A couple days ago, I posted comments about the tension between the need for reliable and totally secure encryption and the need for law enforcement to be able to access messages with the goal of finding terrorists before they act. See Privacy in the Wake of the Paris Attacks.
An article in today’s Boston Globe entitled In the age of ISIS, privacy still matters by Hiawatha Bray reminded me about a crucial element that needs to be considered in this discourse: Even if the US and/or other western countries require encryption “back doors” in technology going forward, there is plenty of opportunity for terrorists and criminals to acquire and use secure communication apps that will not support such back doors.
This is no different than the problems of regulating criminal activity on-line. As long as the technology is developed in another country, it can’t be effectively regulated in the US.
In the rush to provide a very real but elusive law enforcement capability, the end result will certainly have a significant adverse impact on our nation’s on-line and computer leadership, as well as on your data’s security and privacy.
Like the vast numbers of people around the globe, I’m appalled and saddened by the events of November 13, 2015 in Paris. I feel for the families as well as Western culture which, like 9-11, has taken a huge hit.
Which brings me to the issue of private and secure communication and data. A number of commentators in the US have been railing against commercial apps that offer unbreakable encryption for communication that likely were the methods that the terrorists used to communicate between themselves. Regardless of which side you fall on regarding privacy against governmental snooping, having no way to intercept terrorists’ messages that lead to an event like Paris is a legitimate problem.
Vendors like Apple have listened to the concerns of their customers (post the Snowden revelations) and have provided very powerful encryption on certain communications and data for which the decryption keys are kept on the user’s device not on the server side. This is a huge advance, since even a hacker breach of the vendor’s servers will not compromise the encrypted data. For example, did you know that iMessage on iOS and MacOS is securely encrypted in this manner? (See the TechCrunch article for more information.) Same with Keychain on MacOS. Without this level of security, Cloud services are simply too porous to store extremely sensitive data. However, since the vendors do not have access to the keys, they can’t provide them to law enforcement.
The Paris attacks demonstrate the rub: Preventing legitimate, lawful access by law enforcement (including the NSA) to private communications and data is important to help prevent or at least anticipate attacks like we saw in Paris. It’s really problematic that the French authorities didn’t see it coming.
As readers of this blog are aware, I’m less concerned about governmental agencies in the US spying on me. In some other countries, I’d be much more concerned about this. What I am concerned about is the amount of data being collected about me (and others) in the name of commerce in conjunction with the apparent lack of adequate safeguards on my data by various entities (both governmental and private). I do not trust that my communications and data will not be released into the wild. For some stuff, that’s fine. However, for other stuff, it’s a huge problem that has been largely mitigated by secure encryption that permits me to hang onto the keys.
So, what to do?
There’s going to be renewed debate whether governmental agencies, with appropriate safeguards, will be able to have a backdoor into your private communication and data. This time, the momentum will be much more in favor of it. I welcome the discourse. In my opinion, we need to solve this issue and soon. On the surface, governmental access vs. private and secure data appear to be mutually exclusive goals. I’m hoping we can come up with a reasonable compromise that satisfies both needs.
However, we all need to be diligent to ensure that lawmakers and others don’t gut the safeguards that currently exist.
Vive la France!
November 19th Update: I neglected a crucial element in the discussion of this issue. It turns out that there are other ways to get encrypted apps, even if the US government mandates some form of back-door. The end result is no real benefit, while potentially allowing your data’s security and privacy to get into the wild. Please read Update on the encryption issue post the Paris attacks for more on this.
I’d like to approach a topic which might not exactly be part of the purview of this blog but it is related and that’s skimmer fraud. Most likely, you’ll run into skimmers at ATMs and at exposed point-of-sale terminals like those on gas pumps.
So, what’s a skimmer?
It’s a device that attaches to the credit card slot of an ATM or point-of-sale terminal to make a copy or “skim” the data from your credit card’s magnetic strip as you swipe or insert the card. It’s frequently coupled with a device to copy your PIN when you enter it, either with a faux-keypad that lies on top of the real keypad or a discreet camera to watch you enter the PIN from above.
