Archive for the ‘Nod32 Antivirus & Eset News’ Category
Security awareness, security breaches, and the abuse of “stupid”
Computer security is not created, nor is it improved, by calling people stupid. That's the conclusion I have arrived at after more than two decades in computer security and auditing. To put it another way, we should stop dropping the “S” bomb, especially when it comes to people who don't know any better.
Consider the phenomenon of people posting photos of credit cards on Facebook, a sort of self-inflicted security breach. Your first reaction might be “Is that stupid or what?”
In my opinion the “or what?” is a fair question, one that I thought about this President's Day, a day when a lot of credit cards in America get a good workout (with the notable exception of the one in this picture).
Note that what you're seeing is a doctored version of what actually appeared on Facebook, where the details on the front of credit card were clearly visible. These have been masked in this screenshot, along with other identifying information (I have tried to find out who produced the above image in order to give them credit, as it were, but so far I've not succeeded).
Also note that the person who posted the pic does not seem to be the card owner, so it's not a case of “stupid kid posts photo of his first credit card” which is how some bloggers described it (although I am sure there are cases of that kind as well). No, this is just a case of a person, possibly a parent, being proud of that “first credit card” moment, and wanting to share it with friends and family. This person was probably in the same state of mind as many other Facebook users who:
A. Think of Facebook as a place to share things with a few select friends, but have not adjusted their “share” settings accordingly, and;
B. Under-estimate the number of people who are willing to take advantage of their fellow human beings.
In other words “they don't know any better” and possibly lack the kind of life experiences that make other people think twice about putting a photo like that online. Now, I don't know what percentage of Facebook's 800+ million users are currently A+B positive, so to speak, but they represent a rich vein of potentially exploitable persons. Fraudsters and scam artists are keen to mine that vein, as evidenced by the constant appearance of new deceptions documented by websites like Facecrooks.
What should really be of concern to companies, and society at large, is that these A+B folks are not just a target on Facebook. Criminals are targeting users who lack security awareness across a wide range of information systems. They are crafting attacks that rely on exploiting digital device users who have little or no security training.
So the next time you hear infosec professionals bemoaning the stupidity of users you need to ask: “Are they stupid because they are ignoring the security training they received, or are they doing stupid things because we have failed, as an organization, and as a society, to teach them to know better?”
And while we're at it, what say we cut Shannon and Dustin a break!

See the original post here:
Security awareness, security breaches, and the abuse of “stupid”
Kaspersky Lab and Aramiska Deliver Enhanced Security For Businesses
The implementation of comprehensive e-mail virus scanning as a standard feature benefits business customers. Kaspersky Labs (www.kaspersky.com), an international data security software developer, and Aramiska (www.aramiska.com), the leading alternative European…
See more here:
Kaspersky Lab and Aramiska Deliver Enhanced Security For Businesses
Iranian TOR “arms race” a shadow of things to come?
Recently, the anonymizing network system TOR’s (The Onion Router) traffic was ratcheted to a standstill in Iran, prompting a comparison by one of the TOR project developers to an emerging “arms race”. Users of the service, hoping to evade state censorship/snooping, encrypt the traffic that then gets routed anonymously around the globe. But it seems Iran has caught on, and started shutting down the traffic.
This is the latest in a continuing global escalation of attempts to crack down on Internet traffic, matched by zealous competing efforts from those in favor of a more open system of communication. Nation states are being tapped to control what may be perceived as threatening communication, à la recent efforts in the UK to tag Internet traffic as a more likely propagator of potential “violent radicalisation” activity than any other, including religious institutions, prisons, universities, etc.
But TOR had an “ace up its sleeve” according to developer Jacob Appelbaum with the project. Apparently, they had anticipated the increased scrutiny on the SSL/TLS traffic that TOR communication generates, and have developed an add-on called obfsproxy, which works around it, making the encrypted traffic appear more like normal Internet traffic, thereby avoiding unwanted attention.
And so it goes. Last month TOR operators noticed Chinese state actors apparently sensing TOR traffic and blacklisting the TOR onramp “relays” so others couldn’t connect. What is interesting is the way it was detected and blacklisted, causing speculation that the methodology used near-linespeed realtime Deep Packet Inspection (DPI) to snoop the traffic, a non-trivial feat to be sure, especially at speeds fast enough to avoid creating excessive latency, a telltale sign that the traffic may be monitored. TOR communications, while tunneled across a standard SSL port, are unlike traditional SSL negotiations, which only last short periods. TOR, on the other hand, would show a continual stream of SSL traffic for longer periods of time.
