Monday, July 14, 2014

Justification for Your Paranoia

So, I spent most of the last week trying to teach myself how to perform SQL injection attacks on web applications, which is a lot more boring and frustrating than it sounds (zzzzzzzzzzz). While I try to get the analytical side of my brain to wake up so I can get some work done today, here are a few interesting articles to make you more paranoid about your data than you already were...

  1. Google Drive could have been leaking your private files:
    A disturbing privacy problem was discovered in Google Drive which could have resulted in information stored on the cloud service being accessed by unauthorised parties. In a nutshell, the risk existed if you stored files that included a clickable URL on your cloud file sharing service. If someone (you, or someone you have shared the file with) opens the file in the web-based service and clicks on the embedded hyperlink, the owner of the third-party website being linked to could receive the document's URL in the referrer header, and since the sharing link alone grants access, that is enough to open the document.
    This was only a problem if (a) the sharing settings were set to “anyone with the link”, and (b) the file contained hyperlinks to third-party websites in its content.
    Google has fixed the issue, but Dropbox and most other cloud storage services use similar sharing systems and have similar vulnerabilities.
    Of course, you could just be smart enough to not put your private data in the cloud. I personally share a lot of things this way using Google Drive, but it is always someone else's intellectual property, because, really, why would I put my own stuff on a cloud drive?
  2. If you care about privacy, Mobile Apps Suck:
    To summarize the article: everything used in web apps to track you (cookies, JavaScript, etc.) also exists in mobile apps, and there are no convenient browser plugins to stop it. Ads, analytics, and monetization tricks are the worst, since things like Google Analytics (very popular in Android apps) extract your geolocation data and more. Even with geolocation turned off, just about anyone can use Google Maps and IP addresses to find everywhere you've been.
  3. As more things become able to connect to the internet, even LIGHTBULBS can expose your network passwords...
    In a proof-of-concept attack, Internet-connected LED lightbulbs were used to gain access to the Wi-Fi network that controls them: the attackers were able to trick the devices into revealing the network password. LIFX smart lightbulbs can be controlled from iOS and Android devices. LIFX was made aware of the problem and has issued a firmware update to address it.
    If it makes you feel better, they had to be within 30 meters of the devices they were targeting (so sitting in a car by the curb outside your house).
  4. If you use an iPhone, don't use GMail:
    Researchers at Lacoon Mobile Security have uncovered an issue in Google's Gmail application for iOS that could help an attacker performing a man-in-the-middle attack. An analysis of the application revealed it does not perform certificate pinning, which would tie the app to the specific certificate (or key) it expects from Google's servers rather than accepting any certificate the device trusts. As a result, an attacker launching a man-in-the-middle attack can open and modify Gmail's encrypted communications. The victim would not receive any indication anything suspicious was going on.
    Most of the things you can do to mitigate this risk fall into the "you need to be an IT professional" category: performing network analysis, only connecting through VPNs, and modifying configuration profiles.
    Of course, why would any sane person use an iPhone anyways...
  5. There may be some new hope for keeping your IMs safe:
    The Invisible IM project aims to develop a means for people to communicate "without leaving a retrospectively recoverable forensic trail behind on third-party servers." The technology establishes a local XMPP server on a user's computer, which then connects to the Tor network. A secure mode will be available that will prevent anyone from knowing who is on someone else's buddy list or even if they have ever communicated through Invisible IM.
    Of course, if you really need this sort of thing, you shouldn't trust it. Remember that the Tor network is partly funded by US Government entities (such as the Naval Research Laboratory).
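As an added example (not from this post or from any of the linked articles), here is what the referrer leak in item 1 looks like from the receiving end: anyone reviewing a website's access logs can spot cloud share links arriving in the Referer field, which is exactly what the third-party site owner gets handed. The log lines are constructed; the share-link shapes are the public Google Drive/Docs ones (docs.google.com/.../d/<id>, drive.google.com/file/d/<id>).

```python
import re
from typing import Dict, List

# Constructed sample lines in Apache/nginx "combined" format; the Referer is
# the quoted value after the status code and response size.
SAMPLE_LOG = """\
203.0.113.7 - - [14/Jul/2014:10:01:02 +0000] "GET /article HTTP/1.1" 200 5120 "https://docs.google.com/document/d/1AbCdEfGhIjKlMnOpQrStUvWxYz0123456789/edit" "Mozilla/5.0"
203.0.113.8 - - [14/Jul/2014:10:02:15 +0000] "GET /article HTTP/1.1" 200 5120 "https://www.example.com/blog" "Mozilla/5.0"
203.0.113.9 - - [14/Jul/2014:10:03:44 +0000] "GET /pricing HTTP/1.1" 200 2048 "https://drive.google.com/file/d/0B9zXyWvUtSrQpOnMlKjIhGfEdCbA/view?usp=sharing" "Mozilla/5.0"
203.0.113.10 - - [14/Jul/2014:10:04:01 +0000] "GET /pricing HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

COMBINED_LOG = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) '
    r'(?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Share-link shapes for Google Drive/Docs. The segment after /d/ is the
# document id; with "anyone with the link" sharing, that id is the credential.
SHARE_LINK = re.compile(
    r'^https?://(?:docs|drive)\.google\.com/'
    r'(?:document|spreadsheets|presentation|file)/d/(?P<doc_id>[A-Za-z0-9_-]+)'
)


def find_leaked_share_links(log_text: str) -> List[Dict[str, str]]:
    """Return one record per request whose Referer is a cloud share link."""
    hits = []
    for line in log_text.splitlines():
        m = COMBINED_LOG.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        s = SHARE_LINK.match(m.group("referer"))
        if not s:
            continue  # ordinary referrer, nothing sensitive in it
        doc_id = s.group("doc_id")
        req_parts = m.group("req").split()
        hits.append({
            "client": m.group("ip"),
            "time": m.group("ts"),
            "path": req_parts[1] if len(req_parts) > 1 else m.group("req"),
            # Redact the id so the report itself does not become a second leak.
            "doc_id": doc_id[:4] + "..." + doc_id[-4:],
        })
    return hits


if __name__ == "__main__":
    for hit in find_leaked_share_links(SAMPLE_LOG):
        print(hit)
```

The same scan run over a site's real logs tells you which shared documents have already been exposed to that site's operator, which is the list of links whose sharing settings need to be tightened.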