Online Privacy Archives - Page 4 of 13 - The Privacy Post

How to Protect Yourself From Online Holiday Scams

Posted by on Dec 27, 2013

Fake Amazon emails were sent to MicrosoftLive email accounts. Image from http://www2.pcmag.com

Finally, the holidays are here. The holiday season is the time of giving and of making purchases for near and dear ones. This is the busiest season of the year for retailers and holiday shoppers. It’s also one of the busiest for cybercriminals, who take advantage of the rush to carry out fraudulent activities. If, like millions of other people, you order something on Amazon, your inbox is likely to be flooded with purchase confirmation emails during this time. With so many of them arriving, you might not pay attention to whether a given email is a legitimate one from Amazon or a fake. Recently, researchers at Malwarebytes revealed that spammers are targeting Amazon account holders by sending emails containing Trojan malware.

According to the findings of Christopher Boyd, suspicious Amazon order invoices dated Dec 8th and 9th were targeted at Microsoft Live email accounts. A legitimate-looking email was sent to many Amazon account holders saying that there had been a change in their order status and that, to check the details, they needed to open a zip file attached to the email. These emails, which claimed to contain order invoices and order details, actually carried Trojan-infected zip files. Two Trojans were found in the zip files: Trojan.Inject.RRE and Trojan.Zbot.ML. If you do not pay close attention to the details of this fake email and end up opening the zip file, your system might be compromised. As I mentioned earlier, these emails were targeted at @live addresses and were CCed to multiple Microsoft Live addresses. However, Outlook and Hotmail caught these emails as spam.

Trojan-infected zip file. Image from http://cdn.blog.malwarebytes.org

Similarly, last season many users received a text message saying they had won a $1000 gift card from Best Buy. The text tricked users into clicking through to a legitimate-looking website (BestBuyContest.com and BestBuyWin.net) to enter a code and claim their gift card. Those who visited the website were asked to provide personal details such as name, address, email address, phone number and date of birth. This information can be extremely valuable to attackers, who can use it to carry out phishing and identity theft attacks.

Best Buy Scam. Image from http://www.180techtips.com

There is a high probability that you will receive such emails or texts during the holiday season. You can take these steps to protect yourself from such attacks:

  • First of all, pay attention to the details of the email before opening any attachment or clicking on any link. Do not click on a link or download a file if you find anything suspicious.
  • A legitimate email containing your order details or any other personal information will usually not be CCed to a lot of people, so look out for that. In the Amazon scam, the emails were CCed to multiple Microsoft Live addresses, which is a clear indication that the email is not coming from a legitimate source.
  • Look for security indicators such as https before entering your personal details on any website.
  • If you have any suspicion about an email or message, confirm it by calling the legitimate organization independently and asking whether they ever sent such an email.
  • Do not trust any text message that says you have won something or asks you to click on a link. These text messages are aimed at collecting users’ personal details in order to carry out more severe attacks. If you had really won something that valuable, you would not simply receive a text message asking for your personal details.
  • Don’t think you are entirely safe staying offline, either. People are in a rush this time of year, so they aren’t paying as much attention when shopping. This can particularly hurt people suffering from bankruptcy, as the recent data breach at Target showed. It demonstrated how the reach of cybercriminals can extend into the physical world.
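As an added illustration of the checks in the list above (example code written for this page, not code from The Privacy Post or Malwarebytes), the following Python script parses a raw email and flags the warning signs described here: a brand name in the sender’s display name that does not match the sender’s domain, an order mail CC’d to many recipients, an archive attachment posing as an invoice, and links to look-alike or non-HTTPS hosts. The sample message and the brand-to-domain mapping are constructed for the example; every address and host in it is an invented placeholder.

```python
import re
from email import policy
from email.parser import BytesParser
from typing import Optional
from urllib.parse import urlparse

# Constructed sample modelled on the fake "order status" mail described above.
# Every address, host and recipient here is an invented placeholder.
SAMPLE_EMAIL = b"""From: "Amazon Orders" <orders@example-mailer.invalid>
To: victim1@live.example
Cc: victim2@live.example, victim3@live.example, victim4@live.example,
 victim5@live.example, victim6@live.example
Subject: Your Amazon order status has changed
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

There has been a change in your order status.
Open the attached invoice or visit http://amazon-orders.example-mailer.invalid/invoice
--b1
Content-Type: application/zip; name="invoice.zip"
Content-Disposition: attachment; filename="invoice.zip"
Content-Transfer-Encoding: base64

UEsDBAo=
--b1--
"""

# Brands the scams on this page impersonated, mapped to the domain a genuine
# message from that brand would come from (assumed mapping for the example).
CLAIMED_BRANDS = {"amazon": "amazon.com", "bestbuy": "bestbuy.com"}
RISKY_ATTACHMENT_SUFFIXES = (".zip", ".exe", ".scr", ".js")
MAX_EXPECTED_CC = 1  # a personal order confirmation is not CC'd to a crowd


def _registrable(host: str) -> str:
    """Crude 'registered domain' (last two labels); enough for the example."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def _brand_mismatch(text: str, host: str) -> Optional[str]:
    """Return the brand name if `text` mentions it but `host` is not its domain."""
    compact = text.lower().replace(" ", "")
    for brand, legit in CLAIMED_BRANDS.items():
        if brand in compact and _registrable(host) != legit:
            return brand
    return None


def analyze_email(raw: bytes) -> list:
    """Return human-readable warning signs found in one raw RFC 5322 message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []

    # 1. The display name claims a brand, but the sender domain is not that brand's.
    sender = msg["From"].addresses[0] if msg["From"] else None
    if sender is not None:
        brand = _brand_mismatch(sender.display_name, sender.domain)
        if brand:
            findings.append(f"'{brand}' in display name but sender domain is {sender.domain}")

    # 2. A personal order mail CC'd to many recipients (the Microsoft Live pattern).
    cc_count = len(msg["Cc"].addresses) if msg["Cc"] else 0
    if cc_count > MAX_EXPECTED_CC:
        findings.append(f"message is CC'd to {cc_count} recipients")

    # 3. Executable or archive attachments posing as invoices or documents.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_ATTACHMENT_SUFFIXES):
            findings.append(f"risky attachment: {name} ({part.get_content_type()})")

    # 4. Links whose host imitates a brand without being its domain, or lack HTTPS.
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body else ""
    for url in re.findall(r"https?://[^\s<>\"']+", text):
        parsed = urlparse(url)
        host = parsed.hostname or ""
        brand = _brand_mismatch(host, host)
        if brand:
            findings.append(f"link host {host} imitates '{brand}'")
        if parsed.scheme != "https":
            findings.append(f"link is not HTTPS: {url}")
    return findings


if __name__ == "__main__":
    for finding in analyze_email(SAMPLE_EMAIL):
        print("WARNING:", finding)
```

A mail filter would treat any one of these findings as a reason to quarantine rather than deliver; the heuristics are deliberately simple and are meant to be tuned, not used as-is.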

SpiderOak protects your data from unauthorized access

Most popular “secure” cloud services are still vulnerable to third party attacks. To truly experience privacy for your individual or business needs, an anonymous cloud storage and sharing service like SpiderOak provides all the benefits of the cloud while protecting against hacking and security breaches. This service provides users with fully private cloud storage and syncing, featuring all of the benefits of the cloud along with 100% data privacy.

SpiderOak protects sensitive user data with 256-bit AES encryption so that files and passwords stay private. Authorized accounts and network devices can store and sync sensitive data with complete privacy, because this cloud service has absolutely “zero-knowledge” of user passwords or data. And all plaintext encryption keys are exclusively stored on approved devices because SpiderOak never hosts any plaintext data. This way, even if programs like NSA’s PRISM continue to stand unchallenged, people can rest easy knowing that their data is truly protected. SpiderOak’s cross-platform private cloud services are available for users on Windows, Mac, and Linux platforms, along with Android and iOS mobile devices, allowing for full flexibility and mobile access. SpiderOak offers amazing products like SpiderOak Hive and SpiderOak Blue to secure consumer and enterprise data. You can sign up for this product now.

A Consumer Privacy Bill of Rights, Part II

Posted by on Dec 26, 2013

Privacy of data on Cloud and online services. Image from http://linuxcoaching.ie

Cloud services have made our lives easier by making our data available to us anytime, from anywhere. Adopting this emerging trend has proved beneficial for many of us. At the same time, however, it has opened the door to new security risks and vulnerabilities. A day does not go by without news of a security breach in which user data was exposed by hacking into the servers of a cloud storage system. According to Gartner, “Cloud services are especially difficult to investigate, because logging and data for multiple customers may be co-located and may also be spread across an ever-changing set of hosts and data centers. If you cannot get a contractual commitment to support specific forms of investigation, along with evidence that the vendor has already successfully supported such activities, then your only safe assumption is that investigation and discovery requests will be impossible.”

Cloud services are vulnerable to external as well as internal attacks, since we are putting the security of our data in the hands of cloud service providers. There is a possibility that a cloud service provider can access customer data, or hand it over to surveillance agencies on receiving a legal notice. The NSA has succeeded in collecting huge amounts of user data both by breaking encryption technologies and by serving data request notices on cloud storage companies. As we trust cloud services with the protection of our personal data, it is their responsibility to make sure that our data remains safe and secure from such attacks. They should implement STRONG encryption standards such as 256-bit AES for better security. Encryption has time and again proved to be the most secure method for protecting data in the cloud. The keys used for encrypting sensitive customer data should be managed effectively, with periodic key rotation and re-encryption of the data under the new keys. Employees should not be given access to more than what is needed to complete their tasks. Cloud storage companies should implement effective security controls like strong passwords, longer keys and stronger hash algorithms that will make it difficult for anyone to access user data.

Consumer privacy rights for cloud service. Image from http://axeetech.com/

As consumers, we have certain responsibilities regarding the protection of our own data in cloud storage systems. You should always use strong passwords for better protection of your data. Your passwords should be long and complex, and should be changed frequently. Cloud storage services like SpiderOak allow users to encrypt their files on their own computer before uploading them to the servers. The secret that keeps your data accessible to you alone is your SpiderOak password, which is never transmitted to SpiderOak in its original form. Without knowledge of the password, the data is unreadable. This way, even if programs like NSA’s PRISM continue to stand unchallenged, people can rest easy knowing that their data is in a truly protected form. It is therefore essential for users to have strong passwords for cloud services.
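To make the model of the last two paragraphs concrete (files encrypted on the client, a password that is never sent in its original form, and key rotation with re-encryption), here is an added Python sketch; it is not SpiderOak’s code or protocol. It uses only the standard library, so an HMAC-SHA256 counter-mode keystream with an HMAC tag stands in for AES-256 (a real client would use AES-256-GCM from a vetted library), and the server record layout is an assumption made for the example.

```python
import hashlib
import hmac
import secrets

PBKDF2_ROUNDS = 100_000  # password stretching; raise in production


def derive_master_key(password: str, salt: bytes) -> bytes:
    """Stretch the password on the client; this key never leaves the device."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS, 32)


def subkey(key: bytes, label: bytes) -> bytes:
    """Derive an independent, purpose-specific key (HMAC used as a simple KDF)."""
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Stand-in for a block cipher in counter mode; NOT AES (see the lead-in).
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC; returns nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(16)
    stream = _keystream(subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ s for p, s in zip(plaintext, stream))
    tag = hmac.new(subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Check the tag before decrypting; a wrong key or tampering raises."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or tampered data")
    stream = _keystream(subkey(key, b"enc"), nonce, len(ct))
    return bytes(c ^ s for c, s in zip(ct, stream))


def enroll(password: str) -> dict:
    """Build the account record the server keeps: no password, no plaintext key."""
    salt = secrets.token_bytes(16)
    master = derive_master_key(password, salt)
    dek = secrets.token_bytes(32)  # random data-encryption key, generated on the client
    return {
        "salt": salt,                                                    # not secret
        "verifier": hashlib.sha256(subkey(master, b"auth")).digest(),    # login check only
        "wrapped_dek": seal(subkey(master, b"kek"), dek),                # DEK under the KEK
        "files": {},                                                     # name -> sealed blob
    }


def login_token(record: dict, password: str) -> bytes:
    """What the client sends to log in: a derived value, never the password itself."""
    return subkey(derive_master_key(password, record["salt"]), b"auth")


def server_checks_login(record: dict, token: bytes) -> bool:
    return hmac.compare_digest(record["verifier"], hashlib.sha256(token).digest())


def unlock_dek(record: dict, password: str) -> bytes:
    """Client side: recover the DEK from the password; a wrong password raises."""
    master = derive_master_key(password, record["salt"])
    return unseal(subkey(master, b"kek"), record["wrapped_dek"])


def upload(record: dict, password: str, name: str, data: bytes) -> None:
    # Encrypted before it leaves the device; the server only ever sees the blob.
    record["files"][name] = seal(unlock_dek(record, password), data)


def download(record: dict, password: str, name: str) -> bytes:
    return unseal(unlock_dek(record, password), record["files"][name])


def change_password(record: dict, old: str, new: str) -> None:
    """Password rotation only re-wraps the DEK; the stored files are untouched."""
    dek = unlock_dek(record, old)
    master = derive_master_key(new, record["salt"])
    record["verifier"] = hashlib.sha256(subkey(master, b"auth")).digest()
    record["wrapped_dek"] = seal(subkey(master, b"kek"), dek)


def rotate_data_key(record: dict, password: str) -> None:
    """DEK rotation re-encrypts every file under a fresh key, as the text recommends."""
    old_dek, new_dek = unlock_dek(record, password), secrets.token_bytes(32)
    for name, blob in list(record["files"].items()):
        record["files"][name] = seal(new_dek, unseal(old_dek, blob))
    master = derive_master_key(password, record["salt"])
    record["wrapped_dek"] = seal(subkey(master, b"kek"), new_dek)
```

Everything in the record can be handed to a hostile server and still reveals nothing readable; the cost of that property is that a forgotten password means unrecoverable data, which is exactly why the text insists on strong passwords.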

Consumer privacy rights for online services. Image from http://media.cirrusmedia.com.au/

Now let us turn to the online services that we use in our day-to-day lives. It is hard to imagine passing a day without checking our Gmail or Yahoo Mail accounts or logging on to Facebook to see what our friends are doing. These services also come with a fair amount of security risk. They frequently monitor user activity in order to send targeted advertisements. A recent report revealed that several top websites use hidden scripts to determine how long you hover over an ad, when you pause, and whether you click on it. This way they determine what interests you and keep sending you promotions or advertisements matched to those interests. Facebook has recently announced its intent to monitor users’ cursor movements to make improvements to its service. It will collect information such as how long your cursor hovers over a particular part of its website, or whether your news feed is visible at a given moment on your mobile phone’s screen. All of this captured information is stored in a data analytics warehouse and used to make sure that you get targeted ads related to the things you hover your cursor over the most. The NSA takes advantage of these same technologies, built for targeted advertising, to carry out surveillance. The NSA has succeeded in breaking encryption standards, monitoring website cookies and tapping into the data center links of well-known technology companies to collect user data.

We deserve to know how these web services that we use almost every day manage and store our data. They should clearly state in their privacy policies what security precautions they take to protect our data and how much of our data is shared with third parties or advertisers. What security controls do they have in place to protect data from NSA surveillance? What data do they share with security agencies on receiving a legal notice? They need to be transparent about their cooperation with the NSA in handling user data. A detailed report explaining what information they provided in response to National Security Letters and other government demands would help these companies gain the trust of their users.

Secure your personal data with SpiderOak

Users sometimes find that selecting a truly protected third party cloud service can be a challenge as most “secure” services on the market have glaring security gaps that leave their sensitive data wide open to third party attacks, leaks, and hacking. One rapidly expanding cloud storage and sync service that sets itself apart from the rest of the market is SpiderOak. This service provides users with fully private cloud storage and syncing, featuring all of the benefits of the cloud along with 100% data privacy. SpiderOak is available with onsite deployment and private servers or outsourced deployment through a private and secured public cloud server, so that users and small businesses of all sorts and sizes can tailor the service to fit their needs.

SpiderOak protects sensitive user data with 256-bit AES encryption so that files and passwords stay private. Authorized accounts and network devices can store and sync sensitive data with complete privacy, because this cloud service has absolutely “zero-knowledge” of user passwords or data. And all plaintext encryption keys are exclusively stored on approved devices because SpiderOak never hosts any plaintext data. This way, even if programs like NSA’s PRISM continue to stand unchallenged, people can rest easy knowing that their data is truly protected. SpiderOak’s cross-platform private cloud services are available for users on Windows, Mac, and Linux platforms, along with Android and iOS mobile devices, allowing for full flexibility and mobile access. SpiderOak offers amazing products like SpiderOak Hive and SpiderOak Blue to secure consumer and enterprise data. You can sign up for this product now.

A Consumer Privacy Bill of Rights, Part I

Posted by on Dec 25, 2013

Mobile app developers need to manage and store sensitive user data securely. Image from http://www.mobileapptesting.com

With advances in mobile technology, companies have a great deal of consumer data in their possession. Many mobile and web applications collect personal information (like name, address, social security number or credit card details) from users in order to provide access to various services. As consumers, we trust that our data is in safe hands and won’t be made available to any third party without our consent. Unfortunately, most of the time that is not the case. Many mobile applications share customer data with third parties and advertisers to generate revenue and to provide “value-add” services (although the “value-add” is highly questionable in some cases). Sometimes they also share your personal information with the government upon receiving a legal notice for surveillance purposes. As consumers, we have a right to know how our data is being used, and also a right to understand the value of the data we provide to these applications.

Monetizing mobile apps is a challenging task, and more often than not, mobile apps end up using advertising as their primary source of revenue. With this in mind, these applications track each and every movement of the user to determine who they are. What are their interests? What is their income level? This data is extremely valuable to any business, as it gives them a great deal of information about their users and lets them send advertisements or services customized to those interests. These days there are mobile apps for almost everything you can think of. Mobile health apps collect a great deal of personal and detailed health information from users in order to provide better services for health and well-being. Most of these apps do not even deliver the medical miracles they promise. Instead they end up sharing your sensitive health information with advertisers and third-party vendors. Exposure of so much personal data leaves you vulnerable to identity theft and annoying targeted advertisements.

Mobile health apps sometimes share sensitive health data with third parties. Image from http://twimgs.com/informationweek

Recently, it was revealed that the Android Flashlight app collects users’ geo-location data and secretly shares users’ location details and device IDs with advertisers without their knowledge. The mobile app company was charged by the Federal Trade Commission (FTC) with deceiving users and invading their privacy. According to the Flashlight app’s own privacy policy, only the company itself would use the collected geo-location data, and it would not be shared with any third party. We have often seen that mobile apps, especially free ones, do not clearly state their data collection and sharing practices in their privacy policies. The privacy policies are wordy and not to the point. As a result, users do not feel like reading the whole thing before downloading an app; they just accept the terms and conditions to get access to the app as soon as possible. The privacy policies of mobile apps need to be clear and definitive, and should focus on the protection of user data. Just because an app is free does not mean that the developers have the authority to share sensitive user data without permission.

Snapchat is not as secure as it claims to be. Image from http://www.wired.com/

Many of us use mobile photo-sharing apps to share pictures with our friends and families. One of the most popular mobile photo-sharing apps is Snapchat. Snapchat claims to be the most secure photo-sharing app because it allows users to share pictures that disappear from devices after a certain amount of time. That means nobody other than the sender or receiver can get access to the photos. Snapchat even deletes opened photos from its servers. It definitely sounds like a safe medium for sharing your pictures. However, Snapchat has not been fully forthcoming about what happens to photos that remain unopened. Apparently, unopened photos remain on Snapchat’s servers for thirty days. So if an intruder gets access to the company’s servers, they can access those unopened photos. Mobile apps should state how long user data is stored on their servers and what security measures they take to protect that data.

Let’s face it – downloading mobile apps is so easy and fast that many of us do not even consider glancing through their privacy policy. However, your personal data is more important than you think. As users of mobile apps, we deserve the right to know how the company manages and stores our personal data. Most of the time, app developers collect data to make improvements to their applications and satisfy the needs of the consumer. It is the responsibility of the app developers to let users know what data is collected, how much of it, and with whom it is shared. They should not collect more from users than what is required. Their privacy policies should be transparent and more in line with protecting the privacy of the user. Lastly, proper encryption and security controls should be in place to protect sensitive user data. Having said that, the onus of reading the privacy policy still rests with the consumer. If an application asks for any personal data, please take some time to read its privacy policy, and make sure that you are comfortable with it before sharing your data.

Securing your data with SpiderOak

Most popular “secure” cloud services are still vulnerable to third party attacks. To truly experience privacy for your individual or business needs, an anonymous cloud storage and sharing service like SpiderOak provides all the benefits of the cloud while protecting against hacking and security breaches. This service provides users with fully private cloud storage and syncing, featuring all of the benefits of the cloud along with 100% data privacy.

SpiderOak protects sensitive user data with 256-bit AES encryption so that files and passwords stay private. Authorized accounts and network devices can store and sync sensitive data with complete privacy, because this cloud service has absolutely “zero-knowledge” of user passwords or data. And all plaintext encryption keys are exclusively stored on approved devices because SpiderOak never hosts any plaintext data. This way, even if programs like NSA’s PRISM continue to stand unchallenged, people can rest easy knowing that their data is truly protected. SpiderOak’s cross-platform private cloud services are available for users on Windows, Mac, and Linux platforms, along with Android and iOS mobile devices, allowing for full flexibility and mobile access. SpiderOak offers amazing products like SpiderOak Hive and SpiderOak Blue to secure consumer and enterprise data. You can sign up for this product now.

Target Credit Card Breach Exposes Millions of Customers

Posted by on Dec 23, 2013

Massive credit card breach at Target. Image from http://extras.mnginteractive.com.

Credit card data breaches seem to be on the rise these days. Hackers are attacking many businesses in order to access sensitive customer data like social security numbers or credit card information. This information can be extremely valuable to attackers, as having all that sensitive data in hand allows them to carry out more severe attacks. Information is key to hackers, and the more information they have, the more dangerous they become, creating a snowball (or even an avalanche) effect.

Retail giant Target has become the latest victim of a massive credit card breach. According to various sources, approximately 40 million credit and debit card accounts were compromised in the breach. It is considered the second-largest breach in US history, after the 2005 TJX Cos credit card theft that affected $47.5 million card users. Target disclosed that customers who made purchases using their credit cards between Nov 27 and Dec 15 may have been exposed to the attack. The hackers managed to access customer names, credit and debit card numbers, card expiration dates and the code embedded on the magnetic stripe. The data breach did not affect online purchases.

The data breach appears to have begun on the busy Black Friday weekend and potentially affects nearly all store locations across the US. According to cybersecurity expert Brian Krebs, the breach was initially believed to have run from the Thanksgiving period until Dec 6, but further investigation revealed that it extended until Dec 15th. He said that “track data” was stolen from customers’ accounts, allowing the attackers to make replicas of the credit cards simply by encoding that information onto any card with a magnetic stripe. If the PIN data for debit cards was also stolen, it could be used to produce cloned debit cards and withdraw money from ATMs.

Millions of credit card data were exposed in the breach. Image from http://kfda.images.worldnow.com

The US Secret Service is investigating the breach. It has confirmed to the Wall Street Journal that the breach was the result of a vulnerability in the network of 40,000 credit card devices at store registers. Target has 1797 stores in the US and 124 stores in Canada, which means a massive amount of credit card data is at risk as a result of this breach. The breach did not affect users shopping online, but it did affect people who went to a physical store to shop.

Does that mean shopping online is safer than going to a store? Well, each has its merits and demerits. It is unfortunate that something like this happened because of a flaw in the network of credit card devices, but an in-person breach like this is rare. Usually, I feel it is safer to shop in a store than to order something online, because when you shop online you expose yourself to more security risks. These risks include a lack of proper security controls on the website, poor encryption standards and exposure to severe cyber attacks such as Man-in-the-Middle or phishing attacks.

Target recommends users to monitor their credit card records to prevent identity theft. Image from http://www.keepmyid.org.

Target has apologized to its customers for the inconvenience caused by the credit card breach and has assured them that it will resolve the issue soon. It is working with a third-party forensics team to conduct a thorough investigation of the breach and determine what significant steps it can take to avoid such situations in the future. Target recommends that customers remain alert to fraud or identity theft by regularly monitoring their account statements and free credit reports. If they find any suspicious activity on their accounts, they should immediately inform their financial institutions. You can also call the Federal Trade Commission or law enforcement to report identity theft or credit card fraud.

According to the reports, it certainly looks like the majority of Target stores are affected by the breach. Therefore, as a consumer, I would refrain from shopping at Target at this point and wait for the issue to be resolved. More importantly, if you shopped at Target during the timeframe of the attack, please monitor your account statements and credit reports, and if you find any suspicious activity, inform your credit card company immediately.

Secure cloud storage service that protects your data

SpiderOak is a secure cloud storage service that protects its user data from government surveillance. This service provides users with fully private cloud storage and syncing, featuring all of the benefits of the cloud along with 100% data privacy. SpiderOak is available with onsite deployment and private servers or outsourced deployment through a private and secured public cloud server, so that users and small businesses of all sorts and sizes can tailor the service to fit their needs.

SpiderOak protects sensitive user data with 256-bit AES encryption so that files and passwords stay private. Authorized accounts and network devices can store and sync sensitive data with complete privacy, because this cloud service has absolutely “zero-knowledge” of user passwords or data. And all plaintext encryption keys are exclusively stored on approved devices because SpiderOak never hosts any plaintext data. This way, even if programs like NSA’s PRISM continue to stand unchallenged, people can rest easy knowing that their data is truly protected. SpiderOak’s cross-platform private cloud services are available for users on Windows, Mac, and Linux platforms, along with Android and iOS mobile devices, allowing for full flexibility and mobile access. SpiderOak offers amazing products like SpiderOak Hive and SpiderOak Blue to secure consumer and enterprise data. You can sign up for this product now.

What’s Next for Tech Companies And The NSA

Posted by on Dec 19, 2013

Technology companies team up against NSA surveillance. Image from http://www.theguardian.com

The NSA’s controversial PRISM program has put the reputation of major technology companies at stake. Time and again the NSA has collected huge amounts of user data from these companies, either by serving legal notices or by illegally tapping into their data center links. Either way, the spy agency has been successful in its mission of mass data collection for surveillance. People use the services of major technology companies like Google, Apple and Facebook in their everyday lives, and such revelations of mass data collection raise concern among the general population about the privacy and security of their data with these companies. Putting the protection of customer data in the forefront, the technology companies have teamed up against the surveillance activities of the NSA.

Letter to the President. Image from http://b-i.forbesimg.com.

Last week, eight high-profile tech companies sent a letter to President Obama and Congress, asking for strict rules to restrain the NSA from collecting massive amounts of user data. The letter said: “We understand that governments have a duty to protect their citizens. But this summer’s revelations highlighted the urgent need to reform government surveillance practices worldwide. The balance in many countries has tipped too far in favor of the state and away from the rights of the individual — rights that are enshrined in our Constitution. This undermines the freedoms we all cherish.”

The tech companies have requested strong judicial oversight of surveillance requests by the NSA. The reputation of US tech companies has been harmed in the international market because of the NSA tapping into the private communication links of major tech companies around the world. In particular, government officials in Europe and Brazil have expressed deep concern over the collection of their citizens’ personal data by the US spy agency.

President's meeting with the leaders of major Internet companies. Image from http://www.gannett-cdn.com

Leaders of major tech companies also met with the President earlier this week about the NSA’s surveillance programs. There were discussions about the impact of surveillance activities on the reputation of these companies and on the economy of the country in the near future. The companies pressed for transparency and limits on the data collection practices of the NSA. In the past, the tech companies have teamed up against the NSA in an effort to publish a transparent report of the data collection requests made by the agency. However, the government declined their demands, claiming that allowing the tech companies to reveal such details would be invaluable to adversaries and would harm national security interests.

This move by the technology giants clearly shows their concern for the protection of their users’ privacy. Besides demanding reforms to the surveillance programs, more and more companies are implementing strong security controls to protect user data. Major Internet companies like Yahoo and Google have introduced HTTPS encryption for their services, implemented two-factor authentication and encrypted the links to their data centers for better security.

Secure cloud storage service that protects your data from surveillance

SpiderOak is a secure cloud storage service that protects its user data from government surveillance. This service provides users with fully private cloud storage and syncing, featuring all of the benefits of the cloud along with 100% data privacy. SpiderOak is available with onsite deployment and private servers or outsourced deployment through a private and secured public cloud server, so that users and small businesses of all sorts and sizes can tailor the service to fit their needs.

SpiderOak protects sensitive user data with 256-bit AES encryption so that files and passwords stay private. Authorized accounts and network devices can store and sync sensitive data with complete privacy, because this cloud service has absolutely “zero-knowledge” of user passwords or data. And all plaintext encryption keys are exclusively stored on approved devices because SpiderOak never hosts any plaintext data. This way, even if programs like NSA’s PRISM continue to stand unchallenged, people can rest easy knowing that their data is truly protected. SpiderOak’s cross-platform private cloud services are available for users on Windows, Mac, and Linux platforms, along with Android and iOS mobile devices, allowing for full flexibility and mobile access. SpiderOak offers amazing products like SpiderOak Hive and SpiderOak Blue to secure consumer and enterprise data. You can sign up for this product now.


Facebook Even Tracks What You Don’t Post

Posted by on Dec 18, 2013

Facebook tracks your "self-censored" posts. Image from http://i.dailymail.co.uk/


Facebook has become a part and parcel of our daily life. We make friends, post status updates, “like” each other’s pictures, and play games on this social networking site. Given all that, just imagine the amount of personal information Facebook has about its users. Facebook tries to know everything about its users in order to provide them better service. In the past, Facebook has announced that it will track users’ cursor movements to determine how much time they spend hovering over ads on the Facebook page, so that it can send them personalized advertisements. Besides tracking cursor movements, another study reveals that Facebook also stores information that we decide not to share with it: for example, a status update that you wanted to post but, for some reason, changed your mind about and did not post, or friend requests that you never accepted.

You must be thinking: Wait! How is that possible? How can Facebook know what we wanted to post? The code Facebook runs in your browser can read what you have typed into your status box or message, even if you decide not to publish it. The technology is very similar to the one used in Gmail. You must have noticed that whenever you type a response in Gmail, the message is automatically saved as a draft even if you do not send it; even if you close the browser before saving, you can find a copy of your email in the Drafts folder. Similarly, Facebook uses code in your browser to collect the text that you type. The code collects and analyzes the typed text and sends that information to Facebook. Facebook claims that it collects this information to determine whether unposted text points to problems with the interface, and to find ways to mitigate them. Facebook also wants to promote the News Feed feature, which shows content it thinks users will be interested in. By gathering more information about the likes and dislikes of its users, Facebook can provide News Feeds that match users’ interests.

Facebook collects posts or messages that you have not shared. Image from http://www.attorneymarketingprofits.com


These unposted messages or thoughts are termed “self-censorship” by Facebook. Two researchers, Adam Kramer and Sauvik Das, conducted an analysis of self-censored data on Facebook. They collected self-censorship data from a random sample of approximately 5 million English-speaking Facebook users over a time frame of 17 days. They used two parameters to measure censorship on Facebook: “the ‘composer’—the HTML form element through which users can post standalone content such as status updates—and the ‘comment box’—the element through which users can respond to existing content such as status updates and photos.” They found that 71% of users typed a message or status update but did not post it at the last minute. They conducted research on three different categories: demographics, behavioral features, and information on the “social graph” of each user. According to their research paper, people censor posts more than comments because posts attract more user attention and generate new discussion threads. Also, men are more likely to censor than women, and even more so when more of their friends are men than women. Finally, they concluded that “people censor more when their audience is harder to define, and people censor more when the relevance of the communication ‘space’ is narrower.”

Facebook has indicated in its Data Use Policy that it may be collecting information about things that have not happened. Facebook’s privacy policy is always under the scrutiny of privacy advocates, as it allows the company to collect more information about users than required. I feel that collecting information about something that we do not want to share is extremely intrusive. Somebody decides not to share something because he considers it private, and collecting that private data invades the user’s privacy and security on Facebook.

True Privacy with SpiderOak

Most popular “secure” cloud services are still vulnerable to third party attacks. To truly experience privacy for your individual or business needs, an anonymous cloud storage and sharing service like SpiderOak provides all the benefits of the cloud while protecting against hacking and security breaches. This service provides users with fully private cloud storage and syncing, featuring all of the benefits of the cloud along with 100% data privacy.

SpiderOak protects sensitive user data with 256-bit AES encryption so that files and passwords stay private. Authorized accounts and network devices can store and sync sensitive data with complete privacy, because this cloud service has absolutely “zero-knowledge” of user passwords or data. All plaintext encryption keys are stored exclusively on approved devices, because SpiderOak never hosts any plaintext data. This way, even if programs like the NSA’s PRISM continue to stand unchallenged, people can rest easy knowing that their data is truly protected. SpiderOak’s cross-platform private cloud services are available for users on Windows, Mac, and Linux platforms, along with Android and iOS mobile devices, allowing for full flexibility and mobile access. SpiderOak offers products like SpiderOak Hive and SpiderOak Blue to secure consumer and enterprise data. You can sign up for this product now.


Flashlight App Sends User Location Data to Advertisers

Posted by on Dec 17, 2013

Mobile apps collect user location data. Image from https://mocana.com


With the growth in mobile technology, there is a significant increase in location-based advertising. Marketers want to know exactly where you are located to send you personalized advertisements. As per the Interactive Advertising Bureau, “Total online advertising revenues were $3 billion in the first six months of 2013, and mobile phone ads were less than 20 percent of that amount. Mobile advertising grew 145 percent in that period, however, and mobile ads that incorporate location information will make up a majority of ads by 2015.”

Many smartphone apps are designed to collect user data based on location and to share that information with third parties. Some of the apps are smart enough to track your location even if your GPS is turned off. Location-based advertising can prove extremely beneficial for marketers, as they can now connect to their customers on a personal level and send them relevant, customized information. Some people might not have any problem with location-based data collection, as they might find it helpful in some ways. For others, especially those concerned with privacy, it is a huge concern.

FTC charged Brightest Flashlight Free for sharing user data with advertisers. Image from http://www.arizonadailyindependent.com


According to a recent report, a popular Android flashlight app secretly shares the user’s location data and device IDs with advertisers. The app, “Brightest Flashlight Free”, is a free app made by Goldenshores Technologies LLC that lets users use their mobile devices as flashlights. The company was charged by the Federal Trade Commission (FTC) with deceiving customers about how their geo-location data would be collected and shared with third parties. The privacy policy of Brightest Flashlight Free did not mention that users’ geo-location data would be shared with advertisers; it claimed that any information collected by the app would be used by the company itself. In reality, however, the app shared the collected user data with third-party advertisers without the user’s consent or knowledge. In my opinion, this is a huge intrusion of privacy.

End User License Agreement for Android's flashlight app. Image from http://www.business.ftc.gov


When you download the app for the first time, it shows an End User License Agreement with information about data collection and gives you the option to “Accept” or “Refuse” the agreement. It seems that even before you select the “Accept” option, the application starts collecting your data and sending it to third-party advertisers. Jessica Rich, Director of the FTC’s Bureau of Consumer Protection, said, “When consumers are given a real, informed choice, they can decide for themselves whether the benefit of a service is worth the information they must share to use it. But this flashlight app left them in the dark about how their information was going to be used.” In the settlement with Goldenshores Technologies, LLC, the FTC prohibits the company from misrepresenting how consumer data is collected and shared, and how much control consumers have over the amount of data being shared. The company must provide detailed information to consumers about when, how, and why their geo-location data is collected, used, and shared.

It is still very unclear how the collection of location-based data affects consumers’ purchasing decisions, but it definitely invades their privacy in the mobile space. I hope that in the near future we will see privacy policies that are clear, definitive, and more in line with protecting the privacy of user data. Mobile apps should not collect more from users than is required, and should obtain the user’s permission before sharing their information with third parties. Lastly, app developers should clearly state their privacy practices to users before they download their apps.

Secure your data with SpiderOak

Most popular “secure” cloud services are still vulnerable to third party attacks. To truly experience privacy for your individual or business needs, an anonymous cloud storage and sharing service like SpiderOak provides all the benefits of the cloud while protecting against hacking and security breaches. This service provides users with fully private cloud storage and syncing, featuring all of the benefits of the cloud along with 100% data privacy.

SpiderOak protects sensitive user data with 256-bit AES encryption so that files and passwords stay private. Authorized accounts and network devices can store and sync sensitive data with complete privacy, because this cloud service has absolutely “zero-knowledge” of user passwords or data. All plaintext encryption keys are stored exclusively on approved devices, because SpiderOak never hosts any plaintext data. This way, even if programs like the NSA’s PRISM continue to stand unchallenged, people can rest easy knowing that their data is truly protected. SpiderOak’s cross-platform private cloud services are available for users on Windows, Mac, and Linux platforms, along with Android and iOS mobile devices, allowing for full flexibility and mobile access. SpiderOak offers products like SpiderOak Hive and SpiderOak Blue to secure consumer and enterprise data. You can sign up for this product now.


Keeping Secure and Private in the “Internet of Things”

Posted by on Dec 16, 2013

In the near future we are going to see more Internet-connected homes. Image from http://static5.businessinsider.com


Imagine a situation where you are shopping at the grocery store and receive a text on your smartphone…from your refrigerator! It is reminding you to pick up eggs and replace the orange juice, which is 4 weeks old. After picking up the instructed items, you head back home, and based on your GPS location (relayed from your car to your home), your thermostat automatically turns on, so that your home is warm and cozy when you arrive. These scenarios are going to be commonplace soon thanks to the “Internet of things”.

The Internet of things is one of the most popular terms in today’s digital age. We are going to see far more connected homes in the near future. Given the way technology is advancing, the day is not far off when the appliances in your house will be talking to each other and performing their tasks without much human intervention. There is no doubt that these gadgets will make life much easier. However, with new technologies come new security risks. When all your personal devices are connected to the Internet, imagine how much of your personal data will be stored on each device. What will happen if that data gets shared? If somebody gains control over your smart home network, he can remotely control all your appliances as he wishes. People used to feel safe once they were inside their house with the front door locked. With connected homes you are not secure behind locked doors, as somebody with access to your network connections can take control of your entire house.

Baby Monitor Hack. Image from http://i1.ytimg.com


A few months back, a Texas-based family revealed how their baby monitor was hacked. The hacker took control of the monitor, which was connected to the home wireless network, and said unpleasant things to their two-year-old daughter. There have been several incidents in the past indicating that Wi-Fi-connected baby monitor cameras are vulnerable to hacking. They come with default usernames and passwords, which most people do not bother to change. Dave Chronister, managing partner of Parameter Security, says, “breaking into these cameras is the same as breaking into a website. Therefore it is extremely important to use strong passwords for your Wi-Fi connected cameras.” Chronister recommends securing the wireless network with Wi-Fi Protected Access 2 (WPA2), because it uses better encryption standards and is very difficult to crack, especially when combined with a good password.
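The two weaknesses named above, unchanged vendor defaults and a wireless network that is not on WPA2, are easy to check against an inventory of your own devices. The following is an added example, not code from the original post or from Parameter Security; the device inventory, the model names and the default-credential table are constructed placeholders, and the password-strength thresholds are an assumption.

```python
"""Audit a home device inventory for the two weaknesses described above:
vendor default credentials that were never changed, and Wi-Fi that is not
protected by WPA2. Added example, not part of the original post; the
inventory and the default-credential list are constructed."""
import hmac

# Vendor defaults as printed in a device manual. Constructed placeholders;
# a real audit would load the vendor's published defaults for each model.
DEFAULT_CREDENTIALS = {
    "ExampleCam-2000": ("admin", "admin"),
    "ExampleHub-1": ("admin", "1234"),
}

# Wireless modes the post's advice accepts (WPA2 and stronger).
ACCEPTABLE_WIFI = {"WPA2-PSK", "WPA2-Enterprise", "WPA3-SAE"}


def is_default_credential(model, username, password):
    """True when the device still uses the vendor's shipped login."""
    default = DEFAULT_CREDENTIALS.get(model)
    if default is None:
        return False
    # compare_digest keeps the comparison constant-time; harmless here, but
    # it is the habit to have wherever secrets are compared.
    return (hmac.compare_digest(username.encode(), default[0].encode())
            and hmac.compare_digest(password.encode(), default[1].encode()))


def password_is_weak(password, min_len=12):
    """Flag short passwords or passwords drawn from fewer than three
    character classes. Thresholds are an assumption, not the post's."""
    classes = sum([
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ])
    return len(password) < min_len or classes < 3


def audit_device(dev):
    """Return a list of findings for one inventory record."""
    findings = []
    if is_default_credential(dev["model"], dev["username"], dev["password"]):
        findings.append("default credentials unchanged")
    elif password_is_weak(dev["password"]):
        findings.append("weak password")
    if dev["wifi_security"] not in ACCEPTABLE_WIFI:
        findings.append(f"wireless security {dev['wifi_security']} is not WPA2")
    return findings


# Constructed inventory of a small smart home.
INVENTORY = [
    {"name": "nursery-camera", "model": "ExampleCam-2000",
     "username": "admin", "password": "admin", "wifi_security": "WPA2-PSK"},
    {"name": "living-room-hub", "model": "ExampleHub-1",
     "username": "admin", "password": "Correct-Horse-9-Battery",
     "wifi_security": "WEP"},
    {"name": "smart-tv", "model": "ExampleTV-55",
     "username": "owner", "password": "tv12345", "wifi_security": "WPA2-PSK"},
]


def audit_inventory(devices=INVENTORY):
    """Map each device name to its findings; an empty list means clean."""
    return {dev["name"]: audit_device(dev) for dev in devices}


if __name__ == "__main__":
    for name, findings in audit_inventory().items():
        print(f"{name}: {', '.join(findings) or 'ok'}")
```

The default-credential check runs before the strength check on purpose: a device still on its shipped login is the finding that matters, and reporting it also as merely “weak” would bury the point.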

In one of my previous posts, I had discussed data collection by your smart TV. Smart TVs collect a lot of information about users’ viewing habits and store it on their servers. The data collected by your smart TV includes the names of files, unique customer identification information, and tracking numbers specific to the TV. They keep track of your viewing habits and send you targeted advertisements. Since a lot of TVs have cameras connected to them (for Skype and other video messaging services), a hacker can potentially take control of your TV, and thereby your camera, and view everything going on in your home. Security researchers David Bryan and Daniel Crowley conducted some tests on an Internet-connected device called VeraLite, which can be connected to your home network to manage various household appliances. During the tests they found many security flaws in VeraLite’s authentication process. It did not require setting up any username or password to access the system, and the authentication was so weak that anybody could access it. Crowley and Bryan carried out such security tests on many other Internet-connected home products to determine the security risks associated with them, and reported these issues to the respective companies.

In the future we are going to see more and more Internet-connected appliances. As more devices are connected to the Internet, more security risks will emerge. Somebody can hack into one of the devices connected to your network and take control of your entire household. The challenge for consumer electronics corporations is to provide smart, connected, and secure appliances that simplify the user’s life without compromising on the security of the devices themselves.

Secure cloud storage service that protects your data

SpiderOak is a secure cloud storage service that protects its user data from government surveillance. This service provides users with fully private cloud storage and syncing, featuring all of the benefits of the cloud along with 100% data privacy. SpiderOak is available with onsite deployment and private servers or outsourced deployment through a private and secured public cloud server, so that users and small businesses of all sorts and sizes can tailor the service to fit their needs.

SpiderOak protects sensitive user data with 256-bit AES encryption so that files and passwords stay private. Authorized accounts and network devices can store and sync sensitive data with complete privacy, because this cloud service has absolutely “zero-knowledge” of user passwords or data. All plaintext encryption keys are stored exclusively on approved devices, because SpiderOak never hosts any plaintext data. This way, even if programs like the NSA’s PRISM continue to stand unchallenged, people can rest easy knowing that their data is truly protected. SpiderOak’s cross-platform private cloud services are available for users on Windows, Mac, and Linux platforms, along with Android and iOS mobile devices, allowing for full flexibility and mobile access. SpiderOak offers products like SpiderOak Hive and SpiderOak Blue to secure consumer and enterprise data. You can sign up for this product now.


How the NSA Tracks Users With Website Cookies

Posted by on Dec 13, 2013

NSA tracks Google cookies. Image from http://businessdayonline.com


These days Internet companies generate a lot of revenue from advertisements. They monitor your online activities and send you ads based on your interests. Many Internet companies use “cookies” to track users and send them targeted advertisements. Cookies are small tracking files that are placed in a user’s browser when they visit an advertiser’s website. Through the cookies, advertisers can identify an individual’s browsing habits and interests, and send him ads customized to those interests. Privacy advocates have opposed the use of tracking technologies for targeted advertisements, as they believe it is an intrusion of user privacy. According to the Internet companies, however, their customers benefit from targeted advertisements, since they receive ads geared towards their interests. A recent report revealed that the NSA takes advantage of these tracking technologies, which Internet companies use for targeted advertisements, to carry out its surveillance activities.

The NSA and its British counterpart GCHQ use website cookies to identify their intended targets within the massive amount of data available on the Internet. The spy agencies use Google “PREF” cookies to track users and then later on hack their computers to gain access to additional information. The PREF cookies do not provide any information about your name, email address, or any other personal details, but they contain a unique code that differentiates you from other users. Google “PREF” cookies contain a unique identifier called “PREFID”, which is a random string of numbers and characters. Google places this unique identifier in your browser when you visit one of its services for the first time. Given the widespread use of Google services, I am sure many of us have a Google PREF cookie in our browser. The PREF cookie provides information about the user’s location and language, and this information can be extremely valuable to the spy agencies.

Besides the Google PREF cookie, the NSA also uses DoubleClick.net cookies to track users. One of the presentation slides released by the Guardian in October, titled “Tor Stinks”, indicated that Tor users can be tracked using the DoubleclickID when they browse the Internet in regular browsing mode. Another slide in the presentation talks about a program called “QUANTUMCOOKIE” which “forces clients to divulge stored cookies”. As security expert Bruce Schneier puts it, “the NSA uses frame injection to force anonymous users to visit common sites like Google and Facebook and reveal their identifying cookies. As a result they can de-anonymize Tor users if they use Tor from the same browser they use for other Internet activities.”

The NSA identifies the user's current location from the mobile apps. Image from http://www.wired.com/


The revealed internal slides also provided information about another program, called HAPPYFOOT, that allows the NSA to collect location information from mobile apps. Many smartphone apps report your current location even when your GPS is disabled. These apps collect geo-location data to share it with third parties for targeted advertisements. If the app sends that information in unencrypted form, the NSA can intercept the communication and collect the user’s location data without the user’s knowledge. This issue can be tackled if mobile app developers encrypt the communications that carry user location information.
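The two exposures described in the last few paragraphs, a persistent tracking cookie (Google PREF, DoubleClick id) riding along on requests and location fields sent over plain http where anyone on the path can read them, can both be spotted in a capture of a device’s outbound requests. The following is an added example, not code from the original post or from any of the companies or agencies named in it; the request records are constructed, the hostnames ending in .test are placeholders, and the list of location-carrying query keys is an assumption.

```python
"""Scan captured outbound HTTP requests for the two exposures described
above: persistent tracking cookies (Google PREF, DoubleClick id) and
geolocation sent over plain http where anyone on the path can read it.
Added example, not part of the original post; the request records are
constructed, not real captures."""
from urllib.parse import urlsplit, parse_qs

# Cookie names the post identifies as tracking identifiers, keyed by the
# domain that sets them.
TRACKING_COOKIES = {
    "google.com": {"PREF"},
    "doubleclick.net": {"id"},
}

# Query-string keys that commonly carry a device location (assumed names).
LOCATION_KEYS = {"lat", "latitude", "lon", "lng", "longitude", "geo", "loc"}


def parse_cookie_header(value):
    """'a=1; b=2' -> {'a': '1', 'b': '2'}; values may themselves contain '='."""
    cookies = {}
    for part in value.split(";"):
        name, sep, val = part.strip().partition("=")
        if sep:
            cookies[name.strip()] = val.strip()
    return cookies


def registrable_domain(host):
    """Crude eTLD+1: the last two labels. Enough for the constructed sample;
    a real tool would consult the public suffix list."""
    labels = host.lower().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def audit_request(req):
    """req: {'url': ..., 'headers': {...}}. Returns a list of findings."""
    findings = []
    parts = urlsplit(req["url"])
    host = parts.hostname or ""
    cookies = parse_cookie_header(req["headers"].get("Cookie", ""))
    for name in sorted(TRACKING_COOKIES.get(registrable_domain(host), ())):
        if name in cookies:
            findings.append(f"tracking cookie {name} sent to {host}")
    # Location fields are a transit-exposure finding only when the request
    # is unencrypted; over https the same fields are protected on the wire.
    if parts.scheme == "http":
        leaked = sorted(k for k in parse_qs(parts.query) if k.lower() in LOCATION_KEYS)
        if leaked:
            findings.append(f"plaintext location fields {leaked} sent to {host}")
    return findings


# Constructed sample of four outbound requests from one device.
SAMPLE_REQUESTS = [
    {"url": "https://www.google.com/search?q=weather",
     "headers": {"Cookie": "PREF=ID=0123456789abcdef:FF=0:TM=1386900000; NID=xyz"}},
    {"url": "http://ads.example-adnetwork.test/v1/ad?lat=40.71&lon=-74.00&app=flashlight",
     "headers": {}},
    {"url": "https://ad.doubleclick.net/pixel",
     "headers": {"Cookie": "id=0123456789abcdef"}},
    {"url": "https://api.example-weather.test/forecast?lat=40.71&lon=-74.00",
     "headers": {}},
]


def audit_all(requests=SAMPLE_REQUESTS):
    """Map each URL to its findings; an empty list means nothing flagged."""
    return {r["url"]: audit_request(r) for r in requests}


if __name__ == "__main__":
    for url, findings in audit_all().items():
        print(url, "->", findings or "clean")
```

The fourth request carries the same latitude and longitude as the second but is not flagged, which is the point of the post’s closing advice: the fix for the HAPPYFOOT-style interception is not to stop apps from sending location, which their business model depends on, but to send it only over an encrypted channel.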

Disable your cookies to prevent tracking. Image from http://cdn0.sbnation.com


As the recently revealed NSA documents show, the NSA can use website cookies to collect information about your browsing habits. You can disable cookies in your browser to prevent advertisers and the surveillance agencies from collecting your information; in one of my previous posts, I have explained how to disable cookies in your browser. In order to track website cookies or collect geo-location information, the NSA needs to provide a court warrant to the Internet company. However, it is still unclear whether the NSA provided any warrant to the Internet companies before collecting user data.

Protecting your data with SpiderOak

SpiderOak is a secure cloud storage service that protects its user data from government surveillance. This service provides users with fully private cloud storage and syncing, featuring all of the benefits of the cloud along with 100% data privacy. SpiderOak is available with onsite deployment and private servers or outsourced deployment through a private and secured public cloud server, so that users and small businesses of all sorts and sizes can tailor the service to fit their needs.

SpiderOak protects sensitive user data with 256-bit AES encryption so that files and passwords stay private. Authorized accounts and network devices can store and sync sensitive data with complete privacy, because this cloud service has absolutely “zero-knowledge” of user passwords or data. All plaintext encryption keys are stored exclusively on approved devices, because SpiderOak never hosts any plaintext data. This way, even if programs like the NSA’s PRISM continue to stand unchallenged, people can rest easy knowing that their data is truly protected. SpiderOak’s cross-platform private cloud services are available for users on Windows, Mac, and Linux platforms, along with Android and iOS mobile devices, allowing for full flexibility and mobile access. SpiderOak offers products like SpiderOak Hive and SpiderOak Blue to secure consumer and enterprise data. You can sign up for this product now.


How True Are White House Claims Healthcare.gov is Fixed?

Posted by on Dec 12, 2013

Healthcare.gov still vulnerable to security risks. Image from http://www.rightspeak.net/


The Healthcare.gov website has been in the headlines recently because of its technical glitches and its performance and security issues. People have encountered lots of technical difficulties, like slow operation or error messages, while registering for healthcare plans. As I mentioned in one of my previous posts, apart from all these technical issues, the website is also vulnerable to cyber attacks, and many security experts have highlighted the potential security risks of the healthcare website. The White House claimed that the technical issues were fixed in a “day-night effort” last month. The Department of Health and Human Services claims that over 400 bugs and issues were fixed, and that the overall capacity of the website was improved to handle the intended number of users.

However, the report did not mention anything about addressing the security issues with the website. As pointed out by many security experts, the website lacks basic security safeguards and is vulnerable to many cyber attacks. The healthcare website handles private data like the names, addresses, birthdates, and social security information of millions of Americans, and is therefore attracting the attention of many cyber criminals. Recently Vermont Health Connect reported a security breach in which one user got access to the social security number and other personal details of another user. A few weeks later, the person who had originally applied for coverage on the exchange website received an envelope: “On the back of the envelope was hand-written ‘VERMONT HEALTH CONNECT IS NOT A SECURE WEBSITE!’” This incident clearly indicates the importance of security on healthcare exchange websites.

TrustedSec, an information security company, conducted a number of tests to determine whether the security flaws in the healthcare.gov website had been fixed. As per TrustedSec, the website has multiple open redirect vulnerabilities. An attacker can exploit this vulnerability to send spoofed emails to users that look valid and legitimate, as if they had come from the healthcare.gov website. The user might end up handing over all his personal details in response to the fake email, which the attacker can then use to conduct further attacks. These emails might also contain links to malicious websites that can compromise your computer and cause further damage.
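An open redirect is a handler that forwards the browser to whatever URL a request parameter names, so a link that starts with the trusted site’s own hostname can end on an attacker’s page. The check that closes it is to resolve the requested target and only follow it when it lands on one of the site’s own hosts. The following is an added example, not TrustedSec’s finding or healthcare.gov’s code; the site origin, the allowed host list and the probe inputs are constructed, with .test hostnames as placeholders.

```python
"""Open redirect: the trusting pattern beside a hardened check. Added
example, not TrustedSec's finding or healthcare.gov's code; the site
origin and allowed host list are constructed."""
from urllib.parse import urljoin, urlsplit

SITE_ORIGIN = "https://www.example-exchange.test"  # constructed
ALLOWED_HOSTS = {"www.example-exchange.test", "login.example-exchange.test"}


def redirect_target_vulnerable(next_param):
    """Sends the browser wherever the 'next' parameter says. A link such as
    login?next=https://evil.test/ looks like it belongs to the real site but
    lands the user on a page the site does not control."""
    return next_param


def redirect_target_hardened(next_param, default="/"):
    """Only redirect to https URLs on our own hosts; fall back otherwise."""
    if not next_param:
        return default
    # Browsers normalise backslashes, whitespace and control characters
    # inconsistently; refuse them rather than guess how each will be read.
    if "\\" in next_param or any(ord(c) < 0x21 for c in next_param):
        return default
    # Resolve against our origin so that "/path", "//evil.test/path" and
    # "https://evil.test/path" all become absolute URLs with a concrete host
    # that can be compared against the allow list.
    resolved = urljoin(SITE_ORIGIN + "/", next_param)
    parts = urlsplit(resolved)
    if parts.scheme != "https" or parts.hostname not in ALLOWED_HOSTS:
        return default
    return resolved


# Constructed probes a reviewer would run against both handlers.
PROBES = [
    "/account/summary",
    "https://login.example-exchange.test/sso?state=1",
    "https://evil.test/phish",
    "//evil.test/phish",
    "https://www.example-exchange.test.evil.test/",
    "http://www.example-exchange.test/",
    "javascript:alert(1)",
    "/\\evil.test",
]


def compare(probes=PROBES):
    """Map each probe to (vulnerable result, hardened result)."""
    return {p: (redirect_target_vulnerable(p), redirect_target_hardened(p))
            for p in probes}


if __name__ == "__main__":
    for probe, (weak, safe) in compare().items():
        print(f"{probe!r}: vulnerable -> {weak!r}, hardened -> {safe!r}")
```

Matching the hostname against an allow list, rather than checking that the target string starts with the site’s name, is what defeats the look-alike host and the scheme-relative “//” forms in the probe list; requiring https as well prevents the redirect from being used to downgrade the session.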

Health.gov vulnerable to phishing and identity theft. Image from http://www.nerdwallet.com/


Another vulnerability identified by TrustedSec is “the ability to enumerate user information (first, last, email, userid, profile, etc) through one of the sub-sites that directly integrates into the healthcare.gov website. This vulnerability allows an attacker to enumerate as many users as he wants”.

Security loophole identified by TrustedSec. Image from https://www.trustedsec.com


David Kennedy the founder of TrustedSec said, “I’m a little bit more skeptical now, and I would still definitely advise individuals to not use the website because it’s definitely something that I don’t believe is secure and neither did the four individuals that testified in front of Congress. I think there’s some major security concerns there around privacy and information, and they haven’t even come close to being addressed, and won’t be in the short term.”

The security tests done by TrustedSec indicate that the fixes made to the healthcare.gov website have addressed the issues only at a functional level, and have left the door open to security vulnerabilities.

Keep your health information secured

Users sometimes find that selecting a truly protected third party cloud service can be a challenge as most “secure” services on the market have glaring security gaps that leave their sensitive data wide open to third party attacks, leaks, and hacking. One rapidly expanding cloud storage and sync service that sets itself apart from the rest of the market is SpiderOak. This service provides users with fully private cloud storage and syncing, featuring all of the benefits of the cloud along with 100% data privacy. SpiderOak is available with onsite deployment and private servers or outsourced deployment through a private and secured public cloud server, so that users and small businesses of all sorts and sizes can tailor the service to fit their needs.

SpiderOak protects sensitive user data with 256-bit AES encryption so that files and passwords stay private. Authorized accounts and network devices can store and sync sensitive data with complete privacy, because this cloud service has absolutely “zero-knowledge” of user passwords or data. All plaintext encryption keys are stored exclusively on approved devices, because SpiderOak never hosts any plaintext data. This way, even if programs like the NSA’s PRISM continue to stand unchallenged, people can rest easy knowing that their data is truly protected. SpiderOak’s cross-platform private cloud services are available for users on Windows, Mac, and Linux platforms, along with Android and iOS mobile devices, allowing for full flexibility and mobile access. SpiderOak offers products like SpiderOak Hive and SpiderOak Blue to secure consumer and enterprise data. Sign up for this product today!