Apple released an update for Mac OS X 10.9 fixing the serious GOTO FAIL SSL vulnerability. This update appears to resolve the problem for The Safari browser, and many other Apple applications that use SSL/TLS.
If you use a Mac, make sure you install this update ASAP. Go to Software Update and you should see the update available.
Everybody has been talking about the Apple SSL vulnerability, but just in case you have missed it….
It turns out that for several years Safari has failed to properly check the cryptographic signatures on Server Key Exchanges allowing attackers to mount man in the middle attacks against your browser sessions. Anyone with the ability to intercept your traffic could read and modify the data to or from any secure website you visit (of course they can always do it with insecure websites). This would include any WiFi you are using, the local ISP, backbone ISPs, and government entities wherever you might be, or anywhere along the path yo the server you are trying to reach.
This vulnerability impacts both iOS as well as Mac OS X. You can test whether you are vulnerable here.
There is a patch already available for iOS so update your device now!
If you are on a Mac, switch to using some browser other than Safari. Chrome and Firefox are both safe from this particular attack.
If you are on Windows, Linux, BSD, or Android, you would appear to be safe.
We have seen interesting experiments and studies where researchers have looked at what people are willing to pay to protect their privacy.
This then would be the opposite experiment. A company called Datacoup is offering people $8 per month to give them access to all of their social media accounts, and information on their credit and debit card transactions.
You certainly can’t fault them for being covert about their intentions. They are saying very directly what they want and offering a clear quid pro quo.
I don’t think I will be a customer, but it will be very interesting to see if they can find a meaningful number of people willing to make this deal.
Lance Cottrell is the Founder and Chief Scientist of Anonymizer. Follow me on Facebook and Google+.
A Stranger Can Find Out Where You Are By Getting You To Open An Email - On The Media
The ability to use remotely loaded images in HTML emails for tracking has been known for years, but perhaps not widely known.
The On The Media: TLDR podcast just re-surfaced the issue in the above article, where they talk about a free Gmail plugin called Streak, which provides this capability.
It automatically embeds the hidden images in emails you send, then lets you see when and even where the recipient opens them.
Because they appear to use IP address based locations, you can block the “where” part by using Anonymizer Universal.
You can block this tracking completely by turning off the loading of images in your emails. Of course, if you then choose to load images, know that you are also enabling tracking. If you block image loading you will also find that your email become much less attractive and significantly more difficult to read.
Lance Cottrell is the Founder and Chief Scientist of Anonymizer. Follow me on Facebook and Google+.
US Tech Sanctions In Sudan Are Empowering The Regime, Tamping Down Opposition | Techdirt
This article makes an interesting argument that sanctions against repressive regimes, particularly sanctions that block providing communications and security technologies to end users, harm dissidents more than they do the repressive regimes they are designed to target.
In particular, companies are unable to provide cryptography and anonymity tools to the people who really need them.
Lance Cottrell is the Founder and Chief Scientist of Anonymizer. Follow me on Facebook and Google+.
INFO: Maintaining a connection on the Verizon Novatel MIFI 4510L | Kurt Shintaku's Blog
The linked blog is from last year, but just came to my attention. It discusses a use for Anonymizer Universal that I had not thought about before.
The author’s problem was that his MiFi mobile hotspot kept dropping the connection any time it was idle for more than a short time.
His solution was to enable the Anonymizer Universal VPN, which then generates frequent “keep alive” traffic to maintain the VPN connection, and at the same time keeps the MiFi awake.
Very cool.
Lance Cottrell is the Founder and Chief Scientist of Anonymizer. Follow me on Facebook and Google+.
Turkey passed legislation to allow the government to censor access to websites within four hours of receiving an allegation of privacy violations. WSJ Article behind paywall. CNET Article
The law also requires web hosts to store all traffic information for two years. While the putative purpose of the legislation is privacy protection, it is widely assumed that this is an attempt to grab more control of the Internet, which has been repeatedly blasted by the Turkish government reporting on government corruption and graft.
As usual with these attempts at censorship, interested citizens can generally get around them. VPNs like Anonymizer Universal allow anyone to punch a hole through the national censorship firewalls to access any content.
