To be clear, using a VPN doesn’t magically solve all these issues, it mitigates them. For example, if a site lacks sufficient HTTPS then there’s still the network segment between the VPN exit node and the site in question to contend with. It’s arguably the least risky segment of the network, but it’s still there. The effectiveness of black-holing DNS queries to known bad domains depends on the domain first being known to be bad. CyberSec is still going to do a much better job of that than your ISP, but it won’t be perfect. And privacy wise, a VPN doesn’t remove DNS or the ability to inspect SNI traffic, it simply removes that ability from your ISP and grants it to NordVPN instead. But then again, I’ve always said I’d much rather trust a reputable VPN to keep my traffic secure, private and not logged, especially one that’s been independently audited to that effect.
As the old saying goes, privacy isn’t necessarily about having something to hide, it’s also about not having something you want to share; if you’re depressed and going to beyondblue.org.au then you may not wish to share that with other people. If you’re having trouble with alcohol and visit aa.org.au then you may not want to share that either. If you’re pregnant and hopping over to pregnancybirthbaby.org.au then, again, you may expect to keep that information private (let us not forget the story of how Target managed to “data-mine its way into [a teenage girl’s] womb”). Just looking up those URLs I was imagining what sort of conclusions would be drawn about me if someone had access to my connection! (No, I’m not a depressed alcoholic teenager who’s expecting…)
Your boarding pass for a flight can sometimes be used to get your passport number. Don’t post your boarding pass or baggage receipt online, keep it as secret as your passport.
How it works
The Booking Reference on the boarding pass can be used to log in to the airline’s “Manage Booking” page, which sometimes contains the passport number, depending on the airline. I saw that Tony Abbott had posted a photo of his boarding pass on Instagram, and used it to get his passport details, phone number, and internal messages between Qantas flight staff about his flight booking.
A password hash is a representation of your password that can’t be reversed, but the original password may still be determined if someone hashes it again and gets the same result.
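An added example (not from the original page) of the point above: a plain SHA-256 cannot be reversed, yet any candidate can be confirmed by hashing it again, so a small constructed wordlist recovers a weak password at once; the second half shows the usual mitigation, a per-user random salt with a memory-hard KDF (scrypt), which defeats precomputed tables and makes every guess expensive. The wordlist and function names are assumptions of this example.

```python
import hashlib
import hmac
import os
from typing import Iterable, Optional, Tuple

# Constructed wordlist for the demonstration (not taken from any real breach).
WORDLIST = ["letmein", "password1", "correct horse battery staple", "hunter2"]

def sha256_hex(password: str) -> str:
    """Unsalted, fast hash: the weak storage scheme the sentence above warns about."""
    return hashlib.sha256(password.encode()).hexdigest()

def guess_from_hash(stored_hex: str, candidates: Iterable[str]) -> Optional[str]:
    """One-way does not mean unguessable: re-hash each candidate and compare.
    Returns the matching candidate, or None if the wordlist does not contain it."""
    for cand in candidates:
        if hmac.compare_digest(sha256_hex(cand), stored_hex):
            return cand
    return None

SCRYPT_PARAMS = dict(n=2 ** 14, r=8, p=1, dklen=32)   # ~16 MiB of memory per guess

def make_salted_record(password: str) -> Tuple[bytes, bytes]:
    """Mitigation: a fresh 16-byte salt per user plus scrypt, so identical passwords
    hash differently and an attacker cannot reuse a precomputed table."""
    salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT_PARAMS)
    return salt, digest

def verify_salted(password: str, salt: bytes, digest: bytes) -> bool:
    """Verification re-derives with the stored salt and compares in constant time."""
    cand = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT_PARAMS)
    return hmac.compare_digest(cand, digest)
```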
The defects, which have been fixed, exposed private details of people in quarantine. The country has been hailed as a pioneer in digital public health.
In May, Mr. Rechtenstein returned to his home in Seoul from a trip abroad. While self-isolating at home, he became curious about the government’s seemingly simple app and what extra features it might have. That prompted Mr. Rechtenstein to peek under the hood of the code, which is how he discovered several major security flaws.
He found that the software’s developers were assigning users ID numbers that were easily guessable. After guessing a person’s credentials, a hacker could have retrieved the information provided upon registration, including name, date of birth, sex, nationality, address, phone number, real-time location and medical symptoms.
It would seem that each country has had its sway.
The Times found this spring that a virus-tracing app in India could leak users’ precise locations, prompting the Indian government to fix the problem. Amnesty International discovered flaws in an exposure-alert app in Qatar, which the authorities there quickly updated. Other nations, including Norway and Britain, have had to change course on their virus apps after public outcry about privacy.
Although Australia’s issue seems to have been that it does not work.
Gain essential cyber security knowledge and skills, to help protect your digital life. Join this GCHQ Certified Training course from The Open University.
via Cory Doctorow
The something you know is the password, and yes it’s still a good idea to have a strong password, something with enough length and complexity that is hard to guess but easy to remember. But it’s not enough. It’s just one factor.
The second factor is something you have, or something you physically carry with you, such as a phone or touch key. Unless the hacker or foreign power actually has your phone, they can’t access your data, even if they know your password. Just like the two keys for the front door, they need both your password AND your phone at the same time. If they have both those things, you may just have bigger problems to deal with.
We all need to deal with reality. And in my experience, that’s what the people who have dedicated their lives to protecting all of us—such as the employees of the FBI—usually do best. How else do you stop the bad guys but by living in reality and aggressively taking the fight to them based on an accurate assessment of the facts? I am most certainly not advocating surrender, but public safety officials need to take a different approach to encryption as a way to more effectively thwart our adversaries, protect the American people and uphold the Constitution in light of the existential cybersecurity threat that society faces. If law enforcement doesn’t want to embrace encryption as I have suggested here, then it needs to find other ways to protect the nation from existential cyber threats because, so far, it has failed to do so effectively.
Put differently, the legal problem for law enforcement is not the Fourth Amendment. Investigators and prosecutors can and do obtain warrants to authorize searches, seizures and surveillance of encrypted digital evidence. The problem is that there is no law that clearly empowers governmental actors to obtain court orders to compel third parties (such as equipment manufacturers and service providers) to configure their systems to allow the government to obtain the plain text (i.e., decrypted) contents of, for example, an Android or iPhone or messages sent via iMessage or WhatsApp. In other words, under current law, the most the government can do with respect to encrypted systems where the manufacturer or service provider does not hold the encryption keys is to demand that companies provide it with an encrypted blob for which they have no mechanism to decrypt.
One suggested workaround is better use of metadata to support crime enforcement:
If, in fact, governments more aggressively support encryption, they will have to focus even more on collecting and analyzing noncontent metadata, increasingly aided by advanced data analytics driven by machine learning and other artificial intelligence tools. I know full well that obtaining noncontent metadata, while useful, is not the same as collecting the full content of communications and documents. It is hard to use metadata, for example, to prove criminal intent or to understand exactly what a spy or a terrorist is plotting. But we are in a world where content is increasingly unavailable and there is a wealth of metadata. So, the government should focus on collecting the right data and developing or buying top-notch analytical tools. In doing so, of course, it needs to make sure that such metadata collection and analysis is consistent with the Fourth Amendment. Admittedly, that will be more complicated in light of the U.S. Supreme Court’s decision in Carpenter v. United States. And it will be harder to do all this in the face of efforts by some companies to further anonymize public internet metadata. Nevertheless, this is where law enforcement finds itself since it has not persuaded Congress to act.
However, what this all highlights is that every country has a different set of rules, therefore this is a debate that needs to be had in a number of places.
Ministers from several countries have written an open letter to the Facebook CEO, Mark Zuckerberg, asking him not to fully encrypt all of the company’s messaging services. This week, Jordan Erica Webber talks to The Guardian’s tech reporter Julia Carrie Wong and security expert Alan Woodward about the implications of restricting end-to-end encryption.
Insider attacks, cell-site simulators, SIM-swap attacks, thriving markets in super-cheap, fine-grained location data, robocalls, fictitious coverage maps, and more: does the fact that all this terrible shit keeps happening, and only gets worse, mean that mobile companies and the FCC just don’t give a fuck if your mobile phone is a crime wave you carry around with you in your pocket?
Three weeks ago I received a very flattering email from the University of Cambridge, asking me to judge the Adam Smith Prize for Economics:
As the creator of TAGS privacy and surveillance often sit at the back on my mind. From the beginning TAGS was designed to help show people the amount of data we personally share and how easy it is for anyone to access. We all know that technology is not neutral and whilst there is a long list of people using TAGS for positive purposes by its nature there are some who turn to the darkside.
Virtual private networks are now a must-have privacy tool. But good luck figuring out which ones will actually make you safer.
One of the only definitive takeaways, besides “steer clear of free VPNs,” is that your choice of VPN should depend on what you’re using it for. If you’re just trying to stay safe online, it may make sense to steer toward a larger, U.S.-based company that’s clear about both who owns it and how it treats your data. If your goal is to torrent pirated files, view blocked content, assassinate an ambassador, or otherwise evade the long arm of your government (or the governments it shares intelligence with), one based offshore might be a better bet—provided you’re quite sure it doesn’t have secret ties to the government you’re trying to evade.
via Ian O’Byrne
Want to know the reasons why a WordPress site gets hacked? Check out the top reasons why WordPress sites get hacked and how to avoid them.
So if you’re looking for an alternative to the phone number, start with something more easily replaceable. Hardjono suggests, for example, that smartphones could generate unique identifiers by combining a user’s phone number and the IMEI device ID number assigned to every smartphone. That number would be valid for the life of the device, and would naturally change whenever you got a new phone. If you needed to change it for whatever reason, you could do so with relative ease. Under that system, you could continue to give out your phone number without worrying about what else it might affect.
We took a hacker to a café and, in 20 minutes, he knew where everyone else was born, what schools they attended, and the last five things they googled.
These technologies provide amazing opportunities to provide real services to our lives. I experienced this first hand as we enjoyed our time in this road race, and will look forward to the next one together. I was impressed by the use of technology as I was interacting with these sources and signals. At the same time, I was still plagued by a number of questions as I was thinking about these tools, and other possible uses. In our current and future societies, we need to examine these uses and think about how or why we use these solutions.