Kalyani M., Author at The Privacy Post - Page 5 of 20

NSA Partners With RSA to Weaken Encryption Standards

Posted by on Dec 30, 2013

NSA paid RSA to weaken encryption standards. Image from http://img.rt.com

The NSA has been working secretly for a decade to break the security standards of the Internet. The spy agency spends millions of dollars every year to break the encryption used to protect sensitive information like trade secrets, secure emails, and medical records. According to the documents leaked by Edward Snowden, it has succeeded in circumventing the majority of encryption technologies on the Web through partnerships with security companies, court orders, and backdoors. The NSA works closely with security vendors to understand the vulnerabilities in commercial products and exploits them to carry out surveillance. There are times when the spy agency asks companies to deliberately make changes to their products in undetectable ways, such as leaking encryption keys, making a random number generator less random, adding a common exponent to a public-key exchange protocol, and so on.

Speaking of commercial partnerships between security companies and the NSA, a shocking revelation has recently come to light. RSA, one of the best-known cyber security companies, was paid $10 million by the NSA in a “secret deal” to include a flawed encryption technology in widely used security software. According to articles published by The Guardian, The New York Times and ProPublica, the NSA has been working with many technology companies to undermine the security of commercial products. The NSA took advantage of the weaknesses in the cryptographic random number generator “Dual Elliptic Curve Deterministic Random Bit Generator” to install backdoors in commercially used encryption products. RSA was paid by the NSA to embed the flawed random number generator, Dual EC DRBG, in its widely used BSafe toolkit. The Dual EC DRBG algorithm has been under the scrutiny of security experts for a long time; they suspected that the algorithm was insecure and vulnerable to tampering. It remains unclear how, given so many shortcomings, Dual EC DRBG was approved by NIST. Approval of weak security standards by NIST also raises questions about its cooperation with the NSA.

The NSA uses backdoor in many commercial products for surveillance. Image from http://cdn.arstechnica.net

However, RSA denies being involved in any secret deal with the NSA to weaken encryption standards. RSA claims that it decided to use Dual EC DRBG by default in BSafe toolkits as part of developing newer and stronger encryption methods, and that it used the technology because of its value for Federal Information Processing Standards compliance. RSA said in a statement: “RSA always acts in the best interest of its customers and under no circumstances does RSA design or enable any back doors in our products. Decisions about the features and functionality of RSA products are our own.”

Keeping all these security concerns at the forefront, as users we need to look for more secure end-to-end encryption tools such as PGP or Silent Circle. These are some of the more secure alternatives that can provide better protection against NSA surveillance. Recently, Silent Circle announced that it would replace NIST-approved encryption standards like AES and Secure Hash Algorithm 2 in its products to thwart the NSA from spying on user data.

Enterprises should use the most relevant security products and technologies, and should be transparent about their security practices. They should not permit any modification of their products that would facilitate surveillance.

True Privacy with SpiderOak

At SpiderOak, we protect sensitive user data using 256-bit AES encryption so that files and passwords remain secure. SpiderOak encrypts the files on your computer before uploading them to the server. As a result, you and only you have access to your unencrypted data. Even SpiderOak cannot read your data, because the keys used for encryption belong only to you. The secret that keeps your data accessible to you alone is your SpiderOak password, which is never transmitted to SpiderOak in its original form. SpiderOak generates a key from your password using the key derivation/strengthening algorithm PBKDF2 (with SHA-256), a minimum of 16384 rounds, and 32 bytes of random data (“salt”). This key is then used to encrypt/decrypt a series of strong encryption keys that in turn encrypt/decrypt your data. So a user who knows her password can generate the outer-level encryption key using PBKDF2 and the salt, decipher the outer-level keys, and be on the way to decrypting her data. Without knowledge of the password, however, the data is unreadable. This way, even if programs like NSA’s PRISM continue to stand unchallenged, people can rest easy knowing that their data is in truly protected form.

SpiderOak offers amazing products like SpiderOak Hive and SpiderOak Blue to secure consumer and enterprise data. SpiderOak Blue provides enterprises with a fully private cloud service featuring all of the benefits of cloud storage along with 100% data privacy. And for the average web user, SpiderOak offers the same protections with lower costs and smaller storage space. You can sign up for this product now.


How to Protect Yourself From Online Holiday Scams

Posted by on Dec 27, 2013

Fake Amazon emails were sent to MicrosoftLive email accounts. Image from http://www2.pcmag.com

Finally, the holidays are here. The holiday season is the time of giving and of making purchases for near and dear ones. This is the busiest season of the year for retailers and holiday shoppers. It is also one of the busiest for cybercriminals, who take advantage of the rush to carry out fraudulent activities. If, like millions of other people, you order something on Amazon, your inbox is likely to be flooded with purchase confirmation emails during this time. With so many of them arriving, you might not pay attention to whether a given one is a legitimate email from Amazon or a fake. Recently, researchers at Malwarebytes revealed that spammers are targeting Amazon account holders by sending emails containing Trojan malware.

As per the findings of Christopher Boyd, suspicious Amazon order invoices dated Dec 8th and 9th were targeted at Microsoft Live email accounts. A legitimate-looking email was sent to many Amazon account holders saying that there had been a change in their order status and that, to check the details, they needed to open a zip file attached to the email. These emails, which claimed to contain order invoices and order details, carried Trojan-infected zip files. Two types of Trojans were found in the zip files: Trojan.Inject.RRE and Trojan.Zbot.ML. If you do not pay close attention to the details of this fake email and end up downloading the zip file, your system might be compromised. As I mentioned earlier, these emails were targeted at @live addresses and were CCed to multiple Microsoft Live addresses. However, Outlook and Hotmail caught these emails as spam.

