Troy Hunt walks through why HTTPS is important, even for a static website.
Tag: Security
To be clear, using a VPN doesn’t magically solve all these issues, it mitigates them. For example, if a site lacks sufficient HTTPS then there’s still the network segment between the VPN exit node and the site in question to contend with. It’s arguably the least risky segment of the network, but it’s still there. The effectiveness of black-holing DNS queries to known bad domains depends on the domain first being known to be bad. CyberSec is still going to do a much better job of that than your ISP, but it won’t be perfect. And privacy wise, a VPN doesn’t remove DNS or the ability to inspect SNI traffic, it simply removes that ability from your ISP and grants it to NordVPN instead. But then again, I’ve always said I’d much rather trust a reputable VPN to keep my traffic secure, private and not logged, especially one that’s been independently audited to that effect.
Troy Hunt explains that even with HTTPS, there is still a need for VPNs and the added security/privacy they provide.
As the old saying goes, privacy isn’t necessarily about having something to hide, it’s also about not having something you want to share; if you’re depressed and going to beyondblue.org.au then you may not wish to share that with other people. If you’re having trouble with alcohol and visit aa.org.au then you may not want to share that either. If you’re pregnant and hopping over to pregnancybirthbaby.org.au then, again, you may expect to keep that information private (let us not forget the story of how Target managed to “data-mine its way into [a teenage girl’s] womb”). Just looking up those URLs I was imagining what sort of conclusions would be drawn about me if someone had access to my connection! (No, I’m not a depressed alcoholic teenager who’s expecting…)
tl; dr
Your boarding pass for a flight can sometimes be used to get your passport number. Donāt post your boarding pass or baggage receipt online, keep it as secret as your passport.
How it works
The Booking Reference on the boarding pass can be used to log in to the airlineās āManage Bookingā page, which sometimes contains the passport number, depending on the airline. I saw that Tony Abbott had posted a photo of his boarding pass on Instagram, and used it to get his passport details, phone number, and internal messages between Qantas flight staff about his flight booking.
A password hash is a representation of your password that can’t be reversed, but the original password may still be determined if someone hashes it again and gets the same result.
Troy Hunt discusses the difference between encryption and hashing when it comes to passwords.
The defects, which have been fixed, exposed private details of people in quarantine. The country has been hailed as a pioneer in digital public health.
Aaron Krolik, Choe Sang-Hunnatasha Singer and Raymond Zhong report on Flaws found in the South Korean quarantine app:
In May, Mr. Rechtenstein returned to his home in Seoul from a trip abroad. While self-isolating at home, he became curious about the governmentās seemingly simple app and what extra features it might have. That prompted Mr. Rechtenstein to peek under the hood of the code, which is how he discovered several major security flaws.
He found that the softwareās developers were assigning users ID numbers that were easily guessable. After guessing a personās credentials, a hacker could have retrieved the information provided upon registration, including name, date of birth, sex, nationality, address, phone number, real-time location and medical symptoms.
It would seem that each country has had its sway.
The Times found this spring that a virus-tracing app in India could leak usersā precise locations, prompting the Indian government to fix the problem. Amnesty International discovered flaws in an exposure-alert app in Qatar, which the authorities there quickly updated. Other nations, including Norway and Britain, have had to change course on their virus apps after public outcry about privacy.
Although Australia’s issue seems to have been that it does not work.
Gain essential cyber security knowledge and skills, to help protect your digital life. Join this GCHQ Certified Training course from The Open University.
This looks like a worthy learning opportunity.
via Cory Doctorow
TheĀ something you knowĀ is the password, and yes itās still a good idea to have a strong password, something with enough length and complexity that is hard to guess but easy to remember.Ā But itās not enough. Itās just one factor.
The second factor isĀ something you have, or something you physically carry with you, such as a phone or touch key. Unless the hacker or foreign power actually has your phone, they canāt access your data, even if they know your password.Ā Just like the two keys for the front door, they need both your password AND your phone at the same time. If they have both those things, you may just have bigger problems to deal with.