What is also interesting is that Iran is second only to the U.S. in use of the TOR network (according to the project’s statistics), suggesting a level of cyber sophistication in that region that is far above average. We also read that other Middle Eastern nation states are ratcheting up cyber attack rhetoric and posturing more reminiscent of traditional military actions. It’s easy to draw parallels to a new emerging cyber arms race, as mentioned by Mr. Appelbaum.
This promises to be a long haul, technologically, with privacy and anti-censorship efforts coming into full focus in the coming months, as states attempt to control dialog – for whatever reason – and citizens attempt to exercise their power to communicate freely, both for good and evil.
Read this article:
Iranian TOR “arms race” a shadow of things to come?
Google responds to Android app Market security with stronger scanning measures
In response to recent reports that malicious apps may have made their way into the official Android Market, Google has announced a new program to more proactively scan the Market and developer accounts for seemingly malicious apps, and to highlight and/or remove them before users experience trouble.
Traditionally, the barriers of entry for developers in the Android ecosystem have been low to get their apps placed in the official Market. This was by design, allowing Android to sprint past other smartphone platforms in adoption rates, since many apps that users wanted were likely to be there before they hit other platforms. The downside is that app authors choosing to bundle malicious, or borderline malicious apps had an easier time with distribution.
By contrast, the iPhone ecosystem represented a more closed, vetted, and more expensive environment for developers to launch their apps. This resulted in steady growth, but the more rigid process of an app making it to their official App Store deterred the more unsavory app developers from spending the extra effort to circumvent controls. In short, it was easier to spread bad things, or borderline bad things on the Android smartphones.
The new effort, called Bouncer, aims to silently scan the marketplace for rogue and borderline apps, largely transparently to the user. When a new app upload is attempted by the developer, Bouncer will do a preliminary scan to determine whether it behaves maliciously or is borderline.
Hiroshi Lockheimer, VP of Engineering, Android, explains in his blog on the subject that the effort “provides automated scanning of Android Market for potentially malicious software without disrupting the user experience of Android Market or requiring developers to go through an application approval process.”
Bouncer aims to run each app in a simulated cloud-based environment to watch for malicious activity. It will also scan for changes in existing apps. If it detects that an app has changed, it will red flag it for scanning, keeping existing apps (hopefully) more malware-free. Additionally, developers exhibiting a pattern of publishing malicious apps may be blacklisted. Is it working? In the second half of 2011, Mr. Lockheimer says “we saw a 40% decrease in the number of potentially-malicious downloads from Android Market,” so progress seems positive.
With an estimated 11 million apps available for Android, and a year-over-year growth rate of 250% according to Mr. Lockheimer, there’s a lot of scanning to be done. But this also speaks toward the success and ubiquity of the platform, and perceived value to users. In that department, Android has done quite well indeed.
Link:
Google responds to Android app Market security with stronger scanning measures
Your Children and Online Safety
A few years ago, from time to time I used to visit the school where my wife taught IT, to talk to some of their students about IT security. In fact, we wrote a paper at that time (along with my good friend Eddy Willems), based on some research data we gathered between us in the UK and Belgium about student knowledge of and attitude towards security issues: Teach Your Children Well – ICT Security and the Younger Generation.
ESET Research podcast round up
Here are some recently released podcasts by ESET Researchers, addressing current topics such as the recent VeriSign hacks, the takedown of MegaUpload, and the problems with using good malware to catch the bad guys:
1. VeriSign, Credit Card Processor, Hacked Multiple Times
2. Mega Upload Website Shutdown by U.S. Department of Justice
3. Is The Stop Online Piracy Act Good or Bad for Businesses and Consumers?
4. Hacker Activist Group Anonymous Strikes Again
5. Can We Use Good Malware To Catch The Bad Guys
We hope you get a chance to take a listen to them. We'd love to know what you think. Also, if you have a suggested topic for a future program, drop us a line here in the comments section. Enjoy!
Endpoint Security Webinar: Protecting your network at the sharp end
I have a theory that says improving information system security–the security of our operating systems, network connections, and applications–just means the bad guys will focus more attention on our endpoints, the digital devices we use to access the information and systems we need to do our work.
