Author Archive

Protect Your Personal Information Cheat Sheet

Posted: January 2, 2015 by IntentionalPrivacy in Security or Privacy Initiatives, Tips
Tags: , , , , , ,

The amount of information collected on each of us is growing astronomically every day. What can you do to help protect your—as well as your family’s—information?

Note: This information is meant to be a starting place.Technology is constantly changing, so you must consider whether the information provided is timely and applicable to your situation. In order to adequately protect yourself and your family, you also might need to consult with your attorney or accountant or obtain other professional advice.

What information do you want to protect? Here are some categories you might want to consider:

Ad/cookie tracking Identity information Reputation
Digital identity Intellectual property Social media
Electronic devices Location Trash
E-mail Mailbox Travel
Family Medical information Voting
Financial information Personal safety Work information

Where are the threats to your information? Here are some common threats:

Data loss or theft

  • Backup media
  • Mail/trash
  • Organization w/ your info goes bankrupt
  • Paper
  • Website
 Types of Malware

  • DNS Changer
  • Drive-by downloads
  • Keyloggers
  • Phishing email
  • Rootkits
  • Search engine poisoning
  • Social media malware
  • Torrents
  • Spyware, Trojan horse, virus, worms
  • Zombies/botnets
  • Etc.
Device loss or theft

  • Computer
  • DVD/CD
  • Backup media
  • USB drives
  • Portable electronic devices
  • Laptop, iPad, smart phones, tablets
Natural or man-made disasters

  • Fires
  • Floods
  • Tornadoes
  • Earthquakes
 Personal safety

  • Craig’s List
  • Data leakage
  • Identity theft
  • Social media
ID theft Social engineering / Pretexting

Who do you trust with your information? Here are some organizations that you probably trust:

Accountant, lawyer, other professionals Religious & charity organizations
Employers Schools & Libraries
Financial institutions—banks, credit unions, loans & credit cards, brokerages Retailers & e-commerce sites
Government agencies Social sites
Health care—doctor, dentist, hospital, labs Websites
Insurance companies And …?

Why do you trust people or organizations?

  • Do they have a legitimate need for your information?
  • Do they have policies and procedures to tell you what they do with your confidential information?

When do you trust people or organizations?

  • Do you give confidential information on the phone, in email, texting, or in person?
  • Did you initiate the information exchange?
  • If you don’t feel comfortable, don’t do it.

How do you give people or organizations your confidential information? Think about advantages and disadvantages to giving out your information in person, over the phone, in email or in text messages, on a secure website. If you’re uncomfortable giving out information in a particular situation: don’t do it! Find another way to give the information.

General Tips

  • Don’t leave your electronic devices—cell phones, laptops, tablets, iPads, etc.—unattended in public, including hotel rooms.
  • Don’t ask strangers to watch your things while you go to the restroom or load up on more coffee.
  • Don’t leave your purse or briefcase unattended in public: including shopping carts, restaurants, and coffee shops.
  • Don’t use easy-to-guess passwords: http://www.dailymail.co.uk/sciencetech/article-2063203/This-years-easiest-guess-passwords–discovered-hackers-worked-out.html
  • Don’t post private information on social websites. Remember you have no expectation of privacy on social websites.
  • Data leakage:
    • Be careful about the information you throw in your trash.
    • Collect your mail as soon as possible.
    • Use vacation holds or have a friend collect your mail if you will be gone for more than a couple of days.
    • Do not announce on Facebook or other social media that you are going on vacation. Wait until you get back to share those fabulous pictures!
    • Keep your electronic devices and other valuables out of sight in your vehicle.
    • Read software and services licenses.
    • Use a password or a pin to protect your smart phone.

2014 – Once more into the breaches!

Posted: January 1, 2015 by IntentionalPrivacy in First Steps, Personal safety, Security Breach
Tags: , , , ,

Let’s look back at 2014 to review events that could impact our information privacy. Some substantial vulnerabilities occurred this year including the Heartbleed bug, Shellshock, and POODLE, along with the usual Microsoft, Java, browser, and Adobe Flash and Reader problems. There have been some notable payment system breeches: Sony, Kmart, Jimmy Johns, Home Depot, Apple, Dairy Queen, Community Health Systems to name a few … even some Goodwill payment systems got hacked.

What can you do to protect yourself? Here are a couple things to do:

  • Protect your information!

