At this point I think that any person that joins a free social network is probably aware that nothing is really free. Even though no money changes hands, when you sign up for a social network account a transaction is initiated. Your personal data in exchange for access to the network. If the social network provides an understanding of how your data is used, and provides clear instructions for using privacy and opt-out features there is little to object to. You want free services, both parties agree on a payment method and the transaction is completed.

The folks at naked security sum it up this way:

You’re really agreeing to sell those organisations the right to accumulate, index, commercialize, and in some cases sell on to third parties, information about who you are, what you do, when you do it, and how you choose to talk about it online. You get to populate the databases from which they make revenue; in return you get to use the service.

In that sense, you aren’t so much a user or a customer of most “free” sites. You’re really just an informal employee, paid in kind. That’s worth remembering.

The level of transparency as to how and when your data is used has been in constant evolution since the Internet was born, but clear examples from recent history include the legal challenges faced by Google and Facebook as they continue to grow. To date, LinkedIn has not met the same strenuous legal challenges as their competitors and this is surprising since they appear to walking down the same path as Facebook and Google.

Facebook had a variety of confusing privacy settings and they have simplified them and made efforts to provide clear explanations about how data is shared on the network. Google has several social media platforms and a while back they consolidated privacy policies and user privacy setting. Some people objected to this, claiming it actually compromised privacy but if we accept Google’s explanation at face value, it seems they are trying to eliminate confusion resulting from different settings on different networks.

I can’t really say that Facebook or Google are model citizens when it comes to your privacy, but they do make the relationship clear and offer options that allow you to reduce your exposure and opt-out of certain features. By leaving optional fields like employment and address blank, combined with prudent choices about what you share as comments and posts you can exercise a good bit of control over your exposure.

By comparison, LinkedIn seems stuck in the 90′s with a convoluted system of member privacy settings that offer little documentation to help members understand how to use them properly. You can get an idea of how LinkedIn prioritizes member privacy by looking at where it is placed in the navigation menu. Both Facebook and Google+ have “Privacy” or “Privacy Settings” prominently displayed in the first level of menu selections. On LinkedIn, you must click settings, before you can see Privacy Controls by selecting the Profile tab. This may seem trivial but to me the design of the menu indicates priority, and privacy gets no mention up front.

LinkedIn recently launched a Safety Center. The Safety Center offers advice on external threats like phishing and malware but does not have a section that offers advice on personal security and privacy settings for member accounts. The section on Identity Protection discusses external threats like email but provides no information about how to protect your identity on LinkedIn or how to manage your privacy settings. If you are trying to find the new Safety Center, you would have to navigate to the Help Center first (under “More”), then you see a link to the Safety Center.

Let’s compare LinkedIn, Google+ and Facebook to determine which networks provide the most useful information on managing privacy settings.

• Google+ : Know your Google security and privacy tools.
• Facebook: Privacy – Get the information you need to control your sharing on Facebook.
• LinkedIn: Privacy Policy (Last revised on June 16, 2011)

LinkedIn does have a Privacy Policy, but it’s more of a PR/Legal document and it includes some statements that do not appear to be accurate based on how the site actually functions. (Examples provided below, keep reading.)

Facebook and Google take a beating on privacy issues and they have certainly earned it. Not many people would think of LinkedIn the same way but that’s not because LinkedIn has better privacy. It’s because LinkedIn just ignores member complaints about stalking, harassment and privacy. They don’t talk about it, they don’t address it. LinkedIn seems reluctant to tackle any issue that might not reflect well on the LinkedIn brand.

LinkedIn has a tiered privacy system that restricts data visible to members that are not connections, but there are different levels within your “personal network” where your data may be revealed to persons even if they aren’t a direct connection. I’ve never found any documentation that offers a comprehensive breakdown that explains this and it’s clear that LinkedIn members find this system confusing. The Help Center has a page titled “Your Network and Degrees of Connection” but that page does not explain which member activities or profile details are revealed to the different levels. Remember that, depending on your settings you may also be broadcasting changes to your job title, employment, groups you have joined, new connections, etc.

Harassment and Stalking

That issue pales in comparison to serious issues like harassment and stalking. LinkedIn claims to be “world’s largest professional network” and the intricate connection system gives members the impression that it’s a safe environment. Many people treat LinkedIn like an electronic resume and provide details they would never consider adding to their Facebook page or Google profile. Some members subscribe to paid premium accounts with the presumption this provides better access to customer service.

You would think that LinkedIn would respond quickly to any reports of harassment or stalking and that they would provide members with the tools needed to protect themselves. That is not the case. If you are being harassed or stalked on LinkedIn you have little recourse. In fact, there are no blocking mechanisms available to LinkedIn members at all. Even if you create a support ticket to report harassment you will be told by customer service that they can not block another member from contacting you or viewing your profile.

Here’s a response from LinkedIn Customer Service regarding a recent experience of my own:

Unfortunately, you can’t block a specific group member from messaging you. You can prevent all group members from sending you messages through the group from the “Your Settings” option in the group’s More tab. If you do not share a group and are not connected, they can’t contact you, except through InMail or Open Messaging.

In my case, communication was initiated through a LinkedIn group and if you reviewed the page titled: “Your Network and Degrees of Connection” you see that LinkedIn says that fellow group members are considered part of your network. Ok, not a problem I guess if a group member becomes abusive or a stalker joins a group to harass me I can just leave the group and break contact, right? Actually no. Here’s another excerpt from the same customer service inquiry.

