October 2013 - Page 3 of 3 - The Privacy Post

0

Should You Recycle Your Yahoo ID?

Posted by on Oct 3, 2013

yahoo.com Passwords

Image from yahoo.com

 

Have you ever thought of changing your Yahoo ID to something short, simple, and easy to remember? If yes, then you have the option of doing so with Yahoo’s new move of recycling dormant Yahoo IDs, and assigning them to active users. In mid June, Yahoo announced that the User IDs that are inactive for over a year would be reassigned to current users. Yahoo will alert the dormant account holders to login in to their accounts within 48 hours if they want to keep them or else their accounts will be recycled and up for grabs. Yahoo also opened up a wish list for current users to name their top five choices of usernames, and if one of those user IDs was available then Yahoo would contact them and send instructions to claim that ID.

Unfortunately this email-recycling scheme of reengaging old users and rewarding active ones is not as easy and cut-and-dry as it looks. There are a lot of security surprises hidden for you in this move of Yahoo. Some of the users who had received recycled IDs say they have received emails intended for the original account holder. Those emails contain all kinds of information starting from marketing emails to emails containing personal information like social security number and credit card details.

 

Identity theft will recycled Yahoo IDs.

Recycled Yahoo IDs can promote identity theft. Image from spideroak.com

 

In an interview given to InformationWeek, Tom Jenkins, an IT security professional who has received a recycled ID says  “I can gain access to their Pandora account, but I won’t. I can gain access to their Facebook account, but I won’t. I know their name, address and phone number. I know where their child goes to school, I know the last four digits of their social security number. I know they had an eye doctor’s appointment last week and I was just invited to their friend’s weddings. The identity theft potential here is kind of crazy.”

Several security researchers and data privacy advocates have opposed Yahoo’s move, saying reassigning IDs can be extremely critical to the privacy and security of user data. There might be a potential risk of identity theft during this process. In response to the concerns of security experts, Yahoo says it has taken proper precautionary measures before assigning the old IDs and is confident of safeguarding user data during this process. These are some the steps Yahoo has taken in order to protect the privacy of its account holders.

  •  As per Yahoo, they have attempted to contact inactive account holders in multiple ways to log on to their accounts, or else their account will recycled.
  • Private data from previous accounts were deleted and bounce-back e-mails were sent to the senders for 30-60 days to let them know that the account does not exist and to unsubscribe from the commercial mailing list.
  • Yahoo is also working on a new feature called “ Not My Email”, where users report an email that is not intended for them.
  • Yahoo will take proper security measures to ensure that emails of previous account holders remain private.
Not My Email

Not My Email: Image from spideroak.com

 

Protect your Yahoo account

 As a user you can also protect your account by:

  • Logging on to your account from time to time If you do not want your account to become inactive and then later recycled as per Yahoo’s new policy
  • If you want to relinquish your account then make sure your personal stuff or subscriptions are not directed to that account. For example, most online accounts needs your email address to reset the password. They end up sending the new password or activation link to the email address on file. Make sure that you update your email address for all your online accounts.

On contrary to Yahoo, Google offers an interesting feature called “Inactive Account Manager” to manage the inactive accounts effectively. You can tell Google what to do with your Gmail messages and data from other Google services if your account becomes inactive. Google offers two options to deal with your inactive account – it will alert you to delete your account after three, six, nine or 12 months of inactivity or ask you to select trusted contacts to receive some or all of your data from the following services: 1s; Blogger; Contacts and Circles; Drive; Gmail; Google+ Profiles, Pages and Streams; Picasa Web Albums; Google Voice and YouTube. Before taking any action on your account Google will warn you by sending a text message to your cellphone and emailing to the secondary address you have provided.

Image from google.com

Image from google.com

 

Secure your Emails with SpiderOak

 Users sometimes find that selecting a truly protected third party cloud service can be a challenge as most “secure” services on the market have glaring security gaps that leave their sensitive data wide open to third party attacks, leaks, and hacking. One rapidly expanding cloud storage and sync service that sets itself apart from the rest of the market is SpiderOak. This service provides users with fully private cloud storage and syncing, featuring all of the benefits of the cloud along with 100% data privacy. SpiderOak is available with onsite deployment and private servers or outsourced deployment through a private and secured public cloud server, so that users and small businesses of all sorts and sizes can tailor the service to fit their needs.

SpiderOak protects sensitive user data with 256-bit AES encryption so that files and passwords stay private. Authorized accounts and network devices can store and sync sensitive data with complete privacy, because this cloud service has absolutely “zero-knowledge” of user passwords or data. And all plaintext encryption keys are exclusively stored on approved devices because SpiderOak never hosts any plaintext data. This way, even if programs like NSA’s PRISM continue to stand unchallenged, people can rest easy knowing that their data is truly protected. SpiderOak’s cross-platform private cloud services are available for users on Windows, Mac, and Linux platforms, along with Android and iOS mobile devices, allowing for full flexibility and mobile access.

