Attention to Privacy Issues Growing

From the board room to main street, digital privacy is becoming more and more of a hot topic.

Organizations have been asking us to discuss it with steering committees and boards. Our intelligence team has been performing privacy-related recon and other testing engagements for the last several years. More and more of our security engagements are starting to include elements of privacy concerns from organizations and individuals alike.

In the mainstream media, you have articles being pushed heavily like this – which discusses supposedly stolen NSA technology for monitoring, to discussions of personal privacy from the likes of Tim Cook, CEO of Apple.

As such, security teams should take the time to verse themselves in the privacy debate. It is likely that management and boards will be asking in the near future, if they aren’t already, for advice on the topic. This is a fantastic opportunity for security teams to engage in meaningful discussions with organizational leaders about a security-related topic on both a professional and personal scale. It might even be worth putting together a presentation, preemptively, and delivering it to the upper management and line managers around your company.

With so much attention to privacy these days, it’s a great chance to engage with people, teach basic infosec practices and have deep discussions about the changing digital world. That’s what your security team has been asking for, right? Now’s the time… 🙂 

Podcast Episode 8 is Out

This time around we riff on Ashley Madison (minus the morals of the site), online privacy, OPSec and the younger generation with @AdamJLuck. Following that, is a short with John Davis. Check it out and let us know your thoughts via Twitter – @lbhuston. Thanks for listening! 

You can listen below:

The Mixed Up World of Hola VPN

Have you heard about, or maybe you use, the “free” services of Hola VPN?

This is, of course, a VPN, in that it routes your traffic over a “protected” network, provides some level of privacy to users and can be used to skirt IP address focused restrictions, such as those imposed by streaming media systems and television suppliers. There are a ton of these out there, but Hola is interesting for another reason.

That other reason is that it turns the client machine into “exit nodes” for a paid service offering by the company:

In May 2015, Hola came under criticism from 8chan founder Frederick Brennan after the site was reportedly attacked by exploiting the Hola network, as confirmed by Hola founder Ofer Vilenski. After Brennan emailed the company, Hola modified its FAQ to include a notice that its users are acting as exit nodes for paid users of Hola’s sister service Luminati. “Adios, Hola!”, a website created by nine security researchers and promoted across 8chan, states: “Hola is harmful to the internet as a whole, and to its users in particular. You might know it as a free VPN or “unblocker”, but in reality it operates like a poorly secured botnet – with serious consequences.”[23]

In this case, you may be getting a whole lot more than you bargained for when you grab and use this “free” VPN client. As always, your paranoia should vary and you should carefully monitor any new software or tools you download – since they may not play nice, be what you thought, or be outright malicious. 

I point this whole debacle out, just to remind you, “free” does not always mean without a cost. If you don’t see a product, you are likely THE PRODUCT… Just something to keep in mind as you wander the web… 

Until next time, stay safe out there!

Artificial Intelligence – Let’s Let Our Computers Guard Our Privacy For Us!

More and more computer devices are designed to act like they are people, not machines. We as consumers demand this of them. We don’t want to have to read and type; we want our computers to talk to us and we want to talk to them. On top of that, we don’t want to have to instruct our computers in every little detail; we want them to anticipate our needs for us. Although this part doesn’t really exist yet, we would pay through the nose to have it. That’s the real driver behind the push to achieve artificial intelligence. 

Think for a minute about the effect AI will have on information security and privacy. One of the reasons that computer systems are so insecure now is because nobody wants to put in the time and drudgery to fully monitor their systems. But an AI could not only monitor every miniscule input and output, it could do it 24 X 7 X 365 without getting tired. Once it detected something it could act to correct the problem itself. Not only that, a true intelligence would be able monitor trends and conditions and anticipate problems before they even had a chance to occur. Indeed, once computers have fully matured they should be able to guard themselves more completely than we ever could.

