Youry's Blog

Archive for the ‘SecurityNews’ Category

Yosemite, iOS 8, Spotlight, and Privacy: What you need to know By Rene Ritchie, Monday, Oct 20, 2014 at 8:31 pm EDT

According to Landon Fuller, who collected the data in the first place, this is not just about Spotlight, and the data will continue to be sent to Apple even if Spotlight Suggestions -- or any of a number of other seemingly relevant system configuration options -- are disabled.

See https://github.com/fix-macosx/yosemite-phone-home for the raw data and analysis, without either the Apple apologism of iMore or the journalistic spin of the Washington Post article they cite.

Of course it is in Apple's interest to say that they care about security and privacy, to emphasize how much effort they put into minimizing data (we've heard this one from James Clapper before!), and to claim that their snooping serves to benefit users by providing more accurate answers. None of this changes the surveillance they have built into their system or how difficult it is to avoid!

Yosemite, iOS 8, Spotlight, and Privacy: What you need to know
By Rene Ritchie, Monday, Oct 20, 2014 at 8:31 pm EDT
http://www.imore.com/yosemite-ios-8-spotlight-and-privacy-what-you-need-know

A story made the rounds earlier today calling into question the new Spotlight Suggestions feature in OS X Yosemite and iOS 8. In an effort to garner attention, it reports the collection and usage of the information required to enable this feature in a needlessly scary way. As any long-time reader knows, security and privacy are always at odds with convenience, yet features like Spotlight Suggestions — and Siri before it — do an excellent job balancing as much convenience as possible with maintaining as much privacy and security as possible. Here’s Apple’s statement on the matter:

“We are absolutely committed to protecting our users’ privacy and have built privacy right into our products,” Apple told iMore. “For Spotlight Suggestions we minimize the amount of information sent to Apple. Apple doesn’t retain IP addresses from users’ devices. Spotlight blurs the location on the device so it never sends an exact location to Apple. Spotlight doesn’t use a persistent identifier, so a user’s search history can’t be created by Apple or anyone else. Apple devices only use a temporary anonymous session ID for a 15-minute period before the ID is discarded.

“We also worked closely with Microsoft to protect our users’ privacy. Apple forwards only commonly searched terms and only city-level location information to Bing. Microsoft does not store search queries or receive users’ IP addresses.

“You can also easily opt out of Spotlight Suggestions, Bing or Location Services for Spotlight.”

Here’s the original charge:

Apple has begun automatically collecting the locations of users and the queries they type when searching for files with the newest Mac operating system, a function that has provoked backlash for a company that portrays itself as a leader on privacy.

The “backlash” cited by the sensationalistic story is not the result of the story but the result of sensationalism, and that’s disappointing. We depend on major publications to provide us with accurate information for our benefit, not for their own benefit. Where they could have taken the time to look into it, assess the facts, and help people understand, they chose to double down on FUD, and that’s not only disappointing, it’s distressing.

So what are the facts? Apple discloses how Spotlight Suggestions work in both the Spotlight section of System Preferences on the Mac, and in the Spotlight section of Settings > General on iPhones and iPads.

There’s also a Spotlight Suggestion check box on both so that you, the person using the device, can easily turn it off if you value privacy and security over convenience. (And if you are such a person, and have already disabled location services, Spotlight honors that setting and doesn’t send the information.)

Apple links to the following text right from the prefs/settings pane on both OS X and iOS. Not only is it simple to find, it’s plainly written and understandable:

When you use Spotlight, your search queries, the Spotlight Suggestions you select, and related usage data will be sent to Apple. Search results found on your Mac will not be sent. If you have Location Services on your Mac turned on, when you make a search query to Spotlight the location of your Mac at that time will be sent to Apple. Searches for common words and phrases will be forwarded from Apple to Microsoft’s Bing search engine. These searches are not stored by Microsoft. Location, search queries, and usage information sent to Apple will be used by Apple only to make Spotlight Suggestions more relevant and to improve other Apple products and services.

If you do not want your Spotlight search queries and Spotlight Suggestions usage data sent to Apple, you can turn off Spotlight Suggestions. Simply deselect the checkboxes for both Spotlight Suggestions and Bing Web Searches in the Search Results tab in the Spotlight preference pane found within System Preferences on your Mac. If you turn off Spotlight Suggestions and Bing Web Searches, Spotlight will search the contents of only your Mac.

You can turn off Location Services for Spotlight Suggestions in the Privacy pane of System Preferences on your Mac by clicking on “Details” next to System Services and then deselecting “Spotlight Suggestions”. If you turn off Location Services on your Mac, your precise location will not be sent to Apple. To deliver relevant search suggestions, Apple may use the IP address of your Internet connection to approximate your location by matching it to a geographic region.

Apple has also posted a privacy section on their website, and an updated version of their iOS 8 security document that reiterate what they’re doing and their long-standing position on privacy. Here are the relevant parts:

To make suggestions more relevant to users, Spotlight Suggestions includes user context and search feedback with search query requests sent to Apple.

Context sent with search requests provides Apple with: i) the device’s approximate location; ii) the device type (e.g., Mac, iPhone, iPad, or iPod); iii) the client app, which is either Spotlight or Safari; iv) the device’s default language and region settings; v) the three most recently used apps on the device; and vi) an anonymous session ID. All communication with the server is encrypted via HTTPS.

The white paper goes on to explain how locations are blurred, anonymous IDs are only kept for 15 minutes, recent apps are only included if they’re on a white list of popular apps, etc. (It starts on page 40 of the above-linked PDF if you’re curious about the specifics.)

So, again, Apple is only doing what they need to do to provide the conveniences of the feature they announced — the same way they’ve needed to collect enough data to answer questions with Siri in the past, or show you locations on Maps, or find your iPhone, iPad or Mac, and the list goes on.

If you don’t like or want it, you can turn it off. That’s the real story here — education. How it works, and what you can do with it and about it.

If you have any concerns or questions about Spotlight Suggestions, let me know in the comments!

Written by youryblog

October 24, 2014 at 2:17 PM
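The data-minimization rules the Spotlight post above quotes from Apple's white paper (blurred location, recent apps filtered through a whitelist, an anonymous session ID discarded after 15 minutes, the Location Services switch honoured, and no persistent identifier) modelled in Python as an added example. This is not Apple's code: the SuggestionsClient class, the grid size, the whitelist contents and the field names are all assumptions made for illustration.

```python
import math
import secrets
import time

SESSION_TTL_SECONDS = 15 * 60   # the white paper's 15-minute lifetime for the session ID
LOCATION_GRID_DEGREES = 0.1     # assumed blur granularity (roughly 11 km); not Apple's value
# Constructed stand-in for the "white list of popular apps"; bundle IDs are illustrative.
APP_WHITELIST = {"com.apple.Safari", "com.apple.mail", "com.apple.Notes"}


class SuggestionsClient:
    def __init__(self, now=time.time):
        self._now = now                 # injectable clock so the rotation can be tested
        self._session_id = None
        self._session_started = None

    def session_id(self):
        """Anonymous session ID: random, and replaced once it is 15 minutes old."""
        now = self._now()
        if self._session_id is None or now - self._session_started >= SESSION_TTL_SECONDS:
            self._session_id = secrets.token_hex(16)
            self._session_started = now
        return self._session_id

    @staticmethod
    def blur_location(lat, lon, grid=LOCATION_GRID_DEGREES):
        """Snap to the centre of a coarse grid cell so the exact position never leaves the device."""
        def snap(v):
            return round((math.floor(v / grid) + 0.5) * grid, 6)
        return snap(lat), snap(lon)

    def build_context(self, query, lat=None, lon=None, recent_apps=(), location_services=True,
                      device_type="Mac", client_app="Spotlight", locale="en_US"):
        """Only the context fields the white paper lists; nothing stable about the user."""
        ctx = {
            "query": query,
            "device_type": device_type,
            "client_app": client_app,
            "locale": locale,
            "recent_apps": [a for a in recent_apps if a in APP_WHITELIST][:3],
            "session_id": self.session_id(),
        }
        if location_services and lat is not None and lon is not None:
            ctx["approx_location"] = self.blur_location(lat, lon)   # honours the Location Services switch
        return ctx


def has_persistent_identifier(ctx, markers=("serial", "udid", "email", "apple_id", "account")):
    """Review check: flag any context field whose name suggests a stable user identifier."""
    return any(m in key.lower() for key in ctx for m in markers)
```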

“Get Naked in Person, Not on Facebook” from pcmag.com

Get Naked in Person, Not on Facebook http://www.pcmag.com/article2/0,2817,2413629,00.asp
“‘Self-destructing’ Snapchat and Facebook Poke messages can actually be copied, but that shouldn’t be a surprise. Protect yourself.”

Very good: “

Oh, Those Teenagers
Teenagers overlook this because teenagers are actually clinically brain damaged. They’re biologically programmed to ignore risk and act on emotion. So I can excuse 15-year-olds who sext their boyfriends. It’s a horrified, facepalming excuse, but forgive them, for they know not what they do.

(Teenagers, I’m speaking from personal experience here as someone who spent ages 13 to 16 screaming, crying, thrilled, miserable, in love, in love, in love, out of love, hopeful, and always passionate about something.)”

But what about other people? They are almost the same 🙂

Written by youryblog

December 31, 2012 at 5:40 PM

“Kill the Password: Why a String of Characters Can’t Protect Us Anymore” By Mat Honan 11.15.12

Kill the Password: Why a String of Characters Can’t Protect Us Anymore
By Mat Honan 11.15.12 6:30 AM

“It’s not a well-kept secret, either. Just a simple string of characters—maybe six of them if you’re careless, 16 if you’re cautious—that can reveal everything about you. Your email. Your bank account. Your address and credit card number. Photos of your kids or, worse, of yourself, naked. The precise location where you’re sitting right now as you read these words. Since the dawn of the information age, we’ve bought into the idea that a password, so long as it’s elaborate enough, is an adequate means of protecting all this precious data. But in 2012 that’s a fallacy, a fantasy, an outdated sales pitch. And anyone who still mouths it is a sucker—or someone who takes you for one.”  see more here http://www.wired.com/gadgetlab/2012/11/ff-mat-honan-password-hacker/all/

Written by youryblog

November 21, 2012 at 9:15 PM

Posted in Business, SecurityNews

Panetta Warns of Dire Threat of Cyberattack on U.S. New York Times (10/12/12) Elisabeth Bumiller; Thom Shanker

Panetta Warns of Dire Threat of Cyberattack on U.S.
New York Times (10/12/12) Elisabeth Bumiller; Thom Shanker

from http://technews.acm.org/

U.S. Defense Secretary Leon Panetta yesterday warned of the potential for disastrous consequences if an enemy of the U.S. were to carry out a cyberattack on the nation’s critical infrastructure. Panetta says the U.S.’s adversaries are becoming increasingly aggressive and are improving their technology, so much so that they could launch cyberattacks on vulnerable computer systems used to operate the power grid, transportation system, financial networks, and the government. He says these attacks could result in the derailment of passenger trains carrying dangerous chemicals, the contamination of water supplies in major U.S. cities, or the failure of the nation’s power grid. Panetta says the most worrisome scenario is a cyberattack on critical infrastructure carried out in tandem with a physical attack, which would amount to a cyber-Pearl Harbor that would cause physical destruction and the loss of life, and could terrorize the populace to such an extent that it would create “a profound new sense of vulnerability.” However, Panetta says improved cyberdefenses alone will not prevent a cyberattack against the nation’s critical infrastructure, which is why the Defense Department has developed the ability to conduct “effective operations” to mitigate threats to U.S. interests in cyberspace.

Written by youryblog

October 12, 2012 at 7:48 PM

Posted in SecurityNews

100,000 IEEE User Passwords, IDs Exposed On Internet

100,000 IEEE User Passwords, IDs Exposed On Internet. IEEE admits it exposed user IDs and passwords for roughly 100,000 members, but otherwise remains mum.
Sep 26, 2012 | 03:48 PM | By Brian Prince, Contributing Writer Dark Reading
see more here http://www.darkreading.com/database-security/167901020/security/attacks-breaches/240008028/ieee-user-passwords-ids-for-100-000-exposed-on-internet.html?goback=.gde_52513_member_169619759

Written by youryblog

October 10, 2012 at 7:39 PM

Posted in Interesting, SecurityNews

Saving Us from Facebook (and Ourselves) by Chunka Mui (on the Harvard Business Publishing website)

Saving Us from Facebook (and Ourselves) by Chunka Mui (on the Harvard Business Publishing website):

The paper starts from this:

“Stop worrying and learn to love the bomb.” That was Dr. Strangelove’s advice on nuclear weapons. Similarly, there are those who argue for a Strangelovian attitude toward technology’s erosion of personal privacy. They believe, essentially, that we should stop worrying and learn to love the lack of privacy. Scott McNealy, the (then) CEO of Sun Microsystems, captured this sentiment eloquently years ago, “You have zero privacy anyway. Get over it.”

“Prompted by audits and recommendations by the Irish Data Protection Commissioner, Facebook has agreed to deactivate its facial-recognition capabilities in Europe and to erase all facial-recognition data that it has collected for European users.”

See full paper on http://blogs.hbr.org/cs/2012/10/europe_saves_users_from_facebo.html?utm_source=twitterfeed&utm_medium=linkedin&goback=.gde_3746653_member_173013323

Written by youryblog

October 9, 2012 at 4:41 PM

Posted in Business, Interesting, SecurityNews

Security Issues WorldWide

In this post I’m going to collect the most interesting/dangerous security breaches from my point of view. For example, I still have an account at Yahoo and just today I got the information that Yahoo has lost 400,000 passwords. I don’t know whether it is necessary to collect this information in my blog, but we will see later. If this information is useless, I’ll delete this post later.

  1. This drone can steal what’s on your phone By Erica Fink @EricaFink March 20, 2014: 8:10 AM ET http://money.cnn.com/2014/03/20/technology/security/drone-phone/index.html
  2. ‘Red October’ Cyber Espionage Campaign Uncovered By Chloe Albanesius January 14, 2013 12:38pm EST http://www.pcmag.com/article2/0,2817,2414260,00.asp
  3. You Must Read it: The Cybercrime Economy: The cyber Mafia has already hacked you
    By David Goldman @CNNMoneyTech July 27, 2011: 9:45 AM ET http://money.cnn.com/2011/07/27/technology/organized_cybercrime/
    “There are probably some corporations and credit cards that haven’t been hacked,” said Kim Peretti, director in PricewaterhouseCoopers’ forensic services practice. “But you have to assume you’ve been compromised.”
  4. The Cybercrime Economy: Nations prepare for cyber war
    By David Goldman @CNNMoneyTech January 7, 2013: 5:40 AM ET http://money.cnn.com/2013/01/07/technology/security/cyber-war/index.html?source=linkedin&goback=.gde_52513_member_202973816
    “In 2012, large-scale cyberattacks targeted at the Iranian government were uncovered, and in return, Iran is believed to have launched massive attacks aimed at U.S. banks and Saudi oil companies. At least 12 of the world’s 15 largest military powers are currently building cyberwarfare programs, according to James Lewis, a cybersecurity expert at the Center for Strategic and International Studies.”
  5. 2012-07-13 Yahoo Officials Confirm Hackers Nabbed 400,000 Passwords By CIOinsight
    Less than 5 percent of the Yahoo accounts had valid passwords listed, the company contends.
    “Yahoo officials confirmed that an older file from the Yahoo Voices (formerly Associated Content) was stolen July 12 by hackers, allowing them to get their hands on more than 400,000 user credentials.”

Written by youryblog

July 16, 2012 at 10:22 AM