems from insufficient filtering of the file names and URLs that ImageMagick passes to external "delegate" programs when converting certain formats. Because ImageMagick picks a decoder from the file's content rather than its extension, a text-based MVG or SVG file renamed to .jpg is still parsed as MVG or SVG, and a crafted url() reference inside it becomes a shell command injection that runs with the privileges of the converting process. In other words, an attacker can hide commands inside a seemingly benign image file and run them on the server that processes the upload.
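Two checks that close the gap described above, as an added example (not code from Facebook, ImageMagick or the article): a magic-byte check that refuses an upload whose bytes do not match the type it claims to be, and an audit of ImageMagick's `policy.xml` against the coder deny-list published with the ImageTragick disclosure. The sample upload and the two policy files are constructed for the demonstration; the policy samples omit the DOCTYPE header a real `policy.xml` carries, and the MVG sample follows the shape of the public proof of concept with a harmless `ls` in the injected position.

```python
import xml.etree.ElementTree as ET

# Signatures of the raster formats a typical upload endpoint should accept.
MAGIC = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpeg",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}

# ImageMagick's text-based formats; ImageTragick payloads were MVG/SVG/MSL files
# submitted under an innocent-looking extension.
TEXT_FORMAT_PREFIXES = (b"push graphic-context", b"<?xml", b"<svg", b"<image")

# Coders the ImageTragick disclosure recommended denying in policy.xml.
DANGEROUS_CODERS = {"EPHEMERAL", "URL", "HTTPS", "MVG", "MSL", "TEXT", "SHOW", "WIN", "PLT"}


def sniff_image_type(data: bytes):
    """Return 'png', 'jpeg' or 'gif' from the leading bytes, or None."""
    for signature, name in MAGIC.items():
        if data.startswith(signature):
            return name
    return None


def is_safe_upload(data: bytes, declared_ext: str) -> bool:
    """Accept only if the bytes carry the signature of the type the client declared.
    Runs before ImageMagick ever sees the file, so a '.jpg' that really starts with
    'push graphic-context' is rejected instead of being parsed as MVG."""
    declared = declared_ext.lower().lstrip(".")
    if declared == "jpg":
        declared = "jpeg"
    head = data.lstrip()[:64].lower()
    if head.startswith(tuple(p.lower() for p in TEXT_FORMAT_PREFIXES)):
        return False
    return sniff_image_type(data) == declared


def coders_denied_by_policy(policy_xml: str) -> set:
    """Collect the coder patterns a policy.xml sets to rights="none"."""
    root = ET.fromstring(policy_xml)
    return {
        p.get("pattern", "").upper()
        for p in root.iter("policy")
        if p.get("domain") == "coder" and p.get("rights") == "none"
    }


def missing_policy_entries(policy_xml: str) -> set:
    """Dangerous coders the given policy.xml still leaves enabled."""
    return DANGEROUS_CODERS - coders_denied_by_policy(policy_xml)


# --- constructed samples (not real uploads, not a real installation's policy) ---
PNG_SAMPLE = b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\rIHDR" + b"\x00" * 17
# An MVG file uploaded as "photo.jpg". In vulnerable versions the url() argument
# reached a delegate shell command without proper quoting.
MVG_SAMPLE = (
    b"push graphic-context\n"
    b"viewbox 0 0 640 480\n"
    b"fill 'url(https://example.com/image.jpg\"|ls \"-la)'\n"
    b"pop graphic-context\n"
)


def policy_with(patterns) -> str:
    entries = "".join(f'<policy domain="coder" rights="none" pattern="{p}" />' for p in patterns)
    return f"<policymap>{entries}</policymap>"


WEAK_POLICY = policy_with(["EPHEMERAL", "URL"])         # a partial fix
HARDENED_POLICY = policy_with(sorted(DANGEROUS_CODERS))  # the full deny-list

if __name__ == "__main__":
    print("png upload accepted:", is_safe_upload(PNG_SAMPLE, ".png"))
    print("mvg-as-jpg accepted:", is_safe_upload(MVG_SAMPLE, ".jpg"))
    print("weak policy still allows:", sorted(missing_policy_entries(WEAK_POLICY)))
    print("hardened policy still allows:", sorted(missing_policy_entries(HARDENED_POLICY)))
```

The magic-byte check is the cheap first line; the policy audit is what actually removes the delegate attack surface on the host, and the two are meant to be used together, since a policy fix protects every code path while the upload check only protects the ones you remembered to guard.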

“I am glad to be the one of those who broke the Facebook,” wrote Leonov in his blog post. Facebook confirmed that the researcher's account of his findings is accurate.

Meanwhile, news outlets are also reporting that Belgian security researcher Inti De Ceukelaire has found a privacy flaw in a Facebook search application, which adversaries could use to reveal the private numbers that users enter when registering with the social media platform.

According to an International Business Times report citing the Belgian media, De Ceukelaire claims his technique makes it possible within 30 to 45 minutes to determine the phone number linked to an individual Facebook account. However, the trick is only effective if the person comes from a country with a small population that employs telephone numbers of 12 digits or fewer.

De Ceukelaire told SC Media that the issue specifically resides in Facebook's Graph Search, a semantic search engine that responds to queries with written answers instead of links. Entering an arbitrary phone number into this engine reveals whose account that number belongs to, unless the account holder has adjusted their privacy settings to forbid such lookups by non-friends.

Under normal circumstances, such a query is relatively harmless because it is untargeted: you learn whose number you typed, not the number of a person you chose. However, De Ceukelaire said he can turn these queries into highly targeted searches against specific individuals by using the flaw he discovered to narrow down the list of possible phone numbers associated with any given Facebook user.

“It's actually three tricks combined,” De Ceukelaire said in an interview via Twitter. “First, I eliminate numbers to reduce the amount of possible numbers. Then I use a flaw to reduce the amount of numbers another time. And then I end up with a couple of possible numbers – let's say 10 numbers. Then I check them using the graph search.”

De Ceukelaire said that the technique allowed him to successfully look up specific politicians' and celebrities' phone numbers that were not displayed on their public Facebook pages.
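The last step of the technique, checking a short list of candidate numbers one by one against the lookup, is what a service can detect: a legitimate user looks up one number, a script walks a range. The following is an added example written for this page, not code from Facebook or from the article. The log format, the `lookup=phone` endpoint and the thresholds are assumptions made for the demonstration; the log lines are constructed, with addresses from the RFC 5737 documentation ranges.

```python
from collections import defaultdict, deque
from datetime import datetime, timezone

# Hypothetical log format for a phone-number-to-account lookup endpoint, one
# request per line. Facebook's real Graph Search logs are not public.
LOG_LINES = """\
2017-01-18T10:00:00Z client=203.0.113.5 lookup=phone q=+32470000001 hit=0
2017-01-18T10:00:05Z client=203.0.113.5 lookup=phone q=+32470000002 hit=0
2017-01-18T10:00:10Z client=203.0.113.5 lookup=phone q=+32470000003 hit=0
2017-01-18T10:00:12Z client=198.51.100.7 lookup=phone q=+32470009999 hit=1
2017-01-18T10:00:15Z client=203.0.113.5 lookup=phone q=+32470000004 hit=0
2017-01-18T10:00:20Z client=203.0.113.5 lookup=phone q=+32470000005 hit=0
2017-01-18T10:00:25Z client=203.0.113.5 lookup=phone q=+32470000006 hit=0
2017-01-18T10:00:30Z client=203.0.113.5 lookup=phone q=+32470000007 hit=1
2017-01-18T10:00:33Z client=198.51.100.7 lookup=phone q=+32470009999 hit=1
2017-01-18T10:00:35Z client=203.0.113.5 lookup=phone q=+32470000008 hit=0
2017-01-18T10:00:40Z client=198.51.100.7 lookup=name q=Jane+Doe hit=1
2017-01-18T10:10:00Z client=203.0.113.9 lookup=phone q=+32470001111 hit=0
2017-01-18T10:20:00Z client=203.0.113.9 lookup=phone q=+32470002222 hit=0
2017-01-18T10:30:00Z client=203.0.113.9 lookup=phone q=+32470003333 hit=0
"""


def parse_line(line: str):
    """'<iso-timestamp> key=value ...' -> (aware datetime, dict of fields)."""
    ts_text, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    ts = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, kv


def detect_enumeration(lines, window_seconds: int = 60, max_distinct: int = 5) -> dict:
    """Return {client: peak_distinct_numbers} for every client that looked up more
    than max_distinct *different* phone numbers inside any window_seconds window.
    Counting distinct numbers rather than requests means a person retrying one
    number is not flagged, while a script walking a candidate list is."""
    recent = defaultdict(deque)  # client -> (timestamp, number), arrival order
    flagged = {}
    for line in lines:
        if not line.strip():
            continue
        ts, kv = parse_line(line)
        if kv.get("lookup") != "phone":
            continue
        window = recent[kv["client"]]
        window.append((ts, kv["q"]))
        while (ts - window[0][0]).total_seconds() > window_seconds:
            window.popleft()
        distinct = len({number for _, number in window})
        if distinct > max_distinct:
            flagged[kv["client"]] = max(flagged.get(kv["client"], 0), distinct)
    return flagged


def numbers_resolved(lines, client: str) -> set:
    """Numbers a client successfully mapped to an account (hit=1): what an
    enumeration run actually yielded, for the incident write-up."""
    return {
        kv["q"]
        for _, kv in (parse_line(l) for l in lines if l.strip())
        if kv["client"] == client and kv.get("lookup") == "phone" and kv.get("hit") == "1"
    }


if __name__ == "__main__":
    lines = LOG_LINES.splitlines()
    for client, peak in detect_enumeration(lines).items():
        print(f"{client}: {peak} distinct numbers in one window; resolved {sorted(numbers_resolved(lines, client))}")
```

Detection is the second line here; the first is rate limiting the phone-to-account lookup per client and per target account, and the privacy setting the article mentions, which takes the account out of the lookup altogether.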


Author : Bradley Barth
Source : https://www.scmagazine.com/facebook-alerted-to-remote-code-execution-bug-search-engine-privacy-issue/article/632419


Categorized in News & Politics

One thing most people struggle with when it comes to the web is how to protect themselves from prying government eyes. No one likes being spied on, and the fact that it happens daily has put many people off surfing the web or being connected to the internet at all. Government officials, white-hat hackers and criminal hackers are all constantly monitoring what we do on the web. Whether it’s what we write, read or buy, there’s always a chance someone is watching when you’re connected. But what can you do about it? The first step is to keep reading.


First, to make sure that only the intended recipient can read your message, you need end-to-end encryption. The message travels as ciphertext and is only decrypted once it arrives at its destination. Both WhatsApp and Signal use end-to-end encryption and are free to download for Android and iOS. The only stipulation is that both sender and recipient must use the same app. So that’s calls and texts covered; now on to email. Two of the best services offering end-to-end encrypted email are Tutanota and ProtonMail. But bear in mind that if the people you email are not using such a service, those messages will not be end-to-end encrypted.

Being untraceable on the internet is not so easy. You can, however, install a free browser extension that blocks sites from tracking your visits. Two worth looking into are Privacy Badger and uBlock Origin. You can also use a VPN to encrypt the traffic you send, though that usually costs money. One recommended by many is Freedome by F-Secure: it works on mobile devices, is easy to use and costs only a few bucks a month. And if you don’t want anyone to see what you’ve been searching for, try DuckDuckGo or F-Secure Safe Search. The first is a search engine that doesn’t record search queries; the second provides a safety rating for each result, making it more child-friendly.


To add extra security to your social media, email and other online accounts, enable 2FA (two-factor authentication). Besides a username and password, logging in will then require one more piece of information, usually a code from an authenticator app or a PIN sent to your phone by SMS (prefer the app or a hardware key where the service offers one; SMS codes can be intercepted through SIM swapping). Facebook, Google and loads of other companies support 2FA, and it works on both Android and iOS. Lastly, don’t give out any unnecessary information to anyone. Also, whenever you sign up for new accounts, use a throwaway email address and a Google Voice number so that if the company is ever hacked, your personal details aren’t compromised.

Author : Andrew Thomas

Source : http://trendintech.com/2017/01/08/how-to-protect-your-digital-privacy/

Categorized in Internet Privacy

The United States government has started asking a select number of foreign travelers about their social media accounts.

The news came on Thursday via Politico and was confirmed to Mashable by a spokesperson for Customs and Border Protection (CBP) after the new procedure reportedly began earlier in the week. 

The process dovetails with what has been expected for months and has been slammed by privacy advocates.

Here's what we know about the basics of the program. 

Whose information is the agency collecting?

CBP is asking for social media info from anyone traveling to the U.S. under the Visa Waiver Program, which lets them travel around the country for up to 90 days for business or pleasure without a visa.

The social media request is a part of the Electronic System for Travel Authorization (ESTA) form, which travelers looking for a visa waiver have to fill out before they get to the U.S. The form is used to assess "law enforcement or security risk," according to the CBP's website. 

Travelers from 38 countries are eligible for a visa waiver, including those from the United Kingdom, Belgium, France and Hungary. 

What kind of information are they looking for?


The form reportedly asks for account names on prominent social networks such as Facebook, Twitter, YouTube, Instagram and LinkedIn, as well as networks many people don't think much about, such as Github and Google+.

Is it mandatory?

No one has to fill out their social media information to get into the country, and CBP has reportedly said it won't bar anyone from the U.S. just because that person didn't want to give their Twitter handle to the government.


That said, privacy advocates have decried the policy, since many travelers are likely to fill it out just in case. A number of groups including the ACLU signed an open letter in October warning of the forthcoming changes.

"Many of these travelers are likely to have business associates, family, and friends in the U.S., and many of them will communicate with their contacts in the U.S. over social media.

This data collection could therefore vacuum up a significant amount of data about Americans’ associations, beliefs, religious and political leanings, and more, chilling First Amendment freedoms."

Why do they want social media information?

The U.S. has long tried to spot radicals and radical sympathizers online, especially anyone affiliated with the Islamic State (ISIS). 

ISIS has long had a prolific and disparate social media presence, especially on Twitter, which they've used to spread messages and recruit those who might be hundreds or thousands of miles away from fighting in Syria and Iraq. 

Initially, government officials wanted ISIS sympathizers to keep tweeting, because agencies were able to gather bits of information from those tweets. Then, however, the government got tired of how many ISIS members and sympathizers there were on Twitter and other platforms, so they ramped up pressure on those social networks to shut down such accounts. 


For the government, this is the next step in working out which potential travelers to the U.S. have "connections" to ISIS. Of course, it's unclear what language the CBP would find alarming, and whether their alarm bells would be warranted. 

How long will they hold onto the information?

Assuming the social media information will be used just like the rest of the information on the ESTA form travelers have to fill out for a visa waiver, the Department of Homeland Security will keep it readily available for up to three years after it's been filled out. Then the information is "archived for 12 years," but still accessible to law enforcement and national security agencies.

Can they share the social media information with others?

Homeland security and the CBP can share your social accounts with "appropriate federal, state, local, tribal and foreign governmental agencies or multilateral governmental organizations responsible for investigating or prosecuting the violations of, or for enforcing or implementing, a statute, rule, regulation, order or license, or where DHS believes information would assist enforcement of civil or criminal laws," according to the CBP website. 

In other words, assuming the social media information is treated like all the other information collected from visa-waiver travelers, Homeland Security could potentially share it with any law enforcement agency on the planet. They just have to "believe" the information might be of use in addressing some type of legal violation.

So once you type out your Twitter handle and send in the application, that information is hardly yours. 


Author: COLIN DAILEDA
Source: http://mashable.com/2016/12/23/us-government-social-media-travelers/?utm_cid=mash-prod-nav-sub-st#mBjkEomtpmqO

Categorized in Internet Privacy

As we’ve become more and more reliant on devices and the internet in our day-to-day lives, more and more of our data has ended up on the web. Many of us also rely on the internet for work or play, and internet security is essential to that. Whether you’re worried about nefarious hackers, government spying or nosy advertisers, you can help protect your data by following a few easy steps and using a few different (and free) tools.

Here are the cybersecurity essentials — used by everyone from security experts to journalists — to get you started.

Ground Rules

If you’re worried about privacy and protecting your information, you can follow some simple rules to make sure you have a head start against any would-be spies.

First, use a strong password. The best kind of password doesn’t contain words or fragments, but rather a random assortment of letters, numbers and special characters. You can also use a password manager like LastPass, Password Safe or KeePass; 1Password is a popular option for iOS. Additionally, don’t use the same password across all of your accounts.

Next, make sure not to over-share information on social media. You really don’t need your phone number, email address or birth dates readily accessible to the public, do you?

Set up a Google alert for your name, so you can keep tabs on how your identity is being perceived or used without your consent. Don’t like advertisers gathering information about you? Use a non-tracking search engine like DuckDuckGo.

Lastly, try to enable two-factor authentication whenever you can. In that case, your accounts will have an extra layer of security even if your passwords become compromised.

Message Safer

There are many options when it comes to encrypted messaging services, but two of the best are WhatsApp and Signal.


WhatsApp is a popular messaging app, and it might be one that you already use. But what you might not know is that WhatsApp actually features end-to-end encryption: the messages you send are scrambled, ensuring that only you and the recipient have the key needed to read them.

Signal is another excellent choice, and is popular among journalists and security experts. Along with end-to-end encryption, it also features disappearing messages, meaning there will be no record of the conversation on either device after the messages expire.

Both apps use the same Signal Protocol for message encryption; Signal’s edge is that it is open source, keeps far less metadata, and never copies your messages into a cloud backup (WhatsApp chats backed up to iCloud or Google Drive are not end-to-end encrypted). But a messaging app is only useful if you use it, and you probably have more friends on WhatsApp.

Get a Secure Email Client

If you’re worried about various entities reading your email, you should look into ProtonMail. It’s a free, secure email service based in Switzerland, meaning it falls under Swiss rather than American privacy law: a U.S. subpoena has no direct force there, and requests have to go through Swiss legal channels. Forbes famously called it “the only email system NSA can’t access.”

Mail between ProtonMail users is end-to-end encrypted, and mail to outside addresses can be sent password-protected; ordinary mail to another provider, though, is only protected in transit. The service does not log your IP address by default. Besides the browser-based version, it also has Android and iOS apps so you can take your secure email on the go.

Some other options are Tutanota and KolabNow; both are built on open-source software. For something a bit more feature-packed, Berlin-based Posteo.de is held in very high regard among security experts. It doesn’t ask for any personal information when you sign up, it supports two-factor authentication, and it lets you pay anonymously. Unfortunately, it’s not free.

Download TOR

If you want to hide which sites you visit from your network and hide your IP address from those sites, there’s The Onion Router, also known as the TOR project.

TOR Browser is a lightweight program, available for Windows, Mac and Linux, that routes your browsing through a volunteer-run relay network. When you use TOR, your computer doesn’t connect to a site directly: the request passes through three relays spread across the world, and the site you’re accessing sees only the last relay’s IP address, never yours.

Of course, this doesn’t help if you log in to a site that knows who you are, like Facebook or any other account-based service. While your computer’s IP address stays hidden, TOR doesn’t hide the specific, possibly compromising activities that could give your identity away. And the last relay sees your traffic exactly as the site does, so stick to HTTPS sites: TOR hides where a connection comes from, not what is inside it.

Use a VPN

A VPN works by extending a private network over the public connections we use daily. Your traffic is encrypted between your device and the VPN provider’s server and only then released onto the internet. A user typically connects with a client application, logs in with dedicated credentials (much like logging in to email) and, once connected, is protected from eavesdropping on the local network, for example on café or hotel Wi-Fi. The VPN provider itself, however, sees everything you send, so you are trusting it instead of your ISP.

Any time you do something on the internet, you exchange data with another party. A VPN ensures that the data leaving your device is encrypted as far as the VPN server, out of reach of anyone sniffing the network in between.

Additional Considerations

Even when using a VPN, some of your DNS queries might still go straight to your ISP’s resolver, revealing which sites you visit and undermining your anonymity. To find such leaks, you can use DNSLeakTest.com. TOR Browser itself resolves names through the TOR network; the risk there is other applications pointed at the TOR proxy without their DNS routed through it.

Similarly, you can see just how much information your web browser gives away by going to BrowserLeaks.com or Panopticlick. You can then take additional steps to plug those leaks, like blocking third-party cookies and disabling site tracking.

Many apps on the iPhone use location services — while this can be great for remembering exactly where you took that iPhone picture, it also means that your data might have scarily specific locations attached to them. For example, the Exif data embedded into your bathroom selfie can potentially let attackers know exactly where you live. Paranoid? Just turn off location services for any or all apps via Settings > Privacy > Location Services.
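As an added example (not part of the original article, and not code from any tool it names), the following Python shows what the Exif location data described above looks like inside a JPEG: it parses the GPS IFD out of the APP1/Exif segment and writes a copy of the file with that segment removed. The sample JPEG, its coordinates and the helper names are all constructed here, so it runs offline with the standard library only.

```python
import struct

def build_sample_jpeg(lat, lat_ref, lon, lon_ref):
    """Constructed test input: SOI + one APP1/Exif segment holding only a GPS IFD + EOI.
    TIFF-relative layout: IFD0 at 8, GPS IFD at 26, latitude/longitude rationals at 80/104."""
    def dms_rational(deg):  # decimal degrees -> three RATIONALs: deg/1, min/1, (sec*100)/100
        d = int(deg); m = int((deg - d) * 60); s = round(((deg - d) * 60 - m) * 6000)
        return struct.pack(">6I", d, 1, m, 1, s, 100)
    tiff = b"MM\x00\x2a" + struct.pack(">I", 8)                        # big-endian TIFF header
    tiff += struct.pack(">H", 1) + struct.pack(">HHII", 0x8825, 4, 1, 26) + b"\0\0\0\0"  # IFD0: GPSInfo
    gps = struct.pack(">H", 4)
    gps += struct.pack(">HHI", 1, 2, 2) + lat_ref.encode() + b"\0\0\0"   # GPSLatitudeRef, inline ASCII
    gps += struct.pack(">HHII", 2, 5, 3, 80)                             # GPSLatitude -> offset 80
    gps += struct.pack(">HHI", 3, 2, 2) + lon_ref.encode() + b"\0\0\0"   # GPSLongitudeRef
    gps += struct.pack(">HHII", 4, 5, 3, 104)                            # GPSLongitude -> offset 104
    tiff += gps + b"\0\0\0\0" + dms_rational(lat) + dms_rational(lon)
    app1 = b"Exif\0\0" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"

def jpeg_segments(data):
    """Yield (marker, start, end, payload) for each marker segment before the first SOS/EOI."""
    if data[:2] != b"\xff\xd8": raise ValueError("not a JPEG")
    pos = 2
    while pos + 4 <= len(data) and data[pos] == 0xFF and data[pos + 1] not in (0xD9, 0xDA):
        seg_len = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        yield data[pos + 1], pos, pos + 2 + seg_len, data[pos + 4:pos + 2 + seg_len]
        pos += 2 + seg_len

def exif_gps(payload):
    """Decode the GPS IFD of an APP1/Exif payload into (lat, lon) decimal degrees, or None."""
    t, e = payload[6:], (">" if payload[6:8] == b"MM" else "<")   # TIFF block and its byte order
    u16 = lambda o: struct.unpack(e + "H", t[o:o + 2])[0]
    u32 = lambda o: struct.unpack(e + "I", t[o:o + 4])[0]
    def entries(ifd):  # (tag, type, count, offset of the 4-byte value field) per 12-byte entry
        return [(u16(x), u16(x + 2), u32(x + 4), x + 8) for x in range(ifd + 2, ifd + 2 + 12 * u16(ifd), 12)]
    gps_ifd = next((u32(v) for tag, _, _, v in entries(u32(4)) if tag == 0x8825), None)
    if gps_ifd is None: return None
    vals = {}
    for tag, typ, count, v in entries(gps_ifd):
        if typ == 2:                     # ASCII: "N"/"S"/"E"/"W" fits inline in the value field
            vals[tag] = t[v:v + count].rstrip(b"\0").decode()
        elif typ == 5:                   # RATIONAL: (numerator, denominator) pairs at an offset
            off = u32(v)
            nums = struct.unpack(e + "%dI" % (2 * count), t[off:off + 8 * count])
            vals[tag] = [nums[i] / nums[i + 1] for i in range(0, 2 * count, 2)]
    if not {1, 2, 3, 4}.issubset(vals):  # need both hemisphere refs and both coordinate triples
        return None
    to_deg = lambda dms, ref: (-1 if ref in ("S", "W") else 1) * (dms[0] + dms[1] / 60 + dms[2] / 3600)
    return to_deg(vals[2], vals[1]), to_deg(vals[4], vals[3])

def find_gps(jpeg):
    """Return the GPS fix embedded in the file's Exif, or None when there is none."""
    for marker, _, _, payload in jpeg_segments(jpeg):
        if marker == 0xE1 and payload.startswith(b"Exif\0\0"):
            return exif_gps(payload)
    return None

def strip_exif(jpeg):
    """Return a copy of the JPEG with every APP1/Exif segment (and so the GPS fix) removed."""
    out, tail = bytearray(jpeg[:2]), 2
    for marker, start, end, payload in jpeg_segments(jpeg):
        if not (marker == 0xE1 and payload.startswith(b"Exif\0\0")):
            out += jpeg[start:end]
        tail = end
    return bytes(out) + jpeg[tail:]
```

Running `find_gps` over a real photo from a phone with location services on returns the coordinates of where it was taken; `strip_exif` is the check you run on a copy before sharing it.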

Author:  Mike Peterson

Source:  https://www.idropnews.com/how-to/how-to-remain-private-or-anonymous-online/28441

Categorized in Internet Privacy

Do you still have a Yahoo Mail account? The tech company made its way onto the scene in 1994 and became a popular search engine and email service. However, it's had a very rough year.

First we learned of a massive data breach that could have impacted billions of users. Then we found out Yahoo was allegedly complying with a government security agency's request to spy on all incoming emails. Now, there is more troubling news coming out about the tech giant.

Security researcher Jouko Pynnonen recently discovered a severe security vulnerability with Yahoo Mail. The flaw would allow an attacker to access the victim's email account.

This was a cross-site scripting (XSS) flaw, similar to the one Pynnonen discovered around the same time last year.

Why this flaw is so alarming

What's terrifying about this is the victim wouldn't even need to click on a malicious link to be affected. You only had to view an email sent by the scammer for your Yahoo Mail account to be compromised.

Yahoo filters HTML messages, which is supposed to keep malicious code from making its way into a user's inbox. However, Pynnonen discovered a vulnerability that kept the filters from catching all malicious code. It had to do with different types of attachments that could be added to emails.

The good news is once Pynnonen reported the flaw, Yahoo fixed it. The tech giant also paid him $10,000 for discovering the vulnerability through its Bug Bounty Program.

Even though these flaws have been patched, it's been a rough stretch for Yahoo. If all of these problems worry you, you might want to close your Yahoo accounts. Here are instructions on how to do that:

How to close your Yahoo account:

  1. Go to the "Terminating your Yahoo account" page.
  2. Read the information under "Before continuing, please consider the following information."
  3. Confirm your password - if you forgot your password, you can recover it with the Yahoo Sign-in Helper.
  4. Click Terminate this Account.

Remember, if you do close your Yahoo account, you will not be able to use services associated with it. So if you decide to keep your account, at the very least make sure you have a strong password. Here are three proven formulas for creating hack-proof passwords.

You can also enable two-step verification, set up a Yahoo Account Key, or use a password manager. It's always better to be safe than sorry!

Author:  Mark Jones

Source:  http://www.komando.com/

Categorized in Internet Privacy

Two years ago, Google introduced the mobile-friendly label. Then we witnessed ‘mobilegeddon’, where Google began prioritizing these mobile sites. Now, they are cracking down on mobile sites offering a substandard user experience.

On January 10th 2017, any sites with intrusive interstitials may lose ranking juice. The key question then is, what counts as an intrusive interstitial? Essentially, it’s any extraneous content that appears over the majority of the page proper. Call them silly, but Google assumes visitors enjoy seeing the information they clicked for.

At this point you may well have further questions; fortunately, I am here to answer them. In this post, I will help you decide exactly what will and won’t count as an intrusive interstitial by Google. Let’s get straight to it!

What Is an Intrusive Interstitial?

Intrusive interstitials are essentially popup ads. They tend to block most or all of a page, leading to a bad user experience for desktop and mobile users alike.

Google’s own examples of intrusive interstitials.

These types of ads make it frustrating at best to access the page as intended. The general exception to the rule is when there are legally required (or ethically advised) notifications, such as popups for age verification.

The kicker is that while popups are moderately annoying on desktops, there is even less screen real estate to work with on mobile devices. In these cases, it can completely ruin the user experience. Here are a few examples of how this goes wrong:

  1. The interstitial covers most or all of the content on a page.
  2. The interstitial is not responsive. That means it is difficult or impossible to close it on a mobile, rendering the page useless for mobile users.
  3. The interstitial is not triggered by an action, such as “Click here to subscribe.” Rather, it pops up on its own without prompting, creating an unpleasant surprise for the mobile viewer.

As you can see, the issue is not only the annoyance of popups but their role in ruining the user experience. If you find an interstitial on your own site that you’re not sure of, we find it best to err on the side of a pleasing experience for the user.

Why Are Intrusive Interstitials Being Targeted?

Our first clue that Google was shifting from banning app interstitials to all interstitials was August 2015, when Gary Illyes confessed to the world that he’d love to use them as a negative ranking factor one day. Back then, he said, “But we don’t have anything to announce at the moment.”

By now, you already have a bit of insight into Google’s decision. For a better understanding of what exactly is under scrutiny as January 10th races towards us, we can look at the factors that play a role in the market.

As frustrating as users find popups, companies continue to use them because they are effective. In one recent study of 1,754,957,675 popups, there was an average 3.09% conversion rate, with high-performing popups performing on average at 9.28%.

However, mobile traffic is growing, and Google seems to be leaning into it hard. In 2015, Google reported that access via mobile was higher than desktop searches in ten countries. Meanwhile, it’s worth noting that 56% of traffic on major sites comes from mobile.

HubSpot’s Senior Product Marketing Manager, Marcus Andrews, recently gave us a friendly reminder that “Google is very focused on the user.” He notes, “Marketers are always looking for hacky ways to increase traffic and conversion rates, and every once in a while, Google needs to make a correction to improve the user experience.”

It’s no surprise then that Google is focusing its resources on mobile, rather than desktop. It’s where the majority of users are — that’s just good business. Between this and its Accelerated Mobile Pages (AMP) project, it’s fair to say Google wants webmasters to offer a seamless user experience for mobile users.

It’s important to note that Google is currently only looking at interstitials that show up when the user first lands on the website from a search result. This means the important part is ensuring that any traffic coming from Google isn’t served these interstitials until the user has clicked further into the site.

“What we’re looking for is really interstitials that show up on the interaction between the search click and going through the page and seeing the content. What you do afterward like if someone clicks on stuff within your website or closes the tab or something like that then that’s kind of between you and the user,” John Mueller from Google Webmaster Central announced during an office-hours Google+ hangout.

How to Identify Intrusive Interstitials

Google has already decided that all interstitials ruining the user experience will negatively impact that site’s ranking signal.

What you need now is a blueprint to check your own site against. How can you tell which interstitials are okay, and which aren’t? Keep reading!

Intrusive Interstitials That Will Be Penalized

The examples of penalized interstitials provided by Google are relatively straightforward. So far, we know of three types of interstitials that will be problematic.

The first is a regular popup, or a modal window blocking the content of the page. These often come with a dark semi-transparent background dimming the rest of the content. These are perhaps the most traditional popups, in that they appear to literally pop up over the rest of the page.

An example of an intrusive popup from Google: a regular popup, or a modal window blocking the content of the page.

You can see how the background dims to a dark gray for the modal popup:

A real-life example of a regular intrusive popup.

The second is a standalone, full-screen interstitial that sits above the header of the website. These interstitials typically force your browser to scroll up to see it before letting you see the rest of the content.

An example of an intrusive standalone interstitial from Google: a standalone, full-screen interstitial that sits above the header of the website.

The last is also a standalone, but essentially a full-screen modal window blocking the content.

Another example of an intrusive standalone interstitial from Google: essentially a full-screen modal window blocking the content.

Its functionality is like that of a regular popup, but you get no preview of what content lies below. In practice, they look exactly the same as the previous standalone popup. Here’s a real-life example:

A real-life example of an intrusive standalone interstitial that blocks the content.

However, in some cases, it doesn’t seem so cut and dry. For example, what if you have a live chat box that automatically appears to help the guest? This isn’t a direct advertisement, but it does still ruin the user experience if all they want to do is read the content they came for.

In these cases, think about the popup in its purest form — a box that appears over the actual page content. If it’s not a necessity, there’s a good chance it’s going to be penalized.

Intrusive Interstitials That Shouldn’t Be Penalized

It’s important to remember that not all interstitials will be an issue. Depending on your website and country, you may have legal or ethical reasons to display interstitials. Google knows this, and isn’t planning to punish you for it.

Google provides two predominant examples of these legally required interstitials, the first being legally required age verification blockers. These help create a shield for age-sensitive content such as websites featuring alcohol or adult content. The second example is cookie consent notifications, as they are required in the EU.

Finally, and perhaps most importantly, any banners taking up a “reasonable amount of space” should be safe. Though an exact size is not provided, it is better to play it safe and assume less is more. If you keep it to 15% or less, even landscape mode devices will still have enough room to read several lines of text.

This goes to show that you can still keep your ads, but you may need to switch up your approach by respecting the user’s screen space first and foremost. Try redesigning interstitials you can’t part with so they take up a small amount of the page, perhaps reducing them to a link that leads to a separate page entirely. In a last-ditch effort, you could change them to be inline ads. If you’re not sure what works best, try A/B testing to find an effective middle ground.

All this said, there is no guarantee of what will or will not be counted against you. Google only notes that these, when used responsibly, will not be affected.

Conclusion

As the deadline draws near, we urge you to check your interstitials and ensure they follow Google’s new guidelines. Though it’s not clear how strong this new ranking signal will be, Google shows a definitive preference for mobile. We recommend that you don’t underestimate its power.

It is relatively straightforward to identify your intrusive interstitials and take action:

  1. Review required interstitials, such as age-verification popups and cookie notifications. You’ll leave these live, but ensure they are easy to use on mobile devices.
  2. Find the interstitials on your site, leading directly from Google search, that act as advertisements.
  3. If these are so effective that you can’t justify getting rid of them, try modifying them to take up a small amount of screen space for mobile devices. Otherwise, we recommend removing them entirely.

What are your fears about the new intrusive interstitial ranking signal? Ask any further questions you have in the comments section below!

Author:  Aleh Barysevich

Source:  https://www.searchenginejournal.com

Categorized in Internet Privacy

Last week, I set out my reasons for expecting serious civil liberties and privacy problems under a Trump presidency. I strongly recommended that you take steps to protect yourself — steps I’m going to outline shortly.

We now live under conditions that would make the great authoritarians of yore salivate with envy. Government’s capacity to monitor us has never been greater. And, as that capacity advances, politicians and bureaucrats adjust their understanding of privacy and constitutional liberties in ways that allow them to use it.

The only thing that prevents them from defining those things out of existence entirely is the residual respect for constitutionality held by those in key positions. As I argued last week, evidence of such respect is very thin indeed in the incoming Trump administration.

That’s why, love him or hate him, you need to be prepared…

Privacy Is Your Responsibility

No matter who’s in charge, government always finds a way to justify new methods to invade our privacy.

For example, the Justice Department’s legal rationale for monitoring our emails and phone calls is based on the old-fashioned postal letter. Back when snail mail was king, courts ruled that any information on the outside of a letter — addressee, return address, place of posting — was in the public domain, and therefore available to government investigators. That’s why the post office scans and records every single piece of mail in the U.S. … every day.

That logic now applies to the metadata of every call you make and every email you send. Soon it may apply to your Web browsing history as well. I simply don’t trust Trump’s key appointees to resist that logic. So, here’s what I recommend:

  1. Get Signal and/or WhatsApp for mobile messages: Signal is a sophisticated Swiss messaging app that fully encrypts all your text messages. It requires both parties to use it, so it isn’t ideal for everything. Nevertheless, Moxie Marlinspike, the founder of Open Whisper Systems, Signal’s developer, says there has been a huge expansion in their user base since the election. So you’ll probably find more Signalers on your contact list as time goes on. WhatsApp is an alternative that encrypts your messaging and VoIP calls. It isn’t as secure as Signal because it’s owned by Facebook, whose approach to court orders is uncertain, but for ordinary purposes it will prevent real-time monitoring of your communications.
  2. Encrypt your computer’s hard drive: As I describe in Privacy Code 2.0, full disk encryption makes the contents of your computer totally unintelligible to anyone without the password. For example, if you are stopped by Homeland Security upon return to the U.S., your laptop can be searched before you officially enter the U.S. But if it’s encrypted, no law says you must divulge the password. Both Apple and Windows computers have automatic encryption built in if you activate it. That’s fine for most purposes, but if you want added security, a free, easy to use open-source encryption utility can be found here.
  3. Get a password manager: Using secure apps and utilities like those above means having passwords — lots of them. Don’t write them on your palm. Get a password manager that stores them (encrypted, of course) in one place and generates and even changes passwords for you. Personally, I use Dashlane. Other good password managers are 1Password and KeePass. I don’t recommend LastPass, another popular one, because they allowed themselves to be hacked last year. That’s just not good enough.
  4. Use two-factor authentication: Most email programs, cloud storage utilities, banking apps, social media and other sensitive applications these days offer two-factor authentication (TFA). TFA requires that every time you sign in, you go through a secondary layer of security: a code to enter at login that is sent to your phone via text message. Some offer such codes via email, but don’t use it. If hackers gain access to your email, they can get access to your accounts by having TFA codes sent to them.
  5. Use HTTPS Everywhere: My friends at the Electronic Frontier Foundation developed a browser plug-in for Firefox and Chrome that forces websites you visit to use the most secure connection protocol. If encryption is available on the site you visit, your connection to the site will be encrypted, and you will be protected from various forms of surveillance and hacking during that session.
  6. Don’t rely on your browser’s “incognito mode” to do things it wasn’t meant to do: Browsers like Chrome, Safari, Opera, Firefox and Microsoft Edge allow you to start a browsing session that doesn’t record anything you do during that session. Any websites visited, cookies downloaded or other connection stats will be wiped clean when you end the session. “Private” browsing modes thus protect you from searches of your computer. But unless you’re connecting to an encrypted site (via HTTPS Everywhere, for example), whoever operates the site can collect all your browsing data anyway since it is recorded by the site’s server.
  7. Use DuckDuckGo for sensitive searches: If you’re not convinced that Google’s motto “do no evil” is anything more than a marketing ploy, use DuckDuckGo, an alternative search engine that doesn’t record your searches or anything else about you. It produces great results, so you won’t really lose much by using it instead of Google.
  8. Use a virtual private network (VPN): As my privacy report explains, a VPN is the best all-around protection you can get on the Internet, because it encrypts everything you do, including your identity and location. VPNs can be used on both your computers and your phones. That’s important, because as Eva Galperin, global-policy analyst at the Electronic Frontier Foundation, says, “Logging into airport Wi-Fi without using a VPN is the unprotected sex of the Internet.” As a bonus, you can also use a VPN to spoof your location and gain access to region-locked streaming content, like Amazon Prime, when you are abroad. The only downside is that they slow your connection a bit. VPNs are provided by specialized hosting companies that charge about $5 a month for the service. A good selection can be found here.

These techniques make some or all of your electronic communications and data instantly invisible to anyone. They use levels of encryption that would take a bank of supercomputers hundreds of years to break.

When it comes to protecting your privacy, now is the time … because afterward is too late.

Author:  The Sovereign Investor

Source:  http://www.valuewalk.com/

Categorized in Internet Privacy