Trojan-infected zip file. Image from http://cdn.blog.malwarebytes.org

Similarly, last season many users got a text message saying they had won a $1000 gift card from Best Buy. The text tricked users into visiting a legitimate-looking website (BestBuyContest.com or BestBuyWin.net) and entering a code to claim their gift card. Those who visited the website were asked to provide personal details like name, address, email address, phone number and date of birth. This information can be extremely valuable to attackers, who can use it to carry out phishing and identity theft attacks.

Best Buy Scam. Image from http://www.180techtips.com

There is a high possibility that you will receive such emails or texts during the holiday season. You can take these steps to protect yourself from such attacks:

  • First of all, pay attention to the details of the email before opening any attachment or clicking on any link. Do not click on a link or download a file if you find anything suspicious.
  • A legitimate email containing your order details or any other personal information will usually not be CCed to a lot of people, so look out for that. In the Amazon scam, the emails were CCed to multiple Microsoft Live addresses, a clear indication that the email was not coming from a legitimate source.
  • Look for security protocols and symbols such as https before entering your personal details on any website.
  • If you have any suspicion regarding an email or message, confirm it by calling the legitimate organization independently and asking whether they ever sent such an email.
  • Do not trust any text message that says you have won something or asks you to click on a link. These kinds of text messages are aimed at collecting users’ personal details to carry out more severe attacks. If you had really won something that valuable, you would not just receive a text message asking for your personal details.
  • Don’t think you are entirely safe staying offline, either. People are in a rush this time of year, so they aren’t paying as much attention when shopping. This can particularly hurt people suffering from bankruptcy, as the recent data breach at Target showed. It demonstrated how the reach of cybercriminals can extend into the physical world.

SpiderOak protects your data from unauthorized access

Most popular “secure” cloud services are still vulnerable to third party attacks. To truly experience privacy for your individual or business needs, an anonymous cloud storage and sharing service like SpiderOak provides all the benefits of the cloud while protecting against hacking and security breaches. This service provides users with fully private cloud storage and syncing, featuring all of the benefits of the cloud along with 100% data privacy.

SpiderOak protects sensitive user data with 256-bit AES encryption so that files and passwords stay private. Authorized accounts and network devices can store and sync sensitive data with complete privacy, because this cloud service has absolutely “zero-knowledge” of user passwords or data. And all plaintext encryption keys are stored exclusively on approved devices, because SpiderOak never hosts any plaintext data. This way, even if programs like NSA’s PRISM continue to stand unchallenged, people can rest easy knowing that their data is truly protected. SpiderOak’s cross-platform private cloud services are available for users on Windows, Mac, and Linux platforms, along with Android and iOS mobile devices, allowing for full flexibility and mobile access. SpiderOak offers amazing products like SpiderOak Hive and SpiderOak Blue to secure consumer and enterprise data. You can sign up for this product now.


A Consumer Privacy Bill of Rights, Part II

Posted by on Dec 26, 2013

Privacy of data on Cloud and online services. Image from http://linuxcoaching.ie

Cloud services have made our lives easier by making our data available to us anytime, from anywhere. Adoption of this emerging trend has proved beneficial for many of us. At the same time, however, it has opened the door to new security risks and vulnerabilities. A day does not go by without news of a security breach exposing user data through the hacking of cloud storage servers. According to Gartner, “Cloud services are especially difficult to investigate, because logging and data for multiple customers may be co-located and may also be spread across an ever-changing set of hosts and data centers. If you cannot get a contractual commitment to support specific forms of investigation, along with evidence that the vendor has already successfully supported such activities, then your only safe assumption is that investigation and discovery requests will be impossible.”

Cloud services are vulnerable to external as well as internal attacks, since we are putting the security of our data in the hands of cloud service providers. There is a possibility that cloud service providers can access customer data or hand it over to surveillance agencies on receiving a legal notice. The NSA has succeeded in collecting huge amounts of user data by breaking encryption technologies, as well as by serving data request notices on cloud storage companies. As we trust cloud services with the protection of our personal data, it is their responsibility to make sure that our data remains safe and secure from such attacks. They should implement strong encryption standards such as 256-bit AES for better security. Encryption has time and again proved to be the most secure method for protecting data in the cloud. The keys used for encrypting sensitive customer data should be managed effectively through periodic key rotation and re-encryption of data with new keys. Employees should not be given access to more than what is needed to complete their tasks. Cloud storage companies should implement effective security controls like strong passwords, longer keys and complex hash algorithms that make it difficult for anyone to access user data.

Consumer privacy rights for cloud service. Image from http://axeetech.com/

As consumers, we have certain responsibilities regarding the protection of our own data in cloud storage systems. You should always use strong passwords for better protection of your data. Your passwords should be long and complex, and should be changed frequently. Cloud storage services like SpiderOak encrypt your files on your computer before uploading them to the servers. The secret that keeps your data accessible to you alone is your SpiderOak password, which is never transmitted to SpiderOak in its original form. Without knowledge of the password, the data is unreadable. This way, even if programs like NSA’s PRISM continue to stand unchallenged, people can rest easy knowing that their data is in truly protected form. Therefore, it is extremely essential for users to have strong passwords for cloud services.

