Paranoid Technology All things cybersecurity


7 Scary Security Predictions (& Resolutions) for 2018

Information security has become a source of fear and uncertainty for many organizations, so this year’s scary security predictions are backed up by recommended New Year’s resolutions. If you’re unsure of how to action this advice, just talk to us.

  1. Artificial intelligence (AI) is dead, long live artificial intelligence – AI is an overused term and hard to achieve; the early stages of AI are mostly machine learning and a long way from nirvana. Information security leverages machine learning to detect and understand complex patterns of machine-2-machine (m2m) and machine-2-human (m2h) interaction. Machine learning outputs will be fed to decision support solutions, driving automated outcomes via complex workflow engines. Before this vision can be realized, full integration of security operations automation is needed. Right now the market remains fragmented and solves for specific problems; the vision is to create solutions that address security’s complexity while integrated with the many facets of business operations. Before making the move to “AI”, it’s important to get your own house in order:

Who has my Data and Why?

Decided to dedicate this entry to how personal information is collected by the everyday services we use and how it could impact our lives…

Security professionals quite often find themselves explaining how to protect one’s privacy, but the response is usually one of the following:

  • I have nothing to hide
  • This sounds like a conspiracy theory
  • Glazed eyes

People are focused on the menial conveniences they receive from using these free applications in exchange for data… In technology, if something is free – never forget – you are the product!! Even applications and devices we pay for are disrespectfully collecting information in the name of customizing our experience. There is a massive information-gathering war between:


Simple OpSec Resolutions for Outside the Office

The New Year has citizens and organizations alike reviewing their operational security practices; the expectation is that privacy rights will diminish, government surveillance will increase, and yet attacks and breaches will continue unabated. To protect yourself and to strengthen the human element of your organization, review the below list of 2017 operational security (OpSec) resolutions. Improving organizational security maturity starts with you.

General Hygiene

  1. Browse privately: move to Firefox; it's highly functional and Mozilla doesn't track your web browsing; that said, Firefox does use Google Safe Browsing in the background, which means that Firefox checks sites for phishing risk before proceeding; the net result being that if you want truly private browsing, you need to turn safe browsing off.
  2. Protect your passwords: don't keep them on a post-it, or use the same password over and over again.  It's easy to get lazy with this one.  Use a password manager like KeePass, or if you can't bring yourself to invest in a tool, at least make your common passwords more complicated (yet understandable); something like "thing#year#iD".  We recommend that our clients use complex passwords, use long passwords, and rotate passwords.  Your corporate information security program is hopefully enforcing something similar already.
  3. Take care with sensitive searches: search companies make money by tracking what you search; if you have something sensitive to search for, even if it's just something health related, use an alternative search engine like DuckDuckGo. The results are less targeted, but your privacy remains intact.
  4. Avoid public wi-fi: it's free for a reason - large retailers and their wireless partners love your usage data; wi-fi networks of any sort are riskier, easier to spoof (and therefore hack), and cause your device to automatically broadcast to those connection points in the future, thus increasing your risk; if you must use public wi-fi, go through a VPN, or to avoid it, use a tethered smart phone connection.
  5. Treat PII like cash: be selective on when and who you disclose your personally identifiable information (PII) to, to avoid future headaches. For example, avoid disclosing your email or phone number to retailers in exchange for discounts; if you do, be aware that you've just become a permanent member of their database, to be marketed to and sold, over and over again, until you die (or change your identity).
  6. Beware of the shoulder surfers: if you are the kind of person who works in public places a lot, seriously consider investing in a privacy filter to protect yourself from prying eyes.
  7. Don’t get phished: although it's 2017, phishing is still in style; it's the single biggest attack vector, so be paranoid about every e-mail you receive. Pay special attention to the ones with attachments and links; hover over the links and verify that the link is going to the address displayed in the message. Do not open attachments unless they come from a trusted source.
  8. Anti-Virus (AV): today's threat landscape is dynamic, and while AV vendors are having a tough time keeping up, AV software will still protect you from a wide variety of known threat vectors.

Lessons on Trust and Apple’s Stance Against the FBI – Learned from the Syrian Refugee Crisis

Our team has been researching trust networks for a while, and this example from the Syrian Refugee Crisis was worth sharing as there are several hidden lessons in the story. You've probably been following the news about the Syrian refugee crisis.  This article is not about the significant humanitarian and political challenges and complexities of that situation, but rather what we can learn from their ordeal about trust-networks and apply it to Information Security, specifically to the current stand-off between Apple and the FBI…

Large numbers of men, women and children are trying to journey from Turkey to Greece every day, hoping for a better life and to escape from the horrors of war...The success to death ratio is quite high, but people keep trying; one can't help but ask oneself, why?  Why do the refugees trust these people traffickers, why do they get on leaky boats and make the trip, knowing there is a good chance that they will never make it? The answer to this question is Trust...


