Home Podcasts Videos Guest Posts Q&A My Take Bio Contact
 

Privacy

 

GUEST ESSAY: Why there’s no such thing as anonymity it this digital age

By Goddy Ray

Unless you decide to go Henry David Thoreau and shun civilization altogether, you can’t — and won’t — stop generating data, which sooner or later can be traced back to you.

Related: The Facebook factor

A few weeks back I interviewed a white hat hacker. After the interview, I told him that his examples gave me paranoia. He laughed and responded, “There’s no such thing as anonymous data; it all depends on how determined the other party is.”

App developers, credit card, telecommunication companies, and others use the term “anonymous data” because it sells. But anonymous data really doesn’t exist anymore

Every step online is recorded and stored – our interactions with devices, geolocation, voter registration, time stamps, etc. Machine learning (ML) is currently the leading technique to re-identify any data. Specifically-designed algorithms make pattern-recognition much faster and more efficient. Sometimes the accuracy of identifying is 90% and more.

De-anonymization

Actually, 63% of the population can be identified just by the combination of their gender, date of birth, and zip code.

“Anonymous” or “aggregated” large datasets are often released publicly. As a result, the development of de-anonymization tools is becoming increasingly more advanced. Here are a  few unexpected examples of supposedly anonymous data reversal: …more

MY TAKE: Microsoft’s Active Directory lurks as a hackers’ gateway in enterprise networks

By Byron V. Acohido

Many of our online activities and behaviors rely on trust. From the consumer side, for example, we trust that the business is legitimate and will take care of the sensitive personal information we share with them. But that level of trust goes much deeper on the organizational side.

Related: The case for ‘zero-trust’ authentication

Employees are given credentials that allow them authorized access to corporate networks and databases. IT leadership has to trust that those credentials are used properly.

That need for trust also make credentials one of the most difficult areas to secure. When someone is using the right user name and password combination to gain access, it is very difficult to tell if the user is legitimate or a bad guy. It is why credential theft has become a lucrative attack vector for cybercriminals, with credential stuffing attacks compromising billions of accounts last year.

Credential theft has led to a rise in attacks on tool that’s pervasively used in companies running Microsoft Windows-based networks. That tool is Active Directory. And because Active Directory is an almost universally-used tool in enterprise settings, it has, quite naturally, emerged as a favorite target of threat actors.

I had the chance to sit down with Rod Simmons, vice president of product strategy at STEALTHbits Technologies, a Hawthorne, NJ-based supplier of systems to protect sensitive company data, to discuss this at RSA 2019. For a full drill down, listen to the accompanying podcast. Key takeaways: …more

BEST PRACTICES: Why consumers are destined to play a big role in securing the Internet of Things

By Byron V. Acohido

There are certain things we as consumers have come to do intuitively: brushing our teeth in the morning; looking both ways before crossing a city street; buckling up when we get into a car.

Related: What needs to happen to enable driverless transportation — safely

In the not too distant future, each one of us will need to give pause, on a daily basis, to duly consider how we purchase and use Internet of Things devices and services.

This is coming. We are just getting started with the process of turning over granular control of every aspect of human society to ubiquitous digital sensors tuned to feed endless streams of data into increasingly “intelligent” machine algorithms.

The drivers of IoT-centric commerce appear to be unstoppable. And yet we are overlooking profound privacy and security ramifications. As individual consumers and citizens, we won’t be able to bury our heads in the sand much longer – the way we did when Internet commerce began to radically alter our traditional safety nets in the early part of this century. This time the stakes are too high. Here’s what to expect:

Evermore plugged in

Count on the wide deployment of IoT systems to continue at an accelerated rate. There are already more IoT devices than human beings on the planet, according to tech industry research firm Gartner. Of the 8.4 billion IoT devices in use as of 2017, half are consumer gadgets, like smart TVs, speakers, watches, baby cams and home thermostats; much of the rest is made up of things like smart electric meters and security cameras in corporate and government use.

Another tech industry consultancy, IDC, forecasts worldwide IoT spending will hit a record $745 billion in 2019, some 15.4% more than the $646 billion spent in 2018. This will be led by the manufacturing, consumer, transportation and utilities sectors.

The more data IoT systems collect and analyze, the smarter they get, and the more autonomous decisions they are capable of making. Enterprises are all too eager to tap into the resultant operating efficiencies.

…more

GUEST ESSAY: Australia’s move compelling VPNs to cooperate with law enforcement is all wrong

By Bogdan Patru

The moment we’ve all feared has finally come to pass. When government agencies and international intelligence groups pooled together resources to gather user data, the VPN’s encryption seemed like the light at the end of the tunnel.

Related: California enacts pioneering privacy law

However, it looks like things are starting to break apart now that Australia has passed the “Telecommunications and Other Legislation Amendment (Assistance and Access) Bill 2018”. On the 6th of December 2018, a law that is a direct attack on internet users’ privacy was agreed to by both the House of Representatives and the Senate.

The amendment forces all companies, even VPN providers, to collect and give away confidential user data if the police demand it. All telecoms companies will have to build tools in order to bypass their own encryption.

If suspicions appear that a crime has been or will be committed by one of their users, the law enforcement agencies are in their right to demand access to user messages and private data.