I’m sorry for the frustration this is causing. If the line of communication was opened while sharing a group, the communication may continue.

Other major social networks have a blocking mechanism, LinkedIn doesn’t. Even an appeal to customer service is futile, they basically just put their hands up and say sorry we can’t do anything about it. My experience with this issue is minor compared to women who are victims of stalking and harassment that are trying to use LinkedIn professionally, yet find they are completely exposed by the lack of protection LinkedIn offers.

One member points out that the only solution presently available is for her to increase her profile privacy settings to such a degree that it becomes pointless to even have a LinkedIn membership:

I notice many complaints from Women who are often harassed on sites such as this. It is a real issue that should be addressed. Women should not have to worry about someone stalking her without jeopardizing her professional profile. Women in this situation may have to set her privacy so high that it negates the point of this site. Blocking one person would solve that problem. Please reconsider.

As she points out, in many cases the victims know who is stalking them and just want the ability to block a specific member account from viewing their profile or contacting them.

Another member makes this observation:

This is a negligent practice that LinkedIn is conducting. Stalkers have access to your current employer which can give them all kinds of information such as addresses and telephone numbers. I would suggest that LinkedIn make this change. I believe not having this function available is irresponsible on LinkedIn behalf by not recognizing the seriousness of this issue and contributing to possible criminal activities.

There are a number of discussions in the Help Forum that bring up this issue and the complaints aren’t just from women who are victims of stalking and harassment. One gentleman offers these thoughts:

LinkedIn is lacking some key privacy features, which is one reason I hardly use this site, and rarely recommend others. Members should easily be able to block messages from any individual member, and also should block profiles from any individual member.

Take a close look at this excerpt from the LinkedIn privacy policy.

LinkedIn Privacy Policy – excerpt

I’ve used an image so you can see where LinkedIn has emphasized points in bold.

You decide how much or how little you wish to communicate to individuals or groups

Based on member experiences in the Help Forum and the examples I’ve provided from Customer Service responses to my own support tickets, does this seem like a true statement to you?

Connection Privacy

One of the features that sets LinkedIn apart from other networks is the amount of control you have over who you connect with and who can connect with you. LinkedIn puts up a number of hurdles to potential contacts, and if you have ever tried to connect with someone you have had to prove to LinkedIn that you know that person. Every time we try to connect with someone, LinkedIn gently reminds us:

Important: Only invite people you know well and who know you.

LinkedIn: Invite to connect

LinkedIn subverts their own system when they present you with “People you may know“. You’ve probably seen this pop up after you accept a connection invite and this screen presents you with the option to send a connection invite to any member displayed through a single mouse click.

This is one method that a complete stranger can use to send you a connection invitation.

Think about that for a minute… you could actually know someone and if you initiate the connection invite, LinkedIn will ask you to prove that you know them. On the other hand, if LinkedIn thinks you may know someone, you can bypass all the useless formalities. I have no idea who most of the people are that are presented during these opportunities, many seem to have no common interest, shared group or demographic. So much for privacy through exclusivity. During these moments, LinkedIn also seems to toss their own advice out the window… “Only invite people you know well and who know you.“

Some people have learned the hard way that using LinkedIn to manage contacts is a very bad idea. Here are a few recent examples from the Help Forum:

• Inbox showing invites I never sent.
• STOP AUTO INVITES
• How do I stop Linkedin sending out invitation email to my gmail contacts?

It seems there are a few issues going on in these discussions and some may be cases where individuals authorized LinkedIn to import contacts and failed to notice an option to send invitations to contacts that aren’t on LinkedIn. If you examine the comments closely you will see that many members claim that is not what happened to them.

Linkedin is sending invitations out & accepting invitations on my account to / from people I have never heard of or had any contact with. This is absolutely unacceptable, must be corrected, apologized for, and corrected expediently!

When this happens, LinkedIn will send an invitation to join LinkedIn and two reminder emails.

I have more than 1500 contacts and all my contacts are receiving LinkedIn invites on my behalf, i have received complaints from many of my contact who very pretty upset with this recurrent reminders.

Your business associates and friends that do not have LinkedIn accounts may forgive you for sending a single invitation by accident. We all mess up and they may have done the same thing themselves. I did something similar a while back when I was working on organizing my contacts in Google+ and I sent about 200 people invites to join that network.

The problem is that LinkedIn sends an invitation and two reminders. Your contacts will consider that spam, and they are going to blame you.

This is a blog post about privacy, and you are probably wondering how this invitation issue/glitch pertains to that, right? Well consider the previous information about victims of harassment and stalking as you read this member comment in the discussion titled: “STOP AUTO INVITES“

I have gone on this site because the same thing has just happened to me. Only I didn’t realise it had happened until many hours later and now one of the invites I have unwittingly sent has gone to an identity thief whose email address was unbeknown to me still in my hotmail account from 5 years ago. I am terrified that this man, having had access to all my links for most of a day (bearing in mind he accepted of course, no doubt immediately) will do something dreadful to me again. I have to find a way of knowing whether he has sent connection requests to my contacts, if all else fails I will have to close my account too.

Note that you might have contacts in your email address book that you didn’t add personally. Depending on settings, addresses could be added to contacts if you reply to them or take other action.  Depending on the option you choose, the LinkedIn import connections function may pull contacts from an online webmail account instead of your local email client. Review listed contacts and purge any un-wanted contacts before you use this feature. Example: You may have deleted your ex-boyfriend’s email address from Outlook, but he could still be in your contacts online in your Gmail account. If you import those contacts and send him an invitation to join LinkedIn – he may think it’s “on” again.

