Cloud Security Archives - Page 5 of 11 - The Privacy Post

How The NSA Track Users With Website Cookies

Posted by on Dec 13, 2013

NSA tracks Google cookies. Image from http://businessdayonline.com

These days Internet companies generate a lot of revenue from advertisements. They monitor your online activities and send you ads based on your interests. Many Internet companies use “cookies” to track users and send them targeted advertisements. Cookies are small tracking files that are placed in a user’s browser when they visit an advertiser’s website. Through the cookies the advertisers can identify an individual’s browsing habits or interests, and send him ads customized to those interests. Privacy advocates have opposed the use of tracking technologies for targeted advertisements, as they believe it is an intrusion on user privacy. However, according to the Internet companies, their customers are likely to benefit from targeted advertisements, as they will be receiving ads geared towards their interests. A recent report revealed that the NSA takes advantage of these tracking technologies used by Internet companies for targeted advertisements to carry out its surveillance activities.

The NSA and its British counterpart GCHQ use website cookies to identify their intended targets from the massive amount of data available on the Internet. The spy agencies use Google “PREF” cookies to track users and then later on hack their computers to gain access to additional information. The PREF cookies do not provide any information about your name, email address or any other personal details, but they contain a unique code that differentiates you from other users. Google “PREF” cookies contain a unique identifier called “PREFID”, which is a random string of numbers and characters. Google places this unique identifier in your browser when you visit one of their services for the first time. Given the widespread use of Google services, I am sure many of us have a Google PREF cookie in our browser. The PREF cookie provides information about the user’s location and language, and this information can be extremely valuable to the spy agencies.

Besides the Google PREF cookie, the NSA also uses cookies from DoubleClick.net to track users. In one of the presentation slides released by the Guardian in October, called “Tor Stinks”, it was indicated that Tor users can be tracked using the DoubleclickID when they are browsing the Internet in regular browsing mode. Another slide in the presentation talks about a program called “QUANTUMCOOKIE” which “forces clients divulge stored cookies”. As security expert Bruce Schneier puts it, “the NSA uses frame injection to force anonymous users to visit common sites like Google and Facebook and reveal their identifying cookies. As a result they can de-anonymize Tor users if they use Tor from the same browser they use for other Internet activities.”

The NSA identifies the user's current location from the mobile apps. Image from http://www.wired.com/

The revealed internal slides also provided information about another program, called HAPPYFOOT, that allows the NSA to collect location information from mobile apps. Many smartphone apps provide information about your current location even when your GPS is disabled. These apps collect geo-location data to share it with third parties for targeted advertisements. If the information sent by the app is unencrypted, the NSA can intercept that communication and collect user location data without the user’s knowledge. This issue can be tackled if mobile app developers encrypt the communication that carries user location information.

Disable your cookies to prevent tracking. Image from http://cdn0.sbnation.com

As we have come to know from the recently revealed NSA documents, website cookies can be tracked by the NSA to collect information about your browsing habits. You can disable cookies in your browser to prevent advertisers and the surveillance agencies from collecting your information. In one of my previous posts, I explained how to disable cookies in your browser. In order to track website cookies or collect geo-location information, the NSA needs to provide a court warrant to the Internet company. However, it is still unclear whether the NSA provided any warrant to the Internet companies before collecting user data.

Protecting your data with SpiderOak

SpiderOak is a secure cloud storage service that protects its user data from government surveillance. This service provides users with fully private cloud storage and syncing, featuring all of the benefits of the cloud along with 100% data privacy. SpiderOak is available with onsite deployment and private servers or outsourced deployment through a private and secured public cloud server, so that users and small businesses of all sorts and sizes can tailor the service to fit their needs.

SpiderOak protects sensitive user data with 256-bit AES encryption so that files and passwords stay private. Authorized accounts and network devices can store and sync sensitive data with complete privacy, because this cloud service has absolutely “zero-knowledge” of user passwords or data. And all plaintext encryption keys are exclusively stored on approved devices because SpiderOak never hosts any plaintext data. This way, even if programs like NSA’s PRISM continue to stand unchallenged, people can rest easy knowing that their data is truly protected. SpiderOak’s cross-platform private cloud services are available for users on Windows, Mac, and Linux platforms, along with Android and iOS mobile devices, allowing for full flexibility and mobile access. SpiderOak offers amazing products like SpiderOak Hive and SpiderOak Blue to secure consumer and enterprise data. You can sign up for this product now.

How True Are White House Claims Healthcare.gov is Fixed?

Posted by on Dec 12, 2013

Healthcare.gov still vulnerable to security risks. Image from http://www.rightspeak.net/

The Healthcare.gov website has been in the headlines recently because of the technical glitches and performance and security issues with the website. People have encountered lots of technical difficulties, like slow operation or error messages while registering for healthcare plans. As I had mentioned in one of my previous posts, apart from all these technical issues, the website is also vulnerable to cyber attacks. Many security experts have highlighted the potential security risks with the healthcare website. The White House claimed to address the technical issues with the website, and they were fixed in a “day-night effort” last month. The Health Care and Human Services Department claims that over 400 bugs and issues were fixed, and the overall capability of the website was improved to handle the intended number of target users.

However, the report did not mention anything about addressing the security issues with the website. As pointed out by many security experts, the website lacks basic security safeguards and is vulnerable to many cyber attacks. The healthcare website handles private data like the names, addresses, birthdates and social security information of millions of Americans. Therefore, it is attracting the attention of many cyber criminals. Recently Vermont Health Connect reported a security breach, where one user got access to the social security number and other personal details of another user. After a few weeks, the person who had originally applied for coverage on the exchange website received an envelope. “On the back of the envelope was hand-written ‘VERMONT HEALTH CONNECT IS NOT A SECURE WEBSITE!’” This incident clearly indicates the importance of security on healthcare exchange websites.

TrustedSec, an information security company, conducted a number of tests to determine whether the security flaws in the healthcare.gov website had been fixed. According to TrustedSec, the website has multiple open redirect vulnerabilities. An attacker can exploit such a vulnerability to send spoofed emails to users which look valid and legitimate, as if they had come from the healthcare.gov website. The user might end up giving all of his personal details in response to the fake email, which the attacker can then use to conduct further attacks. These emails might also contain links to malicious websites, which can take control of your computer and cause further damage.
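As an added illustration of the defensive side of this finding (not TrustedSec's or healthcare.gov's code), here is the open redirect pattern beside a same-origin validation of the redirect parameter; the origin, function names and sample links are constructed for this example.

```python
from urllib.parse import urljoin, urlsplit

SITE_ORIGIN = "https://www.healthcare.gov"  # assumed origin for this example


def redirect_target_unsafe(next_param):
    """The vulnerable pattern: whatever arrives in the parameter becomes the
    Location header, so a link that starts on the real domain can end anywhere."""
    return next_param


def redirect_target_safe(next_param, origin=SITE_ORIGIN, default="/"):
    """Resolve the parameter against the site origin and honour it only when the
    result stays on that origin; otherwise fall back to a local default page."""
    fallback = urljoin(origin, default)
    if not next_param:
        return fallback
    # Browsers treat backslashes as slashes, so "/\evil.example" would become a
    # scheme-relative URL; normalise before parsing.
    candidate = urljoin(origin, next_param.replace("\\", "/"))
    want, got = urlsplit(origin), urlsplit(candidate)
    if (got.scheme, got.netloc) != (want.scheme, want.netloc):
        return fallback
    return got.geturl()


# Constructed sample values of the kind a phishing link might carry, with whether
# the hardened resolver should keep them on-site (True) or reject them (False).
SAMPLES = {
    "/account/profile": True,
    "https://www.healthcare.gov/plans": True,
    "https://evil.example/login": False,
    "//evil.example/login": False,
    "/\\evil.example/login": False,
    "https://www.healthcare.gov@evil.example/": False,
    "https://www.healthcare.gov.evil.example/": False,
    "javascript:alert(1)": False,
}


def check_samples():
    """Return, per sample, whether the safe resolver kept it on-site."""
    fallback = urljoin(SITE_ORIGIN, "/")
    return {s: redirect_target_safe(s) != fallback for s in SAMPLES}
```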

Health.gov vulnerable to phishing and identity theft. Image from http://www.nerdwallet.com/

Another vulnerability identified by TrustedSec is “the ability to enumerate user information (first, last, email, userid, profile, etc) through one of the sub-sites that directly integrates into the healthcare.gov website. This vulnerability allows an attacker to enumerate as many users as he wants”.

Security loophole identified by TrustedSec. Image from https://www.trustedsec.com

David Kennedy the founder of TrustedSec said, “I’m a little bit more skeptical now, and I would still definitely advise individuals to not use the website because it’s definitely something that I don’t believe is secure and neither did the four individuals that testified in front of Congress. I think there’s some major security concerns there around privacy and information, and they haven’t even come close to being addressed, and won’t be in the short term.”

The security tests done by TrustedSec indicate that the fixes made to the healthcare.gov website have only addressed the issues at a functional level, and have still left the door open to new security vulnerabilities.

Keep your health information secured

Users sometimes find that selecting a truly protected third party cloud service can be a challenge as most “secure” services on the market have glaring security gaps that leave their sensitive data wide open to third party attacks, leaks, and hacking. One rapidly expanding cloud storage and sync service that sets itself apart from the rest of the market is SpiderOak. This service provides users with fully private cloud storage and syncing, featuring all of the benefits of the cloud along with 100% data privacy. SpiderOak is available with onsite deployment and private servers or outsourced deployment through a private and secured public cloud server, so that users and small businesses of all sorts and sizes can tailor the service to fit their needs.

SpiderOak protects sensitive user data with 256-bit AES encryption so that files and passwords stay private. Authorized accounts and network devices can store and sync sensitive data with complete privacy, because this cloud service has absolutely “zero-knowledge” of user passwords or data. And all plaintext encryption keys are exclusively stored on approved devices because SpiderOak never hosts any plaintext data. This way, even if programs like NSA’s PRISM continue to stand unchallenged, people can rest easy knowing that their data is truly protected. SpiderOak’s cross-platform private cloud services are available for users on Windows, Mac, and Linux platforms, along with Android and iOS mobile devices, allowing for full flexibility and mobile access. SpiderOak offers amazing products like SpiderOak Hive and SpiderOak Blue to secure consumer and enterprise data. Sign up for this product today!

Twitter Implements Forward Secrecy to Thwart NSA Snooping

Posted by on Dec 11, 2013

Twitter tightens security to prevent surveillance. http://images.socialnewsdaily.com

After the PRISM revelations, several Internet companies are strengthening their security practices to protect the privacy of their users. The NSA has been successful in cracking the majority of encryption standards on the web in order to collect user data. It has tapped into the fiber optic cables of well-known tech companies to collect huge amounts of data under the MUSCULAR program, without seeking the permission of the Internet companies. The tech companies are teaming up against NSA’s mass data collection program and implementing strong security controls to assure their users that their data is safe from government surveillance. Recently, Yahoo announced that it will implement HTTPS encryption by default for its email service, and also encrypt the traffic between its data centers. Google has also implemented encryption for secure searches to protect the privacy of its users.

Like Yahoo, Google, and many other tech companies, Twitter has also decided to strengthen its security practices to protect user data from government surveillance. Twitter is planning to introduce perfect forward secrecy to provide an extra level of security. Prior to the PRISM revelations, many users trusted standard SSL communication to transfer sensitive information across the Internet. However, the documents leaked by Edward Snowden revealed that the NSA collects large volumes of encrypted Internet traffic for cryptanalysis, so that later on, when it can get access to the SSL private key by hacking into the company’s server or by obtaining a court warrant, it can decrypt all the past communications. The NSA specifically targets encrypted communications such as PGP-encrypted emails and SSL-encrypted communications for surveillance. It believes that enciphered communications might contain some secret meaning, and thus should be subjected to extra scrutiny and analysis.

SSL handshake. https://www.tierra.net

In an SSL connection, two parties authenticate each other and then exchange session keys to establish an encrypted communication channel. These session keys are used for a limited amount of time and then destroyed. The only issue with this approach is that the session keys are protected using the server’s private key, so anyone with access to the server’s private key can decrypt all the past encrypted conversations. Perfect forward secrecy ensures that an intruder cannot decrypt all the encrypted messages at once by gaining control over the server’s private key. With perfect forward secrecy each session is encrypted using a short-lived session key, which is destroyed immediately after the session is over. The key exchange is based on the Diffie-Hellman protocol, which generates strong and secure keys that cannot be cracked by simply knowing the server’s private key. A determined attacker can record large volumes of encrypted messages, but in order to decrypt them he has to compromise the session key of each individual session. So, perfect forward secrecy definitely creates a significant obstacle to decrypting secure communications. This might not provide foolproof protection, but it definitely does not allow somebody to get access to private data easily. Here is an example of the implementation of perfect forward secrecy by Google.

Key exchange mechanism ECDHE_RSA = Perfect Forward Secrecy. Image from https://www.bestvpn.com

Along with all these benefits, perfect forward secrecy has a few demerits. Implementing perfect forward secrecy can slow down the performance of websites and web browsers. Ivan Ristic, director of engineering at Qualys, highlights some of the weaknesses of implementing perfect forward secrecy in his blog – “Although the use of Diffie-Hellman key exchange eliminates the main attack vector, there are other actions powerful adversaries could take. For example, they could convince the server operator to simply record all session keys. Server-side session management mechanisms could also impact forward secrecy. For performance reasons, session keys might be kept for many hours (or longer) after the conversation had been terminated.

“In addition, there is an alternative session management mechanism called session tickets, which uses separate encryption keys that are infrequently rotated (possibly never in extreme cases). Unless you understand your session tickets implementation very well, this feature is best disabled to ensure it does not compromise forward secrecy”.

Taking all the merits and demerits of perfect forward secrecy into consideration, I believe Internet companies should implement this security practice, as it provides better protection for our personal data and does not allow the government to access massive amounts of user data by simply having the server’s private key.
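To make the difference between the two key exchanges concrete, here is an added example (not code from Twitter, Google or this blog) that models both handshakes in Python with textbook RSA and a toy Diffie-Hellman group, then replays a recorded transcript using the server's leaked long-term private key; the key sizes, group parameters and function names are assumptions of this example, chosen only to keep the arithmetic visible.

```python
import hashlib
import secrets


def is_probable_prime(n, rounds=24):
    """Miller-Rabin test; adequate for the toy-sized parameters used here."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits):
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand


def kdf(secret):
    """Session key from the agreed secret (stand-in for the TLS PRF)."""
    return hashlib.sha256(secret.to_bytes((secret.bit_length() + 7) // 8, "big")).digest()


def rsa_keygen(bits=256):
    """Server's long-term key pair: textbook RSA at toy size."""
    e = 65537
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:
            return (e, p * q), (pow(e, -1, phi), p * q)


def session_rsa_key_transport(server_pub):
    """Pre-PFS handshake: the client picks the premaster secret and sends it
    encrypted under the server's long-term public key, so the recorded
    transcript holds the session secret locked with that one key."""
    e, n = server_pub
    premaster = secrets.randbelow(n - 2) + 2
    transcript = {"encrypted_premaster": pow(premaster, e, n)}
    return transcript, kdf(premaster)


def session_ephemeral_dh(p, g):
    """DHE handshake: fresh exponents a, b per session; only g^a and g^b cross
    the wire (signed by the long-term key in real TLS) and the exponents are
    discarded once the session key exists."""
    a = secrets.randbelow(p - 2) + 2
    b = secrets.randbelow(p - 2) + 2
    client_pub, server_pub = pow(g, a, p), pow(g, b, p)
    shared = pow(server_pub, a, p)
    assert shared == pow(client_pub, b, p)
    transcript = {"client_pub": client_pub, "server_pub": server_pub, "p": p, "g": g}
    del a, b  # "ephemeral": the secrets do not outlive the session
    return transcript, kdf(shared)


def recover_with_leaked_key(transcript, server_priv):
    """Adversary who recorded the transcript earlier and now holds the server's
    private key (server compromise or court order). Returns the session key when
    the handshake exposes it through that key, otherwise None."""
    if "encrypted_premaster" in transcript:
        d, n = server_priv
        return kdf(pow(transcript["encrypted_premaster"], d, n))
    # DHE transcript: the long-term key only authenticated g^a and g^b; without
    # solving a discrete log for this one session there is nothing to decrypt.
    return None


def demo():
    server_pub, server_priv = rsa_keygen()
    rsa_transcript, rsa_key = session_rsa_key_transport(server_pub)
    p, g = random_prime(128), 2  # toy group; real TLS uses a vetted safe prime
    dhe_transcript, dhe_key = session_ephemeral_dh(p, g)
    rsa_broken = recover_with_leaked_key(rsa_transcript, server_priv) == rsa_key
    dhe_broken = recover_with_leaked_key(dhe_transcript, server_priv) == dhe_key
    return rsa_broken, dhe_broken


if __name__ == "__main__":
    print(demo())  # (True, False)
```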

True Privacy with SpiderOak

At SpiderOak, we protect sensitive user data using 256-bit AES encryption so that files and passwords remain secure. SpiderOak encrypts the files on your computer before uploading them to the server. As a result, you and only you have access to your unencrypted data. Even SpiderOak cannot read your data, because the keys used for encryption belong only to you. The secret that keeps your data accessible to you alone is your SpiderOak password, which is never transmitted to SpiderOak in its original form. SpiderOak generates a key from your password using the key derivation/strengthening algorithm PBKDF2 (using SHA-256), with a minimum of 16384 rounds and 32 bytes of random data (“salt”).

This key is then used to encrypt/decrypt a series of strong encryption keys that are used to encrypt/decrypt your data. So, a user who knows her password can generate the outer level encryption key using PBKDF2 and the salt, then decipher the outer level keys, and be on the way to decrypting her data. Without knowledge of the password, however, the data is unreadable. This way, even if programs like NSA’s PRISM continue to stand unchallenged, people can rest easy knowing that their data is in truly protected form.
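The key hierarchy described above, as an added illustration rather than SpiderOak's own code: PBKDF2-HMAC-SHA256 with 16384 rounds and a 32-byte salt derives the outer key, which wraps a random data key that in turn encrypts files. AES is replaced here by an HMAC-SHA256 counter-mode stand-in so the example runs with only the Python standard library, and the record layout and function names are assumptions.

```python
import hashlib
import hmac
import secrets

PBKDF2_ROUNDS = 16384  # the minimum the post quotes
SALT_BYTES = 32        # 32 bytes of random salt, as in the post


def derive_outer_key(password, salt, rounds=PBKDF2_ROUNDS):
    """Password -> outer key with PBKDF2-HMAC-SHA256; computed on the client only."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds, dklen=32)


def _keystream(key, nonce, length):
    # HMAC-SHA256 in counter mode: a stdlib stand-in for the AES the post describes.
    blocks = (length + 31) // 32
    out = b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), "sha256").digest()
                   for i in range(blocks))
    return out[:length]


def seal(key, plaintext):
    """Encrypt-then-MAC under separate subkeys derived from `key`."""
    enc_key = hmac.new(key, b"enc", "sha256").digest()
    mac_key = hmac.new(key, b"mac", "sha256").digest()
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, "sha256").digest()
    return nonce + ct + tag


def open_sealed(key, blob):
    """Verify the tag, then decrypt; a wrong key fails closed instead of
    returning garbage."""
    enc_key = hmac.new(key, b"enc", "sha256").digest()
    mac_key = hmac.new(key, b"mac", "sha256").digest()
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, "sha256").digest()):
        raise ValueError("wrong password or tampered key bundle")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


def enroll(password):
    """Client side: create the salt and a random data key, wrap the data key
    under the password-derived outer key. Only the salt and the wrapped bundle
    go to the server; the password and the plaintext data key never leave."""
    salt = secrets.token_bytes(SALT_BYTES)
    data_key = secrets.token_bytes(32)
    outer = derive_outer_key(password, salt)
    server_record = {"salt": salt, "wrapped_data_key": seal(outer, data_key)}
    return server_record, data_key


def unlock(password, server_record):
    """Client on a new device: rebuild the outer key from password + salt and
    unwrap the data key; the server's record alone is useless without the password."""
    outer = derive_outer_key(password, server_record["salt"])
    return open_sealed(outer, server_record["wrapped_data_key"])


def encrypt_file(data_key, content):
    return seal(data_key, content)


def decrypt_file(data_key, blob):
    return open_sealed(data_key, blob)
```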

SpiderOak offers amazing products like SpiderOak Hive and SpiderOak Blue to secure consumer and enterprise data. SpiderOak Blue provides enterprises with a fully private cloud service featuring all of the benefits of cloud storage along with 100% data privacy. And for the average web user, SpiderOak offers the same protections with lower costs and smaller storage space. You can sign up for this product now.

NSA Infiltrates Online Gaming Services

Posted by on Dec 10, 2013

NSA taps into online gaming services. Image from http://cdn.images.express.co.uk/

Online games have gained popularity over the years, and now have millions of avid users around the world. The lifelike graphics of online games make it almost impossible to distinguish between the real and virtual worlds. People enjoy the experience of creating avatars, making new friends and earning virtual currencies. These are some of the reasons why some people spend a lot of time playing these games. As I discussed in last week’s post, online gaming is not just fun and enjoyment; it also comes with a certain amount of security risk. So, you need to be very careful about what you share on this virtual gaming platform. In that post I also discussed some of the security risks that come from criminals and hackers associated with online gaming, and what countermeasures you can take to stay secure and enjoy your online gaming experience. However, while writing that post I had overlooked the possibility that the government might be monitoring our online gaming activities. Given the extent of the NSA’s privacy-intrusive surveillance programs, it does not come as a surprise that the spy agency also keeps tabs on online gaming services.

One of the documents of the NSA’s 2008 top-secret report says “Although online gaming may seem like an innocuous form of entertainment, when the basic features and capabilities are examined, it could potentially become a target-rich communication network.” The NSA and its British counterpart have managed to get into some of the most popular online gaming services, like World of Warcraft, Second Life and Microsoft’s Xbox Live service, to conduct their surveillance activities. According to the documents leaked by Edward Snowden, NSA spies have created online gaming avatars to collect data and track communications between players on the online gaming sites. The agency believes that the online gaming platform allows terrorists or cyber criminals to hide their identities behind fake digital avatars, and plot attacks or carry out fraudulent activities. The NSA conducted its data collection program without the consent or permission of the gaming companies. Since most of these gaming services are owned by American companies, by law the NSA needs to submit a court warrant to collect user information.

The makers of online games are unaware of NSA’s surveillance activities. Image from http://rt.com/files/news/21/6e/e0/00/wow-world-of-warcraft.si.jpg

But the real question is whether this move has helped the NSA in its mission of counteracting terrorism and cyber crime. According to a leaked document, by the end of 2008 the British spy agency had set up its “first operational deployment into Second Life” and had helped the police in London in cracking down on a crime ring that had moved into virtual worlds to sell stolen credit card information. The British spies running the effort, which was code-named Operation Galician, were aided by an informer using a digital avatar “who helpfully volunteered information on the target group’s latest activities.” The British intelligence agents were able to retrieve 176,677 lines of data, including chat, instant messages and financial transactions, from Second Life in three days. The NSA and its British counterpart have been successful in tracking real-time discussions between players on online gaming sites. The spy agencies constantly monitored suspicious IP addresses, emails and chat messages to track down potential terrorist activities. The documents also revealed that the agency would be targeting mobile games in the near future for surveillance purposes. However, there is no evidence that the NSA was successful in tracking down any terrorist group as a result of this spying program.

NSA needs to be transparent about user data collection. Image from http://america.aljazeera.com/

The NSA surveillance of online gaming sites seems extremely intrusive, as the agencies are spying on popular gaming services without their consent or knowledge. Secondly, they are invading the privacy of millions of online gamers who use these services with the sole aim of having fun and have nothing to do with terrorist activities. Given the mass data collection from high-profile tech companies like Apple, Google, Yahoo and many others, and now the surveillance program on online gaming services, it is high time the NSA was transparent about its usage of user data, in order to gain the trust of the general public.

Secure Cloud Service that protects your data

Finding the right third party cloud service can be a challenge as many cloud services on the market have wide security gaps that leave sensitive data wide open to third party attacks from groups like LulzSec. One cloud service provider that sets itself apart from the market is SpiderOak. This private cloud provider offers the full benefits of cloud storage and sync along with 100% data privacy.

SpiderOak protects sensitive user data through two-factor password authentication and 256-bit AES encryption so that files and passwords stay private. Two-factor authentication is just like the process used by some banking services that require a PIN as an extra precaution along with a password in order to successfully log in. With SpiderOak, users that choose to use two-factor authentication must submit a private code through SMS along with their individual encrypted password. Users can store and sync sensitive information with complete privacy, because this cloud service has absolutely “zero-knowledge” of passwords or data.

Plaintext encryption keys are exclusively stored on the user’s chosen devices, so businesses and users can rest easy knowing their data won’t be exploited by the latest hacking group. SpiderOak’s private cloud services are available on Windows, Mac, and Linux platforms, along with Android and iOS mobile devices, allowing for flexible solutions for both developers and gamers.

How Does the NSA Collect Cell Phone Location Data?

Posted by on Dec 9, 2013

NSA surveillance program collects millions of cell phone location data every day. Image from http://2.bp.blogspot.com

The recent NSA revelations have made us more responsible about the security of our personal data on the Internet. Many of us have implemented strong security controls such as Tor, two-factor authentication, HTTPS connections, and encrypted email and chat services to protect our personal data from the prying eyes of government surveillance programs. But what can you do to protect your cell phone location data from being tracked? As Chris Soghoian, principal technologist at the American Civil Liberties Union, puts it, “laws of physics won’t allow you to keep your cell phone location data private. People who value their privacy can encrypt their e-mails and disguise their online identities, but the only way to hide your location is to disconnect from our modern communication system and live in a cave.” Well, it is not possible to disconnect from the modern communication system to avoid being monitored by NSA’s surveillance programs. This is why the recently revealed NSA program of cell phone location data collection is considered the most privacy-intrusive of all surveillance programs. Under this program the spy agency collects almost 5 billion cell phone records a day, including the personal data of millions of Americans who use mobile devices while travelling abroad. The NSA tracks the movement of millions of mobile devices and feeds that information into a massive database. It analyzes those large amounts of collected data using a highly sophisticated tool called CO-TRAVELER. CO-TRAVELER algorithms allow analysts to trace cell phone movements and determine communication patterns between different users.

The communication patterns reveal a lot of personal information and hidden relationships among the users. These surveillance tools are smart enough to track individuals through their mobile devices anywhere they travel around the globe. They can even retrace previously traveled journeys. According to the Washington Post, “the NSA collects metadata such as date, time and location of cell phones to find significant moments of overlap. Other tools compute speed and trajectory for large numbers of mobile devices, overlaying the electronic data on transportation maps to compute the likely travel time and determine which devices might have intersected.”

CO-TRAVELER tool is used to analyze large volume of cell phone data. Image from http://globalresearchreport.com

The NSA collects the majority of the location data by tapping into the network cables of major US and international mobile service providers. It relies on two major corporate partners, named ARTIFICE and WOLFPOINT, to administer and manage its data interception tools. People who use disposable phones or switch their phones on only long enough to make brief calls are targeted for special scrutiny by the NSA. The NSA defends its intrusive cell phone data collection program, saying it collects and analyzes information about the location of domestic cell phones to develop intelligence against foreign targets.

NSA's cell phone data collection program is the most privacy intrusive surveillance program so far. Image from https://openmedia.org

Privacy advocates and lawmakers have raised concerns over the NSA’s surveillance program, as they feel the spy agency might be collecting location information on millions of American citizens travelling abroad. Congress is planning to introduce a bill that would require the U.S. surveillance agency to say whether it ever had, or has, plans to collect location data on a large number of Americans who have no connection to suspicious activities. As we know, phones send location information the moment they are turned on, so there is no way to hide location information. The only way we can be sure that the NSA is not invading our privacy is through transparency. The government needs to be transparent about its usage of user data. The more we learn about how our data is being handled by the government, the more we can trust that it is not abusing its authority.

Secure cloud storage service that protects your data from surveillance

SpiderOak is a secure cloud storage service that protects its user data from government surveillance. This service provides users with fully private cloud storage and syncing, featuring all of the benefits of the cloud along with 100% data privacy. SpiderOak is available with onsite deployment and private servers or outsourced deployment through a private and secured public cloud server, so that users and small businesses of all sorts and sizes can tailor the service to fit their needs. SpiderOak protects sensitive user data with 256-bit AES encryption so that files and passwords stay private.

Authorized accounts and network devices can store and sync sensitive data with complete privacy, because this cloud service has absolutely “zero-knowledge” of user passwords or data. And all plaintext encryption keys are exclusively stored on approved devices because SpiderOak never hosts any plaintext data. This way, even if programs like NSA’s PRISM continue to stand unchallenged, people can rest easy knowing that their data is truly protected. SpiderOak’s cross-platform private cloud services are available for users on Windows, Mac, and Linux platforms, along with Android and iOS mobile devices, allowing for full flexibility and mobile access. SpiderOak offers amazing products like SpiderOak Hive and SpiderOak Blue to secure consumer and enterprise data. You can sign up for this product now.

Millions of Gmail, Facebook, Twitter, Accounts Breached

Posted by on Dec 6, 2013

Trustwave reveals a massive data breach. Image from http://pumabydesign001.com

It’s not even been a week since I wrote a post about the security breaches at Cupid Media and GitHub, and we get to hear about another massive breach, in which hackers managed to steal 2 million user accounts and passwords for Facebook, Gmail, Twitter and a few other websites. Yesterday, Chicago-based cyber security company Trustwave revealed how attackers took control of a large number of computers around the world to steal the log-in credentials of many popular websites. The security researchers at Trustwave have been tracking the Pony Botnet Controller since its source code was leaked. During their research they found that a Pony Botnet server located in the Netherlands contained stolen account credentials for approximately 93,000 websites, including Facebook, Gmail, Twitter, ADP, LinkedIn and many more. However, it is still not clear how those credentials were obtained. According to Trustwave, the credentials might have been captured using keyloggers or malware installed on infected user computers.

Trustwave summarized their findings in a blog post. From the statistics it looks like usernames and passwords for 318,121 Facebook accounts, 59,549 for Yahoo, 54,437 for Google, and 21,708 for Twitter were compromised by the hacker group. Besides these popular websites, two Russian social networking websites, vk.com and odnoklassniki.ru, were also compromised. As I mentioned earlier, this was a global attack, though about 97% of the computers affected were located in the Netherlands. Some computers in Thailand, Germany, Singapore, Indonesia and the United States were also hit. The attack was mainly targeted at the Netherlands, which accounted for the majority of the user accounts and passwords. Only 0.08% of US accounts and 1943 passwords were affected by the data breach.

Analysis by Trustwave. Image from http://blog.spiderlabs.com


The most alarming part of the breach was finding the domain name of ADP, one of the largest payroll providers, on the hackers’ server. With the log-in credentials of compromised user accounts, attackers could access users’ bank accounts. In response to the attack, ADP reset the accounts of the affected users to protect them from further major attacks such as phishing or identity theft. The company also said that so far none of its clients have been adversely affected by the compromised credentials. Facebook, LinkedIn, Twitter and a few other websites have also been resetting the passwords of compromised user accounts. Facebook has advised its users to “activate two features, ‘Login Approvals’ and ‘Login Notifications,’ which let them know if their account was accessed from a different Web browser and require a one-time passcode sent to their mobile phone to access the site”. Trustwave does not have any evidence of whether the hackers logged into these accounts or not.

One of the things about the breach that disappointed me the most is the use of weak passwords by the users. Even after being cautioned a number of times regarding the importance of strong passwords, people still continue to use easy-to-guess passwords such as “1234” or “123456789”. As per Trustwave’s analysis, only 5% of users used passwords that were 8 characters long and contained all four character types. The majority of passwords fell in the medium category, whereas the bad passwords outnumbered the good ones.

Password strength analysis by Trustwave. Image from http://blog.spiderlabs.com.


John Miller, a security research manager at Trustwave, advises users “to update their antivirus software and download latest patches for Internet browsers, Adobe and Java to protect their computers from being infected by virus”. Another major lesson from this incident is not to use the same password and login credentials for your social, financial and professional sites. If you use different login credentials for your different sites, then even if one of your credentials is compromised, you can at least be assured that your other accounts are still safe. Unfortunately, because remembering multiple user ids and passwords is inconvenient, people tend to use the same login credentials across all their social and financial sites. The consequence is that even if your password is strong, once it gets into the hands of hackers they can access all of your other accounts as well. To manage different user ids and passwords, you can use a password manager such as 1Password for Mac or KeePass for Windows.

Secure your data with SpiderOak

Most popular “secure” cloud services are still vulnerable to third party attacks. To truly experience privacy for your individual or business needs, an anonymous cloud storage and sharing service like SpiderOak provides all the benefits of the cloud while protecting against hacking and security breaches. This service provides users with fully private cloud storage and syncing, featuring all of the benefits of the cloud along with 100% data privacy.


Game on? Security Concerns And Online Gaming

Posted by on Dec 5, 2013

Security risks with online gaming. Image from http://www.ecnmag.com/news/


Online gaming has attracted lots of users over the years. People spend days and nights in front of their computers playing their favorite games. One of the misconceptions that people have is that security is not a big deal when it comes to online gaming. If gaming is for fun and enjoyment, a lot of people think, then why is security important here? I think this attitude is a throwback to when games were played on a console inside your house against the computer, or maybe a few of your buddies. The worst thing that could happen was for someone to cheat, or look at your controller to see what play you were running. Unfortunately, we forget the fact that anything in the digital medium is vulnerable to security risks. With the advent of the Internet, cheating is no longer as trivial as before. Now a player can cheat the system and take control of other players’ personal information available online. And these days, with the staggering amount of money involved in online gaming, it is attracting the attention of many cyber criminals.

For instance, one of the most popular online gaming brands, Blizzard Entertainment, suffered a massive security breach that compromised the user accounts of a large number of Battle.net gamers. The hackers managed to access user email addresses, “cryptographically scrambled passwords”, answers to security questions, and information related to dial-in and smartphone-app-based two-factor authentication. According to Blizzard, the scrambled passwords were protected by the Secure Remote Password (SRP) protocol, a password-authenticated key agreement. It surprises me that in spite of having strong security controls in place, somebody could still break into their system. It suggests that there must have been some vulnerability in their system that was exploited and led to the breach. When a hacker gets access to your personal information like passwords or security questions, he can use this information to conduct further major attacks such as phishing and identity theft. Sometimes online gamers also have their credit card information stored on the game company’s servers. If the credit card information is not stored in an encrypted form then an attacker can easily access it.

Security breach at Blizzard.net. Image from http://www.geekosystem.com/


Online gaming companies should make sure that proper security controls are in place to protect their servers. The servers should be configured properly and strong access control methods should be in place to prevent unauthorized access to them. One of the things that I liked about the security practices of Blizzard Entertainment is the implementation of two-factor authentication. It is unfortunate that even with a strong access control method they got hacked. Still, I believe it is a must to have two-factor authentication along with your password for an extra level of security. Besides implementing two-factor authentication, companies should place their servers behind a firewall to monitor the traffic and filter out anything suspicious. In terms of physical security, servers should be located in a secure area with locks.

You can also take certain security measures to protect your information from malicious attacks. Before signing up for any online gaming service, go through their privacy policy. Get some information regarding how they protect your personal information. If you are not satisfied with their policies, or how they protect your information, then do not provide your personal information, especially credit card details. Always use strong passwords that are long, complex and difficult to guess. Use different passwords for different accounts. By taking these security measures you can keep enjoying your online gaming experience without having to worry about the security of your data.

Secure Cloud Service that protects your data

Finding the right third party cloud service can be a challenge as many cloud services on the market have wide security gaps that leave sensitive data wide open to third party attacks from groups like LulzSec. One cloud service provider that sets itself apart from the market is SpiderOak. This private cloud provider offers the full benefits of cloud storage and sync along with 100% data privacy.

SpiderOak protects sensitive user data through two-factor password authentication and 256-bit AES encryption so that files and passwords stay private. Two-factor authentication is just like the process used by some banking services that require a PIN as an extra precaution along with a password in order to successfully log in. With SpiderOak, users that choose to use two-factor authentication must submit a private code through SMS along with their individual encrypted password. Users can store and sync sensitive information with complete privacy, because this cloud service has absolutely “zero-knowledge” of passwords or data. Plaintext encryption keys are exclusively stored on the user’s chosen devices, so businesses and users can rest easy knowing their data won’t be exploited by the latest hacking group. SpiderOak’s private cloud services are available on Windows, Mac, and Linux platforms, along with Android and iOS mobile devices, allowing for flexible solutions for both developers and gamers.


Is Your Kindle Tracking Your Reading Habits?

Posted by on Dec 4, 2013

Ebook readers track your reading habits. Image from http://www.theguardian.com


As I highlighted in one of my recent blog posts, reading is no longer a private activity in this age of digital tracking. As a book lover, when you curl up and read an interesting book, you feel that you are only interacting with the pages of the book. However, with the rise of ebooks, the concept of “reading alone” no longer exists. For example, look at how Barnes and Noble has interpreted their data to create a portrait of the reading public: “Barnes & Noble has determined, through analyzing Nook data, that nonfiction books tend to be read in fits and starts, while novels are generally read straight through, and that nonfiction books, particularly long ones, tend to get dropped earlier. Science-fiction, romance and crime-fiction fans often read more books more quickly than readers of literary fiction do, and finish most of the books they start. Readers of literary fiction quit books more often and tend to skip around between books”.

This does not come as a surprise to many of us, as by now we are aware that everything in the electronic medium gets recorded. The ebook companies track your every move while you interact with their reading devices. Still, it is interesting to find out the extent to which e-readers spy on us, and what personal information they collect.

Amazon records highlights and notes. Image from http://www.pcmag.com


Amazon Kindle is a very popular e-reading device, owned by millions of people around the globe. Amazon Kindle collects all kinds of personal data from its readers and shares that information for promotional purposes. It has sophisticated algorithms that monitor your reading habits, such as which books you like the most, which sections of a book interest you the most, what your reading speed is, or how many notes you take while reading. It also records bookmarks and highlights. For example, if you purchased a book on “gardening” your Kindle will record that information and keep sending you suggestions about books related to gardening. This way the device gets to know your personal interests and uses that information for its own benefit. You not only end up giving your personal data to the e-reader but also fall prey to their targeted advertisements. Similarly, your searches are also stored and analyzed to send you targeted ads and book recommendations. Information about users’ reading behavior can also be extremely valuable to publishers, as they can determine readers’ interests and incorporate changes in their future publications to make them more interesting for readers. This way they can attract more readers.

EFF report on Ebook readers privacy policies. Image from https://www.eff.org/


A report by the digital rights defenders at the Electronic Frontier Foundation revealed how e-reading devices monitor the reading habits of their users. The foundation went through the privacy policies of the nine most popular e-reading devices – Google Books, Amazon Kindle, Barnes and Noble’s Nook, Kobo, Sony, OverDrive, IndieBound, Internet Archive and Adobe Content Server. It was revealed that the majority of the e-reading devices keep track of searches, book purchase information, and users’ reading behavior, without their consent. Unfortunately, none of them have any mechanism for users to access, correct or delete that information. They share all this personal information with advertisers, publishers, third party vendors and sometimes with the government upon receiving a legal notice. From the foundation’s report, it looks like Amazon’s user data collection policy is the most privacy-intrusive one in comparison to other e-reader devices. Amazon’s privacy policy does not put any restriction on what and how much data should be collected from readers, and they freely share that information outside the company without your consent.

As an information security professional, what bothers me the most is the lack of security controls for protecting user reading behavior online. As an e-reader, I do not feel like sharing what I am reading online with anybody else. I enjoy my solitude with the book of my interest. Unfortunately, that is no longer possible. Therefore, we need to be careful regarding what information we share on our reading devices. The companies providing e-reading services should also respect the privacy of their users and should implement transparent privacy policies stating what and how much data they collect from their users and how they share it with third parties.

Keep your reading information secure

Users sometimes find that selecting a truly protected third party cloud service can be a challenge as most “secure” services on the market have glaring security gaps that leave their sensitive data wide open to third party attacks, leaks, and hacking. One rapidly expanding cloud storage and sync service that sets itself apart from the rest of the market is SpiderOak. This service provides users with fully private cloud storage and syncing, featuring all of the benefits of the cloud along with 100% data privacy. SpiderOak is available with onsite deployment and private servers or outsourced deployment through a private and secured public cloud server, so that users and small businesses of all sorts and sizes can tailor the service to fit their needs.

SpiderOak protects sensitive user data with 256-bit AES encryption so that files and passwords stay private. Authorized accounts and network devices can store and sync sensitive data with complete privacy, because this cloud service has absolutely “zero-knowledge” of user passwords or data. And all plaintext encryption keys are exclusively stored on approved devices because SpiderOak never hosts any plaintext data. This way, even if programs like NSA’s PRISM continue to stand unchallenged, users can rest easy knowing that their data is truly protected. SpiderOak’s cross-platform private cloud services are available for users on Windows, Mac, and Linux platforms, along with Android and iOS mobile devices, allowing for full flexibility and syncing on the go.


Buffer Security Breach Shows the Importance of Two-Factor Authentication

Posted by on Dec 3, 2013

Buffer security breach. Image from http://3.bp.blogspot.com.


Buffer, the social media and scheduling service, became a victim of a major data breach last month. People registered with Buffer started seeing unauthorized posts made on their behalf on Twitter and Facebook, a major loss of trust, and something that would outrage anyone. I wouldn’t want my name being used to hawk snake oil. The company realized it had suffered a breach when it found out that its own systems were responsible for those posts: the attacker had compromised Buffer’s systems and made those posts on social networking sites on behalf of its registered users.

Spam messages on social media sites due to the breach. Image from http://www.nerv.co.uk/.


Later it was revealed that a data breach at the cloud-based database service MongoHQ played an important role in the Buffer data breach. Buffer’s user data was stored on MongoHQ’s servers, and the hackers gained access to Buffer users’ email addresses and passwords as a result of the breach. The hackers tricked an employee into giving up his login credentials and gained access to an internal support application. The support application allowed the intruders to view account information, including lists of databases, e-mail addresses, and passwords. The attacker also gained access to Buffer user access tokens.

Buffer acknowledged that one of the factors in this security breach was unencrypted access tokens for the social media services that it supports. The company has announced that it will implement different security measures such as encrypting email addresses and access tokens, and a two-step login, to secure user data. In its blog post, Buffer said: “With all that trust given to us, despite the big mess, we wanted to really step up our game in terms of safety and security. For the past few weeks, we have been focusing on making Buffer the safest, most secure way for you to manage and publish to your social media accounts. We have a number of awesome things to show you. The most important step in this process is a feature we’re announcing today: 2-Step Login”.

Buffer implements two-factor authentication. Image from http://cdn.launchticker.com


Buffer is working on a 2-Step Login feature that will make it difficult for an attacker to gain control of sensitive user information, even if a user’s credentials are stolen. This is an optional setting for all Buffer users that provides extra protection for their accounts. As a user, you will need an additional security code to log in to your Buffer account. You will receive this security code either via SMS sent to your phone or through Google Authenticator. Besides two-factor authentication, Buffer has also added encryption for email addresses and for the access tokens for social media services. Under the company’s new security policy, team members are advised to change their passwords frequently and to enable two-factor authentication on their accounts for Google, Github, Stripe, HipChat and Dropbox.

One of the important lessons learnt from this breach is to enable strong security controls, so that even if an intruder gains control of a company’s internal systems, the sensitive user information remains protected. Two-factor authentication adds an extra layer of protection on top of your password. With two-factor authentication, the user needs to provide two means of identification, such as a physical token and a security code or password, to access his information. This security control makes it difficult for an intruder to compromise your account, as he can no longer get in by just guessing or stealing your password. Another benefit is that you do not have to use password generators or rely on your memory to create long and complex passwords. It is not always practical to use complex passwords for all our accounts. In such a situation, two-factor authentication provides that extra protection for your personal data. It lets you use average passwords and still remain secure. Besides implementing two-factor authentication, I feel organizations should educate their employees about security attacks like phishing or identity theft. The majority of security breaches take place due to human errors such as weak passwords, improper implementation of security controls, or falling prey to online phishing attacks. In the case of MongoHQ, the breach took place because an employee used the same login credentials for a personal account and an internal support application. So, employees need to be trained to maintain their organization’s security.
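The Google Authenticator-style 2-Step Login described above is the TOTP algorithm of RFC 6238 (HOTP from RFC 4226 computed over a 30-second time step). The following is an added example, not Buffer’s code or code from the original post, showing how a service would derive and check such a code on its side: the clock-skew window, the constant-time comparison, and the rejection of a code that has already been used. The only fixed value is the public RFC 6238 test-vector secret; everything else is constructed for illustration.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional

# Google Authenticator defaults: 30-second steps, 6 digits, HMAC-SHA1.
STEP_SECONDS = 30
DIGITS = 6

# Public test secret from RFC 6238 Appendix B (ASCII "12345678901234567890"),
# base32-encoded the way an enrolment QR code would carry it.
RFC6238_TEST_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def generate_secret(num_bytes: int = 20) -> str:
    """Return a fresh random base32 secret for a new enrolment (constructed helper)."""
    return base64.b32encode(secrets.token_bytes(num_bytes)).decode("ascii").rstrip("=")


def hotp(secret_b32: str, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HMAC-based one-time password for one counter value."""
    # base32 decoding needs the input padded to a multiple of 8 characters.
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    msg = struct.pack(">Q", counter)  # 8-byte big-endian counter
    digest = hmac.new(key, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F  # dynamic truncation, RFC 4226 section 5.3
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at_time: Optional[float] = None) -> str:
    """RFC 6238 time-based code: HOTP over the current 30-second step."""
    t = time.time() if at_time is None else at_time
    return hotp(secret_b32, int(t) // STEP_SECONDS)


def verify_totp(secret_b32: str, submitted: str, at_time: Optional[float] = None,
                window: int = 1, last_used_step: int = -1) -> Optional[int]:
    """Check a submitted code on the server side.

    Accepts the current step plus `window` steps either side to tolerate clock
    skew, compares in constant time, and refuses any step at or before
    `last_used_step` so a captured code cannot be replayed.  Returns the step
    that matched (the caller should persist it as the new last_used_step), or
    None when the code is rejected.
    """
    t = time.time() if at_time is None else at_time
    current_step = int(t) // STEP_SECONDS
    submitted = submitted.strip().replace(" ", "")
    for delta in range(-window, window + 1):
        step = current_step + delta
        if step <= last_used_step:
            continue  # already consumed (or older than a consumed code): replay
        if hmac.compare_digest(hotp(secret_b32, step), submitted):
            return step
    return None


if __name__ == "__main__":
    # Enrol a constructed user, show the code the app would display, verify it once,
    # then show that presenting the same code a second time is rejected.
    secret = generate_secret()
    code = totp(secret)
    first = verify_totp(secret, code)
    second = verify_totp(secret, code, last_used_step=first)
    print(f"secret={secret} code={code} first_login_step={first} replay={second}")
```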

SpiderOak Blue for Enterprises:

Finding a truly secure third party cloud service can be a challenge as many services on the market have security gaps that leave private data vulnerable to third party attacks. One cloud storage and sync service that sets itself apart is SpiderOak Blue. This service provides enterprises with a fully private cloud service featuring all of the benefits of cloud storage along with 100% data privacy. And for the average web user, SpiderOak offers the same protections with lower costs and smaller storage space.

SpiderOak Blue protects sensitive enterprise data through two-factor password authentication and 256-bit AES encryption so that files and passwords stay private as unreadable blocks of data. Two-factor authentication is just like the process used by some financial services that require a PIN as an extra precaution along with a password in order to log in. With SpiderOak, enterprises that choose to use two-factor authentication must submit a private code through text along with their unique encrypted password. Authorized accounts can store and sync sensitive data with complete privacy, because this cloud service has absolutely “zero-knowledge” of user passwords or data. And all plaintext encryption keys are exclusively stored on approved devices (SpiderOak never hosts any plaintext data). SpiderOak Blue’s cross-platform private cloud services are available for enterprises on Windows, Mac, and Linux platforms, along with Android and iOS mobile devices.


How Targeted Advertisements on Facebook Work

Posted by on Dec 2, 2013

Facebook uses your browsing data for targeted ads. Image from http://helpsgood.com/


Recently, I was browsing through Crate and Barrel’s website to order a rug online. I looked at different kinds of rugs, and spent some time doing more research on the ones I liked the most. Then I closed Crate and Barrel’s website and opened up my Facebook page. To my surprise, I saw an ad displaying Crate and Barrel rugs on my Facebook page – in fact, it was displaying the exact same rug that I had spent the most time looking at online. This definitely bothered me, and I was curious to find out how Facebook could figure out that I am interested in Crate and Barrel rugs. I did some research to understand how Facebook uses your web browsing for targeted advertising. Facebook’s ads are targeted to users based on their user profiles and their activities on Facebook, such as liking or sharing a page or product. For example, you want to know what products your friends like. So, Facebook pairs up ads and friends, and shows you what your friends like or share. This way it can determine your interest in specific products or services, and send you ads customized to your interests. Facebook also shows you ads depending on your activities on other websites or apps. Advertisers can reach out to you on Facebook based on what you do on their websites or apps.

Facebook’s online ad exchange service, FBX, helps advertisers display targeted ads through the use of cookies. Facebook shows you targeted ads by placing cookies in your web browser or app. These cookies track your browsing data and send it back to Facebook. Information is sent to Facebook when someone accesses a Facebook page or a third party website that has a connection to Facebook. Now let’s come back to how I was able to see Crate and Barrel ads on my Facebook page. When I visited the Crate and Barrel website, it placed a cookie in my browser. It tracked what products I accessed on the website, and which products interested me the most. Facebook was able to read all that information from the cookie because Crate and Barrel is one of the advertisers on Facebook. As a result, it showed me Crate and Barrel ads on my Facebook page. Facebook’s advertising partners provide information back to Facebook on how you used their websites or apps. They also use cookies to determine whether Facebook had shown their ads on your page, and how well they performed.

Another development that has happened recently is the announced tie-up between FBX and Google’s DoubleClick. Google’s DoubleClick ad-buying software will now allow clients to buy retargeted ads on Facebook. This allows Facebook to access a larger ad-base, and also allows advertisers to use DoubleClick as a one-stop shopping solution. Interestingly enough, the day this deal was announced, Facebook shares reached a 2013 high of $54.22, but have since dropped off.

Share prices of Facebook over last three months. Image from http://finance.yahoo.com/


If, like me, targeted ads bother you, then these are some of the steps you can take to protect yourself from these advertisements:

  • Opt out of Facebook ads: If you do not want Facebook to show you ads based on your activities on advertisers’ websites, you can click on the “Opt out” feature on Facebook. On your iPhone or mobile device you can opt out of targeted advertising by selecting “Limit Ad Tracking”. You can refer to Facebook’s Data Use Policy and About Ads pages for more information.
Opt out of Facebook ad. Image by author.


  • Disable cookies on your browser: As I mentioned earlier, cookies track your web browsing information, which can be used for targeted advertisements. You can disable cookies in your browser to prevent advertisers from collecting your information. If you are using Chrome, select Chrome Menu -> Go to Settings -> Select Advanced Settings -> In the “Privacy” section select “Content Settings” -> Now in the “Cookies” section you can change the cookies setting. You can also disable cookies on IE, Safari or Firefox by changing your browser settings similarly.
How to disable cookies on Chrome. Image by author.


  • Install AdBlock: Adblock Plus is an open source content filtering and ad blocking application. It prevents social networking sites like Facebook and Twitter from transmitting your data after you leave those sites. Here’s how to install Adblock Plus. After the installation make sure to change your filter preferences to EasyPrivacy. To do this go to the Adblock Plus website and click on the link to “Add EasyPrivacy to Adblock Plus”. This will take you to the Adblock Plus website. Click on “Add” and you are all set.

Protecting your data with SpiderOak

SpiderOak is a secure cloud storage service that protects its user data from government surveillance. This service provides users with fully private cloud storage and syncing, featuring all of the benefits of the cloud along with 100% data privacy. SpiderOak is available with onsite deployment and private servers or outsourced deployment through a private and secured public cloud server, so that users and small businesses of all sorts and sizes can tailor the service to fit their needs.
