Posts Tagged ‘privacy’

The amount of information collected on each of us is growing astronomically every day. What can you do to help protect your—as well as your family’s—information?

Note: This information is meant to be a starting place.Technology is constantly changing, so you must consider whether the information provided is timely and applicable to your situation. In order to adequately protect yourself and your family, you also might need to consult with your attorney or accountant or obtain other professional advice.

What information do you want to protect? Here are some categories you might want to consider:

Ad/cookie tracking Identity information Reputation
Digital identity Intellectual property Social media
Electronic devices Location Trash
E-mail Mailbox Travel
Family Medical information Voting
Financial information Personal safety Work information

Where are the threats to your information? Here are some common threats:

Data loss or theft

  • Backup media
  • Mail/trash
  • Organization w/ your info goes bankrupt
  • Paper
  • Website
Types of Malware

  • DNS Changer
  • Drive-by downloads
  • Keyloggers
  • Phishing email
  • Rootkits
  • Search engine poisoning
  • Social media malware
  • Torrents
  • Spyware, Trojan horse, virus, worms
  • Zombies/botnets
  • Etc.
Device loss or theft

  • Computer
  • DVD/CD
  • Backup media
  • USB drives
  • Portable electronic devices
  • Laptop, iPad, smart phones, tablets
Natural or man-made disasters

  • Fires
  • Floods
  • Tornadoes
  • Earthquakes
Personal safety

  • Craig’s List
  • Data leakage
  • Identity theft
  • Social media
ID theft Social engineering / Pretexting

Who do you trust with your information? Here are some organizations that you probably trust:

Accountant, lawyer, other professionals Religious & charity organizations
Employers Schools & Libraries
Financial institutions—banks, credit unions, loans & credit cards, brokerages Retailers & e-commerce sites
Government agencies Social sites
Health care—doctor, dentist, hospital, labs Websites
Insurance companies And …?

Why do you trust people or organizations?

  • Do they have a legitimate need for your information?
  • Do they have policies and procedures to tell you what they do with your confidential information?

When do you trust people or organizations?

  • Do you give confidential information on the phone, in email, texting, or in person?
  • Did you initiate the information exchange?
  • If you don’t feel comfortable, don’t do it.

How do you give people or organizations your confidential information? Think about advantages and disadvantages to giving out your information in person, over the phone, in email or in text messages, on a secure website. If you’re uncomfortable giving out information in a particular situation: don’t do it! Find another way to give the information.

General Tips

  • Don’t leave your electronic devices—cell phones, laptops, tablets, iPads, etc.—unattended in public, including hotel rooms.
  • Don’t ask strangers to watch your things while you go to the restroom or load up on more coffee.
  • Don’t leave your purse or briefcase unattended in public: including shopping carts, restaurants, and coffee shops.
  • Don’t use easy-to-guess passwords: http://www.dailymail.co.uk/sciencetech/article-2063203/This-years-easiest-guess-passwords–discovered-hackers-worked-out.html
  • Don’t post private information on social websites. Remember you have no expectation of privacy on social websites.
  • Data leakage:
    • Be careful about the information you throw in your trash.
    • Collect your mail as soon as possible.
    • Use vacation holds or have a friend collect your mail if you will be gone for more than a couple of days.
    • Do not announce on Facebook or other social media that you are going on vacation. Wait until you get back to share those fabulous pictures!
    • Keep your electronic devices and other valuables out of sight in your vehicle.
    • Read software and services licenses.
    • Use a password or a pin to protect your smart phone.

Trading convenience for security

Posted: December 22, 2014 by IntentionalPrivacy in Tips
Tags: , , , ,

These are some great tips from Gary Miliefsky at SnoopWall. You can either watch his video or read the interview. I just installed his SnoopWall Privacy app on my Android phone. I’ll let you know how it goes!

