It is the Christmas season and there are some great parties around. At one party, you find yourself a little too into the Christmas spirits and send some intimate text messages to your ex-girlfriend, ex-boyfriend, or worst, your boss. Pretty soon it’s all over, the inter-webs and you can’t take it back!

One of the features that the Internet has given us is persistent data; data placed on the Internet can be there forever. This persistence has been useful and often nostalgic – I have found some of my friends’ websites that they hosted with Angelfire way back in the early 90’s still online. It has also allowed us to gather evidence on illegal activity to successfully prosecute criminals.

The dark side of this persistent data is the drunken texts, Facebook posts and incorrectly sent emails that we cannot remove no matter how we try. This may not apply to you, but for many, it has become a horror story that does not go away. The unintended consequences, along with low self-esteem, have been broken relationships and lost jobs.

It is on this basis that several services have been born with the ability to send ephemeral data, that is, data that will only last a short time after which it self-destructs (a la Mission: Impossible). These services include Snapchat, Gryphn, and Wickr.

However, even these ephemeral services cannot guarantee that data can disappear; and promising such gives an illusion of privacy. For example, you may still take a screenshot of an image with some of the apps (the Gryphn app does not allow this). You can even take a picture of your phone screen with another phone or camera to bypass those mechanisms. It certainly does not stop someone else from taking a photo of you doing something stupid and tweeting it.

Ephemerality is not something new, as you generally have that expectation with a telephone call – that a conversation is between you and the other party, and is not being recorded (NSA revelations aside). What these services are allowing is a return to a state where the conversations between two people stay only within that moment, and between the two.

I’m not sure about the popularity of Gryphn and Wickr (or as to why they left out vowels from their names), but I do know that Snapchat has gained in popularity. The presence, and more so, the success of these services will be an indication of whether Internet users, including businesses, really value their privacy.

However, these services are a plaster for a sore, but are no panacea for privacy. Instead, what we may need is the creation and establishing of a set of social norms as to the sharing of data such that there is an implicit trust – like you trust that your phone conversation is not being recorded.

The younger generation is a sharing culture, and until that culture changes, you should always assume that you have no privacy. These ephemeral services may provide some level of improved privacy, but not enough for me to send that naughty picture to my wife (no matter how much I trust her)…

Merry Christmas to you and your loved ones, and have a very happy and prosperous New Year!

Image credits:  digital democracy (flickr)

________________

In Michele Marius’ post last week, 5 takeaways from new allegations that the NSA infiltrated links to Yahoo, Google data centers worldwide, and as more and more information is released about the extent of the United States (US)-based National Security Agency (NSA) spying, more people are questioning the trustworthiness of cloud services. Considering that Google has featured prominently in much of the leaks about the spying, and that so many people who utilise their cloud services (me included), one has a right to wonder, how safe are cloud services?

 Cloud trends: the analysts speak

Leading IT advisory firm, Gartner, has predicted that cloud services will become the bulk of new IT spend by 2016, with nearly half of large enterprises having hybrid cloud deployments by the end of 2017.

Gartner also knows that the NSA scandal will be a challenge as companies ponder whether to adopt the cloud, especially companies in non-US countries, such as those in the Caribbean. A report (PDF) by the Information Technology & Innovation Foundation (ITIF) in August this year stated that PRISM (the NSA’s electronic surveillance and data mining programme that came under scrutiny a few months ago) could cause the US cloud computing industry to lose between USD 22 and USD 35 billion over the next three years. There is already some evidence of non-US companies cancelling contracts according to a report by the Financial Times.

Private leased lines not so private

The new information released now implies that you cannot trust your telecommunications service providers either, even if they say they are giving you “private” links. I, for one, never trusted private leased lines; I knew how easy it was to tap into those circuits, and am amazed though that Google and Yahoo had so much trust in those service providers, that they left their data unencrypted across those links.

What can we do?

