Business & the Cloud Archives - Page 8 of 15 - The Privacy Post

Tech companies call for more restraints on NSA surveillance

Posted on Nov 11, 2013

Image from http://b-i.forbesimg.com

The NSA surveillance revelations have raised questions about the reputation of high-profile technology companies in recent days. Leading technology companies like Yahoo, Google, Apple and Facebook have teamed up against the U.S. government’s surveillance programs to restore their reputation and win back the trust of their customers. After months of asking the government to be more transparent about surveillance requests for mass digital data collection, the technology companies are now demanding substantial restraints on how the National Security Agency collects and uses vast amounts of data. The companies have been pushing for transparency about surveillance requests for the past few months. Unfortunately, the U.S. government has denied their requests, saying that allowing the companies to release such detailed information “would be invaluable to our adversaries,” as it would provide a clear picture of where the government’s surveillance efforts are directed and how its surveillance activities change over time.

Image from http://s1.ibtimes.com

However, the government’s decision has not stopped the technology companies from fighting against surveillance programs for mass data collection. Six major companies (Facebook, Google, Apple, Yahoo, Microsoft and AOL) have sent a letter to the Senate Judiciary Committee calling for more restraints on NSA surveillance programs. The letter endorses greater transparency in surveillance programs and urges U.S. lawmakers to enact reforms that would “include substantial enhancements to privacy protections and appropriate oversight and accountability mechanisms for those programs.” The letter also applauds a bill by lawmakers that would end the bulk collection of phone records of millions of Americans and create a privacy advocate to represent civil liberties interests within the secretive court that oversees the NSA. The companies also noted in the letter: “Transparency is a critical first step to an informed public debate, but it is clear that more needs to be done. Our companies believe that government surveillance practices should also be reformed to include substantial enhancements to privacy protections and appropriate oversight and accountability mechanisms for those programs.” These new steps should make people who use social media, or who want to incorporate social media buttons into their websites (an increasingly popular thing to do), breathe a little easier.

The recent news about the NSA tapping into the data center links of Google and Yahoo has alarmed the technology companies. Compared with the PRISM program, the recently revealed MUSCULAR program appears far more intrusive, because the spy agencies carry out their mass data collection without the knowledge of the tech companies. The tech companies are therefore demanding that the surveillance practices of the U.S. government be reformed to enhance privacy protections and provide “appropriate oversight and accountability mechanisms.” Besides demanding more restraints on surveillance practices, the companies are also implementing stronger security controls to protect their users’ information. For example, Yahoo has recently announced that it will encrypt its email services, and Google has confirmed that it is going to encrypt all keyword searches. The companies are clearly taking security more seriously after the PRISM revelations. If the companies are transparent about their data sharing practices with the NSA and implement proper security measures to protect user data, they are not going to lose the trust of their customers. Keeping their customers’ interests in mind, the companies stated in the letter: “Allowing companies to be transparent about the number and nature of requests will help the public better understand the facts about the government’s authority to compel technology companies to disclose user data and how technology companies respond to the targeted legal demands we receive. Transparency in this regard will also help to counter erroneous reports that we permit intelligence agencies ‘direct access’ to our companies’ servers or that we are participants in a bulk Internet records collection program.”

Image from http://img.washingtonpost.com/

The NSA counters the arguments made by the tech companies regarding the invasion of user privacy, saying “it conducts all of its activities in accordance with applicable laws, regulations, and policies — and assertions to the contrary do a grave disservice to the nation, its allies and partners, and the men and women who make up the National Security Agency.”

According to the analysis of legal experts, “most of the surveillance bills getting wide circulation on Capitol Hill would not address NSA collection operations in other countries.” Jennifer Granick, director of civil liberties at Stanford Law School’s Center for Internet and Society, said, “To reform this is going to require passing a law that regulates NSA’s operations overseas, and none of the bills do that now.”

Secure cloud storage service that protects your data from surveillance

SpiderOak is a secure cloud storage service that protects its user data from government surveillance. This service provides users with fully private cloud storage and syncing, featuring all of the benefits of the cloud along with 100% data privacy. SpiderOak is available with onsite deployment and private servers or outsourced deployment through a private and secured public cloud server, so that users and small businesses of all sorts and sizes can tailor the service to fit their needs.

SpiderOak protects sensitive user data with 256-bit AES encryption so that files and passwords stay private. Authorized accounts and network devices can store and sync sensitive data with complete privacy, because this cloud service has absolutely “zero-knowledge” of user passwords or data. And all plaintext encryption keys are exclusively stored on approved devices, because SpiderOak never hosts any plaintext data. This way, even if programs like NSA’s PRISM continue to stand unchallenged, people can rest easy knowing that their data is truly protected. SpiderOak’s cross-platform private cloud services are available for users on Windows, Mac, and Linux platforms, along with Android and iOS mobile devices, allowing for full flexibility and mobile access. SpiderOak offers amazing products like SpiderOak Hive and SpiderOak Blue to secure consumer and enterprise data. You can sign up for this product now.

NSA’s Influence on NIST Encryption Standards

Posted on Nov 8, 2013

Image from http://www.govinfosecurity.com

The PRISM revelations indicate that the NSA has been eavesdropping on Internet communications by cracking, and installing backdoors into, the majority of cryptographic systems on the web. The classified documents released by Edward Snowden also indicate that the NSA works with the National Institute of Standards and Technology (NIST) to weaken international encryption standards in order to facilitate its spying activities. NIST is a federal agency that “makes measurements and sets standards as needed by industry or government programs”. It also works in cryptography, setting standards for the functions that protect data, such as AES (Advanced Encryption Standard) and DES (Data Encryption Standard). NIST is required “by statute” to consult the NSA on certain standards, but to what extent the NSA influences NIST for its own benefit is still unclear.

The NSA claims that the agency’s role in standards development has made the Internet safer. “We use the cryptography and standards that we recommend, and we recommend the cryptography and standards that we use,” an NSA spokesperson said in an emailed statement. “Our participation in standards development has strengthened the core encryption technology that underpins the Internet.” But the revelations made by Snowden say something different. According to the documents leaked by Snowden, the Dual Elliptic Curve Deterministic Random Bit Generator, or Dual_EC_DRBG, is vulnerable to tampering and allows the spy agency to build in a backdoor to access information. This algorithm has been under the scrutiny of security experts since 2006. They had suspected that the algorithm was insecure and could be cracked.

Dual_EC_DRBG was slower than the other random number generators proposed alongside it, and its output was not very random. A random number generator is extremely important in cryptography, as it strengthens the security of a system by making it less predictable and harder to crack. The security experts predicted that knowing one value, e, in the curve equation could crack the algorithm. Microsoft security employees Dan Shumow and Niels Ferguson presented this weakness [PDF] at the Crypto security conference in 2007. “If an attacker knows e, then they can determine a small number of possibilities for the internal state of the Dual EC PRNG and predict future outputs,” they wrote in their presentation. Despite the vulnerabilities in the Dual_EC_DRBG algorithm, NIST approved it, and several well-known companies like Microsoft, Cisco, Symantec and RSA included the algorithm in their products’ cryptographic libraries in order to become eligible for government contracts.

Image from http://fcw.com

Besides Dual_EC_DRBG, concerns have been raised about the new hash function SHA-3. A hash function is a mathematical operation that produces a digital fingerprint for a set of data. The SHA-3 algorithm was the result of an international competition that ran from 2007 to 2012 under the supervision of NIST. While almost all phases of the competition were open to the public, the NIST committee’s discussions regarding the selection process were not, so it was not clear how the committee determined which teams should advance to the next round. NIST has also made some minor changes to the winning algorithm, Keccak, before standardizing it as SHA-3, which seems a little suspicious. Under the new changes, “The standard will incorporate two rather than the proposed four versions of the hash and some internal changes to the Keccak algorithm that experts fear will reduce SHA-3’s security”.

Image from http://readwrite.com

NIST has always denied that the NSA tampered with NIST’s process for vetting and choosing encryption algorithms. However, these allegations have prompted NIST to review its data encryption processes to restore its reputation in the public eye. As Donna Dodson, Chief of NIST’s computer security division, said, “We will be reviewing our existing body of cryptographic work, looking at both our documented process and the specific procedures used to develop each of these standards and guidelines. If any current guidance does not meet the high standards set out in this process, we will address these issues as quickly as possible”.

True Privacy with SpiderOak

At SpiderOak, we protect sensitive user data using 256-bit AES encryption so that files and passwords remain secure. SpiderOak encrypts the files on your computer before uploading them to the server. As a result, you and only you have access to your unencrypted data. Even SpiderOak cannot read your data, because the keys used for encryption belong only to you. The secret that keeps your data accessible to you alone is your SpiderOak password, which is never transmitted to SpiderOak in its original form. SpiderOak generates a key from your password using the key derivation/strengthening algorithm PBKDF2 (with SHA-256), with a minimum of 16384 rounds and 32 bytes of random data (“salt”). This key is then used to encrypt/decrypt a series of strong encryption keys that in turn encrypt/decrypt your data. So a user who knows her password can generate the outer-level encryption key using PBKDF2 and the salt, then decipher the outer-level keys, and be on her way to decrypting her data. Without knowledge of the password, however, the data is unreadable. This way, even if programs like NSA’s PRISM continue to stand unchallenged, people can rest easy knowing that their data is in truly protected form.
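
The two-level key design described above, as an added example that is not SpiderOak’s code: PBKDF2-HMAC-SHA256 with 16384 rounds and a 32-byte salt produces an outer key, and that outer key only wraps the random data keys that encrypt the files, so a password change rewraps one small blob instead of re-encrypting everything. Because the Python standard library has no AES, the page’s AES wrap is replaced here by an HMAC-SHA256 counter-mode stream cipher with an HMAC tag; the layering is the point, not the cipher, and the account record and passwords are constructed for the demo.

```python
# Added example, not SpiderOak's code: a password-derived key hierarchy in the
# style the page describes. PBKDF2-HMAC-SHA256 with 16384 rounds and a 32-byte
# salt turns the password into an outer key; that key only wraps the random
# data keys that actually encrypt files. The page's AES wrap is replaced by an
# HMAC-SHA256 counter-mode stream cipher plus an HMAC tag, because the
# standard library has no AES; the layering, not the cipher, is the point.
import hashlib
import hmac
import secrets

PBKDF2_ROUNDS = 16384   # minimum round count stated on the page
SALT_LEN = 32           # bytes of random salt stated on the page
KEY_LEN = 32            # 256-bit keys
NONCE_LEN = 16
TAG_LEN = 32


def derive_outer_key(password: str, salt: bytes, rounds: int = PBKDF2_ROUNDS) -> bytes:
    """Password -> outer key. The password itself never has to leave the device;
    the server only needs to keep the salt and the round count."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds, dklen=KEY_LEN)


def _subkey(outer_key: bytes, label: bytes) -> bytes:
    """Separate encryption and MAC keys derived from the outer key."""
    return hmac.new(outer_key, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode: the stand-in for AES in this example."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def wrap_key(outer_key: bytes, data_key: bytes) -> bytes:
    """Encrypt and authenticate a data key; returns nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ks = _keystream(_subkey(outer_key, b"enc"), nonce, len(data_key))
    ct = bytes(a ^ b for a, b in zip(data_key, ks))
    tag = hmac.new(_subkey(outer_key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unwrap_key(outer_key: bytes, blob: bytes) -> bytes:
    """Reverse wrap_key; raises ValueError for a wrong password or a tampered blob."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(_subkey(outer_key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong password or corrupted key blob")
    ks = _keystream(_subkey(outer_key, b"enc"), nonce, len(ct))
    return bytes(a ^ b for a, b in zip(ct, ks))


def create_account(password: str) -> dict:
    """What the server may store: salt, round count and the wrapped data key.
    Neither the password nor the plaintext data key is in the record."""
    salt = secrets.token_bytes(SALT_LEN)
    data_key = secrets.token_bytes(KEY_LEN)     # the key that encrypts the files
    outer = derive_outer_key(password, salt)
    return {"salt": salt, "rounds": PBKDF2_ROUNDS, "wrapped_key": wrap_key(outer, data_key)}


def open_account(record: dict, password: str) -> bytes:
    """Recover the data key from the stored record and the password."""
    outer = derive_outer_key(password, record["salt"], record["rounds"])
    return unwrap_key(outer, record["wrapped_key"])


def password_opens(record: dict, password: str) -> bool:
    """True if the password unwraps the data key, False otherwise."""
    try:
        open_account(record, password)
        return True
    except ValueError:
        return False


def change_password(record: dict, old_password: str, new_password: str) -> dict:
    """Only the wrapped key is rewritten: files encrypted under the data key
    stay exactly as they are, which is the benefit of the two-level design."""
    data_key = open_account(record, old_password)
    salt = secrets.token_bytes(SALT_LEN)
    outer = derive_outer_key(new_password, salt)
    return {"salt": salt, "rounds": record["rounds"], "wrapped_key": wrap_key(outer, data_key)}


if __name__ == "__main__":
    rec = create_account("correct horse battery staple")   # constructed demo password
    print("data key recovered:", open_account(rec, "correct horse battery staple").hex())
    print("wrong password opens:", password_opens(rec, "hunter2"))
```
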

SpiderOak offers amazing products like SpiderOak Hive and SpiderOak Blue to secure consumer and enterprise data. SpiderOak Blue provides enterprises with a fully private cloud service featuring all of the benefits of cloud storage along with 100% data privacy. And for the average web user, SpiderOak offers the same protections at lower cost and with smaller storage space. You can sign up for this product now.

Security Concerns with Healthcare.gov Website

Posted on Nov 7, 2013

Image from www.healthcare.gov

The Healthcare.gov website has been encountering technical difficulties lately. After the launch, many visitors were extremely disappointed with the site’s slow and sluggish operation. Some people were greeted with a blank screen, some spoke to misleading call center representatives or received error messages, and some even had their personal data compromised. On top of all these technical glitches, a security issue with the website was revealed recently. The security flaw was discovered by Arizona-based software tester Ben Simo. According to Simo’s research, gaining access to user accounts by exploiting the security loopholes in the website was extremely simple. He first found a flaw in the site’s password reset function, where anyone could reset your Healthcare.gov password without your knowledge and potentially hijack your account. Apart from that, he lists some of the other possible ways in which your sensitive information (like birthdate, Social Security number and estimated income range) could have been compromised. A hacker could have accessed your personal information by:

  • Guessing an existing user name, and the website would have confirmed it exists.
  • Claiming that you forgot your password, and the site would have reset it.
  • Viewing the site’s unencrypted source code in any browser to find the password reset code.
  • Plugging in the user name and reset code, and the website would have displayed a person’s three security questions (your oldest niece’s first name, name of favorite pet, date of wedding anniversary, etc.).
  • Answering the security questions wrong, and the website would have spit out the account owner’s email address — again, unencrypted.

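
A password reset flow built against the failure modes in that list, as an added example and not Healthcare.gov’s code: the response is identical whether or not the username exists, the token is random, stored only as a hash, expires and is single-use, nothing secret is handed back to the browser or put in page source, and a failed reset reveals no email address. The user table, mail outbox and clock are in-memory stand-ins constructed for the demo.

```python
# Added example, not Healthcare.gov's code: a password reset flow designed
# against the failure modes listed above. Whether or not the username exists,
# the caller gets the same response and the same amount of work is done (no
# account enumeration); the reset token is random, stored only as a hash,
# expires and is single use; nothing secret is placed in page source or in a
# URL with personal data; and a failed reset reveals no email address. The user
# table, mail outbox and clock are in-memory stand-ins constructed for the demo.
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60
GENERIC_MESSAGE = "If an account exists for that username, reset instructions have been emailed."


def hash_password(password: str, salt: bytes = b"") -> bytes:
    """Salted PBKDF2-HMAC-SHA256 (100,000 rounds); returns salt || digest."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt + digest


def verify_password(password: str, stored: bytes) -> bool:
    """Constant-time comparison against the stored salt || digest."""
    salt = stored[:16]
    return secrets.compare_digest(hash_password(password, salt), stored)


class ResetService:
    def __init__(self, users: dict, now=time.time):
        self.users = users      # username -> {"email": str, "password": bytes}
        self.pending = {}       # sha256(token) -> (username, expires_at)
        self.outbox = []        # (email, token) the mailer would send out of band
        self.now = now          # injectable clock so expiry can be tested

    def request_reset(self, username: str) -> str:
        # Do the token work unconditionally so timing does not leak existence.
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).hexdigest()
        user = self.users.get(username)
        if user is not None:
            self.pending[digest] = (username, self.now() + TOKEN_TTL_SECONDS)
            self.outbox.append((user["email"], token))   # token only goes to the owner's inbox
        return GENERIC_MESSAGE   # identical response whether the account exists or not

    def complete_reset(self, token: str, new_password: str) -> bool:
        """Consume the token and set the new password; False means expired,
        unknown or already used, with no hint as to which."""
        digest = hashlib.sha256(token.encode()).hexdigest()
        entry = self.pending.pop(digest, None)     # pop makes the token single use
        if entry is None:
            return False
        username, expires_at = entry
        if self.now() > expires_at:
            return False
        self.users[username]["password"] = hash_password(new_password)
        return True


def demo_service(now=time.time) -> ResetService:
    """Constructed sample account for the demo; not a real user."""
    users = {"jsmith": {"email": "jsmith@example.com", "password": hash_password("old-pass")}}
    return ResetService(users, now)


if __name__ == "__main__":
    svc = demo_service()
    print(svc.request_reset("jsmith"))
    print(svc.request_reset("nobody"))       # same text, nothing to enumerate
    email, token = svc.outbox[0]
    print("reset ok:", svc.complete_reset(token, "new-pass"))
    print("replay ok:", svc.complete_reset(token, "again"))   # False: single use
```
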
Image from http://listentometalkaboutmyself.files.wordpress.com

Anyone with basic knowledge of website coding could conduct such attacks and compromise your personal and healthcare information. The software quality researcher also found flaws in the code written to integrate the site. Personally identifiable information was embedded both in web addresses sent to reset user passwords and in data being sent to third-party sites not directly involved in the health insurance certification process. Even though the data is sent over an encrypted connection, it could still be vulnerable to exploits targeting the website’s users.

Some security researchers say that the website is vulnerable to a hacking technique called “clickjacking” (planting invisible links on legitimate websites). According to the researchers, Healthcare.gov, the portal to which consumers in 35 states are directed to obtain affordable health coverage, has a coding problem that could allow hackers to use the clickjacking technique. A hacker could trick users into giving up their personal data as they enter the website, leaving them vulnerable to identity theft or allowing fraudsters to file health care claims. As mentioned earlier, the website uses Secure Sockets Layer (SSL) encryption, which prevents hackers from intercepting data in transmission. However, the 15 states running their own independent Obamacare websites have no explicit instruction from HHS (Health and Human Services) to use SSL. They are individually responsible for developing their own standards to protect the privacy and security of consumers’ personal information.

Image from www.arstechnica.com

The reason behind these security flaws in the website could be the long-delayed security testing of the entire integrated exchange system. According to an internal memo, the administrators knew that the Obamacare website had security flaws days before its launch. The memo warned that the system hadn’t been sufficiently tested, “exposing a level of uncertainty that can be deemed high risk”. The site was only given provisional security approval before the launch because a substantial amount of testing had not been completed just days before the site’s October 1 launch date. Health and Human Services Secretary Kathleen Sebelius told a House committee last week that temporary authority was granted because a security risk “mitigation plan” was in place. “The personal information going into HealthCare.gov includes birth date, Social Security number and an estimated income range. Sebelius emphasized that the additional security controls gave the agency confidence in going ahead with the launch, despite the audit showing a security gap”.

Keep your health information secure

Users sometimes find that selecting a truly protected third party cloud service can be a challenge as most “secure” services on the market have glaring security gaps that leave their sensitive data wide open to third party attacks, leaks, and hacking. One rapidly expanding cloud storage and sync service that sets itself apart from the rest of the market is SpiderOak. This service provides users with fully private cloud storage and syncing, featuring all of the benefits of the cloud along with 100% data privacy. SpiderOak is available with onsite deployment and private servers or outsourced deployment through a private and secured public cloud server, so that users and small businesses of all sorts and sizes can tailor the service to fit their needs.

SpiderOak protects sensitive user data with 256-bit AES encryption so that files and passwords stay private. Authorized accounts and network devices can store and sync sensitive data with complete privacy, because this cloud service has absolutely “zero-knowledge” of user passwords or data. And all plaintext encryption keys are exclusively stored on approved devices because SpiderOak never hosts any plaintext data. This way, even if programs like NSA’s PRISM continue to stand unchallenged, people can rest easy knowing that their data is truly protected. SpiderOak’s cross-platform private cloud services are available for users on Windows, Mac, and Linux platforms, along with Android and iOS mobile devices, allowing for full flexibility and mobile access. SpiderOak offers amazing products like SpiderOak Hive and SpiderOak Blue to secure consumer and enterprise data. Sign up for this product today!

Silent Circle and Lavabit’s “DarkMail Alliance”

Posted on Nov 6, 2013

Image from http://silentcircle.wordpress.com

In the age of the PRISM revelations, finding a truly secure email service can be a challenge. The recent news about government surveillance often makes us worry about the privacy of our personal information on the Internet. The NSA leaks have made us aware that almost all of us store our email with a third-party service, and that it can be intercepted during transmission. Apart from that, there is also the possibility of the emails being hacked, or scanned by advertisers. With such user privacy concerns in the forefront, two secure email service providers, Lavabit and Silent Circle, have joined forces to launch a secure email system called the “Dark Mail Alliance”. Both Silent Circle and Lavabit had shut down their encrypted email services in August in a bid to resist surveillance.

The companies presented their ideas at the Inbox Love conference last week, saying that they hope to “change the world of email completely by putting privacy and security at its core.” Dark Mail would shield both the contents of the email and its “metadata,” including “to” and “from” data, IP addresses and headers. It will use XMPP, a web messaging protocol, along with another secure protocol created by Silent Circle called SCIMP, instead of SMTP. Silent Circle CTO Jon Callas said that “it’s high time to boot the antiquated SMTP out the door. This is just another transport – what we’re getting rid of is SMTP. We like to laugh at it, but there are reasons why it was a good system. We’re replacing the transport with a new transport. E-mail was designed 40 years ago when everybody on the Internet knew each other and were friends.”

Image from www.arstechnica.com

The private key used for encrypting the emails will not be stored on the service provider’s server, but rather held on the user’s system, and it can be replicated across all of the user’s devices. The public key and addresses will be held on the public server. The emails will be encrypted and stored on the user’s system before being sent to the cloud. As a result, the user’s data would not be compromised even if the government forced an SSL key to be turned over, since all the messages are encrypted using the key that sits on the user’s system. Dark Mail will be available as an add-on or an option for existing email providers; Gmail could use it if Google chooses to participate.

The alliance is also planning to implement other security measures to provide a robust and secure email service to users. One idea is to implement a protocol that keeps a static public key for a few hours or days and then refreshes it. Old email messages would need to be encrypted using the new key to provide better protection for sensitive data. Another security feature under consideration is “forward secrecy”, which limits the amount of data that can be decrypted if the private key is compromised.

Image from http://www.computerworld.com

In comparison to existing forms of email encryption like PGP, Dark Mail will provide better security by encrypting the metadata along with the content of the email. PGP cannot encrypt the subject header or other metadata, and the average user finds it very complicated to use. Dark Mail plans to make its service extremely easy to use. “People using the technology will still be able to send emails to friends or colleagues using Gmail and Hotmail—but when sending messages to non-Dark Mail users, a warning will be displayed, making it clear that the communication could be intercepted”.

The source code of the software will be publicly available for anyone to scrutinize or audit, and the team hopes that more companies will join the Dark Mail Alliance for better email security. Lavabit’s founder, Ladar Levison, will soon launch a fundraising campaign for the Dark Mail Alliance to open-source Lavabit’s code “with support for DarkMail built-in.” “The first 32 companies to donate $10,000 will get a pre-release 60 days before the public gets it so that those companies can integrate it into their systems first”.

The companies believe that within three or four years the Dark Mail service will be used by the majority of Internet users. However, companies like Microsoft and Google might be unwilling to adopt this technology, because it would hinder the government’s surveillance efforts to monitor communications and track criminals. Silent Circle CEO Mike Janke says surveillance has become “completely out of hand”, and he believes it is time to readdress the balance between security and privacy.

Secure cloud storage service that protects your data from surveillance

Similar to Silent Circle and Lavabit, SpiderOak is a secure cloud storage service that protects its user data from government surveillance. This service provides users with fully private cloud storage and syncing, featuring all of the benefits of the cloud along with 100% data privacy. SpiderOak is available with onsite deployment and private servers or outsourced deployment through a private and secured public cloud server, so that users and small businesses of all sorts and sizes can tailor the service to fit their needs.

SpiderOak protects sensitive user data with 256-bit AES encryption so that files and passwords stay private. Authorized accounts and network devices can store and sync sensitive data with complete privacy, because this cloud service has absolutely “zero-knowledge” of user passwords or data. And all plaintext encryption keys are exclusively stored on approved devices, because SpiderOak never hosts any plaintext data. This way, even if programs like NSA’s PRISM continue to stand unchallenged, people can rest easy knowing that their data is truly protected. SpiderOak’s cross-platform private cloud services are available for users on Windows, Mac, and Linux platforms, along with Android and iOS mobile devices, allowing for full flexibility and mobile access. SpiderOak offers amazing products like SpiderOak Hive and SpiderOak Blue to secure consumer and enterprise data. You can sign up for this product now.

SpiderOak Tips To Securely Manage All Your Passwords

Posted on Nov 5, 2013

Image from http://www.freepasswordmanager.com

Many of us log on to numerous online applications every day to check our email, manage bank accounts, play games and socialize. However, using so many services means accumulating usernames and passwords for every service we try, and we tend to reuse the same log-in information across all of them. In spite of being warned repeatedly about the importance of strong and secure passwords, we tend to use simple, short and easy-to-remember passwords. I know that using a different, unique and complex password for each application can be very tiring, but for the privacy and security of our own data we need to do so. Weak passwords leave our data vulnerable to unauthorized access. In a phishing scam, an attacker can trick you into entering your credentials on a legitimate-looking website or email and compromise your account. The result of such an attack can be even worse if you use the same password for a number of different applications. Similarly, if a web server is hacked, our account information can be accessed by the attacker and used to conduct further attacks.

Image from http://www.techxav.com/

These are some of the steps you can take to create a strong and hard to crack password to protect your data online:

  • Your passwords should be at least 8 characters long and should combine upper and lowercase letters, numbers and special characters. Never use personal information like a child’s or pet’s name, birth dates, or dictionary words to create your password.
  • Even if you decide to use a loved one’s name or dictionary words in your password, you can use them more safely by incorporating random capital letters, swapping letters for numbers, and including a symbol or two. “For example, the extremely poor “password” password would be much stronger as “r1Va’5paZZw8rD.”
  • Similarly, you can use a phrase or a line from a poem and mix it with numbers, symbols or misspelled words for better security.
  • Change your passwords frequently (every 30 to 60 days). Changing your passwords regularly makes them harder to guess. Never reuse old passwords. Don’t share them or leave them out for others to see (no sticky notes).
  • Use different passwords for different web services, so that if one of your accounts is compromised, you can be assured that your other accounts are safe. “A study by BitDefender showed that 75 percent of people use their e-mail password for Facebook, as well. If that’s also your Amazon or PayPal password and it’s discovered, say good-bye to some funds, if not friends.” Here is an interesting video by SpiderOak that provides some additional information about password security.

Besides the steps above, you can also use a password manager to handle multiple passwords for different web applications. A password manager stores usernames and passwords and lets you access them with a single master password. Some popular password managers are 1Password for Mac and KeePass for Windows. “These programs detect when you’re visiting a website for which they have a saved password, and then allow you to paste the correct username and password into that site using only your master password. Using such a program, you can create unique, secure passwords for every account you own, while only memorizing one secure key.” A password manager can create and fill in passwords automatically, and can be used on as many of your own computers as you want. The one drawback of using a password manager is that if your master password is compromised, the hacker gets access to all of your other sites’ information. Therefore you need to change your master password regularly in order to keep your information safe.

Image from http://mashable.com

True Privacy with SpiderOak

Most popular “secure” cloud services are still vulnerable to third-party attacks. To truly experience privacy for your individual or business needs, an anonymous cloud storage and sharing service like SpiderOak provides all the benefits of the cloud while protecting against hacking and security breaches. This service provides users with fully private cloud storage and syncing, featuring all of the benefits of the cloud along with 100% data privacy.

SpiderOak protects sensitive user data with 256-bit AES encryption so that files and passwords stay private. Authorized accounts and network devices can store and sync sensitive data with complete privacy, because this cloud service has absolutely “zero-knowledge” of user passwords or data. And all plaintext encryption keys are exclusively stored on approved devices, because SpiderOak never hosts any plaintext data. This way, even if programs like NSA’s PRISM continue to stand unchallenged, people can rest easy knowing that their data is truly protected. SpiderOak’s cross-platform private cloud services are available for users on Windows, Mac, and Linux platforms, along with Android and iOS mobile devices, allowing for full flexibility and mobile access. SpiderOak offers amazing products like SpiderOak Hive and SpiderOak Blue to secure consumer and enterprise data. You can sign up for this product now.

Adobe Breach Worse than Previously Disclosed

Posted on Nov 4, 2013

Image from http://www.pcrisk.com

Early in October, Adobe suffered a massive data breach. The breach exposed the personal information of millions of customers and the source code of well-known Adobe products like Adobe Acrobat, ColdFusion, and others. The attackers managed to access customer names, IDs, encrypted credit and debit card numbers, expiry dates and other details. Initially it was estimated that the data of about 2.9 million users was accessed during the breach. However, according to a report by Krebs on Security, the breach has affected the personal and sensitive data of approximately 38 million accounts. Journalist Brian Krebs and Alex Holden of Hold Security found a huge file named “users.tar.gz” on AnonNews.org that appears to include more than 150 million username and hashed password pairs taken from Adobe. The 3.8 GB file appeared to be the same one they had found on the server with the other data stolen from Adobe.

Image from KrebsOnSecurity

Image from KrebsOnSecurity

Adobe’s spokesperson Heather Edell confirmed that the breach affected about 38 million active users. Edell said Adobe believes that the attackers also accessed many invalid Adobe IDs, Adobe IDs with invalid encrypted passwords, and test account data. She also mentioned that Adobe has finished informing the affected active users and is working on contacting inactive users:

“So far, our investigation has confirmed that the attackers obtained access to Adobe IDs and (what were at the time valid), encrypted passwords for approximately 38 million active users. We have completed email notification of these users. We also have reset the passwords for all Adobe IDs with valid, encrypted passwords that we believe were involved in the incident—regardless of whether those users are active or not. We are still in the process of investigating the number of inactive, invalid and test accounts involved in the incident… Our notification to inactive users is ongoing.”

The investigations by Krebs on Security and Hold Security claim that the hackers stole the source code of Adobe products such as Photoshop, Acrobat, and Reader. Adobe confirmed that some of the Photoshop source code was stolen. Hold Security suggested that the source code theft could have far-reaching security implications. “While we are not aware of specific use of data from the source code, we fear that disclosure of encryption algorithms, other security schemes, and software vulnerabilities can be used to bypass protections for individual and corporate data,” the firm wrote. “Effectively, this breach may have opened a gateway for new generation of viruses, malware, and exploits.”

Adobe has released a help document for the affected users. Adobe encourages affected users to change their passwords if they receive an email notification from Adobe. Users are advised to use different passwords for different Adobe services. As a precaution, they should also change their password on any website where they may have used the same user ID and password as their Adobe ID and password.

Image from http://thenextweb.com/

Image from http://thenextweb.com/

Lessons learnt from the Adobe security breach:

  • Companies must protect the keys used to encrypt sensitive user data. Although keys have become longer and harder to crack over the years, there are still problems with how keys are managed. All too often, companies leave their keys on the same server as the data they protect, so an attacker who breaks into the server holding the sensitive data gets the keys along with it.
  • Similarly, weak random number generators used to generate encryption keys can be broken these days by pooling the computing power of a few ordinary PCs into a cloud-based bootleg supercomputer.
  • As a customer, you can keep your data safe by using strong, hard-to-crack passwords. Always use passwords that are at least 8 characters long and combine letters, numbers and special characters. Change your passwords frequently, and use different passwords for different web services. Tomorrow, we’ll be featuring an article on secure password management, featuring a great video from SpiderOak.
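The first lesson is easier to see in code. The following Go example is added here for illustration and is not Adobe’s code or any vendor’s: it contrasts a record that stores its AES key right beside the ciphertext (the layout the lesson warns about) with an envelope layout in which only a wrapped per-record data key sits beside the data and the master key lives in a separate key-management service. The `KMS` type that stands in for that service, the record types, and the sample secret are all constructed for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// newGCM builds an AES-GCM cipher for a 256-bit key.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts plaintext under key and prefixes the random nonce.
func seal(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// open reverses seal; a wrong key surfaces as an authentication error.
func open(key, sealed []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil || len(sealed) < gcm.NonceSize() {
		return nil, errors.New("bad key or truncated ciphertext")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}

// randomKey draws a fresh 256-bit key from the OS CSPRNG (lesson two above).
func randomKey() []byte {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		panic(err)
	}
	return k
}

// NaiveRecord is the layout the first lesson warns about: the key sits next
// to the data, so a copy of the record store is a copy of the plaintext.
type NaiveRecord struct{ Key, Ciphertext []byte }

func NaiveStore(plaintext []byte) (NaiveRecord, error) {
	key := randomKey()
	ct, err := seal(key, plaintext)
	return NaiveRecord{Key: key, Ciphertext: ct}, err
}

// KMS stands in for a key-management service on a separate, hardened host
// (an assumption of this example); the master key never leaves it.
type KMS struct{ master []byte }

func NewKMS() *KMS                                   { return &KMS{master: randomKey()} }
func (k *KMS) Wrap(dek []byte) ([]byte, error)       { return seal(k.master, dek) }
func (k *KMS) Unwrap(wrapped []byte) ([]byte, error) { return open(k.master, wrapped) }

// EnvelopeRecord keeps only a wrapped per-record data key beside the data.
type EnvelopeRecord struct{ WrappedDEK, Ciphertext []byte }

func EnvelopeStore(kms *KMS, plaintext []byte) (EnvelopeRecord, error) {
	dek := randomKey()
	ct, err := seal(dek, plaintext)
	if err != nil {
		return EnvelopeRecord{}, err
	}
	wrapped, err := kms.Wrap(dek)
	return EnvelopeRecord{WrappedDEK: wrapped, Ciphertext: ct}, err
}

func EnvelopeLoad(kms *KMS, r EnvelopeRecord) ([]byte, error) {
	dek, err := kms.Unwrap(r.WrappedDEK)
	if err != nil {
		return nil, err
	}
	return open(dek, r.Ciphertext)
}

// StolenNaive and StolenEnvelope model an intruder who copied the record
// store off the application server but cannot reach the KMS.
func StolenNaive(r NaiveRecord) ([]byte, error) { return open(r.Key, r.Ciphertext) }

func StolenEnvelope(r EnvelopeRecord) ([]byte, error) {
	// The only key-sized bytes on hand are the wrapped DEK; without the
	// master key they are not the DEK, and GCM authentication rejects them.
	return open(r.WrappedDEK[:32], r.Ciphertext)
}

func main() {
	kms := NewKMS()
	secret := []byte("0000-0000-0000-0000 (constructed sample card number)")
	n, _ := NaiveStore(secret)
	e, _ := EnvelopeStore(kms, secret)
	_, errN := StolenNaive(n)
	_, errE := StolenEnvelope(e)
	fmt.Printf("intruder decrypts key-beside-data: %v, envelope: %v\n", errN == nil, errE == nil)
}
```

The point is not the cipher but where the key lives: with the envelope layout, the breach of the application server described above yields ciphertext plus wrapped keys, and the attacker still has to compromise the separate key service before any record becomes readable.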

SpiderOak Blue for Enterprises:

Finding a truly secure third-party cloud service can be a challenge, as many services on the market have security gaps that leave private data vulnerable to third-party attacks. One cloud storage and sync service that sets itself apart is SpiderOak Blue. This service provides enterprises with a fully private cloud service featuring all of the benefits of cloud storage along with 100% data privacy. And for the average web user, SpiderOak offers the same protections with lower costs and smaller storage space. You can sign up for this product now.

SpiderOak Blue protects sensitive enterprise data through two-factor authentication and 256-bit AES encryption, so that files and passwords stay private as unreadable blocks of data. Two-factor authentication is just like the process used by some financial services that require a PIN as an extra precaution along with a password in order to log in. With SpiderOak, enterprises that choose to use two-factor authentication must submit a private code received by text message along with their password. Authorized accounts can store and sync sensitive data with complete privacy, because this cloud service has absolutely “zero-knowledge” of user passwords or data. All plaintext encryption keys are stored exclusively on approved devices (SpiderOak never hosts any plaintext data). SpiderOak Blue’s cross-platform private cloud services are available for enterprises on Windows, Mac, and Linux, along with Android and iOS mobile devices.

NSA Hacks into Google and Yahoo Data Center Links

Posted by on Nov 1, 2013

Image from http://s1.reutersmedia.net

Image from http://s1.reutersmedia.net

After the well-known PRISM program, another mass data-collection program by the NSA, called “MUSCULAR”, has recently come to light. The NSA operates this project of exploiting data links jointly with its British counterpart, Government Communications Headquarters (GCHQ). Both spy agencies successfully penetrated the main links that connect Google and Yahoo data centers around the world, giving them access to the accounts of millions of people, including US residents. As the Washington Post reports, by tapping those links the NSA is able to collect a wide range of user information, including “metadata” indicating who sent or received e-mails and when, as well as content such as text, audio and video.

Through this program the NSA collects millions of records every day from the internal networks of Yahoo and Google and sends them to data warehouses at the NSA’s headquarters in Fort Meade, Maryland. According to a top-secret accounting dated January 9, 2013, about 181,280,466 new records containing user data had been processed and sent back by field collectors. The NSA does not keep everything it collects, but it keeps a lot. Jointly, the NSA and its British counterpart copy the entire flow of data across the fiber-optic cables carrying information between Yahoo and Google data centers. However, the interception points from which they access such a huge amount of data remain undisclosed. In an NSA slide presentation, the agency explains how it gets into the midpoint where the Google cloud touches the public Internet; the presenter adds a smiley face and the note “SSL added and removed here”.

Image from www.washingtonpost.com

Image from www.washingtonpost.com

In response to the report by Washington Post regarding the “MUSCULAR” program, the NSA said:

“NSA has multiple authorities that it uses to accomplish its mission, which is centered on defending the nation. The Washington Post’s assertion that we use Executive Order 12333 collection to get around the limitations imposed by the Foreign Intelligence Surveillance Act and FAA 702 is not true. The assertion that we collect vast quantities of U.S. persons’ data from this type of collection is also not true. NSA applies Attorney General-approved processes to protect the privacy of U.S. persons – minimizing the likelihood of their information in our targeting, collection, processing, exploitation, retention, and dissemination. NSA is a foreign intelligence agency. And we’re focused on discovering and developing intelligence about valid foreign intelligence targets only.”

Image from http://www.slashgear.com

Image from http://www.slashgear.com

Compared to PRISM, the recently revealed MUSCULAR program seems more intrusive, as the spy agencies carry out their mass data collection without the knowledge of the tech companies. The NSA also gains an advantage by intercepting communications overseas, where the rules are laxer and there is less oversight; such large-scale data collection would be illegal in the United States. Under PRISM, by contrast, the NSA had to issue a court warrant to the companies in order to collect user data. To maintain the privacy of their users, the tech companies are also working on stronger security measures to keep user data secure. Google is working towards encrypting the flow of information between its data centers as a reaction to the NSA surveillance. Google Chief Legal Officer David Drummond said that the company does not give any government access to its systems, but that it has been concerned about the possibility of this kind of snooping and has encrypted more of Google’s services and links as a result. “We are outraged at the lengths to which the government seems to have gone to intercept data from our private fiber networks, and it underscores the need for urgent reform,” he said.

Similarly Yahoo emphasized “strict controls in place to protect the security of our data centers, and we have not given access to our data centers to the NSA or any other government agency.”

Secure cloud storage service that protects your data from surveillance

SpiderOak is a secure cloud storage service that protects its user data from government surveillance. This service provides users with fully private cloud storage and syncing, featuring all of the benefits of the cloud along with 100% data privacy. SpiderOak is available with onsite deployment and private servers or outsourced deployment through a private and secured public cloud server, so that users and small businesses of all sorts and sizes can tailor the service to fit their needs.

SpiderOak protects sensitive user data with 256-bit AES encryption so that files and passwords stay private. Authorized accounts and network devices can store and sync sensitive data with complete privacy, because this cloud service has absolutely “zero-knowledge” of user passwords or data. All plaintext encryption keys are stored exclusively on approved devices, because SpiderOak never hosts any plaintext data. This way, even if programs like the NSA’s PRISM continue to stand unchallenged, people can rest easy knowing that their data is truly protected. SpiderOak’s cross-platform private cloud services are available for users on Windows, Mac, and Linux, along with Android and iOS mobile devices, allowing for full flexibility and mobile access. SpiderOak offers products like SpiderOak Hive and SpiderOak Blue to secure consumer and enterprise data. You can sign up for this product now.

Mobile apps vulnerable to HTTP Request Hijacking

Posted by on Oct 31, 2013

Image from http://blog.farreachinc.com

Image from http://blog.farreachinc.com

Like many people, I like to start my day by opening the news app on my smartphone and reading about what’s going on around the world. I totally trusted my news application for reading the daily news, until I stumbled upon this blog post about vulnerabilities in mobile phone apps. According to researchers at Israel-based Skycure, large numbers of iPhone and iPad apps are susceptible to attacks that cause them to interact with a malicious server instead of the legitimate one. The majority of mobile apps interact with a server to send or retrieve data.

An attacker carries out the attack by altering the server URL from which the app loads its data, redirecting the victim’s app to a malicious server. Once redirected, apps that display news, social media content, or stock quotes can be manipulated to show fraudulent content, and data sent by the end user can be intercepted. Once an app has been tampered with, it keeps connecting to the attacker-controlled server for a prolonged time.

The Skycure team came across this redirection bug in their own app. Soon after, they tested a batch of high-profile apps and found that about half of them were vulnerable to such attacks. This kind of weakness is called HTTP request hijacking (HRH) and is estimated to affect at least 10,000 titles in the App Store.

Browsers and apps store HTTP redirections in a cache so that they can use the updated address the next time the user visits the old one. When a URL changes, the app or browser receives an HTTP response with the 301 Moved Permanently status code. An attacker can abuse this response to alter and control the application without the victim noticing. When using a mobile app, there is no visual way to tell which server you are connected to; in a web browser, by contrast, the forwarding is easy to spot in the address bar.

Image from http://www.skycure.com

Image from http://www.skycure.com

To carry out this attack, the attacker first performs a man-in-the-middle attack on an unsecured Wi-Fi connection. When the user opens a vulnerable app, the attacker intercepts the HTTP request it sends and responds with a fake 301 status response. From then on the app connects to the attacker-controlled server even when it is on a trustworthy network. According to Skycure’s research, this attack can only happen if the attacker is physically near the victim for the initial poisoning (the later steps do not depend on the victim’s location) and the app uses a plain HTTP connection to its server. Apps that use HTTPS correctly are less likely to fall prey to such an attack. However, a victim can be socially engineered into installing a malicious profile that includes fraudulent digital certificates. Besides iOS, apps that run on Android and Microsoft’s Windows Phone may also be vulnerable, but the researchers at Skycure have not performed enough testing to be sure.

How to protect yourself from HTTP Request Hijacking attacks?

  • If you suspect that one of your apps has been hijacked, immediately remove the app and reinstall it.
  • Prefer apps that use HTTPS connections; that way you are protected against such attacks. HTTPS encrypts the communication channel over the Internet, so it is far harder to break into an HTTPS connection than into an HTTP one.
  • For app developers, Skycure recommends a remediation: create a subclass of NSURLCache that avoids caching 301 redirections.
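To make the caching behaviour and the remediation concrete, here is an added example written for this page in Go; it is not Skycure’s NSURLCache subclass and not code from any of the apps mentioned. It models an app’s 301 cache in two modes: the naive one that persists whatever Location it receives, and a strict one that only persists a redirect staying on the same host and never downgrading from HTTPS, so that a single poisoned reply is at most followed once rather than remembered. The hostnames news.example.com and attacker.example.net are constructed placeholders.

```go
package main

import (
	"fmt"
	"net/url"
)

// RedirectCache remembers the Location of 301 responses per requested URL,
// the behaviour that lets a single poisoned response persist. Strict selects
// the hardened policy implemented by TrustworthyRedirect.
type RedirectCache struct {
	Strict bool
	cached map[string]string
}

func NewRedirectCache(strict bool) *RedirectCache {
	return &RedirectCache{Strict: strict, cached: map[string]string{}}
}

// TrustworthyRedirect reports whether a 301 from requested to location is
// safe to persist: a known scheme, the same host, and no HTTPS-to-HTTP
// downgrade. Anything else may be followed once but is not remembered.
func TrustworthyRedirect(requested, location string) bool {
	src, errSrc := url.Parse(requested)
	dst, errDst := url.Parse(location)
	if errSrc != nil || errDst != nil {
		return false
	}
	if dst.Scheme != "http" && dst.Scheme != "https" {
		return false
	}
	if dst.Hostname() != src.Hostname() {
		return false // cross-host redirect: the hijacking vector described above
	}
	if src.Scheme == "https" && dst.Scheme != "https" {
		return false // never remember a downgrade
	}
	return true
}

// Observe feeds one response for requested into the cache.
func (c *RedirectCache) Observe(requested string, status int, location string) {
	if status != 301 || location == "" {
		return
	}
	if c.Strict && !TrustworthyRedirect(requested, location) {
		return
	}
	c.cached[requested] = location
}

// Resolve returns the URL the app will actually contact for requested.
func (c *RedirectCache) Resolve(requested string) string {
	if target, ok := c.cached[requested]; ok {
		return target
	}
	return requested
}

// Constructed sample URLs for the demonstration.
const (
	legitURL    = "http://news.example.com/api/headlines"
	injectedURL = "http://attacker.example.net/api/headlines"
)

func main() {
	for _, strict := range []bool{false, true} {
		c := NewRedirectCache(strict)
		c.Observe(legitURL, 301, injectedURL) // one poisoned reply on open Wi-Fi
		fmt.Printf("strict=%v: later requests go to %s\n", strict, c.Resolve(legitURL))
	}
}
```

Running it shows the naive cache sending every later request to the injected host, while the strict cache keeps contacting the original URL; a same-host upgrade to HTTPS is still cached, so legitimate permanent moves keep working.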

Image from http://www.skycure.com

Secure your data with SpiderOak

For most developers and users, finding a truly protected third-party cloud service can be a challenge, as many “secure” services on the market have security gaps that leave data and private company information wide open to third-party attacks, leaks, or hacking. One cloud storage and sync service that sets itself apart from the rest of the market is SpiderOak. This service provides businesses with fully private cloud storage and syncing, featuring all of the benefits of the cloud along with 100% data privacy. SpiderOak is available with onsite deployment on private servers or outsourced deployment through a private, secured public cloud server, so that users can tailor the service to fit their needs.

SpiderOak protects sensitive user data with 256-bit AES encryption so that data, files, and passwords stay private. Authorized accounts and network devices can store and sync sensitive data with complete privacy, because this cloud service has absolutely “zero-knowledge” of user passwords or data. And all plaintext encryption keys are exclusively stored on approved devices because SpiderOak never hosts any plaintext data. This way, even if programs like NSA’s PRISM continue to stand unchallenged, developers can rest easy knowing that their data is truly protected. SpiderOak’s cross-platform private cloud services are available for users on Windows, Mac, and Linux platforms, along with Android and iOS mobile devices, allowing for full flexibility and enabling a secure mobile workforce.

 

How the NSA is Controlling the Internet

Posted by on Oct 30, 2013

Image from http://raymondpronk.files.wordpress.com

Image from http://raymondpronk.files.wordpress.com

Recently, I came across an interesting article by security researcher Bruce Schneier titled “The Battle for Power on the Internet”. The article discusses the battle for power in cyberspace between traditional institutional bodies like governments and the cyber criminals (i.e. hackers). From the recent revelations about the NSA’s PRISM program, it looks like the government is winning this battle big time. The NSA has the power and resources to spy on each and every one of us. It has been successful in circumventing the majority of security controls on the web in order to gain control over Internet communications. In my previous blogs, we have seen how the government has joined hands with technology giants like Google, Apple, Facebook and other well-known companies to get access to user data that it could not have accessed otherwise. Most of these companies provide information to the government, betraying their users’ trust. Besides that, the NSA also works with security vendors to understand the vulnerabilities of widely used commercial products and later exploits them for surveillance purposes.

Image from http://www.theatlantic.com/

Image from http://www.theatlantic.com/

On the other hand, cybercriminals are very quick at taking advantage of new technologies to accomplish their goals. In the early days of the Internet, cybercriminals became more powerful because they could use the new technology to carry out cyber crimes before the government could think of a better way to use it. A new technology always benefits a hacker more than institutional powers, because hackers are not hindered by bureaucracy or by ethics and laws, so they evolve faster than the institutional powers. However, when the big, powerful institutions figure out a way to harness the Internet, they become even more powerful. For example, “while the Syrian dissidents used Facebook to organize, the Syrian government used Facebook to identify dissidents to arrest.” We saw the launch of the new iPhone 5S with a fingerprint reader recently. Guess what? Two days after the smartphones went on sale, the Germany-based hacker group Chaos Computer Club (CCC) claimed to have bypassed the fingerprint reader of the iPhone 5S. The group confirmed the bypass on its website, saying: “A fingerprint of the phone user, photographed from a glass surface, was enough to create a fake finger that could unlock an iPhone 5s secured with Touch ID.”

Image from http://www.4pointsecurity.com

Image from http://www.4pointsecurity.com

I totally agree with Schneier’s statement – “it is a battle between the quick and the strong”.

After reviewing the strengths and weaknesses of both hackers and the government, I feel that as technology advances this battle is going to get worse. As a result, there will be more risks to the privacy of ordinary people using the Internet. We do not have the technical ability to protect our data from government snooping, or to stop hackers from preying on us. With the rise of cloud computing we no longer control our data, as it is stored on the servers of tech companies like Apple, Google, Microsoft and so on. From the PRISM revelations, it is clear that the government can get access to our data whenever it wants just by issuing a warrant to these companies. In such a situation, what needs to be done to maintain the privacy of Internet users? Firstly, the government needs to be transparent about its use of user data. The more we learn about how our data is handled by the government, the more we can trust that it is not abusing its authority. “Transparency and oversight give us the confidence to trust institutional powers to fight the bad side of distributed power, while still allowing the good side to flourish. For if we’re going to entrust our security to institutional powers, we need to know they will act in our interests and not abuse that power. Otherwise, democracy fails.”

Secondly, the technology companies also need to be transparent about their cooperation with the NSA in handling user data. We have seen in the past that technology companies are teaming up against the NSA to publish transparency reports of user data requests made by the government. A detailed report explaining what information they provided in response to National Security Letters and other government demands will help these companies gain the trust of their users. Cloud storage companies should also implement strong security controls like strong passwords, longer keys or complex hash algorithms that make it difficult for anyone to access user data.

Lastly, we as users need to be aware of the security risks that come with the Internet and take proper security measures to protect our data from unauthorized access.

Secure your personal data with SpiderOak

Users sometimes find that selecting a truly protected third-party cloud service can be a challenge, as most “secure” services on the market have glaring security gaps that leave their sensitive data wide open to third-party attacks, leaks, and hacking. One rapidly expanding cloud storage and sync service that sets itself apart from the rest of the market is SpiderOak. This service provides users with fully private cloud storage and syncing, featuring all of the benefits of the cloud along with 100% data privacy. SpiderOak is available with onsite deployment on private servers or outsourced deployment through a private, secured public cloud server, so that users and small businesses of all sorts and sizes can tailor the service to fit their needs.

SpiderOak protects sensitive user data with 256-bit AES encryption so that files and passwords stay private. Authorized accounts and network devices can store and sync sensitive data with complete privacy, because this cloud service has absolutely “zero-knowledge” of user passwords or data. All plaintext encryption keys are stored exclusively on approved devices, because SpiderOak never hosts any plaintext data. This way, even if programs like the NSA’s PRISM continue to stand unchallenged, people can rest easy knowing that their data is truly protected. SpiderOak’s cross-platform private cloud services are available for users on Windows, Mac, and Linux, along with Android and iOS mobile devices, allowing for full flexibility and mobile access. SpiderOak offers products like SpiderOak Hive and SpiderOak Blue to secure consumer and enterprise data. You can sign up for this product now.

Facebook Changes Privacy Setting for Teenagers

Posted by on Oct 29, 2013

Image from http://blogs.lse.ac.uk


Facebook has recently made some changes to its privacy rules for teenagers. Under the new policy, teenagers between the ages of 13 and 17 can now share their posts with everyone on the Internet. They can post status updates, images and videos that can be seen by anyone, not just their friends or friends of friends. These changes might help Facebook become more competitive against other social networks that appeal to young users. Also, having public data on teenagers and their likes and dislikes will attract more advertisers.

When an underage user signs up for a Facebook account, their posts are shown to a narrower audience by default: only to Friends. If teenagers choose “Public” in the audience selector, they see a reminder that the post can be seen by anyone, not just people they know, with an option to change the post’s privacy. And if they continue to post publicly, they get another reminder that anyone can now see their posts. Default settings for existing teenage profiles won’t change, and past posts are not affected. Besides warning users when they change their audience setting, Facebook also maintains the privacy of teenagers online by:

  • Designing features that remind them who they are sharing their information with and that limit interaction with strangers.
  • Keeping sensitive information about minors, such as contact details, school and birthday, from appearing in public.
  • Reminding minors that they should only accept friend requests from people they know.

Image from www.facebook.com

In a blog post, Facebook says that it has loosened the privacy restrictions to make its service more enjoyable for teenagers, and give them an opportunity to express their views and opinions in a public platform. Justifying its new move, Facebook states “Teens are among the savviest people using social media, and whether it comes to civic engagement, activism, or their thoughts on a new movie, they want to be heard. So, starting today, people aged 13 through 17 will also have the choice to post publicly on Facebook.”

Image from http://therealtimereport.com/

Image from http://therealtimereport.com/

Although Facebook has implemented many security measures to protect teenagers, there are still certain risks that need to be addressed. Security risks of the new privacy policy for teens:

  • Technological advances have made it possible to analyze large amounts of data and identify patterns. Facebook collects massive amounts of personal data, and its search engine allows users to filter through a trove of information, including “status updates, photo captions, check-ins and comments.” So the more information teenagers share in public, the easier it will be for unintended parties to find them. Some searches on Facebook might reveal controversial or embarrassing views, relationships and experiences of underage users.
  • Teenagers might become targets of advertising by sharing their interests in food, clothing or technology in public. Businesses that depend on social media to reach their customers will benefit hugely from this move, as valuable data on teens’ interests will help them shape their marketing efforts. For example, “Favorite teen retailer Forever 21 engages its Facebook fans by posting pictures of models wearing its clothing on city streets. Customers can then purchase the items by clicking on a link that leads directly to its store. Since teenagers are statistically more susceptible to peer pressure than older Facebookers, seeing these outfits in action is more likely to prompt them to click through to see the items in the photo.”
  • Kids can bypass parental controls and permission, and might end up offering sensitive information to strangers online. Cyberbullies can use that information to harass, blackmail or demean children. Through private profiles or fake identities, bullies can make outrageous claims and attacks without having to worry about retribution or consequences of any kind.
  • Facebook does not have a reliable way of verifying whether somebody signing up for a Facebook account is a minor. Millions of kids fake their age to get onto Facebook. Therefore Facebook needs to implement controls to verify users’ ages and provide younger children with a safe, secure and private experience that allows them to interact with verified friends and family members without having to lie about their age.

Social Media & Security Through SpiderOak

Social media users should be aware of how their data is collected and used before using any social media site or platform. Don’t upload anything you don’t want shared and exploited for advertising purposes, and be sure to store anything sensitive exclusively with a secure cloud provider. For most users, finding a truly protected third-party cloud service can be a challenge, as many “secure” services on the market have security gaps that leave data and private information wide open to third-party attacks, leaks, or hacking. One cloud storage and sync service that sets itself apart from the rest of the market is SpiderOak. This service provides users with fully private cloud storage and syncing, featuring all of the benefits of the cloud along with 100% data privacy. SpiderOak is available with onsite deployment on private servers or outsourced deployment through a private, secured public cloud server, so that users can tailor the service to fit their needs.

SpiderOak protects sensitive user data with 256-bit AES encryption so that photos, files, and passwords stay private. Authorized accounts and network devices can store and sync sensitive data with complete privacy, because this cloud service has absolutely “zero-knowledge” of user passwords or data. All plaintext encryption keys are stored exclusively on approved devices, because SpiderOak never hosts any plaintext data. This way, even if programs like the NSA’s PRISM continue to stand unchallenged, people can rest easy knowing that their data is truly protected. SpiderOak’s cross-platform private cloud services are available for users on Windows, Mac, and Linux, along with Android and iOS mobile devices, allowing for full flexibility and mobile access.