Archive for the ‘Issues’ Category

Christmas Present: The Interview

Posted: December 23, 2014 by IntentionalPrivacy in free speech, Security Breach
Tags: , , ,

The Art House Convergence  offered Sony a way to distribute The Interview, so there will be limited showings of the movie starting on Christmas Day. Here is a list of theaters currently showing the movie according to Variety, which they will continue to update.

In a statement released on Tuesday, 12/23/2014, President Obama praised Sony’s decision to release the movie.

In other news, North Korea experienced massive Internet outages for much of Monday, but Internet access was restored on Tuesday according to Reuters.

I still think this story would make a great plot.

Happy holidays!

 

A hero rides in!

Posted: December 20, 2014 by IntentionalPrivacy in free speech, Intellectual Property, Security Breach
Tags: , , , , , ,

On December 17, Matt Mason (@MattMason), chief content officer at BitTorrent, tweeted that “Sony should release The Interview as a BitTorrent Bundle. This is the very thing the platform is designed for.”

Okay! An unlikely hero rides to the forefront!

What is BitTorrent?

BitTorrent is file-sharing software that uses a peer-to-peer computer model. Peer-to-peer means that files transfer from device to device instead of getting them from a centralized server.

How it works: The hoster of a file breaks a large file into smaller, equal-sized pieces and stores the pieces on seed computers. Then the hoster creates a small torrent descriptor file that they advertise. The torrent software is installed on a client computer. When the client decides to download a file, the software locates the pieces on seed computers and starts transferring pieces. The pieces typically arrive out of order and are re-arranged into the proper order when the transfer of all the pieces completes. That means the download can be stopped at any time and re-started without having to start the download over. When the file has been completely downloaded, the client with the completed file becomes a seed computer for other clients to download the pieces.

According to Wikipedia, an estimate of monthly BitTorrent users was about 250 million in January 2012. That means that as the file pieces are distributed to seed computers and downloaded by client computers who then become seed computers, the speed of file distribution increases.

You may even have been using BitTorrent already and didn’t know it. It is a component in Amazon S3 Simple Storage Service, an online service providing cloud applications, backup, and content distribution. Open source and free software projects use it to distribute downloads. Blizzard Entertainment’s Blizzard Downloader client (Diablo III, Starcraft II, and World of Warcraft) uses it for games, content, and patches. Universities sponsoring BOINC distributed computing projects often offer BitTorrent to reduce bandwidth costs. It supports Facebook and Twitter.

Why could BitTorrent release The Interview when the major theater chains couldn’t?

The peer-to-peer model would make it difficult for the attackers to stop downloads of the file.

And, “BitTorrent Bundle is a safe and legal way for Sony to release this film, and they would join the nearly 20,000 creators and rights holders now using the Bundle publishing platform,” said BitTorrent according to VentureBeat.

Why does BitTorrent think it is better to release the movie through them instead of through Sony’s own online video channels?

According to BitTorrent, by “using the paygate option, Sony are able to set the price for the film and release it widely without implicating anyone or exposing any third party to a terrorist threat,” and “it would strike a strong note for free speech.”

Sony Entertainment CEO Michael Linton told CNN on December 19th that “no ‘major video on demand distributor’ has been ‘willing to distribute’ the film. ‘We don’t have that direct interface with the American public, so we need to go through an intermediary to do that.’”

Sony, meet BitTorrent.

Sony …. holding out for a hero!

Posted: December 19, 2014 by IntentionalPrivacy in Financial vulnerabilities, Identity theft, Intellectual Property, Security Breach, Uncategorized
Tags: , , , , , , , , , , ,

On 11/24/2014, the Guardians of Peace (#GOP) announced on Reddit that they had hacked Sony Pictures Entertainment’s network, alleging that #GOP had stolen 100 terabytes of data. The stolen data laid out for public consumption in various data dumps around the Internet included both employee information—social security numbers, dates of birth, medical records, salary information—and corporate information—spreadsheets containing Sony layoff information, business plans, their network architecture, movie scripts, and even actual movies—and other confidential information. Then the attackers destroyed data to emphasize that their demands were serious.

