Wednesday 26 June 2013

Facebook Knows More About You Than You Think

You know what the problem with Facebook is? They just don’t give out enough of my information. I mean, sure, they dish out all the stuff I put out “voluntarily”, but is that really enough?

Obviously they didn’t think so.

Last week, Facebook owned up to a bug that exposed the private information of more than six million users. Then, security researchers revealed that the private information contained data on many more users – even some that aren’t even on Facebook. These “shadow profiles” contained names, and even email addresses and phone numbers for millions of people.

Many of the users whose email addresses and phone numbers were exposed had not knowingly shared that personal information with Facebook.
Instead, their contact information had been collected on the sly — stored in Facebook's secret behind-the-scenes scaffolding, where it collects troves of data on you that you never knew about. That information comprises what's known as your "shadow profile."

Basically, when one of your friends had Facebook analyze his address book to find his friends, Facebook was gathering extra, unauthorized information including email addresses and phone numbers and then assigning that data secretly to the appropriate user. In this way, Facebook has data on you that you never actually authorized them to have.

Holy privacy violations, Batman!

Wednesday 19 June 2013

Hacking So Scary It Will Stop Your Heart

As if blackhats going after bank accounts and email passwords wasn’t enough, U.S. federal officials warn that a wide array of medical devices are susceptible to potentially life-threatening hacks.

Pacemakers are among the devices vulnerable to hacks

The devices, including heart defibrillators, drug infusion pumps, ventilators, patient monitors, and anesthesia devices, all possess serious password vulnerabilities that open them up for tampering.

According to an advisory issued last week by the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), the devices have a hard-coded default password that, if used, provides backdoor access to the devices.

The affected devices have hard-coded passwords that can be used to permit privileged access to devices such as passwords that would normally be used only by a service technician. In some devices, this access could allow critical settings or the device firmware to be modified. [ICS-CERT]

For most of the devices like drug pumps and patient monitors, the hacker needs physical access to the device to actually access anything. However, some devices like pacemakers and insulin pumps, since they are actually inside or on the body, can be accessed remotely, which is both very dangerous and super creepy.

Officials have not named the specific devices that are affected, but have said that most devices are affected.

Private Parts is the official blog of SumRando VPN and is basically the coolest thing on the web. You can try SumRando for free here.

Wednesday 12 June 2013

Your iPhone will Auto-Connect to Data Thieves

We have harped about a thousand times on the dangers of open Wi-Fi networks. Seriously people, it’s just a bad idea. And now, security researchers say they’ve found a flaw in iPhones that can force users to connect to these networks without them even knowing it.

The flaw is in the configuration settings that are set up by carriers like Vodafone and AT&T.

Imagine you had to manually reconnect each day to your home, work, or favorite coffee shop networks? That would be cumbersome. Operating systems have a great feature, allowing automatic connection to networks they previously connected to. However, this feature has security consequences: attackers can simply guess (e.g., “Apple Store”, “Boingo Hotspot”) or retrieve the SSID of previously used networks, and cause victims’ devices to automatically connect to their rogue network, without the victims’ approval. Once the victims are connected to the rogue network, the attackers can utilize common MiTM (man in the middle) tools…to attack their victims. [Skycure Security]

To test their hypothesis, the researchers took their setup to a popular restaurant in Tel Aviv, Israel and set up a fake Wi-Fi network. 60 people connected within the first minute. Holy smokes! But wait, it gets even better. Even the most security conscious mobile users fell victim. In another test, the folks at Skycure set up a similar fake network at a cybersecurity conference. In just two and a half hours, 448 cybersecurity professionals auto-connected to their network.

Fortunately, the people at Skycure aren’t hackers and never launched attacks on any of the connected iPhones, but the kind of software needed for man-in-the-middle attacks used in this kind of situation is cheap, readily available, and dead-simple to use.

The only real work-around for iPhone users is to turn off Wi-Fi when you’re not using it — which we highly recommend.


Sunday 9 June 2013

PRISM is Creepy. Time to Take Your Privacy Seriously

News broke over the last couple of days that the United States’ National Security Agency has been operating a top-secret surveillance programme called PRISM that allows the government to monitor everything you do online.

While the Obama Administration has basically said, “it’s no big deal,” it is and it’s exactly the kind of thing that privacy-conscious VPN users should be worried about.

Made legal by the controversial Patriot Act, PRISM gave the NSA access to information collected by companies like Apple, Google, Facebook, and Microsoft, among others. According to the latest sources, PRISM does not collect actual content, only information about connections. For instance, the administration might know that you Skyped with Bill last night, but they don’t know what you said.

According to the Washington Post, PRISM monitors email, chat, videos, photos, stored data, VoIP, file transfers, video conferencing, logins, online social networking details, and special requests.

If you’re wondering if you should be totally freaked out, yes, yes you should. PRISM has confirmed many of our worst fears regarding internet surveillance and the total failure of government accountability when it comes to protecting our privacy.

More than ever, it’s become clear that our data is not safe in the hands of otherwise trusted companies and authorities and the news of PRISM should act as a wake-up call to start implementing your own privacy strategies. If you don’t want strangers and governments to see what you do online, a VPN like SumRando is a great first step.


Wednesday 5 June 2013

Nice Tat, Mate. Is That for Gmail or Vodafone?

In the race to replace the soon-to-be-obsolete password, Motorola has some innovative ideas — among them, tattoos.

That’s right kids, soon you’ll be securing your online credentials and ticking off your parents at the same time. If that’s not a win-win, I don’t know what is.

According to Motorola senior vice president of advanced technology and products Regina Dugan, who spoke at the AllThingsD conference, one of the devices the company is developing is a temporary tattoo that would be worn on the skin and would allow the wearer to authenticate their credentials on any device they use. The tattoo would last for only a few days.

“It may be true that 10-20 year-olds don't want to wear a watch on their wrist, but you can be sure they'll be more interested in wearing an electronic tattoo, if only to piss off their parents,” Dugan said.

Motorola also revealed a pill authentication device at the conference. Intended to be taken daily, the pill’s electronic components would react with chemicals in the user’s digestive tract and subsequently broadcast the appropriate signals for authentication that could be read by anything from mobiles to cars.

The pill has already been cleared by the US Food and Drug Administration, though no timetable was given for its release.
