Category Archives: Privacy and Security

5 Common pitfalls that greatly compromise your privacy

Yesterday, Apple announced that the recent leak of photos from celebrities’ accounts was not caused by any kind of breach of their systems. In other words, they are saying that the attack was carried out through “guessing” and “phishing”.

So what does that mean? Guessing is self-explanatory. A phishing attack is one where the victim is shown a fake login page that looks like that of a well-known website; once the victim enters their credentials into it, they are sent to whoever set up the trick.

You can find tons of articles online about protecting your accounts, but I am going to take it from a user’s perspective and focus on five common mistakes I see around me that people often overlook.

Know that – If you are not careful enough, it won’t really require “hacking skills” for someone to hack into your account.

The first thing you need to know is that there are plenty of people out there who already know enough about you to mount a successful guessing attack on your accounts, and that guessing needs no “hacking skills” at all.

Know that – “But.. I have nothing to hide” does not apply on anyone!

“If you really think that you have nothing to hide, please make sure that’s the first thing you tell me, because then I know that I should not trust you with any secrets, because obviously you can’t keep a secret.” (Mikko Hyppönen, computer security specialist)

There is a common principle in security: a network is only as secure as its least secure member. Applied to privacy, this means that if you compromise your own privacy, you are also compromising the privacy of everyone who trusts you.

Take Facebook as an example. You might have nothing to hide (I doubt it), but even if that’s true, if you give away your Facebook password, then everyone who told you their personal secrets online, and everyone who chose to share things with you specifically because they trust you, has had their privacy compromised along with yours. So you’d better realize that you do have things to hide.

Pitfall 1 – Your “Secret” Question

The so-called secret question strikes me as a feature that exists only to let attackers in. Maybe it was considered secure long ago, because its inventors did not anticipate how many stalkers would be using the internet, or how much of everyone’s personal history would end up online.

Secret questions are still common on Yahoo and Hotmail/Live (or whatever it is called now). And since most online accounts are now linked, for example through a recovery email address, resetting one account’s password often hands over every account connected to it. Recall the least-secure-member principle!

The thing is, 15 years ago when you created your email account, you probably thought a question like “Where was your grandmother born?” was secure enough. But guess what: now your grandmother is on Facebook, where everyone can see that she is your grandmother and find out where she was born! So someone can answer the secret question on one account, reset the passwords of every account connected to it, and you’re done for.

If you insist on using a secret question, make it a real secret: treat the answer as a second password that has nothing to do with your life, rather than a fact about you that anyone can look up. Better yet, get rid of this primitive thing for good. We tend to pick easy questions, it is very easy to collect information about anyone online now, and there are far better alternatives (2-step verification, for example).

Pitfall 2 – Lock your computer!

Whether at work, at home (especially when you have visitors) or anywhere else, always lock your PC when you step away from it, and set it to lock automatically when idle!

You cannot imagine how much trouble forgetting that can cause. I know someone who left his PC unlocked; a co-worker used it to send everyone an invitation to dinner at the victim’s place! The poor victim started getting “Thank you for the invitation” messages and had no idea what was going on.

Another guy at a reputable company actually sent a resignation email to the whole team on behalf of a colleague who had left his PC unlocked!

Bonus info: these kinds of attacks are called “workstation hijacking”, by the way.

Pitfall 3 – Your browser was so nice to save all your passwords in one place

Browsers save your passwords to make it easier to log in next time. The problem is that now workstation hijackers know exactly where to look!

Lock your computer, and as an extra precaution, put a password on this page as well. Google Chrome asks for your system password (the one you use to unlock the computer) before revealing any saved password; other decent browsers offer something similar (Firefox, for example, lets you set a master password), and if yours does not, you’re better off with a different one! Keep in mind that this prompt only guards the list in the settings page: someone sitting at your unlocked computer can still log in to a site with the password the browser fills in for them, which is why locking the computer comes first.

Pitfall 4 – Don’t use the same password everywhere!

Just don’t. Otherwise uncovering one password means uncovering all your accounts: a single leaked password database or a single phishing page becomes a key to everything else. If you can’t remember a different password for every site, let a password manager remember them for you.

Pitfall 5 – Keep an eye out for phishing attacks

There is no foolproof rule for this, but messages like “You won’t believe what happens in this video”, “Hey, you look so funny in this photo!” or “Hey, I didn’t know you work in the porn industry!” should look fishy to you. Pay attention to how messages with links are written; you can usually tell that it is not your friend’s style (and so it could be a program writing them). Think before downloading .exe files or installing apps: why would watching a video require installing a Facebook app? Before typing your password into a page you reached through a link, check that the address bar really shows the site you expect. Or simply ask the friend before opening a suspicious link.

Have any other tips? share them!

Who viewed your email?

A few months ago, a company called Streak announced a plug-in for Google Chrome that lets Gmail users be notified when someone reads an email they sent.

Sounds scary, right? It even works when emailing non-Gmail users! You simply get a notification saying “Someone viewed your email”. If there were multiple recipients you won’t be told which one opened it, but it does show the location from which the email was accessed, so it’s up to your guesses and stalking skills to work out who exactly viewed it.

But how does it work?

The trick is simple. The plug-in inserts an invisible 1×1 pixel image into every email you send; the image is not embedded in the message but referenced by a link that is unique to that email and points at Streak’s servers. Most email clients display the images in an email as soon as you open it, so when the receiver’s client tries to display the tiny image, it follows the link to fetch it, which (guess what?) sends a request to Streak’s servers.

Streak’s servers see that this particular image was requested and, since the link is unique, know which email it was inserted into. They record where the request came from (the client’s IP address, which gives an approximate location) and, because fetching the image means the email was opened, they notify you.

How can it be countered?

So now that you understand how it works, you have probably guessed that the plug-in can’t do its job unless the client fetches the images. You are right, and that’s the simple solution!

Just make sure your client doesn’t display remote images automatically. Then, if you receive an email from someone using the plug-in, the image is never fetched, no request reaches Streak’s servers, and they learn nothing about you. One caveat: some webmail services fetch images through their own proxy servers, which hides your IP address (and so your location) from the tracker but still tells it that the email was opened.
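To make both the mechanism and the countermeasure concrete, here is an added example that is not Streak’s code and not part of the original post: a toy tracking service that hands out a unique token per sent email, the HTML that embeds the pixel, and a model of a mail client that either fetches remote images or blocks them. The hostname tracker.example, the /p/<token>.gif path, the TrackingServer class and the sample IP address are assumptions made for this example.

```python
"""Model of an email "read receipt" built from a tracking pixel, plus the
image-blocking countermeasure.  Added example: tracker.example, the
/p/<token>.gif path and TrackingServer are assumptions, not Streak's code."""
import re
import secrets
from urllib.parse import urlparse

TRACKER_HOST = "tracker.example"  # assumed hostname of the tracking service


class TrackingServer:
    """Stand-in for the sender-side service: issues one token per sent
    message and logs every request for the matching pixel."""

    def __init__(self):
        self._tokens = {}  # token -> id of the email it was embedded in
        self.opens = []    # one record per pixel fetch ("Someone viewed your email")

    def issue_token(self, message_id):
        token = secrets.token_urlsafe(16)  # unguessable, so it can't be spoofed
        self._tokens[token] = message_id
        return token

    def pixel_url(self, token):
        return f"https://{TRACKER_HOST}/p/{token}.gif"

    def handle_request(self, url, client_ip, user_agent):
        """Serve a pixel request; returns an HTTP status, 200 meaning an open was logged."""
        parsed = urlparse(url)
        if parsed.netloc != TRACKER_HOST:
            return 404
        match = re.fullmatch(r"/p/([A-Za-z0-9_-]+)\.gif", parsed.path)
        if not match or match.group(1) not in self._tokens:
            return 404
        # All the server learns: this token was fetched, from which address, by which client.
        self.opens.append({
            "message_id": self._tokens[match.group(1)],
            "client_ip": client_ip,    # geolocated to produce the "location"
            "user_agent": user_agent,  # hints at the mail client used
        })
        return 200


def build_tracked_html(server, message_id, body_html):
    """Append the invisible 1x1 pixel to an outgoing HTML email body."""
    token = server.issue_token(message_id)
    pixel = (f'<img src="{server.pixel_url(token)}" width="1" height="1" '
             f'alt="" style="display:none">')
    return body_html + pixel


IMG_SRC = re.compile(r'<img[^>]*\ssrc="([^"]+)"', re.IGNORECASE)


def open_email(server, html, load_remote_images, client_ip, user_agent):
    """Model of a mail client rendering the message.  Returns the remote URLs
    it fetched; an empty list means nothing reached the tracker."""
    if not load_remote_images:
        return []  # the countermeasure: remote images are never requested
    fetched = []
    for url in IMG_SRC.findall(html):
        if urlparse(url).scheme in ("http", "https"):
            server.handle_request(url, client_ip, user_agent)
            fetched.append(url)
    return fetched


def demo(load_remote_images):
    """Send one tracked message and open it; returns what the tracker logged."""
    server = TrackingServer()
    html = build_tracked_html(server, "msg-0001", "<p>Are you free for dinner?</p>")
    # Constructed sample values for the recipient's client (203.0.113.7 is a documentation address).
    open_email(server, html, load_remote_images, "203.0.113.7", "Mozilla/5.0 (example mail client)")
    return server.opens


if __name__ == "__main__":
    print("images loaded :", demo(True))
    print("images blocked:", demo(False))
```

Run it once with remote images enabled and once with them blocked: the first run yields one open record carrying the client’s IP address and user agent, the second yields none. Because the token is per message rather than per recipient, the server cannot tell which of several recipients opened it, exactly the limitation described above; a sender who issued a separate token for each recipient would not have that limitation.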

The reactions to such a plug-in are really interesting. It’s pretty annoying to know that a server can be collecting information about you without your consent, but on second thought, this happens whenever you open any email with remote pictures! The only difference is that Streak openly hands that information to the email’s sender, whereas advertising companies, for example, gather the same information and keep it to themselves.

I wonder whether this is perceived differently from SMS delivery reports. It’s not exactly the same, of course, because a delivery report tells you when the SMS reached the other device, not when it was “accessed”.

But does it really annoy you? Share your thoughts!