CategoriesPrivacySecurity

Coronavirus Concerns: More People Working from Home Means More Employer Tracking

So I’m going to stir up some :poop: , y’all — but bare with me.

Generally speaking, I’m of two minds on this subject. On one hand, I’m OK with this.

e.g., prior to CommieVirus2020, we would go to work, log on to an employer-provided asset, and commence working. On Employer-provided assets, such as laptops, desktops, servers, etc, I’m 100% fine with <pick an employer> installing NARCwarez. Why? Simple: They own the device.

However, that’s not what’s been happening.

Instead, as more and more people are working from home, employers are attempting to basically “track,” your every waking moment, from the time you roll out of bed, to the time you crawl back into it. Yea, I know that’s an extreme, but let’s get real — we’re talking about a really bad fucking episode of Black Mirror.

So you’ve got two choices: You can tell your employer to pound sand; that you won’t tolerate this type of invasion of privacy.

Their response will probably be your atypical “…..install this (or else you can’t work here any longer).”

So what do you do? Continue reading

CategoriesInternetPrivacySecurity

Tinder: Three Things You Probably Didn’t Know

It all seems very straightforward. Swipe right if you’re attracted to the person on your screen, swipe left if you’re not. Tinder makes the process of finding someone to date seem easy. Individual profiles take only seconds to scan. In under one hour, you could be matched up with someone available to date you tonight. Yet, there’s more to the app than meets the eye. The inner workings of Tinder’s algorithms might leave you a little surprised.

 

 



Tinder has a “desirability” ranking system.

That’s right, Tinder “scores” your desirability based on several factors. You are shown specific matches first, based on these factors. You aren’t able to retrieve these scores for yourself – but a writer, Austin Carr, from Fast Company, was granted access to his score by Tinder executives. This is what he came away with:

“Every swipe is in a way casting a vote: I find this person more desirable than this person, whatever motivated you to swipe right. It might be because of attractiveness, or it might be because they had a really good profile.” Tinder’s engineers tell me they can use this information to study what profiles are considered most alluring in aggregate.” -Carr, Fast Company

Furthermore, Tinder’s VP of product compares the ranking system to that of a World of Warcraft game. He says if someone with a really high score swipes right on you, that’s going to in turn increase your score too. Just like if a high-level player helps a lower-level player level up in Warcraft.

Your Tinder Data may not be Secure.

Yep, it says so right in their TOS: “We do not promise, and you should not expect, that your personal information, chats, or other communications will always remain secure”. With the onslaught of hacked sites and apps in recent years, it’s no wonder they’re taking this precaution.

Since the launch of Tinder, it has been an attractive medium for data scrapers. Scrapers are automated bots or tools that extract data from websites or apps. With over 50 million users on Tinder, these tools provide valuable data to marketers, research firms and potentially to governments. In fact, there have been multiple instances where scrapers were discovered to have harvested a large amount of data from Tinder.

One developer managed to scrape information from over 40,000 profiles and posted it publicly. The purpose for this massive harvesting of profile data was to train AI to recognize gender based on a person’s facial features. The project was called “People of Tinder” and it has since been removed.

Tinder has a Huge Trove of Data on Every User

Last year, Judith Duportail, a writer at The Guardian, asked Tinder for all of the data they had stored on her. Every European citizen is allowed to request their data from companies using the EU data protection law. It turned out Tinder had 800 pages of data stored on her that included information like education, Facebook likes, conversation history, number of Facebook friends, the age-rank and race of men she was interested in, which matches she’d recycled pickup lines with, who she’d ghosted on, and tons more.

The reason Tinder is able to amass so much information on each user, is because most users sign up through Facebook. When someone uses Facebook to login to any app, that app gets access to likes, location information, friend information, public profile information, and often much more (though some of this access may soon be restricted due to the recent Cambridge Analytica scandal). They also study your behaviors while using the app, and then use that behavioral data to help target matches and advertisements. Many users also link their Instagram accounts to the app, which gives Tinder even more data to harvest.

Now that you know Tinder is just as exploitative as other apps and services that have been in trouble for data-mining lately, will you still continue to use it to find dates?