We all need to deal with reality. And in my experience, thatās what the people who have dedicated their lives to protecting all of usāsuch as the employees of the FBIāusually do best. How else do you stop the bad guys but by living in reality and aggressively taking the fight to them based on an accurate assessment of the facts? I am most certainly not advocating surrender, but public safety officials need to take a different approach to encryption as a way to more effectively thwart our adversaries, protect the American people and uphold the Constitution in light of the existential cybersecurity threat that society faces. If law enforcement doesnāt want to embrace encryption as I have suggested here, then it needs to find other ways to protect the nation from existential cyber threats because, so far, it has failed to do so effectively.
Jim Baker takes a deep dive into the world or security, encryption and zero-trust networks. He touches on the current confusion over the law, that the government can request access, but there is nothing to say that such access should not be encrypted:
Put differently, the legal problem for law enforcement is not the Fourth Amendment. Investigators and prosecutors can and do obtain warrants to authorize searches, seizures and surveillance of encrypted digital evidence. The problem is that there is no law that clearly empowers governmental actors to obtain court orders to compel third parties (such as equipment manufacturers and service providers) to configure their systems to allow the government to obtain the plain text (i.e., decrypted) contents of, for example, an Android or iPhone or messages sent via iMessage or WhatsApp. In other words, under current law, the most the government can do with respect to encrypted systems where the manufacturer or service provider does not hold the encryption keys is to demand that companies provide it with an encrypted blob for which they have no mechanism to decrypt.
One suggested workaround is better use of metadata to support crime enforcement:
If, in fact, governments more aggressively support encryption, they will have to focus even more on collecting and analyzing noncontent metadata, increasingly aided by advanced data analytics driven by machine learning and other artificial intelligence tools. I know full well that obtaining noncontent metadata, while useful, is not the same as collecting the full content of communications and documents. It is hard to use metadata, for example, to prove criminal intent or to understand exactly what a spy or a terrorist is plotting. But we are in a world where content is increasingly unavailable and there is a wealth of metadata. So, the government should focus on collecting the right data and developing or buying top-notch analytical tools. In doing so, of course, it needs to make sure that such metadata collection and analysis is consistent with the Fourth Amendment. Admittedly, that will be more complicated in light of the U.S. Supreme Courtās decision in Carpenter v. United States. And it will be harder to do all this in the face of efforts by some companies to further anonymize public internet metadata. Nevertheless, this is where law enforcement finds itself since it has not persuaded Congress to act.
However, what this all highlights is that every country has a different set of rules, therefore this is a debate that needs to be had in a number of places.
Ministers from several countries have written an open letter to the Facebook CEO, Mark Zuckerberg, asking him not to fully encrypt all of the companyās messaging services. This week, Jordan Erica Webber talks to The Guardianās tech reporter Julia Carrie Wong and security expert Alan Woodward about the implications of restricting end-to-end encryption
Jordan Erica Webber unpacks the push by some governments to limit end-to-end encryption and the impact this would have on privacy and security. Cory Doctorow also discusses this on the Bitcoin Podcast, while Edwina Stott explores this topic on the Future Tense Podcast.
A blog about learning supported by innovation and social networks.
Insider attacks,Ā cell-site simulators,Ā SIM-swap attacks,Ā thriving markets in super-cheap, fine-grained location data,Ā robocalls,Ā fictitious coverage maps, and more: does the fact that all this terrible shit keeps happening, and only gets worse, mean that mobile companies and the FCC just don’t give a fuck if your mobile phone is a crime wave you carry around with you on your pocket?
Three weeks ago I received a very flattering email from the University of Cambridge, asking me to judge the Adam Smith Prize for Economics:
As the creator ofĀ TAGSĀ privacy and surveillance often sit at the back on my mind. From the beginning TAGS was designed to help show people the amount of data we personally share and how easy it is for anyone to access. We all know that technology is not neutral and whilst there is a long list of people using TAGS for positive purposes by its nature there are some who turn to the darkside.
In a keynote for Domains19, Martin Hawksey takes a look at privacy and security. He shares a number of experiments (Domain Invaders and They Live) designed to highlight what is possible. It is interesting to consider all this alongside Kin Lane’s sentinelization of APIs. I wonder if it is about being informed?
