Have I Been Hacked? Asking Can Be Perilous
16th February, 2019 | Cyberprivacy | Entropic
Organizations that provide free and commercial "Have I Been Hacked?" or "Dark Web Scanning" services, including ones established immediately after the announcement of a data breach, can be justified by the best of intentions. Ultimately, however, the way that these services amass stolen information from the dark web, and disseminate it to their customers, makes them subject to the same types of problems that have impacted the companies that they collect information about.
By using these services, you might actually be exposing more about yourself, and even raising further attention to your stolen personal information.
How to Evaluate Facial Recognition from a Privacy Perspective
19th January, 2019 | Biometric Privacy | Entropic
While Amazon, Facebook, Google, Microsoft, and of course the Chinese and US governments tend to get the most media attention these days when it comes to facial recognition, there are actually now more than 100 companies across the globe, along with many academic institutions who are actively engaged in developing and/or selling facial recognition technologies.
If you are tasked with the responsibility of evaluating or implementing some type of facial recognition, then you most likely have heard that the U.S. Government National Institute of Standards and Technology (NIST) maintains an ongoing facial recognition vendor test for vendors that wish to benchmark their performance against their peers in the industry, and build brand visibility.
While this industry benchmark is intended to convey performance of these vendors, consumers of this information should understand that this is not a U.S. government endorsement of these vendors from a privacy or security perspective. With the slow response that governments typically have to enacting laws to protect individuals from the misuse of emerging technology, it's basically up to the entities who are developing and implementing facial recognition systems to be responsible when handling the information of others, and to find resources to assist them in this process.
The Food of Facial Recognition: Your Regularly Updated Photos & Videos
9th January, 2019 | Biometric Privacy | Entropic
In recent years, facial recognition technology has evolved significantly, and is greatly improving the ability to efficiently detect people in still images and video. The improvements in facial recognition, along with increased availability, are now empowering more and more uses of the technology across various industries.
A major benefit of facial recognition technology is that it improves upon historically established use cases where people needed to be efficiently verified by another person. This manual verification process can be time consuming and mundane, and becomes increasingly difficult with shortages of staff, and where large numbers of people need to be verified in a short space of time.
A recent example of this is the US Customs and Border Protection, who are working with airports and airlines to deploy facial recognition across major airports in the US, such as Washington Dulles Airport to facilitate automated verification of travelers.
Is AirDrop Over-Advertising Your Apple Device?
30th November, 2018 | Cyberprivacy | Entropic
When properly configured, AirDrop is a handy and secure way to transfer items between Apple devices, such as URLs, Files, Photos and Notes. A significant advantage of using AirDrop is that items are transferred directly between devices using a decentralized peer-to-peer (P2P) approach, and don't go through a central authority.
This means that your fleeting need to transfer a confidential item to someone, or between devices, doesn't result in a copy being left lying around on an intermediary server somewhere. This is typically the case if you choose to send something to someone via e-mail or instant messaging.
For those of us that use AirDrop to conveniently transfer items between devices, a less considered privacy problem with this feature has to do with the broadcasting of the name of your iPhone, iPad or Mac when you are not using this feature. By default, Apple uses your actual name when naming your device. This, in combination with a discoverability setting, might leave you open to harassment or social engineering attacks.
Still Using Skype? Time to Abandon Ship
16th November, 2018 | Cyberprivacy | Entropic
Skype was originally pioneered by the Swede Niklas Zennström and the Dane Janus Friis, in cooperation with Ahti Heinla, Priit Kasesalu, and Jaan Tallinn, Estonians who developed the backend that was also used by Kazaa, the popular decentralized file sharing application.
Following its launch in August 2003, Skype quickly gained popularity as a secure, decentralized peer-to-peer messaging app. In the following years, Skype was acquired and sold by eBay, and had other key investments from firms including Silver Lake, and Andreessen Horowitz. It was eventually acquired by Microsoft in 2011, for $8.6 billion.
At the age of 15 years old in 2018, with broader availability to consumers and businesses through Microsoft branding and integration into their Windows operating system, Skype's total number of users now approaches half a billion.
Decentralized apps have been around longer than many of us realize, even before the inception of blockchain. When these apps first emerged, they were considered bandits and outliers due to the decentralized nature of their technology. Though there was heavy usage, many users of these apps were still concerned about the "edgy" nature of these apps, and the possible association with a criminal ecosystem. Now in 2018, with the broad recognition of blockchain and related decentralized technologies, Skype with its broad customer base might have completely dropped off of our radar, though we might still have a dormant account.
preFlect v1.2 Release - Deter Photographers. Document Photos.