While Sony has not commented much publicly except to yank The Interview (formerly scheduled to be released on Christmas Day), there has been considerable speculation on the person or groups responsible. The story—as we know it at this moment—sounds like a movie plot. (Are you listening Sony? When ya gonna make this movie?) There are spies, hacking, extortion … all the elements of a great plot … except a hero/heroine.

Sony, you get to play the whimpering coward sniveling in the corner. Who is going to step up to be the hero or heroine? That is the real question. Bonnie Tyler says it best, I am holding out for a hero/heroine.

As I see it there are four possible hacker group combinations:

  • The North Koreans hacked Sony because of the movie Sony produced called The Interview. It’s a comedy, and probably not a very good one.
  • One or more disgruntled Sony employees took the data. To look for possible disgruntled employees, let’s count: How many people has Sony laid-off?
  • The North Koreans and the disgruntled employees (and possibly other groups) separately hacked Sony.
  • The North Koreans managed to get someone inside Sony.

In my opinion, stealing 100 terabytes of data took some time and someone inside Sony had to help. How did they get the data out? USB drives? According to Numion.com, to download 100 terabytes at 10 Gbps with 50% overhead would take over 33 hours! Also, the data sounds like it’s very organized. Whoever stole it knew where to look and what to take and what to post first to make it hurt. It has a personal feel to it. No, it’s more than the North Koreans.

For a more in-depth analysis of the hackers, read Why the Sony hack is unlikely to be the work of North Korea.

North Korea: if you’re reading this, it’s just a movie. Get a sense of humor! Americans have made several movies about US presidents getting assassinated; here’s a few examples:

And of course, Wag the Dog cannot be left out of any movie list that discusses the death of a president’s political life.

I agree with President Obama that pulling the movie was a mistake. This is not a movie that I would have wanted to see, much less paid for. If you’d let it run, it would have been a brief news article, a week or two in the theaters and then … consigned to the $5 bin in Walmart. Now I want to see it!

However, there are some lessons we can all learn here:

  • Email is not private. Before you send any email, decide how you would feel if it ended up on the front page of the New York Times.
  • This is not the first time Sony has been publicly hacked. Remember the PlayStation Network debacle in April 2011, which affected 77 million customer accounts? This was followed by an attack May 2, 2011, on 24.5 million accounts at Sony Online Entertainment. Did Sony learn anything from those two incidents? Apparently not.
  • Compliance is not security! Doing the minimum necessary to comply with a law or laws is not enough to keep your corporate or personal information safe.
  • Just because you have a security breach doesn’t mean you have to lose a 100 terabytes of data. What were Sony’s security people doing?
  • If the company you work for does not take information security and privacy seriously, find someplace else to work. According to Forbes.com, Sony has had 195 security breaches from September 1, 2013 through June 30, 2014, according to leaked emails. However, it’s hard to determine the seriousness of the incidents from the information presented in the article. Were any of these breaches about tons of data spewing from Sony?

How can you tell if your employer is taking information security and privacy seriously? Do they say “information security is important” but cut the budget? Do they train employees on information security and privacy? Do they patch their systems and keep their software updated? Have they had a breach? What did they do?

  • If the company that you buy goods or services from does not protect your information, take your business elsewhere.

Vote with your feet and your money! Protect your information; there’s no one that it matters more to than you.

My bottom line? I’m outraged—both at Sony’s sloppy information security practices and their cowardice.

Someone Could Control Your Car from the Outside

Posted: October 18, 2014 by uszik11 in Historical and future use of technology, Personal safety, Security Breach
Tags: , , , ,

If you have a late model car, someone could disable the brakes, command the steering wheel, set the speed, open the doors, disable the airbags, or explode them, all from a Wi-Fi hotspot.

Perhaps the modern icon is the General Motors OnStar system. Everyone knows it; it shows up in movies and TV as commonly as orange juice or dogs. OnStar was launched in 1995 and went from analog to completely digital in 2006. (Wikipedia here.)  Now, such radio systems are a standard feature on common makes and models. The radios are called “transceivers” for “transmitter and receiver”, that is, a “walkie-talkie” or two-way radio, in other words, a cell phone that is always on. With that link someone can take control of your car.

