
Never, Ever, Send Confidential Stuff via Email

Do you send private, confidential or secure information inside an email? Don’t. Never. Ever.

You might already know that emailing from a public Wifi hotspot is a huge problem since it is so incredibly insecure (see my post You’re in Danger on Public Wifi! for more). Since all of your information passes in the clear, it’s trivial for someone to snag it and read it or download the attachments.

The kicker? Email heading across the internet, sitting on a mailserver, or being retrieved by someone else in a non-secured way means that your private, confidential, secure information is also exposed.

Two reasons you should care about your email getting hacked.



NSA: Why are you not focused on protecting the nation?

Reading the German publication Der Spiegel’s article called Prying Eyes: Inside the NSA’s War on Internet Security this weekend, like them I was struck by something that has been on my mind for over ten years: why don’t the U.S. intelligence services, and specifically the National Security Agency (NSA), do more to protect the nation?

What came out in the Edward Snowden revelations was that the NSA is, without question or doubt, working feverishly to crack all encryption and is also working hard to build a quantum computer that will crack what little unbreakable encryption we still enjoy today.

Any of us in information technology, web or mobile app creation, and any sort of data security at all know that if something has been cracked, regardless of whether it’s some kid in Norway or a state-based intelligence service, it is only a matter of time before the blackhat hackers discover it and exploit the crack.



You’re in Danger on Public Wifi!

Illustration by Kristina Collantes

If you ever connect to a public Wifi hotspot, you owe it to yourself to spend 4-5 minutes and read this article by Maurits Martijn called “Maybe It’s Better If You Don’t Read This Story on Public WiFi” (subtitled: “We took a hacker to a café and, in 20 minutes, he knew where everyone else was born, what schools they attended, and the last five things they googled.”)

I want to make thousands of copies of that article and give them to every single person I see in every public Wifi location everywhere!

Let me say it as emphatically as I can, if you’ve read this far: you are an idiot if you connect to any public Wifi without running a virtual private network (VPN) connection (like the one I use, Private Internet Access, for $39.99/year for 5 devices). If you don’t, it’s not “if” you will get hacked but rather “when” it will happen to you.

To show you how pervasive and simple it is to hack your laptop, smartphone or tablet when you connect willy-nilly to some public Wifi hotspot, let me give you a glimpse at what I can only describe as a…

HACKER’S DREAM MACHINE

The Wifi Pineapple, a $99.99 black box which makes it trivial for a hacker to steal you!

Because I’ve known the risks for nearly ten years, I’ve been paranoid about public Wifi locations since 2005 and wrote about being “naked in a coffee shop” here, here and here. But to show you how brain-dead-simple it has become to BE a hacker, wait until you read about a black box called the Wifi Pineapple that you can buy, for $99.99, which lets anyone who has one:

  • Run a man-in-the-middle attack, essentially spoofing a public Wifi connection and even impersonating the actual, real network connection (whether open or secured). How many times have you connected to Wifi that said “Coffee Shop Guest” or “Free Public Wifi”? Sometimes they’re real; mostly they are not. You can almost never be certain.
  • Monitor all network traffic flowing between an Internet gateway and the connected clients (like your laptop, smartphone or tablet!), as well as manipulate that data in transit through captive portals, DNS spoofing, IP redirection and even the substitution of executables in transit (so that file you’re downloading might be coming off of the attacker’s laptop!).

There’s a lot more you can do with this device, and Hak5, the group that makes it, is certainly gleeful about all the rogue crap it can do:

“…the WiFi Pineapple is more than a platform – it’s a community for creativity. Rickrolling clients, powering off WiFi drones mid-flight, tracking commercial airliners and logging WiFi connections are only some of the creative things being done within the WiFi Pineapple community.”

On the Hak5 forums they even have a section entitled “WiFi Pineapple University” to help users teach other users about this ‘fun’ little box.

The good news? If you run a VPN and inadvertently connect to “Coffee Shop Guest” and it’s actually a spoofed connection through one of these black boxes, the hacker would only see encrypted traffic! Everyone else’s internet traffic—Facebook login, bank password, credit card data—would mostly be going in the clear. (Note: I know that an actual SSL connection would encrypt traffic in the browser, and so do most smartphone and tablet apps, but more sophisticated hackers can even spoof SSL connections so that your browser thinks it is securely connecting…but it is not).

I must admit that, even though I’m more appalled by the activities of our government and mass surveillance of U.S. citizens in what I believe is a direct violation of our Constitution, boxes like this one target individuals with a lot to lose. It’s not right and not fair and I hope I never catch someone using one in a public place or…


Privacy Does Matter

Glenn Greenwald was one of the first reporters to see — and write about — the Edward Snowden files, with their revelations about the United States’ extensive surveillance of private citizens. In this searing talk, Greenwald makes the case for why you need to care about privacy, even if you’re “not doing anything you need to hide.”


