CAT | Personal Privacy
In many cases, a false sense of security causes people to put themselves at much greater risk.
The following article describes a “burner” phone service that re-uses the temporary phone numbers. It appears that number a security researcher received was previously used by a sex worker, who’s customers continued to send pictures and messages to the number after it had been re-assigned.
The Internet is on fire with discussions of the recent release of stolen nude photos of over 100 female celebrities. This is a massive invasion of their privacy, and it says something sad about our society that there is an active market for such pictures. While this particular attack was against the famous, most of us have information in the cloud that we would like to stay secret.
While there is not a definitive explanation of the breach the current consensus is that it was probably caused by a vulnerability in Apple’s “Find My iPhone” feature. Apparently the API interface to this service did not check for multiple password failures, a standard security practice. This allowed attackers to test effectively unlimited numbers of passwords for each of the accounts they wanted to access.
Because most people use relatively weak passwords, this attack is quite effective. Once they gained access to the accounts, they could sync down photos or any other information stored in iCloud.
Of course, the first rule of secrecy is: If it does not exist, it can’t be discovered.
If you do want to create something that you would be pained to see released publicly, then make sure you keep close control of it. Store it locally, and encrypted.
Wherever you keep it, make sure it has a strong password. Advice for strong passwords has changed over time because of the increasing speed of computers. It used to be that fancy pneumonics would do the trick but now the fundamental truth is: if you can remember it, it is too weak.
This is particularly true because you need to be using completely different passwords for every website. Changing a good password in a simple obvious way for every website is obvious. It might prevent brute force attacks but if some other attack gives access to your password, the attacker will be able to easily guess your password on all other websites.
You need to be using a password manager like 1Password (Mac), LastPass, Dashlane, etc. Let the password manager generate your passwords for you. This is what a good password should look like: wL?7mpEyfpqs#kt9ZKVvR
Obviously I am never going to remember that, but I don’t try. I have one good password that I have taken the time to memorize, and it unlocks the password manager which has everything else.
UPDATE: There appears to be some question about whether this vulnerability is actually to blame.
This article describes a clever attack against Secret, the “anonymous” secret sharing app.
Their technique allows the attacker to isolate just a single target, so any posts seen are known to be from them. The company is working on detecting and preventing this attack, but it is a hard problem.
In general, any anonymity system needs to blend the activity of a number of users so that any observed activity could have originated from any of them. For effective anonymity the number needs to be large. Just pulling from the friends in my address book who also use Secret is way too small a group.
The Importance of Privacy & The Power of Anonymizers: A Talk With Lance Cottrell From Ntrepid — The Social Network Station A recent interview I did, talking about data anonymization and mobile device privacy. Lance Cottrell is the Founder and Chief Scientist of Anonymizer. Follow me on Facebook, Twitter, and Google+.
The latest leaked messages to blow up in someone’s face are some emails from Evan Spiegel, the CEO of Snapchat. These were incredibly sexist emails sent while he was in college at Stanford organizing fraternity parties.
These emails are like racist rants, homophobic tweets, and pictures of your “junk”. They are all trouble waiting to happen, and there is always a risk that they will crop up and bite you when you least expect it. If you have ever shared any potentially damaging messages, documents, photos, or whatever then you are at risk if anyone in possession of them is angry, board, or in search of attention.
Even if it only ever lives on your computer, you are vulnerable to hackers breaking in and stealing it, or to someone getting your old poorly erased second hand computer.
This falls in to the “if it exists it will leak” rant that I seem to be having to repeat a lot lately. The first rule of privacy is: think before you write (or talk, or take a picture, or do something stupid). Always assume that anything will leak, will be kept, will be recorded, will be shared. Even when you are “young and stupid” try to keep a thought for how that thing would be seen in ten years when you are in a very different position. Of course, ideally you are not sexist, racist, homophobic, or stupid in the first place.