Uncategorized Archives - The Privacy Post


How Does The NSA Identify Tor Users?

Posted by on Oct 25, 2013

Image from http://topinfopost.com


Tor (The Onion Router) is an open source application that protects the privacy of Internet users from surveillance programs and other tracking software. Tor conceals users’ identities and their network activity by separating identification information from routing information. Data is transmitted through multiple computers via network relays run by volunteers around the globe. The routers apply encryption in multiple layers during transmission to maintain privacy between the relays, thereby giving users anonymity of network location. There are many benefits to using Tor: it protects your privacy from potential identity thieves and marketers, hides any sensitive topics you are researching, and conceals your location from anyone conducting surveillance.

Image from http://cdn3.tnwcdn.com


The Tor program came into prominence because of the recent revelations about the NSA’s PRISM program. Given that the NSA has been successful in cracking the majority of the encryption technologies on the Internet, the question now is how NSA surveillance impacts Tor. So far the NSA has been successful in invading the privacy of Tor users by exploiting vulnerabilities in the Tor Browser Bundle, a collection of programs designed to make it easy for people to install and use the software. It attacks Tor users by implanting malicious code on the computer of a Tor user who visits a particular website. The malicious code exploits vulnerabilities in the version of Firefox that’s in the Tor Browser Bundle.

Tor is a high-priority target for the NSA, which is working on ways to defeat the security of this tool. According to security researcher Bruce Schneier, these are the steps by which the NSA exploits vulnerabilities in a Tor user’s network or computer:

  • First, the NSA identifies Tor users by monitoring Internet traffic. It creates fingerprints that detect any HTTP request from the Tor network to any server.
  • These fingerprints are loaded into the NSA’s database systems, where powerful data analysis tools sift through the enormous amount of Internet traffic, looking for Tor connections.
  • After identifying a Tor user, the NSA redirects that user to a set of secret internal servers known as FoxAcid to infect the user’s computer. “FoxAcid is an NSA system designed to act as a matchmaker between potential targets and attacks developed by the NSA, giving the agency opportunity to launch prepared attacks against their systems”.
  • Once the user’s system is compromised, it secretly calls a FoxAcid server, which then carries out further attacks on the target and makes sure that the system remains compromised for a prolonged time, so that it keeps providing eavesdropping information back to the NSA.
  • The NSA places secret servers codenamed “Quantum” at key places on the Internet backbone. As a result, these servers intercept requests for legitimate sites and respond before the legitimate servers reply. The response from the Quantum servers redirects the user to an NSA-controlled web server that sends malware to the browser.

If there is one thing that can be concluded from all these efforts by the NSA, it’s that it is difficult to compromise the core security of Tor. In order to invade a Tor user’s privacy, the NSA has to look for loopholes in the browser. The technique the NSA used to target Tor users with vulnerable software on their computers was called EgotisticalGiraffe. Here the attack was conducted by exploiting vulnerabilities in the version of Firefox that’s in the Tor Browser Bundle. “According to the documents provided by Edward Snowden, the particular vulnerabilities used in this type of attack were inadvertently fixed by Mozilla Corporation in Firefox 17, released in November 2012 – a fix the NSA had not circumvented by January 2013 when the documents were written.” So, users who have not updated their software might become victims of such attacks.

Again, the NSA can target individuals with browser exploits, but if it attacks too many users it will become noticeable. So it has to be selective about which Tor users it wants to spy on, rather than tracking everyone. Tor hidden services are arbitrary communications endpoints that are resistant to both metadata analysis and surveillance. It is not possible to go to a single party and obtain the full metadata, communications frequency, or contents. One top-secret presentation, titled ‘Tor Stinks’, states: “We will never be able to de-anonymize all Tor users all the time.” It continues: “With manual analysis we can de-anonymize a very small fraction of Tor users,” and says the agency has had “no success de-anonymizing a user in response” to a specific request.

