A lot of the accolades are warranted, but my focus in this write-up is on the area of user data privacy and how the Chrome browser seems to have built-in tools that are a reg-flag for privacy violations in spite of Google’s Privacy Policy.

Our position is that the Chrome browser is “chatty”,  and acts as a keystroke logger in the area of search. In fact, the folks at Scroogle characterized Google Chrome as a browser that tends to “phone home a lot”.  And here’s why:

• It is common knowledge now that when a user conducts a search using a search engine, Google stores three main types of information in a log file: the user’s IP address (a unique network address given by an Internet service provider), the words the user searched for, and a cookie identifier (unique value given to every Web-browser that visits a web page). See here for more details.

• According to Google, the Omnibox (which combines search with the address bar) is supposed to automatically suggest websites as you type and you “can disable Omnibox suggestions by unchecking the box in the “Privacy” section of Goggle Chrome’s options. As it turns out, you can disable Omnibox suggestions, but the browser conveniently ignores your choice and uses auto-suggest anyway.

• The Chrome browser uses a client_id variable which is unique for every Chrome user, and which can be used to create exact user profiles of a user’s actions while using Google Chrome. According to Google’s Privacy Policy:
  “The client ID is used for the user metrics service. This is an opt-in service that lets users send usage statistics to Google so that we can learn how Google Chrome is being used for the sake of making improvements. It helps us answer questions like, “Are people using the back button?” and “How common is it that people click the back button repeatedly?” Users can always update their preference about sending usage statistics.”

• Apparently, there is no option to prevent Chrome from recording History and downloads, options which  are available in Firefox, Opera and Internet Explorer 9. I found it really annoying that Google deliberately removed the option to disable history, especially since it was tied to the search engine a user may be using at any point.
  For example, here’s how Firefox does it:
  

Auto-complete and “predictive” search may have their uses, but the fact that a user’s keystrokes are sent to a search engine in real-time and are tied to the user’s IP address does not look like protecting privacy. This is doubly worrisome since we learned a long time ago that Google was uploading the history data in Chrome offsite – to its data centers.

• Google Update does more than update your Chrome browser to the latest version. It “periodically sends information to Google about how you obtained the browser, how often you use the Chrome browser, and specifically, “whether you used Google Chrome in the last day, the number of days since the last time you used it, and the total number of days that Google Chrome has been installed”

Here’s how to lock down Google’s Chrome browser:

There are some tools available that you can install to help you remove the client_id that Google tags you with in order to track your usage of the browser. See Unchrome,  Chrome Privacy Protector  and Chrome Privacy Guard. Ultimately, I prefer not having to deal with yet another software for a feature Google should have made available or not included in the first place. So we will fix this at the source.

• First thing is to resolve the privacy issue by making Chrome open up in private browsing or incognito mode permanently. To do this, right-click on a Chrome shortcut, select properties. The “Shortcut” tab will open up. On the “Target” address, add –incognito at the end so it will look like this:
  \google\Chrome\Application\chrome.exe — incognito

To address the history palava, make the relevant files in the default folder read-only. These files are “Archived History”, “History” and “Visited Links” and can be found in the “Users\<profile>\AppData\Local\Google\Chrome\User Data\Default” folder in Windows Vista and 7.  XP users can find the folder here: …\Local Settings\Application Data\Google\Chrome\User Data

1. Create a blank home page by going to options and setting the home page to about:blank
2. Close the Chrome browser and navigate to “Users\<profile>\AppData\Local\Google\Chrome\User Data\Default”. Delete the files called “Archived History”, “History” and “Visited Links”. Do not close the folder.
3. Open Chrome, but do not visit any site. This will allow the browser to recreate the files you just deleted. The big difference now is that those files are empty and you want to keep them that way by doing the next step.
4. Locate the new archived history, history and visited links files and make them read-only by right-clicking, selecting properties and checking the “Read-only” box.
5. Open Chrome and enjoy

The next hurdle is the search engine spying that is built into the Chrome browser. While this knowledge is not new, it is still disturbing that the browser tracks every keystroke you type while using the location bar. A quick check with Wireshark will educate you on this.

