Kalyani M., Author at The Privacy Post - Page 7 of 23

Snapchat Hack Leaks Millions of Names and Numbers

Posted by Kalyani M. on Jan 3, 2014

Major security breach at Snapchat. Image from http://i1.ytimg.com/

The New Year did not start on a very good note for the most popular photo sharing application, Snapchat. On Wednesday, Jan 1, 2014, a major security breach took place at Snapchat: a hacker group exposed the phone numbers and usernames of approximately 4.6 million users on the Internet. Millions of people use Snapchat for photo sharing because they consider it the most secure photo sharing app. Once the intended recipient receives a photo, the photo is deleted after a certain timeframe; this is Snapchat’s biggest selling point. However, the company overlooked a few security vulnerabilities in the app, and as a result it now has to face this situation. That the attack happened on New Year’s might have been a coincidence, but it was at the least very symbolic. As we look to the next year and beyond, I think we’ll be seeing many more such attacks. The market goes crazy for a new app, so there is a rush to get apps out and ready to sell, often before they are secure. This is a very dangerous situation. Looking at the specifics of the Snapchat hack can help us understand why and how these hacks happen, and hopefully point toward a path for avoiding them.

The hackers posted the personal data and phone numbers of Snapchat users on a website called Snapchat.DB. The list exposed the users’ entire phone numbers except the last two digits. The hackers also mentioned that anyone interested could gain access to the full list of usernames and phone numbers by contacting them directly. The group behind this hack claims that the driving force behind the release was to raise awareness about the security vulnerabilities in Snapchat and to pressure Snapchat into fixing them.

Recently Gibson Security had alerted Snapchat to a vulnerability that allows an attacker to abuse the “find friends” feature in Snapchat and match users’ phone numbers to their Snapchat accounts.

Security vulnerability exploited to carry out the attack. Image from http://arstechnica.com/

However, Snapchat disregarded Gibson Security’s warnings. In its blog post Snapchat said: “Theoretically, if someone were able to upload a huge set of phone numbers, like every number in an area code, or every possible number in the U.S., they could create a database of the results and match usernames to phone numbers that way. We recently added additional countermeasures and continue to make improvements to combat spam and abuse”. Gibson Security tried to warn Snapchat both privately and publicly about these security weaknesses many times. On Christmas Eve they also publicly posted a report highlighting the vulnerabilities in the Snapchat application’s APIs. According to the security team, it would have taken only a few lines of code to fix the weakness. Unfortunately, unlike Snapchat, the hacker group took Gibson Security’s warnings seriously and exploited this vulnerability to carry out their attack.
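The abuse Snapchat itself describes above (uploading every number in an area code to a contact-matching endpoint) is easy to spot on the server side, because an honest client uploads one address book of a few hundred contacts while an enumeration uploads thousands of numbers per minute. The following is an added example, not code from the original post or from Snapchat, of a sliding-window check over an access log; the log format, client identifiers and thresholds are all hypothetical.

```python
"""Added example (not from the original post or from Snapchat): detecting bulk
'find friends' lookups on the server side.  The log format, client identifiers
and thresholds below are hypothetical."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed access log for a contact-matching endpoint (hypothetical format):
# "<ISO timestamp> <client_id> find_friends <number_of_phone_numbers_submitted>"
SAMPLE_LOG = """\
2014-01-01T02:00:00Z user_alice find_friends 120
2014-01-01T02:00:05Z user_alice find_friends 95
2014-01-01T02:01:10Z user_bob find_friends 40
2014-01-01T02:01:11Z client_9f3a find_friends 10000
2014-01-01T02:01:12Z client_9f3a find_friends 10000
2014-01-01T02:01:13Z client_9f3a find_friends 10000
2014-01-01T02:01:14Z client_9f3a find_friends 10000
2014-01-01T02:01:15Z client_9f3a find_friends 10000
2014-01-01T02:01:16Z client_9f3a find_friends 10000
2014-01-01T02:05:00Z user_carol find_friends 300
"""

WINDOW = timedelta(minutes=5)
MAX_NUMBERS_PER_REQUEST = 1000   # a real address book holds hundreds of contacts, not thousands
MAX_NUMBERS_PER_WINDOW = 5000    # an honest client uploads its book once, not an area code


def parse_log(text):
    """Parse log lines into (timestamp, client, count) tuples, skipping other actions."""
    events = []
    for line in text.splitlines():
        ts, client, action, count = line.split()
        if action != "find_friends":
            continue
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), client, int(count)))
    return events


def find_enumerators(events, window=WINDOW,
                     per_request=MAX_NUMBERS_PER_REQUEST,
                     per_window=MAX_NUMBERS_PER_WINDOW):
    """Return {client: peak_numbers_in_window} for clients that exceed either limit.

    A single oversized request is flagged on its own; smaller requests are
    summed over a sliding window so that splitting the upload does not help.
    """
    by_client = defaultdict(list)
    for ts, client, count in sorted(events):
        by_client[client].append((ts, count))

    flagged = {}
    for client, requests in by_client.items():
        start, running = 0, 0
        for ts, count in requests:
            running += count
            # Drop requests that have fallen out of the window.
            while requests[start][0] < ts - window:
                running -= requests[start][1]
                start += 1
            if count > per_request or running > per_window:
                flagged[client] = max(flagged.get(client, 0), running)
    return flagged


if __name__ == "__main__":
    for client, peak in find_enumerators(parse_log(SAMPLE_LOG)).items():
        print(f"possible enumeration by {client}: {peak} numbers within {WINDOW}")
```

The counter has to be keyed to something the caller cannot rotate cheaply (an authenticated account or registered device rather than a bare IP address), otherwise the lookups are simply spread across many identities and each one stays under the limit.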

In response to the Snapchat hack, Gibson Security has offered some help to the affected Snapchat users: a website where users can look up whether their accounts have been exposed. The impact of the hack can be more severe because people tend to reuse the same username and password across their other accounts, and as a result they can fall prey to spamming and phishing attacks. So, if you think your account has been exposed, reset your username and passwords for your other accounts as well. We usually trust most of these popular applications and share all our personal information with them. We need to use common sense and good judgment in deciding what to share and what not to share with these apps. In future we are going to see more such attacks, because these days app developers pay more attention to building flashy, revenue-generating apps than to taking care of the privacy and security of their users. Because adding more security controls affects the user experience, apps tend to ship with fewer of them. App developers need to be more responsible for the security of their customers. Companies should not take the warnings of security experts lightly, and proper action should be taken to fix the vulnerabilities in their applications. Most importantly, databases containing personal user data should be protected with strong security controls.

Protect your personal data with SpiderOak

Users sometimes find that selecting a truly protected third-party cloud service can be a challenge, as most “secure” services on the market have glaring security gaps that leave their sensitive data wide open to third-party attacks, leaks, and hacking. One rapidly expanding cloud storage and sync service that sets itself apart from the rest of the market is SpiderOak. This service provides users with fully private cloud storage and syncing, featuring all of the benefits of the cloud along with 100% data privacy. SpiderOak is available with onsite deployment and private servers or outsourced deployment through a private and secured public cloud server, so that users and small businesses of all sorts and sizes can tailor the service to fit their needs.

SpiderOak protects sensitive user data with 256-bit AES encryption so that files and passwords stay private. Authorized accounts and network devices can store and sync sensitive data with complete privacy, because this cloud service has absolutely “zero-knowledge” of user passwords or data. And all plaintext encryption keys are exclusively stored on approved devices because SpiderOak never hosts any plaintext data. This way, even if programs like NSA’s PRISM continue to stand unchallenged, people can rest easy knowing that their data is truly protected. SpiderOak’s cross-platform private cloud services are available for users on Windows, Mac, and Linux platforms, along with Android and iOS mobile devices, allowing for full flexibility and mobile access. SpiderOak offers amazing products like SpiderOak Hive and SpiderOak Blue to secure consumer and enterprise data. Sign up for this product now.

Biggest Security Events of 2013

Posted by Kalyani M. on Jan 2, 2014

Important security events of 2013. Image from http://r3.cygnuspub.com/

As the year 2013 bids adieu, let’s take a look back at some of the biggest privacy and security issues of the year. As an information security professional, I found this year very interesting from a cyber security point of view. We got to see many new forms of cyber attack and new security controls to counteract them. The year was a mixed bag of security events, from the revelations of the NSA’s most controversial program, PRISM, which had their positive side, to some of the biggest data and credit card breaches ever. Let’s hope we learn some lessons from these security breaches and establish strong security mechanisms to protect our personal data from cyber attacks.

Here are the highlights of some of the major security events of 2013:

NSA surveillance program. Image from https://dgtyg67y1bedo.cloudfront.net

NSA Surveillance Program: One of the biggest stories of 2013 was the revelation of the NSA’s PRISM program. The documents leaked by a former NSA contractor, Edward Snowden, showed that the US government has been spying on everything and everyone around the world. The revelations indicated that the NSA collects huge amounts of user data by breaking security standards, tapping into data center links and sending legal notices to major technology companies. Major well known companies like Apple, Google, Microsoft, Yahoo, Facebook and so on were accused of cooperating with the NSA by responding to its user data collection requests. Besides sending legal notices to companies to collect huge amounts of user data, the NSA also developed several backdoor methods, like breaking encryption standards or exploiting security vulnerabilities in commercial products, to carry out surveillance activities. However, one of the positive aspects of this revelation was that companies and consumers started taking the security of their personal data seriously. People started using strong security controls such as HTTPS and Tor and became careful about sharing personal information on the Internet. Similarly, the technology companies teamed up against the NSA’s surveillance program and requested that the government allow them to publish transparency reports on the user data requests made by the spy agency, to restore the trust of their consumers.

Target Data Breach: The recent credit card breach at Target is considered the second largest data breach in US history, after the 2005 TJX Cos. credit card theft that affected 47.5 million card users. In this security breach approximately 40 million credit and debit card accounts were compromised. The intruders took advantage of a security vulnerability in the network of credit card devices during the busy Black Friday weekend and managed to access millions of customers’ personal data. Once hackers have so much personal data in their hands, they can carry out more severe attacks like phishing and identity theft. This was an unfortunate event, which could happen to any business. Businesses need to keep their systems up to date and implement security controls to protect themselves from such catastrophic incidents, and they need to be extremely alert during the holiday season, as attackers take advantage of this busy time of the year to carry out fraudulent activities.

Adobe Data Breach: There is no denying that 2013 was the year of data breaches. After Target comes the Adobe data breach, which compromised 38 million Adobe user accounts. The attackers broke into Adobe’s servers and managed to access the personal information of millions of customers, as well as the source code of well-known Adobe products such as Adobe Acrobat, ColdFusion, and many more. One of the lessons learned from this breach is that companies should securely manage the keys used to encrypt personal user data. Too often, companies leave their keys on the server right next to the data they protect; as a result, an attacker who breaks into the server holding the sensitive user data gets the keys as well.

CryptoLocker Ransomware: Last but not least, this year was noteworthy for the malicious CryptoLocker ransomware, which has affected millions of computers. This is a virus/Trojan that allows the author of the malware to take control of your computer by encrypting all your files and documents. Once all your files are encrypted, you receive a pop-up message asking you to pay a ransom in order to regain access to your documents. This kind of situation really highlights the importance of backing up your files and important documents on a secure cloud storage system. If you have backed up all your files regularly, you are not trapped in such a situation. Always use strong passwords to protect your data in the cloud; your passwords should be long, complex and hard to guess. CryptoLocker primarily spreads through booby-trapped email attachments, so use proper judgment and do not open any suspicious email attachment. Remember, one click can infect your entire system.

These incidents definitely teach us some important lessons, like the importance of strong encryption standards, efficient key management, strong passwords and secure cloud storage systems for better security. With every New Year, new cyber threats evolve, but by taking some of these security measures we can ensure better protection of our data.

SpiderOak protects your data from unauthorized access

Most popular “secure” cloud services are still vulnerable to third party attacks. To truly experience privacy for your individual or business needs, an anonymous cloud storage and sharing service like SpiderOak provides all the benefits of the cloud while protecting against hacking and security breaches. This service provides users with fully private cloud storage and syncing, featuring all of the benefits of the cloud along with 100% data privacy.

SpiderOak protects sensitive user data with 256-bit AES encryption so that files and passwords stay private. Authorized accounts and network devices can store and sync sensitive data with complete privacy, because this cloud service has absolutely “zero-knowledge” of user passwords or data. And all plaintext encryption keys are exclusively stored on approved devices because SpiderOak never hosts any plaintext data. This way, even if programs like PRISM continue to stand unchallenged, people can rest easy knowing that their data is truly protected. SpiderOak’s cross-platform private cloud services are available for users on Windows, Mac, and Linux platforms, along with Android and iOS mobile devices, allowing for full flexibility and mobile access. SpiderOak offers amazing products like SpiderOak Hive and SpiderOak Blue to secure consumer and enterprise data. You can sign up for this product now.

Silent Circle Replaces NIST Encryption Standards

Posted by Kalyani M. on Jan 1, 2014

End to End encryption with Silent Circle. Image from http://www.engadget.com

In Monday’s post, I mentioned the importance of end-to-end encryption tools like PGP and Silent Circle for better security of our data. Silent Circle has decided to move away from the National Institute of Standards and Technology (NIST) encryption standards and implement its own choice of cryptographic technologies for extra protection from NSA surveillance. In today’s post, I am going to discuss in detail why Silent Circle moved to new encryption standards and why it considers them better than the NIST encryption standards.

Silent Circle provides encrypted Voice over Internet Protocol (VoIP) and text messaging apps and services. After closely watching the revelations about the NSA, the company decided to replace the AES and SHA-2 cryptographic standards in the best interest of itself and its customers. The documents leaked by Edward Snowden indicated that the NSA has been successful in undermining the majority of encryption standards across the Web, and that it influenced NIST to weaken a random number generator standard in 2006. The Dual Elliptic Curve Deterministic Random Bit Generator (Dual EC DRBG), approved by NIST in 2006, had several security weaknesses and was vulnerable to tampering. NIST not only approved this technology but also recommended that companies embed Dual EC DRBG in their commercial products. The NSA exploits these weaknesses in commercial products to establish backdoors for surveillance purposes.

Encrypted VoIP and text services. Image from http://greycoder.com/

Silent Circle will be replacing the AES cipher with the Twofish cipher and the SHA-2 hash function with the Skein hash function in its products. Twofish was developed by well-known cryptographer Bruce Schneier and his team, and was a finalist in NIST’s selection of the AES cipher. The same group developed the Skein hash function, which was a SHA-3 finalist. The company trusts these two cryptographic technologies because they come from trusted sources, and the co-founders of Silent Circle personally know the team behind them.

Twofish encryption standard. Image from http://www.ravenproject.us

The company is also planning to stop using one of the elliptic curves recommended by NIST, P-384. The NSA has been a strong supporter of Elliptic Curve Cryptography (ECC), saying it is stronger, more secure and provides better performance. P-384 is one of the elliptic curves used in the Suite B set of cryptographic algorithms. Many cryptographers have argued that there are potential security weaknesses in the Suite B algorithms. Silent Circle is planning to replace P-384 with elliptic curves designed by security experts Daniel Bernstein and Tanja Lange, both of whom have argued in the past about weaknesses in the Suite B algorithms. Jon Callas, one of the founders of Silent Circle, says that moving away from NIST standards does not mean the company does not trust those standards. It still plans to support NIST-sanctioned algorithms but will not use them by default in its products and services.

So far we do not have any evidence that these standards provide foolproof protection against surveillance programs, but the move definitely shows the potential for better protection of sensitive user information. One thing is for sure: the NSA revelations have made organizations more responsible for the security of their customers. Many companies are working on products and technologies that would provide better security to their customers and restore their customers’ trust in their products and services.

Secure cloud storage service that protects your data from surveillance

SpiderOak is a secure cloud storage service that protects its user data from government surveillance. This service provides users with fully private cloud storage and syncing, featuring all of the benefits of the cloud along with 100% data privacy. SpiderOak is available with onsite deployment and private servers or outsourced deployment through a private and secured public cloud server, so that users and small businesses of all sorts and sizes can tailor the service to fit their needs.

SpiderOak protects sensitive user data with 256-bit AES encryption so that files and passwords stay private. Authorized accounts and network devices can store and sync sensitive data with complete privacy, because this cloud service has absolutely “zero-knowledge” of user passwords or data. And all plaintext encryption keys are exclusively stored on approved devices because SpiderOak never hosts any plaintext data. This way, even if programs like NSA’s PRISM continue to stand unchallenged, people can rest easy knowing that their data is truly protected. SpiderOak’s cross-platform private cloud services are available for users on Windows, Mac, and Linux platforms, along with Android and iOS mobile devices, allowing for full flexibility and mobile access. SpiderOak offers amazing products like SpiderOak Hive and SpiderOak Blue to secure consumer and enterprise data. You can sign up for this product now.

 

Growing Security Threats with CryptoLocker Ransomware

Posted by Kalyani M. on Dec 31, 2013

Pop up message after your computer gets hijacked by the hacker. Image from http://cdn.blog.malwarebytes.org

Over the last few months, we have been hearing a lot about security breaches due to the CryptoLocker ransomware. This is basically a virus/Trojan horse that takes control of your PC by encrypting your files and restricting access to them unless you pay a ransom to the author of the malware. The ransom needs to be paid in bitcoins. It generally affects users of the Windows operating system. According to research by Dell’s security team, CryptoLocker has managed to infect nearly 250,000 systems, stealing millions of dollars. In a post on their blog, Dell stated that ”(b)ased on the presented evidence, researchers estimate that 200,000 to 250,000 systems were infected globally in the first 100 days of the CryptoLocker threat”. The security researchers at Dell believe that if the bitcoins (1216 Bitcoins) collected as a result of these attacks since September this year were sold by the hackers, they would have earned approximately $380,000.

Let’s take a look at how this malware attacks your system. CryptoLocker basically gets onto your computer if you click on a malicious email attachment, or if your system gets compromised and the attacker takes advantage of outdated browser plugins to install the malware. It is difficult to detect CryptoLocker because your system keeps working normally while your important files (pictures, documents, MP3s) get encrypted. Your computer shows no sign of being infected, because it usually takes hours to encrypt the files and folders on a PC. Once all your files and folders are encrypted, a message with a timer pops up on your screen asking you to pay the ransom or lose access to your important files forever. You do not have the option to decrypt your files yourself, as the decryption key is retained on the attacker’s server. This is definitely not a good situation to be in: you do not want to lose access to all your important documents as a result of such an attack, and on top of that you have to pay a hefty amount to get your access back. If you have not backed up your files, your options are very limited.
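Because the encryption described above runs quietly for hours while the machine looks healthy, one thing a backup or endpoint tool can watch for is a batch of documents that suddenly turn into statistically random bytes. The following added example, not from the original post, compares each file against its own earlier entropy rather than against an absolute level, so that already-compressed files such as photos do not trip the check. The file snapshots are constructed in-memory byte strings, and the thresholds are assumptions.

```python
"""Added example (not from the original post): a baseline-comparison check for
slow, silent bulk encryption.  Files are constructed in-memory byte strings
rather than a real disk snapshot; thresholds are assumptions."""
import hashlib
import math


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty or constant data, up to 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def pseudo_ciphertext(seed: bytes, length: int) -> bytes:
    """Deterministic high-entropy bytes standing in for encrypted file contents
    (constructed by SHA-256 chaining; not real ransomware output)."""
    out, block = b"", seed
    while len(out) < length:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:length]


TEXT = (b"Quarterly sales report. Revenue grew in all regions; see the tables below "
        b"for a breakdown by product line and territory.\n") * 40

# Snapshot before infection (constructed).  photo.jpg is already high-entropy,
# as compressed formats are, which is why an absolute threshold would misfire.
BEFORE = {
    "report.docx": TEXT,
    "notes.txt": TEXT[:1500],
    "budget.xls": TEXT[500:3500],
    "photo.jpg": pseudo_ciphertext(b"jpeg", 4096),
    "readme.txt": b"Backup instructions: copy the Documents folder weekly.\n" * 20,
}

# Snapshot hours later: three documents replaced by same-size ciphertext,
# the photo and the readme untouched.
AFTER = dict(BEFORE)
for _name in ("report.docx", "notes.txt", "budget.xls"):
    AFTER[_name] = pseudo_ciphertext(_name.encode(), len(BEFORE[_name]))


def detect_mass_encryption(before, after, min_jump=1.5, min_files=3):
    """Return the sorted names of files whose entropy rose by at least
    ``min_jump`` bits/byte, or [] if fewer than ``min_files`` did.

    Comparing against each file's own baseline keeps legitimately compressed
    files (images, archives) from raising alarms; requiring several files to
    jump at once separates an infection from a single file being zipped.
    """
    jumped = [
        name for name in before
        if name in after
        and shannon_entropy(after[name]) - shannon_entropy(before[name]) >= min_jump
    ]
    return sorted(jumped) if len(jumped) >= min_files else []


if __name__ == "__main__":
    hits = detect_mass_encryption(BEFORE, AFTER)
    print("files that turned into noise:", hits or "none")
```

A check like this tells you something went wrong after the fact; it does not recover the files, which is why the paragraphs that follow put the weight on having a current backup.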

You have to pay in bitcoins to get access to your files. Image from https://threatpost.com/f

This kind of situation really highlights the importance of backing up your files and important documents on a secure cloud storage system. If you have backed up all your files regularly, you are not trapped in such a situation: you can access and retrieve your files from any computer, any time. In this scenario all you need to do is completely reformat or replace the hard drive, and then download all your files from the cloud storage system. Schedule your cloud backup regularly to keep yourself from being held hostage in such a situation.

Apart from having an up-to-date remote backup of all your files, you should also install the latest anti-malware and anti-virus software. You should have these configured for active protection, i.e. they should always be running in the background, checking to make sure that no virus, Trojan or other malware takes over your system. For example, Malwarebytes anti-malware software is an effective kit that actively scans your system for malware attacks and prevents malware infection. Also, Brian Krebs of krebsonsecurity.com recommends the CryptoPrevent kit, which can effectively prevent CryptoLocker infections. Apart from anti-malware applications, you should also have the latest anti-virus software running in the background, since the two serve different functions.

Prevention of CryptoLocker ransomware. Image from http://krebsonsecurity.com

The final point I want to make is to advise users to exercise good judgment and common sense. As mentioned earlier, CryptoLocker primarily spreads through booby-trapped email attachments. If you get an email from someone you do not know (and even if it is from someone you know), exercise caution in opening that email, and unless you are positively certain about the source, do not click on any attachments. One click can infect your system, and can be avoided if you show good judgment. Delete any emails that appear suspicious to completely eliminate any possibility of the infection making its way into your system.

Secure cloud storage service that protects your data

SpiderOak is a secure cloud storage service that protects its user data from government surveillance. This service provides users with fully private cloud storage and syncing, featuring all of the benefits of the cloud along with 100% data privacy. SpiderOak is available with onsite deployment and private servers or outsourced deployment through a private and secured public cloud server, so that users and small businesses of all sorts and sizes can tailor the service to fit their needs.

SpiderOak protects sensitive user data with 256-bit AES encryption so that files and passwords stay private. Authorized accounts and network devices can store and sync sensitive data with complete privacy, because this cloud service has absolutely “zero-knowledge” of user passwords or data. And all plaintext encryption keys are exclusively stored on approved devices because SpiderOak never hosts any plaintext data. This way, even if programs like NSA’s PRISM continue to stand unchallenged, people can rest easy knowing that their data is truly protected. SpiderOak’s cross-platform private cloud services are available for users on Windows, Mac, and Linux platforms, along with Android and iOS mobile devices, allowing for full flexibility and mobile access. SpiderOak offers amazing products like SpiderOak Hive and SpiderOak Blue to secure consumer and enterprise data. You can sign up for this product now.

NSA Partners With RSA to Weaken Encryption Standards

Posted by Kalyani M. on Dec 30, 2013

NSA paid RSA to weaken encryption standards. Image from http://img.rt.com

The NSA has been working secretly for a decade to break the security standards of the Internet. The spy agency spends millions of dollars every year to break the encryption standards used to protect sensitive information like trade secrets, secure emails, and medical records. According to the documents leaked by Edward Snowden, it has been successful in circumventing the majority of encryption technologies on the Web through partnerships with security companies, court orders, and backdoor methods. The NSA works closely with security vendors to understand the vulnerabilities in commercial products and exploits them to carry out surveillance activities. There are times when the spy agency asks companies to deliberately make changes to their products in undetectable ways, like leaking encryption keys, making random number generators less random, adding a common exponent to a public-key exchange protocol, and so on.

Speaking of commercial partnerships between security companies and the NSA, a shocking revelation has come to light recently. RSA, one of the most famous cyber security companies, was paid $10 million by the NSA in a “secret deal” to include a flawed encryption technology in widely used security software. As per the articles published by The Guardian, The New York Times and ProPublica, the NSA has been working with many technology companies to undermine the security standards of many commercial products. The NSA took advantage of the weaknesses in the cryptographic random number generator Dual Elliptic Curve Deterministic Random Bit Generator (Dual EC DRBG) to install backdoors in commercially used encryption products. RSA was paid by the NSA to embed the flawed random number generator, Dual EC DRBG, in its widely used security product, the BSafe toolkit. The Dual EC DRBG algorithm has been under the scrutiny of security experts for a long time; they have suspected that the algorithm was insecure and vulnerable to tampering. It remains unclear how, given so many shortcomings, Dual EC DRBG was approved by NIST. Approval of weak security standards by NIST also raises questions about its cooperation with the NSA.

The NSA uses backdoor in many commercial products for surveillance. Image from http://cdn.arstechnica.net

However, RSA denies being involved in any secret deal with the NSA to weaken encryption standards. RSA claims that it decided to use Dual EC DRBG by default in the BSafe toolkits to develop newer and stronger encryption methods, and that it used this technology because of its value for Federal Information Processing Standards compliance. RSA said in a statement: “RSA always acts in the best interest of its customers and under no circumstances does RSA design or enable any back doors in our products. Decisions about the features and functionality of RSA products are our own.”

Keeping all these security concerns at the forefront, as users we need to look for more secure end-to-end encryption tools such as PGP or Silent Circle. These are some of the more secure alternatives that can provide better protection against NSA surveillance. Recently, Silent Circle announced that it would replace NIST approved encryption standards like AES and Secure Hash Algorithm 2 in its products to thwart the NSA from spying on user data.

Enterprises should use most relevant security products and technologies, and should be transparent about their security practices. They should not encourage any modification in their products that would facilitate surveillance activities.

True Privacy with SpiderOak

At SpiderOak, we protect sensitive user data using 256-bit AES encryption so that files and passwords remain secure. SpiderOak encrypts the files on your computer before uploading them to the server. As a result, you and only you have access to your unencrypted data. Even SpiderOak cannot read your data, because the keys used for encryption belong only to you. The secret that keeps your data accessible to you alone is your SpiderOak password, which is never transmitted to SpiderOak in its original form. SpiderOak generates a key from your password using the key derivation/strengthening algorithm PBKDF2 (with SHA-256), with a minimum of 16384 rounds and 32 bytes of random data (“salt”). This key is then used to encrypt/decrypt a series of strong encryption keys that in turn encrypt/decrypt your data. So a user who knows her password can generate the outer level encryption key using PBKDF2 and the salt, then decipher the outer level keys, and be on the way to decrypting her data. Without knowledge of the password, however, the data is unreadable. This way, even if programs like NSA’s PRISM continue to stand unchallenged, people can rest easy knowing that their data is in truly protected form.
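The layering just described (password, then PBKDF2 outer key, then wrapped inner keys, then data) is also the answer to the Adobe lesson from the “Biggest Security Events of 2013” post above: the key that unlocks everything is never stored next to the data. The following is an added example written for this page, not SpiderOak’s code, using only Python’s standard library. PBKDF2-HMAC-SHA256 with 16384 rounds and a 32-byte random salt derives the outer key; that key wraps a random inner key; the inner key encrypts the file. AES is not in the standard library, so an HMAC-SHA256 counter-mode keystream with an HMAC tag stands in for the symmetric cipher (a stand-in for illustration, not the service’s cipher).

```python
"""Added example, not SpiderOak's code: the layered key scheme described in the
text, built from Python's standard library.  PBKDF2-HMAC-SHA256 (16384 rounds,
32-byte salt) -> outer key; outer key wraps a random inner key; inner key
encrypts the data.  The HMAC-based stream cipher below is a stand-in for AES,
which the standard library lacks.  The stored record holds only the salt, the
wrapped inner key and the ciphertext, so whoever holds the record alone has
nothing to decrypt it with."""
import hashlib
import hmac
import os

ROUNDS = 16384       # PBKDF2 iteration count given in the text
SALT_BYTES = 32      # random salt length given in the text
NONCE_BYTES = 16
TAG_BYTES = 32


def derive_outer_key(password: str, salt: bytes) -> bytes:
    """Password -> 32-byte outer key.  Only the client ever runs this."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ROUNDS, dklen=32)


def _subkey(key: bytes, label: bytes) -> bytes:
    """Derive separate encryption and MAC keys from one parent key."""
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC -> nonce || ciphertext || tag."""
    enc_key, mac_key = _subkey(key, b"enc"), _subkey(key, b"mac")
    nonce = os.urandom(NONCE_BYTES)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag first; a wrong key or altered data raises instead of yielding garbage."""
    enc_key, mac_key = _subkey(key, b"enc"), _subkey(key, b"mac")
    nonce, ct, tag = blob[:NONCE_BYTES], blob[NONCE_BYTES:-TAG_BYTES], blob[-TAG_BYTES:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong password/key or tampered data")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def enroll(password: str):
    """Client-side setup.  Returns (record_safe_to_store_remotely, inner_key_kept_in_memory)."""
    salt = os.urandom(SALT_BYTES)
    inner_key = os.urandom(32)
    record = {"salt": salt, "wrapped_key": seal(derive_outer_key(password, salt), inner_key)}
    return record, inner_key


def encrypt_file(inner_key: bytes, data: bytes) -> bytes:
    return seal(inner_key, data)


def decrypt_file(password: str, record: dict, blob: bytes) -> bytes:
    """Password + salt -> outer key -> inner key -> plaintext, the chain the text describes."""
    inner_key = unseal(derive_outer_key(password, record["salt"]), record["wrapped_key"])
    return unseal(inner_key, blob)


if __name__ == "__main__":
    record, key = enroll("correct horse battery staple")
    blob = encrypt_file(key, b"2013 tax return")
    print(decrypt_file("correct horse battery staple", record, blob))
```

Two details carry the weight here: the salt makes the outer key unique per user, so a stolen record cannot be attacked with a precomputed table, and the tag check in `unseal` means a wrong password fails cleanly rather than producing plausible-looking noise.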

SpiderOak offers amazing products like SpiderOak Hive and SpiderOak Blue to secure consumer and enterprise data. SpiderOak Blue provides enterprises with a fully private cloud service featuring all of the benefits of cloud storage along with 100% data privacy. And for the average web user, SpiderOak offers the same protections with lower costs and smaller storage space. You can sign up for this product now.

How to Protect Yourself From Online Holiday Scams

Posted by Kalyani M. on Dec 27, 2013

Fake Amazon emails were sent to MicrosoftLive email accounts. Image from http://www2.pcmag.com

Finally, the holidays are here. The holiday season is the time of giving and of making purchases for near and dear ones. This is the busiest season of the year for retailers and holiday shoppers. It’s also one of the busiest for cybercriminals, who take advantage of this busy time to carry out fraudulent activities. Like millions of other people, if you order something on Amazon, your inbox is likely to be flooded with purchase confirmation emails during this time. With so many of them, you might not pay attention to whether an email is a legitimate message from Amazon or a fake. Recently, researchers at Malwarebytes revealed that spammers are targeting Amazon account holders by sending emails containing Trojan malware.

According to the findings of Christopher Boyd, suspicious Amazon order invoices dated Dec 8th and 9th were aimed at Microsoft Live email accounts. A legitimate-looking email was sent to many Amazon account holders saying that there had been a change in their order status and that, to check the details, they needed to open a zip file attached to the email. These emails, which claimed to contain order invoices and order details, carried Trojan-infected zip files. Two types of Trojans were found in the zip files: Trojan.Inject.RRE and Trojan.Zbot.ML. If you do not pay close attention to the details of this fake email and end up downloading the zip file, your system might be compromised. As I mentioned earlier, these emails were aimed at @live addresses and were CCed to multiple Microsoft Live addresses. However, Outlook and Hotmail caught these emails as spam.

Trojan Infected zip file. Image from http://cdn.blog.malwarebytes.org

Similarly, last season many users got a text message saying that they had won a $1000 gift card from Best Buy. The text tricked users into visiting legitimate-looking websites (BestBuyContest.com and BestBuyWin.net) to enter a code in order to claim their gift cards. Those who visited the websites were asked to provide personal details such as name, address, email address, phone number and date of birth. This information can be extremely valuable to attackers, who can use it to carry out phishing and identity theft attacks.

Best Buy Scam. Image from http://www.180techtips.com

There is a high possibility that you will receive such emails or texts during the holiday season. You can take these steps to protect yourself from such attacks:

  • First of all, pay attention to the details of the email before opening any attachment or clicking on any link. Do not click on any link or download any file if you find anything suspicious.
  • A legitimate email containing your order details or any other personal information will usually not be CCed to a lot of people, so look out for that. In the Amazon scam, the emails were CCed to multiple Microsoft Live addresses. This is a clear indication that the email is not coming from a legitimate source.
  • Look for security protocols and symbols such as https (the padlock) before entering your personal details on any website.
  • If you have any suspicion regarding an email or message, confirm it by calling the legitimate organization independently and asking whether they ever sent such an email.
  • Do not trust any text message that says you have won something or asks you to click on a link. These text messages are aimed at collecting users’ personal details in order to carry out more severe attacks. If you really had won something that valuable, you would not simply receive a text message asking for your personal details.
  • Don’t think you are entirely safe staying offline, either. People are in a rush this time of year, so they aren’t paying as much attention when shopping. This can particularly hurt people suffering from bankruptcy, as the recent data breach at Target showed. It demonstrated how the reach of cybercriminals can extend into the physical world.
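The Amazon invoice lure described above combines two of the tells in this list: a zip attachment and a crowd of CC recipients. As an added example (not from the original post), the following standard-library Python script checks a message for exactly those signals; the sample headers, addresses, domains and the recipient threshold are constructed here and are not from any real scam email.

```python
"""Triage heuristics for the holiday 'order invoice' lure: a zip attachment,
an order/invoice subject, and a message CC'd to many unrelated mailboxes.
Standard library only; the sample messages below are constructed, not real."""
import email
import email.policy
import email.utils
import os

RISKY_EXTENSIONS = {".zip", ".exe", ".scr", ".js", ".rar", ".7z"}
MAX_PLAUSIBLE_RECIPIENTS = 3   # order mail is addressed to you, not a crowd (assumed threshold)

# Constructed sample resembling the Amazon invoice lure (reserved .test/.example domains).
SAMPLE_SCAM = b"""\
From: "Amazon.com" <auto-confirm@example-amazon-lookalike.test>
To: victim1@live.example
Cc: victim2@live.example, victim3@live.example, victim4@live.example, victim5@live.example
Subject: Your Amazon.com order status has changed
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Your order status has changed. Open the attached invoice for details.
--b1
Content-Type: application/zip; name="Order_Invoice.zip"
Content-Disposition: attachment; filename="Order_Invoice.zip"
Content-Transfer-Encoding: base64

UEsDBAoAAAAAAA==
--b1--
"""

# Constructed sample of an ordinary shipping notice with none of the signals.
SAMPLE_LEGIT = b"""\
From: Shop <orders@shop.example>
To: you@live.example
Subject: Your order has shipped
MIME-Version: 1.0
Content-Type: text/plain

Your package is on the way. Track it at https://shop.example/track
"""


def triage(raw):
    """Return human-readable reasons the message looks like a lure (empty if none)."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    reasons = []

    # Signal 1: addressed to many recipients (the To + Cc headers together).
    recipients = email.utils.getaddresses(msg.get_all("to", []) + msg.get_all("cc", []))
    if len(recipients) > MAX_PLAUSIBLE_RECIPIENTS:
        reasons.append(f"addressed to {len(recipients)} recipients")

    # Signal 2: an attachment whose extension is an archive or executable type.
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = os.path.splitext(name)[1].lower()
        if ext in RISKY_EXTENSIONS:
            reasons.append(f"attachment {name!r} is a {ext} file")

    # Signal 3: an order/invoice subject only counts together with another signal,
    # since real order mail uses the same words.
    subject = (msg["subject"] or "").lower()
    if reasons and any(word in subject for word in ("order", "invoice")):
        reasons.append("order/invoice subject combined with the signals above")
    return reasons
```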

SpiderOak protects your data from unauthorized access

Most popular “secure” cloud services are still vulnerable to third party attacks. To truly experience privacy for your individual or business needs, an anonymous cloud storage and sharing service like SpiderOak provides all the benefits of the cloud while protecting against hacking and security breaches. This service provides users with fully private cloud storage and syncing, featuring all of the benefits of the cloud along with 100% data privacy.

SpiderOak protects sensitive user data with 256-bit AES encryption so that files and passwords stay private. Authorized accounts and network devices can store and sync sensitive data with complete privacy, because this cloud service has absolutely “zero-knowledge” of user passwords or data. And all plaintext encryption keys are exclusively stored on approved devices, because SpiderOak never hosts any plaintext data. This way, even if programs like the NSA’s PRISM continue to stand unchallenged, people can rest easy knowing that their data is truly protected. SpiderOak’s cross-platform private cloud services are available for users on Windows, Mac, and Linux platforms, along with Android and iOS mobile devices, allowing for full flexibility and mobile access. SpiderOak offers amazing products like SpiderOak Hive and SpiderOak Blue to secure consumer and enterprise data. You can sign up for this product now.

A Consumer Privacy Bill of Rights, Part II

Posted by on Dec 26, 2013

Privacy of data on Cloud and online services. Image from http://linuxcoaching.ie

Cloud services have made our lives easier by making our data available to us anytime, from anywhere. Adoption of this emerging trend has proved beneficial for many of us. At the same time, however, it has opened the doors to new security risks and vulnerabilities. A day does not go by without news of a security breach exposing user data after attackers broke into the servers of a cloud storage system. According to Gartner, “Cloud services are especially difficult to investigate, because logging and data for multiple customers may be co-located and may also be spread across an ever-changing set of hosts and data centers. If you cannot get a contractual commitment to support specific forms of investigation, along with evidence that the vendor has already successfully supported such activities, then your only safe assumption is that investigation and discovery requests will be impossible.”

Cloud services are vulnerable to external as well as internal attacks, since we are putting the security of our data in the hands of cloud service providers. There is a possibility that the cloud service providers can access customer data, or provide it to surveillance agencies on receiving a legal notice. The NSA has been successful in collecting huge amounts of user data by breaking encryption technologies, as well as by serving data request notices on cloud storage companies. As we trust cloud services with the protection of our personal data, it is their responsibility to make sure that our data remains safe and secure from such attacks. They should implement strong encryption standards such as 256-bit AES for better security. Encryption has time and again proved to be the most secure method for protecting data in the cloud. The keys used for encrypting sensitive customer data should be managed effectively, with periodic key rotation and re-encryption of data under the new keys. Employees should not be given access to more than what is needed to complete their tasks. Cloud storage companies should implement effective security controls like strong passwords, longer keys and robust hash algorithms that make it difficult for anyone to access user data.

Consumer privacy rights for cloud service. Image from http://axeetech.com/

As consumers, we have certain responsibilities regarding the protection of our own data in cloud storage systems. You should always use strong passwords for better protection of your data. Your passwords should be long and complex, and should be changed frequently. Cloud storage services like SpiderOak allow users to encrypt their files on their own computer before uploading them to the servers. The secret that keeps your data accessible to you alone is your SpiderOak password, which is never transmitted to SpiderOak in its original form. Without knowledge of the password, the data is unreadable. This way, even if programs like the NSA’s PRISM continue to stand unchallenged, people can rest easy knowing that their data is in truly protected form. It is therefore essential for users to have strong passwords for cloud services.

Consumer privacy rights for online services. Image from http://media.cirrusmedia.com.au/

Now let us come to the online services that we use in our day-to-day lives. It is hard to imagine passing a day without checking our Gmail or Yahoo Mail accounts or logging on to Facebook to see what our friends are doing. These services also come with a fair amount of security risk. They often monitor user activity in order to send targeted advertisements. A recent report revealed that several top websites use hidden scripts to determine how long you hover over an ad, when you pause, and whether you click on it. This way they determine what interests you and keep sending you promotions or advertisements that match those interests. Facebook has recently announced its intent to monitor users’ cursor movements to make improvements to its service. It will collect information such as how long your cursor hovers over a particular part of its website, or whether your news feed is visible at a given moment on your mobile phone’s screen. They store all this captured information in a data analytics warehouse and make sure that you get targeted ads related to the things you hover your cursor over the most. The NSA takes advantage of these same targeted-advertising technologies to carry out surveillance. The NSA has been successful in breaking encryption standards, monitoring website cookies and tapping into the data center links of well-known technology companies to collect user data.

We deserve to know how the web services that we use almost every day manage and store our data. They should clearly indicate in their privacy policies what security precautions they take to protect our data and how much of it is shared with third parties or advertisers. What security controls do they have in place to protect data from NSA surveillance? What data do they share with the security agencies on receiving a legal notice? They need to be transparent about their cooperation with the NSA in handling user data. A detailed report explaining what information they provided in response to National Security Letters and other government demands would help these companies gain the trust of their users.

Secure your personal data with SpiderOak

Users sometimes find that selecting a truly protected third party cloud service can be a challenge as most “secure” services on the market have glaring security gaps that leave their sensitive data wide open to third party attacks, leaks, and hacking. One rapidly expanding cloud storage and sync service that sets itself apart from the rest of the market is SpiderOak. This service provides users with fully private cloud storage and syncing, featuring all of the benefits of the cloud along with 100% data privacy. SpiderOak is available with onsite deployment and private servers or outsourced deployment through a private and secured public cloud server, so that users and small businesses of all sorts and sizes can tailor the service to fit their needs.

SpiderOak protects sensitive user data with 256-bit AES encryption so that files and passwords stay private. Authorized accounts and network devices can store and sync sensitive data with complete privacy, because this cloud service has absolutely “zero-knowledge” of user passwords or data. And all plaintext encryption keys are exclusively stored on approved devices, because SpiderOak never hosts any plaintext data. This way, even if programs like the NSA’s PRISM continue to stand unchallenged, people can rest easy knowing that their data is truly protected. SpiderOak’s cross-platform private cloud services are available for users on Windows, Mac, and Linux platforms, along with Android and iOS mobile devices, allowing for full flexibility and mobile access. SpiderOak offers amazing products like SpiderOak Hive and SpiderOak Blue to secure consumer and enterprise data. You can sign up for this product now.

A Consumer Privacy Bill of Rights, Part I

Posted by on Dec 25, 2013

Mobile app developers need to manage and store sensitive user data securely. Image from http://www.mobileapptesting.com

With the advancement of mobile technology, companies have a great deal of consumer data in their possession. Many mobile and web applications collect personal information (like name, address, social security number or credit card details) from users in order to give them access to various services. As consumers we trust that our data is in safe hands and won’t be made available to any third party without our consent. Unfortunately, most of the time that is not the case. Many mobile applications share customer data with third parties and advertisers to generate revenue, and to provide “value-add” services (although the “value-add” is highly questionable in some cases). Sometimes they also share your personal information with the government upon receiving a legal notice for surveillance purposes. As consumers, we have a right to know how our data is being used, and also a right to understand the value of the data we provide to these applications.

Monetizing mobile apps is a challenging task, and more often than not, mobile apps end up using advertising as their primary source of revenue. With this in mind, these applications track each and every movement of the user to determine who they are. What are their interests? What is their income level? This data is extremely valuable to any business, as it yields a wealth of information about users and lets the business send them advertisements or services tailored to their interests. These days there are mobile apps for almost everything you can think of. Mobile health apps collect a great deal of personal and detailed health information from users in order to provide better services for health and well-being. Most of these apps do not even deliver the medical miracles they promise. Instead they end up sharing your sensitive health information with advertisers and third-party vendors. Exposure of so much personal data leaves you vulnerable to identity theft and annoying targeted advertisements.

Mobile health apps sometimes share sensitive health data with third parties. Image from http://twimgs.com/informationweek

Recently, it was revealed that the Android Flashlight app collects users’ geolocation data and secretly shares their location details and device IDs with advertisers without their knowledge. The app’s maker was charged by the Federal Trade Commission (FTC) with deceiving users and invading their privacy. According to the Flashlight app’s privacy policy, the company itself would use the collected geolocation data and would not share it with any third party. Most of the time, we have seen that mobile apps, especially the free ones, do not clearly state their data collection and sharing practices in their privacy policies. The privacy policies are wordy and not to the point. As a result, users do not feel like going through the whole thing before downloading an app. They just accept the terms and conditions to get access to the app as soon as possible. The privacy policies of mobile apps need to be clear and definitive, and should focus on the protection of user data. Just because an app is free does not mean that the developers have the authority to share sensitive user data without permission.

Snapchat is not as secure as it claims to be. Image from http://www.wired.com/

Many of us use mobile photo sharing apps to share pictures with our friends and families. One of the most popular mobile photo-sharing apps is Snapchat. Snapchat claims to be the most secure photo sharing app because it allows users to share pictures that disappear from devices after a certain amount of time. That means nobody other than the sender or receiver can get access to the photos. Snapchat even deletes the photos that have been opened from its servers. It definitely sounds like a safe medium for sharing your pictures. However, Snapchat has not been fully forthcoming about what happens to the photos that remain unopened. Apparently, unopened photos remain on Snapchat’s servers for thirty days. So if an intruder gets access to the company’s servers, he can access those unopened photos. Mobile apps should state how long user data is stored on their servers and what security measures they take to protect that data.

Let’s face it: downloading mobile apps is so easy and fast that many of us do not even consider glancing through their privacy policy. However, your personal data is more important than you think. As users of mobile apps, we deserve the right to know how the company manages and stores our personal data. Most of the time, app developers collect data to make improvements to their applications in order to satisfy the needs of the consumer. It is the responsibility of the app developers to let users know what and how much of their data is collected and with whom it is shared. They should not collect more from users than what is required. Their privacy policies should be transparent and more in line with protecting the privacy of the user. Lastly, proper encryption and security controls should be in place to protect sensitive user data. Having said that, the onus of reading the privacy policy still rests with the consumer. If an application asks for any personal data, please do take some time to read its privacy policy, and make sure that you are comfortable with the policy before sharing your data.

Securing your data with SpiderOak

Most popular “secure” cloud services are still vulnerable to third party attacks. To truly experience privacy for your individual or business needs, an anonymous cloud storage and sharing service like SpiderOak provides all the benefits of the cloud while protecting against hacking and security breaches. This service provides users with fully private cloud storage and syncing, featuring all of the benefits of the cloud along with 100% data privacy.

SpiderOak protects sensitive user data with 256-bit AES encryption so that files and passwords stay private. Authorized accounts and network devices can store and sync sensitive data with complete privacy, because this cloud service has absolutely “zero-knowledge” of user passwords or data. And all plaintext encryption keys are exclusively stored on approved devices, because SpiderOak never hosts any plaintext data. This way, even if programs like the NSA’s PRISM continue to stand unchallenged, people can rest easy knowing that their data is truly protected. SpiderOak’s cross-platform private cloud services are available for users on Windows, Mac, and Linux platforms, along with Android and iOS mobile devices, allowing for full flexibility and mobile access. SpiderOak offers amazing products like SpiderOak Hive and SpiderOak Blue to secure consumer and enterprise data. You can sign up for this product now.

The Importance of Encryption for Companies in the Cloud

Posted by on Dec 24, 2013

Many organizations are moving towards cloud computing because it is cost effective, flexible and easy to deploy. Cloud computing enables you to access your data anytime, from anywhere in the world. Along with many benefits, cloud services come with a fair amount of security risk. Every day millions of customers have their data compromised through attacks on cloud storage systems. As companies move data from internal servers to the cloud, that data becomes exposed to cyber attacks. To ensure the protection of consumer data, companies are implementing strong security practices. One of the most effective and secure ways of protecting data in the cloud is encryption. Different organizations use different methodologies when it comes to encrypting data in the cloud.

Encryption is the most effective way of securing data in the cloud. Image from http://res.sys-con.com

An “Encryption in the Cloud” survey was done by the Ponemon Institute, covering more than 4000 IT professionals from seven countries including the US. According to the survey, “About 38% of the respondents said their organizations rely on encryption of data as it’s transferred, typically over the Internet, to the cloud. Another 35% said their organizations encrypt data before it’s transmitted to the cloud provider so that it remains encrypted within the cloud. 27% answered their organizations perform encryption within the cloud environment, with 16% of those selectively encrypting at the application layer, and 11% letting the cloud provider encrypt stored data as a service”. Similarly, in terms of managing encryption keys, 36% of the respondents relied on their own organization, 22% on the cloud service provider and 22% on independent third parties to handle encryption keys. From the survey it definitely looks like organizations put the security of sensitive user data at the forefront and take suitable measures to protect the data from attacks or breaches. Encryption has time and again proved to be the most effective security technique for protecting data in the cloud. The NSA revelations made us aware of how the spy agency has collected huge amounts of user data by breaking the encryption of the majority of web services. The NSA takes advantage of poorly implemented encryption to carry out its surveillance activities. It can also get hold of an enterprise’s private key used for encrypting consumer data simply by serving a legal notice. In the age of NSA surveillance and a growing rate of security breaches, it has become extremely important for organizations to take more responsibility for the security of their customers. Here are some steps that organizations can take to protect sensitive user data in the cloud:

  • Use a strong encryption standard: Going back to the NSA revelations, we are aware that the NSA has been cracking many of the encryption standards on the Web. But as I mentioned earlier, it has succeeded against poorly implemented and outdated encryption. When it comes to strong encryption technology like the Advanced Encryption Standard (AES), the NSA finds it difficult to break through. As Edward Snowden put it, “Encryption works. Properly implemented strong crypto systems are one of the few things that you can rely on”. You should implement AES encryption with a key length of 256 bits for better security of your data.
  • Effective key management: Manage your encryption keys efficiently by using advanced key management technologies. As NetworkWorld recommends, enterprises should manage their encryption effectively through efficient key assignment, periodic key rotation, and re-encryption of data with new keys.
  • Access control: Encrypting data at rest, in use and in transit reduces the risk of external attacks. But what about internal attacks? By putting the cloud service provider in charge of encrypting sensitive user data, enterprises open the door to new internal attacks. Employees must be given access only to the information that is required for or relevant to their responsibilities. They should be trained to manage and handle encrypted data effectively by following the security procedures of the organization.
  • Compliance with security policies and procedures: Enterprises should encrypt sensitive user data based on industry compliance guidelines or mandates such as HIPAA, PCI, GLBA and so on.

True Privacy with SpiderOak

At SpiderOak, we protect sensitive user data using 256-bit AES encryption so that files and passwords remain secure. SpiderOak encrypts the files on your computer before uploading them to the server. The secret that keeps your data accessible to you alone is your SpiderOak password, which is never transmitted to SpiderOak in its original form. SpiderOak generates a key from your password using the key derivation/strengthening algorithm PBKDF2 (with SHA-256), a minimum of 16384 rounds, and 32 bytes of random data (the “salt”). This key is then used to encrypt/decrypt a series of strong encryption keys, which in turn encrypt/decrypt your data. So a user who knows her password can generate the outer-level encryption key using PBKDF2 and the salt, then decipher the outer-level keys, and be on the way to decrypting her data. Without knowledge of the password, however, the data is unreadable. This way, even if programs like the NSA’s PRISM continue to stand unchallenged, people can rest easy knowing that their data is in truly protected form. SpiderOak offers amazing products like SpiderOak Hive and SpiderOak Blue to secure consumer and enterprise data. SpiderOak Blue provides enterprises with a fully private cloud service featuring all of the benefits of cloud storage along with 100% data privacy. And for the average web user, SpiderOak offers the same protections with lower costs and smaller storage space. You can sign up for this product now.
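The password-to-key chain described above, and the key rotation point from the tips earlier in this post, are easier to see in code. The following is an added example written for this page, not SpiderOak’s implementation: it derives the outer key with PBKDF2-SHA256 at the stated 16384 rounds and 32-byte salt, wraps a random data key under it, and shows that changing the password only re-wraps the data key. The AES-256-CTR plus HMAC-SHA256 wrapping, the enc/mac subkey split and the stored-record layout are my own assumptions; AES is written out in pure Python so the script needs only the standard library.

```python
"""Password-derived key hierarchy (added example, not SpiderOak's code): PBKDF2-SHA256
turns the password into an outer key, that key wraps a random data key, and the data
key protects the files. AES-256 is implemented below in the forward direction only,
which is all CTR mode needs; encrypt-then-MAC with HMAC-SHA256 is my own choice."""
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 16384   # minimum stated in the post
SALT_LEN = 32           # random salt bytes, as stated

# ---- minimal AES-256 (FIPS 197), encryption direction only --------------------
def _xtime(a):          # multiply by x in GF(2^8)
    a <<= 1
    return (a ^ 0x11B) & 0xFF if a & 0x100 else a

def _build_sbox():      # S-box from field inverses plus the affine map
    sbox, p, q = [0] * 256, 1, 1
    while True:         # invariant: p * q == 1 in the field
        p = (p ^ (p << 1) ^ (0x1B if p & 0x80 else 0)) & 0xFF   # p *= 3
        for sh in (1, 2, 4):                                   # q /= 3
            q = (q ^ (q << sh)) & 0xFF
        if q & 0x80:
            q ^= 0x09
        x = q
        for r in (1, 2, 3, 4):                                 # affine transform
            x ^= ((q << r) | (q >> (8 - r))) & 0xFF
        sbox[p] = x ^ 0x63
        if p == 1:
            break
    sbox[0] = 0x63
    return sbox
SBOX = _build_sbox()

def _expand_key(key):   # 15 round keys of 16 bytes from a 32-byte key
    w = [list(key[i:i + 4]) for i in range(0, 32, 4)]
    rcon = 1
    for i in range(8, 60):
        t = list(w[i - 1])
        if i % 8 == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]
            t[0] ^= rcon
            rcon = _xtime(rcon)
        elif i % 8 == 4:
            t = [SBOX[b] for b in t]
        w.append([w[i - 8][j] ^ t[j] for j in range(4)])
    return [sum(w[4 * r:4 * r + 4], []) for r in range(15)]

def aes256_encrypt_block(key, block):
    rk = _expand_key(key)
    s = [b ^ k for b, k in zip(block, rk[0])]
    for rnd in range(1, 15):
        s = [SBOX[b] for b in s]                            # SubBytes
        s = [s[(i + 4 * (i % 4)) % 16] for i in range(16)]  # ShiftRows (column-major)
        if rnd != 14:                                       # MixColumns
            m = []
            for c in range(0, 16, 4):
                a = s[c:c + 4]
                t = a[0] ^ a[1] ^ a[2] ^ a[3]
                m += [a[i] ^ t ^ _xtime(a[i] ^ a[(i + 1) % 4]) for i in range(4)]
            s = m
        s = [b ^ k for b, k in zip(s, rk[rnd])]             # AddRoundKey
    return bytes(s)

def _ctr(key, nonce, data):   # AES-256-CTR: 12-byte nonce + 32-bit block counter
    out = bytearray()
    for i in range(0, len(data), 16):
        ks = aes256_encrypt_block(key, nonce + (i // 16).to_bytes(4, "big"))
        out += bytes(x ^ y for x, y in zip(data[i:i + 16], ks))
    return bytes(out)

# ---- authenticated wrapping and the key hierarchy -----------------------------
def _subkeys(master):         # separate encryption and MAC keys from one master key
    return (hmac.new(master, b"enc", hashlib.sha256).digest(),
            hmac.new(master, b"mac", hashlib.sha256).digest())

def seal(master, plaintext):  # nonce || ciphertext || HMAC tag
    ek, mk = _subkeys(master)
    nonce = os.urandom(12)
    ct = _ctr(ek, nonce, plaintext)
    return nonce + ct + hmac.new(mk, nonce + ct, hashlib.sha256).digest()

def open_sealed(master, blob):  # verify the tag before decrypting
    ek, mk = _subkeys(master)
    nonce, ct, tag = blob[:12], blob[12:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mk, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered data")
    return _ctr(ek, nonce, ct)

def outer_key(password, salt):  # the PBKDF2 step from the post; computed client-side only
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS, 32)

def enroll(password):           # account setup: what the server may store
    salt, data_key = os.urandom(SALT_LEN), os.urandom(32)
    return {"salt": salt, "wrapped_key": seal(outer_key(password, salt), data_key)}

def unlock(record, password):   # recover the data key; fails without the password
    return open_sealed(outer_key(password, record["salt"]), record["wrapped_key"])

def change_password(record, old_pw, new_pw):  # re-wrap the same data key; files untouched
    data_key = unlock(record, old_pw)
    salt = os.urandom(SALT_LEN)
    return {"salt": salt, "wrapped_key": seal(outer_key(new_pw, salt), data_key)}
```

Files are then sealed under the data key with `seal(data_key, content)`, so the server only ever sees the salt, the wrapped key and ciphertext.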

Target Credit Card Breach Exposes Millions of Customers

Posted by on Dec 23, 2013

Massive credit card breach at Target. Image from http://extras.mnginteractive.com.

Credit card data breaches seem to be on the rise these days. Hackers are attacking many businesses in order to access sensitive customer data like social security numbers or credit card information. This information can be extremely valuable to the attackers, as having all that sensitive data in hand allows them to carry out more severe attacks. Information is key to hackers, and the more information they have the more dangerous they can become, creating a snowball (or even an avalanche) effect.

Retail giant Target has become the latest victim of a massive credit card breach. According to various sources, approximately 40 million credit and debit card accounts were compromised in the security breach. It is considered the second largest breach in US history, after the 2005 TJX Cos. credit card theft that affected 47.5 million card users. Target disclosed that customers who made purchases using their credit cards between Nov 27 and Dec 15 may have been exposed to the attack. The hackers managed to access customer names, credit and debit card numbers, card expiration dates and the code embedded in the magnetic stripe. The data breach did not affect online purchases.

The data breach appears to have begun on the busy Black Friday weekend and potentially affects nearly all store locations across the US. According to cybersecurity expert Brian Krebs, the breach was initially believed to have extended from the Thanksgiving period until Dec 6, but further investigation revealed that it extended until Dec 15th. He said that “track data” was stolen from customers’ accounts, allowing the attackers to make replicas of the credit cards by simply encoding that information onto any card with a magnetic stripe. If the PIN data for the debit cards was also stolen, it could be used to produce counterfeit debit cards and withdraw money from ATMs.

Millions of credit card data were exposed in the breach. Image from http://kfda.images.worldnow.com

The US Secret Service is investigating the incident. They confirmed to the Wall Street Journal that the breach was the result of a vulnerability in the network of 40,000 credit card devices at the store registers. Target has 1797 stores in the US and 124 stores in Canada. That means a massive amount of credit card data is at risk as a result of this breach. The breach did not affect users shopping online; it affected people who physically went to a store to shop.

Does that mean shopping online is safer than going to a store? Well, each has its merits and demerits. It is unfortunate that something like this happened due to a flaw in the network of credit card devices, but this is a rare in-person breach. Usually, I feel it is safer to shop in a store than to order something online, because when you shop online you are exposing yourself to more security risks. These risks include a lack of proper security controls on the website, poor encryption standards and exposure to severe cyber attacks like man-in-the-middle or phishing attacks.

Target recommends users to monitor their credit card records to prevent identity theft. Image from http://www.keepmyid.org.

Target has apologized to its customers for the inconvenience caused by the credit card breach and has assured them that it will resolve the issue soon. They are working with a third-party forensics team to conduct a thorough investigation of the breach and determine what significant steps they can take to avoid such situations in the future. Target recommends that customers remain alert to fraud or identity theft by regularly monitoring their account statements and free credit reports. If they find any suspicious activity on their accounts, they should immediately inform their financial institutions. You can also call the Federal Trade Commission or law enforcement to report identity theft or credit card fraud.

From the reports, it definitely looks like the majority of Target stores are affected by the breach. Therefore, as a consumer, I would refrain from shopping at Target at this point and will wait for the issue to be resolved. More importantly, if you shopped at Target during the timeframe of the attack, please monitor your account statements and credit reports, and if you find any kind of suspicious activity, inform your credit card company immediately.

Secure cloud storage service that protects your data

SpiderOak is a secure cloud storage service that protects its user data from government surveillance. This service provides users with fully private cloud storage and syncing, featuring all of the benefits of the cloud along with 100% data privacy. SpiderOak is available with onsite deployment and private servers or outsourced deployment through a private and secured public cloud server, so that users and small businesses of all sorts and sizes can tailor the service to fit their needs.

SpiderOak protects sensitive user data with 256-bit AES encryption so that files and passwords stay private. Authorized accounts and network devices can store and sync sensitive data with complete privacy, because this cloud service has absolutely “zero-knowledge” of user passwords or data. And all plaintext encryption keys are exclusively stored on approved devices, because SpiderOak never hosts any plaintext data. This way, even if programs like the NSA’s PRISM continue to stand unchallenged, people can rest easy knowing that their data is truly protected. SpiderOak’s cross-platform private cloud services are available for users on Windows, Mac, and Linux platforms, along with Android and iOS mobile devices, allowing for full flexibility and mobile access. SpiderOak offers amazing products like SpiderOak Hive and SpiderOak Blue to secure consumer and enterprise data. You can sign up for this product now.