Category Archives: Privacy

Stop using TrueCrypt

Before Microsoft started including whole-disk encryption in Windows (with BitLocker in Vista), the best solution was TrueCrypt.

Now, according to its developers, TrueCrypt is no longer secure and should not be used. Development has been shut down and users are being instructed to use something else.

There is a lot of speculation about what’s going on. Recent revelations about security solutions being compromised by the NSA led one group to undertake a complete audit of TrueCrypt. It’s not much of a stretch to imagine that this audit prompted TrueCrypt’s shutdown. If the NSA inserted a back door into TrueCrypt, the software’s developers might want to keep that a secret. On the other hand, the audit continues, regardless of TrueCrypt’s status.

Anyone using TrueCrypt is strongly encouraged to switch to something else, like BitLocker.

Blackshades users being investigated

Krebs on Security reports that anyone who purchased the hacking toolkit known as ‘Blackshades’ should be prepared for the authorities to kick in their door and confiscate their computers.

Blackshades is “a password-stealing Trojan horse program designed to infect computers throughout the world to spy on victims through their web cameras, steal files and account information, and log victims’ key strokes.”

eBay systems hacked, users should change passwords

eBay just revealed that their systems were hacked earlier this year. Encrypted passwords and other non-financial data were stolen.

Anyone with an eBay account is strongly encouraged to change their password as soon as possible.

Oddly, when I logged into my eBay account to change my password a few hours ago, there was no mention of this breach or any warning about changing passwords. The only announcement of the breach from eBay seems to be this blog post on ebayinc.com. Ars Technica has more information about this unfortunate lapse on the part of eBay.

Update 2014May23: All the recent attention to their passwords is leading to some criticism of eBay’s password-handling procedures. Hopefully eBay will be quick to improve in this area.

Update 2014May25: Lost in all the concern about password changes is the fact that even if none of the stolen encrypted passwords are cracked, the other – unencrypted – information stolen (including eBay customer names, email addresses, physical addresses, phone numbers and dates of birth) will be very useful for anyone involved in credit card fraud and phishing efforts. And there’s not much you can do about that.

Dropbox issue exposes private documents

Security researchers recently discovered a flaw in Dropbox that could allow access to users’ private documents in certain circumstances. Dropbox responded quickly to fix the vulnerability. It’s not clear whether the vulnerability was known to – or exploited by – any nefarious persons.

If you use Dropbox, you should review your Shared Links settings and restrict shared links to collaborators only.

More Heartbleed fallout

The full extent of the damage caused by the Heartbleed vulnerability may not be known for months. New reports of compromised systems are appearing daily.

Ars Technica reports on a very unfortunate compromise of an OpenVPN installation. It’s particularly bad, because thousands of companies worldwide use VPN solutions to provide supposedly completely secure access to corporate networks from off-site. The potential for damage is enormous.

Also in Heartbleed news: apparently the recently-reported Heartbleed-based intrusion of the Canada Revenue Agency was the work of a teenaged computer science student. He’s been arrested. It seems clear that his motivation was curiosity rather than something more sinister, since he did absolutely nothing to conceal his identity.

Canada Revenue Agency hit by Heartbleed, recommends changing passwords

Anyone who has filed a business or personal tax return online using the Canada Revenue Agency’s web-based tools should change their CRA passwords.

According to the RCMP, about 900 Social Insurance Numbers were obtained from CRA systems by unknown persons over a six-hour period around April 8. The affected account holders will be contacted by the CRA via registered mail.

The CRA systems’ vulnerability has now been patched, but the CRA is advising all account holders to change their passwords.

Extremely critical security bug affects most of the Internet

A bug in the OpenSSL cryptography software running on most of the world’s servers has opened a window into random server data that was never meant to be exposed.

This newly-discovered vulnerability – now known as ‘Heartbleed’ – has apparently existed for at least two years. It’s unclear whether the bug was known to (and used by) nefarious persons to gather supposedly secure information during that time.

Patches for affected operating systems and other software that uses OpenSSL were made available almost immediately after the bug was discovered by researchers. Anyone running a Linux server is strongly advised to update the OpenSSL library ASAP.
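As an added illustration (not code from this post or from OpenSSL itself), here is the bounds check that the Heartbleed fix added to the TLS heartbeat handler, written as a small self-contained C function with two constructed sample records. The record layout follows RFC 6520; the function and sample names are my own, and the padding is zeroed rather than randomised for simplicity.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* TLS heartbeat message layout (RFC 6520):
 *   type(1) | payload_length(2, big-endian) | payload | padding(>=16) */
#define HB_REQUEST     1
#define HB_RESPONSE    2
#define HB_MIN_PADDING 16

/* Validate a heartbeat request and build the echoed response.
 * Returns the response length, or -1 when the request must be dropped.
 * Pre-fix OpenSSL copied payload_length bytes on the sender's say-so without
 * comparing it to the record actually received; the surplus bytes came from
 * whatever happened to follow the record in server memory. */
int build_heartbeat_response(const uint8_t *rec, size_t rec_len,
                             uint8_t *out, size_t out_cap)
{
    if (rec_len < 1 + 2 + HB_MIN_PADDING) return -1; /* cannot be a valid heartbeat */
    if (rec[0] != HB_REQUEST) return -1;
    size_t payload_len = ((size_t)rec[1] << 8) | rec[2];
    /* The 1.0.1g check: declared payload plus minimum padding must fit in the record. */
    if (1 + 2 + payload_len + HB_MIN_PADDING > rec_len) return -1;
    size_t resp_len = 1 + 2 + payload_len + HB_MIN_PADDING;
    if (resp_len > out_cap) return -1;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload_len);            /* echo only what we received */
    memset(out + 3 + payload_len, 0, HB_MIN_PADDING); /* real code uses random padding */
    return (int)resp_len;
}

/* Constructed sample: a well-formed 21-byte request carrying the payload "hi". */
int demo_wellformed(void)
{
    uint8_t rec[1 + 2 + 2 + HB_MIN_PADDING] = { HB_REQUEST, 0x00, 0x02, 'h', 'i' };
    uint8_t out[64];
    return build_heartbeat_response(rec, sizeof rec, out, sizeof out); /* returns 21 */
}

/* Constructed sample: the same 21-byte record, but the header claims a 65535-byte payload. */
int demo_oversized_claim(void)
{
    uint8_t rec[1 + 2 + 2 + HB_MIN_PADDING] = { HB_REQUEST, 0xff, 0xff, 'h', 'i' };
    uint8_t out[64];
    return build_heartbeat_response(rec, sizeof rec, out, sizeof out); /* returns -1 */
}
```

The second sample is the shape of request the unpatched handler answered with up to 64 KB of adjacent memory; the patched check simply discards it.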

Services that use OpenSSL to provide security are separately assessing the risk to their customers and issuing their own advisories and recommendations. For instance, Yahoo Mail is known to be vulnerable. Mojang, makers of the popular game Minecraft, advise all players to change their passwords. Ars Technica is also advising all its users to change their passwords.

This bug is so important that it has its own web page, which provides an overview of the issue and makes general recommendations.

Update 2014Apr10: The LastPass web site has some helpful information about major sites that have been affected by Heartbleed and recommends changing your passwords for those sites. They also provide a site check that allows you to determine whether a particular site was affected by Heartbleed.

Microsoft steps in a huge steaming pile of privacy issues

In yet another of the endless examples of why companies shouldn’t let lawyers make decisions, Microsoft has undone whatever goodwill they might have had from customers who value the privacy of their email.

A Microsoft employee apparently leaked Windows 8 information to a reporter. In typical big-corporation fashion, this leak caused the software giant to go into full-on freakout mode. Ignoring common sense entirely, they dug into the reporter’s Hotmail account, looking for clues to the identity of the leaker. Apparently the lawyers were consulted, and the lawyers said, “Go right ahead and look! The Terms of Service for Hotmail mean the law is on our side.” And they’re right. But that doesn’t mean it was a good idea. Now that this incident has come to light, the public backlash is just beginning for Microsoft.

Of course, this problem is not limited to Microsoft. Almost all email services operate this way. Whoever provides the service can access any part of it at any time, even if it’s encrypted as part of the service. The only way to get around this exposure while using a typical email service is to add your own encryption – on both ends of every email exchange – commonly referred to as end-to-end encryption. Lavabit was one of the few email services to offer this kind of security, and they closed down recently rather than comply with access requests from the NSA.

Update 2014Mar29: Microsoft, in damage control mode, has made changes to its privacy policies. A statement by Microsoft General Counsel Brad Smith on the ‘Microsoft on the Issues’ blog makes it clear that they will no longer look at customer data in situations like this. Smith also states that Microsoft will work with the EFF and other digital rights organizations to help avoid problems like this in the future.