The ability of browsers to tie your search to your IP address is troubling. To prevent this, create your own “search engine” by doing this:

• On the “Basics” section of the Options page, select “Manage search engines”.
  In the “Other search engines” section, click on the “Add a new search engine” box and type in a name. Call it anything you want, like “Private”.
  Enter a keyword in the Keyword box and http://%s in the URL box. This prevents Chrome from piping every URL you type in the location bar to a search engine. Unfortunately, this also messes up searching.
  If you must set up a default search engine, I recommend Scroogle at www.scroogle.org and you can use this on the URL box – https://ssl.scroogle.org/cgi-bin/nbbwssl.cgi?Gw=%s

A little paranoid? I don’t think so. It’s all about choices. There are things we must do online and it is inevitable that some of our private information will be exchanged. But users need to know that they have the option of turning something off, if they do not need it. If a “malicious” software installed a keylogger on a user’s computer, we would cry blue murder. How is the keystroke tracking behavior by search engines different?

Next we need to disable the automatic opening of files.

You cannot control the setting to automatically open certain downloaded files in the browser – a practice you should stay away from as much as possible. It is preferable to download and scan before opening a file. Drive-by downloads use this vector to drop stuff on your computer.
The option to manage this feature tends to be grayed-out on first use, unless you allow Chrome to open a file – see the complaints here. Thankfully, exe files are not allowed.

Again, in contrast, here’s how applications are managed in Firefox:

Notice the options to “Always ask”, “Save File” etc.

To fix this annoyance, open a blank tab and type in chrome://plugins/ or about:plugins to pull up the settings for the plug-ins installed with Chrome and turn off what you do not want.

For those not afraid of looking under the hood:
Close Chrome. Browse to: Users\<profile>\AppData\Local\Google\Chrome\User Data\Defaul (Windows Vista/7) or In Linux it is usually $HOME/.config/google-chrome/Default/Preferences.

Open the Preferences file in a text editor. Look for these lines:

“download”: {
“directory_upgrade”: true,
“extensions_to_open”: “flv”,   [ change this to ]    “extensions_to_open”: “”,
“prompt_for_download”: false
}

For those who are interested, here’s a link on customizing chrome.

Final thoughts are that Google’s Chrome browser may be a good fit for many users, but given the subtle and sometimes aggressive data gathering tools built into the browser, there is a lot to be worried about in the area of user data privacy. While data breach and hacking seem to be a daily occurrence these days, it won’t hurt a user to take some precautions in limiting the amount of information unwittingly sent to vendors just because you installed their software on your computer.

Here are some other things you could do:

Set the browser to automatically delete cookies every time you close it.

Whenever possible, use the private browsing feature built into most modern browsers.

Use specific browsers for specific purposes – general browsing, search, online banking etc. and customize each browser accordingly.

You can also get an alternative Chrome-like browser called Iron that is based on the free Source code “Chromium” – without the problems of privacy and security baggage of Google Chrome.

While the media has been abuzz about the exploits of Anonymous and LulzSec, the bigger question we should be asking is, are any of their exploits new or did they just give us a wake up call that there is no security, at least in the way we normally define it. What they have demonstrated is that security is a term we use to make ourselves feel good.

A quick look at their “victims” shows that most of the organizations they targeted have tons of money to throw at security, and some are known vendors of security “solutions”. Whether it is RSA, CitiGroup, Bank of America, the CIA, the U.S. Senate, Fox News, Barracuda, Northrup Gruman, Lockheed Martin, Comodo, Yahoo! and countless others too “insignificant” to get on the front page like Distribute IT, the recent attacks clearly show that any one can be had.

It could have been worse and these attacks could have gone on quietly, as I am sure they have been for quite  a while. I strongly believe that what the LulzSEC and Anonymous groups exposed were events that happened regularly but were covered up by the affected organizations.

The effect of such cover-ups were a false sense of security on the part of the general populace and the tendency by most organizations to believe that just installing a security appliance was enough. It also gave vendors of security products license to continue milking millions of dollars from the government, consumers and businesses until the holes in their products were exposed.

