This is the 49th episode of the Shared Security Podcast sponsored by Security Perspectives – Your Source for Tailored Security Awareness Training and Assessment Solutions. This episode was hosted by Tom Eston and Scott Wright and recorded December 16, 2015. Below are the show notes, commentary, and links to articles and news mentioned in the podcast:
You should really always be thinking about how your search queries could end up putting you on a “sucker list”.
There seem to be two levels of exploiting your search queries:
- Direct categorization by the search engine, which leads to more targeted advertising – We may not think about how the entities that have access to our search queries might use them against us (or for us, in their interpretation – “all the better to serve you relevant content, my dear”). In fact, Mikko Hypponen says in his TED Talk from October, 2013, “We are brutally honest with search engines. You show me your search engine history, and I will find something incriminating or embarrassing in 5 minutes.” So, I’d like you to ask yourself, “Do you really want to trust the guys – whose livelihood is derived from selling information about you – to know exactly what your most burning questions are?”
- Luring to pages that collect information – These pages try to get you to “self-screen”, using the byproducts of failed searches and application forms (called remnants), which have value to some bottom-feeders.
There’s a big profit in just trying to categorize people, especially if they can identify people who are better than average candidates for any type of business they can sell the lists to.
There can also be a lot of bait and switch tactics to get around Google’s predator defences. This is one of the reasons that “data never dies”. As soon as it’s captured, the data is copied and correlated with other data that makes it more valuable. It will quickly end up in a place where you can’t delete it.
Product vendors need to stop assuming that nobody cares about the data they collect and/or send over the Internet. It used to be that the Internet was mostly insecure because not much was encrypted.
Now, with Google, Facebook, Twitter and many of the most popular sites using the TLS standard for encrypting all data to and from their sites (even if it’s not a form with sensitive data), there’s an expectation that if your product doesn’t secure its communications, it can be the weakest link for customer privacy. So, all data has to be encrypted properly, which means using standard protocols for authenticating end points and encrypting messages.
Not using proper data security within new products is inexcusable.
The reason I say “standard protocols” is that very often, vendors think they are being clever by inventing their own way of hiding or securing data. This rarely works, especially these days, when virtually every new product is being analyzed by researchers or bad guys to find vulnerabilities.
There’s plenty of free software available that can do security properly (e.g. http://libsodium.org ), so why would you try to invent your own, which is going to cost a lot of money and more than likely will be bypassed at some point?
This is all aside from the fact that many product manufacturers seem intent on violating customers’ privacy to gain added “Lifetime Value” from them.
BadBIOS is back – this time on your TV
Just like in the days when laptops started to come with built-in webcams, and we recommended covering the camera with some tape, it sounds like it’s time to recommend explicitly disabling microphones on all devices. This is probably easier said than done, though…
Your Internet router is a security risk
It’s time to dust off that router that never gets touched (or updated). There are many different types of vulnerabilities in those home Internet Wi-Fi routers that go beyond not changing those default credentials. It’s worth two minutes to log in to your router and check for any updates that may have been released since you purchased it.
The Healthcare Internet of Things: Becoming a Reality
IoT goes beyond Fitbits and health tracking apps. Soon we will start to see much more “invasive” use of this technology, including thermostats that automatically adjust based on your body temperature and lights that auto-adjust based on your mood and time of day. If anything, this is something to be aware of, especially when it comes to your personal information being used by these devices.
While Facebook M is still in beta…it’s interesting to see where AI is going and how we may rely more on AI in the future. I like to mention Facebook M because it’s taking AI like Apple’s Siri to the next level and it shows some of the limitations of AI. Meaning, there may be a “human” assisted infrastructure to modern AI implementations. It will also be interesting to see how modern AI is secured and the privacy implications associated with this technology.
Please send any show feedback to feedback [aT] sharedsecurity.net or comment below. You can also call our voice mail box at 1-613-693-0997 if you have a question for our Q&A section on the next episode. Be sure to visit our website, follow us on Twitter and like us on Facebook. Thanks for listening!