Virtual private networks are now a must-have privacy tool. But good luck figuring out which ones will actually make you safer.
Will Oremus explores the world VPNs. He explains the differences between free and paid subscriptions, as well as who owns the company and why it is not always possible to know.
Marginalia
One of the only definitive takeaways, besides āsteer clear of free VPNs,ā is that your choice of VPN should depend on what youāre using it for. If youāre just trying to stay safe online, it may make sense to steer toward a larger, U.S.-based company thatās clear about both who owns it and how it treats your data. If your goal is to torrent pirated files, view blocked content, assassinate an ambassador, or otherwise evade the long arm of your government (or the governments it shares intelligence with), one based offshore might be a better betāprovided youāre quite sure it doesnāt have secret ties to the government youāre trying to evade.
via Ian O’Byrne
Want to know the reasons why a WordPress site gets hacked? Check out the top reasons why WordPress sites get hacked and how to avoid them.
So if you’re looking for an alternative to the phone number, start with something more easily replaceable. Hardjono suggests, for example, that smartphones could generate unique identifiers by combing a user’s phone number and the IMEI device ID number assigned to every smartphone. That number would be valid for the life of the device, and would naturally change whenever you got a new phone. If you needed to change it for whatever reason, you could do so with relative ease. Under that system, you could continue to give out their phone number without worrying about what else it might affect.
We took a hacker to a cafĆ© and, in 20 minutes, he knew where everyone else was born, what schools they attended, and the last five things theyĀ googled
Mr Robot in real life?
Iāve talked about two factor authentication (2FA) in the past. Basically when you log in to a site/service, you need to give another proof of identity. In this case, you would insert the USB stick, or click the bluetooth sensor on your keychain.
This reminds me, I got given a Kubikey and never got around to setting everything up.
These technologies provide amazing opportunities to provide real services to our lives. I experienced this first hand as we enjoyed our time in this road race, and will look forward to the next one together. I was impressed by the use of technology as I was interacting with these sources and signals. At the same time, I was still plagued by a number of questions as I was thinking about these tools, and other possible uses. In our current and future societies, we need to examine these uses and think about how or why we use these solutions.
Ian O’Byrne reflects on the use of ChronoTrack B-Tags consisting of two stickers that contain RFID antennas to track participants in a fun run. This is used to monitor participants, but also connect them with commercial opportunities. Along with facial recognition and smart badges, this is another example of the continual evolution of the surveillance state.
š Privacy vs Security
Ian O’Byrne provides a comparison between privacy and security:
Privacy is often defined as the right of an individual to keep his/her individual information from being disclosed. This is typically achieved through policies and procedures. Privacy encompasses controlling who is authorized to access your information; and under what conditions information may be accessed, used and/or disclosed to a third party.Security is defined as the mechanism in place to protect the privacy of information. This includes the ability to control access to information, as well as to safeguard information from unauthorized disclosure, alteration, loss or destruction. Security is typically accomplished through operational and technical controls. source
Doug Belshaw visually represents this to get the point home:
Mike Caulfield discusses the future of privacy and suggests that there is work that needs to be done in regards to participatory culture:
Iām sure that the powers that be in Silicon Valley believe in āthe end of privacyā, just like they believe in technocratic meritocracy. The most attractive thing for any programmer to believe is that new technologies will render the messiness of social relations obsolete. But this idea, that privacy is antiquated, will lead to institutional and organizational collapse on a massive scale, which is why a transparency organization like Wikileaks is the favorite tool of dictators.source
Lizzie OāShea explains how Mark Zuckerberg’s call for increase in privacy fails to capture the agency associated with it all:
A better understanding of privacy will not be limited to design concepts generated by highly profitable social media platforms. It needs to encompass how privacy is an essential component of our agency as human beings. Agency, to be explored and expressed fully, requires that we have space outside the influence of capitalismāto have freedom from market forces seeking to manipulate our unconscious. Privacy demands that human emotions like shame, joy, guilt, and desire be explored without someone seeking to profit from the process without us noticing.source