Rather than demonize these groups, organizations and businesses should be thankful that someone has provided a yardstick by which you can hold your security vendors accountable. There is now a talking point of “how can you guarantee that what happened to Citi won’t happen to us and if it happens, can you fix it without billing us additional millions”.

Indeed, as the group wrote:

“Our planned 50 day cruise has expired, and we must now sail into the distance, leaving behind – we hope – inspiration, fear, denial, happiness, approval, disapproval, mockery, embarrassment, thoughtfulness, jealousy, hate, even love. If anything, we hope we had a microscopic impact on someone, somewhere.”

Their activities in the past few weeks, if anything has put a little pressure on IT professionals saddled with the task of protecting a network to get off the World of Warcraft and actually do some continuous monitoring and vulnerability scanning; it gives security professionals food for thought when they go on an risk assessment assignment because they will actually be forced to do a thorough assessment instead of check-boxing their way through. CFOs should be thankful because now they have a reason to demand that the money budgeted for security is actually being spent on security and not on some cool gadget that is completely useless in protecting the organization from security breaches.

Finally, while there are ethical gaps in the way these groups did their “ethical hacking”, I hope it gives us reason to think twice before we put confidential information in insecure locations. But from the mostly negative and arguably silly comments you read on websites that report on the activities of these groups, a lot of people still do not seem to get it. There is a lot of focus on the what instead of the why and how. If the systems that were compromised were secure in the first place, could they have gained access? What does a hack teach the organization that was hacked? If these guys could get into our corporate systems and tell us, who else got in and did not tell us?

Most of us will recall that on March 17 2011,  RSA Security admitted that cyber-attackers had breached its network and obtained “information relating to the SecurID technology.” SecurID generates security tokens by requiring users to enter a secret code number displayed on a keyfob, or in software, in addition to their password (a process commonly known as two-factor authentication in access control systems).

Since that RSA announcement, several Department of Defense contractors or their subsidiaries have disclosed that their networks were targets of cyber-attacks apparently using information stolen from RSA.

Big players in the military industrial complex like Northrop Grumman Corp, Lockheed Martin, L-3 Communications pretty much have the military technology secrets of the United States. They provide command-and-control, communications, intelligence, surveillance and reconnaissance (C3ISR) technology to the Pentagon and intelligence agencies.

Since the RSA breach, they have all reported intrusion attacks that involved the use of information stolen from remote-access security tokens which according to RSA executive chairman Art Coviello, “could potentially be used to reduce the effectiveness of a current two-factor authentication implementation as part of a broader attack.”

That broader attack seem to be under way because on of the seemingly random but targeted attacks against contractors with ties to the nation’s defense systems:

• On May 21, it was reported that Lockheed Martin shut down remote access to its internal network after a “significant and tenacious attack on its information network”.
• On May 26, Northrop Grumman shut down remote access to its network without warning, forcing the company to go through a domain name and password reset across the entire organization.
• On May 27, an attack on L-3 Communications Holdings using spoofed pass codes from a cloned RSA SecurID token was reported by Reuters.

There are speculations that the RSA breach may have occurred through a remote device or VPN client or with the help of an insider since an attacker would need at least one employee’s user name and pass code as well as have some idea of which services that employee had access to in order to break into a SecurID-protected network.

Anush Gosh, a former scientist with the Defense Advanced Research Projects Agency (DARPA) argues that the RSA attack was very sophisticated, and was probably executed by people who had plans for what to do with the keys.

Wired goes further to opine that “the attacks suggest the RSA intruders obtained crucial information — possibly the encryption seeds for SecurID tokens — that they’re using in targeted intelligence-gathering missions against sensitive U.S. targets”.

Even RSA characterized the breach as an “advanced persistent threat,” or APT – an unusually sophisticated attack in which intruders use social engineering coupled with undisclosed or so-called zero-day vulnerabilities to infiltrate a target network at a weak point, and then spread out carefully to steal source code and other intellectual property.

