In episode 17 of The Privacy Blog Podcast for February, 2014 I talk about:
- The just completed RSA Security conference
- How an email can expose your location
- A guy who suffered extortion because his username was so valuable.
- What happened in the latest Bitcoin fiasco
- Exactly how secure Apple’s iMessage protocol is
- And finally how insurance companies may drive changes in cyber security
Apple released an update for Mac OS X 10.9 fixing the serious GOTO FAIL SSL vulnerability. This update appears to resolve the problem for the Safari browser and many other Apple applications that use SSL/TLS.
If you use a Mac, make sure you install this update ASAP. Go to Software Update and you should see the update available.
Here is another example of the problem with storing your cash in an untrustworthy entity. Many Bitcoin services are based on having some third party store your coins for you. This has now led to major thefts or losses of coins on a number of occasions. There is no insurance or mechanism for restitution to the people who have lost their coins. Reports suggest that 740,000 Bitcoin have gone missing. The precipitous loss of value on exchanges has also caused a further hit to the value of everyone’s coins.
I strongly encourage Bitcoin users to follow one of the following strategies to protect themselves.
1) Only purchase Bitcoins immediately prior to use, and convert your coins back to a conventional currency in an insured bank account as quickly as possible after receiving them. This minimizes your exposure to loss, theft, or market volatility.
2) Keep your Bitcoins securely stored in your own, ideally offline, wallet. Only allow third parties to have the minimum possible amount of coins for as short a time as possible.
It turns out that for several years Safari has failed to properly check the cryptographic signatures on Server Key Exchanges, allowing attackers to mount man-in-the-middle attacks against your browser sessions. Anyone with the ability to intercept your traffic could read and modify the data to or from any secure website you visit (of course they can always do it with insecure websites). This would include any WiFi you are using, the local ISP, backbone ISPs, and government entities wherever you might be, or anywhere along the path to the server you are trying to reach.
This vulnerability impacts both iOS and Mac OS X. You can test whether you are vulnerable here.
There is a patch already available for iOS so update your device now!
If you are on a Mac, switch to using some browser other than Safari. Chrome and Firefox are both safe from this particular attack.
If you are on Windows, Linux, BSD, or Android, you would appear to be safe.
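To show how a signature check on the Server Key Exchange can be skipped without any error being reported, here is an added example (a simplified model written for this page, not Apple's source code) of the duplicated `goto fail` control flow next to a hardened version. The function names, the stand-in hash and signature routines, and the sample values are all constructed assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-ins for the real hash and signature primitives. */
static int hash_update(const unsigned char *data, size_t len) {
    (void)data; (void)len;
    return 0;                               /* 0 means success */
}
static int verify_signature(const unsigned char *sig, size_t len) {
    static const unsigned char good[] = "constructed-valid-signature";
    return (len == sizeof good - 1 && memcmp(sig, good, len) == 0) ? 0 : -1;
}

/* Flawed flow: the second goto is not governed by the if, so it always
   runs while err still holds 0 from the successful hash step. */
int verify_key_exchange_flawed(const unsigned char *params, size_t plen,
                               const unsigned char *sig, size_t slen) {
    int err;
    if ((err = hash_update(params, plen)) != 0)
        goto fail;
        goto fail;                          /* duplicated line */
    err = verify_signature(sig, slen);      /* never reached */
fail:
    return err;
}

/* Hardened flow: braces on every branch, and the result starts as failure
   and becomes success in exactly one place, after verification. */
int verify_key_exchange_fixed(const unsigned char *params, size_t plen,
                              const unsigned char *sig, size_t slen) {
    int result = -1;
    if (hash_update(params, plen) != 0) {
        goto done;
    }
    if (verify_signature(sig, slen) != 0) {
        goto done;
    }
    result = 0;
done:
    return result;
}

int main(void) {
    const unsigned char p[] = "constructed-params", s[] = "constructed-invalid-signature";
    printf("flawed=%d fixed=%d (0 means accepted)\n",
           verify_key_exchange_flawed(p, sizeof p - 1, s, sizeof s - 1),
           verify_key_exchange_fixed(p, sizeof p - 1, s, sizeof s - 1));
    return 0;
}
```

Compiling with warnings for misleading indentation and unreachable code enabled, and requiring braces in code review, are the checks that catch this pattern.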
We have seen interesting experiments and studies where researchers have looked at what people are willing to pay to protect their privacy.
This then would be the opposite experiment. A company called Datacoup is offering people $8 per month to give them access to all of their social media accounts, and information on their credit and debit card transactions.
You certainly can’t fault them for being covert about their intentions. They are saying very directly what they want and offering a clear quid pro quo.
I don’t think I will be a customer, but it will be very interesting to see if they can find a meaningful number of people willing to make this deal.