Interested in SpiderOak Products?

SpiderOak carved its niche as the top choice for those most concerned with privacy.

The engineering goal was simple – devise a plan where users’ files, filenames, file types, folders, and/or any other personal information are never exposed to anyone for any reason (even under government subpoena). This describes SpiderOak’s ‘zero-knowledge’ privacy environment.

SpiderOak offers amazing products like SpiderOak Hive and SpiderOak Blue to secure consumer and enterprise data. SpiderOak Hive keeps all your files in sync across your computer and mobile devices. Here the end-user has the ownership of data and is the only one with the keys to unlock and look at plaintext data. You can signup for this product now. SpiderOak Blue works seamlessly in your enterprise environment. To resolve authentication it deploys a virtual appliance that resides behind your firewall and integrates with Active Directory / LDAP for single sign-on. SpiderOak Blue is compatible in Mac, Windows, Linux, iOS and Android platforms. SpiderOak Blue is now available through a limited release. We have been working with several large enterprises through the beta period and will continue towards general release. If you’re curious about the product, please send an email to blueinfo@spideroak.com and we will get back to you soon.

 

October 2013 - Page 3 of 3 - The Privacy Post

0

Virginia Tech Data Breach Reveals Private Data

Posted by on Oct 2, 2013

Password protection

Image from detroit.cbslocal.com

Several institutions of higher learning have been experiencing security breaches lately. Every other day, it seems,  there is some news about information being accessed illegally from the servers of well-known universities and colleges. Last week Virginia Tech announced that one of their servers in the Human Resource department was illegally accessed. The server contained private and sensitive information of about 145,000 job applicants. And the sad part is that the leak could have been easily prevented. As per the university’s Associate Vice President for University Relations, Lawrence Hincker, the server was placed in service without proper cyber-protection protocols. This security loophole allowed the hacker to get into the system. A minor oversight allowed somebody to access such confidential information of so many people.

This data breach exposed personal information like name, address, employment history, education history and prior convictions of job applicants from 2003 to present. So anyone who has applied for a job using the online system at Virginia tech within this time frame had some data exposed. Although some of the key personal data like SSN and date of birth were not affected in this process, the hacker did have access to the driver’s license of thousands of job applicants. The university’s breach statement states, “the online application does ask applicants to “indicate your professional licenses, certificates, or other authorizations to practice a trade or profession”. In response to that question, 16,642 of the 144,963 job applicants had provided their drivers license number.

 

Identity theft

Image from http://sugarbabydaily.files.wordpress.com

 

Let’s focus on what led to such an attack. The minor issue that left the server vulnerable for hours was a weak password setting. The Administrator account password was not strong enough, and did not follow VT’s password strength rules. Therefore, it was easy for the hackers to guess and crack the password. The University came to know about the data leak hours later when it was alerted that its computers were making password probes on another person or company. In response to the attack, the security team at VT immediately disconnected the system from the network and constantly monitored the network using cybersecurity monitors to trace the path of attack. After a thorough analysis and monitoring it was concluded that the attacks came from a server in Italy and accessed personally identifying information of thousands of job applicants. The University has taken significant action in this regard by providing identity insurance and access to a credit monitoring service for a year to individuals whose driver license numbers were accessible during the breach.

 

Security

Image from publicpolicy.telefonica.com

 

Computerworld states that “Statistics maintained by Privacy Rights Clearinghouse shows that through Sept. 24, there have been 29 breaches involving about 371,137 records at educational institutions around the country. In contrast, universities reported a total of 85 breaches involving over 1.7 million data records in 2012”. Here are some of the lessons learnt from these security breaches:

