Article 43

 

Privacy And Rights

Tuesday, January 14, 2014

My Leaked Apple Email Address

The mail logs turned up some interesting stuff today.

A few SPAMS ALLEGEDLY FROM AMERICAN EXPRESS were sent to my Apple Store email address.

The alarming part is that this email address is used only for purchases from the APPLE STORE.

Until now I guess.

Jan 14 11:32:16 sendmail[17633]: xxx: from=<AmericanExpress@welcome.aexp.com>, size=13616, class=0, nrcpts=1, msgid=<yyy@mymailserver>, proto=ESMTP, daemon=MTA, relay=[5.239.152.216]

Jan 14 11:32:20 spamd[30436]: spamd: result: Y 8 RCVD_ILLEGAL_IP, RCVD_IN_HOSTKARMA_BL, RCVD_IN_PSBL, RDNS_NONE scantime=4.8, size=14223, rhost=mymailserver,raddr=127.0.0.1, rport=12345, mid=<yyy@mymailserver>, tests=RCVD_ILLEGAL_IP, RCVD_IN_HOSTKARMA_BL, RCVD_IN_PSBL, RDNS_NONE

Jan 14 11:32:20 sendmail[17633]: xxx: to=<my-apple-store-email-address>

The question is how did that email address get shared?

Was it sold/given away, was somebody’s database broken into, or did PHISHERS find it by accident?

Better check that credit card.
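To turn that single-purpose-address trick into a repeatable check, here is an added Python example (not from the original post) that parses sendmail and spamd lines like the ones above, joins them on queue id and Message-ID, and reports any mail to a vendor-only alias from a sender domain outside that vendor's. The sample log is constructed from the entries shown, with a placeholder alias and a second, legitimate message added for contrast.

```python
import re

# Constructed sample log: the first three lines mirror the post's entries
# (queue id "xxx" and Message-ID "yyy" are placeholders, as in the original);
# the last three are a made-up legitimate Apple Store message for contrast.
SAMPLE_LOG = """\
Jan 14 11:32:16 sendmail[17633]: xxx: from=<AmericanExpress@welcome.aexp.com>, size=13616, class=0, nrcpts=1, msgid=<yyy@mymailserver>, proto=ESMTP, daemon=MTA, relay=[5.239.152.216]
Jan 14 11:32:20 spamd[30436]: spamd: result: Y 8 RCVD_ILLEGAL_IP, RCVD_IN_HOSTKARMA_BL, RCVD_IN_PSBL, RDNS_NONE scantime=4.8, size=14223, rhost=mymailserver,raddr=127.0.0.1, rport=12345, mid=<yyy@mymailserver>, tests=RCVD_ILLEGAL_IP, RCVD_IN_HOSTKARMA_BL, RCVD_IN_PSBL, RDNS_NONE
Jan 14 11:32:20 sendmail[17633]: xxx: to=<apple-only@example.org>
Jan 14 12:01:02 sendmail[17701]: zzz: from=<noreply@apple.com>, size=9001, class=0, nrcpts=1, msgid=<abc@mymailserver>, proto=ESMTP, daemon=MTA, relay=[192.0.2.10]
Jan 14 12:01:05 spamd[30436]: spamd: result: . 0 - scantime=1.0, size=9100, rhost=mymailserver,raddr=127.0.0.1, rport=12346, mid=<abc@mymailserver>, tests=none
Jan 14 12:01:05 sendmail[17701]: zzz: to=<apple-only@example.org>
"""

# Which sender domains each single-purpose alias is allowed to hear from (constructed).
ALIAS_POLICY = {"apple-only@example.org": {"apple.com"}}

SENDMAIL_FROM = re.compile(
    r"sendmail\[\d+\]: (?P<qid>\S+): from=<(?P<sender>[^>]*)>.*?"
    r"msgid=<(?P<mid>[^>]*)>.*?relay=\[?(?P<relay>[^\]\s,]+)")
SENDMAIL_TO = re.compile(r"sendmail\[\d+\]: (?P<qid>\S+): to=<(?P<rcpt>[^>]*)>")
SPAMD_RESULT = re.compile(
    r"spamd: result: (?P<flag>\S) (?P<score>-?\d+).*?mid=<(?P<mid>[^>]*)>")


def correlate(log_text):
    """Join sendmail from/to lines on queue id and spamd verdicts on Message-ID.
    Assumes the from= line is logged before its to= line, as sendmail does."""
    by_qid, by_mid = {}, {}
    for line in log_text.splitlines():
        if (m := SENDMAIL_FROM.search(line)):
            by_qid[m["qid"]] = {"sender": m["sender"].lower(), "mid": m["mid"],
                                "relay": m["relay"], "rcpts": []}
        elif (m := SENDMAIL_TO.search(line)) and m["qid"] in by_qid:
            by_qid[m["qid"]]["rcpts"].append(m["rcpt"].lower())
        elif (m := SPAMD_RESULT.search(line)):
            by_mid[m["mid"]] = (m["flag"] == "Y", int(m["score"]))
    for msg in by_qid.values():
        msg["spam"], msg["score"] = by_mid.get(msg["mid"], (False, 0))
    return list(by_qid.values())


def find_leaks(log_text, alias_policy):
    """Report mail to a single-purpose alias from a sender outside its allowed domains.
    Each hit carries the relay IP and spamd verdict so the event can be triaged."""
    hits = []
    for msg in correlate(log_text):
        domain = msg["sender"].rpartition("@")[2]
        for rcpt in msg["rcpts"]:
            allowed = alias_policy.get(rcpt)
            if allowed is not None and domain not in allowed:
                hits.append({"alias": rcpt, "sender": msg["sender"], "relay": msg["relay"],
                             "spam": msg["spam"], "score": msg["score"]})
    return hits


if __name__ == "__main__":
    for hit in find_leaks(SAMPLE_LOG, ALIAS_POLICY):
        print(f"possible leak of {hit['alias']}: from {hit['sender']} via "
              f"{hit['relay']} (spam={hit['spam']}, score={hit['score']})")
```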

Posted by Elvis on 01/14/14 •
Section Privacy And Rights • Section Broadband Privacy

Saturday, October 05, 2013

Google Browser Spy Cam


Google Switches On Browser Spy Cam in Chrome

By Paul Wagenseil
Tech News Daily
August 1, 2013

Google’s frequent Chrome browser updates are rarely exciting, but one new feature built into the latest version ought to wake you up.

Chrome 21, RELEASED July 31, fully implements WebRTC (for “real-time communication”), a new standard that lets websites and Web applications use your computer’s camera and microphone - all the better to see and hear you with, of course.

Previously, websites and apps had to use browser plug-ins such as ADOBE FLASH PLAYER or Microsoft Silverlight for audio and video interaction with the user.

WebRTC leverages the powers of HTML5, the next generation of code underlying the Web, to build multimedia features directly into the browser. Google’s Chrome blog already points to a couple of fun sites that let you TAKE YOUR PICTURE with the browser or PLAY A VIRTUAL XYLOPHONE.

That all sounds great, but there doesn’t seem to be any way to disable WebRTC in Chrome 21.

An email seeking clarification from Google was not immediately returned.

“This is a standard JavaScript API [application-platform interface], and just like other JavaScript components cannot be enabled/disabled by itself,” said Johannes Ullrich, chief technical officer at the SANS Technology Institute’s Internet Storm Center. “You would have to compile your own custom version of Chrome.”

Chrome requires websites and apps to ask the USER’S PERMISSION to access the camera and microphone. Yet any good hacker will tell you it’s just a matter of time before someone finds a way around that and uses WebRTC to have an unauthorized look at what people are doing in front of their computers.

To be fair, WebRTC may not be any less secure than what it’s replacing.

“The risk isn’t really larger than having Flash installed (of course, more and more people disable or do not install Flash),” Ullrich told SecurityNewsDaily via email. “Flash already had the ability to access the camera and microphone, and had some vulnerabilities that allowed websites to trick the user into ENABLING THE CAMERA/MICROPHONE VIA CLICKJACKING.”

Besides Chrome, only the forward-looking Opera browser has implemented WebRTC. Mozilla Firefox and Microsoft Internet Explorer are working on including it in future versions.

Chrome users concerned about their privacy can’t simply refuse to update to Chrome 21, because Chrome automatically updates itself. (For the technically skilled, there are ways to turn automatic updating off.)

If you’re worried, put black tape over your Webcam when you’re not using it. If you’re using a desktop PC, there may be a way to disconnect the built-in microphone.

Chrome 21 also FIXED 26 different, mostly moderate, security flaws. The single one rated “critical” is related to a tab-handling issue found only in the Linux version of the browser.

Most of the other flaws apply to all versions of Chrome, and are rated as “low” to “high” threats.

UPDATE: A spokeswoman for Google told SecurityNewsDaily in an email, “We are working closely with the W3C [World Wide Web Consortium] to ensure there is a high standard of security and transparency with the GetUserMedia API [which enables WebRTC in Chrome], including ensuring the user is in control of whether and how media is used, and to make any usage transparent through in-product notifications.

“For example,” she said, “the user needs to give permission for a site to use the camera by clicking ‘allow’ and a persistent notification that the camera is turned on will be present until the camera is turned off to remind users.”

As for whether malicious actors could access the camera or microphone surreptitiously, “Because both the user consent (infobar) and notification mechanisms (system tray and persistent bubble) are in the browser, it’s isolated from website content and therefore much harder to be broken by malicious sites.”


Posted by Elvis on 10/05/13 •
Section Privacy And Rights • Section Broadband Privacy

Lavabit


Cheeky Lavabit *did* hand over crypto keys to US government after all - printed in a 4-point font

By Paul Duncan
Naked Security
October 4, 2013

Just under two months ago, we wrote about the closure of secure EMAIL SERVICE Lavabit.

Lavabit’s founder, Ladar Levison, explained that he was in a spot of legal bother that made it impossible for him to continue to operate with a clear conscience, so he would suspend the service.

He also noted that, much as he wanted to, he couldn’t give details about said legal bother.

All he could do was to point out that he had lodged an appeal and hoped to open up the service again one day.

Of course, the smart money was that law enforcement wanted access to data belonging to a certain Mr EDWARD SNOWDEN, the National Security Agency (NSA) whistleblower, who was known to be a Lavabit user.

We HEDGED OUR BETS on Naked Security, since the only thing we knew we knew was that we didn’t know whether the kerfuffle involved Snowden at all.

But recently unsealed COURT DOCUMENTS [PDF, 162 pages, 16MB] now tell a bit more of the story.

The name Snowden is still mentioned only in passing (various redactions have suppressed names throughout the unsealed documents).

So we still don’t have official confirmation that Snowden, amongst others, was the target of the investigation.


That, however, hardly matters any more.

What matters is the intriguing tale of the court requiring Lavabit to hand over its SSL private keys, and Lavabit arguing that it ought not to comply, since that would give access to all messages to and from all customers, which would be unfair and unreasonable.

Very greatly simplified (and I hope I have not oversimplified to the point of misunderstanding), the court wanted Lavabit to enable law enforcement to intercept so-called email metadata for a particular user.

But due to the use of SSL/TLS at all times, with data kept encrypted in transit and at rest, even accessing mail headers was no simple matter - unless law enforcement were given Lavabit’s private keys.

(A MiTM, or man-in-the-middle, attack on encrypted traffic is trivial if you have all the encryption keys and certificates to use “in the middle.”)

Eventually, Lavabit had little choice but to comply, turning over five SSL private keys.

It still wasn’t game over for Lavabit users’ privacy, however, because Levison gamely supplied the cryptographic material in printed form, stretched over 11 pages in a four-point font.


To say that the law enforcement officers were underwhelmed is the understatement of the year, and matters were soon back in court, with “handing over the keys” quickly redefined to mean, “handing over the keys as computer-readable PEM files suitable for immediate use, and no more mucking around.”

Indeed, to guard against further stalling tactics, the government petitioned the court to fine Levison $5000 for every day he continued to dither.

At this point, Levison folded and complied, but pulled the plug on Lavabit at the same time, and that was that for the men-in-the-middle.

The New York Times REPORTS that a prosecutor referred to the abrupt shutdown of Lavabit as “just short of a criminal act,” but, then, nearly-a-crime isn’t actually a crime.

What can we learn from this?

Aside, of course, from the fact that the government didn’t let up for a minute, giving back in court to Lavabit as good as it got - better, in fact, were it not for Levison’s confounded coup de grâce.

To me, one of the most interesting aspects of this story is the recognition by a non-tech-savvy court that at least part of the problem was the regrettable fact that Lavabit would need to put the privacy of 400,000 users at risk to secure the lawful surveillance of just one person.

As the court pointed out (this is a transcript, not a written judgement):

[Y]ou’re blaming the government for something that’s overbroad [the requirement to hand over the all-revealing SSL keys], but it seems to me that your client is the one that set up the system that’s designed not to protect that information, because you know that there needs to be access to calls that go back and forth to one person or another. And to say you can’t do that just because you’ve set up a system that everybody has to—has to be unencrypted, [read: in which all users are encrypted in the same way] if there’s such a word, that doesn’t seem to me to be a very persuasive argument.

In short, the court is as good as saying, “If you wanted to come up with this ‘but what about the privacy of all the 399,999 other users’ argument, why didn’t you implement the system so their individual privacy was better protected?”

After all, Lavabit could have taken an approach more like the one used by Kiwi internet showman Kim Dotcom’s Mega service, so that each user’s encrypted traffic and content could stand (or fall) alone.

Of course, that wouldn’t have stopped Levison shuttering the entire service, effectively DDoSing all his users to protect the privacy of one of them.

But from a cryptographic point of view, it would have made a lot more sense to me.


Posted by Elvis on 10/05/13 •
Section Privacy And Rights • Section Broadband Privacy

Sunday, July 07, 2013

For Sale - Your Cell Phone Records


AT&T has announced that it will begin SELLING customers smart phone data to the highest bidder, putting the telecommunications giant in line with Verizon, Facebook and other competitors that quietly use a consumer’s history for marketing purposes.

RT news
July 6, 2013

The company claims its new privacy policy, to be updated within “the next few weeks,” exists to deliver “more relevant advertising” to users based on which apps they use and their location, which is provided by GPS-tracking. Apparently recognizing the natural privacy concerns a customer might have, AT&T assured the public that all data would be aggregated and made anonymous to prevent individual identification.

A letter to customers, for instance, described how someone identified as a movie fan will be sent personalized ads for a nearby cinema.

“People who live in a particular geographic area might appear to be very interested in movies, thanks to collective information that shows wireless devices from that area are often located in the vicinity of movie theaters,” the letter states. “We might create a ‘movie’ characteristic for that area, and deliver movie ads to the people who live there.”

A June 28 blog post from AT&T’s chief privacy officer Bob Quinn said the new policy will focus on “Providing You Service and Improving Our Network and Services,” but the online reaction has been overwhelmingly negative, with many customers looking for a way to avoid the new conditions.

“You require that we allow you to store a persistent cookie of your choosing in our web browsers to “OPT-OUT”,” one person wrote. “No mention of how other HTTP clients, such as email clients, can opt out. If you really did care about your customers, you would provide a way for us to opt out all traffic to/from our connection and mobile devices in one easy setting.”

One problem for any customer hoping for a new service is the lack of options, smartphone or otherwise. Facebook, Google, Twitter and Verizon each store consumer data for purposes that have not yet been made clear. And because of the profit potential that exists when a customer blindly trusts a company with their data, small Internet start-ups, including AirSage and many others, have developed a way to streamline information into dollars.

The nefarious aspect of AT&T’s announcement is underscored by the recent headlines around the National Security Agency, which has spent years compelling wireless corporations to hand over data collected on millions of Americans. Unfortunately for the privacy of those concerned, AT&T’s new policy may only be a sign of things to come.

“Instead of merely offering customers a trusted conduit for communication, carriers are coming to see subscribers as sources of data that can be mined for profit, a practice more common among providers of free online services like Google and Facebook,” the Wall Street Journal wrote about the matter in May.


Posted by Elvis on 07/07/13 •
Section Privacy And Rights • Section Broadband Privacy

Sunday, June 30, 2013

Kiss HIPPA Goodbye


Obamacare Will Collect and Share Americans’ Data Without the Consent of the Individual

By J.D. Tuccille
Reason
June 25, 2013

If you were starting to fret that the National Security Agency was the only government body that cared enough to stalk you, fret not! It turns out that the concerned folks slapping together Obamacare exchanges plan to hoover up your personal information in something called a Data Services Hub in order to determine your privileges and exemptions under the new government health care regime. Even better, officials intend to SHARE YOUR DATA with federal and state agencies, private contractors and consultants, explicitly without asking for your leave to do so.

John Merline of Investors Business Daily REPORTS:

The Health and Human Services Department earlier this year exposed just how vast the government’s data collection efforts will be on millions of Americans as a result of ObamaCare.

Sen. Max Baucus, D-Mont., asked HHS to provide “a complete list of agencies that will interact with the Federal Data Services Hub.” The Hub is a central feature of ObamaCare, since it will be used by the new insurance exchanges to determine eligibility for benefits, exemptions from the federal mandate, and how much to grant in federal insurance subsidies.

In response, the HHS said the ObamaCare data hub will “interact” with seven other federal agencies: Social Security Administration, the IRS, the Department of Homeland Security, the Veterans Administration, Office of Personnel Management, the Department of Defense and, believe it or not, the Peace Corps. Plus the Hub will plug into state Medicaid databases.

And what sort of data will be “routed through” the Hub? Social Security numbers, income, family size, citizenship and immigration status, incarceration status, and enrollment status in other health plans, according to the HHS.

The Center for Consumer Information & Insurance Oversight at the Centers for Medicare & Medicaid Services PROVIDES SOME REASSURANCES for those concerned by such concentration of personal information.

For all marketplaces, CMS is also building a tool called the Data Services Hub to help with verifying applicant information used to determine eligibility for enrollment in qualified health plans and insurance affordability programs.  The hub will provide one connection to the common federal data sources (including but not limited to SSA, IRS, DHS) needed to verify consumer application information for income, citizenship, immigration status, access to minimum essential coverage, etc.  CMS has completed the technical design, and reference architecture for this work, is establishing a cross-agency security framework as well as the protocols for connectivity, and has begun testing the hub.  The hub will not store consumer information, but will securely transmit data between state and federal systems to verify consumer application information. Protecting the privacy of individuals remains the highest priority of CMS.

No stored consumer information? Privacy is the “highest priority”? Well, that’s all right, then. Except ... Damn it. Government agencies often say one thing publicly, and quite another privately. Merline points out that the Centers for Medicare & Medicaid Services portrayed the Data Services Hub in a somewhat different light in an obscure regulatory notice FILED ON FEBRUARY 6, 2013:

In accordance with the requirements of the Privacy Act of 1974, CMS is establishing a new system of records titled, “Health Insurance Exchanges (HIX) Program,” to support the CMS Health Insurance Exchanges Program established under provisions of the Affordable Care Act (PPACA) ... The system of records will contain personally identifiable information (PII) about certain individuals who apply or on whose behalf an application is filed for eligibility determinations for enrollment in a qualified health plan (QHP) through an Exchange, and for insurance affordability programs.

So, the database “will contain personally identifiable information” after all. And just how “highest priority” is the privacy of the stored data?

ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM
A. Entities Who May Receive Disclosures Under Routine Use

These routine uses specify circumstances, in addition to those provided by statute in the Privacy Act of 1974, under which CMS may release information from the HIX without the consent of the individual to whom such information pertains. ...

Among the listed “entities who may receive disclosures under routine use” without your consent are federal agencies, state agencies, agency contractors, consultants, CMS grantees and non-profit entities operating exchanges for states.

Those are just the entities authorized to have access to your information. As we know, employees of government agencies from local police departments to the Internal Revenue Service have a history of MISUSING DATABASES FOR FUN AND PROFIT.


Posted by Elvis on 06/30/13 •
Section Privacy And Rights