Consumer privacy rights for online services. Image from http://media.cirrusmedia.com.au/

Now let us come to the online services that we use in our day-to-day lives. It is hard to imagine passing a day without checking our Gmail or Yahoo Mail accounts or logging on to Facebook to see what our friends are doing. These services also come with a fair amount of security risk. Most of the time, these services monitor user activity in order to send targeted advertisements. A recent report revealed that several top websites use hidden scripts to determine how long you hover over an ad, when you pause, or whether you click on it. This way they determine what interests you and keep sending you promotions or advertisements according to your interests. Facebook has recently announced its intent to monitor users’ cursor movements to make improvements in its service. It will collect information such as how long your cursor hovers over a particular part of its website or whether your news feed is visible at a given moment on your mobile phone’s screen. They store all this captured information in a data analytics warehouse and make sure that you are getting targeted ads related to the items over which you hover your cursor the most. The NSA takes advantage of these technologies used for targeted advertising to carry out surveillance. The NSA has been successful in breaking encryption standards, monitoring website cookies and tapping into the data center links of well-known technology companies to collect user data.

We deserve to know how these web services that we use almost every day manage and store our data. They should clearly indicate in their privacy policies what security precautions they take to protect our data and how much of our data is shared with third parties or advertisers. What security controls do they have in place to protect data from NSA surveillance? What data do they share with the security agencies on receiving a legal notice? They need to be transparent about their cooperation with the NSA in handling user data. A detailed report explaining what information they provided in response to National Security Letters and other government demands would help these companies gain the trust of their users.

Secure your personal data with SpiderOak

Users sometimes find that selecting a truly protected third party cloud service can be a challenge as most “secure” services on the market have glaring security gaps that leave their sensitive data wide open to third party attacks, leaks, and hacking. One rapidly expanding cloud storage and sync service that sets itself apart from the rest of the market is SpiderOak. This service provides users with fully private cloud storage and syncing, featuring all of the benefits of the cloud along with 100% data privacy. SpiderOak is available with onsite deployment and private servers or outsourced deployment through a private and secured public cloud server, so that users and small businesses of all sorts and sizes can tailor the service to fit their needs.

SpiderOak protects sensitive user data with 256-bit AES encryption so that files and passwords stay private. Authorized accounts and network devices can store and sync sensitive data with complete privacy, because this cloud service has absolutely “zero-knowledge” of user passwords or data. And all plaintext encryption keys are stored exclusively on approved devices, because SpiderOak never hosts any plaintext data. This way, even if programs like NSA’s PRISM continue to stand unchallenged, people can rest easy knowing that their data is truly protected. SpiderOak’s cross-platform private cloud services are available for users on Windows, Mac, and Linux platforms, along with Android and iOS mobile devices, allowing for full flexibility and mobile access. SpiderOak offers amazing products like SpiderOak Hive and SpiderOak Blue to secure consumer and enterprise data. You can sign up for this product now.

 


A Consumer Privacy Bill of Rights, Part I

Posted by on Dec 25, 2013

Mobile app developers need to manage and store sensitive user data securely. Image from http://www.mobileapptesting.com

With the advancement of mobile technology, companies have lots of consumer data in their possession. Many mobile and web applications collect personal information (like name, address, social security number or credit card details) from users to give them access to various services. As consumers we trust that our data is in safe hands and won’t be available to any third party without our consent. Unfortunately, most of the time that is not the case. Many mobile applications share customer data with third parties and advertisers to generate revenue and to provide “value-add” services (although the “value-add” is highly questionable in some cases). Sometimes they also share your personal information with the government upon receiving a legal notice for surveillance purposes. As consumers, we have a right to know how our data is being used, and also a right to understand the value of the data we provide to these applications.

Monetizing mobile apps is a challenging task, and more often than not, mobile apps end up using advertising as their primary source of revenue. With this in mind, these applications track each and every movement of the user to determine who they are. What are their interests? What is their income level? This data is extremely valuable to any business, as it gives them lots of information about their users and lets them send advertisements or services customized to those interests. These days there are mobile apps for almost everything you can think of. Mobile health apps collect lots of personal and detailed health information from users in order to provide better services for health and well-being. Most of these apps do not even deliver the medical miracles they promise. Instead they end up sharing your sensitive health information with advertisers and third-party vendors. Exposure of so much personal data leaves you vulnerable to identity theft and annoying targeted advertisements.

Mobile health apps sometimes share sensitive health data with third parties. Image from http://twimgs.com/informationweek

Recently, it was revealed that Android’s Flashlight app collects users’ geo-location data and secretly shares their location details and device IDs with advertisers without their knowledge. The app company was charged by the Federal Trade Commission (FTC) with deceiving users and invading their privacy. As per the Flashlight app’s privacy policy, the company itself would use the collected geo-location data and would not share it with any third party. Most of the time we have seen that mobile apps, especially free ones, do not clearly state their data collection and sharing practices in their privacy policies. The privacy policies are wordy and not to the point. As a result, users do not feel like going through the whole thing before downloading an app; they just accept the terms and conditions to get access to the app as soon as possible. The privacy policies of mobile apps need to be clear and definitive, and should focus on the protection of user data. Just because an app is free does not mean that the developers have the authority to share sensitive user data without permission.