Now that those plans seem to be in full motion, the big question is, is it time for RSA to break its silence on the matter and tell the American public what actually happened. It may not be pretty, but at least we will know what is coming. After all, most IT security folks have a thing or two against security by obscurity.

Shameless Plug:

If you own a small business in the Austin area and have less than 20 employees, see how you can secure your network and data without upfront or out-of-pocket cost here.

The same cannot be said of executives in small and medium-sized organizations, especially when it comes to loss of personal information, including credit card data, patient records or other financial information, stored by the company. Data breaches happen and information is lost every day due to small mistakes that could have been avoided. For small businesses, these events can be devastating.

With news makers such as Wiki Leaks and other high-profile breaches over the last several months, you never know where your information will end up if it lands in the wrong hands – so of course, you must protect it.

With the advances in technology, it is not uncommon to find a user lugging around a laptop with 500GB of hard drive space. That is a lot of  space for corporate data and with the breaches like we have witnessed recently – Wiki Leaks, HBGary, etc. you never really know who will end up with your corporate data should it get stolen.

Couple that with the fact that small organizations do not have the resources to set up a sophisticated VPN architecture that would require a user to log in the mother-ship before accessing data. They cannot afford expensive data plans.

Research records from the Ponemon Institute show that over 75% of organizations are aware of an incident in the organization where confidential or sensitive information was at risk as a result of a lost or stolen laptop.

It is assumed that presently, almost 40% of sensitive and confidential corporate information is being accessed at any given time by remote workers, including corporate execs.

It is strongly believed in the IT security field that humans are the weakest link in the area of data security and that employees are careless. Moreover, in many small businesses and organizations there is no IT personnel to take ownership of securing corporate data.

It is not uncommon to find contents on the laptops of executives that could put the company at risk should it get on the wrong hands – pictures and videos of a wild night out, for example.

While most modern laptops contain whole-disk encryption software, not many users are aware of them. The are also location tracking, and file-level encryption.

Expanded use of encryption has become the most popular technology solution to data protection. So here is a round-up a few tools that could be useful for the traveling executive:

AxCrypt:

AxCrypt – Personal Privacy and Security with AES-128 File Encryption and Compression for Windows 2000/2003/XP/Vista/2008/7. Double-click to automatically decrypt and open documents. Store strong keys on removable USB-devices.

Features:
Seamless integration with Windows Explorer.
Double-click to decrypt, open and re-encrypt.
No configuration required.
Many languages supported.
Extensive command-line interface for scripting and programming.

TrueCrypt:

Main Features:

• Creates a virtual encrypted disk within a file and mounts it as a real disk.
• Encrypts an entire partition or storage device such as USB flash drive or hard drive.
• Encrypts a partition or drive where Windows is installed (pre-boot authentication).
• Encryption is automatic, real-time (on-the-fly) and transparent.
• Provides plausible deniability, in case an adversary forces you to reveal the password
• Hidden volume (steganography) and hidden operating system.
• Encryption algorithms: AES-256, Serpent, and Twofish.

Personally, I believe this should be your first choice. What you can do is create an encrypted file on your system that the software mounts as an encrypted virtual hard drive and you can dump all your critical documents in there. It is possible to use a folder, file or image as a key (password). So for example, you can create a text file of your favorite movies and use that as your key – one less password to remember.

The nice thing about TrueCrypt  is that depending on how paranoid you are, the options are endless.

MyTextIsTreasure:

I stumbled on this during a frustrated search for a password “holding cell”. With so many passwords, login credentials, online subscriptions etc. to manage, I was getting irritated by the limitations of an Excel spreadsheet and a plain text file was dangerous at best.

It is a simple password manager for your PC and Smartphone. It works like a text editor and uses a strong cryptography algorithm to generate the end file.

What MyTextIsTreasure (MTT) does is give you a notepad-like page that you can type your sensitive data in and secure with a password. It has been an awesome tool because I can save it on an FTP site, a USB flash disk or a Synced online folder without worrying about unauthorized access.

