Tag Archive for Privacy

Don’t Know Much Security

Don’t Know Much SecurityWith apologies to Otis Redding, Americans don’t know much about security. They don’t know much privacy, or the SPAM they took. A new Pew Research Center survey, “What the Public Knows About Cybersecurity” quizzed 1,055 adults about their understanding of concepts important to online safety and privacy. The results of the Pew survey are unsettling.

questions about cybersecurityThe Pew Research survey asked 13 questions about cybersecurity. The median score was five correct answers. Just 20% answered eight questions correctly. A relatively large percentage of respondents answered “not sure” to questions rather than providing the wrong answer.

Most Americans don’t know how to protect themselves. Only 10% were able to identify one example of multi-factor authentication when presented with four images of online log-in screens.

Most Americans still unknowingly allow themselves to be tracked across the web. 61% of those surveyed were not aware that Internet Service Providers can still see the websites their customer visit even when they’re using “private browsing” on their search engines.

Internet securityA slight majority (52%) of people recognized that just turning off the GPS function on smartphones does not prevent all tracking of the phone’s location. Mobile phones can be tracked via cell towers or Wi-Fi networks.

Only 54% of respondents correctly identified a phishing attack. For cybercriminals, phishing remains a favorite trick for infecting computers with malware. Phishing schemes usually involve an email that directs users to click on a link to an infected website.

phishing attackComputer security software does a good job of blocking most phishing schemes, Stephen Cobb, security researcher for anti-virus software firm ESET told told Phys.org, including many advanced spear phishing attacks targeting people with personalized information.

Retired Rear Adm. Ken Slaght, head of the San Diego Cyber Center of Excellence, a trade group for the region’s cybersecurity industry told KnowB4.

It is probably our No. 1 concern and No. 1 vulnerability … These attackers keep upping their game. It has gone well beyond the jumbled, everything misspelled email.

cybersecurity2/3’s of Americans tested, could not identify what the what the ‘s’ in ‘https‘ meant. The article explains that the ‘s’ stands for secure, with website authentication and encryption of digital traffic. It is used mostly for online payments. Security researchers often suggest computer users check the website addresses – known as the URL – as a first step before they click on a link. ESET’s Cobb said, “You wonder if people know what a URL is … Do they know how to read a URL? So there is plenty of work to be done.”

In the most puzzling finding to me, 75% of participants identified the most secure password from a list of four options. And yet followers of Bach Seat know that year after year passwords suck. Could it be that Americans just don’t care about the online security?

Insecure passwordsFortunately some Americans also recognize that public Wi-Fi hotspots aren’t necessarily safe for online banking or e-commerce. The mixed security results highlights that staying secure online is not a priority for Americans at work or at home.

The Wall Street Journal also covered the Pew findings and quoted Forrester: “The percentage of security and risk professionals citing “security awareness” as a top priority rose to 61% last year, from 56% in 2010.”

In the enterprise,Heidi Shey, a senior analyst at Forrester, told CIO Journal that security awareness training isn’t always effective, since it’s often conducted once a year as a compliance issue and involves lists of dos and don’ts.

The human element is important in safeguarding a firm against cyberattack, since it’s both a first line of defense as well as a weak link. Successful awareness efforts are focused on enabling behavioral change, and typically customized and specific to an organization, its workforce, and relevant risks.

rb-

The data from Pew says that enterprise and home users need to be more security aware. Technology can’t solve stupid so users have to be the last line of defense.

Related articles

Ralph Bach has blogged from his Bach Seat about IT, careers and anything else that catches his attention since 2005. You can follow me at Facebook and Twitter. Email the Bach Seat here.

Vizio TVs Sell Your Viewing Habits

Vizio TVs Sell Your Viewing Habits– Updated 03-26-2017 –  Vizio will pay $2.2 million to the FTC and the state of New Jersey to settle a lawsuit alleging it collected customers’ TV-watching habits without their permission.

In addition to the $2.2 million in payments, Vizio will now have to get clear consent from viewers before collecting and sharing data on their viewing habits. It’ll also have to delete all data gathered by these methods before March 1st, 2016 according to the Verge.

Just in time for the Black Friday consumerism orgy of spending, Help Net Security reports that you are giving away more than cash when you buy a Smart TV from Best Buy or whoever. It turns out that owners of Smart TVs manufactured by California-based consumer electronics company Vizio (VZIO) viewing habits are being tracked and sold to third parties. The Vizio the privacy policy says;

Vizio… VIZIO will use Viewing Data together with your IP address and other Non-Personal Information in order to inform third party selection and delivery of targeted and re-targeted advertisements … delivered to smartphones, tablets, PCs or other internet-connected devices that share an IP address or other identifier with your Smart TV.

