Business & the Cloud Archives - Page 3 of 15 - The Privacy Post


Security Concerns with “The Internet of Things”

Posted by on Jan 28, 2014

There have been many recent security risks with connected devices.
Image from Cdn.decoist.com.

The Internet of Things has become an emerging trend in today’s age. As the number of devices connected via the Internet grows, the risk of cyber attacks also increases. By connecting so many unsecured smart devices like TVs, refrigerators, etc. to the Internet, we are opening the doors to many malicious activities. Recently, a security research firm, Proofpoint, revealed an Internet of Things cyber attack that compromised more than 100,000 Smart TVs, refrigerators, and other smart appliances; 750,000 malicious email communications were sent out from these devices. Proofpoint noticed this attack during the holiday season, from December 23, 2013, to January 6, 2014. The researchers observed thousands of malicious email messages coming from a particular range of IP addresses. When they investigated further, they realized that these messages were not coming from PCs, which are the most common medium for launching these attacks, but from unidentified devices running on the standard Linux platform. On pinging those devices, they found out that they were smart appliances connected within households.

According to Proofpoint, just as personal computers are compromised by botnets to launch attacks, cyber criminals are exploiting the vulnerabilities in smart home appliances by transforming them into “thingbots” to carry out malicious activities. One of the major intentions behind such kinds of attacks is to collect personal information about the victim. The more information the attackers have in their hands, the more powerful they become. Another reason why Internet connected devices have become more appealing to the attackers is because they have poor security controls and can be infected easily. The researchers of Proofpoint noticed during their investigation that the majority of the smart appliances were not configured properly or used default passwords. Unfortunately, when we talk about Internet security, most people visualize securing their laptops or tablets. We forget that other than our laptops, PCs, or Tablets, there are many more household appliances that are connected to the Internet, and it is equally important to implement security controls to protect them from attacks.

Lack of security awareness among the users of smart appliances is the most important reason why connected devices are more attractive to cyber criminals than PCs or laptops. People need to educate themselves about the vulnerabilities in smart appliances and implement recommended security controls to ensure protection. They should make sure that they change the default passwords of these devices before putting them to use. Users should always choose strong and complex passwords for better security, and change them on a regular basis. Oftentimes, the industries developing these devices find it harder to find and fix vulnerabilities than is the case with PCs and software appliances. They do not have the expertise or ability to patch the weaknesses in these devices. According to security expert Bruce Schneier, most common home routers run on old versions of the Linux operating system. The vulnerabilities may have been patched earlier, but it is extremely important to apply patches to them more frequently, because as the systems age their security vulnerabilities increase.

Implement security controls to protect smart homes from cyber attacks.
Image from Insurancejournal.com

In order to apply patches, users need to manually download and apply them. This is rarely done because users are never alerted about security updates, nor do they have the expertise to monitor the systems regularly and apply patches. So, the best way to ensure protection from malicious attacks is to change your default passwords, replacing them with strong, difficult-to-crack passwords. Keep your appliances connected to the Internet only as long as required; if you do not need your devices, disconnect them from the Internet. The 24/7 availability of connected devices makes them more vulnerable to attacks. Lastly, take the security precautions of connected devices just as seriously as those of your PCs or laptops.

Secure cloud storage service that protects your data

SpiderOak is a secure cloud storage service that protects its user data from government surveillance. This service provides users with fully private cloud storage and syncing, featuring all of the benefits of the cloud along with 100% data privacy. SpiderOak is available with onsite deployment and private servers or outsourced deployment through a private and secured public cloud server, so that users and small businesses of all sorts and sizes can tailor the service to fit their needs.

SpiderOak protects sensitive user data with 256-bit AES encryption so that files and passwords stay private. Authorized accounts and network devices can store and sync sensitive data with complete privacy, because this cloud service has absolutely “zero-knowledge” of user passwords or data. And all plaintext encryption keys are exclusively stored on approved devices because SpiderOak never hosts any plaintext data. This way, even if programs like NSA’s PRISM continue to stand unchallenged, people can rest easy knowing that their data is truly protected. SpiderOak’s cross-platform private cloud services are available for users on Windows, Mac, and Linux platforms, along with Android and iOS mobile devices, allowing for full flexibility and mobile access. SpiderOak offers amazing products like SpiderOak Hive and SpiderOak Blue to secure consumer and enterprise data. You can sign up for this product now.

 


Beware: Malware Distributors are Moving Towards Cloud Computing Services

Posted by on Jan 21, 2014

malware detection

Cloud services have become an attractive place for hackers.
Image from Cloudtimes.org

As has been the trend with businesses, the makers of malware are also moving towards cloud services because of their flexibility, cost effectiveness, and easy maintenance. Malware distributors are embracing cloud services as a method of hosting malicious code and adware. They are doing so either by buying services directly from the cloud service providers, or by compromising them. By hiding behind the names of legitimate cloud service providers like Amazon and GoDaddy, they can effectively serve malware to millions of Internet users. Hackers can use the trusted IP addresses of these major cloud service providers to initiate malicious activities without getting blacklisted. The cloud enables them to quickly and cheaply develop malware-infected sites, and bring them online. These benefits of cloud computing have made the cloud an attractive place for these malicious actors.

Continue reading…


Privacy Issues with Student Loans

Posted by on Jan 20, 2014

Students are struggling to pay their loans to achieve their career goals. Image from Internationalteflacademy.com

“Knowledge may be priceless, but a higher education is clearly not.”

- Peter Thiel, Cofounder Paypal

Over the years there has been a significant hike in the tuition fees of many U.S. universities. Students are struggling under the burden of student loans to achieve their career goals. Some of them have had to make career changes or postpone their dreams just because of the expenses of higher education. Washington Post had invited some researchers, thinkers and analysts to submit their favorite graph of 2013. The graph submitted by PayPal’s Cofounder, Peter Thiel showed how over the years the student loans have increased with respect to the income level of the majority of people.

Graph submitted by Peter Thiel. Image from WashingtonPost.com

Based on the graph, it can be inferred that with the increase in tuition fees, more and more people are relying on student loans for higher education. The services providing student loans collect a great deal of personal data, such as names, addresses, social security numbers, and bank details. Have we ever thought about the security of our personal data collected by these services? Sometimes data breaches are eye-openers that remind us how valuable our information is, and why it is important to take the security of personal data seriously. Last year, the Human Resources and Skills Development department of Canada’s federal public service (HRSD) reported a security breach in which a huge amount of personally identifiable information (PII) went missing from one of the department’s offices in Quebec. An unencrypted hard drive containing PII of 250 of the department’s employees and 538,000 Student Loans borrowers was stolen.

The information that was stolen from HRSD included student names, Social Insurance Numbers (SINs), contact information, dates of birth, and loan balances. Social Insurance Numbers are similar to Social Security Numbers in the U.S., and extremely important to Canadian citizens. Another interesting fact is that the stolen hard drive had student data from 2003 to 2006. That means students who had paid off these loans, and were no longer customers of HRSD, were affected by the breach. Just imagine the amount of personal information that hackers had at their disposal. Information is key to hackers, and the more information they have, the more dangerous they can become. With so much sensitive data in their hands, hackers can carry out more severe attacks such as identity theft.

Canadian Security exposed thousands of student data. Image from http://i1.ytimg.com/

If HRSD had implemented strong security controls to protect the sensitive information of thousands of student loan borrowers, then the situation would have been different. Here are some of the lessons learned from this security breach:

  • Implement Strong Encryption standards: One of the key things that went wrong here is that the hard drive containing sensitive information of student loan borrowers was not encrypted. Enterprises should use strong encryption standards like AES or Blowfish to encrypt sensitive user data.
  • Use of Strong passwords: Sensitive user data should be protected using long and complex passwords. The passwords should be 8-digits long and contain a combination of upper and lower case letters, numbers, and special characters. Also, they need to be changed frequently.
  • Don’t collect or retain more than what is required:  As mentioned earlier, the stolen hard drive contained student information from 2003 to 2006; this information was absolutely not required to be retained. Only collect and store data that is required. Get rid of the unnecessary information. Personal information related to SSN, credit card, or driver’s license should not be collected unless it is extremely needed.
  • Develop Strong Security policies: Companies must develop security guidelines to sort through the requirements, develop processes for handling data, and design applications that include appropriate safeguards, such as encryption and restricted access, for each location.
  • Employee training: Employees need to be trained regarding the security of sensitive personal information. They should strictly follow the security policies of the organization to maintain the privacy and confidentiality of user data.

SpiderOak Blue for Enterprises:

Finding a truly secure third party cloud service can be a challenge as many services on the market have security gaps that leave private data vulnerable to third party attacks. One cloud storage and sync service that sets itself apart is SpiderOak Blue. This service provides enterprises with a fully private cloud service featuring all of the benefits of cloud storage along with 100% data privacy. And for the average web user, SpiderOak offers the same protections with lower costs and smaller storage space.

SpiderOak Blue protects sensitive enterprise data through two-factor password authentication and 256-bit AES encryption so that files and passwords stay private as unreadable blocks of data. Two-factor authentication is just like the process used by some financial services that require a PIN as an extra precaution along with a password in order to log in. With SpiderOak, enterprises that choose to use two-factor authentication must submit a private code through text along with their unique encrypted password. Authorized accounts can store and sync sensitive data with complete privacy, because this cloud service has absolutely “zero-knowledge” of user passwords or data. And all plaintext encryption keys are exclusively stored on approved devices (SpiderOak never hosts any plaintext data). SpiderOak Blue’s cross-platform private cloud services are available for enterprises on Windows, Mac, and Linux platforms, along with Android and iOS mobile devices. Sign up for SpiderOak today!


Bombarded by Advertisements? How Online Ads Can Take Over Your System

Posted by on Jan 17, 2014

Online advertisements

Vulnerabilities in online ads can be exploited to launch cyber attacks. Image from Wpengine.netdna-cdn.com

Don’t you wish you could browse YouTube or Facebook without encountering those annoying advertisements? They have become impossible to ignore these days. Many websites rely on online advertisements to generate revenue. They are annoying for sure, but they had not caused any harm to our systems. Unfortunately, this is not the case anymore. Online ads can be manipulated to launch cyber attacks known as Distributed Denial of Service (DDoS) attacks. An intruder can simply embed an attack ad within a Web page. The attacker tricks advertising networks into accepting compromised ads and displaying those ads on legitimate sites. When you click on one of these malicious ads, your browser gets enlisted in a botnet, which carries out denial of service attacks.

Continue reading…


The Magic Key: Google and Facebook Planning on Improving Security with Physical Tokens

Posted by on Jan 16, 2014

Physical Tokens on Google and Facebook will protect users

Google and Facebook are moving towards better security with physical tokens. Image from Jagran.com

Well-known technology companies like Google and Facebook are planning on bolstering the security of their users by introducing physical tokens. These physical tokens are very easy to use, and provide an additional level of protection along with your passwords. You just have to plug the token directly into your computer’s USB drives and then type in your password. A correct combination of the password and the number on the physical token will give you access to your account. Both companies are planning on making their employees use physical tokens to access their accounts. John Flynn, security engineer at Facebook, said, “We’re keeping an eye on emerging authentication technology. Hardware authentication is one of those.” This latest tactic is a great move by Facebook and Google towards maintaining user privacy. Continue reading…


RAM Scraper Malware Infected Target’s Point-of-Sale terminals

Posted by on Jan 15, 2014

Target Data Breach is the result of a malware called RAM Scraper. Image from Media.cmgdigital.

Last month retail giant Target suffered a massive credit card breach that affected approximately 40 million credit and debit card accounts. As per recent investigations, the breach appears to be even worse than what was estimated earlier. The company confirmed that personal information like names, email addresses, mailing addresses, and phone numbers of an additional 70 million people was compromised in the data breach. This makes the Target data crisis one of the biggest security breaches of 2013. In an interview with CNBC, Target CEO Gregg Steinhafel revealed that the reason behind this massive attack was malware that infected Target’s point-of-sale registers. Malware programs that are designed to infect point-of-sale (PoS) systems are known as RAM scraper malware.

Continue reading…


Email Security in Light of NSA Surveillance

Posted by on Jan 14, 2014

Email Encryption ensures protection against NSA surveillance, identity theft and phishing attack. Image from Arstechnica.net

When Edward Snowden was asked whether someone who wants to stay off the NSA’s radar could encrypt emails and send them without arousing any suspicion, his response was: “Encryption works. Properly implemented strong crypto systems are one of the few things that you can rely on. Unfortunately, endpoint security is so terrifically weak that NSA can frequently find ways around it.”

Encryption has time and again proved to be one of the most effective ways of protecting online communications from unauthorized access. However, as Snowden indicated, only properly implemented and strong encryption standards work against NSA surveillance. The NSA has been successful in circumventing the majority of the encryption technologies on the web. But when it comes to cracking strong encryption standards like AES, the NSA is facing some level of difficulty. The PRISM revelations have made us more responsible towards the privacy and security of our data in the electronic medium. One of the most intriguing questions is how secure our email communications are. Nobody wants their private messages to be scanned by the spy agency.

There is no foolproof method to secure your email communications from NSA surveillance, but there are a few tools and techniques that you can use to maintain your privacy. PGP is one of the most secure email encryption services that you can use to encrypt your email messages. While it may or may not protect your emails from the NSA, it can ensure protection against hackers trying to hijack your email accounts, crack your passwords, or launch phishing attacks. PGP is a unique combination of traditional encryption and public key cryptography. To exchange secure email messages, both sender and receiver need to have PGP, so that they can exchange public keys in order to read each other’s email.

PGP is one of the most secure email encryption services that ensures protection against NSA surveillance. Image from Gawkerassets.com

Let’s take a look at how PGP works. First, PGP compresses the plaintext message. That reduces the patterns found in the plaintext, which can be exploited by cryptanalysis. Once the plaintext is compressed, PGP generates a one-time secret key called the “session key”. The session key is basically a random number generated from the movements of your mouse or your keystrokes. The session key works with a cryptographic algorithm to produce ciphertext by encrypting the plaintext message. After encryption of the plaintext, the session key is encrypted with the recipient’s public key. The encrypted message is then sent to the recipient along with the encrypted session key.

Encryption and Decryption using PGP. Image from Goanywheremft.com

On the recipient side, the recipient uses his/her private key to decrypt the session key. Once the session key is decrypted, it is used to decrypt the traditionally encrypted ciphertext. With the combination of two encryption methods and large encryption keys, PGP is a robust email encryption technique that protects your data from government snooping. There are several instances in the past that indicate that the NSA has not been successful in breaking PGP-encrypted email messages. As a result, they force the service providers to hand over the encryption keys in order to read the encrypted emails. Therefore, it is extremely important for secure email service providers to be transparent about the data requests made by the NSA in order to gain the trust of their customers.
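The hybrid flow described above (compress, encrypt under a one-time session key, wrap the session key with the recipient's public key, reverse the steps on receipt), as an added example that is not part of the original post and is not PGP's own code. It assumes the third-party Python `cryptography` package and substitutes AES-256-GCM and RSA-OAEP for OpenPGP's packet format and cipher modes; the function names and the message layout are hypothetical.

```python
import os
import zlib

from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

# RSA-OAEP parameters used to wrap the session key (assumption of this example).
OAEP = padding.OAEP(
    mgf=padding.MGF1(algorithm=hashes.SHA256()),
    algorithm=hashes.SHA256(),
    label=None,
)


def generate_recipient_keypair():
    """Recipient's long-term key pair; only the public half is ever shared."""
    private_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    return private_key, private_key.public_key()


def pgp_style_encrypt(plaintext: bytes, recipient_public_key) -> dict:
    """Sender side: compress, encrypt with a fresh session key, wrap that key."""
    # 1. Compress first: ciphertext does not compress, so this must precede
    #    encryption, and it removes redundancy from the plaintext.
    compressed = zlib.compress(plaintext)

    # 2. One-time session key. Early PGP gathered randomness from mouse and
    #    keyboard timing; here the operating system's CSPRNG supplies it.
    session_key = AESGCM.generate_key(bit_length=256)

    # 3. Fast symmetric encryption of the (possibly large) message body.
    nonce = os.urandom(12)
    ciphertext = AESGCM(session_key).encrypt(nonce, compressed, None)

    # 4. Slow public-key operation applied only to the 32-byte session key.
    wrapped_session_key = recipient_public_key.encrypt(session_key, OAEP)

    # The session key itself is never part of the transmitted message.
    return {
        "wrapped_session_key": wrapped_session_key,
        "nonce": nonce,
        "ciphertext": ciphertext,
    }


def pgp_style_decrypt(message: dict, recipient_private_key) -> bytes:
    """Recipient side: unwrap the session key, decrypt, then decompress."""
    # Raises ValueError if the message was wrapped for a different key pair.
    session_key = recipient_private_key.decrypt(message["wrapped_session_key"], OAEP)
    # Raises cryptography.exceptions.InvalidTag if the ciphertext was altered.
    compressed = AESGCM(session_key).decrypt(
        message["nonce"], message["ciphertext"], None
    )
    return zlib.decompress(compressed)


if __name__ == "__main__":
    private_key, public_key = generate_recipient_keypair()
    # Constructed sample message.
    envelope = pgp_style_encrypt(b"Quarterly numbers attached. " * 10, public_key)
    print(len(envelope["wrapped_session_key"]), "byte wrapped session key")
    print(pgp_style_decrypt(envelope, private_key)[:27])
```

Only the holder of the private key can recover the session key, which is why the text's point about providers being forced to hand over keys matters: whoever holds the private key can read every message wrapped to it.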

Some people are under the impression that the use of security tools on the Internet will put them under extra scrutiny by the NSA. This is not true. By not using security tools you are opening the doors for other kinds of cyber attacks like phishing and identity theft. Imagine the amount of personal and sensitive data stored in your inbox: bank statements, credit card information, medical records, and much more. An intruder can take advantage of this sensitive information and carry out fraudulent activities. So, it is in your best interest to encrypt your email messages.

Secure cloud storage service that protects your data from surveillance

SpiderOak is a secure cloud storage service that protects its user data from government surveillance. This service provides users with fully private cloud storage and syncing, featuring all of the benefits of the cloud along with 100% data privacy. SpiderOak is available with onsite deployment and private servers or outsourced deployment through a private and secured public cloud server, so that users and small businesses of all sorts and sizes can tailor the service to fit their needs.

SpiderOak protects sensitive user data with 256-bit AES encryption so that files and passwords stay private. Authorized accounts and network devices can store and sync sensitive data with complete privacy, because this cloud service has absolutely “zero-knowledge” of user passwords or data. And all plaintext encryption keys are exclusively stored on approved devices because SpiderOak never hosts any plaintext data. This way, even if programs like NSA’s PRISM continue to stand unchallenged, people can rest easy knowing that their data is truly protected. SpiderOak’s cross-platform private cloud services are available for users on Windows, Mac, and Linux platforms, along with Android and iOS mobile devices, allowing for full flexibility and mobile access. SpiderOak offers amazing products like SpiderOak Hive and SpiderOak Blue to secure consumer and enterprise data. You can sign up for this product now.

 


Dropbox Hack Hoax Reveals Cloud Security Concerns

Posted by on Jan 13, 2014

Security of cloud storage services is extremely important as they store our personal and sensitive information. Image from  http://www.freewaregenius.com/


It seems like hardly a day goes by without hearing about data breaches or cyber attacks somewhere. There is an even greater impact if one of these breaches is of a cloud storage system. Many of us rely on different cloud storage systems like Dropbox, SpiderOak, or SugarSync to store and backup our important files and documents. We value the security of cloud storage systems more than anything else, as we store our personal and sensitive details in them. When it comes to cloud storage, nothing can be more important than secure data storage and backup. Any news or discussions regarding security of cloud storage systems on social media sites becomes headlines and draws maximum traffic. That shows how much people care about the privacy and security of their data in cloud systems.

Two days back there was a huge buzz on many of the tech news sites about Dropbox being hacked by cyber criminals. Almost every news site was reporting about the hack and updating on a regular basis. In short, the internet was in a panic. Many people rely on Dropbox for sensitive business and personal information, and it being compromised was a huge scare.  But here’s what actually happened.

Dropbox went down late Friday evening for a few hours because of some routine maintenance. People who tried to access the Dropbox website from 6 p.m. to 8 p.m. PT were directed to a webpage acknowledging the issue. That’s pretty normal. However, just a few minutes before the outage, a hacker group named “the 1775Sec” claimed on Twitter that they were responsible for the Dropbox hack. The hacker group tweeted that they compromised the Dropbox website in honor of late programmer Aaron Swartz on the eve of his death anniversary. The surprising thing is how quickly this Twitter jibe transformed into headlines at many leading news sites like theverge, pcworld, techcrunch, and many more. According to the hacker group, they took advantage of some vulnerability in Dropbox that led to a database leak. They also posted a partial list of the leaked database at pastebin.com/WLFfTvFk.

A hacker group named the 1775 Sec claimed of compromising Dropbox. Image from www.pcworld.com


In response to the Twitter feeds of the hacker group, Dropbox responded that they had not been compromised and that the site went down as a result of internal maintenance activities. The hackers’ claims of leaked user info were a hoax. A post on Dropbox’s blog stated “(W)e are aware of an issue currently affecting the Dropbox site. We have identified the cause, which was the result of an issue that arose during routine internal maintenance, and are working to fix this as soon as possible. We apologize for any inconvenience.” The site was up by 8 p.m. PT; however, attempts to log in produced error messages. The hacker group also acknowledged that this whole thing about user data being compromised was a hoax. They only brought down the site for a few hours by DDoS attack and no user information was compromised in this process.

Dropbox responded that the claims of user data leak are a hoax. Image from http://i1-news.softpedia-static.com/


This incident clearly indicates the importance of security in cloud storage services. A perfectly timed hoax created so much havoc all over the Internet. Just going by the Twitter feeds, many leading websites were under the impression that Dropbox has been hacked by some hacker group. Online cloud storage services are one of the most valuable innovations of the information technology industry, allowing us to access our data anytime from anywhere. In the near future we will see a huge growth in the adoption of this technology, and the attention from social media and technology news sites is only going to increase from here onwards.

As a result, cloud service providers need to find ways to protect sensitive user data along with providing high-quality service. They should implement strong encryption standards such as 256-bit AES for better security. Encryption has time and again proved to be the most secure method for protecting data in the cloud. The keys used for encrypting sensitive customer data should be managed effectively by periodic key rotation and re-encryption of data with new keys. Employees should not be given access to more than what is needed to complete their tasks. The cloud storage companies should implement effective security controls like strong passwords, longer keys or complex hash algorithms that will make it difficult for anyone to access user data. Cloud storage systems cannot control hoax Twitter feeds, but they can definitely implement the right security controls to keep their data secure.

True Privacy with SpiderOak

At SpiderOak, we protect sensitive user data using 256-bit AES encryption so that files and passwords remain secured. SpiderOak encrypts the files on your computer before uploading them to the server. The secret that keeps your data accessible to you alone is your SpiderOak password, which is never transmitted to SpiderOak in its original form. SpiderOak generates a key from your password using the key derivation/strengthening algorithm PBKDF2 (using SHA-256), with a minimum of 16384 rounds and 32 bytes of random data (“salt”). This key is then used to encrypt/decrypt a series of strong encryption keys that are used to encrypt/decrypt your data. So, a user who knows her password can generate the outer level encryption key using PBKDF2 and the salt, then decipher the outer level keys, and be on the way to decrypting her data.

Without knowledge of the password, however, the data is unreadable. This way, even if programs like NSA’s PRISM continue to stand unchallenged, people can rest easy knowing that their data is in truly protected form. SpiderOak offers amazing products like SpiderOak Hive and SpiderOak Blue to secure consumer and enterprise data. SpiderOak Blue provides enterprises with a fully private cloud service featuring all of the benefits of cloud storage along with 100% data privacy. And for the average web user, SpiderOak offers the same protections with lower costs and smaller storage space. You can sign up for this product now.
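The password-derived key hierarchy described above, as an added sketch that is not SpiderOak's code. It uses the PBKDF2-SHA256 parameters quoted in the text (16384 rounds, 32-byte salt); the record layout and function names are hypothetical, and because the Python standard library has no AES, the key-wrapping step uses an HMAC-SHA256 pad with an HMAC tag as a stand-in for AES-256.

```python
import hashlib
import hmac
import secrets

ROUNDS = 16384   # minimum PBKDF2 round count quoted in the text
SALT_LEN = 32    # bytes of random salt quoted in the text
KEY_LEN = 32     # 256-bit keys


def derive_outer_key(password: str, salt: bytes, rounds: int = ROUNDS) -> bytes:
    """PBKDF2-HMAC-SHA256 turns the password into the outer-level key."""
    return hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, rounds, dklen=KEY_LEN
    )


def _subkey(outer_key: bytes, label: bytes) -> bytes:
    # Separate keys for hiding and for authenticating the wrapped data key.
    return hmac.new(outer_key, label, hashlib.sha256).digest()


def wrap_key(outer_key: bytes, data_key: bytes) -> bytes:
    """Stand-in for AES key wrapping: one-block HMAC pad plus integrity tag."""
    if len(data_key) != KEY_LEN:
        raise ValueError("data key must be 32 bytes")
    nonce = secrets.token_bytes(16)
    pad = hmac.new(_subkey(outer_key, b"enc"), nonce, hashlib.sha256).digest()
    hidden = bytes(a ^ b for a, b in zip(data_key, pad))
    tag = hmac.new(_subkey(outer_key, b"mac"), nonce + hidden, hashlib.sha256).digest()
    return nonce + hidden + tag


def unwrap_key(outer_key: bytes, blob: bytes) -> bytes:
    nonce, hidden, tag = blob[:16], blob[16:16 + KEY_LEN], blob[16 + KEY_LEN:]
    expected = hmac.new(_subkey(outer_key, b"mac"), nonce + hidden, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        # A wrong password derives a different outer key, so the tag fails.
        raise ValueError("wrong password or tampered key record")
    pad = hmac.new(_subkey(outer_key, b"enc"), nonce, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(hidden, pad))


def create_keyring(password: str, n_keys: int = 3):
    """Client side: make random data keys and the record the server may store."""
    salt = secrets.token_bytes(SALT_LEN)
    outer = derive_outer_key(password, salt)
    data_keys = [secrets.token_bytes(KEY_LEN) for _ in range(n_keys)]
    record = {
        "salt": salt,
        "rounds": ROUNDS,
        "wrapped": [wrap_key(outer, k) for k in data_keys],
    }
    return record, data_keys


def open_keyring(password: str, record: dict) -> list:
    """Re-derive the outer key from password + stored salt, then unwrap."""
    outer = derive_outer_key(password, record["salt"], record["rounds"])
    return [unwrap_key(outer, blob) for blob in record["wrapped"]]


def change_password(old: str, new: str, record: dict) -> dict:
    """Only the small wrapped keys are redone; bulk data keeps its data keys."""
    data_keys = open_keyring(old, record)
    salt = secrets.token_bytes(SALT_LEN)
    outer = derive_outer_key(new, salt)
    return {
        "salt": salt,
        "rounds": ROUNDS,
        "wrapped": [wrap_key(outer, k) for k in data_keys],
    }
```

The stored record holds the salt, the round count and the wrapped keys but nothing that reveals the password, so its secrecy rests entirely on password strength and the PBKDF2 work factor.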


How Secure are Mobile Banking Apps?

Posted by on Jan 10, 2014

Security risks with mobile banking apps. Image from http://www.digitaltrends.com


There is a huge market for mobile apps because people are becoming more inclined to getting their work done through “easy and convenient” mobile apps rather than sitting in front of a PC. As we know, with the growth of any new technology comes new security risks. One of the major areas of concern is regarding the security of mobile applications for banking and payments. In the near future we will see an exponential growth in the usage of mobile applications for banking purposes. A survey done by Federal Reserve Board indicates the increasing use of mobile banking services by the users in their day-to-day lives.

Survey by Federal Reserve Board. Image from http://www.federalreserve.gov


From the survey, it looks like the majority of us have downloaded mobile banking apps to carry out our bank transactions. Have we ever considered how secure these apps are? How do they manage our data locally? How securely do they communicate with the servers? What security protocols do they have in place for the protection of our data? These are some of the questions that need to be answered before downloading any banking application. As we tend to put some of our most personal data in the hands of these apps, we need to ensure that they are completely secure. Most people are completely unaware of the security vulnerabilities in mobile apps and fall prey to cyber attacks. It is extremely important for consumers to understand the security concerns associated with mobile banking apps, and take precautionary measures to protect themselves from these security threats.

Security vulnerabilities with mobile banking apps as per Sanchez research. Image from http://blog.ioactive.com


Research done by security analyst Ariel Sanchez revealed security weaknesses in mobile banking apps for the iOS platform. He tested 60 banking apps from financial institutions around the world to determine security vulnerabilities in them. According to his findings, almost all the apps could be installed on jail-broken iOS devices. This is a major security risk because jail-breaking bypasses protections on iOS devices. It allows applications to access and download additional applications or extensions that would not have been accessible on non-jail-broken devices. Usually, the majority of the mobile apps that deal with sensitive user data, such as handling bank and payment information, enforce SSL certificates. Unfortunately, only a few of them validate the authenticity of the certificates they receive from the servers. This makes them vulnerable to Man-in-the-Middle or phishing attacks. Some of the apps expose sensitive user information like usernames, passwords, and hidden URL paths that could be exploited by getting access to the iOS system log. Lastly, 70% of the apps lacked multi-factor authentication measures that could protect them from impersonation attacks. Sanchez said “Home banking apps that have been adapted for mobile devices, such as smart phones and tablets, have created a significant security challenge for worldwide financial firms. As this research shows, financial industries should increase the security standards they use for their mobile home banking solutions.”

These are some of the steps that can be taken to ensure protection against security risks with the mobile apps:

  • Consumer awareness: As I mentioned earlier, most of the time people fall prey to cyber attacks due to lack of awareness. We need to learn about the security risks of mobile apps and implement security controls for better security. Learn about the privacy policies of the banking apps, what security controls are in place, and how these apps handle and share your data. Always download apps from trusted sources.
  • Ensure the authenticity of SSL certificates: The SSL certificate is a must for mobile banking apps, but it is of no use if proper validation is not done. Mobile apps need to validate the authenticity of the digital certificates they receive from the servers.
  • Implement a secure transfer protocol (HTTPS): Strong encryption standards like HTTPS should be implemented to protect data in transit. Consumer information exchanged with third parties should also be encrypted.
  • Regularly apply patches and software updates: Users need to apply patches and software updates on a regular basis to ensure protection against upcoming threats and vulnerabilities.
  • Implement checks to detect jail-broken devices: Lastly, businesses should have methods or devices in place to detect jail-broken devices.
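To make the certificate-validation step concrete, here is an added example (not code from Sanchez's research or from any of the tested apps) that uses Python's standard `ssl` module as a stand-in for an app's TLS client. The function names are hypothetical; it contrasts a client that encrypts but accepts any certificate with one that validates, and audits both.

```python
import ssl


def build_unvalidated_context() -> ssl.SSLContext:
    """Weak setup: traffic is encrypted, but any certificate is accepted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # must be cleared before verify_mode is relaxed
    ctx.verify_mode = ssl.CERT_NONE  # no chain validation: an interceptor's cert passes
    return ctx


def build_chain_only_context() -> ssl.SSLContext:
    """Half-fixed setup: the chain is verified, but not who the certificate is for."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # a valid certificate for any other host is accepted
    return ctx


def build_validating_context() -> ssl.SSLContext:
    """Hardened setup: system trust store, chain required, hostname checked."""
    return ssl.create_default_context()


def audit_context(ctx: ssl.SSLContext) -> list:
    """Return the validation gaps found in a client-side TLS context."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate chain is not verified")
    if not ctx.check_hostname:
        findings.append("certificate hostname is not checked")
    return findings


if __name__ == "__main__":
    for name, builder in [
        ("unvalidated", build_unvalidated_context),
        ("chain only", build_chain_only_context),
        ("validating", build_validating_context),
    ]:
        print(name, "->", audit_context(builder()) or "no findings")
```

The chain-only case is the one that is easy to miss in review: the connection fails for self-signed certificates, so it looks validated, yet it still accepts a legitimately issued certificate belonging to a different host.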

Protecting your personal data with SpiderOak

 Most popular “secure” cloud services are still vulnerable to third party attacks. To truly experience privacy for your individual or business needs, an anonymous cloud storage and sharing service like SpiderOak provides all the benefits of the cloud while protecting against hacking and security breaches. This service provides users with fully private cloud storage and syncing, featuring all of the benefits of the cloud along with 100% data privacy.

SpiderOak protects sensitive user data with 256-bit AES encryption so that files and passwords stay private. Authorized accounts and network devices can store and sync sensitive data with complete privacy, because this cloud service has absolutely “zero-knowledge” of user passwords or data. And all plaintext encryption keys are exclusively stored on approved devices because SpiderOak never hosts any plaintext data. This way, even if programs like NSA’s PRISM continue to stand unchallenged, people can rest easy knowing that their data is truly protected. SpiderOak’s cross-platform private cloud services are available for users on Windows, Mac, and Linux platforms, along with Android and iOS mobile devices, allowing for full flexibility and mobile access. SpiderOak offers amazing products like SpiderOakHive and SpiderOak Blue to secure consumer and enterprise data. You can sign up for this product now.

Upcoming Ransomware of 2014: Prison Locker

Posted by on Jan 9, 2014

New malicious ransomware named Prison Locker has the potential of causing more damage than Cryptolocker. Image from http://4.bp.blogspot.com/

Cryptolocker Ransomware has infected thousands of computers and has allowed hackers to make millions of dollars. Cryptolocker encrypts all your files and documents and restricts your access to your system until you pay a ransom amount to the hacker. This very serious malware attack has gained momentum over the past few years. There are some precautions that you can take to protect your data from being hijacked by Cryptolocker ransomware and security experts are also coming up with prevention kits to secure systems from this malware attack. Just when we have started understanding this new form of malware and devising ways to prevent Cryptolocker ransomware attacks, a new form of ransomware is making headlines in many hacker forums.

Prison locker, or Power locker, is an evolution of Cryptolocker that encrypts all files on your hard drive and shared drives in a “practically unbreakable encryption” process. Prison locker’s developers claim that it has the potential of causing more damage than Cryptolocker. Two hackers named “gyx” and “Porphyry” have been talking about this ransomware on many online forums. The ransomware is coded in C/C++; it encrypts all your files and then locks your screen until you pay a ransom amount to the hacker. When your system is infected with Prison locker, it opens a new locked window and disables the Windows and Escape keys. Besides that, it also blocks programs such as taskmgr.exe, regedit.exe, cmd.exe, explorer.exe, and msconfig.exe, and disables the Alt+Tab feature.

A hacker by name “gyx” is making headlines in online forums. Image from MalwareMustDie.

The ransomware encrypts files on the victim’s hard drive and shared drives using Blowfish encryption. It can encrypt all files except .exe, .dll, .sys, and other system files. For each file it generates a unique Blowfish key that is then encrypted with RSA-2048. After encrypting all the files on the victim’s system, it sends that information to the hacker’s control panel. From the control panel, the hacker can set the warning time of the ransomware, handle payments, and decrypt files on the victim’s computer. According to the online forums, the developer of the malware is still working on some of the features of the application and will be releasing the malware sometime soon. One of the interesting things is that they are selling this powerful and extremely malicious ransomware for only $100. Ransomware has the potential of hijacking a victim’s entire system, including the shared drives, and very little can be done to counteract such an attack. If it possesses all the technical features that it claims, then the ransomware should be worth more than $100. Whatever the financial motivation behind the ransomware may be, its low price can make it easily available to anyone and can lead to more severe attacks.

A security research team called MalwareMustDie has been monitoring the discussions on Prison locker. From the screenshots of MalwareMustDie, it looks like the hacker is a security enthusiast with expert-level knowledge of the C/C++ programming languages. Here is a screenshot from the hacker’s Twitter account:

Twitter profile of developer of Prison locker ransomware. Image from MalwareMustDie.

The security team is closely following the developments in the Prison locker ransomware and updating details on their blog post.

One of the positive aspects of the revelation about this new threat is that we now have information about the ransomware before it is in its fully functional form. This gives security experts an opportunity to come up with a countermeasure for this ransomware before it is released. It is better to take control over this ransomware before it starts causing major damage. As these kinds of malware usually hide in email attachments or website links, it is in your control to protect your personal data by not clicking on any malicious links or attachments. One click can infect your system, and that can be avoided if you show good judgment. Regularly back up all your files and keep your backups on a drive that is not connected to your computer. If you have backed up all your files regularly, then you are no longer trapped in such a situation. Even if your system gets infected with Prison Locker ransomware, you can retrieve your data from your backup drive that is not connected to your computer.

Secure cloud storage service that protects your data

SpiderOak is a secure cloud storage service that protects its user data from government surveillance. This service provides users with fully private cloud storage and syncing, featuring all of the benefits of the cloud along with 100% data privacy. SpiderOak is available with onsite deployment and private servers or outsourced deployment through a private and secured public cloud server, so that users and small businesses of all sorts and sizes can tailor the service to fit their needs.