Computers in cars go back to the 1978 Cadillac Seville. The chip was a Motorola 6800, used also in early personal computers. It ran the car’s onboard display that provided eleven outputs such as fuel economy, estimated time of arrival, and engine speed. By the turn of the Millennium, upscale BMWs and Mercedes boasted 100 processors. Even the low-tech Volvo now has 50. (Automotive Mileposts website here and Embedded website here. Note that “embedded” systems are computer controllers that built into other machines for control or diagnostics. Embedded systems is a branch of computing.)

However, the older your car, the safer you are. A vehicle from the 1980s or 1990s will have electronic controls, but they will be less open to attack from the outside.  Without a radio link such as OnStar, there is no way to control the car from the outside. Also, the older processors were more often dedicated to reporting things such as gas mileage or fuel economy. Electronic fuel ignition replaced carburetors, but, again, was a simple, stand-alone controller that could not be compromised from the outside.

Over the past few years, two different security projects have been reported in which “white hat hackers” (good guys) investigated ways to take control of different models of automobile.

models-panelbg-001

The little antenna on the Prius is not just for the FM radio.

 In 2011, Car and Driver told about the work of the Center for Automotive Embedded Systems Security, a collaboration between academics from the University of Washington and California State University at San Diego. First, they plugged their own device under the dashboard to compromise the on-board diagnostic computer. (Anyone who can get to your car could do that the next time you take in for an oil change or other routine service.) In the second phase, they figured out how to do that remotely.

According to Car and Driver: “Such breaches are possible because the dozens of  independently operating computers on modern vehicles are all connected through an in-car communications network known as a controller-area-network bus, or CAN bus.  Even though vital systems such as the throttle, brakes, and steering are on a separate part of the network that’s not directly connected to less secure infotainment and diagnostic systems, the two networks are so entwined that an entire car can be hacked if any single component is breached.”  (“Hack to the Future” Car and Driver July 2011 by Keith Barry here.)  The original research from the academics is posted online as PDFs.  (See below).

In the words of the researchers:  “We demonstrate that an attacker who is able to infiltrate virtually any Electronic Control Unit (ECU) can leverage this ability to completely circumvent a broad array of safety-critical systems. Over a range of experiments, both in the lab and in road tests, we demonstrate the ability to adversarially control a wide range of automotive functions and completely ignore driver input—including disabling the brakes, selectively braking individual wheels on demand, stopping the engine, and so on.”  (Published as “Experimental Security Analysis of a Modern Automobile” by

Karl Koscher, Alexei Czeskis, Franziska Roesner, Shwetak Patel, Tadayoshi Kohno, Stephen Checkoway, Damon McCoy, Brian Kantor, Danny Anderson, Hovav Shacham, Stefan Savage.
 IEEE Symposium on Security andPrivacy, Oakland, CA, May 16–19, 2010. Available as a PDF from the authors here.)

Then, having figured out how to install their own controller into a car under the dashboard, they turned to the problem of remote control.

“Modern automobiles are pervasively computerized, and hence potentially vulnerable to attack. However, while previous research has shown that the internal networks within some modern cars are insecure, the associated threat model—requiring prior physical access—has justifiably been viewed as unrealistic. Thus, it remains an open question if automobiles can also be susceptible to remote compromise. Our work seeks to put this question to rest by systematically analyzing the external attack surface of a modern automobile. We discover that remote exploitation is feasible via a broad range of attack vectors (including mechanics tools, CD players, Bluetooth and cellular radio), and further, that wireless communications channels allow long distance vehicle control, location tracking, in-cabin audio exfiltration and theft. Finally, we discuss the structural characteristics of the automotive ecosystem that give rise to such problems and highlight the practical challenges in mitigating them.”  (Published as “Comprehensive Experimental Analyses of Automotive Attack Surfaces” by Stephen Checkoway, Damon McCoy, Brian Kantor, Danny Anderson, Hovav Shacham, and Stefan Savage (University of California, San Diego) and Karl Koscher, Alexei Czeskis, Franziska Roesner, and Tadayoshi Kohno (University of Washington). Available as a PDF from the authors here.)

Two years later, Andy Greenberg, who reports on technology for Forbes, filed a story about Charlie Miller and Chris Valasek who carried out their own car hacking research with a government grant.

