Security Bytes – September 2013 – Take control of your privacy!
In my previous articles I covered how the Government is currently warehousing information that they gather from ISPs (Internet Service providers) so that they can review that information at a later time when they have the ability to decrypt or acquire the decryption keys needed.
I want to explain how it becomes easy for the Government to actually get at encrypted data that is NOT encrypted by the end user, by keys that are under the end user’s control. Previously I have explained that whenever one goes to a “secure” website one can verify the encryption certificate in use by looking at the details in your web browser. One thing you will notice is that every certificate in use has a set of dates that validate the certificates use and also show the expiration date of that certificate. In essence this means that once that encryption certificate expires, the data that is encrypted by that certificate supposedly becomes unrecoverable. However, ISP’s and web hosts, email hosts etc., are required to retain these old keys just in case they are needed to recover user data. The Government also can ask to have a copy of these keys that have been “retired” and therefore will be enabled to decrypt any data that was encrypted with the keys during their valid periods.
Security Bytes – August 2013 – More Prism Revelations.
Last month I talked about “Prism” and how the Government is actively collecting and parsing data from many Internet Service Providers upstream of their main data feeds. I also talked about simple ways to help keep your data secure despite this revelation.
This month I want to continue the topic by diving a bit deeper into what out government can possibly get from your data and what you can do to keep your data safe.
In order to better combat terrorism, our government as well as other governments around the world are starting to implement systems where they can capture vast amounts of data for later analysis by their experts. What this means is that third parties might look at any data sent over the Internet and it’s content analyzed. I described that some Cloud based storage providers offer “encrypted” storage for their customers, but the one thing that people fail to comprehend is that this “encrypted” storage is based on encryption keys that the cloud provider possesses. That means that if compelled by a government, that provider may provide the decryption keys to a federal agency allowing them to decrypt data that was encrypted. This fact makes it very important for everyone to carefully read the agreement with the cloud provider to understand what level of privacy you really have.
Is there a way to ensure a better level of privacy if needed?
Security Bytes – June 2013 – Security Wake Up Call.
This month I wish to diverge from technical mattes to raise awareness toward threats that are emerging from overseas. If you have been keeping up with the news I am sure you are all aware that China has been actively hacking into and stealing top secret documents from the US and vehemently denies all actions. In fact our President is meeting with Chinese officials in the next few weeks to discuss these matters.
You may ask: “ How might these threats directly affect me?”
The answer to that question is multi-faceted, however there are many reports that point to the same conclusion. Hacker groups from around the world some even sponsored by governments are actively targeting military, financial, infrastructure, and other critical areas of our economy to either gain technical information that quite possibly could be used in a major cyber attack on the US. Just think what would happen if one day you wake up and there is no internet, no banking, no electricity, no commerce traffic, no food supply, waste treatment plants fail, hospitals fail, etc.
Security Bytes – July 2013 – Prism and your privacy.
The news has been abuzz with fears for privacy since the Government came clean with their “Prism” project and how it can spy on a vast majority of Internet communications. Since most internet backbones run on fiber that caries communications in the form of light, there is a way to use a beam splitter to siphon off a mirror image of any internet communications that go through an backbone connection. This method works very much the same way a prism splits light into its component wavelengths.
Using this technology, a Govt. agency can collect, store, categorize and analyze any or all data that comes through an Internet service provider’s uplink to the backbone. Many privacy proponents are crying foul since the Govt. can act as big brother and sort through everything at their leisure. While this may be true, I personally feel that this can be classified as “intrusive” however, we are in a dangerous world where many terrorist groups use the Internet to threaten our economy and Country, so it falls in the hands of our Govt. to take steps to protect our borders even if it means that we have to sacrifice some privacy in return.
Security Bytes – May 2013 – Memories are Priceless!.
If you have been following the news for the past few weeks you have probably been thinking what is going to happen next? Between the bombing in Boston, data breaches and more Java and Adobe vulnerabilities galore, its just seems that one can never stay ahead of a pending disaster.
The one thing I have learned as a security researcher and practitioner is that at some point disaster will strike and unless you have proper backups you will loose critical or sensitive data. Throughout the years that I have consulted with clients, I have witnessed many cases where people thought they were safe enough by using antivirus software, firewalls other best practice methods of securing their data, however to their dismay they realized only too late that they never checked the viability of their backups to restore from a disaster! Everyone understands the concept to backups, but few actually test the backup to see if they can recover data from them. In many of these cases, the “sensitive” data happens to be personal items such as family pictures and movies.
For that reason, I like to highlight the idea of backing up in threes! One backup to a device on a home or business network, one device that can be removed from active manipulation ( such as an external hard drive ) , and a third device such as a portable USB stick that can be taken off site and stored in a secure location. While this methodology may seem redundant and extreme, it is proven to work if procedures are followed and made into a regular practice.