And besides privacy, think of the drudgery and consternation an AI could save you. In a future world created by a great science fiction author, Charles Sheffield, everyone had a number of “facs” protecting their time and privacy. A “facs” is a facsimile of you produced by your AI. These facs would answer the phone for you, sort your messages, schedule your appointments and perform a thousand and one other tasks that use up your time and try your patience. When they run across situations that they can’t handle, they simply bring you into the loop to make the decisions. Makes me wish this world was real and already with us. Hurry up AI! We really need you!

Keep Your Hands Off My SSL Traffic

Hey, you, get off my digital lawn and put down my binary flamingos!!!!! 

If you have been living under an online rock these last couple of weeks, then you might have missed all of the news and hype about the threats to your SSL traffic. It seems that some folks, like Lenovo and Comodo, for example, have been caught with their hands in your cookie jar. (or at least your certificate jar, but cookie jars seem like more of a thing…) 

First, we had Superfish, then PrivDog. Now researchers are saying that more and more examples of that same code being used are starting to emerge across a plethora of products and software tools.

That’s a LOT of people, organizations and applications playing with my (and your) SSL traffic. What is an aging infosec curmudgeon to do except take to the Twitters to complain? 🙂

There’s a lot of advice out there, and if you are one of the folks impacted by Superfish and/or PrivDog directly, it is likely a good time to go fix that stuff. It also might be worth keeping an eye on for a while and cleaning up any of the other applications that are starting to be outed for the same bad behaviors.

In the meantime, if you are a privacy or compliance person for a living, feel free to drop us a line on Twitter (@lbhuston, @microsolved) and let us know what your organization is doing about these issues. How is the idea of prevalent man-in-the-middle attacks against your compliance-focused data and applications sitting with your security team? You got this, right? 🙂

As always, thanks for reading, and we look forward to hearing more about your thoughts on the impacts of SSL tampering on Twitter! 

My Thoughts of Raising Teenagers While Protecting Their Online Privacy

As a parent, who has teenagers, it can be a somewhat complicated and mortifying world when it comes to trying to allow a teenager a small level of personal “freedom” of expression and allowing them to be curious and discover new things while also satisfying the need to protect their online privacy from those who may do them harm. In this blog segment we will discuss some of my thoughts on what we as parents can do to aid our child in this ever evolving world that is the internet.

To start of with I suppose we need to first look at the child’s age and I’m not speaking to their numeric age, but rather to their level of maturity. And so when my wife and I decide what applications (apps) our children may download, it depends heavily on the content of the application, but also to the child’s maturity level. Who would want a scary game or a very provocative application to be seen or played by a minor, especially if it is something that you fundamentally don’t agree with as a parent. Let alone a game or app with overtones of sexuality that is going to be played by your teenager for hours on end. Now I am not saying that they don’t hear it and see it in the world that we live in, I am not naive, but why put it on a silver platter and feed it to them. Those things can wait a bit longer, especially if we are talking the difference between a thirteen year old versus a seventeen year old. True it is only four years, but developmentally and cognitively there are vast differences between them. Particularly in their ability to make intelligent decisions as I am sure many of you would agree!

So lets start with the basics, remember that you are the parent and a good dose of common sense goes a long way. With that we all need to be able to reach our children and so perhaps you want be able to track where your child is and more importantly they are where they say they are. Have no fear there are apps for that, but most if not all smartphones have GPS built right in. However, apps like Find My iPhone and Find My Friends can be quite helpful. Perhaps you want to limit the amount of time that a child spends online or limit the sites that they can have access to there are apps for that too. Apps such as Screentime and DinnerTime Parental Control offer you the ability to not only limit their screen time, but also limit how much they are texting and playing games. All in an effort to help them refocus on working on homework, chores or spending quality time with the family. Some parents may elect to take it a step further and want to track who their child is communicating with, read emails, see all the pictures that are sent, received and perhaps more importantly deleted. Well they can do so with an app called Teensafe. I know this one sounds a bit like big brother, but if your child is being bullied, abused, or dating without your knowledge, some parents want the ability to intervene more quickly. Especially, if the child isn’t as forth coming as the parent feels they should be.