“Miller, a 40-year-old security engineer at Twitter, and Valasek, the 31-year-old director of security intelligence at the Seattle consultancy IOActive, received an $80,000-plus grant last fall from the mad-scientist research arm of the Pentagon known as the Defense Advanced Research Projects Agency to root out security vulnerabilities in automobiles.” (Forbes, August 12, 2013 here. This story includes a video of the event. They took Greenberg for a ride that ended in a crash despite everything he could do to fight for control of the car. The 5 mph roll out finally stopped in some high grass. )

 

 

Information Leakage …

Posted: September 29, 2014 by IntentionalPrivacy in Identity theft, Tips, Vulnerabilities
Tags: , ,

Information leakage: what is it? It’s the unauthorized flow of information from a source to a recipient. Although unauthorized, it is not necessarily malicious, but it can still be detrimental.

Let me give you a couple of examples.

Our credit union is, in most cases, very accommodating. However, when it comes to paying bills online either through Bill Pay or the creditor’s site, I argued with them about printing my social security number on my account statement when I paid my Sally Mae loan.When I paid my credit card online, they printed my entire credit card number on my account statement. I called and talked to a  credit union customer service rep and could not convince her how bad using these numbers was. I wrote a letter to the credit union, the credit card company, and Sallie Mae, and Sallie Mae changed my account number (which they should have done in the first place). However, I could not convince the credit union to only print the last four digits of the card number.

Think about how many people could possibly see those numbers: database analysts, print and fold operators, customer service reps, postal clerks if the envelope rips … and if the credit union gets hacked, well, who knows?

I finally wrote letters to each member of the credit union board of directors, and voilà! The number displayed on my account statement is now only the last four digits.

Be persistent when this type of thing happens! It’s your information, and nobody else will care as much as you when your identity gets stolen. And other people’s information will be safer also.

Next up: our insurance company, who thinks it’s safe to use my social security number as our account number, as long as they add a three-digit number to it. Now my number is available to doctors, nurses, receptionists, technicians, customer service reps … the list goes on and on. Nobody will guess. Yup. The thinly-disguised-number-is-secure trick.

Gnu Bash Shellshock … what is it … and does it affect me?

Posted: September 28, 2014 by IntentionalPrivacy in Browser Vulnerabilities, Vulnerabilities, Worms
Tags: , , , , , , , ,

Shellshock (CVE-2014-6271 and CVE-2014-7169) is the name of a bug affecting the Gnu Bash (Bourne-again shell) command-line shell, which can be used on many Linux and UNIX operating systems, as well as Mac OS X. It does not affect Windows computers unless you’ve installed Bash with something like Cygwin. While it’s unlikely that most consumer computers will be targeted, it’s a good idea to watch for updates for operating systems, firewalls, routers, switches, modems, printers, and household items that can be assessed over the Internet–TVs, thermostats, IP cameras, and other items.

It is already being exploited by worms and other malware.

Cisco, Red Hat, Debian, and Ubuntu have already issued updates. The first patch issued did not completely fix the problem, so make sure you update to the version that addresses CVE-2014-7169 as well as CVE-2014-6271. Apple has not issued any updates as of September 28, 2014.

This bug has been around for a very long time; the latest (safe) Bash version is 3.2.53.  Brian J. Fox wrote Bash in 1987 and supported it for five years, and then Chet Ramey took over support–his unpaid hobby. Mr. Ramey thinks Shellshock was accidentally added in 1992.

We have a Macbook that was running a vulnerable version of Bash. I manually updated Bash per this article.

According to Qualys, here’s how to test for the vulnerabilities; at the command line, paste the following line (make sure this line is exact):

env var='() { ignore this;}; echo vulnerable’ bash -c /bin/true

If you have a vulnerable version of bash, the screen will display “vulnerable.” Just to be safe after updating, check the bash version by typing:

bash –version

Vulnerable versions will be before 3.2.53.

If you applied a patch before Friday, you might have a less-serious version of the error, which you can check by typing the following:

env X='(){(a)=>\’ bash -c “echo date”; cat echo; rm -f echo

This line will display the date if bash has not been completely patched.  After patching, you will get an error when running this command.

