The Privacy BlogPrivacy, Security, Cryptography, and Anonymity

TAG | Podcast

Play

CCC Censored

The Chaos Computer Club recently announced that their website was being blocked by Vodefone as part of their participation in the “Great Firewall of Britain”. This is somewhat concerning as they don’t seem to match any of the criteria for blocking that have been announced. This also blocks access to information and tickets for their upcoming conference. Many people predicted (me, EFF, and many others)  that this censorship system would inevitable overreach when it was first announced. (more…)

· · · · ·

Play

Party in limo

In two separate cases recently Uber has, or has talked about, abusing its information about their customer’s movements.

First a Buzzed reporter Johana Bhuiyan was told that she was tracked on the way to a meeting by Josh Mohrer, general manager of Uber New York.

Next Emil Michael, SVP of business for Uber, talked at a private dinner about the possibility of using the information Uber has about hostile reporters to gather dirt on them. (more…)

· · · · · ·

Play

Cricket

Engineers at Golden Frog recently discovered that Cricket wireless was automatically disabling their email encryption.

It is not at all clear why they were doing this, but we do know how. When an email client attempts to make a secure connection to a server, it sends a STARTTLS command. If the server never sees the STARTTLS, then it assumes you just wanted an insecure connection. (more…)

· · · · · ·

Play

Dark Hotel hall

Kaspersky recently announced the discovery of a new Advanced Persistent Threat (APT) that they are calling DarkHotel. This is in the fine tradition of giving all newly discovered hackers or vulnerabilities clever and evil sounding names. In this case they have found something quite interesting.

For the last 7 years a group has been systematically targeting executives and government officials staying at high end hotels. They hack their computers and grab their files, sniff their keyboards, and install virus that can then spread within the victim’s organization. (more…)

· · · · ·

Empty Cardboard Box

The recent incident where attackers posted usernames and passwords for compromised Dropbox accounts really shows the importance of practicing good password hygiene.

GigaOm has one of many articles describing the actual events. The short version is that some hackers have been posting usernames and passwords to Dropbox accounts on a Pastebin page. Dropbox says that they have not been compromised, and that the passwords were actually taken from other websites or through other methods.

If this is true, and it seems reasonable, then those who have been compromised became victims because they reused their passwords across multiple websites. That is probably a bigger security error than choosing weak passwords in the first place.

The security at websites varies widely, usually based on the sensitivity of the information on that site. Banks tend to have better security than news sites or discussion sites. If you use the same password with all these sites, then if any of them is compromised the attacker can simply try your username / password on every other interesting website to see if they work there too.

The solution is to use a different password on every website. They should not be simply modifications of each other but actually completely different passwords. Additionally they should be long and random. This means that they will be impossible to remember, but a password manager or password vault can take care of that for you. It will generate the strong random passwords, fill in the forms for you, and sync between your various computers and other devices. There is no excuse not to use unique and strong passwords with every website, and you will be much safer if you do.

Play

Lance Cottrell is the Founder and Chief Scientist of Anonymizer. Follow me on Facebook, Twitter, and Google+.

· · ·

Older posts >>