Is this a user error, software glitch, or an intentional breach of trust to exploit member contacts to bring more members to LinkedIn? Before any accusations are leveled at LinkedIn we should review their response to the issue.

There is no response, they appear to be ignoring this issue completely.

I reviewed every page of the discussions linked to above and I could not find one comment by a LinkedIn Help Forum moderator. The Help Forum is a replacement to the Answers forum and for the most part its members helping members so there is no requirement for a moderator to address any issue. Moderators participate in some discussions, offering a link or talking about upcoming features. Sometimes they offer advice or correct mis-information provided by other members. I just want to point out that their assistance is conspicuously absent from these discussions.

Many members have indicated they submitted a support ticket for this issue, and when they could not get a decent answer to their request for help from Customer Service, they joined the member discussion in the Help Forum. You would think that with this many unhappy members LinkedIn would move quickly to resolve the issue and provide clear instructions on managing connection invites.

There is some hope for individuals that authorized LinkedIn to connect to their Gmail account and have caught this issue early on – you can revoke LinkedIn’s connection to your Gmail account. Follow these steps to revoke access:

1. Log into your Gmail/Google account and select Privacy
2. Under “Connected applications and sites” click “Manage access”
3. Under “Authorized Access to your Google Account” find LinkedIn and click “Revoke Access”
4. Here’s the direct link.

Breaking the connection with LinkedIn will stop the second and third round of invites from being sent out if you catch it soon enough. The first round of invites will already be in the email in-boxes of your contacts.

Members can withdraw connection requests but this must be done for each invitation. Members who sent hundreds of requests can submit a support ticket and ask LinkedIn to withdraw the requests but one seasoned member notes that:

If you opt to let LinkedIn Customer Service do the “withdraw” process, bear in mind it now takes LinkedIn Customer Service staffers at least 7-10 days to get to and process any service ticket, and all service tickets are handled on a strict FIFO basis regardless of where the service ticket originates. In the meantime LinkedIn will continue to send out reminders, which are sure to prompt even more recipients to click on the “I Don’t Know” option, and that will make it even more likely LinkedIn will restrict your account.

Another serious issue hinted at in that member’s comment is that LinkedIn only allows members a lifetime quota of 3,000 invites. To add insult to injury, current LinkedIn members that receive automatically generated invites can select “I don’t know this person” as a reply to your invite. The number of “IDK’s” you receive is used by LinkedIn as a flag that marks you as a “connection spammer”. This is one of the types of spam addressed in the Safety Center.

Privacy in Members Only Groups

There are two types of groups on LinkedIn: Members-Only and Open Groups and LinkedIn states that in members only groups: “Discussions are visible to group members only.“

I’ll get back to that in a second, first a quick review. We know that when you join a group, other group members are considered part of your network. Discussions you start in open groups can be viewed by anyone on the Internet and can be indexed by search engines. If you’re worried about privacy, you should already be well aware of the fact that anything you say in a discussion, comment, or status update on any social network is something that could end up being viewed by anyone. People get fired for the stupid stuff they say on Facebook and Twitter.

If you join a members-only group (sometimes referred to as a closed group) on LinkedIn, you might feel that you have an additional layer of privacy because LinkedIn states that: “Discussions are visible to group members only.“

That’s not really true because:

• Anyone that is a member of the group, including competitors, your boss, jealous spouse, etc. can just copy/paste your comments to the group. They can also print entire discussions to a PDF file or use their browser print function. You should already know this but some people forget this and LinkedIn doesn’t go to any effort to point this out in their information about groups in the Help Center or Safety Center.
• All groups produce an email digest. As a group member you can change you settings to turn off digest emails so that you don’t receive them, but they are still available to everyone else. The group owner has no control over this and there is no option in the group administration settings to switch off digests for an entire group. That means that the comment you made about how big an idiot your boss is can be forwarded to him via email in a couple of mouse clicks. It doesn’t even matter if your boss isn’t on LinkedIn, someone else can just forward the email digest. Maybe you don’t talk trash about your boss. Good for you! Maybe you are a member of an industry group and you are discussing company procedures with your peers. Do you realize that your competitors may be listening in on that conversation?

You should be smart enough to think of these things and protect yourself, but I also think that LinkedIn could offer some practical privacy advice in their Safety Center. Why don’t they? I don’t think that’s a priority for them, do you?

Bugs in LinkedIn Cause Privacy Issues

If you’re one of the many people annoyed by the fact that other members can view your profile anonymously, here’s a glitch that offers a bit of karmic payback to profile stalkers. LinkedIn has a lot of bugs and glitches and if you use the site on a daily basis you probably are no stranger to error messages and features that seem to break for a while then start working again. In the image above you can see that I’ve clicked the notification flag and it is displaying information on people who have recently viewed my profile. See John on the left? When I click on “Who’s viewed your profile” his identity was hidden. It seems that John didn’t want me to know he was checking out my profile, but a glitch in the notification system gave him away.

I haven’t been able to get this glitch to repeat but I’ve seen similar issues when navigating the group administration menu. Individuals that had their profile pictures hidden, are revealed under certain circumstances when I review group discussions. Just remember, you might think nobody can see your profile photo, but that doesn’t mean a bug in the LinkedIn website won’t reveal it anyway.

