Tag Archives: Security

Private Data in the Digital Age

Former U.S. spy agency contractor Edward Snowden is wanted by the United States for leaking details of U.S. government intelligence programs

Former U.S. spy agency contractor Edward Snowden is wanted by the United States for leaking details of U.S. government intelligence programs

In a scenario where someone has a file of information stored on a private server with the intent to keep it private, is it ever justified for someone else to expose a security flaw and post the information anonymously on the internet? There exists a fine line where “It depends” on the scenario. But this classification simply does not do the case justice as there are extraneous circumstances where this kind of theft and distribution is justifiable.

One such case is whistle-blowing. Edward Snowden is still a man of much controversy. Exiled for leaking sensitive government documents, some label him a hero, others a traitor. Snowden was former Special Forces and later joined the CIA as a technology specialist. He stole top-secret documents pertaining to the National Security Agency and FBI tapping directly into the central servers of leading U.S Internet companies to extract personal data. Snowden leaked these documents to the Washington Post, exposing the PRISM code, which collected private data from personal servers of American citizens. This program was born out of a failed warrantless domestic surveillance act and kept under lock and key to circumvent the public eye. Americans were unaware and alarmed by the breadth of unwarranted government surveillance programs to collect, store, and search their private data.

Although Snowden illegally distributed classified information, the government was, in effect, doing the same but with personal data of its constituents. I would argue that Snowden is a hero. He educated the American people about the NSA overstepping their bounds and infringing upon American rights. Governments exist to ensure the safety of the populace, but privacy concerns will always be in conflict with government surveillance and threat-prevention. The government should not operate in the shadows; is beholden to its people, and they are entitled to know what is going on.

The United States government charged Snowden with theft, “unauthorized communication of national defense information,” and “willful communication of classified communications intelligence information to an unauthorized person.” The documents that came to light following Snowden’s leaks only pertained to unlawful practices, and did not compromise national security. Therefore, it appears as though the government is trying to cover up their own mistakes. Perhaps this is most telling in one of Edward Snowden’s recent tweets :

“Break classification rules for the public’s benefit, and you could be exiled.
Do it for personal benefit, and you could be President.” – @Snowden

This commentary on Hillary Clinton shows that in the eyes of the government who is right and wrong changes on a case to case basis. In many ways, Snowden’s case mirrors Daniel Ellsberg’s leak of the Pentagon Papers in 1971. The Pentagon Papers contained evidence that the U.S. Government had mislead the public regarding the Vietnam war, strengthening anti-war sentiment among the American populace. In both cases, whistle-blowing was a positive force, educating the public about abuses happening behind their back. While in general practice, stealing private information and distributing it to the public is malpractice, in these cases, the crime of stealing was to expose a larger evil and provide a wake-up call for the general population.

Alternatively, in the vast majority of cases accessing private files via a security flaw is malicious, and the government should pursue charges. While above I advocated for a limited form of “hacktivism,” it was a special case to expose abuses by the government which fundamentally infringed on rights to privacy. In almost all cultures, religions and societies stealing is recognized as wrongdoing and should rightfully be treated as such. Stealing sensitive information and posting it online should be treated in a similar manner. Publishing incriminating files about someone else online can ruin their life chances. For example, during the infamous iCloud hack, thousands of nude or pornographic pictures of celebrities were released online. This was private information which the leaker took advantage of for personal gain. For many female celebrities it was degrading and humiliating. Therefore, the leaker responsible for the iCloud leaks was not justified in  taking and posting the files. While the definition of leaking sensitive information for the “common good” can be in itself a blurred line, but a situation like the iCloud leak evidently did not fit in this category. Hacking Apple’s servers to access and leak inappropriate photos can only be labeled as a malevolent attack on female celebrities, which could have potentially devastating repercussions for their career.

While the iCloud hack was a notorious use of leaking private data in a hateful way, there are more profound ways which posting private data can destroy someone’s life. Most notably, stealing financial information and identification (such as SSID) can have a huge, detrimental effect on someone’s life. My grandmother was a victim of identity theft, where someone she knew and trusted stole her personal information and used it for personal gain. This same scenario plays out online constantly and can drain someone’s life savings, reduce their access to credit and loans, and leave them with a tarnished reputation. Again, we draw a line between leaking something in the public’s interest and exposing a security flaw for the leaker’s benefit. By gaining access to personal files, hackers could wreck havoc and destroy lives. Obviously this type of data breach is unacceptable, and cannot be justified.

Overall, taking sensitive material and posting it anonymously online can generally be regarded as malpractice, however, their are exceptions such as whistle-blowing where the leaker is doing so for the common good. These cases are far and few between, and the “bad cases” have harming repercussions which can follow someone throughout their life. Ultimately, to recall Snowden’s case, everyone has a right to privacy. This is why someone leveraging a security flaw and posting files online is wrong from the get go, because it supersedes personal secrecy. In an increasingly digital world it is difficult to keep anything private, but everyone has a fundamental right to privacy which should not be disrespected or infringed upon.

