privacy - Page 9

  • the free Windows 10 preview makes a guinea pig out of you without any privacy

    "If you are unaware of Microsoft's privacy policy, now you should pay attention to what the policy says. Microsoft is watching your every move on the latest Windows 10 Technical Preview, thanks to portions of Microsoft's privacy policy, which indicate that the technology giant is using a keylogger to collect and use users' data in a variety of astounding ways without the user being aware.

    "If you open a file, we may collect information about the file, the application used to open the file, and how long it takes any use [of] it for purposes such as improving performance, or [if you] enter text, we may collect typed characters and use them for purposes such as improving autocomplete and spell check features," the privacy policy states.

     

    Essentially, by accepting the Windows 10 privacy policy you are allowing Microsoft to screen your files and log your keystrokes. This means that if you open a file and type, Microsoft has access to what you type and to the file info.

    This could well be one of the reasons why the company insisted that the Windows Technical Preview not be installed on computers that are used every day.

    OTHER DATA COLLECTION

    But wait! Wait! Not just this, Microsoft says it may collect even more data. The company will be watching your apps for compatibility, and collect voice information when you use speech to text. This information will be used to improve speech processing, according to Microsoft.

    "When you acquire, install and use the Program, Microsoft collects information about you, your devices, applications and networks, and your use of those devices, applications and networks," the privacy policy states. "Examples of data we collect include your name, email address, preferences and interests; browsing, search and file history; phone call and SMS data; device configuration and sensor data; and application usage."

    http://thehackernews.com/2014/10/download-Windows-10-keylogger.html

  • FinFisher used by spy agencies to spy on other countries (for example Pakistan and India)

    "CSPF noted that a screenshot containing the target list of a Pakistani customer has 16 Indian IP addresses and only 2 Pakistani IP addresses, suggesting limited 'domestic' use."

    "One of the Exe's leaked by Wikileaks, 'finfisher.2.zip' MD5:074919f13d07cd6ce92bb0738971afc7, when opened shows the image of the 'khushab nuclear reactor' in Pakistan," the report reads.

    "This might have been used to target Indian officers as they might be tempted to click on it and view the image."

    You can find the full report here:
    http://securityresearch.cysecurity.org/wp-content/uploads/2014/09/An-Indian-perspective_finspy.pdf
    http://www.ehackingnews.com/2014/10/pakistan-targets-indian-officials-with.html

    So here is the problem

    you have a private spytech firm that can monitor people through their phones across borders, and for that reason has legal and illegal installations across the world to follow them

    so they probably have such installations in India and Pakistan, and they have clients in India and Pakistan, and probably those two are using it against ..... each other

    which makes this firm a real ..... spy agency, not a technology company

  • the wireless intercepting spy module against you is brought to you by mail

    and it will work until the moment you open it

    but.... it makes it possible to send it to people close to you who know nothing about spying and only have to put the package at a location close to you and change its batteries from time to time (just like watering plants)

    source

    "The Raspberry Pi hack board overcame a variety of capability and power issues, granting it up to 300 hours of power and the ability to report location without GPS, which would drain batteries and be ineffective most of the time. The board can be used to target specific organisations, shipping companies, or any entity along the shipping route, provided the truck either stopped or moved slowly on last mile trips.

    "Pesce got around the location issue by calling Apple's Wi-Fi location mapping through an undocumented API used in the iSniff project. He published the software to GitHub for users to build the system, which was still being continually upgraded. 'It reads in Kismet XML output, reads all BSSIDs, and queries Apple's undocumented APIs to populate a Google Map,' he said."
    http://www.theregister.co.uk/2014/10/03/mail_this_hacker_board_to_attack_wifi_networks_across_the_globe/?mt=1412592264116

  • this is why newspapers need protected communication tools for their sources

    a few have them

    but not in Belgium or the UK

    maybe with this case against a source of the Daily Mail this will change

    because the police will use any law or any possibility to find out who your source is if they don't like the information

    source http://www.dailymail.co.uk/news/article-2780809/How-police-hacked-Mail-Sunday-Officers-used-anti-terror-laws-seize-phone-records-identify-source-exposed-Chris-Huhne-s-speeding-points-fraud.html

  • why full encryption in itself is not an easy fix to secure everything

    "Android has included full disk encryption (FDE) support since version 3.0, but versions prior to 4.4 used a fairly easy to bruteforce key derivation function (PBKDF2 with 2000 iterations). Additionally, because the disk encryption password is the same as the lockscreen one, most users tend to use simple PINs or passwords (unless a device administrator enforces password complexity rules), which further facilitates bruteforcing. Android 4.4 replaced the disk encryption KDF with scrypt, which is much harder to crack and cannot be implemented efficiently on off-the-shelf GPU hardware. In addition to enabling FDE out of the box, Android L is expected to include hardware protection for disk encryption keys, as well as hardware acceleration for encrypted disk access. These two features should make FDE on Android both more secure and much faster."
    http://nelenkov.blogspot.be/2014/10/revisiting-android-disk-encryption.html

    using full disk encryption in itself says nothing about the quality of that encryption, and try to explain that to a manager or even a simple user

    even if you use passwords to access the encryption or the screen, this doesn't mean that you don't need a password policy with some strength requirements

    and if you don't have that and, like Apple, forget to activate your anti-bruteforce defenses in iCloud, then your full disk encryption may help you against the simple stupid finder of your Android tablet but not against the person who has stolen it to copy the data on it

    so whether this is sufficient all depends on the kind of data that you have on your Android device and who is out to get it
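    As an added illustration of the point above (this is not code from the quoted blog post; the scrypt parameters of Android 4.4 and the HMAC-SHA1 variant of PBKDF2 are assumptions here): the script measures what one guess costs under each KDF on the local CPU and turns it into worst-case search times for typical lock screen secrets, which is the number to show a manager when arguing for a password policy.

```python
import hashlib
import math
import time

# Constructed 16-byte salt; a real device uses its own random salt from the crypto footer.
SALT = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")

def pre_44_kdf(password: bytes, salt: bytes = SALT) -> bytes:
    """Pre-4.4 Android FDE key derivation as the quoted post describes it:
    PBKDF2 with 2000 iterations (HMAC-SHA1 is an assumption here)."""
    return hashlib.pbkdf2_hmac("sha1", password, salt, 2000, 32)

def post_44_kdf(password: bytes, salt: bytes = SALT) -> bytes:
    """Android 4.4 style derivation with scrypt. N, r and p are assumed values;
    N is kept small so one derivation takes well under a second anywhere."""
    return hashlib.scrypt(password, salt=salt, n=2 ** 14, r=8, p=1,
                          dklen=32, maxmem=2 ** 26)

# Candidate spaces for the lock screen secret, which doubles as the FDE password.
KEYSPACES = {
    "4-digit PIN": 10 ** 4,
    "6-digit PIN": 10 ** 6,
    "8 chars, lowercase + digits": 36 ** 8,
    "12 chars, mixed case + digits + symbols": 72 ** 12,
}

def seconds_per_guess(kdf, samples: int = 3) -> float:
    """Best-of-n wall clock cost of one derivation on this CPU, single core.
    A GPU rig runs PBKDF2 orders of magnitude faster than this; scrypt's
    memory footprint is what stops it from scaling the same way."""
    best = math.inf
    for _ in range(samples):
        start = time.perf_counter()
        kdf(b"1234")
        best = min(best, time.perf_counter() - start)
    return best

def exhaustive_search_seconds(per_guess: float, keyspace: int) -> float:
    """Worst case: every candidate in the space is tried at the measured rate."""
    return per_guess * keyspace

def cost_table() -> dict:
    """Worst-case search time for each keyspace under both KDFs, in seconds."""
    pbkdf2_cost = seconds_per_guess(pre_44_kdf)
    scrypt_cost = seconds_per_guess(post_44_kdf)
    return {
        name: {
            "pbkdf2_2000": exhaustive_search_seconds(pbkdf2_cost, size),
            "scrypt": exhaustive_search_seconds(scrypt_cost, size),
        }
        for name, size in KEYSPACES.items()
    }

if __name__ == "__main__":
    for name, row in cost_table().items():
        print(f"{name:42s} PBKDF2-2000: {row['pbkdf2_2000']:10.3g} s"
              f"   scrypt: {row['scrypt']:10.3g} s")
```

    The PIN rows are the ones that matter: a 4-digit PIN stays a matter of seconds even under scrypt, so the KDF upgrade only helps once the password policy stops users from choosing one.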

  • contact information of one fourth of the whole US population was breached at JP Morgan

    yeah, we have all that hype about BIG data, and the one thing about BIG data is that a breach of BIG data is always BIG, or should we say staggeringly BIG, unbelievably BIG (and so always worth the time, investments and resources that the attackers have used to attain their goal). They are always worth the attacking investment because you will always win statistically. Take it that only 2% falls for your phishing campaign. Well, if you have to invest a million to get to that banking data, then a database of 1000 people or 100.000 wouldn't be worth the money; the chances that you will lose are still enormous. But if you obtain a database of 70 million people, then even two percent will give you so many leads that you would be rich if you know how to use it (or you can sell it to people who have the knowledge and infrastructure to do so).

    So big data is not about bigger risks but about ENORMOUS risks. It is not just adding data and so adding risk, but accumulating risk by exponentially increasing both the risks and the impact of the loss. In fact there is no way to calculate the risk and the possible consequences.

    Take for example this phrase in the legal document JP Morgan had to publish in the US:

    "JPMorgan Chase customers are not liable for unauthorized transactions on their account that they promptly alert the Firm to"
    http://www.sec.gov/Archives/edgar/data/19617/000119312514362173/d799478d8k.htm

    so how would you calculate the risk? If you have set up a second verification of every transfer above 100 dollars and that happens with x number of people, you have a certain amount for each transfer - except if you review that process now, immediately, and not only lower the limit for each transaction but also for subsequent transactions

    the second risk is how you would calculate the investment in your handling of all these complaints. Imagine that you now have 10.000 calls a day. Well, how much would your investment be to handle 100.000 calls a day, and how much would you have to invest in your back office operation to keep it running?

    and we could go on. How many people would now limit their online transactions and prefer to go to the bank or the ATM, increasing the cost of personnel and maintenance of these installations? How many people would leave your bank? How many other new or typical attacks would you face now every day because the whole world knows that you have left some stupid vulnerabilities open for months on your websites?

    because all that big data was breached by

    'a few stupid vulnerabilities on some websites and a password of an employee with administrative rights (if the articles were right)'

    that is the result if you don't invest in two-factor authentication, vulnerability defense and patching, and security monitoring

    oh, you say you already invest millions - yes, but these millions didn't cover your risks of BIG data

    this is why BIG data is not so interesting .... especially when linked to the front office

    if you want to use big data, do it somewhere well protected in the back office and so on

    oh yes, all that writing that these are only contact details and that there is no problem because of it misses that the information is perfect to launch a phishing campaign (between 2 and 10% of the people contacted fall for it)

  • this is why security teams need a cover identity online for their work

    you can get doxed

    and you can get exposed

    and you can be targeted

    and this could be a vulnerability or become one later on

    this one is about Pastebin, but imagine this kind of doxing for a bank or something else

    source http://pastebin.com/gtmixBwr

  • leak: pixheaven.net is attacked over and over again

    this is not the first publication on Pastebin of their database, and although this one doesn't include the passwords, nothing guarantees that they have fixed all their SQL injections yet

    source http://pastebin.com/42q2yRMR

  • for police and intelligence agencies FireChat is the perfect application during #occupycentral in Hong Kong

    first you shut down the mobile networks

    then you hype an application that keeps the instant-information-addicted people using their phones without knowing that you can see everything

    then you set up a certain number of listening posts and you know everything 'in the air', which can be checked against the information from your infiltrators

    then you start your disinformation campaign, stirring up dissent among organizers and backing more radical elements to create that dissent

    perfect, isn't it?

    read what FireChat does for the moment and you understand what happened or is happening with the movement in Hong Kong (of course the numbers were impressive, but who cares about the number of protesters if they achieve nothing else but 'talks' - they are history if they achieve nothing fast, and they know it)

    https://www.bellingcat.com/news/rest-of-world/2014/09/29/occupycentral-mesh/

  • Nominee in the European Commission for data protection says the US will give EU citizens the same privacy rights

    the so-called Safe Harbor agreement that was never really enforced, controlled or used

    "She also said that the success of the EU-US agreement for data protection in the framework of judicial and police cooperation for criminal matters (so-called 'Umbrella agreement') depends on whether the US will guarantee EU citizens rights of effective judicial redress regardless of nationality or residence.

    "'The US Administration has committed itself to legislation that would provide EU citizens with the guarantees given to US citizens and residents in the US Privacy Act. If legislation is adopted, this would be a major breakthrough, a step that the Union has been fighting for the past 10 years,' she said."
    http://www.privacylaws.com/int_enews_October14_1

    these privacy rights in the US Privacy Act go much further than in most European countries, making it in fact possible to advance European privacy rights in a reverse way. If we get better rights for our data in the US, why can't we get at least the same rights in our own European country?

  • the Polaroid $100 spy camera for the rest of us

    "The camera has respectable guts; it's not a GoPro, but it takes high-quality video at 720p or 1080p resolution with a wide angle lens that's slightly recessed into the cube for protection. To switch back and forth, you unscrew a little door in the back; that's also where you insert your SD card. You press the big button on top once to take a still image, twice for a video. It's easy to balance the Cube between two fingers, or snap it onto something metallic using the magnet at the bottom (there's also a line of accessories). To view your photos and footage, you plug the camera into your computer via a micro USB."
    http://www.wired.com/2014/10/cute-camera-revive-polaroid-brand/

    http://www.theverge.com/2014/1/6/5282760/polaroid-unveils-tiny-cube-c3-action-camera

    http://www.ammunitiongroup.com/work/polaroid-c3/

    http://polaroidcube.com/polaroid-cube.html

  • you can now try the most secure mobile phone in this beta program

    IntegriCell is now an authorized Cryptophone reseller.  Over the next few months, we will be releasing a series of products that combine IntegriCell’s enterprise mobile security expertise with Cryptophone’s high-integrity mobile technologies. We are currently seeking pilot customers to work with during our launch phase of these hardware and software solutions.  If you are interested in getting your company enrolled as part of these pilots, please contact the IntegriCell team via email at pilot@integricell.com

  • one very interesting thing about leaked 'classified documents' we seem to forget

    "It is also worth considering that a document can be classified for no other reason than it was authored by someone within the NSA. The internal documents might be aspirational (a bid for budget to try something), self-aggrandising (exaggerating capabilities to get employment), blue-sky, or even a misdirection.

    "Assuming that all leaked documents are a revelation is therefore dangerous. And treating every spy and spook as some kind of superhero is a dangerous distraction from their real capabilities and their everyday activities, and the invasions of privacy we can demonstrate and act upon."
    http://www.theregister.co.uk/2014/09/18/spies_arent_superheroes/

    leaked classified documents are for this reason only the start of the article, not the end of it

    and they still need some other confirmation to be worth publishing as 'truth' without any doubt, unless among the leaked documents there are so many other documents from other people and projects that confirm what is written

  • #leak update 1 : 5 million mostly Russian Gmail accounts leaked with passwords (download)

    this is the download for now 

    https://mega.co.nz/#!rgFDDRSD!QyyLxZNnR8i9fF_aNkKI-wUIUV3fjX5o0dxdl-bE3zQ

    Do not try them because if you try them you may be doing something illegal in your country.

    UPDATE 1 : it now seems that these are mostly Russian users, so a local Gmail server will have been compromised, or it is an infection or phishing campaign in Russia which has resulted in this file (padded with junk to inflate the numbers and to increase the media attention, because who cares about a few thousand or even a million Gmail accounts)

    but on Reddit there are also others who have found their passwords in it and they don't live in Russia

    First, it is a collection of old stuff, stupid stuff and working stuff (around 60% works, says some anonymous tester, for what it is worth)

    Secondly, it is time to add your telephone number to your Google account as two-factor authentication (and keep your mobile from downloading unknown apps and malware)

    Losing your email address is something very essential because you lose the possibility to change other passwords and to verify changes and transactions, and your contacts may receive trusted malware and spam. In mailboxes you can also find personal information that can be used to bypass security questions or passwords for other services and networks, or interesting contacts for social engineering

    and what is more important, your Gmail account also gives access to YouTube (have porn), your surf history and plenty of other resources

    Gmail is the single biggest security failure of using one password for many services (lose it all at once)

    you can assume that password-checking software is already busy trying the same passwords on other services and on Gmail.

    Always use a unique password for your email.

  • Google doesn't want you to block even malicious ads in their app store

    source http://news.yahoo.com/disconnect-mobile-yanked-again-google-153335716.html

    my note: what do you expect from the super privacy thief amongst thieves...

    and they don't check or control the apps for malicious code or privacy intrusions before they are accepted in the app store - neither does Apple by the way

  • #ukraine 38 million Ukrainians have all their data on Russian social media

    the two biggest social networks that Ukrainians use are Russian, which means that all their data is on Russian servers, in Russian hands and under Russian law, and is now controlled by friends of Putin who have ousted directors that were too independent

    source http://globalvoicesonline.org/2014/09/01/ukraine-russia-social-networks-information-war/

  • the e-gate of the future at the airport with plenty of privacy problems

    source and more : http://leaksource.info/2014/09/08/e-gate-because-we-say-so/

  • this is why CAPTCHA is a bad idea for anonymous services like #TOR

    this is how the owner of Silk Road on Tor was discovered

    people say don't mix driving and drinking

    well don't mix TOR with anything outside TOR

    you may crash during the ride

    "The IP address leak we discovered came from the Silk Road user login interface. Upon examining the individual packets of data being sent back from the website, we noticed that the headers of some of the packets reflected a certain IP address not associated with any known Tor node as the source of the packets. This IP address (the 'Subject IP Address') was the only non-Tor source IP address reflected in the traffic we examined."

    "The Subject IP Address caught our attention because, if a hidden service is properly configured to work on Tor, the source IP address of traffic sent from the hidden service should appear as the IP address of a Tor node, as opposed to the true IP address of the hidden service, which Tor is designed to conceal. When I typed the Subject IP Address into an ordinary (non-Tor) web browser, a part of the Silk Road login screen (the CAPTCHA prompt) appeared. Based on my training and experience, this indicated that the Subject IP Address was the IP address of the SR Server, and that it was 'leaking' from the SR Server because the computer code underlying the login interface was not properly configured at the time to work on Tor."
    http://techcrunch.com/2014/09/06/the-feds-found-the-silk-roads-ross-ulbricht-thanks-to-a-leaky-captcha/?ncid=rss
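    As an added check (not from the TechCrunch article or the affidavit quoted above): the affidavit describes one component of the login page, the CAPTCHA prompt, answering from the server's real address. The script below, run over a constructed login page with placeholder addresses, lists every resource or form target that would reach outside the onion service; the real leak showed up in packet headers, but the class of mistake is the same, one part of the login interface not routed through Tor.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Tag attributes through which a page fetches from, or submits to, another host.
URL_ATTRS = {"src", "href", "action", "formaction", "data", "poster"}

class _RefCollector(HTMLParser):
    """Collect every (tag, attribute, url) that would trigger a request."""

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in URL_ATTRS and value:
                self.refs.append((tag, name, value))

def is_onion_safe(url: str) -> bool:
    """True when the reference stays inside Tor: relative paths, fragments, data
    URIs and absolute URLs whose host is a .onion address. Anything else makes
    the visitor's browser, or the server itself, talk to the clear net."""
    parsed = urlparse(url)
    if parsed.scheme == "data":
        return True
    if parsed.scheme in ("", "http", "https"):
        host = parsed.hostname  # None for relative paths and bare fragments
        return host is None or host.endswith(".onion")
    return False  # mailto:, javascript:, ftp: ... flag for manual review

def find_clearnet_references(html: str) -> list:
    """Return the (tag, attribute, url) references that leave the onion service."""
    collector = _RefCollector()
    collector.feed(html)
    return [ref for ref in collector.refs if not is_onion_safe(ref[2])]

# Constructed login page in the shape the affidavit describes: the CAPTCHA widget
# and its script are served from the server's real address instead of through the
# onion service (192.0.2.10 is a documentation-range placeholder); a CDN link too.
SAMPLE_PAGE = """<html><head>
<link rel="stylesheet" href="/static/login.css">
<script src="http://192.0.2.10/js/captcha.js"></script>
</head><body>
<form action="/login" method="post">
  <img src="http://192.0.2.10/captcha.php?sid=1" alt="captcha">
  <input name="user"> <input name="pass" type="password">
</form>
<a href="http://exampleabcdefghijklmn.onion/help">help</a>
<a href="https://cdn.example.net/logo.png">mirror</a>
<a href="#top">top</a>
</body></html>"""

if __name__ == "__main__":
    for tag, attr, url in find_clearnet_references(SAMPLE_PAGE):
        print(f'clearnet reference: <{tag} {attr}="{url}">')
```

    Anything this prints is a request the service makes the visitor, or itself, send outside Tor; the fix is to serve that piece through the onion service or drop it, and to bind the backend to localhost so it does not answer on its public address at all.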

  • a rogue spy network has placed those rogue telephone towers to steal your messages

    we have been publishing lately about several firms that offer a private, costly spy infrastructure to follow mobiles and to intercept all their messages and information

    in the US a network of such stealth interceptors has been discovered

    the privacy commission in Belgium is investigating the presence of one such interceptor tower in Belgium, and one is said to be installed in Holland

    http://venturebeat.com/2014/09/02/who-is-putting-up-interceptor-cell-towers-the-mystery-deepens/

    "The towers were revealed by Les Goldsmith to Popular Science last week. He’s CEO of ESD America, which builds the super-secure Cryptophone 500 for clients that need the military-grade security and can handle the phone’s estimated $3,500 price tag."