On 11/24/2014, the Guardians of Peace (#GOP) announced on Reddit that they had hacked Sony Pictures Entertainment’s network, alleging that #GOP had stolen 100 terabytes of data. The stolen data laid out for public consumption in various data dumps around the Internet included both employee information—social security numbers, dates of birth, medical records, salary information—and corporate information—spreadsheets containing Sony layoff information, business plans, their network architecture, movie scripts, and even actual movies—and other confidential information. Then the attackers destroyed data to emphasize that their demands were serious.

While Sony has not commented much publicly except to yank The Interview (formerly scheduled to be released on Christmas Day), there has been considerable speculation on the person or groups responsible. The story—as we know it at this moment—sounds like a movie plot. (Are you listening Sony? When ya gonna make this movie?) There are spies, hacking, extortion … all the elements of a great plot … except a hero/heroine.

Sony, you get to play the whimpering coward sniveling in the corner. Who is going to step up to be the hero or heroine? That is the real question. Bonnie Tyler says it best, I am holding out for a hero/heroine.

As I see it there are four possible hacker group combinations:

  • The North Koreans hacked Sony because of the movie Sony produced called The Interview. It’s a comedy, and probably not a very good one.
  • One or more disgruntled Sony employees took the data. To look for possible disgruntled employees, let’s count: How many people has Sony laid-off?
  • The North Koreans and the disgruntled employees (and possibly other groups) separately hacked Sony.
  • The North Koreans managed to get someone inside Sony.

In my opinion, stealing 100 terabytes of data took some time and someone inside Sony had to help. How did they get the data out? USB drives? According to Numion.com, to download 100 terabytes at 10 Gbps with 50% overhead would take over 33 hours! Also, the data sounds like it’s very organized. Whoever stole it knew where to look and what to take and what to post first to make it hurt. It has a personal feel to it. No, it’s more than the North Koreans.

For a more in-depth analysis of the hackers, read Why the Sony hack is unlikely to be the work of North Korea.

North Korea: if you’re reading this, it’s just a movie. Get a sense of humor! Americans have made several movies about US presidents getting assassinated; here’s a few examples:

And of course, Wag the Dog cannot be left out of any movie list that discusses the death of a president’s political life.

I agree with President Obama that pulling the movie was a mistake. This is not a movie that I would have wanted to see, much less paid for. If you’d let it run, it would have been a brief news article, a week or two in the theaters and then … consigned to the $5 bin in Walmart. Now I want to see it!

However, there are some lessons we can all learn here:

  • Email is not private. Before you send any email, decide how you would feel if it ended up on the front page of the New York Times.
  • This is not the first time Sony has been publicly hacked. Remember the PlayStation Network debacle in April 2011, which affected 77 million customer accounts? This was followed by an attack May 2, 2011, on 24.5 million accounts at Sony Online Entertainment. Did Sony learn anything from those two incidents? Apparently not.
  • Compliance is not security! Doing the minimum necessary to comply with a law or laws is not enough to keep your corporate or personal information safe.
  • Just because you have a security breach doesn’t mean you have to lose a 100 terabytes of data. What were Sony’s security people doing?
  • If the company you work for does not take information security and privacy seriously, find someplace else to work. According to Forbes.com, Sony has had 195 security breaches from September 1, 2013 through June 30, 2014, according to leaked emails. However, it’s hard to determine the seriousness of the incidents from the information presented in the article. Were any of these breaches about tons of data spewing from Sony?

How can you tell if your employer is taking information security and privacy seriously? Do they say “information security is important” but cut the budget? Do they train employees on information security and privacy? Do they patch their systems and keep their software updated? Have they had a breach? What did they do?

  • If the company that you buy goods or services from does not protect your information, take your business elsewhere.

Vote with your feet and your money! Protect your information; there’s no one that it matters more to than you.

My bottom line? I’m outraged—both at Sony’s sloppy information security practices and their cowardice.

You might know and follow the general rules for creating a good password. Apparently, no one else does.