Snapchat is not as secure as it claims to be. Image from http://www.wired.com/

Many of us use mobile photo-sharing apps to share pictures with our friends and families. One of the most popular mobile photo-sharing apps is Snapchat. Snapchat claims to be the most secure photo-sharing app because it allows users to share pictures that disappear from devices after a certain amount of time. That means nobody other than the sender or receiver can get access to the photos. Snapchat even deletes opened photos from its servers. It definitely sounds like a safe medium for sharing your pictures. However, Snapchat has not been fully forthcoming about what happens to the photos that remain unopened. Apparently, unopened photos remain on Snapchat’s servers for thirty days. So if an intruder gets access to the company’s servers, he can access those unopened photos. Mobile apps should state how long user data is stored on their servers and what security measures they take to protect that data.

Let’s face it: downloading mobile apps is so easy and fast that many of us do not even consider glancing through their privacy policies. However, your personal data is more important than you think. As users of mobile apps, we deserve the right to know how the company manages and stores our personal data. Most of the time, app developers collect data to make improvements in their applications and satisfy the needs of the consumer. It is the responsibility of the app developers to let users know what and how much of their data is collected and with whom it is shared. They should not collect more than what is required from users. Their privacy policies should be transparent and more in line with protecting the privacy of the user. Lastly, proper encryption and security controls should be in place to protect sensitive user data. Having said that, the onus of reading the privacy policy still rests with the consumer. If an application asks for any personal data, please do take some time to read its privacy policy, and make sure that you are comfortable with the policy before sharing your data.

Securing your data with SpiderOak

Most popular “secure” cloud services are still vulnerable to third party attacks. To truly experience privacy for your individual or business needs, an anonymous cloud storage and sharing service like SpiderOak provides all the benefits of the cloud while protecting against hacking and security breaches. This service provides users with fully private cloud storage and syncing, featuring all of the benefits of the cloud along with 100% data privacy.

SpiderOak protects sensitive user data with 256-bit AES encryption so that files and passwords stay private. Authorized accounts and network devices can store and sync sensitive data with complete privacy, because this cloud service has absolutely “zero-knowledge” of user passwords or data. And all plaintext encryption keys are stored exclusively on approved devices, because SpiderOak never hosts any plaintext data. This way, even if programs like NSA’s PRISM continue to stand unchallenged, people can rest easy knowing that their data is truly protected. SpiderOak’s cross-platform private cloud services are available for users on Windows, Mac, and Linux platforms, along with Android and iOS mobile devices, allowing for full flexibility and mobile access. SpiderOak offers amazing products like SpiderOak Hive and SpiderOak Blue to secure consumer and enterprise data. You can sign up for this product now.


The Importance of Encryption for Companies in the Cloud

Posted by on Dec 24, 2013

Many organizations are moving towards cloud computing because it is cost effective, flexible and easy to deploy. Cloud computing enables you to access your data anytime, from anywhere in the world. Along with many benefits, cloud services come with a fair amount of security risk. Every day millions of customers have their data compromised through the hacking of cloud storage systems. As companies move data from internal servers to the cloud, that data becomes vulnerable to cyber attacks. To ensure the protection of consumer data, companies are implementing strong security practices. One of the most effective and secure ways of protecting data in the cloud is encryption. Different organizations use different methodologies when it comes to encrypting data in the cloud.

Encryption is the most effective way of securing data in the cloud. Image from http://res.sys-con.com

An “Encryption in the Cloud” survey was conducted by the Ponemon Institute among more than 4000 IT professionals from seven countries, including the US. According to the survey, “About 38% of the respondents said their organizations rely on encryption of data as it’s transferred, typically over the Internet, to the cloud. Another 35% said their organizations encrypt data before it’s transmitted to the cloud provider so that it remains encrypted within the cloud. 27% answered their organizations perform encryption within the cloud environment, with 16% of those selectively encrypting at the application layer, and 11% letting the cloud provider encrypt stored data as a service”. Similarly, in terms of managing encryption keys, 36% of the respondents relied on their own organization, 22% on the cloud service provider and 22% on independent third parties. From the survey it looks like organizations put the security of sensitive user data at the forefront and take suitable measures to protect it from attacks or breaches. Encryption has time and again proved to be the most effective security technique for protecting data in the cloud. The NSA revelations made us aware of how the spy agency has collected huge amounts of user data by breaking the encryption of the majority of Web services. The NSA takes advantage of poorly implemented encryption to carry out its surveillance. It can also get hold of an enterprise’s private key used for encrypting consumer data simply by serving a legal notice. In the age of NSA surveillance and a growing rate of security breaches, it has become extremely important for organizations to take more responsibility for the security of their customers. Here are some steps that organizations can take to protect sensitive user data in the cloud:

  • Use of a strong encryption standard: Going back to the NSA revelations, we are aware that the NSA is cracking the majority of encryption standards on the Web. But as I mentioned earlier, it has been successful in cracking poorly implemented and outdated encryption. When it comes to strong encryption technology like the Advanced Encryption Standard (AES), the NSA finds it difficult to break through. As Edward Snowden put it, “Encryption works. Properly implemented strong crypto systems are one of the few things that you can rely on”. You should implement AES encryption with a key length of 256 bits for better security of your data.
  • Effective key management: Manage your encryption keys efficiently by using advanced key management technologies. As NetworkWorld recommends, enterprises should manage their encryption effectively through efficient key assignment, periodic key rotation, and re-encryption of data with new keys.
  • Access control: I agree that encrypting data at rest, in use and in transit reduces the risk of external attacks. But what about internal attacks? By putting the cloud service provider in charge of encrypting sensitive user data, enterprises open the door to new internal attacks. Employees must be given access only to the information that is required for or relevant to their responsibilities. They should be trained to manage and handle encrypted data effectively by following the security procedures of the organization.
  • Compliance with security policies and procedures: Enterprises should encrypt sensitive user data according to industry compliance guidelines or mandates such as HIPAA, PCI, GLBA and so on.