Don’t give it out unless it’s absolutely necessary. If your doctor—like mine did—asks you to sign a release so they can use your deidentified data in a study, ask them what information they are sending and who they are sending it to: Does it include your initials, your first name, your zip code, your street, your age and gender, your diagnosis, your treatment? If they frown at you and say it’s deidentified, ask them what that means to them.

According to HIPAA, there are 2 main methods to de-identify patient data, the “expert determination” method and the “safe harbor” method. The safe harbor method is usually safer because it removes 18 specific identifiers from the research data, such as name, age, dates must be year only, telephone numbers, address, full-face pictures, and account numbers. The expert method depends on an “expert” to determine what’s safe to disclose.

For instance, why do you care if someone shares your birth date? The birthday paradox is a probability theory that explains if you’re in a room with 23 other people, the chances that at least 2 people in the room will share a birthday is 50%, and in a group of 70 people, the probability that at least 2 of them will share a birthday reaches 99.9%. However, the probability that 2 people will share the same birth date is considerably smaller.

A recent article in American Medical News explained how Latanya Sweeney, PhD, a Harvard University researcher, was able to attach 241 identities to the deidentified medical information of a database of 1,130 research patients, using birth date, gender, and zip code combined with public records, such as US Census records or voter registration. That’s 22%! Yikes!

To see how identifiable you are by using those parameters, visit the Data Privacy Lab.

  • Make your important passwords unique for each account, change them often—every six months or sooner, especially if the web site is hacked—and implement two-factor authentication on sites that allow it, especially sites like email, banking, or e-commerce.

What is two-factor authentication? Two-factor authentication means that instead of using just a password to access your account, you add an additional method of verifying your identity.

Google Authenticator is a way to add a second factor; it’s easy to use and it sends a code via a text message to your device. You can set it up so that you only have to input a code if a new device tries to use the account or your password changes. In case you don’t have an Internet connection or cell phone service, you can download a set of 10 codes for backup authentication. Make sure you keep these codes safe! I store mine right in KeePass.

  • Back up your personal information on all your devices—documents, photos, music, videos.
  • Lock your devices: Use PINs, passwords, puzzles, or biometrics.
  • Install software like Find My Phone (Windows, Android, or iPhone) or Prey; if your device is lost or stolen, send it a lock and erase it. Be safe, call the police. Do not try to recover it yourself.
  • Don’t save password information in your browser! Here’s an article on how to disable saving passwords in IE, Safari, and Firefox browsers, and Chrome.

Can’t remember all those passwords? Neither can I! You can use a password-protected Excel 2007 or later spreadsheet (do not save in compatibility mode), download a password manager like KeePass, or use a cloud-based password manager like LastPass.

Do not lose the master password! If you might forget, put it someplace safe like your safe-deposit box.

I have used all three options, and I prefer KeePass, although Excel is in some ways more convenient because you can decide on the fields you use. The data is stored on your device (unless you load it in the cloud yourself). I use KeePass’s professional and portable versions, and KeePass2Android. Try to only update the KeePass database on one device and copy it to your other devices so you don’t get confused as to which device contains the most up-to-date copy of the database. I date the database when I add a new account or change a password (BlahXX-XX-XXXX), so I know to move it to my other devices.

It is very important to back up this database and store a copy that you update regularly —as well as a printed copy—in your safe-deposit box.

LastPass is convenient, but I don’t like the idea of not knowing where my data is stored. Also, if the service is down—as happened last August for over 12 hours—can you access your accounts? According to their documentation, you should be able to. However, it is always best to keep a non-cloud-based back up for cloud-based services.

  • Keep your operating system and applications up to date. When an operating system is no longer supported, it is time to either get the device off the Internet or—if the option is available—upgrade to a new operating system or download and install an open-source operating system. If none of those options work, wipe the device and recycle it here or at one of the Goodwill locations that partners with the Dell Reconnect program.

Spring clean your installed apps: if you don’t use it, uninstall it. Fewer apps will free up resources like memory and drive space, and your device might even run faster.

One application to consider installing on a Windows machine is Secunia’s Personal Software Inspector. It makes sure that all your updates and patches are current. I test a lot of software and some apps don’t always have automatic updates; this app is wonderful!

Everyone here at IntentionalPrivacy.com wishes you a prosperous, happy, healthy, and safe 2015! We’re happy you read us.

