Snapchat, your house was not ransacked…

NRK (Norway) recently reported on the Snapchat hack and they started off with the following line (Google translated):

If someone breaks into a young girl’s house, steals nude photos of her and hangs them up in the neighborhood, is it her own fault?

Taking the statement at face value…it’s not like that.

Using the analogy:

  • The house is the phone
  • The package where the photos are kept is the application
  • The delivery method (postal service) is the application sending the file to the cloud service
  • The warehouse is a ‘cloud’/online service (SnapSaved)
  • So… the photos are sent from home to a warehouse and redistributed to other houses; nobody is breaking into the house.

So, the intruder is not breaking into the house, they are breaking into the warehouse.

You have very little control over the package once it leaves your house.

In theory, the house is safe as long as the photos are not sent to the warehouse.

As previously mentioned, the warehouse (application cloud/online service) and the delivery method (application) need to be secured; whose responsibility is that?

Note:

  • No one broke into anyone’s phone!
  • It’s not the victim’s fault, but just as any delivery service has an ‘items may be lost in transit’ policy or an ‘insurance’ service for valuable items, the application owners must communicate the equivalent risks to the victims (Snapchat was irresponsible for stating that their service is ‘safe’/‘secure’! How can you guarantee a service when other services can ‘access their service’?)
  • Yes, another application issue

It is important to get the analogies right to properly understand and appreciate the issue at hand. Lawmakers, speak to the professionals!

http://www.nrk.no/ytring/snapchat-i-steinalderen-1.11985369

http://www.theinquirer.net/inquirer/news/2375126/hackers-post-at-least-100-000-intercepted-snapchat-photos-on-4chan

Burn Phones are the new black

It appears that the burn phone idea ‘is catching on’ in the celeb world.

The iPhone scandal, eavesdropping, etc. are all catalysts for increased privacy.

Note the use of the burn phone: details are sent directly to the phone, and there is a ‘lack of trust’ in the guests’ own phones.

http://www.theregister.co.uk/2014/09/30/clooney_wedding_burner_phones/

Trusting the cloud

A recent incident is making the rounds involving private photos of celebrities, iCloud and a hacker.

The hacker ‘broke’ into a few celeb accounts, pillaged and published.

The celebs lost their private moments.

A number of points here:

  1. If you are of value, you will be a target. Pretty obvious here.
  2. There would be no way that the celeb would know that they were under attack. The attack was not done on their phone, the attack was done ‘on the cloud’.
  3. Poor application security allowed this to happen. To be precise, a combination of poor application security and poor passwords allowed this to happen.
  4. If you are a potential target, consider what your potential loss is or speak to a professional.
  5. Finally, if you want your pics to be private, don’t use a cloud service. Remember, anything on the net is considered to be public!

http://www.bbc.co.uk/newsbeat/29008876

Ok, one more on application security.

Application developers must take responsibility for ensuring their clients’ security.

Poorly coded software combined with growing network complexity has increased the attack surface at many organisations and it is taking its toll financially, said Spafford.

He called for an investment in computer programming education and a move by software manufacturers to embed software security concepts early into the development process.

http://news.techeye.net/business/security-industry-run-aground

Also, personal information + poorly coded software + in the public = disaster waiting to happen.

Putting your passwords in the cloud is not a good idea…it’s like putting your cash in a suitcase and leaving the safe in the middle of a busy road.

http://www.darkreading.com/cloud/hacking-password-managers/d/d-id/1297250

Hotel (un)safe

Did someone mention that last week was hotel safety week? Do you think your hotel is safe?

Hotel Wi-Fi is probably a bad idea, but so are ‘free’ computers at hotel business centers.

What about your hotel safe? The reason hotels recommend that you put your valuables in the main hotel safe is that the room safe is…well, not as safe.

What are your options?

  • Obviously, don’t use any public computers…you don’t get something for nothing!
  • If you have to use Wi-Fi, use an encrypted VPN
  • Hotel safes: yes, use the hotel’s main safe.
  • Credit card swipe safes: don’t use a credit card…if you have a store loyalty card, library card, etc. (something that is not of value), use that. Better still, use the hotel’s main safe if the item really is expensive or a pain to replace. Think what would happen if someone got your passport, …

http://krebsonsecurity.com/2014/07/beware-keyloggers-at-hotel-business-centers/

http://www.theregister.co.uk/2014/07/17/hotel_safe_unsafe/

Whatever you put on a site, it is no longer private

There are a number of reasons why:

  • Your security settings may allow the public access to your information (unless you tie them down and monitor them for changes made by the hosting site)
  • The hosting site (e.g. Facebook) has access to your information (you read the EULA, didn’t you?)
  • Law enforcement has access to your information (depending on jurisdiction, with or without a warrant)
  • Hackers may break/steal/social engineer their way through to get access to your information (the last option being the most likely)

What are your options:

  1. Never post anything that would get you expelled, fired or arrested
  2. Don’t post anything that would get you kicked out of your house, break up your relationship or start a fight
  3. Don’t post anything that could be used against you

http://nakedsecurity.sophos.com/2014/06/30/facebooks-facing-a-losing-battle-to-protect-users-privacy/