Overview of LinkedIn Privacy Settings

LinkedIn privacy settings – profile

Most of the privacy settings can be accessed from the Profile tab after you click Settings from the main page. Something to note, you actually have two profiles on LinkedIn. One that LinkedIn members can view, and a public profile. Your public profile can be viewed by anyone on the Internet and may be indexed by search engines so pay close attention to your settings.

Under the Groups, Companies & Applications tab you can review the list of applications connected to your account. Remove any that you do not recognize or that you no longer use.

LinkedIn privacy settings – account

Additional settings are listed under the Account tab. Protect your account with a strong password!

LinkedIn privacy settings – https

Under the Account tab you will also find the setting to enable HTTPS access. If you access LinkedIn on a laptop over a wi-fi network you need to have this enabled. In fact, there really isn’t any reason I can come up with to not have this enabled so just do it.

Groups – display icon

If you’re worried about stalking or harassment you might also want to turn off group logos that are displayed on your profile. Remember that according to LinkedIn, fellow group members are considered part of your network so a stalker could just look at what groups you’re a member of, then join them to send harassing messages to you. Remember my experience with customer service? Once someone initiates contact through a group, you can’t break that contact even if you leave the group. And… there is no block function so if you’re worried about stalkers, hide your groups. You have to change that setting in each group you are a member of. The group logo is visible by default when you join a new group so remember to turn it off.

Wouldn’t it be nice if all of those privacy settings were organized on a single page?

Wouldn’t it be nice if the Safety Center explained how they work? Some settings offer no explanation of what they do or how they impact your privacy. Take a look at “Turn on/off data sharing with 3rd party applications” under the groups tab. What does that do? It sounds important doesn’t it? Should I have to go digging around in the Help Forum or create a Customer Service ticket to ask what a profile setting does?

Thanks for reading through to the end. Your comments are welcome. Sometimes I have problems with comment spammers on my WordPress blog and while Akismet is great about catching them I still hate cleaning them up – so I will also make a partial re-post to Google+ and you can add your comments there if you prefer.

Has spam gone on holiday?
Lately, in the groups with whom I work, there has been a very noticeable absence of spam. Sometimes we go several days in a row with no bot activity and no spam profiles as new members. (These are large groups and previously attracted a lot of bots.) Are your groups experiencing the same thing?

While I agree that some of the high volume spammers are gone, I don’t think we are out of the woods yet. My reply posted to the LGPF and shared here…

I’ve seen a general decrease in some of the high-volume spam. Top-paying-jobs no longer hits any groups I mod/manage. After contacting an exec at Indeed.com and providing them with the account numbers of affiliate sites that were spamming my groups, there has been a reduction in spam from Indeed affiliate sites. While Indeed can’t shut down the sites, they can turn off payment to the affiliate so that might have had a chilling effect on some of the job-spammers. I am thankful to the folks at Indeed for being proactive in this.

Right now the remaining offenders consist of certain well-known LinkedIn experts that use a network of affiliates or cleverly crafted fake accounts to spam groups. LinkedIn seems reluctant to dislodge these folks from the network even though many are using free LinkedIn accounts to build their fortunes while destroying our groups with spam.

There is also a rise in spam from affiliate bloggers for the Empower Network. I’ve posted a couple of bulletins about them at GreenNotice.net

Faster Than The Speed Of Thought!
Peeing on Live Webinars?

There are other offenders that use affiliate programs such as Tradepub which uses the offer of various free publications to solicit a large amount of personal/business information which they use/sell for marketing purposes.

The sites that offer affiliate programs are often promoted by suspicious LinkedIn member accounts. Some are obvious bots, others are either well-crafted bots or real people who set up new LinkedIn accounts just to promote the “product”. The use of affiliate programs is very clever. You can trace the money back to the site owner, which is often a LinkedIn member (or company) but they can maintain plausible deniability since they can claim the affiliates are the ones spamming the groups. Even if the affiliates are all bots, the site owner can still claim that someone else is creating the bot accounts to profit from their affiliate program.

IMHO the best way to deal with LinkedIn members that are gaming the system is to boot them from LinkedIn. It would be a bit harder to sell webinars promoting services as a LinkedIn expert, if that person were not a LinkedIn member, right?

I’ll also point out that creating the posting tools is a profitable business in its own right. The latest versions can even create fake LinkedIn accounts as well as spam links to groups.

LinkedIn group owners have asked for better group management tools, including something similar to a “profanity filter”. Anyone familiar with online forums or gaming software has probably seen the feature where a user can specify words/phrases they want blocked automatically.

Group owners and managers are on the front lines and as indicated in posts by LinkedIn staff, the data we provide by flagging posts and blocking members is used by LinkedIn to analyze member accounts to determine if they are violating the LinkedIn User Agreement.

Since group owners clearly see the threats as they emerge, let us block URL’s in our own groups that we feel are promoted in off-topic posts, or by spam-bot accounts. When the spammers realize they are completely shut of a group out within minutes of their first spam campaign, the economics will kick in. No more easy money = no more spam. Nobody will buy the auto-posting tools because they will no longer work. Nobody will set up sites to spam LinkedIn groups because they know that after that effort they will quickly find that URL blocked.

Chasing bots and trying to flag those accounts is a useless waste of time. Let the spammers create 10,000 bots and just block the URL’s instead.

