Privacy at Risk – Key Sharing is Even More Prevalent

key sharing

SEC Consult first warned about private key sharing in November 2015. After looking at 4,000 internet connected devices using hardware from 70 makers, the international security consultancy concluded that way too many devices were accessible with the same ‘skeleton key’. Vulnerable products included anything from home routers, to Internet of Things (IoT) appliances, to industrial equipment.

Now, the situation appears to be getting rapidly worse. A recent update from SEC found a 40 percent increase in key sharing over just nine months; 4.5 million devices are currently at risk, 1.3 million more than last autumn. Key sharing is a privacy risk because it means that cracking a single code gives hackers access to numerous different devices. With the risk of leaks so high, privacy services, such as those offered by ReputationDefender are becoming even more important.

A closer look at key sharing 

The root of the problem is the replication of known encryption keys and certificates across multiple internet-connected products. These keys make up the security protocol used to access HTTPS sites. HTTPS stands for HyperText Transport Protocol Secure. In contrast to the HTTP prefix, HTTPS indicates that the connection is being protected by some form of encryption. SEC Consult studied SSH, SSL and X.509 certificates.

This might sound a bit obscure to the average internet user, but the numbers speak for themselves. SEC found two certificates duplicated most commonly: 500,000 products have been found using the first, while 280,000 web connected systems employ the second. In all, the latest research uncovered 331 matching certificates and 553 individual private keys shared across all 4.5 million products.

With a number of large scale hacks in the news recently, most people have heard about the dangers of sharing similar passwords amongst personal accounts. Essentially this is what manufacturers are doing on a larger scale. Hackers are able to extract the code from one device and then can use it to log into thousands of others or launch a ‘man-in-the-middle’ attack by decrypting a connection in progress.

Why is this happening?

Mostly it comes down to laziness on the vendor’s and manufacturer’s part. Software developer tools are sold to manufacturers with default keys already in place. In turn, little or no effort is made to individualize these security codes. Example certificates that can be extracted easily by anyone with the right technical ability are often copied right into the finished product.

SEC Consult says the increase in vulnerabilities is due to lack of security patching from vendors: insufficient firewalling by users and ISP’s, and the growing number of IoT appliances contribute greatly. In the end, the solution requires each specific device to employ an individual code. However, this would require sellers to maximize security and for manufacturers to be more responsible about the products they release.

What can you do?

To increase security, SEC Consult recommends that “end users should change the SSH host keys and X.509 certificates to device-specific ones,” but goes on to add, “this is not always possible.” The technical skill required goes beyond that of most buyers, and many devices don’t even have permission for end-users to update the security configuration. As such, there’s not much an individual can do to protect themselves against this threat except to limit the number of IoT appliances in their home, and again recognize, that any action taken on the internet is essentially public.

Please follow and like us:

Online Privacy Makeover – The Ultimate Guide Continued

online privacy

There are no fail-safe measures when it comes to internet security and online privacy, but the steps listed in our previous article will make your accounts much harder to hack. Next you will need to update your internet privacy to limit public sharing of details about your location and personal life. This can be a security risk also, since access to personal data will help hackers get past the security measures you just put in place.

Online Privacy Makeover

  • Check your address – professionals who own their domain name may find that their location and personal details are available online on Whoisnet. If this is the case, contact the service where you bought your domain name, and update your privacy settings, so your data won’t be visible. Other vulnerabilities in the UK include Freelectoralrolls.com and Companies House which may list your address online. You can contact your local electoral registration office and ask to be removed from the public records. If your personal address is available through Companies House contact them directly also, and ask that anything unrelated to your professional profile be removed. If you live in the US, there are even more agencies which could list your address (Spokeo is one example). To avoid being identified you will need to contact each one and ask to have your personal data removed.
  • Check your online privacy settings – if you interact personally on social media sites, this can be a big information leak. Double-check your settings to make sure you’re not automatically sharing pictures or posts publically. If you have a lot of social media accounts, you will need to make a list and go through them all one by one to make sure you don’t miss any. Remember, if you click share on an article page, this will always be public. It’s much better to copy and paste the address into your post.
  • Verify family members – it won’t matter how careful you are about online privacy and security, if family members don’t take the same measures. This is even more important for companies based on a family name since everything relatives do online will reflect back on the brand. Admittedly pushing your family to run through all the same measures listed in this article might not be easy. Once you’ve learned the ropes, try sitting down together and making a fun interactive security day.

Other security options

You’ve completed the basic security and privacy measures listed above, but you’re still concerned about what happens if your computer or mobile phone is hacked. If this is the case you can keep going with your makeover by installing programs that will protect you in the case of an emergency.

Little Snitch and Wireshark are two options that will show exactly what data your computer is sharing. These programs warn you immediately if your computer is hacked so you can take action right away. Another important protection for your mobile phone is “Prey,” a program that lets you wipe data in the advent that your phone is ever stolen.

None of these measures are absolutely necessary if you’ve already updated and double-checked your settings as outlined above. But they do add an extra layer of protection for individuals who have reason to be concerned.