CategoriesData BreachesNewsSecurity

Panera Bread Ignored Data Breach Warning, Said it was a “Scam”

Panera Bread has suffered a major data breach, affecting potentially 7 million customers. The data is said to include names, email addresses, and credit card information. What’s worse – the data could have been crawled and indexed with simple automated tools.

This wasn’t news to those at the top at Panera Bread. Last summer, a security researcher told Panera Bread that their website was exposing this sensitive data. When Panera was made aware of the flaw, they dismissed it as a scam or sales pitch. After months of the flaw continuing to be exposed and unpatched, the security researcher decided to go public with evidence of the vulnerability.

“I am not exaggerating when I say you have a massive sensitive data exposure issue,” he said, “and I’d simply like you to be made aware of it so you can quickly resolve it.” -researcher Dylan Houlihan (in response to Panera Bread maintaining that he was giving a sales pitch).

Panera Bread is now downplaying the security of the breach, telling Fox News they have secured the breach and only ten thousand records were exposed. Krebs on Security is not buying it, especially considering Panera’s commercial division which serves countless catering companies which may run on the same software.

As of this writing, Panera has not made any statement on their website (it was recently taken down) nor on Twitter about the breach.

Photo Credit: Mike Mozart

CategoriesNewsSecurity

Wannacry Ransomware Attack – Updates From Top Sources

WannaCry? Ransomware Spreads Globally…

A ransomware attack began last week in Europe, targeting thousands of computers running Windows. Ransomware is malicious software that makes it impossible for the user to access their computer files unless they pay a ransom. Ransomware attackers frequently ask to be paid in bitcoin. Often times, even after the ransom is paid, the user still does not regain access to their files. The name of the worm that targets the Windows OS is called Wannacry (or WannaCrypt, WanaCrypt0r 2.0, Wanna Decryptor)

Here are some updates about the Wannacry ransomware attack from some top tech sources as well as clever comments from the internet:

NSA says ransomware was like “fishing with dynamite”

Quick guide on how it all works:

More leaks coming….

Leave Wannacry Hero Alone!

“A stealthy cryptocurrency-mining malware that was also using Windows SMB vulnerability at least two weeks before the outbreak of WannaCry ransomware attacks.”

IBM Suggestions to protect yourself from ransomware

Microsoft be like

“The Wannacry Starter Pack”

VXShare claims to have access to Wannacry samples

Some Linux users are gloating

See more news stories like this.

Photo Credit: christiaancolen

CategoriesHackingSecurity

Are The Shadow Brokers Like Snowden? Theory Suggests Insider Hack

By now, most of our readers have heard of the Shadow Brokers, the hacker group who obtained a large trove of data from the National Security Agency (NSA) and leaked information about the NSA’s cyber tools. The cyber tools were apparently stolen from the Equation Group, a cyber attack operation who experts believe are part of the NSA.

(Watch a quick overview about the NSA hack – “NSA Reportedly Hacked By Group Called The Shadow Brokers”):

Initially, evidence suggested that the Shadow Brokers were Russian, but a new theory is emerging that whoever is leaking this data might be “a second Edward Snowden… albeit one with different motives” (Fortune). James Bamfield, a journalist who is well known for his publications about United States intelligence agencies, believes that Russia would not want to publish these hacks if they obtained them, because companies would quickly patch their vulnerabilities and the information would soon be worthless to anyone trying to sell the data. He also brings up that the bad English used by the hackers seems to be phony. Furthermore, he suggests that the hacker(s) could be linked to the NSA’s Tailored Access Operations (TAO) which is a unit of the surveillance agency that gathers intelligence related to cyber-warfare. He states:

“Rather than the NSA hacking tools being snatched as a result of a sophisticated cyber operation by Russia or some other nation, it seems more likely that an employee stole them. Experts who have analyzed the files suspect that they date to October 2013, five months after Edward Snowden left his contractor position with the NSA and fled to Hong Kong carrying flash drives containing hundreds of thousands of pages of NSA documents.

So, if Snowden could not have stolen the hacking tools, there are indications that after he departed in May 2013, someone else did, possibly someone assigned to the agency’s highly sensitive Tailored Access Operations” (Reuters).