Reposted from GreenNotice.net by permission.

Currently I am tracking LinkedIn group-spam from 53 domains.
Since I have access to several groups, I have the opportunity to compare posts and this makes it possible to spot:

• When the same bot account is promoting different websites.
• When bots promoting different sites post at the same time, and the same daily interval.

In the image I’ve provided, you can see that three different websites are being promoted at the same time. I ask you to consider the following and decide which is more likely:

1. Three LinkedIn members posted links to their favorite websites at the same time.
2. Three different automated bots posted links promoting websites, at the same time by coincidence.
3. The three bots are run by the same bot-master who has them set to run in a batch.

I’m going with #3. So I think it’s the same bot-master running scripts to promote these websites. If you perform a whois lookup on the three domain names you will find that two have privacy protection enabled, but one reveals the owner of the website. I’ll let you do the legwork.

Considering the previous question, I am offering two possible conclusions:

1. There is one bot-master, promoting sites for multiple clients and he runs his scripts at the same time.
2. All three sites are owned/operated by the same person.

I’ll let you decide, and of course there may be other possibilities. Consider that I’ve just shown you one sample and I may review hundreds of these posts on a daily basis.

In some cases the similarities between sites, bots, schedule are so close that I start looking for other details to link them together. I’m not going to say anything more, except that on the Internet, there is no place to hide and ultimately no privacy.

The man behind the mask is always revealed.

Originally published at GreenNotice.net

Here’s an excerpt:

The new Boeing 787 Dreamliner can carry about 250 passengers. This blog was viewed about 1,200 times in 2012. If it were a Dreamliner, it would take about 5 trips to carry that many people.

Click here to see the complete report.

Online security is about not making yourself the low hanging fruit. That’s a concept I’ve spoken about before and just taking a few measures to set yourself apart from the rest of the pack can really work to protect your online assets like email and social media accounts. (Twitter, Facebook, G+, etc.)

Here are some steps you can take now:

Change the passwords for all of your online accounts to unique, secure passwords.

Use a password generator to make strong passwords. PC Tools provides a free secure website for this.

Use a password vault program to store multiple strong passwords so you’re not writing them on paper or forgetting them. KeyPass is excellent user-supported software that can store and organize your passwords securely. You just remember one strong passphrase that secures the vault. KeyPass can be set up to work from a USB stick and there are Windows and Linux versions.

Review the privacy settings for your social media accounts.

As you log into each social account to change your password, it’s the perfect time to review privacy settings.

Facebook is famous for making changes to settings and if you’re prone to posting photographs of your New Year’s celebrations to your FB friends, you might want to review your settings first to make sure you are sharing them with the right people. Sharing everything publicly often comes back to haunt folks.

Google Plus allows you to put contacts in circles, and that is a great way to share information with close friends without exposing information to the public. Take a few minutes to set up different circles that allow you to separate “work friends” and “play friends”. You can always specify multiple circles for posts to Google+.

Take an inventory of the apps and plug-ins that have access to your social media accounts.

As you log into each account, review what apps have authorization to access your account. If it’s something you don’t use anymore, or don’t remember installing – revoke the authorization.

Remember that these apps may have permission to read your posts, or even post as you so think twice before you grant access to your Twitter, Facebook, LinkedIn or other account.

Remember that third-party apps can present security issues and may end up in your account being hi-jacked.

If you have social media accounts that you no longer use, close them.

If you’re not checking an account on a regular basis, you may not notice if any unusual activity occurs.

Secure your primary email account with a strong password.

So maybe you say you’re too busy to re-set all of your passwords, but you should take the time to lock down your primary email address. I’m talking about the email address you used when you set up your Facebook, G+, Twitter, etc. accounts. If anyone guesses or cracks that account password, they will use that email account to request password resets from your other online accounts. All of those re-set links get sent to your email account, and now the hacker has control of all of your online accounts. Don’t be that guy. Lock down your email account.

Remove credit card information from online accounts that you don’t use frequently.

Did you make a purchase from a website 6 months ago? Did that site store your credit card information? Go log back in right now and delete that information. Most sites will allow you to delete billing information while retaining your account. You can never be too sure what security procedures are taken by sites to protect user data and if you’re not planning on using a site to make regular purchases, don’t leave your credit card details sitting around. If someone hacked that account, they could use that information to make purchases or if the servers are hacked, all of the user data for that company could be exposed.

Have a safe, happy and prosperous New Year!

WiFi is the term for a wireless Internet connection. In most cases, this technology is in use when you use your laptop to access the Internet and it is not plugged into anything to make the connection. In earlier times we all connected using a Modem (“dial-up”), and had a wire going into the phone jack of our home or a network cable at work for the office LAN. Either way, there was a wire coming out of your computer that made the connection to the Internet.

So if you are viewing web pages or sending email from a laptop that doesn’t have a wire plugged into something, you are using a WiFi connection. (There are possible exceptions to this but I promised to keep it simple so I won’t go into those.)

Your laptop may not be the only computer you have that uses a WiFi connection. It is possible that your home network uses a wireless router and the computers in your house connect to the Internet this way. This type of connection is common in homes with multiple computers. If you travel a lot you may use the WiFi Internet connection offered by a hotel or restaurant to check email or review your bank balance.

