Data-Privacy-Day-2015roundInternational Data Privacy Day—called Data Protection Day in Europe—is celebrated in the US, Canada, and 27 European countries every year on January 28. It started on January 28, 1981, when the members of the Council of Europe signed the Convention for Protection of Individuals with regard to Automatic Processing of Personal Data. In the US, Data Privacy Day is sponsored by StaySafeOnline.

Ever thought, why should I protect my information? Listen to Glenn Greenwald’s Ted Talk on Why Privacy Matters. Not only will it help you understand, but it might galvanize you to action!

Some tips on how to better protect your data include:

  • Use “Do Not Track” on your browser. The Electronic Frontier Foundation (EFF) explains how to turn on “Do Not Track” in some common browsers here. The EFF is a great resource about how to better protect your personal information.
  • Think before you share personal information, whether through email, on social media sites, or over the phone. Once you share information, you have no control over what happens to it. Help your children learn what is okay for them to share.
  • Check the privacy settings on social media sites you use on a regular basis. Twitter, LinkedIn, Instagram, Pinterest, … privacy policies change, which may impact your privacy settings.
  • Protect your computer by keeping your operating system and applications updated. On Windows, Secunia’s Personal Software Inspector helps me keep my applications current.
  • Create strong, unique passwords for every important site. Have a problem remembering all those passwords? Me too! Use a password manager like KeePass or LastPass. If you want to protect your information more, use two-factor authentication for email and social media site log-ins.
    • Help setting up Google’s Two-Factor Authentication
    • Help setting up Microsoft’s Two-Factor Authentication
  • Back up your important data regularly—pictures, documents, music, videos, or whatever is important to you—at least once a week. If you use a physical device, disconnect it between backups. To ensure that your information is safe, use two physical backup devices, alternate them, and keep one someplace safe like a safe deposit box. If you use a cloud backup, use a physical back up as well. Online services can go offline temporarily or even go out of business, while devices break, become corrupted, lost, stolen, or infected by malware. Periodically try to recover documents to ensure that your backups are functional.

Other tips

  • Mozilla’s Get Smart on Privacy
  • FTC’s Consumer Information
  • Check out DuckDuckGo, a search engine that doesn’t track you. Want to see how much tracking happens in your browser? Check out the Firefox Lightbeam addin.
  • Try WhiteHat Security Lab’s Aviator browser. Note: if you use two-factor authentication, you will need to enter a code every time you open up a site that uses it.

Your cell phone can be taken over by hackers who will view through your camera and watch you enter your passwords and other information.  Here in Austin at the IEEE “Globecom” conference on global communication last December, I attended a presentation from Temple University researchers who compromised an Android cell phone. 

Doctoral candidate Longfei Wu and five colleagues from Temple University, the University of Massachusetts, and Beijing University exploited vulnerabilities in the Android cell phone to seize control of the camera.

Having done that – and having reduced their footprint to one pixel – they then watched finger touches to the keyboard in order to guess passwords.  Some sequences were more secure than others.  1459 and 1479 were easy to identify.  1359 and 1471 were harder to guess.  The fundamental fact remains: They took control of the camera without the cell phone owner being aware of it.

Moreover, the Android operating system does not provide you with a log file of usage.  There is no way for you to review what your phone has been doing. However, the researchers fixed that. 

“We make changes to the CheckPermission() function ofActicityManagerService, and write a lightweight defense app such that whenever the camera is being called by apps with CAMERA permission, the defense app will be informed along with the caller’s Application Package Name.

[…]

There are three parts of warnings in our defense scheme. First, an alert dialog including the name of the suspicious app is displayed. In case the warning message cannot be seen immediately by the user (e.g., the user is not using the phone), the defense app will also make sound and vibration to warn the user of spy camera attacks. Besides, the detailed activity pattern of suspected apps are logged so that the user can check back.” — from “Security Threats to Mobile Multimedia Applications: Camera-based Attacks on Mobile Phones”,IEEE Communications Magazine, March 2014.”

If you want to protect your phone, you have to figure out how for yourself.  Very few ready-made defense apps exist for Android, or iPhone.  You could join a local hacker club such as DefCon.  (For Ann Arbor, it is DefCon 734; for Minneapolis it is DC612.)  That brings up the problem of trust.  When I go to computer security conferences, I never take a computer; and I do not answer my phone.  I do trust the organizers of our local groups, LASCON, ISSA, OWASP,  and B-Sides; but I do not trust everyone who comes to every meeting.  If you want someone to “jailbreak” your phone, and program something on it for you, then you really need strong trust.  It is best to do it for yourself.

