Privacy | Bach Seat

Tag Archive for Privacy

RB | July 7, 2018

Comments Off

RIP Yahoo Messenger

Do you remember Yahoo Messenger? It was popular in the late ’90s and early 2000s when there were only two messengers to communicate with your friends and family. Well … the remnants of Yahoo nee Verizon recently announced the end of Yahoo Messenger. Verizon (VZ)/Yahoo announced that they will disable the Yahoo Messenger service after July 17th, 2018. (rb- yes Yahoo Messenger was still a thing – in the face of Apple‘s (AAPL) FaceTime, Telegram, Snapchat, and Facebook‘s (FB) WhatsApp).

According to the Oath website, YIM had 122.6 million users at its peak. In the FAQ announcing the shutdown, Yahoo said, “We know we have many loyal fans who have used Yahoo Messenger since its beginning … As the communications landscape continues to change over, we’re focusing on building and introducing new, exciting communications tools that better fit consumer needs.” If you’re looking for a Messenger replacement from Yahoo, they recommend Squirrel, which is in closed beta and by invite only. But why?

YIM leaves a dubious security legacy, as all “free” web products do. In 2007 there were reports that up to 75% of the users in Yahoo Messenger were SPAMBots. In 2010 all Yahoo systems and customer email accounts were hacked by the Chinese military in “Operation Aurora.” In Operation Aurora the Chinese also attacked Adobe (ADBE ), Dow Chemical, Google (GOOG) Juniper Networks (JNPR ), Morgan Stanley, Northrop Grumman (NOC ), Rackspace (RAX), and Symantec (SYMC).

In 2014 The Guardian reported that The British intelligence agency Government Communications Headquarters (GCHQ)’s secret mass surveillance program Optic Nerve and National Security Agency (NSA) were indiscriminately collecting still images from Yahoo webcam streams from millions of mostly innocent Yahoo webcam users, among other things creating a database for facial recognition for future use. Optic Nerve takes a still image from the webcam stream every 5 minutes. Also in 2014 Yahoo was also hit by a hack that affected around 500 million people.

In September 2016, The New York Times reported that Yahoo’s security team, had pressed for Yahoo to adopt end-to-end encryption sometime between 2014 and 2015, but senior leadership resisted, “…because it would have hurt Yahoo’s ability to index and search message data.”

In 2017 Yahoo announced that all of its customer’s accounts were compromised. Allegedly Yahoo did not detect the full extent of the 2013 hack until 4 years later. In 2017, Yahoo announced that all 3 billion accounts were compromised.

You can download your chat history for the next 6 months at this download request site. Yahoo will email your chats to you. If you have anything you want to save from Yahoo Messenger, it’s a good idea to get a copy, because users will be unable to sign in to the service after July 17th.

rb-

YIM is not the first long-standing chat app to shut down – AOL Instant Messenger shut down December 15, 2017. But Yahoo Messenger was one of the few old-school messaging services left.

Related article

The Secret to Disconnecting? Bring Back the ‘Away’ Message (The Wall Street Journal)

Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedIn, Facebook, and Twitter. Email the Bach Seat here.

Category: Uncategorized | Tags: 2018, AOL, Breach, Business, China, Data, Edward Snowden, Instant messaging, Operation Aurora, Optic Nerve, Privacy, RIP, Spambot, Verzion, VZ, Yahoo

RB | October 25, 2017

Comments Off

Biometrics Hype

Followers of the Bach Seat know biometrics have a limited value in replacing passwords. Despite the technical flaws another round of biometric hype is rolling across the Intertubes. The latest round of biometric hype is coming from Samsung (005930). In the hope to revive their brand, Samsung has released the Galaxy S8. The Samsung Galaxy S8 includes the ability to use facial recognition software to unlock your brand new phone. CNet says that this idea “sounds awesome.”

However, this awesome idea appears to lower the bar for your security. CNet reports that the video blogger MarcianoTech demonstrated a pre-release version of the Galaxy S8 being unlocked using just a photo (at the 1:09 mark). To their credit, Samsung has acknowledged that the Face Unlock feature is more for convenience than for security. The biometric feature cannot be used for mobile payments. While weak facial recognition software may be a convenience for the user, it could also be very convent for others, too.

The troubles with Face Unlock date back to 2011. In 2011 SlashGear reported that Google (GOOG) admitted the security system could be fooled by a picture of you and not the real thing. CNet reports that the technology was developed by PittPatt, a startup originating from Carnegie Mellon University, which was later acquired by Google.

FBI’s facial recognition database

The Guardian reports during testimony before congress the FBI admitted that about half of adult Americans’ photographs are stored in facial recognition databases that can be accessed by the FBI. About 80% of photos in the FBI’s network are non-criminal entries, including pictures from driver’s licenses and passports from 18 states including Michigan.

