Smartphone Bluetooth Interface Security

This post is a continuation of the series on smartphone interfaces and will cover Bluetooth interface security. Let me begin by saying that Bluetooth security is not as bad as it once was. As with the other articles in the series I will cover both the security and privacy concerns around this interface. Continue reading “Smartphone Bluetooth Interface Security”

Smartphone Wi-Fi Security

Recently reader asked me to write a post about the implications of Cellular, Wi-Fi, Bluetooth, and Near Field Communication (NFC) radios in smartphones, and the privacy and security implications of each. I will, and it will be in several parts. Today I am going to cover smartphone Wi-Fi security and privacy. I’m sure you’re heard that you should leave your smartphone Wi-Fi turned off when it’s not in use – but why? Continue reading “Smartphone Wi-Fi Security”

Self Destructing Cookies for Firefox

If you have read any of my previous writing on internet browsers, you probably know I don’t like cookies.  Unfortunately, they are a necessary evil.  Without cookies most of the internet services we love would be impossible.  This is great when you need a website to remember login credentials, the items in your cart, or the pages you’ve already visited.  Cookies have a downside, however.  They allow websites to track your browsing.  This tracking is not limited to the first-party site you visited.  Once you have a cookie from a site it can see the other sites you visit, as well.  It can also share this information, making your history and habits well known.  Sites like Facebook even track non-users.  I work to prevent this to the extent possible.  I recently discovered an add-on for Firefox that is my new favorite for deleting cookies.  It is called Self Destructing Cookies. Continue reading “Self Destructing Cookies for Firefox”

3DSC Day 16: Smartphone Security I

Today we are going to shift gears a bit from desktop machines and online accounts, to smarphone security.  Today’s task is to encrypt your device and put a (better) passcode on it.  I realize that most of you probably have a passcode on your mobile phone, but many out there don’t.  Even if you do I want to make those passcodes better; this is a critical step in smartphone security.  Phones are much more easily lost or stolen than your laptop and they carry a wealth of information about you.  I don’t mean to wade into a hot-button issue here, but recent events have proven encryption works. You should use it to protect the data that is on your phone.

While a password on a smartphone would be better than a passcode, the inconvenience of a tiny keyboard is hard for even me to tolerate.  We can make passcodes better though.  To make them better, make them longer.  You don’t need to go crazy; even a one-digit increase in length makes your passcode stronger by a power of ten.  You passcode should not be a simple four- or six-digit passcode (especially in iOS, see below).

Android-specific:  If you have an Android device you have several options for unlocking your phone.  First, and most importantly, I recommend NOT using a pattern to unlock your device.  Patterns leave traces of themselves on your screen, and most of them are notoriously predictable.

You should also encrypt your Android phone.  I have written fairly exhaustively about this (both here and in Complete Privacy & Security) but many Android phones are still shipping without encryption enabled.  To encrypt your Android phone open Settings >> Security >> Encrypt.  If your phone is already encrypted this option will be greyed out.  If it is not, you will need to charge your phone to at least 80%.  Leave it plugged in and choose encrypt; if your phone allows the option of encrypting the SD card, you should.

Smartphone Security I

iOS:  If you are using an iOS device your information is encrypted by default, but you only get the benefit of this encryption if you use a strong passcode.  In iOS it is important to use a longer passcode than the standard older four- or newer six-digit “Simple Passcode”.  This is because the simple passcode lets anyone picking your phone up know exactly how many characters are in the passcode. To set or change a passcode open Settings>>Touch ID and Passcode.  To use a longer passcode, toggle the “Simple Passcode” slider off.  If you only use numerals in your passcode, the unlock screen will only present a numerical keyboard instead of the full keyboard as shown below.

Smartphone Security

I also recommend disabling Touch ID.  This feature has been defeated in several tests, and your fingerprints are very likely on your phone’s screen, anyway.  One final feature you should enable is Erase Data.  This is at the very bottom of the passcode settings.  As has been widely publicized due to recent events involving the San Bernardino phone, entering 10 incorrect passcode attempts will wipe the phone’s data, ensuring it does not fall into the wrong hands.

 

Privacy and Security Considerations when Upgrading to Windows 10

With free upgrades to Windows 10 fully out in the wild the migration to the new OS has been, by all accounts, a resounding success for Microsoft.  Though Windows 7 will doubtlessly remain king of the hill for the immediate future, with 75 million downloads in the last month Win10 is making serious inroads.  Though popular out of the gate, it has not been received without some legitimate complaint.  There are some major privacy issues with the new OS.

Windows_logo_-_2012.svg

Express Settings:  When going through the  upgrade process, do NOT choose the “Express settings” option.  In Express settings mode you are not allowed the opportunity to change privacy and security settings and they are set to defaults.  Worse, allowing the Express settings can cause an encrypted version of your Wi-Fi password to be shared with your friends through Wi-Fi Sense so they can use your Wi-Fi if and when they are at your house.  Instead choose the “Customize settings” option.

