Category Archives: Security

A call for a code of tech ethics?

Facebook and the like need to craft a professional code of ethics for the technology industry.

Source: A Facebook request: Write a code of tech ethics – Los Angeles Times

Where this is headed, naturally, is the concept of licensed professional engineers (P.E.) in software engineering. A professional engineering licensing exam for software engineering was developed many years ago. I believe Texas was the only state to offer the exam; however, due to low participation, they are discontinuing the software engineering PE exam as of April 2019.

U.S. Copyright Office expands copyright exemptions for fair use, security research and other activities

The Digital Millennium Copyright Act prohibited bypassing copyright protection systems, thwarting many activities normally considered lawful, such as “fair use”, use of snippets for education and critique, and investigations by computer security researchers.

The U.S. Copyright Office in the Library of Congress has issued a final rule clarifying (and expanding) exemptions for permissible activities.

See: Exemption to Prohibition on Circumvention of Copyright Protection Systems for Access Control Technologies – Final Rule

Bloomberg’s “hacked” Supermicro server boards article comes under fire

We thoroughly evaluated the claims made by Bloomberg in their Supermicro China tampering stories and found them likely impossible or implausible at best. We take stock of sources and discuss the next steps, calling for formal SEC and shareholder investigations of Bloomberg.

Source: Investigating Implausible Bloomberg Supermicro Stories

Apple and Amazon, both named as allegedly using the allegedly hacked servers, have denied the Bloomberg accusations. Apple has called for Bloomberg to retract the article. The U.S. Department of Homeland Security issued a statement appearing to agree with Apple.

The Bloomberg article, as noted in the linked story, appears to have numerous technical inaccuracies.

#Intel intros new notebook processors, high performance, lower power, integrated 802.11ac

From the spec sheet, the new CPUs provide high performance at low battery power consumption, and integrated Gigabit Wi-Fi (802.11ac).

See Intel’s page on the new processors for more information.

Meltdown and Spectre are the names given to security vulnerabilities that exploit speculative execution: instructions the CPU runs speculatively leave side effects in the cache, and measuring those side effects reveals protected data. However, just one of the two new processors addresses Meltdown while the other does not. Neither addresses Spectre.

Intel launched new eighth-generation processors slated for laptops this week: Ultra-low power 15-watt Whiskey Lake U-series chips and extremely low power five-watt Amber Lake Y-series chips. After the launch, Intel was asked if these two processor families include hardware fixes for Meltdown and Spectre.

Source: Intel’s New ‘Whiskey Lake’ CPUs Have a Hardware Fix for Meltdown | Digital Trends

Microsoft urges regulation of face-recognizing tech

  • When face recognition is used to gain access to a secure location or function, what happens when one’s likeness is stolen and reproduced?
  • What happens when the local police monitor all political rallies and use facial recognition to identify each individual in attendance?
  • What if businesses scan your face upon entry and dynamically change prices based on their estimates of your income and wealth?

Microsoft’s chief legal officer on Friday called for regulation of facial recognition technology due to the risk to privacy and human rights.

Source: Microsoft urges regulation of face-recognizing tech

Really glad to see Microsoft addressing these issues and working to take privacy seriously as a competitive alternative to Facebook and Google.

Disclosure: I am a former Microsoft employee.

Consumers said to want more #IoT devices for security, protection and willing to share that data with insurance companies

Specifically, consumers say they’d share more data with their insurance company in exchange for smoke, fire and water alarm systems (and presumably also theft) that send data to their insurance company.

“Consumers appreciate the safety and security value propositions of smart home products”

Source: Report: Nearly half of broadband internet households interested in IoT-based insurance | Insurance Business

Everyone wants to be inside your bedroom now, from your smart phone, to your Amazon Alexa device, to your set-top box (which logs everything you watch), to your home security systems (which, in some cases, log everyone in and out and share with a network provider).

HP computers and data privacy and spying

I have an older HP desktop computer. I’ve long observed significant slowdowns as various background tasks were underway and I had assumed it was just anti-virus software running in the background. But it was not – instead, the HP Support Assistant was frequently scanning the entire system, using 55% of the CPU and hogging the disk input/output, tremendously slowing down the system. I finally disabled the HP software as I had never seen any value from it.

Then I went to read the HP Privacy policy (which may be different today from what it was when I bought the computer years ago).


In addition to the data collected by HP, HP also “deduces” attributes about you, and collects data when you use social media logins to access anything. This means when you log in to a site using your Facebook login, data about your visit is collected by Facebook and shared with Facebook’s partners (which is literally the entire world).

HP remotely spies on your use of HP printers, collecting a database of pages printed, type of print media used, what ink you are using, including what brand of ink, and the names of the applications from which you print.

HP also purchases information from third party data services, social media networks and advertising networks. Ad networks are used to track every web site you visit online. HP uses this, as they disclose, to get your name, address, “preferences, interests and certain demographic data”. Clearly, HP is buying data about us from Facebook, Google and Twitter.

This example illustrates the pervasive – and nasty – web of anti-privacy efforts underway by the high tech industry. The entire industry works together to intensely monitor, intercept and collect enormous quantities of data about every one of us. Further, they use automated software systems to analyze and interpret this data to then draw inferences about us.

A previous post on my SocialPanic.org blog found that inferences made by Facebook and Twitter were completely wrong – but there is no way to correct that. In most cases there is no way to know what inferences companies like HP have made about us.

What Can You Do?

  • Delete the HP Support Assistant. I have found no value from having run it on this computer for many years. Optionally, disable it in the Windows Task Scheduler so it does not run.
  • Delete or disable other software that you do not need or use.
  • Do not use social media logins to web sites other than the social media web site.
  • Use privacy enhanced browsing to minimize tracking across the web. First, never use Chrome. Google logs every web site you visit. Use the Epic Privacy Browser or use Mozilla Firefox with the Privacy Badger and Ghostery plug-ins. Use the Cookie-AutoDelete plugin to automatically remove tracking cookies when leaving a web site (you can optionally “white list” web sites so that cookies and logins remain active, if you wish).
  • The Epic Privacy Browser includes access to a proxy server to hide your IP address from web sites.
  • When using mobile phones, note that operating systems such as Android always track your location if Location Services is enabled (such as when using mapping). Most people leave Location Services on all the time, and Google uses that to build a database of everywhere you travel and every place you visit. Google also records information about WiFi networks and Bluetooth devices within range of your phone. Even when Location Services is turned off, WiFi access points and even some Bluetooth devices can reveal your location anyway. Disabling WiFi and Bluetooth will reduce this data collection.

The tech industry has been operating in a freewheeling, Orwellian 1984 world of intense spying on everyone who uses online services, including web sites, monitoring our email communications, our social media Likes, everywhere we travel, and even monitoring our use of home printers.

Automobiles are also now collecting information about our use of the vehicles, including our driving habits and locations visited.

They argue that if we don’t like this, then we should not use online services or we should not use printers or we should not drive a car. These arguments are wholly unrealistic.

Yet most people seem oblivious to this: Facebook has been widely exposed as a massive global surveillance network and propaganda platform – yet financial analysts say they see little harm to Facebook’s business as few seem to care.

Minor security problem at Veoh.com

Veoh was established years ago as a video sharing service. Perhaps as many as ten years ago, I set up two accounts there. One for myself, to which I uploaded just two videos, plus a second one to test out for a daughter who was about to do a study abroad – she could use that account to post videos. We never used this one, though, and the account languished.

I did not remember the password to that second account – but I had saved it in the browser’s automated login feature! Thus, I could log in to the account.

I thought perhaps I’d change the password to something new. Fortunately, their security prevented me from changing the password by requiring me to enter the current password before I could proceed. But I did not know the current password!

Then I noticed the email address set up for the account was an old one that my daughter used years ago. The email address probably does not exist any more. However, I could change the email address! And I did not have to enter the current password to do so!

I then logged out, went to the login screen and said I had forgotten the password. Veoh sent me a password reset link and I quickly reset the password.

This is another example – albeit a minor one – of a potential security vulnerability. I could change the email address and then use that to set a new password – but I could not directly change the password without providing the current password! Obviously, it would be safer for them to have a secondary authentication step on changing the email address.

Online services seem to be full of these poor security practice examples.

Venmo’s broken security

I just changed the password on an account that is not mine – but it had my email address and frequently sent me financial transaction reports in the clear. This is a lesson in how insecure online services are today – and the severe privacy problems inherent in sloppy cloud computing businesses.

Someone entered my email address for their account at Venmo. Months ago. Apparently Venmo NEVER VERIFIED the email address. Consequently, I received their emailed financial transaction correspondence – for several months. Guess their customer never noticed they were not receiving emails? (Or is Google broken and one email address is being delivered to different people? Anything is possible!)

See Updates at the bottom of this post – I will be updating this post

Example

Venmo sent me financial updates like this one – sending me the name and photo of the person that I had just paid (Privacy? Hello? Remember, I am not and have never been a customer of Venmo!)

Financial records are protected by law (which law depends on various factors). At a minimum, disclosure of your personal financial information to governments is covered by the Financial Privacy Act of 1978 and other disclosures by the Gramm-Leach-Bliley Act of 1999. They are also subject to privacy policies. Did Venmo disclose to their customers that their personal financial information may be disclosed to completely random strangers on the Internet?

Then again, Venmo, I think, may be a social network for money transactions, where it posts all of your transactions online. Judging from a search for Venmo on Twitter, Venmo is used mostly for paying off sexual favors/sugar daddy transactions/pictures of private body parts. It may well be that the purpose of Venmo is to share one’s financial transactions with everyone else! There is no financial privacy on Venmo!

Unable to Contact Venmo

Months ago I attempted to notify Venmo of this problem but they ignored me. Venmo only enables customers to contact them – see their Contact Us page. If you do not have an account number, you cannot contact them to fix this! I had no way to contact them!

I sent a description of the problem to them on Twitter. They never replied.

This is not my problem to solve and I did not want to waste a lot of time dealing with trying to fix their problem – both the customer – and me – are the victims of their defects. I never volunteered to become a party to their financial correspondence and they do not provide an obvious way for me to get rid of it or fix this for their actual customer.

Months later, as I reviewed old email I ran across this problem again.

Trying to Fix the Problem

Keep in mind – non customers cannot contact Venmo (see their Contact Us page link, above).

Today I figured I’d try to log in to the account, possibly find the individual’s phone number and call them directly to let them know. (I’ve done this previously as I receive erroneous correspondence from other vendors who never verified customer-entered email addresses – there is literally no easy way for drive-by victims to correct this – especially when my own email address is abused this way every week.)

Today, I went to the account – entered my own email address which they’ve used incorrectly – and said I’d forgotten my password. They sent me a password reset link. I changed the account password. I should never have been allowed to do this without a secondary authentication step!

I cannot log in to the account because they do have two-factor authentication set up (good!). Their password change should have used 2FA, but they did not.

The owner of the account cannot log in either because it let me change the password – Venmo should never have allowed me to do that. I’ll be happy to give the password to Venmo if they care enough to follow up with me and fix their serious security flaws.

Venmo then emailed me to let me know that the account had been changed.
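The Veoh and Venmo stories above turn on the same question: which checks guard each account change. The following is an added example, not Veoh's or Venmo's code, using a hypothetical in-memory account model and constructed sample values: a typed address stays unverified, and receives nothing, until its owner confirms it; changing it requires the current password; and a reset link is honoured only together with the enrolled TOTP code.

```python
from __future__ import annotations
import hashlib, hmac, os, secrets
from dataclasses import dataclass
# Hypothetical in-memory account model, not Veoh's or Venmo's code.
@dataclass
class Account:
    pw_hash: bytes
    salt: bytes
    verified_email: str | None = None   # the only address mail is ever sent to
    pending: tuple | None = None        # (claimed address, confirmation token)
    reset_token: str | None = None
    totp_secret: bytes | None = None    # present when the user enrolled 2FA

def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def totp(secret: bytes, now: int, step: int = 30) -> str:
    # RFC 6238 TOTP (SHA-1, 6 digits); 'now' is a parameter so results are repeatable.
    d = hmac.new(secret, (now // step).to_bytes(8, "big"), "sha1").digest()
    return f"{(int.from_bytes(d[d[-1] & 15:][:4], 'big') & 0x7FFFFFFF) % 1_000_000:06d}"

def create_account(claimed_email: str, password: str) -> Account:
    salt = os.urandom(16)
    acct = Account(pw_hash=_hash(password, salt), salt=salt)
    acct.pending = (claimed_email, secrets.token_urlsafe())  # unverified until confirmed
    return acct

def confirm_email(acct: Account, token: str) -> bool:
    if acct.pending is None or not hmac.compare_digest(token, acct.pending[1]):
        return False
    acct.verified_email, acct.pending = acct.pending[0], None
    return True

def request_email_change(acct: Account, current_password: str, new_email: str) -> bool:
    # Veoh's gap: the address could be swapped without re-authentication.
    if not hmac.compare_digest(_hash(current_password, acct.salt), acct.pw_hash):
        return False
    acct.pending = (new_email, secrets.token_urlsafe())
    return True

def request_password_reset(acct: Account, email: str) -> str | None:
    # Venmo's gap: an address nobody confirmed received mail. Here it gets nothing.
    if acct.verified_email is None or email != acct.verified_email:
        return None
    acct.reset_token = secrets.token_urlsafe()
    return acct.reset_token

def complete_password_reset(acct, token, new_password, totp_code=None, now=0) -> bool:
    # Venmo's gap: the mailed link alone sufficed although 2FA was enrolled.
    link_ok = acct.reset_token is not None and hmac.compare_digest(token, acct.reset_token)
    factor_ok = acct.totp_secret is None or totp_code == totp(acct.totp_secret, now)
    if link_ok and factor_ok:
        acct.salt, acct.reset_token = os.urandom(16), None   # token is single-use
        acct.pw_hash = _hash(new_password, acct.salt)
    return link_ok and factor_ok
```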

Follow up

Now that I have done this, I have again attempted to notify Venmo of their poor security through their Twitter support account. Venmo is a service of Paypal.

  • This is scary when a financial service does not verify the email address and sends correspondence to the wrong person, and further enables anyone with a reset link to reset the password.
  • You should not use a financial service that does not respond when someone notifies them of a security problem – months ago.
  • I am hopeful this finally gets their attention, they fix the problem, and they enable their actual customer to get their account set up properly.
  • All companies need to provide “drive-by victims” of incorrect email addresses a simple way to fix this problem. This is a serious issue; my email account generally receives emails intended for other people many times per week, including documents marked confidential. Yet I often have no way to contact anyone to get them to fix the problem.
  • These are extremely serious security problems, not just at Venmo.
  • If I do not hear from them, I will print out this blog post and mail it to the CEO of the company and the Federal banking regulator. No one should have to go to such lengths to get them to fix their security problems. Good grief. I am hopeful this post might get someone at Venmo to care about this.

Details and Screen Shots

First, I said I forgot my password and they emailed me a link to reset the password, with no attempt to verify my credentials, nor use the two factor authentication they have set up on the account:

I then successfully began the log in process:

The following confirms they had two-factor authentication set up for the account – but they did not use this for the password change. Further, this screen appears after I have “logged in” using the email address and new password I created for their customer’s account:

Basically, Venmo has significant security problems. Will be interesting to see if they FINALLY contact me and fix their broken security. I have sent them a link on their Twitter support account explaining what was done and a link to this web page. I want them to fix this and I hope they want to fix this too.

Been dealing with several levels of security problems today and information and security are two words that should never appear in the same sentence. The tech sector is a mess.

I will update this post in the future if I hear anything.


UPDATES 10 MARCH 2018

The problem is I am not a customer and I do not have an account on file with Venmo!

After I replied that I am not a customer, they have provided me with this information which may be of use to others:

UPDATES MARCH 11 2018

Late in the day, Venmo Support emailed me to say they have removed my email address from the account and I should no longer receive emails from Venmo. Their response did not explain how my email address became associated with the account, nor did it explain what steps they are doing to protect passwords being changed by non-Venmo customers. At this time, I strongly recommend not opening an account and not using Venmo due to their security and privacy problems – which appear to remain unresolved.