As of now, the “second Snowden” theory is just that – a theory. Most experts still say Russia is behind the hacks. Nevertheless, as Bamford puts it in his commentary – the “NSA may prove to be one of Washington’s greatest liabilities rather than assets.”

CategoriesHackingNewsSecurity

Facial Recognition gets “Hacked” Thanks to Facebook

Facial recognition technology is utilized in many different systems. Biometric software is used in facial recognition tools for security purposes and other applications such as social media marketing. Algorithms use a statistical approach to identify facial features – and facial recognition is increasingly used as a crime-fighting tool. In the future it could be used to monitor employee attendance at work, to enhance security measures at ATMs and to prevent voter fraud. Many privacy advocates see a problem with this technology because it could quickly turn us into a surveillance society.

University of North Carolina researchers have discovered a way to get around facial recognition security. By using a virtual reality (VR) system to develop 3D models of the face, they were able to trick the biometric security measures. They did this with just a handful of photos found on Facebook and were able to fool the systems more than half the time (Newsweek).

Clearly this is a huge security flaw in the technology which means other types of “verifiable data” would need to be used for authentication in order for facial recognition to be a feasible option. One technique that could be used is the detection of infrared radiation which would be given off by a real face, not a 3D model (Techworm).

For more information on how facial recognition technologies work, check out this video from Brit Lab:

CategoriesSecuritySmart PhonesTechnology

Gesture Analysis: Could your Movements be Hacked?

Smart phone and tablet developers will need to put better security measures in place to keep hackers and governments out of their devices. Many newer generation devices implement fingerprint readers in place of passcodes, which are often promoted as a stronger security feature. However, as we learned in recent news, authorities can force you to use your fingerprint to unlock your phone (but you can still invoke your 5th amendment right to withhold your numeral passcode from them). Gesture analysis could come next.

Free-form gestures have been said to be the next step in passwords. It is very difficult to simulate a complex gesture as opposed to guessing a numerical combination. Jailbroken iPhones got this feature awhile back (called Stride2), you can see how it works here:

In addition to using gestures to set your passwords, your touch-screen device could continuously verify your identity while you’re using it. It would do this by interpreting your gestures with mathematical algorithms. According to Motherboard, “the basic idea is to observe a user’s movements on a touchscreen device for some period of time and to come up with a gestural profile unique to that individual.” Every person makes unique gestures when they use a device and those all add up to make a personal profile. Ideally, if hijackers or authorities have access to your unlocked device, they wouldn’t be able to use it for long. If they did, the device would recognize that the user is not you since the gestures would not fit the profile. Yet as we see from the Motherboard article, robots were able to recreate user biometrics pretty easily.

Phones and tablets could end up having multiple layers of authentication (fingerprint, gesture analysis and codes) but many users would find that to be too much of a hassle. Facial recognition could be another alternative to passwords, but that might not protect you from authorities either. Voice recognition would probably be protected under the 5th amendment, but isn’t a convenient way to work with your phone in quiet places. Research into better security features is at the forefront of developers minds right now. Hopefully we will see better solutions in the near future.

Photo Credit: Jhaymesisviphotography

CategoriesInternetPrivacySecurity

New Security Measures from Gmail (VIDEO)

Have you noticed some of the changes lately in your Gmail inbox? You may have received an email from a friend or colleague and saw that it had an unlocked red padlock next to it like this:

gmail not encrypted did not encrypt this message

When you hover over the padlock, it says something like: “Some recipients use services that don’t support encryption” or “[(x) service provider] did not encrypt this message”. Gmail put this visual element in place to let users know that the sender’s email service does not support TLS encryption (video explaining TLS encryption following this article). Gmail users took notice of this change and in less than 2 months of implementation, “the amount of inbound mail sent over an encrypted connection increased by 25%” –Nicolas Lidzborski Gmail Security Blog

Another change you may have noticed is that the person you receive an email from has a question mark next to their name rather than the standard Google Plus avatar. A message is displayed that says: “Gmail couldn’t verify that this message was sent by [sender]…” This is a new way for Gmail to help you flag spam or determine if emails are spoofed.

gmail couldn't verify spammer

You will often see this warning when the message has been forwarded or has been sent by a third party site, as reflected by the email headers – or if the email service provider did not sign or verify the messages.

