Archive for the ‘Security’ Category

Selfies are Not Security

Posted by | Privacy, Security | July 13, 2015

It’s so hard to reach the kids these days, what with their internets and their Facepages. But Mastercard is going to try anyway. After all, what product is better for the young ones than unmanageable credit? Now they want to make “selfies” the new way to verify your identity, using facial recognition verification software. It’s the perfect blend of pop culture meets privacy creepiness.

To make it better, the technology is not secure. Previous attempts at this kind of software were breached when users drew animated eyes on photographs to get past the “blink” commands. So why would they do this?

According to their security expert, “The new generation, which is into selfies… I think they’ll find it cool.”

To quote the kids these days, “I can’t even…”

BBC – Mastercard testing facial recognition security app


$10,000 Per Person for a Data Breach?

Posted by | Security | March 20, 2015

If Approved, Target Settlement Opens the Door to Big Payouts

Still haven’t put in those security measures to protect your clients’ personal information? What if a data breach cost $10,000 per person? Target suffered one of the largest data breaches in history in 2013, when the credit card information of 40 million shoppers and the personal information of 70 million shoppers were stolen.

Now they are settling a class action for $10m. The settlement would provide compensation of up to $10,000 for shoppers who show they suffered damages from the breach.

This is a useful number to consider. If you think it’s too expensive or a hassle to improve your security, try counting up the customers whose personal information you hold. Then multiply that by $10,000. That is your potential liability if your company’s data is stolen.

Odds are, that amount is much higher than the cost of encryption or improved security.

Washington Post – Target data breach victims could get up to $10,000 each from court settlement


What to do About Heartbleed

Posted by | Security | April 14, 2014

Heartbleed Exploit Requires Changes

For those who haven’t heard, there is a new internet security risk. The Heartbleed exploit is a weakness in the program known as OpenSSL, which encrypts data. Whenever you access a secure site and see the lock next to the site address, that is SSL. There are many SSL programs out there, and only OpenSSL was affected. However, it’s the most widely used one, and the flaw affects up to 2/3 of all internet sites using SSL.

So what sites use SSL? Pretty much everyone. Your banks, credit card companies, even social media. In fact, Yahoo! announced that it did not know about the hole until it was made public, which means any Yahoo! password needs to be changed, including passwords for its other sites, Tumblr and Flickr.

To make matters worse, it seems that it’s not just websites, but your internet-connected devices as well. These would include your routers and networking equipment. In other words, if you have WiFi in your home or business, you need to check with the equipment’s manufacturer to see if it uses OpenSSL. If so, they will need to devise a “patch,” an update to their software that closes the hole. This takes longer than for websites, which is a bit worrisome. Two of the largest companies, Cisco and Juniper, have already announced that they are patching their equipment.

The widespread use of OpenSSL may also affect other online devices, from Blu-ray players to web-enabled refrigerators. While it’s cool to be able to control your thermostat from your iPhone, you don’t want some kid in Russia doing it. Just like the WiFi equipment, you need to check with the makers of the devices to see if they have a patch.

Most people need to change their passwords on the websites they use and contact the makers of their WiFi devices. Changing a password won’t do much good if the site has not yet fixed the hole; it just means you’ll need to change it again when they do. A small inconvenience. If you’re not sure, do a Google search for the site in question and “heartbleed.” Many of the larger sites have commented. If you find nothing, send a message to the site and ask them straight up if they are affected, and if they have fixed it. There is a good guide over at Tom’s Guide on what to do.

For companies, most states require online companies to report data breaches to their customers in writing. Heartbleed is particularly difficult because site administrators have no way of knowing whether they suffered a data breach, since a hacker using Heartbleed can come and go without leaving a trace. Therefore, it’s a good idea for all online companies using OpenSSL to act as if they had been breached. Patch the hole in the program, tell your customers that you use OpenSSL, and recommend that they change their passwords. If you’re not sure whether your site is vulnerable, try entering the URL here (keep it to your own sites; there may be legal issues with checking others).

If your company does not use OpenSSL but another SSL program, inform your customers that this is the case. Otherwise, you will be suspect for no good reason (plus you’ll look better protected than your competitors).

As for my clients: the Virtual Law Office, and all other services I use to hold client data, have been confirmed as secure or patched. Nonetheless, it’s still recommended that you change your password in the Virtual Law Office in case something happened before the breach.

NYTimes – Flaw Calls for Altering Passwords, Experts Say

Washington Post – Heartbleed could harm a variety of systems

Tom’s Guide – Heartbleed: Who Was Affected, What to Do Now

Heartbleed test

Tech Start-Ups Vulnerable to DDoS Attacks

Posted by | Security | April 11, 2014

The New York Times published a piece highlighting the recent vulnerability of tech start-ups to attack. A few new companies have been targeted for ransom attacks, in which the hacker demands a payment (like $300) or else they will launch a distributed denial-of-service (DDoS) attack on the site. DDoS attacks have been more common recently, hitting very large companies. This new wave of attacks focuses on small start-ups and only requests small amounts of money.

While the FBI is investigating them, online companies should be on their guard and have a plan in place to safeguard against such attacks, and be ready to respond should one occur.

NY Times – Tech Start-Ups Are Targets of Ransom Cyberattacks


Judge Rules NSA’s Cell Phone Program Unconstitutional

Posted by | NSA, Privacy, Security | December 19, 2013

I would be remiss not to comment on the recent court ruling holding the NSA phone program unconstitutional. U.S. District Judge Richard Leon held that the Fourth Amendment’s right to privacy outweighs the government’s interest in gathering and analyzing cell phone information (see the full opinion here). This was the first judicial opinion since the release of the NSA’s secret documents by Edward Snowden.

Central to the issue was the way the NSA bulk-collected everyone’s information without a warrant. Judge Leon described it as an “arbitrary invasion” that targeted “virtually every citizen.” The Government had proffered a 1979 case, Smith v. Maryland, 442 U.S. 735 (1979). The Supreme Court in Maryland had held that dialing a number was no different than calling an operator and asking to be connected. In doing so, the caller loses the expectation of privacy, so police did not need a warrant to get “pen register” data from phone companies. The Government had tried to argue that metadata collected in bulk followed the same logic.

Judge Leon distinguished Maryland by pointing out that the case only dealt with a short period of time, for calls targeting a suspect in a robbery. The NSA program, instead, deals with an untold number of citizens not suspected of anything, over an indefinite period. Further, he noted that the use of phones and the technology (and private information) involved had increased dramatically since 1979, so such standards could no longer control.

Judge Leon’s arguments make sense. Relying on the analogy of old technology is clearly flawed, though the difficulty in making those distinctions is also apparent. The emergence of cell phones as multi-purpose devices further muddies the issue. There is disturbingly little precedent dealing with cell phone data to date.

I also noticed that almost every article discussing this case pointed out that Judge Leon was appointed by President George W. Bush (e.g. This is something that happens almost every time a federal case or judge is discussed in the media. It is as if a judge’s decisions can only be viewed through the lens of the judge’s presumed partisanship. It is a disturbing sign that partisan politics is so widely assumed in judicial decision making as to make such an appointment a necessary part of the story.

Back to the case – Judge Leon granted the plaintiffs’ injunction, but stayed the order pending the Government’s inevitable appeal. This will be an interesting case to follow as it makes its way to the Supreme Court. It will certainly be a major test of the post-9/11 laws that granted the government many unbridled powers to combat terrorism and crime.
