Wednesday Aug 12, 2009

Reasonable Expectation of Privacy?

I've seen a lot of discussions lately about maintaining your privacy or personal identity on the Internet.

Let me tell you now - if you post something to a newsgroup, blog, Facebook, Myspace, Twitter, Friendster, Orkut, IRC, BBS, or send it in email to a mailing list, it's no longer private.  If you have a health condition you don't want people you work with to know about, don't blog about it or put anything in your Facebook status on it. Instead, talk to your doctor, talk to groups in person, keep a journal at the side of your bed.

I learned about the permanence of such things on the Internet in 1998 when I was interviewing for a job and the interviewer pulled up a little site called DejaNews, a great search engine for netnews that has since been subsumed by Google, and he instantly knew that at the time I had been learning to play the bass guitar, had a pet snake, and had previously worked as a SunOS/Solaris system administrator.  He looked at the questions I had asked, to see if they were intelligent and well thought out. He looked at how I handled the responses I got. Was I gracious? Did I understand the information people were sharing with me?

Fortunately for me, I met his standards, the rest of the interview went well from there, and I got the job.  I was shocked, though; I knew of no such service! I thought that once your postings fell off the news server, they were gone forever. Boy, was I naive!

I watch younger people on Facebook and MySpace posting all sorts of crazy things. Very personal things. Sometimes it's simply venting, but other times the attacks are targeted at a specific person, or the posts reveal very personal information about themselves or their own lack of self control.

I think we're doing a great disservice to future generations if we aren't teaching elementary school kids about the Internet Archive and Google's massive cache. Our ability to grasp the repercussions of our online actions is not keeping up with the technology.

When I was a teenager, my worst fear was having a physical note I handed to someone end up being shared. But, that was one note. Now our equivalents in email and text messages can be digitally shared in seconds with hundreds of people, and you can't take it back.

Some people mistakenly believe that stuff on Facebook can only be seen by your friends. In general, depending on how you have security set up, that's true - unless someone uses a screen capture.  Take these recent "passive aggressive notes" - one woman ("exhibit d") actually managed to lose her job through Facebook (and this is not the first instance I've heard of for that).

Yes, I realize she clearly was not thinking about who was in her friend list before posting, but it still could've been shared by someone else later. I've also seen examples of people screen capturing things that were obvious typos to use to embarrass people forever.

So, whatever you're doing, if you're doing it on the Internet in semi-public forums, don't expect it to be private.

Most of us would believe that at least we can still have privacy in our own homes...

(Oh, please don't mention wiretapping.... or message interception.....)

Tuesday May 19, 2009

vishing?!?! vishing?!

Okay, I learned a new word today - "vishing", which means using "voice" to "phish" data from people.  Am I the only one who couldn't stop laughing after reading this word in the CNet article on vishing?  It's good ol' fashioned social engineering, folks. Tele-scam.  Nothing new, really; autodialers have been doing this nonsense for decades.  And really, any old phone phreakers see the irony in "vishing" being the word associated with *phones*.  Please tell me this won't catch on. I can't imagine the outrage in Beige-ing. ;-)

Thursday Feb 12, 2009

Psychology of a con

One of the biggest security weak spots in all systems is the user.  Yes, there are many complicated processes for attacking networks and cracking password files, but why bother with that when you can simply ask an inside user for their network credentials?  I'm just getting caught up on email and have just read Bruce Schneier's December Crypto-Gram, which highlighted a great article by Paul J Zak called How To Run a Con. While this article is specific to traditional con men and their marks, the same logic applies to how easy it is to social engineer data out of so many users. We want to trust people, and most of all, we want to be trusted, too. Interesting reading!

Friday Oct 31, 2008

One more reason to be paranoid...

As if I wasn't paranoid enough, researchers at the University of California in San Diego have given me one more reason: they've developed software that can duplicate physical keys from photographs. Taken at a distance. Or with a cell phone camera. From any angle. This is really scary stuff. I mean, those '80s made-for-television movies scared me enough - whenever I leave one of my cars for service, or send it through a car wash, I always remove my house keys. Now doing that may not be enough.  Yes, it seems unlikely that everyone will be at risk for this type of attack, but certainly if you are targeted it will be worth someone's effort to observe you and your keys.

Monday Oct 20, 2008

Women more likely to give up passwords for chocolate

As always, the user is the weakest link in the security of the system. It is generally much easier to get a password and user name directly from someone with secure or privileged access than it is to hack/crack the system. This is pretty basic social engineering, and something we all need to constantly be on the lookout for. I was recently cleaning up my email inbox when I came across this article from April in The Register, reporting research that found women are four times as likely as men to give out a password if chocolate is offered in exchange. Four times.  I could never have imagined how something so delicious could so easily be put to such a sinister purpose. *sigh*

Sunday Sep 28, 2008

Cell phone insecurity....

Phone hacking (aka phreaking) is no longer just the domain of the highly skilled and technically motivated that it was in the early 1990s. No longer do you need to get components from Radio Shack and modify them to do nefarious tasks.  You can simply buy a Cellular Seizure Investigation Stick (aka CSI Stick) and learn everything you could ever want to know from someone's cell phone.  This type of stuff has been possible for a long time, and it's why the general security talk I give to high school students includes telling them to NEVER leave a cell phone unattended and unsecured, unless they don't mind someone eavesdropping on their future calls, getting access to all text messages and photos, etc.  This just makes it easier.

Valerie's former weblog. The new one can be found at
