For the most part, everyone that I speak with has come to accept the possibility that the Internet knows much more about them than they might think. Their acceptance (which ranges from grudging to incredibly blasé) of a faceless, amorphous entity known as “the Internet” being more familiar with them than their neighbors is made acceptable exactly because the Internet has achieved that same omniscient and omnipresent position as “the Government” or “the CIA” or, dare we say, God him/her/itself. These entities are out there, both comforting and ominous, but not personal, not sitting right next to you.
Perhaps we’ve been doing this wrong.
People aren’t scared, upset or even bothered anymore when we tell them their privacy has been invaded by the “Internet”. In truth, that’s a kindness, because the specifics are much more disturbing. A security researcher just uncovered a veritable treasure trove of personal information on nearly 340 million Americans, i.e., all of us. This information was being hosted in an unsecured database by marketing firm Exactis, and it holds close to 2 terabytes of data. And unfortunately for all of us, it’s much worse than credit cards and social security numbers. Instead, it’s much more personal, such as home addresses and phone numbers, number of children in the family, interests, hobbies, habits, shopping preferences, up to 400 variables on each person in their database, including whether they are a smoker, how many pets and what type, and yes, religious affiliation.
If you ever question how online advertising could be so specific, wonder no more. The marketing firms know where their bread is buttered, and firms like Cambridge Analytica and Exactis are sacrificing your privacy on the altar of data aggregation for the almighty dollar. How does one fight back? Make sure you understand where your local congress critter stands on matters like privacy, encryption and regulatory enforcement on failures like the massive Equifax breach for which exactly zero justice or compensation was delivered.
Get out and vote.
I’ve mentioned the breach monitoring service “Have I Been Pwned” several times in past articles, and it continues to be a valuable service in finding out if any of my credentials have been exposed in any of the numerous breaches that have occurred over the past 7 years, as well as any new breaches that occur going forward. What’s disheartening for folks like me who have a keen interest in cyber security is that though this service is free, Have I Been Pwned only has 2M subscribers, out of a possible 3.6B unique email addresses in their database, meaning that less than 1% of potential users are utilizing the service. Hopefully that will change now that both web browser Firefox and password manager 1Password will start to heavily feature HIBP lookups directly in their interfaces.
What this means for you
Because they know I manage many hundreds of passwords as part of my business, my clients always ask me which password manager I use. Unfortunately for them, I can’t recommend Passpack, primarily because it isn’t designed for the average consumer. In the past, I’ve recommended LastPass or Dashlane, but with 1Password’s built-in integration of HIBP look-ups and wide availability on all major platforms, it seems like an obvious recommendation, to the point where I am considering migrating our business password management to them. Keep in mind that it’s not free, but there are family and team plans in case you feel like leading the way for your corner of the internet.
I’m also asked frequently about which web browser to use. Up until recently, I was a huge Google Chrome advocate, and I still use it on a regular basis on one of my laptops, but I have recently switched to Mozilla Firefox as my main workhorse browser, primarily for the expanding set of security and privacy features like the above-mentioned HIBP integration and Firefox’s own identity containers, which can help to stop advertisers from snooping on your cookies and history while you surf the web. It’s also very fast and a bit better at managing its RAM usage, unlike Chrome and Microsoft’s Edge, both of which are notorious memory hogs. If you are considering switching to Firefox, keep in mind that there are still some sites and services, especially in-house business solutions, that may not run consistently, so always know where your Internet Explorer and Chrome shortcuts reside in case you need to fall back to another browser. Fortunately, all three can safely co-exist, so it’s worth giving it a spin.
Finally, if you haven’t added your email address to Have I Been Pwned, you really should, even if you are afraid of what you might find out. The initial dismay is worth the longer-term gains in security.
A lot of my friends and colleagues are always surprised that I don’t have more gadgets around my house, especially items like Amazon’s Alexa or Google Home, seeing as I am a long-time customer of both mega-companies and utilize many of their services on a daily basis. Those of you who have been paying attention know that I’m pretty keen on privacy, and have also seen me write on the topic time and time again, mostly because companies like the aforementioned sometimes have trouble respecting our right to privacy. It’s not that I have something to hide, it’s that I am very specific about what I want to share, and that does not include sharing private family conversations with a work acquaintance, which seems to be what happened to a Seattle couple via their Amazon Echo device.