With the new revelations, India and Brazil have lashed out, and are planning to put their own systems in place to prevent any foreign espionage. However, I am not surprised that no such anger is originating from our Caribbean countries.

Nevertheless, the circumstances do provide us with an opportunity to set up our own locally or regionally hosted and operated cloud services. I know of Fujitsu Caribbean offering locally hosted service in Trinidad, but there’s no reason that we cannot have a locally or regionally owned company providing those services. We, in the Caribbean, need to get our act together and tighten up our cyber-security, data protection and privacy legislation.

In the meantime, you should take steps to protect your own data. Choose carefully your cloud service providers and the data you want hosted there, encrypt your data being stored in the cloud, and please encrypt those private links using VPNs (Virtual Private Networks) or encryptors.

Image credit:  SparkCBC/flickr 

______________

Adobe Systems announced a couple of weeks ago, on Thursday 3 October 2013, that it was the victim of a sophisticated attack, where information for 2.9 million Adobe customer was accessed, including customer names, encrypted credit card numbers, expiration dates, and other information relating to customer orders. Also, source code for Adobe Acrobat, ColdFusion, ColdFusion Builder and other Adobe products was accessed and downloaded by the attackers.

Adobe publicised the breach after Brian Krebs and Alex Holden, independent IT security experts, contacted them about 40GBs of Adobe product source code found on a server used by hackers. Adobe told them that they were investigating a possible breach since 17 September and the attack appeared to have happened around mid-August.

Issues to ponder

The first questions that popped into my mind when I heard about the breach were, “Why did Adobe take so long to publicise the breach? And why did it take so long to discover it in the first place?” I would think that a company the size of Adobe would have the resources capable of discovering and taking faster action on these breaches.

The most serious aspect of the breach though, is the source code in the hands of hackers. While getting their hands on customer information and credit card data was nice, the source code was a nice paydirt considering the number of people who run Adobe products on their computers (me included).

With the source code, cyber-criminals can effectively find zero-day exploits (exploits for vulnerabilities where no patch exists). Usually hackers would either have to wait for a vulnerability to be discovered in the wild, or reverse engineer patches to find the vulnerabilities. Now they could find vulnerabilities on their own and save lots of time.

Cyber-criminals can even compile their own malicious versions of Adobe software and pass it off as the official version. They will still have to bypass the digital signatures of the installation, but I’m sure that many people would ignore the warning.

The possibility also exists that the hackers may have tampered with the source code on the servers. Adobe may then release the tampered version of the software to the public. It’s unlikely, but still a possibility.

Precautions

Considering the scope of the breach, you should take a couple of precautions:

1. Firstly, if you have an Adobe account, change the password if you haven’t already done so. Adobe would have sent out a notice, but just because you haven’t received one doesn’t mean that you shouldn’t change it.
2. If you had any credit card data stored on Adobe’s site because of a purchase you made, or if you used any of their subscription services, talk to your bank about reissuing a card, just to be safe.
3. Be careful where you download Adobe software, and ensure that any version you use is digitally signed by Adobe. Better, stick to downloading Adobe software directly from Adobe’s website, well, assuming that the site isn’t hacked… again.
4. Install updates for Adobe immediately when released. As exploits may be released quickly, expect patches to be released fairly quickly as well.
5. Be extra cautious when opening PDF files from unknown sources.
6. Use other software for viewing PDFs. There are lots of good ones out there. Check out this site for some alternatives.

While I still have questions as to how the breach took place, and why it took so long to discover it and to be notified, the horses have already bolted.

In this increasingly connected world, the Internet has become the new Wild West and you can expect to see many more of these high-profile attacks to come. Cyber-criminals are getting better, and unfortunately, those who are supposed to protect us are having a hard time keeping up.

Image credit:  Wikipedia

_____________

Wireless Hotspots – those places that offers wireless Internet access to the visitor or weary traveller. They are often found in coffee shops, bistros, restaurants, and well, almost anywhere. Some of those hotspots, you either have to pay to use, or patronise the establishment, but many are also free.

Hotspots are convenient: a way to get connected, when you aren’t already always connected. It offers a quick respite from the Facebook or Twitter cravings, and can be a life-saver when you need to send an email to your boss. It is also nice to have when you’re working from “home” but actually on the beach (hey, as long as the work is done!).

Many people can be seen pecking away at laptops, or have their faces buried in their tablets or mobile smartphones while connected to these hotspots. But, are wireless hotspots safe?

The simple answer is no. Wireless hotspots are not safe.

Don’t get me wrong, I’m not saying to not use hotspots; besides, I use them all the time. Hotspots are like public pools – it’s okay to have fun in it, just don’t drink the water. That is, take some time to understand the risks, and make some effort to protect yourself.

So what are the risks?

Most hotspots are open, that is, they are unprotected and unencrypted, and anyone can access them. Even hotspots that either require an access-code or username/password are open, but just have a gateway device in-between the wireless network and the Internet to regulate access. All the traffic between your device and the access-point (the wireless transmitter/receiver) is unencrypted. This means that anyone within the vicinity can “see” your traffic, and someone with some know-how can read it.

Another risk that’s gaining popularity is the Man-in-the-Middle attack (MITM). The attacker uses a device that presents itself as a wireless hotspot, but in reality, is an access-point engineered to capture all traffic that passes through it. MITM attacks have been around for years, but because of the power of mobile chips, those devices have become smaller and more portable. An attacker can leave the device hidden at a location and then return later to collect it with all the data stored on it.

What’s more with the MITM attack is that the attacker has full control over the network, unlike the hotspot at a coffee shop. This means, he or she, can direct you anywhere they want. They can issue fake websites, or route you to infected ones, where they can phish your personal details or infect your computer. For example, when you type ‘google.com’ or ‘yourbank.com’, you can be sent to a website that looks like the real Google.com (or yourbank.com), but is really a fake site set up to look like it.

So, knowing some of these risks, how can I protect myself?

1. Use hotspots only when necessary. The less you use it, the less risky it becomes.
2. Don’t make assumptions about the availability of a hotspot at a site. Ask the store workers whether they indeed have a hotspot and what is the name. If you see more than one, ask if they do have more than one access-points (sometimes they do if the site is big); of the answer is no, do not connect.
3. Only visit secured sites, that is, sites that start with HTTPS. If your browser gives any warnings about the site certificate such as a name mismatch, or certificate expiration, disconnect immediately.
4. Avoid using native apps on phones or tablets, unless you are positive that the apps encrypt all their communications. Some apps do not encrypt all the data transmissions and can therefore be seen by third parties.
5. Use a VPN (Virtual Private Network). VPNs usually encrypt data so that they are securely transmitted, and safe from prying eyes. Your company may have VPN services, so ask your IT department about it. If you have a company that does not already have VPN services, then consider implementing it. You can also consider  trusted 3rd party VPN providers. These are usually paid services, but can be worth the investment to protect your data.
6. Use a personal firewall and an updated anti-virus software. This will help protect your device from unauthorised access and drive-by infections. Drive-by infections are where your computer can be compromised by simply visiting a malicious or infected site.
7. Configure your computer, tablet or phone to not automatically connect to an open network. Also, when you are done using a hotspot, delete the profile from your device to prevent it from remembering the connection and automatically connecting the next time.
8. And lastly, know that not all risks are high tech. That guy sitting next to you may be more than just a customer, and may be looking at everything that you are doing. Be aware of those around you and install a privacy screen on your laptops and tablets. Don’t forget those CCTV cameras as well; you never know who’s watching.

In conclusion

Wireless hotspots have allowed us to stay connected and get more done, and with some precautions you can use it safely. However, in a world where it is now easy to become engrossed in your virtual life, perhaps it might be nice to disconnect from the electronic devices and connect to the people around you instead.

