Newsletter – Secure browsing for social networks, uninstalling old programs, and more – SSO-NL2012-001
16 January 2012
Newsletter January 2012 (File size: 1574Kb)
The purpose of the Newsletter is to provide general advice about online security issues and help you learn to better manage the security of your computer and information when online.
This month’s newsletter will cover how to enable secure web browsing on social networks Facebook and Twitter, how to uninstall old, unused or out of date programs from your computer, a tool which makes it easier to keep windows based computer’s software up to date, and a warning regarding unsolicited technical support phone calls often purporting to be from Microsoft.
Thank you to those subscribers who have provided feedback to our Alerts, Advisories and Newsletters. We are very interested in your feedback and where possible take on board your suggestions or requests.
SSL Secure web browsing for Facebook and Twitter
SSL/HTTPS provides the following security features to your web session when implemented correctly.
* The ability to check the web site digital certificate to verify the identity of the web site. The purpose of this is to help provide assurance that you are connected to the correct web site and not a fake impersonation.
* The use of encryption to conceal the content of the traffic sent between your computer and the web server (including passwords and other sensitive information).
* The ability to protect the integrity of the traffic to make sure it is not modified en route.
In this Newsletter, we provide instructions for how to enable the use of SSL/HTTPS in Facebook. There are however a number of caveats:
* Firstly, you need to be logged in before you can turn this feature on. In some circumstances (described in the December 2010 newsletter) your personal information could already be exposed. We believe it should be on by default.
* Secondly, it can be deactivated without your knowledge, if you wish to connect to a Facebook page which does not support HTTPS.
In brief the feature, allows you to opt-in to use SSL “whenever possible”. To turn on this feature, follow these steps:
1. Log into Facebook.
2. Click on the ‘Down Arrow’ in the top right corner of the Facebook page, and then select ‘Account Settings’ from the top right menu, as shown in figure 1 below.
Figure 1 – Facebook ‘Account Settings’
3. Select ‘Security’ from the menu on the left and then click ‘Edit’ on the right side of ‘Secure Browsing’, as shown in figure 2 below.
Figure 2 – Facebook ‘Security settings’
4. Tick the box next to “Browse Facebook on a secure connection (https) when possible”, and the click the ‘Save Changes’ button, as shown in Figure 3 below.
Figure 3 – Facebook ‘Secure browsing’
We recommend you activate this feature, but be aware that if you use any number of the hundreds of Facebook applications, you may find your HTTPS settings are turned off and not automatically reactivated when HTTPS becomes possible again. The result is that you your personal identifying information could be captured in some circumstances when you think it is being protected.
Remember – if you don’t see https in the web address (only http), then the traffic is being sent without encryption and potentially can be captured by third parties.
Similarly to Facebook, Twitter also allows the use of SSL/HTTPS, but unlike Facebook it is enabled by default for Twitter. If you browse to “https://twitter.com”, the website will automatically redirect you to “https://twitter.com”, ensuring that the login process takes place using SSL/HTTPS. However, it is still possible to deactivate secure browsing from within the Twitter ‘Settings’ page, so it is a good idea to ensure that this setting is activated at all times.
To check that this feature is enabled within Twitter, follow these steps:
1. Log into Twitter
2. Click on the ‘Head and Shoulders with Down Arrow’ in the top right corner of the Twitter page, and then select ‘Settings’, as shown in Figure 4 below.
Figure 4 – Twitter ‘Settings’
3. At the bottom of the ‘Settings’ page, ensure that the box next to ‘HTTPS Only’ is ticked to ‘Always Use HTTPS’, and then click ‘Save’, as shown in Figure 5 below.
Figure 5 – Twitter ‘HTTPS Only’ Setting
Remember, just as with Facebook – if you don’t see https in the web address (only http), then the traffic is being sent without encryption and potentially can be captured by third parties.
You can read more about SSL in the SSO Factsheet – What is a web site digital certificate and why is it important to check?
Removing old, unused or out of date programs from your computer
We have often discussed the importance of updating software that is installed on your computer to the latest version to ensure that you are protected from any potential vulnerabilities which may exist in older versions. But what about those old programs you don’t use any more, and what about old versions of software that you’ve updated but the old version hasn’t been removed automatically during the update process? For example, often Java will leave previous versions on your computer even after you upgrade. These too could contain vulnerabilities that may be exploited by criminals to attack your computer, even if you are not actively using the programs themselves.
The following instructions will help you remove old, out-of-date, unwanted or unused programs from Microsoft Windows 7, Microsoft Windows Vista, Microsoft Windows XP, Apple Mac OS X, Apple Mac OS X Lion and Ubuntu.