Entre nous becomes menage a trois
What many fail to truly understand is that in order for any voice-activated device to work, it must always be listening to everyone nearby, waiting for its moment to shine. In the case of the incident mentioned above, the Echo device thought it heard its vocal trigger, “Alexa” (or something phonetically similar), woke up, then heard another trigger, “Send a message,” which caused it to start recording what it thought was a legitimate message, which it then dutifully sent on to the unintended recipient. The couple had no idea their conversation was recorded and were only clued in when the unintentional eavesdropper called them to warn them about the incident.
How many times has your phone (iPhone or Android) self-activated because it thought it heard its vocal cue? Mine does this about 2-3 times a month, mainly because it hears (or thinks it hears) me saying “OK” and “Google” all the time, when in fact I’m just having a conversation with someone nearby. It has even self-activated because of audio from a podcast or song, which is really weird and creepy sometimes. Hackers have demonstrated the ability to completely compromise late-model devices, and it’s a known intelligence exploit to compromise a surveillance subject’s phone explicitly for the purpose of turning on the microphone as the ultimate audio bug. We carry these devices everywhere, and now they are in our most private spaces. It’s just you and me, and the internet now.
What scant regulation we have as a country that protects our personal privacy is mostly built around the concept of “Personally Identifiable Information” which, according to Wikipedia, is “…information that can be used on its own or with other information to identify, contact, or locate a single person, or to identify an individual in context.” If you think of PII at all (most of us don’t as a rule, which is part of the problem) you may enumerate bits like date of birth, social security number, mother’s maiden name, street address, phone number, etc. While those definitely qualify as PII, there is a ton of other information that falls into this category that the average person wouldn’t necessarily consider sensitive, such as a Twitter or Instagram account name, which without context seems harmless. Thanks to the internet and data aggregation, everything can be connected, and now that pretty much all of our information is stored digitally, it is more readily stolen. A recent breach of DNA-testing firm MyHeritage put us one step closer to a dystopian future where the security and privacy of our own genetics will be at risk.
What this means for you
Fortunately for its 92 million customers, their DNA information wasn’t stolen, just encrypted emails and passwords. One could ask what sort of world we are living in that this constitutes (relatively) good news, but in the face of the massive Equifax debacle with zero consequences for any of the culpable, it seems that having your account and password stolen from yet another online service provider now counts as the new normal. As horrifying as that is, consider the nightmare scenario where not only are your DNA test results available somewhere on the internet, but an insurance or mortgage company has bought this info and is using it in their underwriting process to evaluate your qualifications. It doesn’t matter that the information was originally acquired illegally or without your consent; there are no laws or regulations currently on the books that govern the use of genetic data, and judging from recent legislation coming out of Congress there is currently little interest in protecting the average citizen from anything, let alone an issue over which most Congress critters have an incomplete grasp. What’s to be done? Definitely don’t stop being outraged at yet another massive data breach that will largely go unnoticed by everyone. Make sure you understand where your government representatives stand on data privacy, and if it doesn’t match your standards, demonstrate your disapproval with your voting hand.
It’s been a solid three weeks since Facebook last graced our blog, but just like the proverbial bad penny, it just can’t stop turning up in the news for all the wrong reasons. There is a worn adage that claims there is no such thing as bad PR, but in Facebook’s case, I’m betting they’d rather stay out of the spotlight for a little longer. During CEO Mark Zuckerberg’s grueling congressional testimony earlier this year, Mr. Zuckerberg assured senators that Facebook users had complete control over who sees their data as well as how they share it. In a recent interview with the NY Times, Facebook has now owned up to previously undisclosed data-sharing relationships with four Chinese manufacturers, including Huawei, which is viewed by American intelligence officials as a national security “threat” due to its close ties with the Chinese government.
What this means for you
According to an agreement Facebook entered into with the Federal Trade Commission in 2011, Facebook is not allowed to override a user’s privacy settings without first getting explicit consent. As part of the partnership agreement with these manufacturers – Huawei, Lenovo, Oppo and TCL – Facebook granted these partners privileged access to data collected through Facebook apps installed on their devices, even to the point of overriding the user’s explicit denial of access. Facebook executives have argued that they adhered to the letter of the 2011 consent decree because the data in question (your data, your friends’ data, and your friends’ friends’ data) never actually leaves the device, and is only used “locally” to power applications and social media platforms. I’m no lawyer, but that sounds like splitting hairs, and as has been amply demonstrated by the Cambridge Analytica debacle (not even 2 months old, mind you!), relying on a partner company to adhere to Facebook’s privacy policies is not guaranteed, nor apparently something Facebook can even enforce, once again demonstrating a clear gap in trustworthiness. Should you continue to use Facebook? Only as long as you keep your eyes open to the fact that Facebook might not be as transparent as they promise, even in the face of Congressional scrutiny and, more importantly, the watchful eye of journalistic rigor.