Does the Patriot Act apply to D**k Pics?

After a period of silence watching and absorbing events around us, we are back with this funny bit on the Patriot Act... As you might have followed, the intelligence agencies are trying to renew the Patriot Act program under the radar; it is set to expire on June 1, 2015.

Even after the Snowden revelations, the general public's ignorance of this program's effects on personal freedoms, the very essence of the U.S. - "Freedom of Speech" - is very concerning. Understandably, the technical nature of the Snowden documents is somewhat intimidating, and people cannot relate to most of these programs unless given a concrete example. Up until now!!


CIGI-Ipsos Global Survey on Internet Security and Trust

Ipsos on behalf of the Centre for International Governance Innovation (“CIGI”) between October 7, 2014 and November 12, 2014.
The survey was conducted in 24 countries—Australia, Brazil, Canada, China, Egypt, France, Germany, Great Britain, Hong Kong, India, Indonesia, Italy, Japan, Kenya, Mexico, Nigeria, Pakistan, Poland, South Africa, South Korea, Sweden, Tunisia, Turkey and the United States—and involved 23,326 Internet users...


NSA’s MYSTIC Program – Where is it deployed?

On March 18 the Washington Post published an article detailing another NSA program based on Snowden documents. According to these documents, the NSA has a surveillance system that is capable of recording 100% of a foreign country's phone calls.

Some details of the system - from the Washington Post article:

".... In the initial deployment, collection systems are recording “every single” conversation nationwide, storing billions of them in a 30-day rolling buffer that clears the oldest calls as new ones arrive, according to a classified summary.

The call buffer opens a door “into the past,” the summary says, enabling users to “retrieve audio of interest that was not tasked at the time of the original call.” Analysts listen to only a fraction of 1 percent of the calls, but the absolute numbers are high. Each month, they send millions of voice clippings, or “cuts,” for processing and long-term storage. ...."


Zuckerberg Calls Obama about NSA’s antics…

Mark Zuckerberg apparently called President Obama the day after more revelations from Edward Snowden documents came to light that the NSA was using a system called Turbine to emulate Facebook servers for hijacking user accounts and hacking into computer systems.

Zuckerberg, who has been speaking out against the NSA's intrusive surveillance operations for a while now, wrote on his page:

"I've called President Obama to express my frustration over the damage the government is creating for all of our future. Unfortunately, it seems like it will take a very long time for true full reform."

On his personal page Zuckerberg further said -


GCHQ Tops the Cake with Spying on Yahoo Messenger

According to the Guardian newspaper, the British intelligence agency GCHQ collected millions of people's webcam chats and stored still images of them, including sexually explicit ones, in a program called Optic Nerve. Wow! This really tops the cake and takes the UKUSA intelligence sharing agreement to a new level. Let's not forget the "Five Eyes" alliance with Canada, Australia and New Zealand either...

The implications of GCHQ's actions can be far reaching, given that quite a few of the images captured were sexually explicit ones - just the thought of your government wanting to collect your naked images while you chat is extremely disturbing. Well, the thought of being naked in front of the chat is a little disturbing too, but I guess one will think twice before doing that now. Especially the bad guys!


Drones may be the Next Target for Hackers!

In December 2011 Iranian national TV aired footage of an RQ-170 Sentinel, claiming that they had hacked the ultra-secret surveillance drone; researchers questioned Iran's capability to accomplish such a complicated task, and the U.S. government immediately denied the incident. Granted, Iran might have obtained "external guidance" in bringing the drone down, but it is now proven that this type of hack is quite plausible.

As a result, drone manufacturers are scrambling to make drones immune to such attacks through the use of unpredictability and GPS-independent guidance / mission control systems... This is a very hot topic because the whole war strategy is now shaping around Low Intensity Conflicts (LIC) and drone warfare... Without drones delivering strategic blows, this strategy will fail in the long term. ;)

In the civil arena, there are now talks of commercial drones filling up the skies: the FAA has authorized the use of commercial drones, and testing will soon start in the second quarter of 2014.

Of course, the threat of a military drone being hijacked and that of a commercial drone being hijacked are two separate issues - but regardless of military or commercial, drones raining down on our heads is still not a happy thought.