Christmas Present update: The Interview movie release

Posted: December 24, 2014 by IntentionalPrivacy in free speech
Tags: , , , ,

The number of independent theaters showing The Interview has been updated at Variety. Although not in the main list, Michael Moore’s theater, The Bijou, in Traverse City, Michigan, and George RR Martin’s theater, Jean Cocteau Cinema in Santa Fe, New Mexico, will also be showing the film.

You can also stream the video in HD on Google Play, YouTube Movies, Microsoft’s Xbox Video and  Sony’s own website, http://www.seetheinterview.com. A forty-eight hour rental is $5.99, while buying the movie costs $14.99.

David Drummond, SVP Corporate Development and Chief Legal Officer, posted today on the official Google blog, “Last Wednesday Sony began contacting a number of companies, including Google, to ask if we’d be able to make their movie, “The Interview,” available online. We’d had a similar thought and were eager to help—though given everything that’s happened, the security implications were very much at the front of our minds…. [W]e could not sit on the sidelines and allow a handful of people to determine the limits of free speech in another country (however silly the content might be).”

Christmas Present: The Interview

Posted: December 23, 2014 by IntentionalPrivacy in free speech, Security Breach
Tags: , , ,

The Art House Convergence  offered Sony a way to distribute The Interview, so there will be limited showings of the movie starting on Christmas Day. Here is a list of theaters currently showing the movie according to Variety, which they will continue to update.

In a statement released on Tuesday, 12/23/2014, President Obama praised Sony’s decision to release the movie.

In other news, North Korea experienced massive Internet outages for much of Monday, but Internet access was restored on Tuesday according to Reuters.

I still think this story would make a great plot.

Happy holidays!

 

Trading convenience for security

Posted: December 22, 2014 by IntentionalPrivacy in Tips
Tags: , , , ,

These are some great tips from Gary Miliefsky at SnoopWall. You can either watch his video or read the interview. I just installed his SnoopWall Privacy app on my Android phone. I’ll let you know how it goes!

A hero rides in!

Posted: December 20, 2014 by IntentionalPrivacy in free speech, Intellectual Property, Security Breach
Tags: , , , , , ,

On December 17, Matt Mason (@MattMason), chief content officer at BitTorrent, tweeted that “Sony should release The Interview as a BitTorrent Bundle. This is the very thing the platform is designed for.”

Okay! An unlikely hero rides to the forefront!

What is BitTorrent?

BitTorrent is file-sharing software that uses a peer-to-peer computer model. Peer-to-peer means that files transfer from device to device instead of getting them from a centralized server.

How it works: The hoster of a file breaks a large file into smaller, equal-sized pieces and stores the pieces on seed computers. Then the hoster creates a small torrent descriptor file that they advertise. The torrent software is installed on a client computer. When the client decides to download a file, the software locates the pieces on seed computers and starts transferring pieces. The pieces typically arrive out of order and are re-arranged into the proper order when the transfer of all the pieces completes. That means the download can be stopped at any time and re-started without having to start the download over. When the file has been completely downloaded, the client with the completed file becomes a seed computer for other clients to download the pieces.

According to Wikipedia, an estimate of monthly BitTorrent users was about 250 million in January 2012. That means that as the file pieces are distributed to seed computers and downloaded by client computers who then become seed computers, the speed of file distribution increases.

You may even have been using BitTorrent already and didn’t know it. It is a component in Amazon S3 Simple Storage Service, an online service providing cloud applications, backup, and content distribution. Open source and free software projects use it to distribute downloads. Blizzard Entertainment’s Blizzard Downloader client (Diablo III, Starcraft II, and World of Warcraft) uses it for games, content, and patches. Universities sponsoring BOINC distributed computing projects often offer BitTorrent to reduce bandwidth costs. It supports Facebook and Twitter.

Why could BitTorrent release The Interview when the major theater chains couldn’t?

The peer-to-peer model would make it difficult for the attackers to stop downloads of the file.

And, “BitTorrent Bundle is a safe and legal way for Sony to release this film, and they would join the nearly 20,000 creators and rights holders now using the Bundle publishing platform,” said BitTorrent according to VentureBeat.

Why does BitTorrent think it is better to release the movie through them instead of through Sony’s own online video channels?

According to BitTorrent, by “using the paygate option, Sony are able to set the price for the film and release it widely without implicating anyone or exposing any third party to a terrorist threat,” and “it would strike a strong note for free speech.”