4th November, 2018 | Product Release
We are proud to announce the launch of preFlect v1.2 - an App that helps you efficiently capture information about a photo as it is being taken, and embed it back into the photographer's own photo as an additional "track" of information.
preFlect can help you defend your privacy by documenting incidents where you are being photographed without your consent.
It can also be used to conveniently document events, such as events with family, friends, and work where photos are taken, to help you recall the details at a later time.
Captured information can include pictures of the original photographer, where and when the photo was taken, and your own comments about the event at which the photo was taken, which you can add or edit at a later time.
As well as adding your own comments to events captured on your smartphone, you can also publish this event information, instantly making it available to anyone else who has a copy of the original photo, and analyzes it using preFlect.
Is it Possible to Deter an Unwanted Photograph?
3rd November, 2018 | Cyberprivacy | Entropic
When it comes to having your photo taken by others, for many of us there is a right time and a wrong time.
Some of the reasons why we may not be favorable to having our photo taken at any given time, include our perception of how well presented we are, whether or not we have the energy or mood to present a nice smiling image for the camera, and perhaps other details, such as our current location, since this tends to reveal regular lifestyle habits which we might prefer to keep private.
Celebrities and public figures, many of whom have a love/hate relationship with the press and paparazzi, can also have a pronounced sensitivity to having their photo taken at the wrong time.
The Explosion of Available Cameras
The prevalence of cameras beyond the traditional dedicated-purpose camera has exploded over the past 15 years - most notably with the introduction of smartphones and tablets. Other examples are security & monitoring cameras, cameras attached to vehicles that perform street mapping, autonomous driving, and information collection, and cameras such as Facebook Portal that can now follow us around as we move within our own home. In addition, the availability of methods to distribute and share photos has increased massively. We have been forced to accept the reality that our photo could be taken at any time or place and distributed to any given number of people instantaneously, without having much say about it.
The Less Considered Perils of SMS Two-step Authentication
26th October, 2018 | Infrastructure | Entropic
In previous articles, we have discussed different types of two-factor authentication (2FA) that are offered by Internet and social media companies to provide additional sign-in protection for your account.
The well established SMS-based 2FA option has been the primary choice for thousands of companies, including financial institutions - many of whom appear to be locked in to offering only this one type of 2FA sign-in protection.
Additionally, many of these companies have either forced or are planning to force their customers to migrate to this type of account protection under the assumption that this approach is the greater good for protecting their customers' accounts.
But without understanding all of the options, forcing a single approach for 2FA account protection will only solidify a new playbook of problems, vulnerabilities and exploits.
How to Boost your Yahoo! Sign-In Security
17th October, 2018 | Cyberprivacy | Entropic
This breach collectively consisted of two major events instigated by Russian hackers contracted by the Russian Federal Security Agency (or FSB) - one that occurred in late 2013 and one in late 2014. This resulted in the loss of names, addresses, security questions, DOB, and hashed passwords for all of Yahoo's then user base - over 3 billion users. Magnifying the impact was that Yahoo! took over 2 years to report this breach to authorities and their customer base.
What we can learn from this is that at any time, your personal information might be in transit to hackers who have already found and exploited a previously unseen vulnerability in a given service. Additionally, we know that you are more likely to find out about the theft of your personal information months or years later. With this delay in discovery and reporting in mind, it's a very good plan to regularly and frequently check the security of your Yahoo! account.
Updates: How to Boost your Facebook Sign-In Security
28th September, 2018 | Cyberprivacy | Entropic
1) Facebook has announced another major data breach of almost 50 million user accounts. Hackers have exploited a vulnerability in the "View As" feature of Facebook that allows users to see what their profile looks like to other people.
2) Emerging research by Northeastern and Princeton University, working with Gizmodo, has revealed that Facebook is now using the phone number that you entrust to them when setting up SMS-based two-factor authentication (2FA) for other purposes, aside from enhancing the security of your account. Specifically, they are using it to improve the granularity of their advertising services, including enhancing the ability for advertisers to target you more directly.