Forced Updates:  Perhaps the fiercest complaint about Win10 is that updates are mandatory, not optional.  While I strongly encrourage staying up-to-date, the ability to opt-out of select updates should be everyone’s right.  This ability is especially importan when updates are buggy or cause system instability as has been the case with some updates for 10.  Windows 10 users have no choice in the matter, though.  At least now Windows actually offers some transparency and explains what these updates do.  Before upgrading you should seriously consider whether you are willing to accept mandatory updates whether you want them or not.

Privacy Policy:  Windows 10’s privacy policy has been described by Ars Technica as “the new normal“.  While all operating systems send some information back some information the data collected and transmitted by Windows 10 is fairly significant by comparison but is, as Ars also points out, part of a continuing evolution of increasing data collection.

Data Collection by Default:  Windows 10’s data collection is enabled on the OS by default.  The new Cortana feature (the competitor to Apple’s Siri and Google’s Now) constantly records you and your actions to “get to know you”.  Windows 10 also has a very intuitive, very user-friendly Settings menu that contains a well laid-out Privacy section (shown below).  Unfortunately most of these privacy settings are enabled to collect data by default.  I strongly recommend going through these privacy settings immediately upon installing the new OS.  These settings are not complete; there are .  For more information on setting up the initial Privacy and Security settings in Windows 10 visit https://fix10.isleaked.com/.

Screenshots of my Win1o Privacy settings are attached a the end of this post.  Note that for most of these settings you must enable the global setting before disabling individual apps.  After you have disabled every app I recommend once again disabling the global settings.  Also note that these settings are not a substitute for using basic best practices and security utilities like encyrption and antivirus.

Some good news:  Windows 10 will still work with the security applications we know and love, like TrueCrypt, Password Safe, and others.  In fact, aside from OS-specifics, nearly everything I detailed in Your Ultimate Security Guide: Windows 7 Edition is still applicable.  Just one quick word of warning: if you are full-disk encrypted, DECRYPT YOUR HARD DRIVE before upgrading and re-encrypt upon completion of the upgrade.  I learned this the hard way.

Everyone loves the appeal of a new operating system.  Even I was excited at the prospect of an entirely new look when the computer finally finished installing 10.  But the more rational side of me dislikes change just for the sake of change.  After I complete the next installment of the Your Ultimate Security Guide series which will cover Windows 10 (look for it in March 2016) I plan to revert back to either Windows 7 or, much more likely, go full-time with a Linux distro.

12345678910111213

 

Privacy Compromising Updates in Windows 7/8.1

Since the release of Windows 10 it has been no secret that Windows is collecting a great deal of data about its adopters be default.  Though some of this tracking cannot be opted out of most of it can, and this blog will cover these techniques for Win10 next week.  What is more alarming (at least to me) is that Windows is quietly installing some of these privacy-invading “features” on Windows 7 and 8.1 machines in the form of updates.  These updates send a great deal of information about your usage back to Microsoft.  Fortunately for users of Windows 7 and 8.1 these updates can be quickly and easily uninstalled.

The updates are (each is hyperlinked to a full description at microsoft.com) :

To uninstall these updates navigate to Control Panel>>System and Security>>Windows Update.  Click “View Update History”, and the click “View Installed Updates”.  This will open a list of the updates that have been installed on your machine.  Search for each of the four updates listed above.  If you find that any of them have been installed, right click on the update and select Uninstall.  You will be asked to confirm your decision.

Win7 Privacy UpdateI am disappointed that Microsoft has chosen to hold user privacy in such disregard, though my disappointment does not rise to the level of surprise.  This is a great example of something I talked about in Your Ultimate Security Guide: Windows 7 Edition.  Allowing updates to download and install automatically can have some serious negative consequences.  I prefer to download updates automatically but choose when to install them.  This gives you the chance to avoid updates like these that are not in your best interest.

Fixing Firefox’s WebRTC Vulnerability

Earlier this year a major vulnerability called the WebRTC vulnerability was discovered in Windows machines running Chrome and Firefox.  This vulnerability can compromise your privacy by allowing websites to see your true IPv6 address despite the use of a VPN.  When using a VPN any site you visit should only see the IP address of the VPN’s exit server.  This prevents them from correlating you with your visit with your geographic location, and building profiles based on your IP address.  To test your system and see if your IP is leaking you can visit https://ipleak.net/.

Thankfully this vulnerability is very easy to correct in Firefox but it cannot be corrected through the “Options” dialogue.  To correct it go to your URL bar in Firefox and type “about:config.”  This will open a menu where power-users can make many adjustments to the application (many of these adjustments can be made through the Settings, but many cannot).  Bypass the warning and scroll down to “media.peerconnection.enabled.” This setting is “true” by default.  Double-click this line which will toggle the value to “false.”  This is all that is required to turn off WebRTC and secure this vulnerability.

WebRTC Vulnerability

There are add-ons for Chrome (WebRTC Leak Prevent and ScriptSafe) that are intended to defeat the WebRTC vulnerability.  It has been reported that these add-ons can be bypassed by a malicious adversary and should not be relied on.  However, if you must use Chrome you should enable one of these add-ons.

For full protection use Firefox and adjust as described above.  Using NoScript may also help mitigate this vulnerability.