Aconiac Security Group Blog
The official Aconiac company blog
Welcome to the Aconiac Security Group Blog
This blog includes company news, company statements, tutorials, guides and much more. So please add this blog to your RSS reader and let us help you to become better security professionals.
Disclaimer: The views of individual bloggers may not be the views of Aconiac as a whole.
0
As some of you may have noticed, Google has received some heat the last couple of weeks due to claims that they intercepted private data from open wifi-networks when driving around to complete Google Street View coverage. One of the many articles on this subject can be found here: http://www.computerworld.com/s/article/9176810/Google_stops_sniffing_Wi_Fi_data_after_privacy_gaffe
First off: I am very much against any form of privacy infringement and believe quite strongly that most forms of proactive surveillance against non-criminals are futile at best and damaging for national security at worst. However this whole case is just somewhat ridiculous.
Yes, Google made a mistake in not disabling that specific piece of software, but calling the data they gathered private is a bit of a joke. What they gathered was data sent unencrypted over a public network. If you’re sending confidential information over a public network unencrypted, Google stealing your deep-dark secrets is the least of your worries. They did it by mistake – many others do it intentionally!
In fact where I’m sitting right now, I can see no less than 7 open wifi-networks. Most are private homes and most of them have, according to Kismet, traffic flowing over them right now. This means that if I wanted to, I could activate software like Kismet or Wireshark and use this to steal every single bit of unencrypted data sent over this network. In fact, I would be able to do this with almost no chance of ever being detected in doing so. Even if the network owners tried to catch me, they most likely would not be able to. That’s simply how easy and risk-free it is.
The reason why I can do this, is because wifi-networks work by transmitting data outward on a given frequency and then let all clients in that network receive all data. It’s then the client’s computer that needs to filter out what was meant for it and what was meant for everyone else. If a computer behaves “nicely” it’ll discard anything not meant for it, but if it’s been put up to intentionally receive everything, you’ve created a so called “sniffer” and all unencrypted data is up for graps.
While software like Wireshark allows you to only “sniff” data sent over the network you’re connected to, Kismet let’s you “sniff” from any network without ever connecting to that network. This effectively makes you completely invisible to the network owners, so they have no way of knowing, that you’re stealing everything they send.
Sadly, most users are completely oblivious to these facts and use open networks as if they we’re their home networks. And sadly in some cases they even are (as was the case with most of the 7 networks here). So effectively, when Google was driving around gathering private data from open wifi-networks, they weren’t really “sniffing” because they had no intention of gathering that data. The users on those networks were however shouting every single bit of so called “private” information in all directions, forcing Google wifi-analysis software to capture and save it.
Now, to be fair: Google weren’t really being smart here and should not have captured data sent over unencrypted networks. It was a bad move and while they didn’t intend to do so, it probably still didn’t give them a boost in their reputation!
That being said, I must however still say, that the real problem here is the user and the open networks. If you don’t want your data to be scooped up by Google, don’t send it unencrypted over an open network. Chances are someone far worse than Google is listening in – especially if it’s a public network near train stations or the like. Sending data over a open wifi-network is, for all intents and purposes, the equivalent of shouting the same information out your office window.
Back in April 2010 we published a blog post describing the secure way of working from open wifi-networks – We recommend you read up on that and use the techniques mentioned there in order to keep private data private in the future.
NOTE: This news item was originally posted on December 30, 2008
2008 will soon be over and a new and exciting year lies in front of us. 2008 was an interesting year for computer security. We saw, once again, escalating threats towards companies from almost all fronts. Especially the leaks of unencrypted data in England, the automated SQL injection mass-attacks and the attacks on social network services were some of the big public problems in 2008.
But then how will 2009 be? Now, it’s obviously very hard to predict the future in such a dynamic world, however we have made an effort to come up with our ideas for what might be, the 10 biggest security threats in 2009:
- Weak economy
The economic crisis, which right now is devastating many businesses all over the world, will most likely result in companies having to cut down on expenses. In these kinds of expense cuts, typically what gets cut first is the administrative expenses like e.g. computer security and preventive measures. We can therefore expect to see an increase in the amount of security issues in software and systems developed in 2009.
- Lack of education
One of the greatest threats towards security in a company is and will always be education. This has been, in our minds, the biggest issue in 2008 and actually have always been the biggest issue. Users of IT solutions do not understand the security problems in such a way, that they can effectively protect themselves. We will therefore, once again this year, probably see an increase in successful hacker attacks – attacks that largely could be prevented by increased education.
- Mobile devices
Employees are becoming more and more mobile as each day passes. One of the big things that really got a boost in 2008 was mobile broadband. This technology specifically, can lead to employees beginning to do their jobs outside of the company’s secure parameters. A trend that could ultimately lead to catastrophic data leakage, that is if it is not prevented by good policies and encryption.
- Outsourcing
Due to the economic crisis, a lot of companies will probably begin to outsource certain tasks to cheaper labor in other countries. This act however has a lot of serious security implications, since the company now no longer has control of how its data is handled. It is therefore extremely important, that companies make a proper security policy with their outsourcing partner and that this policy is actually followed.
- Espionage
The time when hackers were just small kids in a basement is, by far, over. Today several indications are showing that hacking has, in several cases, been used by e.g. China to attack government institutions in the USA. This type of attack, which for the record can have catastrophic consequences, will likely escalate in 2009, where we will see even more examples of this form of Internet warfare.
- Anonymity/Privacy
While nations all over the world are using more and more censorship and surveillance, many freedom-loving employees will begin to work harder to secure their privacy and the right to free speech. This will probably manifest itself in an increased use of software to break blocking mechanisms and hide information about the user. With this increased usage, it will become much harder for companies to identify malicious users, since it will now not only be the criminals who are attempting to hide from identification.
- Apple’s Mac OS X
While viruses and spyware are everyday fears of Windows users, Apple’s Mac OS X has up until now avoided most problems. They’ve actually avoided it so well, that many Mac users are now, mistakenly, believing Mac OS X can not be infected with malicious software, like e.g. a virus. Apple had a record high sale of Macs in 2008 and as their market share increases, so will the number of attacks on the platform increase. Sooner or later it will therefore become a security risk to have an unprotected Mac OS X on the company network and companies should therefore implement effective security policies for Mac users.
- Insecure websites
A lot of companies and government institutions still have websites with several security issues of varying types. With the increasing economic crisis and the likewise increasing amount of computer criminals, it is very likely many more companies will be attacked from the web this year. Even many more than earlier years.
- SMS Scams (SMiShing)
With the expanded use of SMSs for almost any thinkable communication, criminals will soon begin to notice the possibilities in the use of SMS to scam individuals and companies. Most do not know, that it is extremely easy to fake an SMS so that it seems as if the SMS is from “Mom” or “The Boss”. This makes it easy for criminals to scam people into wiring funds or giving out passwords.
- Social networks
Social networks are not as big of a threat as some security companies would have you believe, however there are several dangers you should take seriously as a company owner. Like e.g. in 2008 there were several attempts at spreading viruses through Facebook and especially MSN Messenger is often a target for computer criminals. All of these attacks can however generally be avoided with simple education of one’s employees. We don’t recommended blocking the access to social networks for your employees, even though we know certain companies do this today.
Back to top
