Archive for the ‘Privacy’ Category

I had an interesting experience last week (my life seems to be full of them!). I signed up to take a class that purported to give me a better understanding of what I was looking for in a career.

The first day of class the instructor gave us the URL for an application that he had developed to collect a considerable amount of information about each of us: likes, desires, Myers-Briggs profile, and results from other assessment tests. During the class break, I asked him why the application was not using HTTPS. He said it did, but it used a referrer. I looked at the code of the web site. Hmm, not that I could see.

When I got home, I loaded up Wireshark so I could watch the interaction of the packets with the application. The application definitely did not use HTTPS. I emailed the instructor. Oh, he said, there was a mistake in the documentation, and he gave me the “real” secure URL.

Ok, so this application is sending his clients’ first and last names, email addresses, passwords, and usernames in clear text across the Internet. Not a big deal, you say?

It is a big deal, because many people use the same usernames and passwords on their accounts around the Web. Then add in their email address and their personal information is owned by anyone sniffing packets on any unsecured network they might be using, such as an unsecured wireless network in a coffee shop, an apartment building, a dorm room ….
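Whether a sign-up form sends its fields in the clear can be checked from the page markup alone. The following is an added example, not code from the original post: it parses a page's forms and flags any that collect credentials or contact details without HTTPS. The host class.example.net, the sample markup, and the list of sensitive field names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Field types and name fragments treated as sensitive (an assumption of this
# example, chosen to match the data described in the post).
SENSITIVE_TYPES = {"password", "email"}
NAME_HINTS = ("user", "login", "mail", "name", "pass")


class FormCollector(HTMLParser):
    """Collect each <form> with its action, method and input fields."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._open = None

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self._open = {"action": a.get("action", ""),
                          "method": a.get("method", "get").lower(),
                          "fields": []}
            self.forms.append(self._open)
        elif tag == "input" and self._open is not None:
            self._open["fields"].append(
                (a.get("type", "text").lower(), a.get("name", "")))

    def handle_endtag(self, tag):
        if tag == "form":
            self._open = None


def audit_forms(page_url, html):
    """Return a finding for every form that exposes sensitive fields."""
    collector = FormCollector()
    collector.feed(html)
    findings = []
    for form in collector.forms:
        sensitive = [name or ftype for ftype, name in form["fields"]
                     if ftype in SENSITIVE_TYPES
                     or any(h in name.lower() for h in NAME_HINTS)]
        if not sensitive:
            continue
        # An empty or relative action inherits the scheme of the page.
        target = urljoin(page_url, form["action"])
        issues = []
        if urlsplit(page_url).scheme != "https":
            issues.append("page loaded without HTTPS")
        if urlsplit(target).scheme != "https":
            issues.append("form submits to a non-HTTPS URL")
        has_password = any(t == "password" for t, _ in form["fields"])
        if has_password and form["method"] == "get":
            issues.append("password sent in the URL (GET)")
        if issues:
            findings.append({"target": target, "fields": sensitive,
                             "issues": issues})
    return findings


# Constructed sample markup; class.example.net is a placeholder host.
SIGNUP_HTML = """
<form action="search.php"><input type="text" name="q"></form>
<form action="register.php" method="post">
  <input type="text" name="first_name"><input type="text" name="last_name">
  <input type="email" name="email"><input type="text" name="username">
  <input type="password" name="password">
</form>
"""
MIXED_HTML = ('<form method="post" action="http://class.example.net/login.php">'
              '<input name="username"><input type="password" name="pw"></form>')

if __name__ == "__main__":
    for url, page in [("http://class.example.net/signup", SIGNUP_HTML),
                      ("https://class.example.net/signup", SIGNUP_HTML),
                      ("https://class.example.net/login", MIXED_HTML)]:
        print(url, audit_forms(url, page))
```

The third case is the one a quick look at the address bar misses: the page itself loads over HTTPS, but the form still submits to a plain HTTP address.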

So, next—because I now had their “secure” website URL—I checked their website against http://www.netcraft.com/, https://www.ssllabs.com/ssltest/, and some other sites—all public information. According to these tests, the application was running Apache version 2.2.22, which was released on January 31, 2012, WordPress 3.6.1 (released on September 11, 2013), as well as PHP 5.2.17 (released on January 6, 2011). It is never a good idea to run old software versions, but old WordPress versions are notoriously insecure.

Please note: I am not recommending either of these websites or their products; I merely used them as a method to find information about the application I was examining.

Not only that, but the app used SSL2 and SSL3, so the encryption technology is archaic. Qualys SSL Labs gave the app an “F” for their encryption, and that was after he gave me the HTTPS address.

(“It was harder to implement the security than we thought it would be,” he said.)

Although I did not find out the Linux version running on the web server, based on my previous findings—which I confirmed with the application owner—I would be willing to bet that the operating system was also not current.

So, then I tried creating a profile. I made up first and last names, user name, and a test email from example.net (https://www.advomatic.com/blog/what-to-use-for-test-email-addresses). I tried “test” for a password, which worked. So, the app does not test for password complexity or length.

He asked me on the second day of class if I now felt more comfortable about entering my information in his application since it was using HTTPS. I said no; I said that his application was so insecure that it was embarrassing, that it appeared to me that they had completely disregarded any considerations about securely coding an application.

He said that they never considered the necessity of securing someone’s information because they were not collecting credit card information.

I said that with the amount of data they collected, a thief could impersonate someone easily. I reminded him that some people use the same usernames and passwords for several accounts, and with that information and an email account, any hijacker was in business.

Then he said that he was depending on someone he trusted to write the code securely.

Although I believe in trust, if it were my application, I would verify any claims of security.

I told him he was lucky someone had not hacked his website to serve up malware. I said that I was not an application penetration tester, but that I could hack his website and own his database in less than 24 hours. I said the only reason it would take me that long is because I would have to read up on how to do it.

I told him I would never feel comfortable entering my information in his application because of the breach of trust between his application and his users. I said that while most people would not care even if I explained why they should care, I have to care. It is my job. If my information was stolen because I entered it in an application that I knew was insecure, I could never work in information security again.

So, what should you look for before you enter your information in an application?

  1. Does the web site use HTTPS? HTTPS stands for Hypertext Transfer Protocol Secure; what that means is that the connection between you and the server is encrypted. If you cannot tell because the HTTPS part of the address is not showing, copy the web address into Notepad or Word, and look for HTTPS at the beginning of the address.
  2. Netcraft.com gives some basic information about the website you’re checking. You do not need to install their toolbar, just put the website name into the box below “What’s that site running?” about midway down the right-hand side.
  3. Qualys SSL Labs tests the encryption (often known as SSL) configuration of a web server. I do not put my information in any web site that is not at least a “C.”
  4. Another thing you should be concerned about is a site that serves up malware. Here are some sites that check for malware:
    • http://google.com/safebrowsing/diagnostic?site=<site name here>
    • http://hosts-file.net/ — be sure to read their site classifications here
    • http://safeweb.norton.com/
  5. Do not enter any personal information in a site when using an insecure Wi-Fi connection, such as at a coffee shop or a hotel, just in case the site doesn’t have everything secured on its pages.

The Electronic Frontier Foundation (EFF) recently released a plug-in for Chrome and Firefox called Privacy Badger 1.0. A plug-in is a software module, which adds functionality, that can be loaded into a browser. What the Badger plug-in does is block trackers from spying on the web pages you visit.

Why should you care? Because Big Data companies track everything you do online, and what do they do with that data? One thing they do is analyze data to predict consumer behavior. Here are a couple of articles that explain some of the issues: “The Murky World of Third-Party Tracking” is a short overview, while the EFF has a three-part article called “How Online Tracking Companies Know Most of What You Do Online (and What Social Networks Are Doing to Help Them)” that, while several years old, is very detailed.

The FTC has gotten involved as well. Here is a link to one of their papers called “Big Data: A Tool for Inclusion or Exclusion?”

I loaded the Badger plug-in as soon as it came out, and I am amazed at the number of trackers it blocks (it does allow a few)! One CNN.com page I visited had over a hundred trackers blocked and a Huffington Post page had almost as many. I also run other plug-ins in Firefox (Ghostery, NoScript, AdBlock Plus, Lightbeam).

The Badger icon in the upper right-hand corner tells you how many are blocked.

The best thing about Badger is that it is very easy to use, unlike NoScript.

Give it a try, and let me know what you think.

Part 1 explains why you might decide to use secure messaging.

If you decide you want to use a secure messaging app, here are some factors you might consider:

  • How secure is the program? Does it send your messages in plaintext or does it encrypt your communications?
  • How user friendly is it?
  • How many people overall use it? A good rule for security and privacy: do not be an early adopter! Let somebody else work the bugs out. The number of users should be at least several thousand.
  • What do users say about using it? Make sure you read both positive and negative comments. Test drive it before you trust it.
  • How many people do you know who use it? Could you persuade your family and friends to use it?
  • How much does it cost?
  • What happens to the message if the receiver is not using the same program as the sender?
    • Does it notify you first and offer other message delivery options or does the message encryption fail?
    • For those cases where the encryption fails, does the message not get sent or is it sent and stored unencrypted on the other end?
  • Will it work on other platforms besides yours? Android, iOS, Blackberry, Windows, etc.
  • Does the app include an anonymizer, such as Tor?
  • While the app itself may be free, consider whether the messages will be sent using data or SMS. Will it cost you money from that standpoint?

The Electronic Frontier Foundation recently published an article called “The Secure Messaging Scorecard” that might help you find an app that meets your needs. Here are a few of the protocols used by the applications listed in the article:

I picked out a few apps that met all of their parameters, and put together some notes on cost, protocols, and platforms. While I have not used any of them, I am looking forward to testing them, and will let you know how it goes.

 

| App Name | Cost | Platforms | Protocol | Notes |
|---|---|---|---|---|
| ChatSecure + Orbot | Free; open source; GitHub | iOS, Android | OTR, XMPP, Tor, SQLCipher | |
| CryptoCat | Free; open source; GitHub | Firefox, Chrome, Safari, Opera, OS X, iPhone; Facebook Messenger | OTR – single conversations; XMPP – group conversations | Group chat, file sharing; not anonymous |
| Off-The-Record Messaging for Windows (Pidgin) | Free | Windows, GNOME2, KDE 3, KDE 4 | OTR, XMPP, file transfer protocols | |
| Off-The-Record Messaging for Mac (Adium) | Free | Adium 1.5 or later runs on Mac OS X 10.6.8 or newer | OTR, XMPP, file transfer protocols | No recent code audit |
| Signal (iPhone) / RedPhone (Android) | Free | iPhone, Android, and the browser | ZRTP | |
| Silent Phone / Silent Text | https://silentcircle.com/pricing | Desktop: Windows | ZRTP, SCIMP | Used for calling, texting, video chatting, or sending files |
| Telegram (secret chats) | Free | Android, iPhone / iPad, Windows Phone, Web version, OS X (10.7 up), Windows/Mac/Linux | MTProto | Cloud-based; runs a cracking contest periodically |
| TextSecure | Free | Android | Curve25519, AES-256, HMAC-SHA256 | |


When you send a message, who controls your messages? You write them and you get them, but what happens in the middle? Where are they stored? Who can read them? Email, texts, instant messaging and Internet relay chat (IRC), videos, photos, and (of course) phone calls all require software. Those programs are loaded on your phone or your tablet by the device manufacturer and the service provider. However, you can choose to use other – more secure – programs.

In the old days of the 20th century, a landline telephone call (or a fax) was an example of point-to-point service. Except for wiretaps or party lines, or situations where you might be overheard or the fax intercepted, that type of messaging was reasonably secure. Today, messaging does not usually go from your device—whether it is a cell phone, laptop, computer, or tablet—directly to the receiver’s device. Landlines are becoming scarcer, as digital phones using Voice over IP (VoIP) are becoming more prevalent. Messages are just like any other Internet activities: something (or someone) is in the middle.

It’s a lot like the days when an operator was necessary to connect your call. You are never really sure if someone is listening to your message.

What that means is that a digital message is not secure without taking extra precautions. It may go directly from your device to your provider’s network or it may be forwarded from another network; it often depends on where you are located in relation to a cell phone tower and how busy it is. Once the message has reached your provider’s network, it may bounce to a couple of locations on their network, and then—depending on whether your friend is a subscriber of the same provider—the message may stay on the same network or it may hop to another provider’s network, where it will be stored on their servers, and then finally be delivered to the recipient.

Understand that data has different states and how the data is treated may be different depending on the state. Data can be encrypted when it is transmitted and it can be encrypted when it is stored, or it can remain unencrypted in either state.

Everywhere it stops on the path from your device to the destination, the message is stored. The length of time it is kept in storage depends on the provider’s procedures, and it could be kept for weeks or even years. It gets backed up and it may be sent to offsite storage. At any time along its travels, it can be lost, stolen, intercepted or subpoenaed. If the message itself is encrypted, it cannot be read without access to the key. If the application is your provider’s, they may have access to the message even if it is encrypted if they have access to the key.

Is the message sent over an encrypted channel or is it sent in plain text? If you are sending pictures of LOLZ cats, who cares? But if you are discussing, say, a work-related topic, or a medical or any other confidential issue, you might not want your messages available on the open air. In fact, it’s better for you and your employer if you keep your work and personal information separated on your devices. This can happen by carrying a device strictly for work or maybe through a Mobile Device Management application your employer installed that is a container for your employer’s information. If you do not keep your information separate and your job suddenly comes to an end, they may have the right to wipe your personal device or you may not be able to retrieve any personal information stored on a work phone. Those policies you barely glanced at before you signed them when you started working at XYZ Corporation? It is a good idea to review them at least once a year and have a contingency plan! I have heard horror stories about baby pictures and novels that were lost forever after a job change.

Are you paranoid yet? If not, I have not explained this very well!

A messaging app that uses encryption can protect your communications with the following disclaimers. These apps cannot protect you against a key logger or malware designed to intercept your communications. They cannot protect you if someone has physical or root access to your phone. That is one of the reasons that jail-breaking your phone is such a bad idea—you are breaking your phone’s built-in security protections.

An app also cannot protect you against leaks by someone you trusted with your information. Remember: If you do not want the files or the texts you send to be leaked by someone else, do not send the information.

If you decide that you want to try one or more messaging applications, it is really important to read the documentation thoroughly so you understand what the app does and what it does not do and how to use it correctly. And, finally: Do not forget your passphrase!! Using a password manager such as KeePass or LastPass is a necessity today. Also back up your passwords regularly and put a copy—digital and/or paper—of any passwords you cannot afford to lose in a safe deposit box or cloud storage. If you decide to use cloud storage, make sure you encrypt the file before you upload it. Cloud storage is a term that means you are storing your stuff on someone else’s computer.

Part 2

I have recently started using the WhiteHat Aviator browser, which uses the anonymous search engine Disconnect. It is available for Windows and Mac here. It works pretty well (although it is sometimes slow). When I use it for sites like Gmail where I use two-factor authentication, I do have to enter both the second factor and the password every time I load the website. It will not save the code like Firefox can for thirty days.

I am planning on installing Disconnect on my phone next. If that works out, I will try the premium version, which includes encrypted Internet, safe browsing, and location control.

Another anonymous search engine is DuckDuckGo.

I also use Firefox with extensions NoScript, Ghostery, Adblock Plus, and Lightbeam. Lightbeam is particularly fascinating to look at; it shows all the sites that track me, even after all those add-ons. NoScript can be painful to use because you have to enable every single site.

After the last set of Adobe Flash 0days (two in a week!), I uninstalled Adobe Flash and Air. After all, if I really need Flash, I can always use Google Chrome, where Flash is built in.

I rarely use Internet Explorer any more.

And while you are updating your browser, make sure your Java version is current.

Your cell phone can be taken over by hackers who will view through your camera and watch you enter your passwords and other information.  Here in Austin at the IEEE “Globecom” conference on global communication last December, I attended a presentation from Temple University researchers who compromised an Android cell phone. 

Doctoral candidate Longfei Wu and five colleagues from Temple University, the University of Massachusetts, and Beijing University exploited vulnerabilities in the Android cell phone to seize control of the camera.

Having done that – and having reduced their footprint to one pixel – they then watched finger touches to the keyboard in order to guess passwords.  Some sequences were more secure than others.  1459 and 1479 were easy to identify.  1359 and 1471 were harder to guess.  The fundamental fact remains: They took control of the camera without the cell phone owner being aware of it.

Moreover, the Android operating system does not provide you with a log file of usage.  There is no way for you to review what your phone has been doing. However, the researchers fixed that. 

“We make changes to the CheckPermission() function of ActivityManagerService, and write a lightweight defense app such that whenever the camera is being called by apps with CAMERA permission, the defense app will be informed along with the caller’s Application Package Name.

[…]

There are three parts of warnings in our defense scheme. First, an alert dialog including the name of the suspicious app is displayed. In case the warning message cannot be seen immediately by the user (e.g., the user is not using the phone), the defense app will also make sound and vibration to warn the user of spy camera attacks. Besides, the detailed activity pattern of suspected apps are logged so that the user can check back.” — from “Security Threats to Mobile Multimedia Applications: Camera-based Attacks on Mobile Phones,” IEEE Communications Magazine, March 2014.

If you want to protect your phone, you have to figure out how for yourself.  Very few ready-made defense apps exist for Android, or iPhone.  You could join a local hacker club such as DefCon.  (For Ann Arbor, it is DefCon 734; for Minneapolis it is DC612.)  That brings up the problem of trust.  When I go to computer security conferences, I never take a computer; and I do not answer my phone.  I do trust the organizers of our local groups, LASCON, ISSA, OWASP,  and B-Sides; but I do not trust everyone who comes to every meeting.  If you want someone to “jailbreak” your phone, and program something on it for you, then you really need strong trust.  It is best to do it for yourself.

“Unfortunately, it’s not uploaded online. To support the defense scheme, I modified the Android system and generate new image files. This means if someone want to use the defense function, he/she must flash the phone. As a result, all the installed stuff may get lost. I think people wouldn’t like that to happen. Besides, the Android version I used for testing is 4.1-4.3, while the most recent release is 5.0.” – Longfei Wu, reply to email.

As “the Internet of Things” connects your washing machine and your car to your home thermostat and puts them all online along with your coffee-maker and alarm clock, all of them connected to the television box that never shuts off and always listens, you will be increasingly exposed to harm.

More websites that value privacy are shutting down … Groklaw, Lavabit, and Silent Circle.

While I agree with much of what Pamela Jones said in this article, http://www.groklaw.net/article.php?story=20130818120421175, I can’t agree with her conclusion to get off the Internet. “They” win then, don’t they?

I also have to agree with PandoDaily’s Adam L. Penenberg that their owners shutting down these 3 websites in particular was not such a great idea. http://pandodaily.com/2013/08/20/why-shutting-down-groklaw-lavabit-and-silent-circle-was-a-bad-move/  Like the guy said in The Godfather, “Go to the mattresses!” Keep people interested in fighting for their rights.

Now, back to the usual type of privacy-impacting shenanigans this website looks at. This article talks about how stores want to personalize your shopping experience for your shopping habits, kinda like Amazon already does. http://pandodaily.com/2013/08/23/customer-stalking-coming-soon-to-a-store-near-you/

I like coupons as well as the next person, but … it’s c-r-e-e-p-y! Facial recognition software, emotion-sensing technology … Carmel Deamicis calls it customer stalking and I don’t want to be stalked. Next thing you know, I’m gonna have one of those coffee machines that brews individual cups of coffee at a bazillion dollars per cup sitting in my kitchen and I’m going to feel bad every time I throw one of those little cups away. And, besides which, the type of coffee that goes in them is kinda nasty.

I don’t like it when Amazon tells me what I’ve looked at and what I’ve bought and what somebody else that bought what I bought bought … Geez, is that even grammatical?!

But what I do know is this: It’s creepy.

I recently read an article called the “Rise of the Warrior Cop” in the Wall Street Journal. Ordinarily, I would tend to blow off an article such as this.

Except there are too many articles like these:

Reasonable search and seizure? It’s supposed to be a right guaranteed by the Fourth Amendment of the Bill of Rights.

A filter bubble is when the results of doing an Internet search are targeted to you–your likes, your age, your location, your click history, and other aggregated information–meaning that you don’t see objective results when you search. It also means that advertiser links can be targeted more closely to what you might purchase. For an interesting look at filter bubbles, check out this information page at https://duckduckgo.com/?kad=en_US. The comments at the bottom of the page are very enlightening.

But is your information private when you search using DuckDuckGo? Maybe. You can read more about Web privacy and the NSA at Duck Duck Go: Illusion of Privacy and CNN’s How the U.S. forces Net firms to cooperate on surveillance.

For a more in-depth look at how Google personalizes your searches, read Personalized Search for Everyone and look at your Google Web History here [you must be signed in to a Google account to view this page]. You can turn off search history personalization by following instructions here.

To see who’s tracking you as you surf the Web, install a Firefox add-on called Collusion; it’s eye-opening!

For more reading on the NSA and privacy, read Bruce Schneier’s Crypto-Gram Newsletter; always fascinating!

This article about how you give up your privacy from CNN is eye-opening, http://www.cnn.com/2013/06/13/living/buzzfeed-data-mining/index.html?iid=article_sidebar

I tried the link listed in the article http://youarewhatyoulike.com/. I thought their specific findings were interesting although not all that accurate.

Data Mining Is Scary

How does shopping affect my privacy?

I like the products that Target carries and the stores are usually clean and well-stocked. You can even sometimes find a clerk to help you when you need one. But I am seriously creeped out by the amount of data they carry on each person who shops there. A couple of weeks ago, I bought some items at Target and the clerk was very aggressive about getting me to sign up for their “REDcard.” The REDcard is a Target-branded debit card that allows you to save an extra 5% on your purchases from their stores. I declined, saying  I wanted to find out more information before I signed up and I was also in a hurry, but the clerk kept pushing, which only reinforced my decision not to sign up. My husband was surprised at my decision because I like to save money. But I value my privacy and I also don’t like feeling I’m being railroaded into a hasty decision that I might regret later.

When I got home, I immediately started researching the Target REDcard. I am not the only person to find their data-mining tactics offensive. If you’re interested, you can read this NY Times article on how organizations data mine an individual’s shopping habits http://www.nytimes.com/2012/02/19/magazine/shopping-habits.html?_r=5&ref=business&pagewanted=all&

Credit.com also wrote a series of articles on the Target REDcard:

What’s the bottom line?

  1. Read those pesky agreements that you receive when you sign up for any kind of debit/credit card. If you don’t like the terms, don’t accept the card.
  2. The Electronic Frontier Foundation has some great articles on protecting your privacy. I highly recommend “4 Simple Changes to Stop Online Tracking.”
  3. You can remove tracking cookies specific to a website by following these directions http://www.ehow.com/how_6367641_remove-amazon-tracking-cookies.html or you can decide not to accept any third-party cookies.
  4. Install browser tools such as Ghostery or AdBlockPlus, and enable Do Not Track.
  5. Here’s an article on how to opt out of Facebook’s ads http://gizmodo.com/5989550/how-to-opt-out-of-facebooks-new-targeted-ads