Microsoft Windows 7
1. Click on the Windows 7 ‘Start Menu’, and then select ‘Control Panel’, as shown in Figure 6 below.
Figure 6 – Microsoft Windows 7 ‘Start Menu’
2. Below ‘Programs’, click on ‘Uninstall a program’, as shown in Figure 7 below.
Figure 7 – Microsoft Windows 7 ‘Control Panel’
3. Select a program from the list of installed programs, and then click on ‘Uninstall’, as shown in Figure 8 below.
Figure 8 – Microsoft Windows 7 ‘Programs and Features’
Microsoft Windows Vista
1. Click on the Windows Vista ‘Start Menu’, and then select ‘Control Panel’, as shown in Figure 9 below.
Figure 9 – Microsoft Windows Vista ‘Start Menu’
2. Below ‘Programs’, click on ‘Uninstall a program’, as shown in Figure 10 below.
Figure 10 – Microsoft Windows Vista ‘Control Panel’
3. Select a program from the list of installed programs, and then click on ‘Uninstall’, as shown in Figure 11 below.
Figure 11 – Microsoft Windows Vista ‘Programs and Features’
Microsoft Windows XP
1. Click on the Windows XP ‘Start Menu’, and then select ‘Control Panel’, as shown in Figure 12 below.
Figure 12 – Microsoft Windows XP ‘Start Menu’
2. Click on ‘Add or Remove Programs’ within the Control Panel, as shown in Figure 13 below.
Figure 13 – Microsoft Windows XP ‘Control Panel’
3. Select the program you would like to uninstall and click the ‘Remove’ button, as shown in Figure 14 below.
Figure 14 – Microsoft Windows XP ‘Add or Remove Programs’
Apple Mac OS X
1. Navigate to “Applications”
2. Select the program you’d like to uninstall, and either drag the application icon to the “Trash”, or right-click and select “Move to Trash”, as shown in Figure 15 below.
Figure 15 – Apple Mac OS X ‘Applications’
While these simple instructions should cover removal of most programs under Apple Mac OS X, in some rare cases, such as some software from Adobe or Microsoft, some programs include their own uninstall applications. In these cases the specific uninstall applications for the program must be used to remove the software, and depending on the program itself, these can often be found in the original DMG file or on an original installation CD or DVD.
Apple Mac OS X Lion
1. Open the “Launchpad”
2. Click on and hold the mouse button on the icon of the application you would like to uninstall.
3. When the application icon begins to move, click on the black cross icon that appears, as shown in Figure 16 below.
Figure 16 – Apple Mac OS X Lion
As with Apple Mac OS X, in rare cases some programs installed on Apple Mac OS X Lion may include their own uninstall applications.
For users of Ubuntu, the “Advanced Packaging Tool” provides functionality to check for updates to installed packages, and also to clean up unused packages from the operating system.
To check for updates to already installed software, simply type ‘apt-get check’ at the console.
To perform a clean-up of unused packages from the operating system, simply type ‘apt-get autoclean’ at the console.
Figure 17 – Ubuntu ‘Terminal Window’
Additionally, certain versions of Ubuntu also include graphical tools which can perform these actions without requiring the use of the console, however the functionality of these may vary from version to version. Most other distributions of Linux also come with similar package management solutions, either text based or graphical – users of other Linux distributions should check the appropriate documentation that accompanies their distribution.
Secunia’s Personal Software Inspector 2.0
A free tool which checks to ensure that you have the latest version of plug-ins and a wide range of other software for Microsoft Windows, is Secunia’s Personal Software Inspector (PSI) 2.0 for home users only, available from:
Secunia has other products for businesses. To use this tool you will need to install software on your computer, but it checks for a wide range of vulnerable software – for the operating system, applications and plug-ins. It will report changes in the vulnerability of your software over time. According to the user instructions:
It constantly monitors your system for insecure software installations, notifies you when an
insecure application is installed, and even provides you with detailed instructions for
updating the application when available.
Additionally, it will report on software, which is the latest version, but is known to contain security bugs for which the vendor has not yet released a newer version which fix the security bugs. The following screenshot provides a sample of the output which would appear as the “Scan Results” after performing a scan of your PC.
Figure 18 – PSI Results displaying a number of out of date programs and offering solutions to update
This tool covers a wide range of software and can be a useful aid to checking and keeping your software up to date. Remember that if you have plug-ins or application software installed that is less common, then these may not be routinely included in the Secunia PSI check.
Criminals contacting potential victims by telephone to “repair” their computers
We have received reports that Australian Internet users are continuing to be contacted by telephone as part of scams involving their computers.
The scammer calls people at their home by telephone and claims to have information that their computer has a problem – that it is infected with a virus, that it is running slow, or that the computer software is corrupted. In many cases, the scammer often claims to work Microsoft or for a company that can fix the problem and seeks to persuade potential victim to pay for a remote repair service via credit card and also seeks to install remote access software on the victim’s computer. Sometimes the criminals involved in these scams establish web sites to give the appearance they are a legitimate business but the web site is established to facilitate the scam.
If you agree to install such software (even on a trial basis), you will give the criminal remote access and control over your computer and all data on it and may provide them continuing access for
malicious purposes, even after the software is uninstalled. Remote access software should only be installed when you know and have good reason to trust the party concerned.
For further information about how to detect such scams refer to the information in the June 2009 Stay Smart Online Newsletter.
If you believe your computer has problems that you are unable to fix, then look up the yellow pages to find a reputable local business to investigate and fix the problem for you, or if the problem affects software or hardware that is under warranty, contact the appropriate vendor. This way, if you experience any problems, such as fraud, then knowing the physical location and identity of the business involved will give you greater rights and recourse for law enforcement action under Australian law than if you do “business” with an entity that has its presence only ‘online’.
In August 2010 Microsoft published a warning to Australians regarding scams of this nature on their website which is still very relevant: