I know it has been said before, but it apparently needs repeating… You get what you pay for. This is especially true in the world of Virtual Private Networks. With so many people using the net to work from home or whatever, VPNs are a good idea, but not every VPN is a good idea.
If it is free, you are paying for it in another way. 100+ VPN Logging Policies Debunked.
And it isn’t just the unknown players that you need to beware of.
For example, McAfee’s Safe Connect claims to encrypt your online activity and defend you against cybercriminals. On their homepage, they also claim to protect your privacy.
After the break find a table that details some of the VPNs and how they are not guarding your privacy.
Torrent Freak hasn’t updated its list of VPNs, so we still have last year’s list. It is good. The Good VPNs don’t change much year-to-year. Which VPN Services Keep You Anonymous
Someday companies will take security seriously. But it won’t be in 2020. New York payments startup exposed millions of credit card numbers.
The processor is PAAY, a New York startup that left a database online with no password protection. You can click thru for the particulars.
The interesting thing is the attitude and the lies of one of the co-founders. He said they didn’t store credit card numbers.
TechCrunch reviewed a portion of the data. Each transaction contained the full plaintext credit card number, expiry date and the amount spent. The records also contained a partially masked copy of each credit card number. The data did not include cardholder names or card verification values, making it more difficult to use the credit card for fraud.
Mendlowitz disputed the findings. “We don’t store card numbers, as we have no use for them.” TechCrunch sent him a portion of the data showing card numbers in plaintext, but he did not respond to our follow-up.
So perhaps not a total nightmare, but it is still a screw-up of monumental stature. To put a database online without security and leave it there for 3 weeks is just plain stupid. Or it shows you don’t care in the least about security. Which they don’t.
Because security is hard. Security and Privacy Implications of Zoom.
Zoom’s encryption is awful. First, the company claims that it offers end-to-end encryption, but it doesn’t. It only provides link encryption, which means everything is unencrypted on the company’s servers. [SNIP]
They’re also lying about the type of encryption.
So the short story is, they don’t give a rat’s ass about security.
And then there is privacy. (What’s that?) First they lied about it. Then they tried to be coy. But privacy is not high on their list of priorities.
Zoom still collects a huge amount of data about you. And note that it considers its home pages “marketing websites,” which means it’s still using third-party trackers and surveillance based advertising.
But then security and privacy are expensive, and if you give a person a chocolate bar, there is a good chance they will give you access to their online banking system.
Because of course it is. Zoom iOS App Sends Data to Facebook Even if You Don’t Have a Facebook Account.
Actually most apps send data to F*c*book, because programmers are lazy, and the F*c*book development environment is an easy place to start.
Privacy is such a 20th Century concept. (Hat tip to Wirecutter.)
They want to snoop on EVERYTHING you do online. EVERYTHING. Research Finds Microsoft Edge Has Privacy-Invading Telemetry.
When testing the Edge Browser, Leith saw that every URL that was typed into Edge would be sent back to Microsoft sites.
For example, every URL typed into the address bar is shared with Bing and other Microsoft services such as SmartScreen. This was confirmed by BleepingComputer who used Fiddler to see the JSON data being sent to Microsoft.
“Telemetry” data. Everything you do online, is a bit beyond telemetry, and more like a creepy invasion of privacy.
Google’s Blogspot blogging software has decided that in order to comment on any post at a blogspot.com website, you need to have 3rd-party cookies enabled. So I keep Edge handy with that feature on in case I ever want to comment on a blogspot blog. Because I won’t enable 3rd party cookies in my usual browsers. (Which are all of them, aside from Edge.)
More like Airstrip One every day. UK Govt. Approves Net Censorship – Free Speech Dies – Liberty Nation.
The United Kingdom has become the first Western nation to move ahead with large-scale censorship of the internet, effectively creating regulation that will limit freedom on the last frontier of digital liberty. In a move that has the nation reeling, Prime Minister Boris Johnson has unveiled rules that will punish internet companies with fines, and even imprisonment, if they fail to protect users from “harmful and illegal content.”
Couched in language that suggests this is being done to protect children from pedophiles and vulnerable people from cyberbullying, the proposals will place a massive burden on small companies. Further, they will ultimately make it impossible for those not of the pervasive politically correct ideology to produce and share content.
Western Civilization was nice while it lasted. (Hat tip)
Because security is important. Signal is finally bringing its secure messaging to the masses | Ars Technica.
Or are you comfortable living in a state like the old East Germany under the Ministerium für Staatssicherheit, or the Stasi?
But Deb, they make it so hard to share emojis and security is hard, and I really want a chocolate bar, and to get one all I have to do is turn over my life to Google, or F*c*book, or Apple or the NSA, or – Oh look! a squirrel! </sarcasm>
Marlinspike has always talked about making encrypted communications easy enough for anyone to use. The difference, today, is that Signal is finally reaching that mass audience it was always intended for—not just the privacy diehards, activists, and cybersecurity nerds that formed its core user base for years—thanks in part to a concerted effort to make the app more accessible and appealing to the mainstream.
So there really is no excuse.
Everything. You. Do. Customer Tracking at Ralphs Grocery Store.
To comply with California’s new data privacy law, companies that collect information on consumers and users are forced to be more transparent about it. Sometimes the results are creepy.
Health. Insurance. Property. Bank Accounts. What you do online. Geolocation data – which is vague. (Where you go in the store or where you go in general?) There’s more.
And when people got creeped out, they said they may have to rethink how they worded the disclosure.
That’s the company’s solution. Don’t spy on people less, just change the wording so they don’t realize it.
More consumer protection laws will be required.
Still, it should be interesting to see the politicos explain why privacy is such an outmoded concept. Bipartisan Coalition Bill Introduced to Reform NSA Surveillance.
The reforms this bill wants to impose are quite extensive and here is a shortlist of the highlights:
- It would permanently end the flawed phone surveillance program, which secretly scooped up Americans’ telephone records for years.
- It would close loopholes and prohibit secret interpretation of the law, like those that led to unconstitutional warrantless surveillance programs.
- It would prohibit warrantless collection of geolocation information by intelligence agencies.
- It would respond to issues raised by the Inspector General’s office by ensuring independent attorneys, known as amici, have access to all documents, records and proceedings of Foreign Intelligence Surveillance Court, to provide more oversight and transparency.
It’s beginning to feel like we live in the Soviet Union, or East Germany, where the .gov can do pretty much what it wants, and it will destroy anyone who gets in the way.
Whiskey. Tango. Foxtrot. The Future of Texting Is Far Too Easy to Hack: Rich Communication Services promises to be the new standard for texting. Thanks to sloppy implementation, it’s also a security mess.
Can we PLEASE get some secure communications? Aside from Signal, that is. (Look, I love Signal. I wish I could get everyone to use it, but for some reason I can’t.) And in what is essentially 2020 there is no fucking excuse to have insecure communications. We know how to do this.
But when security researchers looked under the hood, they found the way carriers and Google have implemented the protocol creates a basket of worrisome vulnerabilities.
At the Black Hat security conference in London on Tuesday, German security consultancy SRLabs demonstrated a collection of problems in how RCS is implemented by both phone carriers and Google in modern Android phones.
For the love of all things Holy. USE Signal.
Massive surveillance of everything is in the hands of Amazon. What could go wrong? Amazon’s Ring Home Surveillance Network Raises Big Privacy Concerns.
According to Motherboard, police officers can request homeowners’ surveillance footage through Ring. In a statement, Ring said that law enforcement requests must be tied to an active investigation, and though the owner’s consent is required, a warrant isn’t necessary.
Edward Snowden’s privacy concerns are starting to sound less and less like paranoia.
And the terms of service will change over time. You know, that legally binding statement you agreed to when you opened the package. The fine print that no one ever reads, and changes regularly anyway.
What a shock. Google has access to detailed health records on tens of millions of Americans.
Google quietly partnered last year with Ascension—the country’s second-largest health system—and has since gained access to detailed medical records on tens of millions of Americans, according to a November 11 report by The Wall Street Journal.
The endeavor, code-named “Project Nightingale,” has enabled at least 150 Google employees to see patient health information, which includes diagnoses, laboratory test results, hospitalization records, and other data, according to internal documents and the newspaper’s sources. In all, the data amounts to complete medical records, WSJ notes, and contains patient names and birth dates.
So much for protections for privacy.
I usually see this kind of “the year in review” stuff in December. The scariest hacks and vulnerabilities of 2019.
It’s a surprisingly long list. It includes things like a hard-coded password left in a car telemetry app that could make cars vulnerable, F*c*book storing millions of passwords in plaintext on one of their servers, personnel data stolen from the LAPD, Louisiana school districts and Texas cities hit with ransomware, and Simjacker, which could target any phone with a 2G or newer SIM card. Then there were the hacks that cost a lot, like the $95 million hack that hit Demant, a Danish company.
Two months to go.
As if that wasn’t enough. Alexa and Google Home abused to eavesdrop and phish passwords.
By now, the privacy threats posed by Amazon Alexa and Google Home are common knowledge. Workers for both companies routinely listen to audio of users—recordings of which can be kept forever—and the sounds the devices capture can be used in criminal trials.
Now, there’s a new concern: malicious apps developed by third parties and hosted by Amazon or Google.
Privacy is such a 20th Century concept.
Netflix. Roku. Smart-TVs. They are all spying on you. Facebook and Google have ad trackers on your streaming TV, studies find.
Modern TV, coming to you over the Internet instead of through cable or over the air, has a modern problem: all of your Internet-connected streaming devices are watching you back and feeding your data to advertisers. Two independent sets of researchers this week released papers that measure the extent of the surveillance your TV is conducting on you. They also sort out who exactly is benefiting from the massive amounts of consumer data that is taken with or without consumer knowledge.
They just can’t stand the idea that you have any privacy. Or that you think thoughts they don’t approve of, but that’s another story.
This is BEYOND stupid. Buggy GPS Trackers Expose Children’s Real-Time Location.
It seems that corporations haven’t learned a damn thing about security, and people are so excited about convenience they don’t seem to care that it comes at the cost of privacy and/or security.
So when you bought the GPS tracker to keep tabs on your kid, did you think it would make their every move public? Did you think you would be outfitting them with a microphone that anyone on the planet could listen to? Did you think you would get a “really good” system for next to no money?
The security flaws were found in GPS location trackers manufactured by the Shenzhen i365 Tech, with over 600,000 users from countries all over the world and resold under multiple brands on various e-commerce platforms like Amazon or eBay.
The details are at the link, but in short… There is a default password for EVERY tracker, which is “123456”, and the user ID is the serial number. While it is possible to define a more stupid “security model,” it would be hard to come up with one in 2019.
Back in 2017, the European Consumer Organisation (BEUC) also issued a public service announcement warning that most children’s GPS-tracking smartwatches are stuffed to the brim with various security flaws exposing their location or allowing potential attackers to take control of the devices.
Various “children’s tablets” that could be hacked and used for phishing. Trackers. Smart watches. Do you really want to bet your kid’s safety on cheap technology from a company you never heard of, sold by an “Amazon Affiliate” – which is about the equivalent of buying something from a flea market?
This isn’t the first exploit to hit Bluetooth, and it probably won’t be the last. New Attack exploiting serious Bluetooth weakness can intercept sensitive data.
Address book syncing between a car and phone, keystrokes from a keyboard: it isn’t a particular product that is vulnerable, it is the ENTIRE Bluetooth architecture.
KNOB doesn’t require an attacker to have any previously shared secret material or to observe the pairing process of the targeted devices. The exploit is invisible to Bluetooth apps and the operating system they run on, making the attack almost impossible to detect without highly specialized equipment. KNOB also exploits a weakness in the Bluetooth standard itself. That means, in all likelihood, that the vulnerability affects just about every device that’s compliant with the specification. The researchers have simulated the attack on 14 different Bluetooth chips—including those from Broadcom, Apple, and Qualcomm—and found all of them to be vulnerable.
Architectural level problems are the hardest to fix, though several companies have implemented fixes to “mitigate” the issue.
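The weakness KNOB targets is the BR/EDR encryption key-size negotiation, where a peer can propose a smaller key and the other side may simply accept it. The toy model below is an added example, not code from the article or from the SRLabs/KNOB researchers; the `Device` class and the `negotiate` flow are simplified constructions, and the 7-byte floor reflects the post-KNOB Bluetooth SIG recommendation that controllers refuse smaller keys (an assumption stated here, not something the article spells out). It shows the vulnerable acceptor beside the hardened one and how small the resulting key space gets.

```python
# Added toy model of Bluetooth LMP key-size negotiation (constructed for
# illustration; message names follow LMP, everything else is simplified).
from dataclasses import dataclass, field
from typing import List, Optional

MIN_KEY_BYTES = 7  # assumed post-KNOB floor: refuse any key shorter than this


@dataclass
class Device:
    name: str
    max_key_bytes: int = 16
    min_key_bytes: int = 1  # vulnerable default: will accept a 1-byte key
    log: List[str] = field(default_factory=list)

    def accepts(self, size: int) -> bool:
        return self.min_key_bytes <= size <= self.max_key_bytes


def negotiate(initiator: Device, responder: Device, proposals: List[int]) -> Optional[int]:
    """Simplified negotiation: the responder settles on the first proposed size
    it accepts. `proposals` is what arrives at the responder, so a KNOB-style
    in-path attacker is modelled simply by putting a tiny size first.
    Returns the agreed key size in bytes, or None if nothing was accepted."""
    for size in proposals:
        initiator.log.append(f"{initiator.name} -> {responder.name}: LMP_encryption_key_size_req {size}")
        if responder.accepts(size):
            responder.log.append(f"{responder.name} -> {initiator.name}: LMP_accepted ({size} bytes)")
            return size
        responder.log.append(f"{responder.name} -> {initiator.name}: LMP_not_accepted ({size} bytes)")
    return None


def key_space(size_bytes: int) -> int:
    """Number of possible keys for a given negotiated size (8 bits per byte)."""
    return 2 ** (8 * size_bytes)


def vulnerable_outcome() -> Optional[int]:
    # Car accepts anything from 1 byte up: the downgraded proposal wins.
    return negotiate(Device("phone"), Device("car"), [1])


def hardened_outcome() -> Optional[int]:
    # Car enforces the floor: the 1-byte proposal is refused, the honest
    # 16-byte proposal that follows is accepted.
    return negotiate(Device("phone"), Device("car", min_key_bytes=MIN_KEY_BYTES), [1, 16])


if __name__ == "__main__":
    print("vulnerable:", vulnerable_outcome(), "keys:", key_space(vulnerable_outcome()))
    print("hardened:  ", hardened_outcome(), "keys:", key_space(hardened_outcome()))
```

A 1-byte key leaves 256 candidates, which is why the intercepted traffic can be decrypted in real time; the hardened responder never lets the negotiation get there.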
Why aren’t schools doing anything to prepare? (And they’re not.) That would be a better question. Why School Systems? The Rise of Ransomware in Public Schools.
And if you ask the wrong question, any answer that you get won’t result in any useful insights.
Due to their wealth of data and limited budget for cybersecurity staff and training, schools have drawn the eye of hackers. Experts recommend backing up data and investing in cybersecurity training and preparedness.
My personal recommendation is that schools cut back on that “wealth of data” until such time as they have a wealth of “cybersecurity training and preparedness” in place, and deployed to protect it. And even then, they should ask if they really need to have that information online, because while ransomware has been in the news, there have been instances where all the data needed to steal identities was taken out of school systems. That’s a lifetime of having to worry about identity theft for people who are not old enough to drink. (Thanks, Public School Idiots Everywhere, who think you know how much you need to spend on security.) All because some administrator somewhere, with next to no knowledge of the risks, decided that he couldn’t be bothered to look up a kid’s address the 2 times during the year when he needed that information. And how often do school administrators need SSNs? Really? They couldn’t get by 99.999% of the time with an in-house student ID number?
But back to the schools.
“The principal reason is that it’s a relatively easy target to aim for,” he said, explaining that school systems typically suffer from a fairly limited IT staff, older equipment and less-than-optimal cybersecurity expertise.
Then repeat after me. If that statement (limited expertise, limited staff, etc.) applies to your organization, then purge every last bit of data that is not needed, and some that is needed. And it isn’t needed just because you’ve “always collected it.” Schools do NOT need SSNs. Not online they don’t. They don’t need every piece of information for stealing identities in a place where it can be stolen by the lowest-knowledge hacker on the planet. How big is your school? You can’t file a couple of thousand pages of info? (Like home address, and SSN for the one time in 4 years when you MIGHT need it?) Stop pretending that having “everything at your fingertips” is a requirement. It isn’t.
Another instance where people asked the wrong question. What diet leads so many people in this area to live past 100? (Hint: It isn’t diet.)
In this case Canon cameras. Even DSLR cameras are vulnerable to ransomware.
More to the point, why aren’t WiFi enabled interfaces secure?
The hackers (white hat) showed that if a camera had WiFi turned on, and that camera was in range of their WiFi access point, they could encrypt the photos on the camera’s memory card.
Canon issued an advisory telling folks to avoid unsecured WiFi, turn off network functions and install a new security patch.
The issue affects most of Canon’s camera lineup, from the EOS 70D to the mirrorless EOS R. It might not be limited to Canon, either, as Check Point told The Verge that other manufacturers, which use the same PTP protocol, could also be vulnerable. [My emphasis.]
PTP, or Picture Transfer Protocol, is an unauthenticated interface used by a lot of cameras and software.
Could manufacturers of everything please check to see if they have
- any non-secure interfaces
- hard-coded passwords or other backdoors
and get rid of them immediately? Probably not.
So they’re just like every other tech giant. And they did get bad press. Apple suspends Siri response grading in response to privacy concerns.
In response to concerns raised by a Guardian story last week over how recordings of Siri queries are used for quality control, Apple is suspending the program world wide. Apple says it will review the process that it uses, called grading, to determine whether Siri is hearing queries correctly, or being invoked by mistake.
In addition, it will be issuing a software update in the future that will let Siri users choose whether they participate in the grading process or not.
This is similar to the mess Google is in.
Privacy is such a 19th Century concept.