Jimmy Johns isn’t the only breach … Signature Systems PDQ point-of-sale systems

Posted: September 28, 2014 by IntentionalPrivacy in Financial vulnerabilities, Identity theft, Security Breach
Tags: , , , , , ,

According to KrebsOnSecurity.com, Jimmy Johns aren’t the only restaurants to get caught in this breach, which lasted from June 16 through mid-September (dates vary at some locations). Many small restaurants use Signature Systems PDQPOS point-of-sale systems. A total of 216 Jimmy Johns and 108 other restaurants are affected because “an authorized person gained access to a user name and password that Signature Systems used to remotely access POS systems.” This access allowed the attacker to install malware to steal payment card data, containing the cardholder’s name, card number, expiration date, and verification code from the magnetic stripe of the card.

I wonder if Signature Systems changed their passwords on a regular basis? Probably not. Did they use two-factor authentication? Long and strong passwords? Did they conduct employee training on anti-phishing techniques?

Unfortunately, as of October 28, 2013, PDQPOS was only acceptable for pre-existing deployments. So it’s possible that some of these restaurants may receive fines if the system was installed after that date.

What do the Goodwill, DQ, Jimmy Johns and Home Depot have in common?

Posted: September 13, 2014 by IntentionalPrivacy in Financial vulnerabilities, Identity theft, Security Breach
Tags: , , , , , ,

They’ve all had recent breaches.

How many well-known and large breaches have we had in the past year? A bazillion! Please see the page I’ve posted that shows a list of recent breaches.

What should you do if you’ve used a payment card–debit or credit–at a store with a recent breach?

  1. Check your financial statement to confirm that you used the card within the time period breached.
  2. If you have unauthorized charges, notify your financial institution immediately.
  3. Even if you don’t have unauthorized charges, ask your bank or credit union to replace your card.
  4. If the breached company is offering identity protection, sign up for it.
  5. If your identity has been stolen, this FTC site–Create an Identity Theft Report–will help you create documents for the various places you will need to contact.
  6. Don’t shop with a debit card online.
  7. Use the credit card option when shopping with a debit card.

KrebsOnSecurity stated last week that banks are seeing fraudulent ATM withdrawals from debit cards stolen in the Home Depot breach. Be vigilant!

The last thing to think about, if a company has a breach and only has a news release. Two recent examples include Dairy Queen and Jimmy John’s. There’s no additional information on their website, not even an apology! Should you continue to visit their establishment?  How do you know they’ve even cleaned up their payment systems?

I’m voting with my feet and I will never buy anything from either Jimmy Johns or Dairy Queen again.

What to know about the Target breach …

Posted: December 27, 2013 by IntentionalPrivacy in Financial vulnerabilities, Identity theft, Security Breach, Tips, Vulnerabilities
Tags: , , , , , , ,

I shop at Target about once a week. Last Saturday, I was dismayed to discover that an estimated 40 million debit and credit cards used at Target had been stolen. This isn’t the first time my card number has been stolen, and it probably won’t be the last, unfortunately.

Many of those cards will be duplicate numbers, so the total number of cards stolen will probably be fewer than 40 million. Still, it is a very large breach, the second largest to date. The biggest breach—90 million credit/debit account numbers!—in the US occurred at TJX over a period of 18 months and was discovered on December 18, 2006 (TJX data theft).

First, let’s look at what happened:

  • On December 15, 2013, malware was discovered on Target’s point-of-sale systems at US stores. Target eliminated the malware, and notified card processors and payment card networks.
  • According to some sources (a Reuters story posted on Yahoo!), Target did not find the breach; it was discovered by a security researcher. That is worrisome.
  • According to Target, the issue only affected US stores; purchases made online at Target.com or in Canada were not part of the breach.
  • In their statement, Target explains the breach occurred between 11/27/2013 and 12/15/2013.
  • PIN data was stolen (Reuters – Target says PINs stolen, but confident data secure), but not the key, which according to Target’s statement, resides at the external card processing center. They are not giving out the name of their processing center. The PIN data is encrypted with Triple DES encryption.  To decrypt the PIN data, the thieves need the key.
  • There are 2 types of security codes used with credit/debit cards. Each card issuer calls the security codes by different names.
    • The first code is embedded in the magnetic stripe of the card and is used when you present the card to a merchant; it’s often called the CVV code. This one was included in the stolen data.
    • The second number, often called the CVV2 code, is not included in the magnetic stripe data and therefore was not stolen. This is the number used when you make card-not-present transactions, such as online or over the phone. American Express prints the four-digit number they use on the front side of the card, while most other issuers use a three-digit code printed on the back of the card next to the signature area.
  • The US Secret Service is investigating, as well as an unnamed outside investigator.
  • Stay tuned for more details. I don’t think investigators have a good handle on this theft yet, so the details are likely to change.

