Thursday, 29 January 2015

Happy Data Privacy Day!

January 28, 2015 marks the 8th Annual Data Privacy Day.  It is a day dedicated to raising awareness and promoting privacy and data protection best practices among users and businesses. Over the past several years, we have seen our online privacy rights eroded with our personal information compromised by hackers, thieves, big business and government. Actions and discussions related to keeping your personal information private on the internet should not be limited to one day a year, and there are many things you can do year round to protect your online identity and promote internet privacy rights in your country and internationally.

1.  Use a VPN Service like SumRando.
VPNs protect your internet privacy by encrypting your connection and anonymizing your IP address.  This prevents hackers and thieves, ISPs, and governments from gaining access to your personal information and what you do while you are online.  To learn more, check out our video about VPNs.

2.  Use strong passwords (and different passwords for different sites!).
Passwords like "password" or "12345678" are hardly secure: they are easy to guess by hand and even easier for password-cracking software.  When creating passwords, use a combination of capital and lowercase letters, numbers, and special characters.  Think of a phrase that will be easy for you to remember, and get creative.  For example, take the phrase "I love SumRando."  Make that a secure password that you can remember using different characters like "i70v3$umRand0!" or "1L0v3SumR@ndo*!".  Easy to remember, hard to crack.  (And don't use these example passwords!)

3.  Use Firefox or Google Chrome with enhanced browser privacy settings.
Firefox and Google Chrome have more advanced privacy features than other browsers, and despite some of their shortcomings (current issues with Super Cookies and switching between regular and private browsing), they are better than the alternative, insecure options.  Combining a secure browser with a VPN service helps to provide additional protection.

4.  Consider using an encrypted SMS-alternative like SumRando Messenger.
Did you know that normal SMS messages aren't encrypted, meaning your phone provider and anyone else who can gain access to your network can read along with your conversations?  Think about using an app that encrypts your text messaging, and better yet, use an app from a company you trust (WhatsApp and Facebook Messenger, two of the most popular SMS alternatives, are both owned by data-hungry Facebook) that has different privacy features - no required link to your device (think phone number requirements) and the ability to completely delete conversations.  SumRando Messenger does not require you to provide any personal information when creating and using an account, and it also has a feature that allows you to destroy a conversation - from your account and the recipient's account.

5.  Protect your personal information - full name, full birthdate, country ID information, etc.
Your personal identifying information is just that - personal.  It helps define who you are amongst the world’s 7 billion people.  With it, one can open accounts, obtain credit cards and forms of ID, and make purchases.  Be careful what, where and with whom you are sharing this information, as it is valuable information for thieves to steal and sell.

6.  Know your privacy settings on social media.
Social media was designed for us to be open.  We share everything from the exciting news of a new job to what we decided to have for dinner last night.  But have you ever paid attention to what you are sharing and where? On Facebook, if you see the little globe, that means whatever you are sharing is public to the world.  With Twitter, location information may be included in your tweets depending on your setting; all tweets are public unless you elect to "protect your tweets."  As a rule, make sure you take a look at your privacy settings, and know what and with whom you are sharing.

7.  Stand up for Internet Privacy.
There is an international movement working towards protecting Internet privacy.  Movements like ResetTheNet, Fight For the Future, and Data Privacy Day, along with other collective action, make demands on the international community and individual country legislators to take legal action and protect users’ privacy online.

The State of Cybersecurity in 2015

2014, the year of the cyber breach—think Target, Heartbleed, Home Depot, JP Morgan Chase, and, yes, Sony—has unsurprisingly led the United States to where it is today: with a president willing to move the conversation about cybersecurity to the forefront of politics. Last week, President Obama used his annual State of the Union address to set his agenda for 2015. “No foreign nation, no hacker, should be able to shut down our networks, steal our trade secrets, or invade the privacy of American families, especially our kids. We are making sure our government integrates intelligence to combat cyber threats, just as we have done to combat terrorism. And tonight, I urge this Congress to finally pass the legislation we need to better meet the evolving threat of cyber-attacks, combat identity theft, and protect our children's information,” he said.

Obama’s comments come amidst tangible action in Washington.  In the closing weeks of 2014, Congress passed several pieces of cybersecurity legislation, including the National Cybersecurity Protection Act of 2014, the Federal Information Security Modernization Act of 2014, the Cybersecurity Enhancement Act of 2014, and the Cybersecurity Workforce Assessment Act of 2014; this legislation will strengthen the ability of the public and private sectors to work together in preventing future cybersecurity breaches while also developing a more robust cybersecurity workforce.  Furthermore, Obama has planned a White House Cybersecurity Summit at Stanford University on February 13, which will provide an opportunity to develop further public-private sector collaboration and to explore cybersecurity best practices and technologies.

The legislation Obama referred to in his State of the Union address remains to be acted upon by a partisan Congress. The goals, however, are threefold: to encourage the private sector to share cyber threat information with the government through the use of liability protection for companies that adhere to consumer privacy protections; to strengthen the government’s ability to combat cybercrime by prosecuting the sale of botnets and criminalizing the sale of stolen financial information abroad; and to create a national standard for how and when companies report security breaches to the public.

Although cybersecurity experts are encouraged by Washington’s newfound urgency surrounding online privacy and security, many doubt politicians will be effective in creating a climate that will truly protect the public.  Increased sharing of information with the government assumes the government is a safe and secure place for information, which continues to demand blind trust from consumers while leaving them insecure.  Congress is tasked with reauthorizing parts of the Patriot Act by June 1, 2015. Until the American public knows the extent to which the National Security Agency (NSA) is authorized to conduct surveillance, it should be hesitant to support the government’s proposed information sharing. Additionally, cybersecurity professionals at companies such as Nexus-Guard and Social-Engineer, Inc. find Obama’s proposed legislation to be “scary as hell,” as it would turn the hacking done in the interest of protecting companies against cyberattacks into a criminal offense.

Obama was wise to refer to cyber-attacks as an “evolving threat” last Tuesday night.  However, he failed to recognize that partisan politics, slow-to-pass legislation, and business as usual will simply not keep up with cybersecurity’s evolving threats such that consumers will receive the security they deserve.

In an era in which the United States government is just beginning to grasp the significance of cybersecurity and has yet to produce a workable solution to protecting its citizens’ privacy and security, consumers everywhere need to take their online safety into their own hands. This Data Privacy Day, we urge you to take a look at the National Cyber Security Alliance’s provided resources to keep individuals and businesses secure in an otherwise well-intentioned but uncertain 2015.

Wednesday, 3 December 2014

Keep it secure, keep it safe

On November 6, 2014, the Electronic Frontier Foundation (EFF) released the Secure Messaging Scorecard in an effort to disclose the security and privacy capabilities of 39 messaging apps. Its findings, based on rating each app on seven different criteria, confirmed that many of today’s most widely used messaging services do not provide the level of security consumers need in order to protect themselves against internet surveillance, data collection, and snooping in general.

Messaging services whose names feature in everyday parlance—AIM, BlackBerry Messenger, Facebook Chat, Google Hangouts, SnapChat, Skype, Viber, WhatsApp, and Yahoo Messenger—do little more than encrypt communication while in transit. Such limited security leaves messages and conversations conducted through these platforms to be read by the provider and/or shared with the government. Despite their security concerns, the ease of accessibility and ubiquity of these apps have kept them in high demand thus far.

Last week, however, we were reminded that consumers will not need to choose between user-friendliness and security forever. WhatsApp’s ratings on the Secure Messaging Scorecard are arguably about to rise: on November 17, Open Whisper Systems announced a partnership with WhatsApp, as well as a plan to bring end-to-end encryption (unreadable messaging) to hundreds of millions of WhatsApp users. Security and usability, all in one. As stated on the Kaspersky Lab blog: “The bottom line with the WhatsApp crypto announcement is this: WhatsApp is among the most popular and valuable pure messaging services around. That they are starting to take security and privacy very seriously is great news, and hopefully WhatsApp’s competitors will soon follow WhatsApp’s lead.”

SumRando is part of a growing movement to make secure, easy-to-use messaging accessible to its client-base. SumRando Messenger is a real time chat app that encrypts your communication in transit and on our server. Our service is unique in that it automatically deletes most or all read messages (you decide) in addition to giving you the option to clear your entire conversation from both sides and from our server at any time. SumRando Messenger recognizes that its consumers do not want to sacrifice privacy or simplicity.

We encourage you to read about and download SumRando Messenger. As we continue to develop SumRando Messenger and add more features, we welcome your feedback at Help us make SumRando Messenger the secure, user-friendly experience that you know you deserve.

Thursday, 4 September 2014

Germany Considering New Cybersecurity Law

The German Government is considering a new cybersecurity law meant to strengthen existing protections with new minimum security standards for companies to follow.  About the law, InsidePrivacy (privacy analysis by Covington & Burling LLP) notes its resemblance to efforts across the EU, following much of the EU Directive on Network and Information Security (“NIS”).  A law similar to this effort had been considered in Germany last spring without success.

They report that the key difference between the EU directive and the German law is "the reporting obligations under the proposed IT Security Law go further than those in the NIS Directive and the German proposal contains additional obligations in particular for telecommunications providers and providers of commercial information society services."

Commenting on the draft of the law published by The German Federal Ministry of the Interior, InsidePrivacy describes the main objectives of the new law as the following:
  1. Improved IT security of companies: in particular, providers of critical infrastructures will be required to implement and maintain appropriate minimum organizational and technical security standards in order to ensure the proper operation and permanent availability of those infrastructures and to report significant IT security incidents.

  2. Protecting citizens online: Increased security standards but also additional information obligations vis-à-vis users/subscribers.

  3. Strengthening the Federal Office for Information Security (“BSI”): The BSI shall act as the national information security authority and centralized information hub with regard to any sort of cyber-attack or other impairment of information systems of critical infrastructures. For this purpose, the BSI will collect and analyze essential information in relation to IT security and inform operators of critical infrastructures and competent authorities, but can also provide information about providers’ compliance with security requirements and security incidents and liaise with third parties (such as providers) to identify and warn affected users. The BSI will publish technical guidelines on security measures.  Among other things, the BSI will be empowered to (i) investigate IT products, systems and services and to disclose and publish its evaluation of the security of the investigated products, systems and services; (ii) request from the providers of critical infrastructures a copy of audit and certification results prepared to prove compliance; (iii) request immediate removal of security defects.

  4. Expanding the competences of the Federal Criminal Police Office (BKA): the BKA will become competent for police tasks regarding the prosecution of cybercrimes insofar as they are directed against the security of Germany or certain vital facilities.

  5. Protecting the IT security of the German Government and federal administration: the BSI will obtain the power to issue mandatory requirements for the IT of the federal state.

The Government must approve the measure before it is sent to the parliament for approval.  To read more detail about the law -- its scope, its requirements for those in the private sector, among other things -- check out InsidePrivacy's detailed analysis.

Monday, 11 August 2014

Moving Past Privacy-Poaching Facebook Messenger

Facebook is again making privacy headlines.  Sources have discovered that Facebook's new Messenger app has a laughably invasive list of terms and conditions to which users must agree.  What is worse is that this app replaces the messaging services offered within the main Facebook app, trying to force millions of users to agree to terms no one should have to agree to.

According to The Toronto Star, the app can access personal information and also take action based on the data discovered.  For instance, users will allow the app to do the following:

  • Call phone numbers and send text messages without your intervention;

  • Record audio with the microphone, and take photos and videos with the camera, without your confirmation;

  • Read your phone’s call log.

By contrast, services like our SumRando Messenger are security-focused and privacy-protecting while still being easy to use and convenient on the go.  We have gone out of our way to design an app that protects users and those they message while other services continue to force unfair terms on their users.

You should not have to worry about anyone collecting information from you or taking invasive action based on that information.  In contrast to Facebook Messenger, these are a few of our specs:
  • Two forms of encryption (AES-256 and SSL) to keep your messages secure
  • No direct link between your phone number, device email address, or other identifying account; the decision on who you want to communicate with is strictly yours
  • Messages automatically deleted upon logout, with only 10 messages (if you do not clear your conversation) stored for future conversational reference.
See the difference?  We don't believe consumers should have to choose between privacy and convenience.  What remains striking is just how many major developers try to force consumers to make that choice.

The benefit of a story like this about Facebook Messenger is that it is a story that could attract millions of Facebook users to take privacy concerns seriously.  One of the largest social media and messaging companies in the world has taken a stand against privacy, and their users are retaliating.

What remains to be seen are two things: How many users will refuse this new Messenger app and what Facebook will do (if anything) to bring them back into the fold.

Wednesday, 6 August 2014

Cyber-exposed Thailand Prepares New Security Measures

It's no secret that Thailand lacks sufficient cyber infrastructure.  Rated third among the 10 worst countries for internet safety by UK security firm Sophos, Thailand experiences significant exposure to malware attacks.  Around 20.8% of PCs experience malware attacks in a span of three months.  To put that figure in perspective, the safest countries (Norway, Sweden, and Japan) range from 2.6 to 1.8%, and the most dangerous country (Indonesia) is only a little higher than Thailand at 23.5%.  Research has shown the country is additionally susceptible to ATM-related and government cyber attacks. (Needless to say, Thailand is somewhere you would want to use a VPN.)

[Image caption: Surangkana Wayuparb, Director of Thailand's Electronic Transactions Development Agency]

Thailand made headlines this week when Surangkana Wayuparb, Director of the country's Electronic Transactions Development Agency, addressed the Regional Asia Information Security Exchange Forum in Bangkok.  Bangkok Post reports that Surangkana told those in attendance, "All these world records reflect that Thailand urgently needs to set up a national computer emergency response team (Cert) as a command centre to manage and collaborate on national cybersecurity threats and cyberwarfare... Cyberattacks pose a serious challenge to people at all levels, from end-users to enterprises and government agencies."

According to the Bangkok Post:

“Surangkana said information security threats were no longer only technical dangers. They can have a major effect on the country's economy and national physical security. "Cyberattacks pose a serious challenge to people at all levels, from end-users to enterprises and government agencies,” Surangkana said… The ETDA [will] propose a national Cert to the junta. If approved, the ETDA expects a centre will be created by year-end. The creation of a national Cert is expected to upgrade the ETDA's existing computer emergency response team to a full national command centre, she said.”

Read more about Thailand's cybersecurity plans at Bangkok Post.

Saturday, 26 July 2014

AddThis Tests 'Canvas Fingerprint' to Replace Cookies in 5,000+ Popular Sites

A study conducted by Princeton University and Belgium’s KU Leuven University revealed that more than 5,000 of the top websites in the world have been testing "canvas fingerprint" technology, intended to replace cookies for tracking user data, with most of them using the popular widget AddThis.

ProPublica insists that canvas fingerprints are "nearly impossible to block," and PC World describes the technology with the following:
"An invisible image was sent to the browser, which rendered it and sent data back to the server. That data can then be used to create a 'fingerprint' of the computer, which could be useful for identifying the computer and serving targeted advertisements."
AddThis Chief Executive Rich Harris accounted for their testing by saying they were seeking a "cookie alternative." According to ProPublica, Harris "considered the privacy implications of canvas fingerprinting before launching the test, but decided 'this is well within the rules and regulations and laws and policies that we have.'"

Cookies have been around since the 1990s, and many internet users have routinely started to circumvent their influence.  Canvas fingerprints signaled the potential to track users' history in more covert ways, and AddThis appears to have tested their efficacy on thousands of sites, including and YouPorn.

ProPublica explains, "[Canvas] fingerprints are unusually hard to block: They can’t be prevented by using standard Web browser privacy settings or using anti-tracking tools such as AdBlock Plus." You can test the technology yourself with ProPublica's Canvas Fingerprinting in Action feature, which shows the image your browser produces and the unique ID number it is translated into.

Below is an example, using ProPublica's feature:

In order to curb the effects of canvas fingerprinting, ProPublica suggests the following strategies:
  • Use the Tor browser (Warning: can be slow)
  • Block JavaScript from loading in your browser (Warning: breaks a lot of web sites)
  • Use the NoScript browser extension to block JavaScript from known fingerprinters such as AddThis (Warning: requires a lot of research and decision-making)
  • Use a browser extension that blocks JavaScript from known ad tracking companies such as AddThis. Extensions include Disconnect or the AdBlockPlus browser extension with the EasyPrivacy filter installed. (Warning: Only blocks known ad tracking companies; other websites could still employ canvas fingerprinting)
  • Try the experimental browser extension Chameleon that is designed to block fingerprinting (Warning: only recommended for tech-savvy users at this point)
  • Install opt-out cookies from known fingerprinters such as AddThis (Warning: fingerprint will likely still be collected, companies simply pledge not to use the data for ad targeting or personalization)
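The render-then-read-back sequence that PC World describes is also the point where a browser-side defence can intervene, which is what extensions like Chameleon do. The following is an added example, not code from ProPublica, AddThis, Chameleon or SumRando: a guard that wraps the canvas read-back methods, flags pixel reads from a canvas that was never attached to the page (the "invisible image"), and optionally hands back blank data. The `FakeCanvas` and `FakeContext` classes are constructed stand-ins so the example runs under Node without a DOM; in a browser content script you would pass `HTMLCanvasElement.prototype` and `CanvasRenderingContext2D.prototype` instead. The single "not connected to the document" heuristic and the blank `data:,` return value are simplifications chosen for this example.

```javascript
// Added example (not ProPublica's, AddThis's, Chameleon's or SumRando's code).
// A fingerprinting script draws text into a canvas the user never sees, reads
// the pixels back with toDataURL() or getImageData(), and hashes the bytes,
// which differ slightly per GPU, driver and font stack. This guard wraps the
// read-back methods and flags reads from canvases that are not in the document.

// Heuristic (a simplification): a canvas that is not attached to the DOM is
// invisible, so a script reading its pixels is more likely fingerprinting than
// showing a chart. Real extensions add more signals (canvas size, text drawn
// just before the read, caller origin); this example keeps one rule.
function looksLikeFingerprintRead(canvas) {
  return !canvas.isConnected; // Node.isConnected in a real browser
}

// canvasProto:   HTMLCanvasElement.prototype in a browser
// contextProto:  CanvasRenderingContext2D.prototype in a browser
// options.block: true to return blank data instead of the real pixels
// options.report: optional callback receiving each log entry
function installCanvasReadGuard(canvasProto, contextProto, options = {}) {
  const block = Boolean(options.block);
  const originalToDataURL = canvasProto.toDataURL;
  const originalGetImageData = contextProto.getImageData;
  const log = [];

  function record(method, canvas) {
    const suspicious = looksLikeFingerprintRead(canvas);
    const entry = { method, width: canvas.width, height: canvas.height,
                    suspicious, blocked: suspicious && block };
    log.push(entry);
    if (options.report) options.report(entry);
    return entry.blocked;
  }

  canvasProto.toDataURL = function (...args) {
    // Empty data URL: carries nothing machine-specific
    if (record('toDataURL', this)) return 'data:,';
    return originalToDataURL.apply(this, args);
  };
  contextProto.getImageData = function (sx, sy, sw, sh, ...rest) {
    if (record('getImageData', this.canvas)) {
      // All-zero pixels are identical on every machine, so useless as an ID
      return { width: sw, height: sh, data: new Uint8ClampedArray(sw * sh * 4) };
    }
    return originalGetImageData.call(this, sx, sy, sw, sh, ...rest);
  };

  return {
    log,
    uninstall() {
      canvasProto.toDataURL = originalToDataURL;
      contextProto.getImageData = originalGetImageData;
    },
  };
}

// Constructed stand-ins so the example runs under Node, where there is no DOM.
// They imitate only the members the guard touches.
class FakeContext {
  constructor(canvas) { this.canvas = canvas; }
  fillText() {}
  getImageData(sx, sy, sw, sh) {
    return { width: sw, height: sh, data: new Uint8ClampedArray(sw * sh * 4).fill(200) };
  }
}
class FakeCanvas {
  constructor(width, height, attached) {
    this.width = width; this.height = height; this.isConnected = attached;
  }
  getContext() { return new FakeContext(this); }
  toDataURL() { return 'data:image/png;base64,CONSTRUCTED'; }
}

// Replays the steps a fingerprinting script takes (draw text, read pixels) on
// a hidden canvas, then a legitimate read on a visible one; returns the log.
function demo(block) {
  const guard = installCanvasReadGuard(FakeCanvas.prototype, FakeContext.prototype, { block });
  const hidden = new FakeCanvas(220, 30, false);      // never appended to the page
  hidden.getContext('2d').fillText('Cwm fjordbank glyphs vext quiz', 2, 15);
  const hiddenUrl = hidden.toDataURL();
  const visible = new FakeCanvas(640, 480, true);      // part of the page, e.g. a chart
  const pixels = visible.getContext('2d').getImageData(0, 0, 2, 2);
  guard.uninstall();
  return { log: guard.log, hiddenUrl, pixels };
}

const result = demo(true);
for (const entry of result.log) console.log(entry);
```

Running it logs one suspicious, blocked `toDataURL` read on the hidden 220x30 canvas and one unflagged `getImageData` read on the visible canvas, which is why reporting mode is useful on its own: it shows which scripts on a page read back canvases the user never sees, before you decide whether blocking them breaks anything.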