Features:

• It is a password manager
• It works like a simple text editor
• It protects your private information using the known crypt algorithm AES
• It can be installed in your PC and in your Smartphone
• You can organize passwords by categories like credit cards, websites, forums, internet banking, personal life, and so on.

You don´t have to fill a lot of fields and follow a square structure.

SecureFolder Portable:

This is another application that allows you to hide, lock and encrypt folders using 256-bit AES encryption through an intuitive and simple interface. If you had the app installed on a laptop, you can password protect a specific folder use the tool to open the folder when you need access to it.

Key Features:

• Unlimited number of folders can be protected.
• Intuitive & easy-to-use interface.
• NTFS, FAT32 and FAT volumes are supported.
• Implements 256-bit AES (Rijndael) to encrypt files.
• Effective password protection.
• System Cleaner, File shredder, Virtual Drive.
• Removing or uninstalling will not uncover locked folders.
• Windows Explorer integration.
• Supports Drag & Drop.

It is compatible with Windows XP, Vista, 7

WinSCP:

WinSCP is a SFTP client and FTP client for Windows. Its main function is the secure file transfer between a local and a remote computer. It uses Secure Shell (SSH) and supports, in addition to Secure FTP, also legacy SCP protocol.

Portable PGP:

Portable PGP is a fully featured, lightweight, java based, open source PGP tool.
It allows to encrypt,decrypt,sign and verify text and files with a nice and absolutely straight graphical interface.
It’s absolutely simple to use and provides everything you need to get started with PGP cryptography.

There is a USB-Stick version of PortablePGP which comes as a simple zip file that you can decompress on the root folder of your USB drive and allows to run PortablePGP on both Window and Linux platforms without the need of installing it and without the need to have a Java virtual machine installed(a private JRE is bundled in)

Requirements:
Java Runtime Environment 6 (or greater)
Java(TM) Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files

HaDES:

HaDES (Short for Hard Disk Encryption System) is an enterprise level open source hard disk encryption tool, which enhances TrueCrypt by adding functionality that enables TrueCrypt for enterprise use, for example multi-user capability and recovery

HaDES Additional Features:Creates a virtual encrypted disk within a file and mounts it as a real disk

• several users have access to the encrypted disk via username and password
• Encrypts a partition or drive where Windows is installed (pre-boot authentication)
• Users can be administrated in volumes and partitions with multi-user capability:
  • users can be created
  • users can be deleted and
  • every user has the possibility to change his or her password.

Ultimately, the best way to protect corporate data is to assess risks by identifying and classifying confidential information and them implementing the following:

• Educate employees on information protection policies and procedures, then hold them accountable
• Deploy data loss prevention technologies which enable policy compliance and enforcement
• Proactively encrypt laptops to minimize consequences of a lost device
• Integrate information protection practices into businesses processes

FreeOTFE:

FreeOTFE is a free, open source, “on-the-fly” transparent disk encryption program for PCs and PDAs with a simple goal: the secure storage of bulk data, while making it readily accessible to authorized users.

With this software, you can create one or more “virtual disks” on your PC/PDA. These disks operate exactly like a normal disk, with the exception that anything written to one of them is transparently, and securely, encrypted before being stored on your computer’s hard drive.

Features include:

Highly portable – Not only does FreeOTFE offer “portable mode”, eliminating the need for it to be installed before use, it also offers FreeOTFE Explorer – a system which allows FreeOTFE volumes to be accessed not only without installing any software, but also on PCs where no administrator rights are available. This makes it ideal for use (for example) with USB flash drives, and when visiting Internet Cafés (AKA Cybercafés), where PCs are available for use, but only as a “standard” user.

TAILS LiveCD:

The Amnesiac and Incognito LiveCD System is a secure web browsing platform that is ideal for travelers who frequent Internet Cafés and want to prevent the possibility of their systems being compromised.

From the website:

The Amnesic Incognito Live System (Live CD, Live USB) is aimed at preserving your privacy and anonymity by forcing all outgoing connections to the Internet to go through the Tor network; and not leaving any trace on local storage devices unless explicitly asked.

It’s a LiveCD which means that you do not have to install it. You set your laptop’s BIOS to boot from CD and no changes are made to your operating system. The software can also be to run off of a USB stick.

