I had a great time talking with Gary about privacy, anonymity, security, Cypherpunks, WikiLeaks, and more. Check it out!
Show 124: Lance Cottrell Discusses Anonymity and Privacy | Cigital
What Hand Sanitizer Can Teach Us About Cybersecurity - Lessons learned while trying to stay healthy while walking around the RSA security conference.
Read MoreNew targeted web based attacks are like a poacher with a sniper rifle at a watering hole. Anonymity is the key to security against this.
Read MoreAs a result of the "Great Firewall of Britain" the Chaos Computer Club discovered it is being blocked by Verifone. It turns out that ThePrivacyBlog is too!
Read More
In two separate cases recently Uber has, or has talked about, abusing its information about their customer’s movements.
First a Buzzed reporter Johana Bhuiyan was told that she was tracked on the way to a meeting by Josh Mohrer, general manager of Uber New York.
Next Emil Michael, SVP of business for Uber, talked at a private dinner about the possibility of using the information Uber has about hostile reporters to gather dirt on them.
Apparently Uber has an internal tool called “God View” which is fairly widely available to employees and allows tracking of any car or customer. Obviously such information must exist within the Uber systems for them to operate their business, but this access for personal or inappropriate business purposes is very worrying, possibly putting the security of customers at risk.
While Uber is the company that got caught, the potential for this kind of abuse exists in a tremendous number of businesses. We give sensitive personal information to these companies in order to allow them to provide the services that we want, but we are also trusting them to treat the data appropriately.
Last year there was a scandal within the NSA about a practice called “LOVEINT”. The name is an inside joke. Signals intelligence is called “SIGINT”, human intelligence is called “HUMINT”, so intelligence about friends and lovers was called “LOVEINT”. In practice, people within the NSA were accessing the big national databases to look up information on current or former partners, celebrities, etc.
The exact same risk exists within all of these businesses, but generally with far weaker internal controls than in the government.
I think that the solution to this is not to insist on controls that would be difficult to enforce, or to ban the keeping of information which they really do need, but rather to give users visibility into when their information is viewed, why, and by whom. Abuse could then be quickly detected and exposed, while allowing the business to continue to operate as they need to.
https://www.youtube.com/watch?v=XM8_JeVHwwo
[powerpress]
Good articles for more info from: The Verge, Forbs, & Forbs again
Engineers at Golden Frog recently discovered that Cricket wireless was automatically disabling their email encryption.
It is not at all clear why they were doing this, but we do know how. When an email client attempts to make a secure connection to a server, it sends a STARTTLS command. If the server never sees the STARTTLS, then it assumes you just wanted an insecure connection.
The ISP can easily modify the data stream to remove the request, causing your computer to connect without any encryption. According to the standard, the user is supposed to get a warning about this, but in practice almost all software just fails silently.
The best way to protect yourself against this attack is to encrypt your email end to end. You can use SMIME, which is built into most email clients, or GPG. GPG can be stronger, but it is harder to use, and easy to misuse. Either will significantly improve your security.
The next step is to use a VPN like Anonymizer.com to protect you against your ISP. It will also protect you against anyone else in the path between your computer and your VPN service. Unfortunately between them and the destination server, you are still vulnerable to any hostile ISPs.
https://www.youtube.com/watch?v=aHtVjZJxO_Q
[powerpress]
Some other articles on this attack: Arstechnica, & The Washington Post
Also read:
Lance Cottrell is the Founder and Chief Scientist of Anonymizer. Follow me on Facebook, Twitter, and Google+.
A new APT called DarkHotel conducts very targeted attacks against executives in Asian hotels. There are several things you can do to protect yourself.
Read More
The recent incident where attackers posted usernames and passwords for compromised Dropbox accounts really shows the importance of practicing good password hygiene.
GigaOm has one of many articles describing the actual events. The short version is that some hackers have been posting usernames and passwords to Dropbox accounts on a Pastebin page. Dropbox says that they have not been compromised, and that the passwords were actually taken from other websites or through other methods.
If this is true, and it seems reasonable, then those who have been compromised became victims because they reused their passwords across multiple websites. That is probably a bigger security error than choosing weak passwords in the first place.
The security at websites varies widely, usually based on the sensitivity of the information on that site. Banks tend to have better security than news sites or discussion sites. If you use the same password with all these sites, then if any of them is compromised the attacker can simply try your username / password on every other interesting website to see if they work there too.
The solution is to use a different password on every website. They should not be simply modifications of each other but actually completely different passwords. Additionally they should be long and random. This means that they will be impossible to remember, but a password manager or password vault can take care of that for you. It will generate the strong random passwords, fill in the forms for you, and sync between your various computers and other devices. There is no excuse not to use unique and strong passwords with every website, and you will be much safer if you do.
https://www.youtube.com/watch?v=XS7cyv_4o8A
[powerpress]
Lance Cottrell is the Founder and Chief Scientist of Anonymizer. Follow me on Facebook, Twitter, and Google+.
BadUSB security vulnerability is very broad, exploit code has been released, and it is unlikely to be fixed any time soon. Video Podcast.
Read More
In episode 23 of our podcast for August 2014, I talk about:
Welcome to episode 22 of the Privacy Blog Podcast for July, 2014.In this episode I will talk about:
In episode 21 of our podcast for July, I talk about:
In episode 19 of The Privacy Blog Podcast, recorded for April 2014, I talk about:
In episode 18 of The Privacy Blog Podcast for March 2014 I talk about:
In episode 17 of The Privacy Blog Podcast for February, 2014 I talk about:
In episode 16 of the Privacy Blog Podcast for January, Twenty Fourteen I talk about:Biological Advanced Persistent Threats
The Apps on your mobile devices that may be enabling surveillance
Why you may soon know more about how much information your service providers are revealing to the government
The total compromise of the TorMail anonymous email service
How the British government is using pornography as a trojan horse for Internet Censorship.
And finally why continued use of a deprecated cryptographic signature algorithm could undermine the security of the Web
This is episode 15 of the Privacy Blog Podcast for December, 2013 In this episode I talk about:
How people are tracking the biggest ever theft of Bitcoins
A keylogger that has compromised 2 million accounts
Why a majority of Turks may be at risk of identity theft
How an anonymous bomb hoaxer got caught
A demonstration of activating iSight cameras without the indicator light
and finally, some thoughts on staying safe this holiday season.
This is episode 14 of the Privacy Blog Podcast for November,2013.In this episode I talk about:
How your phone might be tracked, even if it is off
The hidden second operating system in your phone
Advertising privacy settings in Android KitKat
How Google is using your profile in caller ID
and the lengths to which Obama has to go to avoid surveillance when traveling.
Welcome to episode 13 of our podcast for September, 2013.In this episode I will talk about: A major security breach at Adobe How airplane mode can make your iPhone vulnerable to theft Russian plans to spy on visitors and athletes at the winter Olympics Whether you should move your cloud storage to the EU to avoid surveillance Identity thieves buying your personal information from information brokers and credit bureaus How to stop google using your picture in its ads Why carelessness lead to the capture of the operator of the Silk Road And how Browser Fingerprinting allows websites to track you without cookies.
Please let me know what you think, and leave suggestions for future content, in the comments.