Kalyani M., Author at The Privacy Post - Page 2 of 23

4

Cryptowall Ransomware Spreading through Malicious Advertisements

Posted by on Jun 9, 2014

Cryptowall ransomware restricts access to important documents and files until a ransom amount is paid to the hacker.

As predicted by security researchers, 2014 is really turning out to be the year for new forms of ransomware attacks. Ransomware is a form of malware that takes over your system and restricts access to your files and folders until you pay the ransom amount to the malware author. Without the knowledge of the victim, the malware slowly manages to encrypt all the files, folders and documents present on the victim’s machine. Your system will not show any sign of infection, as it will take hours to encrypt all the files and folders.  Once all your files and folders are encrypted, a message with a timer will pop up on your computer screen asking you to pay a ransom amount or to lose access to your important files forever. Last year, a ransomware perpetuator named “Cryptolocker” managed to infect nearly 250,000 computers, stealing millions of dollars. Cryptolocker was very successful, as it was extremely difficult to detect.

Continue reading…

Kalyani M., Author at The Privacy Post - Page 2 of 23

8

Lessons to Be Gained from the Recent eBay Data Breach

Posted by on Jun 3, 2014

ebay headquarters

The eBay data breach led to a huge amount of sensitive user data to be compromised.
Image from Leon7 via wikimedia.org

The occurrence of security breaches at large companies appears to be on the rise. Last year, we saw massive data breaches at Target and Adobe affecting millions of customers. The personal data of many people were at stake as a result of the incidents. Data breaches are the stuff of nightmares for any enterprise. They not only suffer huge financial loss, but also lose the trust of their customers. Recently, eBay became the latest victim of a major data breach, with a database containing encrypted passwords and other personal data becoming compromised. The hacker followed the usual practice of using employee credentials to gain access to the eBay network and steal the personal details of millions of eBay customers. Last week, the company notified users via email to change their passwords in order to prevent further damage due to the breach.

Continue reading…

Kalyani M., Author at The Privacy Post - Page 2 of 23

3

Examining Lavaboom’s Email Service Security Against NSA Surveillance

Posted by on May 29, 2014

lock and key

Secure key management is extremely important for email security and protection against NSA surveillance.
Image source: Flickr user Janet Ramsden

In light of NSA surveillance, finding a truly secure email service presents a challenge. The PRISM revelations have made us aware of government surveillance programs targeting the email communications of millions of Americans for mass data collection, and as a result, many of us are more concerned about the privacy and security of our data in the electronic medium. The majority of email services store our correspondence with third party services, and, as a result, are vulnerable to surveillance and interception. Apart from that, there is also the possibility of the emails being hacked or scanned by advertisers. With the NSA targeting popular email services like Yahoo and Gmail, how can we ensure secure communications over the Internet?

Encryption is one form of protection against surveillance, however there are few concerns with this method, as well. Encryption only works if it is implemented properly, and the encryption keys are securely managed and stored. The NSA has been successful in circumventing the majority of the encryption technologies on the web. But when it comes to cracking strong encryption standards, like AES, the NSA is facing some level of difficulty. Keeping all these surveillance concerns in the forefront, a German-based company, Lavaboom, has come up with a secure email service that ensures protection against government snooping activities.

Lavaboom is named after Lavabit, an encrypted email service that was used by former NSA contractor Edward Snowden for communication. Lavabit shut down their operations last year when they were requested by the government to hand over the private SSL keys that would have allowed the government to decrypt all encrypted emails. When the NSA finds it difficult to get through a tightly secured application, it sends request notices to the service providers for access to user data. In Lavabit’s case, the NSA was after the encryption keys, as they could not find a way to bypass the strong security controls implemented in the email service.