Tor conceals your identity from your recipient and conceals your recipient and your content from observers on your end. It does not protect your communication content once it leaves the Tor network. Therefore Tor recommends that its users combine Tor with other tools for better security. For example, you can use HTTPS Everywhere in Tor Browser to secure your online communications. You can also use a combination of tools like TorBirdy and Enigmail, OTR, and Diaspora along with Tor to protect your communications content in cases where the communications infrastructure (Google/Facebook) is compromised.

Secure cloud storage service that protects your data from surveillance

Similar to Tor, SpiderOak is a secure cloud storage service that protects its user data from government surveillance. This service provides users with fully private cloud storage and syncing, featuring all of the benefits of the cloud along with 100% data privacy. SpiderOak is available with onsite deployment and private servers or outsourced deployment through a private and secured public cloud server, so that users and small businesses of all sorts and sizes can tailor the service to fit their needs.

SpiderOak protects sensitive user data with 256-bit AES encryption so that files and passwords stay private. Authorized accounts and network devices can store and sync sensitive data with complete privacy, because this cloud service has absolutely “zero-knowledge” of user passwords or data. And all plaintext encryption keys are exclusively stored on approved devices because SpiderOak never hosts any plaintext data. This way, even if programs like NSA’s PRISM continue to stand unchallenged, people can rest easy knowing that their data is truly protected. SpiderOak’s cross-platform private cloud services are available for users on Windows, Mac, and Linux platforms, along with Android and iOS mobile devices, allowing for full flexibility and mobile access. SpiderOak offers amazing products like SpiderOak Hive and SpiderOak Blue to secure consumer and enterprise data. You can sign up for this product now.

 


How The Cloud Impacts Developing Economies

Posted by on Oct 11, 2013

Image from http://blog.cloudbees.com/


Cloud computing has become the new trend in the technology market over the last few years. With the advent of cloud computing, it has become possible for individuals and organizations to access data and computing resources from anywhere at any time. Many industries and businesses in developed countries are embracing this technology for its flexibility, effectiveness and speed.

While much has been said about the impact of cloud computing in developed economies, less attention has been given to the impact of cloud services in developing economies. There is huge potential for the growth of cloud computing in developing economies, for a number of reasons. It can be extremely beneficial to developing nations by reducing the cost of investment in information and communication infrastructure (ICT). Companies can boost their businesses by getting access to the best business applications and infrastructure at a negligible cost. As a result there will be more job creation and improvement in government services, and these countries can be better competitors in the global market.

In order to enjoy the benefits of cloud computing there should be an effective and efficient flow of information between the cloud service provider and the customer. This cannot be achieved without three key technical capabilities:

  • First and foremost, the availability of high-speed communication service (Broadband). Although some cloud-supported applications can be delivered in narrow band networks, the real benefits of cloud services can be earned by using high speed Internet.
  • Unrestricted flow of information between the cloud service provider and the customer.
  • Cloud data centers can operate effectively if they can be located and operated on the basis of efficiency considerations. This way they will be able to provide effective service to customers at any time and from anywhere.
Image from http://www.cheki.com.ng/


The market for cloud computing is gradually increasing in countries like India, China, Brazil, South Africa and Vietnam. An African used car classifieds service, Cheki, has built a huge market (covering Kenya, Nigeria, Malawi, Rwanda and Ethiopia) with most users accessing the site using $70 Android smartphones. Similarly, a recent study revealed that in Mexico there was a 3% reduction in the fixed costs of a 45-person firm when it switched to cloud services. As a result there was significant growth in job openings. Besides the above-mentioned examples, there are other areas where cloud computing has proved beneficial for developing nations. Universities and colleges are using cloud services to conduct innovative research, analyze data, and provide virtual computing lab facilities to their students. Another major application of the cloud is seen in healthcare services – “India’s ICICI Bank’s insurance arm has used Zoho’s Web-based applications to develop services such as personalized insurance for patients with diabetes. The company adjusts premiums based on how well policy-holders stick to a fitness plan.”