This adds to the list of reasons not to use this ailing type of 2FA to secure your account. 2FA is still a crucial part of securing your account, however there are better types of 2FA offered by Facebook - such as authenticator app-based 2FA. All forms of protection come with their own caveats, as illustrated in the updated Facebook 2FA options shown further in this article.
3) Instagram, a subsidiary of Facebook, is rolling out support for authenticator app-based 2FA, which will allow their users to move beyond SMS-based 2FA.
Who Else Can Access Your Tweets?
26th September, 2018 | Cyberprivacy | Entropic
In our previous article we reviewed the current options available for boosting your Twitter sign-in security.
The need to continue delivering information efficiently to its users over the years has driven Twitter to establish a vast global computing infrastructure spanning five continents, with data centers consisting of thousands of servers.
To ensure efficiency and redundancy, much of the information that flows through this infrastructure is copied and duplicated across many different servers, for instance in caches, which helps to ensure information can be accessed efficiently across different regions.
Each of the countries that host Twitter computing infrastructure also has its own distinct regulations that designate access to the information that reaches those regions, such as access by local government authorities and law enforcement.
In this article we'll discuss the options Twitter provides to control your Tweet privacy - who can read your Tweets, and based on these options, who else might be able to access and accumulate your Tweet history over time.
How to Boost your Twitter Sign-In Security
19th September, 2018 | Cyberprivacy | Entropic
It was May 2013 when Twitter first introduced their SMS-based Two-Factor Authentication system, which they named "Login Verification". This was done in response to a breakdown in the security of their username/password based sign-in security that was rapidly becoming vulnerable to spear-phishing attacks, and other types of data breaches.
Amongst other key events, the most noteworthy was the use of spear-phishing to gain access to the Twitter accounts of The Associated Press, and on April 23rd 2013 make false posts that caused the Dow Jones to plunge 143 points. Since then, hackers have managed to find ways to bypass SMS-based two-factor authentication, putting more pressure on Twitter to provide additional options to help enhance sign-in security for their users.
How to Review Your Amassing Facebook Data
12th September, 2018 | Cyberprivacy | Entropic
In our previous article we reviewed the current options available for boosting your Facebook sign-in security.
In this article, we'll show you how to download and interpret the data that Facebook accumulates about you, with a focus on identifying the more important elements of your personal information.
The use of a centralized storage approach - holistic elements of your personal information that are stored and replicated across the globe, continues to be the single most significant vulnerability of Facebook.
This approach to information storage makes Facebook data centers very high value targets which are subject to a constant barrage of attempted infiltrations from nation states, cybercriminals, or seemingly legitimate entities, such as Cambridge Analytica that find ways to circumvent legal and technical loopholes, to glean and leverage your personal information.
If you have opted not to #DeleteFacebook, then at the very least you should regularly review the information that is accumulating about you in Facebook data centers across the globe. You can do this using the Download Your Information feature that Facebook provides in Settings.
How to Boost your Facebook Sign-In Security
28th August, 2018 | Cyberprivacy | Entropic
It was May 2011 when Facebook first established its SMS-based Two-Factor Authentication system, which they originally named "Login Approvals".
Since then, due to widespread security issues with SMS-based two-factor authentication, they have been pressured into providing additional options to help enhance sign-in security for their users. This includes introducing their own authenticator feature into the Facebook App, called Code Generator, the ability to use security keys on Android smartphones, and finally in May of this year, announcing support for third-party authenticator apps, such as Google Authenticator, Authy, Duo Mobile, LastPass, or Yubico Authenticator.
Two-Factor Authentication (2FA) can significantly boost the security of your Facebook account by requiring a second piece of information, or action before allowing you to sign in. It should be noted that this feature does not eliminate the need to maintain your password. This is something that you'll need to continue to regularly change, record, and remember.
And, Your Exact Location in Your Living Room Is?
21st August, 2018 | Cyberprivacy | Entropic
In a previous article, we touched on the Google Titan Security Key, as an example of how companies are trying to extend the sensory reach of their devices, using Bluetooth LE (BLE) to gain better visibility into your lifestyle.
Companies that produce intelligent IoT devices for the home are increasingly being pressured to not only improve the usability and reliability of their products, but also to ensure they coexist seamlessly with other products from other manufacturers. This includes being more intuitive to their surroundings, including how they sense and interact with other devices and people.