The biggest lesson gained from Lavabit’s case is that, apart from establishing strong encryption standards, email service providers need to come up with a way to effectively handle their secret keys to prevent unauthorized access. Lavaboom’s secure email service purports to take care of this issue. Their end-to-end email encryption method allows only the users to take charge of the key needed to decrypt the emails they receive from others. It is based on PGP encryption standards, which is considered one of the most robust and hard-to-crack encryption methods by far. PGP is a unique combination of traditional encryption and public key cryptography. In public key cryptography, a user’s public key is available to the public for use, but the private is only available to the user. When sending any message to the user, the sender needs to encrypt the message with the user’s public key. The encrypted message can only be read by the user when using the private key to decrypt the message.

Lavaboom encrypts your emails on your computer, therefore Lavaboom’s servers never hold any unencrypted emails. Even their employees cannot decrypt your emails, as the key to those encrypted messages resides only on your computer. The emails are encrypted and decrypted locally using JavaScript code inside users’ browsers, instead of Lavaboom’s servers. Lavaboom is an example of a service that is including extra layers of security while attempting to avoid any negative effects to the user experience.

Some people are under the impression that the use of security tools on the Internet will put them under extra scrutiny by the NSA. This is simply not true. By not using security tools, you are opening the doors for other kinds of cyber attacks, like phishing and identity theft. Imagine the amount of personal and sensitive data stored in your inbox- bank statements, credit card information, medical information, and much more. An intruder can take advantage of this sensitive information and carry out fraudulent activities. Therefore, it is in your best interest to use the appropriate services to encrypt your email messages.

Secure cloud storage service that protects your data from surveillance

 SpiderOak believes in zero-knowledge privacy and establishing defenses against any individual or organization attempting to compromise your  privacy. It is our belief that privacy is a right, and it is our mission to protect yours.

It provides users with fully private cloud storage and syncing, featuring all of the benefits of the cloud along with 100% data privacy. SpiderOak protects sensitive user data with 256-bit AES encryption so that files and passwords stay private. Authorized accounts and network devices can store and sync sensitive data with complete privacy, because this cloud service has absolutely “zero-knowledge” of user passwords or data. And all plaintext encryption keys are exclusively stored on approved devices because SpiderOak never hosts any plaintext data. This way, even if programs like NSA’s PRISM continue to stand unchallenged, people can rest easy knowing that their data is truly protected. SpiderOak’s cross-platform private cloud services are available for users on Windows, Mac, and Linux platforms, along with Android and iOS mobile devices, allowing for full flexibility and mobile access. SpiderOak offers reliable products like SpiderOak Hive and SpiderOak Blue to secure consumer and enterprise data. Sign up for this product today.

 

 

 

Kalyani M., Author at The Privacy Post - Page 2 of 23

0

Protecting Data Against SQL Injection Attacks

Posted by on May 27, 2014

SQL Injection

There are several security vulnerabilities that can lead to SQL injection attacks.

Data attacks have unfortunately become commonplace these days, with new reports of penetrated security systems being reported on a seemingly regular basis. SQL injection is the most commonly used form of attack by intruders to compromise enterprise data, as it is highly effective and successful in gaining access. The SQL injection vulnerability has been around for ages, and could be easily fixed during the development life cycle. SQL injection attacks have been on the rise for the past few years. “According to Neira Jones, former head of payment security for Barclaycard, some 97 percent of data breaches worldwide are still due to SQL injection somewhere along the line.” Many well-known companies, like LinkedIn, Yahoo, and the Federal Bureau of Investigation have become victims of this form of attack.

Continue reading…

Kalyani M., Author at The Privacy Post - Page 2 of 23

7

NSA Surveillance Spurred Tech Firms to Tighten Security- Examining the EFF Survey Report

Posted by on May 22, 2014

The EFF survey report reveals those websites with excellent security and protection against NSA surveillance. Image from allfacebook.com

The PRISM revelations served as a wake-up call for tech firms in terms of privacy, security, and NSA surveillance. The documents leaked by Edward Snowden indicates that the NSA has left no stone unturned in getting access to a huge amount of sensitive user data. They have been successful in circumventing the majority of encryption technologies over the web by partnerships with security companies, court orders, and backdoor methods. The NSA works closely with security vendors to understand the vulnerabilities in commercial products and exploits them to carry out surveillance activities. There are times when the spy agency asks companies to deliberately make changes to their products in undetectable ways, like leaking encryption keys, making random number generator less random, adding a common exponent to a public-key exchange protocol, and so on.