Thank you, Apple, for iPhone Encryption

Though our national security is an absolute imperative, after the Edward Snowden revelations about mass NSA surveillance (what most of us see as a direct violation of our Constitution, along with the practice of passing that data to the DEA, FBI, IRS and local law enforcement), the intelligence community made their bed…and now they have to lie in it.

From Wired’s article called Apple’s iPhone Encryption Is a Godsend, Even if Cops Hate It:

It took the upheaval of the Edward Snowden revelations to make clear to everyone that we need protection from snooping, governmental and otherwise. Snowden illustrated the capabilities of determined spies, and said what security experts have preached for years: Strong encryption of our data is a basic necessity, not a luxury.

And now Apple, that quintessential mass-market supplier of technology, seems to have gotten the message. With an eye to market demand, the company has taken a bold step to the side of privacy, making strong crypto the default for the wealth of personal information stored on the iPhone. And the backlash has been as swift and fevered as it is wrongheaded.

Though this is clearly the right thing for Apple’s business (especially if they continue to hope to sell in countries like China; see Apple iPhone a danger to China national security), I still want to say, “Thank you Apple…seriously.”


NSA Files Decoded

The Edward Snowden revelations about the U.S. National Security Agency (NSA) and its vacuum surveillance sadly seem to be fading from the public consciousness. Undoubtedly this is viewed as a positive by the intelligence community, since they are continuing to accelerate their programs, now seemingly unabated.

Awareness is one reason I was pleased to see this article, The Guardian wins an Emmy for coverage of NSA revelations. Their multimedia piece NSA Files Decoded is one of the best, most comprehensive and informative (dare I say “entertaining”?) pieces I’ve seen yet. Congratulations to The Guardian team!

If you care at all about the world our children and grandchildren will inherit, then you owe it to yourself to watch the videos or read articles at NSA Files Decoded. You might also consider paying attention to a relatively new website, The Intercept, so that you can stay aware, stay informed, and not be one of those who are naive about the unprecedented and growing power of the intelligence community and its surveillance of all U.S. citizens.


Frontline’s United States of Secrets


Last night was part two of the PBS Frontline program called United States of Secrets. It was one of the best, most thorough overviews of what is going on with the NSA’s vacuum surveillance that I’ve ever seen.

You owe it to yourself, and the future of our children, to be aware of what’s going on.

NSA Finally In The Light

I’ve been deeply concerned about the massive, sweeping surveillance going on for over TEN YEARS! Whenever I bring up this topic (and online security in general), too many of my family and friends just shrug and say, “Oh well.” Frankly, I just don’t understand why most people don’t seem all that concerned about the fundamental erosion of our liberty caused by the NSA’s mass surveillance.

Thankfully the Edward Snowden whistleblowing finally shined a light on what I intrinsically knew was going on shortly after 9/11 (see Snowden’s revelations and the overall controversy at The Guardian’s NSA Files website section). Yes, I feel vindicated for my paranoia but that attestation is not something I longed for…instead I hoped the government’s drive to classify their constitutional violations and illegal activities as “keeping America safe from terrorism” would stop.

Unfortunately that whistleblowing has made it increasingly hard for companies who sell their technology outside of the United States. For example, the NSA was inserting hardware in Cisco routers which caused CEO John Chambers to write a letter to President Obama asking for it to cease…now.

We’ve only seen the beginning of the backlash and erosion of our competitiveness around the world since no one trusts us anymore.


Skype to be renamed “Scrape”?

Something happened four and a half years ago that made me stop and wonder what the hell really happened: Skype was mysteriously taken offline, so I dashed off this post: Skype. How big *is* the back door?

Confirmation of my paranoia back then has become clearer with articles about how Microsoft has set up Skype to be “scraped” by the National Security Agency, like this one, Skype: Reportedly Funneling Your Calls To PRISM Since 2011:

Skype, long thought to be a privacy haven for its encrypted communication, reportedly began integrating its systems into the NSA’s PRISM program as early as November of 2010, nearly a year prior to joining Microsoft in the fall of 2011, according to a new report from the Guardian.

Skype reportedly began sending audio and text messages to the NSA, which shared the data with the FBI and CIA. The Guardian also reported that Skype, under the helm of Microsoft, worked closely with the NSA to enable the collection of video calls starting in July 2012.

Or this one, Microsoft Hints Skype Calls May Be Fair Game for NSA:

Microsoft indirectly hinted that Skype communications can be intercepted and handed over to the National Security Agency, according to two privacy and security researchers’ interpretation of the latest statement by the company regarding NSA surveillance.

For security experts, that means Skype calls are at the mercy of NSA requests, just like traditional phone calls made with landlines or cellphones. In other words, the U.S. government, through its PRISM program, can legally compel Microsoft to hand over Skype communications, something that the company previously denied was even possible at a technical level.

