Online Privacy Archives - Page 6 of 13 - The Privacy Post

Is Your Smart TV Spying On You?

Posted by on Nov 25, 2013

LG Smart TV collects user viewing information. Image from http://www.huffingtonpost.ca/

Many households these days own “Smart TVs”. We sometimes forget that these TVs are also connected to the Internet and are capable of collecting and transmitting our data. We seem far more concerned about surveillance programs that spy on our web browsing, email conversations, or interactions on social media, and we worry about which security controls to implement on our systems to avoid being tracked. However, very little has been said or revealed about the data collection activities of Smart TVs. Recently, a U.K.-based information technology consultant, Jason Huntley, revealed in a blog post how LG smart televisions send customer viewing information to LG Electronics Inc. According to his post, the LG Smart TV model LG 42LN575V sent unencrypted data over the Internet. He included screenshots of the data transmitted by the TV.

In his tests, Huntley found that the information was sent out every time he changed the channel. The TV also has an option in the system settings called “Collection of watching info”, which is ON by default. He turned that option off and analysed the TV’s traffic to see whether it would still send data. Unfortunately, it did: the viewing information was sent regardless of whether “Collection of watching info” was set to ON or OFF. The traffic sent over the Internet also included the names of files stored on a USB drive connected to the LG television. To prove this, Huntley created a mock video file, loaded it onto a USB drive, and plugged the drive into his TV. When he analysed the network traffic, he found that the file name was transmitted unencrypted in HTTP traffic to the address GB.smartshare.lgtvsdp.com. In some cases, he said, the file names for an entire folder were transmitted, and at other times nothing at all was sent; he never determined the rules that controlled when data was or wasn’t sent. Other data collected by the Smart TV includes the names of the customer’s files, unique customer identifiers, and tracking numbers specific to the individual TV.

LG Smart TV collects your data even when “Collection of watching info” is OFF. Image from http://doctorbeet.blogspot.co.uk/

However, the addresses in the HTTP POST request returned 404 errors, which means the personal information in the request may not have been logged on the server. Even if the information is not stored on the server, tracking of user information is an intrusion on user privacy. As the LG TV sends the data unencrypted, it is easy for someone on the same network to monitor the communications. Also, there is no guarantee that the information is not logged on LG’s servers. “Despite being missing at the moment, this collection URL could be implemented by LG on their server tomorrow, enabling them to start transparently collecting detailed information on what media files you have stored,” said the blogger.

Network data analysis. Image from http://doctorbeet.blogspot.co.uk/

LG responded to Jason Huntley’s blog post by saying: “The advice we have been given is that unfortunately as you accepted the Terms and Conditions on your TV, your concerns would be best directed to the retailer. We understand you feel you should have been made aware of these T’s and C’s at the point of sale, and for obvious reasons LG are unable to pass comment on their actions.”

Separately, another security researcher revealed a vulnerability in Samsung Smart TVs that allows an intruder on the same network to take control of the devices. He demonstrated how it is possible to remotely access USB files, install malicious apps, and use the TV’s microphone and camera to spy on users.

If you want to check how your Internet-connected devices, such as a Smart TV, transfer your data across the Internet, you can install a network analysis tool such as Wireshark. Wireshark is an open source packet analyzer used for network analysis and troubleshooting. By running Wireshark on a machine positioned to see your home network’s traffic, you can capture and analyze the data packets travelling through your router.
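Once a capture has isolated a request like the one Huntley describes, the next step is to read what the device actually sent. The script below is an added example, not code from the original post or from LG: it parses one reassembled plaintext HTTP POST and flags fields that look like local file names or device/customer identifiers. The request text is constructed to resemble what the post describes; the host is the one named in the post, while the path and field names are placeholders, not a real endpoint.

```python
"""Audit a captured plaintext HTTP request for data a device sends in the clear.

Added example, not code from the original post or from LG. The request text
is constructed to resemble what the post describes (an unencrypted POST
carrying a USB file name and a device identifier to GB.smartshare.lgtvsdp.com);
the path and field names are placeholders, not a real endpoint.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Values a privacy audit flags when they travel unencrypted: local file names
# and anything whose field name suggests a device or customer identifier.
FILENAME_RE = re.compile(r"^[\w\-. ]+\.(avi|mkv|mp4|mov|jpg|jpeg|png|pdf|docx?)$", re.I)
IDENTIFIER_FIELD_RE = re.compile(r"(^|_)(id|uuid|serial|mac)(_|$)", re.I)


def build_sample_request():
    """Constructed sample of a reassembled HTTP POST, as a sniffer would show it."""
    body = "device_id=PLACEHOLDER-DEVICE-ID&channel=101&filename=constructed_sample_video.avi"
    return (
        "POST /PLACEHOLDER-collection-path HTTP/1.1\r\n"
        "Host: GB.smartshare.lgtvsdp.com\r\n"
        "Content-Type: application/x-www-form-urlencoded\r\n"
        f"Content-Length: {len(body)}\r\n"
        "\r\n" + body
    )


def parse_http_request(raw):
    """Split a raw HTTP/1.1 request into request line, headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "version": version,
            "headers": headers, "body": body}


def extract_fields(req):
    """Collect name/value pairs from the query string and a form-encoded body."""
    fields = {k: v[0] for k, v in
              parse_qs(urlsplit(req["target"]).query, keep_blank_values=True).items()}
    if req["headers"].get("content-type", "").startswith("application/x-www-form-urlencoded"):
        fields.update({k: v[0] for k, v in parse_qs(req["body"], keep_blank_values=True).items()})
    return fields


def audit_request(raw):
    """Return the destination host and every field that looks like private data."""
    req = parse_http_request(raw)
    fields = extract_fields(req)
    flagged = {}
    for name, value in fields.items():
        reasons = []
        if FILENAME_RE.match(value):
            reasons.append("value looks like a local file name")
        if IDENTIFIER_FIELD_RE.search(name):
            reasons.append("field name suggests a device or customer identifier")
        if reasons:
            flagged[name] = reasons
    return {"host": req["headers"].get("host"), "method": req["method"],
            "fields": fields, "flagged": flagged}


if __name__ == "__main__":
    report = audit_request(build_sample_request())
    print(f"{report['method']} to {report['host']} sent in the clear:")
    for name, reasons in report["flagged"].items():
        print(f"  {name} = {report['fields'][name]!r}: {'; '.join(reasons)}")
```

In Wireshark, the display filter `http.request` narrows a capture to requests like this one; the point of the audit is that anything the parser can read, anyone else on the path can read too, which is why the post's concern is the lack of encryption rather than the 404 responses.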

Secure cloud storage service that protects your data

SpiderOak is a secure cloud storage service that protects its user data from government surveillance. This service provides users with fully private cloud storage and syncing, featuring all of the benefits of the cloud along with 100% data privacy. SpiderOak is available with onsite deployment and private servers or outsourced deployment through a private and secured public cloud server, so that users and small businesses of all sorts and sizes can tailor the service to fit their needs.

SpiderOak protects sensitive user data with 256-bit AES encryption so that files and passwords stay private. Authorized accounts and network devices can store and sync sensitive data with complete privacy, because this cloud service has absolutely “zero-knowledge” of user passwords or data. And all plaintext encryption keys are stored exclusively on approved devices, because SpiderOak never hosts any plaintext data. This way, even if programs like NSA’s PRISM continue to stand unchallenged, people can rest easy knowing that their data is truly protected. SpiderOak’s cross-platform private cloud services are available for users on Windows, Mac, and Linux, along with Android and iOS mobile devices, allowing for full flexibility and mobile access. SpiderOak offers amazing products like SpiderOak Hive and SpiderOak Blue to secure consumer and enterprise data. You can sign up for this product now.

SpiderOak Tops EFF’s Crypto Survey Report

Posted by on Nov 22, 2013

Secure data storage with SpiderOak. Image from www.spideroak.com

Revelations about the National Security Agency’s (NSA) surveillance programs are posing a serious threat to the reputation of technology companies. The documents revealed by Edward Snowden indicate that leading tech companies like Apple, Google, Yahoo, and Microsoft cooperated with the NSA’s mass data collection program, PRISM, by providing information about their customers’ data. The companies received a severe backlash from privacy advocates and the general public for invading the privacy of their customers. To restore their reputation and win back the trust of their customers, the tech companies teamed up against the U.S. government’s surveillance programs, asking the court to allow them to publish transparency reports of the data requests made by the NSA. Besides fighting the NSA’s surveillance programs, the tech companies also started implementing strong security measures to assure their customers that their data is safe from surveillance.

Data collection under PRISM program. Image from http://cloudstoragebuzz.com

In light of the NSA revelations, it is extremely important for organizations to implement strong encryption to protect user data. Even though Internet users rely on encryption for secure communications between their computers and public-facing websites, the unencrypted internal data flows of the companies allow the NSA to obtain millions of records each month, including both metadata and content such as audio, video, and text. The recently revealed MUSCULAR program lets the spy agencies carry out mass data collection without the knowledge of the tech companies: the NSA taps into the links between the companies’ data centers without a court warrant.

Keeping the NSA’s surveillance activities and user privacy in mind, the Electronic Frontier Foundation (EFF) conducted a survey to determine how technology companies are protecting their users’ data against the NSA’s spying. As part of the survey, EFF recommended that service providers encrypt every step a communication takes on its way to, or within, their systems. These are the five encryption steps recommended by EFF:

  1. Encrypt links between data centers: All companies with data centers in the cloud should immediately encrypt all traffic between their data centers.
  2. Enable HTTPS by default: Companies should serve their websites over Hypertext Transfer Protocol Secure (HTTPS) by default, so that when a user connects to the website the whole communication is carried over a secure channel.
  3. Enable HTTP Strict Transport Security (HSTS): HSTS is a security policy by which the web server instructs browsers to interact with it only over HTTPS connections.
  4. Implement STARTTLS for email transfer: STARTTLS is an extension that encrypts communications between email servers using the Simple Mail Transfer Protocol (SMTP) standard.
  5. Forward secrecy: A strong key is extremely important for encryption. But what if the key gets compromised? Forward secrecy ensures that a later compromise of the server’s long-term key does not expose user data from earlier sessions.

EFF’s Survey Report. Image from https://www.eff.org/files/
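Three of the five steps above (HTTPS by default, HSTS, forward secrecy) are visible to any client that connects to a site, so they can be scored automatically. The script below is an added example, not part of the original post or of EFF's survey method: it parses a `Strict-Transport-Security` header, classifies a negotiated cipher suite by whether its key exchange is ephemeral, and scores constructed observations of a weak and a hardened site. Data-center link encryption and STARTTLS are not observable from a web client and are left out; the six-month HSTS threshold is this example's own choice.

```python
"""Check three of EFF's five encryption steps from what a client can observe.

Added example; not part of the original post or of EFF's survey method.
The 'observations' below are constructed records standing in for what a
browser or scanner would see when connecting to a site: whether plain HTTP
redirected to HTTPS, the response headers, and the negotiated cipher suite.
Data-center link encryption and STARTTLS cannot be seen from a web client,
so they are not scored here.
"""

# This example's own threshold for a meaningful HSTS policy: six months.
MIN_HSTS_MAX_AGE = 180 * 24 * 3600


def parse_hsts(header_value):
    """Parse a Strict-Transport-Security value into its directives.

    Returns None when the header is missing or malformed (a browser ignores
    such a header, so it gives no protection); max-age is mandatory.
    """
    if header_value is None:
        return None
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in header_value.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            try:
                policy["max_age"] = int(value.strip().strip('"'))
            except ValueError:
                return None
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy if policy["max_age"] is not None else None


def provides_forward_secrecy(cipher_suite):
    """True when the key exchange is ephemeral: ECDHE/DHE suites in OpenSSL
    naming, or any TLS 1.3 suite (TLS 1.3 always uses an ephemeral exchange)."""
    name = cipher_suite.upper()
    return name.startswith(("ECDHE-", "DHE-", "TLS_AES_", "TLS_CHACHA20_"))


def evaluate_site(observation):
    """Score one observation against the EFF steps a client can check."""
    hsts = parse_hsts(observation["headers"].get("strict-transport-security"))
    return {
        "https_by_default": observation["http_redirects_to_https"],
        "hsts": hsts is not None and hsts["max_age"] >= MIN_HSTS_MAX_AGE,
        "forward_secrecy": provides_forward_secrecy(observation["cipher_suite"]),
    }


# Constructed observations: a site that has done none of the work and one
# that has. Header values are representative, not captured from a real host.
WEAK_SITE = {
    "http_redirects_to_https": False,
    "headers": {"server": "example"},
    "cipher_suite": "AES128-SHA",  # static RSA key exchange: no forward secrecy
}
HARDENED_SITE = {
    "http_redirects_to_https": True,
    "headers": {"strict-transport-security": "max-age=31536000; includeSubDomains"},
    "cipher_suite": "ECDHE-RSA-AES128-GCM-SHA256",
}


if __name__ == "__main__":
    for label, site in (("weak", WEAK_SITE), ("hardened", HARDENED_SITE)):
        print(label, evaluate_site(site))
```

A real scanner would fill the observation dict from a live connection (the redirect from port 80, the response headers, and the cipher suite reported by the TLS library) and run the same scoring; keeping the scoring separate from the collection is what lets the check be tested offline.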

In a recent report, EFF declared that Google, SpiderOak, Dropbox and Sonic.net are the web companies that met all five of the communications encryption steps it recommended. SpiderOak encrypts the files on your computer before uploading them to the server. As a result, you and only you have access to your unencrypted data. Even SpiderOak cannot read your data, because the keys used for encryption belong only to you. It is impossible for someone to gain control of your data by hacking into SpiderOak. This way, even if programs like NSA’s PRISM continue to stand unchallenged, people can rest easy knowing that their data is truly protected.

Twitter was a close runner-up among the 18 surveyed Internet companies, having implemented four of the recommended encryption steps; it also confirmed that encryption of its data center links is in progress. “Facebook and Tumblr have provided further information to supplement the Encrypt the Web Report. We’re pleased to report that Tumblr is planning to upgrade its web connections to HTTPS this year and implement HSTS by 2014, and Facebook is working on encrypting data center links and implementing STARTTLS.”

True Privacy with SpiderOak

At SpiderOak, we protect sensitive user data using 256-bit AES encryption so that files and passwords remain secure. SpiderOak encrypts the files on your computer before uploading them to the server. As a result, you and only you have access to your unencrypted data. Even SpiderOak cannot read your data, because the keys used for encryption belong only to you. The secret that keeps your data accessible to you alone is your SpiderOak password, which is never transmitted to SpiderOak in its original form. SpiderOak generates a key from your password using the key derivation (strengthening) algorithm PBKDF2 with SHA-256, a minimum of 16384 rounds, and 32 bytes of random data (the “salt”). This key is then used to encrypt and decrypt a series of strong encryption keys that in turn encrypt and decrypt your data. So a user who knows her password can generate the outer-level encryption key using PBKDF2 and the salt, decipher the outer-level keys, and be on her way to decrypting her data. Without knowledge of the password, however, the data is unreadable. This way, even if programs like NSA’s PRISM continue to stand unchallenged, people can rest easy knowing that their data is truly protected.
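The key hierarchy described above, written out as an added example rather than SpiderOak's own code. What comes from the text is the shape: PBKDF2 with SHA-256, at least 16384 rounds, a 32-byte random salt, and an outer key that only ever encrypts other keys. What is this example's own choice is the wrapping layer: the text names AES, but to keep the script standard-library only the inner key is wrapped with an encrypt-then-MAC construction built from HMAC-SHA256 (a counter-mode keystream plus an authentication tag). The record returned by `enroll` is what a device could upload; the password and the plaintext inner key never leave it.

```python
"""Password-derived key hierarchy in the shape the post describes.

Added example; this is not SpiderOak's code. From the post: PBKDF2 with
SHA-256, a minimum of 16384 rounds, a 32-byte random salt, and an outer key
that encrypts the inner keys protecting the data. This example's own choice:
the inner key is wrapped with encrypt-then-MAC built from HMAC-SHA256
(counter-mode keystream plus tag), a stdlib-only stand-in for the AES layer.
"""
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 16384   # minimum stated in the post
SALT_BYTES = 32         # stated in the post
NONCE_BYTES = 16
TAG_BYTES = 32


def derive_outer_key(password, salt, rounds=PBKDF2_ROUNDS):
    """The outer-level key: PBKDF2-HMAC-SHA256 over the user's password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds, dklen=32)


def _subkeys(outer_key):
    """Separate encryption and authentication keys derived from the outer key."""
    enc = hmac.new(outer_key, b"example-enc", hashlib.sha256).digest()
    mac = hmac.new(outer_key, b"example-mac", hashlib.sha256).digest()
    return enc, mac


def _keystream(enc_key, nonce, length):
    """HMAC-SHA256 in counter mode (stand-in for a block-cipher keystream)."""
    blocks = [hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
              for counter in range((length + 31) // 32)]
    return b"".join(blocks)[:length]


def wrap_key(outer_key, inner_key):
    """Encrypt the inner key under the outer key and authenticate the result."""
    enc_key, mac_key = _subkeys(outer_key)
    nonce = os.urandom(NONCE_BYTES)
    ciphertext = bytes(a ^ b for a, b in zip(inner_key, _keystream(enc_key, nonce, len(inner_key))))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def unwrap_key(outer_key, blob):
    """Recover the inner key, or None if the outer key is wrong or the blob was altered."""
    enc_key, mac_key = _subkeys(outer_key)
    nonce, ciphertext, tag = blob[:NONCE_BYTES], blob[NONCE_BYTES:-TAG_BYTES], blob[-TAG_BYTES:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(a ^ b for a, b in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))


def enroll(password):
    """Client side: make a salt and a fresh inner data key, wrap the inner key
    under the password-derived outer key. Only the salt and wrapped key would
    be uploaded; the password and plaintext inner key stay on the device."""
    salt = os.urandom(SALT_BYTES)
    inner_key = os.urandom(32)
    record = {"salt": salt, "wrapped_key": wrap_key(derive_outer_key(password, salt), inner_key)}
    return record, inner_key


def recover_inner_key(password, record):
    """Client side on another device: re-derive the outer key and unwrap."""
    return unwrap_key(derive_outer_key(password, record["salt"]), record["wrapped_key"])


if __name__ == "__main__":
    record, inner = enroll("correct horse battery staple")
    print("right password recovers the inner key:",
          recover_inner_key("correct horse battery staple", record) == inner)
    print("wrong password yields:", recover_inner_key("wrong password", record))
```

Whoever holds only the uploaded record has the salt and an authenticated ciphertext; without the password, the outer key cannot be re-derived and `unwrap_key` returns None rather than garbage, which is the property the post is describing.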

SpiderOak offers amazing products like SpiderOak Hive and SpiderOak Blue to secure consumer and enterprise data. SpiderOak Blue provides enterprises with a fully private cloud service featuring all of the benefits of cloud storage along with 100% data privacy. And for the average web user, SpiderOak offers the same protections with lower costs and smaller storage space. You can sign up for this product now.

Snaphack App Lets You Save Snapchats Without Notifying the Sender

Posted by on Nov 21, 2013

Snaphack saves Snapchat messages. Image from http://cdn.hightechdad.netdna-cdn.com

Many of us use Snapchat to share photos and videos with our friends. People consider it a secure medium for sharing photos because once the receiver opens a photo or video, it automatically disappears within 10 seconds or less. The photos are also deleted from Snapchat’s server after the recipient has opened them, so they are not saved anywhere permanently. Snapchat therefore sounds like a very secure application for photo sharing: no one other than the receiver can access and view the photos, and the photos are deleted within a short timeframe. However, a new app, “Snaphack”, defeats the whole purpose of using Snapchat for photo sharing. With Snaphack you can save Snapchat photos and messages indefinitely without notifying the sender. Now you have to think twice before sending anything embarrassing on Snapchat.

Snaphack is an iPhone app designed by Darren Jones, who has produced a few other apps under the name DAP Logic. A few months earlier he launched another app, Iconical, that allows users to create their own icons for the home screen of any Apple device. In an interview with Mashable, Jones said, “I wanted to prove that nothing was 100 percent secure once uploaded to the Internet.” He also wanted to point out the dangers of sending images that you don’t want other people to see. According to Jones, he is not the first to launch a Snapchat saver: in the past, Sepia software designed an application called Screenshot save that also saves Snapchat messages. Besides the above-mentioned apps, Snapchat is also vulnerable to anyone who can take a quick screenshot of the chat messages or pictures. Jones has already submitted a new version of the app to Apple that will allow users to send saved Snapchat messages to other users via email. Snaphack does not have an Android version yet.

Let’s take a look at how the Snaphack app works. First of all, you need to download the Snaphack app from the App Store. Then log in with your Snapchat credentials. “When you get a notification of a new snap all you have to do is open up the Snaphack app, refresh the app and get the new pictures and videos. Snaps can be opened up individually and then saved onto the handset.” I tested the Snaphack app by sending a photo on Snapchat to myself. I took a photo of this vase on Snapchat and selected myself as the recipient. Once I received the photo on Snapchat, I closed Snapchat without opening the photo. Then I opened Snaphack using the login details of my Snapchat account.

Photo taken on Snapchat. Image by author.

When I clicked on the green item in Snaphack, I was able to view the snap that I had sent to myself. The image was permanently saved in Snaphack and I could access it any time I wanted. However, I could not view the items highlighted in red, because I had opened those photos in Snapchat earlier.

Snapchat photos on Snaphack. Image by author.

Besides that, it also gave me the option to save the photo to the camera roll, forward it to friends, or send it via email.

Snaphack allows you to share Snapchat photos. Image by author.

Given these developments, you need to be careful when sending photos on Snapchat, because somebody might be able to save your private material at the other end. Snapchat is not as secure as it claims to be. In the past we have seen that the company has handed over photos to US law enforcement agencies on receiving a court order. While it is true that Snapchat deletes snaps from its servers once they are opened, unopened snaps remain on the company’s server for 30 days and can be turned over to the authorities if needed. If you want to share sensitive information, take proper security measures before sending it.

Protecting your photos with SpiderOak

SpiderOak allows you to conveniently store photos online without having to worry about attacks or monitoring. This truly private storage and sync service is 100% anonymous, meaning that no one, not even the company’s own employees, can access the plaintext data uploaded to its servers. SpiderOak protects sensitive user data with 256-bit AES encryption so that files and passwords stay private. Authorized accounts and network devices can store and sync sensitive data with complete privacy, because this cloud service has absolutely “zero-knowledge” of user passwords or data. And all plaintext encryption keys are stored exclusively on approved devices, because SpiderOak never hosts any plaintext data. This way, even if programs like NSA’s PRISM continue to stand unchallenged, people can rest easy knowing that their data is truly protected. SpiderOak’s cross-platform private cloud services are available for users on Windows, Mac, and Linux, along with Android and iOS mobile devices, allowing for full flexibility and mobile access. SpiderOak offers amazing products like SpiderOak Hive and SpiderOak Blue to secure consumer and enterprise data. You can sign up for this product now.

Google to Implement Encryption for Secure Searches

Posted by on Nov 20, 2013

Google Search- trying to give users more privacy. Image from www.google.com

Google has made a change aimed at providing “extra protection” for Google searchers. The company has announced that it will encrypt all search activity, except clicks on ads, to maintain the privacy and security of Internet users. Back in October 2011, Google announced that it would encrypt the searches of anyone who was logged in to a Google account, to protect users’ online privacy by hiding the search queries they perform. Now Google is extending that protection by encrypting the searches of people who are not signed in to a Google account. Google confirmed the move, saying:

“We added SSL encryption for our signed-in search users in 2011, as well as searches from the Chrome omnibox earlier this year. We’re now working to bring this extra protection to more users who are not signed in. We’re going to continue expanding our use of SSL in our services because we believe it’s a good thing for users. The motivation here is not to drive the ads side — it’s for our search users.”

Encrypted Google search. Image from www.google.com

Let us first understand how web analytics tools capture keyword data from search engines. When you search for something on a search engine, the search keyword is typically visible in the HTTP Referer header of the request for the page you click on. For example, if you search for “information security” on Google.com, the Referer will look like:

http://www.google.com/search?q=information+security

When you click on a page listed in the search results, you leave Google and arrive at the page you selected. That page’s server receives a copy of the above URL in the Referer header. As a result, the owner of the page can find out, using web analytics software, that you landed on their page by searching for the keyword “information security”.

But when searches are encrypted, the search terms that would be passed on to the page owner or publisher after someone clicks their link on Google are withheld. “In Google Analytics, the actual term is replaced with a ‘Not Provided’ notation”. In the past few years there has been steady growth in “Not Provided” activity due to the use of encryption in searches. “Not Provided Count, which tracks 60 sites to chart the rise of the keyword “(not provided),” has been reporting on the effects of encrypted keywords over time. In the chart below, you’ll notice a spike starting around the week of September 4. Today, the chart indicates that nearly 74% of search terms are being encrypted”.
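The Referer mechanics described above, as an added example that is not code from Google or from any analytics product. It models the two sides: the publisher's analytics, which reads the `q` parameter out of the Referer, and the browser, which under the default referrer rule of the time (what later became the `no-referrer-when-downgrade` policy) sends no Referer at all when a user leaves an HTTPS page for a plain HTTP one. For HTTPS destinations that rule would still send the full URL, so a search engine that wants to withhold the terms there has to expose only its origin as the referring page; the third scenario in the test passes such an origin-only URL. All URLs are constructed.

```python
"""How a search keyword reaches a publisher's analytics, and why encrypted
search turns it into "(not provided)".

Added example, not code from Google or any analytics product. The URLs are
constructed for illustration.
"""
from urllib.parse import parse_qs, urlsplit


def search_terms_from_referer(referer):
    """Publisher side: pull the 'q' parameter out of a search-engine Referer."""
    if not referer:
        return None
    terms = parse_qs(urlsplit(referer).query).get("q")
    return terms[0] if terms else None


def referer_sent_by_browser(referring_page, destination):
    """Browser side: the Referer value the default policy of the time sends.

    Plain HTTP -> anything, or HTTPS -> HTTPS: the full referring URL.
    HTTPS -> plain HTTP (a downgrade): nothing at all.
    """
    if urlsplit(referring_page).scheme == "https" and urlsplit(destination).scheme != "https":
        return None
    return referring_page


def analytics_keyword(referring_page, destination):
    """What the publisher's analytics would record for one click-through."""
    term = search_terms_from_referer(referer_sent_by_browser(referring_page, destination))
    return term if term is not None else "(not provided)"


if __name__ == "__main__":
    # Constructed scenarios: unencrypted search, encrypted search landing on a
    # plain HTTP site, and a search engine that exposes only its origin.
    scenarios = [
        ("http://www.google.com/search?q=information+security", "http://example.com/article"),
        ("https://www.google.com/search?q=information+security", "http://example.com/article"),
        ("https://www.google.com/", "https://example.com/article"),
    ]
    for referring_page, destination in scenarios:
        print(f"{referring_page} -> {destination}: {analytics_keyword(referring_page, destination)}")
```

The publisher never sees the browser-side decision; all it observes is that the keyword column fills up with "(not provided)", which is exactly the trend the Not Provided Count chart records.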

Analysis by Not Provided Count. Image from http://www.notprovidedcount.com/

Of course, the obvious question is: what could be the reason behind this change? What prompted Google to make such a change all of a sudden? Google claims it is implementing the change to maintain the privacy of its users. However, the move might also be aimed at blocking the spying activities of the NSA. Google was accused of providing the NSA direct access to search data through the PRISM spying program. Even though the company has strongly denied this accusation, it has been heavily criticized by security experts. The PRISM revelations have harmed the reputation of high-profile tech companies like Google, Apple, Yahoo and others. In order to regain the trust of its users, Google also joined hands with other major tech companies in seeking permission to publish transparency reports of the number of data requests made by the US government under national security laws. These companies are asking the government to allow them to be more transparent with the general public about data requests and to clarify some of the misconceptions regarding mass data collection.

Another reason behind this move could be to increase ad sales. According to this blog post, publishers can still see the actual terms that have been withheld over time through the Google AdWords system; Google will not withhold the search terms entirely. Publishers can also see these terms by going to the Google Webmaster Tools area. In August, Google made a change to Google AdWords under which publishers can store the search terms for as long as they want and access them at any time, as long as they use Google’s ad system. So Google won’t archive the search terms in the tool built for non-advertisers, i.e., Google Webmaster Tools, but will store them through its ad system. This clearly indicates that the terms are withheld in order to win new advertisers.

MacRumors Security Breach Exposes 860,000 User Passwords

Posted by on Nov 19, 2013

The security breach was, unfortunately, not just a rumor. Image from http://cdn.itproportal.com

We hear about a great many security breaches these days. Every day, millions of user records are compromised due to a lack of proper security controls, weak passwords or human error. Recently MacRumors posted a notice that its user forums had been breached and that the hackers had stolen the cryptographically protected passwords of 860,000 users. Site Editorial Director Arnold Kim advised users to change their passwords for their MacRumors accounts and for any other website protected by the same password.

The hacker managed to gain access to a moderator account and was able to escalate its privileges to steal user login credentials. MacRumors is still investigating how the hackers managed to compromise the privileged account. After examining the log files, the investigators believe that the intruder tried to access the password database to steal the passwords. So far it looks like the hackers have not caused any further damage, and there is no sign that they have accessed any other data belonging to the user forum.

While you can hope you weren’t affected, it is always best to plan as if you were. Image from http://cdn.arstechnica.net

Kim stated that the attack is similar to the Ubuntu security breach in July, which compromised the security of 2 million users. The Ubuntu breach seems to be indirectly related to the latest one, as both the MacRumors and Ubuntu forums rely on vBulletin’s forum software. Both forums use the MD5 algorithm, along with a per-user cryptographic salt, to convert plaintext passwords into a one-way hash; this is the standard protection provided by vBulletin on both forums. However, according to many security experts, MD5 with or without salt is inadequate for password protection. “They say that while per-user salt slows down the time it takes to crack large numbers of passwords in unison, it does little or nothing to delay the cracking of small numbers of hashes”. Therefore it is not difficult for the hackers to recover the stolen passwords from their hashes.

In the meantime, the group that hacked MacRumors has declared that they are not going to use the password data to compromise the accounts of people who use the same login credentials on other sites. In their post, the hacker included the partial cryptographic hash corresponding to the password of MacRumors Editorial Director Arnold Kim, as well as the cryptographic salt used to increase the time required to crack it, in order to prove that they are the ones responsible for the breach. They said the attack was not designed to cause any harm to MacRumors users but to sharpen the skills of the hacker and of MacRumors.

“We’re not logging in to your gmails, apple accounts, or even your yahoo accounts (unless we target you specifically for some unrelated reason),” the user known simply as Lol wrote. “We’re not terrorists. Stop worrying, and stop blaming it on Macrumors when it was your own fault for reusing passwords in the first place.”

The hacker confirmed that the MacRumors password hashes totaled 860,106, of which 488,429 had a salt that was 3 bytes long. The shorter the salt, the fewer possible values it has and the easier it is to guess. Salts are random strings of numbers or characters appended to the plaintext password before it goes through a one-way hash function. Salts increase the time required to crack a large number of hashes by forcing the attacker to guess against each individual hash rather than against all of them at once.
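The two points in the paragraphs above, that a per-user salt stops one guess from being tested against every hash at once but does nothing against a fast hash taken one at a time, and that a 3-byte salt has only 2^24 possible values, can be shown from the defender's side. The script below is an added example, not code from MacRumors or vBulletin: the post says both forums used MD5 with a per-user salt but gives no exact formula, so the legacy scheme here is a generic single MD5 over salt and password. It sits beside the replacement a site should migrate to (PBKDF2-HMAC-SHA256 with a 16-byte salt, constant-time verification) and an audit function that flags the weaknesses. The record format, round count and thresholds are this example's own.

```python
"""Why salted MD5 is weak password storage, and what replaces it.

Added example; not code from MacRumors or vBulletin. The post says both
forums used MD5 with a per-user salt but does not give the exact formula,
so the legacy scheme below is a generic 'one MD5 over salt and password'.
The record format, round count and salt threshold are this example's own.
"""
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 100_000  # this example's choice; tune so one hash takes ~100 ms on your hardware
MIN_SALT_BYTES = 16      # this example's minimum for an acceptable salt
MIN_ROUNDS = 10_000      # this example's minimum for an acceptable work factor


def legacy_salted_md5(password, salt):
    """Generic salted MD5: a single fast hash round, as older forum software used."""
    digest = hashlib.md5(salt + password.encode("utf-8")).hexdigest()
    return f"md5${salt.hex()}${digest}"


def hash_password(password, salt=None, rounds=PBKDF2_ROUNDS):
    """Salted, deliberately slow hash suitable for storing passwords today."""
    salt = os.urandom(MIN_SALT_BYTES) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return f"pbkdf2_sha256${rounds}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Constant-time comparison of a candidate against a stored PBKDF2 record."""
    algo, rounds, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported record type")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def salt_space_bits(salt_len_bytes):
    """log2 of the number of distinct salts: 3 bytes gives only 2^24 values."""
    return 8 * salt_len_bytes


def audit_record(stored):
    """List the weaknesses an auditor would flag in one stored password record."""
    findings = []
    parts = stored.split("$")
    if parts[0] == "md5":
        findings.append("fast hash: MD5 is cheap to compute, so each guess is cheap")
        salt_len = len(bytes.fromhex(parts[1]))
    elif parts[0] == "pbkdf2_sha256":
        if int(parts[1]) < MIN_ROUNDS:
            findings.append("too few PBKDF2 rounds")
        salt_len = len(bytes.fromhex(parts[2]))
    else:
        return ["unknown algorithm"]
    if salt_len < MIN_SALT_BYTES:
        findings.append(f"short salt: only 2^{salt_space_bits(salt_len)} possible values")
    return findings


if __name__ == "__main__":
    # Two users with the same password: per-user salts give different hashes,
    # so one guess cannot be tested against both records at once...
    same_password = "Secret123"
    a = legacy_salted_md5(same_password, bytes.fromhex("a1b2c3"))
    b = legacy_salted_md5(same_password, bytes.fromhex("d4e5f6"))
    print("different hashes for the same password:", a != b)
    # ...but each record is still a single fast MD5, which is the expert
    # objection quoted in the post.
    print("audit of a 3-byte-salt MD5 record:", audit_record(a))
    modern = hash_password(same_password)
    print("audit of a PBKDF2 record:", audit_record(modern) or "no findings")
    print("verify:", verify_password(same_password, modern), verify_password("wrong", modern))
```

The salt lengths in the constructed records (3 bytes) match the figure the post attributes to 488,429 of the stolen hashes; the audit function is the kind of check a site can run over its own password table before an incident rather than after one.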

The post also stated that the fault lay with a single moderator, and that this led to the breach. “The fault lied within a single moderator. All of you kids that are saying upgrade from 3.x to 4.x or 5.x have no idea what you’re talking about. 3.x is far more secure than the latter. Just because it’s older, it doesn’t mean it’s any worse.”

In my opinion, MacRumors users should not take seriously the hacker’s assurance that their accounts on other sites like Gmail or Yahoo will not be compromised. They should follow Arnold Kim’s advice and change their passwords for their MacRumors accounts and any other website protected by the same password.

Keeping your data safe

Users sometimes find that selecting a truly protected third-party cloud service can be a challenge, as most “secure” services on the market have glaring security gaps that leave sensitive data wide open to third-party attacks, leaks, and hacking. One rapidly expanding cloud storage and sync service that sets itself apart from the rest of the market is SpiderOak. This service provides users with fully private cloud storage and syncing, featuring all of the benefits of the cloud along with 100% data privacy. SpiderOak is available with onsite deployment and private servers or outsourced deployment through a private and secured public cloud server, so that users and small businesses of all sorts and sizes can tailor the service to fit their needs.

Facebook Plans to Track Your Cursor Movements

Posted by on Nov 18, 2013

How much does Facebook know about us? The amount may be increasing. Image from http://www.infotales.com

The most popular social networking site, Facebook, already has a huge amount of user data to begin with. Even so, the company wants to know more about its users. According to the Wall Street Journal, Facebook is testing a brand new technology that would allow it to follow users’ mouse movements on the site. With the new cursor tracking technology, the company can figure out where we click, where we pause, where we hover, and for how long. The biggest driving force behind implementing cursor tracking is to measure how long a user’s cursor hovers over revenue-generating ads.

Ken Rudin, the analytics chief for Facebook, revealed to The Wall Street Journal, “The social network may start collecting data on minute user interactions with its content, such as how long a user’s cursor hovers over a certain part of its website, or whether a user’s News Feed is visible at a given moment on the screen of his or her mobile phone.” In other words, Facebook may start collecting data based on your interactions with the content of the website: how long your cursor hovers over a particular part of the site, or whether your News Feed is visible at a given moment on your mobile phone’s screen. It would then store all this captured information in a data analytics warehouse and serve you targeted ads related to the content you hover over most. Basically, Facebook collects two kinds of data: demographic and behavioral. Demographic data includes information from beyond the network, like where you live or went to school. Behavioral data is captured in real time on the network, like your “Friends” on Facebook or your “Likes”. The ongoing test will focus mainly on the behavioral data that is collected. “Facebook should know in the coming months whether incorporating the new data collection makes sense for a slew of uses, be it product development or more precise targeting of ads”, Rudin said.

Here are the companies most interested in user behavior. Image from http://www.innvio.com

Media companies, advertisers and social networks have been tracking your Internet behavior for web analytics for a long time. Back in 2011, Microsoft researchers came up with an easy way to use cursor movement to understand and improve search results. “The researchers developed a technique to track the gaze direction of an unlimited number of remote users’ attention on any website, with nothing but a standard web browser. They accomplished this feat (pdf) with a single Javascript that weighs in at less than 1k and can be run invisibly on any page without slowing its load time or your browser’s performance”. With this technique they can track where your cursor is at any given time. There appears to be a correlation between what we look at on a web page and where we place our cursor, so tracking cursor movements gives more information about the quality of search results than simple click data does.

Facebook is not the only company planning to track users based on their cursor movements. Shutterstock Inc, a marketplace for digital images, records everything its users do on the website. It uses the open source Hadoop distributed file system to track and analyze user data such as where users place their cursor or how long they hover over a particular section of the site before making a purchase. Facebook also uses a modified version of Hadoop to manage large volumes of data. The data in its analytics warehouse is kept separate from the company’s user data and has not been disclosed. Marketers could use this data for targeted advertising, provided it becomes accessible to them. However, this new data mining experiment is still in its testing phase, and Facebook is still evaluating how it can be valuable to the company. Rudin himself pointed out that collecting massive amounts of data would not help Facebook unless it can figure out how to make use of it.

Amid the PRISM revelations and ongoing issues with Facebook’s privacy policy, the introduction of cursor tracking raises a lot of questions about the privacy and security of Facebook users.

SpiderOak Blue for Enterprises:

Finding a truly secure third party cloud service can be a challenge, as many services on the market have security gaps that leave private data vulnerable to third party attacks. One cloud storage and sync service that sets itself apart is SpiderOak Blue. This service provides enterprises with a fully private cloud service featuring all of the benefits of cloud storage along with 100% data privacy. For the average web user, SpiderOak offers the same protections with lower costs and smaller storage space. You can sign up for this product now.

SpiderOak Blue protects sensitive enterprise data through two-factor authentication and 256-bit AES encryption, so that files and passwords stay private as unreadable blocks of data. Two-factor authentication is like the process used by some financial services that require a PIN as an extra precaution along with a password in order to log in. With SpiderOak, enterprises that choose to use two-factor authentication must submit a private code sent by text message along with their unique encrypted password. Authorized accounts can store and sync sensitive data with complete privacy, because this cloud service has absolutely “zero-knowledge” of user passwords or data. All plaintext encryption keys are stored exclusively on approved devices (SpiderOak never hosts any plaintext data). SpiderOak Blue’s cross-platform private cloud services are available for enterprises on Windows, Mac, and Linux platforms, along with Android and iOS mobile devices.

Keeping your Healthcare Data Safe in the Cloud

Posted by on Nov 15, 2013

Image from http://newsroom.cisco.com

While more and more companies are adopting cloud computing for its convenience and flexibility, the healthcare industry has been a little slow to adopt this trend. But gradually many hospitals and clinics are recognizing the benefits of cloud computing and embracing the technology to revolutionize their procedures. In the modern world of healthcare, it can be extremely challenging for physicians to keep track of a significant amount of information, from patient records to insurance information. With the traditional system, it can be burdensome to transfer physical files from one facility to another, wasting time and spending money on transportation and employee expenses. Cloud storage systems allow organizations to place data on a centralized electronic system that can be accessed anytime from anywhere. The healthcare industry has to deal with massive amounts of data, and cloud services help it access and manage health records effectively in order to provide better patient care.

Research done by Healthcare IT news (http://www.healthcareitnews.com)

Cloud storage services provide many benefits to the healthcare industry. Healthcare data is doubling every year, which means the industry has to keep investing in hardware and tweaking databases and servers to store large amounts of data. With a properly implemented cloud storage system, hospitals can establish a network that processes tasks quickly without a drop in performance. Doctors no longer need to be tied to their offices to look up patient information; they can pull up medical records remotely to review patient histories and tests. Cloud computing has proven cost effective for patients and healthcare providers alike: patients do not have to pay twice for the same test when they go to different doctors, and medical offices do not have to pay for on-site hardware and storage to maintain medical records. Lastly, cloud services require less technical support and maintenance than traditional data storage systems.

However, with all these benefits there are certain risks to using cloud services as well. As we all know, disasters and security breaches can be damaging to any organization, but in healthcare they can be even more damaging, because healthcare cloud security not only has to ensure that sensitive patient information is protected but also has to ensure the availability of critical medical data that can be the difference between life and death. Two security breaches at Oregon Health and Science University were reported recently: “In the two OHSU incidents, information on a total of more than 3,000 patients was inappropriately posted in unencrypted spreadsheets using cloud-based e-mail and document storage services from Google.” Apart from medical records, these data breaches exposed a lot of personal information about the patients, such as names, addresses and social security numbers.

Image from http://delimiter.com.au

Healthcare companies can take the following steps to ensure that patient records are secure in the cloud:

  • Assess your risks: Risk assessments are mandatory for the protection of electronic health records. Conduct tests and evaluations to determine possible threats to your information systems and how they would impact your cloud environment. “Be thorough in your assessment, and analyze all security policies and architectural vulnerabilities relating to storage and backup, encryption use and data authentication and transmission”. By assessing the risks and their impact you can take corrective actions to protect your information systems.
  • Train employees to use strong passwords: Make sure that your staff uses strong, hard-to-guess passwords. Passwords should be at least 8 characters long and a combination of letters, numbers and special characters. Also implement a procedure that requires your staff to change passwords periodically.
  • Log out: Almost all cloud services log you out after a period of inactivity. Even so, make sure you log out of the application once you are done. That ensures nobody can access your information when you are not around.
  • Active monitoring: Constantly monitor and scan your systems to detect any suspicious activity. Set up alerts for anomalies like brute force attempts, abnormal web application requests or suspicious increases in traffic. In case of a security breach, research and determine the patterns of the attack and take countermeasures to improve security.

Keep your health records secure with SpiderOak

SpiderOak is a secure cloud storage service that protects its user data from government surveillance. This service provides users with fully private cloud storage and syncing, featuring all of the benefits of the cloud along with 100% data privacy. SpiderOak is available with onsite deployment and private servers or outsourced deployment through a private and secured public cloud server, so that users and small businesses of all sorts and sizes can tailor the service to fit their needs.

SpiderOak protects sensitive user data with 256-bit AES encryption so that files and passwords stay private. Authorized accounts and network devices can store and sync sensitive data with complete privacy, because this cloud service has absolutely “zero-knowledge” of user passwords or data. And all plaintext encryption keys are stored exclusively on approved devices, because SpiderOak never hosts any plaintext data. This way, even if programs like the NSA’s PRISM continue to stand unchallenged, people can rest easy knowing that their data is truly protected. SpiderOak’s cross-platform private cloud services are available for users on Windows, Mac, and Linux platforms, along with Android and iOS mobile devices, allowing for full flexibility and mobile access. SpiderOak offers products like SpiderOak Hive and SpiderOak Blue to secure consumer and enterprise data. You can sign up for this product now.

Top Websites Use Device Fingerprinting to Track Users

Posted by on Nov 14, 2013

Image from http://www.redorbit.com/

Several top websites track users without their knowledge or consent using a technique called “device fingerprinting”. Device fingerprinting, or browser fingerprinting, is a method of collecting properties of PCs, smartphones and tablets in order to track and identify users. These properties include screen size, versions of installed software, and lists of installed fonts. The combination of these properties is close to unique for each device and thus can be used to track users without relying on Internet cookies. Using this technique, websites can track you even when you have enabled the Do Not Track HTTP header in your browser. According to researchers from KU Leuven in Belgium and New York University (NYU), about 95 of the top 10,000 websites use device fingerprinting that targets the Flash browser plugin used to play animations, videos, and sound files. When they expanded their survey to 1 million websites they found 404 of them used device fingerprinting based on the JavaScript programming language used in web applications. “The researchers said the figures should be taken as the lower bounds since their crawlers weren’t able to access pages behind CAPTCHAs and other types of Web forms.”

According to Ars Technica, the researchers did not provide an exhaustive list of the 404 or more websites that hosted tracking code. However, researcher Gunes Acar of KU Leuven named some of the websites that used device fingerprinting to track users, including orbitz.com, tmobile.co.uk, pokerstrategy.com, anonymizer.com, westernunion.com, and t-online. He stressed that his team may have missed some sites given the limitations of their scanning technology. The researchers also evaluated two privacy enhancing tools that provide resistance against device fingerprinting, Tor Browser and Firegloves, and identified some vulnerabilities in these tools that could give away a user’s identity.

Device fingerprinting can be used for various legitimate purposes like fraud detection, protection against account hijacking, and anti-bot and anti-scraping services. But it has a darker side too. It can be used for marketing and analytics purposes via fingerprinting scripts hidden in advertising banners and web widgets. Besides that, device fingerprinting may have given the National Security Agency and its counterparts the ability to identify and track people using the Tor privacy service. One slide of an NSA presentation titled “Tor Stinks” includes the excerpt: “Goal: … Ignore user-agents from Torbutton or Improve browser fingerprinting? Using javascript instead of Flash?”

Image from www.theguardian.com

The Firefox browser that ships with the Tor Browser Bundle has attempted to prevent fingerprinting by placing a cap on the number of fonts a web page can request or load. The fingerprinting researchers were able to bypass the cap by using the CSS font face feature (@font-face). This weakness was reported to the Tor developers and was later patched.

The revelations about the NSA’s surveillance program have been a wake-up call for many of us and have put security front and center in our minds. It is extremely difficult to avoid being tracked by device fingerprinting. According to Peter Eckersley, staff scientist at the Electronic Frontier Foundation, a privacy-advocacy group, “when it comes to device fingerprinting, we have no convenient options for privacy. All the things we can do are inconvenient to the point of being really impractical.” In a study this year, Mr. Eckersley found that about 91% of nearly 1 million computer users surveyed could be fingerprinted simply by visiting a website.

Image from http://www.bestvpnservicereview.com/

Fingerprints are tough to avoid but we can do a few things to maintain our privacy while surfing the Internet and protect ourselves from device fingerprinting:

  • Disable JavaScript and Flash in your browser. Disabling JavaScript and Flash reduces the amount of information websites can collect. You can disable JavaScript in the Mozilla Foundation’s Firefox browser with an add-on called NoScript. It blocks JavaScript on pages by default while still allowing people to use trusted web pages.
  • To detect websites using device fingerprinting technologies, the researchers developed a tool called FPDetective. The tool crawls and analyses websites for suspicious scripts. It will be freely available at http://homes.esat.kuleuven.be/~gacar/fpdetective/ for other researchers to use and build upon. The findings will be presented at the 20th ACM Conference on Computer and Communications Security this November in Berlin.
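As an added illustration of the kind of analysis a crawler like FPDetective performs, the following Python example (written for this page, not the researchers’ tool, and using constructed heuristics rather than FPDetective’s real rules) scans script source for the property collection described above: font probing, plugin enumeration, screen properties and Flash capability checks. The two sample scripts are constructed for the example.

```python
import re

# Constructed indicator patterns for the property collection the article
# describes (font lists, plugins, screen size, Flash capabilities). These are
# this example's own heuristics, not FPDetective's actual detection rules.
INDICATORS = {
    "font_metrics": re.compile(r"\b(?:offsetWidth|offsetHeight|measureText)\b"),
    "font_family": re.compile(r"font-family|fontFamily"),
    "plugins": re.compile(r"navigator\.(?:plugins|mimeTypes)\b"),
    "screen": re.compile(r"\bscreen\.(?:availWidth|availHeight|width|height|colorDepth)\b"),
    "flash_caps": re.compile(r"ShockwaveFlash|system\.Capabilities", re.IGNORECASE),
    "canvas_pixels": re.compile(r"\b(?:toDataURL|getImageData)\b"),
    "navigator_ids": re.compile(r"navigator\.(?:userAgent|platform|language)\b"),
}

# A short list of common font names; a script that mentions many of them is
# most likely probing which fonts are installed (the enumeration the article
# mentions). A real scanner would use a much longer list.
FONT_NAME = re.compile(
    r"[\"'](Arial|Verdana|Tahoma|Georgia|Impact|Courier New|Times New Roman|"
    r"Comic Sans MS|Lucida Console|Trebuchet MS)[\"']"
)


def analyze_script(source):
    """Count how often the script touches each indicator family."""
    hits = {name: len(rx.findall(source)) for name, rx in INDICATORS.items()}
    hits["font_names"] = len({m.lower() for m in FONT_NAME.findall(source)})
    return hits


def is_fingerprinting(source, min_families=3, min_font_names=5):
    """Flag scripts that combine several property families into one identifier,
    or that probe many font names. Thresholds are constructed for the example."""
    hits = analyze_script(source)
    families = sum(1 for name, n in hits.items() if name != "font_names" and n > 0)
    return families >= min_families or hits["font_names"] >= min_font_names


# Constructed sample: a script that measures fonts, reads screen and plugin
# properties and sends the combination to a collection endpoint.
FP_SCRIPT = """
var fonts = ["Arial", "Verdana", "Tahoma", "Georgia", "Impact", "Courier New"];
var probe = document.createElement("span");
probe.style.fontFamily = "monospace";
document.body.appendChild(probe);
var base = probe.offsetWidth;
var present = [];
for (var i = 0; i < fonts.length; i++) {
  probe.style.fontFamily = "'" + fonts[i] + "', monospace";
  if (probe.offsetWidth !== base) { present.push(fonts[i]); }
}
var fp = [navigator.userAgent, navigator.platform,
          screen.width + "x" + screen.height + "x" + screen.colorDepth,
          navigator.plugins.length, present.join(",")].join("|");
new Image().src = "/collect?fp=" + encodeURIComponent(fp);
"""

# Constructed sample: ordinary page-view analytics that only reads the
# user agent, which on its own is not a fingerprint.
BENIGN_SCRIPT = """
var ua = navigator.userAgent;
var beacon = new Image();
beacon.src = "/hit.gif?page=" + encodeURIComponent(location.pathname) +
             "&ua=" + encodeURIComponent(ua);
"""

if __name__ == "__main__":
    for label, src in (("fingerprinting sample", FP_SCRIPT), ("benign sample", BENIGN_SCRIPT)):
        print(label, analyze_script(src), "-> flagged" if is_fingerprinting(src) else "-> ok")
```

Such heuristics only catch scripts that name the APIs directly; obfuscated or dynamically built code needs the instrumented-browser approach the researchers used.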

Protect your data with SpiderOak

Users sometimes find that selecting a truly protected third party cloud service can be a challenge as most “secure” services on the market have glaring security gaps that leave their sensitive data wide open to third party attacks, leaks, and hacking. One rapidly expanding cloud storage and sync service that sets itself apart from the rest of the market is SpiderOak. This service provides users with fully private cloud storage and syncing, featuring all of the benefits of the cloud along with 100% data privacy. SpiderOak is available with onsite deployment and private servers or outsourced deployment through a private and secured public cloud server, so that users and small businesses of all sorts and sizes can tailor the service to fit their needs.

SpiderOak protects sensitive user data with 256-bit AES encryption so that files and passwords stay private. Authorized accounts and network devices can store and sync sensitive data with complete privacy, because this cloud service has absolutely “zero-knowledge” of user passwords or data. And all plaintext encryption keys are exclusively stored on approved devices because SpiderOak never hosts any plaintext data. This way, even if programs like NSA’s PRISM continue to stand unchallenged, users can rest easy knowing that their data is truly protected. SpiderOak’s cross-platform private cloud services are available for users on Windows, Mac, and Linux platforms, along with Android and iOS mobile devices, allowing for full flexibility and syncing on the go.

Internet Archive to Implement HTTPS Encryption

Posted by on Nov 13, 2013

Image from http://lucian.uchicago.edu

Recently I was browsing through the Amazon website to buy a book online. Suddenly I noticed an option at the bottom of the page that allows you to share what book you purchased on social media sites like Facebook, Twitter etc. The simple act of buying a book gets publicized automatically. Besides that, when you read a book online, the makers of the online reading device have the ability to track your reading habits. They can even tell which sections of the book you read and which you skipped. I realized one thing: reading is no longer a private act these days.

The Internet Archive is a nonprofit digital library that provides permanent storage of, and free public access to, collections of digitized materials, including websites, music, moving images, and nearly three million public-domain books. It allows people to upload and download digital material to its data cluster. The organization has recently announced that it will introduce new privacy protections to shield its users from the prying eyes of the government. The PRISM revelations showed that the government is tracking the online behavior of the general public. As a result, more and more companies are coming forward to protect the privacy of their users. People are starting to lose trust in the majority of online services, as they feel that the service providers can share their data with the government at any time on receipt of a court warrant. Keeping customer privacy and security at the forefront, the Internet Archive has decided to implement the encrypted web protocol HTTPS to protect its users’ reading behavior. This security protocol is designed to protect against eavesdropping and man-in-the-middle attacks. The Internet Archive claims to have more than 3 million daily users.

Image from www.computerworld.com

In a blog post the organization said the reason behind this move is the recent revelations of government surveillance programs like PRISM. Pointing to the NSA’s XKeyscore too, the post said, “Based on the revelations of bulk interception of web traffic as it goes over the Internet, we are now protecting the reading behavior as it transits over the Internet by encrypting the reader’s choices of webpages all the way from their browser to our website”.

The NSA boasts in training materials that the program, called XKeyscore, is its “widest-reaching” system for developing intelligence from the Internet. XKeyscore allows analysts to search through vast databases containing the emails, chat messages and browsing history of millions of individuals without any prior authorization. Under U.S. law, the NSA is required to obtain a court warrant in order to carry out surveillance activities against US citizens. But XKeyscore provides the technical capability to target even US persons for extensive electronic surveillance without a warrant. With XKeyscore, analysts can search metadata along with the content of email and other Internet activity associated with the target. They can also search by name, telephone number, IP address, keywords, the language in which the Internet activity was conducted, or the type of browser used. Here is an example of one training slide that illustrates the digital activity constantly being collected by XKeyscore and the analyst’s ability to query the databases at any time.

Image from www.theguardian.com

Hopefully the Internet Archive’s encryption will make it difficult for surveillance programs to monitor users’ reading behavior on the site. The organization is also encrypting the Internet Protocol addresses stored on the servers for Archive.org and OpenLibrary.org. They have modified the servers so that they encrypt the IP addresses with a key that changes each day. As a result they can still count how many people used their service, but they will not be able to figure out who those people are or where they came from. The Wayback Machine, which allows users to see previous versions of sites across the Internet, will also use HTTPS by default.
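The daily-key scheme described above, as an added example for this page (not the Internet Archive’s own code; it assumes keyed hashing with HMAC-SHA256 and a fresh random key per day, since the post does not say which cipher or key handling the Archive uses). Same-day tokens stay comparable, so distinct visitors can still be counted, while a discarded key makes that day’s tokens impossible to reverse or link to other days.

```python
import hashlib
import hmac
import ipaddress
import secrets
from datetime import date


class DailyIpPseudonymizer:
    """Replace client IP addresses with per-day keyed tokens (HMAC-SHA256).

    A fresh random key is generated for each day. Tokens from the same day are
    equal for the same address (distinct visitors can be counted), but once the
    day's key is discarded nobody, the operator included, can recover the
    address or link that day's tokens to another day's.
    """

    def __init__(self):
        self._keys = {}  # date -> 32-byte key, held in memory only

    def key_for(self, day):
        if day not in self._keys:
            self._keys[day] = secrets.token_bytes(32)
        return self._keys[day]

    def has_key(self, day):
        return day in self._keys

    def pseudonymize(self, ip, day):
        # ip_address() rejects malformed input (ValueError) and yields a canonical
        # packed form, so "2001:db8::1" and its zero-padded spelling map to one token.
        addr = ipaddress.ip_address(ip)
        return hmac.new(self.key_for(day), addr.packed, hashlib.sha256).hexdigest()

    def discard_before(self, day):
        """Destroy keys for days earlier than `day`; their tokens become unlinkable."""
        for old in [d for d in self._keys if d < day]:
            del self._keys[old]


def count_distinct_visitors(entries, pseudonymizer):
    """entries: iterable of (date, ip_string) as they would come from an access log.
    Returns {date: number of distinct pseudonymous tokens seen that day}."""
    seen = {}
    for day, ip in entries:
        seen.setdefault(day, set()).add(pseudonymizer.pseudonymize(ip, day))
    return {day: len(tokens) for day, tokens in seen.items()}


# Constructed sample log (documentation addresses, not real Archive traffic).
DAY1 = date(2013, 11, 13)
DAY2 = date(2013, 11, 14)
SAMPLE_LOG = [
    (DAY1, "192.0.2.10"),
    (DAY1, "192.0.2.10"),
    (DAY1, "2001:db8::1"),
    (DAY1, "2001:0db8:0000:0000:0000:0000:0000:0001"),  # same host as above
    (DAY2, "192.0.2.10"),
]

if __name__ == "__main__":
    p = DailyIpPseudonymizer()
    print(count_distinct_visitors(SAMPLE_LOG, p))  # DAY1 -> 2 visitors, DAY2 -> 1
    p.discard_before(DAY2)  # end-of-day key rotation
    print("DAY1 key retained:", p.has_key(DAY1))
```

Note that deriving each day’s key from a long-lived master secret would keep the tokens reversible for whoever holds that secret; the unlinkability the post describes depends on the old key actually being destroyed.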

“The Internet Archive also announced several other initiatives, like fixing broken URL links it has archived, and a database of U.S. television news programs”.

Keeping PRISM Out of Your Cloud

Users sometimes find that selecting a truly protected third party cloud service can be a challenge as most “secure” services on the market have glaring security gaps that leave their sensitive data wide open to third party attacks, leaks, and hacking. One rapidly expanding cloud storage and sync service that sets itself apart from the rest of the market is SpiderOak. This service provides users with fully private cloud storage and syncing, featuring all of the benefits of the cloud along with 100% data privacy. SpiderOak is available with onsite deployment and private servers or outsourced deployment through a private and secured public cloud server, so that users and small businesses of all sorts and sizes can tailor the service to fit their needs.

SpiderOak protects sensitive user data with 256-bit AES encryption so that files and passwords stay private. Authorized accounts and network devices can store and sync sensitive data with complete privacy, because this cloud service has absolutely “zero-knowledge” of user passwords or data. And all plaintext encryption keys are exclusively stored on approved devices because SpiderOak never hosts any plaintext data. This way, even if programs like NSA’s PRISM continue to stand unchallenged, users can rest easy knowing that their data is truly protected. SpiderOak’s cross-platform private cloud services are available for users on Windows, Mac, and Linux platforms, along with Android and iOS mobile devices, allowing for full flexibility and syncing on the go.

Does Apple’s iCloud Keychain Really Improve Security?

Posted by on Nov 12, 2013

Image from http://www.tapscape.com

Apple has introduced the iCloud Keychain feature in iOS 7 and OS X Mavericks to help iPhone, iPad and Mac users manage their passwords with minimal inconvenience. Apple claims that iCloud Keychain can sync passwords across devices without storing them in the cloud. With features like a random password generator, autofill and iCloud sync, it helps you create strong passwords and manage them effectively. There is no doubt that iCloud Keychain does a good job of automatically entering your passwords in Apple’s Safari browser, but it does not work with any third party browser on OS X or iOS. The same goes for autofill. Once you enter your passwords in iCloud Keychain they are only usable in Safari. You cannot use them with Web.app (the framework that pins websites and web apps to your Home screen), or with embedded web views in other apps. Therefore, for iCloud Keychain to really help more people become more secure, it needs to be compatible with third party browsers and applications.

Let’s take a look at the password generator feature of iCloud Keychain. First of all, make sure you are using Safari, since the feature works only there. When you create a new web account or fill in passwords, iCloud Keychain will ask you to save the password or recommend a complex password if required. iCloud Keychain always generates passwords of 12 letters and numbers plus three dashes, whereas most password generators, like 1Password, let you change the default length and composition of the password. So if you wish to have a longer password, you have to come up with it yourself. Then what is the purpose of having an automatic password generator?

Image from arstechnica.com

As I mentioned earlier, your passwords in iCloud Keychain will be automatically filled in Safari on any Mac or iOS device you use, but the autofill feature is not going to work in any non-Safari browser or application. In order to enter a password into a non-Safari browser, you need to go to iCloud Keychain’s non-Safari functionality, which is found in the Mac’s Keychain Access tool. From there you can copy your password and then paste it into the non-Safari browser or desktop application. This whole process is complex and inconvenient. By contrast, other password managers available these days have extensions for every major browser, which makes generating passwords and filling them in easy no matter what you’re using.

According to an Apple support document, Apple claims that it can sync passwords across the company’s various devices without storing them in the cloud. Some security experts find this hard to believe, because password managers generally sync data across multiple devices by storing password data on cloud servers. Only methods like Wi-Fi sync allow users to sync data and passwords across multiple devices without storing them in the cloud. This requires a few extra steps, however, and reduces the simplicity and efficiency of good password manager applications.

Image from arstechnica.com

Three user options are available to secure iCloud Keychain:

  • The keychain, which contains user names and passwords for websites, merchant sites and credit cards, can be secured using a 4-digit passcode similar to an ATM PIN. This is the default option for all users.
  • The second option is to use a longer, more complicated password instead of the 4-digit passcode.
  • The third option is for the user to leave iCloud Keychain unsecured, without a PIN or passcode, which prevents the device from approving other devices.

Several security experts are conducting tests to explore the new functionality introduced by Apple and determine whether Apple has found a new method of password syncing without cloud services, or whether the company has simply made an error in documenting the new feature.

Secure your data with SpiderOak

For most users, finding a truly protected third party cloud service can be a challenge, as many “secure” services on the market have security gaps that leave data and private company info wide open to third party attacks, leaks, or hacking. One cloud storage and sync service that sets itself apart from the rest of the market is SpiderOak. This service provides businesses with fully private cloud storage and syncing, featuring all of the benefits of the cloud along with 100% data privacy. SpiderOak is available with onsite deployment and private servers or outsourced deployment through a private and secured public cloud server, so that users can tailor the service to fit their needs.

SpiderOak protects sensitive user data with 256-bit AES encryption so that data, files, and passwords stay private. Authorized accounts and network devices can store and sync sensitive data with complete privacy, because this cloud service has absolutely “zero-knowledge” of user passwords or data. And all plaintext encryption keys are exclusively stored on approved devices because SpiderOak never hosts any plaintext data. This way, even if programs like NSA’s PRISM continue to stand unchallenged, developers can rest easy knowing that their data is truly protected. SpiderOak’s cross-platform private cloud services are available for users on Windows, Mac, and Linux platforms, along with Android and iOS mobile devices, allowing for full flexibility and enabling a secure mobile workforce.