Improving the sensory awareness and response of their devices can not only provide intuitive benefits to their customers, but also helps companies glean increasingly refined telemetry about how people move throughout their home, along with their activities in each location therein. The resulting data revenue can help them further refine their products and services, as well as generating revenue by making this data available to third parties.
GPS Is No Longer Enough
Consider your physical location as tracked by your smartphone, and how valuable this is to companies like Google who, for instance, use it to provide you with critical information on traffic congestion in Google Maps.
Which Notes Do You Really Need in iCloud?
14th August, 2018 | Cyberprivacy | Entropic
If you are the type of person who loves using Apple devices, but are wary about how much of your personal data is seeping into iCloud, we'll discuss a few privacy checks that you can perform regularly to mitigate this problem.
The more of your information that Apple can push to iCloud, the better it is for their bottom line, since this gives them more opportunities to sell you things like additional iCloud storage.
By simply using and maintaining your Apple device(s) over time, the overall volume of information that "seeps" to iCloud increases. This is largely due to default configuration changes made during key events, that can change the data being collected. Some examples include:
How to Boost your Gmail Security
8th August, 2018 | Cyberprivacy | Entropic
Over the years, Google has continued to evolve the ways they can help improve the level of sign-in security for their users.
Their 2-Step Verification feature, a type of two-factor authentication (2FA), now has several different options and, additionally Google has decided to start producing their own security key.
With these recent events, we thought it would be a good time to review the options, and provide an overview of what methods are currently available to secure your Google account.
Don't Forget your Keys, Dave
30th July, 2018 | Cyberprivacy | Entropic
Phishing, along with a host of other types of cyber attacks against their customers, has gradually forced many companies to introduce multi-factor authentication into their account sign-in process for their customers.
For an average consumer, multi-factor authentication has always been a relatively cumbersome process, which is why companies that develop these types of authentication products have invested a lot to make them less cumbersome and more user friendly, without compromising on the quality of their devices and the security of their users.
Google, as an example, currently supports several options as part of their 2-Step Verification feature, including the use of an Authenticator app, such as Google Authenticator, and third party security keys, which allow you to sign in to Google by plugging the key into your notebook/PC, or placing it near your mobile device.
What has your Nest Protect been Gossiping about Lately?
22nd July, 2018 | Cyberprivacy | Entropic
Earlier this year, Google reported having sold over 11 million Nest devices to date. Perhaps one of the most essential, trusted, and well engineered of these devices is the Nest Protect Smoke + CO Alarm.
The conveniences of this device, which include intelligent notifications of smoke and carbon monoxide alarms (from home and away), remote management, automatically lighting the way in the dark, combined with the overall reliability of this device make it a solid choice for a consumer looking to upgrade their legacy smoke/CO alarm.
Amongst all of the Nest devices, this one is in the top category for having the most sensors and transceivers. Given the essential need for smoke/CO alarms, combined with the Nest Protect's capabilities of 24x7 collection of activity in your household, we decided to further investigate this device to better articulate what it gives to your home vs. what it takes.
Who Else Can Read Your Gmail?
13th July, 2018 | Data Security | Entropic
In a previous article, we discussed some ways that you might unwittingly disclose your physical location while using Google. Amongst the services of Google, the most widely used include Search, Android, Gmail, Chrome, Maps, YouTube, Google and Play Store - each of which has users numbering in the billions. Additionally, services such as Google Docs and Drive are also very popular.
If you depend on any of these services, it's important to be aware of what other Apps might also have access to your personal information on Google. This is because over time, for instance by using a mobile or web-based App, you may have unwittingly authorized one or more of them with specific levels of access to your Google account information, such as Gmail, Google Drive, or Calendar.
Decentralize to Protect your Data
26th June, 2018 | Data Security | Entropic
While most of us rely on encryption and authentication to protect our most critical files and other information, the reality is that these approaches to securing information have shown a continual pattern of failure since their inception. Compounding this issue is that over the past 20 years, we have carried forth an endemic fortress-based mindset of protecting information into the digital world, by consolidating massive amounts of sensitive information and concentrating it in select physical locations using cloud-based infrastructure. This approach has dangerously centralized and even duplicated masses of stored information, in the name of manageability and cost savings.
By prioritizing manageability and cost savings over security, we have unwittingly created high value targets for cybercriminals, and further increased the motivation and ease with which they can extract large amounts of information for sale, distribution and exploitation.