The “25 Worst Passwords” is an annual press release from SplashData, which sells password management tools. They also tap into the resources provided by similar security reporting firms. Those reports from recent news stories illustrate that most people seem to be really bad at inventing new passwords. Writing about the Adobe website breach of 2013 PC World revealed that ‘adobe123’ and ‘photoshop’ were very common choices. An article from the BBC cited security researcher Per Thorsheim. He pointed out that the color schemes of Twitter, Facebook, and Google, all lead people to include the word “blue” in their passwords.

As a result, more websites require you to use a Mix of Upper and Lower Case, and also to include $pecial C#aracters and Numb3rs. The password photoshop becames !Ph0t0$hop* and that should be more secure.

However, what really makes that more secure is not the mix of characters but the two additional symbols. The ! and * at the beginning and end turn a string of 9 characters into a string of 11. The basic arithmetic of computing says that the longer something is, the harder it is to guess. Your bank transfers money with cipher strings of 200 digits. We call them “computationally difficult” to crack.

“Black hat hackers” build special computers to attack passwords. One of those homebrew boxes broke every Windows-standard 8-character password in under 6 hours. A lesser machine revealed 90% of the passwords on LinkedIn. However, if you have an 11-character password those powerful crackers would need 515 years to work through all the possible combinations. And yet, long as they are “AmericanTheBeautiful” and “ToBeOrNotToBe” are known phrases.

Those networks of multiple game processors also grind through huge databases of words and proper names in English and their many variations. . Passages from the Bible, quotations from Shakespeare, and other cultural artifacts add to the databases.  Black hat hackers have mammoth dictionaries of known passwords. Those are compiled from the revelations of each successful attack.

Password Cracking Machine

Jeremi Gosney’s High Performance Computer. The rapidly-moving graphics of games are computationally intensive. So, the central processor and parallel processors of the Xbox, PlayStation, and others rely on co-processors designed for rapid arithmetic. That makes them perfect for running billions of guesses per second.

It is also true that some websites prevent you from using special characters. You might be instructed to keep your passwords to Upper and Lower Case Letters and the numerals 0 through 9. Restricted like that, all of the possible 11-character passwords can be broken in just 4 years. Turn the computer on; let it run day and night; it churns out passwords.

The reason why you sometimes are restricted from special characters is that the Dollar $ign and <Greater-than Less-than> and @some others# are common to programming systems and languages such as SQL (pronounced “sequel”) and Java. So, in place of the password, a hacker inserts a line of computer code to open up the website to their commands. Such SQL attacks are common.

BBC Cat 2

“If you have a cat, or any other type of pet, do not use its name as part of a password.” – BBC

That brings us to the corporations and organizations that allow your data to be stolen. SQL attacks are an old, known problem. But everyone is busy. And businesses cut costs by releasing employees. So, successful attacks are inevitable. The key to security is not just to put up barriers. Victims must act quickly, decisively, and effectively when those firewalls are breached. And they will be breached. It is not a matter of “if” but of “when.” For over 20 years, even the FBI has suffered periodic intrusions.   Rather than requiring you to have a ridiculously difficult password, the system administrators should just do their jobs.

But this is the Information Age. We all have computers, phones, pads, notebooks, and networks. That puts the burden back on you.

We give out our usernames and passwords all too easily. Spam Nation is new book by Brian Krebs. Formerly a technology writer for the Washington Post, Krebs more recently investigated two Russian “businessmen” who apparently controlled the world’s largest floods of spam email. They sold fake Viagra and fake vicodin, fake Gucci and fake Rolex. Millions of people bought them. From all indications, the crooks really did deliver the goods. In doing that, they acquired millions of usernames and passwords. And people are lazy.

If you have the same log-in credentials for illegal drugs that you do for your bank account, you have only yourself to blame when a drug dealer steals your money.

Brian Krebs writes a very readable blog.

Brian Krebs writes a very readable blog.