The table below shows cloud computing application areas in developing countries:

Image from http://libres.uncg.edu


There is no doubt that cloud services offer many benefits to developing nations, but on the other hand there are concerns about data privacy and security, associated with unauthorized access to information stored on cloud services for malicious purposes.

  • One of the biggest fears in using cloud computing is data loss or illegal access to data. Small businesses that trust cloud services to store their valuable data can suffer severe losses if any of the service provider’s datacenter servers is hacked or some sensitive information is exposed accidentally. These kinds of situations will badly harm the reputation of the companies.
  • Unlike in developing nations, there are standardized rules and regulations (e.g., ISO 27002, Safe Harbor, ITIL, and COBIT) for cloud service providers operating in countries like the US, Canada or the European Union. The service provider needs to comply with all the rules and regulations in order to provide service to its customers. Unfortunately, in developing countries these regulations are not yet widely adhered to by software companies.
  • There is always a risk of consumer data being accessed by the service providers, used for targeted ads, or shared with third parties. The provider needs to assure customers that their data will not be used for any unintended purposes.
  • Another security issue with the use of the cloud is identity theft. The consumer needs to verify the identity of the cloud service providers using reliable verification mechanisms before using their service.

SpiderOak Blue for Enterprises:

Finding a truly secure third party cloud service can be a challenge as many services on the market have security gaps that leave private data vulnerable to third party attacks. One cloud storage and sync service that sets itself apart is SpiderOak Blue. This service provides enterprises with a fully private cloud service featuring all of the benefits of cloud storage along with 100% data privacy. And for the average web user, SpiderOak offers the same protections with lower costs and smaller storage space. You can sign up for this product now.

SpiderOak Blue protects sensitive enterprise data through two-factor password authentication and 256-bit AES encryption so that files and passwords stay private as unreadable blocks of data. Two-factor authentication is just like the process used by some financial services that require a PIN as an extra precaution along with a password in order to log in. With SpiderOak, enterprises that choose to use two-factor authentication must submit a private code through text along with their unique encrypted password. Authorized accounts can store and sync sensitive data with complete privacy, because this cloud service has absolutely “zero-knowledge” of user passwords or data. And all plaintext encryption keys are exclusively stored on approved devices (SpiderOak never hosts any plaintext data). SpiderOak Blue’s cross-platform private cloud services are available for enterprises on Windows, Mac, and Linux platforms, along with Android and iOS mobile devices.


Adobe data breach affects 2.9 million customers

Posted by on Oct 8, 2013


Image from www.adobe.com

Adobe Systems has become the latest victim of a massive data breach. The breach exposed the personal information of millions of customers and the source code of famous Adobe products like Adobe Acrobat, ColdFusion and others. Last Thursday, Adobe confirmed that the attackers accessed the data of about 2.9 million users. The customer information that was accessed included names, encrypted credit card and debit card numbers, expiration dates, and other information related to customer orders. However, the decrypted debit card and credit card numbers were not removed from the system.

Adobe has been attracting the attention of a lot of cyber criminals lately because of the widespread use of many of its products. The firm confirmed that it has been the target of “sophisticated attacks” on its network, involving illegal access to customer data and the source code of numerous Adobe products. Journalist Brian Krebs and Alex Holden of Hold Security discovered the data leak about a week ago. As per Krebs, “they became aware of the data leak when they discovered a 40 GB source code trove stashed on a server used by the same cyber criminals believed to have hacked into major data aggregators earlier this year, including LexisNexis, Dun & Bradstreet and Kroll.” The server of the hacking team contained huge repositories of compiled and uncompiled source code of ColdFusion and Adobe Acrobat.

A screen shot of purloined source code stolen from Adobe, shared with the company by KrebsOnSec


After that discovery, KrebsOnSecurity informed Adobe about the attack with several screenshots showing Adobe source code on the hackers’ server. Adobe confirmed that it is aware of the attack and has been investigating a broad-ranging breach on its network since Sept 17th, 2013. Adobe’s Chief Security Officer, Brad Arkin, said that the information shared by KrebsOnSecurity “helped steer their investigation in a new direction.”