The FBI first launched its advanced biometric database, Next Generation Identification (NGI), in 2010. NGI augmented the old fingerprint database with further capabilities including facial recognition. The bureau did not tell the public about its newfound capabilities nor did it publish a privacy impact assessment, required by law, for five years.

Unlike with the gathering of fingerprints and DNA, which is done following an arrest, photos of innocent civilians are being collected proactively. The FBI made arrangements with 18 different states to gain access to their databases of driver’s license photos.

“I’m frankly appalled,” said Paul Mitchell, a congressman for Michigan. “I wasn’t informed when my driver’s license was renewed my photograph was going to be in a repository that could be searched by law enforcement across the country.”

rb-

So anyone with a photo of you, or maybe even just access to your Facebook (FB) photos, could potentially access your phone. There are two important reasons why biometrics won’t work, and why the old-fashioned password is still a better option: a person’s biometrics can’t be kept secret and they can’t be revoked.

People expose their biometrics everywhere – they leave fingerprints behind at bars and restaurants, their faces and eyes are captured in photos and film, etc. There’s no real way to hide this data from the world. As far back as 2002, research led by Japanese cryptographer Tsutomu Matsumoto. Matsumoto and his team gummy bears to make artificial fingers that they then used to fool fingerprint scanners. The gelatin-based finger was successful in fooling all 11 devices tested. I wrote about spoofing fingerprints in 2016.

However, it’s the second problem with biometrics that is the really big one: once a person’s biometrics have been compromised, they will always be compromised. Since a person can’t change their fingerprint or whatever biometric is being relied upon, it’s ‘once owned, forever owned.’ That is biometrics’ major failing and the one that will be hardest to overcome.

Part of the reason is that it’s silly to only have 10 possible passwords your whole life (20, if you count toes) but unlike a password, once a biometric is compromised, it is permanent. Today, if your Twitter account gets hacked, you just change the password – but if you are using a biometric, you will be stuck with that hacked password for the rest of your life.

With the release of Windows 10, Microsoft stepped up its biometrics game. CNet reports that with the recent improvements in Windows 10 biometric security includes facial recognition software. Besides facial recognition, Windows Hello also supports other biometric factors to secure your PC. Some of the factors are fingerprints and iris recognition. For facial recognition though, Microsoft (MSFT) has partnered with chipmaker Intel (INTC) for its RealSense 3D camera tech to get the job done. RealSense uses depth-sensing infrared cameras to track the location and positions of objects. Microsoft uses RealSense to scan a person’s face or iris before unlocking the device in question.

To further push the biometrics agenda, more than 200 companies including Microsoft, Lenovo, Alibaba, and MasterCard have already come together to form a partnership known as the FIDO (Fast Identity Online) Alliance. FIDO was founded in 2013 to address issues such as a worldwide adoption of standards for authentication processes over the Web to help reduce reliance on passwords.

Related article

Facial recognition technology is everywhere. It may not be legal. (Washington Post)

Category: Uncategorized | Tags: 2017, Biometrics, Facial recognition, FBI, FIDO, GOOG, Google, INTC, Intel, Michigan, Microsoft, MSFT, PII, Privacy, Samsung, Security

RB | June 29, 2017

Comments Off

Don’t Know Much Security

Don’t Know Much Security With apologies to Otis Redding, Americans don’t know much about security. They don’t know much privacy or the SPAM they took. A new Pew Research Center survey, “What the Public Knows About Cybersecurity” quizzed 1,055 adults about their understanding of concepts important to online safety and privacy. The results of the Pew survey are unsettling.

The Pew Research survey asked 13 questions about cybersecurity. The median score was five correct answers. Just 20% answered eight questions correctly. A relatively large percentage of respondents answered “not sure” to questions rather than providing the wrong answer.

Most Americans don’t know how to protect themselves. Only 10% were able to identify one example of multi-factor authentication when presented with four images of online log-in screens.

Most Americans still unknowingly allow themselves to be tracked across the web. 61% of those surveyed were not aware that Internet Service Providers can still see the websites their customer visit even when they’re using “private browsing” on their search engines.

A slight majority (52%) of people recognized that just turning off the GPS function on smartphones does not prevent all tracking of the phone’s location. Mobile phones can be tracked via cell towers or Wi-Fi networks.

Only 54% of respondents correctly identified a phishing attack. For cybercriminals, phishing remains a favorite trick for infecting computers with malware. Phishing schemes usually involve an email that directs users to click on a link to an infected website.

Computer security software does a good job of blocking most phishing schemes, Stephen Cobb, security researcher for anti-virus software firm ESET told Phys.org, including many advanced spear-phishing attacks targeting people with personalized information.

Retired Rear Adm. Ken Slaght, head of the San Diego Cyber Center of Excellence, a trade group for the region’s cybersecurity industry told KnowB4.

