privacy

Chrome will distrust SSL certificates generated by Symantec

I reviewed the headers of my IT Security News website https://www.itsecuritynews.info/ in order to add HSTS. This is what I can see in the headers:

"The certificate used to load https://www.itsecuritynews.info/ uses an SSL certificate that will be distrusted in an upcoming release of Chrome. Once distrusted, users will be prevented from loading this resource. See https://g.co/chrome/symantecpkicerts for more information."

Source: https://security.googleblog.com/2017/09/chromes-plan-to-distrust-symantec.html

Checking the article, I see some disturbing news:

"Information For Site Operators

Starting with Chrome 66, Chrome will remove trust in Symantec-issued certificates issued prior to June 1, 2016. Chrome 66 is currently scheduled to be released to Chrome Beta users on March 15, 2018 and to Chrome Stable users around April 17, 2018. If you are a site operator with a certificate issued by a Symantec CA prior to June 1, 2016, then prior to the release of Chrome 66, you will need to replace the existing certificate with a new certificate from any Certificate Authority trusted by Chrome. Additionally, by December 1, 2017, Symantec will transition issuance and operation of publicly-trusted certificates to DigiCert infrastructure, and certificates issued from the old Symantec infrastructure after this date will not be trusted in Chrome."

Strato…


Lack of security made simple: Casual Insecurity

I am travelling quite a lot because of my job, working with Avira's customers to integrate their OEM technologies. For this reason, I am very often in hotels and airports. Almost everywhere these days, I can find free WiFi: wireless networks with free-of-charge access. We all know that accessing resources through free WiFi is not the best idea, especially if these networks do not have any kind of password set.

This is how I think that the Lack of Security is made so simple: offer something everybody needs for free and make it as insecure as possible. Maybe at the beginning there are going to be few who don't access the free unprotected WiFi. But in time, everybody will think that it is absolutely normal that a WiFi is supposed to be free and unprotected. And this is how you convert masses of people to lower their security expectations. I call this concept "Casual insecurity".

Read here in my free eBook how to "Improve your security".


Quoted in SecurityWeek.com: 45 Million Potentially Impacted by VerticalScope Hack

Source: http://www.securityweek.com/45-million-potentially-impacted-verticalscope-hack
Author: Ionut Arghire, Security Week

Here is my longer comment:

LeakedSource writes on their website about a massive breach of VerticalScope.com and all its affiliated websites from February 2016. However, neither VerticalScope.com nor any of the websites mentioned on the LeakedSource page mention anything related to a hack. Even if denial of a breach is not something unseen before, after reading the summary of the dump on LeakedSource I am starting to see a pattern here: "Each record may contain an email address, a username, an IP address, one password and in some cases a second password". This is exactly the same as in the Myspace breach: "Each record may contain an email address, a username, one password and in some cases a second password." How come two completely unrelated breaches share the dump format? Could it be that they are converted somehow into a single format before they are put on sale?

The assumption regarding the VerticalScope hack is that they used some vulnerable vBulletin software. I have verified this myself and this is what I found on a couple of their websites: Doing a search on "vulnerabilities for vBulletin 3.8.7 Patch Level 3" can…


LinkedIn Legal : “Important information about your LinkedIn account”

Yeah, they were hacked 4 years ago and now their data is everywhere … well, almost everywhere. The LinkedIn hack of 2012 is now being sold on the dark web. It was allegedly 167 million accounts, and for a mere 5 bitcoins (about US$2.2k) you could jump over to the Tor-based trading site, pay your bitcoins and retrieve what is one of the largest data breaches ever to hit the airwaves. Until this week, when the Myspace.com leak from 2013 (or 2008!) released data of over 360 million users.

LinkedIn's Legal wrote:

Notice of Data Breach

You may have heard reports recently about a security issue involving LinkedIn. We would like to make sure you have the facts about what happened, what information was involved, and the steps we are taking to help protect you.

What Happened?

On May 17, 2016, we became aware that data stolen from LinkedIn in 2012 was being made available online. This was not a new security breach or hack. We took immediate steps to invalidate the passwords of all LinkedIn accounts that we believed might be at risk. These were accounts created prior to the 2012 breach that had not reset their passwords since…


A new type of fraud: News Scareware

After posting the article with the ads, I thought that I had covered all the stupid things that online publications do to force their readers to pay, subscribe or disable ad blockers. Well, this was not correct… The stupidity goes on… with the Washington Post.

They request your email address in order to allow you to read any article. I first tried to add some bogus email address so that I could move on. But these guys take things really seriously. They connect to the SMTP server and try to authenticate whether the user exists. If it doesn't work, you get an error. After you successfully enter an email address, they store various system cookies and you're free to read all articles.

I tried to test this in three browsers: Chrome (where I registered), Firefox and Tor (browsing from the USA), and it worked in all of them. I even erased all the cookies above and it still worked. I honestly don't know how they verify that my computer is authorized to view the content. They definitely stored something on the computer, different from a cookie, and they are checking that from the code of the website. I will investigate this when I…


What’s the issue with the mobile apps permissions?