I always try to leverage my strengths and use them to see what’s coming next. Rarely do I take at face value any announcement, strategic move or even terrorist ‘attack’, since I’ve been wrong every single time I did so. Only when I try to read between the lines, or do a smell test on whether something feels right, all while taking into consideration the facts I’ve been sticking in my brain through all my research and knowledge, do I become paranoid enough to take action. One such action is to move off of Skype. More on that to come…

Good discussion from a quite varied group of folks on This Week on ABC:


The Ends Justify The Means?

I was at two high school grad parties yesterday and found myself having disheartening conversations with several young people who had just graduated high school. We talked about what they’d be doing post-high school, their visions of their future lives and whether they thought what they wanted to do was achievable, and what kind of world they thought they were inheriting from those of us who are close to passing it on to them.

I was not prepared to hear their sense of sadness, fear, pessimism and, especially, their true befuddlement that the BIG lesson they had been taught by those in power was that:

  1. It was OK to lie to the world to start a war and no one is held accountable
  2. If you are a huge financial institution and instrumental in facilitating a global economic meltdown, not only will you not go to jail but your company is saved and it’s back to business (and bonuses) as usual within a year or two and no one is held accountable
  3. That a “terrorism Pearl Harbor” is excuse enough to spend trillions abroad while at home our infrastructure fails and our country embarks on the largest runup in mass surveillance while trampling on our Constitution’s Fourth Amendment and no one is held accountable (at least not yet)
  4. The richest and most powerful nation on earth has the highest incarceration rate in the world, while many of the crimes (especially ironic compared to no jail time for those in #2 above) are petty in nature.

While I tried to continually steer the conversations toward a more positive note (part of their funk might have been partially attributable to our crappy, rainy weather yesterday), they continued to be gloom-and-doomsters about the state of our country and how uncertain they felt about the future.

The lessons taught to (and learned by) these young people? The ends justify the means. Makes me wonder if the next several decades may make many of these young people look more like a Gordon Gekko character than a Mother Theresa, and whether our country’s ethical decline is now systemic, with most of the skids greased to make it easier for the United States to become a totalitarian country.


Google Chrome: Why I Said, “No thanks”

Though I use Google Chrome all day, every day…I radically minimize the use of plugins and extensions. Why? Because it’s like going to the hardware store to get a new house key made and having to agree in writing that, “You agree the locksmith can make a duplicate key and use it whenever he/she cares to do so.”

The thing is, as I described in my September 2011 post, “Don’t Just ‘Allow’ Permissions for Cloud Apps,” there are just too many opportunities for rogue infiltration of my computers if I load extensions that are inherently insecure (because I’d have to grant access to all my tabs, web history and more). I don’t agree willy-nilly to terms and conditions; I actually think through what sorts of potential insecurities and “holes” I’m opening myself up to if I choose to use an extension or plugin.

Google makes it clear that you have to be very, very careful when you load Google Chrome extensions. I’m often blown away when I see how many developers, many of whom are outside the U.S., deliver NPAPI extensions. Google says on that page that developers should strongly consider these security considerations with NPAPI:

Including an NPAPI plugin in your extension is dangerous because plugins have unrestricted access to the local machine. If your plugin contains a vulnerability, an attacker might be able to exploit that vulnerability to install malicious software on the user’s machine. Instead, avoid including an NPAPI plugin whenever possible.

Though Google is working on an experimental new plugin/extension API called “Pepper,” today I decided (in advance of a client session) to experiment with Google Remote Desktop. It works well and my client uses Chrome, but when I went to install the extension on my main machine I encountered this:

Chrome Remote Desktop 'agreement'

Wait a second. What is that last sentence, “Perform these operations when I’m not using the application,” that I’m agreeing to if I install it?

Figuring that it would be fast to discover more detail behind that bullet point and get comfortable that I wasn’t opening myself (and our entire office network) to who-knows-what, I did a Google search on that phrase. Basically I found nothing. Then I went to the Google Chromium project (the project behind Chrome, ChromeOS, etc.) and looked at their “security brag sheet.” Again, nothing.

Does this mean that, if my computer and Chrome are running and I’m not around, Google (or whomever they grant access to) can view any of my computer’s desktops? Security neophytes would think, “Come on…your locksmith analogy is a straw man argument and Google would never allow that sort of intrusiveness.” Maybe, but if CISPA passes (PDF), as I posted about yesterday, Google won’t have a choice about opening up desktops to intelligence and policing agencies (though, in Google’s defense, they are rattling their sabers).

I clicked “No thanks” to using Google Remote Desktop until Google reveals (and their description is verified by security specialists) that Google Remote Desktop isn’t a backdoor. You should too, until Google makes it crystal clear what we’re signing up for when we install their, and third-party, extensions.