July 2013 - Page 3 of 3 - The Privacy Post


Is Your Government A Source of Malware?

Posted by on Jul 3, 2013

Many enterprises are already familiar with malware: IT teams maintain devices and publish best practices for keeping infections off the corporate network. But according to recent news, malware is no longer coming only from criminal hackers; it is also coming from governments around the world. Protecting sensitive company and consumer data from government-backed malware and legal snooping means shielding it in a private cloud service whose provider cannot read what it stores.

[Image: Government Malware. Photo courtesy of cnmeonline.com]

According to a recent Reuters special report, the United States government has become the largest single buyer of malware in the world, sparking protest and concern from both consumers and enterprises. The security industry has voiced concern over the government’s refusal to disclose the vulnerabilities it purchases, disclosure that would let vendors patch them and let enterprises and consumers defend against the resulting malware. Instead, the government has used such exploits to develop spying tools and cyber weapons for an ongoing cyber war against foreign networks. A vulnerability kept secret for offensive use stays open to anyone else who independently finds it, and according to former White House cyber security advisor Richard Clarke, this aggressive strategy has left American consumers and enterprises exposed to hacking and security breaches by way of their own government’s stockpile. Clarke said, “If the U.S. government knows of a vulnerability that can be exploited, under normal circumstances, its first obligation is to tell U.S. users.” And a recent New York Times report revealed that the Obama administration has asserted the right to stage a pre-emptive cyber attack against any perceived threat in the name of defense.

[Image: Malware Infections. Image courtesy of Microsoft.com]

Such developments have whittled away at consumer confidence in the possibility of a more private Internet. And the justified paranoia doesn’t stop at the NSA’s notorious PRISM program: reports indicate that such data collection isn’t limited to the nine major technology firms named in the PRISM slides, with thousands of finance, technology, and manufacturing companies routinely and willingly handing data over to the U.S. government in return for benefits like access to classified threat information. According to Bloomberg’s Michael Riley, these companies have ongoing agreements with agencies like the NSA, FBI, and CIA to provide data that could bolster national security while helping to develop offensive strategies against suspected enemies of the U.S. Even programs that purportedly cover only infrastructure can undermine privacy, as shown by the federal Einstein 3 intrusion-prevention program. Originally developed to protect government systems against hackers, Einstein 3 inspects billions of emails between government computers to check for malware.

But the threat of malware doesn’t come only from the U.S. government; malware has been traced to governmental sources around the world. One example is Trend Micro researchers’ discovery of Brazilian government websites serving malware variants to visitors under the guise of Adobe Flash Player and other Adobe updates. The malware drops an executable and a Java file disguised as a generic .GIF image, a disguise that fools anyone who trusts the file extension rather than the file’s contents. Once it has altered the system’s security settings, it downloads additional files, including a .JAR that creates a new administrator account. That account enables multiple concurrent remote desktop sessions, giving the attackers remote control of the computer.

[Image: Malware Around the World. Image courtesy of securelist.com]

Another instance of government-backed malware is NetTraveler, which has infiltrated the systems of more than 300 victims in forty countries. Targets included government agencies and private organizations in sectors like communications, nanotechnology, and nuclear power. According to Kaspersky, NetTraveler dates back to 2004 and is most likely a Chinese cyber-espionage tool. Many targets are Uyghur and Tibetan activists. “Based on collected intelligence, we estimate the group size to about 50 individuals, most of which speak Chinese natively and have working knowledge of the English language,” said a Kaspersky spokesperson, who added, “NetTraveler is designed to steal sensitive data as well as log keystrokes, and retrieve file system listings and various Office or PDF documents.” NetTraveler infects victims through spear-phishing emails carrying Microsoft Office attachments. The malicious attachments exploited CVE-2010-3333 (a stack buffer overflow in Office’s RTF parser, patched in 2010) and CVE-2012-0158 (a buffer overflow in the MSCOMCTL ActiveX control, patched in 2012); both fixes predate the campaign’s discovery, so organizations that were current on Microsoft updates were not exploitable by these attachments.
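Both campaigns above rely on the recipient trusting what a file claims to be: a “.GIF” that is really a Windows executable or a Java archive, or an Office attachment that is really an exploit carrier. The triage routine below is an added example (not code from the original post, Trend Micro or Kaspersky) that classifies a file by its leading bytes and flags two things a mail gateway or endpoint scanner would want to catch: an extension that lies about the content, and Office or RTF content that deserves detonation or signature scanning before delivery. The signature table, the allowed-type map, and the sample files are constructed for the example.

```javascript
"use strict";

// Byte signatures for the container types that matter here. Only exact prefixes are
// matched, so the order of entries does not change the result.
const MAGIC = [
  { type: "gif",  bytes: Buffer.from("GIF87a", "latin1") },
  { type: "gif",  bytes: Buffer.from("GIF89a", "latin1") },
  { type: "jpeg", bytes: Buffer.from([0xff, 0xd8, 0xff]) },
  { type: "pe",   bytes: Buffer.from("MZ", "latin1") },                          // Windows .exe/.dll
  { type: "zip",  bytes: Buffer.from([0x50, 0x4b, 0x03, 0x04]) },                // ZIP: .jar, .docx, .xlsx
  { type: "ole",  bytes: Buffer.from([0xd0, 0xcf, 0x11, 0xe0, 0xa1, 0xb1, 0x1a, 0xe1]) }, // legacy .doc/.xls
  { type: "rtf",  bytes: Buffer.from("{\\rtf", "latin1") },
  { type: "pdf",  bytes: Buffer.from("%PDF", "latin1") },
];

// Container type each extension is allowed to contain (assumed policy for the example).
// Extensions not listed, such as .txt, are not checked for a mismatch.
const EXPECTED = {
  gif: ["gif"], jpg: ["jpeg"], jpeg: ["jpeg"],
  exe: ["pe"], dll: ["pe"], jar: ["zip"],
  doc: ["ole"], xls: ["ole"], ppt: ["ole"], rtf: ["rtf"],
  docx: ["zip"], xlsx: ["zip"], pptx: ["zip"], pdf: ["pdf"],
};

// Office document extensions: the NetTraveler lures were Office attachments carrying
// exploits for CVE-2010-3333 (RTF) and CVE-2012-0158 (MSCOMCTL), so these are held for
// inspection even when the extension is honest.
const OFFICE_EXT = new Set(["doc", "xls", "ppt", "docx", "xlsx", "pptx", "rtf"]);

// Identify the real container type from the first bytes; "unknown" if nothing matches.
function sniff(buf) {
  for (const { type, bytes } of MAGIC) {
    if (buf.length >= bytes.length && buf.subarray(0, bytes.length).equals(bytes)) return type;
  }
  return "unknown";
}

// Triage one file: "block" when the extension misrepresents the content (the
// .GIF-that-is-really-MZ case), "review" for Office/RTF content, "allow" otherwise.
function triage(name, buf) {
  const ext = name.includes(".") ? name.split(".").pop().toLowerCase() : "";
  const detected = sniff(buf);
  const reasons = [];
  let verdict = "allow";

  const allowed = EXPECTED[ext];
  if (allowed && !allowed.includes(detected)) {
    reasons.push(`extension .${ext} but content is ${detected}`);
    verdict = "block";
  } else if (OFFICE_EXT.has(ext) || detected === "ole" || detected === "rtf") {
    reasons.push("Office document: detonate or scan for known exploit patterns before delivery");
    verdict = "review";
  }
  return { name, ext, detected, verdict, reasons };
}

// Constructed sample inputs; only the leading bytes matter to the classifier.
const SAMPLES = [
  ["flash_update.gif", Buffer.concat([Buffer.from("MZ", "latin1"), Buffer.alloc(62)])],
  ["update.gif", Buffer.from([0x50, 0x4b, 0x03, 0x04, 0x14, 0x00])],
  ["logo.gif", Buffer.from("GIF89a\x01\x00\x01\x00", "latin1")],
  ["agenda.doc", Buffer.from([0xd0, 0xcf, 0x11, 0xe0, 0xa1, 0xb1, 0x1a, 0xe1, 0x00, 0x00])],
  ["invitation.rtf", Buffer.from("{\\rtf1\\ansi", "latin1")],
  ["notes.txt", Buffer.from("meeting at 10", "latin1")],
];

function triageAll(samples = SAMPLES) {
  return samples.map(([name, buf]) => triage(name, buf));
}

for (const r of triageAll()) {
  console.log(`${r.verdict.padEnd(6)} ${r.name} (${r.detected}) ${r.reasons.join("; ")}`);
}
```

Note what this does and does not do: a magic-byte check defeats a renamed executable or archive, but an honest .doc or .rtf that carries an exploit passes the check and is only routed to review, which is why the Office case gets its own verdict rather than an allow.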

Shielding Private Data with SpiderOak

A good way to shield sensitive consumer and corporate data from snooping eyes is to store and sync it through a private cloud service. For enterprises that want a truly private cloud, SpiderOak Blue offers both a fully private hosted (“public”) deployment and an onsite server deployment. Choosing the right third-party cloud service can be a challenge, as many services on the market have security gaps that leave private data exposed to third-party attacks, malware, and legal snooping. SpiderOak sets itself apart by providing a fully private cloud service with all of the benefits of cloud storage while the provider itself remains unable to read what users store.

SpiderOak protects sensitive enterprise data with 256-bit AES encryption so that files and passwords stay private. Authorized accounts can store and sync sensitive data privately because the service is “zero-knowledge”: it holds neither user passwords nor plaintext data. All plaintext encryption keys are kept exclusively on approved devices, and SpiderOak never hosts plaintext data. SpiderOak Blue is available for enterprises on Windows, Mac, and Linux, along with Android and iOS mobile devices, making it one of the few cross-platform solutions on the market.


Shielding Yourself from the PRISM

Posted by on Jul 2, 2013

In the past few weeks, privacy advocates around the world have unleashed a flurry of anger and frustration across the web in response to PRISM and the wider NSA scandal. PRISM is a classified program run by the United States National Security Agency. The program collects online data from nine major Internet companies, including Google, Apple, and Facebook. PRISM operates under the classified jurisdiction of the Foreign Intelligence Surveillance Court, and a leaked PowerPoint presentation exposing the program has kicked off growing international and domestic calls for greater governmental transparency and a global standard for online privacy rights. PRISM surveillance even extended to data on Europeans, making this one of the most extensive monitoring programs in U.S. history.

[Image: PRISM. Image courtesy of vr-zone.net]

According to the government, the controversial PRISM program targets only digital information on foreign suspects. Under the program the NSA has gathered file transfers, photos, chat records, videos, and e-mails from the leading tech companies. Even more disturbing are the allegations of how the NSA obtained that data: major publications claimed that PRISM gave the NSA and FBI direct access to the central servers of some of the most iconic Internet companies in the United States. Those companies have scrambled to justify or deny their compliance with PRISM in an effort to calm frustrated customers.

[Image: NSA. Image courtesy of electricfeast.com]

Recently, Google Chief Architect Yonatan Zunger went so far as to write, “the only way in which Google reveals information about users are when we receive lawful, specific orders about individuals…it would have been challenging — not impossible, but definitely a major surprise — if something like this could have been done without my ever hearing of it…We didn’t fight the Cold War just so we could rebuild the Stasi ourselves.” And as Yahoo! general counsel Ron Bell said, “The notion that Yahoo! gives any federal agency vast or unfettered access to our users’ records is categorically false…Of the hundreds of millions of users we serve, an infinitesimal percentage will ever be the subject of a government data collection directive.” Neither of these corporate retorts comes right out and denies involvement; each works to defuse the controversy by diminishing the importance of an unprecedented attack on consumer privacy rights.

[Image: Timeline of the PRISM Program. Image courtesy of ABCNews.com]

According to Facebook CEO Mark Zuckerberg, “Facebook is not and has never been part of any program to give the U.S. or any other government direct access to our servers.” A statement by Microsoft echoed the denial: “We only ever comply with orders for requests about specific accounts or identifiers…If the government has a broader voluntary national security program to gather customer data, we don’t participate in it.” The wave of PRISM denials reached Apple as well, with spokesman Steve Dowling going so far as to say, “We have never heard of PRISM…We do not provide any government agency with direct access to our servers, and any government agency requesting customer data must get a court order.”

For consumers, this distancing and categorical denial is confusing, and major brands have been damaged regardless of the truth of the allegations. According to documents leaked by whistleblower Edward Snowden, the companies implicated in the PRISM scandal include Google, Skype, Paltalk, AOL, Yahoo!, Microsoft, Apple, and Facebook. According to Scott Cleland, President of Precursor, this rejection of responsibility is routine: corporate policies are designed to keep executives in a position of plausible deniability. Cleland says, “The companies are smart…They would have broadly delegated authority for their company’s NSA compliance to a very small number of individuals supervised by a company legal official of some kind; and only those few people would get the security clearances necessary to know what is transpiring.” And John Simpson, Privacy Project Director for Consumer Watchdog, echoes the sentiment: “The massive database that Google has is a honeypot for the NSA, and the snoops wouldn’t be using unconstitutional overreaching surveillance tactics if Google didn’t have this data and retain it for so long.”

Protecting a brand’s reputation lies in the hands of corporations and enterprises, not the government. In an era when both citizen and consumer confidence is low, it’s important that consumer data stay protected. Companies that take extra steps to protect their customers will be rewarded with trust, brand awareness, and long-term relationships. One of the best ways to protect consumer and corporate data is to use a private cloud service for storage and sync.

Securing Consumer Privacy with SpiderOak

Finding a truly protected third-party cloud service can be a challenge, as many “secure” services on the market have security gaps that leave private corporate and consumer data open to third-party attacks and even government spying. One cloud storage and sync service that sets itself apart is SpiderOak Blue. It provides enterprises with fully private cloud storage and sync and all of the benefits of the cloud, and because data is encrypted before it leaves the device, even if the government accessed the servers all it would obtain is unreadable blocks of data. SpiderOak Blue is available as an onsite deployment on private servers or as an outsourced deployment on a private, secured public cloud server.

SpiderOak protects sensitive enterprise data with two-factor authentication and 256-bit AES encryption so that files and passwords stay private. Two-factor authentication works like the process used by some financial services, which require a PIN as an extra precaution along with a password in order to log in. With SpiderOak, enterprises that enable two-factor authentication must submit a one-time code delivered by text message along with their password. Authorized accounts can store and sync sensitive data privately because the service is “zero-knowledge”: it holds neither user passwords nor plaintext data. All plaintext encryption keys are kept exclusively on approved devices, and SpiderOak never hosts plaintext data. This way, even if PRISM continues unchanged, customers can rest easier knowing that their stored data is protected. SpiderOak Blue’s cross-platform private cloud services are available for enterprises on Windows, Mac, and Linux, along with Android and iOS mobile devices.


Lock it Up: Security Onsite & in the Cloud

Posted by on Jul 1, 2013

After the fallout from the NSA PRISM scandal, companies have flocked to encryption services in droves. But many major enterprises still hesitate to fully protect their data. A recent Kaspersky Lab and B2B International survey of over 5,000 senior IT managers found that 35% of participating companies don’t properly encrypt data onsite, leaving gaps that expose sensitive consumer and corporate data to a breach. Leaks, corporate espionage, and government snooping can permanently damage a brand, so companies looking to turn technology to their advantage stay ahead of the competition by encrypting sensitive data and using private third-party cloud services for storage and sync.

[Image: Onsite Encryption. Image provided by macobserver.com]

Encryption technology has come a long way. In 1995, a U.S. intelligence official reported that “The ability of just about everybody to encrypt their messages is rapidly outrunning our ability to decode them.” Now the National Security Agency has developed ways to tap central servers and mine consumer metadata under the banner of the war on terror. In the controversial PRISM program, the NSA has seized, stored, and analyzed data on millions of consumers. But consumers and enterprises that trust their data to a truly private cloud service can have peace of mind knowing that even in the case of a subpoena or government snooping through PRISM, all that U.S. spies would be able to see are unreadable blocks of data. This is because encrypted data is useless without the encryption keys, which are what turn those blocks back into readable files. According to Princeton University computer scientist Ed Felten, “A key is supposed to be associated closely with a person, which means you want a person to be involved in creating their own key, and in verifying the keys of people they communicate with.” Many cloud services hold plaintext data as well as the encryption keys, which means the company itself can read information that customers might assume is private, and whatever the company can read it can also be compelled to hand over. So it’s important to choose a third-party cloud service that never stores plaintext and that encrypts on the client, with keys stored exclusively on approved user devices or servers so that the company doesn’t even have a copy.

[Image: PRISM Program. Image courtesy of idownloadblog.com]

According to the Electronic Frontier Foundation’s Seth Schoen, the NSA scandal should concern all users and enterprises. Some might see no problem with government access to metadata like IP addresses and phone logs, but even such seemingly innocuous information could be used to profile and even blackmail citizens, consumers, and enterprises. And according to Justin Johnson of Late Labs, the PRISM controversy “is an important reminder that what we share online and communicate to others via technology can, and sometimes will, be seen by people that we didn’t intend to see it.” Both enterprises and consumers must be proactive in securing their sensitive data, for as John Simpson, Director of the Privacy Project at Consumer Watchdog, says, “These tech companies, and the government, know more and more about people’s private lives.”

[Image: Aaron Swartz, co-creator of Strongbox. Photo courtesy of ProgressiveVoices.com]

Such a climate has sent a wave of paranoia through the web community as enterprises scramble to build truly private solutions, hoping to win loyalty by positioning themselves as liberty and privacy advocates. One such attempt is The New Yorker’s Strongbox. In an age when reporters have to worry about being monitored and whistleblowers can’t be assured of protection, Strongbox lets people submit tips and documents with a reasonable degree of anonymity. The submission service operates like a private cloud drop box and was built on DeadDrop, open-source code written by Kevin Poulsen and Aaron Swartz. Such steps show strong market demand for services that offer real data privacy and user anonymity.

Protecting Corporate and Consumer Privacy

But finding a truly protected third-party cloud service can be a challenge, as many cloud services on the market have weaknesses that leave private corporate and consumer data open to third-party attacks and even government spying. One cloud storage and sync company that sets itself apart is SpiderOak, with SpiderOak for individual users and SpiderOak Blue for enterprises. The service provides fully private cloud storage and sync with all of the benefits of the cloud, and because files are encrypted before upload, even in the case of a PRISM-style seizure all the NSA would obtain is unreadable blocks of data.

SpiderOak protects user and enterprise data with two-factor authentication and 256-bit AES encryption so that files and passwords stay private. Authorized accounts can store and sync sensitive data privately because the service is “zero-knowledge”: it holds neither user passwords nor plaintext data. All plaintext encryption keys are kept exclusively on approved devices, and SpiderOak never hosts plaintext data. This way, even if the PRISM program is allowed to continue, consumers and enterprises can rest easier knowing that their stored data, and with it their brand, is protected. SpiderOak’s cross-platform private cloud services are available for users and enterprises on Windows, Mac, and Linux, along with Android and iOS mobile devices.