If an app requires some permissions like Access Camera or Access Microphone, does it mean that it can do with these devices of a smartphone whatever it wants, whenever it wants?

Short answer

Yes, but it is not so simple.

Long answer

There are rumours that apps like WhatsApp, Facebook, G+, etc. are using the camera and microphone to spy on users, even when the device is in idle mode or when the app is not running in the foreground. It was also stated that exactly this was part of their EULAs and hence a legal procedure. This is Google's permission for "android.permission.CAMERA" / "android.hardware.camera2" and reads as such: "Allows the app to take pictures and videos with the camera. This permission allows the app to use the camera at any time without your confirmation."

All those statements are theoretical assumptions. They are possible to implement; however, these apps will never do that. This doesn't mean that there are no apps that do exactly this. But this is the exception and not the rule.

Be careful

If an app requires too many permissions, or if it requires permissions that it should not need, then there is something strange there. For example, an app that plays music doesn't…


How to convince your boss that adding security features from the beginning is worth doing it!

Everything of value has a cost. The same applies to security! I recently flew to Berlin for business purposes with a well-known airline. As I was the first one checking in, I was asked if I wanted the seat near the emergency exit. This is usually the place where you have more space for your legs. So I said, without thinking too much: Yeeess, please :). The plane was a very small one with propellers and the emergency exit was actually the first seat (1A), just in front of the cockpit and face to face with the flight attendant. Now, if you wonder what this has to do with the title of the post, here comes the cost for it: the flight attendant asked me to take the brochure with the special instructions and read it all. In front of her. It wasn't much, just two pages, so no big deal. But then, because she was standing in front of me, watching me directly, she kept making observations and requests during takeoff and landing: I am not allowed to put the newspaper on the seat near me because it could fall on the floor and if there is an emergency, someone could slip on…



Set up an Ad-filter with Privoxy on Raspberry Pi for free

I hate ads… They are, unfortunately, the main source of income for many companies. So they are a necessary evil in today's world where everything is expected to be free of charge. In general, I use an anti-advertisement filter in the browser. Now I use AdBlock for Chrome. It is available for FF and IE as well. But what do you do with mobile devices which, normally, don't have such a filter? You use a filtering proxy or gateway. Setting up a gateway with a transparent proxy (or filter) is more complicated. Setting up a filtering proxy is very simple, and here is how you can do it easily.

What you need

Raspberry Pi B (1 or 2) – you need a network interface and a large enough SD card (8 GB should do)
Raspbian – the de facto OS for RPi
Privoxy – as Privacy Proxy

Privoxy is a non-caching web proxy with advanced filtering capabilities for enhancing privacy, modifying web page data and HTTP headers, controlling access, and removing ads and other obnoxious Internet junk. Privoxy has a flexible configuration and can be customized to suit individual needs and tastes. It has application for both stand-alone systems and multi-user…



Comments on Privacy for “Data Privacy Day 2015”

My comments on "Data Privacy Day 2015: Top Experts Comment on Privacy Issues (+Infographic)" from http://www.cloudwards.net.

Our society has become digitally connected in a very short time, and consumers didn't have the time to understand the implications of data privacy on their lives. We can be sure that every provider of an online service is doing everything legally possible to obtain maximum information about its users. This is person-related information, as well as information that the user is voluntarily (or not) sharing with others on online platforms. Because many people don't take their online actions seriously or don't understand the consequences, they tend to act differently in their online life than in their offline life. If I had to give just two pieces of advice that one should remember about privacy, they are:

When online, don't tell or share with anyone something that you wouldn't also say out loud in a room full of people listening. Does it sound scary? Think that re-sharing your comment with the entire world is usually one click away.

Once you publish or upload something online, independent of your security and privacy settings, it doesn't belong just to you alone anymore. It also belongs to the provider of…



The PRICE of FREE

The idea of offering your product, or a version of it, for free has been a source of much debate. What is FREE, and is FREE really, really free as in gratis? The idea for writing this article came from reading this article on "Minimum Viable Free Product (MVFP)" by Nathan Taylor. Nathan is talking about "Minimum Viable Free Product" and I personally don't like how "Free" is interpreted. Yes, I did read the book by Chris Anderson about free products. But the Internet decided to do things quite differently. Let's define the terms before we go into the discussion.

Terminology

FREE = means that a product has a zero acquisition price: it doesn't cost anything to install/use. Nothing is said about what happens after you install it. Note also that this doesn't say anything about what is being sold: MVFP or freeware or ad-sponsored or… you name it. It is just "something" that doesn't cost anything, and it doesn't say if it is the "full" product or an "entry level" product.

Free trial = this is the full product offered for FREE for a limited period of time. After that, the product either stops functioning or reduces the functionality to an "entry…