The first thing we need to think about when we discuss WiFi security is that it is a radio transmission. The signals that connect you to the Internet are broadcast between your laptop and the host just like a walkie-talkie or a cell-phone. This means that other people can listen in on your computer’s conversation as it sends your data around the Internet (your emails, passwords for banking accounts, etc). Many folks assume that these communications are secure or that only someone like James Bond could figure out how to intercept these signals. Not true, so first let’s talk about using WiFi safely for your home network.

At home you have a little box with an antenna sticking out of it. That is your wireless router and in most cases it has a cable to make the Internet connection provided by your local Internet Service Provider (ISP). It then broadcasts this signal so your computers can connect. Your router is set up with a network name called the Service Set Identification (SSID). If you have ever used your laptop at a public hotspot the utility software that makes the initial connection would display a list of all the nearby networks and those names are the SSID’s.

If you want a secure WiFi network at home the first step is to hide your SSID. Your can change your wireless router settings so that it does not broadcast the SSID for your system. Anyone that can see that SSID, knows you have an active wireless network. They can connect through your network to use the Internet.

Hide your SSID

An important step is to make sure your network is secured using some type of encryption. If you take another look at the local networks displayed in the example, you’ll see they have a padlock symbol next to them. This means that this is an encrypted signal and only people that know the network key or password can connect to this network.

Remember that I promised I would not get technical so I am not explaining how to set up your network. In this article the goal is to make you aware of these settings and show you how to determine the security of any WiFi network you connect to.

As a basic security precaution, your home network should hide the SSID and use encryption. These are the minimum requirements to having a safe home network. Not taking these steps is like leaving your wallet on the table at a restaurant while you visit the restroom. Maybe your wallet will be there when you get back, but you can’t complain if it’s gone – it’s your fault for not securing your property.

Read this, then decide if you want your home network open to everyone in range of the signal: “Mistaken FBI Porn Raid Underscores Wi-Fi Privacy Risks“

It’s not just your neighbors you have to worry about. There are folks that drive around looking for unsecured networks. This is called Wardriving. Cyber-criminals aren’t going to use their own connection to conduct their illegal business. They will use public hotspots or unsecured home WiFi networks for this.

Now let’s talk about public WiFi “hotspots”. It is common for hotels, restaurants and even the local public library to offer a free Internet connection to customers. It’s convenient to not have to mess with cables, the staff doesn’t have to bother with setting up accounts and passwords. It’s a nice perk to offer that helps bring in customers.

The same issues I’ve just described for your home network also apply to public hotspots. If you can just turn on your laptop, select the SSID and connect without supplying a password, then you are on an un-secured network. Remember we are dealing with radio signals here and that means that all of the communication between computers and the host network can be “listened” to. It does not require expensive and sophisticated hardware or software to do this. Someone could be eavesdropping on your signal to lift important personal information.

You should not conduct any financial transactions or confidential emails using a public WiFi hotspot.

There are some precautions you can take to protect your information but as a rule, wait until you can access a secure network (hopefully at home) before you conduct any financial or confidential communication using WiFi.

HTTPS secure browser connection.

If you have to connect, check the address bar in your browser and make sure you have a secure connection. The website address will start with https:// and you will see a padlock icon. Depending on the browser this may appear to the left or right of the address. When you have made a secure connection using your browser, any information you transmit is encrypted on your computer and decrypted at the destination site. Most banks use this protocol and if you are making a purchase online you should always make sure it uses a secure connection. If you are at a WiFi hotspot and you buy something from a website, make sure that padlock icon and “https” are displayed or you are sending your credit card number in the clear as plain text anyone can read.

Let’s say you were making a purchase using your cell phone. Would you say your credit card number out loud in a room full of strangers? What about your address or Social Security number? If you wouldn’t say it out loud then make sure you are using a secure connection to send the same information at a hotspot or using your home WiFi network.

These are some basic steps you can take to protect yourself. Hopefully by leaving out all of the technical stuff, you were at least able to make it through to the end of the article. I realize that many people are intimidated or confused by “tech-talk” so if you want to learn more please ask.

An exploit for Java is taking off quickly and there is no word from Oracle if they plan to put out an emergency patch to address the issue before their regular updates come out in October.

According to CERT (United States Computer Emergency Readiness Team):

This vulnerability is being actively exploited in the wild, and exploit code is publicly available.

Leading malware researchers are telling users to turn off the Java plug-in in their browser. For some browsers this is not that complicated but for Internet Explorer the process is more involved. The link provided to CERT has detailed instructions on how to disable the Java plug-in for all major browser types. Please take action immediately to protect yourself.

Update: The ESET Threat Blog has instructions for disabling Java in several browser types including screen images of the settings pages.

Researchers suggest this exploit could affect Java users for Windows, Mac and Linux.

As if that weren’t bad enough the popular Adobe Flash browser plug-in also has major security issues. This goes back to May but if you’re don’t have automatic updates enabled you will need to get this update manually from Adobe.

As you can see, this has a priority rating of 1 for Windows users so take a moment and visit the Adobe site and check to see if your version is current.

Also consider that even if you have automatic updates enabled, if you don’t have your computer powered on and connect to the Internet the auto-updater can not work properly. If you rarely connect to the Internet or use a laptop that is turned off when not in use, take a moment to verify that your system has received all of it’s required updates. If your system runs Windows, you should check for critical updates using the option in the Internet Explorer browser.

A while back I helped a friend with a minor computer issue, then just for kicks I ran Windows Update. They were sorely behind as their laptop was never on during the hours they had set to receive updates. Windows Update includes fixes for critical security issues and also includes updates for the Malicious Software Removal Tool supplied by Microsoft.