True Privacy with SpiderOak

At SpiderOak, we protect sensitive user data using 256-bit AES encryption so that files and passwords remain secure. SpiderOak encrypts the files on your computer before uploading them to the server. The secret that keeps your data accessible to you alone is your SpiderOak password, which is never transmitted to SpiderOak in its original form. SpiderOak generates a key from your password using the key derivation/strengthening algorithm PBKDF2 (with SHA-256), a minimum of 16384 rounds, and 32 bytes of random data (“salt”). This key is then used to encrypt/decrypt a series of strong encryption keys that in turn encrypt/decrypt your data. So a user who knows her password can generate the outer-level encryption key using PBKDF2 and the salt, decipher the outer-level keys, and be on the way to decrypting her data.

Without knowledge of the password, however, the data is unreadable. This way, even if programs like NSA’s PRISM continue to stand unchallenged, people can rest easy knowing that their data is in truly protected form. SpiderOak offers amazing products like SpiderOak Hive and SpiderOak Blue to secure consumer and enterprise data. SpiderOak Blue provides enterprises with a fully private cloud service featuring all of the benefits of cloud storage along with 100% data privacy. And for the average web user, SpiderOak offers the same protections with lower costs and smaller storage space. You can sign up for this product now.


Target Credit Card Breach Exposes Millions of Customers

Posted on Dec 23, 2013

Massive credit card breach at Target. Image from http://extras.mnginteractive.com.

Credit card data breaches seem to be on the rise these days. Hackers are attacking many businesses in order to access sensitive customer data like social security numbers or credit card information. This information can be extremely valuable to the attackers, as having all that sensitive data in hand allows them to carry out more severe attacks. Information is key to hackers, and the more information they have the more dangerous they can become, creating a snowball (or even an avalanche) effect.

Retail giant Target has become the latest victim of a massive credit card breach. According to different sources, approximately 40 million credit and debit card accounts were compromised in the security breach. It is considered the second largest breach in US history, after the 2005 TJX Cos. credit card theft that affected 47.5 million card users. Target disclosed that customers who made purchases using their credit cards between Nov 27 and Dec 15 may have been exposed to the attack. The hackers managed to access customer names, credit and debit card numbers, card expiration dates and the embedded code on the magnetic stripe. The data breach did not affect online purchases.

The data breach appears to have begun on the busy Black Friday weekend and potentially affects nearly all the store locations across the US. According to cybersecurity expert Brian Krebs, the breach was initially believed to have extended from the Thanksgiving period until Dec 6, but further investigation revealed that it extended until Dec 15. He said that “track data” was stolen from customers’ cards, allowing the attackers to make replicas of the credit cards by simply encoding that information onto any card with a magnetic stripe. If the PIN data for the debit cards was also stolen, it could be used to produce counterfeit debit cards and withdraw money from ATMs.

Millions of credit card data were exposed in the breach. Image from http://kfda.images.worldnow.com

The US Secret Service is investigating the whole incident. They have confirmed to the Wall Street Journal that the breach was the result of a vulnerability in the network of 40,000 credit card devices at the store registers. Target has 1797 stores in the US and 124 stores in Canada. That means a massive amount of credit card data is at risk as a result of this breach. The breach did not affect users shopping online, but it did affect the people who went physically to the stores to shop.

Does that mean shopping online is safer than going to a store? Well, each has its merits and demerits. It is unfortunate that something like this happened due to a flaw in the network of credit card devices, but this is a rare in-person breach. Usually, I feel it is safer to shop in a store than to order something online, because when you are shopping online you are exposing yourself to more security risks. These risks include a lack of proper security controls on the website, poor encryption standards, and exposure to severe cyber attacks like man-in-the-middle or phishing attacks.

Target recommends users to monitor their credit card records to prevent identity theft. Image from http://www.keepmyid.org.

Target has apologized to its customers for the inconvenience caused by the credit card breach and has assured them that it will be resolving the issue soon. It is working with a third-party forensics team to conduct a thorough investigation of the breach and determine what significant steps it can take to avoid such situations in future. Target recommends that customers remain alert to fraud or identity theft by regularly monitoring their account statements and free credit reports. If they find any suspicious activity on their accounts, they should immediately inform their financial institutions. You can also call the Federal Trade Commission or law enforcement to report identity theft or credit card fraud.

As per the reports, it definitely looks like the majority of Target stores are affected as a result of the breach. Therefore, as a consumer, I would refrain from shopping at Target at this point and will wait for the issue to get resolved. More importantly, if you have shopped at Target during the timeframe of the attack, then please monitor your account statements and credit reports, and if you find any kind of suspicious activity, inform your credit card company immediately.

Secure cloud storage service that protects your data

SpiderOak is a secure cloud storage service that protects its user data from government surveillance. This service provides users with fully private cloud storage and syncing, featuring all of the benefits of the cloud along with 100% data privacy. SpiderOak is available with onsite deployment and private servers or outsourced deployment through a private and secured public cloud server, so that users and small businesses of all sorts and sizes can tailor the service to fit their needs.