But the same breach could come through the garden club, the library charity, your school, or work. How many log-in accounts have you had since the Worldwide Web was launched in 1991? According to Brian Krebs, it is your responsibility to keep yourself safe by keeping your identities separate.

Even Wonder Woman, Superman, Batman, and Batgirl manage only two lives each, not twenty. You may need a password manager. PC Magazine, PC World, MacWorld, and InfoWorld all review and evaluate password managers. It is a start. Of course, if your home Wi-Fi network is open to the public, then you have a different problem, entirely.

RESOURCES

The methods of securing data are robust. Your financial transactions, health records and other sensitive information are safeguarded by strong mathematical processes. You can use these same tools yourself to keep your emails private. It is not much harder than learning a new phone and installing an app.

Usually, when your personal data is exposed by organized gangs of Russian “businessmen” or the Chinese People’s Liberation Army, it because of failures in computer security allowed by weaknesses in the programs. The cell phone companies deliver records to the NSA. The NSA does not break your ciphers. As far as we know, no one has ever cracked one of the public key methods developed since 1975. Some theoretical weaknesses have been suggested. Brute force attacks by the NSA have been hinted at, but never demonstrated. The mathematics is as immutable as the Law of Identity: A is A.  It is absolutely true that 1 + 1 = 2, always and forever.

A Crazy Idea

In the early to mid-1970s, independent researchers Whitfield Diffie and Martin Hellman at Stanford, Ralph Merkle at Berkeley, and Ronald Rivest at MIT, along with his doctoral candidates Adi Shamir and Lenard Adelman, all sought and found ways to encrypt information that were not based on any of the historically known methods. As a result, when Ralph Merkle submitted his papers to the Communications of the Association for Computing Machinery, they were rejected for denying the established wisdom of 2000 years. Working on his doctorate at Berkeley, he was told by his professors that he obviously did not know the basics of cryptography.

Codes and Ciphers

A code is a secret translation of one set of symbols for another. If we let
Handkerchief = Train
Scarf = Bus
Blouse = Plane
Red = 2:00PM
Blue = 3:00PM
Green = 3:45 PM
Then, “Thank you for the red scarf “ or “Thank you for the green blouse” could be sent via email or on a post card and the real meaning would be hidden. The weakness is in exchanging the key. Someone has to pass the translation table. However, given the security of the key table, the code is unbreakable.

A cipher is an orderly substitution. Taking the alphabet backwards, A=Z, B=Y, C=X,… turns BARACK OBAMA into YZIZCP LYZNZ. Another kind of cipher just takes the letters in turn say, every third in rotation so that HILLARY CLINTON becomes LRLTHLYIOIACNN.

Ciphers often can be broken with applied arithmetic. In English, e is the most common letter, followed by t a o i n s h r d l u… Among the complicated ciphers was the Vigenere in which a table of letter keys allowed shifting substitutions. During World War II, the Germans employed their “Engima” machine with its shifting and changeable wheels. It fell to the first of the computers, the “Bombe” of Bletchley Park and “Ultra” Project. In The Jefferson Key by Steve Berry (Ballantine Books, 2011), a supposedly unbreakable cipher finally falls to a modern-day sleuth. As constructed, it involved writing the letters vertically, then inserting random letters, then writing the letters horizontally. However, again, common arithmetic allows you to use the fact that any English word with a Q must have that letter followed by a U; and no English words have DK as a digraph. (Until DKNY, of course.) So, the cipher was broken.

Speaking to LASCON in Austin, October 23, 2014, Martin Hellman said that he and his co-workers were considered “insane” for suggesting that an encryption method could be devised in which the formulas were public. In fact, this idea had old roots.

The 19th century founder of mathematical economics, William Stanley Jevons, suggested that certain mathematical functions that were “asymmetric” could be the basis for a new kind of cryptography. Just because A=Z does not mean that Z=A. His idea did not bear fruit. However, Martin Hellman asked his colleagues in the mathematics department if they knew of any such asymmetric functions. Indeed, many exist.  They can be called “trapdoor functions” because they are easy to do in one direction, but computationally difficult in the other.  In other words, they are are unlike the four common arithmetic operations.