While you’re at it, make sure your Anti-Virus/Malware protection software is up to date as well, and run a full system scan. Stay safe.

In the previous post in this series, I covered steps to take that secure your website starting on your home system. In this post we will examine the .htaccess file and some simple changes you can make to this file to increase the security of your website. It’s possible that your web host doesn’t support .htaccess or may not allow you to access this file since this file can allow a number of advanced settings that might get some users in trouble. In many cases your host may allow you to access an .htaccess file via control panel icon. They may not even call it .htaccess but that’s what you’re making changes to.

.htaccess via cPanel

If your webhost provides cPanel access you might be presented with some .htaccess options in the form of icons in your control panel. The layout may vary with different hosts but here you can see a section of the cPanel from an InMotion Hosting account. Often these icons are provided for customer convenience and as you will see in a moment you can either use these to update specific functions or just edit your .htaccess file.

The functions presented in this menu allow quick changes to indexing, password protection of directories and blocking specific IP addresses from visiting your site.

First, lets talk about indexing.

Have you ever visited a site (maybe yours) and instead of viewing a web page, you are presented with a file list? When someone types a URL usually a special file called index.html is displayed by default. If the URL path entered does not contain an index.html file a file list for that folder is shown by default. If you actually want to present your visitors with access to files in that folder, then that’s a good thing. However hackers can use this to examine files on your site for possible exploits. You can prevent this by creating an index.html file for every folder on your site, but this is tedious work and completely unnecessary if you make a simple change to .htaccess.

If we hop on over to POWWEB we can see their control panel setup is different and there is an icon labeled “.htaccess” right in plain view.

POWWEB .htaccess icon

As you can see, it’s possible for hosting providers to provide different methods of changing the .htaccess configuration. Like InMotion Hosting, POWWEB will first offer you a one-click solution to some of the typical .htaccess commands. In both cases the hosting provider is taking steps to allow you to edit certain features without making it necessary for you to edit the .htaccess file manually.

There are a lot of things you can change via .htaccess and you should examine and backup your current .htaccess file before making changes.

It’s probably a good idea to make a backup of any file you plan on editing when you are working on your website, just in case the changes don’t come out as planned. This is a priority when making changes to .htaccess since this file can change how your entire site will function. You should also include your .htaccess file in your site backups.

Before we make our first change to .htaccess you should also know that these changes are recursive. This means that if you make a change to the .htaccess file at the root of your website (top-level directory) those changes will apply to all of the underlying folders. Things get a bit more complicated if you want different behavior in sub-folders but you can create .htaccess files in those as well to provide specific functions in any given folder. Just remember that anything you don’t specify in the sub folder .htaccess file will inherit properties from above.

The rest of this post will involve direct edits to your .htaccess files so if your hosting provider offers some of the one-click solutions listed above and you aren’t comfortable editing .htaccess you could start by reviewing your hosts support website for examples specific to that system.

If you have a website, you probably already know how to open and edit files on your webhost. One thing to remember, the .htaccess file is a hidden file by default so you will need to select the option to display hidden files in whatever file manager your using. Using Filezilla, you can right-click on .htaccess and select view/edit to open the file.

Let’s take a look at a simple .htaccess configuration:

# Protect .htaccess files from hackers
<Files .htaccess>
order allow,deny
deny from all
</Files>
# Turn off directory indexes
Options All -Indexes

The first line is a comment. Just as you should comment your .html files when you work on your website, you should also comment changes to .htaccess so later you remember why you added certain commands.

Lines 2-5 specify that the .htaccess file is not accessible by visitors to your site. This will help protect you from hacks that exploit changes to .htaccess for re-directs, etc.

The last line deals with indexing. Earlier in the post I explained how visitors to your site might see a list of files displayed for a folder, Add the last line and you can prevent that from happening.

These are some simple changes you can make to keep your site from becoming the low hanging fruit that hackers love to devour. If you use a CMS (Content Management System) such as WordPress, you can deploy even more changes that will help harden your WordPress installation. The folks at Dynamic Net, Inc. have written a highly detailed blog post titled: Making WordPress More Secure.

If you use a different CMS like Drupal, or Joomla you should review the information on secure installations first. You may find tips for .htaccess modifications that will make that CMS more secure. I know it’s tempting to just read the quick start guide and perform a “5 Minute Installation” but you may find that using a default installation sets up a common configuration that hackers are well aware of.

In the next blog post I’ll examine permissions and some specific tips for hardening popular Content Management System installations.

You may wonder why criminals would care about your blog or website. They don’t. Criminals want access to your Internet hosting account so they can use that as a platform to spread malware, launch spam email campaigns and engage in other criminal activities that they don’t want traced back to them. Your hosting account is a very valuable tool for them. If your website is popular and attracts a lot of visitors that is just icing on the cake; but it really doesn’t matter to them if you only get one visitor a month. Your hosting account is a platform they can exploit for their criminal activity.

Bear in mind that just like you, your website has a reputation and if your site is marked as infected by major search engines, or identified as a source of spam email you will ostracized by the Internet. You may be dropped from the search engine rankings, or your site visitors could be greeted by a dire warning and asked if they really want to proceed. You may suddenly find that emails sent from your domain name are being bounced back from your friends and customers. I’m not making this stuff up. Have you ever visited a site and had your browser warn you that it might have malicious content? What happens if folks trying to visit your website start seeing this warning? You lose customers, that’s what. If your hosting account is taken over and used to send spam email, you can be assured that your account will be suspended by your host. Resource abuse is a major concern of hosting companies and if they see your account sending (tens of) thousands of emails you may find they have little sympathy for you. It was your responsibility to secure your site and your passwords.