There is an interesting article in this week’s New York Times: Why ‘Smart’ Objects May Be a Dumb Idea. In it, the author, Zeynep Tufekci, notes that with the rapid proliferation of smart things, enough hasn’t been done to secure them from hacking. There have been several examples recently of cars being hacked to demonstrate the dangers.
Though I’ve written about the Internet of Things in the past, specifically around the Nest thermostat, I’ve been surprised to hear how many items have been getting connectivity. Some items make sense: door locks, thermostats, lamps, televisions, automobiles. Others are a little surprising, like light bulbs, refrigerators and ovens. Yet more are frightening, like rifles.
The problem that they all share is how to keep them secure against hacking. At the most benign, hacking them can undermine privacy, even if it’s not clear why. Take Nest thermostats. Hacking into a Nest user’s account will show whether there is anyone at home. Whether at home or away, a fair amount of mischief is possible exercising control of the thermostat. On the other end of the spectrum, the threat of someone controlling your car is terrifying!
The general concern in the security community is that the various manufacturers are not implementing holistic security practices. Rather, they are reactively fixing discovered issues, but are not properly looking for and proactively fixing security weaknesses before they become identified by a third-party or worse, become exploitable “in the wild.” A perfect example is the auto hacking. Why has there not been a firewall between the Wi-Fi capability and the computers operating the car itself? That would be easy to do, with no loss of functionality, yet the manufacturers apparently didn’t see the need.
As a result, I’m personally slow rolling on the Internet of Things. Yes, I have a smart TV and the Nests, but I’m not running out to purchase smart door locks, nor does my TV have a camera or microphone. Though one of our cars has Wi-Fi, we don’t really need it, so I’ve disabled it for now; the risk is currently not worth the reward.
Fortunately, the car hacks that the media has been yelling about of late were performed in laboratory conditions, which is to say that to hack the car, the researchers needed access to the vehicle at some point to be able to retrieve the data required to get remote access to the vehicle. As a result, we’ve not yet seen any incidents in the wild.
What should you do? Like everything on-line these days, you need to evaluate the value you get with smart devices and weigh that against the risks posed. As always, do not take the enhanced capabilities at face value or worse do it because it’s cool. The good news is that we’ve not yet seen widespread hacking of appliances and other “things”. That said, it’s probably a matter of time before it happens.
As readers of this blog know, I run Windows in a virtual machine (VM) on one of my Macs. Though I can do most everything on the Mac, there are a few apps that I depend upon that do not run on the Mac so I run them on Windows. Also, I test various topics for this blog on both Windows and Linux VMs.
Before performing any change as major as upgrading your operating system, you should do a couple things:
- Ensure that your applications and devices are compatible. Check Microsoft’s Compatibility Center. I found the site to be helpful, but didn’t find everything I run on my Windows box, so I also needed to check with various app vendors.
- Back up your system! Let me say it again (with emphasis): BACK UP YOUR SYSTEM! Upgrades typically work fine, but they can go south and put you into a world of hurt if you’ve not backed up. See my post on Systematic Backups for more information. BTW: If you’re running in a virtual environment, simply take a Snapshot, which will permit you to easily recover your system to a pre-upgrade state.
- Finally, be aware of a new feature that has serious security implications: Wi-Fi Sense.
Now that Windows 10 is available for upgrade, there is a new feature that you should know about prior to upgrading your system to Windows 10.
The new feature is called Wi-Fi Sense. Wi-Fi Sense allows you to share your Wi-Fi network credentials with friends and family without explicitly giving them the credentials. When enabled, Wi-Fi Sense copies your credentials into the Microsoft Cloud, where anyone on your Outlook, Skype or Facebook friends list can automatically connect with your Wi-Fi network when within range. It’s an interesting feature but personally, I think the security concerns far outweigh the benefits.
It comes enabled by default, but it can be disabled. My concern is whether it saves your credentials prior to you explicitly disabling it. By that I mean, if you disable it after you upgrade, it appears that the credentials have already been stored by Microsoft and there is no indication that they will be deleted from their servers. Given the current security climate, I’d be a little uncomfortable with this.
If you tend to give your friends and family credentials (as opposed to maintaining a “guest” Wi-Fi account) liberally, then this could be a more secure method since you don’t need to provide the actual password in unencrypted form.