Vizio’s competitors Samsung (005930) and LG Electronics (LGLD) can also track users’ viewing habits via their smart TV offerings, ProPublica‘s Julia Angwin pointed out, but the feature has to be explicitly turned on by the users. The collection of viewing data by Vizio’s Smart TVs is turned on by default, as is the Smart Interactivity feature that manages it.

Data miningAccording to the IEEE, Vizio smart TVs can track data related to whatever TV programming and related commercials you’re watching and link such data with the time, date, channel, and TV service provider. On most of the over 15 million Smart TVs sold, Vizio will also track whether you view TV programs live or later on. Vizio knows what you’re watching even if it’s a DVD being played on a gaming console or show being watched via cable TV. The identification tracking technology can differentiate between 100 billion data points.

While, in theory, IP addresses are not personal information, they actually can be linked to individuals if there is enough information (specific attributes like age, profession, etc.) tied to it.

Data collectionProPublica‘s Angwin’s sources, tell her that Vizio has been working with data broker Neustar to combine viewing data with this type of information about the user.

Even though users can turn off the spy technology, which will not won’t affect the device’s performance, the problem is that many, many users won’t bother reading the privacy policy or change the default settings once they set up the TV and start using them.

LawsuitTechHive reports that backlash against the intrusive spying has started. Two lawsuits (Reed v. Cognitive Media Network, Inc. (PDF) and David Watts et. al. v Vizio Holdings Inc et. al. (PDF)) have been filed in California against Vizio and their partners about their data collection habits.

The suits accuses Vizio and Cognitive of secretly installing tracking software on the former’s smart TVs in a way that violates various federal and state laws.

The suits allege that Vizio violated the Video Privacy Protection Act. The Video Privacy Protection Act prohibits any company engaged in rental, sale or delivery of audio-visual content and not necessarily just video tapes from divulging any personally identifiable information about its customer to a third-party, except where the customer has clearly consented to such data sharing.

Of course, Vizio has previously argued it’s not a video tape service provider at all, and so this particular law doesn’t apply to it.

rb-

I pointed out as far back as 2011 that Smart TV’s are a dumb idea for privacy.

Consumer Reports offers tips on how to stop your Smart TV from spying on you here.

 

Related articles

Ralph Bach has been in IT for fifteen years and has blogged from his Bach Seat about IT, careers and anything else that catches his attention since 2005. You can follow me at Facebook and Twitter. Email the Bach Seat here.

Online Security in Era of Connected Cars

Online Security in Era of Connected CarsKarl-Thomas Neumann, CEO of General Motors (GM) European Opel brand announced that GM would launch OnStar telematics service in vehicles sold in Europe in late 2015. The Opel CEO declared the new technology, “transforms the car into a true part of the Internet of things.” Despite GM’s fascination with the technology, The Detroit Bureau says it also raises some of the same concerns consumers face on the Internet, including how to protect their privacy.

connected carEven though a growing number of consumers who have embraced the idea of having mobile access to smartphone apps, built-in Wi-Fi and the safety and security promised by systems like OnStar issues loom that consumers, manufacturers and regulators need to address. At the 2014 Consumer Electronics Show, Jim Farley,  then the top marketing executive at Ford Motor Company (F),  told an audience that the automaker “know(s) everyone who breaks the law, we know when you’re doing it,” thanks to the data collected by its OnBoard Sync technology system.

Despite a quick backtrack by Mr. Farley, the article says he was being truthful. The fact is, with the on-board black boxes in most cars are now equipped with the two-way capabilities. Privacy has become “a big issue,” according to Jon Allen, a principal with consulting firm Booz Allen Hamilton who focuses on security issues. Precisely what makes such technology so compelling is why it is also so worrisome. Mr. Allen told The Detroit Bureau,

Connected products provide customization and convenience because of the data they track. Part of the great opportunity to improve the customer experience is producing a vehicle that ‘learns’ your habits and preferences. But that information must be protected.

Connected car security breachThe EU takes privacy seriously and these types of tracking technology have drawn the attention of regulators in Europe and to a lesser extent, in the U.S. The article describes a measure of just how strongly Europeans feel about the issue came during Opel chief Neumann’s news conference. Unlike the U.S. version of OnStar, the European system will include a “Privacy” button to let a user “choose whether they want to provide location information or not.”