Continue reading…

Kalyani M., Author at The Privacy Post - Page 2 of 23

2

Considering Your Most Vulnerable Security Links- How to Combat Social Engineering Attacks

Posted by on May 21, 2014

mind game

Social Engineering is the smartest form of attack, as it tricks users to provide personal details by gaining their trust.
Image source: Flickr user tharealMrGreen

Enterprises invest huge sums of money on developing security mechanisms to protect company assets and networks against cyber attacks. With ever-emerging security threats, it becomes imperative for any organization to bolster their security controls. Organizations tend to focus on introducing new technical upgrades, improving encryption technologies, better threat detection, and prevention tools for preventing unauthorized access to their company resources. However, there is one popular means of gaining access that completely bypasses technologies and security systems. Social Engineering is a form of attack in which the attacker uses a variety of psychological tricks on a user to gain access to a computer or network.

Continue reading…

Kalyani M., Author at The Privacy Post - Page 2 of 23

8

Protection against Mobile Phishing Attacks- Avoid Being the Target of a Scam

Posted by on May 15, 2014

Widespread use of mobile Smartphones has made them vulnerable to phishing attacks.
Image source: Intel Free Press via Wikimedia.org

In today’s age of technology, it is safe to say that the mobile phones have surpassed desktop PCs in terms of popularity and usability. You can get all your tasks accomplished on a small portable device, rather than sitting in front of a static computer for hours. You can surf the Internet, pay your bills, do shopping, and socialize with your friends, all from your smartphone. Besides being easy and convenient to use, another major reason behind the popularity of mobile devices is the availability of apps. There is an app for almost everything these days, from banking to health and fitness. With smartphones, all kinds of services are just a click away. However, because of their widespread use and popularity, mobile phones are vulnerable to cyber attacks.

Continue reading…

Kalyani M., Author at The Privacy Post - Page 2 of 23

4

Security in the Age of Telecommuting: Ensuring Remote Access Connections Are Protected

Posted by on May 13, 2014

There are security risks to address with remote data access. Make sure your company is taking the necessary steps.
Image from Ludovic.ferre via wikimedia.org

There has been significant growth in the number of individuals working remotely or telecommuting in recent years. Remote connections, also called VPNs, are an attractive alternative for many businesses; they increase employee productivity, save company expenses, and require less maintenance. In order for this large workforce to carry out business effectively and efficiently, it is important to focus on the security of remote access technologies. It is necessary to extend the concept of “confidentiality, integrity, and availability” to the remote access devices that have direct connections to corporations’ secure data and network resources.

There is no doubt about the fact that virtualization has made our life easier by providing access to corporate home bases, anytime from anywhere. The remote services allow us to get our tasks done without having to be physically present in the office. This is an excellent option for employees with a lengthy commute between office and home, and those who need to care for children or family members. Unfortunately, remote access services are one of the most exploited IT resources in today’s time and age. Enterprises invest huge amounts of money to provide remote services; however, much less is invested to make the connections secure. Vulnerable remote access connections provide easy access to any intruder hoping to gain entry to a company’s sensitive information. From a lack of secure network configuration, to weak passwords and poor endpoint security, there are several loopholes that can lead to major data breaches.

