Basics of Digital Privacy Is Now Available in Portuguese

I’m pleased to announce that Basics of Digital Privacy is now available in Portuguese. Based on the package that I just received from the publisher, someone from the Brazilian branch of the publisher liked the book enough that they took their option to publish the book in Portuguese as well as English. This makes the book available in Brazil in their native language, opening the book up to another 200+M potential readers.

I welcome these new readers of the book (and hopefully this blog, which is only published in English, sorry about that) and hope that they did a good job translating the book so that it makes sense in Portuguese.

Getting a book translated into another language is a first for me.  All I can say is that it’s pretty cool that someone feels that my work is good enough to take the time and money to translate it into another language.

Denny

http://basicsofdigitalprivacy.com

How to Keep Your Home Made Porn Safe?

Contrary to popular belief there is a lot you can do to protect yourself from having your intimate pictures and videos stolen. The first thing is STOP PUTTING THEM ON THE INTERNET. When you save those files to that fancy Mac computer it uploads them to iCloud to back them up (Windows users, don’t get smug, there’s plenty of services to do this on Windows as well). This means that they are on the Internet. At this point you are asking for trouble. If it is on the Internet you can assume that someone is going to attempt to find it and share it.

If you are going to put the files on the Internet via iCloud, Dropbox, Cubby, etc. then encrypt the files. If they are encrypted it will be a LOT harder for someone who downloads them to view them. They can share them all they want, but without your encryption key they won’t be able to see the data in the files. Now if you aren’t involved in technology this probably sounds pretty hard, and it can be, but if you’ve got files that you really don’t want to have out there for the public to view, then it’s probably worth an afternoon of your time to learn about this stuff so that you can protect yourself. Do some reading, take a class at the local community college, buy my book; there’s lots of options available to you.

If you have these sorts of pictures and videos that you don’t want online, grab an old computer, disconnect it from the Internet, and put the files on there. Use this machine for only those files, and never connect it to the Internet. Odds are you don’t plan on sharing those files with anyone besides yourself, so having them on a computer which can’t get on the Internet probably isn’t a big deal. If you lose those files is it that much of a problem? After all you can always take new ones, and that’s most of the fun anyway, right?

After you’ve got your files encrypted you still need to do things like put a PIN on your cell phone, put passwords on all of your computers (especially that one with the naughty pictures on it), and use two-factor authentication for everything that allows you to, including your email, blogs, websites, banks, etc. Of all of these, your email is the most important one to have two-factor authentication for, as this is where all the other services will send password reset messages.

Now for the love of god, remove all those pictures from the Internet before you do anything else.

It Is Shocking What You Can Find On the Internet

If you know how to do some creative looking around on the Internet, it is truly shocking just how much access you can get to systems without really trying. Recently an Internet security expert, Paul McMillan (@PaulM), built a tool to scan for machines which were exposed to the Internet and which didn’t have any security in place, so that anyone who knew they were there could simply access them. What was found, and the screenshots which were published, are a shocking display of systems security failure.

You would think that various colleges around the US would have a better idea of network security, but apparently not. Now these aren’t really all that important, and it would be slightly embarrassing at worst if someone started making changes to these. However, not everything that was found was so unimportant.

A kiosk at a college

Something else at a college

Display board of a college library

A desktop at a college

There’s some stuff that could have a direct impact on people’s day-to-day lives. Such as the controls for a grain silo, which could be told to dump all the grain from the silo onto the ground, which would ruin the grain and cost the farmer a lot of money.

Appears to be a Grain Silo

Or we could lock down the pumps at this gas station.

A large Gas Station

Ever wanted to control a car wash?

A Car Wash Control System

How about a movie theater?

Cinema City Movie Theater Control System

Or maybe we could screw around with the parking ticket kiosk for the city of Oakland, California, USA.

City of Oakland Parking Ticket Payment System

There were a large number of people’s desktop computers just sitting there available.  In this one the person is writing code for an application.

Someone actively writing code

It isn’t just small companies that have their systems exposed to the Internet for no reason at all. Here’s the Double Tree hotel in Boston, MA (a member of the Hilton family of hotels).  This system happens to be the display board for what’s going on in the conference rooms on the day the screenshot was taken.

The Boston Double Tree’s conference room TV

So far all of these systems have been pretty harmless. But there are some pretty big control systems online as well. Here’s the control system for a hydro-electric plant which is producing around 480kw of power.

Some sort of Hydro-electric plant generating about 480kw of power

Here’s what appears to be another power plant.

My best guess is a power plant

Or if coal mining is more your speed, this appears to let us control the loaders, belts, trains, etc. for an active coal mine.

Coal Mine Control System

Here’s the control systems for a few more power plants, all of which are available to anyone who knows how to look for them.

A Power Plant

Another Power Plant

Yet another power plant

I’m not really sure what this controls, but it looks pretty important.

Something very industrial looking

I wonder what kind of wells these are that we can shut down? Water, oil, could be anything.

What appears to be a well monitoring system

Maybe there’s someone important hooked up to this heart monitoring system at a hospital.

Heart Monitor for a hospital bed

Every one of these systems can be connected to, and controlled from, anywhere in the world because they don’t have even the most basic network security set up on these devices. Do any of these devices need to be connected to the public Internet? No, there’s no valid reason for a single one of these to be on the Internet, but they are.

Companies who run these systems need to take better care of their networks, because eventually someone who is looking to do some actual damage is going to stumble across the tools and techniques which are used to find and access these systems. And once that happens it’s too late. Thankfully Paul McMillan was just doing research; imagine if his plan was to actually do damage. I’ve shown you just some of the power plants, hospital equipment, and food storage locations which he found. It would have been a simple task to just shut down all those systems one by one as he found them and no one would have had any idea that it was him, or even what happened. According to all the logs at the power plants someone would have issued the shutdown command from whichever control system Paul was connected to.

Someone needs to get the message out to these companies, utilities, etc. that they need to fix these problems BEFORE it’s too late, not after.

Denny

Special Thanks to Paul McMillan for doing the hard work of scanning all these systems, and to Information Security Expert Dan Tentler (@Viss) for sifting through and finding some of the interesting ones and sharing them with me for this post.

What does “Heartbleed” mean to the rest of us?

By now we’ve all read about the Internet bug called “Heartbleed”. But what does this really mean to the rest of us? In a nutshell it means that there is a real good chance that someone you don’t want to have it has your username and password.

Is my computer infected?

No, your home computer isn’t going to be infected with anything.  Heartbleed exists because of a bug in the software which handles the data encryption on some web servers.

Are all websites infected?

No.  Not every website is infected.  There is no easy way for us the end users to know which websites are still suffering from the problem and which ones aren’t.

How can I protect myself?

The only way to protect yourself is to not use websites which are suffering from the Heartbleed problem.  If you are using websites which haven’t had the needed patches installed on them, then any information which you send to those websites could be read by an attacker.

Is there a list of websites which are safe to use?

Sadly no, there is no list of websites.  All you can do is check with the company which runs the website or wait for them to tell you that their webservers have been patched.

Is this something that I need to worry about?

Sadly the answer here is yes. If you shop online, or use the same username or password on different websites then you might be at risk. There’s no way to know if your information has been leaked or not, so it’s best to change your passwords for all the websites that you use.

How would I know if a website is safe to use?

There’s no easy way, or any way to really know for sure. The best bet for an end user is to look at the SSL certificate for the website and see the date when the SSL certificate was issued. If that date is April 2014 or later then it is probably safe. The reason that I say this is that part of the threat is that the private keys for the website’s certificate may have been compromised, so websites are getting new certificates and having the old ones disabled.

Finding out if the certificate is new is pretty straightforward. In your web browser, such as Internet Explorer, Firefox or Chrome, connect to the website in question; I’ll use Google.com as an example. Once connected to the website, find the padlock which shows that the website connection is secure, which I’ve circled below in Internet Explorer, and click on the padlock.

When you click on the padlock you’ll get some basic information similar to what you see below.  Click on the “View certificates” link at the bottom.

This will show you the certificate itself, which you can see below.  At the bottom you’ll see the dates which the certificate is valid from and to.  If the from date is in April 2014 or later then it’s probably safe.  You’ll notice that the from date in this case is April 2, 2014.

If you are using Firefox or Chrome the steps will be very similar but the screens will look a little different.
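
The same date check can be scripted instead of clicked through. The Python below is an added example, not code from this blog: the cutoff of April 1, 2014 encodes the "April 2014 or later" rule of thumb above, the function names are made up for illustration, and the sample certificates are constructed (only the April 2, 2014 "valid from" date comes from the example above).

```python
import socket
import ssl
from datetime import datetime, timezone

# The post's rule of thumb: a certificate issued in April 2014 or later.
CUTOFF = datetime(2014, 4, 1, tzinfo=timezone.utc)


def _parse(cert_time):
    """Convert a certificate time such as 'Apr  2 09:58:11 2014 GMT' to UTC."""
    seconds = ssl.cert_time_to_seconds(cert_time)
    return datetime.fromtimestamp(seconds, tz=timezone.utc)


def issued_at(cert):
    """'Valid from' date of a certificate dict as returned by getpeercert()."""
    return _parse(cert["notBefore"])


def classify(cert, now=None):
    """Apply the issue-date heuristic to one certificate."""
    now = now or datetime.now(timezone.utc)
    not_before = issued_at(cert)
    not_after = _parse(cert["notAfter"])
    if not (not_before <= now <= not_after):
        return "not-valid-now"             # expired or not yet valid
    if not_before >= CUTOFF:
        return "issued-since-april-2014"   # "probably safe" per the post
    return "issued-before-april-2014"      # key may predate the fix


def fetch_cert(host, port=443, timeout=5.0):
    """Fetch the validated certificate a live site presents (needs network)."""
    context = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with context.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample certificates in getpeercert() format.
SAMPLE_REISSUED = {"notBefore": "Apr  2 09:58:11 2014 GMT",
                   "notAfter": "Jul  1 00:00:00 2014 GMT"}
SAMPLE_OLD = {"notBefore": "Nov 12 00:00:00 2013 GMT",
              "notAfter": "Nov 12 23:59:59 2015 GMT"}
SAMPLE_EXPIRED = {"notBefore": "Mar  1 00:00:00 2013 GMT",
                  "notAfter": "Mar  1 00:00:00 2014 GMT"}

if __name__ == "__main__":
    # Fixed check time so the constructed samples are judged as of April 2014.
    check_time = datetime(2014, 4, 15, tzinfo=timezone.utc)
    for name, cert in [("reissued", SAMPLE_REISSUED),
                       ("old", SAMPLE_OLD),
                       ("expired", SAMPLE_EXPIRED)]:
        print(name, issued_at(cert).date(), classify(cert, check_time))
    # For a live site: classify(fetch_cert("example.com"))
```

A recent issue date only shows that the certificate was replaced; it does not prove that the server was patched or that a new private key was generated, which is why the result is "probably" safe.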

What should I do?

The best thing you can do is change your passwords for all the websites which you use, and use a different password for each website.

As I learn more about this, I’ll post it here.

Denny

British Medical Records Uploaded to Google

Apparently a consulting company called PA Consulting who has been doing work for the NHS (National Health Service) in England has taken it upon themselves to take the entire patient check in statistics and upload them to Google in order to make it easier to create reports for the NHS.

The amount of data which they uploaded is massive, taking 27 DVDs worth of data (you can typically fit more than one encyclopedia set on one DVD), so you can imagine just how much information that would be if it was printed. To make all this even worse, the servers which make up the Google service which this data was uploaded to aren’t in Europe but in the United States, which is another problem as the European Union (EU) has specific laws about sending data about people who live in Europe outside of Europe.

The kinds of data which were uploaded include the patient’s NHS number, their address, post code (zip code), date of birth, gender, what doctor they saw, as well as their inpatient, outpatient and emergency records.

And all of this was done without any sort of notice to the patients or a way to opt out of having your data uploaded to Google.  This is just another example of people (the ones who work for PA Consulting in this case) trying to get their job done but in doing so creating a massive problem for hundreds of thousands of people (or more depending on how many people’s data was included).

According to the article the information uploaded was the “entire start-to-finish HES dataset across all three areas of collection – inpatient, outpatient and A&E”, so basically everything that the NHS has ever collected.

The number of lawsuits which will be started up and the number of government inquiries will be amazing to watch as PA Consulting attempts to defend themselves from this mess which they’ve just created.

This sort of data breach is the worst kind for consumers because there isn’t any way to protect yourself from this as it was totally out of the hands of the consumers as to what happened and who had access to the data.

This is one of those cases where the best we can do is complain to the people in charge (in this case your local MP) to work to get the data removed from Google’s cloud servers and ensure that something like this never happens again.

Basics of Digital Privacy talked about in Woman’s World Magazine

Well this is definitely a first for me, the book which I wrote “Basics of Digital Privacy” is talked about in a non-IT magazine, in this case Woman’s World magazine. It’s a short one page article, but there’s a couple of quotes from me and mention of “Basics of Digital Privacy” right at the top of the article. If you want to take a peek the magazine went on sale yesterday basically everywhere in the US. It’s the one dated February 17th and it’ll be on sale until about Wednesday or Thursday of next week.

Needless to say I’m pretty thrilled that the book is being recognized outside of the world of IT.

Denny

Enjoying That New Credit Card Number? Time To Get Another One.

So apparently there’s yet another data breach.  This time at the arts and crafts chain Michaels.  In their announcement (available here) they don’t say when the breach started, when it ended, if it has ended, or really anything about the breach other than the fact that it happened.

The safest assumption is that if you’ve used your card at Michaels in the second half of 2013 you’ll want to request a new card from your bank. If you don’t want to go through the hassle of getting yet another new card then at the least you’ll want to monitor your bank account regularly to ensure that no one else is using your card to make purchases. I’d go with this for now until Michaels tells us more about the details of the breach.

Denny

Target’s Credit Monitoring Service is Ready

If you shopped at Target in the United States between Thanksgiving and Christmas then there is a pretty good chance that your credit card data for the credit card that you used was stolen by some cyber thieves.  Because of this massive data theft Target has arranged for credit monitoring services for all Target customers for a year.

The only way to get signed up is via the webpage which Target has set up at https://creditmonitoring.target.com/. Any other website which claims to be signing people up for this (and there are going to be several of them popping up rather quickly) is a scam. Also, if anyone calls you trying to get you signed up, they are scamming you.

If you shopped at Target, I’d recommend getting signed up for the monitoring service.  According to Target:

Guests have until April 23, 2014 to sign up to receive an activation code. Activation codes must be redeemed by April 30, 2014.

So go get signed up,

Denny

Has My Email Address Been Compromised?

There is always a problem when it comes to knowing if your data has been compromised online. That problem is how do you know if your data has been compromised? Until now you would need to download and scan the list of compromised accounts yourself. Now there is a much easier way.

The website “have i been pwned?” (https://haveibeenpwned.com/) has been created to help you solve this exact problem. This website is very simple: when large amounts of data have been breached and the lists made public, they will be loaded into this website so that you can search and see if your account was on one of the lists.

Let me be clear, the person who created this website is NOT the person who is stealing your data, he’s just taking data that someone else has stolen and making it so that you can easily search the data without having to figure out where to get the data, and without having to figure out how to search through all this data manually.

So who created this site?  The answer here is also pretty easy, his name is Troy Hunt and he is trustworthy.  He is a well known IT security researcher and author who made this website to make everyone else’s life easier.  If you have questions about the site, I would recommend checking out the FAQ that is posted.  If you’ve read Basics of Digital Privacy Troy’s name may look familiar.  This is because I talked about Troy a couple of times in the book, and you’ll see a couple of links to Troy’s blog over on the links page, specifically this one.

Currently the website allows you to search the site, and it allows you to set up alerts so that when new data is loaded into the system, if your email address has been compromised the website can email you.

I highly recommend checking your email address via this website and setting up alerts for your email address.

There are new features coming that Troy is working on, but I’m not going to steal Troy’s thunder.

Denny

Target Breach Proves That We Can’t Trust Companies

The news is just getting worse and worse for Target and their customers. Over the weekend it was announced (original announcement from Target is here) that Target has joined an elite club, specifically called the 100 Million club. This is a club that no company ever wants to be a part of because it means that people have stolen data on more than 100 million people from the company.

In the case of the Target breach the first information which was known to be stolen was information for around 70 million credit and debit cards which were used in Target stores (which included one of my cards, which I’ve since canceled). In this new finding (which to be clear was part of the same data theft, but was just found) another 70 million customers’ information has been taken. But the data which was taken this time is very different from the credit card data. This time it was what is called Personally Identifiable Information such as names, addresses, phone numbers, etc. The exact information which someone would need to attempt to open credit cards in another person’s name.

As part of Target's ongoing forensic investigation, it has been determined that certain guest information - separate from the payment card data previously disclosed - was taken from Target. This theft is not a new breach, but was uncovered as part of the ongoing investigation. At this time, the investigation has determined that the stolen information includes names, mailing addresses, phone numbers or email addresses for up to 70 million individuals.

This information is invaluable to data thieves as they can now begin matching this data up against other credit card data which they have in order to build a better profile about the specific credit cards to make it easier to use the stolen card numbers as well as sign up for more credit card accounts.

The breach notification from Target doesn’t give a whole lot of technical information about the breach or if the data which was taken was encrypted or not, but based on the fact that Target announced the breach this tells me that the data wasn’t encrypted which means that Target did not do a proper job securing the data. This leads me directly to what I wrote in Chapter 1 of “Basics of Digital Privacy” where I talk specifically about knowing how the companies which we trust with our data actually secure that data so that we know for sure that the information which we trust them with is fully secured.

For the companies out there, they need to be reading books on data security from both the IT Professional side (such as my book “Securing SQL Server”) as well as from the consumer side (such as my book “Basics of Digital Privacy”) so that these sorts of things can be stopped before they happen.

Denny