Furthermore, as we improve endpoint security technology, the people that use the endpoints will be targeted more and more by bad guys who see end users as the weak link in our data defenses. To put it another way, the real endpoint is between the ears. You need security-savvy users on your side as well as good security technology on your endpoints.
That's my take on why all aspects of endpoint security are so important today and I just finished recording a webinar that captures my thoughts on the subject quite well. You can access the recording of the webinar here.
When you have some time–about 50 minutes or so–I hope you can take a look and a listen. I'm keen to know what you think about this theory, and the practical advice I offer towards the end of the webinar about how to protect endpoints today. You will need to register to see the webinar but it only takes a moment and you won't have to divulge a whole lot of information to do so.
BTW, that same link will lead you to a range of recorded information security webinars that may be of interest, as well as notices about upcoming sessions you might like to attend. We also have a page that provides links to all the latest ESET security resources in one place. We hope you find it helpful.

Go here to read the rest:
Endpoint Security Webinar: Protecting your network at the sharp end
Facebook/app data privacy – sharing gone wild
So you browse your favorite restaurant review site and settle on a great Mediterranean restaurant, and “magically” a variety of preferences get fed back to your Facebook profile, to be shared, re-shared and re-shared, ricocheting around the internet to form purportedly value-added experiences elsewhere you visit. That’s great news if you want your preferences bounced around, giving websites and apps information that could possibly provide a more personalized experience wherever you visit. It’s also bad – trying to protect maddeningly automatic Personally Identifiable Information (PII) and preference sprawl, all at the speed of light.
There is a macro trend flooding the interwebs that almost EXPECTS users’ information to be fed and cross-fed elsewhere online. When I signed up on pinterest.com, it expected (and indeed required) me to provide Facebook or Twitter logins, so the ooze of my information back and forth begins, in order to give me customized output based on it.
This “frictionless sharing” can make it devilishly difficult to control personal privacy sprawl. I have a friend who – a few years back – determined to keep his own identity completely off of the internet. This included no pictures, signing up for mandatory online services using aliases, etc. It was simpler then. Moving forward, my friend will have quite a time as more and more online services move to a 2-factor authentication scheme where users have to provide things like passwords, along with – you guessed it – Facebook/Twitter logins, which are then linked to everything else.
Aside from the obvious parallel of my friend feeling like he’s being forced to sign up for the Matrix, mostly to volunteer to be invaded by curiously personal floods of advertising, should he have a right to keep his own private life pretty much to himself?
Advertisers, on the other hand, are creatively looking for ways to get in front of more targeted eyeballs than just wide net venues like traditional TV. One of those ways is invading the app world and embedding revenue models into things people are already doing, and monetizing the data. Your data. Well, sort of, really more like a snapshot of someone just like you, aggregatized and sold as a pile of targeted data. My friend would argue that doesn’t seem very anonymous in the traditional sense. And he wouldn’t be alone.
For those who value their own privacy, it’s a tough road ahead. Someone remarked that we are seeing the end of the age of privacy, but at what price? Those who have had experiences with personal information spreading wildly out across the internet to those they don’t know, ala racy tropical vacation pictures involving margaritas and double-dares, know the pain incurred and subsequent reputation damage that can happen firsthand. But what can you do once your data is out there besides change your identity, and possibly lay off the margaritas? Good question, and one that lots of folks will wrestle with as the app sprawl goes wild, taking your information with it, and then trying to get it back.
My colleague Stephen Cobb points out an article showing how a single breached Facebook account became a potential leverage point for scams aimed at the myriad friends that account owner had. This highlights that your security/privacy is only as strong as its weakest link, which might be a close friend who’s not particularly interested in either privacy or security – until they get burned, and then you do too.
See more here:
Facebook/app data privacy – sharing gone wild

Pinterest.com security – step by step howto
I recently signed up for Pinterest.com, a hip, trendy pin board style website that allows beefed up sharing of your interests with friends via a large visual bulletin board style forum where fans of a particular subject can post what they find compelling, and want to share. Then other friends can weigh in on the subject “pinned”, thereby creating a crowd-ranked list of what folks in that sector are talking about, with the more popular, relevant, and timely pins rising toward the top. The service is heavily integrated with other social media venues, specifically Facebook and Twitter. In fact, you’ll need your account information from one of them to sign up. This means much of the personalized information you may already have on Facebook, for example, might be used to form a composite of what you might also be interested in on Pinterest.
