Category Archives: Privacy

Warning For Symantec Customers

As I have reported before, Symantec has had problems with its server SSL certificate business for years and was on double-super probation.  Symantec bought its certificate business mostly from Verisign in 2010 for about 1.2 billion dollars.  It also bought the certificate businesses of Thawte, Equifax and others.

Last month it sold that business to Digicert, a move that was designed to preserve its equity.  It sold that business for $950 million plus a minority stake in Digicert.

But now the other shoe is dropping.

The reason Symantec was in trouble was that the browser vendors didn’t trust the security of the certificates that were issued before June 2016.

OK, so what is there to do?

First, each browser maker does its own thing.  Except, Chrome has the largest share of the browser market, so what Chrome does is more important than what anyone else does and, for the most part, everyone will follow what Chrome does in this case.

As of December 1 of this year, Chrome will no longer trust any NEW certificates issued by Symantec after this date.  That means that if your web server uses a Symantec certificate issued on December 2, when a user visits that site, Chrome will pop up a warning saying that the site is not to be trusted.

Starting with Chrome version 66 which should be released around April 1, 2018, no Symantec certificate issued before June 1, 2016 will be trusted.

Finally, when Chrome 70 is released in October 2018, NO Symantec certificates will be trusted at all.

So, for those of you webmasters that bought Symantec certificates – for certificates bought before June 2016, you have until early next year to replace those server certificates and for those of you who bought Symantec certificates after June 2016, you have until late 2018 to replace your certificates.

Since most people buy certificates that last one, two or three years, some of this will be solved by attrition, but we were examining one certificate today that expires TEN years in the future.
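To see which deadline applies to a given server certificate, the sketch below (an added example, not part of the original post) parses the text printed by `openssl x509 -noout -issuer -startdate` and applies the timeline above. It assumes "December 1 of this year" means 2017, and matching the brand names from this post against the issuer string is a heuristic of the example, not how Chrome identifies the affected roots; the sample outputs are constructed.

```python
import re
from datetime import date, datetime

# Brands the post names as part of Symantec's certificate business. Matching on
# issuer text is this example's heuristic, not Chrome's actual root-based check.
SYMANTEC_BRANDS = ("symantec", "verisign", "thawte", "equifax")

# Dates from the post; the year for "December 1 of this year" is assumed (2017).
NO_NEW_CERTS_AFTER = date(2017, 12, 1)
OLD_CERT_CUTOFF = date(2016, 6, 1)


def parse_openssl_text(text):
    """Parse the lines printed by `openssl x509 -noout -issuer -startdate`."""
    issuer = re.search(r"^issuer=\s*(.+)$", text, re.MULTILINE)
    start = re.search(r"^notBefore=\s*(.+)$", text, re.MULTILINE)
    if not issuer or not start:
        raise ValueError("expected issuer= and notBefore= lines")
    # OpenSSL pads single-digit days with an extra space; normalise first.
    stamp = " ".join(start.group(1).split())
    issued = datetime.strptime(stamp, "%b %d %H:%M:%S %Y GMT").date()
    return issuer.group(1).strip(), issued


def chrome_deadline(issuer, issued):
    """Map a certificate to the replacement window described in the post."""
    if not any(brand in issuer.lower() for brand in SYMANTEC_BRANDS):
        return "not affected"
    if issued > NO_NEW_CERTS_AFTER:
        return "untrusted from issuance"
    if issued < OLD_CERT_CUTOFF:
        return "replace before Chrome 66 (around April 1, 2018)"
    return "replace before Chrome 70 (October 2018)"


# Constructed sample output for four hypothetical servers.
SAMPLES = {
    "shop.example": "issuer=C = US, O = Symantec Corporation, CN = Symantec Class 3 Secure Server CA - G4\n"
                    "notBefore=Mar  9 00:00:00 2016 GMT\n",
    "blog.example": "issuer=C = US, O = \"thawte, Inc.\", CN = thawte SSL CA - G2\n"
                    "notBefore=Feb 14 00:00:00 2017 GMT\n",
    "late.example": "issuer=C = US, O = \"VeriSign, Inc.\", CN = Constructed Sample CA\n"
                    "notBefore=Dec  5 00:00:00 2017 GMT\n",
    "intranet.example": "issuer=C = US, O = Example Trust Services, CN = Example TLS CA 1\n"
                        "notBefore=Jan 20 00:00:00 2016 GMT\n",
}


def audit(samples):
    """Return {host: verdict} for each block of openssl output."""
    return {host: chrome_deadline(*parse_openssl_text(text)) for host, text in samples.items()}
```

The notBefore date is used as a stand-in for the issuance date, which is close enough for sorting certificates into the windows above.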

If you don’t know what vendor your certificates came from please reach out to us and we will be happy to assist you.

Information for this post came from ZDNet.

 


How To Digitally Erase All Your Stuff When You Quit Your Job

Wired ran a piece a few weeks ago with the title of this post.  An alternative title might be “How to get yourself arrested and prosecuted“.

While Wired’s heart was in the right place, they probably should have consulted an attorney before they published the article.

The basic premise of the article is that you should copy all of your personal stuff off your work computer and then wipe your work computer.

The problem is that your work computer is not your property and wiping it could be considered destroying company property and you could be prosecuted under any of a number of laws.  You could be liable for all of the costs to reconstruct the data that was stored on your computer.

That being said, let’s look at what they suggested:

  1. Before wiping out your computer entirely, make sure to back up anything important.  PDFs, photos, your resume, anything dear to your heart.  Do it with a flash drive or USB disk.

The problem is that this is about protecting YOUR stuff and not your employer’s stuff.  And, if you do this without your employer’s permission you could be ACCUSED of stealing company information – even if you didn’t.  Remember, being charged with a crime is different than being convicted, other than both will cost you a lot of money, damage your reputation and distract your attention from a new job.

2. Check USB slots for cables, flash drives, etc.

That is probably OK as long as you only take stuff which is yours, personally.

3. Shut down your Voicemail.  Record a new greeting telling people that you left the company and who to bug.  Delete all the messages in your voicemail inbox.

Don’t do this unless your employer approves.  Those voice mails are not your property – they belong to the company.  Ask your employer what they want you to do regarding your voice mails.  More than likely they will want you to preserve them until they have a chance to go through them.  They may or may not want to make your departure public right now, so they may not want you to change your greeting.  In any case, it is their choice, not yours.

4. Shut down your email.  Delete all your emails.  In Wired’s defense, at least here they say make sure it is within your company’s policies to do so.

I doubt your company is going to want you to delete ANY emails.  They are going to want to back everything up first, then probably they are going to want to go through them.

5.  Wipe your computer.  Wipe the puppy clean, they say.

I say that doing this could subject you to a felony.

6. Wipe your phone.  Here they are partially right.  If the phone is your property, the company cannot tell you what to do with it, but if it is yours, you are probably not going to want to wipe it.

If it is company property, you don’t have the right to destroy the data on it.  Again, potential felony charges, depending on how much it costs the company to reconstruct the data and if they consider it willful destruction of company property or sabotage.

7.  Log out of any applications like Slack, Hipchat or your browser.

I think this one is safe.  If it is a company account, they will have the means to log back in.

Bottom line, if the device is owned by the company, coordinate with your manager, HR and/or IT.   If in doubt, don’t do it.  If you own the device you have a lot more latitude in terms of what you can do with it.

One simple way to do things, if your company allows it, is to store YOUR stuff on your own personal flash drive.  Also don’t commingle work and personal email messages.  Keep personal personal and work work.  That way, you don’t store anything on the company computer and you don’t have to remove anything.  Don’t log on to your personal email or social media accounts from your work computer.  Remember, even if you log out from social media or email accounts or delete your social media and email passwords, your company may have them anyway in a variety of different ways.

If in doubt, contact an attorney.  Before you act.

Information for this post came from Wired.

 


Another Day, Another Amazon Data Exposure – And How Not To Handle It

Last week I wrote about an incident with a vendor to the City of Chicago who left close to two million voter records exposed on Amazon and how the vendor, in spite of the initial mistake of exposing the data, handled the breach very well (see blog post).

Today we have another case and, this time, an example of how not to handle it.

Today’s case also came from researcher Chris Vickery and the data in question was an Amazon storage bucket with resumes for what the news is calling “mercenaries”.  In fact, the company is Tigerswan, a private security firm.

Like many private security firms that cater to the military or paramilitary world, many of the employees and applicants are ex-military and hold or have held high level security clearances.

On July 20th, Vickery discovered an Amazon S3 bucket named TigerswanResumes with almost 10,000 resumes of veterans and others who were interested in working for Tigerswan.  As is typical for resumes, they included a lot of personal details including former activities in the military and clearance information.  This data was totally exposed to anyone who happened on it – including, potentially, agents of foreign powers who might want to blackmail (or worse) these people.

On July 21st Chris emailed Tigerswan about the situation.  He followed up on the 22nd with a phone call and email and was told they were working with Amazon to secure the data.

On August 10th, with the data still exposed, Chris reached out to Tigerswan again and was told that they were unsure as to why the data was exposed and would bring it to the IT director’s attention.

Finally, on August 24th, a month after Tigerswan was notified, the data was secured.

THE ONLY REASON THAT THE DATA WAS SECURED ON AUGUST 24TH WAS BECAUSE CHRIS WAS ABLE TO GET AMAZON TO INTERVENE.

Tigerswan blamed the situation on a former recruiting vendor – in other words, the data was effectively abandoned and unprotected.  No one “Owned” that data.

Chris’s blog post provides a lot of examples of the backgrounds of people whose information was exposed and, it would seem, this information would be attractive to intelligence agents.  Included in the resumes were police officers, sheriff deputies, people who worked at Guantanamo and many others.

Also on some of the resumes were references with contact information including one former director of the CIA clandestine services.  You kind of get the idea.

The fact that this took a month to secure the data is an indication of a lack of an effective incident response program and also a lack of a program to manage the location and ownership of data inside the company.  The fact that Amazon finally had to intervene makes the situation even worse.  Unfortunately, neither of these is unusual.

While it does take some work to build and maintain the data maps to document data storage locations – which should include data managed by vendors and ex-vendors on behalf of the company – compared to taking a month to fix a problem like this, the cost is low.  Very low.  For the veterans who were affected, the cost, assuming this data is now in the hands of our adversaries (and I can only assume that if Chris could find it, so could the Russians or the Chinese), is high and those veterans and others will have to deal with it.  That could, realistically, be sufficient grounds for a class action lawsuit against Tigerswan.
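A data map only helps if it is checked against what is actually exposed. The sketch below is an added example, not from the original post or from Upguard: it takes an inventory of buckets shaped like the S3 GetBucketAcl and GetBucketTagging responses and flags buckets that are public, unowned, or both. The `data-owner` tag key and all bucket names are hypothetical, the inventory is constructed, and the check covers ACL grants only, not bucket policies.

```python
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"

# Group URIs S3 uses for "everyone" and "any authenticated AWS account".
PUBLIC_GROUPS = {ALL_USERS: "anyone", AUTH_USERS: "any AWS account"}
OWNER_TAG = "data-owner"  # hypothetical tag key standing in for the data map


def public_grants(acl):
    """Return (audience, permission) for every ACL grant to a public group."""
    found = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        audience = PUBLIC_GROUPS.get(grantee.get("URI"))
        if grantee.get("Type") == "Group" and audience:
            found.append((audience, grant.get("Permission")))
    return found


def audit_inventory(inventory):
    """Flag buckets that are public, unowned, or both (the case in the post)."""
    findings = {}
    for bucket in inventory:
        tag_set = bucket.get("tagging", {}).get("TagSet", [])
        owner = {t["Key"]: t["Value"] for t in tag_set}.get(OWNER_TAG, "").strip()
        exposed = public_grants(bucket["acl"])
        if exposed and not owner:
            findings[bucket["name"]] = "public and unowned"
        elif exposed:
            findings[bucket["name"]] = f"public, confirm with {owner}"
        elif not owner:
            findings[bucket["name"]] = "unowned"
    return findings


# Constructed inventory; names, IDs and owners are made up for illustration.
INVENTORY = [
    {"name": "example-recruiting-resumes",
     "acl": {"Grants": [
         {"Grantee": {"Type": "CanonicalUser", "ID": "constructed-id"},
          "Permission": "FULL_CONTROL"},
         {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}]},
     "tagging": {"TagSet": [{"Key": "vendor", "Value": "former-recruiter"}]}},
    {"name": "example-public-website",
     "acl": {"Grants": [
         {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}]},
     "tagging": {"TagSet": [{"Key": "data-owner", "Value": "marketing@example.test"}]}},
    {"name": "example-hr-archive",
     "acl": {"Grants": [
         {"Grantee": {"Type": "CanonicalUser", "ID": "constructed-id"},
          "Permission": "FULL_CONTROL"}]},
     "tagging": {"TagSet": [{"Key": "data-owner", "Value": "hr@example.test"}]}},
]
```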

Information for this post came from Upguard and ZDNet.

 

 


Is Kaspersky Software a Russian Spy Front?

Gene Kaspersky, CEO of Russian Software Firm Kaspersky Labs

Some in Congress and the Intelligence Services are concerned that Kaspersky’s security software could be co-opted by the Russian government and be used to spy on American companies who use the software.

Fundamentally, this is no different than concerns that people have that the U.S. spy agencies could or already have forced U.S. companies to insert back doors into their software to allow U.S. spies to use U.S. software to spy on people as well.

We already know that Yahoo did that by running all email through filters and feeding the data to the Intelligence Community.

The challenge in both cases – Russia and the United States – is that any efforts on the part of the respective spy agencies to do that would be highly classified and those agencies would not admit that they are doing so, even if they are.

Since it is the job of spy agencies to spy on people, it is not unreasonable to assume that they would do that if they could.

Some people, including me, have been concerned for a long time that Gene’s software could be used for no good.  Even though I think he makes good products, I find it hard to trust him.  He has had very close ties to the KGB and FSB for a long time, including training at a school run by the KGB.

Kaspersky’s software, they say, is used by 400 million people worldwide, including many people in the United States.  There is a bill working its way through Congress right now that would ban the DoD from using it.  It is used in some places inside U.S. government agencies.

While suspicions have run wild for years, there has been no hard evidence.  Now a media outlet has found something unusual in a document that Russian companies need to have in order to operate in Russia.  This document has a military intelligence unit number attached to it.  While some people are making a big deal of this, it could be legit – no different than, maybe, a U.S. defense contractor might have some ID numbers.  Some former spies say that this MI unit number is a pretty unusual thing.  Stay tuned.

Kaspersky has offered to let the government look at his source code to verify that there are no back doors.  Of course, no back doors today does not equal no back doors after the next update.

In the U.S., Verizon and AT&T shared call data with the intelligence community and there are thousands of FISA court orders issued every year.  Those are all classified so we have no clue what they might entail.

Kaspersky IS the company that paid General Flynn those consulting fees that he forgot to declare.

While I don’t know if his software has been compromised, my theory is that it isn’t worth the risk.  There are plenty of American and European software products that would seem to me, on the face of it, less risky.

Listening to the rumblings of the U.S., Britain, Germany, France and others, I am not sure HOW much less risky, but probably at least somewhat less risky.

Information for this post came from MSN.

 


When Does A Web Site Really Get Your Data?

While this is certainly not a breach, it surely is not what you are expecting.

Have you ever noticed after you went to a web site, started to fill out a form but then abandoned it, that you got an email from the web site?

If you have gotten one, you are not alone.  That is because the submit button is really mostly a concept.

Quicken Loans, Acurian and a host of retailers, among others, have programmed their web sites so that as soon as you start typing or finish one field, the data is transmitted, in the background, to the web server.  No need to wait till the user finishes entering the data to transmit it – just do it as the user fills out the form.

While there is nothing even remotely illegal about this, it is certainly not what people expect.

I expect – and likely so do you – that if I fill out a web form, that data is not sent to the web site owner until I say so.  Apparently, in an effort to capture those folks who bail out half way through and get another chance to persuade them to buy whatever that web site is selling,  the site captures the data long before you hit submit.

So for those of you who think that your data is still yours if you don’t hit that submit button – maybe you are right – but maybe you are wrong.
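One way to check a site for this behavior yourself: type unique "canary" values into the form, leave without submitting, export the browser's network log as a HAR file, and search it for those values. The sketch below is an added example, not from the original post or from Schneier; the HAR excerpt, host names and canary values are constructed, and a six-character prefix match is an assumption used to catch as-you-type capture of partial values.

```python
from urllib.parse import unquote_plus

MIN_PREFIX = 6  # shortest partial value treated as a match (as-you-type capture)


def presubmit_leaks(har, canaries):
    """Find requests carrying canary values from a form that was never submitted."""
    leaks = []
    for entry in har["log"]["entries"]:
        request = entry["request"]
        body = request.get("postData", {}).get("text", "")
        # Decode %40 and similar so URL-encoded values still match.
        haystack = unquote_plus(request["url"] + "\n" + body)
        fields = sorted(
            name for name, value in canaries.items()
            if len(value) >= MIN_PREFIX and value[:MIN_PREFIX] in haystack
        )
        if fields:
            leaks.append({
                "time": entry["startedDateTime"],
                "method": request["method"],
                "endpoint": request["url"].split("?", 1)[0],
                "fields": fields,
            })
    return leaks


# Constructed canary values and HAR excerpt (only the fields the check reads).
CANARIES = {"email": "zq7canary@example.test", "phone": "5550147731"}
SAMPLE_HAR = {"log": {"entries": [
    {"startedDateTime": "2017-09-01T10:00:00.000Z",
     "request": {"method": "GET", "url": "https://shop.example/quote"}},
    {"startedDateTime": "2017-09-01T10:00:07.250Z",
     "request": {"method": "POST",
                 "url": "https://shop.example/api/field-capture",
                 "postData": {"mimeType": "application/json",
                              "text": '{"field": "email", "value": "zq7canary@exam"}'}}},
    {"startedDateTime": "2017-09-01T10:00:15.900Z",
     "request": {"method": "GET",
                 "url": "https://tracker.example/p.gif?e=zq7canary%40example.test&p=5550147731"}},
]}}
```

Any hit means the value left the browser before the submit button was pressed, since the form was abandoned during the capture.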

Information for this post came from Bruce Schneier.

 


Google Wants All Web Sites To Use HTTPS:

While I have whined that HTTPS:// is not super secure, it is certainly way more secure than not using HTTPS.  Technically known as SSL or more correctly TLS, when you type HTTPS://, it signals the web browser to work with the web site to encrypt all of your information.

For the last year or two, Google has been waging a quiet war to encourage web site owners to use TLS on every page of every web site.

The way they are doing this is by changing how Google’s Chrome browser and Google’s search results handle non HTTPS-protected web sites.  Since Chrome is now the majority browser out there, having a more than 50% share and Google itself  is and has been the predominant search engine forever, how Google treats non HTTPS-protected web sites is important.

So what, exactly, is Google doing?  There are a couple of things they have already done and more to come.

First, and pretty important for folks that depend on customers finding them through Google search results, if your website does not support HTTPS, Google will lower where you show up in the search results.  That’s right, if you don’t support HTTPS, you will show up farther down the list.  For people who depend on search results, even if you buy ad words, you are going to show up lower on the list if you do not support HTTPS.

Next thing they have already done is to pop up a red warning in the address bar that says NOT SECURE, if your web site asks for a userid and password and it doesn’t do that over an HTTPS connection.  That probably makes sense – after all everyone wants their userid and password to be protected,  but there are still many web sites that don’t use HTTPS to protect your login.

Come this October, Google is going to label all web pages that request ANY INPUT AT ALL as not secure if it is not done over HTTPS.  That means that if all you have is a brochure web site and you have a search box on your web page, Google will flash up that red NOT SECURE warning in the address line.

Finally, the last announced phase of this effort is to label ALL WEB PAGES that are not using HTTPS as NOT SECURE.  This is the exact opposite of what they were doing a few years ago when they labelled those pages that did use HTTPS as secure by displaying the padlock icon.
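To see which of these phases would hit your own pages first, the sketch below (an added example, not from the original post or from Google) takes a page URL and its HTML and reports the earliest phase at which the page would be labelled NOT SECURE. Which form controls Chrome counts as "input" is an assumption of the example, and the sample pages are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Input types that take no typed user data; the exact set Chrome uses is an
# assumption of this example.
NON_DATA_TYPES = {"hidden", "submit", "button", "reset", "image"}

PHASES = {
    1: "login form over HTTP (already flagged)",
    2: "any input over HTTP (from October)",
    3: "every HTTP page (final announced phase)",
}


class FormControlFinder(HTMLParser):
    """Record whether a page has data-entry controls and password fields."""

    def __init__(self):
        super().__init__()
        self.has_input = False
        self.has_password = False

    def handle_starttag(self, tag, attrs):
        if tag in ("textarea", "select"):
            self.has_input = True
        elif tag == "input":
            kind = (dict(attrs).get("type") or "text").lower()
            if kind not in NON_DATA_TYPES:
                self.has_input = True
            if kind == "password":
                self.has_password = True


def not_secure_phase(url, html):
    """Return the earliest phase (1-3) that labels the page, or None for HTTPS."""
    if urlsplit(url).scheme.lower() == "https":
        return None
    finder = FormControlFinder()
    finder.feed(html)
    if finder.has_password:
        return 1
    if finder.has_input:
        return 2
    return 3


# Constructed sample pages.
PAGES = {
    "http://shop.example/login": '<form><input name="u"><input type="PASSWORD" name="p"></form>',
    "http://brochure.example/": '<form action="/search"><input type="search" name="q"><input type="submit"></form>',
    "http://brochure.example/about": "<h1>About us</h1><p>No forms here.</p>",
    "https://bank.example/login": '<form><input type="password" name="p"></form>',
}
```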

The plan here is to sort of shame web site owners into using HTTPS and I think it is a plan that is working.  We are seeing many more web sites using HTTPS than ever before.

And, what Google’s Chrome does is usually done by Firefox sooner or later, in some cases, at the same time.  Microsoft’s browsers typically lag way behind, but between Chrome and Firefox, you cover the vast majority of the user base.

Sooooooooo, if you do not currently support HTTPS, now is the time to start handling that.  It really is not that hard to do, is not very expensive and sends the right message to your customers and visitors.  After all, who wants their web site visitors to be greeted by NOT SECURE?

One last thing, there are two types of HTTPS, domain validation (DV) and extended validation (EV).  With DV, which is, by far, the predominant type of HTTPS in use, your traffic is encrypted, but you have no assurance that who you think is the owner of a web site is, in fact the owner.  With EV, you get an extra level of assurance that you are really talking to your bank and not someone masquerading as your bank.  But, EV certificates are more expensive than DV certificates, so most sites just use DV.  More about this in a future post.

If you have questions about setting up HTTPS on your web site, please contact us.

Information for this post came from ZDNet.
