The Importance of Using Anonymous Website Services Online

Anonymous Website Services

In a world that is becoming more interconnected, with ever more powerful governments and corporations moving through it by the day, anonymous internet services are becoming increasingly critical. Here’s some information about these types of services, including why they are important and how they can be used.

Internet Hosting Anonymity Services Tips: Overview and Bitcoin

Anonymity should be one of the most important things you focus on when you go to look at potential web host options. After all, this is going to be one of the areas where you could have your identity revealed or have sensitive information get out if this is something that you’re worried about currently.

This means that you have to focus on a few particular options within this area in order to form the basis of your decision. For example, one question worth asking early is whether or not a hosting company takes Bitcoin.

This is important for the obvious reason that it would allow you to pay for your hosting with Bitcoin, which is a more anonymous way to pay than the other common means of payment, with PayPal and credit cards right at the top of the list.

These aren’t especially anonymous because they both tend to require that you hand out full details about yourself, such as address and name. In the case of PayPal, there’s even a push to connect it with a bank account in order to get full functionality. When it comes to credit cards, many of them ask for a whole lot of information, such as your Social Security number in the United States, for example.

But, with Bitcoin, once you fund your wallet, you can divorce the payment from yourself a bit. There are strategies to swap around coins too in order to make it even more anonymous. You can pay with cash at certain terminals that accept conversion from cash to Bitcoin directly.

Internet Hosting Tips: Other Markers to Look For

Besides Bitcoin or other anonymous options, there are other services within the hosting service that can be important in your determination about whether a company is going to be worth it to you if anonymity is your primary concern. For example, the country that a company is located in can make a major difference in terms of how safe you feel getting hosting services from them.

One example of this is OrangeWebsite, which has operations in Iceland. This country is often lauded for its privacy laws, so this could be a good choice if you check out Iceland yourself and come to the same conclusion. Other people might simply try to avoid hosting services in countries they don’t trust due to poor privacy laws. There are also other nations that might be good for this, such as Canada, which has user privacy protections, or Switzerland, which is often known for being neutral and not accepting demands for information from other countries that easily.


VPN Services

Another important privacy service worth mentioning is a Virtual Private Network. This connects your computer’s Internet traffic to a third party before it reaches a website. As a result, the connection appears to come from a different IP address, that is, from a computer other than yours, wherever you connect online.

This extends to all of your connections, including anything you download or upload with other programs, for example. It can protect the security and privacy of a Skype video call, Facebook Facetime, or anything else that you want to keep protected. These services often use much stronger encryption than the connection would otherwise have, such as AES 256-bit encryption, which is known for being so secure that plenty of corporations have used it. This is actually important with services like Skype because they don’t really offer encryption on their own much of the time. The person you’re talking to will also not automatically get your IP address, so you can keep it private.

Many people online stress the importance of paying for a VPN, because a free one may be selling your information: the idea is that if they don’t sell a product, then the product could be you and your data.

If you have some reason especially to make sure you can’t be traced, such as dealing with a government that has reason to snoop on you, then it’s important to try to have the whole package deal when it comes to your security and anonymity. That’s exactly why it’s helpful to pair a privacy and security conscious hosting service with a VPN for added security when you’re running a website and are trying to make sure that you can say what you want without being snooped on by governments, third party organizations, hackers, or anyone else that has no business looking into yours.

Proxy Services

One alternative to a VPN, if you don’t need or don’t want to secure every connection, is to use another type of Internet privacy service called a proxy. These will mostly just secure your web browsing itself.

It can be a secondary option that will work well for you if you find one in a country you trust with a company you trust so that you can do what you have to do online anonymously, including running your website through a reputable company, for example.

For more information on privacy services including secure hosting and others, please contact us today.

The Increasing OAuth Phishing Threat

OAuth Phishing Threat

People are gradually growing more careful about phishing schemes that impersonate websites and ask for their passwords. But what if they don’t have to give a password to let an unauthorised party get at their data? That’s exactly what happened in a recent phishing campaign aimed at Google users. Hard numbers aren’t available on how many people were affected, but Google said the number was “fewer than 0.1% of Gmail users,” which could be as many as a million.

The Google Docs spoof

People received a message on their Gmail accounts, usually from an address they knew, asking them to open a “Google Doc.” If they did, it asked them to give Google Docs certain permissions, including permission to “read, send, delete, and manage your email.” No password confirmation was necessary, since the victim was already logged in. The only trouble was that the application wasn’t Google Docs but a malicious lookalike web app.

If the victim gave permission, the attacker could then use the account to send the same email to the victim’s contacts. This could have spread without limit if Google hadn’t promptly shut the application down.

The deception took advantage of design and implementation weaknesses in the widely used OAuth2 specification, which allows one Web application privileged access to another. Researchers had warned in 2011 that this kind of spoofing was possible, creating a proof-of-concept application. The 2017 attack may have drawn directly on that code.

What made the attack plausible

A combination of design issues with OAuth, social factors, and implementation choices by Google made the spoofing plausible to anyone without a strong understanding of security issues. The application was in fact hosted on Google, which lets users develop applications for public use. It was a reasonable imitation of Google Docs; the URL was wrong, but it was a Google URL. The mail came from trusted accounts.

The application was called “Google Docs.” Until very recently, Google didn’t prevent user applications from using its name. It still doesn’t provide any warning when an application making this type of request isn’t under Google’s control.

There’s no good reason Google Docs should ask for access to the user’s Gmail account, but people are used to wildly excessive requests for authorization. Websites that let your account connect to a LinkedIn account often ask for permission to post on your behalf. Most people apparently grant it without worrying.

The trouble with OAuth

The deeper problems, which aren’t restricted to Google, lie in the OAuth standard. It’s an authorization system which is weak on authentication. Without strong protections, it makes it easy to trick users into giving untrustworthy applications access to their private data.

In brief, OAuth2 lets a client application request permissions from a server. Only authorized applications can make requests. An application that’s allowed to use OAuth receives a client ID, which is public information, and a client secret (or key), which is confidential.

When the client app invites the user to give it permission, it redirects the user to a server URL. The server will inform the user of the request and give a choice of denying or allowing authorization. If the user allows it, the server redirects back to the client and sends an authorization code, which the client has to retain for as long as it wants to keep the permission. This could be just for a session or permanent. The server can limit its duration.

An obvious problem with this arrangement is that the server needs to trust a client over which it has no control. The client might be trustworthy at the time it gets permission, but a change of policy or a malware infection could change that. Theoretically, users should trust only applications in which they have very high confidence, but many people are far too trusting. The organization operating the server needs to carefully limit the clients it will give access to.

A poor implementation lets a client pretend to be a trusted application. The server has some control over this, since it knows what application is making the request, but it may or may not make it obvious to the user. If it just displays the application’s self-selected name, that’s weak protection.

Users who authorize a rogue application may not even realize there’s a problem. Google and other sites that use OAuth normally make a list of authorized applications available to the user and allow revocation, but it’s buried somewhere in the user settings.

Future risks

It’s a lucky thing that the Gmail attack apparently did little damage. One thing Google did right was to catch the rogue application and revoke its credentials within an hour. We can be sure others will try similar tricks, sometimes with services that don’t react so quickly. Any organization that uses OAuth to grant third-party applications access to its site should review its implementation and policy to make sure it isn’t vulnerable.

The most important precaution is to screen applicants for credentials carefully. A lot of users will give permission to any application that seems to do something useful, so it isn’t enough to trust them to exercise discretion.

Even if what an application currently does is legitimate, the applicant’s reputation needs to be good enough that it isn’t likely to misuse its authorization in the future. Clients should be periodically reviewed to make sure they still deserve trust. If there’s any sign they don’t, it’s important to follow up quickly and, if necessary, revoke authorization. Even an honest organization could have its credentials stolen or its code infected.

The organization should think carefully about what kinds of access it should authorize. The power to speak for the user can be used for fraudulent purposes. The power to read private data could allow theft of secrets. There needs to be a convincing case that the benefits from the application justify the risks.
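The screening recommended above, together with the earlier point that showing only an application’s self-selected name is weak protection, can be expressed as server-side checks at registration and on the consent screen. This is an added example, not code from Google or from the original article; the scope names, publisher domains and policy lists are constructed for illustration.

```python
import re
import unicodedata
from dataclasses import dataclass, field

# Constructed policy for this example; a real authorization server loads its own.
FIRST_PARTY_OWNER = "first-party.example"    # placeholder for the operator's own publisher ID
PROTECTED_NAMES = ["Google Docs", "Gmail"]   # product names third parties may not use
HIGH_RISK_SCOPES = {"mail.full_access", "mail.send", "contacts.read"}  # hypothetical scope names

# Small illustrative subset of look-alike characters (digits and Cyrillic o, e, a, s).
_CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s",
                              "\u043e": "o", "\u0435": "e", "\u0430": "a", "\u0441": "c"})


@dataclass
class ClientRegistration:
    display_name: str      # self-selected by the developer, so untrusted
    owner_domain: str      # identity the server recorded at registration
    owner_verified: bool   # True only after the operator's own vetting
    scopes: list = field(default_factory=list)


def skeleton(name):
    """Reduce a display name to a key that survives case, spacing and look-alikes."""
    folded = unicodedata.normalize("NFKC", name).casefold().translate(_CONFUSABLES)
    return re.sub(r"[^a-z0-9]", "", folded)


def is_first_party(reg):
    return reg.owner_verified and reg.owner_domain == FIRST_PARTY_OWNER


def review_registration(reg):
    """Return policy findings for a client asking for OAuth credentials."""
    findings = []
    if not is_first_party(reg):
        key = skeleton(reg.display_name)
        findings += [f"name-impersonation:{p}" for p in PROTECTED_NAMES if skeleton(p) in key]
        risky = sorted(set(reg.scopes) & HIGH_RISK_SCOPES)
        if risky:
            findings.append("high-risk-scopes:" + ",".join(risky))
    return findings


def decide(reg):
    """Map findings to reject / manual-review / approve."""
    findings = review_registration(reg)
    if any(f.startswith("name-impersonation:") for f in findings):
        return "reject"
    if findings:  # high-risk scopes requested by a third party
        return "manual-review" if reg.owner_verified else "reject"
    return "approve"


def consent_prompt(reg):
    """Consent text that shows the server-recorded publisher, not just the app's own name."""
    status = "verified" if reg.owner_verified else "NOT verified"
    lines = [f'"{reg.display_name}" is requesting: {", ".join(reg.scopes)}',
             f"Publisher on record: {reg.owner_domain} ({status})"]
    if not is_first_party(reg):
        lines.append("This app is not operated by the service you are signed in to.")
    return "\n".join(lines)


# Constructed sample registrations.
ROGUE = ClientRegistration("Google Docs", "dev-account.example", False,
                           ["mail.full_access", "contacts.read"])
LOOKALIKE = ClientRegistration("G\u043e\u043egle D0cs", "dev-account.example", False, ["docs.read"])
VETTED = ClientRegistration("Mail Merge Pro", "mergepro.example", True, ["mail.send"])
BENIGN = ClientRegistration("Calendar Sync", "calsync.example", True, ["calendar.read"])

if __name__ == "__main__":
    for reg in (ROGUE, LOOKALIKE, VETTED, BENIGN):
        print(decide(reg), review_registration(reg))
    print(consent_prompt(ROGUE))
```

The substring match on the normalized name is deliberately strict, so a third-party name such as "Add-on for Google Docs" is also rejected and would need an operator-approved exception.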

Authorizing third-party applications can greatly increase the value of a service, but it carries serious responsibility. Anyone who implements it needs to be aware of its dangers and make choices that minimize the chances of abuse.

If you’re concerned with the security of your planned website, OrangeWebsite will provide hosting that will satisfy your needs. Contact us to learn more.

UK’s Internet Troll Policy: A threat to Freedom of Speech or a Better Protection for Individuals?

An image of a man's mouth sealed with 'freedom' note

Freedom of Speech is a serious matter. The United Kingdom, however, is trying, via new online laws, to protect individuals who have felt threatened through social media. Will it violate Freedom of Speech?

The United Kingdom recently introduced new sentencing measures for Internet trolls found guilty of sending threatening or abusive messages online. However, many worry the new legislation may infringe on the civil liberties and freedom of speech of those simply expressing their opinions in an emphatic manner. The new legislation will allow serious offenses to be decided by the Crown Courts with a maximum sentence of 24 months, four times the previous standard sentence. Currently, these offenses are handled by local magistrates.

Why the Harsher Sentences?

The increase in penalties for internet trolls is directed at those who threaten to rape or kill through online communication. The threatening of celebrities and other high-profile figures has brought the issue to the forefront. For example, Chloe Madeley, the daughter of UK talk show host Judy Finnegan, recently received threatening tweets after she defended her mother’s comments about a rape case involving a footballer. Lawmakers feel the stiffer sentencing is warranted because “we would not permit such venom in person,” stated Justice Secretary Chris Grayling.

Concerns over Freedom of Speech

Although no one is defending online rape and death threats, experts warn that the new law could punish those that are simply expressing criticism. The legislation lacks balance in differentiating between abusers and those expressing their opinion. These concerns are not far-fetched. Even without the new maximum sentences, there have been cases where authorities have prosecuted people under the Public Order Act for questionable reasons.

For example, the 2012 case of Paul Chambers hinged on what he thought was a joke. After realizing the Robin Hood Airport was closed due to weather, he tweeted, “Crap! Robin Hood airport is closed. You’ve got a week and a bit to get your [expletive] together otherwise I’m blowing the airport sky high!!” He was convicted by a district judge and two judges upheld the conviction on appeal. A high court ultimately reversed his conviction, but not before he lost two jobs and spent the better part of two years engaged in his legal battle.

Many civil-liberties experts assert that true threats to an individual’s safety should be pursued through harassment laws, not communication legislation that can potentially infringe on the rights of those vehemently expressing their opinion or making what they think is a joke. Advocates for freedom of speech are concerned about comments from legislators like former Conservative MP Edwina Currie who stated that “people should learn to show restraint when making online comments.” While “showing restraint” may be an admirable goal, and direct threats should be taken seriously, who knows how slippery this slope is?

OrangeWebsite’s professionals closely monitor freedom of speech laws and cases around the world. We’ll closely watch the results of this legislation as it makes its way through Parliament. Contact us to learn more about our services.

How Safe are your Personal Data in Modern Online Society?

An image of hand writing 'online privacy' with black marker on transparent wipe board.

There is nothing wrong in being cautious when submitting your Personal Data on the Internet.

Facebook and Google are two of the biggest names on the internet today. What lots of people don’t know is how these websites who don’t sell anything can possibly make so much money.

The answer is advertising. But it goes a little bit deeper than that.

How Deep Does It Go?

The commodity that both Facebook and Google have in common is you, the users. These websites pay attention to the things that you like and dislike, which allows them to tailor ads to fit your taste and then to put those ads in bold colours right on your screen. That’s how these companies earn billions of dollars in revenue annually: by working with companies to make sure you see the right ads that persuade you to go and buy their products.

Shouldn’t I Get Some Privacy on The Internet?

Lots of people wonder whether tracking their internet activity isn’t a violation of their privacy. The issue is that by using these services you’ve already given your consent for the sites to log and use most of your information.

You know those long, complicated user agreements that most of us just pass right over so we can finish setting up our accounts? If you read Facebook’s a little more carefully, you find all sorts of things. For instance, if you don’t opt out of their advertising program, then your name and profile image can be used to promote ads for pages you’ve liked. Additionally, information about your online activity can be sold, provided Facebook doesn’t give out your name or other, more personal information. What you like and the events that get your attention are all fair game.

While Facebook is a huge source of information, Google might be called the king of data mining. The search engine analyses what’s sent over Gmail and searched for on Google in order to determine what is trending at the moment. This information is then used to target ads and to try and get client products in front of a buying audience.

So What’s The Big Deal?

Data mining is primarily used for sales and advertising, but it can be used for more than that. Data mining can create a digital profile that makes it possible to assess job candidates, whether someone should be awarded custody of his or her children, or even (if some apps are to be believed) if someone is cheating on their spouse.

That’s the big deal regarding data mining, and Google and Facebook are at the forefront of the practice. It’s why many people who have realized how exposed social networking makes them have opted to share less and less of their information with the online community as well as the corporations who run it. It’s hard to maintain their privacy, but one of the chief methods they use is by giving away as little as they possibly can.

To learn more about online privacy and how you can make changes to take extra caution, contact us today!

Understanding the Right for Privacy on the Internet

An image of young girl working on laptop at home covering man's face with hand.

Limiting the amount of personal information on the internet can help to minimize the possible risks.

It seems like every time you check your newsfeed, there’s another story about someone’s privacy being violated online. Whether it was the GamerGate movement handing out Felicia Day’s personal information, the NSA collecting aggregate data from people online, or the hacktivist group Anonymous handing out information users thought was secure, it seems that online privacy is an easily-breached fence.

The fact that privacy is regularly breached, however, doesn’t answer the bigger, more important question: do you have a right to privacy on the Internet?

What is Right to Privacy?

For those looking for the right to privacy in the American Constitution, stop searching because it’s not in print. The idea of the right to privacy is something that the U.S. Supreme Court has said is implied by other amendments in it, including the 4th, 5th, 6th, and 9th. The court argues that people have a right to keep their private lives private from the government. They have a right to not consent to unreasonable, warrantless searches, and to remain silent when they’re being asked questions without a representative.

What does It Mean on the Internet?

Most western governments have some sort of privacy law, but whether they’ve caught up with modern technology is another matter. The main issue when it comes to privacy on the internet isn’t only about government spying. By and large, people’s information is not even being stolen from them; rather, most people’s personal information is already out there for anyone who knows how to find it.

Let’s take an obvious example, Facebook. When you joined the social network, you agreed to its terms of service. This includes collecting your information, keeping records of everything that you post and keeping things you’ve deleted on file for 90 days or more in many cases. It also means that your information as a user (what you like, what you follow, your age, gender, pretty much everything including your name and other personal details) can be sold to the highest bidder. This is called data mining, and advertisers typically use it to figure out what a target audience likes, so they can create the best possible ads to entice those groups. Anyone who has ever seen an ad in their feed obviously targeted to them has probably figured this out by now.

That’s not all that is going on in a social network. For instance, you may have your privacy settings so that only friends can see your content. But if just one of your friends likes or shares a post, then the control is out of your hands and now anyone in that friend’s network can see what happened. This was a major issue for a teacher whose pictures of herself at a brewery cost her her job, even though she was certain none of her students could access her Facebook page or photos because of her privacy settings. They couldn’t, but it was a parent who found her page.

One Great Big Modern Mess

Just as British children today might not see why Brave New World is a terrifying book, since there are cameras everywhere and invasion of privacy is commonplace, it is often difficult for people to understand what they’re giving up in the age of the Internet. As soon as a picture, status or piece of personal information is put up somewhere on the web, it has been logged, archived and stored. If someone can legitimately find that information without violating any user agreements, that is not a violation of your privacy on the internet, because you are the one who put it out there in the first place. It is also why law enforcement can use your Facebook feed to track you down and apprehend you. The same goes for corporate data mining: nothing you put up on a social network hosted by someone else truly belongs to you anymore.

No Data Online is 100% Secure

An important thing for internet users to understand is that no data connected to the World Wide Web is 100% secure. Even if the service where the information is submitted uses the latest security software and patches, hackers may still find a way to break in, and it has happened numerous times before with well-known internet services. If you have highly classified data, including pictures or documents you don’t want ANYONE to see, keeping those on offline storage is the only completely secure solution.

So What Can I Do?

For starters, you can limit or stop putting your information out there if you don’t want the world to see it. Most of us are not willing to do that, so at the very least you should know how your information is being used and make sure you know what you’re actually agreeing to.

Finally, there are examples where invasion of privacy on the internet contributes to a real crime. For instance, finding someone’s home address by checking public records is not illegal. Indiscriminately dispersing that information along with an associated threat has constituted several crimes, like the rape and death threats faced by many online feminist activists. At a minimum, threats like this should get the user banned, and the individual may also be brought up on charges like reckless endangerment, libel, or defamation of character, depending on the circumstances.

So even if you don’t always have a right to privacy on the internet, you do still have a right to safety. Many believe that is just not enough, and numerous questions remain about digital law enforcement, but at least it’s a good awareness to start with.

To find out more about improving your privacy on the internet, please contact us. We will be happy to answer your questions and help you any way we can with this process.