I would be very interested to hear about efforts to block tools like Anonymizer in countries enforcing Internet censorship, like Turkey and the UK. Blocking of circumvention tools is already well documented in both China and Iran, and has been seen sporadically in many other countries.
Lance Cottrell is the Founder and Chief Scientist of Anonymizer. Follow me on Facebook and Google+.
Sochi visitors entering hacking 'minefield' by firing up electronics | Security & Privacy - CNET News
UPDATE: According to Errata security the NBC story about the hacking in Sochi total BS. Evidently: They were in Moscow, not Sochi. The hack was from sites they visited, not based on their location. They intentionally downloaded malware to their Android phone. So, as a traveler you are still at risk, and my advice still stands, but evidently the environment is not nearly as hostile as reported.
According to an NBC report, the hacking environment at Sochi is really fierce. After firing up a couple of computers at a cafe, they were both attacked within a minute, and within a day, both had been thoroughly compromised.
While you are vulnerable anywhere you use the Internet, it appears that attackers are out in force looking for unwary tourists enjoying the olympics.
Make sure you take precautions when you travel, especially to major events like the Sochi Olympics.
Lance Cottrell is the Founder and Chief Scientist of Anonymizer. Follow me on Facebook and Google+.
In episode 16 of the Privacy Blog Podcast for January, Twenty Fourteen I talk about:Biological Advanced Persistent Threats
The Apps on your mobile devices that may be enabling surveillance
Why you may soon know more about how much information your service providers are revealing to the government
The total compromise of the TorMail anonymous email service
How the British government is using pornography as a trojan horse for Internet Censorship.
And finally why continued use of a deprecated cryptographic signature algorithm could undermine the security of the Web
Turkey Debates New Law to Control Web Users - Emerging Europe Real Time - WSJ
Turkey already requests more takedowns from Google than any other country in the world, almost 1700 in the first half of 2013. They have a history of blocking popular websites like Youtube, and Vimeo, and Prime Minister Erdogan lashes out against Twitter at every opportunity.
Now the government is about to enact sweeping new powers to force providers to keep complete records of all user activity for 2 years, and give the government total access to that information.
This appears to be a reaction to citizen use of social media to coordinate protests and spread information about Turkish government corruption.
Unless they implement a ban on privacy technologies, VPN services like Anonymizer Universal will provide a way of getting around this kind of logging. I would strongly suggest that people in Turkey make a habit of always using VPNs, and moving to search engines, email, and social media platforms located outside of the country.
Lance Cottrell is the Founder and Chief Scientist of Anonymizer. Follow me on Facebook and Google+.
Facial recognition app matches strangers to online profiles | Crave - CNET
Google has adopted a privacy protecting policy of banning facial recognition apps from the Google Glass app store. I appreciate the effort to protect my privacy but facial recognition is probably the ONLY reason I would wear Google Glass.
I am hopeless at parties or networking events. I have no ability at all to remember names, and I know I am far from alone in this. The ability to simply look at someone and be reminded of their name, our past interactions, and any public information about their recent activities, would be absolute gold.
Obviously I am less enthusiastic about having third party ratings of my intelligence, integrity, hotness, or whatever, popping up to the people looking at me. As usual, humans are in favor of privacy for themselves but not for others.
A new app is coming out soon called Nametag, which is planned to do exactly this. On iOS, Android, and jail broken Glass, you will be able to photograph anyone and, using facial recognition, pull up all available social media information about them.
To opt out you will need to set up an account with NameTag, and I presume you will also need to upload some high quality pictures of yourself so they can recognize you to block the information. Hurm…..
Whatever we all think about this, the capability is clearly coming. The cameras are getting too small to easily detect, high quality tagged photos are everywhere, and the computing power is available.
While citizens have some ability to impact government surveillance cameras and facial recognition, it will be much harder to change course on the use of these technologies with private fixed cameras, phones, and smart glasses. Even if we convince device makers to block these applications, the really creepy people will jailbreak them and install them anyway.
For years I have said that the Internet is the least anonymous environment we inhabit. With this kind of technology, it may soon be much easier to hide yourself online than off. Police really don’t like you wearing masks.
Lance Cottrell is the Founder and Chief Scientist of Anonymizer. Follow me on Facebook and Google+.
