
Tech companies are leaving your private data unlocked online and there isn’t much you can do about it. (image: Flickr/ Maarten Van Damme)

SANTA ROSA, CALIF. — Chances are your private data has probably been available on the web for any random visitor to read. And you may not even be able to blame hackers or identity thieves for it.

Instead, somebody at a company that collected or handled your information — maybe a wireless carrier, maybe a software firm with a mailing list, maybe a political research firm trying to put you in one likely-voter box or another — may have left it vulnerable on their own. And this happens often enough for a security researcher to make finding these exposures his speciality.

What’s more, there’s really not much you can do about it short of becoming a digital hermit.

A boom in breaches

Chris Vickery, director of cyber risk research at Upguard Security, has a simple theory for why he keeps finding databases open.

“I would say convenience is probably the biggest reason,” Vickery said during an interview at a coffee shop in this Sonoma County city where he works remotely for his Mountain View, California employer. “It’s easier just to have it open to everybody.”

At best, he added, some hapless employee doesn’t think they left the data exposed or believes nobody will stumble upon their attempt to ease telecommuting.

The biggest such example Vickery has found to date was some 200 million voter-registration records that a Republican National Committee contractor left publicly accessible.

But the consequences of changing secure default settings in such cloud systems as Amazon’s (AMZN) AWS can go well beyond extra spam.

For example, the 13 million account credentials from the Mac-software firm Kromtech that Vickery found in 2015 could have been used to hack into other accounts “secured” with the same passwords.

The 6 million Verizon (VZ) wireless subscriber records Vickery found last month included some account passcodes that an attacker might have used to defeat two-step verification security that confirms strange logins with a one-time code texted to your phone.

(Verizon’s media division Oath owns Yahoo Finance.)

And the 87 million Mexican voting records he uncovered in 2016 could have been exploited by drug traffickers to compound the country’s plague of kidnappings and murders. Vickery recalled one immediate reaction: “You cannot let the cartels know about this.”

The 32-year-old’s work has won endorsements from other security researchers.

“Chris has been enormously effective at sniffing out exposed data left at risk in all sorts of obscure places,” said Troy Hunt, an Australian researcher who runs a data-breach index called Have I been pwned? that can reveal if your accounts have been exposed.

How to find a breach

Vickery said the easy part of his job is finding these databases, thanks to a searchable catalogue of publicly accessible devices called Shodan and automated scanning tools that can quickly detect databases left open.

“The amount of data that comes back isn’t a ton, but it happens at a very, very fast rate,” he said.

At no point, he said, does he engage in hacking or impersonation of a legitimate user.

“If you have a password or a username set up, I’m not going to go any further,” he said. “I don’t trick anything.”

If a search locates apparently sensitive data, he will download a sample to confirm that it represents material that should have stayed private. He usually doesn’t bother looking for his own info, but he has not been amused when he finds it — such as in a leaked voter-registration database in 2016.

“I looked myself up just to see if it was legit, and it was all my data,” he recalled. “I was pretty pissed.”

Then he will try to notify the affected company. That hasn’t always been easy. Kromtech, the maker of the often-scorned security app MacKeeper, didn’t respond to his queries until he posted about the problem on Reddit — though after securing the data, the firm hired him to blog about security issues.

Hunt, the Australian researcher, recently met even more egregious resistance when a British firm selling family discounts for things like theme parks blocked him and others on Twitter for tweeting about its lax security.

“I used to start at the bottom, calling the receptionist or something,” Vickery said. “Now I’ll start with the breached data and then find the CEO’s home number and call him at dinner. That usually gets a faster response.”

Unhelpful responses and an unhelpful law

But a response accepting his findings can still come seasoned with denial. Vickery advised against trusting the common excuse that only he saw the exposed data — many companies don’t keep the access records needed to prove that claim.

“They can say that plausibly because they’re not keeping logs,” he said.

Vickery said he has also received the occasional legal threat, despite making a point of not using hacking tools to sneak into sites.

“No law enforcement agency has ever even suggested that what I do is illegal,” he said.

But the 1986-vintage Computer Fraud and Abuse Act applies such a broad definition of online trespassing that a company could feasibly try to sue a researcher like Vickery.

A new bill, the Internet of Things (IoT) Cybersecurity Improvement Act of 2017, would exempt more security research from the CFAA as part of a larger tightening of security standards for internet-connected devices in government use. But this law’s vagaries have survived years of talk about reforming it.

Will another round of data-breach headlines change that? We’ll probably find out soon enough, Vickery said. While consumers are now better educated about the scope of the problem, companies keep making the same mistakes.

“I think things have gotten better in the past couple of years as far as awareness goes,” Vickery said. “But the number of breaches happening hasn’t decreased at all.”

Source: This article was published on yahoo.com by Rob Pegoraro


‘Surveillance is the business model of the internet,’ Berkman and Belfer fellow says

In the internet era, consumers seem increasingly resigned to giving up fundamental aspects of their privacy for convenience in using their phones and computers, and have grudgingly accepted that being monitored by corporations and even governments is just a fact of modern life.

In fact, internet users in the United States have fewer privacy protections than those in other countries. In April, Congress voted to allow internet service providers to collect and sell their customers’ browsing data. By contrast, the European Union hit Google this summer with a $2.7 billion antitrust fine.

To assess the internet landscape, the Gazette interviewed cybersecurity expert Bruce Schneier, a fellow with the Berkman Klein Center for Internet & Society and the Belfer Center for Science and International Affairs at Harvard Kennedy School. Schneier talked about government and corporate surveillance, and about what concerned users can do to protect their privacy.

GAZETTE: After whistleblower Edward Snowden’s revelations concerning the National Security Agency’s (NSA) mass surveillance operation in 2013, how much has the government landscape in this field changed?

SCHNEIER: Snowden’s revelations made people aware of what was happening, but little changed as a result. The USA Freedom Act resulted in some minor changes in one particular government data-collection program. The NSA’s data collection hasn’t changed; the laws limiting what the NSA can do haven’t changed; the technology that permits them to do it hasn’t changed. It’s pretty much the same.

GAZETTE: Should consumers be alarmed by this?

SCHNEIER: People should be alarmed, both as consumers and as citizens. But today, what we care about is very dependent on what is in the news at the moment, and right now surveillance is not in the news. It was not an issue in the 2016 election, and by and large isn’t something that legislators are willing to make a stand on. Snowden told his story, Congress passed a new law in response, and people moved on.

Graphic by Rebecca Coleman/Harvard Staff

GAZETTE: What about corporate surveillance? How pervasive is it?

SCHNEIER: Surveillance is the business model of the internet. Everyone is under constant surveillance by many companies, ranging from social networks like Facebook to cellphone providers. This data is collected, compiled, analyzed, and used to try to sell us stuff. Personalized advertising is how these companies make money, and is why so much of the internet is free to users. We’re the product, not the customer.

GAZETTE: Should they be stopped?

SCHNEIER: That’s a philosophical question. Personally, I think that in many cases the answer is yes. It’s a question of how much manipulation we allow in our society. Right now, the answer is basically anything goes. It wasn’t always this way. In the 1970s, Congress passed a law to make a particular form of subliminal advertising illegal because it was believed to be morally wrong. That advertising technique is child’s play compared to the kind of personalized manipulation that companies do today. The legal question is whether this kind of cyber-manipulation is an unfair and deceptive business practice, and, if so, can the Federal Trade Commission step in and prohibit a lot of these practices.

GAZETTE: Why doesn’t the commission do that? Why is this intrusion happening, and nobody does anything about it?

SCHNEIER: We’re living in a world of low government effectiveness, and there the prevailing neo-liberal idea is that companies should be free to do what they want. Our system is optimized for companies that do everything that is legal to maximize profits, with little nod to morality. Shoshana Zuboff, professor at the Harvard Business School, invented the term “surveillance capitalism” to describe what’s happening. It’s very profitable, and it feeds off the natural property of computers to produce data about what they are doing. For example, cellphones need to know where everyone is so they can deliver phone calls. As a result, they are ubiquitous surveillance devices beyond the wildest dreams of Cold War East Germany.

GAZETTE: But Google and Facebook face more restrictions in Europe than in the United States. Why is that?

SCHNEIER: Europe has more stringent privacy regulations than the United States. In general, Americans tend to mistrust government and trust corporations. Europeans tend to trust government and mistrust corporations. The result is that there are more controls over government surveillance in the U.S. than in Europe. On the other hand, Europe constrains its corporations to a much greater degree than the U.S. does. U.S. law has a hands-off way of treating internet companies. Computerized systems, for example, are exempt from many normal product-liability laws. This was originally done out of the fear of stifling innovation.


GAZETTE: It seems that U.S. customers are resigned to the idea of giving up their privacy in exchange for using Google and Facebook for free. What’s your view on this?

SCHNEIER: The survey data is mixed. Consumers are concerned about their privacy and don’t like companies knowing their intimate secrets. But they feel powerless and are often resigned to the privacy invasions because they don’t have any real choice. People need to own credit cards, carry cellphones, and have email addresses and social media accounts. That’s what it takes to be a fully functioning human being in the early 21st century. This is why we need the government to step in.

GAZETTE: You’re one of the most well-known cybersecurity experts in the world. What do you do to protect your privacy online?

SCHNEIER: I don’t have any secret techniques. I do the same things everyone else does, and I make the same tradeoffs that everybody else does. I bank online. I shop online. I carry a cellphone, and it’s always turned on. I use credit cards and have airline frequent flier accounts. Perhaps the weirdest thing about my internet behavior is that I’m not on any social media platforms. That might make me a freak, but honestly it’s good for my productivity. In general, security experts aren’t paranoid; we just have a better understanding of the trade-offs we’re doing. Like everybody else, we regularly give up privacy for convenience. We just do it knowingly and consciously.

GAZETTE: What else do you do to protect your privacy online? Do you use encryption for your email?

SCHNEIER: I have come to the conclusion that email is fundamentally insecurable. If I want to have a secure online conversation, I use an encrypted chat application like Signal. By and large, email security is out of our control. For example, I don’t use Gmail because I don’t want Google having all my email. But last time I checked, Google has half of my email because you all use Gmail.

GAZETTE: What does Google know about you?

SCHNEIER: Google’s not saying because they know it would freak people out. But think about it, Google knows quite a lot about all of us. No one ever lies to a search engine. I used to say that Google knows more about me than my wife does, but that doesn’t go far enough. Google knows me even better, because Google has perfect memory in a way that people don’t.

GAZETTE: Is Google the “Big Brother?”

SCHNEIER: “Big Brother” in the Orwellian sense meant big government. That’s not Google, and that’s not even the NSA. What we have is many “Little Brothers”: Google, Facebook, Verizon, etc. They have enormous amounts of data on everybody, and they want to monetize it. They don’t want to respect your privacy.

GAZETTE: In your book “Data and Goliath: The Hidden Battles to Collect Your Data and Control Your World,” you recommend a few strategies for people to protect their privacy online. Which one is the most effective?

SCHNEIER: Unfortunately, we live in a world where most of our data is out of our control. It’s in the cloud, stored by companies that may not have our best interests at heart. So, while there are technical strategies people can employ to protect their privacy, they’re mostly around the edges. The best recommendation I have for people is to get involved in the political process. The best thing we can do as consumers and citizens is to make this a political issue. Force our legislators to change the rules.

Opting out doesn’t work. It’s nonsense to tell people not to carry a credit card or not to have an email address. And “buyer beware” is putting too much onus on the individual. People don’t test their food for pathogens or their airlines for safety. The government does it. But the government has failed in protecting consumers from internet companies and social media giants. But this will come around. The only effective way to control big corporations is through big government. My hope is that technologists also get involved in the political process — in government, in think-tanks, universities, and so on. That’s where the real change will happen. I tend to be short-term pessimistic and long-term optimistic. I don’t think this will do society in. This is not the first time we’ve seen technological changes that threaten to undermine society, and it won’t be the last.

This interview has been edited for length and clarity.

Source: This article was published on news.harvard.edu by Liz Mineo


I just googled “alarm dust,” “alibi sweatshirt,” and “sleuth intelligence.” Then I shopped for industrial dehydrators, scanned a Pinterest page for concrete decks, and read something about nuclear war.

The thing is, I’m not in the market for a new dehydrator. Concrete decks aren’t really my style, and I still have no idea what “alarm dust” is. I didn’t visit any of these web sites of my own volition—a website called Internet Noise did, all to obscure my real browsing habits in a fog of fake search history.

Yesterday, the House of Representatives voted to let internet service providers sell your browsing data on the open market. This decision angered a lot of people, including programmer Dan Schultz. After reading about the vote on Twitter at 1 AM, he turned off Zelda and coded this ghost currently opening tabs on my machine.

Internet Noise acts like a browser extension but is really just a website that auto-opens tabs based on random Google searches. Schultz isn’t a hacker but a concerned do-gooder trying to get Americans to understand how much their online privacy is at risk. “I cannot function in civil society in 2017 without an internet connection, and I have to go through an ISP to do that,” he says.

To counter that threat, Schultz wants to make it impossible for ISPs or anyone they’ve sold your data to accurately profile you. The vote yesterday implicitly legalized such tracking by explicitly rescinding rules against it. By muddying your online identity, advertisers can’t accurately target you, and authorities can’t accurately surveil you. To create noise that blocks your signal, Schultz googled “Top 4,000 nouns” and folded the list into his code. When you hit the “Make some noise” button on his site, it harnesses Google’s “I’m Feeling Lucky” button to search those phrases, then opens five tabs based on the results. Every ten seconds it does another search and opens up five more. Within minutes, my entire browser history was a jumble. Internet Noise will keep going until you hit the “STOP THE NOISE!” button. Schultz envisions you running this while you sleep.

This is a snapshot of my browsing history a minute after running Internet Noise.

This signal-jamming offers just one modest example of the larger theory of obfuscation, the idea that if you can’t disappear online, at least you can hide yourself in a miasma of noise. Adnauseam.io is a plug-in currently banned by Google that works in a similar way, except that instead of just opening pages and jamming your history, it actually clicks on random ads. In the process, it directly targets the ad model that underpins so much of the internet, and it can be pretty effective. I am not building a deck or in the market for a manual regenerative hydrator, but now that Internet Noise has searched for those things, ads for both will likely appear in my Facebook feed, and I’m cool with that. Internet Noise tries to throw them off my trail by creating a fake path to follow. That’s the key to successful signal-jamming: You can’t just generate random sounds. You have to generate a second song.

Risks and Limitations

What if it’s not an advertiser looking at your web data, though, but a spy agency or some other authority drawing conclusions about your browsing? From my test run, someone might conclude something causal between my googling of industrial equipment, chemical companies, nuclear proliferation, sleuth intelligence, and cancer. Sketchy! Schultz himself hasn’t evaluated all 4,000 search words (and the 16,000,000 results their two-word combinations can generate) [1] to determine whether they might raise red flags for anyone spying on my habits.

But I can take some comfort in the fact that right now, Schultz’s site isn’t that effective at truly jamming my signal. It’s actually too random. It doesn’t linger on sites very long, nor does it revisit them. In other words, it doesn’t really look human, and smart-enough tracking algorithms likely know that.
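The point that machine-paced, never-repeating visits are distinguishable from human browsing can be made concrete with a small log check. The following is an added example, not code from the article or from the Internet Noise project; the two histories are constructed, and the burst, timing and revisit thresholds are assumptions chosen for illustration.

```python
"""Heuristic check of whether a browsing history looks like generated noise
(five tabs every ten seconds, no revisits) rather than a human session."""
from collections import Counter
from datetime import datetime
from statistics import pstdev
from urllib.parse import urlparse

# Constructed sample histories (not real browsing data): "timestamp<TAB>url".
# The noise sample mimics the article's description: five tabs every ten seconds.
NOISE_HISTORY = """\
2017-03-29T01:00:00\thttps://example-a.com/alarm-dust
2017-03-29T01:00:00\thttps://example-b.com/alibi-sweatshirt
2017-03-29T01:00:00\thttps://example-c.com/sleuth-intelligence
2017-03-29T01:00:00\thttps://example-d.com/industrial-dehydrators
2017-03-29T01:00:00\thttps://example-e.com/concrete-decks
2017-03-29T01:00:10\thttps://example-f.com/nuclear-war
2017-03-29T01:00:10\thttps://example-g.com/chemical-companies
2017-03-29T01:00:10\thttps://example-h.com/cancer
2017-03-29T01:00:10\thttps://example-i.com/proliferation
2017-03-29T01:00:10\thttps://example-j.com/hydrator
2017-03-29T01:00:20\thttps://example-k.com/one
2017-03-29T01:00:20\thttps://example-l.com/two
2017-03-29T01:00:20\thttps://example-m.com/three
2017-03-29T01:00:20\thttps://example-n.com/four
2017-03-29T01:00:20\thttps://example-o.com/five
"""

# A constructed human-looking session: irregular gaps, pages revisited.
HUMAN_HISTORY = """\
2017-03-29T08:02:11\thttps://news.example.org/
2017-03-29T08:05:47\thttps://news.example.org/story/123
2017-03-29T08:19:03\thttps://mail.example.com/inbox
2017-03-29T08:21:30\thttps://news.example.org/story/124
2017-03-29T09:10:55\thttps://shop.example.com/dehydrators
2017-03-29T09:14:02\thttps://shop.example.com/cart
2017-03-29T09:40:18\thttps://mail.example.com/inbox
"""


def parse_history(text):
    """Return a time-sorted list of (datetime, hostname) from tab-separated lines."""
    visits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, url = line.split("\t", 1)
        visits.append((datetime.fromisoformat(stamp), urlparse(url).hostname))
    return sorted(visits)


def burst_profile(visits):
    """Group visits that share a timestamp into bursts.

    Returns (burst sizes in time order, seconds between consecutive bursts)."""
    bursts = Counter(stamp for stamp, _ in visits)
    stamps = sorted(bursts)
    sizes = [bursts[s] for s in stamps]
    gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
    return sizes, gaps


def revisit_rate(visits):
    """Fraction of visits that return to a host already seen in the session."""
    if not visits:
        return 0.0
    unique_hosts = len({host for _, host in visits})
    return 1 - unique_hosts / len(visits)


def looks_like_noise(visits, min_bursts=3, max_gap_jitter=1.0, max_revisit=0.05):
    """Flag a session as generated noise when it is machine-paced and never repeats.

    Thresholds are assumptions for this example, not published values:
    at least `min_bursts` bursts of simultaneous page loads, inter-burst gaps
    whose standard deviation is at most `max_gap_jitter` seconds, and a
    revisit rate no higher than `max_revisit`."""
    sizes, gaps = burst_profile(visits)
    multi_bursts = [s for s in sizes if s > 1]
    if len(multi_bursts) < min_bursts or len(gaps) < 2:
        return False
    return pstdev(gaps) <= max_gap_jitter and revisit_rate(visits) <= max_revisit


if __name__ == "__main__":
    for label, text in (("noise", NOISE_HISTORY), ("human", HUMAN_HISTORY)):
        v = parse_history(text)
        print(label, burst_profile(v), round(revisit_rate(v), 2), looks_like_noise(v))
```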

“The main problem with these sorts of projects is that they rely on your being able to generate plausible activity more reliably than your adversaries,” says privacy expert Parker Higgins, formerly of the Electronic Frontier Foundation. “That’s a really hard problem.”

Schultz says the main point of Internet Noise for now is to raise awareness, though the open source project has the potential to evolve into a real privacy tool. People have already reached out to fix minor problems and suggest ways to make it more effective. In the meantime, anyone truly concerned about their privacy needs to stay savvy about the technical limitations of the tools they choose, including Internet Noise. “I fear that any of these cool hacks will give people a false sense of security,” says EFF privacy researcher Gennie Gebhart, who is working with her team to create a broad toolkit of how to protect yourself from ISP tracking. “There is no one click that will protect you from all the kinds of tracking.”

Not that privacy-minded programmers will stop trying. Internet Noise may be the first grassroots hack created in direct response to yesterday’s vote. But a sizable collection of similar tools offers a sobering reminder that companies were already tracking and selling your data. Geeks may not have the political clout to stop such infringements of online freedom, but they do have the advantages of speed and passion. As long as they have keyboards, internet fighters will try to drown out Washington with the roar of their code.

[1] Updated to include how many different search results the noun combinations could generate.

Source: This article was published on wired.com by Emily Dreyfuss

An unusually sophisticated identity phishing campaign appeared to target Google's roughly 1 billion Gmail users worldwide, seeking to gain control of their entire email histories and spread itself to all of their contacts, Google confirmed Wednesday.
 
The worm — which arrived in users' inboxes posing as an email from a trusted contact — asked users to check out an attached "Google Docs," or GDocs, file. Clicking on the link took them to a real Google security page, where users were asked to give permission for the fake app, posing as GDocs, to manage users' email account.
To make matters worse, the worm also sent itself out to all of the affected users' contacts — Gmail or otherwise — reproducing itself hundreds of times any time a single user fell for it.
The strategy is a common one, but the worm that was released Wednesday caused havoc for millions of users because of its unusually sophisticated construction: Not only did the malicious link look remarkably realistic and trustworthy, but the email that delivered it also appeared to come from someone users already know — and the payload manipulated Google's real login system.
 
Google said it had "disabled" the malicious accounts and pushed updates to all users. The vulnerability was exposed for only about one hour, and a spokesperson told NBC News on Wednesday night that it affected "fewer than 0.1 percent of Gmail users" — which would still be about 1 million.
 
"While contact information was accessed and used by the campaign, our investigations show that no other data was exposed," the spokesperson said.
 
It could have been a potential calamity for unsuspecting victims: With control of your Gmail account, scammers can harvest any personal data you've ever sent or received in an email. That can allow them to generate password-reset requests on scores of other services, potentially letting the hackers take over, for example, your Amazon, Facebook or online bank accounts.
One widely shared tweet warned: "Phishing (or malware) Google Doc links that appear to come from people you may know are going around. DELETE THE EMAIL. DON'T CLICK."

Employees and others connected to large companies, especially educational institutions and journalism organizations, began flooding social media about 2:30 p.m. ET reporting that they'd received the malicious email.

Another: "Be careful, Twitter people with Gmail accounts! Do not click on the 'doc share' box. It's a solid attempt at phishing."

What you can do

While the malicious email was a dead ringer for a real message from a trusted friend, there was one key giveaway: The mail was sent to a fake email address at mailinator.com in the main recipient field. Users' addresses were included in the BCC field.
 
If you received a Gmail message with the mailinator.com address as the main recipient, report it as phishing by clicking the down arrow beside the reply button and selecting "Report phishing." Then delete it.
 
If you do click on the malicious link, don't grant permission when the fake GDocs app asks for it.
 
If, unfortunately, you fell for the scam and granted permission to the hackers, go to your Google connected sites console and immediately revoke access to "Google Docs." (If you don't trust the embedded link here — which is generally a good thing — you can manually type the address into your browser: https://myaccount.google.com/security?pli=1#connectedapps)
 
While you're at it, it's a good idea to revoke permission for any app listed there that you don't recognize.
 
Finally, change your Google password.
 
Source: This article was published on cnbc.com by Alex Johnson

It looks like security researchers have reached an important milestone in the ongoing war against malware. A new search engine has been revealed which can be used to sniff out malware command-and-control servers around the world. Under the Malware Hunter banner – not to be confused with the Malware Hunter software – this search engine looks to bring malware distribution to a halt in the near future.

MALWARE HUNTER IS A POWERFUL TOOL

It is not hard to see why security researchers around the globe are quite excited about the Malware Hunter search engine. Having a viable solution to discover command-and-control servers will prove useful when it comes to thwarting malware and ransomware attacks in the future. The tool is created by Shodan and Recorded Future, who are trying to become industry leaders in the fight against global cybercrime.

The way Malware Hunter works is as follows: it uses search bots crawling the Internet for computers configured to act as a command-and-control server. It remains unclear if this will yield a lot of positive results, though, as C&C servers may very well reside on the darknet for all we know. Moreover, not every server will easily give up its location either, which could prove to be quite problematic.

The Malware Hunter search engine comes with a feature that will trick these servers into giving up their location, though. To be more specific, the search engine will pretend to be an infected computer reporting back to the server in question. Assuming the server will acknowledge the request and respond, the search engine will log its IP and update the Shodan interface in real time. This provides researchers with invaluable information when it comes to locating these servers and shutting them down as quickly as possible.

What makes the search engine so powerful is how it is capable of probing virtually every IP address on the Internet today. This means the algorithm is constantly looking for new computers that may act as a malware command-and-control server. Quite an intriguing development, as it should reduce the amount of time during which malware remains a problem.

In most cases, once the C&C server is shut down, the malware will no longer cause harm. Then again, some newer types of malware have shown a way to remain a big threat even when they fail to communicate with the central server. It remains unclear if Malware Hunter will be capable of doing anything about these attacks as well. For now, this search engine is a big step in the right direction, though.

It is important to note Malware Hunter is capable of identifying several dozen C&C servers used for Remote Access Trojans. Given the recent surge in Remote Access Trojan distribution, this is quite a positive development, to say the least. The team is hopeful Malware Hunter will detect other major threats in the future, including botnets, cryptominers, and backdoor trojans.

Source: This article was published on themerkle.com by JP Buntinx


I’m very privacy-minded. I’ve written quite frequently about securing your browser and network on the Mac. I figure it’s about time to give the iPhone some loving, since there are a number of ways to make sure you have a good experience browsing while keeping things private. Let’s look at some of the methods for doing that and I’ll give you my not-so-humble opinion about which one is best.

If you want to lock up your Internet security and privacy, is a Tor browser really the answer? (Image Credit: HypnoArt)

First Things First, Secure Your Network

Before you do anything else, you should make sure your network is secure. This even applies to your cellular network, so you might wonder what you can do about it. One important step is to use a Virtual Private Network, or VPN.

There are plenty of commercial VPNs out there. You could go with TunnelBear, for one, or Astrill VPN. You might also choose to set up your own private VPN for your personal use.

Next, Think About a Tor Browser

If you don’t already know about it, the Tor browser is built from the ground up to anonymize your browsing experience. Tor directs Internet traffic through a worldwide, free volunteer network consisting of more than seven thousand relays. It will conceal a user’s location and usage from anyone conducting network surveillance or traffic analysis. There are plenty of iOS Tor clients out there, so let’s cover a few of them.

The one thing you’ll need to bear in mind about Tor browsers is that it’s pretty common for major internet sites to blacklist them, forcing you to endure Captchas to no end. From most of my research, including a rare answer from Stack Exchange itself, this is because of the wide variety of nefarious individuals who use Tor to mask themselves as they carry out dastardly deeds on the internet. StackExchange referred to them as “spammers, trolls and psychopaths.”

Black Mesh, a VPN That Redirects You to Tor

The first one isn’t a browser at all, but one that changes settings in your iPhone so that your internet traffic redirects through the Tor network. This is a decent option, but it’s notably slower than my own VPN. I’d give this a three out of five; it does what it’s supposed to, but remarkably slower than most of us would like. To make matters worse, Mr. Whoer reports that the IP address I get through Black Mesh is infected with a Trojan. Black Mesh is available for $1.99 on the App Store.

Red Onion Tor Browser

Red Onion gets its name because Tor was originally an acronym for “The Onion Router.” It redirects your internet browsing through the Tor network, and automatically cleans up cookies when you exit the app. You can also protect your browser with a password or Touch ID, so you don’t have to worry so much about your privacy being invaded through physical access to your device. It’s not perfect, though. Red Onion defaults to use Bing as its search engine, and Google won’t work through the browser at all, in my experience. Also, when you tap inside the address field, it doesn’t highlight the text. This one, too, is blacklisted, according to Mr. Whoer. Red Onion is a 3.5 out of five, in my opinion. The app costs $1.99 on the App Store.

Secret Secure Web Browser

I’ll just call this one the Purple Onion Browser, even though a number of Tor clients have a purple icon. This is another option, and is a bit more feature-rich than some other Tor browsers. It defaults to DuckDuckGo for its search engine, which is good, and allows you to quickly change your identity, if you need to. Secret Secure Web Browser seems a bit faster than other options, but still not as quick as connecting through my VPN and using Safari. Yet again, another Tor browser that shows being infected with some sort of Trojan, and thus blacklisted. Secret Secure Web Browser is, in my estimation, a four out of five. If you want to try it out, this app is free on the App Store.

My Verdict

I’ve tried a number of other Tor browser clients, and the experience was always the same. Browsing was fine, but slow. For my own purposes, I’m going to stick with my VPN connection and use DuckDuckGo for my search engine. That prevents both my internet service provider from tracking me, as well as my search engine. That’s private enough, don’t you think?

This article was published in macobserver.com by Jeff Butts

Categorized in Internet Privacy

For anyone who is really concerned about keeping their thoughts private there is only one piece of reliable technology: write with a pen on paper, and burn what you’ve written when you’re done. For the rest of us, who want to get things done, there is an inevitable trade-off which we still don’t entirely understand. We now carry with us everywhere devices that give us access to all the world’s information, but they can also offer almost all the world vast quantities of information about us. The sense of personal integrity and boundaries that seems self-evident is actually the product of particular social arrangements which are profoundly affected by technology even though it doesn’t determine them. Technological change could move us towards our better selves or our worse ones, but things can’t stay as they are.

To go online is to descend into a world as transparent as an aquarium – and this aquarium is full of sharks. The newly discovered vulnerability in WhatsApp’s procedures is only the latest in an apparently unending succession of moments of unintended transparency.

It would be a mistake to see these problems as primarily technological because that would suggest that their solutions would be technological, too. In fact, the preservation of personal privacy and collective security online is a political and social task as much as it is one for the very few experts who understand the ramifications of mathematical magics like public key cryptography. Technological solutions will only work within a legal and political context, and the real threats to privacy come not from vulnerable widgets but weak laws, careless users and feeble oversight. The WhatsApp encryption scheme is proof against anyone who does not control or threaten the company’s own networks, which is something only a government could do. But sufficiently ruthless governments would not hesitate to do so if they had the opportunity. And against sufficient ruthlessness and physical power, technology is ultimately no defence. Although we can use schemes of encryption that are mathematically impossible to crack, so long as the password is known to anyone it can be tricked or even tortured from its holder.

Adding to this problem is the increasingly permeable border between state and non-state actors. When the FBI could not crack the iPhone used in the San Bernardino shootings, it turned to a private firm in Israel, which could. But that company has in turn now been hacked, and meanwhile many of the devices designed for use by law enforcement, which can suck all the information out of a captured mobile phone, can now be bought freely over the internet by any private company – or mafia outfit.

These threats can seem very distant. It’s easy to suppose that you will never come to the attention of a hostile state apparatus. On the other hand, the commercially motivated attacks on privacy pervade the whole of the internet, and in fact fund most of it today. Websites routinely collect as much information as they can about the users and then sell it on to data brokers for use in personally targeted advertising campaigns. Facebook (which, incidentally, owns WhatsApp) has built its entire titanic empire on this trade. Even when this data is anonymised, the protection is leaky, and in any case, someone who knows everything about you except your name is in a much stronger position than one who knows your name but nothing else.

But the real danger comes when these two kinds of loss of privacy combine so that the knowledge gained for commercial ends is used for political manipulation too. It is in the interests of advertisers to short-circuit rational thought and careful consideration, but it is even more in the interests of demagogues to do so. Against this we must rely on moral and intellectual defences much more than the supposed magic of advanced technology.

Source: theguardian.com

Categorized in Internet Privacy

Internet privacy was once again thrust into the limelight recently when President Donald Trump signed a bill that would allow internet service providers to sell your browsing history to third parties like advertisers.

As much as the news rekindled concerns around internet privacy, little has actually changed. The signed bill is generally keeping things as they are. The outrage comes from the fact that the bill is rolling back an Obama-era measure to prevent ISPs from tracking and selling your browsing history, which didn't have time to take effect before he left office.

Still, some of you may be looking for ways to browse the web privately, and one of the most prominent solutions is to use a virtual private network, or VPN, which cloaks your online activity.

Here's what VPNs are, what they do, and what to look out for if you're an average person using the internet.

A VPN essentially hides your internet activity from your internet service provider, which means it has nothing to sell to third parties.

If the internet is an open highway, VPNs act like a tunnel that hides your internet traffic. The VPN encrypts your internet traffic into a garbled mess of numbers that can't be deciphered by your ISP or a third party. 

Most VPNs also hide identifying details about your computer from ISPs.

Every connection to your ISP's network has a public IP address, which looks like a series of numbers. Your ISP assigns that address, so it can see which websites the address exchanges traffic with, and when. (Devices behind a home router usually share one public address; the ISP sees the router's address, not each device's.)

Without an IP address, your devices wouldn't be able to communicate with the websites you want to look at, and you wouldn't be able to browse the internet.

VPN services hide the IP addresses on the devices you use with the VPN and replace them with IP addresses from one of their servers, which can be located anywhere in the world. So if you're in the US but are connected to a VPN server in Europe, ISPs will see the VPN's European server's IP address instead of your device's.

Can't ISPs track my browsing history through the VPN's IP address?

They could if you were the only user on that VPN server. But several users are usually using the same VPN IP address, so they can't determine whether a browsing history belongs to you, specifically. It's like searching for a needle in a stack of needles.
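The tunnelling and shared-egress points above, as an added example that is not from the article: a toy Python model of the two vantage points, the access ISP and the visited site. Everything in it is constructed: the addresses (RFC 5737 documentation ranges), the key, the packets, and the SHA-256 counter keystream that stands in for the real tunnel cipher (a real VPN uses an authenticated cipher such as AES-GCM or ChaCha20-Poly1305 under a negotiated key, never a hand-rolled keystream). It also models one failure mode the article does not cover: if the device still sends DNS queries straight to the ISP's resolver instead of through the tunnel, the ISP learns the hostnames anyway.

```python
"""Added illustration of what an access ISP and a visited website can each log,
with and without a VPN tunnel. Not code from the article. All addresses, keys and
packets are constructed; the keystream 'cipher' is a stand-in, not a real one."""
import hashlib
from collections import Counter
from dataclasses import dataclass

VPN_SERVER = "203.0.113.10"              # constructed VPN egress address
ISP_RESOLVER = "198.51.100.53"           # constructed ISP DNS resolver
TUNNEL_KEY = b"example-only-tunnel-key"  # constructed; a real tunnel negotiates this


@dataclass
class Packet:
    src: str
    dst: str
    payload: bytes


def _keystream(key: bytes, nonce: int, length: int) -> bytes:
    """Toy SHA-256 counter-mode keystream. Illustration only, not a real cipher."""
    out, block = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce.to_bytes(8, "big") + block.to_bytes(4, "big")).digest()
        block += 1
    return out[:length]


def encapsulate(inner: Packet, nonce: int) -> Packet:
    """Client side: hide the real packet inside an encrypted packet addressed to the VPN server."""
    plaintext = inner.dst.encode() + b"|" + inner.payload
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(TUNNEL_KEY, nonce, len(plaintext))))
    return Packet(src=inner.src, dst=VPN_SERVER, payload=nonce.to_bytes(8, "big") + ct)


def decapsulate(outer: Packet) -> Packet:
    """VPN server side: unwrap and forward the inner packet from the VPN's own address."""
    nonce, ct = int.from_bytes(outer.payload[:8], "big"), outer.payload[8:]
    pt = bytes(a ^ b for a, b in zip(ct, _keystream(TUNNEL_KEY, nonce, len(ct))))
    dst, payload = pt.split(b"|", 1)
    return Packet(src=VPN_SERVER, dst=dst.decode(), payload=payload)


def isp_view(packets):
    """What the access ISP can log from the packets it carries: every destination
    address, plus hostnames visible in cleartext (HTTP Host headers, plain DNS).
    Packet sizes and timing are always visible too; they are not modelled here."""
    destinations = Counter(p.dst for p in packets)
    hostnames = set()
    for p in packets:
        for line in p.payload.split(b"\r\n"):
            if line.lower().startswith(b"host: "):
                hostnames.add(line[6:].decode(errors="replace"))
            elif line.startswith(b"DNS? "):          # constructed stand-in for a DNS query
                hostnames.add(line[5:].decode(errors="replace"))
    return {"destinations": dict(destinations), "hostnames": sorted(hostnames)}


def website_view(packets):
    """What a visited site sees: the source address of each packet that reaches it."""
    return dict(Counter(p.src for p in packets))


def build_scenario():
    """Two constructed users: Alice browses direct; Bob browses through the VPN but
    (a common misconfiguration) sends his DNS lookups outside the tunnel."""
    alice, bob, site = "192.0.2.11", "192.0.2.22", "203.0.113.80"
    alice_pkts = [Packet(alice, site, b"GET / HTTP/1.1\r\nHost: news.example\r\n\r\n")]
    bob_inner = [Packet(bob, site, b"GET / HTTP/1.1\r\nHost: bank.example\r\n\r\n")]
    bob_tunnelled = [encapsulate(p, nonce=i) for i, p in enumerate(bob_inner)]
    bob_dns_leak = [Packet(bob, ISP_RESOLVER, b"DNS? bank.example")]
    isp_alice = isp_view(alice_pkts)                   # real destination and hostname
    isp_bob = isp_view(bob_tunnelled + bob_dns_leak)   # only the VPN address... but DNS leaks the host
    isp_bob_fixed = isp_view(bob_tunnelled)            # DNS also sent through the tunnel
    site_log = website_view(alice_pkts + [decapsulate(p) for p in bob_tunnelled])
    return isp_alice, isp_bob, isp_bob_fixed, site_log


if __name__ == "__main__":
    for label, view in zip(("ISP/Alice", "ISP/Bob (DNS leak)", "ISP/Bob (fixed)", "site log"), build_scenario()):
        print(label, view)
```

The site log shows Alice's real address but only the VPN's address for Bob, which is the shared-egress effect the article describes: many users behind one address. The ISP still sees that Bob talks to a VPN server, how much and when; only the destinations and contents are hidden, and only if every flow, DNS included, actually goes through the tunnel. A practical check is to confirm that the resolver your system uses is reached via the VPN interface and not the ISP's own.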

VPN services aren't perfect.

By using a VPN, you're still switching the trust of your privacy from your ISP to your VPN service. With that in mind, you need to make sure the VPN you use is trustworthy and doesn't store logs of your browsing history.

Certain VPN services say they don't log your browsing activity while you're connected to their servers. If that is true, there is nothing for a court order, a subpoena or a breach of the provider to retrieve retroactively. Keep in mind that a no-logging claim cannot be verified from the outside; you are taking the provider's word for it, which is exactly the trust you are moving away from your ISP.

For an extra layer of protection, choose a VPN whose servers are based outside the US. That protects against the possibility of legal entities in the US trying to access your browsing history through court orders.

They can slow down your internet speed.

The "internet" travels incredibly quickly around the world, but it's still bound by the laws of physics.

Since VPN services reroute your internet traffic through one of their servers somewhere around the globe, your internet speed could be reduced. They essentially make your internet traffic take a longer route than it usually would, which means things can take longer to load.

The further away the VPN server is from your location, the longer the distance your internet traffic has to travel, which can end up in slower internet speeds. 

Most free VPN services may not be enough to protect your privacy.

Many free VPN services simply hide your IP address and don't encrypt your data, and it's the encryption part that protects your privacy more thoroughly. A free service also has to be paid for somehow; some fund themselves by logging and selling the very traffic you are trying to hide.

You have to pay extra for privacy.

Paying extra for a premium VPN service on top of your internet bill so you can browse privately isn't very appealing. 

Should you get a VPN?

By getting a VPN in light of the recent events, you're preventing your ISP from tracking your activity and selling your browsing history to a third party to make more money out of your subscription. 

Some people don't want their browsing history to be seen by ISPs, nor do they want it to be sold to advertisers, even if it isn't tied to you personally. Some ISPs have said they value their customers' privacy and don't track their activity, but some of their language surrounding this subject can be vague.

Secondly, it seems fair to be recompensed for providing, albeit involuntarily, your precious browsing histories, as advertisers covet them to find out what you're interested in and show you targeted ads. If my ISP is making money out of selling my browsing history, I'd expect my monthly internet bill to be reduced, as I'm technically providing my ISP a service by browsing the web and exposing my interests. 

The likelihood of this happening, however, is uncertain and perhaps unlikely considering it's now an ISP's "right" to sell your browsing history to third parties. There's no law out there that forces ISPs to compensate their customers for providing their browsing histories, so don't expect them to anytime soon.

In a way, you can't blame the ISPs.

ISPs can see which sites you're visiting, anyway, because they can tell what internet traffic is going through which IP address. From their point of view, they might as well make money out of it. There's certainly a market for browsing histories, and after all, a business is in the business of making money.

Still, not everyone is comfortable with having their activity tracked at all — or having to opt out versus opting in — even if they have a squeaky-clean, legal web-browsing history.

Author: Antonio Villas-Boas
Source: businessinsider.com

Categorized in Internet Privacy

Hiring a hacker could reveal security flaws in your organisation.

The global cost of cybercrime could reach £4.9 trillion annually by 2021, according to a recent report from Cybersecurity Ventures. Cyber crime incidents continue to plague organisations globally, even as businesses pour money into boosting their security. 

But how do businesses deal with vulnerabilities they cannot identify? It only takes one skilled attacker to find an unnoticed weakness and get access to your sensitive data and systems.

Organisations must identify the weaknesses in their cyber security, before -- not after -- they’re exploited by hackers. However, to beat a hacker you’ll need to think like one. Here’s how -- and why -- you should hire a hacker in 2017.

The stakes have never been so high 

State-sponsored hacking wreaked havoc in 2016 when Yahoo revealed that 1 billion accounts were compromised in the largest data breach in history. And as cyber crime becomes increasingly advanced, the threat hackers pose to businesses will only increase. 

Leave your organisation open to a data breach and it could cost you a massive £4.25m (on average). And that’s without considering the painful remediation and brand damage you’ll be subject to as a result. 

These attacks aren’t restricted to huge multinationals, the latest Government Security Breaches Survey found that 74% of small organisations reported a security breach in the past year. 

For any organisation, a security flaw passing undetected is a huge risk, and when GDPR hits in 2018 the stakes will only increase.    

The EU General Data Protection Regulation will come into force in 2018 and will govern how businesses handle customer data. Compliance won’t be easy, and the risk of non-compliance is massive, with potential £17million fines.

Big businesses aren’t safe from this, and they’ll need to boost their data security to ensure compliance. Tesco were recently lucky to escape a £1.9bn fine for a recent data breach. 

How hackers will boost your cyber security 

Not every hacker wants to attack your business and leak your sensitive data. There are hackers out there who are paid to protect, not provoke. 

Known as ‘white hat’ or ‘ethical hackers’, these security professionals strive to defend organisations from cyber criminals.   

They’re not your conventional dark web lurking delinquents. Ethical hackers are IT security experts -- trained in hacking techniques and tools -- hired to identify security vulnerabilities in computer systems and networks.   

According to ITJobsWatch, the average salary for an ethical hacker is £62,500. Considering the average cost of a data breach sits at £4.23m, that’s a small price to pay.  

Businesses and government organisations serious about IT security hire ethical hackers to probe and secure their networks, applications, and computer systems. 

But, unlike malicious ‘black hat’ hackers, ethical hackers will document your vulnerabilities and provide you with the knowledge you need to fix them.  

Organisations hire ethical hackers to conduct penetration tests: authorised, scoped attacks on your computer systems designed to find vulnerabilities before someone else does.   

To test their security, businesses often set goals or win states for penetration tests. This could include manipulating a customer record on your database, or getting access to an admin account –potentially disastrous situations if they were achieved by malicious hackers. 

Ethical hackers use the same techniques and tools as attackers. They might phish employees over email, scan your network for vulnerabilities or, where the engagement explicitly allows it, stress-test your servers to see how they cope with a denial-of-service attack. Every such activity is agreed in writing beforehand; a penetration test is only "safe" because its scope, targets and timing are authorised in advance.   

But instead of exploiting your business, ethical hackers will document security flaws and you’ll get actionable insight into how they can be fixed. It’s your responsibility to act on the ethical hacker’s guidance - this is where the hard work begins. 

Without these harmless penetration tests security holes remain unseen, leaving your organisation in a position that a malicious hacker could exploit.   

Not your typical dark web delinquents 

Thankfully, the days of hiring underground hackers and bartering with bitcoins are over. There’s now a rich pool of qualified security professionals to choose from, complete with formal ethical hacking certifications.   

Ethical hackers, or penetration testers, can be hired just like any other professional, but be certain to get tangible proof of your ethical hacker’s skills.   

Candidates with the CEH certification have proved they know how to use a wide range of hacking techniques and tools.     

What’s more, CEH certified professionals must submit to a criminal background check. These experts are committed to their profession and do not use their hacking knowledge maliciously. 

Despite the relative youth of the ethical hacking field, these professionals have already proved their worth to some of the largest businesses in the world. 

This year Facebook awarded a white hat hacker £32000 -- its largest ever bounty -- for reporting one ‘remote code execution flaw’ in their servers.   

That’s not the first time Facebook have paid out either. They’ve long supported the efficacy of bug bounties, having paid more than £4 million to ethical hackers since its program debuted in 2011. 

How to hire a hacker (legally) 

It’s important to understand what you actually want from your ethical hacker. Do this by creating a clear statement of expectations, provided by the organisation or an external auditor. 

Ethical hackers shouldn’t be hired to provide a broad overview of your policies, these professionals  are specialised experts with a deep knowledge of IT security. Instead, ask specific questions like “Do we need to review our web app security?” or “Do our systems require an external penetration test?” 

Before hiring an ethical hacker to conduct a penetration test, businesses should ensure an inventory of systems, people and information is on-hand.   

Instead of hiring, many organisations develop ethical hacking skills in their own businesses by up-skilling team members through ethical hacking courses, like EC-Council’s CEH or the more advanced ECSA.   

Your staff will get the skills they need to conduct ethical hacking activities on your own businesses, finding and fixing security flaws that only a hacker could find.   

Secure your business now 

Complex threats -- like rapid IoT expansion -- are set to dominate 2017. To defend your organisation in 2017, you’ll need to think like a hacker. 

Source : itproportal.com

Categorized in Internet Privacy

As government chisels away at internet privacy protections, researchers at the Massachusetts Institute of Technology and Stanford University have developed a system they say will give you more anonymity in cyberspace.

The catch: You’ll probably have to pay for it.

To start with, it’s important to remember that everything you type into an online service can be stored as data by the service that receives it, no matter what kind of web protection software you run on your own machine.

Sites like Google, Yelp, Kayak and others translate each request into a query, which gets stored in a database center.

With that in mind, the MIT-led research group has developed Splinter, a system that cuts the cord on that data flow without having to mask or delete the actual information.

Splinter lets a website answer a user's query without ever seeing the query itself. Each request is split into pieces that are sent to multiple database servers, each holding a copy of the data; every server answers its own piece, and the user's software combines the answers. As long as the servers do not collude, no single one of them learns what was asked, so there is nothing for the service to log about the person who made the request.

“Data is floating around everywhere, so if you have anything on the internet, anyone can learn about it at some point. That’s scary,” said Frank Wang, an MIT graduate student who helped develop Splinter. “Your internet service provider is learning about you, so [we said] ‘How can we leak the least amount of information?’" 
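The splitting idea described above, as an added example that is not code from the Splinter paper or its authors: Splinter itself uses function secret sharing across non-colluding providers; the Python below shows the same property with the simpler building block of additive secret sharing. The client turns its query into a 0/1 row-selection vector, splits that vector into two shares that each look uniformly random, and sends one share to each provider. Each provider computes a dot product with its copy of the data column and returns a number that is meaningless on its own. The flight table, the prices and the prime modulus are all constructed for this illustration.

```python
"""Added illustration of a private query split across two non-colluding providers
using additive secret sharing. Not Splinter's own code (Splinter uses function
secret sharing); the data below is constructed."""
import secrets

P = 2**61 - 1  # Mersenne prime; all share arithmetic is done modulo P

# Constructed data. The client knows the public index (route, date); only the
# two providers hold the price column, replicated identically at each.
KEYS = [("BOS-SFO", "2017-04-10"), ("BOS-SFO", "2017-04-11"),
        ("BOS-LAX", "2017-04-10"), ("JFK-SFO", "2017-04-10")]
PRICES = [312, 298, 355, 401]


def share_selection(selector):
    """Client: split a 0/1 row-selection vector into two additive shares.
    Each share on its own is uniformly random in Z_P, so a single provider
    learns nothing about which rows the client is interested in."""
    s1 = [secrets.randbelow(P) for _ in selector]
    s2 = [(sel - a) % P for sel, a in zip(selector, s1)]
    return s1, s2


def provider_answer(share, column=PRICES):
    """Provider: dot product of the received share with a numeric column.
    Both providers run exactly this; neither ever sees the selector."""
    return sum(s * v for s, v in zip(share, column)) % P


def reconstruct(answer1, answer2):
    """Client: the two partial answers add up to selector . column."""
    return (answer1 + answer2) % P


def private_sum(predicate):
    """SUM(price) over rows whose public key matches predicate, without
    revealing the predicate (or the matching rows) to either provider."""
    selector = [1 if predicate(k) else 0 for k in KEYS]
    s1, s2 = share_selection(selector)
    # In deployment s1 and s2 travel to two different, non-colluding providers.
    return reconstruct(provider_answer(s1), provider_answer(s2))


def private_count(predicate):
    """COUNT(*) over matching rows: the same trick with a column of ones."""
    ones = [1] * len(KEYS)
    selector = [1 if predicate(k) else 0 for k in KEYS]
    s1, s2 = share_selection(selector)
    return reconstruct(provider_answer(s1, ones), provider_answer(s2, ones))


def private_lookup(route, date):
    """Price of one specific flight, as the sum over the single matching row."""
    return private_sum(lambda k: k == (route, date))


def colluding_providers(s1, s2):
    """The security assumption, made explicit: if the two providers pool their
    shares, the selection vector (and so the query) is recovered exactly."""
    return [(a + b) % P for a, b in zip(s1, s2)]


if __name__ == "__main__":
    print("BOS-SFO on 2017-04-10:", private_lookup("BOS-SFO", "2017-04-10"))
    print("total price of flights on 2017-04-10:", private_sum(lambda k: k[1] == "2017-04-10"))
    print("number of BOS-SFO flights:", private_count(lambda k: k[0] == "BOS-SFO"))
```

The two design points worth noting are the cost, which is why Splinter's authors quote a per-query price (every provider touches the whole column for every query, so work grows with table size), and the trust model, which is different from a VPN or Tor: the user is not hiding from the network but from the services themselves, and privacy holds only while the providers do not share their pieces.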

Now, about that catch: Instead of relying on internet service providers to look out for your privacy, Splinter puts the power of protection into the hands of web services. The consumer cannot install the software. It's a system each company would have to incorporate into their own site.

Because consumers are demanding more privacy in their web browsing, they may be willing to pay for the privilege. And companies may be willing to satisfy that demand.

With Splinter, services could charge a nominal fee for queries, like maybe $5 a month. Wang said using Splinter costs a web service less than 2 cents per search.

"Web services could say, 'Hey, I charge you to [search for a flight], but I won't release any of that information or use your data,” Wang said. 

David O’Brien, a senior researcher at Harvard’s Berkman Center for Internet & Society, said the concept could open a window.

“It’s been discussed for years now and could be one alternative path,” he said. The problem, though, is that payment for privacy “hasn’t been supported by demand and maybe won’t ever be.”

But more people are demanding privacy, especially in the wake of both the House and Senate voting to repeal internet privacy protections adopted by the Federal Communications Commission during the Obama administration. That means that internet service providers like Comcast and AT&T would be able to share or sell information from a web user without that user’s permission.

Now more than ever, Wang said, "users are starting to care more about privacy, and the government is not regulating it as much as [people] wanted them to. So there’s an opportunity for web services to differentiate themselves and say, ‘We have a private offering.’” 

So what can you do, for free, to protect your privacy?

The best way to protect yourself is to practice abstinence, virtually, said David O’Brien of Harvard’s Berkman Center for Internet & Society.

“Unfortunately, the simplest answer is: Don’t use online services,” O’Brien said. “For most people, that doesn’t really fly. Short of that, a lot of services you can use obscure your identity online.”

Aside from that, O’Brien and MIT researcher Frank Wang suggested using Tor, a system that links your internet connection to multiple servers, placed all around the country or even the world. This means that when you go to a website like Google, it looks, to that website, “as if you’re coming from multiple different countries with each query you send.”

Another service, DuckDuckGo, is a search engine that promises not to track your queries.

Your browser's "Incognito" or private mode can be used alongside these tools for a bit more privacy on the device itself: it discards cookies and history when the window closes, which limits tracking between sessions. It does not hide your address from the sites you visit or from your ISP, and it doesn't prevent companies from recording the searches themselves.

In the end, O’Brien said, true privacy may be a dream. “It’s hard to be truly anonymous on the internet. It might even be impossible.”

Author : KRISTIN TOUSSAINT

Source : metro.us

Categorized in Internet Privacy
Association of Internet Research Specialists is the world's leading community for the Internet Research Specialist and provide a Unified Platform that delivers, Education, Training and Certification for Online Research.
