Tuesday 3 December 2013

Privacy Revolution Resolution

Internet governance took a positive step, albeit in a non-binding direction on Wednesday. When the United Nations passed The Right to Privacy in the Digital Age, it finally addressed concerns weighing heavily on everyone’s mind in the aftermath of the NSA leaks.

The need to convene and contend with reckless espionage was clearly the result of recent phone taps affecting heads of state coming to light. The German and Brazilian delegations that co-sponsored the resolution probably debated names like, “The Right to Privacy from the Nosy U.S. in the Digital Age,” before settling on the current, less accusatory version.

The resolution gave representatives the chance to generate a discussion and ideally move the issue of online privacy to a more prominent position.

Comments ranged from thoughtful to semi-unrelated:

Sweden expressed disappointment that a stipulation to the "enjoyment of all human rights, online and offline, including the freedom of expression and the right to privacy" had not been included.

North Korea, meanwhile, suggested other countries "should...abstain from talking about human rights violations in other countries," essentially saying, “we aren’t the only ones violating human rights on a daily basis, so back off.”

Which leads to the overarching problem: our privacy rights as individuals were not the primary motivator or point of this resolution. In the current resolution, the average citizen's right to privacy was too quickly conflated with government rights and national autonomy. Representatives referenced the sinister reality that Edward Snowden’s classified documents revealed. But it is certainly the erosion of the average citizen’s privacy rights that should concern us.

As the internet grows out of its adolescence and becomes an integral part of all of our lives, the question of how to maintain control grows more unsettling. This resolution sounds nice and may give some much needed venting time to ticked-off member nations, but it is a shadow of a plan for what to do next. It's time for governments to take an aggressive approach to protecting the rights of those who don't deserve unwarranted surveillance. Until then, individuals will need to sort out their own privacy and security solutions.

Monday 2 December 2013

Cybersecurity Monday Offer!

Save 50% on Gold and Platinum plans and Stay Secure Online today, tomorrow and all year round

Is your connection secure? Are hackers keeping you up at night? Forgo the worrying and take advantage of Cyber Monday generosity.

SumRando has a soft spot for Cyber Monday. Use the CYBERMONDAY coupon code and you will get a whopping 50% off an upgraded account. You have until midnight Tuesday night... days are a bit longer at SumRando.


The SumRando Team

Thursday 7 November 2013

SumRando Scares Up Some New Plans

The SumRando ghost has been hard at work scaring up some extra cyberspace and we are pleased to announce our brand new plans.

New Plans
  • FREE - No one’s left out in the rain: 1GB of data for Free!
  • SumRando Gold - 10GB for 100 South African Rand (approximately 7 Euro).
  • SumRando Platinum - UNLIMITED data for only 200 Rand (approximately 15 Euro).

As always, all of the SumRando plans include:
  • Access to nodes in Sweden, New York, Hong Kong, Brazil and Turkey
  • High Level Encryption
  • Absolutely No Logging

Our new SumRando plans are available now. And as a thank you for keeping up to date on cyber news on our blog, we are offering you 25% off the plan of your choice! Click here to create a new account or upgrade and enter the coupon code PRIVATEPARTS.

Thursday 17 October 2013

iPhone's Fingerprint Scanner is Already Hacked

For some time now, security experts have been hailing the “death of the password” and advocating for alternative security systems – especially biometric systems like fingerprint scanners. And when Apple unveiled that the new iPhone 5s included a fingerprint scanner, it seemed it might be the beginning of the end for the traditional password. Unfortunately, as German hacker Starbug was quick to demonstrate, Apple’s new fingerprint scanner is hardly fool-proof.
With relatively basic equipment, Starbug was able to beat Apple’s fingerprint scanner only 48 hours after the new iPhone’s debut.
“It's very easy. You basically can do it at home with inexpensive office equipment like an image scanner, a laser printer, and a kit for etching PCBs. And it will only take you a couple of hours. The techniques are actually several years old and are readily available on the Internet,” Starbug said in an interview with Ars Technica.

Starbug went on to explain the issues associated with mobile security.
“Passwords are no problem at all as long as they are long enough and someone had a look into the algorithms [used to store them] and their implementation. In fact, long, complex passwords, which can also be configured on iOS devices, offer a sufficient level of security. The problem is finding the right balance between convenience for the user and security. No normal person wants to be confronted with a 20-character password every single time they want to do something on their phone. On the other hand, today's smartphones contain a great amount of personal data where many would say that even a four-digit [PIN] is also insufficient.”
Of course, there are other biometric options like iris scanners and voice recognition systems in development that don’t depend on fingerprints and many experts believe these might offer a substantial boost in security.

However, biometric security also poses problems outside of reliability. When a password is cracked, the user only needs to create a new one to regain security. Biometrics, on the other hand, are effectively impossible to alter, so if someone finds a way to crack your security, creating a new scheme could be complicated.

You can try SumRando for free here.

Friday 20 September 2013

Vodafone Hacked! Over 2 Million Users Exposed

For a while now, we’ve been pushing the point that we can no longer trust established businesses and institutions to properly safeguard our data. If you doubted us, here’s some more evidence.

News broke last Thursday that a Vodafone server in Germany was hacked and the names, addresses, birth dates and bank account numbers of approximately 2 million customers have been exposed.

According to the latest statement from Vodafone (in German), it appears hackers were unable to access other sensitive details like passwords and credit card numbers, but the information that was exposed should certainly be cause for concern.

As Vodafone explained in their (translated) statement, "It is virtually impossible to use the data to get direct access to the bank accounts of those affected." And that’s true. It is also true, however, that the leaked information could be enough to distribute very convincing, but fraudulent phishing emails and phone calls that encourage customers to hand over key access information like passwords that could ultimately give hackers full access to bank accounts.

The exact timing of the attack has not yet been made public, but the German branch of Vodafone said police have identified a suspect and began notifying customers on Thursday that their information may have been compromised.

Sadly, this is the type of attack that is very difficult for the end user to prevent. But it should also act as a reminder that our digital security is constantly exposed to very real and potentially damaging threats. If you aren’t yet taking practical measures to safeguard your personal data, it’s time to start.


Tuesday 10 September 2013

Google Docs Phishing Attack Puts All Your Online Data at Risk

Just over a week ago, we warned you about putting all your digital eggs in one service provider's basket. This week, the universe decided to back up our argument as cyber-scammers unleashed a large-scale phishing attack that pretended to be a "Secure Document" sent through Google Docs.  

The email reads:

Hello, A Secure Document was sent to you by your financial institute using Google Docs. Follow the link below to visit Google Docs webpage to view your Document Follow Here. The Document is said to be important. Regards. Happy Emailing, The Gmail Team 

Readers who click the link in the email are taken to a fraudulent Google login page that's actually hosted in Thailand. The page asks users to input their email address and password. Bonus: according to the fake login page, Google Docs now supports users from other email providers including Yahoo!, AOL, Hotmail, and others; so phishees can feel free to submit any email address they might have. Unfortunately, as the Sophos researchers who discovered the attack put it, filling out the form "can only end in tears."

Remember, falling for an attack like this doesn't just put your email at risk. Many services including online banking use your email address to verify your identity when you forget your password or username, so in many instances, unauthorized email access can put other data in jeopardy. Furthermore, as we previously mentioned, many users treat Google as a hub for their digital content with services like Google Docs and Google Calendar. If you have sensitive data in either of these services, you've just been compromised.
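The check a mail filter or a cautious reader can apply to the link in such an email, shown as an added Python example that is not part of the original post: a link that claims to lead to a Google sign-in page should be HTTPS and its host should sit under a Google domain. The `EXPECTED_DOMAINS` list, the function names and every host in the sample email are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: the only domain a real Google sign-in or Docs link should use.
EXPECTED_DOMAINS = ("google.com",)

class LinkCollector(HTMLParser):
    """Collect every href found in an HTML e-mail body."""
    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            href = dict(attrs).get("href")
            if href:
                self.links.append(href)

def check_link(url, expected=EXPECTED_DOMAINS):
    """Return (ok, reason) for a link that claims to lead to the expected brand."""
    parts = urlsplit(url.strip())
    if parts.scheme != "https":
        return False, "not https"
    # .hostname drops any user:pass@ prefix and the port, and lower-cases the host.
    host = (parts.hostname or "").rstrip(".")
    if not host:
        return False, "no host"
    if not host.isascii() or any(l.startswith("xn--") for l in host.split(".")):
        return False, "internationalised look-alike host"
    for domain in expected:
        # Exact match or a true subdomain; "google.com.example" must not pass.
        if host == domain or host.endswith("." + domain):
            return True, "host belongs to " + domain
    return False, "host " + host + " is not under an expected domain"

def suspicious_links(html_body):
    """List (url, reason) for the links in an e-mail body that fail check_link."""
    collector = LinkCollector()
    collector.feed(html_body)
    results = [(u, check_link(u)) for u in collector.links]
    return [(u, reason) for u, (ok, reason) in results if not ok]

# Constructed sample modelled on the e-mail quoted above; the hosts are made up.
SAMPLE = """
<p>A Secure Document was sent to you by your financial institute using Google Docs.
<a href="http://docs.google.com.secure-view.example/login">Follow Here</a></p>
<a href="https://accounts.google.com@signin.example.net/">Sign in</a>
<a href="https://docs.google.com/document/d/abc">Real link</a>
"""

if __name__ == "__main__":
    for url, reason in suspicious_links(SAMPLE):
        print(url, "->", reason)
```

A host that passes this check only shows where the link leads; it says nothing about whether the sender of the email is genuine.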

Friday 30 August 2013

Google is Unrolling Personalised Search. Should you use it?

When it comes to digital security, it’s a mistake to put all your eggs in one basket. Don’t use the same password for more than one account; don’t use the same browser for banking and surfing; and don’t use the same company for your email, search and storage needs.

Google, however, has other plans. The tech giant announced it will unroll an invasive personalised search functionality that will effectively integrate users’ Gmail, Google Calendar and Google+ accounts with Google Search.

Google provided a few examples of the system's functionality on their blog. 
  • Flights: Ask Google “Is my flight on time?” to get info on your upcoming flights and live status on your current flights. 
  • Reservations: Ask for “my reservations” to see your dining plans or “my hotel” to get your hotel name and address. With one tap, you can get driving or public transit directions straight to your destination, saving you lots of steps.
  • Purchases: Ask for “my purchases,” and you’ll get the status of your current orders, so you know whether your mom’s birthday present will arrive on time.
  • Plans: Ask Google “What are my plans for tomorrow?” to see a summary of upcoming flights, hotels, restaurant reservations and events—very useful when you’re traveling. 
  • Photos: Say “Show me my photos from Thailand” to see the photos you uploaded to Google+. You can also ask for “my photos of sunsets” if you want to show off the shots you’ve taken over the year; Google will try to automatically recognize the type of photo you’re asking for.
The new system will be rolled out gradually. According to Google, U.S.-based users will be the first to try it out.

Officially, this system isn’t any less secure than your existing Google account. As Google explains on their blog, the data will be “secure, via an encrypted connection, and visible only to you when you're signed in to Google.” The problem, however, is with the behavior it encourages.

It’s no secret that Google has striven to become an all-inclusive operation when it comes to users’ online needs. And frankly, bundling features like Gmail, Google+ and Google Drive together provides a great deal of convenience. Unfortunately, that convenience comes at a cost. And what you might gain in efficiency, you’ll lose in security.

If you use three separate providers for your email, social networking, and cloud storage, when one becomes compromised, the others remain secure. But if a user moves all of his or her data under the Google umbrella, it only takes one hacked password to expose all of their information.

Again, this system won’t make your account any easier to hack. It will just make the consequences more dire should a hack occur. So, before you dive head-first into the Googleplex, make sure your data is stored and managed in a secure way.

Tuesday 27 August 2013

News Roundup

Facebook Refuses to Pay Bug Bounty

Like many web companies, Facebook offers independent analysts monetary prizes for discovering bugs. But when independent researcher Khalil Shreateh tried to use Facebook’s conventional channels to report a critical security vulnerability that allowed users to post on any other user’s wall (friend, enemy or other), the social network’s white hat disclosure programme failed to acknowledge his findings.
Not one to be ignored, Shreateh used the very exploit he tried to report and posted the information directly to Mark Zuckerberg’s wall.

Unfortunately, Facebook is now refusing to pay Shreateh. According to a post on Y Combinator’s forum, a Facebook representative said, “The more important issue here is with how the bug was demonstrated using the accounts of real people without their permission. Exploiting bugs to impact real users is not acceptable behavior for a white hat."

Shreateh claims posting the bug on Zuckerberg’s wall was the only way he could prove it existed after being told previously that the bug was not valid.

Researchers Sneak Malicious App into Apple Store

Apple has always kept tight tabs on their app store. Whenever developers want to make a new app available for purchase, it must first receive the O.K. from Apple to make sure its content is neither malicious nor inappropriate. But a team of researchers has developed a work-around and successfully got a malicious app, called Jekyll, approved.

Instead of submitting an app that explicitly contains malicious functionalities to Apple, the attacker plants remotely exploitable vulnerabilities (i.e., backdoor) in a normal app, decomposes the malicious logic into small code gadgets and hides them under the cover of the legitimate functionalities. After the app passes the App Review and lands on the end user's device, the attacker can remotely exploit the planted vulnerabilities and assemble the malicious logic at runtime by chaining the code gadgets together. [usenix]

In other words, the code needed for the malware is hidden in pieces within legitimate code and then reassembled during an update.

An Apple spokesman said the company has addressed the issue, but has yet to provide any details.

Cyberattacks Cause Internet Outages for More People than Hardware Failure

It’s important to remember we live in a world where cyberattacks affect more than just personal computers. According to the European Union Agency for Network and Information Security (ENISA), cyberattacks caused significant communications outages for more people than hardware failure last year.

The report shows that although cyberattacks caused only 6 percent of significant outages in the E.U., they affected about 1.8 million people. Comparatively, while hardware failure accounted for about 38 percent of all incidents, it only affected about 1.4 million people. Read more here.