November 2013 - The Privacy Post


Healthcare.gov Website Vulnerable to Cyber Attacks

Posted by on Nov 29, 2013

Healthcare.gov website poses security risks. Image from http://www.reuters.com/


In a previous post, I outlined the technical glitches and security flaws of the Healthcare.gov website. As we know, people have experienced various technical difficulties while accessing Healthcare.gov: slow and sluggish operation, error messages, and compromised data. To top it all, security experts have now warned about the security breaches that could result from vulnerabilities in the website. Security testers claim that the website did not follow basic security principles and that proper actions were not taken to resolve security issues before release. It seems the website lacks basic security controls, a gap that any software tester with knowledge of website coding could detect.

The website contains private data of millions of Americans, including addresses, birthdates, Social Security numbers and income, so it is bound to attract the attention of cybercriminals. According to a report, hackers have attempted about 16 attacks on the Healthcare.gov website. However, according to the investigation report, none of them has been successful so far.

Distributed Denial Of Service Tool. Image from arstechnica


Besides that, authorities are also investigating a tool designed to launch a “denial of service attack” on the website. Arbor Networks reported that a distributed denial of service (DDoS) program called “Destroy Obama Care” was seen on a “torrent” file sharing webpage. They do not have any evidence of whether the program has been launched. The DDoS tool aims to put a strain on the website by alternating requests to the https://www.healthcare.gov and https://www.healthcare.gov/contact-us addresses. If repeated requests are sent to the website within a short period of time, they will slow down the performance of some critical applications. The experts at Arbor Networks believe that the DDoS tool is designed to launch attacks in protest against the government’s policies and actions. Here is the message displayed by the tool:

“Destroy Obama Care.

This program continually displays an alternate page of the ObamaCare website. It has no virus, trojans, worms, or cookies.

The purpose is to overload the ObamaCare website, to deny service to users and perhaps overload and crash the system.

You can open as many copies of the program as you want. Each copy opens multiple links to the site.

ObamaCare is an affront to the Constitutional rights of the people. We HAVE the right to CIVIL disobedience!”
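
The alternating-request behaviour described above leaves a recognisable pattern in web server access logs. The following Python code is an added example, not part of the original post or of Arbor Networks' report: it flags clients whose requests inside a short window switch almost every time between the two pages named in the report. The log lines, client addresses (documentation ranges) and thresholds are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Combined-log-format prefix: client, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

WATCHED = {"/", "/contact-us"}      # the two addresses named in the report
WINDOW = timedelta(seconds=10)      # assumed sliding-window length
MIN_REQUESTS = 8                    # assumed minimum requests in the window
MIN_ALTERNATION = 0.8               # assumed share of consecutive requests that switch page


def parse(line):
    """Return (ip, timestamp, normalised path) or None for unparsable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    # Drop the query string and trailing slash so variants map to one page.
    path = m["path"].split("?", 1)[0].rstrip("/") or "/"
    return m["ip"], ts, path


def alternation_ratio(paths):
    """Fraction of consecutive request pairs that hit different pages."""
    switches = sum(1 for a, b in zip(paths, paths[1:]) if a != b)
    return switches / (len(paths) - 1)


def flag_alternating_clients(lines):
    """Map client IP -> (requests in window, alternation ratio) at first detection."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec:
            by_ip[rec[0]].append((rec[1], rec[2]))

    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Shrink the window until it spans at most WINDOW.
            while events[end][0] - events[start][0] > WINDOW:
                start += 1
            paths = [p for _, p in events[start:end + 1]]
            if len(paths) < MIN_REQUESTS or not set(paths) <= WATCHED:
                continue
            ratio = alternation_ratio(paths)
            if ratio >= MIN_ALTERNATION:
                flagged[ip] = (len(paths), round(ratio, 2))
                break
    return flagged


def make_line(ip, second, path):
    """Build one constructed access-log line."""
    return (f'{ip} - - [15/Nov/2013:10:00:{second:02d} +0000] '
            f'"GET {path} HTTP/1.1" 200 512')


# Constructed sample traffic.
SAMPLE = (
    # Twelve requests in six seconds, strictly alternating between the two pages.
    [make_line("198.51.100.7", i // 2, "/" if i % 2 == 0 else "/contact-us")
     for i in range(12)]
    # Ordinary browsing.
    + [make_line("203.0.113.20", s, p)
       for s, p in [(1, "/"), (9, "/contact-us"), (30, "/glossary")]]
    # A burst against a single page: a rate problem, but not this signature.
    + [make_line("192.0.2.33", i // 2, "/") for i in range(12)]
)

if __name__ == "__main__":
    for ip, (count, ratio) in flag_alternating_clients(SAMPLE).items():
        print(f"{ip}: {count} requests in window, alternation ratio {ratio}")
```

The single-page burst from 192.0.2.33 is deliberately not flagged here; plain request-rate limits catch that case, while this check isolates the alternating signature.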

Taking all of the above security concerns with the Healthcare.gov website into consideration, when a group of IT experts was asked whether Americans should use the website, their answer was a resounding NO. They agreed that the lack of proper testing and the complexity of the code in the healthcare website have left it open to a lot of vulnerabilities. The website has 500 million lines of code, so it is extremely difficult to fix any issues that come up with it. If you fix one piece of code, something might go wrong somewhere else, and you might open up new vulnerabilities as well. Fixing the code might be extremely time consuming and expensive. So, it is very difficult to conduct an end-to-end security assessment of the website.

David Kennedy addresses the security concerns with Healthcare.gov. Image from https://cyberarms.wordpress.com


David Kennedy, the founder of TrustedSec, an online security firm, offered some recommendations to Congress regarding the security concerns with the Healthcare.gov website. According to Kennedy, the best option is to design another website, “Healthcare.gov 2”, that will work along with the original website. Another option is to take the website offline and fix the issues with the code, which will take a long time. He pointed out that the personal information users have already entered into the website is vulnerable to security attacks. As the website deals with the personal data of so many people, strong action should be taken to restore the privacy and security of the users.

Keep your health information secured

Users sometimes find that selecting a truly protected third party cloud service can be a challenge as most “secure” services on the market have glaring security gaps that leave their sensitive data wide open to third party attacks, leaks, and hacking. One rapidly expanding cloud storage and sync service that sets itself apart from the rest of the market is SpiderOak. This service provides users with fully private cloud storage and syncing, featuring all of the benefits of the cloud along with 100% data privacy. SpiderOak is available with onsite deployment and private servers or outsourced deployment through a private and secured public cloud server, so that users and small businesses of all sorts and sizes can tailor the service to fit their needs.

SpiderOak protects sensitive user data with 256-bit AES encryption so that files and passwords stay private. Authorized accounts and network devices can store and sync sensitive data with complete privacy, because this cloud service has absolutely “zero-knowledge” of user passwords or data. And all plaintext encryption keys are exclusively stored on approved devices because SpiderOak never hosts any plaintext data. This way, even if programs like NSA’s PRISM continue to stand unchallenged, people can rest easy knowing that their data is truly protected. SpiderOak’s cross-platform private cloud services are available for users on Windows, Mac, and Linux platforms, along with Android and iOS mobile devices, allowing for full flexibility and mobile access. SpiderOak offers amazing products like SpiderOak Hive and SpiderOak Blue to secure consumer and enterprise data. Sign up for this product today!


Recent Security Breaches Highlight the Importance of Strong Passwords

Posted by on Nov 28, 2013

Strong passwords are important to maintain your privacy. Image from http://www.itpro.co.uk/


We have been advised about the importance of strong passwords many times. Sadly, very few of us follow that advice in real life. Weak passwords are often one of the biggest reasons behind major security breaches. Not only do we use simple and easy-to-guess passwords, but we also tend to use the same password for all our online services. Therefore, if an intruder gets access to one of the servers containing users’ passwords and login information, the impact of the attack can be even worse. Two major security breaches were reported this month. The data breaches at GitHub and online dating site Cupid exposed the usernames and passwords of millions of users.

GitHub security breach compromised accounts with weak passwords Image from http://www.thewhir.com/


GitHub is a popular online source code repository for open source projects. Major free software projects like Linux, WordPress and Android are hosted here. GitHub was hit by a brute-force password guessing attack that compromised the accounts of users with weak passwords. The hacker used 40,000 unique IP addresses to guess the passwords of GitHub users. As a result, user accounts with weak passwords, and with passwords reused from other compromised sites, were compromised. However, it has not been revealed exactly how many accounts were compromised in the attack. In response to the data breach, GitHub has notified the users whose accounts have been compromised, reset their passwords and revoked any third party keys. Users have also been advised to review their account’s Security History page to look for changes made to their repositories or failed login attempts, and to implement two factor authentication for better security. GitHub plans to strengthen its security by preventing users from using weak passwords. It recommends that users choose passwords that are at least 7 characters long with at least one lower case letter and one numeral. If you try passwords that meet these criteria, like q1w2e3r4, password1 and iloveyou2, you will get a message saying those passwords are “commonly guessed by hackers”.

Cupid Media security breach compromised millions of user accounts. Image from hreatpost.com.


Similarly, another major password breach took place at Cupid Media, an online dating site. The hacker accessed 42 million user accounts containing personal information such as names, emails, birthdays and unencrypted passwords. Sadly, the user passwords were stored in plaintext form. The hackers did not even have to crack any codes to access the passwords. The hacker can carry out further attacks such as phishing and identity theft by exploiting this weakness. Security expert Brian Krebs revealed, “nearly 2 million of users had chosen “123456” as password, while 1.2 million users used “11111”. Some 37,000 creatively chose “password” for their secret code. And somewhat heartwarming, 90,000 of the dating site users opted for “iloveyou.” Cupid Media also took the same corrective action as GitHub, that is, notifying affected customers and resetting passwords. The motivation behind this attack is still unknown. Andrew Bolton, the managing director of Cupid Media, said that the company had noticed suspicious activities on its network recently. The majority of the compromised accounts were either deleted or inactive. The lesson to be learnt from this incident is that the data still remains on the company’s server even after the account is closed, and can be compromised in case of an attack. The company has started hashing the passwords and has recommended that users choose strong passwords. Another interesting fact that came up during the investigation of this security breach was that the hackers who were involved in the Adobe data breach were responsible for the breach at Cupid Media as well. Brian Krebs found the Cupid Media data on the same server where the Adobe data was dumped.

These data breaches clearly indicate how important it is to have strong passwords in order to maintain your privacy on the Internet. As per the recommendations of security experts, passwords should be strong, complex and difficult to guess. You need to change your passwords frequently and use different passwords for different accounts. You can use some of the tips recommended by SpiderOak to create a strong password.
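
The two incidents above point at two separate server-side controls: rejecting passwords that satisfy a composition rule but are still commonly guessed, and storing only a salted hash instead of the plaintext. The Python code below is an added example, not GitHub's or Cupid Media's code; the blocklist is a constructed stand-in holding only the passwords quoted in this post, and the PBKDF2 iteration count is an assumption.

```python
import hashlib
import hmac
import os
import re

# Constructed stand-in for a "commonly guessed" list. It holds only the
# passwords quoted in the post; a real list would be far larger.
COMMONLY_GUESSED = {
    "q1w2e3r4", "password1", "iloveyou2",
    "123456", "11111", "password", "iloveyou",
}

PBKDF2_ROUNDS = 100_000  # assumption for this example, not a figure from the post


def meets_composition_rule(password):
    """The rule the post attributes to GitHub: 7+ chars, a lowercase letter, a numeral."""
    return (
        len(password) >= 7
        and re.search(r"[a-z]", password) is not None
        and re.search(r"[0-9]", password) is not None
    )


def check_password(password):
    """Return (accepted, reason). The blocklist runs after the composition rule."""
    if not meets_composition_rule(password):
        return False, "needs 7+ characters with a lowercase letter and a numeral"
    if password.lower() in COMMONLY_GUESSED:
        return False, "commonly guessed"
    return True, "ok"


def make_record(password):
    """Build what the server stores: salt, cost and digest, never the password."""
    salt = os.urandom(16)  # per-user salt, so equal passwords give different digests
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return {"salt": salt, "rounds": PBKDF2_ROUNDS, "digest": digest}


def verify(password, record):
    """Recompute the digest from the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), record["salt"], record["rounds"]
    )
    return hmac.compare_digest(candidate, record["digest"])


if __name__ == "__main__":
    for pw in ["abc12", "q1w2e3r4", "password1", "iloveyou2", "tidal-Lantern-42-quartz"]:
        print(f"{pw!r}: {check_password(pw)}")
    first = make_record("tidal-Lantern-42-quartz")
    second = make_record("tidal-Lantern-42-quartz")
    print("same password, different stored digests:", first["digest"] != second["digest"])
    print("login with correct password:", verify("tidal-Lantern-42-quartz", first))
```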

Secure your data with SpiderOak

Most popular “secure” cloud services are still vulnerable to third party attacks. To truly experience privacy for your individual or business needs, an anonymous cloud storage and sharing service like SpiderOak provides all the benefits of the cloud while protecting against hacking and security breaches. This service provides users with fully private cloud storage and syncing, featuring all of the benefits of the cloud along with 100% data privacy.

SpiderOak protects sensitive user data with 256-bit AES encryption so that files and passwords stay private. Authorized accounts and network devices can store and sync sensitive data with complete privacy, because this cloud service has absolutely “zero-knowledge” of user passwords or data. And all plaintext encryption keys are exclusively stored on approved devices because SpiderOak never hosts any plaintext data. This way, even if programs like NSA’s PRISM continue to stand unchallenged, people can rest easy knowing that their data is truly protected. SpiderOak’s cross-platform private cloud services are available for users on Windows, Mac, and Linux platforms, along with Android and iOS mobile devices, allowing for full flexibility and mobile access. SpiderOak offers amazing products like SpiderOak Hive and SpiderOak Blue to secure consumer and enterprise data. You can sign up for this product now.


Yahoo to Implement Encryption Between Data Centers

Posted by on Nov 27, 2013

Yahoo to implement strong security controls. Image from https://leaksource.wordpress.com


Revelations about the NSA’s privacy-intrusive “MUSCULAR” program showed how the spy agency and its British counterpart tap into the data center links of major Internet companies like Yahoo and Google. This program seems more intrusive than the PRISM program because the spy agencies carried out their mass data collection without the knowledge of the companies. Unlike with PRISM, they do not have to issue a court warrant to the companies for data collection. They just tapped into the international fiber links that connect the data centers of Yahoo and Google to collect user data. The IT giants were extremely disappointed by the NSA’s “MUSCULAR” program and clarified that they did not give any government access to their systems. The companies have also decided to implement strong security controls to protect the privacy of their users from the government’s surveillance programs.

According to the documents leaked by Edward Snowden, the Yahoo Mail service gave the government easy access for data collection because it had no SSL encryption in place. “The Washington Post revealed that government spooks had collected twice as many contacts from Yahoo Mail as all of the other major web mail services combined. No reason was given for this, but one likely cause could be due to Yahoo Mail’s lack of SSL encryption.” Yahoo has taken various steps to strengthen the security of the majority of its online applications. Yahoo has announced that it will introduce SSL encryption by default in its email service, and has confirmed that it will enable HTTPS encryption by default for Yahoo Mail by January 8, 2014. Besides encrypting the email service, Yahoo has also announced that it will encrypt the traffic between its data centers and apply SSL encryption across all its sites by March 2014. In response to the NSA’s surveillance program, Yahoo’s CEO Marissa Mayer said in a blog post:

“Yahoo has never given access to our data centers to the NSA or to any other government agency. Ever. There is nothing more important to us than protecting our users’ privacy. To that end, we recently announced that we will make Yahoo Mail even more secure by introducing https (SSL – Secure Sockets Layer) encryption with a 2048-bit key across our network by January 8, 2014.

Today we are announcing that we will extend that effort across all Yahoo products. More specifically this means we will:

  • Encrypt all information that moves between our data centers by the end of Q1 2014;
  • Offer users an option to encrypt all data flow to/from Yahoo by the end of Q1 2014;
  • Work closely with our international Mail partners to ensure that Yahoo co-branded Mail accounts are https-enabled.”
Yahoo CEO Marissa Mayer responds to NSA surveillance programs. Image from atic2.businessinsider.com.


In contrast to Yahoo, Google already moved to encrypt all its searches earlier this fall. Google will protect the privacy of its users by hiding the search queries they perform. The company has also enabled SSL encryption by default for users logged in to its service since 2011. Google has made all these changes to provide extra protection to its users from government surveillance programs.

Implementation of security controls by Internet companies like Yahoo and Google is definitely comforting to the users, as many of us use their services regularly. We do not want our data to be monitored or accessed by anybody else other than the intended recipients. It is great to see that more and more companies are taking security seriously after the PRISM revelations to ensure that their customer data is safe.

Secure cloud storage service that protects your data from surveillance

SpiderOak is a secure cloud storage service that protects its user data from government surveillance. This service provides users with fully private cloud storage and syncing, featuring all of the benefits of the cloud along with 100% data privacy. SpiderOak is available with onsite deployment and private servers or outsourced deployment through a private and secured public cloud server, so that users and small businesses of all sorts and sizes can tailor the service to fit their needs.

SpiderOak protects sensitive user data with 256-bit AES encryption so that files and passwords stay private. Authorized accounts and network devices can store and sync sensitive data with complete privacy, because this cloud service has absolutely “zero-knowledge” of user passwords or data. And all plaintext encryption keys are exclusively stored on approved devices because SpiderOak never hosts any plaintext data. This way, even if programs like NSA’s PRISM continue to stand unchallenged, people can rest easy knowing that their data is truly protected. SpiderOak’s cross-platform private cloud services are available for users on Windows, Mac, and Linux platforms, along with Android and iOS mobile devices, allowing for full flexibility and mobile access. SpiderOak offers amazing products like SpiderOak Hive and SpiderOak Blue to secure consumer and enterprise data. You can sign up for this product immediately!


How To Maintain Your Privacy In the Age of Tracking?

Posted by on Nov 26, 2013

Online privacy is one of the leading concerns of our fast-moving time. Image from http://www.smartplanet.com

The recent PRISM revelations have shown how top Internet companies like Google, Apple, Facebook, and Yahoo collect user data and share it with the National Security Agency (NSA) upon receiving a court order. Before the revelations, as users, we completely trusted these companies with the protection of our private data, and shared almost everything on the Web. The surveillance programs run by the spy agency have definitely put security at the forefront for many users. We have become more careful about what to share and what not to share. On one hand, there is the government surveillance program that tracks Internet users for national security. On the other hand, the Internet companies track every click or cursor movement of their users for targeted ads. These days Internet companies generate a lot of revenue from targeted advertisements. They monitor your activities on the Internet and send you the ads that interest you. A lot has been said and written about the privacy of users on the Internet. People are gradually becoming aware of the security risks that come with the Internet and have started implementing security controls to maintain their privacy.

Let us first understand why our personal information is more valuable than we think. Many companies collect information about people, their demographics, income, habits and interests to get a clear picture of who they are and how to convince them to buy their products. As Alex Henry wrote on Lifehacker, “The real money is in taking your data and teaming up with third parties to help them come up with new ways to convince you to spend money, sign up for services, and give up more information. Relevant ads are nice, but the real value in your data exists where you won’t see it until you’re too tempted by the offer to know where it came from, whether it’s a coupon in your mailbox or a new daily deal site with incredible bargains tailored to your desires.”

These are some of the steps that you can take to browse the web safely:

  • Use Tor to browse the web anonymously: Tor allows you to browse the Internet without revealing your IP address or other identifying information. Tor conceals users’ identities and their network activity by separating the identification and routing information. The data is transmitted through multiple computers via network relays run by volunteers around the globe. The routers employ encryption in multiple layers during the data transmission to maintain privacy between the relays, thereby providing users with anonymity in a network location.
Tor conceals user identity. Image from www.eff.org


  • Ghostery: Ghostery detects the invisible tracking cookies and plug-ins on many websites and shows them all to you. It gives you the option to block them one by one or all together. It is available for the Firefox, Chrome and Safari browsers.
  • Install Adblock Plus: Adblock Plus is an open source content filtering and ad blocking application. It prevents social networking sites like Facebook and Twitter from transmitting your data after you leave those sites. Here’s how to install Adblock Plus. After the installation, make sure to change your filter preferences to EasyPrivacy. To do this, go to the Adblock Plus website and click on the link to “Add EasyPrivacy to Adblock Plus”. This will take you to the Adblock Plus website. Click on “Add” and you are all set.
AdBlock blocks ads. Image from www.eff.org


  • Install HTTPS Everywhere: HTTPS Everywhere maximizes the use of HTTPS and prevents your private conversations from being snooped on or tampered with. “HTTPS Everywhere is produced as a collaboration between The Tor Project and the Electronic Frontier Foundation.” To use it you need to install it. Once it is installed, it does its work invisibly by encrypting your Internet communications.
  • Secure search:  You can use a secure search engine like Duck Duck Go to protect your Internet searches. “DuckDuckGo distinguishes itself from other search engines by not profiling its users and by deliberately showing all users the same search results for a given search term”.
  • Secure cloud storage: Use secure cloud storage services like SpiderOak to protect your private data. SpiderOak encrypts the files in your computer before uploading them to the server. As a result, you and only you have access to your unencrypted data. Even SpiderOak cannot read your data because the keys used for encryption only belong to you. It is impossible for someone to gain control of your data by hacking into SpiderOak.

True Privacy with SpiderOak

At SpiderOak, we protect sensitive user data using 256-bit AES encryption so that files and passwords remain secure. SpiderOak encrypts the files on your computer before uploading them to the server. The secret that keeps your data accessible to you alone is your SpiderOak password, which is never transmitted to SpiderOak in its original form. SpiderOak generates a key from your password using the key derivation/strengthening algorithm PBKDF2 (using sha256), with a minimum of 16384 rounds, and 32 bytes of random data (“salt”). This key is then used to encrypt/decrypt a series of strong encryption keys that are used to encrypt/decrypt your data. So, a user who knows her password can generate the outer level encryption key using PBKDF2 and the salt, then decipher the outer level keys, and be on the way to decrypting her data. Without knowledge of the password, however, the data is unreadable. This way, even if programs like NSA’s PRISM continue to stand unchallenged, people can rest easy knowing that their data is in truly protected form.
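
The two-level scheme described above (a password-derived key that protects randomly generated data keys) can be traced in a few lines. This Python code is an added example and is not SpiderOak's code: it uses the PBKDF2-SHA256 parameters stated in this post, and because the Python standard library has no AES, an XOR mask with an HMAC tag stands in for the AES step that wraps the data key. The function names and blob layout are assumptions.

```python
import hashlib
import hmac
import os

ROUNDS = 16384    # minimum PBKDF2 rounds stated in the post
SALT_LEN = 32     # bytes of random salt stated in the post
KEY_LEN = 32      # 256-bit data key


def derive_keys(password, salt):
    """PBKDF2-SHA256 -> 64 bytes: a 32-byte wrapping mask and a 32-byte MAC key."""
    okm = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ROUNDS, dklen=64)
    return okm[:32], okm[32:]


def wrap_data_key(password, data_key):
    """Protect a random data key under the password. Returns salt || wrapped || tag."""
    if len(data_key) != KEY_LEN:
        raise ValueError("data key must be 32 bytes")
    salt = os.urandom(SALT_LEN)  # fresh salt per wrap, so a mask is never reused
    mask, mac_key = derive_keys(password, salt)
    # Stand-in for AES key wrapping: XOR with a one-time, password-derived mask.
    wrapped = bytes(a ^ b for a, b in zip(data_key, mask))
    tag = hmac.new(mac_key, salt + wrapped, hashlib.sha256).digest()
    return salt + wrapped + tag


def unwrap_data_key(password, blob):
    """Recover the data key, or raise ValueError on a wrong password or tampering."""
    salt = blob[:SALT_LEN]
    wrapped = blob[SALT_LEN:SALT_LEN + KEY_LEN]
    tag = blob[SALT_LEN + KEY_LEN:]
    mask, mac_key = derive_keys(password, salt)
    expected = hmac.new(mac_key, salt + wrapped, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong password or corrupted blob")
    return bytes(a ^ b for a, b in zip(wrapped, mask))


def change_password(old_password, new_password, blob):
    """Re-wrap the same data key; files encrypted under it need no re-encryption."""
    return wrap_data_key(new_password, unwrap_data_key(old_password, blob))


if __name__ == "__main__":
    data_key = os.urandom(KEY_LEN)            # the key that would encrypt the files
    blob = wrap_data_key("constructed passphrase", data_key)
    print("stored blob length:", len(blob))   # only this blob would leave the device
    print("unwrap ok:", unwrap_data_key("constructed passphrase", blob) == data_key)
    try:
        unwrap_data_key("wrong passphrase", blob)
    except ValueError as exc:
        print("wrong password:", exc)
```

A service that holds only the blob cannot recover the data key without the password, and a password change replaces the blob without touching the encrypted files.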

SpiderOak offers amazing products like SpiderOak Hive and SpiderOak Blue to secure consumer and enterprise data. SpiderOak Blue provides enterprises with a fully private cloud service featuring all of the benefits of cloud storage along with 100% data privacy. And for the average web user, SpiderOak offers the same protections with lower costs and smaller storage space. You can sign up for this product now.


Is Your Smart TV Spying On You?

Posted by on Nov 25, 2013

LG Smart TV collects user viewing information. Image from http://www.huffingtonpost.ca/


Many households these days own “Smart TVs”. Sometimes we forget that these TVs are also connected to the Internet, and that they are capable of collecting and transmitting our data. We seem to be a lot more concerned about surveillance programs that spy on our web browsing activities, email conversations, or our interactions on social media. We worry about what security controls we need to implement on our systems to avoid being tracked. However, very little has been said or revealed about the data collection activities of Smart TVs. Recently, a U.K.-based information technology consultant, Jason Huntley, revealed in a blog post how LG smart televisions send customer-viewing information to LG Electronics Inc. According to his post, the LG Smart TV model LG 42LN575V sent unencrypted data over the Internet. He has included screenshots of the data transmitted by the LG Smart TV.

In his tests, Huntley found that the information was sent out every time he changed the channel. The TV also has an option in the system settings called “Collection of watching info”, which is ON by default. He decided to turn off that option and do some traffic analysis to see whether the TV would still send data. Unfortunately, the answer was yes. It seems the viewing information was sent regardless of whether the “Collection of watching info” option was set ON or OFF. The traffic sent over the Internet also included the names of files stored on a USB drive connected to the LG television. To prove this, Huntley carried out an experiment in which he created a mock video file, loaded it onto the USB drive, and plugged the drive into his TV. When he analyzed the network traffic, he found that the file name was transmitted unencrypted in HTTP traffic and sent to the address GB.smartshare.lgtvsdp.com. In some cases, he said, the file names for an entire folder were transmitted, and other times nothing at all was sent. He never determined the rules that controlled when data was or wasn’t sent. Other data collected by the Smart TV includes the names of customers’ files, unique customer identification information, and specialized tracking numbers for the specific TV.

LG Smart TV collects your data even when "Collection of watching info" is OFF. Image from http://doctorbeet.blogspot.co.uk/


However, the addresses in the HTTP POST request returned 404 errors, which means the personal information in the request may not have been logged on the server. Even if the information is not stored on the server, tracking of user information is an intrusion on user privacy. As the LG TV is sending unencrypted data, it is easy for someone on the same network to monitor the communications. There is also no guarantee that the information is not logged on the LG servers. “Despite being missing at the moment, this collection URL could be implemented by LG on their server tomorrow, enabling them to start transparently collecting detailed information on what media files you have stored,” said the blogger.

Network data analysis. Image from http://doctorbeet.blogspot.co.uk/


LG responded to Jason Huntley’s blog post, saying: “The advice we have been given is that unfortunately as you accepted the Terms and Conditions on your TV, your concerns would be best directed to the retailer. We understand you feel you should have been made aware of these T’s and C’s at the point of sale, and for obvious reasons LG are unable to pass comment on their actions.”

Similarly, another security researcher also revealed a vulnerability in Samsung Smart TVs that allows an intruder to take control of the devices that are connected to the same network. He demonstrated how it is possible to remotely access USB files and install malicious apps, and use the TV’s microphone and camera to spy on users.

If you want to check how an Internet-connected device such as a Smart TV transfers your data across the Internet, you can install a network analysis tool such as Wireshark. Wireshark is an open source packet analyzer that is used for network analysis and troubleshooting. By running the Wireshark packet sniffing program on your home network, you can monitor and analyze all the data packets travelling through your router.
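
Huntley's mock-file experiment can be repeated on your own capture: place a file with a distinctive name on the USB drive, export the device's reassembled requests from the packet analyzer, and search them for that name. The Python code below is an added example, not Huntley's tooling; the canary file name, the request paths and bodies, and the second host are constructed, and only the host GB.smartshare.lgtvsdp.com comes from this post.

```python
from urllib.parse import unquote_plus

# Distinctive name given to the mock video file on the USB drive (constructed).
CANARY_FILES = ["canary_7f3a_holiday.avi"]

# Constructed capture: (destination port, reassembled client-to-server bytes).
CAPTURED = [
    (80, b"POST /constructed/endpoint HTTP/1.1\r\n"
         b"Host: GB.smartshare.lgtvsdp.com\r\n"
         b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
         b"deviceid=CONSTRUCTED-ID&file=canary_7f3a_holiday.avi"),
    # Same name, percent-encoded and with different case.
    (80, b"POST /constructed/endpoint HTTP/1.1\r\n"
         b"Host: GB.smartshare.lgtvsdp.com\r\n\r\n"
         b"file=Canary%5F7f3a%5Fholiday%2Eavi"),
    # Cleartext request that does not carry the canary.
    (80, b"GET /firmware/check HTTP/1.1\r\nHost: updates.example\r\n\r\n"),
    # Start of a TLS handshake: not readable as HTTP.
    (443, b"\x16\x03\x01\x00\x2e\x01\x00\x00\x2a\x03\x03"),
]


def parse_http_request(raw):
    """Parse a cleartext HTTP request; return None if the bytes are not HTTP."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return {
        "method": parts[0],
        "target": parts[1],
        "host": headers.get("host", ""),
        "body": body.decode("latin-1"),
    }


def find_leaks(captured, canaries):
    """Return (host, method, port, canary) for each readable request naming a canary."""
    findings = []
    for dst_port, raw in captured:
        req = parse_http_request(raw)
        if req is None:
            continue  # encrypted or non-HTTP: contents cannot be inspected this way
        text = req["target"] + "\n" + req["body"]
        # Search the raw and the URL-decoded form, case-insensitively.
        haystack = (text + "\n" + unquote_plus(text)).lower()
        for name in canaries:
            if name.lower() in haystack:
                findings.append((req["host"], req["method"], dst_port, name))
    return findings


if __name__ == "__main__":
    for host, method, port, name in find_leaks(CAPTURED, CANARY_FILES):
        print(f"cleartext {method} to {host}:{port} carries local file name {name!r}")
```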

Secure cloud storage service that protects your data

SpiderOak is a secure cloud storage service that protects its user data from government surveillance. This service provides users with fully private cloud storage and syncing, featuring all of the benefits of the cloud along with 100% data privacy. SpiderOak is available with onsite deployment and private servers or outsourced deployment through a private and secured public cloud server, so that users and small businesses of all sorts and sizes can tailor the service to fit their needs.

SpiderOak protects sensitive user data with 256-bit AES encryption so that files and passwords stay private. Authorized accounts and network devices can store and sync sensitive data with complete privacy, because this cloud service has absolutely “zero-knowledge” of user passwords or data. And all plaintext encryption keys are exclusively stored on approved devices because SpiderOak never hosts any plaintext data. This way, even if programs like NSA’s PRISM continue to stand unchallenged, people can rest easy knowing that their data is truly protected. SpiderOak’s cross-platform private cloud services are available for users on Windows, Mac, and Linux platforms, along with Android and iOS mobile devices, allowing for full flexibility and mobile access. SpiderOak offers amazing products like SpiderOak Hive and SpiderOak Blue to secure consumer and enterprise data. You can sign up for this product now.


SpiderOak Tops EFF’s Crypto Survey Report

Posted by on Nov 22, 2013

Secure data storage with SpiderOak. Image from www.spideroak.com


Revelations about the National Security Agency’s (NSA) surveillance programs are posing a serious threat to the reputation of technology companies. The documents revealed by Edward Snowden indicate that leading tech companies like Apple, Google, Yahoo, and Microsoft cooperated with the NSA in its mass data collection program, PRISM, by providing information about their customer data. The companies received a severe backlash from privacy advocates and the general public for invading the privacy of their customers. To restore their reputation and win back the trust of their customers, the tech companies teamed up against the U.S. government’s surveillance programs. They asked the court to allow them to publish a transparency report of data requests made by the NSA. Besides fighting against the NSA’s surveillance programs, the tech companies also started implementing strong security measures to assure their customers that their data is safe from surveillance.

Data collection under PRISM program. Image from http://cloudstoragebuzz.com


In light of the NSA’s surveillance, it is extremely important for organizations to implement strong encryption technologies to protect user data. Even though Internet users are using encryption for secure communications between their computers and public-facing websites, the unencrypted internal data flows of the companies allow the NSA to obtain millions of records each month, including both metadata and content like audio, video, and text. The recently revealed MUSCULAR program allows the spy agencies to carry out mass data collection without the knowledge of the tech companies. The NSA successfully taps into the data center links of the companies without issuing a court warrant.

Keeping the NSA’s surveillance activities and user privacy in mind, the Electronic Frontier Foundation (EFF) conducted a survey to determine how technology companies are protecting their user data against the spying activities of the NSA. As part of the survey, EFF recommended that service providers implement strong encryption at every step a communication takes on its way to, or within, a service provider’s systems. These are the five encryption steps recommended by EFF:

  1. Encrypt links between datacenters: All companies with data centers in the cloud should immediately encrypt all traffic between their datacenters.
  2. Enable HTTPS by default: Companies should encrypt their websites with Hypertext Transfer Protocol Secure (HTTPS) by default. As a result, when a user connects to their website, the whole communication is carried out over a secure channel.
  3. Enable HTTP Strict Transport Security (HSTS): HSTS is a security policy that requires users’ browsers to interact with the web server over HTTPS connections only.
  4. Implement STARTTLS for email transfer: STARTTLS is an encryption system that encrypts communications between email servers that use the Simple Mail Transfer Protocol (SMTP) standard.
  5. Forward secrecy: A strong key is extremely important for encryption. But what if the key gets compromised? Forward secrecy ensures that access to the encryption key will not compromise user data.

EFF’s Survey Report. Image from https://www.eff.org/files/
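Steps 2 and 3 of the list above can be checked mechanically from a site's responses. The following is an added example, not part of the original post or of EFF's survey: it audits captured responses for an HTTP-to-HTTPS redirect and a usable HSTS policy. The sample responses, the host `example.test`, the function names and the 180-day floor are assumptions made for illustration.

```python
import re

MIN_MAX_AGE = 15552000  # assumed policy floor (180 days, in seconds); not an EFF figure


def parse_hsts(value):
    """Parse a Strict-Transport-Security value; return None if it is invalid.

    Directive names are case-insensitive, max-age is required, and a directive
    that appears twice makes the whole header invalid (RFC 6797).
    """
    directives = {}
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        name = name.strip().lower()
        if not name:
            continue  # tolerate empty segments such as a trailing ';'
        if name in directives:
            return None
        directives[name] = arg.strip().strip('"')
    max_age = directives.get("max-age", "")
    if not re.fullmatch(r"[0-9]+", max_age):
        return None
    return {
        "max_age": int(max_age),
        "include_subdomains": "includesubdomains" in directives,
    }


def audit(response):
    """Return a list of findings for one response (an empty list means it passes)."""
    url = response["url"]
    headers = {k.lower(): v for k, v in response["headers"].items()}
    findings = []

    if url.startswith("http://"):
        # Step 2: plain HTTP should only ever answer with a redirect to HTTPS.
        redirect = response["status"] in (301, 302, 307, 308)
        if not (redirect and headers.get("location", "").startswith("https://")):
            findings.append("plain HTTP is served instead of redirecting to HTTPS")
        if "strict-transport-security" in headers:
            findings.append("HSTS header sent over plain HTTP is ignored by browsers")
        return findings

    # Step 3: the HTTPS response must carry a usable HSTS policy.
    raw = headers.get("strict-transport-security")
    if raw is None:
        return ["no Strict-Transport-Security header"]
    policy = parse_hsts(raw)
    if policy is None:
        return ["malformed Strict-Transport-Security header"]
    if policy["max_age"] == 0:
        findings.append("max-age=0 tells browsers to drop the HSTS policy")
    elif policy["max_age"] < MIN_MAX_AGE:
        findings.append("max-age is below the policy floor")
    if not policy["include_subdomains"]:
        findings.append("includeSubDomains is missing")
    return findings


# Constructed sample responses for a hypothetical host.
SAMPLES = {
    "redirecting": {"url": "http://example.test/", "status": 301,
                    "headers": {"Location": "https://example.test/"}},
    "strict": {"url": "https://example.test/", "status": 200,
               "headers": {"Strict-Transport-Security":
                           "max-age=31536000; includeSubDomains"}},
    "short_lived": {"url": "https://example.test/", "status": 200,
                    "headers": {"strict-transport-security": "max-age=300"}},
    "http_only": {"url": "http://example.test/", "status": 200, "headers": {}},
}

if __name__ == "__main__":
    for name, resp in SAMPLES.items():
        print(name, audit(resp) or "ok")
```
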

In a recent report, EFF declared that Google, SpiderOak, Dropbox and Sonic.net are the Web companies that met all five of the communications encryption steps recommended by EFF. SpiderOak encrypts the files in your computer before uploading them to the server. As a result you and only you have access to your unencrypted data. Even SpiderOak cannot read your data because the keys used for encryption only belong to you. It is impossible for someone to gain control of your data by hacking into SpiderOak. This way, even if programs like NSA’s PRISM continue to stand unchallenged, people can rest easy knowing that their data is truly protected.

Twitter was a close runner-up among the 18 surveyed Internet companies, as it implemented four of the recommended encryption steps. Twitter also confirmed that it has encryption of data center links in progress. “Facebook and Tumblr have provided further information to supplement the Encrypt the Web Report. We’re pleased to report that Tumblr is planning to upgrade its web connections to HTTPS this year and implement HSTS by 2014, and Facebook is working on encrypting data center links and implementing STARTTLS”.

True Privacy with SpiderOak

At SpiderOak, we protect sensitive user data using 256-bit AES encryption so that files and passwords remain secure. SpiderOak encrypts the files on your computer before uploading them to the server. As a result, you and only you have access to your unencrypted data. Even SpiderOak cannot read your data because the keys used for encryption belong only to you. The secret that keeps your data accessible to you alone is your SpiderOak password, which is never transmitted to SpiderOak in its original form. SpiderOak generates a key from your password using the key derivation/strengthening algorithm PBKDF2 (using SHA-256), with a minimum of 16384 rounds and 32 bytes of random data (“salt”). This key is then used to encrypt/decrypt a series of strong encryption keys that are used to encrypt/decrypt your data. So, a user who knows her password can generate the outer level encryption key using PBKDF2 and the salt, then decipher the outer level keys, and be on the way to decrypting her data. Without knowledge of the password, however, the data is unreadable. This way, even if programs like NSA’s PRISM continue to stand unchallenged, people can rest easy knowing that their data is in truly protected form.

SpiderOak offers amazing products like SpiderOak Hive and SpiderOak Blue to secure consumer and enterprise data. SpiderOak Blue provides enterprises with a fully private cloud service featuring all of the benefits of cloud storage along with 100% data privacy. And for the average web user, SpiderOak offers the same protections with lower costs and smaller storage space. You can sign up for this product now.



Snaphack App Lets You Save Snapchats Without Notifying the Sender

Posted by on Nov 21, 2013

Snaphack saves Snapchat messages. Image from http://cdn.hightechdad.netdna-cdn.com


Many of us use Snapchat for sharing photos and videos with our friends. People consider it a secure medium for sharing their photos with others because once the receiver opens the photos or videos, they automatically disappear within 10 seconds or less. The photos are also deleted from Snapchat’s server after the user has opened them. That means the photos are not saved anywhere permanently. Surely Snapchat sounds like a very secure application for photo sharing, as no one other than the receiver can access and view the photos, and the photos are deleted within a short timeframe. However, the new app “Snaphack” defeats the whole purpose of using Snapchat for photo sharing. With Snaphack you can save Snapchat photos and messages for an indefinite period of time without notifying the sender. Now you have to think twice before sending anything embarrassing on Snapchat.

Snaphack is an iPhone app designed by Darren Jones, who has produced a few other apps under the name DAP Logic. A few months back he launched another app, Iconical, that allows users to create their own icons for the home screen of any Apple device. In an interview given to Mashable, Jones said, “I wanted to prove that nothing was 100 percent secure once uploaded to the Internet.” He also wanted to point out the dangers in sending images that you don’t want other people to see. According to Jones, he is not the first to launch a Snapchat saver. In the past, Sepia software had also designed an application called Screenshot save, which also saves Snapchat messages. Besides the above-mentioned apps, Snapchat is also vulnerable to anyone who can take a quick screenshot of the chat messages or pictures. Jones had already submitted a new version of the app to Apple that will allow users to send saved Snapchat messages to other users via email. Snaphack does not have an Android version yet.

Let’s take a look at how the Snaphack app works. First of all, you need to download the Snaphack app from the App Store. Then log in with your Snapchat credentials. “When you get a notification of a new snap all you have to do is open up the Snaphack app, refresh the app and get the new pictures and videos. Snaps can be opened up individually and then saved onto the handset.” I tested the Snaphack app by sending a photo on Snapchat to myself. I took the photo of this vase on Snapchat and selected myself as the recipient. Once I received the photo on Snapchat, I closed Snapchat without opening the photo. Then I opened Snaphack using the login details of my Snapchat account.

Photo taken on Snapchat. Image by author.


When I clicked on the green item on Snaphack, I was able to view the Snapchat that I sent to myself. The image was permanently saved on Snaphack and I could access the image anytime I want. On the contrary, I could not view the items highlighted in red because I had opened those photos on Snapchat earlier.

Snapchat photos on Snaphack. Image by author.


Besides that it also gave me the option to save the photo to the camera roll, forward to friends and send via email.

Snaphack allows you to share Snapchat photos. Image by author.


Given these developments you need to be careful while sending photos on Snapchat because somebody might be able to save your private stuff from the other end. Snapchat is not as secure as it claims to be. In the past we have seen that the company has handed over photos to the US law enforcement agencies on receiving a court order. While it is true that Snapchat deletes snaps from its servers once they are opened, the unopened snaps remain on the company’s server for 30 days and can be turned over to the authorities if needed. In case you want to share some sensitive information, take proper security measures before sending them.

Protecting your photos with SpiderOak

SpiderOak allows you to conveniently store photos online without having to worry about attacks or monitoring. This truly private storage and sync service is 100% anonymous, meaning that no one, not even the company’s own employees, can access the plaintext data uploaded to its servers. SpiderOak protects sensitive user data with 256-bit AES encryption so that files and passwords stay private. Authorized accounts and network devices can store and sync sensitive data with complete privacy, because this cloud service has absolutely “zero-knowledge” of user passwords or data. And all plaintext encryption keys are exclusively stored on approved devices because SpiderOak never hosts any plaintext data. This way, even if programs like NSA’s PRISM continue to stand unchallenged, people can rest easy knowing that their data is truly protected. SpiderOak’s cross-platform private cloud services are available for users on Windows, Mac, and Linux platforms, along with Android and iOS mobile devices, allowing for full flexibility and mobile access. SpiderOak offers amazing products like SpiderOak Hive and SpiderOak Blue to secure consumer and enterprise data. You can sign up for this product now.

 


Google to Implement Encryption for Secure Searches

Posted by on Nov 20, 2013


Google Search: trying to give users more privacy. Image from www.google.com

Google has made a change aimed at providing “extra protection” for Google searchers. The company has announced it will encrypt all search activity, except clicks on ads, to maintain the privacy and security of Internet users. Back in October 2011, Google announced that it would encrypt the searches of anyone who was logged in to a Google account. Google made this change to protect the online privacy of Google users by hiding the search queries performed by them. Now Google is expanding this online privacy protection by encrypting the searches of people who are not signed in to a Google account. Google has confirmed this new move, saying:

“We added SSL encryption for our signed-in search users in 2011, as well as searches from the Chrome omnibox earlier this year. We’re now working to bring this extra protection to more users who are not signed in. We’re going to continue expanding our use of SSL in our services because we believe it’s a good thing for users. The motivation here is not to drive the ads side — it’s for our search users.”

Encrypted Google search. Image from www.google.com


Let us first understand how web analytics captures keyword data from search engines. When we search for something on a search engine, the search keyword is typically visible in the HTTP referer field of the page request. For example, if you search “information security” on Google.com, the referer part of the HTTP request will look like:

http://www.google.com/search?q=information+security

Now when you click on a page listed in the search results, you will leave Google and arrive at the page that you selected. This page will now get a copy of the above URL. As a result, the owner of the page can find out, using web analytics software, that you landed on their page by searching for the keyword “information security”.

But when searches are encrypted, the search terms that would be passed on to the page owner/publisher after someone clicks on their link on Google are withheld. “In Google Analytics, the actual term is replaced with a ‘Not Provided’ notation”. In the past few years there has been steady growth in “Not Provided” activity due to the use of encryption in searches. “Not Provided Count, which tracks 60 sites to chart the rise of the keyword ‘(not provided),’ has been reporting on the effects of encrypted keywords over time. In the chart below, you’ll notice a spike starting around the week of September 4. Today, the chart indicates that nearly 74% of search terms are being encrypted”.


Analysis by Not Provided Count. Image from http://www.notprovidedcount.com/
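The referer mechanism described above, as an added example that is not part of the original post: a sketch of what a publisher's analytics can recover from its own access log, and how a search referral without a `q` value ends up counted as “(not provided)”. The log lines, host names and function names are constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# In the combined log format the referer is the second-to-last quoted field.
LOG_LINE = re.compile(r'"[^"]*" \d{3} \S+ "(?P<referer>[^"]*)" "[^"]*"$')

# Constructed access-log lines for a hypothetical publisher site.
SAMPLE_LOG = """\
203.0.113.5 - - [20/Nov/2013:10:01:02 +0000] "GET /infosec HTTP/1.1" 200 5120 "http://www.google.com/search?q=information+security" "Mozilla/5.0"
203.0.113.9 - - [20/Nov/2013:10:02:11 +0000] "GET /infosec HTTP/1.1" 200 5120 "https://www.google.com/" "Mozilla/5.0"
198.51.100.7 - - [20/Nov/2013:10:03:40 +0000] "GET /infosec HTTP/1.1" 200 5120 "http://www.google.com/url?sa=t&q=&source=web" "Mozilla/5.0"
198.51.100.8 - - [20/Nov/2013:10:04:05 +0000] "GET /about HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.0.2.44 - - [20/Nov/2013:10:05:19 +0000] "GET /infosec HTTP/1.1" 200 5120 "https://www.google.com/" "Mozilla/5.0"
192.0.2.45 - - [20/Nov/2013:10:06:30 +0000] "GET /infosec HTTP/1.1" 200 5120 "http://blog.example.test/links" "Mozilla/5.0"
"""


def keyword_from_referer(referer):
    """Return the search term, "(not provided)", or None for non-Google referers."""
    parts = urlsplit(referer)
    host = parts.hostname or ""
    if host != "google.com" and not host.endswith(".google.com"):
        return None  # direct visit ("-") or a referral from some other site
    # parse_qs drops blank values by default, so "q=" counts as missing.
    terms = parse_qs(parts.query).get("q")
    return terms[0] if terms else "(not provided)"


def summarize(log_text):
    """Count keywords across Google referrals and the share that is withheld."""
    counts = Counter()
    for line in log_text.splitlines():
        match = LOG_LINE.search(line)
        if not match:
            continue
        keyword = keyword_from_referer(match.group("referer"))
        if keyword is not None:
            counts[keyword] += 1
    total = sum(counts.values())
    share = counts["(not provided)"] / total if total else 0.0
    return counts, share


if __name__ == "__main__":
    counts, share = summarize(SAMPLE_LOG)
    for keyword, hits in counts.most_common():
        print(f"{hits:3d}  {keyword}")
    print(f"withheld: {share:.0%}")
```
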

Of course the obvious question that comes to our mind is: what could be the reason behind this change? What prompted Google to make such a change all of a sudden? Google claims that it is implementing this new change for maintaining the privacy of its users. However this move might be aimed towards blocking the spying activities of the NSA. Google was accused of providing the NSA direct access to the search data through the PRISM spying program. Even though the company has strongly denied this accusation, it has been criticized a lot by the security experts. The PRISM revelations have harmed the reputation of high profile tech companies like Google, Apple, Yahoo and so on. In order to gain the trust of its users, Google had also joined hands with other major tech companies in their quest for permission to publish a transparent report of the number of data requests made by US government under national security laws. These companies are requesting the government to allow them to be more transparent to the general public regarding the data requests and clarify some of the misconceptions regarding mass data collection.

Another reason behind this move could be to increase ad sales. As per this blog post, publishers can see the actual terms that have been withheld over time through the Google AdWords system. Google will not withhold the search terms entirely. Publishers can see these terms by going to the Google Webmaster Tools area. In August, Google made a change to Google AdWords. Under this change, publishers can store the search terms for as long as they want and can access them at any time, as long as they use Google’s ad system. So, Google won’t archive the search terms in the tool built for non-advertisers, i.e. Google Webmaster Tools, but will store them through its ad system. This clearly indicates that the terms are withheld to create new advertisers.

Secure cloud storage service that protects your data

SpiderOak is a secure cloud storage service that protects its user data from government surveillance. This service provides users with fully private cloud storage and syncing, featuring all of the benefits of the cloud along with 100% data privacy. SpiderOak is available with onsite deployment and private servers or outsourced deployment through a private and secured public cloud server, so that users and small businesses of all sorts and sizes can tailor the service to fit their needs.

SpiderOak protects sensitive user data with 256-bit AES encryption so that files and passwords stay private. Authorized accounts and network devices can store and sync sensitive data with complete privacy, because this cloud service has absolutely “zero-knowledge” of user passwords or data. And all plaintext encryption keys are exclusively stored on approved devices because SpiderOak never hosts any plaintext data. This way, even if programs like NSA’s PRISM continue to stand unchallenged, people can rest easy knowing that their data is truly protected. SpiderOak’s cross-platform private cloud services are available for users on Windows, Mac, and Linux platforms, along with Android and iOS mobile devices, allowing for full flexibility and mobile access. SpiderOak offers amazing products like SpiderOak Hive and SpiderOak Blue to secure consumer and enterprise data. You can sign up for this product now.

 

 


MacRumors Security Breach Exposes 860,000 User Passwords

Posted by on Nov 19, 2013


The security breach was, unfortunately, not just a rumor. Image from http://cdn.itproportal.com

We have been hearing about a lot of security breaches these days. Every day, the data of millions and millions of users is compromised due to a lack of proper security controls, weak passwords or human error. Recently MacRumors posted a notice that its user forums had been breached and that the hackers had stolen the cryptographically protected passwords of 860,000 users. Site Editorial Director Arnold Kim advised users to change their passwords for their MacRumors accounts and for any other website that is protected by the same password.

The hacker managed to gain access to a moderator account and was able to escalate their privileges to steal user login credentials. MacRumors is still investigating how the hackers managed to compromise the privileged account. After examining the log files, the investigators believe that the intruder tried to access the password database to steal the passwords. So far it looks like the hackers have not caused any further damage, and there is no sign that they have accessed any other data belonging to the user forum.


While you can hope you weren’t affected, it is always best to plan as if you were. Image from http://cdn.arstechnica.net

Kim stated that the attack is similar to the Ubuntu security breach in July. Ubuntu’s data breach compromised the security of 2 million users. The Ubuntu data breach seems to be indirectly related to the latest breach, as both the MacRumors and Ubuntu forums rely on vBulletin’s forum software. Both forums use the MD5 algorithm, along with a per-user cryptographic salt, to convert plaintext passwords into a one-way hash. This is the standard protection provided by vBulletin on both forums. However, according to many security experts, MD5 with or without salt is inadequate for password protection. “They say that while per-user salt slows down the time it takes to crack large numbers of passwords in unison, it does little or nothing to delay the cracking of small numbers of hashes”. Therefore it is not difficult for the hackers to crack the hashes of the stolen passwords.

In the meantime, the group that hacked MacForums has declared that they are not going to use the password data to compromise the accounts of people who use the same login credentials on other sites. In this post, the hacker included the partial cryptographic hash corresponding to the password of MacRumors Editorial Director Arnold Kim, as well as the cryptographic salt used to increase the time required to crack it, in order to claim that they are the ones responsible for this breach. They mentioned that the attack was not designed to cause any harm to MacRumors users but to sharpen the skills of the hacker and MacRumors.

“We’re not logging in to your gmails, apple accounts, or even your yahoo accounts (unless we target you specifically for some unrelated reason),” the user known simply as Lol wrote. “We’re not terrorists. Stop worrying, and stop blaming it on Macrumors when it was your own fault for reusing passwords in the first place.”

The hacker confirmed that the MacRumors password hashes totaled 860,106, of which 488,429 had a salt that was 3 bytes long. The shorter the salt, the easier it is to guess. Salts are random strings of numbers or characters that are appended to the plaintext password before it goes through a one-way hash function. Salts increase the time required to crack a large number of hashes by forcing the attacker to guess against each individual hash rather than all at once.
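One way a forum operator can harden records like these after a breach, shown as an added example that is not vBulletin's or MacRumors' code: the legacy hash follows the post's description (salt appended to the password, one MD5 pass), and each stored hash is then wrapped in PBKDF2-HMAC-SHA256 so that existing accounts are strengthened without knowing any plaintext. The record layout, function names, sample password and iteration count are assumptions.

```python
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 100_000  # assumed work factor; raise it as far as login latency allows


def legacy_hash(password, salt):
    """Salted MD5 as the post describes it: salt appended to the password, one pass."""
    return hashlib.md5(password.encode("utf-8") + salt).hexdigest()


def make_legacy_record(password, salt=None):
    """Build a stored record in the legacy scheme (3-byte salt, as in most leaked rows)."""
    salt = os.urandom(3) if salt is None else salt
    return {"scheme": "md5", "salt": salt, "hash": legacy_hash(password, salt)}


def upgrade(record):
    """Wrap a legacy hash in PBKDF2-HMAC-SHA256; the plaintext is not needed."""
    if record["scheme"] != "md5":
        return record  # already upgraded
    kdf_salt = os.urandom(32)
    wrapped = hashlib.pbkdf2_hmac(
        "sha256", record["hash"].encode("ascii"), kdf_salt, PBKDF2_ROUNDS)
    return {"scheme": "pbkdf2-sha256(md5)", "salt": record["salt"],
            "kdf_salt": kdf_salt, "rounds": PBKDF2_ROUNDS, "hash": wrapped.hex()}


def verify(record, password):
    """Check a login attempt against either scheme, comparing in constant time."""
    candidate = legacy_hash(password, record["salt"])
    if record["scheme"] == "pbkdf2-sha256(md5)":
        # Every guess now costs one MD5 plus `rounds` HMAC-SHA256 iterations.
        candidate = hashlib.pbkdf2_hmac(
            "sha256", candidate.encode("ascii"),
            record["kdf_salt"], record["rounds"]).hex()
    return hmac.compare_digest(candidate, record["hash"])


if __name__ == "__main__":
    # Constructed sample accounts sharing one password.
    alice = make_legacy_record("correct horse", b"a1b")
    bob = make_legacy_record("correct horse", b"x9z")
    # Per-user salts give different hashes, so one guess cannot hit both rows,
    # but each row still falls to a single cheap MD5 computation per guess.
    print(alice["hash"] != bob["hash"])
    hardened = upgrade(alice)
    print(hardened["scheme"], verify(hardened, "correct horse"))
```

On the next successful login the wrapped record can be replaced by a PBKDF2 hash computed directly from the password, which retires the MD5 layer.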

The post also stated that the fault lay with a single moderator, which led to the breach. “The fault lied within a single moderator. All of you kids that are saying upgrade from 3.x to 4.x or 5.x have no idea what you’re talking about. 3.x is far more secure than the latter. Just because it’s older, it doesn’t mean it’s any worse.”

In my opinion, MacRumors users should not take seriously the hacker’s claim in this post that their accounts on other sites like Gmail or Yahoo would not be compromised. They should follow Arnold Kim’s advice and change their passwords for their MacRumors accounts and for any other website that is protected by the same password.

Keeping your data safe

Users sometimes find that selecting a truly protected third party cloud service can be a challenge as most “secure” services on the market have glaring security gaps that leave their sensitive data wide open to third party attacks, leaks, and hacking. One rapidly expanding cloud storage and sync service that sets itself apart from the rest of the market is SpiderOak. This service provides users with fully private cloud storage and syncing, featuring all of the benefits of the cloud along with 100% data privacy. SpiderOak is available with onsite deployment and private servers or outsourced deployment through a private and secured public cloud server, so that users and small businesses of all sorts and sizes can tailor the service to fit their needs.

SpiderOak protects sensitive user data with 256-bit AES encryption so that files and passwords stay private. Authorized accounts and network devices can store and sync sensitive data with complete privacy, because this cloud service has absolutely “zero-knowledge” of user passwords or data. And all plaintext encryption keys are exclusively stored on approved devices because SpiderOak never hosts any plaintext data. This way, even if programs like NSA’s PRISM continue to stand unchallenged, people can rest easy knowing that their data is truly protected. SpiderOak’s cross-platform private cloud services are available for users on Windows, Mac, and Linux platforms, along with Android and iOS mobile devices, allowing for full flexibility and mobile access. SpiderOak offers amazing products like SpiderOak Hive and SpiderOak Blue to secure consumer and enterprise data. Sign up for this product today!

 


Facebook Plans to Track Your Cursor Movements

Posted by on Nov 18, 2013


How much does Facebook know about us? The amount may be increasing. Image from http://www.infotales.com

The most popular social networking site, Facebook, already has a huge amount of user data to begin with. Even so, the company wants to know more about its users. According to the Wall Street Journal, Facebook is testing a brand new technology that would allow it to follow users’ mouse movements on the social networking site. With the new cursor tracking technology, the company can figure out where we click, where we pause, where we hover, and for how long. The biggest driving force behind implementing the cursor tracking technology is to track how long a user’s cursor hovers over revenue-generating ads.

Ken Rudin, the analytics chief for Facebook, revealed to The Wall Street Journal, “The social network may start collecting data on minute user interactions with its content, such as how long a user’s cursor hovers over a certain part of its website, or whether a user’s News Feed is visible at a given moment on the screen of his or her mobile phone.” Facebook may start collecting data based on your interactions with the content of the website. As mentioned earlier, it will collect information such as how long your cursor hovers over a particular part of its website or whether your news feed is visible at a given moment on your mobile phone’s screen. It would then store all this captured information in a data analytics warehouse and make sure that you are getting targeted ads related to the things you hover your cursor over the most. Basically, Facebook collects two kinds of data: demographic and behavioral. The demographic data includes information from beyond the network, like where you live or went to school. The behavioral data is captured in real time on the network, like your “Friends” on Facebook or your “Likes”. The ongoing test will mainly focus on the behavioral data that is collected. “Facebook should know in the coming months whether incorporating the new data collection makes sense for a slew of uses, be it product development or more precise targeting of ads”, Rudin said.


Here are the companies most interested in user behavior. Image from http://www.innvio.com

Media, advertisers and social networks have been tracking your Internet behavior for web analytics for a long time. Back in 2011, Microsoft came up with an easy way to use cursor movement to understand and improve search results. “The researchers developed a technique to track the gaze direction of an unlimited number of remote users’ attention on any website, with nothing but a standard web browser. They accomplished this feat (pdf) with a single Javascript that weighs in at less than 1k and can be run invisibly on any page without slowing its load time or your browser’s performance”. With this technique they can track where your cursor is at a given time. It seems there is a correlation between what we look at on web pages and where we place our cursor. Therefore tracking cursor movements gives more information about search results than simple click data.

Facebook is not the only company planning to track users based on their cursor movement. Shutterstock Inc, a marketplace for digital images, records everything that its users do on the website. It uses the open source Hadoop distributed file system to track and analyze user data such as where they place their cursor or how long they hover over a particular section of the site before making a purchase. Facebook also uses a modified version of Hadoop to manage large volumes of data. The data in the analytics warehouse is separate from the company’s user data and has not been disclosed yet. Marketers can use this data for targeted advertising, provided the data becomes accessible to them. However, this new data mining experiment of Facebook’s is still in its testing phase, and Facebook is still evaluating how it can be valuable to the company. Rudin himself pointed out that collecting massive amounts of data would not help Facebook unless it can figure out how to make use of it.

Amidst PRISM revelations and issues with Facebook’s privacy policy, introduction of the cursor tracking technology can raise a lot of security questions regarding privacy and security of Facebook users.

SpiderOak Blue for Enterprises:

Finding a truly secure third party cloud service can be a challenge as many services on the market have security gaps that leave private data vulnerable to third party attacks. One cloud storage and sync service that sets itself apart is SpiderOak Blue. This service provides enterprises with a fully private cloud service featuring all of the benefits of cloud storage along with 100% data privacy. And for the average web user, SpiderOak offers the same protections with lower costs and smaller storage space. You can sign up for this product now.

SpiderOak Blue protects sensitive enterprise data through two-factor password authentication and 256-bit AES encryption so that files and passwords stay private as unreadable blocks of data. Two-factor authentication is just like the process used by some financial services that require a PIN as an extra precaution along with a password in order to log in. With SpiderOak, enterprises that choose to use two-factor authentication must submit a private code through text along with their unique encrypted password. Authorized accounts can store and sync sensitive data with complete privacy, because this cloud service has absolutely “zero-knowledge” of user passwords or data. And all plaintext encryption keys are exclusively stored on approved devices (SpiderOak never hosts any plaintext data). SpiderOak Blue’s cross-platform private cloud services are available for enterprises on Windows, Mac, and Linux platforms, along with Android and iOS mobile devices.