Tag Archives: Data Security

How to Keep Your Home Made Porn Safe?

Posted on by under Basics Of Digital Privacy

Contrary to popular believe there is a lot you can do to protect yourself from having your intimate pictures and videos stolen.  The first thing is STOP PUTTING THEM ON THE INTERNET.  When you save those files to that fancy Mac computer it uploads them to iCloud to back them up (Windows users, don’t get smug, there’s plenty of services to do this on Windows as well).  This means that they are on the Internet.  At this point you are asking for trouble.  If it is on the Internet you can assume that someone is going to attempt to find it and share it.

If you are going to put the files on the Internet via iCloud, DropBox, Cubby, etc. then encrypt the files.  If they are encrypted it will be a LOT harder for someone who downloads them to view them.  They can share them all they want, but without your encryption key they won’t be able to see the data in the files.  Now if you aren’t involved in technology this probably sounds pretty hard, and it can be but if you’ve got files that you really don’t want to have out there for the public to view, then it’s probably worth an afternoon of your time to learn about this stuff so that you can protect yourself.  Do some reading, take a class at the local community college, buy my book, there’s lots of options available to you.

If you have these sorts of pictures and videos that you don’t want online, grab an old computer, disconnect it from the Internet, and put the files on there.  Use this machine for only those files, and never connect it to the Internet.  Odds are you don’t plan on sharing those files with anyone besides yourself, so having them on a computer which can’t get on the Internet probably isn’t a big deal.  If you loose those files is it that much of a problem?  After all you can always take new ones, and that’s most of the fun anyway, right?

After you’ve got your files encrypted you still need to do things like put a pin number on your cell phone, put passwords on all of your computers (especially that one with the naughty pictures on it), and use two factor authentication for everything that allows you to including your email, blogs, websites, banks, etc.  Of all of these your email is the most important one to have two factor authentication for, as this is where all the other services will send password reset messages to.

Now for the love of god, remove all those pictures from the Internet before you do anything else.

It Is Shocking What You Can Find On the Internet

Posted on by under Basics Of Digital Privacy

If you know how to do some creative looking around on the Internet, it is truly shocking just how much access you can get to systems without really trying.  Recently an Internet Security Expert Paul McMillan (@PaulM) build a tool to scan for machines which were exposed to the Internet and which didn’t have any security in place so that if you knew they were there would simply allow you to access them.  What was found, and the screenshots which were published are a shocking display of systems security failure.

You would think that various colleges around the US would have a better idea of network security, but apparently not.  Now these aren’t really all that important, and it would slightly embarrassing at worst if someone started making changes to these.  However not everything that was found was so.

A kiosk at a college

A kiosk at a college

Something else at a college

Something else at a college

Display board of a college library

Display board of a college library

A desktop at a college

A desktop at a college

There’s some stuff that could have a direct impact on peoples day to day lives.  Such as the controls for a grain silo, which I could be told to dump all the grain from the silo onto the ground, which would ruin the grain and cost the farmer a lot of money.

Appears to be a Grain Silo

Appears to be a Grain Silo

Or we could lock down the pumps at this gas station.

A large Gas Station

A large Gas Station

Ever wanted to control a car wash?

A Car Wash Control System

A Car Wash Control System

How about a movie theater?

Cinema City Movie Theater Control System

Cinema City Movie Theater Control System

Or maybe we could screw around with the Parking ticket Kiosk for the city of Oakland, California, USA.

City of Oakland Parking Ticket Payment System

City of Oakland Parking Ticket Payment System

There were a large number of people’s desktop computers just sitting there available.  In this one the person is writing code for an application.

Someone actively writing code

Someone actively writing code

It isn’t just small companies that have their systems exposed to the Internet for no reason at all. Here’s the Double Tree hotel in Boston, MA (a member of the Hilton family of hotels).  This system happens to be the display board for what’s going on in the conference rooms on the day the screenshot was taken.

The Boston Double Tree's conference room TV

The Boston Double Tree’s conference room TV

So far all of these systems have been pretty harmless.  But there are some pretty big control systems online as well.  Here’s the control systems for a hydro-electric plan which is producing around 480kw or power.

Some sort of Hydro-electric plant generting about 480kw of power

Some sort of Hydro-electric plant generating about 480kw of power

Here’s what appears to be another power plant.