These new features are part of Google’s protections that are designed to help keep their users safe. Since 2012, Google has also warned its users if state-sponsored attackers may be targeting them. Even though this is a rare warning to receive, it is important for people like journalists and activists to know if they’re being targeted.

state sponsored attackers gmail

Now Google has made a new announcement. If they have reason to believe government-backed attackers may be trying to steal your password, they will give you a full page warning upon sign in like this:

new warning google government state sponsored attackers

Google maintains: “The security of our users and their data is paramount.” Do you believe these changes will in fact make Gmail’s users safer?


(Google now lets Gmail users know if senders are not using TLS encryption. Learn about TLS by watching the above video)

CategoriesInternetNewsPrivacySecurity

Skype Will Better Protect Users by Hiding IP Addresses

Skype has announced that in their new update, they will finally hide your IP address so that you are protected from “trolls”. This news is especially good for gamers who often find themselves DDoS’d by gaming rivals. There have been many YouTube tutorials helping Skype users find IP addresses through Skype calls. This sometimes leads to retaliation tactics against other gamers.

Here is an example of one such tutorial:

Instead of allowing users to opt-out of sharing IP addresses with contacts, Skype’s new update will automatically hide the IP address.

“Microsoft says the measure will “prevent individuals from obtaining a Skype ID and resolving to an IP address,” which won’t only protect gamers, but other Skype users who may be targeted by online trolls.” –Matt Brian, Engadget

Many believe that Skype is responding to the wishes pro-gamers have had for a long time. Some users were already using work-arounds to disguise their IP to protect themselves.

If you still need to get the latest version of Skype, you can find it here.

CategoriesInternetPrivacySecurity

How Do SSL Certificates Work?

How do you exchange private data over the internet? Part of the answer lies with SSL certificates. Secure Socket Layer (SSL) certificates work by creating a private line of communication in which allows private data to be delivered.

The main problem with communication and security over the internet is eavesdropping. Others may be able to access the data exchange between your computer and the website’s servers. This is also called a main-in-the-middle attack. SSL certificates are a way of ensuring that no one is able to intercept and decrypt this information.

To better understand how SSL certificates work, let’s imagine a boy is being picked up at the train station for the first time by someone who he’s never met. How can he know for sure to trust the person picking him up? The answer is simple. His parents write a letter signed by them stating they trust that individual. By trusting his parent’s authority, the boy can now trust the person picking him up.

This is quite similar to how SSL certificates work. Web sites can create certificates and have them signed by something called a CA or Certificate Authority. An example includes DigiCert. By having them signed, browsers can then identify website and servers by their certificate. They then know if they can trust them. This is the basic concept of how SSL Certificates help to identify and trust the websites we are communicating with.

What about actually communicating? What if two people want to talk in that same train station without worrying if someone else is listening? The answer lies with keys. To illustrate the concept of keys and how they help with encryption, imagine each of the two people have a box and a set of keys. The keys are labeled private and public. They exchange their public keys. Now, each person has a private key, the other’s public key, and a box.

The basic process works like this: One person writes a message and places it into the box. They then lock the box with the other’s public key. They then pass the box along. Once the box is at its destination, only the person holding the private key can open the box locked by its very own public key. If the other person wants to send a message back, they can send back a letter in the box locked with the other’s public key. The entire communication, also called a session, can go back and forth securely using this method.

This is much like how SSL certificates are used to create private and public keys. Web servers send the user a copy of its public key along with the certificate. The browser can then decide to trust the website based on this information. If it does, it can then send messages back and forth simply by encrypting and decrypting keys.

Identifying websites that have and use SSL are easy. Simply look for the lock at the top of the browser. Never exchange private data unless there is a lock up at the top of the browser. If there isn’t, there is not an acceptable level of encryption being used on that site. Anyone who sells anything online needs to have an SSL .All banks and e- commerce sites need to have an SSL to help ensure security.