  • Use strong passwords:Password cracking is a very common security attack. In order to crack a password you need encrypted password file and encryption algorithm. Two common methods that are used to crack passwords are “Brute force attack” and “Dictionary attack”. The attacker uses a combination of known passwords or possible decryption keys to guess your password. You can avoid password cracking by using large and complex passwords (at least 8-digits long and combination of letters, numbers and special characters), and changing them after a specified period (30 or 90 days).
  •  Do not collect or store unneeded information on your servers: Only collect and store data on your database server that is required. Get rid of the unnecessary information. Personal information related to SSN, credit card or driver’s license should not be collected unless it is extremely needed. Referring back to the Virginia tech incident, there was no need of storing the personal data of all the job applicants on the University servers for such a long time. They only needed to store and secure the personal identifying information of employees they hire. Similarly, it is not at all necessary to provide driver’s license information while applying to a job online.
  •  Follow your organization’s security policy and procedures: Strictly follow your organization’s security policies and procedures to maintain data privacy and confidentiality. Companies must develop security guidelines to sort through the requirements, develop processes for handling data, and design applications that include appropriate safeguards, such as encryption and restricted access, for each location.
  •  Encrypt stored and backup data: Use strong encryption standards to protect stored and backup data. AES cryptographic algorithm using 256 bit keys should be used to encrypt sensitive information. Covered data transmitted over email should be secured using strong email encryption like PGP or S/MIME.
  • Enable security controls: Use strong network protocols like Secure Socket Layer (SSL) or Transport Layer      Security (TLS) to secure data in transit. Below is a list of insecure network protocol with their secured alternatives:

 

Important keys for protection

Image from security.berkeley.edu

 

  • Update and maintain security patches: The security patches should be kept current and should be updated in regular intervals. This is one area where administrators fall short and which subsequently leads to data breaches. Websites that are rich in third party applications, widgets, plug-ins and add-ons are extremely vulnerable to cyber attacks and needs to be patched frequently.
  • Be careful in sharing your information: The HR department of any organization is usually responsible for handling sensitive data with people inside and outside of the organization. This sharing of information often leads to data leaks. To prevent such leaks use automatic encryption and multilayered protection. These techniques will safeguard any electronically transmitted data.

 

SpiderOak Blue for Enterprises:

Finding a truly secure third party cloud service can be a challenge as many services on the market have security gaps that leave private data vulnerable to third party attacks. One cloud storage and sync service that sets itself apart is SpiderOak Blue. This service provides enterprises with a fully private cloud service featuring all of the benefits of cloud storage along with 100% data privacy. And for the average web user, SpiderOak offers the same protections with lower costs and smaller storage space.

SpiderOak Blue protects sensitive enterprise data through two-factor password authentication and 256-bit AES encryption so that files and passwords stay private as unreadable blocks of data. Two-factor authentication is just like the process used by some financial services that require a PIN as an extra precaution along with a password in order to log in. With SpiderOak, enterprises that choose to use two-factor authentication must submit a private code through text along with their unique encrypted password. Authorized accounts can store and sync sensitive data with complete privacy, because this cloud service has absolutely “zero-knowledge” of user passwords or data. And all plaintext encryption keys are exclusively stored on approved devices (SpiderOak never hosts any plaintext data). SpiderOak Blue’s cross-platform private cloud services are available for enterprises on Windows, Mac, and Linux platforms, along with Android and iOS mobile devices.

October 2013 - Page 3 of 3 - The Privacy Post

3

Dropbox joins the call for NSA transparency

Posted by on Oct 1, 2013

Dropbox and the NSA

Image from www.pcworld.com/

Cloud storage services are used by many of us to store and share our files or photos. While using this extremely convenient and easy to use file-sharing service, there are valid questions, such as “what if the service providers can access our data?” or “what if somebody hacks into their servers?” Recently, the online cloud storage service Dropbox was in the news for being a target of the NSA’s requests to reveal user’s data stored in their servers. Dropbox has joined hands with other tech companies like Google, Yahoo, Microsoft and Facebook in their quest for permission to publish a transparent report of number of data requests made by US government under national security laws. In a brief filed with foreign intelligence surveillance (FISA) last week, Dropbox seeks permission to report the exact number of data requests it has received, and the number of users affected by the requests. It supports the motions filed with FISA by other tech giants like Google, Microsoft, and Yahoo. According to these companies, their inability to make public the number of data requests they have received is harming their reputation. As per the brief, Dropbox has been denied permission by the government to publish the precise number of national-security requests it receives. The only way it can publish the number of such requests is if it combines NSA requests with regular-law enforcement requests, and then rounds the total figure to the nearest thousand. Since Dropbox received fewer than 100 regular law enforcement requests last year, reporting in the government’s format will decrease the reporting resolution. Let us now take a look at the online transparency report that Dropbox has released. It states that the company has received 87 requests for user information in the U.S. in 2012, and those were specific to 164 user accounts. Out of this it responded to 82% of the requests. As per the report, there were less than 20 non-US requests for user data in the same time frame, specific to 20 unique user accounts. The company has not responded to any of the non-US requests, as it currently requires data requests to go through the U.S judicial system.

