The Privacy BlogPrivacy, Security, Cryptography, and Anonymity

CAT | Podcast

Empty Cardboard Box

The recent incident where attackers posted usernames and passwords for compromised Dropbox accounts really shows the importance of practicing good password hygiene.

GigaOm has one of many articles describing the actual events. The short version is that some hackers have been posting usernames and passwords to Dropbox accounts on a Pastebin page. Dropbox says that they have not been compromised, and that the passwords were actually taken from other websites or through other methods.

If this is true, and it seems reasonable, then those who have been compromised became victims because they reused their passwords across multiple websites. That is probably a bigger security error than choosing weak passwords in the first place.

The security at websites varies widely, usually based on the sensitivity of the information on that site. Banks tend to have better security than news sites or discussion sites. If you use the same password with all these sites, then if any of them is compromised the attacker can simply try your username / password on every other interesting website to see if they work there too.

The solution is to use a different password on every website. They should not be simply modifications of each other but actually completely different passwords. Additionally they should be long and random. This means that they will be impossible to remember, but a password manager or password vault can take care of that for you. It will generate the strong random passwords, fill in the forms for you, and sync between your various computers and other devices. There is no excuse not to use unique and strong passwords with every website, and you will be much safer if you do.

Play

Lance Cottrell is the Founder and Chief Scientist of Anonymizer. Follow me on Facebook, Twitter, and Google+.

· · ·

USB connectorA couple of months ago researcher Karsten Nohl demonstrated a security vulnerability that he called BadUSB. Basically it was a demonstration that an attacker could alter the firmware in a USB device to automatically attack anything it was plugged in to. At the recent DerbyCon, researchers Adam Caudill and Brandon Wilson demonstrated their version of the attack and released sample code for how to implement it. This really opens pandora’s box.

The problem here is that this is not actually a bug in USB. It is exactly how USB is designed to work (as insecure as that might be), and changing that behavior is likely to break a lot of other things. A good and effective fix for this vulnerability is probably years away.

In the mean time, take great care with USB devices. My suggestion is to never use another person’s USB device. Don’t use USB to transfer files, and make sure that any USB devices you do use are obtained directly in unopened packaging. There could still be exploits introduced in manufacturing, but at least you are as safe as reasonably possible.

Play

Lance Cottrell is the Founder and Chief Scientist of Anonymizer. Follow me on Facebook, Twitter, and Google+.

· · · · ·

Apple Store Chicago

Apple is getting taken to task for a couple of security issues.

First, their recently announced “Random MAC address” feature does not appear to be as effective as expected. The idea is that the iOS 8 device will use randomly generated MAC addresses to ping WiFi base stations when it is not actively connected to a WiFi network. This allows your phone to identify known networks and to use WiFi for enhanced location information without revealing your identity or allowing you to be tracked. Unfortunately the MAC only changes when the phone is sleeping, which is really rare with all the push notifications happening all the time. The effect is that the “random” MAC addresses are changed relatively infrequently. The feature is still good, but needs some work to be actually very useful.

Second, people are noticing their passwords showing up in Apples iOS 8 predictive keyboard. The keyboard is designed to recognize phrases you type frequently so it can propose them to you as you type, thus speeding message entry. The problem is that passwords often follow user names, and may be typed frequently. Research is suggesting that the problem is from websites that fail to mark their password fields. Apple is smart enough to ignore text in known password fields, but if it does not know that it is a password, then the learning happens. It is not clear that this is Apple’s fault, but it is still a problem for users. Auto-fill using the latest version of 1Password should protect against this.

Play

Lance Cottrell is the Founder and Chief Scientist of Anonymizer. Follow me onFacebookTwitter, and Google+.

· · · · ·

Sep/14

5

The Privacy Blog Podcast – Ep. 23

Play

Standard Profile PictureIn episode 23 of our podcast for August 2014, I talk about:

  • The absurd alarmism over the new Facebook Messenger App’s privacy settings
  • Brazil’s move to ban anonymity
  • How the secrecy of the secret app has been compromised
  • and finally how Tor users were put at risk by a fake website

· ·

Aug/14

3

The Privacy Blog Podcast – Ep. 22

Play

Standard Profile PictureWelcome to episode 22 of the Privacy Blog Podcast for July, 2014.
In this episode I will talk about:

  • A recent revealed compromise of the Tor anonymity system
  • Why Canvas Fingerprinting both is and is not a big deal
  • The coming conflict between US searches and EU privacy
  • How even genealogy information can compromise your identity
  • An update on Chinese censorship
  • Why the security model of the web is hopelessly broken
  • Russia’s continuing crackdown on the Internet
  • and finally how Lightbulbs, among other things, can
  • compromise your network

· · · · ·

Older posts >>