SpiderOak protects sensitive user data with 256-bit AES encryption so that files and passwords stay private. Authorized accounts and network devices can store and sync sensitive data with complete privacy, because this cloud service has absolutely “zero-knowledge” of user passwords or data. All plaintext encryption keys are stored exclusively on approved devices, because SpiderOak never hosts any plaintext data. This way, even if programs like the NSA’s PRISM continue to stand unchallenged, people can rest easy knowing that their data is truly protected. SpiderOak’s cross-platform private cloud services are available for users on Windows, Mac, and Linux platforms, along with Android and iOS mobile devices, allowing for full flexibility and mobile access. SpiderOak offers products like SpiderOak Hive and SpiderOak Blue to secure consumer and enterprise data. You can sign up for this product now.


Hackers Burn The Washington Post for The Third Time

Posted on Dec 20, 2013

Washington post servers hacked again. Image from http://www.thewrap.com

The servers of The Washington Post were recently hacked for the third time in the past three years. The hackers broke into the servers and managed to access employees’ user names and passwords. Although the passwords were stored in encrypted form, it is likely that the hackers will be able to decode them. Mandiant, a cyber security company that monitors the Post’s networks, discovered the data breach yesterday. It is still unclear how much company data was compromised as a result of the attack. So far, there is no evidence that the personal details of subscribers, like credit card information or addresses, were compromised. It is also not known whether the hackers accessed the Post’s publishing systems, or the email addresses or social security numbers of employees. The attack began with an intrusion into a server used by the Post’s foreign staff and gradually spread to other computers. The Washington Post is planning to reset the user names and passwords of all its employees, as it believes most of them may have been compromised.

Back in 2011, a similar kind of attack on the company’s servers was carried out by Chinese hackers. Given the pattern of the attack, officials suspect that Chinese hackers might also be responsible for this data breach. The previous attack targeted the company’s information technology servers and several other computers. Mandiant was in charge of that incident; it investigated the whole issue and resolved everything by the end of 2011. According to Grady Summers, a vice president at Mandiant, “Chinese government hackers want to know who the sources are, who in China is talking to the media. They want to understand how the media is portraying them — what they’re planning and what’s coming.” Chinese hackers also targeted the New York Times over a four-month period, soon after it reported on the business dealings of relatives of the Chinese Prime Minister.

Attack on Washington Post by Syrian Electronic Army. Image from https://now.mmedia.me

Besides the Chinese hackers, the Post has been the victim of a “phishing attack” by the Syrian Electronic Army. This group succeeded in redirecting readers of Washington Post articles to its own website. The group sent a fake email to Post employees which appeared to be legitimate and to come from one of their colleagues. The email asked the employees to click on a link and provide their log-in details. Administrative log-in credentials obtained this way could have been used by the attackers to gain control of the entire computer network of the organization.

Cyber attacks on international news organizations. Image from http://qz.com

For the last few years, large international news organizations like the New York Times, the Wall Street Journal and the Washington Post have been the target of cyber attacks. A growing number of distributed denial of service attacks have been seen against individual journalists and news agencies, aimed at disrupting their operations. Organizations can protect their servers from such attacks by implementing strong access control methods to prevent unauthorized access. Servers should be placed behind firewalls so that suspicious network traffic can be monitored. Organizations should also apply software patches and run antivirus scans on their systems frequently. As we saw in one of the phishing attacks targeted at the Washington Post, the attacker tricked employees into entering their log-in details in response to a fake email. Hackers usually take advantage of employees to gain access to a company’s administrative controls. Employees should be trained to discriminate between fake and legitimate email messages and requests in order to prevent phishing attacks. By taking these security measures, organizations can maintain the privacy and security of consumer data.

SpiderOak Blue for Enterprises:

Finding a truly secure third party cloud service can be a challenge as many services on the market have security gaps that leave private data vulnerable to third party attacks. One cloud storage and sync service that sets itself apart is SpiderOak Blue. This service provides enterprises with a fully private cloud service featuring all of the benefits of cloud storage along with 100% data privacy. And for the average web user, SpiderOak offers the same protections with lower costs and smaller storage space.

SpiderOak Blue protects sensitive enterprise data through two-factor password authentication and 256-bit AES encryption so that files and passwords stay private as unreadable blocks of data. Two-factor authentication is just like the process used by some financial services that require a PIN as an extra precaution along with a password in order to log in. With SpiderOak, enterprises that choose to use two-factor authentication must submit a private code sent by text message along with their unique encrypted password. Authorized accounts can store and sync sensitive data with complete privacy, because this cloud service has absolutely “zero-knowledge” of user passwords or data. All plaintext encryption keys are stored exclusively on approved devices (SpiderOak never hosts any plaintext data). SpiderOak Blue’s cross-platform private cloud services are available for enterprises on Windows, Mac, and Linux platforms, along with Android and iOS mobile devices.


What’s Next for Tech Companies And The NSA

Posted on Dec 19, 2013

Technology companies team up against NSA surveillance. Image from http://www.theguardian.com

The NSA’s controversial PRISM program has put the reputation of major technology companies at stake. Time and again the NSA has collected huge amounts of user data from these companies, either by serving legal notice or by illegally tapping into their data center links. Either way, the spy agency has been successful in its mission of mass data collection for carrying out surveillance activities. People use the services of major technology companies like Google, Apple, or Facebook in their everyday lives. Such revelations of mass data collection raise concern among the general population regarding the privacy and security of their data with these companies. Keeping the protection of customer data in the forefront, the technology companies have teamed up against the surveillance activities of the NSA.

Letter to the President. Image from http://b-i.forbesimg.com.

