taestell

Security and Privacy


Further, most digital natives grew up with a sense that their privacy was compromised - via Facebook posts, etc. My generation was just on the cusp of being able to remember an existence off the grid.

 

I'd argue that in America right now, one does not have the right to be forgotten or left alone. Not if you want any semblance of a normal life at least.


This isn't really a fair characterization of the benefits of having mobile/smartphones, though. Getting real-time transit info, for example, allows you to plan much more dynamically than waiting for a bus that is late or had its run canceled. No amount of non-sloppy planning would fix that, and it's not an infrequent occurrence for many who rely on transit daily. That's just one example of many tangible benefits.

 

I just look at the schedule (or know the schedule) and stand there until the bus shows up.  Looking at your phone doesn't make it get there any sooner. 

 

Notice the bolded part. The schedule won't tell you if a bus is running late or its run was canceled. Especially in the case that a run is canceled and the headways are long, it's a significant quality of life improvement to not be sitting at a bus stop twiddling your thumbs for 30+ extra minutes.


Further, most digital natives grew up with a sense that their privacy was compromised - via Facebook posts, etc. My generation was just on the cusp of being able to remember an existence off the grid.

 

I'd argue that in America right now, one does not have the right to be forgotten or left alone. Not if you want any semblance of a normal life at least.

 

All you used to have to do was leave town.


If you guys are truly concerned about apps and websites turning on your webcams and microphones, I hope you are using operating systems and hardware that prevent applications from doing so.

 

For example, on iOS, the permissions are very granular. You can go into your settings and verify which apps have permission to access your camera, microphone, photos, location, etc. When the apps are using those things, an icon is shown on the phone to indicate that. If you have not granted that permission, it is simply not possible for an application to bypass that. A lot of apps also request to know your location at all times, and I change the vast majority down to the lower "use my location only when I'm using the app" setting.

 

Similarly, on the last generation of MacBook Pro and iMac hardware, the webcam is controlled via a different internal chipset. Therefore it is impossible for any app to use the webcam without turning on the green LED right next to the webcam. Although it does not have any type of indicator light that comes on when the microphone is in use.


Notice the bolded part. The schedule won't tell you if a bus is running late or its run was canceled. Especially in the case that a run is canceled and the headways are long, it's a significant quality of life improvement to not be sitting at a bus stop twiddling your thumbs for 30+ extra minutes.

 

Phone people are either screwing around with their phone indoors or outdoors.  If it's raining, you need an umbrella anyway for when you walk from the bus to wherever you're going. 

 

When I was a kid (again, no phones, no internet) one day the school bus didn't show up and we all stood around joking for about 15 minutes wondering if we actually had to go to school. Then a yellow mini bus showed up with an unknown driver and we all had to crowd on that thing, which was pretty funny.  Unfortunately we still ended up getting to school on time.  So FFWD 25 years...with the miracle of cell phones, we could have known the mini bus was coming and gone back to our houses to play with our phones for 10 minutes instead of playing with our phones for 10 minutes at the bus stop.  We could have snapchatted a photo of the mini bus.  Awesome.  Rad.  LIKES!

 

 


If you guys are truly concerned about apps and websites turning on your webcams and microphones, I hope you are using operating systems and hardware that prevent applications from doing so.

 

For example, on iOS, the permissions are very granular. You can go into your settings and verify which apps have permission to access your camera, microphone, photos, location, etc. When the apps are using those things, an icon is shown on the phone to indicate that. If you have not granted that permission, it is simply not possible for an application to bypass that. A lot of apps also request to know your location at all times, and I change the vast majority down to the lower "use my location only when I'm using the app" setting.

 

Similarly, on the last generation of MacBook Pro and iMac hardware, the webcam is controlled via a different internal chipset. Therefore it is impossible for any app to use the webcam without turning on the green LED right next to the webcam. Although it does not have any type of indicator light that comes on when the microphone is in use.

 

From a few of my sources on the "other side", I'm not convinced of the effectiveness of these OS's


From a few of my sources on the "other side", I'm not convinced of the effectiveness of these OS's

 

What are you implying? That if I go into my iOS settings and deny an app the ability to use my microphone, the app is figuring out some way to get around that restriction? If so, that would be a huge security vulnerability, and given how much people like to s**t on Apple any time they make a mistake, it would be front page news. I follow a lot of people in the information security field and have never heard anyone make an accusation like this.


Stock Android (AOSP) is open source.

 

Does any phone manufacturer release an AOSP-only phone? I would guess that even the Nexus ships with proprietary Google code.

 

iOS and macOS also have open source components.

 

KDE is trying to create a fully open source phone/tablet OS, but it's a ways off, if it ever works.


From a few of my sources on the "other side", I'm not convinced of the effectiveness of these OS's

 

What are you implying? That if I go into my iOS settings and deny an app the ability to use my microphone, the app is figuring out some way to get around that restriction? If so, that would be a huge security vulnerability, and given how much people like to s**t on Apple any time they make a mistake, it would be front page news. I follow a lot of people in the information security field and have never heard anyone make an accusation like this.

 

No. I'm implying that such a feature can be rendered useless if someone else has access to and thereby control over your phone.

 

Phones are being hacked more rapidly than computers right now. And once the harmful malware is there, that hacker owns that phone.


Are you saying that major tech companies like Facebook or Amazon are creating malware?  Or that someone else is creating malware, which is then exploited by FB or Amazon?


Someone else having physical access to the device is a whole different matter. To my prior point, this is why Apple is starting to add an additional layer of security where the computer will not even boot unless the operating system has been cryptographically signed by Apple. This feature has only debuted in the new iMac Pro that just came out in December, but will roll out to their other machines as new hardware comes out (since it requires a second chipset on the machine). This means that even if someone has physical access to your machine and has installed a hacked version of the OS that bugs your mic, the security chipset won't even allow the machine to boot.

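The boot-time check the post above describes (a vendor public key pinned in a separate security chip, and an OS image that is refused unless its signature verifies against that key), as an added example written for this thread. It is not Apple's code and says nothing about what Apple's chip actually uses internally: Ed25519 over a SHA-256 digest is a stand-in signature scheme, and the key pairs, the image bytes and the "mic bug" patch are all constructed for the demo.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Image is an OS image as the boot ROM sees it: the payload plus a detached
// signature over the payload's SHA-256 digest.
type Image struct {
	Payload   []byte
	Signature []byte
}

// Sign is the vendor side. Only the holder of the vendor private key can
// produce an Image that VerifyBoot will accept.
func Sign(priv ed25519.PrivateKey, payload []byte) Image {
	digest := sha256.Sum256(payload)
	return Image{Payload: payload, Signature: ed25519.Sign(priv, digest[:])}
}

// VerifyBoot is the chip side. pinned stands in for the vendor public key
// burned into the security chip, which software on the disk cannot replace.
// A nil return means the image may boot; anything else means refuse.
func VerifyBoot(pinned ed25519.PublicKey, img Image) error {
	if len(img.Signature) != ed25519.SignatureSize {
		return errors.New("malformed signature; refusing to boot")
	}
	digest := sha256.Sum256(img.Payload)
	if !ed25519.Verify(pinned, digest[:], img.Signature) {
		return errors.New("image not signed by pinned vendor key; refusing to boot")
	}
	return nil
}

// Scenarios runs the three cases that matter for the physical-access threat:
// the genuine image, the genuine image patched on disk with its old signature
// kept, and the patched image re-signed with a key the attacker generated.
func Scenarios() (genuineBoots, tamperedBoots, attackerBoots bool, err error) {
	vendorPub, vendorPriv, err := ed25519.GenerateKey(rand.Reader) // hypothetical vendor key
	if err != nil {
		return
	}
	_, attackerPriv, err := ed25519.GenerateKey(rand.Reader) // hypothetical attacker key
	if err != nil {
		return
	}

	image := []byte("kernel+rootfs v1 (constructed placeholder bytes)")
	genuine := Sign(vendorPriv, image)
	genuineBoots = VerifyBoot(vendorPub, genuine) == nil

	// Evil-maid case: edit the image in place (say, to bug the mic) and keep
	// the original signature. The digest no longer matches, so it is refused.
	tampered := Image{
		Payload:   bytes.Replace(genuine.Payload, []byte("v1"), []byte("v1-mic-bug"), 1),
		Signature: genuine.Signature,
	}
	tamperedBoots = VerifyBoot(vendorPub, tampered) == nil

	// Re-signing with the attacker's own key does not help: the chip only
	// trusts the pinned vendor key.
	attacker := Sign(attackerPriv, tampered.Payload)
	attackerBoots = VerifyBoot(vendorPub, attacker) == nil
	return
}

func main() {
	g, t, a, err := Scenarios()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine boots: %v\ntampered boots: %v\nattacker-signed boots: %v\n", g, t, a)
}
```

What this check does and does not cover: it decides whether an image is allowed to start, so it defeats someone swapping or patching the OS on disk. It does not inspect anything once a legitimately signed OS is running, so malware that gets in through an app or a browser after boot is a separate problem from the one this mechanism addresses.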

Someone else having physical access to the device is a whole different matter. To my prior point, this is why Apple is starting to add an additional layer of security where the computer will not even boot unless the operating system has been cryptographically signed by Apple. This feature has only debuted in the new iMac Pro that just came out in December, but will roll out to their other machines as new hardware comes out (since it requires a second chipset on the machine). This means that even if someone has physical access to your machine and has installed a hacked version of the OS that bugs your mic, the security chipset won't even allow the machine to boot.

 

What about that new $350 speaker that Apple is selling?  It has a mic on it. 

 


Someone else having physical access to the device is a whole different matter. To my prior point, this is why Apple is starting to add an additional layer of security where the computer will not even boot unless the operating system has been cryptographically signed by Apple. This feature has only debuted in the new iMac Pro that just came out in December, but will roll out to their other machines as new hardware comes out (since it requires a second chipset on the machine). This means that even if someone has physical access to your machine and has installed a hacked version of the OS that bugs your mic, the security chipset won't even allow the machine to boot.

 

I know a guy who (says he) can hack most phones from sufficient distance that you wouldn't think twice about him.  He would need to be relatively close though, like across the street.  If his methods are no good anymore, that's wonderful.  But I doubt security systems will even get too far ahead of hackers.  Security will never quite win the war because the hacker army is thousands of times bigger than theirs.  And because nefarious intent seems to breed a certain amount of creativity.


So, quick brag...

 

My mom founded her own security company - Preferred Security. Since I was 13 I watched her work another job while starting this company from scratch.

 

Last night, a church in Wadsworth was robbed, and police found two young men hiding on top of a warehouse nearby. Police then used the cameras that my mom's company installed on the warehouse to review the prior night's activities. The police then realized that there was a third man in the church with them.

 

Upon discovering the man's identity, the police obtained a search warrant and entered his home. Inside, they found the wallet of a 98 year old woman who was murdered and shoved in her own closet.

 

Could not be more proud to see my mom's company having such a positive impact on Northeast Ohio.


Brian Krebs, one of the most respected journalists covering cybersecurity issues, writes about how the extended government shutdown is hurting this country's cybersecurity:

 

One federal agent with more than 20 years on the job told KrebsOnSecurity the shutdown “is crushing our ability to take the fight to cyber criminals.”

 

“The talent drain after this is finally resolved will cost us five years,” said the source, who asked to remain anonymous because he was not authorized to speak to the news media. “Literally everyone I know who is able to retire or can find work in the private sector is actively looking, and the smart private companies are aware and actively recruiting. As a nation, we are much less safe from a cyber security posture than we were a month ago.”

 

The source said his agency can’t even get agents and analysts the higher clearances needed for sensitive cases because everyone who does the clearance processing is furloughed.

 

“Investigators who are eligible to retire or who simply wish to walk away from their job aren’t retiring or quitting now because they can’t even be processed out due to furlough of the organization’s human resources people,” the source said. “These are criminal investigations involving national security. It’s also a giant distraction and people aren’t as focused.”


AG Barr to Facebook: We need 'lawful access' to users' digital messages to fight crime

Facebook acknowledges the needs of law enforcement but wants to protect its users from unwanted snooping.

https://www.nbcnews.com/tech/tech-news/ag-barr-facebook-we-need-lawful-access-users-digital-messages-n1062281


"Life is 10% what happens to you and 90% how you respond." -- Coach Lou Holtz


In other news, just being a friend... 

 

For those of you that work at mid to large market companies that have mailrooms, be careful. 

 

I'm currently working on matters wherein packages with a fake return address were sent to companies with MKT caps over $100 million... These packages would be addressed to a person who does not exist at that company. 

 

Amidst the confusion, the package would sit there for hours and sometimes days, unattended. Meanwhile, inside the package is a device that scans every endpoint within 50 feet in order to gain access to the network.

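One detection a SOC could run against the scenario in the post above (an unexpected device gets on the network, then sweeps the hosts around it), as an added example written for this thread rather than anything from the poster's cases or from a vendor product. The log format, the addresses, the "known MAC" inventory and the fan-out threshold are all constructed for the demo; a real team would feed it their own DHCP and firewall logs and tune the threshold.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// SampleLog is constructed, not captured from any real network. A device with
// a MAC nobody inventoried takes a lease for 10.20.5.77, then touches SMB,
// RDP and SSH on a run of neighbouring hosts. The mailroom PC (10.20.5.30)
// talks only to the file server, as a normal machine would.
const SampleLog = `2020-02-10T09:12:01Z dhcp lease ip=10.20.5.12 mac=3c:22:fb:10:aa:01 host=FIN-LAPTOP-07
2020-02-10T09:12:05Z dhcp lease ip=10.20.5.30 mac=3c:22:fb:10:aa:02 host=MAILROOM-PC
2020-02-10T09:14:02Z dhcp lease ip=10.20.5.77 mac=b8:27:eb:5e:31:09 host=raspberrypi
2020-02-10T09:14:10Z fw allow src=10.20.5.77 dst=10.20.5.12 dport=445
2020-02-10T09:14:10Z fw allow src=10.20.5.77 dst=10.20.5.13 dport=445
2020-02-10T09:14:11Z fw deny src=10.20.5.77 dst=10.20.5.14 dport=3389
2020-02-10T09:14:11Z fw allow src=10.20.5.77 dst=10.20.5.15 dport=22
2020-02-10T09:14:12Z fw deny src=10.20.5.77 dst=10.20.5.16 dport=22
2020-02-10T09:14:12Z fw allow src=10.20.5.77 dst=10.20.5.30 dport=445
2020-02-10T09:15:00Z fw allow src=10.20.5.30 dst=10.20.5.12 dport=445
2020-02-10T09:15:30Z fw allow src=10.20.5.30 dst=10.20.5.12 dport=445`

// KnownMACs stands in for the asset inventory (hypothetical values).
var KnownMACs = map[string]bool{
	"3c:22:fb:10:aa:01": true,
	"3c:22:fb:10:aa:02": true,
}

var (
	leaseRe = regexp.MustCompile(`^\S+ dhcp lease ip=(\S+) mac=(\S+)`)
	connRe  = regexp.MustCompile(`^\S+ fw (?:allow|deny) src=(\S+) dst=(\S+) dport=(\d+)`)
)

// Alert is one finding keyed by the source address it concerns.
type Alert struct {
	Src    string
	Reason string
}

// Detect flags (1) a lease handed to a MAC that is not in the inventory and
// (2) any source that contacts at least fanOut distinct host:port pairs.
// Denied connections count as well: a scanner produces them in bulk and that
// is exactly the signal. The fan-out count here runs over the whole input;
// production code would bucket it by time window.
func Detect(logText string, fanOut int) []Alert {
	var alerts []Alert
	targets := map[string]map[string]bool{}
	for _, line := range strings.Split(logText, "\n") {
		if m := leaseRe.FindStringSubmatch(line); m != nil {
			if !KnownMACs[m[2]] {
				alerts = append(alerts, Alert{m[1], "lease to MAC " + m[2] + " not in inventory"})
			}
			continue
		}
		if m := connRe.FindStringSubmatch(line); m != nil {
			if targets[m[1]] == nil {
				targets[m[1]] = map[string]bool{}
			}
			targets[m[1]][m[2]+":"+m[3]] = true
		}
	}
	for src, set := range targets {
		if len(set) >= fanOut {
			alerts = append(alerts, Alert{src, fmt.Sprintf("contacted %d distinct host:port pairs", len(set))})
		}
	}
	// Deterministic order so results are stable for review and for tests.
	sort.Slice(alerts, func(i, j int) bool {
		if alerts[i].Src != alerts[j].Src {
			return alerts[i].Src < alerts[j].Src
		}
		return alerts[i].Reason < alerts[j].Reason
	})
	return alerts
}

func main() {
	for _, a := range Detect(SampleLog, 5) {
		fmt.Printf("ALERT %s: %s\n", a.Src, a.Reason)
	}
}
```

The two signals reinforce each other: an unknown MAC alone is often a contractor's laptop, and a burst of fan-out alone is often a vulnerability scanner, but a device nobody inventoried that starts sweeping the subnet minutes after it appears is worth walking to the mailroom for.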
12 minutes ago, YABO713 said:

In other news, just being a friend... 

 

For those of you that work at mid to large market companies that have mailrooms, be careful. 

 

I'm currently working on matters wherein packages with a fake return address were sent to companies with MKT caps over $100 million... These packages would be addressed to a person who does not exist at that company. 

 

Amidst the confusion, the package would sit there for hours and sometimes days, unattended. Meanwhile, inside the package is a device that scans every endpoint within 50 feet in order to gain access to the network.

 

That's CRAZY!!!




Took a trip to a client on the coast this week, on the trip I learned some of the most terrifying information of my career thus far. 

 

Here's a 30,000 foot view... 

 

Foreign actors (primarily Russian) attacks on controls to our power grids - specifically those in cold weather climates in population centers, like our three C's - have more than tripled on a yearly basis since 2012. That means the number is set to triple again next year. For reference, a power grid domain controller will face over 35,000 attacks an hour. 

 

What's more - the cold weather cities are targeted because they're particularly vulnerable to power outages in the winter, potentially leading to human casualties by freezing. These rolling blackouts by Russian operatives have already been tested in Ukraine (Kiev has suffered days long blackouts in its winter months on a few occasions since 2014) and also in Estonia. 

 

Nonetheless, for the first time since 2012, the Federal government is poised to slash or freeze the budget to help protect our critical infrastructure. In our meeting, we were told that "any escalation of defense is viewed by the administration as an enhancement of the narrative that Russia has sway over us."

 

This isn't a mere political issue, this is the type of thing that can cost lives if not properly resourced.

5 minutes ago, freefourur said:

^ but it might hurt Trump's fee fees if Russia are the bad guys. 

 

FWIW - read Sandworm. Best book on the current landscape of the Russian cyber threat and it's accessible to people with all comprehension levels of cybersecurity.

4 minutes ago, YABO713 said:

 

FWIW - read Sandworm. Best book on the current landscape of the Russian cyber threat and it's accessible to people with all comprehension levels of cybersecurity.

 

I will check it out. It seems that our Congress is unconcerned with this stuff for some reason. 

18 minutes ago, YABO713 said:

Nonetheless, for the first time since 2012, the Federal government is poised to slash or freeze the budget to help protect our critical infrastructure. In our meeting, we were told that "any escalation of defense is viewed by the administration as an enhancement of the narrative that Russia has sway over us."

 

I don't even understand this as a pretext.  You could increase the budget without specifically directing it against any specific country unless we're talking about active countermeasures aimed directly at counterattacking a particular country.  Or are passive defenses really country-specific?  Do we defend against Chinese hacking noticeably differently than against Russian hacking?

40 minutes ago, Gramarye said:

 

I don't even understand this as a pretext.  You could increase the budget without specifically directing it against any specific country unless we're talking about active countermeasures aimed directly at counterattacking a particular country.  Or are passive defenses really country-specific?  Do we defend against Chinese hacking noticeably differently than against Russian hacking?

 

Perhaps I didn't state it well enough - sorry about that! 

 

Additional funding would be a de facto reaction against Russia, because they're responsible for over 85% of the attempted attacks against our critical infrastructure. Chinese hacks are more targeted at wealth transfers, i.e. IP theft. 

 

So while this certainly isn't uniform, the DHS and DOD moneys that would be allocated to critical infrastructure would, by and large, be a reaction against Russia.

 

Again, being in the profession I am, it's impossible for me to see Russia as an ally or even cooperative partner. China isn't an ally, and is a threat to our ability to innovate and our wealth as a nation. Russia isn't an ally and wants to be a direct threat to American lives. 

29 minutes ago, YABO713 said:

 

Perhaps I didn't state it well enough - sorry about that! 

 

Additional funding would be a de facto reaction against Russia, because they're responsible for over 85% of the attempted attacks against our critical infrastructure. Chinese hacks are more targeted at wealth transfers, i.e. IP theft. 

 

So while this certainly isn't uniform, the DHS and DOD moneys that would be allocated to critical infrastructure would, by and large, be a reaction against Russia.

 

Again, being in the profession I am, it's impossible for me to see Russia as an ally or even cooperative partner. China isn't an ally, and is a threat to our ability to innovate and our wealth as a nation. Russia isn't an ally and wants to be a direct threat to American lives. 

Thank you for that explanation. I always enjoy your comments. And I appreciate that you keep it simple enough for me to understand.

2 hours ago, Gramarye said:

 

I don't even understand this as a pretext.  You could increase the budget without specifically directing it against any specific country unless we're talking about active countermeasures aimed directly at counterattacking a particular country.  Or are passive defenses really country-specific?  Do we defend against Chinese hacking noticeably differently than against Russian hacking?

 

Donald Trump is definitely not a Russian asset who is intentionally trying to lower American defenses to Russian aggression yet again.


Yabo, going back to our mobile security discussion from a while back, there are a few companies beginning to roll out Linux smartphones:

 

https://www.omgubuntu.co.uk/2019/11/pinephone-specs-price-release-date

 

https://www.omgubuntu.co.uk/2019/11/librem-5-birch-shipping

 

They offer several security enhancements, including physical kill switches for things like cameras/mikes.  Also, they are open source, which I like as it allows for open debate about the code, and thus makes hidden trackers highly unlikely to escape detection.  The build quality and software is still a bit rough, and the app selection is small.  But I expect it to get better.

 

Any thoughts on these?  Supposedly, they plan on making them able to run Android apps, which could bring some of the Android issues over, but I would think that the damage an app can do is a little bit more limited in a system that is overall more dedicated to privacy (and assuming a user diligent enough to watch their settings)

2 hours ago, YABO713 said:

Nonetheless, for the first time since 2012, the Federal government is poised to slash or freeze the budget to help protect our critical infrastructure. In our meeting, we were told that "any escalation of defense is viewed by the administration as an enhancement of the narrative that Russia has sway over us."

 

What is the budget, what has it been annually in the past, and what is proposed? I assumed most of the onus of meeting NERC CIP requirements falls on the utility, and thus rate payers. I know that since the 2003 blackout, utilities have been hardening their reliability systems significantly to prevent any sort of widespread, cascading failure - be it accidental as 2003 was or a deliberate attack.

 

All I could find in a 2 minute search of DHS's budget was funding for protection of government infrastructure, not utilities. Maybe I'm looking in the wrong place?

1 hour ago, Ram23 said:

 

What is the budget, what has it been annually in the past, and what is proposed? I assumed most of the onus of meeting NERC CIP requirements falls on the utility, and thus rate payers. I know that since the 2003 blackout, utilities have been hardening their reliability systems significantly to prevent any sort of widespread, cascading failure - be it accidental as 2003 was or a deliberate attack.

 

All I could find in a 2 minute search of DHS's budget was funding for protection of government infrastructure, not utilities. Maybe I'm looking in the wrong place?


So I’m by no means an expert on the budgetary side of it, so feel free to correct me if I’m wrong...

 

But in my understanding, especially with DOD resources, the spending to supplement cybersecurity for digital infrastructure isn’t subject to traditional budget review. The reason for that is because some of our “defensive” programs will actually have offensive capabilities wherein IP addresses and audit logs are forwarded on to Fort Meade for potential retaliatory actions. Since 2007/08, when our cyber command was established as a workaround to NSA rules against offensive weaponry, this kind of budget maneuvering has been used to keep private our spending and, thereby, the level of concern that most Americans should have over our cybersecurity.

 

Having said that... a portion of control grid defense subsidies come from other sources, as you noted, and those SHOULD be available for public review, so far as I know. However, DOD is the heavy hitter when it comes to our critical infrastructure.

1 hour ago, X said:

Yabo, going back to our mobile security discussion from a while back, there are a few companies beginning to roll out Linux smartphones:

 

https://www.omgubuntu.co.uk/2019/11/pinephone-specs-price-release-date

 

https://www.omgubuntu.co.uk/2019/11/librem-5-birch-shipping

 

They offer several security enhancements, including physical kill switches for things like cameras/mikes.  Also, they are open source, which I like as it allows for open debate about the code, and thus makes hidden trackers highly unlikely to escape detection.  The build quality and software is still a bit rough, and the app selection is small.  But I expect it to get better.

 

Any thoughts on these?  Supposedly, they plan on making them able to run Android apps, which could bring some of the Android issues over, but I would think that the damage an app can do is a little bit more limited in a system that is overall more dedicated to privacy (and assuming a user diligent enough to watch their settings)


Let me read these over after work. Sounds pretty cool!


Again, can't say too much. But the threat from Russian state-sponsored groups is increasingly difficult to ignore. It's confirmed that the 2017 "NotPetya" attack was, in fact, caused by GRU actors. 

 

FWIW - I'm starting to get quotes to make our home solar sufficient or, at the very minimum, getting a generator backup. 


If it's going to benefit Russia, then expect Trump to fire whoever tries to investigate and prosecute it....

 


FWIW... My cases paid out over $8 million (personal record) in ransomware this week, all but one traced to IP addresses in Russia