That choice would only be over-ridden after a crash severe enough to trigger OnStar’s emergency call system, CEO Neumann explained. It’s designed to call rescue crews in the event of an accident severe enough passengers might be disabled.

Send virtual coupon to a carThere have been experiments with marketing that could target motorists much as Google today can toss ads at a web viewer based on information revealed by hidden “cookies.” Imagine, they suggest, being able to send a McDonald’s ad and virtual coupon to a car driving near one of its restaurants around lunchtime.

While some drivers might embrace that possibility, others are appalled. The Detroit Bureau reports the potential to reveal more detailed personal information, as well as allowing a vehicle to be tracked, is raising flags on both sides of the Atlantic.

Online tracksIn the U.S., an auto industry alliance recently agreed on an approach it called “Privacy Principles for Vehicle Technologies and Services.” (rb- Which I covered here) Meanwhile, both the U.S. Federal Trade Commission and the National Highway Traffic Safety Administration are exploring the issues – though in some cases, they are actually encouraging greater access, noted analyst Allen.

The issue is further complicated by the threat of cyber-criminals exploiting vulnerabilities in vehicle communications systems. rb- I first covered this threat in 2011 here and here. And the theoretical became real in 2015 when researchers demonstrated they could use online systems to take over a Jeep Grand Cherokee.

rb-
The threat to personal freedom and privacy in your car has accelerated as Apple (AAPL) and Google (GOOG) join Microsoft (MSFT) in the battle to rule the car. Apple’s automotive ambition does not stop at CarPlay, they are also focused on developing an iCar . The Google Autonomous Cars are well know, but their efforts to take over the car cockpit are also taking off with Android Auto.

The government is contributing to the connected car conundrum. The Feds are abetting the Autos by trying to prevent security researchers from doing testing and reverse engineering that could improve security and safety for all of us according to Naked Security.

 

Ralph Bach has been in IT for fifteen years and has blogged from his Bach Seat about IT, careers and anything else that catches his attention since 2005. You can follow me at Facebook and Twitter. Email the Bach Seat here.

Snoops Offer Security Tips

Snoops Offer Security TipsIn one of the more ironic, notice I did not say tragic, turns in the post-Snowden era, the National Security Agency (NSA) has published a report with advice for companies on how to deal with malware attacks. FierceITSecurity says the report (PDF) boils down to “prevent, detect and contain.” To be more specific, the report recommends that IT security pros:

  • Information securitySegregate networks so that an attacker who breaches one section is blocked from accessing more sensitive areas of the network;
  • Protect and restrict administrative privileges, in particular high-level administrator accounts, so that the attacker cannot get control over the entire network;
  • Deploy, configure, and monitor application whitelisting to prevent malware from executing;
  • Restrict workstation-to-workstation communication to reduce the attack surface for attackers;
  • Deploy strong network boundary defenses such as perimeter and application firewalls, forward proxies, sandboxing and dynamic analysis filters (PDF) to catch the malware before it breaches the network;
  • Network attackMaintain and monitor centralized host and network logging product after ensuring that all devices are logging enabled and their logs are collected to detect malicious activity and contain it as soon as possible;
  • Implement pass-the-hash mitigation to cut credential theft and reuse;
  • Deploy Microsoft (MSFT) Enhanced Mitigation Experience Toolkit (EMET) or other anti-exploitation capability for devices running non-Windows operating systems;
  • Employ anti-virus file reputation services (PDF) to catch known malware sooner than normal anti-virus software;
  • Implement host intrusion prevent systems to detect and prevent attack behaviors; and
  • Update and patch software in a timely manner so known vulnerabilities cannot be exploited.

The author quotes from the report;

Once a malicious actor achieves privileged control of an organization’s network, the actor has the ability to steal or destroy all the data that is on the network … While there may be some tools that can, in limited circumstances, prevent the wholesale destruction of data at that point, the better defense for both industry and government networks is to proactively prevent the actor from gaining that much control over the organization’s network.

rb-

For those who have not been following along, the TLA’s have been attacking and manipulating anti-virus software from Kasperskey.

We also now know suspect that the TLA’s have compromised at leat one and probably two hardware vendors. The Business Insider recalls, way back in 2013, as part of the Edward Snowden NSA spying revelations.German publication Spiegel wrote an article alleging that the NSA had done a similar thing — put code on Juniper Networks (JNPR) security products to enable the NSA to spy on users of the equipment. 

Over at Fortinet (FTNT) they had their own backdoor management console access issue that appeared in its FortiOS firewalls, FortiSwitch, FortiAnalyzer and FortiCache devices. These devices shipped with a secret hardcoded SSH logins with a secret passphrase.