Let us take a look at the security risks associated with remote access services:

  • Use of third party services for data storage: Many businesses prefer to store their data on third party storage devices, requiring a remote connection to access this information. Oftentimes, it is seen that, when data is stored in cloud-based services, enterprises lose the control over the security of the information. It comes down to the security controls and defenses implemented by the third party vendor for the security of data in their storage systems. Whenever it is decided to move data to the cloud, it is important to go through the service level agreement thoroughly, determine what security controls are implemented by the provider, examine whether or not they comply with HIPAA or PCI DSS rules and regulations, and look closely at how they store and manage data. A few years back, a vulnerability left Dropbox user accounts open and accessible to anyone with the technical skill to exploit it. There was a significant lack of proper patch management. Imagine the amount of personal data somebody could have accessed by exploiting this technical glitch. The biggest lesson learned from this incident is that the remote connections need to be monitored continuously to keep track of vulnerabilities and implement the necessary mitigation strategies to resolve them.
  • Poor configuration: There are a variety of remote access solutions available, from command-line based to visually driven packages. Remote access solutions come with a certain level of security gaps that can be exploited to gain unauthorized access. Some of these vulnerabilities arise due to improper configuration of remote access connections. These devices need to configured in such a way that they comply with all security rules and regulations, like HIPAA and PCI DSS, just the same as the devices used within a company’s offices are set up.
  • Weak Passwords: Weak passwords are another major area of concern that could lead to remote access devices being compromised. In order to connect to the corporate network or data, employees are asked to provide credentials. Employees should have strong passwords to protect their accounts and corporate data from unauthorized access. These should be at least 8 characters long, and include a combination of letters, numbers, and special characters. They need to be changed frequently (after 30 or 60 days) in order to maintain strength against hackers. Enterprises should implement these practices in their security policies.
  • Lack of monitoring and patch management: Remote access connections should be monitored and scanned on a regular basis to detect any security loopholes and new threats. Software needs to be updated and patched as soon as new versions and fixes are released. Proper monitoring and patch management protects remote access solutions from being compromised by unauthorized users.

It appears that virtual workspaces and cloud computing are here to stay. As long as giving employees the option to work remotely pays off for companies, there will be a need fo remote access connections. Therefore, enterprises should invest in strengthening remote access solutions, in order to ensure better security and confidentiality of corporate data.

True Privacy with SpiderOak: Secure remote access requires implementation of best security practices for better security of data. SpiderOak believes in “zero-knowledge” privacy, and implements strong security controls, such as 256 bits AES and two factor authentication for protection of sensitive information. It allows you to encrypt your files and folders before sending them to the cloud. Even SpiderOak cannot read your data because the keys used for encryption only belong to you. It is impossible for someone to gain control of your data by hacking into SpiderOak. SpiderOak offers amazing products, like SpiderOak Hive and SpiderOak Blue, to help you secure consumer and enterprise data. SpiderOak Blue provides enterprises with a fully private cloud service featuring all of the benefits of cloud storage along with 100% data privacy. And for the average web user, SpiderOak offers the same protections with lower costs and smaller storage space. Sign up for this product today.

 

Kalyani M., Author at The Privacy Post - Page 2 of 23

1

Protecting Student Data in the Cloud

Posted by on May 8, 2014

college students working in computer lab

Educational institutions should take measures to make sure student data in the cloud is protected.
Image source: University of Salford Press Office via wikimedia.org

Cloud computing provides effective connectivity and easy access to the latest computing resources. This technology has become extremely popular among businesses because of its flexibility and cost effectiveness. Gradually, the education sector is also making a transition to cloud services. Many school districts are embracing cloud computing to improve academic delivery and learning, provide personalized student attention, and reduce infrastructure costs. Schools are encouraging students to use commercial cloud services for sending emails, storing and sharing documents, and for other educational purposes. By outsourcing email and data storage services, school districts are saving a lot of money that was earlier spent on server space, hardware, software, and technical support. Continue reading…

Kalyani M., Author at The Privacy Post - Page 2 of 23

2

Managing PCI DSS Compliance in Cloud Computing

Posted by on May 6, 2014

It’s important for cloud services to comply with PCI DSS standards.
Image from Flickr user Sean MacEntee

Credit card hacks and data breaches are on the rise these days. Recently, retail giant Target became a victim of a massive data breach that affected millions of customers. Cyber criminals are also using the cloud environment for launching cyber attacks. As more businesses are moving towards adopting cloud-based services, the risk of security breaches increases.

Continue reading…