Unwittingly Revealing your Location to Others via Google
20th June, 2018 | How To | Entropic
For billions of us, Google is an everyday part of our lives. We depend on it for searching, e-mail, shopping, evaluating businesses, networking with others, finding our way around, and a host of other daily routines. These conveniences are too good to resist, but with these conveniences comes a loss of personal privacy.
A company can glean a lot of valuable information about an individual by tracking only their location, and in turn this information can ultimately be translated into company revenue. In this process however, others might also gain access to this information.
The Genetic Fortress
11th June, 2018 | Data Security | Entropic
Companies that provide Genetic genealogy services offer individuals the option to submit a sample of their DNA, to enhance their ability to explore their ethnic origins, their family heritage, and discover and reunite with lost relatives. Similarly, Personal genomics companies also offer individuals this option to help them better understand their genetic traits, and how that might affect them in their lifetime, along with their descendants and relatives.
Despite the advantages that these services bring, the widespread use of expiring security and storage technologies to protect this information represents the next significant new threat to the loss of our privacy and individuality.
A River of Facebook Profiles
23rd May, 2018 | Data Security | Entropic
In our previous article, we introduced a model to help describe the lifecycle of information after it has been disclosed to an organization by another individual or organization. In this article we'll focus on another phase of this lifecycle - the Third Party Sharing phase, and describe how it applies to the 2014 mass extraction of 87 million+ users' Facebook profiles performed by Global Science Research (GSR), which were subsequently sold to SCL Elections and Cambridge Analytica, a subsidiary.
The Fuel of Facebook
15th May, 2018 | Data Security | Entropic
In our previous article, we introduced a model to help describe the lifecycle of information after it has been disclosed to an organization by an individual. In this article we'll focus on one particular phase of this lifecycle - the Collect & Send phase, and describe how it applies to Facebook.
When you think of how users interact with Facebook, you might picture someone using an app on their phone, or a browser on their PC to interact with the social network. However, over the years through third party integrations, company acquisitions, and the evolution of the Facebook Platform, the number of products and services they now offer, along with the volume of information that they collect from their users, has massively increased.
The Information Disclosure Lifecycle
5th May, 2018 | Data Security | Entropic
Organizations are constantly challenged to continually improve their security posture, and protect the information they rely on to do business. Many now also rely heavily on curating information about individuals who have consented to share, as they go about their daily lives.
Blockchain is helping to improve these organizations' cybersecurity posture, in areas such as multi-factor authentication (MFA), and the Internet of Things (IoT). Some of these improvements are detailed in this article by Christina Comben, originally posted on CoinCentral.com.
With the recent increase in events surrounding the handling, processing and protection of information, we thought it would be a good idea to create a draft model that would allow us to better describe the lifecycle of information after it has been disclosed to an organization by an individual.
Best Practices for Decentralizing Information
27th April, 2018 | Data Security | Entropic
In our previous article, we discussed how the fortress mindset has influenced how we instinctively protect information. Today, encryption and authentication are the foundation of how we secure information that is holistically stored in one location - the fortress.
If an attacker knows that all of the information they seek is holistically secured in one place, their motivation to break through the barriers that protect this place becomes very high. Over time, both encryption and authentication have had to adapt to contend with evolving attack techniques, many of which exploit vulnerabilities arising from the need to balance security with convenience for the user.
Decentralizing the Information Fortress
17th April, 2018 | Data Security | Entropic
Over the past 20 years, as a result of implementing cost savings, better efficiency, and improved manageability, we have seen a significant migration of software, hardware, and data to public and private cloud-based storage infrastructure.
Within these fortresses of information - data centers, and possibly unbeknownst to many, a large amount of personal information continues to accumulate.
Panwrypter v2.0 "Langkawi" Release
5th April, 2018 | Product Release
We are pleased to announce the launch of Panwrypter v2.0 - an App to protect your most important files, using a type of decentralized protection called bitwise depletion.
This release improves upon convenience & ease of use, and introduces additional, advanced security features...
Tutorial: Protect Files while Traveling with Panwrypter
29th March, 2018 | Tutorial
You may travel as part of conducting business with regional offices and customers. During travel, you may habitually choose to store sensitive files on your notebook, or on a USB stick. Using this approach vs. cloud storage might give you some peace of mind that the sensitive information is physically with you at all times.
During travel however, when your carry-on or checked-in luggage is not with you, this information might be vulnerable to unauthorized access....