ColdFusion source code repository found on hacker’s server.

 

In this case, the risk of identity theft or fraud seems to be low because the compromised personal data was encrypted. However, it is still not clear what kind of encryption or security Adobe used on the stolen data. The biggest threat in this breach is the leak of the source code of Adobe products. This information could lead to spear phishing attacks. An attacker can use this information to fool users by emailing them a recommendation to download a software update, which may look real because of the accurate information contained in it.

In response to the breach, Adobe has taken certain steps to maintain the security of customer data:

  • Adobe is resetting customer passwords to prevent unauthorized access to Adobe IDs. It is sending email notifications to the affected users (who include many Revel and Creative Cloud account holders) asking them to change their passwords. Users are also advised to change their passwords on any other websites where they have used the same user name and password.
  • Customers whose credit and debit card information was accessed will receive an email notification on how to protect themselves against potential misuse of their personal information. “Adobe is also offering customers, whose credit or debit card information was involved, the option of enrolling in a one-year complimentary credit monitoring membership where available”.
  • Adobe has also notified the banks that process customer payments for it, so that they can work with payment card companies and card-issuing banks to help protect user data.
  • They have also contacted federal law enforcement and are assisting in their investigation.

So, as an Adobe customer, if you think your data is compromised or if you have received a notification from Adobe about it, make sure you follow the instructions given by Adobe in the notification email. Also be very careful when downloading any software updates from Adobe, as there might be a risk of phishing attacks due to the compromised source code. Ensure that the update is from a legitimate site by checking that it is served over the SSL protocol, shows a security symbol, or uses the HTTPS:// protocol.

Protect your personal data with SpiderOak

Users sometimes find that selecting a truly protected third party cloud service can be a challenge as most “secure” services on the market have glaring security gaps that leave their sensitive data wide open to third party attacks, leaks, and hacking. One rapidly expanding cloud storage and sync service that sets itself apart from the rest of the market is SpiderOak. This service provides users with fully private cloud storage and syncing, featuring all of the benefits of the cloud along with 100% data privacy. SpiderOak is available with onsite deployment and private servers or outsourced deployment through a private and secured public cloud server, so that users and small businesses of all sorts and sizes can tailor the service to fit their needs.

SpiderOak protects sensitive user data with 256-bit AES encryption so that files and passwords stay private. Authorized accounts and network devices can store and sync sensitive data with complete privacy, because this cloud service has absolutely “zero-knowledge” of user passwords or data. And all plaintext encryption keys are exclusively stored on approved devices because SpiderOak never hosts any plaintext data. This way, even if programs like NSA’s PRISM continue to stand unchallenged, people can rest easy knowing that their data is truly protected. SpiderOak’s cross-platform private cloud services are available for users on Windows, Mac, and Linux platforms, along with Android and iOS mobile devices, allowing for full flexibility and mobile access.

Interested in SpiderOak Products?

SpiderOak carved its niche as the top choice for those most concerned with privacy.

The engineering goal was simple – devise a plan where users’ files, filenames, file types, folders, and/or any other personal information are never exposed to anyone for any reason (even under government subpoena). This describes SpiderOak’s ‘zero-knowledge’ privacy environment. 
SpiderOak offers amazing products like SpiderOak Hive and SpiderOak Blue to secure consumer and enterprise data. SpiderOak Hive keeps all your files in sync across your computer and mobile devices. Here the end-user has the ownership of data and is the only one with the keys to unlock and look at plaintext data. You can sign-up for this product at SpiderOak Blue and see it work seamlessly in your enterprise environment. To resolve authentication it deploys a virtual appliance that resides behind your firewall and integrates with Active Directory / LDAP for single sign-on. SpiderOak Blue is compatible in Mac, Windows, Linux, iOS and Android platforms. SpiderOak Blue is now available through a limited release. We have been working with several large enterprises through the beta period and will continue towards general release. If you’re curious about the product, please send an email to blueinfo@spideroak.com and we will get back to you soon.