It is probably our No. 1 concern and No. 1 vulnerability … These attackers keep upping their game. It has gone well beyond the jumbled, everything misspelled email.

2/3’s of Americans tested, could not identify what the what the ‘s’ in ‘https‘ meant. The article explains that the ‘s’ stands for secure, with website authentication and encryption of digital traffic. It is used mostly for online payments. Security researchers often suggest computer users check the website addresses – known as the URL – as a first step before they click on a link. ESET’s Cobb said, “You wonder if people know what a URL is … Do they know how to read a URL? So there is plenty of work to be done.”

In the most puzzling finding to me, 75% of participants identified the most secure password from a list of four options. And yet followers of Bach Seat know that year after year passwords suck. Could it be that Americans just don’t care about online security?

Fortunately, some Americans also recognize that public Wi-Fi hotspots aren’t necessarily safe for online banking or e-commerce. The mixed security results highlight that staying secure online is not a priority for Americans at work or at home.

The Wall Street Journal also covered the Pew findings and quoted Forrester: “The percentage of security and risk professionals citing “security awareness” as a top priority rose to 61% last year, from 56% in 2010.”

In the enterprise, Heidi Shey, a senior analyst at Forrester, told CIO Journal that security awareness training isn’t always effective, since it’s often conducted once a year as a compliance issue and involves lists of dos and don’ts.

The human element is important in safeguarding a firm against cyberattack, since it’s both a first line of defense as well as a weak link. Successful awareness efforts are focused on enabling behavioral change, and typically customized and specific to an organization, its workforce, and relevant risks.

rb-

The data from Pew says that enterprise and home users need to be more security-aware. Technology can’t solve stupid so users have to be the last line of defense.

Related articles

Americans must become better at cybersecurity (The Hill)

Category: Uncategorized | Tags: 2017, Authentication, Encryption, HTTPS, Location, Pew Research Center, Phishing, Privacy, Security

RB | November 24, 2015

Comments Off

Television Sells Your Viewing Habits

– Updated 03-26-2017 – Vizio will pay $2.2 million to the FTC and the state of New Jersey to settle a lawsuit alleging it collected customers’ television-watching habits without their permission.

In addition to the $2.2 million in payments, Vizio will now have to get clear consent from viewers before collecting and sharing data on their viewing habits. It’ll also have to delete all data gathered by these methods before March 1st, 2016 according to the Verge.

—

Just in time for the Black Friday consumerism orgy of spending, Help Net Security reports that you are giving away more than cash when you buy a Smart Television from Best Buy or whoever. It turns out that owners of Smart TVs manufactured by California-based consumer electronics company Vizio (VZIO) viewing habits are being tracked and sold to third parties. The Vizio privacy policy says;

… VIZIO will use Viewing Data together with your IP address and other Non-Personal Information in order to inform third party selection and delivery of targeted and re-targeted advertisements … delivered to smartphones, tablets, PCs or other internet-connected devices that share an IP address or other identifier with your Smart TV.

Vizio’s competitors Samsung (005930) and LG Electronics (LGLD) can also track users’ viewing habits via their smart TV offerings, ProPublica‘s Julia Angwin pointed out, but the feature has to be explicitly turned on by the users. The collection of viewing data by Vizio’s Smart TVs is turned on by default, as is the Smart Interactivity feature that manages it.

According to the IEEE, Vizio smart TVs can track data related to whatever TV programming and related commercials you’re watching and link such data with the time, date, channel, and TV service provider. On most of the over 15 million Smart TVs sold, Vizio will also track whether you view TV programs live or later on. Vizio knows what you’re watching even if it’s a DVD being played on a gaming console or a show being watched via cable TV. The identification tracking technology can differentiate between 100 billion data points.

While, in theory, IP addresses are not personal information, they actually can be linked to individuals if there is enough information (specific attributes like age, profession, etc.) tied to it.

ProPublica‘s Angwin’s sources, tell her that Vizio has been working with data broker Neustar to combine viewing data with this type of information about the user.

Even though users can turn off the spy technology, which will not won’t affect the device’s performance, the problem is that many, many users won’t bother reading the privacy policy or change the default settings once they set up the TV and start using them.

TechHive reports that backlash against intrusive spying has started. Two lawsuits (Reed v. Cognitive Media Network, Inc. (PDF) and David Watts et. al. v Vizio Holdings Inc et. al. (PDF)) have been filed in California against Vizio and their partners about their data collection habits.

The suits accuse Vizio and Cognitive of secretly installing tracking software on the former’s smart TVs in a way that violates various federal and state laws.

Legal system The suits allege that Vizio violated the Video Privacy Protection Act. The Video Privacy Protection Act prohibits any company engaged in rental, sale, or delivery of audio-visual content and not necessarily just videotapes from divulging any personally identifiable information about its customer to a third party, except where the customer has clearly consented to such data sharing.

