Mozilla Offers Free Secure File-Sharing Service

Mozilla on Tuesday announced Firefox Send, a free encrypted file-sharing service that works in any browser.

To share a file, you simply visit the Send site and drag your file to a box on the Web page. Unregistered users may upload up to 1 gigabyte in files, while registered users have a 2.5 GB allowance.

After uploading your files, you choose an expiration time for the link used to share them. Expirations can be set for number of downloads — one to five, 50 or 100 — or in increments of time, from five minutes to one hour, one day, or seven days.

You can protect the link with a password.

You then click the upload button, and you’re given a URL. The URL contains a link to the file and a key for decrypting it.

The person receiving the URL can click on it to download the file, decrypt it, and store it on a computer — or on a mobile phone when the Send app for Android becomes available. It is currently in beta.

There are no hoops for recipients to jump through, noted Nick Nguyen, Mozilla’s vice president of product strategy.

“They simply receive a link to click and download the file,” he wrote in an online post. “They don’t need to have a Firefox account to access your file. Overall, this makes the sharing experience seamless for both parties, and as quick as sending an email.”

Ephemeral Storage

A service like Send has a number of uses for consumers.

“Imagine the last time you moved into a new apartment or purchased a home and had to share financial information like your credit report over the Web. In situations like this, you may want to offer the recipient one-time or limited access to those files,” wrote Nguyen.

“With Send, you can feel safe that your personal information does not live somewhere in the cloud indefinitely,” he added.

There are other services for sharing files — notably, Dropbox, Box, Google Drive and Microsoft OneDrive — but they don’t have the ephemeral quality of Send.

“They’re geared toward more permanent file storage,” said Ross Rubin, principal analyst at Reticle Research, a consumer technology advisory firm in New York City.

“They’re trying to get you to pay for more permanent storage,” he told TechNewsWorld. “That’s how they make money, so they don’t have much interest in helping you effectively manage your space.”

Niche Targeted

There are other cloud services similar to Send, Nguyen conceded, but not with Mozilla’s commitment to privacy and security.

“We know there are several cloud sharing solutions out there, but as a continuation of our mission to bring you more private and safer choices, you can trust that your information is safe with Send,” he wrote.

“As with all Firefox apps and services, Send is Private By Design, meaning all of your files are protected and we stand by our mission to handle your data privately and securely,” Nguyen continued.

The privacy issue will draw some people to Send, observed San Jose, California-based Kevin Krewell, principal analyst at Tirias Research.

“Firefox is going after a niche audience that doesn’t trust the larger corporate cloud services,” he told TechNewsWorld.

“It’s not going to pose much of a threat to companies focusing on the transfer of large files, but it is a good alternative to consumers looking for an easy way to send files securely,” added Reticle’s Rubin.

“There have been free tools to secure files for a long time,” he continued, “but they haven’t been easy to use or from a source that consumers know and trust.”

While Send may not threaten the bigger players in the market, it could open an opportunity for Mozilla.

“They could partner with mail providers to provide a way for them to handle larger attachments,” Rubin suggested.

Complacent About Security

Because Send works inside any browser, it makes things easier to organize and send, noted Tanner Johnson, a senior analyst at IHS Markit, a research, analysis and advisory firm headquartered in London.

That doesn’t mean that consumers will be rushing to share their files securely, however.

“Unfortunately, we live in a very complacent society, security-wise,” Johnson told TechNewsWorld, “so a lot of these services — unless they’re very user-friendly and require little input and setup from the user — won’t be adopted quickly.”

“You’d be surprised how many people refuse to enact two-factor authentication on their devices because setting up the account and configuration is just too taxing,” he said, “so they throw their hands in the air and just give up.”

One drawback to Send is that when recipients have an unencrypted copy of a file, they can do anything with it.

“You need to trust the individual you’re sending the information to,” Johnson said. “If you have something you want to conceal or keep private, you have to trust that person won’t turn around and share it with someone else.”

Foiling Middleman

Send is designed to foil a man-in-the-middle attack, in which an unauthorized person snatches a message from a sender before it reaches a recipient.

With Send, “even if a message is intercepted, it’s illegible because it’s encrypted,” Johnson explained.

While secure file-sharing hasn’t gained wide consumer acceptance, demand for it has been growing, he noted.

“As more stories appear about mismanagement of data,” Johnson continued, “visibility will grow, which will drive adoption.”

Send will attract security-minded individuals, as well as those concerned with basic, digital security hygiene.

“It’s an interesting product,” said Phil Zimmermann, creator of PGP encryption and an associate professor at Delft University of Technology in the Netherlands.

“It’s certainly better than a service that uploads files without encryption,” he told TechNewsWorld, “or uploads encrypted files with the key to decrypt them.”

Although Mozilla’s browser fortunes have been declining, Send is an example of its strategy to remain relevant.

“At Mozilla, we are always committed to people’s security and privacy,” wrote Nguyen. “We are continually looking for new ways to fulfill that promise, whether it’s through the browser, apps or services.”

admin March 20, 2019 0 Comments

Court: Cops Can’t Compel the Use of Body Parts to Unlock Phones

Authorities can’t force people to unlock their biometrically secured phones or other devices, a federal judge in California ruled Thursday.

“The Government may not compel or otherwise utilize fingers, thumbs, facial recognition, optical/iris, or any other biometric feature to unlock electronic devices,” Magistrate Judge Kandis A. Westmore wrote in an opinion for the U.S. District Court for Northern California.

An attempt by law enforcement authorities in Oakland, California, to force two suspected extortionists to unlock their mobile phones with biometrics violated Fifth Amendment protections against self-incrimination, Westmore found.

Passcodes used to unlock devices already are protected by the Fifth Amendment, which prevents the government from forcing people to testify against themselves, she explained.

“Biometric features serve the same purpose of a passcode, which is to secure the owner’s content, pragmatically rendering them functionally equivalent,” Westmore wrote. “It follows, however, that if a person cannot be compelled to provide a passcode because it is a testimonial communication, a person cannot be compelled to provide one’s finger, thumb, iris, face, or other biometric feature to unlock that same device.”

More Than Physical Evidence

While compelling someone to give up their fingerprints or DNA to law enforcement is an accepted practice, Westmore argued they’re not the same as compelling someone to unlock a phone with a biometric security feature.

“Requiring someone to affix their finger or thumb to a digital device is fundamentally different than requiring a suspect to submit to fingerprinting,” she wrote.

“A finger or thumb scan used to unlock a device indicates that the device belongs to a particular individual. In other words, the act concedes that the phone was in the possession and control of the suspect, and authenticates ownership or access to the phone and all of its digital contents,” Westmore noted.

“The act of unlocking a phone with a finger or thumb scan far exceeds the ‘physical evidence’ created when a suspect submits to fingerprinting to merely compare his fingerprints to existing physical evidence (another fingerprint) found at a crime scene, because there is no comparison or witness corroboration required to confirm a positive match,” she wrote.

“Instead, a successful finger or thumb scan confirms ownership or control of the device, and, unlike fingerprints, the authentication of its contents cannot be reasonably refuted,” Westmore found.

Step Forward for Privacy Rights

The protection of personal phone data and control over biometric information are two of the most important emerging privacy issues in the criminal justice system, said Alan Butler, senior counsel with the Electronic Privacy Information Center, a civil liberties advocacy group in Washington, D.C.

“The decision from the Northern District of California is an important step forward for constitutional privacy rights,” he told TechNewsWorld.

“The judge rightly recognized that traditional constitutional principles must be adapted as technology changes in order to preserve privacy and other rights ensured by the Fourth and Fifth Amendments,” Butler said.

“Law enforcement officials are charged with upholding the Constitution and cannot act contrary to its limitations, so there cannot be any legitimate law enforcement activity that violates these important Constitutional rights,” he maintained. “The government must use legitimate means subject to proper judicial oversight if they want to obtain evidence for an investigation.”

Think Outside the Phone

Although Westmore rejected law enforcement’s reasoning for forcing suspects to unlock their phones by using a part of their anatomy, she wasn’t insensitive to law enforcement’s position.

“While the Court sympathizes with the Government’s interest in accessing the contents of any electronic devices it might lawfully seize, there are other ways that the Government might access the content that do not trample on the Fifth Amendment,” she wrote.

In the case before the court, Facebook Messenger was used in a suspected extortion attempt. Law enforcement officials could have obtained the information they wanted from Facebook under the federal Stored Communications Act or through a warrant based on probable cause, Westmore suggested.

“While it may be more expedient to circumvent Facebook, and attempt to gain access by infringing on the Fifth Amendment’s privilege against self-incrimination, it is an abuse of power and is unconstitutional,” she wrote.

“Law enforcement is creative and diligent,” said Justin Kay, an attorney in the Chicago law office of Drinker Biddle & Reath.

“Law enforcement will find a way to get in even when they can’t get in through cooperation,” he told TechNewsWorld.

SCOTUS Bound?

Although Westmore’s opinion doesn’t have the weight of a higher court decision, it could be very influential.

“Defendants and potential defendants are going to be citing this,” Kay said, “and other courts will invoke its reasoning.”

For the most part, the issue of passwords and unlocking electronic devices has been kicking around lower federal courts and state courts — but that could change.

“As the judge in this case acknowledges, there have been other decisions concerning compelled disclosure of passwords, and this decision is consistent with many earlier judgments,” EPIC’s Butler observed.

“However, this issue does come up more frequently each year, given the widespread use of mobile devices with biometric locks,” he observed. “So I would expect that courts of appeals — and eventually the U.S. Supreme Court — will weigh in on this in the near future.”

Legislative Inertia

The reason the courts have had to take an aggressive stance on electronic device privacy is that lawmakers have failed to address the problem.

“Our legislative system is not keeping up with the rate of technological change,” said French Caldwell, CFO of The Analyst Syndicate, an IT research and analysis group based in Washington, D.C.

“The courts are saying, ‘We can’t wait for the legislature to sort all this out,’ so they’re being forced into a position of creating new law because there’s no law on this,” he told TechNewsWorld.

The issue eventually will land before the Supreme Court, Caldwell said, and “it’s going to take a long time before it gets to the Supreme Court, which gives legislators time to act.”

Aside from protecting citizens’ rights, there may be a security lesson to be learned from Westmore’s decision.

“Biometric authentication is just one layer in what should be multifactor authentication,” said Drinker Biddle’s Kay. “The technology should be used with a passcode. It should be used to make sure that the person inputting the passcode is the person that should be inputting the passcode.” 


How Can I Identify a Phishing Website or Email?

What Is Phishing?

Fraudsters send fake emails or set up fake web sites that mimic Yahoo!’s sign-in pages (or the sign-in pages of other trusted companies, such as eBay or PayPal) to trick you into disclosing your user name and password. This practice is sometimes referred to as “phishing” — a play on the word “fishing” — because the fraudster is fishing for your private account information. Typically, fraudsters try to trick you into providing your user name and password so that they can gain access to an online account. Once they gain access, they can use your personal information to commit identity theft, charge your credit cards, empty your bank accounts, read your email, and lock you out of your online account by changing your password.

If you receive an email (or instant message) from someone you don’t know directing you to sign in to a website, be careful! You may have received a phishing email with links to a phishing website. A phishing website (sometimes called a “spoofed” site) tries to steal your account password or other confidential information by tricking you into believing you’re on a legitimate website. You could even land on a phishing site by mistyping a URL (web address).

Is that website legitimate? Don’t be fooled by a site that looks real. It’s easy for phishers to create websites that look like the genuine article, complete with the logo and other graphics of a trusted website.
Important: If you’re at all unsure about a website, do not sign in. The safest thing to do is to close and then reopen your browser, and then type the URL into your browser’s URL bar. Typing the correct URL is the best way to be sure you’re not redirected to a spoofed site.

Signs You May Have Received a Phishing Email:

If you receive an email from a web site or company urging you to provide confidential information, such as a password or Social Security number, you might be the target of a phishing scam. The tips below can help you avoid being taken in by phishers.

Unofficial “From” address. Look out for a sender’s email address that is similar to, but not the same as, a company’s official email address. Fraudsters often sign up for free email accounts with company names in them (such as “ysmallbusiness@yahoo.com”). These email addresses are meant to fool you. Official email from Yahoo! always comes from an “@yahoo-inc.com” email address.

Urgent action required. Fraudsters often include urgent “calls to action” to try to get you to react immediately. Be wary of emails containing phrases like “your account will be closed,” “your account has been compromised,” or “urgent action required.” The fraudster is taking advantage of your concern to trick you into providing confidential information.

Generic greeting. Fraudsters often send thousands of phishing emails at one time. They may have your email address, but they seldom have your name. Be skeptical of an email sent with a generic greeting such as “Dear Customer” or “Dear Member”.

Link to a fake web site. To trick you into disclosing your user name and password, fraudsters often include a link to a fake web site that looks like (sometimes exactly like) the sign-in page of a legitimate web site. Just because a site includes a company’s logo or looks like the real page doesn’t mean it is! Logos and the appearance of legitimate web sites are easy to copy. In the email, look out for:

  • Links containing an official company name, but in the wrong location. For example: “https://www.yahoo.com” is a fake address that doesn’t go to a real Yahoo! web site. A real Yahoo! web address has a forward slash (“/”) after “yahoo.com” — for example, “https://www.yahoo.com/” or “https://login.yahoo.com/.”

Legitimate links mixed with fake links. Fraudsters sometimes include authentic links in their spoof pages, such as to the genuine privacy policy and terms of service pages for the site they’re mimicking. These authentic links are mixed in with links to a fake phishing web site in order to make the spoof site appear more realistic.

And look for these other indicators that an email might not be trustworthy:

  • Spelling errors, poor grammar, or inferior graphics.
  • Requests for personal information such as your password, Social Security number, or bank account or credit card number. Legitimate companies will never ask you to verify or provide confidential information in an unsolicited email.
  • Attachments (which might contain viruses or keystroke loggers, which record what you type).
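The email warning signs listed above can be applied mechanically to a message as a first-pass triage. The Python below is an added example, not part of the original article or any Yahoo! tooling: the function names, the phrase lists (taken from the examples in this section) and the sample message are assumptions constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

OFFICIAL_DOMAIN = "yahoo-inc.com"   # sender domain the article calls official
URGENT_PHRASES = ("your account will be closed",
                  "your account has been compromised",
                  "urgent action required")
GENERIC_GREETINGS = ("dear customer", "dear member")
SECRET_REQUESTS = ("password", "social security number",
                   "bank account", "credit card number")

# Constructed sample message (not a real email).
SAMPLE = """\
From: "Yahoo! Account Services" <ysmallbusiness@yahoo.com>
To: user@example.org
Subject: Urgent action required
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Dear Customer,
Your account has been compromised. Reply with your password to keep it open.

--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="account_form.zip"

(placeholder)
--b1--
"""


def body_text(msg):
    """Join the decoded text/plain parts that are not attachments."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain" and not part.get_filename():
            raw = part.get_payload(decode=True) or b""
            charset = part.get_content_charset() or "utf-8"
            chunks.append(raw.decode(charset, "replace"))
    return "\n".join(chunks)


def phishing_signs(raw_message):
    """Return the warning signs from the list above that the message shows."""
    msg = message_from_string(raw_message)
    signs = []
    # parseaddr drops the display name, which the sender can set to anything.
    _, address = parseaddr(msg.get("From", ""))
    if address.rpartition("@")[2].lower() != OFFICIAL_DOMAIN:
        signs.append("unofficial-from")
    text = (msg.get("Subject", "") + "\n" + body_text(msg)).lower()
    if any(phrase in text for phrase in URGENT_PHRASES):
        signs.append("urgent-action")
    if any(greeting in text for greeting in GENERIC_GREETINGS):
        signs.append("generic-greeting")
    if any(item in text for item in SECRET_REQUESTS):
        signs.append("asks-for-secrets")
    if any(part.get_filename() for part in msg.walk()):
        signs.append("attachment")
    return signs


if __name__ == "__main__":
    print(phishing_signs(SAMPLE))
```

A message that shows none of these signs is not thereby proven genuine; the check only surfaces the indicators this section describes.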

 

Signs You May Be on a Phishing Site:

Phishers are becoming more and more sophisticated in designing their phony websites. Follow these steps if you think you’ve been phished. There’s no surefire way to know if you’re on a phishing site, but here are some hints that can help you distinguish a real website from a phishing site:

Check the Web address. Just because the address looks OK, don’t assume you’re on a legitimate site. Look in your browser’s URL bar for these signs that you may be on a phishing site:

  • Incorrect company name. Often the web address of a phishing site looks correct but actually contains a common misspelling of the company name or a character or symbol before or after the company name. Look for tricks such as substituting the number “1” for the letter “l” in a Web address (for example, www.paypa1.com instead of www.paypal.com).
  • “http://” at the start of the address on Yahoo sign-in pages. A legitimate Yahoo sign-in page address starts with “https://” ― the letter “s” must be included. So check the website address for any Yahoo sign-in page.
  • A missing forward slash. To verify that you’re on a legitimate Yahoo site, make sure a forward slash ( / ) appears after “yahoo.com” in the URL bar. For example, “https://www.yahoo.com” is a fake website address.
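The address checks above, together with the earlier point about a company name appearing in the wrong location in a link, come down to comparing the host name in the URL against the domains you actually trust. The Python below is an added example, not code from the original article: the allowlist, the look-alike character table, the function names and the sample links (including the `.example` hosts) are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumption: the domains this user really signs in to (constructed allowlist).
TRUSTED_DOMAINS = {"yahoo.com", "paypal.com"}
BRANDS = {domain.split(".")[0] for domain in TRUSTED_DOMAINS}
# Digits commonly swapped for look-alike letters, e.g. "1" for "l".
LOOKALIKES = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s"})


def registered_domain(host):
    """Last two labels of a host name. Simplification: a production checker
    needs the Public Suffix List to handle suffixes such as co.uk."""
    return ".".join(host.split(".")[-2:])


def url_signs(url):
    """Return the warning signs from this section that a URL shows."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")
    signs = []
    if parts.scheme != "https":
        signs.append("not-https")
    if registered_domain(host) in TRUSTED_DOMAINS:
        return signs  # genuine domain; only the transport can be at fault
    # Undo digit-for-letter swaps, then look for the trusted name again.
    folded = host.translate(LOOKALIKES)
    if registered_domain(folded) in TRUSTED_DOMAINS:
        signs.append("lookalike-domain")
    elif any(brand in folded for brand in BRANDS):
        # The company name is present, but it is not the registered domain.
        signs.append("trusted-name-in-wrong-place")
    else:
        signs.append("not-on-allowlist")
    return signs


# Constructed sample links; the .example hosts are placeholders.
SAMPLES = [
    "https://login.yahoo.com/",
    "http://login.yahoo.com/",
    "https://www.paypa1.com/signin",
    "https://www.yahoo.com.account-check.example/login",
    "https://news.example.org/",
]


def check_samples():
    """Map each constructed sample link to the signs it triggers."""
    return {url: url_signs(url) for url in SAMPLES}


if __name__ == "__main__":
    for url, signs in check_samples().items():
        print(url, signs or "no signs")
```

The decision rests on the rightmost labels of the host name, which is why a trusted name placed further left in the address earns no trust.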

Be leery of pop-ups. Be careful if you’re sent to a website that immediately displays a pop-up window asking you to enter your username and password. Phishing scams may direct you to a legitimate website and then use a pop-up to gain your account information.

Give a fake password. If you’re not sure if a site is authentic, don’t use your real password to sign in. If you enter a fake password and appear to be signed in, you’re likely on a phishing site. Do not enter any more information; close your browser. Keep in mind, though, that some phishing sites automatically display an error message regardless of the password you enter. So, just because your fake password is rejected, don’t assume the site is legitimate.

Use a Web browser with antiphishing detection. Web browsers such as Internet Explorer and Mozilla Firefox have free add-ons (or “plug-ins”) that can help you detect phishing sites.

Be wary of other methods to identify a legitimate site. Some methods used to indicate a safe site can’t always be trusted. A small unbroken key or locked padlock at the left of the URL bar of your browser is not a reliable indicator of a legitimate website. Just because there’s a key or lock and the security certificate looks authentic, don’t assume the site is legitimate.

 


Removing Pop-ups, Viruses, Adware, or Spyware

If you suspect that your computer is infected with a virus or other malicious software, remove it as soon as possible.

Unlike other software, malware can’t be completely removed by using your operating system’s feature for add/remove programs. Some bits of malware may still be hiding on your hard drive, doing damage behind the scenes. To remove malware, use software specifically designed to find and delete it.

Many solutions are available for ridding your computer of malicious software. Find these programs by searching the Web for virus protection or contact us for high security protection. Whatever software you choose, be sure to keep it up to date.
In some extreme cases, antivirus programs may not be able to remove all malware. It may be necessary to reformat your hard drive and reinstall its operating system. If you’re using a laptop computer, installing the operating system from the partition backup may not completely remove malware. Instead, be sure to get installation disks for your operating system from your hardware vendor, and use them to reinstall your operating system.
