October 2013 - The Privacy Post


Mobile apps vulnerable to HTTP Request Hijacking

Posted by on Oct 31, 2013

Image from http://blog.farreachinc.com

Like many people, I like to start my day by opening the news app on my smartphone and reading about what’s going on around the world. I completely trusted my news application for the daily news, until I stumbled upon this blog post about vulnerabilities in mobile phone apps. According to the researchers at Israel-based Skycure, large numbers of iPhone and iPad apps are susceptible to attacks that cause them to interact with a malicious server instead of the legitimate one. The majority of mobile apps interact with a server to send or retrieve data.

An attacker carries out the attack by altering the server URL from which the app loads its data, redirecting the victim’s app to a malicious server. Once redirected, apps that display news, social media content, or stock quotes can be manipulated to show fraudulent content, and data sent by the end user can be intercepted. Once an app has been tampered with, it continues to connect to the attacker-controlled server for a prolonged time.

The team at Skycure came across this redirection bug in their own app. Soon after, they tested a number of high-profile apps and found that about half of them were vulnerable to the attack. This kind of weakness is called HTTP request hijacking (HRH) and is estimated to affect at least 10,000 titles in the App Store.

Browsers and apps store HTTP redirections in a cache, so that they can use the updated address the next time the end user visits the old address. An app or browser receives an HTTP response with the 301 Moved Permanently status code when a URL has changed. An attacker can exploit this Moved Permanently response to alter and control the application without the victim knowing about it. While using a mobile app, there is no way for us to visually figure out which server we are connected to. By contrast, address forwarding is easy to notice in the address bar of a web browser.

Image from http://www.skycure.com

To conduct this attack, an attacker first performs a man-in-the-middle attack on an unsecured Wi-Fi connection. When a user opens a vulnerable app, the attacker intercepts the HTTP request it sends and responds with a fake 301 status response. From then on the app connects to the attacker-controlled server even when it is on a trustworthy network. According to the Skycure team’s research, this attack can only happen if the attacker is physically near the victim for the initial poisoning (the later steps of the attack do not depend on the victim’s location) and a plain HTTP connection is used to reach the server. Apps that use HTTPS correctly are less likely to fall prey to such an attack. However, a victim can be socially engineered into installing a malicious profile that includes fraudulent digital certificates. Besides iOS, apps that run on Android and Microsoft’s Windows Phone may also be vulnerable, but the security researchers at Skycure have not performed enough testing to be sure.

How to protect yourself from HTTP Request Hijacking attacks?

  • If you suspect that one of your apps has been hijacked, immediately remove the app and reinstall it.
  • Always use apps that connect over HTTPS; that way you are protected against this kind of attack. HTTPS encrypts the communication channel over the Internet, so it is far harder to break into an HTTPS connection than an HTTP one.
  • Skycure recommends a remediation for app developers: subclass NSURLCache so that 301 redirect responses are not cached.

Image from http://www.skycure.com
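Skycure’s developer remediation, worked through as an added example that is not Skycure’s or SpiderOak’s code: an NSURLCache subclass that refuses to persist permanent-redirect responses, installed as the app’s shared cache at launch. The class name NoPermanentRedirectCache, the helper InstallNoPermanentRedirectCache and the cache capacities are assumptions, and the block goes slightly beyond the post by dropping 308 Permanent Redirect responses alongside 301.

```objective-c
#import <Foundation/Foundation.h>

// Hypothetical class name. Behaves exactly like NSURLCache except that
// permanent redirects (301, and 308 as a generalisation) are never stored,
// so a single spoofed 301 cannot keep steering future requests of the app.
@interface NoPermanentRedirectCache : NSURLCache
@end

@implementation NoPermanentRedirectCache

- (void)storeCachedResponse:(NSCachedURLResponse *)cachedResponse
                 forRequest:(NSURLRequest *)request
{
    NSURLResponse *response = cachedResponse.response;
    if ([response isKindOfClass:[NSHTTPURLResponse class]]) {
        NSInteger status = ((NSHTTPURLResponse *)response).statusCode;
        if (status == 301 || status == 308) {
            // Drop the entry: the redirect is followed for this request only
            // and will not be replayed from cache on the next launch.
            return;
        }
    }
    [super storeCachedResponse:cachedResponse forRequest:request];
}

@end

// Call this before any networking happens, e.g. from
// application:didFinishLaunchingWithOptions:. Capacities are assumed values.
static void InstallNoPermanentRedirectCache(void)
{
    NoPermanentRedirectCache *cache =
        [[NoPermanentRedirectCache alloc] initWithMemoryCapacity:4 * 1024 * 1024
                                                    diskCapacity:20 * 1024 * 1024
                                                        diskPath:nil];
    // Purge anything written by the old cache, so an entry poisoned before
    // this fix shipped does not survive the app update.
    [cache removeAllCachedResponses];
    [NSURLCache setSharedURLCache:cache];
}
```

The purge is what the “remove and reinstall” advice achieves by hand; shipping it with the fix spares users that step.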

Secure your data with SpiderOak

For most developers and users, finding a truly protected third-party cloud service can be a challenge, as many “secure” services on the market have security gaps that leave data and private company information wide open to third-party attacks, leaks, or hacking. One cloud storage and sync service that sets itself apart from the rest of the market is SpiderOak. This service provides businesses with fully private cloud storage and syncing, featuring all of the benefits of the cloud along with 100% data privacy. SpiderOak is available with onsite deployment and private servers or outsourced deployment through a private and secured public cloud server, so that users can tailor the service to fit their needs.

SpiderOak protects sensitive user data with 256-bit AES encryption so that data, files, and passwords stay private. Authorized accounts and network devices can store and sync sensitive data with complete privacy, because this cloud service has absolutely “zero-knowledge” of user passwords or data. And all plaintext encryption keys are exclusively stored on approved devices because SpiderOak never hosts any plaintext data. This way, even if programs like NSA’s PRISM continue to stand unchallenged, developers can rest easy knowing that their data is truly protected. SpiderOak’s cross-platform private cloud services are available for users on Windows, Mac, and Linux platforms, along with Android and iOS mobile devices, allowing for full flexibility and enabling a secure mobile workforce.


How the NSA is Controlling the Internet

Posted by on Oct 30, 2013

Image from http://raymondpronk.files.wordpress.com

Recently, I came across an interesting article by security researcher Bruce Schneier titled “The Battle for Power on the Internet”. The article discusses the battle for power in cyberspace between traditional, institutional bodies like governments and cyber criminals (i.e. hackers). From the recent revelations about the NSA’s PRISM program, it looks like the government is winning this battle big time. The NSA has the power and resources to spy on each and every one of us. It has succeeded in circumventing the majority of security controls on the web in order to gain control over Internet communications. In my previous blogs, we have seen how the government has joined hands with technology giants like Google, Apple, Facebook and other well-known companies to get access to user data that it could not have accessed otherwise. Most of these companies provide information to the government, betraying their users’ trust. Besides that, the NSA also works with security vendors to understand the vulnerabilities of widely used commercial products and later exploits them for surveillance purposes.

Image from http://www.theatlantic.com/

On the other hand, cybercriminals are very quick to take advantage of new technologies to accomplish their goals. In the early days of the Internet, cybercriminals became more powerful because they could use this new technology to carry out crimes before the government could think of a better way to use it. A new technology always benefits a hacker more than institutional powers, because hackers are not hindered by bureaucracy, ethics or laws. Therefore they evolve faster than the institutional powers. However, when the big, powerful institutions figure out a way to harness the Internet, they become even more powerful. For example, “while the Syrian dissidents used Facebook to organize, the Syrian government used Facebook to identify dissidents to arrest.” We saw the launch of the new iPhone 5S with a fingerprint reader recently. Guess what? Two days after the smartphones went on sale, the Germany-based hacker group Chaos Computer Club (CCC) claimed to have bypassed the fingerprint reader of the iPhone 5S. The group confirmed the bypass on its website, saying: “A fingerprint of the phone user, photographed from a glass surface, was enough to create a fake finger that could unlock an iPhone 5s secured with Touch ID.”

Image from http://www.4pointsecurity.com

I totally agree with Schneier’s statement – “it is a battle between the quick and the strong”.

After reviewing the strengths and weaknesses of both hackers and the government, I feel that as technology advances this battle is going to get worse. As a result, there will be more risks to the privacy of ordinary people using the Internet. We do not have the technical ability to protect our data from government snooping, or to prevent hackers from preying on us. With the rise of cloud computing we no longer have control over our data, as it is stored on the servers of tech companies like Apple, Google, Microsoft and so on. From the PRISM revelations, it is clear that the government can get access to our data whenever it wants by simply issuing a warrant to these companies. In such a situation, what needs to be done to maintain the privacy of users on the Internet? Firstly, the government needs to be transparent about its use of user data. The more we learn about how our data is being handled by the government, the more we can trust that it is not abusing its authority. “Transparency and oversight give us the confidence to trust institutional powers to fight the bad side of distributed power, while still allowing the good side to flourish. For if we’re going to entrust our security to institutional powers, we need to know they will act in our interests and not abuse that power. Otherwise, democracy fails.”

Secondly, the technology companies also need to be transparent about their cooperation with the NSA in handling user data. We have seen in the past that technology companies have teamed up against the NSA to publish transparency reports of the user data requests made by the government. A detailed report explaining what information they provided in response to National Security Letters and other government demands will help these companies gain the trust of their users. The cloud storage companies should also implement strong security controls like strong passwords, longer keys or complex hash algorithms that make it difficult for anyone to access user data.

Lastly, we as users need to be aware of the security risks that come with the Internet and take proper security measures to protect our data from unauthorized access.

Secure your personal data with SpiderOak

Users sometimes find that selecting a truly protected third-party cloud service can be a challenge, as most “secure” services on the market have glaring security gaps that leave their sensitive data wide open to third-party attacks, leaks, and hacking. One rapidly expanding cloud storage and sync service that sets itself apart from the rest of the market is SpiderOak. This service provides users with fully private cloud storage and syncing, featuring all of the benefits of the cloud along with 100% data privacy. SpiderOak is available with onsite deployment and private servers or outsourced deployment through a private and secured public cloud server, so that users and small businesses of all sorts and sizes can tailor the service to fit their needs.

SpiderOak protects sensitive user data with 256-bit AES encryption so that files and passwords stay private. Authorized accounts and network devices can store and sync sensitive data with complete privacy, because this cloud service has absolutely “zero knowledge” of user passwords or data. All plaintext encryption keys are stored exclusively on approved devices, because SpiderOak never hosts any plaintext data. This way, even if programs like the NSA’s PRISM continue to stand unchallenged, people can rest easy knowing that their data is truly protected. SpiderOak’s cross-platform private cloud services are available for users on Windows, Mac, and Linux, along with Android and iOS mobile devices, allowing for full flexibility and mobile access. SpiderOak offers products like SpiderOak Hive and SpiderOak Blue to secure consumer and enterprise data. You can sign up for this product now.


Facebook Changes Privacy Setting for Teenagers

Posted by on Oct 29, 2013

Image from http://blogs.lse.ac.uk

Facebook has recently made some changes to its privacy rules for teenagers. Under the new policy, teenagers between the ages of 13 and 17 can now share their posts with everyone on the Internet. They can post status updates, images and videos that can be seen by anyone, not just their friends or friends of friends. These changes might help Facebook become more competitive against other social media networks that appeal to young users. Also, having public data on teenagers and their likes and dislikes will attract more advertisers.

When an underage user signs up for a Facebook account, their posts are shown to a narrower audience by default: only to Friends. If teenagers choose “Public” in the audience selector, they see a reminder that the post can be seen by anyone, not just people they know, with an option to change the post’s privacy. If they continue to post publicly, they get another reminder saying that anyone can now see their posts. Default settings for teenagers with existing profiles won’t change, and past posts are not affected. Besides warning users when they change a post’s audience to public, Facebook also maintains the privacy of teenagers online by:

  • Designing features that remind them who they are sharing their information with and that limit interaction with strangers.
  • Protecting sensitive information of minors, like contact details, school and birthday, from appearing in public.
  • Reminding minors that they should only accept friend requests from people they know.

Image from www.facebook.com

In a blog post, Facebook says that it has loosened the privacy restrictions to make its service more enjoyable for teenagers, and give them an opportunity to express their views and opinions in a public platform. Justifying its new move, Facebook states “Teens are among the savviest people using social media, and whether it comes to civic engagement, activism, or their thoughts on a new movie, they want to be heard. So, starting today, people aged 13 through 17 will also have the choice to post publicly on Facebook.”

Image from http://therealtimereport.com/

Although Facebook has implemented many security measures to protect teenagers, there are still certain risks that need to be addressed. Security risks of the new privacy policy for teens:

  • Technological advances have made it possible to analyze large amounts of data and identify patterns. Facebook collects massive amounts of personal data, and its search engine allows users to filter through a trove of information, including “status updates, photo captions, check-ins and comments.” So the more information teenagers share publicly, the easier it will be for unintended parties to find them. Some searches on Facebook might reveal controversial or embarrassing views, relationships and experiences of underage users.
  • Teenagers might become victims of targeted advertising by publicly sharing their interests in food, clothing or technology. Businesses that depend on social media to reach their customers will benefit hugely from this move: valuable data on teens’ interests will help them shape their marketing efforts. For example, “Favorite teen retailer Forever 21 engages its Facebook fans by posting pictures of models wearing its clothing on city streets. Customers can then purchase the items by clicking on a link that leads directly to its store. Since teenagers are statistically more susceptible to peer pressure than older Facebookers, seeing these outfits in action is more likely to prompt them to click through to see the items in the photo.”
  • Kids can bypass parental control and permission, and might end up offering sensitive information to strangers online. Cyberbullies can use that information to harass, blackmail or demean children. Through private profiles or fake identities, bullies can make outrageous claims and attacks without having to worry about retribution or consequences of any kind.
  • Facebook does not have a reliable way of verifying whether somebody signing up for a Facebook account is a minor. Millions of kids fake their age to get onto Facebook. Therefore Facebook needs to implement controls to verify users’ ages and provide younger children with a safe, secure and private experience that allows them to interact with verified friends and family members without having to lie about their age.

Social Media & Security Through SpiderOak

Social media users should be aware of how their data is collected and used before using any social media site or platform. Don’t upload anything you don’t want shared and exploited for advertising purposes, and be sure to store anything sensitive exclusively with a secure cloud provider. For most users, finding a truly protected third-party cloud service can be a challenge, as many “secure” services on the market have security gaps that leave data and private information wide open to third-party attacks, leaks, or hacking. One cloud storage and sync service that sets itself apart from the rest of the market is SpiderOak. This service provides users with fully private cloud storage and syncing, featuring all of the benefits of the cloud along with 100% data privacy. SpiderOak is available with onsite deployment and private servers or outsourced deployment through a private and secured public cloud server, so that users can tailor the service to fit their needs.

SpiderOak protects sensitive user data with 256-bit AES encryption so that photos, files, and passwords stay private. Authorized accounts and network devices can store and sync sensitive data with complete privacy, because this cloud service has absolutely “zero knowledge” of user passwords or data. All plaintext encryption keys are stored exclusively on approved devices, because SpiderOak never hosts any plaintext data. This way, even if programs like the NSA’s PRISM continue to stand unchallenged, people can rest easy knowing that their data is truly protected. SpiderOak’s cross-platform private cloud services are available for users on Windows, Mac, and Linux, along with Android and iOS mobile devices, allowing for full flexibility and mobile access.


Snapchat Not Safe From NSA Surveillance

Posted by on Oct 28, 2013

Image from http://s1.ibtimes.com

Snapchat is a photo sharing application that allows users to share images that disappear from devices after a set amount of time. You can take a picture or record a video, draw something on it and send it to your Snapchat pal. Once the receiver opens the photo or video, it automatically disappears within 10 seconds or less. The photos are also deleted from Snapchat’s servers after the user has opened them. Unopened photos remain on the company’s servers, which are run by Google, for 30 days.

Given the short amount of time that images are available to the recipient, it seems impossible that any third party could intercept them. However, the company admitted in a blog post that it will hand over photos to US law enforcement agencies and has already done so:

“Since May 2013, about a dozen of the search warrants we’ve received have resulted in us producing unopened snaps to law enforcement. That’s out of 350 million snaps sent every day.”

In the blog post, Snapchat’s head of trust and safety, Micah Schaffer, explained how Snapchat handles user data. It is true that Snapchat deletes snaps from its servers after they are opened by the recipients. But what happens to the snaps before they are opened? Snapchat’s unopened photos are kept on Google’s cloud computing service, App Engine, and Snapchat is able to retrieve snaps from App Engine’s datastore. To deliver a snap to the receiver, it has to retrieve the snap from the datastore. This whole retrieval process is automated, and the company does not look at user data under ordinary circumstances. Under certain circumstances, however, it has to retrieve the photos manually using an in-house tool:

“For example, there are times when we, like other electronic communication service providers, are permitted and sometimes compelled by law to access and disclose information. For example, if we receive a search warrant from law enforcement for the contents of Snaps and those Snaps are still on our servers, a federal law called the Electronic Communications Privacy Act (ECPA) obliges us to produce the Snaps to the requesting law enforcement agency”.

The blog post also states that the company sometimes has to preserve some snaps for longer periods of time. It does this in cases where law enforcement is considering whether or not to make a formal request to access the images via the search warrant procedure. Currently only two people in the company have access to the in-house tool used for manually retrieving unopened snaps: Micah Schaffer and the company’s CTO and co-founder, Bobby Murphy.

Also, even though Snapchat deletes your snaps within 10 seconds of somebody viewing them, a tech-savvy user can take a screenshot of the photo within that 10-second timeframe and post it on social media sites. This is a huge risk to the privacy of users who use Snapchat for photo sharing.

Image from http://www.idownloadblog.com/

Here are some of the steps you can take to maintain your privacy while using online photo sharing applications:

  • Do not upload any pictures that you might regret later. Services like Snapchat might delete your snaps within 10 seconds, but during that timeframe somebody can take a screenshot and share it on social media.
  • Use strong, hard-to-crack passwords in your photo sharing applications. Your password should be at least eight characters long and a combination of letters, numbers and special characters.
  • Photo sharing apps usually have a setting that allows you to share your photos only with your friends and family. You can limit unauthorized access to your photos by sharing them only with people you know.
  • Last but not least, use a trustworthy and completely secure cloud storage provider like SpiderOak for storing and sharing your photos online.

Protecting your photos with SpiderOak

SpiderOak allows you to conveniently store photos online without having to worry about attacks or monitoring. This truly private storage and sync service is 100% anonymous, meaning that no one, not even the company’s own employees, can access the plaintext data uploaded to its servers. SpiderOak protects sensitive user data with 256-bit AES encryption so that files and passwords stay private. Authorized accounts and network devices can store and sync sensitive data with complete privacy, because this cloud service has absolutely “zero knowledge” of user passwords or data. All plaintext encryption keys are stored exclusively on approved devices, because SpiderOak never hosts any plaintext data. This way, even if programs like the NSA’s PRISM continue to stand unchallenged, people can rest easy knowing that their data is truly protected. SpiderOak’s cross-platform private cloud services are available for users on Windows, Mac, and Linux, along with Android and iOS mobile devices, allowing for full flexibility and mobile access. SpiderOak offers products like SpiderOak Hive and SpiderOak Blue to secure consumer and enterprise data. You can sign up for this product now.


How Does The NSA Identify Tor Users?

Posted by on Oct 25, 2013

Image from http://topinfopost.com

Tor (The Onion Router) is an open source application that protects the privacy of Internet users from the prying eyes of surveillance programs and other tracking software. Tor conceals users’ identities and their network activity by separating identification from routing information. Data is transmitted through multiple computers via network relays run by volunteers around the globe. The relays apply multiple layers of encryption during transmission to maintain privacy between hops, thereby giving users anonymity as to their network location. There are many benefits to using Tor: it protects your privacy from potential identity thieves and marketers, hides any sensitive topics you are researching, and conceals your location from anyone conducting surveillance.

Image from http://cdn3.tnwcdn.com

The Tor program came into prominence because of the recent revelations about the NSA’s PRISM program. As we know, the NSA has been successful in cracking the majority of the encryption technologies on the Internet, so the question now is how NSA surveillance affects Tor. So far the NSA has succeeded in invading the privacy of Tor users by exploiting vulnerabilities in the Tor Browser Bundle, a collection of programs designed to make it easy for people to install and use the software. It attacks Tor users by implanting malicious code on the computers of Tor users who visit a particular website. The malicious code exploits vulnerabilities in the version of Firefox that ships in the Tor Browser Bundle.

Tor is a high-priority target for the NSA, which is working on ways to defeat the security of this tool. According to security researcher Bruce Schneier, these are the steps by which the NSA exploits vulnerabilities in Tor users’ networks or computers:

  • Firstly, the NSA identifies Tor users by monitoring Internet traffic. It creates fingerprints for Tor users that detect any HTTP request from the Tor network to any server.
  • These fingerprints are loaded into the NSA’s database systems, where powerful data analysis tools sift through the enormous volume of Internet traffic looking for Tor connections.
  • After identifying a Tor user, the NSA redirects that user to a set of secret internal servers known as FoxAcid to infect the user’s computer. “FoxAcid is an NSA system designed to act as a matchmaker between potential targets and attacks developed by the NSA, giving the agency opportunity to launch prepared attacks against their systems”.
  • Once the user’s system is compromised, it secretly calls back to the FoxAcid server, which carries out further attacks on the target and makes sure that the system remains compromised for a prolonged time, feeding eavesdropped information back to the NSA.
  • The NSA places secret servers codenamed “Quantum” at key places on the Internet backbone. These servers intercept requests for legitimate sites and respond before the legitimate servers can reply. The Quantum server’s response redirects the user to an NSA-controlled web server that sends the browser malware.

If there is one thing that can be concluded from all these efforts of the NSA, it is that the core security of Tor is difficult to compromise. To invade Tor users’ privacy, the NSA has to look for loopholes in the browser. The technique used by the NSA to target Tor users with vulnerable software on their computers was called EgotisticalGiraffe. Here the attack was conducted by exploiting vulnerabilities in the version of Firefox that ships in the Tor Browser Bundle. “According to the documents provided by Edward Snowden, the particular vulnerabilities used in this type of attack were inadvertently fixed by Mozilla Corporation in Firefox 17, released in November 2012 – a fix the NSA had not circumvented by January 2013 when the documents were written.” So, users who have not updated their software might become victims of such attacks.

Again, the NSA can target individuals with browser exploits, but if it attacks too many users it will become noticeable. So it has to be selective about which Tor users it wants to spy on, rather than tracking everyone. Tor hidden services are arbitrary communications endpoints that are resistant to both metadata analysis and surveillance. It is not possible to go to a single party and obtain the full metadata, communications frequency, or contents. One top-secret presentation, titled ‘Tor Stinks’, states: “We will never be able to de-anonymize all Tor users all the time.” It continues: “With manual analysis we can de-anonymize a very small fraction of Tor users,” and says the agency has had “no success de-anonymizing a user in response” to a specific request.

Tor conceals your identity from your recipient and conceals your recipient and your content from observers on your end. It does not protect the content of your communication once it leaves the Tor network. Therefore Tor recommends that users combine Tor with other tools for better security. For example, you can use HTTPS Everywhere in the Tor Browser to secure your online communications. You can also use a combination of tools like TorBirdy and Enigmail, OTR, and Diaspora along with Tor to protect the content of your communications in cases where the communications infrastructure (Google/Facebook) is compromised.

Secure cloud storage service that protects your data from surveillance

Similar to Tor, SpiderOak is a secure cloud storage service that protects its user data from government surveillance. This service provides users with fully private cloud storage and syncing, featuring all of the benefits of the cloud along with 100% data privacy. SpiderOak is available with onsite deployment and private servers or outsourced deployment through a private and secured public cloud server, so that users and small businesses of all sorts and sizes can tailor the service to fit their needs.

SpiderOak protects sensitive user data with 256-bit AES encryption so that files and passwords stay private. Authorized accounts and network devices can store and sync sensitive data with complete privacy, because this cloud service has absolutely “zero knowledge” of user passwords or data. All plaintext encryption keys are stored exclusively on approved devices, because SpiderOak never hosts any plaintext data. This way, even if programs like the NSA’s PRISM continue to stand unchallenged, people can rest easy knowing that their data is truly protected. SpiderOak’s cross-platform private cloud services are available for users on Windows, Mac, and Linux, along with Android and iOS mobile devices, allowing for full flexibility and mobile access. SpiderOak offers products like SpiderOak Hive and SpiderOak Blue to secure consumer and enterprise data. You can sign up for this product now.


Impact of Surveillance on U.S Cloud Industries

Posted by on Oct 24, 2013

Image from http://xcluesiv.com/

The cloud is a driving force behind today’s IT industry. However, the recent revelations about the US government’s PRISM program have badly damaged the reputation of US-based cloud providers. The ongoing public debate about privacy issues at the FISA court has raised concerns among foreign customers. As international cloud customers put it, “if the FISA court can issue a ‘national security letter’ to gain access to US-based Internet companies’ servers, any foreign company’s data stored on these servers could be accessed by the US government”.

Rivals of US cloud computing services initially suspected that the data was being shared with surveillance agencies. The PRISM revelations in June confirmed their suspicions: data stored on US servers can be accessed by the government. “Whoever fears their communication is being intercepted in any way should use services that don’t go through American servers,” and should stop using American companies such as Google and Facebook, said German Interior Minister Hans-Peter Friedrich in July. The US is a global leader in providing cloud computing services, but the NSA leaks could cause a shift away from leading data storage providers like Google, Yahoo and IBM.

Image from http://www.washingtonpost.com

A report released by the Information Technology and Innovation Foundation (ITIF) claims that the NSA’s PRISM program could cost the US cloud computing industry anywhere between $22 billion and $35 billion over the next three years. News that the NSA has cracked the encryption of common online security products and planted secret back doors at access points could further undermine the confidence of foreign businesses. The NSA has succeeded in cracking the majority of the encryption used on the Web by using supercomputers, technical trickery, court orders, and behind-the-scenes persuasion against standard encryption technologies. Apart from cracking the encryption of online products, the NSA has devised programs to deliberately insert vulnerabilities into commercial products, so that it can collect more information by exploiting those vulnerabilities. Basically, the NSA asks companies to make changes to their products in undetectable ways, such as leaking encryption keys, making random number generators less random, adding a common exponent to a public-key exchange protocol, and so on.

Image from www.theguardian.com

However, these predictions are only estimates, as various thought leaders in the cloud computing market have argued that they do not expect customers to be less inclined to put their data and IT operations online given the PRISM revelations. Brian Okun, regional sales director at Prevalent Networks in Warren, N.J., said that “I think there will always be people who don’t feel safe putting data in the cloud, just as there are individuals who want to move to the cloud. First, you’re never going to be a 100 percent secure online. Second, you need a layered, multipronged approach to security. And third, you need to be an early adopter of new security technology instead of a laggard.”

People who have been enjoying the benefits of high-quality US-based cloud services will think twice before moving to alternative services. Many well-known, high-profile cloud storage companies are changing their business models to remain competitive, with NSA surveillance in mind. For example, Amazon Web Services has cut prices by 80% for fear that the NSA revelations would turn customers away. In reality the losses were fairly marginal, so saying that the PRISM revelations will lead to an industry shift may be an exaggeration.

Similarly, companies are adopting better security practices in order to protect customer data and live up to the trust of their customers. They are implementing stronger encryption standards, larger keys, and complex hash algorithms to maintain the confidentiality and integrity of user data. Yahoo recently announced that it will enable HTTPS encryption by default in its email service to keep email messages private.

In this situation, there are huge benefits for companies that provide client-side security to protect customer data from government surveillance. Cloud startups whose prime goal is securing their customers’ data will see huge growth in their business in the near future.

SpiderOak Blue for Enterprises:

Finding a truly secure third party cloud service can be a challenge as many services on the market have security gaps that leave private data vulnerable to third party attacks. One cloud storage and sync service that sets itself apart is SpiderOak Blue. This service provides enterprises with a fully private cloud service featuring all of the benefits of cloud storage along with 100% data privacy. And for the average web user, SpiderOak offers the same protections with lower costs and smaller storage space. You can sign up for this product now.

SpiderOak Blue protects sensitive enterprise data through two-factor password authentication and 256-bit AES encryption so that files and passwords stay private as unreadable blocks of data. Two-factor authentication is just like the process used by some financial services that require a PIN as an extra precaution along with a password in order to log in. With SpiderOak, enterprises that choose to use two-factor authentication must submit a private code through text along with their unique encrypted password. Authorized accounts can store and sync sensitive data with complete privacy, because this cloud service has absolutely “zero-knowledge” of user passwords or data. And all plaintext encryption keys are exclusively stored on approved devices (SpiderOak never hosts any plaintext data). SpiderOak Blue’s cross-platform private cloud services are available for enterprises on Windows, Mac, and Linux platforms, along with Android and iOS mobile devices.

How secure is Apple iMessage?

Posted by on Oct 23, 2013

Image from http://www.imore.com

After the revelations made about NSA’s PRISM program by Edward Snowden in June, Apple claimed that conversations taking place over iMessage and FaceTime “are protected by end-to-end encryption, so no one but the sender and receiver can see or read them. Apple cannot decrypt that data. Similarly, we do not store data related to customers’ location, map searches or Siri requests in any identifiable form.”

However, according to recent findings by security researchers at QuarksLab, Apple’s iMessage is not as secure as Apple claims. “Apple can read your iMessages if they choose to, or if they are required to do so by a government order,” QuarksLab said in a white paper presented last Thursday at the Hack in the Box conference. Since Apple controls the encryption keys used to encrypt iMessage communication between sender and receiver, it can theoretically conduct a “man-in-the-middle attack” on the two. While the sender and receiver chat with each other assuming that the communication is secure, Apple can monitor it. Apple’s iMessage uses a public/private key encryption system: the public key is stored on Apple’s server, and the private key on each device is linked to the user’s account. The public and private key pair is generated when you create an account in iCloud. So if you want to send an iMessage to someone, the message is encrypted using the recipient’s public key, which is retrieved from Apple’s server. Only the receiver, who holds the private key, can decrypt and read the message.

The problem with this system is that you have no control over the public key of the receiver that is used to encrypt the message. You are obtaining the keys through Apple’s server, so it is possible for someone at Apple to monitor your communications or to send your messages to third parties like the NSA.
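To make that trust problem concrete, here is an added example, written for this post and not code from QuarksLab or Apple, that models the key lookup with a toy Diffie-Hellman exchange in Python. A KeyDirectory hands out whatever key it holds; a SubstitutingDirectory, standing in for an operator that decides to intercept, answers with its own key instead. A sender who trusts the directory ends up sharing a secret with the operator, while a sender who first compares the fetched key against a fingerprint obtained out of band (read aloud, or shown on the other person’s device) rejects the substituted key. The group parameters, user names and fingerprint format are all constructed for the example.

```python
import hashlib
import secrets

# Toy Diffie-Hellman group, constructed for this example only (a Mersenne prime and an
# arbitrary generator). It shows the mechanics of key exchange, not real-world strength.
P = (1 << 127) - 1
G = 3


def keygen():
    """Return (private, public) for one device, like the per-device iMessage key pair."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def fingerprint(pub: int) -> str:
    """Short, human-comparable digest of a public key (what a user could read out to a friend)."""
    digest = hashlib.sha256(pub.to_bytes(16, "big")).hexdigest()
    return ":".join(digest[i:i + 4] for i in range(0, 32, 4))


def shared_secret(priv: int, peer_pub: int) -> bytes:
    """Session key derived from our private key and the peer's (claimed) public key."""
    return hashlib.sha256(pow(peer_pub, priv, P).to_bytes(16, "big")).digest()


class KeyDirectory:
    """Server-side key lookup: the sender asks it for the recipient's public key."""

    def __init__(self):
        self.keys = {}

    def register(self, user: str, pub: int) -> None:
        self.keys[user] = pub

    def lookup(self, user: str) -> int:
        return self.keys[user]


class SubstitutingDirectory(KeyDirectory):
    """The same directory, run by an operator that answers with its own key instead."""

    def __init__(self):
        super().__init__()
        self.op_priv, self.op_pub = keygen()

    def lookup(self, user: str) -> int:
        return self.op_pub  # the sender cannot tell this apart from the real key


def fetch_and_verify(directory: KeyDirectory, user: str, expected_fp: str) -> int:
    """Fetch a key, but refuse it unless it matches a fingerprint obtained out of band."""
    pub = directory.lookup(user)
    if fingerprint(pub) != expected_fp:
        raise ValueError(f"key for {user} does not match the verified fingerprint")
    return pub


def run_scenario(directory: KeyDirectory) -> dict:
    """Alice sends to Bob via the given directory; report whether the secret reached only Bob."""
    alice_priv, alice_pub = keygen()
    bob_priv, bob_pub = keygen()
    directory.register("bob", bob_pub)
    bob_fp = fingerprint(bob_pub)  # Bob shows Alice this fingerprint in person

    # Unverified path: Alice uses whatever the directory returns, as the post describes.
    alice_secret = shared_secret(alice_priv, directory.lookup("bob"))
    bob_secret = shared_secret(bob_priv, alice_pub)
    result = {"secret_matches_bob": alice_secret == bob_secret}

    if isinstance(directory, SubstitutingDirectory):
        # The operator holds the key Alice actually encrypted to, so it shares her secret.
        result["operator_shares_alice_secret"] = (
            shared_secret(directory.op_priv, alice_pub) == alice_secret
        )

    # Verified path: the out-of-band fingerprint exposes the substitution.
    try:
        fetch_and_verify(directory, "bob", bob_fp)
        result["verification"] = "ok"
    except ValueError:
        result["verification"] = "mismatch"
    return result


if __name__ == "__main__":
    print("honest directory:      ", run_scenario(KeyDirectory()))
    print("substituting directory:", run_scenario(SubstitutingDirectory()))
```

The point the example makes is that the substitution is invisible to the protocol itself; only a comparison against something the directory does not control (the fingerprint Bob shows Alice directly) distinguishes the honest server from the intercepting one.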

Image from http://www.quarkslab.com/

The researchers emphasized that hacking iMessage to impersonate users and read or intercept private messages is only possible for a very skilled attacker. The slide below, presented at the Hack in the Box conference, discusses how it is technically possible to break iMessage encryption.

Image from http://www.quarkslab.com/

Independent security researcher Ashkan Soltani said, “I think what their presentation demonstrates is that it’s very difficult, but not impossible, for an outside attacker to intercept messages if they’re able to control key aspects of the network. Probably not something that just any actor can do, but definitely something a state/government actor or Apple themselves could do, if motivated.”

Quarkslab also shared information about a tool called “iMITMProtect” (available for download on GitHub) that allows iMessage users to protect themselves from this issue. Unfortunately, the tool is suitable only for highly skilled computer users; at this point, it may be difficult for average iMessage users to use it properly.

Image from http://www.quarkslab.com/

Responding to the findings of QuarksLab, Apple clarified that it is not possible for them to break into the iMessage encryption and read user messages. “iMessage is not architected to allow Apple to read messages. The research discussed theoretical vulnerabilities that would require Apple to re-engineer the iMessage system to exploit it, and Apple has no plans or intentions to do so.”

True Privacy with SpiderOak

The findings of QuarksLab show that, to keep your data completely secure, it is extremely important to have a properly implemented public/private key management system. Even if the public key is available to a third party, there must be proper security controls to prevent unauthorized access to any plaintext data. At SpiderOak, we protect sensitive user data using 256-bit AES encryption so that files and passwords remain secure. SpiderOak encrypts the files on your computer before uploading them to the server. As a result, you and only you have access to your unencrypted data. Even SpiderOak cannot read your data, because the keys used for encryption belong only to you. It is impossible for someone to gain control of your data by hacking into SpiderOak. SpiderOak’s encryption is comprehensive — even with physical access to the storage servers, SpiderOak staff cannot know even the names of your files and folders. On the server side, all that SpiderOak staff can see are sequentially numbered containers of encrypted data. In this way, we are not capable of betraying our customers. The secret that keeps your data accessible to you alone is your SpiderOak password, which is never transmitted to SpiderOak in its original form. SpiderOak generates a key from your password using the PBKDF2 key derivation/strengthening algorithm (with SHA-256), a minimum of 16384 rounds, and 32 bytes of random data (the “salt”). This key is then used to encrypt/decrypt a series of strong encryption keys that in turn encrypt/decrypt your data. So a user who knows her password can generate the outer-level encryption key using PBKDF2 and the salt, then decipher the outer-level keys, and be on the way to decrypting her data. Without knowledge of the password, however, the data is unreadable. This way, even if programs like NSA’s PRISM continue to stand unchallenged, people can rest easy knowing that their data is truly protected.

SpiderOak’s cross-platform private cloud services are available for users on Windows, Mac, and Linux platforms, along with Android and iOS mobile devices, allowing for full flexibility and mobile access. SpiderOak offers amazing products like SpiderOak Hive and SpiderOak Blue to secure consumer and enterprise data. SpiderOak Blue provides enterprises with a fully private cloud service featuring all of the benefits of cloud storage along with 100% data privacy. And for the average web user, SpiderOak offers the same protections with lower costs and smaller storage space. You can sign up for this product now.

PR Newswire breach linked to Adobe exploit

Posted by on Oct 22, 2013

Image from http://www.dataprivacynetwork.com

In a previous blog post, I discussed the data breach at Adobe Systems from earlier this month. That breach exposed the personal information of 2.9 million customers and the source code of major Adobe products like Adobe Acrobat, ColdFusion and others. From recent revelations by KrebsOnSecurity, it looks like the same hacker group was responsible for the security breach at the press release distribution service PR Newswire. The hackers managed to steal a database containing usernames and encrypted passwords from PR Newswire. The stolen data was found on the same hacker server where Adobe’s stolen source code was recently discovered.

According to a blog post by Hold Security, the same group of cybercriminals was responsible for data breaches at Dun and Bradstreet, LexisNexis and Kroll Background America. The PR Newswire archive found on the hackers’ server appears to date from March 8th, 2013; however, it is still unclear whether the hack happened on that date or later, because the archive was created on April 22nd. Hold Security worked with independent journalist Brian Krebs, who alerted PR Newswire to the breach.

PR Newswire told Krebs that there were approximately 10,000 user records in the compromised database, but the number of affected users might be lower because people generally maintain multiple accounts. The company said in a recent statement that it is “conducting an extensive investigation” into the breach, and from the preliminary investigation it looks like customer payment data was not compromised as a result of the attack.

“We recently learned that a database, which primarily houses access credentials and business contact information for some of our customers in Europe, the Middle East, Africa and India, was compromised. We are conducting an extensive investigation and have notified appropriate law enforcement authorities. Based on our preliminary review, we believe that customer payment data were not compromised.

As a precautionary measure, we have implemented a mandatory password reset for all customers with accounts on this database. As a general practice, we recommend that our customers use strong passwords and regularly update them, not just on PR Newswire but on any website requiring login credentials. From an internal perspective, we continue to implement security improvements and additional protocols to help further protect user portals and customer and proprietary information”.

If the passwords were cracked, it might have been possible for the hackers to upload false earnings warnings or similar fake news in order to manipulate stock prices and profit from the resulting confusion. However, nothing like this has happened so far. Another interesting detail revealed by this hack is the use of ColdFusion exploits. It seems that earlier this year an attack based on ColdFusion exploits was launched against multiple PR Newswire networks, and the security breach might be the result of that attack. There is a common thread between the Adobe and PR Newswire data breaches: in both cases the hackers targeted vulnerabilities in the ColdFusion web application development platform.

Image from http://informationsecurityhq.com

In response to the data breach, the company has implemented a mandatory password reset for its customers, because the database containing encrypted user passwords was stolen. The passwords were hashed, so it is difficult to reverse them and recover the original plaintext. A hash can still be used to validate a password entered later, by rehashing the input and comparing the results. However, some hashes can be cracked by brute force. The only way to resist such attacks is to use strong, hard-to-crack passwords, strong hashing algorithms, and other strengthening methods like salts. Therefore it is always good practice to use strong passwords (at least 8 characters long, combining letters, numbers and special characters). In case a password or password hash is stolen, account owners should change their passwords on all websites where they might have reused them.
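The difference between a stolen database that can be read in minutes and one that cannot comes down to how the hashes were produced. The following added example, constructed for this post and not PR Newswire’s or anyone’s production code, stores the same constructed sample accounts two ways in Python: as a bare SHA-1 hash, and with a per-user random salt and PBKDF2-SHA256 at the 16384 iterations mentioned elsewhere on this page. It then shows why a single precomputed table of common-password hashes resolves the unsalted records at once, while the salted records force a separate slow computation per account and per guess. The user names, passwords and word list are all made up.

```python
import hashlib
import hmac
import os
from typing import Optional

ITERATIONS = 16384  # PBKDF2 iteration floor cited on this page; a constructed choice for the demo
COMMON_PASSWORDS = ["password", "123456", "qwerty", "letmein"]  # constructed toy word list

# Constructed sample accounts, not data from the breach.
USERS = {"alice": "password", "bob": "Tr0ub4dor&3-press-release", "carol": "password"}


def unsalted_record(password: str) -> str:
    """Weak storage: one fast hash, no salt. Equal passwords give equal hashes."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def salted_record(password: str, salt: Optional[bytes] = None) -> dict:
    """Stronger storage: random per-user salt and a deliberately slow PBKDF2-SHA256."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return {"salt": salt.hex(), "iterations": ITERATIONS, "hash": dk.hex()}


def verify(record: dict, candidate: str) -> bool:
    """Rehash the candidate with the stored salt and compare in constant time."""
    dk = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"),
                             bytes.fromhex(record["salt"]), record["iterations"])
    return hmac.compare_digest(dk.hex(), record["hash"])


def precomputed_table_hits(unsalted_db: dict) -> dict:
    """One table of common-password hashes, built once, resolves every matching unsalted record."""
    table = {unsalted_record(p): p for p in COMMON_PASSWORDS}
    return {user: table[h] for user, h in unsalted_db.items() if h in table}


def pbkdf2_evaluations_needed(salted_db: dict) -> int:
    """With salts no shared table helps: count the full-cost PBKDF2 runs a guesser must do."""
    evaluations = 0
    for record in salted_db.values():
        for guess in COMMON_PASSWORDS:
            evaluations += 1
            if verify(record, guess):
                break
    return evaluations


def compare_storage_schemes() -> dict:
    """Build both stores from the sample accounts and report how each behaves."""
    unsalted_db = {u: unsalted_record(p) for u, p in USERS.items()}
    salted_db = {u: salted_record(p) for u, p in USERS.items()}
    return {
        "unsalted_hits": precomputed_table_hits(unsalted_db),
        "unsalted_equal_for_same_password": unsalted_db["alice"] == unsalted_db["carol"],
        "salted_equal_for_same_password": salted_db["alice"]["hash"] == salted_db["carol"]["hash"],
        "salted_pbkdf2_runs_for_wordlist": pbkdf2_evaluations_needed(salted_db),
        "verify_correct_password": verify(salted_db["bob"], USERS["bob"]),
        "verify_wrong_password": verify(salted_db["bob"], "password"),
    }


if __name__ == "__main__":
    for key, value in compare_storage_schemes().items():
        print(f"{key}: {value}")
```

Two things to notice: the unsalted store exposes that alice and carol share a password even before any cracking, and against the salted store every guess costs the full iteration count for every account separately, which is exactly the cost a slow KDF is meant to impose. The reset PR Newswire ordered is the right response either way, since even a salted hash of a weak password falls to a short word list.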

Ninan Chacko, PR Newswire’s CEO said that “as a general practice, we recommend that our customers use strong passwords and regularly update them, not just on PR Newswire but on any website requiring login credentials.”

SpiderOak Blue for Enterprises:

Finding a truly secure third party cloud service can be a challenge as many services on the market have security gaps that leave private data vulnerable to third party attacks. One cloud storage and sync service that sets itself apart is SpiderOak Blue. This service provides enterprises with a fully private cloud service featuring all of the benefits of cloud storage along with 100% data privacy. And for the average web user, SpiderOak offers the same protections with lower costs and smaller storage space. You can sign up for this product now.

SpiderOak Blue protects sensitive enterprise data through two-factor password authentication and 256-bit AES encryption so that files and passwords stay private as unreadable blocks of data. Two-factor authentication is just like the process used by some financial services that require a PIN as an extra precaution along with a password in order to log in. With SpiderOak, enterprises that choose to use two-factor authentication must submit a private code through text along with their unique encrypted password. Authorized accounts can store and sync sensitive data with complete privacy, because this cloud service has absolutely “zero-knowledge” of user passwords or data. And all plaintext encryption keys are exclusively stored on approved devices (SpiderOak never hosts any plaintext data). SpiderOak Blue’s cross-platform private cloud services are available for enterprises on Windows, Mac, and Linux platforms, along with Android and iOS mobile devices.

Yahoo’s new move towards email encryption

Posted by on Oct 21, 2013

Image from www.yahoomail.com

Yahoo has made significant cosmetic improvements to its user interface, but there are security flaws that still need to be addressed. It has been under scrutiny from security experts because of the changes it has made to its email service lately. This summer Yahoo launched an email-recycling program, giving current users access to old email addresses from accounts that are no longer active. Unfortunately, this scheme for re-engaging old users and rewarding active ones led to serious risks to user privacy. Some users with recycled Yahoo IDs received emails intended for the previous account holders. They were able to access all information intended for the original user, including sensitive information like Social Security numbers and credit card details of previous users.

Another issue related to this program was that Yahoo removed contacts from users’ contact lists without their consent. Yahoo’s intent was to remove invalid addresses from people’s contact lists so that no one would receive mail intended for previous account holders. However, this move was not executed properly, and in some cases Yahoo ended up deleting valid addresses. It also raised security concerns among users, as Yahoo could get into their accounts and manage their contact details without their authorization. If Yahoo could delete their contact addresses, it is very likely that it can access other critical information in user accounts without their consent. Yahoo has acknowledged both of these issues, and steps have been taken to resolve them.

Image from www.pcworld.com

Unlike Google or Microsoft, Yahoo does not enable SSL encryption by default for Yahoo Mail users. Yahoo lets users log in to their accounts via SSL and then switches to an unencrypted connection for regular email sessions. As a result, any email you send via Yahoo Mail can easily be intercepted over public Wi-Fi connections. Yahoo has drawn a fair amount of criticism for not moving to SSL encryption, given the recent revelations by former NSA contractor Edward Snowden. “Interestingly, the Washington Post revealed that government spooks had collected twice as many contacts from Yahoo Mail as all of the other major web mail services combined. No reason was given for this, but one likely cause could be due to Yahoo Mail’s lack of SSL encryption”.

In a case study it was found that any email session not protected by SSL could be hijacked using a Firefox add-on called Firesheep. Firesheep steals login IDs from the targeted PC and allows the attacker to use your account for the duration of the current login session. During this time, the attacker can read all your email messages and access your contact data. Firesheep is just one example of how unencrypted email services can be hacked; various other tools can be used to hijack unprotected online accounts.
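What makes the hijack possible is that, after the SSL login, the browser keeps presenting the session cookie over plain HTTP, where anyone on the same Wi-Fi can copy it. As an added example, constructed for this post and not Yahoo’s code or a capture of Yahoo traffic, the Python below audits a raw HTTP response for the three server-side settings that allow that: a session cookie without the Secure attribute, a redirect back to an http:// URL, and a missing Strict-Transport-Security header. The HttpOnly check is included as a related hygiene point. Both sample responses and the host name mail.example.test are constructed.

```python
# Constructed responses, not captured traffic. The first resembles the pattern the post
# describes (login over SSL, then a session cookie usable over plain HTTP); the second is hardened.
WEAK_RESPONSE = (
    "HTTP/1.1 302 Found\r\n"
    "Location: http://mail.example.test/inbox\r\n"
    "Set-Cookie: SESSION=abc123; Path=/\r\n"
    "Content-Length: 0\r\n\r\n"
)

HARDENED_RESPONSE = (
    "HTTP/1.1 302 Found\r\n"
    "Location: https://mail.example.test/inbox\r\n"
    "Set-Cookie: SESSION=abc123; Path=/; Secure; HttpOnly; SameSite=Lax\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "Content-Length: 0\r\n\r\n"
)

# Substrings that suggest a cookie carries a login session (a constructed heuristic).
SESSION_COOKIE_HINTS = ("sess", "sid", "auth", "token", "login")


def parse_headers(raw: str) -> list:
    """Split a raw HTTP response into (name, value) pairs, keeping repeated headers like Set-Cookie."""
    head = raw.split("\r\n\r\n", 1)[0]
    pairs = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(":")
        pairs.append((name.strip().lower(), value.strip()))
    return pairs


def audit_response(raw: str) -> list:
    """Return findings that expose the session: cookies usable over plain HTTP, plaintext
    redirects, missing HSTS, plus HttpOnly as a related hygiene check."""
    findings = []
    headers = parse_headers(raw)
    for name, value in headers:
        if name == "set-cookie":
            cookie_name = value.split("=", 1)[0]
            attrs = [a.strip().lower() for a in value.split(";")[1:]]
            if any(hint in cookie_name.lower() for hint in SESSION_COOKIE_HINTS):
                if "secure" not in attrs:
                    findings.append(f"cookie {cookie_name} lacks Secure: browser will send it over plain HTTP")
                if "httponly" not in attrs:
                    findings.append(f"cookie {cookie_name} lacks HttpOnly: readable by page scripts")
        elif name == "location" and value.lower().startswith("http://"):
            findings.append(f"redirect downgrades to plaintext: {value}")
    if not any(name == "strict-transport-security" for name, _ in headers):
        findings.append("no Strict-Transport-Security: browser may still attempt plain HTTP")
    return findings


if __name__ == "__main__":
    for label, response in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(f"{label}: {audit_response(response) or 'no findings'}")
```

The Secure attribute alone closes the hole Firesheep exploited, since the browser then never sends the cookie over an unencrypted connection; the HSTS header and the https:// redirect stop the browser from making that plaintext request in the first place, which is what Yahoo’s move to HTTPS by default amounts to on the server side.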

Taking all these security concerns into consideration, Yahoo has decided to introduce default SSL encryption in its email service. Yahoo has confirmed to The Washington Post that it will enable HTTPS encryption by default for Yahoo Mail starting January 8, 2014. Security experts have welcomed Yahoo’s move to implement HTTPS encryption for its web email service. Amie Stepanovich, Director of the Domestic Surveillance Program at the Electronic Privacy Information Center, commended Yahoo for the move. “It’s always a positive thing when companies take steps to protect their customers’ information,” she said, but noted, “Unfortunately, this often only happens after a harmful event.”

Yahoo has offered an opt-in option for SSL encryption in Yahoo Mail’s settings since late 2012 or early 2013. However, it is disabled by default. You can activate it yourself with the following steps:

  • Click on the settings cog in the upper right corner of the Yahoo Mail Inbox.
  • Select “Settings” from the dropdown menu and then select “Security”.
  • In the “Security” section, tick the “Always use HTTPS” checkbox and then press “Save”.

Screenshot by author

  • Once the above steps are completed, your Inbox tab will refresh and you will see the lock icon on the left side of the address bar along with the letters “https”.

Secure your data with SpiderOak

In this age of PRISM revelations, users sometimes find that selecting a truly protected third-party cloud service can be a challenge, as most “secure” services on the market have glaring security gaps that leave sensitive data wide open to third-party attacks, leaks, and hacking. One rapidly expanding cloud storage and sync service that sets itself apart from the rest of the market is SpiderOak. This service provides users with fully private cloud storage and syncing, featuring all of the benefits of the cloud along with 100% data privacy. SpiderOak is available with onsite deployment on private servers or outsourced deployment through a private and secured public cloud server, so that users and small businesses of all sorts and sizes can tailor the service to fit their needs.

SpiderOak protects sensitive user data with 256-bit AES encryption so that files and passwords stay private. Authorized accounts and network devices can store and sync sensitive data with complete privacy, because this cloud service has absolutely “zero-knowledge” of user passwords or data. And all plaintext encryption keys are exclusively stored on approved devices because SpiderOak never hosts any plaintext data. This way, even if programs like NSA’s PRISM continue to stand unchallenged, people can rest easy knowing that their data is truly protected. SpiderOak’s cross-platform private cloud services are available for users on Windows, Mac, and Linux platforms, along with Android and iOS mobile devices, allowing for full flexibility and mobile access.

SpiderOak offers amazing products like SpiderOak Hive and SpiderOak Blue to secure consumer and enterprise data. SpiderOak Hive keeps all your files in sync across your computer and mobile devices. Here the end user owns the data and is the only one with the keys to unlock and view plaintext data. You can sign up for this product now. SpiderOak Blue works seamlessly in your enterprise environment. To handle authentication it deploys a virtual appliance that resides behind your firewall and integrates with Active Directory / LDAP for single sign-on. SpiderOak Blue is compatible with Mac, Windows, Linux, iOS and Android platforms. SpiderOak Blue is now available through a limited release. We have been working with several large enterprises through the beta period and will continue towards general release. If you’re curious about the product, please send an email to blueinfo@spideroak.com and we will get back to you soon.

Lavabit’s security battle with NSA

Posted by on Oct 18, 2013

Image from http://lavabit.com/

Lavabit, the secure email service provider, abruptly shut its doors in August over a government demand for access to user data. Lavabit provided a secure email service by encrypting email messages so that nobody other than the sender and the receiver could read them. The US government wanted Lavabit to monitor the real-time email usage of a single user. When it found out that it was not possible to tap into the email of the user it was after, it asked Lavabit to hand over the SSL key, which would allow it to monitor every Lavabit user. The Lavabit user the government wanted to monitor is believed to be Edward Snowden. “The government became embroiled with Lavabit in May, which is when Snowden disappeared from his job at Booz Allen Hamilton and the feds started looking for him”.

The District Court for the Eastern District of Virginia ordered Ladar Levison, the founder of Lavabit, to hand over the encryption keys. When he refused to comply with the court’s order, the court threatened him with a fine of $5000 per day. Ultimately Levison handed over the keys to the government but shuttered his 10-year-old company to protect his customers’ information. He also appealed the court’s decision forcing him to turn over the encryption keys. “The government would still be able to use Lavabit’s private keys to decrypt and access data that it had already intercepted (including customers’ usernames, passwords, and the contents of their emails),” the appeal details, “but Lavabit was forbidden from communicating this security breach to its customers or business partners.”

The government says it is entitled to Lavabit’s private keys for three reasons: the Pen Register Statute, the Stored Communications Act and a grand jury subpoena. Lavabit counters all three arguments in its appeal.

  • Lavabit states that the Pen Register Statute only requires a company to help the government install a “pen-trap” upon receiving a warrant from the court. It does not cover handing over encryption keys, which would interfere with the way Lavabit provides a secure service to its users. Also, unlike telecom businesses, email businesses do not need to be wiretap-enabled.
  • The Stored Communications Act allows the government to seize the contents of a particular communication. Lavabit argues that its private keys are not a particular communication.
  • Industry standards require Lavabit to keep its private keys private. Once it was revealed that the provider’s keys had been shared with the government, Lavabit’s registrar, GoDaddy, revoked its security certificate.

Lavabit is opening up temporarily to give its users a chance to recover their data. The data recovery service is expected to begin on October 18. Before the data becomes publicly available, users can reset their passwords by logging on to https://liberty.lavabit.com. This became possible after Levison obtained a new SSL key to authenticate the server and encrypt the data travelling to and from the site. Lavabit has published the new SSL certificate’s fingerprint and serial number on the password change page, and users are encouraged to verify the certificate before using the site.

You can take the following steps to verify the SSL certificate fingerprint and serial number in Chrome:

  • Go to https://liberty.lavabit.com/. It will take you to the “Change Password” page, where you can find the serial number and fingerprint of the new SSL certificate. Now click on the padlock icon at the left of the address bar. A dropdown window will appear.

Screenshot by author

  • Click on the “Connection” tab in the dropdown window. It gives you the option to view the certificate information.

Screenshot by author

  • Next click on “Certificate information”, then “Details”; there you can check the serial number and fingerprint. The serial number is one of the first entries you will see. To verify the fingerprint, scroll all the way down to the “Fingerprints” entry and match the fingerprint Chrome shows with the fingerprint on the “Change Password” page.

Screenshot by author

Fingerprint verification:

Screenshot by author
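The manual comparison above can also be scripted, which helps when the fingerprint on the page and the one in the browser are formatted differently (uppercase with colons in one place, lowercase without in the other) or were computed with different hash algorithms. This added Python example is not Lavabit’s code: it computes a fingerprint the way browsers do, as a hash over the DER-encoded certificate, normalizes both values before comparing, and includes a fetch helper built on the standard library’s ssl module. The byte strings used to exercise it stand in for a real DER certificate; the real published fingerprint must be copied from Lavabit’s password change page, and the fetch helper needs network access.

```python
import hashlib
import re
import ssl


def fingerprint(der_cert: bytes, algorithm: str = "sha1") -> str:
    """Fingerprint as browsers display it: hash of the DER certificate, colon-separated hex."""
    digest = hashlib.new(algorithm, der_cert).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize(fp: str) -> str:
    """Strip colons, spaces and case so a value pasted from a web page compares cleanly."""
    return re.sub(r"[^0-9a-f]", "", fp.lower())


def matches(published: str, observed: str) -> bool:
    """True only when both values are the same length (same hash algorithm) and identical."""
    a, b = normalize(published), normalize(observed)
    return len(a) > 0 and len(a) == len(b) and a == b


def fetch_der_certificate(host: str, port: int = 443) -> bytes:
    """Fetch the certificate a server presents (the one Chrome shows behind the padlock)."""
    pem = ssl.get_server_certificate((host, port))
    return ssl.PEM_cert_to_DER_cert(pem)


def verify_site(host: str, published_fingerprint: str, algorithm: str = "sha1") -> bool:
    """Compare the live certificate's fingerprint against the value published out of band."""
    observed = fingerprint(fetch_der_certificate(host), algorithm)
    return matches(published_fingerprint, observed)


if __name__ == "__main__":
    # Placeholder bytes stand in for a DER certificate; a real check would call verify_site()
    # with the fingerprint copied from the "Change Password" page.
    sample = b"placeholder-der-bytes"
    print("sha1  :", fingerprint(sample))
    print("sha256:", fingerprint(sample, "sha256"))
```

The length check in matches() is deliberate: a SHA-1 fingerprint (20 bytes) copied from a page can never match a SHA-256 value (32 bytes) shown by the browser, and silently comparing the two would report a false mismatch. Pick the algorithm that Lavabit’s page uses and pass it explicitly.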

True Privacy with SpiderOak

After going through the story of Lavabit’s fight with the NSA to secure its customers’ data, the question arises: how can businesses ensure that their customer data remains protected from NSA surveillance? It is possible with SpiderOak. SpiderOak has no key or plaintext data to hand over to the government. At SpiderOak, sensitive user data is protected using 256-bit AES encryption so that files and passwords remain secure. SpiderOak encrypts the files on your computer before uploading them to the server. As a result, you and only you have access to your unencrypted data. Even SpiderOak cannot read your data, because the keys used for encryption belong only to you. It is impossible for someone to gain control of your data by hacking into SpiderOak. SpiderOak’s encryption is comprehensive — even with physical access to the storage servers, SpiderOak staff cannot know even the names of your files and folders. On the server side, all that SpiderOak staff can see are sequentially numbered containers of encrypted data. In this way, we are not capable of betraying our customers. The secret that keeps your data accessible to you alone is your SpiderOak password, which is never transmitted to SpiderOak in its original form. SpiderOak generates a key from your password using the PBKDF2 key derivation/strengthening algorithm (with SHA-256), a minimum of 16384 rounds, and 32 bytes of random data (the “salt”). This key is then used to encrypt/decrypt a series of strong encryption keys that in turn encrypt/decrypt your data. So a user who knows her password can generate the outer-level encryption key using PBKDF2 and the salt, then decipher the outer-level keys, and be on the way to decrypting her data. Without knowledge of the password, however, the data is unreadable. This way, even if programs like NSA’s PRISM continue to stand unchallenged, people can rest easy knowing that their data is truly protected.
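The password-to-outer-key-to-data-key chain described in this paragraph, and in the identical paragraph closing the iMessage post above, can be sketched in a few lines. This added Python example is not SpiderOak’s code: it derives a 64-byte outer key with PBKDF2-SHA256 (16384 rounds and a 32-byte salt, the figures the text gives), uses half of it to wrap freshly generated 256-bit data keys and the other half for an integrity tag, and keeps only the salt and the wrapped blobs on the “server”. Because the standard library has no AES, the wrap is an HMAC-derived per-key pad plus an HMAC tag, a stand-in for the AES wrap the text describes; the key identifiers and sample passwords are constructed.

```python
import hashlib
import hmac
import os
import secrets
from typing import Optional

ROUNDS = 16384     # minimum iteration count the text cites
SALT_BYTES = 32    # salt length the text cites
KEY_BYTES = 32     # 256-bit data keys, matching the 256-bit AES the text describes


def derive_outer_key(password: str, salt: bytes) -> bytes:
    """PBKDF2-SHA256 from the password: 32 bytes for wrapping, 32 bytes for the integrity tag."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ROUNDS, dklen=64)


def _pad(outer: bytes, key_id: bytes) -> bytes:
    # Per-key pad from the wrapping half of the outer key, so wrapping several data keys never
    # reuses the same pad. Stand-in for the AES key wrap the text describes (no AES in stdlib).
    return hmac.new(outer[:32], b"wrap:" + key_id, "sha256").digest()


def wrap_key(outer: bytes, key_id: bytes, data_key: bytes) -> bytes:
    """Encrypt one data key under the outer key and append an integrity tag."""
    body = bytes(a ^ b for a, b in zip(data_key, _pad(outer, key_id)))
    tag = hmac.new(outer[32:], key_id + body, "sha256").digest()
    return body + tag


def unwrap_key(outer: bytes, key_id: bytes, blob: bytes) -> Optional[bytes]:
    """Recover a data key; returns None when the tag fails (wrong password or tampered blob)."""
    body, tag = blob[:KEY_BYTES], blob[KEY_BYTES:]
    expected = hmac.new(outer[32:], key_id + body, "sha256").digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return bytes(a ^ b for a, b in zip(body, _pad(outer, key_id)))


def enroll(password: str, key_ids=(b"file-data", b"file-names")) -> tuple:
    """Client side: make data keys, wrap them under the password-derived key, upload only the wraps."""
    salt = os.urandom(SALT_BYTES)
    outer = derive_outer_key(password, salt)
    data_keys = {kid: secrets.token_bytes(KEY_BYTES) for kid in key_ids}
    server_record = {
        "salt": salt,
        "wrapped": {kid: wrap_key(outer, kid, key) for kid, key in data_keys.items()},
    }
    return server_record, data_keys


def unlock(server_record: dict, password: str) -> Optional[dict]:
    """Client side again: the password plus the stored salt regenerates the outer key."""
    outer = derive_outer_key(password, server_record["salt"])
    keys = {}
    for kid, blob in server_record["wrapped"].items():
        key = unwrap_key(outer, kid, blob)
        if key is None:
            return None
        keys[kid] = key
    return keys


def record_leaks_secret(server_record: dict, password: str, data_keys: dict) -> bool:
    """Does anything stored server-side contain the password or a plaintext data key?"""
    stored = server_record["salt"] + b"".join(server_record["wrapped"].values())
    return password.encode("utf-8") in stored or any(k in stored for k in data_keys.values())


def demo(password: str = "correct horse battery staple", wrong: str = "password") -> dict:
    """Enrol with a constructed password, then try unlocking with the right and a wrong one."""
    record, data_keys = enroll(password)
    return {
        "unlock_correct": unlock(record, password) == data_keys,
        "unlock_wrong": unlock(record, wrong) is not None,
        "record_leaks_secret": record_leaks_secret(record, password, data_keys),
    }


if __name__ == "__main__":
    print(demo())
```

The server record holds a salt and wrapped blobs and nothing else, which is the concrete meaning of “no key or plaintext data to hand over”: without the password, the outer key cannot be regenerated, and the integrity tag means a wrong password yields a clean failure rather than garbage keys.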

SpiderOak’s cross-platform private cloud services are available for users on Windows, Mac, and Linux platforms, along with Android and iOS mobile devices, allowing for full flexibility and mobile access. SpiderOak offers amazing products like SpiderOak Hive and SpiderOak Blue to secure consumer and enterprise data. SpiderOak Blue provides enterprises with a fully private cloud service featuring all of the benefits of cloud storage along with 100% data privacy. And for the average web user, SpiderOak offers the same protections with lower costs and smaller storage space. You can sign up for this product now.