The Diffie-Hellman system employs modulo arithmetic.  RSA (Rivest-Shamir-Adleman) uses the totient function discovered by Leonhard Euler in 1763. In 1974, Ralph Merkle, then at Berkeley, thought of using a set of puzzles, where each one is moderately hard, but the full set of 15 becomes computationally difficult. Working together, Merkel and Hellman created a “knapsack” function in which the challenge is to put the “most important objects” (numbers) with the smallest weights (numbers) into a bag (solution set).

You can get the papers online. If you loved high school algebra, and get a kick out of crossword puzzles (especially acrostics) this will be fun. If not, just accept the fact that they work.

The salient facts remain: the cipher system is clearly described, yet stands cryptographically secure.   That is a mandate called “Kerckhoffs Law” named for Auguste Kerckhoffs, a 19th century Dutch linguist. A cryptographic system should remain secure, even if everything about it is known, except the key. Thus, in our time, you can find the mathematical theorems and computer code for public key systems. You can download almost instantly clickable applications to secure your email.

Pretty Good Privacy
A hundred years ago, codes and ciphers and the study of cryptography all were controlled by the secret services of governments. In our time, academic theoreticians publish papers. To be patented, a device must be published. And so, Phil Zimmermann took the mathematical theorems and processes of the RSA encryption algorithm and recoded them from scratch to create a new system, just as powerful, but available to anyone without need for a license. Zimmermann was threatened with lawsuits and such, but he prevailed. Today, PGP is a free product offered by software sales giant Symantec on their website here. It is something a “loss leader” for Symantec. You can get PGP from other places as well, see here.

With it, you can encrypt your emails. Know, however, that (1) you would need to be “approved” by another PGP user (easy enough) and that (2) anyone you send emails to with this also needs it to read your emails to them. Be that as it may, it is no harder than setting up a really cool Facebook page, just a bit of work and some close focus.

Shellshock (CVE-2014-6271 and CVE-2014-7169) is the name of a bug affecting the Gnu Bash (Bourne-again shell) command-line shell, which can be used on many Linux and UNIX operating systems, as well as Mac OS X. It does not affect Windows computers unless you’ve installed Bash with something like Cygwin. While it’s unlikely that most consumer computers will be targeted, it’s a good idea to watch for updates for operating systems, firewalls, routers, switches, modems, printers, and household items that can be assessed over the Internet–TVs, thermostats, IP cameras, and other items.

It is already being exploited by worms and other malware.

Cisco, Red Hat, Debian, and Ubuntu have already issued updates. The first patch issued did not completely fix the problem, so make sure you update to the version that addresses CVE-2014-7169 as well as CVE-2014-6271. Apple has not issued any updates as of September 28, 2014.

This bug has been around for a very long time; the latest (safe) Bash version is 3.2.53.  Brian J. Fox wrote Bash in 1987 and supported it for five years, and then Chet Ramey took over support–his unpaid hobby. Mr. Ramey thinks Shellshock was accidentally added in 1992.

We have a Macbook that was running a vulnerable version of Bash. I manually updated Bash per this article.

According to Qualys, here’s how to test for the vulnerabilities; at the command line, paste the following line (make sure this line is exact):

env var='() { ignore this;}; echo vulnerable’ bash -c /bin/true

If you have a vulnerable version of bash, the screen will display “vulnerable.” Just to be safe after updating, check the bash version by typing:

bash –version

Vulnerable versions will be before 3.2.53.

If you applied a patch before Friday, you might have a less-serious version of the error, which you can check by typing the following:

env X='(){(a)=>\’ bash -c “echo date”; cat echo; rm -f echo

This line will display the date if bash has not been completely patched.  After patching, you will get an error when running this command.

