Category Archives: Privacy

Facebook gives Tor a huge boost

Tor (The Onion Router) is a software toolkit that can be used to make your Internet-based communication more secure. It’s been getting a lot more attention since the Snowden leaks, as most people are uncomfortable with the knowledge that the NSA is spying on everyone.

Of course, the NSA and its supporters characterize Tor as a tool for criminals and terrorists, but in fact it’s used by plenty of regular folks who just want some privacy on the ‘net. Certainly there are some people who use Tor to hide criminal activity, but those people also use telephones.

Note that if Tor is used improperly, it won’t completely hide your Internet activity. It also adds overhead to network communications, making browsing somewhat slower. Worse, many Internet-based services and sites now detect the use of Tor, and limit or block Tor connections. As a result, Tor has been falling out of favour lately.

Now Facebook, in a move that seems to have surprised everyone, has decided to back Tor in a big way. A version of Facebook is now available via Tor. This move has the potential to propel Tor into wider use, and sets a standard for the general acceptance of Tor by large service providers. Whether Facebook actually turns out to be the ‘killer app’ for Tor remains to be seen.

This month’s Ouch! newsletter: using the Cloud

In the wake of the recent exposure of supposedly private celebrity images comes this timely look at Cloud (web-based) storage (warning: PDF). The article covers all the basics, including what you should look for in a Cloud provider, and how to keep your Cloud-based data secure (hint: use a strong password). Recommended reading for anyone currently using or considering using the Cloud for data storage.

Home Depot: massive security breach

Brian Krebs reports on the most recent security breach at a major retailer. According to some reports, the breach started as far back as April 2014. There’s no direct evidence of a breach, but it looks like it’s only a matter of time before that changes, given the suspicious activity related to Home Depot being reported by financial institutions.

Update 2014Sep04: Details are starting to appear, and it looks like almost all Home Depot stores in the USA are affected.

Update 2014Sep19: Brian Krebs has additional details on the scale of the breach. According to Home Depot, as many as 56 million debit and credit card numbers were stolen.

Update 2014Nov08: As if this breach wasn’t already bad enough, apparently the attackers also stole as many as 53 million email addresses from Home Depot systems. Maybe this explains the recent uptick in spam email I’ve noticed.

Targeted iCloud accounts compromised

By now you’ve likely heard that dozens of celebrity accounts on Apple’s iCloud service were recently accessed by unscrupulous persons, and embarrassing photos from those accounts posted on various web sites.

This should serve as a reminder to everyone who uses web-based storage like iCloud that such services are extremely tempting targets for nefarious hackers.

In this case, the invader discovered that the ‘Find my Phone’ app had no protection against brute force (rapid, automated) login attempts. This was used, along with a list of common passwords, to learn the passwords of some targeted iCloud accounts, at which point all data stored on those accounts became available.
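As an added illustration (not code from the original post, and not Apple's actual fix), here is the kind of server-side check the app lacked: a per-account throttle that locks the account for a while after repeated failures, replayed against a constructed list of common guesses. The names AuthGuard, simulate and COMMON_GUESSES are hypothetical.

```python
from collections import defaultdict, deque

# Constructed sample of "common password" guesses; the real password sits at index 7.
COMMON_GUESSES = ["123456", "password", "qwerty", "abc123", "letmein",
                  "monkey", "iloveyou", "hunter2", "welcome", "dragon"]


class AuthGuard:
    """Per-account sliding-window failure counter with a temporary lockout.
    Hypothetical design for illustration only; a real service would also
    throttle per source address to blunt guessing spread across many accounts."""

    def __init__(self, max_attempts=5, window=60.0, lockout=300.0):
        self.max_attempts, self.window, self.lockout = max_attempts, window, lockout
        self._failures = defaultdict(deque)  # account -> timestamps of failed logins
        self._locked_until = {}              # account -> time when the lockout ends

    def is_locked(self, account, now):
        return now < self._locked_until.get(account, float("-inf"))

    def attempt(self, account, password_ok, now):
        """Record one login attempt at time `now`; return 'ok', 'denied' or 'locked'."""
        if self.is_locked(account, now):
            return "locked"          # refuse before the password is even checked
        if password_ok:
            self._failures.pop(account, None)
            return "ok"
        q = self._failures[account]
        while q and now - q[0] > self.window:   # forget failures outside the window
            q.popleft()
        q.append(now)
        if len(q) >= self.max_attempts:
            self._locked_until[account] = now + self.lockout
            self._failures.pop(account, None)
            return "locked"
        return "denied"


def simulate(guard, account, guesses, real_password, delay=0.5, start=0.0):
    """Replay a guess list `delay` seconds apart, as an automated tool would;
    return (list of outcomes, whether the real password was ever accepted)."""
    outcomes = []
    for i, guess in enumerate(guesses):
        outcomes.append(guard.attempt(account, guess == real_password, start + i * delay))
    return outcomes, "ok" in outcomes
```

With the default limits the correct guess at position 7 is never checked because the account is already locked; with an effectively unlimited max_attempts (the situation described above) the same list succeeds.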

If you use cloud storage, make sure to use strong passwords; otherwise, you might as well assume everything you store there is publicly accessible.

The SANS InfoSec Handler’s Diary has more.

Update 2014Sep07: Ars Technica has a followup, in which Apple CEO Tim Cook admits Apple could have done more to prevent the incident, and talks about upcoming iCloud security changes. Over on Bruce Schneier’s blog, he reminds everyone that strong passwords would have protected the victims’ accounts, and to use an offline password manager.

What we know about the recent theft of 1.2 billion passwords

On August 5, the New York Times ran a story calculated to cause panic among Internet users. According to the story, a Russian gang had obtained up to 1.2 billion (yes, billion) login credentials.

The source of the story was Alex Holden, of Hold Security. Unfortunately, Holden didn’t provide much in the way of details, which has given rise to a lot of speculation about the facts and about Holden’s motives.

Hold Security followed up the story by announcing that they planned to offer a fee-based service that would allow anyone to check whether an email address or user id was in the database of stolen credentials. Many took this as a sign that Hold Security was involved in some kind of scam, but well-known security blogger Brian Krebs came to Holden’s defense in a recent post.

Bruce Schneier, another famous security analyst, isn’t sure. He says – and we agree – that there’s something squirrely about this story.

In any case, it’s simply too soon to know for sure what’s going on. Until someone starts using the purloined information for something other than spam, all we can do is wait. Hopefully Hold Security will either create a free tool for checking credentials, or they’ll hand the database over to someone else who will.

In the meantime, our advice remains the same: use complex, unique passwords, especially for critical accounts like online banking.

Microsoft adds encryption to its email and cloud storage services

Traffic into and out of Microsoft’s Outlook.com email service will now be encrypted, as long as the other end also supports encryption. Both Outlook.com and OneDrive, Microsoft’s cloud storage service, now use random keys that are generated for each session.

That last change is a strong indication that Microsoft’s motivation in making these changes is to regain public trust in the wake of Snowden’s revelations. The NSA and other law enforcement agencies can only read encrypted communication if they obtain the encryption keys, and now those keys are temporary and disappear after use.

Ars Technica has additional details.

Web browsers can reveal browsing history

Chrome, Firefox and Internet Explorer can be tricked into revealing your browsing history by unscrupulous web site owners.

The new vulnerability is similar to one that was discovered, then patched, in the major browsers several years ago. The new technique uses a different approach to accomplish the same thing.

Browser developers are working on fixes for this vulnerability, but in the meantime, anyone concerned about their browser history potentially being revealed should get into the habit of clearing their history frequently. Alternatively, you could switch to a privacy-oriented browsing solution such as the Tor Browser Bundle.

Tools to reduce browser-based tracking

The search engine DuckDuckGo has received a lot of attention because of its attitude towards user privacy. Unlike Google, DuckDuckGo doesn’t store your search queries. Their motto is ‘The search engine that doesn’t track you.’

Not everyone cares whether their online activities are tracked. But for those who do, DuckDuckGo’s Fix Tracking! page is an excellent source of information. Once you’ve selected your web browser, you’ll be presented with a list of tools and techniques that can help to reduce the amount of tracking that is done when you use that browser.

The Fix Tracking! page also contains a section describing Common Tracking Methods. Recommended reading.