Friday, 26 April 2013

Will Google Glass change the way we look at digital security?

Yesterday, Apple CEO Tim Cook said, “It can be weird,” when he described using the voice-dominated functions of the much anticipated Google Glass.

And it got me thinking. Beyond the inevitable, “Is that crazy person talking to himself or just using Google Glass?” conundrum, using Google Glass in public will be weird from a security perspective as well.

In the current world of smartphones and tablets, our connection to the internet and its wealth of information is just a lock screen away. Certainly, it would take only a moment to look up a new acquaintance’s Facebook profile or find them on LinkedIn while you’re out and about. But the key here is that to use a smartphone you have to reach into your pocket, take it out, and use thumbs and fingers to actually do something. And while you’re doing it, your actions are obvious to anyone around you.

Google Glass could change that.

With a device that’s able to take pictures, record video, and access the web while mounted right in front of your face, Google will further blur the lines between your life on the internet and that in the real world. And in much the same way, the lines between real world security and cybersecurity will also be blurred.

Imagine living in a world where people all around you are wearing Google Glass. Wouldn’t you wonder what they’re up to? Are they taking your picture? Are they recording what you’re doing? Is it possible that a whole new culture of high-tech voyeurism will develop?

And what would this mean for cybercrime? Would cybercriminals start targeting based not on random IP addresses, but on how much money it looks like you have as they pass you on the street?

What about meeting new people? With the ability to snap a photo unnoticed, would you be tempted to do a reverse image search on that cute girl at the café before introducing yourself?

When anyone can go from simply seeing you on the street to finding your online profiles in a matter of minutes, the management of your online exposure will be even more important to your privacy than it already is.

I’ve posed a lot of questions and frankly, I don’t have any of the answers. Perhaps, to a certain degree, this is all an exaggeration. But we also need to be very aware that we are indeed moving into a future — with or without Google Glass — that will blur the lines between private and public. And in that future, nobody but you will be responsible for your digital safety and privacy.

Try SumRando for free here.

Thursday, 25 April 2013

Is Google going to make passwords obsolete?

Ok, this might be an over-dramatization. However, as we all know, the trusty password isn’t what it used to be. It seems like I’m reading about hashed password dumps and Twitter hacks every week now. I think it’s time for something better, and so does Google.

On Tuesday, the Fast IDentity Online Alliance (FIDO) announced that Google has joined their ranks. FIDO is a consortium of companies working to develop new authentication security technology that will ultimately replace the humble password. FIDO already includes heavy-hitters like PayPal, Lenovo, Nok Nok Labs and Validity, but it’s safe to say that Google’s research and financial brawn will bring a substantial lift to efforts.

But what will they come up with? There are certainly ideas out there, but replacing the password isn’t an easy task. Any replacement will need to be just as versatile, but more secure.

The most cliché replacement suggestion, of course, is a biometric scanner that reads fingerprints or other unique physical characteristics. The big benefit here, obviously, is that it’s very difficult to crack. If you think cracking a password takes time, imagine how long it would take to gather all the data contained in a fingerprint! The downside, of course, is that should your biometric data get hacked, there’s no good way to change it short of going Men in Black on your fingertips.

Other ideas include voice recognition, security tokens, and near-field communication. All have strong security benefits, but also present problems. I guess we’ll just have to see what FIDO comes up with.


Wednesday, 17 April 2013

Holy Crap, BotNets are Getting Really Scary

A U.S.-based security firm is reporting that the average amount of bandwidth consumed in DDoS attacks by botnets has increased by a factor of eight in the first quarter of 2013.

You read that correctly. Eight times the bandwidth is being consumed compared to last year.

The average amount of bandwidth used in DDoS attacks mushroomed to an astounding 48.25 gigabits per second in the first quarter, with peaks as high as 130 Gbps, according to Hollywood, Florida-based Prolexic. During the same period last year, bandwidth in the average attack was 6.1 Gbps and in the fourth quarter of last year it was 5.9 Gbps. The average duration of attacks also grew to 34.5 hours, compared with 28.5 hours last year and 32.2 hours during the fourth quarter of 2012. Earlier this month, Prolexic engineers saw an attack that exceeded 160 Gbps, and officials said they wouldn't be surprised if peaks break the 200 Gbps threshold by the end of June. [Ars Technica]

According to Ars, the biggest factor contributing to these attacks is the harnessing of servers rather than home computers for botnets. While a personal PC might only be able to deliver a rather limited number of packets, a zombie server is much more powerful and able to deliver staggering amounts of data.

In particular, we’ve seen that servers running web-based software like WordPress are particularly vulnerable.