More on the Target breach …

Posted: December 29, 2013 by IntentionalPrivacy in Security Breach
Tags: , , , ,

According to the NY Times, Target is partnering with a Verizon forensic team to investigate the breach, as well as the Secret Service and the Justice Department.

If you would like to learn more about PIN number analysis, read this article http://www.datagenetics.com/blog/september32012/. Nick Berry, the president of Datagenics, also gave a speech on July 23, 2013, on Ted Talks about how to use passwords and be safer on the Internet.

 

I recently read an article called the “Rise of the Warrior Cop” in the Wall Street Journal. Ordinarily, I would tend to blow off an article such as this.

Except there are too many articles like these:

Reasonable search and seizure? It’s supposed to be a right guaranteed by the Fourth Amendment of the Bill of Rights.

A filter bubble is when the results of doing an Internet search are targeted to you–your likes, your age, your location, your click history, and other aggregated information–meaning that you don’t see objective results when you search. It also means that advertiser links can be targeted more closely to what you might purchase. For an interesting look at filter bubbles, check out this information page at https://duckduckgo.com/?kad=en_US. The comments at the bottom of the page are very enlightening.

But is your information private when you search using DuckDuckGo? Maybe. You can read more about Web privacy and the NSA at Duck Duck Go: Illusion of Privacy and CNN’s How the U.S. forces Net firms to cooperate on surveillance.

For a more in-depth look at how Google personalizes your searches, read Personalized Search for Everyone and look at your Google Web History here [you must be signed in to a Google account to view this page]. You can turn off search history personalization by following instructions here.

To see who’s tracking you as you surf the Web, install a Firefox add-on called Collusion; it’s eye-opening!

For more reading on the NSA and privacy, read Bruce Schneier’s Crypto-Gram Newsletter; always fascinating!

This article about how you give up your privacy from CNN is eye-opening, http://www.cnn.com/2013/06/13/living/buzzfeed-data-mining/index.html?iid=article_sidebar

I tried the link listed in the article http://youarewhatyoulike.com/. I thought their specific findings were interesting although not all that accurate.

Data Mining Is Scary

How does shopping affect my privacy?

I like the products that Target carries and the stores are usually clean and well-stocked. You can even sometimes find a clerk to help you when you need one. But I am seriously creeped out by the amount of data they carry on each person who shops there. A couple of weeks ago, I bought some items at Target and the clerk was very aggressive about getting me to sign up for their “REDcard.” The REDcard is a Target-branded debit card that allows you to save an extra 5% on your purchases from their stores. I declined, saying  I wanted to find out more information before I signed up and I was also in a hurry, but the clerk kept pushing, which only reinforced my decision not to sign up. My husband was surprised at my decision because I like to save money. But I value my privacy and I also don’t like feeling I’m being railroaded into a hasty decision that I might regret later.

When I got home, I immediately started researching the Target REDcard. I am not the only person to find their data-mining tactics offensive. If you’re interested, you can read this NY Times article on how organizations data mine an individual’s shopping habits http://www.nytimes.com/2012/02/19/magazine/shopping-habits.html?_r=5&ref=business&pagewanted=all&

Credit.com also wrote a series of articles on the Target REDcard:

What’s the bottom line?

  1. Read those pesky agreements that you receive when you sign up for any kind of debit/credit card. If you don’t like the terms, don’t accept the card.
  2. The Electronic Frontier Foundation has some great articles on protecting your privacy. I highly recommend “4 Simple Changes to Stop Online Tracking.”
  3. You can remove tracking cookies specific to a website by following these directions http://www.ehow.com/how_6367641_remove-amazon-tracking-cookies.html or you can decide not to accept any third-party cookies.
  4. Install browser tools such as Ghostery or AdBlockPlus, and enable Do Not Track.
  5. Here’s an article on how to opt out of Facebook’s ads http://gizmodo.com/5989550/how-to-opt-out-of-facebooks-new-targeted-ads