Next, comes the security of the websites and the apps themselves. I think we as parents have a responsibility to protect our children and that responsibility should include a healthy dose of cynicism. To that end, make sure you go through each setting on an app or website that you load or your child loads onto their device(s). Making sure that you turn on or off the security settings that you feel are appropriate for your child. Lets say we allow our child to use a social media website or app, we certainly wouldn’t want a thirteen year old exposed to the entire world, when all they want to do is connect with their friends. This would potentially expose them to threats that you may not recognize as a threat until it was too late. So lets go through those settings and turn off some of those features and lock it down to a level where you as a parent are comfortable with. It may seem like just a simple click of a button, but believe me it is a very important step in ensuring your child’s online safety.

Finally, remember that you may not want to give your child the ability to download or change the settings of their devices, so maybe keeping a log of all of their passwords. Perhaps in a password vault such as 1Password would be in order. You would do this for two reasons. One to make sure that they are using a strong password, and where possible to also turn on two-step verification, but also to make sure that they don’t forget the password that they just created, because a good password should be challenging, otherwise it’s pointless. Please remember you are in charge and ultimately responsible for the safety of your child both at home and online. Secure as much as you can, where you can. So let’s be safe out there!

It should be noted that some of the apps mentioned above are free and some are open source and some are at a cost to the consumer. It is up to you to research these applications and see what best fits your security needs. 

In no way do we endorse the applications that were presented in this article we are simply stating that they may be an option for you to consider for your device. Your particular security needs for your device are up to you to decide. Be safe out there.

This post by Preston Kershner.

Consumers are Changing their Minds about Data Breaches

Per this article in Fast Company, it now seems that some 72% of consumers expressed an impact in their perception of a retail brand following a breach announcement. However, only 12% actually stopped shopping at the breached stores.

This appears to be a rising tide in the mind of consumers, with an increase in both attention and action versus previous polls.

Add to that the feelings of fatigue that we have been following on social media when breaches are announced. TigerTrax often identifies trending terms of frustration around breach announcements, and even some outright hostility toward brands with a breach. Not surprising, given the media hype cycle today.

TigerTrax also found that a high percentage of consumers were concerned to a larger extent about information privacy than in the past. Trending terms often include “opt out”, “delete my data” and various other conversation points concerning the collection and sharing of consumer information by vendors.

Retailers and other service providers should pay careful attention to this rising tide of global concern. Soon, breaches, data theft and illicit data trafficking may show significant increases in consumer awareness and brand damage is very likely to follow…

Never Store Anything on the Cloud that You Wouldn’t Want Your Mamma to See

It’s great now days, isn’t it?

You carry around devices with you that can do just about anything! You can get on the Internet and check your email, do your banking, find out what is new on Facebook, send a Tweet or a million other things. You can also take a picture, record a conversation, make a movie or store your work papers – and the storage space is virtually unlimited! And all this is just great as long as you understand what kind of risks this freedom poses to your privacy.

Remember that much of this stuff is getting stored on the cloud, and the only thing that separates your stuff from the general public is a user name, password and sometimes a security question. Just recently, a number of celebrities have complained that their photos (some of them explicit) have been stolen by hackers. These photos were stored in iCloud digital vaults, and were really very well defended by Apple security measures. But Apple wasn’t at fault here – it turns out that the celebrities themselves revealed the means to access their private stuff.

It’s called Phishing, and there are a million types of bait being used out there to fool or entice you. By clicking on a link in an innocent-looking email or answering a few simple questions, you can give away the keys to the kingdom. And even if you realize your mistake a couple of hours later, it is probably already too late to do anything about it. That naughty movie you made with your spouse during your romantic visit to Niagara Falls is already available from Peking to Panama!