Sony Entertainment CEO Michael Linton told CNN on December 19th that “no ‘major video on demand distributor’ has been ‘willing to distribute’ the film. ‘We don’t have that direct interface with the American public, so we need to go through an intermediary to do that.’”

Sony, meet BitTorrent.

Sony …. holding out for a hero!

Posted: December 19, 2014 by IntentionalPrivacy in Financial vulnerabilities, Identity theft, Intellectual Property, Security Breach, Uncategorized
Tags: , , , , , , , , , , ,

On 11/24/2014, the Guardians of Peace (#GOP) announced on Reddit that they had hacked Sony Pictures Entertainment’s network, alleging that #GOP had stolen 100 terabytes of data. The stolen data laid out for public consumption in various data dumps around the Internet included both employee information—social security numbers, dates of birth, medical records, salary information—and corporate information—spreadsheets containing Sony layoff information, business plans, their network architecture, movie scripts, and even actual movies—and other confidential information. Then the attackers destroyed data to emphasize that their demands were serious.

While Sony has not commented much publicly except to yank The Interview (formerly scheduled to be released on Christmas Day), there has been considerable speculation on the person or groups responsible. The story—as we know it at this moment—sounds like a movie plot. (Are you listening Sony? When ya gonna make this movie?) There are spies, hacking, extortion … all the elements of a great plot … except a hero/heroine.

Sony, you get to play the whimpering coward sniveling in the corner. Who is going to step up to be the hero or heroine? That is the real question. Bonnie Tyler says it best, I am holding out for a hero/heroine.

As I see it there are four possible hacker group combinations:

  • The North Koreans hacked Sony because of the movie Sony produced called The Interview. It’s a comedy, and probably not a very good one.
  • One or more disgruntled Sony employees took the data. To look for possible disgruntled employees, let’s count: How many people has Sony laid-off?
  • The North Koreans and the disgruntled employees (and possibly other groups) separately hacked Sony.
  • The North Koreans managed to get someone inside Sony.

In my opinion, stealing 100 terabytes of data took some time and someone inside Sony had to help. How did they get the data out? USB drives? According to Numion.com, to download 100 terabytes at 10 Gbps with 50% overhead would take over 33 hours! Also, the data sounds like it’s very organized. Whoever stole it knew where to look and what to take and what to post first to make it hurt. It has a personal feel to it. No, it’s more than the North Koreans.

For a more in-depth analysis of the hackers, read Why the Sony hack is unlikely to be the work of North Korea.

North Korea: if you’re reading this, it’s just a movie. Get a sense of humor! Americans have made several movies about US presidents getting assassinated; here’s a few examples:

And of course, Wag the Dog cannot be left out of any movie list that discusses the death of a president’s political life.

I agree with President Obama that pulling the movie was a mistake. This is not a movie that I would have wanted to see, much less paid for. If you’d let it run, it would have been a brief news article, a week or two in the theaters and then … consigned to the $5 bin in Walmart. Now I want to see it!

However, there are some lessons we can all learn here:

  • Email is not private. Before you send any email, decide how you would feel if it ended up on the front page of the New York Times.
  • This is not the first time Sony has been publicly hacked. Remember the PlayStation Network debacle in April 2011, which affected 77 million customer accounts? This was followed by an attack May 2, 2011, on 24.5 million accounts at Sony Online Entertainment. Did Sony learn anything from those two incidents? Apparently not.
  • Compliance is not security! Doing the minimum necessary to comply with a law or laws is not enough to keep your corporate or personal information safe.
  • Just because you have a security breach doesn’t mean you have to lose a 100 terabytes of data. What were Sony’s security people doing?
  • If the company you work for does not take information security and privacy seriously, find someplace else to work. According to Forbes.com, Sony has had 195 security breaches from September 1, 2013 through June 30, 2014, according to leaked emails. However, it’s hard to determine the seriousness of the incidents from the information presented in the article. Were any of these breaches about tons of data spewing from Sony?

How can you tell if your employer is taking information security and privacy seriously? Do they say “information security is important” but cut the budget? Do they train employees on information security and privacy? Do they patch their systems and keep their software updated? Have they had a breach? What did they do?

  • If the company that you buy goods or services from does not protect your information, take your business elsewhere.

Vote with your feet and your money! Protect your information; there’s no one that it matters more to than you.

My bottom line? I’m outraged—both at Sony’s sloppy information security practices and their cowardice.

Spam Nation!

