Entries Tagged "Internet"

Page 10 of 21

Cryptocat

I’m late writing about this one. Cryptocat is a web-based encrypted chat application. After Wired published a pretty fluffy profile on the program and its author, security researcher Chris Soghoian wrote an essay criticizing the unskeptical coverage. Ryan Singel, the editor (not the writer) of the Wired piece, responded by defending the original article and attacking Soghoian.

At this point, I would have considered writing a long essay explaining what’s wrong with the whole concept behind Cryptocat, and echoing my complaints about the dangers of uncritically accepting the security claims of people and companies that write security software, but Patrick Ball did a great job:

CryptoCat is one of a whole class of applications that rely on what’s called “host-based security”. The most famous tool in this group is Hushmail, an encrypted e-mail service that takes the same approach. Unfortunately, these tools are subject to a well-known attack. I’ll detail it below, but the short version is if you use one of these applications, your security depends entirely the security of the host. This means that in practice, CryptoCat is no more secure than Yahoo chat, and Hushmail is no more secure than Gmail. More generally, your security in a host-based encryption system is no better than having no crypto at all.

Sometimes it’s nice to come in late.

EDITED TO ADD (8/14): As a result of this, CryptoCat is moving to a browser plug-in model.

Posted on August 14, 2012 at 6:00 AMView Comments

Me at RSA 2012

This is not a video of my talk at the RSA Conference earlier this year. This is a 16-minute version of that talk—TED-like—that the conference filmed the day after for the purpose of putting it on the Internet.

Today’s Internet threats are not technical; they’re social and political. They aren’t criminals, hackers, or terrorists. They’re the government and corporate attempts to mold the Internet into what they want it to be, either to bolster their business models or facilitate social control. Right now, these two goals coincide, making it harder than ever to keep the Internet free and open.

Posted on April 13, 2012 at 2:11 PMView Comments

Teenagers and Privacy

Good article debunking the myth that young people don’t care about privacy on the Intenet.

Most kids are well aware of risks, and make “fairly sophisticated” decisions about privacy settings based on advice and information from their parents, teachers, and friends. They differentiate between people they don’t know out in the world (distant strangers) and those they don’t know in the community, such as high school students in their hometown (near strangers). Marisa, for example, a 10-year-old interviewed in the study (who technically is not allowed to use Facebook), “enjoys participating in virtual worlds and using instant messenger and Facebook to socialize with her friends”; is keenly aware of the risks—especially those related to privacy; and she doesn’t share highly sensitive personal information on her Facebook profile and actively blocks certain people.

[…]

Rather than fearing the unknown stranger, young adults are more wary of the “known other”—parents, school teachers, classmates, etc.—for fear of “the potential for the known others to share embarrassing information about them”; 83 percent of the sample group cited at least one known other they wanted to maintain their privacy from; 71 percent cited at least one known adult. Strikingly, seven out of the 10 participants who reported an incident when their privacy was breached said it was “perpetrated by known others.”

Posted on April 10, 2012 at 10:21 AMView Comments

The Battle for Internet Governance

Good article on the current battle for Internet governance:

The War for the Internet was inevitable—a time bomb built into its creation. The war grows out of tensions that came to a head as the Internet grew to serve populations far beyond those for which it was designed. Originally built to supplement the analog interactions among American soldiers and scientists who knew one another off-line, the Internet was established on a bedrock of trust: trust that people were who they said they were, and trust that information would be handled according to existing social and legal norms. That foundation of trust crumbled as the Internet expanded. The system is now approaching a state of crisis on four main fronts.

The first is sovereignty: by definition, a boundary-less system flouts geography and challenges the power of nation-states. The second is piracy and intellectual property: information wants to be free, as the hoary saying goes, but rights-holders want to be paid and protected. The third is privacy: online anonymity allows for creativity and political dissent, but it also gives cover to disruptive and criminal behavior—and much of what Internet users believe they do anonymously online can be tracked and tied to people’s real-world identities. The fourth is security: free access to an open Internet makes users vulnerable to various kinds of hacking, including corporate and government espionage, personal surveillance, the hijacking of Web traffic, and remote manipulation of computer-controlled military and industrial processes.