Note: PINs are not the safest way to protect your financial information; there are only 10,000 combinations (0000 to 9999). Europe uses electronic chips in their cards; another method is a dynamic pin generated through a text message or some other media, such as an RSA token. The problem with dynamic pins is that they’re slow and expensive.

According to Krebs on Security, stolen Target credit/debit card numbers are already being sold in underground black markets in batches of one million cards.

What to do?

  1. Monitor any account(s) used at Target at least daily for evidence of tampering.
  2. Check out the Target breach details.
  3. Get a copy of your credit report. You get 1 free credit report from each credit agency per year. https://www.annualcreditreport.com/index.action
  4. Target says they will pay for credit reporting; they will have more details later.
  5. Replace your card:
    • If you use a Target REDcard, contact Target for a replacement card.
    • Ask your bank or credit union to replace each card used at Target during the dates the breach occurred.
  6. If you choose not to replace your card, at least change your PIN number.
  7. When you choose a PIN, do not use your birth date or consecutive digits, such as “1234.”
  8. Some cards allow you to add an alert when it’s used; check with your card issuer to find out if they have this feature. The Target REDcard does give you this ability.
  9. Do not respond to any scam emails, texts, or phone calls asking for your PIN or your social security number or your credit card number.
  10. Some people suggest buying a prepaid credit card or using cash instead of using credit/debit cards. I’ve never used one, so I don’t know anything about costs, but I’m going to look into it.

If you notice fraudulent activity in your account:

  1. Notify your card issuer immediately at the number on the back of your card and cancel your card. This greatly limits the payment portion of fraud you’re responsible for.
  2. Put a block on your credit report at one of the three credit reporting agencies:
  3. Read the FTC’s tips for “Lost or Stolen Credit, ATM, and Debit Cards.”

Who pays the costs?

While it’s true that the banks and the merchant eat the losses initially; ultimately, we all pay the price of such theft through higher costs.

Groklaw shutting down …

Posted: August 25, 2013 by IntentionalPrivacy in Cell phone, Privacy, Security or Privacy Initiatives
Tags: , , , , , , , ,

More websites that value privacy are shutting down … Groklaw, Lavabit, and Silent Circle.

While I agree with much of what Pamela Jones said in this article, http://www.groklaw.net/article.php?story=20130818120421175, I can’t agree with her conclusion to get off the Internet. “They” win then, don’t they?

I also have to agree with PandoDaily’s Adam L. Penenberg that their owners shutting down these 3 websites in particular was not such a great idea. http://pandodaily.com/2013/08/20/why-shutting-down-groklaw-lavabit-and-silent-circle-was-a-bad-move/  Like the guy said in The Godfather, “Go to the mattresses!” Keep people interested in fighting for their rights.

Now, back to the usual type of privacy-impacting shenanigans this website looks at. This article talks about how stores want to personalize your shopping experience for your shopping habits, kinda like Amazon already does. http://pandodaily.com/2013/08/23/customer-stalking-coming-soon-to-a-store-near-you/

I like coupons as well as the next person, but … it’s c-r-e-e-p-y! Facial recognition software, emotion-sensing technology … Carmel Deamicis calls it customer stalking and I don’t want to be stalked. Next thing you know, I’m gonna have one of those coffee machines that brews individual cups of coffee at a bazillion dollars per cup sitting in my kitchen and I’m going to feel bad every time I throw one of those little cups away. And, besides which, the type of coffee that goes in them is kinda nasty.

I don’t like it when Amazon tells me what I’ve looked at and what I’ve bought and what somebody else that bought what I bought bought … Geez, is that even grammatical?!

But what I do know is this: It’s creepy.

Older Entries
Newer Entries