Russia's Surveillance State | World Policy Institute
In March of 2013 the Bureau of Diplomatic Security at the US State Department issued a travel advisory for Americans planning to attend the 2014 winter Olympics in Sochi, Russia.
As I blogged before, this is expected to be one of the most aggressively surveilled events ever.
The advice for cyber protection in the advisory is interesting:
Consider traveling with “clean” electronic devices—if you do not need the device, do not take it. Otherwise, essential devices should have all personal identifying information and sensitive files removed or “sanitized.” Devices with wireless connection capabilities should have the Wi-Fi turned off at all times. Do not check business or personal electronic devices with your luggage at the airport. … Do not connect to local ISPs at cafes, coffee shops, hotels, airports, or other local venues. … Change all your passwords before and after your trip. … Be sure to remove the battery from your Smartphone when not in use. Technology is commercially available that can geo-track your location and activate the microphone on your phone. Assume any electronic device you take can be exploited. … If you must utilize a phone during travel consider using a “burn phone” that uses a SIM card purchased locally with cash. Sanitize sensitive conversations as necessary.
Obviously this is not just good advice for attending the Olympics, but would also apply to China, or any other situation where it is important to protect your electronic information.
The ability to conduct sophisticated surveillance and cyber attack is widespread. If you are engaged in business that is a likely target of economic espionage, then you should be following these kinds of practices any time you travel anywhere, and perhaps even at home.
Lance Cottrell is the Founder and Chief Scientist of Anonymizer. Follow me on Facebook and Google+.
This is refreshing. Some evidence that most people ARE actually willing to pay for privacy. If the market shows that this is a winner, we might start to see more privacy protecting applications and services.
The real question is whether invading your privacy generate more revenue than what we are willing to pay to be protected.
Lance Cottrell is the Founder and Chief Scientist of Anonymizer. Follow me on Facebook and Google+.
The Internet has been buzzing with reports of the recently leaked NSA exploits, backdoors, and hacking / surveillance tools. The linked article is good example.
None of this should be news to anyone paying attention. Many similar hacking tools are available from vendors at conferences like BlackHat and DefCon.
We all know that zero-day exploits exist, and things like Stuxnet clearly show that governments collect them.
Intentionally introducing compromised crypto into the commercial stream has a long history, perhaps best demonstrated by the continued sales of Enigma machines to national governments long after it had been cracked by the US and others.
This reminds me of a quote I posted back in March. Brian Snow, former NSA Information Assurance Director said “Your cyber systems continue to function and serve you not due to the expertise of your security staff but solely due to the sufferance of your opponents.”
One can focus on making this difficult, but none of us should be under the illusion that we can make it impossible. If you have something that absolutely must be protected, and upon which your life or liberty depends, then you need to be taking drastic steps, including total air gaps.
For the rest of your activities, you can use email encryption, disk encryption, VPNs, and other tools to make it as difficult as possible for any adversary to easily vacuum up your information.
If you are of special interest, you may be individually targeted, in which case you should expect your opponent to succeed. Otherwise, someone hacking your computer, or planting a radio enabled USB dongle on your computer is the least of your worries. Your cell phone and social media activities are already hemorrhaging information.
Lance Cottrell is the Founder and Chief Scientist of Anonymizer. Follow me on Facebook and Google+.
Google’s Location History Browser Is A Minute-By-Minute Map Of Your Life | TechCrunch
TechCrunch has a nice article on the location tracking of Android based devices.
It is an “opt in” thing, but I suspect that most people are robo-approving all the questions they are asked when they are trying to get their new phones or tablets set up for the first time.
In this case, you may have given Google permission to track and maintain high resolution location information on you. That information is used to discover where you live and work, to improve weather, travel, and traffic information.
If you follow this link, you can see a track of your activities for up to the last 30 days. Really cool in a very frightening way.
Lance Cottrell is the Founder and Chief Scientist of Anonymizer. Follow me on Facebook and Google+.
This is episode 15 of the Privacy Blog Podcast for December, 2013 In this episode I talk about:
How people are tracking the biggest ever theft of Bitcoins
A keylogger that has compromised 2 million accounts
Why a majority of Turks may be at risk of identity theft
How an anonymous bomb hoaxer got caught
A demonstration of activating iSight cameras without the indicator light
and finally, some thoughts on staying safe this holiday season.