The article seems like advertising for the TLA’s hacking program.

Ralph Bach has blogged from his Bach Seat about IT, careers and anything else that catches his attention since 2005. You can follow me at Facebook and Twitter. Email the Bach Seat here.

Privacy for Drivers

Privacy for DriversFord Motor Company (F) Global Marketing Director Jim Farley touched off a privacy storm when he told an audience at the Consumer Electronics Show that the automaker is tracking their travels thanks to their in-car navigation systems. He told the crowd in Las Vegas that the automaker tracks driver behavior, “We know everyone who breaks the law, we know when you’re doing it.

Connected carThe auto manufacturers have installed “black-box’s” on most modern cars. The black-boxes are capable of tracking, gathering and storing vehicle information. In fact, the Fed have proposed that such tracking technology become standard equipment on all cars.

Even though Ford quickly backed down from Mr. Farley’s claims, the comments created a privacy fire-storm. As a result, TheDetroitBureau.com reports that privacy advocates accelerated increased pressure on manufacturers to reveal what info that collect on “black-box’s” they’re doing with the personal data they do collect – and put limits on how it can be used.

Cloud based cars

In response, a group of 19 automakers have gotten together to lay down some ground rules, which they hope will assuage fears about the accessibility and use of the material. According to the article, the makers say the information won’t be given to government officials or law enforcement agencies without a court order, sold to insurance companies or other companies without their permission. The automakers agreeing to the “rules,” which they submitted to the Federal Trade Commission, include: Aston Martin, BMW, Chrysler (FCAU)  Ferrari, Ford, General Motors (GM), Honda (HMC) Hyundai, Kia, Maserati, Mazda, Mercedes-Benz, Mitsubishi, Nissan, Porsche, Subaru, Toyota, Volkswagen and Volvo.

Future carThe author speculates that the auto makers are willing to abide by the self-imposed “rules” because they believe actual laws could become onerous. Sen. Edward Markey, D-MA is skeptical of the impact of the “rules” he called them “an important first step,” but said it remains unclear “how auto companies will make their data collection practices transparent beyond including the information in vehicle manuals.” He noted that the automakers did not provide consumers with an opt-out option for whether sensitive information is collected in the first place. He plans to legislate an answer. He said in a statement, “I will call for clear rules — not voluntary commitments — to ensure the privacy and safety of American drivers is protected,” Markey said in a statement.

The automakers also committed to “implement reasonable measures” to protect personal information from unauthorized access. Privacy experts are concerned that in recent years many vehicles have had a variety of GPS and mobile communications technology built into them.

Cloud securityThe TheDetroitBureau explains these devices record and send all types of information which privacy advocates are afraid the data could be used by the government against the owners of vehicles. Some worry that many three-letter agencies and law enforcement will use data from the device to track citizens. Marc Rotenberg, executive director of the Electronic Privacy Information Center said legislation is needed to ensure automakers don’t back off their self-imposed “rules” when they become inconvenient. He said,

You just don’t want your car spying on you. That’s the practical consequence of a lot of the new technologies that are being built into cars.

The black boxes now installed in new vehicles could also be a safety issue for drivers. The article speculates that the rising level of interactivity of cars could open the door for pop-up ads in the cars. These automakers “rules” do not eliminate the possibility that Pop-up ads could appear on the touch screens of cars, trucks and SUVs as folks are motoring down the road.

One loophole in the guidelines identified in the blog, if customers agree at the time of their vehicle purchase, they could receive messages from advertisers who want to target motorists based on their location and other personal data according to the author. The possibility of pop-up ads popping up on in-car touch screens while drivers are behind the wheel worries some safety advocates. Henry Jasny of Advocates for Highway and Auto Safety, warned the Associated Press.

There is going to be a huge amount of metadata that companies would like to mine to send advertisements to you in your vehicle … We don’t want pop-up ads to become a distraction.

rb-

Three letter agencyThe road to hell is paved with good intentions and full of pot-holes. I covered Cisco’s try at monetizing driver data here.  Industry officials say they want to assure their customers that the information that their cars stream from the vehicle’s computers to automakers (or Feds) via OnStar. Sync, Automatic, In-Drive or Car-Net won’t be handed over to authorities without a court order, sold to insurance companies or used to bombard them with ads for pizza, gas stations or other businesses they drive past, without their permission.

Ralph Bach has been in IT for fifteen years and has blogged from his Bach Seat about IT, careers and anything else that catches his attention since 2005. You can follow me at Facebook and Twitter. Email the Bach Seat here.