Google

6 search engines that abuse your privacy (and 3 that actually preserve it)

The following is a share from the folks over at @Techwarn – Enjoy

With the rise of modern browsers, search engines have become seamlessly integrated into our internet experience. Gone are the days of typing out “www.google.com”—now one only needs to type a query into the search bar (or address bar, in many cases), and in come the results.

Because of this streamlined experience, we’re less likely to think critically about what search engines we use. On Chrome? Sure, Google will do. Internet Explorer? Take me away, Bing!

The problem with this laissez-faire attitude is that it has a sizeable effect on how we experience the internet. Not only do search engines vary in their algorithms, thus impacting search results, but they also have radically different privacy policies. Depending on who you’re doing your searching with, you could be putting random facts about yourself up for sale.

The Naughty List

Google

The scope of data collection: Enormous (don’t forget, Google follows you on YouTube)
Ads: Yes
Noteworthy characteristics: It probably knows everything about you *sinister laugh*

Google may be the most popular search engine around—in 2014 it hosted 67.5% of all searches in the U.S.—but it’s a terrible choice when it comes to privacy.

As the search engine’s privacy policy informs visitors, Google tracks just about everything, including your search queries, your IP address, your phone number, your hardware settings—and more!

According to Google, all of this data collection is done for the benefit of users:

“We collect information to provide better services to all of our users – from figuring out basic stuff like which language you speak, to more complex things like which ads you’ll find most useful, the people who matter most to you online, or which YouTube videos you might like.”

If that degree of intrusiveness makes you queasy, though, fear not: You can always make Google forget about you. You can also prevent Google from knowing your location data in the future by using a VPN extension on Chrome.

Once you clear your slate, you might also want to check out one of the search engine options on the Nice List.

Yahoo

The scope of data collection: Large
Ads: Yes
Noteworthy characteristics: Its affiliated email system was recently hacked

Things have not been good for Yahoo lately, what with the disclosure that some 500 million Yahoo Mail accounts were hacked. That event alone turned many privacy-minded individuals away from the company.

Yahoo’s search engine isn’t anything to write home about (it’s “powered by Bing”), but it does have an ad interest manager that lets you stop Yahoo from tailoring the ads you see. It doesn’t stop ads from appearing altogether, but it at least makes the browsing experience slightly less stalkerish.

Bing

The scope of data collection: Large
Ads: Yes
Noteworthy characteristics: It knows almost as much about you as Google does

The second most popular search engine in the U.S. (partially because it “powers” other search engines), Bing also records your search queries and other relevant information. However, because it is not integrated with as many popular platforms as Google is (YouTube, for example), it could be seen as slightly less intrusive.

That still isn’t saying much. A visit to Bing’s privacy page paints a detailed picture of all the lovely things you share when you do a search:

“When you conduct a search, or use a feature of a Bing-powered experience that involves conducting a search or entering a command on your behalf, Microsoft will collect the search or command terms you provide, along with your IP address, location, the unique identifiers contained in our cookies, the time and date of your search, and your browser configuration.”

All in all, that’s some fairly identifiable non-identifiable information.

AOL

The scope of data collection: Large
Ads: Yes
Noteworthy characteristics: Filled with nostalgia for anyone online in the 90s

AOL (sometimes written as Aol.) is similar to Yahoo in that it is “powered by Bing.” It’s also similar to its purple competitor in that it faced a privacy scandal of its own: In 2006, the company published the search histories of 650,000 users.

Frustratingly, AOL’s privacy page is far less detailed than those of other search engines. Rather than giving you a list of exactly what data it collects, the page remarks, “We collect and receive information about you and your device when you give it to us directly when you use our Services, and from certain third-party sources.” There are no hyperlinks for further explanation, no pleasant footnotes.

Basically, use AOL at your privacy’s risk.

Ask

The scope of data collection: Large
Ads: Yes
Noteworthy characteristics: Its search toolbar is often bundled with other software, and it’s hard to get rid of

Ask (known as Ask Jeeves in another life) has grappled with its identity during its 20-year existence. Sometimes a question and answer site, sometimes pure search, it has lately slunk to the back of the pack in terms of volume.

Thankfully, it’s much more straightforward than AOL when it comes to letting you know what information it collects, including, “your mobile device’s geographic location (specific geographic location if you’ve enabled collection of that information, or general geographic location automatically).” Reassuring stuff.

What makes Ask a bit more aggravating, however, is its occasional role as a “browser hijacker.” Sometimes when you download an application from the internet, it will bundle in a “helpful” Ask search toolbar which you’ll install because you didn’t read the conditions when you were blindly clicking “Accept, Accept, Accept…” The result: Ask becomes your automatic search engine on all your browsers.

Even if such practices aren’t malware per se, they can still be pretty annoying, especially given all the data Ask can suddenly get its hands on.

Lycos

The scope of data collection: Large
Ads: Yes
Noteworthy characteristics: It’s still around

Lycos has gone through many iterations since the Dotcom Bubble and has even been sighted trying to spin off a brand of wearables. Will this new incarnation work? You be the judge.

Like other search engines on the naughty list, Lycos harvests a lot of data, including your IP, browser, and platform. It makes a point of saying that it collects “aggregate search terms,” which at least suggests that individual searches are not tied to your IP (hopefully).

The Nice List

Ixquick

The scope of data collection: Non-existent
Ads: No
Noteworthy characteristics: Open search results with proxy service

ExpressVPN is no stranger to Ixquick. The search engine has been wowing the privacy-minded since 1998, and despite having slower loading speeds than other services, it offers relatively strong results.

One feature that sets Ixquick apart is that it gives users the option to open search results in a proxy window, thus allowing them to view pages anonymously. The load times can be fairly slow, however, so it might not be practical for those on a deadline.

Ixquick takes a reassuring approach to privacy. The site proclaims, “You have a right to privacy,” and, “The only real solution is quickly deleting your data or not storing them to begin with.”

ExpressVPN wholeheartedly agrees.

StartPage

The scope of data collection: Non-existent
Ads: Yes
Noteworthy characteristics: The performance of Google without privacy infringement

StartPage is an offshoot of Ixquick that queries Google, basically acting as a go-between. That means you get all the power of a Google search minus the disclosure of your personal information. The only downside is that you still get ads, but at least they aren’t aimed at you.

StartPage, like Ixquick, offers a proxy option for exploring search results. However, it is still somewhat slow and sometimes results in page rendering errors.

Another great thing about StartPage? It stopped recording users’ IP addresses in 2009.

DuckDuckGo

The scope of data collection: Non-existent
Ads: No
Noteworthy characteristics: It offers a Tor service (3g2upl4pq6kufc4m.onion)

ExpressVPN previously reviewed DuckDuckGo and loved it. It doesn’t collect your IP address or other information, but it does record searches—it just aggregates them without affiliating them with other data.

DuckDuckGo is also unique in that it offers an onion service. This characteristic, along with its speed, makes it a top pick.

Of course, DuckDuckGo’s algorithm opts for the crowd-sourced over the corporate. A search on the current U.S. presidential election in the “News” category brought up Wikipedia articles as the top two hits, so be sure to look further down the list if you want more variety.

Source: https://www.expressvpn.com/blog/6-search-engines-abuse-your-privacy/

Goodbye, Google+

Con te partirò, Google+

It’s been truly a fun ride, from private testing to the public launch. I had great hopes for Google+ as an alternative to other mainstream social media options. I campaigned to get friends and family over to the social network, but getting traction against those other platforms was next to impossible.

This all comes to a head as Google announced the shutting down of Google+ after failing to disclose user data breaches for an undisclosed period of time. It’s reported that the company didn’t disclose the leak for months to avoid a public relations headache and potential regulatory enforcement.

In a blog post about the shutdown, Google disclosed the data leak, which it said potentially affected up to 500,000 accounts. Up to 438 different third-party applications may have had access to private information due to the bug. Google apparently has no way of knowing whether they did because it only maintains logs of API use for two weeks.

“We found no evidence that any developer was aware of this bug or abusing the API, and we found no evidence that any profile data was misused,” Ben Smith, the vice-president of engineering, wrote in the blog post.  Smith defended the decision not to disclose the leak, writing: “Whenever user data may have been affected, we go beyond our legal requirements and apply several criteria focused on our users in determining whether to provide notice.”

Now the question I have: Are these cloud and these large-scale platforms too large to secure and protect our data? Personally, I started self-hosting, securing my own data and information as much as possible. The attack surface with Facebook, Google, cloud storage such as Box, Dropbox, OneDrive and email systems such as Office 365, Yahoo, Outlook.

 

 

Privacy & Google Search Alternatives

When it comes to privacy, using Google search is not the best of ideas. When you use their search engine, Google is recording your IP address, search terms, user agent, and often a unique identifier, which is stored in cookies.

Here are a few Google search alternatives:

 

DuckDuckGo is a US-based search engine that was started by Gabriel Weinberg in 2008. It generates search results from over 400 sources including Wikipedia, Bing, Yandex, and Yahoo. DuckDuckGo has a close partnership with Yahoo, which helps it to better filter search results. This is a great privacy-friendly Google alternative that doesn’t utilize tracking or targeted ads.

Searx is a very privacy-friendly and versatile open source metasearch engine that gathers results from other search engines while also respecting user privacy. One unique aspect of Searx is that you can run your own instance.

Qwant is a private search engine that is based in France and was started in 2013. Because it is based in Europe, the data privacy protections are much stricter than in the United States.

Metager is a private search engine based in Germany that aims to implement free access to knowledge and digital democracy. Ref: https://metager.de/en/about

StartPage – StartPage gives you Google search results, but without the tracking.
Ref: https://classic.startpage.com/eng/protect-privacy.html#hmb

 

Meltdown & Spectre Vulnerabilities

Meltdown and Spectre exploit critical vulnerabilities in modern processors. These hardware bugs allow programs to steal data that is currently being processed on the computer. Malicious programs can exploit Meltdown and Spectre to get hold of secrets stored in the memory of other running programs, such as passwords, logon details and other information once thought to be secure.

Meltdown and Spectre work on personal computers, mobile devices, and in the Cloud – AWS, Azure, and other 3rd party Cloud / IaaS Providers.

Meltdown breaks the most fundamental isolation between user applications and the operating system. This attack allows a program to access the memory, and thus also the secrets, of other programs and the operating system. If your computer has a vulnerable processor and runs an unpatched operating system, it is not safe to work with sensitive information, because that information may leak. This applies to personal computers as well as to cloud infrastructure.

Spectre breaks the isolation between different applications. It allows an attacker to trick error-free programs, which follow best practices, into leaking their secrets. In fact, the safety checks of said best practices actually increase the attack surface and may make applications more susceptible to Spectre.
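To check whether a Linux machine is still in the unpatched state described above, you can read the mitigation status the kernel itself reports under /sys/devices/system/cpu/vulnerabilities/. The script below is an added example, not part of the original post; the function names are illustrative, and the directory can be overridden through VULN_DIR or an argument.

```shell
#!/bin/sh
# Added example: report Meltdown/Spectre mitigation status on Linux.
# Kernels 4.15 and later (and vendor backports) expose one text file per
# issue in this directory. Function names here are illustrative.
VULN_DIR="${VULN_DIR:-/sys/devices/system/cpu/vulnerabilities}"

# classify_status TEXT
# Maps the kernel's status line to: not_affected, mitigated, vulnerable, unknown.
classify_status() {
    case "$1" in
        "Not affected"*) echo not_affected ;;
        "Mitigation:"*)  echo mitigated ;;
        "Vulnerable"*)   echo vulnerable ;;
        *)               echo unknown ;;
    esac
}

# check_issue NAME [DIR]
# Prints "NAME STATUS"; returns non-zero when the issue is vulnerable or unknown.
check_issue() {
    name=$1
    dir=${2:-$VULN_DIR}
    file="$dir/$name"
    if [ -r "$file" ]; then
        status=$(classify_status "$(cat "$file")")
    else
        # File missing: the kernel predates the sysfs interface, so the
        # patch level cannot be confirmed this way.
        status=unknown
    fi
    echo "$name $status"
    [ "$status" = not_affected ] || [ "$status" = mitigated ]
}

# report [DIR]
# Checks Meltdown (CVE-2017-5754), Spectre variant 1 (CVE-2017-5753) and
# Spectre variant 2 (CVE-2017-5715); returns non-zero if any check fails.
report() {
    rc=0
    for issue in meltdown spectre_v1 spectre_v2; do
        check_issue "$issue" "${1:-$VULN_DIR}" || rc=1
    done
    return $rc
}
```

Source the file and run `report`; a non-zero exit status means at least one of the three issues is reported as vulnerable or could not be determined.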

 

Vendor recommendations:

Information on the vulnerabilities:

 

Current known list of affected vendors and their respective advisories and/or patch announcements below:

| Vendor | Advisory/Announcement |
| --- | --- |
| Amazon (AWS) | AWS-2018-013: Processor Speculative Execution Research Disclosure |
| AMD | An Update on AMD Processor Security |
| Android (Google) | Android Security Bulletin—January 2018 |
| Apple | HT208331: About the security content of macOS High Sierra 10.13.2, Security Update 2017-002 Sierra, and Security Update 2017-005 El Capitan |
| | HT208394: About speculative execution vulnerabilities in ARM-based and Intel CPUs |
| ARM | Vulnerability of Speculative Processors to Cache Timing Side-Channel Mechanism |
| Azure (Microsoft) | Securing Azure customers from CPU vulnerability |
| | Microsoft Cloud Protections Against Speculative Execution Side-Channel Vulnerabilities |
| Chromium Project | Actions Required to Mitigate Speculative Side-Channel Attack Techniques |
| Cisco | cisco-sa-20180104-cpusidechannel – CPU Side-Channel Information Disclosure Vulnerabilities |
| Citrix | CTX231399: Citrix Security Updates for CVE-2017-5715, CVE-2017-5753, CVE-2017-5754 |
| Debian | Debian Security Advisory DSA-4078-1 linux — security update |
| Dell | SLN308587 – Microprocessor Side-Channel Attacks (CVE-2017-5715, CVE-2017-5753, CVE-2017-5754): Impact on Dell products |
| | SLN308588 – Microprocessor Side-Channel Attacks (CVE-2017-5715, CVE-2017-5753, CVE-2017-5754): Impact on Dell EMC products (Dell Enterprise Servers, Storage and Networking) |
| F5 Networks | K91229003: Side-channel processor vulnerabilities CVE-2017-5715, CVE-2017-5753, and CVE-2017-5754 |
| Google’s Project Zero | Reading Privileged Memory with a Side-Channel |
| Huawei | Security Notice – Statement on the Media Disclosure of the Security Vulnerabilities in the Intel CPU Architecture Design |
| IBM | Potential CPU Security Issue |
| Intel | INTEL-SA-00088 Speculative Execution and Indirect Branch Prediction Side Channel Analysis Method |
| Lenovo | Lenovo Security Advisory LEN-18282: Reading Privileged Memory with a Side Channel |
| Microsoft | Security Advisory 180002: Guidance to mitigate speculative execution side-channel vulnerabilities |
| | Windows Client guidance for IT Pros to protect against speculative execution side-channel vulnerabilities |
| | Windows Server guidance to protect against speculative execution side-channel vulnerabilities |
| | SQL Server Guidance to protect against speculative execution side-channel vulnerabilities |
| | Important information regarding the Windows security updates released on January 3, 2018 and anti-virus software |
| Mozilla | Mozilla Foundation Security Advisory 2018-01: Speculative execution side-channel attack (“Spectre”) |
| NetApp | NTAP-20180104-0001: Processor Speculated Execution Vulnerabilities in NetApp Products |
| nVidia | Security Notice ID 4609: Speculative Side Channels |
| | Security Bulletin 4611: NVIDIA GPU Display Driver Security Updates for Speculative Side Channels |
| | Security Bulletin 4613: NVIDIA Shield TV Security Updates for Speculative Side Channels |
| Raspberry Pi Foundation | Why Raspberry Pi isn’t vulnerable to Spectre or Meltdown |
| Red Hat | Kernel Side-Channel Attacks – CVE-2017-5754 CVE-2017-5753 CVE-2017-5715 |
| SUSE | SUSE Linux security updates CVE-2017-5715 |
| | SUSE Linux security updates CVE-2017-5753 |
| | SUSE Linux security updates CVE-2017-5754 |
| Synology | Synology-SA-18:01 Meltdown and Spectre Attacks |
| Ubuntu | Ubuntu Updates for the Meltdown / Spectre Vulnerabilities |
| VMware | NEW VMSA VMSA-2018-0002 VMware ESXi, Workstation and Fusion updates address side-channel analysis due to speculative execution |
| Xen | Advisory XSA-254: Information leak via side effects of speculative execution |

Google+ posts from my WordPress blog posted as private

Wow!  And I learn something new every day…

I have been using the publicize feature for a long time now, only to find out that my posts sent to Google+ have been private or limited to those in my circles. Now that was unexpected!

What I have learned is that, by default, Google+ sets the visibility of your posts to “Only You”.

To change this I needed to do the following:

Enter the account Settings, locate Manage apps & activities in Google+ and change WordPress to be public.

Who knew… I for one did not.

 

I hope you enjoyed this #techshort and thanks for visiting – jermal