Some important features of TAILS include:

• Tor and the Vidalia graphical front-end
• Firefox preconfigured with: Torbutton for anonymity and protection against evil JavaScript
• FireGPG for e-mail encryption
• All cookies are treated as session cookies by default; the CS Lite extension provides more fine-grained cookie control for those who need it
• OnBoard virtual keyboard as a countermeasure against hardware keyloggers
• Shamir’s Secret Sharing – a form of secret sharing, where a secret is divided into parts, giving each participant its own unique part, where some of the parts or all of them are needed in order to reconstruct the secret.
• To prevent cold-boot attacks and various memory forensics, Tails erases memory on shutdown and when the boot media is physically removed.

Of course there other LiveCDs out there like Kiosk from rPath, Webconverger and Ubuntu Kiosk. The difference is that TAILS has the tor software enabled by default.

Necessary Warning:
Please bear in mind that the subject of encryption can get overwhelming at times. If you are not comfortable using these tools, please seek assistance. We must tell you that you bear total responsibility for lost data – seriously. Do not attempt disk/folder encryption if you have no clue on how to go about it.
Enough said.

Shameless Plug:

If you own a small business in the Austin area and have less than 20 employees, see how you can protect your mobile users and data in transit without upfront or out-of-pocket cost here.

With that, Facebook announced Login approvals,  “…a Two Factor Authentication system that requires you to enter a code we send to your mobile phone via text message whenever you log into Facebook from a new or unrecognized computer.”

The idea behind the new feature is to help users combat unauthorized access or the now infamous “I have been hacked” incidents that have plagued users of the Social Network. The new feature, which is currently optional is expected to add a second layer of protection to users’ login process.

What exactly is it? Here is Facebook’s explanation of Login Approvals:

In essence, the process works in three steps:

1. Turn on Login Approvals
2. Confirm that you have access to the phone you are using
3. Enter the security code you received from Facebook to confirm that “you are who you say you are”

In other words, if you want to avail yourself of this “Two-Factor” authentication, you have to first, give Facebook your mobile phone number and second, incur text message charges from your provider.

But the idea of treating this as a token-based two-factor authentication is a little misleading and the explanation given by Facebook is very weak at best, to wit:

“…Similar features on other websites require you to download authentication apps or purchase physical tokens to act as your second factor”

That is not quite true. A couple of sites make you set up static second factor that could be numbers or an image which you have to enter or reference before final login. And you do not have to pay anything for it. Most online investment brokers provide this feature which seems to work really well.

Then there is this bizarre claim that two-factor authentication as implemented by other websites “…require a lot from the user before being able to turn on the feature”. Again, not true. When you set up an account with most sites that offer two-factor authentication, you are made to create the second factor during the setup process and it is a one-time deal until it is time to renew the password or “token”. Plus, how difficult can it be to enter a 5 or 6 digit preset or random PIN that expire at given intervals? There are even applications that users can install that will generate random tokens without opening up another attack vector – SMS spamming.

The second issue is, why are users being tied to a specific device or computer? There seems to be a tacit assumption that all Facebook users have their own computers and that is clearly not the case. Some users access their accounts in multiple ways – desktop in the morning, an internet Café in the afternoon and in a different city in the evening? So what happens to people who traverse continents regularly and do not want to be gouged for “roaming charges”?

The weakness in this implementation have caused some critics to downgrade Login Approvals to “part-time” two-factor authentication because once you have approved the browser instance you use to login daily, it does not require execution of the second authentication until you have removed it from the list.  Moreover, the user will be forced to re-authenticate from a different browser. So if you are like most people these days who use Chrome, Firefox, Opera and Internet Explorer on the same computer, albeit for different purposes, you will be doing a lot of authentication texting which could be another headache for Facebook as users may now have to deal with text hijacking by the “bad” guys. What happens if the database holding the phone numbers gets compromised? Don’t be surprised to see spam texters chomping at the bits for this scenario to play out.

Here’s the link to Facebook’s Login Approval announcement page.