“Unfortunately, it’s not uploaded online. To support the defense scheme, I modified the Android system and generate new image files. This means if someone want to use the defense function, he/she must flash the phone. As a result, all the installed stuff may get lost. I think people wouldn’t like that to happen. Besides, the Android version I used for testing is 4.1-4.3, while the most recent release is 5.0.” – Longfei Wu, reply to email.

As “the Internet of Things” connects your washing machine and your car to your home thermostat and puts them all online along with your coffee-maker and alarm clock, all of them connected to the television box that never shuts off and always listens, you will be increasingly exposed to harm.

A friend of mine called me for help after she started getting pop-ups every time she opened her web browser. She asked me how her computer got into this mess. While I could not pinpoint an exact cause (no log files), I suspect she downloaded crapware with a software installation she trusted.

She also wanted to know why anyone would want to inflict this malware on her computer. The answer is simple: Money.

So what can you do to avoid this problem? The consensus advice is to only download programs from a trusted source. Ok! That’s great advice! But what is a “trusted source”?

HowToGeek.com explains in “Yes, Every Freeware Download Site Is Serving Crapware” that all the major free download sites–Tucows, CNET Downloads / Download.com, FileHippo, SnapFiles, MajorGeeks, and yes, even SourceForge–include adware and even malware with their installers. While some sites are better than others about telling you what they’re including and about allowing you to uncheck those additions, they all do it.

What to do instead? Go to the developer’s website and download from there. And support those software authors that do not include crapware by donating to support their development work.

Other steps to take:

  • Back up regularly (at least once a week or oftener), then disconnect the media. Test your backups by periodically restoring a file. I also recommend alternating backup media to offsite storage, such as a safe-deposit box. Backup media–just like any other technology–can break, become corrupted, get lost or stolen.
  • If you back up to a  cloud provider, your back ups can become unavailable if their storage media becomes unavailable for any reason, so use physical backup media as well.
  • On Windows systems, set System Restore Points.
  • Change your IMPORTANT passwords as soon as you can from a computer that is not infected. Use a unique, strong password for each site.
  • Can’t remember all those passwords? Use a password manager. Note: Do NOT lose this password! I use the Professional versions of KeePass and Portable KeePass, and KeePass2Android (available from Google Play), but cloud-based LastPass is also very popular. (LastPass is more convenient, but I am leery of cloud-based services for availability reasons.)

If you have recent back-ups and your files get locked by a version of CryptoLocker / CryptoWall, you may not have to pay to get your files back (depending on how recent your backups are).

For an interesting read, check out Kaspersky’s 2014 Trends in the Internet Security Industry.

Crime in the Workplace

Posted: January 20, 2015 by uszik11 in Security Breach, Vulnerabilities
Tags:

Your need to protect yourself from your co-workers is an unspoken truth. In criminology, we say “crime knows no neighborhood.”  In other words, crime is everywhere, not just in one bad place. People are people everywhere.   At work, we steal inventory and information from our employers.  We steal money and other tangibles from our colleagues.  Of course, I do not do those. Of course, you do not, either.  But other people do.  Here in America, about 20% of us are habitual perpetrators.

If you work in a small shop, you probably are among people you know well enough.  Nonetheless, your company is still in a shared space of some kind, a building, a strip mall, a street. Everyone there is in your world. You cannot know them all.

If you are in a large enterprise, the statistical facts are warnings.  If you have 1000 people in your building, then you meet 200 perpetrators every day.  Background checks only reveal the habitual, compulsive, or genetic predators who have been caught.  But many aggressors are opportunistic and competent. Routine offenders get away with harming others because no one speaks up.  And it is not easy to confront a bully or report a thief.  So, the harms and crimes continue.

Generally, security falls under the control of the facilities manager.  Rarely does an organization have a chief security officer at the same level as the chief financial officer or chief information officer. Facilities managers are concerned only with keeping costs down. Facilities managers seldom have professional training in security. As a result, most buildings have too few guards, posted in the wrong places, at the wrong times, assigned to futile activities.  Security is reactive, not proactive.

Badging and other controls for identity and access tend to be minimal and ineffective. You have no idea who is in your building with you.  Vagrants know all the ways to get in.  Professional thieves have no problem getting through the front door.

Professional thieves work large office buildings with public traffic. They look just like everyone else in our casual dress society.  They walk the halls peeking into offices, and trying doors.  Laptops are an easy grab.

