Two researchers appear to have discovered a serious flaw in USB. This isn’t just your everyday virus. Malware planted using this flaw is not merely stored on the flash memory itself; it’s actually in the firmware that the drive depends on to run. One article blames the flaw on the USB Implementers Forum, which supports and promotes the USB specification. The flaw is able to spread from a USB flash drive to a computer and vice versa.
Until device makers come up with a fix, Nohl, one of the two researchers, proposes a short-term solution: Don’t connect untrusted USB drives to your computer, and don’t connect your USB drives to untrusted computers.
Simple enough, right? Even before this flaw was discovered, Nohl’s suggestion would have been sound advice; untrusted computers can plant more run-of-the-mill malware on your drive or tamper with your files. But the fact that the article describes Nohl’s suggestion as a “fundamental change in how we use USB gadgets” reflects on how most of us in fact use our USB flash drives. This is unsurprising, considering how convenient it is to carry our files around from one computer to another, but it is also an attitude that should be reexamined, particularly in light of these latest discoveries.
The 3 Threats
Last week, a group of researchers released a paper detailing 3 major new threats to online privacy:
1. Canvas fingerprinting: This basically involves telling your browser to draw an invisible image. It is done in such a way that each browser is likely to draw the image slightly differently. This allows the site to identify your browser.
2. Evercookies: The site uses data stored in alternative vectors to respawn deleted HTTP cookies. Such vectors include Flash cookies, localStorage, and IndexedDB.
3. Cookie Syncing: This is the practice of two or more sites sharing a user identifier with each other, allowing the sites to combine their respective databases to build a more detailed profile of their users’ browsing history.
These methods are far more difficult to defend against than the use of traditional HTTP cookies, which are easily deleted.
Continue reading: 3 Major New Threats to Online Privacy
Remember the controversy over Facebook’s psychology study of its own users? Dating site OkCupid has risen to Facebook’s defense, claiming that it too runs similar experiments on its own users.
OkCupid claims that such experiments are necessary for testing out products and features. Testing and obtaining user feedback in an effort to improve a service is one matter, but outright lying is quite another. One example of the kind of experiment OkCupid ran on its users was to tell people they were good matches when in fact they weren’t, leading them to send more messages. This kind of deception bears a remarkable similarity to Facebook’s manipulation of user news feeds.
As with Facebook, OkCupid has significant clout due to
Continue reading: Like Facebook, OkCupid also Experiments on its Users
Update (September 7, 2014): Today, I updated a computer to Java 8 Update 20. This time, I know for a fact that the boxes that lead to installation of an Ask program and change my home page settings were checked by default. Here’s what the installer for Java 8 Update 20 pops up:
Guess what? They changed the word “Toolbar” to “Search App”. Is that supposed to make the program more palatable? Giving the program a different name doesn’t change its nature. Nor does it change the fact that it’s an opt-out, rather than an opt-in, third-party program.
My original post (July 26, 2014):
Last week, I was updating Java on a computer when I got the following pop-up. Although I’m not 100% certain, I believe the box next to “Install the Ask Toolbar in Internet Explorer” was checked, thus installing a toolbar into the browser of any unwary user. This situation is not news; Oracle has been doing this for over a year already. Nevertheless, I thought I’d take a moment to remind everyone not to click those “next” buttons in program installers without reading what you’re agreeing to.
Many companies, including large and well-known ones, bundle third-party programs into the installers for their own software. When you’re updating a program, how often do you read through every prompt
Continue reading: Watch Out for Bundled Third-Party Software
In recent years, a question has been raised: Who should have access to your online accounts after your death? Apparently, a group of lawyers are trying to make it easier for your loved ones to get access. The article notes that “the plan is likely to frustrate some privacy advocates.”
However, I had a partially opposite reaction. Given Facebook’s recent record, I think I would hesitate before labeling Facebook the champion of user privacy. As a society, have we really gotten to the point where the secrets we share with companies like Facebook are more intimate than the secrets we share with our loved ones? Personally, I think if you have secrets stored on Facebook that you would hesitate to share with your loved ones, you should consider the possibility that you might be confiding in (e.g. sending private messages, making wall posts, giving biographical details) Facebook just a little bit too much.
That said, I said that my reaction was only “partially” opposite because everyone has secrets, and there may be other online services that do contain information that the deceased would wish to keep from their loved ones. For the sake of my privacy, though, I would hope if there are such secrets, the service in question is one that is worthy of my trust.
2 days ago, Avast made a post on their blog describing their successful efforts to recover data from 20 old phones that they bought from eBay. Some details of their forensic analysis of the phones were provided the next day. Avast describes the inadequacy of deleting files “the regular way” and plugs its own app, which it claims allows the secure deletion of files. When Avast mentions deleting files “the regular way,” they simply mean
Continue reading: An Overview of Secure Data Deletion
According to threat intelligence firm CrowdStrike, Chinese cyber spies have been targeting think tanks, ostensibly to obtain information on the potential disruption of Chinese oil interests in Iraq. Spear-phishing, the act of sending an e-mail tailored to a specific individual (as opposed to e-mails sent out en masse to many different individuals, which is simply “phishing”) to fraudulently induce them to give away personal information such as their e-mail password, is hardly a new tactic; nor is the Chinese government the only group that has been accused of using it. In February 2014, the Syrian Electronic Army hacked into Forbes using the same tactic. In many cases, the true perpetrator of an attack is unclear, especially when Internet traffic is routed through the accused country.
I’m going to leave the finger-pointing to governments and the private firms that investigate such attacks. I will instead focus on how you can protect yourself against such attacks. While
Continue reading: How to Protect Yourself Against Spear-Phishing