Showing posts with label Privacy.

Saudi Arabia Government Threatens to Ban Skype, WhatsApp and other VOIP Services

VoIP services regularly get into trouble in countries where governments like to keep a solid grip on what people are talking about and with whom.

No, not the US this time: Saudi Arabia is the latest to join the anti-Skype brigade, as it threatens to ban essentially all VoIP communications in the country unless those communications fall within its regulations.

Regulations that involve the government being allowed to snoop in on communications, which can't be done practically if the communications are encrypted.

While the government hasn't said exactly why these apps are being targeted, it did mention Skype, WhatsApp and Viber as falling outside the rules. All three are very popular VoIP services, the latter two mostly on mobile phones.

Saudi Arabia has a history of going against communication methods it can't control; it temporarily banned BlackBerry's built-in messaging service a few years ago over its use of encryption.

Twitter Hacked, 250,000 Email and Password Compromised

If you find that your Twitter password doesn't work the next time you try to login, you won't be alone. The service was busy resetting passwords and revoking cookies on Friday, following an online attack that may have leaked the account data of approximately 250,000 users.

"This week, we detected unusual access patterns that led to us identifying unauthorized access attempts to Twitter user data," Bob Lord, Twitter's director of information security, writes in a blog post.

According to Lord, Twitter was able to shut down the attack within moments of discovering it, but not before the attackers were able to make off with what he calls "limited user information," including usernames, email addresses, session tokens, and the encrypted and salted versions of passwords.

The encryption on such passwords is generally difficult to crack – but it's not impossible, particularly if the attacker is familiar with the algorithm used to encrypt them.

As a precaution, Lord says Twitter has reset the passwords of all 250,000 affected accounts – which, he observes, is just "a small percentage" of the more than 140 million Twitter users worldwide.

If yours is one of the accounts involved, you'll need to enter a new password the next time you login. Lord reminds all Twitter users to choose strong passwords – he recommends 10 or more characters, with a mix of letters, numbers, and symbols – because simpler passwords are easier to guess using brute-force methods. In addition, he recommends against using the same password on multiple sites.

Lord says Twitter's investigation is ongoing, and that it's taking the matter extremely seriously, particularly in light of recent attacks experienced by The New York Times and The Wall Street Journal:
This attack was not the work of amateurs, and we do not believe it was an isolated incident. The attackers were extremely sophisticated, and we believe other companies and organizations have also been recently similarly attacked. For that reason we felt that it was important to publicize this attack while we still gather information, and we are helping government and federal law enforcement in their effort to find and prosecute these attackers to make the Internet safer for all users.
Although the attack took place this week, it seems to have no relationship to the outage that took Twitter offline for several hours on Thursday. On the other hand, however, Lord's post does make rather cryptic mention of the US Department of Homeland Security's recent recommendation that users disable the Java plug-in in their browsers. He mentions Java twice, in fact.

While it's true that the Java plug-in contains multiple known vulnerabilities and that numerous security experts have warned that it should be considered unsafe, the connection between Java and the attack Twitter experienced isn't clear, and Twitter has yet to respond to our request for clarification.
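The post says the stolen passwords were stored "encrypted and salted" and that simpler passwords are easier to brute-force. As an added example, not Twitter's code, here is how salted, iterated password hashing and verification work, together with a check of the password advice quoted above. The PBKDF2 scheme, the iteration count and the record format are assumptions of this example, not what Twitter used.

```python
import hashlib
import hmac
import os
import string

# Parameters are assumptions for this example; the post only says the stored
# passwords were "encrypted and salted", not which scheme was used.
ITERATIONS = 200_000
SALT_BYTES = 16
ALGORITHM = "sha256"


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Return a self-describing record 'pbkdf2_sha256$iterations$salt$digest'.

    A fresh random salt per password means two users with the same password get
    different records, so a stolen table cannot be attacked with one precomputed
    dictionary; the iteration count makes every guess cost a fixed amount of work.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(ALGORITHM, password.encode("utf-8"), salt, iterations)
    return "pbkdf2_%s$%d$%s$%s" % (ALGORITHM, iterations, salt.hex(), digest.hex())


def verify_password(record, candidate):
    """Recompute the digest with the stored salt and compare in constant time."""
    scheme, iterations, salt_hex, digest_hex = record.split("$")
    algorithm = scheme.split("_", 1)[1]
    salt = bytes.fromhex(salt_hex)
    expected = bytes.fromhex(digest_hex)
    actual = hashlib.pbkdf2_hmac(algorithm, candidate.encode("utf-8"), salt, int(iterations))
    return hmac.compare_digest(actual, expected)


def meets_advice(password):
    """The advice quoted in the post: 10 or more characters mixing letters,
    numbers and symbols."""
    has_letter = any(c.isalpha() for c in password)
    has_digit = any(c.isdigit() for c in password)
    has_symbol = any(c in string.punctuation for c in password)
    return len(password) >= 10 and has_letter and has_digit and has_symbol


def brute_force_seconds(length, alphabet_size, guesses_per_second):
    """Worst-case time to try every password of this length over this alphabet
    at the given guess rate; the iteration count above is what keeps the rate low."""
    return alphabet_size ** length / guesses_per_second


if __name__ == "__main__":
    record = hash_password("correct horse!42")
    print(record)
    print("verify ok:", verify_password(record, "correct horse!42"))
    print("meets advice:", meets_advice("correct horse!42"))
    print("8 lowercase letters at 1e9 guesses/s:", brute_force_seconds(8, 26, 1e9), "s")
```

The record carries its own algorithm, iteration count and salt, so the verifier never has to guess them and the iteration count can be raised later without invalidating old records.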

International Atomic Energy Agency server hacked

A group of hackers leaked email contact information of experts working with the International Atomic Energy Agency (IAEA) after breaking into one of the agency's servers.

The group published a list of 167 email addresses along with its manifesto on Sunday in a post on Pastebin.

"Some contact details related to experts working with the IAEA were posted on a hacker site on 25 November 2012," IAEA spokeswoman Gill Tudor said Wednesday in an emailed statement. "The IAEA deeply regrets this publication of information stolen from an old server that was shut down some time ago. In fact, measures had already been taken to address concern over possible vulnerability in this server."
The hacker group calls itself Parastoo and wants the IAEA to investigate Israel's nuclear activities at the Negev Nuclear Research Center near Dimona, an Israeli city located in the Negev desert. "Israel owns a practical nuclear arsenal tied to a growing military body and it is not a member of internationally respected nuclear, biochemical and chemical agreements," the group said.

Israel has long had a policy of nondisclosure regarding its nuclear military capabilities and has never signed the international Treaty on the Non-Proliferation of Nuclear Weapons (NPT).

The experts whose email addresses were leaked should sign a petition demanding that IAEA investigate the activities at Dimona, the hacker group said, claiming that it has evidence of "beyond-harmful operations" taking place at the site.

Parastoo threatened to publish information on the whereabouts of every single individual on the list together with their personal and professional details, saying that all of them could be considered responsible if an accident were to happen at Dimona.

"The IAEA's technical and security teams are continuing to analyse the situation and do everything possible to help ensure that no further information is vulnerable," Tudor said. "The Agency treats information security, including cybersecurity, as a top priority and takes all possible steps to ensure its computer systems and data are fully protected."
The IAEA is an international organization that promotes the safe and peaceful use of nuclear energy and discourages the proliferation of nuclear weapons. The agency reports issues of non-compliance by states to the United Nations General Assembly and Security Council.

How to Use BTGuard to Completely Anonymize your Bittorrent Traffic

If you're using BitTorrent without taking special measures to hide your activity, it's just a matter of time before your ISP throttles your connection, sends you an ominous letter, or, worst case, receives a subpoena from a lawyer asking for your identity for a file-sharing lawsuit. Here's how to set up a simple proxy to keep your torrenting safe and anonymous.


Note, you don't need to be doing anything illegal. Maybe you just want to keep Big Brother out of your business and from throttling your connection. Either way, if you really want to keep your activity private, your best bet involves routing your BitTorrent connection through an external service. BTGuard is a dead simple BT-focused proxy server and encryption service, and it's my service of choice. Below, I'll explain what it does, how it works, and how to set it up to privatize and anonymize your BT traffic.

How BTGuard Works

When you download or seed a torrent, you're connecting to a bunch of other people, called a swarm, all of whom—in order to share files—can see your computer's IP address. That's all very handy when you're sharing files with other netizens, but file sharers such as yourself aren't necessarily the only people paying attention. Piracy monitoring groups (often paid for by the entertainment industry either before or after they find violators) also join BitTorrent swarms, but instead of sharing files, they're logging the IP addresses of other people in the swarm—including you—so that they can notify your ISP of your doings. A proxy (like BTGuard) funnels your internet traffic—in this case, just your BitTorrent traffic—through another server, so that the BitTorrent swarm will show an IP address from a server that can't be traced back to you instead of the address that points to your house. That way, those anti-piracy groups can't contact your ISP, and your ISP has no cause to send you a harrowing letter.

But wait, can't the piracy groups then go to the anonymizer service (BTGuard) and requisition their logs to figure out that you're the one downloading the new Harry Potter? Theoretically, yes, but the reason why we chose BTGuard is because they don't keep logs, so there's no paper trail of activity leading back to you. All the piracy monitors see is BTGuard sharing a file, and all your ISP sees is you connecting to BTGuard—but not what data you're downloading, because it's encrypted.

If you subscribe to an ISP that throttles BitTorrent traffic, and aren't using an anonymizer service, you have an additional problem. Your ISP can still see what you're doing, and if they detect that you're using BitTorrent—even if you're using it for perfectly legal purposes—they'll throttle your connection so you get unbearably slow speeds. When you encrypt your BitTorrent traffic, your ISP can't see what you're using your connection for. They'll see that you're downloading lots of information, but they won't be able to see that it's BitTorrent traffic, and thus won't throttle your connection. You still have to be careful of going over your ISP's bandwidth cap, however, if that exists.

BTGuard offers you both a proxy (to combat spying) and encryption (to combat throttling)—though many torrent clients have encryption built-in as well.

First, BTGuard isn't free. At $7/month (as little as $5 if you pay for a year in advance), it isn't very expensive, and we think it's well worth it if you want to torrent anonymously. A lawsuit settlement, if it comes to that, will cost you at least a couple thousand dollars, which equals a couple decades of BTGuard subscriptions, so keep that in mind, too. The other potential downside is that piping your downloads through another service may decrease your upload and download speeds. How much depends on what torrent you're downloading, who from, and a lot of other factors, but just know that it's a possibility. In my experience, more popular torrents stayed at their top speed of 1.4 MB/s (my bandwidth cap) with a proxy, while other less popular torrents (which flew at 1.4 MB/s without a proxy) would fluctuate around 200 or 300 kB/s with BTGuard in place. Again, though, a little longer wait on downloads is well worth the protection you get.

Lastly, proxies aren't supported by every client, which means you'll have to use one with more advanced features. uTorrent (for Windows) and Vuze (for Windows, Mac, and Linux) both support proxies, but sadly Mac and Linux favorite Transmission does not. (If you're absolutely stuck with a client that doesn't support proxies, check the end of this article for some alternative solutions to the anonymity problem.)

How to Set Up BTGuard

BTGuard has a one-click install process, but we're going to show you how to do it the manual way, since it works in any BitTorrent client that supports SOCKS5 Proxy—not just the ones supported by BTGuard's installer. It'll also give you a better sense of what exactly BTGuard does, so if you run into problems, you'll have a better idea of how to fix it.

Step One: Sign Up for BTGuard

First, sign up for an account over at BTGuard.com. It'll just take a minute, and then you can get to configuring your client. Their BitTorrent proxy service costs $6.95 a month, but you can get discounts by buying multiple months at a time (up to a year's service for $59.95). Once you're done, you should receive an email telling you that BTGuard is ready to go.

Step Two: Configure Your Client

Next, open up your torrent client of choice and find the proxy settings within its preferences. In uTorrent, for example, this is under Preferences > Connection. Your client may have them in a different place (Google around to find out where), but no matter your client, your settings should look like this:

  • Proxy Type: Socks v5
  • Proxy Host: proxy.btguard.com
  • Proxy Port: 1025
  • Username: Your BTGuard username
  • Password: Your BTGuard password
You'll also want to make sure you're using the proxy for hostname or tracker lookups as well as peer-to-peer connections, so check all boxes that say anything like that. You'll also want to disable connections or features that could compromise the proxy, so check all the boxes under uTorrent's "Proxy Privacy" section, or anything similar that your client may have. Hit Apply, exit the preferences, and restart your client. Your proxy should now be active.


Step Three: See If It's Working


To ensure that it's working, head over to CheckMyTorrentIP.com. This site can tell you what your IP address is, and compare it to the IP address of your torrent client, which will let you know whether your proxy is working correctly. To test it, hit the "Generate Torrent" button, and open the resulting torrent in your client. Then, go back to your browser and hit the Refresh button under the "Check IP" tab. If it's the same as your browser IP—which you'll see next to the Refresh button—then your proxy isn't working, and you'll want to double-check all of the above settings. If it shows a different IP address (often from another country like Germany or Canada), then BTGuard is successfully tunneling all your traffic for you.

Step Four (Optional): Enable Encryption

If you want extra security (or if you're trying to protect your connection from being throttled), you'll also want to encrypt all that traffic. Many clients have this feature built-in. In uTorrent, for example, just head to Preferences > BitTorrent and look for the "Protocol Encryption" section. Change your outgoing connection to Forced encryption, and uncheck the "Allow incoming legacy connections" box. From there, you should be good—your ISP shouldn't throttle your connection after this is enabled.

If your client doesn't support encryption, or you want a more powerful encryption behind your torrenting, BTGuard offers an encryption service as well. Just head to their Encryption page, download the software, and install it to C:\BTGUARD (this is very important; don't change the installation directory). Then, start the BTGuard Encryption program (accessible from the Start menu), and open up your BitTorrent client. Change your proxy server from proxy.btguard.com to 127.0.0.1, restart your client, and you're golden. Again, this isn't necessary if your client already supports encryption, but it is an extra layer of protection if you really want to keep everything private.
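The settings in Step Two describe a SOCKS5 connection with username/password authentication (RFC 1928 and RFC 1929). The following added example, which is not BTGuard's software or any torrent client's code, builds and parses the bytes a client and proxy exchange for those settings, with a constructed stand-in for the proxy side so the exchange runs offline. The credentials, the exit address 203.0.113.7 and the tracker hostname are made up; a real client would send the same client bytes over a TCP socket to proxy.btguard.com:1025.

```python
import struct

SOCKS_VERSION = 0x05
AUTH_USERPASS = 0x02          # RFC 1929 username/password sub-negotiation
AUTH_NONE_ACCEPTABLE = 0xFF
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
PROXY_PORT = 1025             # the port given in Step Two


def build_greeting():
    """Client hello offering only username/password. Not listing 0x00 ("no
    authentication") means a misbehaving proxy cannot downgrade the session."""
    return bytes([SOCKS_VERSION, 1, AUTH_USERPASS])


def parse_method_selection(data):
    if len(data) != 2 or data[0] != SOCKS_VERSION:
        raise ValueError("not a SOCKS5 method selection")
    if data[1] == AUTH_NONE_ACCEPTABLE:
        raise ValueError("proxy accepts none of the offered auth methods")
    return data[1]


def build_userpass_auth(username, password):
    """RFC 1929 request: VER=1, ULEN, UNAME, PLEN, PASSWD. Sent in the clear."""
    user, pw = username.encode("utf-8"), password.encode("utf-8")
    if not (0 < len(user) <= 255 and 0 < len(pw) <= 255):
        raise ValueError("username and password must be 1..255 bytes")
    return bytes([0x01, len(user)]) + user + bytes([len(pw)]) + pw


def parse_userpass_reply(data):
    """True when STATUS is 0x00; any other status means the proxy will close."""
    if len(data) != 2 or data[0] != 0x01:
        raise ValueError("not an RFC 1929 reply")
    return data[1] == 0x00


def build_connect(host, port):
    """CONNECT with ATYP=domain name: the proxy resolves the tracker hostname,
    so the lookup never touches the local resolver (what the article's
    "hostname lookups through the proxy" setting achieves)."""
    name = host.encode("idna")
    if len(name) > 255:
        raise ValueError("hostname too long for SOCKS5")
    return (bytes([SOCKS_VERSION, CMD_CONNECT, 0x00, ATYP_DOMAIN, len(name)])
            + name + struct.pack("!H", port))


def parse_connect_reply(data):
    """Return (succeeded, bound_address, bound_port) from the proxy's reply."""
    if len(data) < 6 or data[0] != SOCKS_VERSION:
        raise ValueError("not a SOCKS5 reply")
    rep, atyp = data[1], data[3]
    if atyp == ATYP_IPV4:
        addr, off = ".".join(str(b) for b in data[4:8]), 8
    elif atyp == ATYP_DOMAIN:
        addr, off = data[5:5 + data[4]].decode("idna"), 5 + data[4]
    elif atyp == ATYP_IPV6:
        addr, off = data[4:20].hex(), 20
    else:
        raise ValueError("unknown address type")
    return rep == 0x00, addr, struct.unpack("!H", data[off:off + 2])[0]


class FakeProxy:
    """Constructed stand-in for the proxy side (not BTGuard's software); answers
    each client message the way a SOCKS5 server with RFC 1929 auth would."""

    def __init__(self, users, exit_ip=(203, 0, 113, 7)):  # TEST-NET address, constructed
        self.users, self.exit_ip, self.stage = users, exit_ip, "greeting"

    def respond(self, msg):
        if self.stage == "greeting":
            if AUTH_USERPASS not in msg[2:2 + msg[1]]:
                return bytes([SOCKS_VERSION, AUTH_NONE_ACCEPTABLE])
            self.stage = "auth"
            return bytes([SOCKS_VERSION, AUTH_USERPASS])
        if self.stage == "auth":
            ulen = msg[1]
            user = msg[2:2 + ulen].decode("utf-8")
            plen = msg[2 + ulen]
            pw = msg[3 + ulen:3 + ulen + plen].decode("utf-8")
            ok = self.users.get(user) == pw
            self.stage = "connect" if ok else "closed"
            return bytes([0x01, 0x00 if ok else 0x01])
        if self.stage == "connect":
            self.stage = "relay"   # from here on the proxy relays raw bytes
            return (bytes([SOCKS_VERSION, 0x00, 0x00, ATYP_IPV4]) + bytes(self.exit_ip)
                    + struct.pack("!H", PROXY_PORT))
        raise ConnectionError("proxy closed the connection")


def handshake(proxy, username, password, target_host, target_port):
    """Drive greeting, authentication and CONNECT; return the address the swarm
    will see, which is the proxy's exit address rather than yours."""
    method = parse_method_selection(proxy.respond(build_greeting()))
    if method != AUTH_USERPASS:
        raise ValueError("unexpected auth method %#x" % method)
    if not parse_userpass_reply(proxy.respond(build_userpass_auth(username, password))):
        raise PermissionError("proxy rejected the credentials")
    ok, addr, port = parse_connect_reply(proxy.respond(build_connect(target_host, target_port)))
    if not ok:
        raise ConnectionError("CONNECT failed")
    return addr, port
```

Two details bear on the article's warnings: the greeting offers only method 0x02, so the session is never silently downgraded to unauthenticated, and CONNECT uses the domain-name address type, so tracker names are resolved by the proxy rather than leaking through your own DNS. SOCKS5 itself carries the credentials and the relayed payload in cleartext; any encryption has to come from the client's protocol encryption or BTGuard's separate tool, as Step Four describes.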

BitTorrent isn't the safe place it once was, and if you're going to use it to share and download files, we highly recommend getting some sort of protection from the services above so you can avoid DMCA notices and throttled speeds. Got any other tips for keeping your file sharing on the down low? Share them with us in the comments.

Google Exploits Safari Flaw to Track Users Online

The Wall Street Journal has caught Google with its hand in the cookie jar of Apple's Safari users, after it exploited a Safari browser flaw to track users' browsing behaviour via cookies.


Search giant Google has been accused by the Wall Street Journal of bypassing the browser’s security settings by allowing a site to set tracking cookies.

Safari for Mac and PC, as well as Safari in-built into iOS devices, are thought to be affected. The browser was subject to tests by the Journal which show that Google used code in its advertisements to bypass Safari’s security, which by default blocks such tracking activity.

The aim of the code was to allow users who had signed into Google+ in Safari to access the '+1' button within ads, provided by Google's DoubleClick network.

“Don’t be evil,” the company said. While this may not classify as evil per se, it has already gained the attention of the online privacy advocacy group, the Electronic Frontier Foundation (EFF), reiterating the need for ‘Do Not Track’ rules on the Web.

Safari's security would normally prevent ads from dropping a tracking cookie in such a case because it blocks cookies coming from advertising networks. But the code Google is accused of using 'tricked' the browser into thinking the code was submitting a web form to Google; form cookies are not blocked, since that lets the browser see whether the form was in fact sent.

The exploit isn't new. It was first discovered in 2010 by Stanford researcher Jonathan Mayer and confirmed by web developer and researcher Anant Garg.

But Google, while the biggest name on the list of the accused, was not the only one to do it. The Journal says that other advertising networks do similar things, such as the Media Innovation Group, Gannett's PointRoll, and Vibrant.

Google’s DoubleClick adverts containing the privacy-circumventing code were found on major websites, including AOL.com, Match.com, TMZ.com and YellowPages.com, according to CNET reports. The Journal’s outside advisor found that 22 of the top 100 websites had Google’s Safari-busting tracking code, and that 23 different sites install the same code on Safari’s iOS browser.

The cookies were set to expire after 12 to 24 hours, but Safari can add even more cookies to a user's browser once the first cookie has been set.

After Google was caught with its hand in the cookie jar, it said that "the Journal mischaracterizes what happened and why," after it disabled the code. "We used known Safari functionality to provide features that signed-in Google users had enabled. It's important to stress that these advertising cookies do not collect personal information," the company said.

Apple, however, was quoted as saying that it is “working to put a stop” to the circumvention of its privacy settings and security features.

Microsoft has weighed in, taking a cheap shot at its closest rival, by saying that “this type of tracking by Google is not new”. The Internet Explorer blog continued: “The novelty here is that Google apparently circumvented the privacy protections built into Apple’s Safari browser in a deliberate, and ultimately, successful fashion.”

Rachel Whetstone, senior vice-president for communications and public policy at Google, expanded on the Journal’s findings:

“Unlike other major browsers, Apple’s Safari browser blocks third-party cookies by default. However, Safari enables many web features for its users that rely on third parties and third-party cookies, such as “Like” buttons. Last year, we began using this functionality to enable features for signed-in Google users on Safari who had opted to see personalized ads and other content — such as the ability to “+1” things that interest them.

To enable these features, we created a temporary communication link between Safari browsers and Google’s servers, so that we could ascertain whether Safari users were also signed into Google, and had opted for this type of personalization. But we designed this so that the information passing between the user’s Safari browser and Google’s servers was anonymous — effectively creating a barrier between their personal information and the web content they browse.

However, the Safari browser contained functionality that then enabled other Google advertising cookies to be set on the browser. We didn’t anticipate that this would happen, and we have now started removing these advertising cookies from Safari browsers. It’s important to stress that, just as on other browsers, these advertising cookies do not collect personal information.”

How to Prevent Google from tracking you

Much has been made of Google's new privacy policy, which takes effect March 1. If you're concerned about Google misusing your personal information or sharing too much of it with advertisers and others, there are plenty of ways to avoid Web trackers.

The Electronic Frontier Foundation offers the Panopticlick service that rates the anonymity of your browser. The test shows you the identifiable information provided by your browser and generates a numerical rating that indicates how easy it would be to identify you based solely on your browser's fingerprint.

According to the entropy theory explained by Peter Eckersley on the EFF's DeepLinks blog, 33 bits of entropy are sufficient to identify a person. According to Eckersley, knowing a person's birth date and month (not year) and ZIP code gives you 32 bits of entropy. Also knowing the person's gender (50-50, so one bit of entropy) gets you to the identifiable threshold of 33 bits.
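To make the entropy argument concrete, here is an added example (my own, not the EFF's Panopticlick code) that computes surprisal, per-attribute and joint entropy over a constructed set of eight browser fingerprints, and compares a bit count against the 33-bit threshold quoted above. The fingerprint records and attribute names are invented for the example.

```python
import math
from collections import Counter

IDENTIFYING_BITS = 33   # the threshold the post quotes from Eckersley's EFF piece

# Constructed sample of eight browser fingerprints (attribute -> value); not real
# Panopticlick data. Chosen so the entropies come out as round numbers.
SAMPLE_FINGERPRINTS = [
    {"user_agent": "Chrome", "timezone": "UTC-5"},
    {"user_agent": "Chrome", "timezone": "UTC-5"},
    {"user_agent": "Chrome", "timezone": "UTC+1"},
    {"user_agent": "Chrome", "timezone": "UTC+1"},
    {"user_agent": "Firefox", "timezone": "UTC-5"},
    {"user_agent": "Firefox", "timezone": "UTC+1"},
    {"user_agent": "Safari", "timezone": "UTC-5"},
    {"user_agent": "Safari", "timezone": "UTC+1"},
]


def surprisal_bits(probability):
    """Bits of information in observing a value that occurs with this probability: -log2(p).
    A 50-50 attribute such as gender gives exactly one bit."""
    if not 0 < probability <= 1:
        raise ValueError("probability must lie in (0, 1]")
    return -math.log2(probability)


def bits_to_identify(population):
    """Bits needed to single out one individual among `population` people: log2(N)."""
    return math.log2(population)


def _entropy(counts):
    """Shannon entropy in bits of an empirical distribution given as counts."""
    total = sum(counts.values())
    return sum((c / total) * surprisal_bits(c / total) for c in counts.values())


def attribute_entropy(fingerprints, attribute):
    """How many bits one attribute carries on average across the sample."""
    return _entropy(Counter(fp[attribute] for fp in fingerprints))


def joint_entropy(fingerprints, attributes):
    """Entropy of the attributes taken together; equals the sum of the individual
    entropies only when the attributes are independent."""
    return _entropy(Counter(tuple(fp[a] for a in attributes) for fp in fingerprints))


def fingerprint_surprisal(fingerprints, fingerprint, attributes):
    """Bits revealed by one specific fingerprint: -log2 of how common its value
    combination is in the sample (a unique combination reveals log2(N) bits)."""
    key = tuple(fingerprint[a] for a in attributes)
    matches = sum(1 for fp in fingerprints if tuple(fp[a] for a in attributes) == key)
    if matches == 0:
        raise ValueError("fingerprint not present in the sample")
    return surprisal_bits(matches / len(fingerprints))


def is_identifying(bits, population=None):
    """True if `bits` reach the page's 33-bit threshold, or log2(population) when given."""
    threshold = IDENTIFYING_BITS if population is None else bits_to_identify(population)
    return bits >= threshold


if __name__ == "__main__":
    attrs = ["user_agent", "timezone"]
    for a in attrs:
        print(a, "entropy:", attribute_entropy(SAMPLE_FINGERPRINTS, a), "bits")
    print("joint entropy:", joint_entropy(SAMPLE_FINGERPRINTS, attrs), "bits")
    print("world population needs about", bits_to_identify(7e9), "bits")
```

log2 of the world population (about 7 billion) is roughly 32.7 bits, which is where a 33-bit threshold comes from. Each attribute contributes -log2 of how common its value is, and independent attributes add, so a 1-bit gender value on top of 32 bits crosses the line exactly as the post describes; correlated attributes add less, which is why the joint entropy is computed separately rather than summed.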

In some ways, Google's explanation of personalized ads is more informative than the company's privacy policy. Of course it's in Google's best interest to keep you in the personalized-ads fold, but the company does its best to present personalization as a boon to users. It certainly does help pay for the "free" services we've come to rely on.


Use Google's own tools to opt out of ad networks

Prominent in the Google privacy policy are links to services that let you view and manage the information you share with Google. Some of this personal data you volunteer, and some of it is collected by Google as you search, browse, and use other services.

To view everything (almost) Google knows about you, open the Google Dashboard. Here you can access all the services associated with your Google account: Gmail, Google Docs, YouTube, Picasa, Blogger, AdSense, and every other Google property. The dashboard also lets you manage your contacts, calendar, Google Groups, Web history, Google Voice account, and other services.



More importantly, you can view and edit the personal information stored by each Google service, or delete the service altogether. To see which other services have access to the account's information, click "Websites authorized to access the account" at the top of the Dashboard. To block an authorized service from accessing the account, click Revoke Access next to the service name.


The Google Ads Preferences Manager lets you block specific advertisers or opt out of all targeted advertising. Click the "Ads on the web" link in the left column and then choose "add or edit" under "Your categories and demographics" to select the categories of ads you want to be served or to opt out of personalized ads.


Another option is to use Google's Keep My Opt-Outs extension for Chrome. Google also participates in the Network Advertising Initiative's opt-out program. Select some or all of the dozens of online advertisers from the NAI program and then click Submit to place a cookie in your browser instructing the ad networks not to serve personalized ads.

Free add-on for Firefox and Google Chrome targets tracking cookies

Several free browser extensions help you identify and block the companies that are tracking you on the Web. For example, Ghostery (available in versions for Firefox and Chrome) adds an icon to your browser toolbar showing the number of trackers on the current page. Click the icon to see a list of the trackers and view options for blocking or white-listing specific ones.

The free Disconnect extension (also available for Firefox and Chrome) takes a more direct approach to wiping your Web tracks. Disconnect blocks tracking by Google, Facebook, Twitter, Yahoo, and Digg. It also has an option for depersonalizing searches.

As with Ghostery, Disconnect places an icon in the browser toolbar that shows the number of elements it has blocked on the current page. Click the icon to open a window showing the number of trackers blocked for each service. To unblock tracking for one of the services, click its entry. (Note that I tested Disconnect only with Google; also, blocking of international Google domains is not yet available, according to Disconnect's developers.)

When I tested Disconnect, I had to sign into Gmail, Google Docs, and other Google services every time I returned to or refreshed one of those pages, which is understandable considering that blocking the cookie prevents Google from keeping you signed in. Otherwise I was able to use Google services without a problem, including search, viewing and sending Gmail, and accessing, creating, uploading, and downloading Google Docs files.

While people are rightly concerned about who is watching and recording their Web activities, at least Google makes it possible to use the company's services without being too forthcoming with your personal information. ISPs and other Web services do as much tracking as Google--or more--but garner far fewer headlines. For a detailed look at the state of privacy in the digital world, read about the Electronic Frontier Foundation's Surveillance Self-Defense project.

After all, the true threat to privacy is from the trackers we don't know about, and who aren't household names.

Skype lapse allows hackers to track your BitTorrent downloads

Scientists have devised a stealthy and low-cost way to track the internet protocol addresses of tens of thousands of Skype users, and link the information to their online activities such as the sharing of specific files over BitTorrent.

The method, which is laid out in a recently published academic paper, works even when Skype users have configured their accounts to accept calls only from people in their contact lists. It also works against Skype users who aren't currently logged in, as long as they've used the VoIP program in the past three days. The system is able to link an individual Skype user to specific BitTorrent activity, even when they share the IP address with others over a local area network that uses NAT, or network address translation.

“We have shown that it is possible for an attacker, with modest resources, to determine the current IP address of identified and targeted Skype user[s] (if the user is currently active),” the 14-page paper stated. “In the case of Skype, even if the targeted user is behind a NAT, the attacker can determine the user's public IP address. Such an attack could be used for many malicious purposes, including observing a person's mobility or linking the identity of a person to his internet usage.”
The scientists found that it was relatively easy to find the ID of most Skype users when their email address and birth name are known to the attacker. Additional information, such as the target's city of residence, sex, or age, brought greater accuracy to the task.

They then called the target's Skype account using a customized system that sent specially crafted packets. By examining the headers of the data that was returned, they had no trouble determining the person's IP address. Because the scientists prevented a TCP, or transmission control protocol, connection from being fully established during the probing, targets had no idea their Skype accounts were being tracked. The scientists devised the system so that it could track 10,000 people for about $500 per week.

After learning the IP addresses of individuals, the scientists tapped BitTorrent sites to track the specific downloads of addresses in their database. Even when one of the IP addresses was shared among many users on a single network, the method was able to link a single Skype user to a specific download by, among other things, collecting identifiers known as infohashes from BitTorrent networks.

The scientists said Google Talk, MSN Live and other real-time communication applications may also be susceptible to the technique, but they singled Skype out for containing what they called “a major privacy vulnerability.”

In a statement, Adrian Asher, chief information security officer in Microsoft's Skype division, said: “We value the privacy of our users and are committed to making our products as secure as possible. Just as with typical internet communications software, Skype users who are connected may be able to determine each other's IP address. Through research and development, we will continue to make advances in this area and improvements to our software.”
The research paper, which is titled I Know Where You are and What You are Sharing, made several recommendations for improving Skype's ability to conceal the identity of its users.
“One solution that would go a long way is to design the VoIP system so that the callee's IP address is not revealed until the user accepts the call,” it stated. “With this property, Alice would not be able to inconspicuously call Bob. Moreover, if Alice is a stranger (that is, not on Bob's contact list), and Bob configures his client to not accept calls from strangers, then this design would prevent any stranger from tracking him, conspicuously or otherwise.”
A PDF of the paper is here.

We don't track logged-out users, says Facebook

Facebook has attempted to shoot down claims that it leaves cookies on users' machines even after they log out of the social network. The response came after an Australian blogger alleged the site can still snoop on your web surfing after you've signed out.

Nik Cubrilovic, concerned about Facebook's approach to privacy, said that logging out doesn’t make a blind bit of difference, adding that Facebook still has ways to potentially track your behavior.

Cubrilovic’s conclusion after examining the behavior of Facebook’s cookies is simple: “Even if you are logged out, Facebook still knows and can track every page you visit.”

This is because instead of telling browsers to remove cookies when users log out, Facebook merely "alters" the state of those little parcels of data – including the cookie that stores your account number.

As a result, if you happen to pass by a page with a Facebook “like” button, "share" button, “or any other widget”, your information – including your account number – will be sent back to Facebook. And if you log into Facebook from a public terminal, those cookies could be left behind.

However, Facebook doesn’t agree. Whether or not Cubrilovic’s claim that he notified Facebook without response during 2010 is accurate, he certainly got a hair-trigger response from Facebook this time.

In a comment on Cubrilovic's blog, a Facebook engineer – identifying himself as staffer Gregg Stefancik – said that “our cookies aren’t used for tracking”, and that “most of the cookies you highlight have benign names and values”.

"Generally, unlike other major internet companies, we have no interest in tracking people," the insider added.
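The distinction Cubrilovic draws, between a logout that removes cookies and one that merely rewrites them, can be checked from the Set-Cookie headers of the logout response. The added example below (not Facebook's code; the cookie names, values and dates are constructed) parses such headers and reports which cookies are actually cleared and which survive, along with the header a logout handler should emit to delete a cookie.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Constructed Set-Cookie headers standing in for a logout response. The names
# and values are invented for this example and are not Facebook's cookies.
LOGOUT_RESPONSE_HEADERS = [
    "session_token=; Expires=Thu, 01 Jan 1970 00:00:00 GMT; Path=/; Domain=.example.com; HttpOnly",
    "account_id=; Max-Age=0; Path=/; Domain=.example.com",
    "browser_id=ab12cd34; Expires=Sat, 01 Oct 2011 00:00:00 GMT; Path=/; Domain=.example.com",
    "locale=en_US; Path=/",
]
# The moment the response was observed (constructed), passed in explicitly so the
# check is deterministic.
OBSERVED_AT = datetime(2011, 9, 26, tzinfo=timezone.utc)


def parse_set_cookie(header):
    """Split a Set-Cookie header into (name, value, {attribute_lowercase: value})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def cookie_is_cleared(header, now):
    """A browser removes a cookie only when Max-Age <= 0 or Expires is in the past
    (RFC 6265). An empty or changed value alone just stores a new cookie."""
    _, _, attrs = parse_set_cookie(header)
    if "max-age" in attrs:
        try:
            return int(attrs["max-age"]) <= 0
        except ValueError:
            pass  # RFC 6265: a malformed Max-Age is ignored, fall through to Expires
    if "expires" in attrs:
        try:
            return parsedate_to_datetime(attrs["expires"]) <= now
        except (TypeError, ValueError):
            return False  # unparseable date: the cookie is not being deleted
    return False


def audit_logout(headers, now):
    """Classify each cookie the logout response touches as cleared or rewritten,
    so a reviewer can see which identifiers survive logout."""
    result = {"cleared": [], "rewritten": []}
    for header in headers:
        name, _, _ = parse_set_cookie(header)
        result["cleared" if cookie_is_cleared(header, now) else "rewritten"].append(name)
    return result


def clearing_header(name, domain, path="/"):
    """The Set-Cookie header a logout handler should emit to actually delete a cookie:
    both Max-Age=0 and a past Expires, for browsers that honour only one of them."""
    return "%s=; Max-Age=0; Expires=Thu, 01 Jan 1970 00:00:00 GMT; Path=%s; Domain=%s" % (
        name, path, domain)


if __name__ == "__main__":
    report = audit_logout(LOGOUT_RESPONSE_HEADERS, OBSERVED_AT)
    print("cleared on logout:", report["cleared"])
    print("still present after logout:", report["rewritten"])
    print("correct deletion header:", clearing_header("browser_id", ".example.com"))
```

In the constructed response, session_token and account_id are really removed, while browser_id survives with a future expiry and locale lives on as a session cookie. Any identifier in the second group is still sent with every request to the domain, which is the mechanism the post describes for "like" buttons and other widgets on third-party pages.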