Please follow and like us:

Online Security Makeover – The Ultimate Guide

online security

Online security is a bit like the newest household chore. We know it’s important; we do our best to keep up with it, but somehow few of us are as thorough as we’d like to be. Anyone who reads this blog regularly, knows they should change passwords often, use a unique, individual password for each site, and check frequently to see if vulnerable personal data is available online. Still, how do people have time to make this part of a daily or weekly routine? Looking at the number of celebrity hacks and internet missteps, it’s clear that even the most successful people don’t fare much better.

This guide will help lay out the most important things you can do to protect yourself online. This is doubly important for high profile individuals who represent a much bigger target for hackers. Reputation damage can be a problem in almost any career and keeping security and privacy settings up-to-date will go a long way to prevent the issue.

Step-by-step guide to becoming worry-free

The following measures will take an hour at the very minimum, and probably longer depending on how tech-savvy you are. You may want to break the work down to focus on security in one session and privacy the next. Once these steps are complete, you’ll be able to get on with your life, free of immediate concern over internet vulnerabilities. If you are someone who spends a lot of time forgetting their password, you’ll probably even find things run a lot smoother!

Online security

  • Choose a password manager – this is first step in any online security makeover. It’s not as simple as it might sound given the range of password managers available, from free versions to those with a yearly fee or a one-time license cost. LastPass is the easiest and most popular option. It comes as a free download, but to include your mobile phone you will need the premium version with a US $12 yearly cost. LastPass had some security issues in 2015, but most people agree it was well handled. According to security expert Troy Hunt, “their hashing approach was solid and designed to be resilient.” LastPass is a cloud based system so your passwords will be stored in the cloud, however they will be downloaded to your computer before they are un-encrypted. Other systems like KeePass and 1Password opt for offline storage which is slightly more secure. Passwords can still be manually synced between devices, but they are stored on your computer or on a USB drive rather than the cloud. Dashlane is another well-rated option that is secure as well as easy to use, but the US $40 yearly fee can be prohibitive.
  • Update your accounts – once you’ve chosen and downloaded your password manager, you will need to go through all your accounts to store each password in your password manager. Make a list of every account you can think of, from bank accounts to social media pages, to Amazon.com and other places you order online, and go through them one by one. Unless you already have a strong password system, you will want to let the manager generate a new, unique password for each site. If you prefer to keep your existing passwords, some models like LastPass will capture these and highlight weaknesses, however it’s generally easier to let the manager generate and remember passwords.
  • Create a master-password – you will need to choose a secure, memorable master-password for the manager itself. Try using the first letters of a unique phrase and substitute capitals, numbers, and symbols for some letters. Avoid giving yourself hints that could make your master-password too easy to guess. Remember, this password will allow access to all your accounts, so it needs to be memorable for you but un-guessable to anyone else.
  • Add two-step verification – many sites like Twitter, Facebook and Gmail now offer two-step verification. It’s important to activate this measure since it will protect you in case of an online security issue with your password manager. Two-step verification will send a code to your cell phone or another email address which you will then be required to enter in order to sign on. This measure will kick in anytime you change your password or sign in from a new computer. If you think this sounds cumbersome, remember how many emails and texts you receive on a daily basis. You’ll rarely be trying to access your account without your cellphone immediately handy.

In the next article in the series, we will move on to the subject of online privacy and show you what additional steps you can take to stay protected.

Please follow and like us:

Password Memorization Difficulties? – Google Suggests the End May Be Near

password privacy google

Many people will be happy to hear about Google’s latest project. Partnering with the password manager, Dashlane, Google is working on devising a smooth universal link that will allow Android users to log into all their apps with a single password.

Those of you who read our blog regularly, are familiar with the issues surrounding passwords that are too simple and/or duplicated across multiple sites. The recent release of stolen information from LinkedIn, Tumblr, and others highlighted how vulnerable these practices can be, giving hackers access to a number of different accounts with a single data breach. Yet at the same time, memorizing numerous fourteen character passwords, that include capitalization, numbers and symbols, is a difficult if not impossible task.

Open Yolo

Google and Dashlane are working together to create a secure system that would make password management easier by facilitating all logins through a single password. Titled Open Yolo (as in “you only login once”), this “open-source” connection would be universally accessible for all “third party apps” on the Android system. When Open Yolo is functional, users will only have to remember a single credential for their password manager. Once they log into the manager, they’ll have immediate authentication with all their accounts.

Currently, most password managers will automatically type your saved credentials into Android apps, but compatibility is uneven, and the process is cumbersome and time-consuming. Apple’s iOS system faces similar issues since many apps don’t support the feature. In most cases, users still end up needing to remember a number of complex passwords, or face resetting through an external link when they forget.

Open Yolo would be the first Open API of its kind, allowing universal access though the Android platform, regardless of the app or the password manager. Malaika Nicholas, community manager with Dashlane, says this will “increase online security” for Android users. She hopes in the future the system will become “universally implemented by apps and password managers across every platform and operating system”.

Other Google projects

Open Yolo isn’t the only Google project aimed at streamlining security. Android’s “smart-lock” system provides a number of non-traditional options for logging in using biometrics or location and some limited password sharing through Chrome. Just this year, Google added an option for simpler two-step verification known as “one-tap push notifications”. Users that choose this option will still get the security of an email or text sent to another account, but, instead of having to copy down a code and enter it, they will only need to push “yes” or “no”. to access their account.

Please follow and like us: