Friday, 30 August 2013

Google is Rolling Out Personalised Search. Should You Use It?

When it comes to digital security, it’s a mistake to put all your eggs in one basket. Don’t use the same password for more than one account; don’t use the same browser for banking and surfing; and don’t use the same company for your email, search and storage needs.

Google, however, has other plans. The tech giant announced it will roll out an invasive personalised search feature that effectively integrates users’ Gmail, Google Calendar and Google+ accounts with Google Search.

Google provided a few examples of the system's functionality on their blog.
  • Flights: Ask Google “Is my flight on time?” to get info on your upcoming flights and live status on your current flights.
  • Reservations: Ask for “my reservations” to see your dining plans or “my hotel” to get your hotel name and address. With one tap, you can get driving or public transit directions straight to your destination, saving you lots of steps.
  • Purchases: Ask for “my purchases,” and you’ll get the status of your current orders, so you know whether your mom’s birthday present will arrive on time.
  • Plans: Ask Google “What are my plans for tomorrow?” to see a summary of upcoming flights, hotels, restaurant reservations and events—very useful when you’re traveling.
  • Photos: Say “Show me my photos from Thailand” to see the photos you uploaded to Google+. You can also ask for “my photos of sunsets” if you want to show off the shots you’ve taken over the year; Google will try to automatically recognize the type of photo you’re asking for.

The new system will be rolled out gradually. According to Google, U.S.-based users will be the first to try it out.

Officially, this system isn’t any less secure than your existing Google account. As Google explains on their blog, the data will be “secure, via an encrypted connection, and visible only to you when you're signed in to Google.” The problem, however, is with the behavior it encourages.

It’s no secret that Google has striven to become an all-inclusive operation when it comes to users’ online needs. And frankly, bundling features like Gmail, Google+ and Google Drive together provides a great deal of convenience. Unfortunately, that convenience comes at a cost. And what you might gain in efficiency, you’ll lose in security.

If you use three separate providers for your email, social networking, and cloud storage, when one becomes compromised, the others remain secure. But if a user moves all of his or her data under the Google umbrella, it only takes one hacked password to expose all of their information.

Again, this system won’t make your account any easier to hack. It will just make the consequences more dire should a hack occur. So, before you dive head-first into the Googleplex, make sure your data is stored and managed in a secure way.

Tuesday, 27 August 2013

News Roundup

Facebook Refuses to Pay Bug Bounty

Like many web companies, Facebook offers independent analysts monetary prizes for discovering bugs. But when independent researcher Khalil Shreateh tried to use Facebook’s conventional channels to report a critical security vulnerability that allowed users to post on any other user’s wall—friend, enemy or otherwise—the social network’s white hat disclosure programme failed to acknowledge his findings.
Not one to be ignored, Shreateh used the very exploit he tried to report and posted the information directly to Mark Zuckerberg’s wall.

Unfortunately, Facebook is now refusing to pay Shreateh. According to a post on Y Combinator’s forum, a Facebook representative said, “The more important issue here is with how the bug was demonstrated using the accounts of real people without their permission. Exploiting bugs to impact real users is not acceptable behavior for a white hat."

Shreateh claims posting the bug on Zuckerberg’s wall was the only way he could prove it existed after being told previously that the bug was not valid.

Researchers Sneak Malicious App into Apple Store

Apple has always kept tight tabs on their app store. Whenever developers want to make a new app available for purchase, it must first receive the O.K. from Apple to make sure its content is neither malicious nor inappropriate. But a team of researchers has developed a work-around and successfully got a malicious app, called Jekyll, approved.

Instead of submitting an app that explicitly contains malicious functionalities to Apple, the attacker plants remotely exploitable vulnerabilities (i.e., backdoor) in a normal app, decomposes the malicious logic into small code gadgets and hides them under the cover of the legitimate functionalities. After the app passes the App Review and lands on the end user's device, the attacker can remotely exploit the planted vulnerabilities and assemble the malicious logic at runtime by chaining the code gadgets together. [usenix]

In other words, the code needed for the malware is hidden in pieces within legitimate code and then reassembled during an update.

An Apple spokesman said the company has addressed the issue, but has yet to provide any details.

Cyberattacks Cause Internet Outages for More People than Hardware Failure

It’s important to remember we live in a world where cyberattacks affect more than just personal computers. According to the European Union Agency for Network and Information Security (ENISA), cyberattacks caused significant communications outages for more people than hardware failure last year.

The report shows that although cyberattacks caused only 6 percent of significant outages in the E.U., they affected about 1.8 million people. Comparatively, while hardware failure accounted for about 38 percent of all incidents, it only affected about 1.4 million people. Read more here.

Wednesday, 14 August 2013

London Bans Creepy Stalker Trash Bins

A government not hesitating to take proactive and concrete steps to protect our privacy seems almost bizarre given recent news cycles, but indeed, the city of London stepped up and asked the marketing company Renew to remove its mobile-tracking trash bins from London's sidewalks.

Renew deployed 12 bins featuring "ORB" technology that allowed them to collect the unique media access control (MAC) address of Wi-Fi enabled mobile devices as they passed within range. The idea, as outlined in a press release, was to use the data gleaned from tracking pedestrians to serve the most effective ads on the LCD screen on each bin.

The consolidated data...highlights the significance of the Renew ORB technology as a powerful tool for corporate clients and retailers. It provides an unparalleled insight into the past behavior of unique devices--entry/exit points, dwell times, places of work, places of interest, and affinity to other devices--and should provide a compelling reach database for predictive analytics (likely places to eat, drink, personal habits etc.). [Renew]

You can think of this as a less malicious version of Moscow's new mobile tracking system (although they use different technologies).

With only 12 bins, Renew was able to log data from more than 4 million devices over a single week. It is unsettling, at best, that this data could be used to paint reasonably detailed portraits of pedestrian behaviour without any notification or ability to opt-in to this data collection program.
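To make concrete how much a log of nothing more than (timestamp, bin, MAC address) sightings reveals, here is an added example that is not Renew's code and not part of the original post. It groups a constructed sighting log per device and derives the entry/exit points, dwell times, repeat visits and "affinity to other devices" that the press release advertises; the bin identifiers, MAC addresses and timestamps are made-up sample values, and the 10-minute visit gap and 60-second co-travel window are assumed thresholds.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample log, one sighting per line: "timestamp,bin_id,mac".
# All values are invented for illustration; they do not come from any real bin.
SAMPLE_LOG = """\
2013-08-12T08:02:10,bin-03,02:aa:bb:cc:dd:01
2013-08-12T08:02:40,bin-03,02:aa:bb:cc:dd:01
2013-08-12T08:05:05,bin-07,02:aa:bb:cc:dd:01
2013-08-12T08:05:30,bin-07,02:aa:bb:cc:dd:02
2013-08-12T12:31:00,bin-07,02:aa:bb:cc:dd:01
2013-08-12T12:31:15,bin-07,02:aa:bb:cc:dd:02
2013-08-13T08:03:00,bin-03,02:aa:bb:cc:dd:01
2013-08-13T08:06:10,bin-07,02:aa:bb:cc:dd:01
"""


def parse_log(text):
    """Parse the CSV-style log into a chronologically sorted list of
    (datetime, bin_id, mac) tuples."""
    sightings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, bin_id, mac = line.split(",")
        sightings.append((datetime.fromisoformat(ts), bin_id, mac.lower()))
    sightings.sort()
    return sightings


def device_profiles(sightings, max_gap_seconds=600):
    """Group sightings into visits per device (assumed rule: consecutive
    sightings of one MAC closer together than max_gap_seconds form one visit).
    Each visit records its entry bin, exit bin and dwell time; the profile also
    counts the distinct days on which the device was seen (repeat visits)."""
    by_mac = defaultdict(list)
    for ts, bin_id, mac in sightings:
        by_mac[mac].append((ts, bin_id))

    profiles = {}
    for mac, rows in by_mac.items():
        visits = []
        start = prev = rows[0]
        for ts, bin_id in rows[1:]:
            if (ts - prev[0]).total_seconds() > max_gap_seconds:
                visits.append({"entry": start[1], "exit": prev[1],
                               "dwell_seconds": (prev[0] - start[0]).total_seconds()})
                start = (ts, bin_id)
            prev = (ts, bin_id)
        visits.append({"entry": start[1], "exit": prev[1],
                       "dwell_seconds": (prev[0] - start[0]).total_seconds()})
        profiles[mac] = {"visits": visits,
                         "days_seen": len({ts.date() for ts, _ in rows})}
    return profiles


def co_travellers(sightings, window_seconds=60):
    """Pairs of distinct devices seen at the same bin within window_seconds of
    each other: the 'affinity to other devices' the press release describes."""
    pairs = set()
    for i, (ts_i, bin_i, mac_i) in enumerate(sightings):
        for ts_j, bin_j, mac_j in sightings[i + 1:]:
            if (ts_j - ts_i).total_seconds() > window_seconds:
                break  # sightings are sorted, so nothing later can be closer
            if bin_i == bin_j and mac_i != mac_j:
                pairs.add(tuple(sorted((mac_i, mac_j))))
    return pairs


if __name__ == "__main__":
    log = parse_log(SAMPLE_LOG)
    for mac, profile in device_profiles(log).items():
        print(mac, "seen on", profile["days_seen"], "day(s)")
        for visit in profile["visits"]:
            print("   ", visit)
    print("devices that move together:", co_travellers(log))
```

Eight log lines are enough to show that the first device walks the same bin-03 to bin-07 route at the same time on two mornings and that it is regularly accompanied by the second device; at Renew's volume of millions of sightings the same aggregation yields the "places of work" and "personal habits" the press release promises. Note that nothing in the log is encrypted or decrypted: the MAC address is sent in the clear by the device itself, which is why the post's advice to switch Wi-Fi off when it is not needed is the control that stops these records from being produced in the first place.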

Certainly, tracking systems like this should be a concern for anyone using a Wi-Fi capable mobile device. And while Renew likely does not harbour any malicious intent, similar techniques have already been shown to be feasible. In previous demonstrations, researchers showed that by simply using common network names like "Apple Store" or "Boingo Hotspot," mobile devices could be tricked into auto-connecting to unsecured Wi-Fi networks that expose your traffic to anyone watching.

Fortunately, defense against programs like ORB is available. A simple mobile VPN encrypts the traffic you send over unsecured Wi-Fi networks so that it cannot be read by anyone watching the hotspot, and disabling Wi-Fi on your device when you don't need it prevents it from broadcasting to, or connecting with, these networks at all.

Friday, 9 August 2013

Lavabit and Silent Circle Shutter Secure Email Due to Gov. Pressure

Lavabit, the secure email service reportedly used by ex-National Security Agency contractor, Edward Snowden, has abruptly suspended its service without a complete explanation.
A letter posted on the company's homepage by Lavabit owner Ladar Levison said he made the decision to suspend service due to pressure from the U.S. government.

My Fellow Users, I have been forced to make a difficult decision: to become complicit in crimes against the American people or walk away from nearly ten years of hard work by shutting down Lavabit. After significant soul searching, I have decided to suspend operations. I wish that I could legally share with you the events that led to my decision. I cannot. I feel you deserve to know what's going on--the first amendment is supposed to guarantee me the freedom to speak out in situations like this. Unfortunately, Congress has passed laws that say otherwise. As things currently stand, I cannot share my experiences over the last six weeks, even though I have twice made the appropriate requests.

What's going to happen now? We've already started preparing the paperwork needed to continue to fight for the Constitution in the Fourth Circuit Court of Appeals. A favorable decision would allow me to resurrect Lavabit as an American company.

This experience has taught me one very important lesson: without congressional action or a strong judicial precedent, I would _strongly_ recommend against anyone trusting their private data to a company with physical ties to the United States.

Sincerely, Ladar Levison, Owner and Operator, Lavabit LLC

Lavabit came on the scene in 2004 as a secure and privacy oriented alternative to other more popular email services. The service gained notoriety earlier this year when a representative from Human Rights Watch posted a message from Snowden that included the email address

Following suit shortly after, Silent Circle has also scrapped Silent Mail, a similar encrypted mail service. The move, made to preempt any possibility that its users would suffer the same fate as Lavabit's customers, calls into question whether a US company will ever be able to truly offer a secure mail service.

Though we are unlikely to ever hear the full story, Levison’s predicament serves to emphasize the delicate nature of privacy and security in a cyber-age. At the end of the day it wasn't just Snowden's account that was closed. This case is a loss for every user trying to licitly exercise their right to privacy and security.

Tuesday, 6 August 2013

Aw Crap, Toilets are Hackable

Remember when we only had to worry about our computer being hacked? Those were the days. Unfortunately, as technology improves and an ever-increasing number of otherwise mundane devices are outfitted with microchips and wireless connections, we’ve also seen a rise in security vulnerabilities in everything from mobile phones to pacemakers. And now, sadly (or hilariously), even our toilets aren’t safe.

Security company Trustwave issued an advisory last week that LIXIL’s Satis line of smart toilets is vulnerable to hackers with a penchant for pranks. Among the many vital features of the toilets are the capabilities to play music, raise the lid, flush, and operate the bidet with a Bluetooth connection and an Android app. Unfortunately for the unsuspecting toilet enthusiast, LIXIL hard-coded the Bluetooth PIN “0000” into all of their toilets. This means that any ne’er-do-well with a smartphone can download the “My Satis” app and control any Satis toilet.

An attacker could simply download the "My Satis" application and use it to cause the toilet to repeatedly flush, raising the water usage and therefore utility cost to its owner.  Attackers could cause the unit to unexpectedly open/close the lid, activate bidet or air-dry functions, causing discomfort or distress to user. [Trustwave]

Here at SumRando, we’re wondering why anyone would need to remotely access a toilet. Perhaps they just like a fresh bowl?

And while hacking a toilet may be laughable for the security-minded (or anyone), the widespread neglect of basic security precautions in non-traditional wireless devices is a serious issue. Things like computer-controlled power grids, remote-controlled pacemakers, and digital medical records have dramatically improved our quality of life through greater efficiency and accuracy. But as we increase our connectedness, we also open ourselves up to substantial risk. Moving forward, it is essential that we include security and privacy in any discussion relating to technology. Unless we establish and prioritise cybersecurity best practices, we could find our progress flushed down the tubes.

You can try SumRando for free here.