Unfortunately for the information security industry, a lot of other news was breaking this past Memorial Day weekend, so it’s entirely possible that you missed a PSA, tweet or even email from the Federal Bureau of Investigation asking you, citizen, to please reboot your SOHO (Small Office/Home Office) router, and to also disable remote management (if enabled) on the device. Apparently, up to half a million routers from Linksys, MikroTik, NetGear and TP-Link, as well as network attached storage (NAS) devices from QNAP, are impacted by this malware threat, which has spread to 54 countries around the world. Initial analysis pins the blame on the Advanced Persistent Threat (APT) group APT28, or “Fancy Bear” – the same group accused of perpetrating the attacks on the Democratic National Committee in 2016.
What this means for you
If you happen to be one of our managed firewall clients, you are not impacted by this version of VPNFilter malware. However, if you happen to be powered by one of these listed devices, you should contact us immediately to discuss short and long term security implications:
Mikrotik RouterOS Versions for Cloud Core Routers:
- TS439 Pro
Researchers are still trying to determine exactly what this attack platform is meant to do, but they have confirmed that it can collect confidential information (such as website logins) and has a self-destruct code that can literally render affected devices inoperable, possibly permanently.
In the short term, rebooting the router will eliminate a part of the threat, but if the device is compromised, the only way to remove the rest of the malware is to completely factory reset the device (or replace it), which means you will have to reprogram it to get connected back to the internet. If you’ve not done this before (and even if you have), this may not be straightforward and can be very disruptive to your operations. Most professional environments, especially offices with servers, may have configurations that are modified from the “vanilla” settings provided by a factory reset, and unless you have a backup or written documentation, may be difficult to reproduce quickly or without a lot of trial and error. Make sure you consult with a technology professional before pushing the factory reset button on your device.
Image courtesy of Nat_Stocker at FreeDigitalPhotos.net
Over the past 2 weeks, all of you have probably been beset with numerous emails from the various websites and online services with whom you regularly (or even infrequently) interact, notifying you that their terms of service/use or privacy policies have changed. Depending on how closely you may be paying attention to the ceaseless flood of data we call our inboxes these days, this might have struck you as rather odd. You might have also noticed a common set of letters sprinkled throughout these emails, “GDPR”, an unfamiliar acronym that seems to have an inordinate amount of influence over all of these companies, including ones we all assumed determined what exactly we could view as private or public. In this case, this particular bit of alphabet soup stands for “General Data Protection Regulation” and it is a new set of rules that govern how EU citizen data should be handled globally, starting May 25, 2018.
For the most part, the GDPR only governs data protection and privacy for EU and EEA citizens, and is designed to provide better protection and control of their personal data to those individuals, as well as unify the regulatory environment for international organizations that collect and use that data. Without diving into the gory details, the core intent of the GDPR is to require any organization that handles data generated by EU/EEA individuals to clearly disclose what, how and why data is being collected, how long it will be retained and whether it is being shared with third parties. These same users have a right to request a copy of the data collected, and in certain appropriate circumstances, request to have that data erased or removed.
What does this mean for Americans?
While you may think this should have zero impact on you as an American citizen, there are two things to consider. We all interact with businesses and organizations that operate globally. You could probably name 5 companies that have specifically changed their policies to comply with GDPR by scanning your inbox: Facebook, Google, Twitter, Instagram, and Microsoft are just a few of the ones in mine. The “side-effect” of these companies reshaping their operations to comply with GDPR means an improvement for users in terms of privacy and security for everyone, regardless of country. Though some companies may make changes to only their non-US operations and processes due to budgetary or resource constraints, it typically makes better long-term sense to streamline or consolidate operations around the most secure and compliant technologies. A rising tide of privacy protection raises all boats.
Image courtesy of Stuart Miles from FreeDigitalPhotos.net
I’d like to say we actually went a few weeks without having to talk about Facebook because they weren’t in the news, but in reality, they were. I was just exhausted with the punishment they have been taking in the media ring, and rang the bell out of mercy rather than letting them continue to get pounded, at least on this blog. But break time is over and it’s time to lace up. Facebook did come out swinging earlier this week, publicizing their last quarter’s efforts to clean the place up: over half a billion fake accounts have been banned since the start of 2018, and they have removed nearly one billion posts that violated the social media giant’s guidelines. But the wind was snatched from their sails with news of yet another breach of user privacy, as researchers at New Scientist uncovered a leak of three million users’ extremely confidential data gathered by an app called My Personality. The app, designed by psychometric researchers affiliated with Cambridge University, gathered in-depth psychological data on over six million users, half of whom agreed to share their data anonymously with third parties for research purposes.