Posted: December 1, 2014 by IntentionalPrivacy in Books
Tags: , , , , ,

Krebs.2jpgI recently had the pleasure of attending a presentation put on by Brian Krebs, where he also signed his new book, Spam Nation.

I have been reading his blog, KrebsOnSecurity.com, since I did a paper on the Russian Business Network in 2008 for a class I was taking.

His blog is fascinating, and the book is also! The book has everything you’d look for in a thriller—spies, counterspies, theft, drugs, murder, hackers—and it’s all true. Even if you’re not a techie, I highly recommend this book.

And, if you’re buying pharmaceuticals from an online pharmacy that doesn’t ask for a doctor’s prescription, I hope this book will convince you to stop. It’s a really dangerous practice because you don’t know what you’re ingesting.

Information Leakage …

Posted: September 29, 2014 by IntentionalPrivacy in Identity theft, Tips, Vulnerabilities
Tags: , ,

Information leakage: what is it? It’s the unauthorized flow of information from a source to a recipient. Although unauthorized, it is not necessarily malicious, but it can still be detrimental.

Let me give you a couple of examples.

Our credit union is, in most cases, very accommodating. However, when it comes to paying bills online either through Bill Pay or the creditor’s site, I argued with them about printing my social security number on my account statement when I paid my Sally Mae loan.When I paid my credit card online, they printed my entire credit card number on my account statement. I called and talked to a  credit union customer service rep and could not convince her how bad using these numbers was. I wrote a letter to the credit union, the credit card company, and Sallie Mae, and Sallie Mae changed my account number (which they should have done in the first place). However, I could not convince the credit union to only print the last four digits of the card number.

Think about how many people could possibly see those numbers: database analysts, print and fold operators, customer service reps, postal clerks if the envelope rips … and if the credit union gets hacked, well, who knows?

I finally wrote letters to each member of the credit union board of directors, and voilà! The number displayed on my account statement is now only the last four digits.

Be persistent when this type of thing happens! It’s your information, and nobody else will care as much as you when your identity gets stolen. And other people’s information will be safer also.

Next up: our insurance company, who thinks it’s safe to use my social security number as our account number, as long as they add a three-digit number to it. Now my number is available to doctors, nurses, receptionists, technicians, customer service reps … the list goes on and on. Nobody will guess. Yup. The thinly-disguised-number-is-secure trick.

Gnu Bash Shellshock … what is it … and does it affect me?

Posted: September 28, 2014 by IntentionalPrivacy in Browser Vulnerabilities, Vulnerabilities, Worms
Tags: , , , , , , , ,

Shellshock (CVE-2014-6271 and CVE-2014-7169) is the name of a bug affecting the Gnu Bash (Bourne-again shell) command-line shell, which can be used on many Linux and UNIX operating systems, as well as Mac OS X. It does not affect Windows computers unless you’ve installed Bash with something like Cygwin. While it’s unlikely that most consumer computers will be targeted, it’s a good idea to watch for updates for operating systems, firewalls, routers, switches, modems, printers, and household items that can be assessed over the Internet–TVs, thermostats, IP cameras, and other items.

It is already being exploited by worms and other malware.

Cisco, Red Hat, Debian, and Ubuntu have already issued updates. The first patch issued did not completely fix the problem, so make sure you update to the version that addresses CVE-2014-7169 as well as CVE-2014-6271. Apple has not issued any updates as of September 28, 2014.

This bug has been around for a very long time; the latest (safe) Bash version is 3.2.53.  Brian J. Fox wrote Bash in 1987 and supported it for five years, and then Chet Ramey took over support–his unpaid hobby. Mr. Ramey thinks Shellshock was accidentally added in 1992.

We have a Macbook that was running a vulnerable version of Bash. I manually updated Bash per this article.

According to Qualys, here’s how to test for the vulnerabilities; at the command line, paste the following line (make sure this line is exact):

env var='() { ignore this;}; echo vulnerable’ bash -c /bin/true

If you have a vulnerable version of bash, the screen will display “vulnerable.” Just to be safe after updating, check the bash version by typing:

bash –version

Vulnerable versions will be before 3.2.53.

If you applied a patch before Friday, you might have a less-serious version of the error, which you can check by typing the following:

env X='(){(a)=>\’ bash -c “echo date”; cat echo; rm -f echo

This line will display the date if bash has not been completely patched.  After patching, you will get an error when running this command.

Older Entries
Newer Entries