The Shodan Search Engine IS a Bit Scary


But it may be indicative of the lurking loss of privacy and security we seem to freely exchange for the convenience of connectivity.

There are search engines out there specializing in all sorts of online information. I have highlighted some here, for example search tools that delve into the deep web. Shodan is different. Shodan searches for devices connected to the Web. Like servers. Printers. Routers. Webcams. Security cameras. Control systems for water parks. Really? Yup, really. And it can see what is secured out there and what is unsecured. From a CNN Money article that ran the rounds yesterday:

A quick search for “default password” reveals countless printers, servers and system control devices that use “admin” as their user name and “1234” as their password. Many more connected systems require no credentials at all — all you need is a Web browser to connect to them.

Search parameters include location by city or county, latitude or longitude. Or search by hostname, operating system or IP address. It also allows you to export your search results by XML, so you can take it with you, with the IP and physical location associated with the result. And, if you don’t want to do the heavy lifting, let some other hackers users do the work for you with shared searches.


Even scarier, use Shodan Exploits to search for known vulnerabilities and exploits lurking out there.

I can hear you now – “Oh.Em.Gee. How long has this been out there?” Three years. When you search one of their shared searches for, say, video web servers, you will see results from 2010 forward. Shodan is celebrating its three year anniversary with a decent flurry of press activity. Great. Now more hackers users will know about this means of tapping stuff.

I totally understand that being forewarned is to be forearmed, and that the principal purpose of this is to enhance security rather than shake up that fragile concept, but my pessimistic self can’t help but consider all the nefarious uses such a tool could promote. It is all great if device owners take heed and actually start securing these devices. FWIW, SHODAN (Sentient Hyper-Optimized Data Access Network) apparently is a name used for a fictional AI antagonist in the cyberpunk action role-playing video games System Shock and System Shock 2. Take from that what you may/will.

Shodan invites you to register using your social logins, but I had no problem running some searches without registering. Check it out. And be chilled.

Apple UDID Breach & You

So maybe you have heard about the Great Unique Device ID breach of 2012 – a hacker group has claimed that it has pulled 12 million device IDs and personal information associated with Apple iDevice users. Scary stuff. The info was grabbed from the laptop of an FBI agent using that Java exploit that was in the news earlier this year. Double Yow.

Alone, the UDID – that 40 character string associated with your device – presents little risk. When coupled with other data, there are heightened risks of identity theft and social engineering.

You can check your status, to an extent, by entering your UDID into a tool provided by LastPass that will compare it to the leaked list. To get the ID, plug your device into your computer, open iTunes, and click on the device in the left bar. Click on the serial number and the UDID will appear. Then navigate to the LastPass tool here. This will check your ID against the 1 million that were leaked by the hackers. Unfortunately, it doesn’t check the remaining 11 million not yet disclosed.

There isn’t a fix for a leaked ID short of a brand new phone. All you can do is monitor your credit for unusual activity. And hope for the best.

Are You Safe & Secure On The Web?

Following my class at Solo Practice University on the changes to Google’s privacy policies and terms of service, I have found myself in a lot of conversations about web privacy generally. It pays to spend some time thinking about actions and consequences on the Web. So I thought I would discuss some tips here about staying as safe as possible in the virtual wilds of the World Wide Web.

 

First, consider your browser. The big three: Chrome, Firefox and Internet Explorer. Oh, and Safari too. ;)

 

Chrome comes with security settings enabled by default. These protections include malware and phishing notifications – it will warn if it detects malicious content on sites you may be visiting. Chrome can be adjusted to permit or refuse cookies, JavaScript, pop-ups, plug-ins, images, and location sharing. You also can manage SSL settings and certificates. When a site supports SSL, Chrome will encrypt the data it exchanges with that site. Settings can be found by clicking the wrench in the upper right corner of the tool bar. Click on options, then “Under the hood” and find the setting you wish to tweak.

 

IE has a “SmartScreen filter” and several security settings enabled by default. It can identify impostor web sites designed to capture sensitive data. When loading files, it will flash high warnings for risky files, but allow loading of reputable or well known files. It will also alert you of potential harm before permitting software to enter your computer. Simply click on the “Safety” button in Internet Explorer, then “SmartScreen filter” and select it.

 

Firefox has its Favicon in the URL bar – hover and it will give an overview of whether a site is safe or not. Click it and you will get more information such as whether passwords are saved and number of visits. Firefox also warns against Trojans and other malware. Firefox maintains a list of phony phishing sites that are updated daily. It integrates with your antivirus software. To get into your Firefox settings, click on “Tools”, then “Options,” then “Security”.

 

Macs are often considered to be “safe” from such unwanted intrusions. But there have been instances of Mac-borne viruses, so it is worth getting familiar with your Safari security settings. Unclick the “open safe files after downloading” box in the General settings. Go into “Preferences” then “Security” and check the “Warn when visiting a fraudulent website” checkbox. Safari will then advise when you are about to visit a website that has been reported as fraudulent or distributes malware.

 

On any browser, look for the “lock” icon and “https” in the URL bar. This indicates that the connection to the site is encrypted, which protects your information in transit between your browser and that site.

 

Another concept that comes up frequently in web browsing is anonymous browsing through the use of proxy servers. Anonymous web browsing is browsing the Web without revealing your IP address or any other personally identifiable information to the websites that you are visiting. A proxy server is a server that serves as the “middleman” between your local request for action and the response from a server somewhere else. The request can be for a file, a connection, a web page or some other Web resource residing on another server. Many people use anonymous proxy servers to mask their identity while browsing. While there are certainly nefarious reasons for doing so, it is a technique that can also be used to protect your privacy and disconnect you from search history. VPN (“virtual private network”) servers also allow anonymous browsing, and are often used within the enterprise to protect against infiltration by unwanted intruders or protect against the dissemination of sensitive information.

 

Worried about tracking cookies? There are ways to deal with those right within your browser. In IE, go to Control Panel, Internet Options, Privacy, and either choose the slider preset that blocks third-party cookies, or go into Advanced, Override automatic cookie handling, and then check Block under ‘Third-party cookies’. In Safari, go to Edit, Preferences, Privacy, and set ‘Block cookies’ to “From third parties and advertisers.” In Firefox, click on Options, Privacy, select “Use Custom Settings for History” from the drop-down menu and uncheck “Accept third-party cookies.” In Chrome, head to Options, then “Under the Hood,” then “Content Settings” in which you will check “Block third-party cookies From Being Set.” You also can deal with these within Google’s Ad Preference manager here or on a grander scale via the Opt Out From Online Behavior tool here.
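What “third-party cookie” actually means is that the cookie is set by a host whose site differs from the site of the page you are viewing. The following Python snippet is an added illustration, not code from the original post or from any browser vendor: it classifies cookies from a constructed page load as first- or third-party and simulates the “block third-party cookies” setting. The page URL and the cookie-setting hosts are made-up sample values, and the domain comparison is deliberately simplified (real browsers consult the Public Suffix List so that, for example, co.uk is not treated as a site).

```python
from urllib.parse import urlparse

# Constructed sample data (not real sites): the page being viewed and the
# hosts that tried to set a cookie while that page loaded.
PAGE_URL = "https://www.example-news.test/story/123"
COOKIE_SETTERS = [
    ("www.example-news.test", "session=abc123"),   # the site itself
    ("cdn.example-news.test", "cache=1"),          # same site, other host
    ("ads.tracker-example.test", "uid=deadbeef"),  # advertiser: third party
    ("www.social-example.test", "lsd=xyz"),        # social widget: third party
]


def registrable_domain(host):
    """Return the 'site' part of a hostname, simplified to its last two labels.

    Assumption: this ignores the Public Suffix List that browsers use, so it is
    only correct for simple two-label domains such as example.test.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify_cookies(page_url, setters):
    """Split cookies into first-party (same site as the page) and third-party."""
    page_site = registrable_domain(urlparse(page_url).hostname)
    result = {"first_party": [], "third_party": []}
    for host, cookie in setters:
        bucket = "first_party" if registrable_domain(host) == page_site else "third_party"
        result[bucket].append((host, cookie))
    return result


def cookies_stored_with_block_third_party(page_url, setters):
    """Simulate the browser setting described above: third-party cookies are
    never stored, so only the first-party ones survive the page load."""
    return classify_cookies(page_url, setters)["first_party"]


if __name__ == "__main__":
    classified = classify_cookies(PAGE_URL, COOKIE_SETTERS)
    for bucket, items in classified.items():
        print(bucket)
        for host, cookie in items:
            print("   ", host, "->", cookie)
    print("stored with blocking on:", cookies_stored_with_block_third_party(PAGE_URL, COOKIE_SETTERS))
```

Run it and the two tracker hosts land in the third-party bucket while the site’s own hosts survive, which is exactly the split the browser settings above make for you.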

 

Finally, there are tools to help you boost your security level on the Web. While the browsers all have some form of “incognito” mode, Cocoon is an extension for Firefox and IE, as well as a mobile version, that blocks both cookies and IP addresses by routing your page requests through their servers. It has built in virus scanning tools and provides a disposable email address creator, keeping the spam out of your main email inbox, as well as a handy “notes” feature – jot down notes on any web page and view them from your history. Very nice.

 

To access your browser’s incognito mode, do the following. In IE 9, InPrivate Browsing can be found with a Ctrl-Shift-P, Chrome’s Incognito Mode can be accessed with a Ctrl-Shift-N, Firefox’s Private Browsing mode is set with Ctrl-Shift-P, and Safari can too, with Private Browsing selectable from the Edit menu.

 

If you don’t like so much social in your browsing, consider Antisocial for Chrome and ShareMeNot for Firefox. These will interfere with sharing buttons across the Web, such as Facebook’s “Like” and Google’s “+1”. Whether by preventing them from loading or by keeping them from reporting back to the social juggernaut whence they spawn, these extensions prevent tracking and keep your browsing and your social separate. Of course, you can log out of your social networks when you are done with them to keep sharing activity to a minimum as well.

 

Finally, although it doesn’t work on every site, HTTPS Everywhere will help enable HTTPS on sites that allow for it. When the site is HTTPS enabled, this extension will activate the HTTPS connection to encrypt your communication with those websites. Available in Firefox and Chrome flavors. Brought to you by the fine folks at the Electronic Frontier Foundation.

 

Use as many or as few of these tips to meet your comfort level on the Web. Remember to read privacy policies and terms of service on any of the sites on which you may want to spend time. Make sure you maintain control over your own information and web experience. Because if you don’t, who will?

The Cloud: A Foul Play?

Whether or not to use the Cloud in your legal practice: that is the question. To be, or not to be, in the Cloud depends heavily on the ethical rules that guide our profession. Not surprisingly, those ethics commissions are having just as much difficulty grappling with the question as are the ordinary practitioners faced with the attractive option of SaaS and cloud products. Is there an ethical trap inherent in the use of these tools, just waiting to be sprung?

Fortunately, the ABA Commission on Ethics is striving to be realistic in its approach to the use of cloud computing and possible violation of client confidentiality. The Commission has drafted a proposal to assist lawyers in making decisions regarding cloud services. 

The gist of the proposal, as well as the gist of the ethics opinions rendered by state bar associations, is that a lawyer need take “reasonable” steps to ensure client confidentiality and that this same standard applies to use of the cloud to transmit client data. Some opinions also combine the concept of flexibility with reasonableness, clearly a nod to the “ever-changing nature” of technology. Protection level may be adjusted based on the client’s needs and nature of the information involved. And, rightly so, the onus should be on the lawyer to establish that he or she acted reasonably with respect to the use of technology for storage, manipulation and transfer of data. This includes a showing that the lawyer acted diligently by, for example, analyzing terms of service, privacy policies, security features and actively took the steps necessary to ensure the greatest level of protection available. This does not necessarily require a complete refusal to use anything cloud in support of your practice.

Take a look at some of the reported ethics opinions. From these, you should be able to get a sense of what is required of you when you opt to look skyward for technological assistance. And remember, just because it comes from the cloud doesn’t necessarily mean that something wicked this way comes.

Cavalier Attitudes About Mobile Phone Security

We are all going mobile. And, generally speaking, that isn’t such a bad thing. To have a tool the approximate size of a deck of cards with you at all times that can manage your business and personal affairs over the “air” is a compelling sell indeed. However, along with the obvious benefits, there are certainly drawbacks, with security or lack thereof being not the least among them. In many respects, the lack of security does stand to some reason. What is far more troubling, however, is the general lack of awareness among mobile phone users regarding the risks associated with such “always on” connectedness.

BeSpacific blog highlighted a March 11, 2011 report by the Ponemon Institute, a group focused on security issues, on the findings from a survey of 734 U.S. mobile phone consumers over the age of 18. Ponemon was trying to get at two pieces of information: are consumers aware of the risks; and, do consumers care about the risks? The results, culled from their answers, are a tad shocking.

Ponemon reports that the key finding from their research is that users are unaware of the type and extent of security risks associated with mobile phone use and are not terribly concerned about them. Users are far more concerned with security on their laptop or desktop computers than they are with respect to their mobile phones. They are also far more concerned that a marketer will try to contact them over their phone than they are about weak links in the security chain. A sizeable percentage store sensitive data on their phones, but over 50% of users have not enabled the basic security of a keypad lock or password protection. And a 57% majority report that security is not an important feature on their phone at all. Nearly half of consumers are unconcerned about transferring a device to another person without properly wiping the phone’s data. Most are unaware of being “tracked” while using their phones or the lessened security that accompanies jailbreaking a device. Less than half are concerned about insecure wi-fi to phone connections. Only about half are aware of and less than half are concerned about “cross-over” – security of business information jeopardized by personal use of a device. And, it appears, a large percentage of smartphone use is mixed business and personal, with employers paying some or all of the bill.

Now, I am sure that Studio readers are well aware of the risks associated with mobile smartphone use and have implemented security measures to prevent against harm. But, as a public service, I list below the security scenarios addressed in the report. Maybe there is one you overlooked, who knows? But, knowledge being power and all, this is one arena in which ignorance is definitely not bliss.

1.   Location data embedded in image files can result in tracking of the smartphone user.

2.   Smartphone apps can transmit confidential payment information (i.e. credit card details).

3.   Smartphones can be infected by specialized malware called “dialerware” that enables criminals to make use of premium services or numbers resulting in unexpected monthly charges.

4.   Smartphone apps may contain spyware that allows criminals to access the private information contained on a smartphone.

5.   Financial apps for smartphones can be infected with specialized malware designed to steal credit card numbers and online banking credentials.

6.   If a social network app is downloaded on a smartphone, failing to log off properly could allow an imposter to post malicious details or change personal settings without the user’s knowledge.

7.   A smartphone can be disposed of or transferred to another user without properly removing sensitive data, allowing an intruder to access private data on the device.

8.   In many cases, people use their smartphone for both business and personal usage, thus putting confidential business information at risk (a/k/a cross-over risk).

9.   A smartphone can connect to the Internet through a local Wi-Fi network that is insecure. This may result in a virus attack on the smartphone.

10.   Smartphones contain basic security protections that can be disabled by jailbreaking, thus, making the smartphone more vulnerable to spyware or malware attacks.

11.   Smartphone users can be targeted by marketers based on how the phone is used for purchases, Internet browsing and location. As a result, the user may receive unwanted marketing ads and promotions on their smartphone.

Microsoft Seeking Stronger Laws Regarding Cloud Computing

No doubt spurred in part by the ongoing federal FCC/ FTC hearings on bringing the internet into the 21st century and dealing with security gaps in the cloud, Microsoft put in its request to Congress and state governments to firm up the legal framework for ensuring stratospheric privacy and protection. Microsoft’s General Counsel Brad Smith addressed attendees on these issues at a keynote at the Brookings Institute on January 19, 2010.

Microsoft identified the primary concerns as privacy, security, transparency, and international sovereignty, the latter being a major issue in connection with storage server locations that know no boundaries. Transparency means that consumers and businesses should know whether and how their information will be accessed and used by service providers and how it will be protected online.

Smith is justifiably concerned with privacy protections and the fact that laws currently on the books do not take into account the heightened risk and the broader ramifications of hacking in the cloud. Smith proposed a new law, which he dubbed the Cloud Computing Advancement Act, and urged the revamping of an existing law, the Electronic Communications Privacy Act, in order to address the spectrum of risks. He also proposed stronger sanctions under the Computer Fraud and Abuse Act: currently, cloud hackers face the same penalties as hackers that attack an individual PC.

I see mass movement into the cloud and, as a techie, I understand the value of it. As attorneys, however, it pays to be aware of what our current technology can ensure with respect to privacy and security, be versed on the scope of the laws supporting cloud integrity, and choose cloud services accordingly. Lawyers, of course, have heightened responsibility with respect to privacy, security, and privilege. Perhaps this is one area of technology in which lawyers can afford to be slightly behind the curve – right behind security developments.

Hat tip to eWeek. For further reading on the topic, check out these articles:

The ABC’s of Cloud Based Practice Tools

Seeding the Clouds: Key Infrastructure Elements of Cloud Computing

A Pragmatic and Effective Approach to Cloud Computing — Real Benefits From the

IBM Perspective on Cloud Computing

HIPAA and Beyond: Meeting New Healthcare Security Requirements for Email

Making A Federal Case Over Cloud Computing

Something got Goliath’s attention. The Federal Trade Commission has gotten involved in an inquiry before the Federal Communications Commission into security and privacy issues surrounding cloud computing that may have wide-reaching ramifications for enterprise and business use of the Web and SaaS.

It all began with the realization that our national broadband access was seriously lacking. In response, several federal laws were passed to encourage broadband development and deployment. The FTC has a degree of jurisdiction over broadband deployment. In the initial inquiry, filed last June, the FCC summarized the underlying rationale as follows:

In the recently passed American Recovery and Reinvestment Act of 2009, the “stimulus” legislation, Congress charged the Department of Agriculture’s Rural Utilities Service and the Department of Commerce’s National Telecommunications and Information Administration with making grants and loans to expand broadband deployment and for other important broadband projects. Congress provided $7.2 billion for this effort – no small sum. But even this level of funding is insufficient to support broadband deployment. With this realization, the Recovery Act charges the Commission to create a national broadband plan. By February 17, 2010, the Commission must and will deliver to Congress a national broadband plan that seeks to ensure that every American has access to broadband capability and establishes clear benchmarks for meeting that goal.

Sounds great. However, under this docket number, as well as two others, the FCC sought further comment on how to deal with disclosure of “confidential” information between “eligible entities” and broadband service providers. In part:

We also seek comment on section 106(h)(2) of the BDIA, which requires eligible entities to treat “any matter that is a trade secret, commercial or financial information, or privileged or confidential, as a record not subject to public disclosure except as otherwise mutually agreed to by the broadband service provider and the eligible entity.” In particular, we seek comment on whether that section is self effectuating or whether the Commission should take any measures to ensure eligible entities’ compliance with section 106(h)(2). If parties believe that the Commission should adopt safeguards to ensure compliance with section 106(h)(2), then we ask that they describe with specificity the nature of their proposed safeguards.

After workshops on the broader issues surrounding broadband development, including its effect on the general economy, IT and productivity, the public comments began pouring in. The cast of commenting characters is impressive, and includes some high profile corporations, including Alcatel-Lucent, NPR, QUALCOMM, Walt Disney and Microsoft. Much of the information is confidential and not viewable by the public.

Now the FTC has commenced its investigation into privacy, security concerns, identity managements systems, log-ons and authentication, mobile computing, and social networking in the context of this broader discussion. A roundtable is scheduled to be held on January 28 on these issues.

How will this resolve? Before the likes of Amazon and Rackspace, big players in the cloud computing sector, start shaking in their boots, the long-term goal should actually benefit those interested in storing in the cloud and utilizing cloud services and tools. Remember my post yesterday about the Internet in 2020? The recent inquiry appears to be another piece in the larger puzzle of transforming the Internet into an entirely new experience. Safety and security issues are a significant part of that process.

While it is possible that the inquiry will expose present insecurities that may affect enterprise and business use of the cloud, my sense is that those insecurities should be exposed, examined, quantified, and, hopefully, eliminated. I applaud the FCC and FTC for getting that ball rolling. Hopefully, cloud providers and businesses using their services are employing the best available tech, and thus mitigating the potential liability for security breaches in the here and now. Down the road, security and best available technology in support of the cloud should be dramatically improved as the direct result of such comments, inquiries, and investigations.

Hat tip to ReadWrite Enterprise

In 20 Years, The Internet Will Get REALLY Interesting

I love reading smart people’s visions for the future. Especially when it involves technology, science, and our dear friend, the Internet. Check out some of the hopes, dreams, and goals shared by leading Internet engineers over at Network World, link here. Carolyn Duffy Marsan reports on how these brainiacs are rethinking the entire architecture, with the hope of making internet access safer, more reliable, and more widespread – reaching not only to the remote regions of this planet, but to other planets as well. Take THAT, ATT!

These scientists aren’t talking about terabytes, they are speaking in measures of exabytes of information. The research necessary to get us to the Brave New World of 2020 will be funded in part by the U.S. Government (now there is a decent use of our tax dollars). From the article:

Indeed, the United States is building the world’s largest virtual network lab across 14 college campuses and two nationwide backbone networks so that it can engage thousands – perhaps millions – of end users in its experiments.

The motivation behind this massive research is the reality that the Internet is now so enmeshed in our business, financial, and personal lives that a failure from cyberattacks, insufficient networks, or huge data loads would be catastrophic. The Internet that carries our financial networks, our power grid, and our government-to-citizen communications must not fail. The lack of security threatens this system, and our brightest Internet minds are focused on protecting against the very real risks.

The article is a fascinating read and gets into the nuts and bolts of the research. For my purposes, the article is most interesting on two counts: first, the realization that our Internet experience will be vastly different in the short span of a decade and, second, that the powers-that-be realize just how hugely important this network is, how fundamental it will become, and how singularly important internet security and viability is to our international well-being.

Never mind our dreams for 2010: on to 2020 and the tech marvels that await!