Last week, eight high-profile tech companies sent a letter to President Obama and Congress, asking for the imposition of strict rules to restrain the NSA from collecting massive amounts of user data. The letter said: “We understand that governments have a duty to protect their citizens. But this summer’s revelations highlighted the urgent need to reform government surveillance practices worldwide. The balance in many countries has tipped too far in favor of the state and away from the rights of the individual — rights that are enshrined in our Constitution. This undermines the freedoms we all cherish.”

The tech companies have requested strong judicial oversight of surveillance requests by the NSA. The reputation of US tech companies has been harmed in the international market because of the NSA tapping into the private communication links of major tech companies around the world. In particular, government officials in Europe and Brazil have expressed deep concern over the collection of their citizens’ personal data by the US spy agency.

President's meeting with the leaders of major Internet companies. Image from http://www.gannett-cdn.com

Leaders of major tech companies also had a meeting with the President earlier this week regarding the NSA’s surveillance programs. There were discussions about the impact of surveillance activities on the reputation of these companies and on the economy of the country in the near future. The companies demanded transparency and limits on the data collection practices of the NSA. In the past the tech companies have teamed up against the NSA to seek permission to publish transparent reports of the data collection requests made by the agency. However, the government declined their demands, claiming that allowing the tech companies to reveal such details would be invaluable to adversaries and would harm national security interests.

This move by the technology giants definitely shows their concern regarding the protection of their users’ privacy. Besides demanding reforms in the surveillance programs, more and more companies are implementing strong security controls to protect user data. Major Internet companies like Yahoo and Google have introduced HTTPS encryption for their services, implemented two-factor authentication, and encrypted the links between their data centers for better security.

Secure cloud storage service that protects your data from surveillance

SpiderOak is a secure cloud storage service that protects its user data from government surveillance. This service provides users with fully private cloud storage and syncing, featuring all of the benefits of the cloud along with 100% data privacy. SpiderOak is available with onsite deployment and private servers or outsourced deployment through a private and secured public cloud server, so that users and small businesses of all sorts and sizes can tailor the service to fit their needs.

SpiderOak protects sensitive user data with 256-bit AES encryption so that files and passwords stay private. Authorized accounts and network devices can store and sync sensitive data with complete privacy, because this cloud service has absolutely “zero-knowledge” of user passwords or data. All plaintext encryption keys are stored exclusively on approved devices, because SpiderOak never hosts any plaintext data. This way, even if programs like the NSA’s PRISM continue to stand unchallenged, people can rest easy knowing that their data is truly protected. SpiderOak’s cross-platform private cloud services are available for users on Windows, Mac, and Linux platforms, along with Android and iOS mobile devices, allowing for full flexibility and mobile access. SpiderOak offers products like SpiderOak Hive and SpiderOak Blue to secure consumer and enterprise data. You can sign up for this product now.


Facebook Even Tracks What You Don’t Post

Posted on Dec 18, 2013

Facebook tracks your "self-censored" posts. Image from http://i.dailymail.co.uk/

Facebook has become a part and parcel of our daily life. We make friends, post status updates, “like” each other’s pictures, and play games on this social networking site. Given all that, just imagine the amount of personal information Facebook has about its users. Facebook tries to know everything about its users in order to provide them a better service. In the past, Facebook has announced that it will track users’ cursor movements to determine how much time they spend hovering over ads on the Facebook page, so that it can send them personalized advertisements. Besides tracking cursor movements, another study reveals that Facebook also stores information that we decide not to share with it. For example, a status update that you wanted to post but for some reason changed your mind about and did not post, or friend requests that you never accepted.

You must be thinking – Wait! How is that possible? How can Facebook know what we wanted to post? The code running in your browser while you use Facebook can capture what you have typed in your status box or message, even if you decide not to publish it. The technology behind this is very similar to the technology used in Gmail. You must have noticed that whenever you type a response in Gmail, the message is automatically saved as a draft even if you did not send it. Even if you close the browser before saving your email message, you can find a copy of it in the Drafts folder. Similarly, Facebook uses code in your browser to collect the text that you type. The code collects and analyzes the text you have typed and sends that information to Facebook. Facebook claims that the reason for collecting this information is to determine whether abandoned posts are related to problems with the interface, and to find ways to mitigate them. Facebook also wants to promote the News Feed feature, which shows content it thinks users will be interested in. Therefore, by gathering more information about the likes and dislikes of its users, Facebook can provide News Feeds that match the interests of its users.

Facebook collects posts or messages that you have not shared. Image from http://www.attorneymarketingprofits.com

These unposted messages or thoughts are termed “self-censorship” by Facebook. Two researchers, Adam Kramer and Sauvik Das, conducted an analysis of self-censored data on Facebook. They collected self-censorship data from a random sample of approximately 5 million English-speaking Facebook users over a time frame of 17 days. They used two parameters to measure censorship on Facebook – “the “composer”—the HTML form element through which users can post standalone content such as status updates—and the “comment box”—the element through which users can respond to existing content such as status updates and photos”. They found that 71% of users typed a message or status update but did not post it at the last minute. They conducted research on three different categories – demographics, behavioral features, and information on the “social graph” of each user. According to their research paper, people censor posts more than comments because posts attract more user attention and generate new discussion threads. Also, men are more likely to censor than women, and even more so when more of their friends are men than women. Finally, they concluded that “people censor more when their audience is harder to define, and people censor more when the relevance of the communication “space” is narrower.”