This Orwellian Thought Police is to be the judge, jury, and executioner in a digital world that shelters our personal lives and secrets. All the things we’d like to keep hidden from others. You know, this revolutionary idea called “privacy” Anyone?

Tech companies all over the world are unsure how this can be achieved without installing backdoors into their own security systems. These vulnerabilities are just like a stack of powder kegs ready to blow up at any moment. This is because anyone with knowledge of their existence could theoretically use those security holes to gain access to the user data. …more

MY TAKE: Why Satya Nadella is wise to align with privacy advocates on regulating facial recognition

By Byron V. Acohido

We’re just a month and change into the new year, and already there have been two notable developments underscoring the fact that some big privacy and civil liberties questions need to be addressed before continuing the wide-scale deployment of advanced facial recognition systems.

This week civil liberties groups in Europe won the right to challenge the UK’s bulk surveillance activities in the The Grand Chamber of the European Court of Human Rights.

Related: Snowden on unrestrained surveillance

“The surveillance regime the UK government has built seriously undermines our freedom,” Megan Golding, a lawyer speaking for privacy advocates, stated. “Spying on vast numbers of people without suspicion of wrongdoing violates everyone’s right to privacy and can never be lawful.”

That development followed bold remarks made by none other than Microsoft CEO Satya Nadella just a few weeks earlier at the World Economic Forum in Davos, Switzerland.

Nadella expressed deep concern about facial recognition, or FR, being used for intrusive surveillance and said he welcomed any regulation that helps the marketplace “not be a race to the bottom.”

Ubiquitous surveillance

You may not have noticed, but there has been a flurry of breakthroughs in biometric technology, led by some leapfrog advances in facial recognition systems over the past couple of years. Now facial recognition appears to be on the verge of blossoming commercially, with security use-cases paving the way.

Last November,  SureID, a fingerprint services vendor based in Portland, Ore., announced a partnership with Robbie.AI, a Boston-based developer of a facial recognition system designed to be widely deployed on low-end cameras.

The partners aim to combine fingerprint and facial data to more effectively authenticate employees in workplace settings. And their grander vision is to help establish a nationwide biometric database in which a hybrid facial ID/fingerprint can be used for things such as fraud-proofing retail transactions, or, say, taking a self-driving vehicle for a spin.

However, the push back by European privacy advocates and Nadella’s call for regulation highlights the privacy and civil liberties conundrums advanced surveillance technologies poses. It’s a healthy thing that a captain of industry can see this. These are weighty issues …more

MY TAKE: 3 privacy and security habits each individual has a responsibility to embrace

By Byron V. Acohido

Would you back out of a driveway without first buckling up, checking the rear view mirror and glancing behind to double check that the way is clear?

Consider that most of us spend more time navigating the Internet on our laptops and smartphones than we do behind the wheel of a car. Yet it’s my experience that most people don’t fully appreciate the profound risks they face online and all too many still do not practice simple behaviors that can dramatically reduce their chances of being victimized by malicious parties.

Related: Long run damage of 35-day government shutdown

Why we’re in the ‘Golden Age’ of cyber espionageThe fact is cyber criminals are expert at refining and carrying out phishing, malvertising and other tried-and-true ruses that gain them access to a targeted victim’s Internet-connected computing device. And the malware that subsequently gets installed continues to get more stealthy and capable with each advancing iteration.

This has become an engrained pattern in our modern digital world. A vivid illustration comes from Palo Alto Networks’ Unit 42 forensics team. Researchers recently flushed out a new variety of the Xbash family of malware tuned to seek out administrators’ rights and take control of Linux servers. This variant of Xbash is equipped to quietly uninstall any one of five popular types of cloud security protection and monitoring products used on such servers.

Targeting one device

The end game for this particular hacking ring is to install crypto currency mining routines on compromised Linux servers. But the larger point is that Xbash is just one of dozens of malware families circulating far and wide across the Internet. Xbash gets rolling by infecting one device, which then serves as the launch pad for deeper hacking forays limited only by the attacker’s initiative.

To be sure, it’s not as if the good guys aren’t also innovating. Worldwide spending on information security products and services rose to $114 billion in 2018, up from $102 billion in 2017, an increase of 12.4 percent, according to tech consultancy Gartner. …more

GUEST ESSAY: The true cost of complacency, when it comes to protecting data, content

By John Safa

Facebook was lucky when the Information Commissioner’s Office (ICO)—the UK’s independent authority set up to uphold information rights in the public interest—hit the U.S. social media company with a £500,000 fine.

Related: Zuckerberg’s mea culpa rings hollow

This penalty was in connection with Facebook harvesting user data, over the course of seven years — between 2007 and 2014. This user data became part of the now infamous Cambridge Analytica scandal.

Facebook was very lucky, indeed, that its misdeeds happened before May 25, 2018. On that date, the EU General Data Protection Regulation (GDPR) came into force.

If its violation had happened after that, the fine could have been up to £17 million or 4 percent of global turnover. Yet, even with the prospect of stupendously steep fines hanging over the heads, insecure enterprises still don’t grasp the true cost of data privacy complacency.

According to research by one law firm, pre-GDPR regulatory fines had almost doubled, on average, between 2017 and 2018, up from £73,191 to £146,412. Those figures pale when stacked against the potential bottom line impact that now exists. …more