Engineers and programmers are a special problem.  They enjoy getting around locks; and they are good at it.  The statistics apply to them as well. People who make a lot of money steal and bully just like poor people. Crime knows no neighborhood.  Even the 80% of them who are nice, still leave us vulnerable when they gimmick, jimmy, or shim a lock.  They have no control over who the next person will be to come through that door.

Protecting yourself at work begins with a few simple rules.  Lock your desk and your computer when you leave the area.  Always take your purse or wallet with you.  Never leave your laptop, phone, or pad unattended in the cafeteria or restroom.

Generally, if you have a problem with someone, you have six choices.

  1. You can confront them.
  2. You can go to your manager.
  3. You can take it to human resources.
  4. You can report it to security.
  5. You can call the police.
  6. You can ignore them.

The bottom line is that it is better to prevent a problem than to fix one.

 

Blackhats

Posted: January 19, 2015 by IntentionalPrivacy in Hacker gangs
Tags: , , , , ,

I saw the Blackhat movie yesterday, and in my opinion, it was not that great. Realistic? Yes, but formulaic and even predictable, with a little hacking thrown in to make it seem original. The script—while well-researched—felt as if it had been churned out of a script-writing program like Final Draft. I was hoping for a movie like Sneakers, which is realistic, but not at all formulaic and it’s very funny besides.

And speaking of blackhats, some purported members of Lizard Squad have recently been arrested for the Christmas attacks on Microsoft Xbox and Sony PlayStation networks during a joint investigation by the FBI and the British police. The Daily Mail reported that Jordan Lee-Bevan was arrested in Southport, Merseyside on January 16, 2015. In Finland, seventeen-year-old Julius “Ryan/Zeekill” Kivimäki was questioned last month, while Vincent Omari, Twickenham, south-west London, was arrested and released on bail shortly after they gave interviews to Sky News on December 27, 2014, about the alleged role of Lizard Squad in the Christmas gaming attacks.

Ironically, according to KrebsOnSecurity, Lizard Squad’s website, LizardStresser[dot]su, which they used to “coordinate attacks and sell subscriptions to its attacks-for-hire service” was hacked by another hacker group, Finest Squad. Brian Krebs acquired a copy of their user account information database—unfortunately stored unencrypted! Apparently the same information was also sent to the FBI. You can read more about the battles between Lizard Squad and Finest Squad on Business Insider’s article.

For whom the bell tolls

Posted: January 7, 2015 by IntentionalPrivacy in free speech

“Any mans death diminishes me, because I am involved in Mankinde” … and so, #Je Suis Charlie.

Reason says it better than I can, “Today is an awful day for the basic project of free inquiry. Do you really wanna be Charlie Hebdo? Then get on out there, live and speak bravely. And God help you.”

Je-Suis-Charlie

Want a good reason to back up your devices?

Posted: January 5, 2015 by IntentionalPrivacy in Uncategorized

Read Alina Simone’s story in the New York Times How My Mom Got Hacked.” Lessons learned, she says, are:

1. Back up your stuff!

2. Keep your operating system and applications patched!

3. Do not open email attachments!

The amount of information collected on each of us is growing astronomically every day. What can you do to help protect your—as well as your family’s—information?

Note: This information is meant to be a starting place.Technology is constantly changing, so you must consider whether the information provided is timely and applicable to your situation. In order to adequately protect yourself and your family, you also might need to consult with your attorney or accountant or obtain other professional advice.

What information do you want to protect? Here are some categories you might want to consider:

Ad/cookie tracking Identity information Reputation
Digital identity Intellectual property Social media
Electronic devices Location Trash
E-mail Mailbox Travel
Family Medical information Voting
Financial information Personal safety Work information

Where are the threats to your information? Here are some common threats:

Data loss or theft

  • Backup media
  • Mail/trash
  • Organization w/ your info goes bankrupt
  • Paper
  • Website
Types of Malware

  • DNS Changer
  • Drive-by downloads
  • Keyloggers
  • Phishing email
  • Rootkits
  • Search engine poisoning
  • Social media malware
  • Torrents
  • Spyware, Trojan horse, virus, worms
  • Zombies/botnets
  • Etc.
Device loss or theft

  • Computer
  • DVD/CD
  • Backup media
  • USB drives
  • Portable electronic devices
  • Laptop, iPad, smart phones, tablets
Natural or man-made disasters

  • Fires
  • Floods
  • Tornadoes
  • Earthquakes
Personal safety

  • Craig’s List
  • Data leakage
  • Identity theft
  • Social media
ID theft Social engineering / Pretexting

Who do you trust with your information? Here are some organizations that you probably trust:

Accountant, lawyer, other professionals Religious & charity organizations
Employers Schools & Libraries
Financial institutions—banks, credit unions, loans & credit cards, brokerages Retailers & e-commerce sites
Government agencies Social sites
Health care—doctor, dentist, hospital, labs Websites
Insurance companies And …?