Dropbox transparency records

Image from https://www.dropbox.com/transparency

Dropbox has also included the court brief in the transparency report page. The brief uses very strong words and even accuses the government of violating the First Amendment. “There is no statute, nor any other law, supporting the government’s demands,” Dropbox said. “To the contrary, the proposed gag order violates the First Amendment, as it interferes with both the public’s right to obtain truthful information about a matter of substantial public debate and service providers’ rights to publish such information.”  And these are the reasons why the company has agreed to the motions of other service providers and asks the court to “publish accurate information about the number of national-security requests received within a reporting period, along with the number of accounts affected by those requests”. How secure is Dropbox? Now the obvious question that will arise in your mind is how secure is your data in Dropbox, especially in the light of PRISM revelations. There is no doubt that Dropbox is a robust and convenient service that allows you to backup and access your data anytime and from anywhere. But you have the right to know how Dropbox stores and secures your data, irrespective of what the NSA wants. In the last few years Dropbox is under the scrutiny of security researchers as the privacy of user data is under question. There are certain security risks in this widely used cloud storage system:

  • The privacy policy of Dropbox states that  “ it automatically [records] information from your Device, its software, and your activity using the Services. This may include the Device’s Internet Protocol (IP) address, browser type, the Web page visited before you came to our website, information you search for on our website, locale preferences, identification numbers associated with your Devices, your mobile carrier, date and time stamps associated with transactions, system configuration information, metadata concerning your Files, and other interactions with the Service.” What that means is, be ready to share some of your data and browsing habits while using Dropbox.
  • The data stored is Dropbox is encrypted and no body can read your encrypted data. However having the data encrypted is of no value if the keys are with Dropbox. Anybody who has access to the keys can compromise your data.

Spideroak Vs Dropbox

Spideroak v Dropbox

Image from http://i1099.photobucket.com

Despite several similarities there are significant differences between SpiderOak and Dropbox.

  • SpiderOak encrypts the files in your computer before uploading them to the server. As a result you and only you have access to your unencrypted data. Even SpiderOak cannot read your data because the keys used for encryption only belongs to you. It is impossible for someone to gain control of your data by hacking into SpiderOak. This way, even if programs like NSA’s PRISM continue to stand unchallenged, people can rest easy knowing that their data is truly protected.
  • SpiderOak allows you to forego the instant backup and instead backs up your files during the night where it does not have to borrow extra processing power from other applications.
  • You can select any folder to be backed up by SpiderOak in contrast to using only one folder called “ My Dropbox”.
  • In addtion to the cloud storage feature, the desktop version of Spideroak allows you to sync between hard drives and flash drives.

Why choose Spideroak over Dropbox? Users sometimes find that selecting a truly protected third party cloud service can be a challenge as most “secure” services on the market have glaring security gaps that leave their sensitive data wide open to third party attacks, leaks, and hacking. One rapidly expanding cloud storage and sync service that sets itself apart from the rest of the market is SpiderOak. This service provides users with fully private cloud storage and syncing, featuring all of the benefits of the cloud along with 100% data privacy. SpiderOak is available with onsite deployment and private servers or outsourced deployment through a private and secured public cloud server, so that users and small businesses of all sorts and sizes can tailor the service to fit their needs. SpiderOak protects sensitive user data with 256-bit AES encryption so that files and passwords stay private. Authorized accounts and network devices can store and sync sensitive data with complete privacy, because this cloud service has absolutely “zero-knowledge” of user passwords or data. And all plaintext encryption keys are exclusively stored on approved devices because SpiderOak never hosts any plaintext data. This way, even if programs like NSA’s PRISM continue to stand unchallenged, people can rest easy knowing that their data is truly protected. SpiderOak’s cross-platform private cloud services are available for users on Windows, Mac, and Linux platforms, along with Android and iOS mobile devices, allowing for full flexibility and mobile access. Interested in SpiderOak Products? SpiderOak carved its niche as the top choice for those most concerned with privacy.The engineering goal was simple – devise a plan where users’ files, filenames, file types, folders, and/or any other personal information are never exposed to anyone for any reason (even under government subpoena). This describes SpiderOak’s ‘zero-knowledge’ privacy environment. SpiderOak offers amazing products like SpiderOak Hive and SpiderOak Blue to secure consumer and enterprise data. SpiderOak Hive keeps all your files in sync across your computer and mobile devices. Here the end-user has the ownership of data and is the only one with the keys to unlock and look at plaintext data. You can signup for this product now. SpiderOak Blue works seamlessly in your enterprise environment. To resolve authentication it deploys a virtual appliance that resides behind your firewall and integrates with Active Directory / LDAP for single sign-on. SpiderOak Blue is compatible in Mac, Windows, Linux, iOS and Android platforms. SpiderOak Blue is now available through a limited release. We have been working with several large enterprises through the beta period and will continue towards general release. If you’re curious about the product, please send an email to blueinfo@spideroak.com and we will get back to you soon.