Posted on April 4, 2012 at 12:34 PMView Comments

Facebook Patent to Track Users Even When They are Not Logged In to Facebook

Patent application number 2011/023240:

Communicating Information in a Social Network System about Activities from Another Domain

Abstract: In one embodiment, a method is described for tracking information about the activities of users of a social networking system while on another domain. The method includes maintaining a profile for each of one or more users of the social networking system, each profile identifying a connection to one or more other users of the social networking system and including information about the user. The method additionally includes receiving one or more communications from a third-party website having a different domain than the social network system, each message communicating an action taken by a user of the social networking system on the thirdparty website. The method additionally includes logging the actions taken on the third-party website in the social networking system, each logged action including information about the action. The method further includes correlating the logged actions with one or more advertisements presented to the one or more users on the third-party website as well as correlating the logged actions with a user of the social networking system.

Facebook denies that this is a patent for that. Although Facebook does seem to track users even when they are not logged in, as well as people who aren’t even Facebook users.

EDITED TO ADD (10/24): Facebook claims that, while they do collect information on non-users, they don’t use it for profiling. This feels like hair-splitting to me; I get emails from Facebook with lists of friends who are already on the site.

EDITED TO ADD (10/24): It’s a patent application, not a patent.

Posted on October 24, 2011 at 6:42 AMView Comments

Domain-in-the-Middle Attacks

It’s an easy attack. Register a domain that’s like your target except for a typo. So it would be countrpane.com instead of counterpane.com, or mailcounterpane.com instead of mail.counterpane.com. Then, when someone mistypes an e-mail address to someone at that company and you receive it, just forward it on as if nothing happened.

These are called “doppelganger domains.”

To test the vulnerability, the researchers set up 30 doppelganger accounts for various firms and found that the accounts attracted 120,000 e-mails in the six-month testing period.

The e-mails they collected included one that listed the full configuration details for the external Cisco routers of a large IT consulting firm, along with passwords for accessing the devices. Another e-mail going to a company outside the U.S. that manages motorway toll systems provided information for obtaining full VPN access into the system that supports the road tollways. The e-mail included information about the VPN software, usernames, and passwords.

They’re already being used to spy on companies:

Some of the companies whose doppelganger domains have already been taken by entities in China included Cisco, Dell, HP, IBM, Intel, Yahoo and Manpower. For example, someone whose registration data suggests he’s in China registered kscisco.com, a doppelganger for ks.cisco.com. Another user who appeared to be in China registered nayahoo.com ­ a variant of the legitimate na.yahoo.com (a subdomain for Yahoo in Namibia).

Kim said that out of the 30 doppelganger domains they set up, only one company noticed when they registered the domain and came after them threatening a lawsuit unless they released ownership of it, which they did.

He also said that out of the 120,000 e-mails that people had mistakenly sent to their doppelganger domains, only two senders indicated they were aware of the mistake. One of the senders sent a follow-up e-mail with a question mark in it, perhaps to see if it would bounce back. The other user sent out an e-mail query to the same address with a question asking where the e-mail had landed.

Defenses are few:

Companies can mitigate the issue by buying up any doppelganger domains that are still available for their company. But in the case of domains that may already have been purchased by outsiders, Kim recommends that companies configure their networks to block DNS and internal e-mails sent by employees that might get incorrectly addressed to the doppelganger domains. This won’t prevent someone from intercepting e-mail that outsiders send to the doppelganger domains, but at least it will cut down on the amount of e-mail the intruders might grab.

I suppose you can buy up the most common typos, but there will always be ones you didn’t think about—especially if you use a lot of subdomains.

Posted on September 16, 2011 at 5:22 AMView Comments

1 8 9 10 11 12 21

Sidebar photo of Bruce Schneier by Joe MacInnis.