Pinky-swear to keep this data confidential?
While I’m sure they didn’t intend to out three million people to the internet, a class project uploaded to a popular code-sharing website by university students was found to contain a login and password to the protected database built by the My Personality team. Whoops. And that data was there, available for the public to access, for 4 years. Double-whoops. Here’s the thing: in order to gain access to this data originally, one had to register for access, and was supposedly bound by a strict confidentiality clause. Two hundred and eighty people from 150 companies did register, but you can bet at least an equal number (and probably many more) did not, once they discovered the “backdoor” uploaded to GitHub. And the thing with data is, once it’s out of the barn, there is no telling where it went from there. There’s a hard lesson to be learned from all of this: it’s extremely difficult to control data once you relinquish any control over it, and this control all but vanishes literally one step from that first line of control, as the scope of managing the chain of custody expands exponentially. You can liken this to the old party game of “Telephone”, but instead of the message getting muddled with each person, the security and responsibility get hopelessly mangled literally in the next whispered exchange.
The concept of a virtual assistant isn’t new – the practice has been around for easily a decade, if not longer, and was traditionally taken to describe someone hired to work as a personal assistant who wasn’t physically located near the person they were assisting. Initially received very coolly, the practice has become fairly commonplace, though somewhat outmoded now by easier-to-use technology and the internet itself, both of which enabled the concept of a virtual assistant in the first place.
When Google and Apple introduced their voice-activated “assistants” there was a thought that our smartphones might actually be able to act as, well, real assistants. Heck, I was counting on it, given the amount of time I’m stuck in traffic. And sadly, we found that both platforms, as well as the many copy-cats and voice-enabled apps that followed, were barely usable on a good day, and more often a source of amusement than anything else. Amazon’s Alexa is perhaps the closest we’ve come to having a useful, voice-activated device, maybe until now. Google’s CEO Sundar Pichai demonstrated Google Assistant scheduling an appointment via phone as part of the Google I/O Conference keynote, and it’s an exciting glimpse into the future some of us have always dreamed of.
Would you take a call from a truly virtual assistant? What if you didn’t know the person on the other end wasn’t human? More importantly, would you trust Google to set your calendar for you? I’m willing to give it a try!
While I know I should be grateful that it’s a slow news week for technology, it makes writing this blog a little challenging. However there are a few bits of news that may be of interest to at least some of you. Taken individually, each item is probably not worth more than a “Hmph” from the average reader. Together they form a lumpy potpourri of cautionary tales that only serve to highlight our favorite elephant on the internet.
No one should be surprised that if you put a wifi-enabled infotainment system in a new car, someone is going to try to hack it. Dutch researchers from Computest did just that, and succeeded in compromising the system significantly by gaining access to the root account of the in-vehicle infotainment system, which allowed them to view various telemetry data including current and previous locations, address books and even the car’s microphone. Additionally, the researchers hypothesized that they could have accessed the car’s acceleration and braking systems, but stopped short of doing so for fear of being sued by VW. To its credit, VW’s engineers took Computest’s findings under advisement and have supposedly plugged the holes for certain models, but it’s unclear how they would handle the millions of cars on the road that do not have the means for an over-the-air update to patch the vulnerabilities. Researchers also concluded that Volkswagen, prior to Computest’s discovery, had not properly tested the infotainment system for these types of security issues. Volkswagen excuses this failing as part of their transition from automaker to “mobility provider”, which only serves to highlight how big companies, to this day, struggle to balance profit with security.
Surprising: The Internal Revenue Service online tax submission platform went down on April 17. I don’t remember this happening in recent years, and their track record may go as far back as when they first started taking digital submissions in 1986.
Not Surprising: The reason the IRS went down – a core computing platform reliant on technology built in the 1960s. That’s right, the IRS processes some of its data on technology that’s over 50 years old. I can’t even wrap my head around how they can actually keep that technology going when we struggle to keep two-year-old laptops functional. This is the organization that handles our tax dollars, at “work”. However, I do concede that replacing the ancient mainframe powering the IRS is probably akin to performing open-heart surgery on oneself while keeping pace in the Boston Marathon – not a casual undertaking, and something that can only be done once. You’d think they have enough money for this, but apparently the project to do just that is millions of dollars over budget and years behind schedule. Surprise, surprise.