The only way to securely opt out of this feature for your network is to rename it, adding the string “_optout” to the SSID. This is really inconvenient and totally unnecessary. However, for now, this is the only method to ensure that your Wi-Fi credentials are not compromised.
For more information, see the following articles:
- Brian Krebs – Windows 10 Shares Your Wi-Fi With Contacts
- Ars Technica – Wi-Fi Sense in Windows 10: Yes, it shares your passkeys; no, you shouldn’t be scared
It will be interesting to see how this develops over the next few weeks. As always, unless the upgrade is needed, it’s a good idea to delay upgrading to a major new release until things settle out. Also, a reminder to check to see if your favorite applications are supported by Windows 10.
Are your pictures, financial data, letters, music, videos and other critical data protected?
- Is it protected if your disk drive dies?
- Is it protected if your computer is stolen?
- What about if there is a fire at home that destroys everything?
- If you corrupt a file?
- Is the data changed or added within the last 24 hours protected? The last hour? Or was the last backup a week ago?
If your answer is no, or sorta or something other than a definitive YES, then you need to address backups. There is no excuse not to have reliable and automated backups.
Recently, I watched one of my favorite mini-series, Band of Brothers, which describes the (mostly) real exploits of the 101st Airborne Division during WWII. There’s a funny scene (and funny scenes were in short supply) in the film where during a training mission, one of the characters pretended to be a general, yelling a command from behind a bush to the officer in charge of the platoon. This particular officer, Captain Sobel, was distrusted by the men and his acting on the prank command helped undermine Sobel’s reputation with Command.
I thought about this episode, when I read the Krebs on Security post entitled Spoofing the Boss Turns Thieves a Tidy Profit. In this post, Brian Krebs describes an administrator by the name of Judy, who received an email from her boss to wire $315,000 to a supplier ASAP. Though she started the process, she was bothered by the “tone” of the email, went back and examined the message and determined that it wasn’t from her boss. It turns out that someone had created a domain name that was one character different from the company’s domain name. It looked OK, until examined more thoroughly. Fortunately, she was able to pull back the wire transfer, no harm, no foul.
In this case, the goal was a wire transfer. The more common reason is a phishing attempt. Periodically, I’m sure you’ve seen an email from a friend that says something like: “Check this out!” and gives a URL. You click on the URL contained within the bogus message and end up with malware on your computer. This is the way many of the major corporate security lapses begin, by someone acting on a bogus email message.
Vigilance and good policies can help reduce the impact of these false emails. Judy’s life would have been much easier if she’d called the sender to get verbal confirmation of the wire request. Many companies are adding verification steps to the process of issuing payment.
For the individual, always take a second look at every email that asks you to do something, particularly clicking a URL. Is the tone consistent with the sender? Is the sender’s email address correct? For an email from a “corporation” (e.g. American Express), is the URL correct? Frequently, it will look OK, but the underlying address itself is wrong … hover over the URL for the real address.
Finally, always enter URL addresses by hand. Do not activate them from the email.
Over the past few years, there has been a continuing barrage of calls from people claiming to be from Microsoft offering to “fix” the malware that they’ve detected on my and likely your computer. At my house, I’ve gone through periods where I’ve received several of these calls in a single evening. What’s unsettling is that the callers know your name and possibly other details about you, including your spouse’s name and home address.
Everyone who reads The Family HelpDesk missives knows that these calls are fake and should ignore them, as the goal is to get onto your computer and using a variety of methods, find ways to separate you from your money. For details on this scam, see the Snopes article entitled: Microsoft Impersonation Scam.
Unfortunately, this scam has taken a dark turn. Reports are coming in that callers are now threatening people who don’t sign up for the service. I’ve heard (from a local police department) that at least one caller was threatened to be killed when she declined the service.
Every once in a while, a warning will pop up that says something like:
The site does not have a security certificate that is trusted!
The site has an expired security certificate!
with the options to proceed to the site or back away. Many (most?) of us simply click through to the site, assuming this was caused by an administrative problem, which will not impact us. After all, we’ve been doing it forever and nothing bad has happened, right?
Unfortunately, this can be a bad decision, with ramifications that you might not understand for quite a while.