According to security firm CloudFlare’s CEO, Matt Prince:

"It is clear that if the story of the 2000s was how easy it was to compromise desktop PCs and turn them into spam-sending engines or botnets to do other nefarious things, the story of the 2010s is going to be how easy it is to compromise server software, which has gotten very consumerized and doesn't necessarily have the best security in place. If a server is 10 times as powerful as a desktop computer then you only need one-tenth to do the same level of damage." 

Saturday, 13 April 2013

Want to know how much of your personal info is being bought and sold? Ask Acxiom.

Earlier this week, I told you about an idiot who confessed to murder on the internet. It only took some quick sleuthing by members of the online message board Reddit to cull enough details to figure out his full name, military rank, and place of residence.

And while I can’t emphasize enough how completely irresponsible this fellow was with his personal details, it should make the rest of us wonder. How much information is out there about us?

(Image caption: This is Acxiom. You may not know about them, but they certainly know about you. Probably more than you think.)

But here’s the good news: Soon (if you’re American), you will be able to find out exactly how much.

Acxiom, a consumer data broker in the United States, will be introducing a service that will allow people to find out exactly how much the company knows about them.

If you’re unfamiliar with data brokers, they’re the guys responsible for all those targeted advertisements you receive. They know your income, where you live, what kind of computer you use, if you’re married, and probably a lot more. Presently, exactly what they know is a mystery to anyone outside of their clients who purchase the data.

However, last March the Federal Trade Commission issued a recommendation that called for legislation requiring data brokers to disclose the information they have to individuals and allow that information to be amended for accuracy or even deleted.

And in the spirit of that recommendation, Acxiom announced that they will do just that.

Emily Steel lays it out in the Financial Times:

For years, the industry has operated behind a veil of secrecy and released few details about the exact information it tracked and how those details were used. Consumer privacy advocates long have demanded that data brokers such as Acxiom, Experian and Datalogix allow individuals to see what information is collected, correct those details, and delete their profiles. No current laws in the U.S. require that data brokers maintain the privacy of individuals’ data unless they are used for credit, employment, insurance, housing, or other similar purposes.

Is this a silver bullet for personal privacy management? Absolutely not. But it’s certainly a big step forward. When you know just what information is out there, you can take steps to contain it.

Let’s count this as a win.


Tuesday, 9 April 2013

How to confess to murder… And get away with it.

A Redditor (a user of the online message board, Reddit) was recently reported to the FBI for homicide after confessing to murdering his sister’s abusive “meth addict” boyfriend on the message board through the popular “Confession Bear” meme.

As you may know, Confession Bear is typically used for milder confessions like, “I fart in my boss’s office every morning before she arrives, and now she has facilities checking the walls for dead animals,” or “When I have an argument with my girlfriend, I tighten the top of every jar and bottle in the house.”

So when a user going by Naratto posted the murder confession, Redditors took notice. Immediately after posting, users scanned his previous comments for identifying information, revealed who he was, and reported him to the FBI.

According to one user, it wasn’t even that hard…

“His post history had his middle name and his birthday, plus his job history and military rank, as well as a ton of info about where he lived. A couple people googled his user name and found a steam profile with the same info and a FULL NAME which matched an FB profile and a number of other profiles.”

In the comment thread accompanying the image, Naratto claimed the meme was only “partially true”. He also deleted all of his previous comments. Unfortunately for him, his information was already out.

Whether he’s a killer or not, it’s safe to say Naratto is not the sharpest tack in the box. But what could he have done differently? Well, not confessing to murder on the internet would have been a great start. Seriously. This is pretty much the dumbest thing I’ve ever heard. But what if you did want to confess? And what if you wanted to get away with it?

Here’s what you should do.

Step One: Get a disposable account. Reddit allows for unlimited accounts and doesn’t require any identifying information to set one up. A lot of users keep disposables just in case they need to admit something embarrassing they’d rather not have associated with them. Pretty sure murder falls into that category.

Step Two: Use a different computer. Yes, this might be overkill, but we’re talking about murder charges here. You can’t be too careful. Even if you aren’t traced online, there’s always the chance someone could find your illicit confession in your browser history or on your hard drive. Public libraries and cyber cafés are good options. Don’t be a schmuck and use your friend’s laptop.

Step Three: Use a VPN. Even though usernames on Reddit are anonymous, Reddit keeps a record of your IP address when you log on. Once investigators have that, all it takes is a quick call to your ISP and you’re busted! But, if you turned on your handy VPN, your IP would be masked and replaced by a random address provided by the VPN server. Utterly untraceable.

So there you have it. How to confess to murder and get away with it. Although, it’s probably best to avoid the whole murder thing in the first place. Maybe just call the police instead.
