Kalyani M., Author at The Privacy Post - Page 4 of 21

Email Security in Light of NSA Surveillance

Posted by on Jan 14, 2014

Email encryption protects against NSA surveillance, identity theft and phishing attacks. Image from Arstechnica.net

When Edward Snowden was asked whether someone who wants to stay off the NSA’s radar could encrypt emails and send them without arousing suspicion, his response was “Encryption works. Properly implemented strong crypto systems are one of the few things that you can rely on. Unfortunately, endpoint security is so terrifically weak that NSA can frequently find ways around it.”

Encryption has time and again proved to be one of the most effective ways of protecting online communications from unauthorized access. However, as Snowden indicated, only properly implemented, strong encryption works against NSA surveillance. The NSA has been successful in circumventing the majority of the encryption technologies on the web, but when it comes to cracking strong encryption standards like AES, the NSA is facing some level of difficulty. The PRISM revelations have made us more responsible towards the privacy and security of our data in the electronic medium. One of the most intriguing questions is how secure our email communications are. Nobody wants their private messages to be scanned by the spy agency.

There is no foolproof method to secure your email communications from NSA surveillance, but there are a few tools and techniques that you can use to maintain your privacy. PGP is one of the most secure email encryption tools that you can use to encrypt your email messages. While it may or may not protect your emails from the NSA, it does protect against hackers trying to hijack your email accounts, crack your passwords or phish you. PGP is a unique combination of traditional (symmetric) encryption and public key cryptography. To exchange secure email messages, both sender and receiver need to have PGP, so that they can exchange public keys and read each other’s email.

PGP is one of the most secure email encryption tools and protects against NSA surveillance. Image from Gawkerassets.com

Let’s take a look at how PGP works. First, PGP compresses the plaintext message. That reduces the patterns found in plaintext, which can be exploited by cryptanalysis. Once the plaintext is compressed, PGP generates a one-time secret key called a “session key”. The session key is a random number, generated from unpredictable input such as the movements of your mouse or your keystrokes. The session key is used with a fast symmetric cipher to produce a ciphertext by encrypting the compressed plaintext. After the plaintext is encrypted, the session key itself is encrypted with the recipient’s public key. The encrypted message is then sent to the recipient along with the encrypted session key.

Encryption and Decryption using PGP. Image from Goanywheremft.com

On the recipient side, the recipient uses his or her private key to decrypt the session key. Once the session key is recovered, it is used to decrypt the conventionally encrypted ciphertext. With the combination of two encryption methods and large encryption keys, PGP is a robust email encryption technique that protects your data from government snooping. There are several instances in the past that indicate the NSA has not been successful in breaking PGP-encrypted email messages. As a result, the agency forces service providers to hand over encryption keys in order to read encrypted emails. Therefore, it is extremely important for secure email service providers to be transparent about the data requests made by the NSA in order to gain the trust of their customers.
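The two-layer scheme described above, as an added example that is not part of the original post: Go code that compresses the message, encrypts it under a one-time session key, and wraps that key with the recipient's public key. RSA-OAEP and AES-256-GCM stand in for PGP's own packet formats and algorithms (the layering is the point), and the recipient's key pair and the sample message are constructed here.

```go
package main

import (
	"bytes"
	"compress/zlib"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// Envelope is what travels to the recipient: the one-time session key wrapped
// under the recipient's public key, plus the compressed message encrypted under it.
type Envelope struct {
	WrappedSessionKey []byte // RSA-OAEP ciphertext of the 32-byte session key
	Ciphertext        []byte // AES-256-GCM output: compressed plaintext plus auth tag
}

func compress(plain []byte) ([]byte, error) {
	var buf bytes.Buffer
	w := zlib.NewWriter(&buf)
	if _, err := w.Write(plain); err != nil {
		return nil, err
	}
	if err := w.Close(); err != nil {
		return nil, err
	}
	return buf.Bytes(), nil
}

func decompress(packed []byte) ([]byte, error) {
	r, err := zlib.NewReader(bytes.NewReader(packed))
	if err != nil {
		return nil, err
	}
	return io.ReadAll(r)
}

// gcmFor builds the symmetric cipher for the message body (AES-256-GCM here; PGP
// uses its own symmetric algorithms, and the two-layer structure is the point).
func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal runs the sender-side steps in the order the post lists them: compress,
// draw a fresh random session key, encrypt the message with it, then encrypt
// the session key itself with the recipient's public key.
func Seal(recipient *rsa.PublicKey, plain []byte) (*Envelope, error) {
	packed, err := compress(plain)
	if err != nil {
		return nil, err
	}
	sessionKey := make([]byte, 32) // used for this one message, never again
	if _, err := io.ReadFull(rand.Reader, sessionKey); err != nil {
		return nil, err
	}
	gcm, err := gcmFor(sessionKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // all-zero: safe only because the key is single-use
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipient, sessionKey, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedSessionKey: wrapped, Ciphertext: gcm.Seal(nil, nonce, packed, nil)}, nil
}

// Open runs the recipient-side steps: recover the session key with the private
// key, decrypt the message body with it, then decompress.
func Open(priv *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	sessionKey, err := rsa.DecryptOAEP(sha256.New(), nil, priv, env.WrappedSessionKey, nil)
	if err != nil {
		return nil, errors.New("session key cannot be unwrapped: not the recipient's private key")
	}
	gcm, err := gcmFor(sessionKey)
	if err != nil {
		return nil, err
	}
	packed, err := gcm.Open(nil, make([]byte, gcm.NonceSize()), env.Ciphertext, nil)
	if err != nil {
		return nil, errors.New("message rejected: ciphertext altered or wrong session key")
	}
	return decompress(packed)
}

func main() {
	recipient, _ := rsa.GenerateKey(rand.Reader, 2048) // the recipient's key pair
	env, _ := Seal(&recipient.PublicKey, []byte("constructed sample message"))
	got, err := Open(recipient, env)
	fmt.Printf("%q %v\n", got, err)
}
```

Anyone holding the envelope but not the recipient's private key fails at the first step, and any change to the ciphertext is caught by the authentication tag before decompression.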

Some people are under the impression that the use of security tools on the Internet will put them under extra scrutiny by the NSA. This is not true. By not using security tools you are opening the doors to other kinds of cyber attacks like phishing and identity theft. Imagine the amount of personal and sensitive data stored in your inbox: bank statements, credit card information, medical records and much more. An intruder can take advantage of this sensitive information and carry out fraudulent activities. So, it is in your best interest to encrypt your email messages.

Secure cloud storage service that protects your data from surveillance

SpiderOak is a secure cloud storage service that protects its user data from government surveillance. This service provides users with fully private cloud storage and syncing, featuring all of the benefits of the cloud along with 100% data privacy. SpiderOak is available with onsite deployment and private servers or outsourced deployment through a private and secured public cloud server, so that users and small businesses of all sorts and sizes can tailor the service to fit their needs.

SpiderOak protects sensitive user data with 256-bit AES encryption so that files and passwords stay private. Authorized accounts and network devices can store and sync sensitive data with complete privacy, because this cloud service has absolutely “zero-knowledge” of user passwords or data. And all plaintext encryption keys are exclusively stored on approved devices because SpiderOak never hosts any plaintext data. This way, even if programs like NSA’s PRISM continue to stand unchallenged, people can rest easy knowing that their data is truly protected. SpiderOak’s cross-platform private cloud services are available for users on Windows, Mac, and Linux platforms, along with Android and iOS mobile devices, allowing for full flexibility and mobile access. SpiderOak offers amazing products like SpiderOak Hive and SpiderOak Blue to secure consumer and enterprise data. You can sign up for this product now.

 

Dropbox Hack Hoax Reveals Cloud Security Concerns

Posted by on Jan 13, 2014

Security of cloud storage services is extremely important as they store our personal and sensitive information. Image from http://www.freewaregenius.com/

It seems like hardly a day goes by without hearing about data breaches or cyber attacks somewhere. There is an even greater impact if one of these breaches is of a cloud storage system. Many of us rely on different cloud storage systems like Dropbox, SpiderOak, or SugarSync to store and back up our important files and documents. We value the security of cloud storage systems more than anything else, as we store our personal and sensitive details in them. When it comes to cloud storage, nothing can be more important than secure data storage and backup. Any news or discussion regarding the security of cloud storage systems on social media becomes a headline and draws maximum traffic. That shows how much people care about the privacy and security of their data in cloud systems.

Two days ago there was a huge buzz on many of the tech news sites about Dropbox being hacked by cyber criminals. Almost every news site was reporting on the hack and posting updates regularly. In short, the internet was in a panic. Many people rely on Dropbox for sensitive business and personal information, and the thought of it being compromised was a huge scare. But here’s what actually happened.

Dropbox went down late Friday evening for a few hours because of routine maintenance. People who tried to access the Dropbox website from 6 p.m. to 8 p.m. PT were directed to a webpage acknowledging the issue. That’s pretty normal. However, just a few minutes before the outage a hacker group named “the 1775Sec” claimed on Twitter that they were responsible for a Dropbox hack. The group tweeted that they had compromised the Dropbox website in honor of the late programmer Aaron Swartz on the eve of the anniversary of his death. The surprising thing is how quickly this Twitter jibe turned into headlines at many leading news sites like The Verge, PCWorld, TechCrunch, and many more. According to the hacker group, they took advantage of a vulnerability in Dropbox that led to a database leak, and they posted a partial database dump on pastebin.com/WLFfTvFk .

A hacker group named the 1775 Sec claimed to have compromised Dropbox. Image from www.pcworld.com

In response to the hacker group’s tweets, Dropbox stated that it had not been compromised and that the site went down as a result of internal maintenance activities. The hackers’ claims of leaked user info were a hoax. A post on Dropbox’s blog stated “(W)e are aware of an issue currently affecting the Dropbox site. We have identified the cause, which was the result of an issue that arose during routine internal maintenance, and are working to fix this as soon as possible. We apologize for any inconvenience.” The site was up by 8 p.m. PT; however, attempts to log in produced error messages. The hacker group also acknowledged that the claim about user data being compromised was a hoax: they only brought down the site for a few hours with a DDoS attack, and no user information was compromised in the process.

Dropbox responded that the claims of a user data leak are a hoax. Image from http://i1-news.softpedia-static.com/

This incident clearly indicates the importance of security in cloud storage services. A perfectly timed hoax created havoc all over the Internet. Going by the tweets alone, many leading websites were under the impression that Dropbox had been hacked by some hacker group. Online cloud storage services are one of the most valuable innovations of the information technology industry, allowing us to access our data anytime from anywhere. In the near future we will see huge growth in the adoption of this technology, and the attention from social media and technology news sites is only going to increase from here on.

As a result, cloud service providers need to find ways to protect sensitive user data while providing high-quality service. They should implement strong encryption standards such as 256-bit AES for better security. Encryption has time and again proved to be the most secure method for protecting data in the cloud. The keys used for encrypting sensitive customer data should be managed effectively through periodic key rotation and re-encryption of data with the new keys. Employees should not be given access to more than what is needed to complete their tasks. Cloud storage companies should implement effective security controls like strong passwords, longer keys and strong hash algorithms that make it difficult for anyone to access user data. Cloud storage systems cannot control hoax tweets, but they can definitely implement the right security controls to keep their data secure.

True Privacy with SpiderOak

At SpiderOak, we protect sensitive user data using 256-bit AES encryption so that files and passwords remain secure. SpiderOak encrypts the files on your computer before uploading them to the server. The secret that keeps your data accessible to you alone is your SpiderOak password, which is never transmitted to SpiderOak in its original form. SpiderOak generates a key from your password using the key derivation/strengthening algorithm PBKDF2 (with SHA-256), with a minimum of 16384 rounds and 32 bytes of random data (the “salt”). This key is then used to encrypt/decrypt a series of strong encryption keys, which in turn encrypt/decrypt your data. So a user who knows her password can regenerate the outer-level encryption key using PBKDF2 and the salt, decipher the outer-level keys, and be on the way to decrypting her data.

Without knowledge of the password, however, the data is unreadable. This way, even if programs like NSA’s PRISM continue to stand unchallenged, people can rest easy knowing that their data is in truly protected form. SpiderOak offers amazing products like SpiderOak Hive and SpiderOak Blue to secure consumer and enterprise data. SpiderOak Blue provides enterprises with a fully private cloud service featuring all of the benefits of cloud storage along with 100% data privacy. And for the average web user, SpiderOak offers the same protections with lower costs and smaller storage space. You can sign up for this product now.

How Secure are Mobile Banking Apps?

Posted by on Jan 10, 2014

Security risks with mobile banking apps. Image from http://www.digitaltrends.com

There is a huge market for mobile apps because people are becoming more inclined to get their work done through “easy and convenient” mobile apps rather than sitting in front of a PC. As we know, with the growth of any new technology come new security risks. One of the major areas of concern is the security of mobile applications for banking and payments. In the near future we will see exponential growth in the use of mobile applications for banking. A survey by the Federal Reserve Board indicates the increasing use of mobile banking services by users in their day-to-day lives.

Survey by the Federal Reserve Board. Image from http://www.federalreserve.gov

From the survey, it looks like the majority of us have downloaded mobile banking apps to carry out our bank transactions. Have we ever considered how secure these apps are? How do they manage our data locally? How securely do they communicate with the servers? What security protocols do they have in place for the protection of our data? These are some of the questions that need to be answered before downloading any banking application. As we tend to put some of our most personal data in the hands of these apps, we need to ensure that they are completely secure. Most people are completely unaware of the security vulnerabilities in mobile apps and fall prey to cyber attacks. It is extremely important for consumers to understand the security concerns associated with mobile banking apps, and to take precautionary measures to protect themselves from these threats.

Security vulnerabilities in mobile banking apps, as per Sanchez’s research. Image from http://blog.ioactive.com

Research by security analyst Ariel Sanchez revealed security weaknesses in mobile banking apps for the iOS platform. He tested 60 banking apps from financial institutions around the world to determine what vulnerabilities they had. According to his findings, almost all the apps could be installed on jailbroken iOS devices. This is a major security risk because jailbreaking bypasses protections on iOS devices: it allows applications to access and download additional applications or extensions that would not be accessible on a non-jailbroken device. The majority of mobile apps that deal with sensitive user data, such as bank and payment information, do use SSL. Unfortunately, only a few of them validate the authenticity of the certificates they receive from the servers. This makes them vulnerable to man-in-the-middle or phishing attacks. Some of the apps expose sensitive user information like usernames, passwords, and hidden URL paths that could be obtained by reading the iOS system log. Lastly, 70% of the apps lacked multi-factor authentication measures that could protect them from impersonation attacks. Sanchez said “Home banking apps that have been adapted for mobile devices, such as smart phones and tablets, have created a significant security challenge for worldwide financial firms. As this research shows, financial industries should increase the security standards they use for their mobile home banking solutions.”

These are some of the steps that can be taken to ensure protection against security risks with the mobile apps:

  • Consumer awareness: As I mentioned earlier, most of the time people fall prey to cyber attacks due to a lack of awareness. We need to learn about the security risks of mobile apps and apply the available security controls. Learn about the privacy policies of your banking apps, what security controls are in place, and how the apps handle and share your data. Always download apps from trusted sources.
  • Ensure the authenticity of SSL certificates: An SSL certificate is a must for mobile banking apps, but it is of no use if proper validation is not done. Mobile apps need to validate the authenticity of the digital certificates they receive from the servers.
  • Implement a secure transfer protocol (HTTPS): Encrypted transport such as HTTPS should be used to protect data in transit. Consumer information exchanged with third parties should also be encrypted.
  • Regularly apply patches and software updates: Users need to install patches and software updates on a regular basis to ensure protection against emerging threats and vulnerabilities.
  • Implement checks to detect jailbroken devices: Lastly, businesses should have methods in place to detect jailbroken devices.
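The certificate-validation point in the list above, as an added example that is not from Sanchez's research or any banking app: Go code contrasting a client that accepts any certificate with one that pins the bank's own certificate and checks the hostname, run against a loopback server presenting the genuine certificate and another presenting a look-alike issued under a different key. The hostname bank.example, the self-signed certificates and the loopback servers are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

const bankHost = "bank.example" // hypothetical hostname the app expects to talk to

// selfSignedCert builds an in-memory certificate for host. The bank and an
// impostor each get one; they differ only in which private key signed them.
func selfSignedCert(host string) (tls.Certificate, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, leaf, nil
}

// serveTLS starts a loopback TLS server presenting cert and returns its address.
func serveTLS(cert tls.Certificate) (string, error) {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{cert}})
	if err != nil {
		return "", err
	}
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				return
			}
			go func() { c.(*tls.Conn).Handshake(); c.Close() }()
		}
	}()
	return ln.Addr().String(), nil
}

// WeakClientConfig is "uses SSL but does not validate": any certificate from
// anyone is accepted, so an interposed server with a look-alike cert gets through.
func WeakClientConfig() *tls.Config {
	return &tls.Config{InsecureSkipVerify: true}
}

// StrictClientConfig trusts only the bank's own certificate (pinned as a private
// root) and requires the name on the presented certificate to be bankHost.
func StrictClientConfig(trusted *x509.Certificate) *tls.Config {
	pool := x509.NewCertPool()
	pool.AddCert(trusted)
	return &tls.Config{RootCAs: pool, ServerName: bankHost, MinVersion: tls.VersionTLS12}
}

// Connect performs a full handshake with cfg and reports whether it succeeded.
func Connect(addr string, cfg *tls.Config) error {
	conn, err := tls.Dial("tcp", addr, cfg)
	if err != nil {
		return err
	}
	return conn.Close()
}

func main() {
	bank, bankLeaf, _ := selfSignedCert(bankHost)
	impostor, _, _ := selfSignedCert(bankHost) // same name on the certificate, different key
	bankAddr, _ := serveTLS(bank)
	impostorAddr, _ := serveTLS(impostor)
	for _, c := range []struct{ name, addr string; cfg *tls.Config }{
		{"weak client -> bank", bankAddr, WeakClientConfig()},
		{"weak client -> impostor", impostorAddr, WeakClientConfig()},
		{"strict client -> bank", bankAddr, StrictClientConfig(bankLeaf)},
		{"strict client -> impostor", impostorAddr, StrictClientConfig(bankLeaf)},
	} {
		fmt.Printf("%-26s error=%v\n", c.name, Connect(c.addr, c.cfg))
	}
}
```

The weak client connects to both servers without complaint, which is exactly the failure Sanchez describes; only the strict client refuses the impostor.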

Protecting your personal data with SpiderOak

Most popular “secure” cloud services are still vulnerable to third party attacks. To truly experience privacy for your individual or business needs, an anonymous cloud storage and sharing service like SpiderOak provides all the benefits of the cloud while protecting against hacking and security breaches. This service provides users with fully private cloud storage and syncing, featuring all of the benefits of the cloud along with 100% data privacy.

SpiderOak protects sensitive user data with 256-bit AES encryption so that files and passwords stay private. Authorized accounts and network devices can store and sync sensitive data with complete privacy, because this cloud service has absolutely “zero-knowledge” of user passwords or data. And all plaintext encryption keys are exclusively stored on approved devices because SpiderOak never hosts any plaintext data. This way, even if programs like NSA’s PRISM continue to stand unchallenged, people can rest easy knowing that their data is truly protected. SpiderOak’s cross-platform private cloud services are available for users on Windows, Mac, and Linux platforms, along with Android and iOS mobile devices, allowing for full flexibility and mobile access. SpiderOak offers amazing products like SpiderOak Hive and SpiderOak Blue to secure consumer and enterprise data. You can sign up for this product now.

Upcoming Ransomware of 2014: Prison Locker

Posted by on Jan 9, 2014

New malicious ransomware named Prison Locker has the potential of causing more damage than Cryptolocker. Image from http://4.bp.blogspot.com/

Cryptolocker ransomware has infected thousands of computers and allowed hackers to make millions of dollars. Cryptolocker encrypts all your files and documents and restricts access to your system until you pay a ransom to the hacker. This very serious malware attack has gained momentum over the past few years. There are some precautions that you can take to protect your data from being hijacked by Cryptolocker, and security experts are also coming up with prevention kits to secure systems against it. Just when we have started understanding this new form of malware and devising ways to prevent Cryptolocker attacks, a new form of ransomware is making headlines on many hacker forums.

Prison Locker, or Power Locker, is an evolution of Cryptolocker that encrypts all files on your hard drive and shared drives in a “practically unbreakable encryption” process. Prison Locker’s developers claim that it has the potential to cause more damage than Cryptolocker. Two hackers named “gyx” and “Porphyry” have been talking about this ransomware on many online forums. The ransomware is coded in C/C++; it encrypts all your files and then locks your screen until you pay a ransom to the hacker. When your system is infected with Prison Locker, it opens a new locked window and disables the Windows and Escape keys. Besides that, it also blocks tools such as taskmgr.exe, regedit.exe, cmd.exe, explorer.exe, and msconfig.exe, and disables Alt+Tab.

A hacker by the name “gyx” is making headlines in online forums. Image from MalwareMustDie.

The ransomware encrypts files on the victim’s hard drive and shared drives using the Blowfish cipher. It can encrypt all files except .exe, .dll, .sys and other system files. For each file it generates a unique Blowfish key that is in turn encrypted with 2048-bit RSA. After encrypting all the files on the victim’s system, it sends that information to the hacker’s control panel. From the control panel, the hacker can set the ransomware’s warning time, handle payments and decrypt files on the victim’s computer. As per the online forums, the developer of the malware is working on some features of the application and will be releasing it sometime soon. One of the interesting things is that they are selling this powerful and extremely malicious ransomware for only $100. The ransomware has the potential to hijack a victim’s entire system, including the shared drives, and very little can be done to counteract such an attack. If it possesses all the technical features that it claims, then the ransomware should be worth more than $100. Whatever the financial motivation behind the ransomware, its low price can make it easily available to anyone and can lead to more severe attacks.

A security research team called MalwareMustDie has been monitoring the discussions on Prison Locker. From the screenshots published by MalwareMustDie, it looks like the hacker is a security enthusiast with expert-level knowledge of the C/C++ programming language. Here is a screenshot from the hacker’s Twitter account:

Twitter profile of the developer of the Prison Locker ransomware. Image from MalwareMustDie.

The security team is closely following developments in the Prison Locker ransomware and posting updates on its blog.

One of the positive aspects of the revelation of this new threat is that we now have information about the ransomware before it is in its fully functional form. This gives security experts an opportunity to come up with countermeasures before it is released. It is better to get ahead of this ransomware before it starts causing major damage. As these kinds of malware usually hide in email attachments or website links, it is in your control to protect your personal data by not clicking on malicious links or attachments. One click can infect your system, and that can be avoided if you show good judgment. Regularly back up all your files and keep your backups on a drive that is not connected to your computer. If you have backed up all your files regularly, then you are no longer trapped in such a situation: even if your system gets infected with Prison Locker, you can retrieve your data from the backup drive that is not connected to your computer.

Secure cloud storage service that protects your data

SpiderOak is a secure cloud storage service that protects its user data from government surveillance. This service provides users with fully private cloud storage and syncing, featuring all of the benefits of the cloud along with 100% data privacy. SpiderOak is available with onsite deployment and private servers or outsourced deployment through a private and secured public cloud server, so that users and small businesses of all sorts and sizes can tailor the service to fit their needs.

SpiderOak protects sensitive user data with 256-bit AES encryption so that files and passwords stay private. Authorized accounts and network devices can store and sync sensitive data with complete privacy, because this cloud service has absolutely “zero-knowledge” of user passwords or data. And all plaintext encryption keys are exclusively stored on approved devices because SpiderOak never hosts any plaintext data. This way, even if programs like NSA’s PRISM continue to stand unchallenged, people can rest easy knowing that their data is truly protected. SpiderOak’s cross-platform private cloud services are available for users on Windows, Mac, and Linux platforms, along with Android and iOS mobile devices, allowing for full flexibility and mobile access. SpiderOak offers amazing products like SpiderOak Hive and SpiderOak Blue to secure consumer and enterprise data. You can sign up for this product now.

Malware Attacks Thousands of Yahoo Users

Posted by on Jan 8, 2014

Yahoo ads infected thousands of computers with malware. Image from http://thingelstad.com/

We have been adequately warned not to click on malicious websites, ads, or email attachments, as they have the potential to take over our entire system. Even so, out of ignorance or a lack of attentiveness, people fall prey to such attacks. However, what if a hacker takes control of the servers of a legitimate website like ads.yahoo.com to trick users? That’s not something you can control. How can you protect yourself from attacks that hide behind the name of a well-known, legitimate website? Over the last few days Yahoo’s advertising servers have been infecting the systems of thousands of users. Like I said before, many of us would trust the ads on Yahoo.com and click on them to explore more. As Yahoo is a trusted brand, we believe that we are secure while browsing on this website. Hackers take advantage of this trust and exploit vulnerabilities in legitimate websites to carry out fraudulent activities.

Schematic diagram of the attack by Fox-IT. Image from http://blog.fox-it.com

A Netherlands-based security firm named Fox-IT detected and investigated computers that became infected with malware after visiting yahoo.com. People visiting Yahoo received malicious advertisements from ads.yahoo.com. On clicking these ads, they were redirected to the “Magnitude” exploit kit. This exploit kit, delivered via Yahoo’s advertising servers, exploits vulnerabilities in Java and installs different kinds of malware like ZeuS, Andromeda, Dorkbot/Ngrbot, advertisement-clicking malware, Tinba/Zusy and Necurs. Over the last few years, vulnerabilities in Java have been exploited extensively to carry out cyber attacks. Java runs on millions of personal computers, enterprise systems, mobile devices and TVs. The majority of websites use Java for interactive applications. Lately cyber criminals have been exploiting vulnerabilities in Java to carry out a series of attacks. Oracle has been working towards fixing some of the security loopholes in Java to strengthen its security.

Security experts recommend that users constantly update their systems with new patches and software updates to protect themselves from cyber attacks. Java should be disabled when it is not required. Secondly, Oracle should thoroughly review the security vulnerabilities in Java and improve its security controls for the better protection of users. Lastly, businesses should take the warnings of the security industry seriously and implement the controls recommended by experts. According to Fox-IT’s research, Yahoo users have been getting infected since December 30. They estimate that about 300,000 users per hour visited the malicious site. Based on their research, the company estimates that around 9% of those, or 27,000 users per hour, were affected by the attack. The countries most affected were Romania, Great Britain and France. The motivation behind this attack is mainly financial gain and providing a platform for other hacker groups to carry out attacks.

Countries affected by the attack. Image from http://blog.fox-it.com

Yahoo says this attack specifically targeted European users, and it is taking quick action to prevent further attacks. According to Yahoo, “These advertisements were taken down on Friday, January 3. Users in North America, Asia Pacific, and Latin America were not served these advertisements, and were not affected. Additionally, users using Macs and mobile devices were also not affected.”

“We will continue to monitor and block any advertisements being used for this activity. We will be posting more information for our users shortly.”

Secure your data with SpiderOak

Most popular “secure” cloud services are still vulnerable to third party attacks. To truly experience privacy for your individual or business needs, an anonymous cloud storage and sharing service like SpiderOak provides all the benefits of the cloud while protecting against hacking and security breaches. This service provides users with fully private cloud storage and syncing, featuring all of the benefits of the cloud along with 100% data privacy.

SpiderOak protects sensitive user data with 256-bit AES encryption so that files and passwords stay private. Authorized accounts and network devices can store and sync sensitive data with complete privacy, because this cloud service has absolutely “zero-knowledge” of user passwords or data. And all plaintext encryption keys are exclusively stored on approved devices because SpiderOak never hosts any plaintext data. This way, even if programs like NSA’s PRISM continue to stand unchallenged, people can rest easy knowing that their data is truly protected. SpiderOak’s cross-platform private cloud services are available for users on Windows, Mac, and Linux platforms, along with Android and iOS mobile devices, allowing for full flexibility and mobile access. SpiderOak offers amazing products like SpiderOak Hive and SpiderOak Blue to secure consumer and enterprise data. You can sign up for this product now.

 

Exclusive Interview With ACLU On NSA Ruling

Posted by on Jan 7, 2014

The NSA headquarters, where metadata about American communications is gathered.
Image from foxnews.com

“One of the disturbing truths about the NSA’s surveillance powers is how little can be done to avoid their reach.”

-Brett Max Kaufman, National Security Fellow at the ACLU, in an exclusive interview with SpiderOak.

The NSA’s mass collection of phone and internet records under counterterrorism laws has been opposed by many human rights leaders and privacy advocates. Bulk collection of metadata, often misunderstood, allows the government to paint a detailed and information-rich profile of an individual’s life. Gathering so much information about a person’s life through the bulk metadata collection program is a serious intrusion on privacy. With the privacy of millions of Americans in mind, the American Civil Liberties Union (ACLU) filed a lawsuit against the NSA’s bulk phone record collection program.

Unfortunately, in a recent ruling, New York federal judge William H. Pauley III dismissed the ACLU’s lawsuit, saying the surveillance and data collection activities of the NSA are legal under Section 215 of the Patriot Act. Pauley defended the NSA’s mass surveillance program by citing the events of 9/11, which he said revealed mistakes on the part of the NSA due to a lack of sufficient data regarding the terrorists. These intelligence failures led to the mass surveillance program to counteract terrorism. Pauley explained the importance of the mass phone metadata collection program by stating that the surveillance program “significantly increases the NSA’s capability to detect the faintest patterns left behind by individuals affiliated with foreign terrorist organizations. Armed with all the metadata, NSA can draw connections it might otherwise never be able to find.”

Contrary to Judge Pauley, a federal judge in D.C., Judge Richard Leon, ruled that the NSA’s bulk phone record collection is a violation of the Fourth Amendment of the United States Constitution and should be ended. After Judge Leon’s ruling, President Obama created a panel to determine the changes needed to reform the NSA surveillance program. During its research the panel did not find any instance in which the NSA had succeeded in preventing a terrorist attempt through the phone metadata collection program.

Judge Pauley

Judge William Pauley ruled that bulk collection of metadata was not in violation of the Constitution, a decision that was immediately appealed.
Image from zerohedge.com

In an exclusive email interview with SpiderOak, Brett Max Kaufman, National Security Fellow in the ACLU’s National Security Project, shared his viewpoint on the recent rulings and on the NSA’s program in general.

On being asked to rationalize the difference in the rulings, Kaufman explained that such disparate rulings are not uncommon in the lower courts, and are not without precedent. According to Kaufman: “One of the strengths of the American judiciary is that its structure allows difficult legal questions to percolate in the lower courts, giving the courts of appeals and the Supreme Court the benefit of an array of arguments by the parties and conclusions by judges. There was never any question that the legality of this mass-surveillance program would ultimately be decided by the higher courts.”

Kaufman added that the ACLU has formally appealed Judge Pauley’s decision to the Second Circuit Court of Appeals. Similarly, the government has also appealed Judge Leon’s ruling to the federal appeals court in Washington, D.C. If either appellate court rules against the government, the legality of the mass call-tracking program may need to be brought before the Supreme Court in late 2014 or early 2015.

Highlighting the next moves of ACLU regarding NSA’s surveillance program Kaufman said that the “ACLU has filed motions in the FISC for public access to secret judicial opinions interpreting the scope of Americans’ constitutional rights; a federal lawsuit to enforce a FOIA request about the government’s deliberate five-year evasion of its legal duty to inform criminal suspects when they have been surveilled under the FISA Amendments Act, a 2008 law that vastly expanded the government’s foreign-intelligence spying powers; and another FOIA suit to uncover information about the government’s use of an executive order to conduct intelligence operations overseas that implicate Americans’ communications.”

Brett Max Kaufman of the ACLU’s National Security Project explains why he disagrees with Judge Pauley’s ruling.

Opponents of the ACLU, and supporters of the NSA, argue that this kind of spying isn’t new and, if anything, that collection of metadata is less intrusive than tapping phones or intercepting mail. This kind of confusion is due partly to people not understanding what metadata really is. Kaufman explains:

The government’s bulk collection of metadata concerning every phone call placed or received in the United States subjects every American to surveillance that permits the government to assemble a richly detailed profile of an individual’s life. In fact, this metadata can be even more revealing and intrusive than the contents of Americans’ communications. Simply by knowing who you call, when, and how often, the government can easily discern sensitive facts about you, including your religious and political affiliations, your struggles with addiction to gambling or drugs, your use of abortion-counseling services, or private details about your sexual life. The government’s claims that this information is “just metadata” badly miss the point.

The last time that the American public became aware of domestic government surveillance on this scale, the Church Committee’s report about decades of a “‘vacuum cleaner’ approach to intelligence collection” led to major institutional reforms to ensure the protection of Americans’ constitutional liberties. The Snowden revelations have made clear that a renewed assessment of current U.S. surveillance practices—by all three branches—is long overdue.

Every day the NSA comes up with a new technique to invade users’ privacy, whether by serving legal notices for mass data collection, devising backdoor methods, breaking encryption standards, or exploiting vulnerabilities in commercial products. It is unfortunate to discover how little can be done to protect our data from government surveillance. Kaufman has some suggestions on what the average U.S. citizen can do to avoid being spied upon. People can still protect themselves by using strong security practices like encryption and by becoming more careful about sharing personal data on the Internet. Besides that, Kaufman concludes, “It is crucial that the public continue pressuring both Congress and the executive branch to rein in these abusive (and largely illegal) practices, which were roundly condemned by the president’s hand-picked review group in its comprehensive report issued last month.”

SpiderOak would like to thank Mr. Kaufman for his time and insight. Follow him on Twitter at @brettmaxkaufman.

Protect your personal data with SpiderOak

Users sometimes find that selecting a truly protected third party cloud service can be a challenge as most “secure” services on the market have glaring security gaps that leave their sensitive data wide open to third party attacks, leaks, and hacking. One rapidly expanding cloud storage and sync service that sets itself apart from the rest of the market is SpiderOak. This service provides users with fully private cloud storage and syncing, featuring all of the benefits of the cloud along with 100% data privacy. SpiderOak is available with onsite deployment and private servers or outsourced deployment through a private and secured public cloud server, so that users and small businesses of all sorts and sizes can tailor the service to fit their needs.

SpiderOak protects sensitive user data with 256-bit AES encryption so that files and passwords stay private. Authorized accounts and network devices can store and sync sensitive data with complete privacy, because this cloud service has absolutely “zero-knowledge” of user passwords or data. And all plaintext encryption keys are exclusively stored on approved devices because SpiderOak never hosts any plaintext data. This way, even if programs like NSA’s PRISM continue to stand unchallenged, people can rest easy knowing that their data is truly protected. SpiderOak’s cross-platform private cloud services are available for users on Windows, Mac, and Linux platforms, along with Android and iOS mobile devices, allowing for full flexibility and mobile access. SpiderOak offers amazing products like SpiderOak Hive and SpiderOak Blue to secure consumer and enterprise data. Sign up for this product now.

NSA Plans on Building Quantum Computers to Break Encryption

Posted by on Jan 6, 2014

The NSA is researching building quantum computers to break encryption standards. Image from http://o.aolcdn.com/

These days, it does not come as a surprise to any of us when we hear about the NSA working on new ways to break the security standards of the Internet. In the past we have seen how the NSA has succeeded in collecting huge amounts of user data by serving legal notices, breaking encryption standards, establishing backdoors in commercial products, and forming partnerships with security vendors. It has tried every possible way to get access to the sensitive personal information of millions and millions of Americans. However, the efforts of the spy agency do not stop here.

A recent report published by the Washington Post states that the NSA is trying to build a quantum computer to break the majority of the encryption standards on the Internet. The documents leaked by Edward Snowden indicate that this is part of a $79.7 million research project called “Penetrating Hard Targets”.

These computers will be far more sophisticated and faster than traditional computers, and will be able to crack complex encryption technologies in minutes. The basic difference between a quantum computer and a traditional computer is that a traditional computer uses binary bits, each either zero or one. Quantum computers use quantum bits, which can be in a state of zero and one simultaneously. Therefore they are faster at performing calculations than traditional computers. With the advancement of encryption technologies, the length of encryption keys and the strength of random number generators have increased a lot. Most companies use a key size of 256 bits or more to encrypt sensitive information. It has been relatively difficult for the NSA to crack strong and properly-implemented encryption standards; it would take years to crack these encryption technologies even with supercomputers. But now, in a disturbing development, quantum computers would allow the spy agency to crack smart and sophisticated encryption technologies efficiently.

Quantum computers can break encryption technologies faster than traditional computers. Image from http://cdn.zmescience.com/

Now the question is: how feasible is it to develop such computers? Many universities and labs are investing millions of dollars in programs designed to develop reliable quantum computers. To build stable quantum computers, their building blocks (atoms, photons or electrons) need to be isolated from external forces, since any change in the state of these particles might lead to computing errors. It is therefore extremely important to shield quantum computers from their external environment, which is one of the reasons quantum computing is so difficult to achieve. The leaked documents indicate that the NSA is carrying out its research in large shielded rooms called Faraday cages, which prevent electromagnetic energy from getting in or out. Many experts have predicted that it will take at least five more years to attain the kind of quantum computers that the NSA wants.

The power of quantum computing can be harnessed to solve a number of globally relevant problems, such as curing diseases and predicting weather patterns. There are many positive aspects to this technology. However, I do not believe that the NSA should use quantum computing to invade the privacy of millions of American citizens. A few weeks ago the shocking revelation of the NSA’s partnership with RSA to weaken encryption standards gave an example of the NSA’s use of backdoor methods to undermine encryption technologies. Now, the NSA’s research on building quantum computers clearly shows its efforts to crack every possible security control on the Internet to gain access to user data. However, from the research of security experts it still looks like the spy agency will take a while to come up with such technologically advanced computers.

True Privacy with SpiderOak

At SpiderOak, we protect sensitive user data using 256-bit AES encryption so that files and passwords remain secure. SpiderOak encrypts the files on your computer before uploading them to the server. As a result you, and only you, have access to your unencrypted data. Even SpiderOak cannot read your data, because the keys used for encryption belong only to you. The secret that keeps your data accessible to you alone is your SpiderOak password, which is never transmitted to SpiderOak in its original form. SpiderOak generates a key from your password using the key derivation/strengthening algorithm PBKDF2 (with SHA-256), with a minimum of 16384 rounds and 32 bytes of random data (“salt”). This key is then used to encrypt/decrypt a series of strong encryption keys that are in turn used to encrypt/decrypt your data. So, a user who knows her password can generate the outer-level encryption key using PBKDF2 and the salt, then decipher the outer-level keys, and be on the way to decrypting her data. Without knowledge of the password, however, the data is unreadable. This way, even if programs like the NSA’s PRISM continue to stand unchallenged, people can rest easy knowing that their data is in truly protected form.
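To make the key hierarchy described above concrete, here is an added, self-contained sketch of the same design. It is not SpiderOak’s code: the PBKDF2-HMAC-SHA256 step with 16384 rounds and a 32-byte salt follows the paragraph, but the wrapping cipher (an HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag) is a standard-library stand-in for the AES layer, chosen only so the example runs without third-party packages. The function names, the split into `enroll` and `recover`, and the sample password are assumptions for illustration.

```python
"""Password-derived key hierarchy (constructed illustration, not SpiderOak's
implementation): the password never leaves the client, the server record holds
only the salt and wrapped keys, and a wrong password cannot unwrap anything."""
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 16384   # minimum PBKDF2 round count stated in the post
SALT_LEN = 32           # 32 bytes of random salt, as stated in the post
KEY_LEN = 32            # 256-bit keys throughout
NONCE_LEN = 16
TAG_LEN = 32


def derive_outer_key(password: str, salt: bytes, rounds: int = PBKDF2_ROUNDS) -> bytes:
    """PBKDF2-HMAC-SHA256 stretches the password into the outer (key-encrypting) key.
    This is the only step that sees the password, and it runs on the client."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds, dklen=KEY_LEN)


def _subkeys(outer_key: bytes):
    """Derive independent encryption and MAC keys from the outer key via HMAC."""
    enc_key = hmac.new(outer_key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(outer_key, b"mac", hashlib.sha256).digest()
    return enc_key, mac_key


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256.  Assumption: this stands in for the
    AES cipher named in the post so the example needs only the standard library."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def wrap_key(outer_key: bytes, data_key: bytes) -> bytes:
    """Encrypt-then-MAC one data encryption key: returns nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(outer_key)
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(a ^ b for a, b in zip(data_key, _keystream(enc_key, nonce, len(data_key))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unwrap_key(outer_key: bytes, blob: bytes) -> bytes:
    """Check the tag in constant time before decrypting; a wrong outer key (that is,
    a wrong password) fails here instead of silently yielding garbage."""
    enc_key, mac_key = _subkeys(outer_key)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong password or tampered key blob")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


def enroll(password: str, n_keys: int = 3):
    """Client side at signup: generate the data keys, wrap them under the
    password-derived outer key, and return (server_record, data_keys).  The server
    record holds only the salt and wrapped keys, never the password or a plaintext key."""
    salt = os.urandom(SALT_LEN)
    outer = derive_outer_key(password, salt)
    data_keys = [os.urandom(KEY_LEN) for _ in range(n_keys)]
    record = {"salt": salt, "wrapped_keys": [wrap_key(outer, k) for k in data_keys]}
    return record, data_keys


def recover(password: str, record: dict) -> list:
    """Client side on a new device: re-derive the outer key from the password and the
    stored salt, then unwrap every data key.  Raises ValueError on a wrong password."""
    outer = derive_outer_key(password, record["salt"])
    return [unwrap_key(outer, blob) for blob in record["wrapped_keys"]]


if __name__ == "__main__":
    rec, keys = enroll("correct horse battery staple")   # constructed sample password
    assert recover("correct horse battery staple", rec) == keys
    try:
        recover("wrong password", rec)
    except ValueError as err:
        print("rejected:", err)
```

The point to take from the structure is what the server never holds: the record returned by `enroll` contains a salt and ciphertext only, so a breach of the server (or a legal demand for its contents) yields nothing that can be decrypted without the user’s password, and the PBKDF2 round count is what makes guessing that password expensive.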

SpiderOak offers amazing products like SpiderOak Hive and SpiderOak Blue to secure consumer and enterprise data. SpiderOak Blue provides enterprises with a fully private cloud service featuring all of the benefits of cloud storage along with 100% data privacy. And for the average web user, SpiderOak offers the same protections with lower costs and smaller storage space. You can sign up for this product now.

Snapchat Hack Leaks Millions of Names and Numbers

Posted by on Jan 3, 2014

Major security breach at Snapchat. Image from http://i1.ytimg.com/

The New Year did not start on a very good note for the most popular photo sharing application, Snapchat. On Wednesday, Jan 1, 2014, a major security breach took place at Snapchat: a hacker group exposed the phone numbers and usernames of approximately 4.6 million users on the Internet. Snapchat is used by millions of people for photo sharing because they consider it to be the most secure photo sharing app. Once the intended recipient receives a photo, the photo is deleted after a certain timeframe. This is the biggest selling point of Snapchat. However, there were a few security vulnerabilities in the app that were overlooked by the company, and as a result the company now has to face this situation.

That the attack happened on New Year’s might have been a coincidence, but it was at the least very symbolic. As we look to the next year, and beyond, I think we’ll be seeing many more such attacks. The market goes crazy for a new app, so there is a rush to get apps out and ready to be sold, oftentimes before they are secure. This is a very dangerous situation. Looking at the specifics of the Snapchat hack can help us understand why and how these hacks happen, and hopefully provide a path toward avoiding them.

The hackers posted the personal data and phone numbers of Snapchat users on a website called Snapchat.DB. The list exposed the entire phone number of each user except the last two digits. The hackers also mentioned that anyone who was interested could gain access to the full list of usernames and phone numbers by contacting them directly. The group behind this hack claims that the driving force behind this release was to raise awareness among people about the security vulnerabilities in Snapchat and to pressure Snapchat to fix those vulnerabilities. Recently Gibson Security had alerted Snapchat regarding a vulnerability that allows a hacker to take advantage of the “find friends” feature in Snapchat and match the phone numbers of users to their Snapchat accounts.

Security vulnerability exploited to carry out the attack. Image from http://arstechnica.com/

However, Snapchat disregarded the warnings of Gibson Security. In a blog post Snapchat said: “Theoretically, if someone were able to upload a huge set of phone numbers, like every number in an area code, or every possible number in the U.S., they could create a database of the results and match usernames to phone numbers that way. We recently added additional countermeasures and continue to make improvements to combat spam and abuse”. Gibson Security had tried to warn Snapchat both privately and publicly about these security weaknesses many times, and on Christmas Eve publicly posted a report highlighting the vulnerabilities in the APIs of the Snapchat application. According to the security team, it would have taken only a few lines of code to fix that weakness in the application. Unfortunately, unlike Snapchat, the hacker group took the warnings of Gibson Security seriously and exploited this vulnerability to carry out their attack.

In response to the Snapchat hack, Gibson Security has offered some help to the affected Snapchat users: it is offering a website where users can look up whether their accounts have been exposed. The impact of the hack can be more severe because people tend to use the same username and password for their other accounts, and as a result they can fall prey to spamming and phishing attacks. So, if you think your account has been exposed, reset your username and passwords for your other accounts as well.

We usually trust most of these popular applications and share all our personal information with them. We need to use our common sense and good judgment in deciding what to share and what not to share with these apps. In future we are going to see more such attacks, because these days app developers are paying more attention to building flashy and revenue-generating apps than to taking care of the privacy and security of their users. Because adding more security controls affects the user experience of the apps, they tend to have fewer security controls. App developers need to be more responsible regarding the security of their customers. Companies should not take the warnings of security experts lightly, and proper action should be taken to fix the vulnerabilities in their applications. Most importantly, the database containing personal user data should be protected using strong security controls.

Protect your personal data with SpiderOak

Users sometimes find that selecting a truly protected third party cloud service can be a challenge as most “secure” services on the market have glaring security gaps that leave their sensitive data wide open to third party attacks, leaks, and hacking. One rapidly expanding cloud storage and sync service that sets itself apart from the rest of the market is SpiderOak. This service provides users with fully private cloud storage and syncing, featuring all of the benefits of the cloud along with 100% data privacy. SpiderOak is available with onsite deployment and private servers or outsourced deployment through a private and secured public cloud server, so that users and small businesses of all sorts and sizes can tailor the service to fit their needs.

SpiderOak protects sensitive user data with 256-bit AES encryption so that files and passwords stay private. Authorized accounts and network devices can store and sync sensitive data with complete privacy, because this cloud service has absolutely “zero-knowledge” of user passwords or data. And all plaintext encryption keys are exclusively stored on approved devices because SpiderOak never hosts any plaintext data. This way, even if programs like NSA’s PRISM continue to stand unchallenged, people can rest easy knowing that their data is truly protected. SpiderOak’s cross-platform private cloud services are available for users on Windows, Mac, and Linux platforms, along with Android and iOS mobile devices, allowing for full flexibility and mobile access. SpiderOak offers amazing products like SpiderOak Hive and SpiderOak Blue to secure consumer and enterprise data. Sign up for this product now.

Biggest Security Events of 2013

Posted by on Jan 2, 2014

Important security events of 2013. Image from http://r3.cygnuspub.com/

As the year 2013 bids adieu, let’s take a look back at some of the biggest privacy and security issues of the year. As an information security professional, I found this year very interesting from a cyber security point of view. We got to see many new forms of cyber attack and new security controls to counteract them. The year was a mixed bag of security events, from the positive revelations about the NSA’s most controversial PRISM program to some of the biggest data and credit card breaches ever. Let’s hope we learn some lessons from these security breaches and establish strong security mechanisms to protect our personal data from cyber attacks.

Here are the highlights of some of the major security events of 2013:

NSA surveillance program. Image from https://dgtyg67y1bedo.cloudfront.net

NSA Surveillance Program: One of the biggest stories of 2013 was the revelation of the NSA’s PRISM program. The documents leaked by a former NSA contractor, Edward Snowden, showed that the US government has been spying on everything and everyone around the world. The revelations indicated that the NSA collects huge amounts of customer data by conducting surveillance activities, breaking security standards, tapping into data center links and sending legal notices to major technology companies. Major well-known companies like Apple, Google, Microsoft, Yahoo and Facebook were accused of cooperating with the NSA by responding to its user data collection requests. Besides sending legal notices to companies to collect huge amounts of user data, the NSA also developed several backdoor methods, like breaking encryption standards or exploiting security vulnerabilities in commercial products, to carry out surveillance activities. However, one of the positive aspects of this revelation was that companies and consumers started taking the security of their personal data seriously. People started implementing strong security controls such as HTTPS and Tor and became careful about sharing personal information on the Internet. Similarly, the technology companies teamed up against the NSA’s surveillance program and requested that the government allow them to publish transparency reports of user data requests by the spy agency, to restore the trust of their consumers.

Target Data Breach: The recent credit card breach at Target is considered the second largest data breach in US history, after the 2005 TJX Cos. credit card theft that affected 47.5 million card users. In this security breach approximately 40 million credit and debit card accounts were compromised. The intruders took advantage of a security vulnerability in the network of credit card devices during the busy Black Friday weekend and managed to access millions of personal records. Once hackers have so much personal data in their hands they can carry out more severe attacks like phishing and identity theft. This was an unfortunate event, which could happen to any business. Businesses need to keep their systems up to date and implement security controls to protect themselves from such catastrophic incidents. Businesses need to be extremely alert during the holiday season, as attackers take advantage of this busy time of the year to carry out fraudulent activities.

Adobe Data Breach: There is no denying that 2013 was the year of data breaches. After Target comes the Adobe data breach, which compromised 38 million Adobe user accounts. The hackers broke into Adobe servers and managed to access the personal information of millions of customers, as well as the source code of well-known Adobe products such as Adobe Acrobat, ColdFusion, and many more. One of the lessons learnt from this breach was that companies should securely manage the keys used to encrypt personal user data. Most of the time, companies leave their keys on the server, right next to the data they are protecting. As a result it becomes easier for an attacker to access the keys if they break into the server containing sensitive user data.

CryptoLocker Ransomware: Last but not least, this year was noteworthy for the malicious CryptoLocker ransomware that has affected millions of computers. This is a virus/Trojan that allows the author of the malware to take control of your computer by encrypting all your files and documents. Once all your files are encrypted, you receive a pop-up message asking you to pay a ransom in order to regain access to your documents. This kind of situation really highlights the importance of backing up your files and important documents to a secure cloud storage system. If you have backed up all your files regularly, then you are no longer trapped in such a situation. Always use strong passwords to protect your data in the cloud; your passwords should be long, complex and hard to guess. CryptoLocker primarily spreads through booby-trapped email attachments, so use proper judgment and do not open any suspicious email attachment. Remember, one click can infect your entire system.

These incidents definitely teach us some important lessons, like the importance of strong encryption standards, efficient key management, strong passwords and secure cloud storage systems. With every new year, new cyber threats evolve, but by taking some of these security measures we can ensure better protection of our data.

SpiderOak protects your data from unauthorized access

Most popular “secure” cloud services are still vulnerable to third party attacks. To truly experience privacy for your individual or business needs, an anonymous cloud storage and sharing service like SpiderOak provides all the benefits of the cloud while protecting against hacking and security breaches. This service provides users with fully private cloud storage and syncing, featuring all of the benefits of the cloud along with 100% data privacy.

SpiderOak protects sensitive user data with 256-bit AES encryption so that files and passwords stay private. Authorized accounts and network devices can store and sync sensitive data with complete privacy, because this cloud service has absolutely “zero-knowledge” of user passwords or data. And all plaintext encryption keys are exclusively stored on approved devices because SpiderOak never hosts any plaintext data. This way, even if programs like PRISM continue to stand unchallenged, people can rest easy knowing that their data is truly protected. SpiderOak’s cross-platform private cloud services are available for users on Windows, Mac, and Linux platforms, along with Android and iOS mobile devices, allowing for full flexibility and mobile access. SpiderOak offers amazing products like SpiderOak Hive and SpiderOak Blue to secure consumer and enterprise data. You can sign up for this product now.

Silent Circle Replaces NIST Encryption Standards

Posted by on Jan 1, 2014

End-to-end encryption with Silent Circle. Image from http://www.engadget.com

In Monday’s post, I mentioned the importance of end-to-end encryption tools like PGP and Silent Circle for better security of our data. Silent Circle has decided to move away from the National Institute of Standards and Technology (NIST) encryption standards and implement its own choice of cryptographic technologies for extra protection from NSA surveillance activities. In today’s post, I am going to discuss in detail why Silent Circle moved to new encryption standards and why it considers the new standards to be better than the NIST encryption standards.

Silent Circle provides encrypted Voice over Internet Protocol (VoIP) and text messaging apps and services. After closely watching all the revelations about the NSA, the company decided to replace the AES and SHA-2 cryptographic standards in the best interest of itself and its customers. The documents leaked by Edward Snowden indicated that the NSA has been successful in undermining the majority of encryption standards across the Web. The NSA also influenced NIST to weaken a random number generator standard in 2006. The Dual Elliptic Curve Deterministic Random Bit Generator (Dual EC DRBG), approved by NIST in 2006, had several security vulnerabilities and was vulnerable to tampering. NIST not only approved this technology but also recommended that companies embed Dual EC DRBG in their commercial products. The NSA exploits these vulnerabilities in commercial products to establish backdoors for surveillance purposes.

Encrypted VoIP and text services. Image from http://greycoder.com/

Silent Circle will be replacing the AES cipher with the Twofish cipher and the SHA-2 hash function with the Skein hash function in its products. The Twofish cipher was developed by a team including the well-known cryptographer Bruce Schneier, and was a finalist in the NIST selection of the AES cipher. The same group of people developed the Skein hash function, which was a SHA-3 finalist. The company trusts these two cryptographic technologies because they come from trusted sources, and the co-founders of Silent Circle personally know the team behind them.

Twofish encryption standard. Image from http://www.ravenproject.us

The company is also planning to stop using P-384, one of the elliptic curves recommended by NIST. The NSA has been a strong supporter of Elliptic Curve Cryptography (ECC), saying it is stronger, more secure and provides better performance. P-384 is one of the elliptic curves used in the Suite B set of cryptographic algorithms. Many cryptographers have argued that there are potential security weaknesses in the Suite B algorithms. Silent Circle is planning to replace P-384 with elliptic curves designed by the security experts Daniel Bernstein and Tanja Lange, both of whom have argued in the past about the weaknesses of the Suite B algorithms. Jon Callas, one of the founders of Silent Circle, says that moving away from NIST standards does not mean that the company does not trust those standards. It still plans to support NIST-sanctioned algorithms but will not use them by default in its products and services.

So far, we do not have any evidence that these standards provide foolproof protection against surveillance programs, but the move definitely shows the potential for better protection of sensitive user information. One thing is for sure: the NSA revelations have made organizations more responsible for the security of their customers. Many companies are working on products and technologies that would provide better security for their customers and restore their customers’ trust in their products and services.

Secure cloud storage service that protects your data from surveillance

SpiderOak is a secure cloud storage service that protects its user data from government surveillance. This service provides users with fully private cloud storage and syncing, featuring all of the benefits of the cloud along with 100% data privacy. SpiderOak is available with onsite deployment and private servers or outsourced deployment through a private and secured public cloud server, so that users and small businesses of all sorts and sizes can tailor the service to fit their needs.

SpiderOak protects sensitive user data with 256-bit AES encryption so that files and passwords stay private. Authorized accounts and network devices can store and sync sensitive data with complete privacy, because this cloud service has absolutely “zero-knowledge” of user passwords or data. And all plaintext encryption keys are exclusively stored on approved devices because SpiderOak never hosts any plaintext data. This way, even if programs like NSA’s PRISM continue to stand unchallenged, people can rest easy knowing that their data is truly protected. SpiderOak’s cross-platform private cloud services are available for users on Windows, Mac, and Linux platforms, along with Android and iOS mobile devices, allowing for full flexibility and mobile access. SpiderOak offers amazing products like SpiderOak Hive and SpiderOak Blue to secure consumer and enterprise data. You can sign up for this product now.