Why do you trust people or organizations?

  • Do they have a legitimate need for your information?
  • Do they have policies and procedures to tell you what they do with your confidential information?

When do you trust people or organizations?

  • Do you give confidential information on the phone, in email, texting, or in person?
  • Did you initiate the information exchange?
  • If you don’t feel comfortable, don’t do it.

How do you give people or organizations your confidential information? Think about advantages and disadvantages to giving out your information in person, over the phone, in email or in text messages, on a secure website. If you’re uncomfortable giving out information in a particular situation: don’t do it! Find another way to give the information.

General Tips

  • Don’t leave your electronic devices—cell phones, laptops, tablets, iPads, etc.—unattended in public, including hotel rooms.
  • Don’t ask strangers to watch your things while you go to the restroom or load up on more coffee.
  • Don’t leave your purse or briefcase unattended in public: including shopping carts, restaurants, and coffee shops.
  • Don’t use easy-to-guess passwords: http://www.dailymail.co.uk/sciencetech/article-2063203/This-years-easiest-guess-passwords–discovered-hackers-worked-out.html
  • Don’t post private information on social websites. Remember you have no expectation of privacy on social websites.
  • Data leakage:
    • Be careful about the information you throw in your trash.
    • Collect your mail as soon as possible.
    • Use vacation holds or have a friend collect your mail if you will be gone for more than a couple of days.
    • Do not announce on Facebook or other social media that you are going on vacation. Wait until you get back to share those fabulous pictures!
    • Keep your electronic devices and other valuables out of sight in your vehicle.
    • Read software and services licenses.
    • Use a password or a pin to protect your smart phone.

Let’s look back at 2014 to review events that could impact our information privacy. Some substantial vulnerabilities occurred this year including the Heartbleed bug, Shellshock, and POODLE, along with the usual Microsoft, Java, browser, and Adobe Flash and Reader problems. There have been some notable payment system breeches: Sony, Kmart, Jimmy Johns, Home Depot, Apple, Dairy Queen, Community Health Systems to name a few … even some Goodwill payment systems got hacked.

What can you do to protect yourself? Here are a couple things to do:

  • Protect your information!

Don’t give it out unless it’s absolutely necessary. If your doctor—like mine did—asks you to sign a release so they can use your deidentified data in a study, ask them what information they are sending and who they are sending it to: Does it include your initials, your first name, your zip code, your street, your age and gender, your diagnosis, your treatment? If they frown at you and say it’s deidentified, ask them what that means to them.

According to HIPAA, there are 2 main methods to de-identify patient data, the “expert determination” method and the “safe harbor” method. The safe harbor method is usually safer because it removes 18 specific identifiers from the research data, such as name, age, dates must be year only, telephone numbers, address, full-face pictures, and account numbers. The expert method depends on an “expert” to determine what’s safe to disclose.

For instance, why do you care if someone shares your birth date? The birthday paradox is a probability theory that explains if you’re in a room with 23 other people, the chances that at least 2 people in the room will share a birthday is 50%, and in a group of 70 people, the probability that at least 2 of them will share a birthday reaches 99.9%. However, the probability that 2 people will share the same birth date is considerably smaller.

A recent article in American Medical News explained how Latanya Sweeney, PhD, a Harvard University researcher, was able to attach 241 identities to the deidentified medical information of a database of 1,130 research patients, using birth date, gender, and zip code combined with public records, such as US Census records or voter registration. That’s 22%! Yikes!

To see how identifiable you are by using those parameters, visit the Data Privacy Lab.

  • Make your important passwords unique for each account, change them often—every six months or sooner, especially if the web site is hacked—and implement two-factor authentication on sites that allow it, especially sites like email, banking, or e-commerce.

What is two-factor authentication? Two-factor authentication means that instead of using just a password to access your account, you add an additional method of verifying your identity.

Google Authenticator is a way to add a second factor; it’s easy to use and it sends a code via a text message to your device. You can set it up so that you only have to input a code if a new device tries to use the account or your password changes. In case you don’t have an Internet connection or cell phone service, you can download a set of 10 codes for backup authentication. Make sure you keep these codes safe! I store mine right in KeePass.

