CAT | Google
Welcome to The Privacy Blog Podcast for May 2013.
In this month’s episode, I’ll discuss how shared hosting is increasingly becoming a target and platform for mass phishing attacks. Also, I’ll speak about the growing threat of Chinese hackers and some of the reasons behind the increase in online criminal activity.
Towards the end of the episode, we’ll address the hot topic of Google Glass and why there’s so much chatter regarding the privacy and security implications of this technology. In related Google news, I’ll provide my take on the recent announcement that Google is upgrading the security of their public keys and certificates.
Leave any comments or questions below. Thanks for listening!
Yesterday Google announced that it was updating its certificates to use 2048 bit public key encryption, replacing the previous 1024 bit RSA keys.
I have always found the short keys used by websites somewhat shocking. I recall back in the early 1990’s discussion about whether 1024 bits was good enough for PGP keys. Personally, I liked to go to 4096 bits although it was not really officially supported.
The fact that, 20 years later, only a fraction of websites have moved up to 2048 bits is incredible to me.
Just as a note, you often see key strengths described in bit length with RSA being 1024 or 2048 bits, and AES being 128 or 256 bits.
This might lead one to assume that RSA is much stronger that AES, but the opposite is true (at these key lengths). The problem is that the two systems are attacked in very different ways. AES is attacked by a brute force search through all possible keys until the right one is found. If the key is 256 bits long, then you need to try, on average, half of the 2^256 keys. That is about 10^77 keys (a whole lot). This attack is basically impossible for any computer that we can imagine being built, in any amount of time relevant to the human species (let alone any individual human).
By comparison, RSA is broken by factoring a 1024 or 2048 bit number in the key into its two prime factors. While very hard, it is not like brute force. It is generally thought that 1024 bit RSA is about as hard to crack as 80 bit symmetric encryption. Not all that hard.
Another from the “if the data exists, it will get compromised” file.
This article from the Washington Post talks about an interesting case of counter surveillance hacking.
In 2010, Google disclosed that Chinese hackers breached Google’s servers. What only recently came to light was that one of the things compromised was a database containing information about government requests for email records.
Former government officials speculate that they may have been looking for indications of which of their agents had been discovered. If there were records of US government requests for information on any of their agents, it would be evidence that those agents had been exposed. This would allow the Chinese to shut down operations to prevent further exposure and to get those agents out of the country before they could be picked up.
I had not thought about subpoenas and national security letters being a counter intelligence treasure trove, but it makes perfect sense.
Because Google / Gmail are so widely used, they present a huge and valuable target for attackers. Good information on almost any target is likely to live within their databases.
The number of information requests coming to Google from governments around the world is growing fast. It is up 55% for the first half of 2012 vs. the first half of 2010. The linked article has some nice graphs showing the trend.
It is interesting to note that the US leads the world with over a third of the total requests, followed by India then Brazil.
The other even faster trend is in takedown requests. Since they are s search engine, not a host, this is really pure censorship. It is up 88% between the first half of 2011 and the first half of 2012. That is a true hockey stick. A lot of it appears to be trying to suppress criticism of government or government activities.
The more such information is gathered, the more important it is to take control of your own personal privacy.
Google and other online advertising companies like Vibrant Media, Media Innovation Group, and PointRoll, are using a flaw in Safari on iOS to track you despite your privacy settings.
iOS Safari is set by default to reject tracking cookies from 3rd party websites. That means that unless you are directly and intentionally interacting with a site it should not be able to cookie and track you. Specifically that is intended to prevent tracking by advertisers displaying banner ads on websites.
The hack is that these advertisers use a script within the website to cause submit an invisible web form to the advertising website, which looks to Safari like you directly interacted with that site and so allows the site to send a cookie. Another flaw in Safari causes those cookies to be returned to the 3rd party sites once they have been set.
Apple is saying that they will address the issue. Google is blaming Apple for breaking with web standards (even though almost all browsers support blocking 3rd party cookies iOS Safari is unusual in making this the default).
- On your iOS device (iPhone, iPad, iPod Touch) go to “Settings”, select “Safari”, scroll down and “Clear Cookies and Data”. Do this frequently.
- Don’t log into Google or other social media sites through the browser, only use the dedicated apps.
- Use those social media apps to “like” or “+1” content, rather than doing so in the browser.
- Protect your IP address with a tool like Anonymizer Universal so these sites can’t just use your IP address in place of cookies to track you when you are at home or work on a WiFi connection with a long term IP address.
The WSJ had the first article I saw on this, but it is paywalled.
John Battelle’s searchblog tries to look at this issue from both sides.
A reader of this blog recently emailed me to ask:
What s/w do you recommend to keep anonymous while using Gmail, IE, Outlook, and Facebook on a laptop?
This is actually a very tricky question because the nature of all of these tools, except Internet Explorer (IE), is to be associated with a visible and discoverable account and identity in the “cloud”. I will discuss IE last and separately.
Gmail ties to your gmail and other Google accounts. Outlook ties to some existing email account at some email provider. Facebook is tied to your Facebook account and is explicitly designed for making your information public.
The profound question here is, what do we even mean by being anonymous using these services? I would argue that the best one can manage is to be pseudonymous; that is to maintain a persistent and visible pseudonym / alias which, while discoverable, is not associated with your true identity.
Fortunately Gmail and Facebook are free and typically do not require any real credentials to set up an account, and many of the free email providers work similarly. Using Anonymizer Universal (AU), and a browser with no history or cache to set up the accounts would ensure they were not connected to your real identity. It is important that the accounts never be accessed in any way except through AU, or they will be forever after associated with your real IP address. Furthermore, it is critical that the browser used is never used for any activity connected to your real identity, or the cookies and other digital detritus in your browser may allow these sites (or other folks) to tie the pseudonym to your other real name accounts.
IE is in many ways the easiest because there is no underlying account, but all the same rules apply. You need to ensure that you isolate your anonymous or pseudonymous activity from your real name activity.
For all of this activity a virtual machine can be a very effective tool. For example, if you use a Mac you can use a virtual machine running Windows or Linux for all of your alias activities and use the normal operating system for your real name activities. Similar tools exist for other operating systems.
Reuters reports that the Google admits that its Street View vehicles captured much more WiFi data than previously reported. It appears that they managed to capture entire emails and passwords among other information.
People are vilifying Google about this, but I am not going to get on that bandwagon. The reality is that they did this accidentally, but the architecture of WiFi allows any bad guy to do the same thing intentionally. Google did not “hack” in to these WiFi communications, they simply configured their WiFi cards to accept all packets flying by them through the air in the clear. Anyone sitting in a Starbucks, driving around town with a laptop in the passenger seat, or in a thousand other ways could intentionally capture and maintain much more information and with it do significant damage.
The take away from this is that you need to take precautions when using open public WiFi. Full VPN technologies like Anonymizer Universal ensure that when (not if) someone sniffs your traffic they will not be able to get any of your personal information.
One of the reasons interception of insecure passwords is so scary is the tendency for people to use the same passwords for many accounts. While you might not care if someone hacks in to your social network or news account, if you use the same password attackers might use it to log in to your bank or email.