Of course, Vizio has previously argued it’s not a videotape service provider at all, and so this particular law doesn’t apply to it.

rb-

I pointed out as far back as 2011 that Smart TVs are a dumb idea for privacy.

Consumer Reports offers tips on how to stop your Smart TV from spying on you here.

The Internet Of Things – How will it shape the future of business? (techburgh.com)

Category: Uncategorized | Tags: 2015, Big data, Black Firday, Broker, Collection, Data, IEEE, IOT, IP address, ISP, LG, PII, Privacy, ProPubica, Samsung, Security, Smart TV, Vizio, VZIO

RB | October 27, 2015

Comments Off

Online Security in Era of Connected Cars

Karl-Thomas Neumann, CEO of General Motors‘ (GM) European Opel brand announced that GM would launch OnStar telematics service in vehicles sold in Europe in late 2015. The Opel CEO declared the new technology, “transforms the car into a true part of the Internet of things.” The Detroit Bureau says it raises some of the same concerns consumers face on the Internet, including how to protect their privacy in highly connected cars.

Even though a growing number of consumers have embraced the idea of having mobile access to smartphone apps, built-in Wi-Fi, and the safety and security promised by systems like OnStar issues loom that consumers, manufacturers, and regulators need to address. At the 2014 Consumer Electronics Show, Jim Farley, then the top marketing executive at Ford Motor Company (F), told an audience that the automaker “know(s) everyone who breaks the law, we know when you’re doing it,” thanks to the data collected by its OnBoard Sync technology system.

Despite a quick backtrack by Mr. Farley, the article says he was being truthful. The fact is, the onboard black boxes in most cars are now equipped with two-way capabilities. Privacy has become “a big issue,” according to Jon Allen, a principal with consulting firm Booz Allen Hamilton who focuses on security issues. Precisely what makes such technology so compelling is why it is also so worrisome. Mr. Allen told The Detroit Bureau,

Connected products provide customization and convenience because of the data they track. Part of the great opportunity to improve the customer experience is producing a vehicle that ‘learns’ your habits and preferences. But that information must be protected.

The EU takes privacy seriously and these types of tracking technology have drawn the attention of regulators in Europe and to a lesser extent, in the U.S. The article describes a measure of just how strongly Europeans feel about the issue that came during Opel chief Neumann’s news conference. Unlike the U.S. version of OnStar, the European system will include a “Privacy” button to let a user “choose whether they want to provide location information or not.”

That choice would only be over-ridden after a crash severe enough to trigger OnStar’s emergency call system, CEO Neumann explained. It’s designed to call rescue crews in the event of an accident severe enough passengers might be disabled.

There have been experiments with marketing that could target motorists much as Google today can toss ads at a web viewer based on information revealed by hidden “cookies.” Imagine, they suggest, being able to send a McDonald’s ad and virtual coupon to a car driving near one of its restaurants around lunchtime.

While some drivers might embrace that possibility, others are appalled. The Detroit Bureau reports the potential to reveal more detailed personal information, as well as allowing a vehicle to be tracked, is raising flags on both sides of the Atlantic.

In the U.S., an auto industry alliance recently agreed on an approach called “Privacy Principles for Vehicle Technologies and Services.” (rb- Which I covered here) Meanwhile, both the U.S. Federal Trade Commission and the National Highway Traffic Safety Administration are exploring the issues – though in some cases, they are actually encouraging greater access, noted analyst Allen.

The issue is further complicated by the threat of cyber-criminals exploiting vulnerabilities in-vehicle communications systems.

rb-

I first covered this threat in 2011 here and here. And the theoretical became real in 2015 when researchers demonstrated they could use online systems to take over a Jeep Grand Cherokee.

The threat to personal freedom and privacy in your car has accelerated as Apple (AAPL) and Google (GOOG) join Microsoft (MSFT) in the battle to rule the car. Apple’s automotive ambition does not stop at CarPlay, they are also focused on developing an iCar. Google’s Autonomous Cars ambitions are well known, but their efforts to take over the car cockpit are also taking off with Android Auto.

The government is contributing to the connected car conundrum. The Feds are abetting the Autos by trying to prevent security researchers from doing testing and reverse engineering that could improve security and safety for all of us according to Naked Security.

Category: Cars | Tags: 2015, 4G, 5G, AAPL, Android, Apple, Bluetooth, DMCA, F, Ford, FTC, GM, GOOG, Google, IOT, Microsoft, MSFT, NTSC, Opel, Privacy

« Older Entries Recent Entries »

Bach Seat

Tag Archive for Privacy

RIP Yahoo Messenger

Biometrics Hype

FBI’s facial recognition database

Don’t Know Much Security

Television Sells Your Viewing Habits

Related articles

Online Security in Era of Connected Cars

Meta