  • Back up your personal information on all your devices—documents, photos, music, videos.
  • Lock your devices: Use PINs, passwords, puzzles, or biometrics.
  • Install software like Find My Phone (Windows, Android, or iPhone) or Prey; if your device is lost or stolen, send it a lock and erase it. Be safe, call the police. Do not try to recover it yourself.
  • Don’t save password information in your browser! Here’s an article on how to disable saving passwords in IE, Safari, and Firefox browsers, and Chrome.

Can’t remember all those passwords? Neither can I! You can use a password-protected Excel 2007 or later spreadsheet (do not save in compatibility mode), download a password manager like KeePass, or use a cloud-based password manager like LastPass.

Do not lose the master password! If you might forget, put it someplace safe like your safe-deposit box.

I have used all three options, and I prefer KeePass, although Excel is in some ways more convenient because you can decide on the fields you use. The data is stored on your device (unless you load it in the cloud yourself). I use KeePass’s professional and portable versions, and KeePass2Android. Try to only update the KeePass database on one device and copy it to your other devices so you don’t get confused as to which device contains the most up-to-date copy of the database. I date the database when I add a new account or change a password (BlahXX-XX-XXXX), so I know to move it to my other devices.

It is very important to back up this database and store a copy that you update regularly —as well as a printed copy—in your safe-deposit box.

LastPass is convenient, but I don’t like the idea of not knowing where my data is stored. Also, if the service is down—as happened last August for over 12 hours—can you access your accounts? According to their documentation, you should be able to. However, it is always best to keep a non-cloud-based back up for cloud-based services.

  • Keep your operating system and applications up to date. When an operating system is no longer supported, it is time to either get the device off the Internet or—if the option is available—upgrade to a new operating system or download and install an open-source operating system. If none of those options work, wipe the device and recycle it here or at one of the Goodwill locations that partners with the Dell Reconnect program.

Spring clean your installed apps: if you don’t use it, uninstall it. Fewer apps will free up resources like memory and drive space, and your device might even run faster.

One application to consider installing on a Windows machine is Secunia’s Personal Software Inspector. It makes sure that all your updates and patches are current. I test a lot of software and some apps don’t always have automatic updates; this app is wonderful!

Everyone here at IntentionalPrivacy.com wishes you a prosperous, happy, healthy, and safe 2015! We’re happy you read us.

The new movie, The Imitation Game, about Alan Turing and his romance with Joan Clarke, already has won rave reviews across Rotten Tomatoes, IMDB, Rolling Stone, and Roger Ebert.

The effort by Alan Turing and about 10,000 other people at Bletchley Park was cryptanalysis. A cryptanalyst breaks codes or ciphers.

The Enigma machine was a cryptographic device. Cryptography is the making and using of codes or ciphers. A cryptographer creates codes or ciphers.

The general study of making and breaking codes and ciphers is cryptology.

NSA Museum Front 1

The Museum of the National Security Agency is open to the public and sells memorabilia.

Encryption is putting a message into a code or cipher.

Decryption is the extraction of a message from its code or cipher. Decryption must be carried out by the intended receiver; but it might be done by anyone else who intercepts the message.

crypto-bion-front-19

Above: Alberti cipher disk made by Louis Brion for Louis XV (Gessler collection Duke University Information Science and Information Studies)

A cipher (sometimes still spelled cypher) is an orderly substitution or rearrangement of characters. A=Z, B=Y, C=X, … is a substitution. Writing a long message out horizontally, then re-writing it vertically is a rearrangement. A cipher is an algorithm. It is easy to write a computer program that will take a message, encipher it, and print out the encrypted message.

A code is a pre-arranged system of signals that have no direct relationship to the symbols they map. In baseball, the catcher’s signs and the constant fidgeting of the third base coach are coded signals. A computer program to encode a message requires a look-up table.  A code cannot be reduced to a mathematical formula.  The “Little Orphan Annie Decoder Ring” of the classic Christmas Story was actually a cipher disk.

Leon Battista Alberti (1404-1472) was perhaps second only to Leonardo da Vinci in his range of achievements. For 500 years, the Alberti Cipher Disk was the essential cryptographic tool, capable of creating the Vigenere Cipher, a 26×26 polyalphabetic system.  If you put “cipher disk” into a browser for images, you can find antiques and moderns.  The NSA Museum store has sold replicas of the disks used by the Confederate States secret service.  Geocaching is a treasure hunt or scavenger hunt game that includes GPS tracking and figuring out clues at each location.  Geocachers often use cipher disks (even though there’s an app for that) just because the mechanisms are cool.

 

Image  —  Posted: December 31, 2014 by uszik11 in Historical and future use of technology
Tags: , , , , , ,