Is it popular? The numbers have been going crazy lately. Who knew? Other than some half-starved startup team somewhere who hit it big, the idea is sickly engaging and addictive, likely because the site is all about you and what others following your same interests find, well, interesting. I also thought Twitter was a hard sell, but now, well, the numbers speak for themselves on that crazy 140 character status update app that's also addictive and successful.
Here in this article we dive into Pinterest.com, show you what's involved in signing up, securing your profile and feeling your way around the world of Pinterest, with an eye toward your own privacy, security, and best practices.
One thing to note: If you're in a hurry and just click through the default options without an eye for security, privacy, and the possible spread of personal information (either semi-automatically or inadvertently aided by unwitting friends), you may end up with more than you bargained for. Allowing your information to be shared with nearly everyone by default might cause heartache down the road, so locking things down a bit seems like a good stance to take.
Let’s Get Started
If you haven't signed up already, it's tougher than it looks. First, you have to sign up for a waiting list to be invited, or better yet, get someone on the service already to invite you. This hearkens back to the early days of gmail, which was pretty successful as well, despite the curious process.
Once you’ve received your invite, continue the process as follows:
[Screenshot: creating an account – Facebook login prompt]
In this test I opted to sign up using Facebook, so when you click the Facebook link, you are directed to the Facebook login on behalf of Pinterest.com:
[Screenshot: Facebook login for Pinterest]
Once you log in, you are faced with the option to go back to Pinterest, or fine-tune your Facebook interface settings. Notice the default selection is to share with friends.
[Screenshot: default settings for friend sharing]
Note the notification that says by default this app will share “other activity” on Facebook. That seems like a very broad term for information sharing. If you are more privacy/security conscious, it may be a good idea to restrict the visibility:
[Screenshot: update friend preferences]
I changed it to look like this:
[Screenshot: share to “only me”]
When you are finished customizing your Facebook sharing settings, select the “Go to App” button and it will take you back to the Pinterest.com signup page to continue the process of creating an account there.
[Screenshot: create Pinterest account]
Since there really isn’t a way to sign up without a Facebook or Twitter account as well, it would be difficult to totally isolate the information flow from those sources. Your best bet is to review your account settings in Facebook, and make sure you’re only sharing what you intend to share, as default permissions tend to be set more lenient than security/privacy fans might prefer.
Now you’ll have a chance to tell Pinterest.com what interests you might have:
[Screenshot: define likes]
This will continue to build a profile of what/who you might be interested in following.
You now have a chance to create your own Boards:
[Screenshot: create your own boards]
On the same screen it will highlight those who you may be already following. Next there is a screen where you can customize your tastes, again building the profile the service will target for specific interests:
[Screenshot: create your first pinboard]
Once you enter your interests, the next time you visit, you’ll see more subjects presented that relate to these preferences.
You now have an option to integrate Pinterest preferences with your browser, for another level of integration:
[Screenshot: add to browser]
Now let’s look at some of the settings you might choose to adjust. You can access the settings under the menu shown below:
[Screenshot: user settings]
On the settings page you will see options to control how Pinterest.com integrates with Facebook/Twitter:
[Screenshot: link to Facebook / Twitter]
Notice that they are set to integrate by default. For those who want more privacy/security, it may be wise to disable the buttons above, thereby segregating the services a bit more. Notice how tightly the sharing may be integrated, including a feature to tap into your Facebook Friends yet another way.
Summary:
While Pinterest grabs market share and your friends become familiar with the service, expect more fine-tuned controls to be available. Being aware of these settings may help you have a more secure profile and sharing stance while using the service. It also may prevent sharing more information than you planned on, both now and in the future.
What else to watch for:
As with many websites that soar to popularity, we are already seeing scams like fake apps bundled with borderline or outright malicious functionality that users could download for smartphones like Android. The folks at gottabemobile.com point out that an app, purportedly for using Pinterest on Android, was not an app at all, but a platform for scams. Many users would simply click through the installation prompts, only to find out later they’ve gotten more than they bargained for.
As Pinterest.com continues to catch on, expect more scams that try to do things like tricking users into revealing credentials through fake notifications, spam texts to your mobile devices, efforts at phishing and other emerging scams. As Pinterest.com grows, we will revisit this in a security series about the platform, helping to keep users safe online.
Read this article:
Pinterest.com security – step by step howto