On Monday, Dec 16, during final exams, someone sent an email to Harvard University administrators saying that there were bombs in two of four named buildings on campus. The threat was a hoax to get out of final exams. The sender used TOR and Guerrilla Mail, a disposable email address service, to hide his identity.
Despite that, police quickly identified Eldo Kim, he confessed, and was arrested. So, why did the privacy tools fail?
According to the FBI affidavit, the lead came from Harvard University, which was able to determine that Mr. Kim had accessed TOR from the university wireless network shortly before and while the emails were being sent.
This is really a case of classic police work. A bomb threat during finals is very likely to be from a student trying to avoid the tests. A student trying to avoid a test is unlikely to have the discipline to find and use a remote network. Therefor, the one or hand full of students using TOR at the time of the email are the most likely suspects…. and it turns out that they are right.
This case provides some important lessons to the rest of use who are trying to protect our identities for less illegal reasons.
First, clearly the Harvard Wireless network is being actively monitored and logged. It is reasonable to assume that your ISP or government might be monitoring your activities. One way to reduce correlations of your activity is to use privacy tools all the time, not just when you need them. This provides plausible deniability.
After all, if you never use such services, except for ten minutes exactly when some message was sent, and you are a likely suspect, then the circumstantial evidence is very strong. If you are using them 24/7, then the overlap says nothing.
Second, if Mr. Kim used anonymous email, how did they know he used TOR to access the email service? Because GuerrillaMail embeds the sending IP address in every outgoing email. The service only hides your email address, not your IP. In this case, they must have embedded the IP address of the exit TOR node. Even if they had not embedded the IP, GuerrillaMail keep logs which would have been available to the FBI with a warrant.
The lesson here is to look closely at your privacy tools, and to understand what they do protect and what they don’t.
The most important takeaway is that there is no privacy tool which will let you turn it on and turn off your brain. You always need to be thinking about what you are hiding, from whom, and how much effort they are likely to expend in finding you.
If you are hiding your IP address to get a better price on airline tickets, the threat is very low across the board. If you make terrorist threats, it is very hard to stay hidden afterwards.
Government to launch 'Netra' for internet surveillance - The Times of India
India is preparing to deploy a comprehensive Internet content monitoring system. They claim that it will be able to trigger on messages containing specific words. There is also mention of capturing “dubious voice traffic” over Skipe and other voice channels.
Use of VPNs like Anonymizer Universal will allow traffic to pass through these systems unanalyzed, but the fact that you are using a VPN will be visible.
Lance Cottrell is the Founder and Chief Scientist of Anonymizer. Follow me on Facebook and Google+.
AT&T thinks that Austin, TX residents will sell their on-line privacy for less than $20 per month. AT&T is launching a service called U-verse with GigaPower, which will provide 300Mbps of bandwidth to the home initially, increasing to 1Gbps in 2014. The cost of the service is $99 per month, but they have a special offer.
If you sign up for the Premier plan you can get the service for $70 per month. Additionally a bunch of setup and install fees are waived and you get free HBO. If you follow the footnote on the offer, you will see that Premier is only available if you agree to participate in the “AT&T Internet Preferences” program.
This invites AT&T to monitor your Internet usage to better profile you and so more effectively target ads at you.
GIGAOM reports that AT&T says "we will not collect information from secure (https) or otherwise encrypted sites, such as online banking or when a credit card is used to buy something online on a secure site. And we won’t sell your personal information to anyone, for any reason.”
I am pleased that they are not doing active man in the middle attacks on customer encryption, but that is a very very low privacy hurdle.
So, is $20 per month enough for you to allow AT&T to monitor, record, and monetize everything you on the Internet? Let me know if the comments.
Of course, if you use Anonymizer Universal for all of your on-line activity, there is nothing for them to see.
Lance Cottrell is the Founder and Chief Scientist of Anonymizer. Follow me on Facebook and Google+.
McAfee - 12 Scams of the Holidays!
This is a nice collection of the most common scams run during the holidays. I encourage you to pass this around to friends and family.
Lance Cottrell is the Founder and Chief Scientist of Anonymizer. Follow me on Facebook and Google+.