Stay safe out there.

Image credit:  Salvatore Vuono (FreeDigitalPhotos.net)

_________________

In a recent post, Michele posed the question, “Should you have any reasonable expectation of privacy with Gmail?”. It was in relation to an ongoing class-action suit against Google for perceived privacy infringements.

Considering the many services out there for which there are privacy concerns, coupled with the recent revelations that the National Security Agency (NSA) has been secretly gathering data from a variety of sources (including email, telephone and social media), the question we should ask is whether you should expect privacy on the Internet at all?

Email is not the only online service that threatens your privacy. Your Amazon shopping, Facebook updates, Dropbox files and Google searches are all areas of concern. Recently, a couple’s home was raided by SWAT when they searched for “pressure cookers” and “backpacks”.

Further, for files on Dropbox, the Terms of Service (TOS) says that “Dropbox employees are prohibited from viewing the content of files,” but goes on to say that they have “a small number of employees who must be able to access user data”. Several months ago there was a huge brouhaha about who owned the files on Dropbox. Yet, after all of that, people went right on using Dropbox, and they are still rapidly growing.

We’ve actually given up some privacy for more convenience. Google analyses your browsing history so it can display ads that are relevant to you. Amazon analyses your shopping habits to recommend products that you might find useful (although it can be debated whether that is a good thing). Dropbox analyses your files so that they can perform de-duplication, which reduces their storage requirements and thus allows them to offer you free space.

Are you willing to give these up? Or can we have the best of both worlds? Convenience and security? Privacy and free services? It would be nice, but I don’t think we can.

What do you think? I am interested in hearing your views.

Image credit:  Stuart Miles / FreeDigitalPhotos.net

______________

Imagine putting your baby to sleep and leaving her room. Later you hear the voice of a strange man coming from inside, saying lewd and derogatory statements. Sounds like a movie doesn’t it? Only that is exactly what happened to a Texas couple a few days ago. And no, it wasn’t a ghost, but a man who had hacked into the Internet connected baby monitor and was speaking through it.

The hacked monitor was probably not made secure by the owners, but how many of us know how to do that? What researchers have found when investigating similar vulnerable devices is that many of those devices were running without any security enable, using default administration credentials, or running an old, insecure version of the device software.

As the Internet of Things becomes more prevalent, there are more and more everyday devices being connected to the internet, and more and more risks that people are just not aware of. Such risks and threats are not confined to baby monitors, but also to home automation systems, smart energy meters, smart TVs, and even medical devices.

Many manufacturers do not think about security when creating their products. And to be fair, the baby monitor manufacturer from above has been known to have equipment with similar vulnerabilities. These devices are meant to be created cheaply and quickly.

So what can the typical consumer do to protect themselves?

1. RTFM – Read the ‘Fine’ Manual. Ensure that you understand how the device works and how to configure it. Look particularly for security settings and how to get and install updated software for the device.
2. Give it a secure password. If you can supply a different administration username, do it. Make sure to use a strong, secure password.
3. Get and install the latest device software. Subscribe to updates from the manufacturer, if available, so that you can be alerted of any potential issues.
4. Install the device behind a firewall if you can. Even small consumer firewalls nowadays come with some pretty good security features.
5. Depending on how critical the device is, turn it off when not in use. Not only is the device most secure then, you also save energy.
6. Create a Google Alert for the product name and model, and use keywords such as “security”, “vulnerability” and “risk”.
7. Lastly, if you are unsure of anything, ask for help. Even the device manufacturers themselves may have support options available for you.

Internet connected devices are meant to provide convenience and make your lives easier. And they still can, once you take the appropriate steps to understand the risks of such technologies and protect yourself against them.

Stay safe out there…

Image credit:  Nutdanai Apikhomboonwaroot (FreeDgitalPhotos.net)

_____________