InfoSec privacy links October 23, 2014

How to restore privacy - fix macosx

It appears that Apple's Spotlight app, which helps search for various items, on Mac OS X Yosemite devices sends your search data to Apple. This website will show you how to disable the features that send this information. I went ahead and disabled everything, because I don't use Spotlight. For more information click here. To open Spotlight, simply swipe down on the home screen.

Bahraini Activists Hacked by Their Government Go After UK Spyware Maker - Kim Zetter - WIRED

Not long after the phantom Facebook messages, Ali discovered spyware on his computer—a powerful government surveillance tool called FinFisher made by the UK firm Gamma International. Human rights groups and technologists have long criticized Gamma International and the Italian firm Hacking Team for selling surveillance technology to repressive regimes, who use the tools to target political dissidents and human rights activists. Both companies say they sell their surveillance software only to law enforcement and intelligence agencies but that they won’t sell their software to every government. Gamma has, in fact, denied selling its tool to Bahrain, which has a long history of imprisoning and torturing political dissidents and human rights activists.

More Crypto Wars II - Bruce Schneier - Schneier on Security

I'm not sure why he believes he can have a technological means of access that somehow only works for people of the correct morality with the proper legal documents, but he seems to believe that's possible. As Jeffrey Vagle and Matt Blaze point out, there's no technical difference between Comey's "front door" and a "back door."

This post first appeared on Exploring Information Security.

Google offers new two-factor authentication option

You Can Now Protect Your Google Accounts With a Physical Key - Eric Limer - GIZMODO

I've never had a problem with how Google's two-factor authentication works. There are two options: receive a text message with the two-factor code, or install an app that syncs with the Google account. Both methods are fairly easy to use and add a significant amount of security to Google accounts. Now, though, it appears there is a third option, which includes hardware. The hardware will have to be purchased and then enabled for a Google account, but it makes it much easier to interact with a Google account via Chrome or Chrome OS.

I'm a little concerned about the fact that it's a hardware option, because it could be lost or stolen. I imagine that you can disassociate the device from the account if it's lost, but if it's used sparingly there could be a large period of time between losing the device and discovering the loss. And if someone steals the device and happens to have the password to my account, it seems like it would be much easier for them to get into my account with hardware that's supposed to make it more convenient for me to log in. Sure, my phone can be lost or stolen, but I'll know about it pretty quickly, and it does have a lock on it. And yes, my phone passcode could be cracked, but it is adding another barrier to someone getting into my account vs. a piece of hardware that's triggered by the push of a button. That's not to say that I think this option is bad; it's just that I don't find the current process all that annoying. Regardless, I think a third option is a good thing, because more options for security are a very good thing.


InfoSec links August 26, 2014

Father of PGP encryption: Telcos need to get out of bed with governments - Sean Gallagher - Ars Technica

Doing business with US government customers generally requires the use of National Institute of Standards and Technology (NIST) standards for encryption. But by default, Zimmermann said, Silent Circle uses an alternative set of encryption tools.

“It wasn’t because there was anything actually wrong with the NIST algorithms,” Zimmermann explained. “After the Snowden revelations, we felt a bit resentful that NIST had cooperated with the NSA.”

Edward Snowden: The most wanted man in the world - James Bamford - Wired

Despite being the subject of a worldwide manhunt, Snowden seems relaxed and upbeat as we drink Cokes and tear away at a giant room-service pepperoni pizza. His 31st birthday is a few days away. Snowden still holds out hope that he will someday be allowed to return to the US. “I told the government I’d volunteer for prison, as long as it served the right purpose,” he says. “I care more about the country than what happens to me. But we can’t allow the law to become a political weapon or agree to scare people away from standing up for their rights, no matter how good the deal. I’m not going to be part of that.”

Why So Many Card Breaches? A Q&A - Brian Krebs - Krebs on Security

Today’s post includes no special insight into this particular retail breach, but rather seeks to offer answers to some common questions regarding why we keep hearing about them.


AddThis, the White House, and Privacy Badger

White House Website Includes Unique Non-Cookie Tracker, Conflicts With Privacy Policy - Peter Eckersley - Electronic Frontier Foundation

The company AddThis has been playing around with a replacement for cookies. The idea is that each computer handles browser traffic slightly differently, so give it a pen and paper and let it draw a visualization of what that looks like. A cool idea, but it essentially means AddThis is fingerprinting all computers for tracking purposes. Not a good thing for privacy, and apparently the White House dot gov is one of many sites running this newfangled voodoo from AddThis. There is a way to mitigate this, though, and it comes in the form of EFF’s recently released browser extension, Privacy Badger.

The extension is easy to install. Simply go to this site and click on the link for your browser. Accept the installation of the extension. Once the extension has been installed, a badger icon will appear in the top right corner of the browser and a page will open explaining what the different indicators mean.

  • Green means you’re not being tracked.