So how does securing your home computer help protect your website?

You may be storing the passwords to your website hosting account or blog in plain view on your computer.

Think about this for a moment. Your computer is constantly at risk every time you go online. Even popular websites that you think are secure can be infected with malware – this happens more often than most people realize. In this blog I try to advocate taking personal responsibility for your online security. Use anti-virus/malware products provided by reputable vendors and keep your operating system and software up to date.

Windows update can keep your operating system up to date automatically, but you still have to make sure that other software on your system is current.

If you maintain a website you probably use software to transfer files to your host via FTP or a Content Management System (CMS) that allows you to edit your web pages and automatically upload the changes. These programs need the password to your hosted account to transfer files. Did you check the little box that allows the program to save your password? Do you know how that program saves your password? You might be surprised to find that some very popular programs will store your password in plain text on your hard drive. This matters because criminals also know about this and if your personal computer is compromised by malware such as a keylogger or  a Trojan that allows remote access to your computer the criminals now have the keys to your website. Don’t think for a second they won’t use this information.

So in this installment I’m not going into any fancy security tricks for protecting your site on the webhost. The lesson today is fundamental to the security your entire online ecosystem: Secure your computer!

Use secure passwords and protect them.

I’ve covered Internet security in broad strokes before. Last year I crafted a post titled: “The Four Horsemen of your Internet Apocalypse” where I discussed password security so review those recommendations when you get a moment. What I want to emphasize in this post is taking extra steps to secure your passwords to your online hosting accounts. These are gems to criminals who will either exploit them for their own use or pass your credentials on to their friends to exploit.

Keeping track of multiple passwords to online accounts is difficult and if you use different passwords for every account it can get confusing as well. So let’s start with a simple tool that is secure and that works to protect and organize all of those passwords. KeyPass stores your passwords in an encrypted file that you secure with a single strong password. Now you only have to remember one password to access all of your passwords securely. KeyPass is cross-platform and runs on Linux, Windows and Mac so you can create a single password file that you can share among all of your devices. I’ve used both Windows and Linux versions and have never had a problem.

When you create an entry, you can specify a URL to a login page so when you open KeyPass you can navigate quickly to any website by clicking the URL for that entry and then copy your username and password. KeyPass can also be configured to automatically enter your login credentials for you. If you use Norton 360 you have ID Safe at your disposal. However this will only be available on computers with a licensed copy of Norton’s software.

After you’ve configured your KeyPass database, copy the file to another computer or thumb drive as a backup just in case you accidentally delete or corrupt your main password file. Although you can use a thumb drive for a portable copy, I don’t recommend using this as your primary copy.

The next step is to go back and delete any passwords you may have stored using un-secure FTP programs or your browser. I never feel secure letting my browser store passwords. Does the browser encrypt these stored passwords? I don’t know so I just let KeyPass handle all of the password storage. Since KeyPass has a built-in password generator you could change the passwords on your key accounts to more secure passwords. That way even if you let your FTP program store passwords previously, you don’t have to worry if those copies are still on your hard drive. Just change the passwords, store them using KeyPass and move on.

On a final note, you may have noticed I talk about criminals not hackers. “Hacker” is one of those terms that has many meanings and unfortunately when the news-folk use the term they are always referring to the worst kind of hacker. The criminals who gain unauthorized access to computer systems. Since this is illegal (criminal) activity I just call these people criminals. I don’t glorify their actions with any other terms.

Many home computer users may also have a business of their own and it’s likely that they have set up a website to promote products or services online. Even if folks aren’t promoting a business, they may have a personal website to promote an interest, hobby, local group or to provide professional credentials such as a CV and portfolio.

Security issues in a hosted web environment often trace back to the personal security habits of the person setting up and managing the website. if an individuals home computer is compromised by password stealing malware and that could take the hackers directly to their websites which are prime real-estate.

If you have a website, some things to consider:

• If you store your passwords in a plain text file on your personal computer and it’s compromised by malware, you have handed all of your credentials to the hacker.
• Some software commonly used for website maintenance stores passwords in plain text. Does yours?
• How you access your website to make changes can expose information to potential hackers. There are some steps you can take to make it tougher for them to intercept your credentials.
• Since the default settings for many CMS (Content Management Systems) are widely known, often just making simple changes during setup can discourage hackers from attempting to penetrate your site through known exploits.

You may think that your website is safe from hacking because you just keep a personal journal, or family pictures. It’s not the content that the hackers are after, they want commandeer your site for their purposes. Sending spam email, hosting and distributing malicious files and other nefarious purposes.

You may not even realize what is going on until your hosting provider suspends your account or you friends start telling you that their browser displays a “malicious site” warning when they try to visit. By then, your Internet reputation has been trashed and your hosting service might not be very sympathetic either. Their solution will be to just delete or quarantine the files that have been compromised. They will not fix your site for you.

An ounce of prevention is worth a pound of cure.

To this end, I will craft a series of posts that focus on issues related to personal website security. Steps to take at home and on the hosted environment will be covered. Please subscribe to the blog or follow @internetlock on Twitter for announcements regarding new posts.