Apple announced that they will soon start sending people alerts when attempts are made to change passwords, restore iCloud data to new devices or when someone logs in for the first time from new Apple devices. These are valuable controls, but really are only detective in nature and won’t actually prevent many data losses. That is why we recommend giving yourselves some real protection.

First, you should ensure that you educate yourself and your family about the dangers hackers and social engineers pose, and the techniques they use to get at your stuff. Second, it is really a lot better to store important or sensitive data on local devices if possible. But, if you must store your private data in the cloud, be sure it is well encrypted. Best of all, use some sort of good multi-part authentication technique to protect your stuff from being accessed easily by hackers. By that I mean something like a digital certificate or an RSA hard token – something you have or something you are, not just something you know.

If you do these things, then it’s a good bet your “special moments” won’t end up in your Momma’s inbox!

Thanks to John Davis for this post.

Digital Images and Recordings: How Can We Deal with the Loss of Trust?

For many decades now the human race has benefitted from the evidentiary value of surveillance videos and audio recordings. Human beings cannot be relied on to give accurate accounts of events that they have witnessed. It is a frustrating fact that eye witness testimony is highly inaccurate. More often than not, people are mistaken in their recollections or they simply fail to tell the truth. But, with some reservations, we have learned to trust our surveillance recordings. Sure, analog videos and audio recordings can be tampered with. But almost universally, analysis of such tampered material exposes the fraud. Not so anymore!

Virtually every camera, video recorder and audio recorder on the planet is now digital. And it is theoretically possible to manipulate or totally forge digital recordings perfectly. Every year now, computer generated images and sounds used in movies are becoming more seamless and convincing. I see no reason at all why we couldn’t make totally realistic-appearing movies that contain not a single human actor or location shot. Just think of it: Jimmy Stewart and John Wayne, in their primes, with their own voices, starring in a brand new western of epic proportions! Awesome! And if Hollywood can do it, you can bet that a lot of other less reputable individuals can do it as well.

So what are we going to do about surveillance recordings (everything from ATMs and convenience store videos to recordings made by the FBI)? We won’t be able to trust that they are real or accurate anymore. Are we going to return to the old days of relying on eye witness testimony and the perceptiveness of juries? Are we going to let even more lying, larcenous and violent offenders off scot free than we are today? I don’t think we as a society will be able to tolerate that. After all, many crimes don’t produce any significant forensic evidence such as finger prints and DNA. Often, video and audio recordings are our only means of identifying the bad guys and what they do.

This means that we are going to have to find ways and means to certify that the digital recordings we make remain unaltered. (Do you see a new service industry in the offing)? The only thing I can think of to solve the problem is a service similar in many ways to the certificate authorities and token providers we use today. Trusted third parties that employ cryptographic techniques and other means to ensure that their equipment and recordings remain pristine.

But that still leaves the problem of the recordings of events that individuals make with their smart phones and camcorders. Can we in all good faith trust that these recordings are any more real than the surveillance recordings we are making today? These, too, are digital recordings and can theoretically be perfectly manipulated. But I can’t see the average Joe going through the hassle and spending the money necessary to certify their private recordings. I can’t see a way out of this part of the problem. Perhaps you can come up with some ideas that would work?

Thanks to John Davis for writing this post.


Yo, MSI Raps Podcast Episode 1

This is the latest version of Yo, MSI Raps. We have decided to make these episodes open to public finally, so we will start with this one.

This is an open round table discussion between members of the MSI Technical Team. It is candid, friendly and, we hope, interesting. 🙂

This time around, the team talks about privacy, the news around the NSA collection of data and impacts of surveillance on liberty. 

You can check out the podcast here!

Look for these sessions to be released more frequently and on topics that are in the news. We hope you enjoy them, and feel free to give us feedback via Twitter (@lbhuston or @microsolved) and/or via the comments section.

Thanks for listening!