  • Yellow means the site is tracking you, but it is on a whitelist. The cookie in question may be needed to view the page properly.

  • Red means the content has been disallowed.

Clicking on the extension icon will open up a panel with the list of domains that are being either blocked or allowed. You can change the setting for a domain by sliding the bar left or right.

The extension is really easy to install and use and improves your privacy while surfing the internet. I’ve been using it for a little while now and I haven’t noticed any significant performance issues. I have noticed that I am no longer creeped out by ads that display services or equipment from email conversations with other people.

Another extension I highly recommend is NoScript for Firefox. According to Bruce Schneier, it appears that this extension will block most of this stuff as well. NoScript requires a little more involvement, as it blocks everything by default and you have to decide what to allow, but it is one of the easiest things you can do to improve your own personal security as you browse the internet.

If you have anything further to add or other suggestions for safe browsing, leave a comment below.


Public infosec links July 21, 2014

How to remove your house from Google Street View - Graham Cluley - welivesecurity

Google is mapping the world, which does come with privacy concerns. However, there is a way for someone to request that their home be blurred on Google Maps street view.

The Rise of Thin, Mini and Insert Skimmers - Brian Krebs - Krebs on Security

There are devices that can be attached to an ATM that can grab your credit card information and PIN. The stuff is meant to look like it’s part of the ATM. If you can wiggle something loose at an ATM, it’s probably not meant to be there. Look for anything that appears to be out of place on an ATM.

Beware Keyloggers at Hotel Business Centers - Brian Krebs - Krebs on Security

Malware on a public machine is not all that surprising. Using a public computer for personal accounts is never a good idea. I would recommend avoiding public computers altogether, but if you must, I would be very careful what information you access on that machine.


Bruce Schneier infosec inception links July 8, 2014

Could Keith Alexander's Advice Possibly Be Worth $600K a Month? - Bruce Schneier - Schneier on Security

What does being the head of the National Security Agency (NSA) get you in retirement? A 600K asking price for security advice. And probably for good reason. Think of all the classified knowledge he has that could help an organization become secure.

NSA Targets the Privacy-Conscious for Surveillance - Bruce Schneier - Schneier on Security

If you use Tor, Tails or other privacy/anonymous types of sites and tools (or read BoingBoing), you’re likely being targeted for monitoring by the NSA.

NSA Employee Flees to Hong Kong -- You won't Believe What Happens Next - Bruce Schneier - Schneier on Security

Another batch of NSA documents has hit the media:

90% of the individuals eavesdropped on were not the targets of the surveillance.

What does the NSA do with the data once they’ve determined it’s unnecessary? Keep it.


InfoSec links June 19, 2014

iOS 8 to stymie trackers and marketers with MAC address randomization - Lee Hutchinson - ars technica

The good: MAC address randomization when looking for a WiFi sounds fantastic.

The bad: This looks like a business move, which forces companies to use iBeacon. iBeacon (or as I like to call it, iBacon) is a "location-based service that can be used to track users and issue alerts (or ads) to iOS device." Essentially, it's a business move for Apple.

Why the iOS 'Limit Ad Tracking' setting is more important than ever - Jason D. O'Grady - ZDNet

In my search for more information on MAC address randomization, I discovered the setting in the above link. The setting is believed to add a little more privacy to your iOS devices.

Designers create a Faraday-cage cloak to foil NSA, other spies - Casey Johnston - ars technica

I love this. Not only because it's privacy clothing, but because I would be a hat and a staff away from looking like a wizard. On a more serious note, this is awesome because it's one step closer to feasible clothing that protects your privacy.


InfoSec links May 28, 2014

Fitness apps are a "privacy nightmare," shedding personal data to the highest bidder - Lisa Vaas - Naked Security

Information can be a powerful thing. Fitness apps can give you detailed information about your training that allows you to structure workouts better, but you might not be the only one getting that information. You're also giving that information to the apps, and then the question becomes what they are doing with that information. Information is a powerful, and profitable, thing.

Comey: FBI 'Grappling' With Hiring Policy Concerning Marijuana - Charles Levinson - The Wall Street Journal

The FBI needs smart and talented people to help battle the ever-increasing population of cyber criminals. The problem for the FBI is that due to their drug policy they eliminate a large pool of those smart and talented people. FBI Director James Comey has recognized this and is looking at possibly changing some of the FBI's policy regarding marijuana use.

Worst Day for eBay, Multiple Flaws leave Millions of Users vulnerable to Hackers - Mohit Kumar - The Hacker News

eBay has had a rough go of it recently (if you have an eBay account and have no idea what I'm talking about, you might want to go change your eBay account password, immediately). They've not only bungled the handling of their breach, but apparently there are still a few vulnerabilities live that could still get their systems compromised. This article is from Friday, May 23, 2014, so the vulnerabilities may have been fixed by now.