My best guess is a power plant

My best guess is a power plant

Or if coal mining is more your speed, this appears to let us control the loaders, belts, trains, etc. for an active coal mine.

Coal Mine Control System

Coal Mine Control System

Here’s the control systems for a few more power plants, all of which are available to anyone who knows how to look for them.

A Power Plant

A Power Plant

Another Power Plan

Another Power Plan

Yet another power plan

Yet another power plant

I’m not really sure what this controls, but it looks pretty important.

Something very industrial looking

Something very industrial looking

I wonder what kind of wells these are that we can shutdown?  Water, oil, could be anything.

What appears to be a well monitoring system

What appears to be a well monitoring system

Maybe there’s someone important hooked up to this heart monitoring system at a hospital.

Heart Monitor for a hospital bed

Heart Monitor for a hospital bed

Every one of these systems can be connected to, and controlled from anywhere in the world because they don’t have even the most basic network security setup on these devices.  Do any of these devices need to be connected to the public Internet?  No, there’s no valid reason for a single one of these to be on the Internet, but they are.

Companies who run these systems need to take better care of their networks, because eventually someone who is looking to do some actual damage is going to stumble across the tools and techniques which are used to find and access these systems.  And once that happens it’s to late.  Thankfully Paul McMillan was just doing research, imagine if his plan was to do actually do damage.  I’ve shown you just some of the power plants, hospital equipment, and food storage locations which he found.  It would have been a simple task to just shutdown all those systems one by one as he found them and no one would have had any idea that it was him, or even what happened.  According to all the logs at the power plants someone would have issued the shutdown command from which ever control system that Paul was connected to.

Someone needs to get the message out to these companies, utilities, etc. that they need to fix these problems BEFORE it’s to late, not after.

Denny

Special Thanks to Paul McMillan for doing the hard work of scanning all these systems, and to Information Security Expert Dan Tentler (@Viss) for sifting through and finding some of the interesting ones and sharing them with me for this post.http://basicsofdigitalprivacy.com

Enjoying That New Credit Card Number? Time To Get Another One.

Posted on by under Basics Of Digital Privacy

So apparently there’s yet another data breach.  This time at the arts and crafts chain Michaels.  In their announcement (available here) they don’t say when the breach started, when it ended, if it has ended, or really anything about the breach other than the fact that it happened.

The safest assumption is that if you’ve used your card at Michaels in the second half of 2013 you’ll want to request a new card from your bank.  If you don’t want to go through the hassle of getting yet another new card then at the least you’ll want to monitor your bank account regularly to ensure that no one else is using your card to have purchases. I’d go with this for now until Michaels tells us more about the details of the breach.

Denny

Has My Email Address Been Compromised?

Posted on by under Basics Of Digital Privacy

There is always a problem when it comes to knowing if your data has been compromised on line.  That problem is how do you know if your data has been compromised?  Until now you would need to download and scan the list of compromised accounts yourself.  Now there is a much easier way.

The website “have i been pwned?” (https://haveibeenpwned.com/) has been created to help you solve this exact problem.  This website is very simple, when there are large amounts of data which have been breached and the lists made public they will be loaded into this website so that you can search and see if your account was on one of the lists.

have i been pwned

Let me be clear, the person who created this website is NOT the person who is stealing your data, he’s just taking data that someone else has stolen and making it so that you can easily search the data without having to figure out where to get the data, and without having to figure out how to search through all this data manually.

So who created this site?  The answer here is also pretty easy, his name is Troy Hunt and he is trustworthy.  He is a well known IT security researcher and author who made this website to make everyone else’s life easier.  If you have questions about the site, I would recommend checking out the FAQ that is posted.  If you’ve read Basics of Digital Privacy Troy’s name may look familiar.  This is because I talked about Troy a couple of times in the book, and you’ll see a couple of links to Troy’s blog over on the links page, specifically this one.

Currently the website allows you to search the site, and it allows you to setup alerts so that when new data is loaded into the system if your email address has been compromised the website can email you.

I highly recommend checking your email address via this website and setting up alerts for your email address.

There are new features coming that Troy is working on, but I’m not going to steal Troy’s thunder.

Denny

 http://basicsofdigitalprivacy.com