Facebook has indicated in its Data Use Policy that it may collect information about things that have not happened. Facebook’s privacy policy is always under the scrutiny of privacy advocates, as it allows the company to collect more information about users than is required. I feel that collecting information about something that we do not want to share is extremely intrusive. Somebody decides not to share something because he considers it to be private, and collection of that private data invades the user’s privacy and security on Facebook.

True Privacy with SpiderOak

Most popular “secure” cloud services are still vulnerable to third party attacks. To truly experience privacy for your individual or business needs, an anonymous cloud storage and sharing service like SpiderOak provides all the benefits of the cloud while protecting against hacking and security breaches. This service provides users with fully private cloud storage and syncing, featuring all of the benefits of the cloud along with 100% data privacy.

SpiderOak protects sensitive user data with 256-bit AES encryption so that files and passwords stay private. Authorized accounts and network devices can store and sync sensitive data with complete privacy, because this cloud service has absolutely “zero-knowledge” of user passwords or data. All plaintext encryption keys are stored exclusively on approved devices, because SpiderOak never hosts any plaintext data. This way, even if programs like the NSA’s PRISM continue to stand unchallenged, people can rest easy knowing that their data is truly protected. SpiderOak’s cross-platform private cloud services are available for users on Windows, Mac, and Linux platforms, along with Android and iOS mobile devices, allowing for full flexibility and mobile access. SpiderOak offers products like SpiderOak Hive and SpiderOak Blue to secure consumer and enterprise data. You can sign up for this product now.


Flashlight App Sends User Location Data to Advertisers

Posted on Dec 17, 2013

Mobile apps collect user location data. Image from https://mocana.com

With the growth in mobile technology, there is a significant increase in location-based advertising. Marketers want to know exactly where you are located to send you personalized advertisements. As per the Interactive Advertising Bureau, “Total online advertising revenues were $3 billion in the first six months of 2013, and mobile phone ads were less than 20 percent of that amount. Mobile advertising grew 145 percent in that period, however, and mobile ads that incorporate location information will make up a majority of ads by 2015.”

Many smartphone apps are designed to collect user data based on location and to share that information with third parties. Some of the apps are able to track your location even if your GPS is turned off. Location-based advertising can prove extremely beneficial for marketers, as they can now connect with their customers on a personal level and send them relevant, customized information. Some people might not have any problem with location-based data collection, as they might find it helpful in some ways. For others, especially those concerned with privacy, it is a huge concern.

FTC charged Brightest Flashlight Free for sharing user data with advertisers. Image from http://www.arizonadailyindependent.com

According to a recent report, an Android flashlight app secretly shares users’ location data and device IDs with advertisers. The flashlight app is a free app that allows users to use their mobile devices as flashlights. Goldenshores Technologies LLC is the company that makes the popular app “Brightest Flashlight Free” for the Android operating system. The company was charged by the Federal Trade Commission (FTC) with deceiving customers about how their geo-location data would be collected and shared with third parties. The FTC stated that the app’s privacy policy gave no information about the sharing of users’ geo-location data with advertisers. In its privacy policy, the company claimed that any information collected by the app would be used by the company itself. In reality, however, it shared the collected user data with third-party advertisers without users’ consent or knowledge. In my opinion, this is a huge intrusion of privacy.

End User License Agreement for Android's flashlight app. Image from http://www.business.ftc.gov

When you download the app for the first time, it shows an End User License Agreement with information about data collection. It gives you the option to “Accept” or “Refuse” the License Agreement. It seems that even before you select the “Accept” option, the application starts collecting your data and sending it to third-party advertisers. Jessica Rich, Director of the FTC’s Bureau of Consumer Protection, said: “When consumers are given a real, informed choice, they can decide for themselves whether the benefit of a service is worth the information they must share to use it. But this flashlight app left them in the dark about how their information was going to be used.” In the settlement with Goldenshores Technologies, LLC, the FTC prohibits the company from misrepresenting how consumer data is collected and shared, and how much control consumers have over the amount of data being shared. The company must provide detailed information to consumers regarding when, how, and why their geo-location data is collected, used and shared.

It is still very unclear how the collection of location-based data impacts consumers’ purchasing decisions, but it definitely invades their privacy in the mobile space. I hope that in the near future we will get to see privacy policies that are clear, definitive and more in line with protecting the privacy of user data. Mobile apps should not collect more than what is required from users, and should take the user’s permission before sharing their information with third parties. Lastly, app developers should clearly indicate their privacy practices to users before they download their apps.

Secure your data with SpiderOak

Most popular “secure” cloud services are still vulnerable to third party attacks. To truly experience privacy for your individual or business needs, an anonymous cloud storage and sharing service like SpiderOak provides all the benefits of the cloud while protecting against hacking and security breaches. This service provides users with fully private cloud storage and syncing, featuring all of the benefits of the cloud along with 100% data privacy.

SpiderOak protects sensitive user data with 256-bit AES encryption so that files and passwords stay private. Authorized accounts and network devices can store and sync sensitive data with complete privacy, because this cloud service has absolutely “zero-knowledge” of user passwords or data. All plaintext encryption keys are stored exclusively on approved devices, because SpiderOak never hosts any plaintext data. This way, even if programs like the NSA’s PRISM continue to stand unchallenged, people can rest easy knowing that their data is truly protected. SpiderOak’s cross-platform private cloud services are available for users on Windows, Mac, and Linux platforms, along with Android and iOS mobile devices, allowing for full flexibility and mobile access. SpiderOak offers products like SpiderOak Hive and SpiderOak Blue to secure consumer and enterprise data. You can sign up for this product now.