Disproving Einstein: the Phenomenon of Quantum Entanglement and Implications of Quantum Computing

Quantum-Entanglement

Albert Einstein famously disparaged quantum entanglement as “spooky action at a distance,” because the idea that two particles separated by light-years could become “entangled” and instantaneously affect one another was counter to classical physics and intuitive reasoning. All fundamental particles have a property called spin, angular momentum and orientation in space. When measuring spin, either the measurement direction is aligned with the spin of a particle -classified as spin up- or the measurement is opposite the spin of the particle -classified as spin down. If the particle spin is vertical but we measure it horizontally the result is a 50/50 chance of being measured spin up or spin down. Likewise, different angles produce different probabilities of obtaining spin up or spin down particles. Total angular momentum of the universe must stay constant, and therefore in terms of entangled particles, they must have opposite spins when measured in the same direction. Einstein’s theory of relativity was centered around the idea that nothing can move faster than the speed of light, but somehow, these particles appeared to be communicating instantaneously to ensure opposite spin. He surmised that all particles were created with a definite spin regardless of the direction they were measured in, but this theory proved to be wrong. Quantum entanglement is not science fiction; it is a real phenomenon which will fundamentally shape the future of teleportation and computing.

Continue reading

Cyber Security Awareness: What is Malware?

What is Malware?

Malware is any type of malicious software that can infect your computer and slow performance, monitor usage, steal sensitive information, or gain access to privileged areas on your computer.  These can be harmful to your computer and your files. This post will discuss the different types of malware, how to tell if your computer is infected, prevention, and removal. For more detailed information about computer security resources, check out the IT Help Services Security Center online or stop into the IT Help Center for a free Security Check-up. Continue reading

Operation “Aurora”: Zero Day Exploit

Users of Microsoft Internet Explorer should be aware of a new zero-day exploit dubbed “Operation ‘Aurora'”. This exploit, which has been demonstrated effective in Internet Explorer 6, 7, and 8, allows a remote attacker to gain full control over a target computer.

Users who fall victim to this attack are usually the targets of “spear phishing” (a phishing attacked directed to a specific person or group of people.) They receive a link from someone (e.g. over IM, e-mail) and are directed to a website with specially crafted Javascript code. At this point, if the person being attacked is using Internet Explorer, the code causes a moment of confusion that allows the attacker to inject arbitrary code into the target system. In the worst case, this allows the attacker to take full control over the exploited computer. The entire process can be viewed below thanks to the crew at the security blog Praetorian Prefect. They have a great explanation of the exploit here and a video here.

OIT Software Support recommends that users of Internet Explorer switch to another web browser for the time being. A list of supported browsers can be found here on our website. Follow the link for your operating system.

As always, make sure to update your operating system often. Directions for that process can be found here.

Virus Prevention

As a general rule of thumb, there are some things that are good to do to keep your computer running its best.

  1. Keep everything up to date!
  2. Don’t click links you’re unsure about.
  3. Don’t visit questionable websites.
  4. Run an anti-virus program.
  5. Scan with an anti-virus program and an anti-spyware program at least once a month.

Keeping programs up to date is one of the easiest ways to prevent a Virus or Spyware infection. Windows XP, Vista, and Mac OS X will all prompt you to install updates if you have it configured to do so. It is configured as such by default.

As for updating all the other programs installed, we use a program called Secunia PSI. It scans your computer for all the programs installed that it has in its database. It then checks it against the current versions of those programs and provides you with links to where to download updates. You can download it here. It’s an amazing tool to know what to update.

As a general rule, you should keep your Operating System (XP, Vista, OSX) as well as Java and Adobe Flash Player up to date. Those are the most common ways viruses and spyware can gain access to your computer.

As a rule of thumb, don’t click on links to suspicious websites. In many programs, you can mouse over the link to see the HTTP address. Just remember to air on the side of caution.

Don’t go to suspicious sites.  If you’re not sure about the site, try searching Google for it.  If a lot of hits come up like “Spyware, removal of spyware, virus related” etc, don’t go to that site.  Also, if you had gotten a virus in the past from a questionable website, don’t go to that website again.

Run an anti-virus program.  This should be really easy for people affiliated with UMass.  UMass has a site license for McAfee Enterprise Virus Scan.  You can get it on the OIT website here.  If you have an older version of McAfee Enterprise Virus Scan installed, uninstall it first.  It might cause weird errors to occur if installing just over the older version.  Also, if you have any other anti-virus programs installed, you should only have one installed.  You shouldn’t have more that one anti-virus program installed, as they tend to fight each other and slow everything down.  Uninstall all but one anti-virus program.

The last way to protect yourself is to run full scans with your anti-virus and anti-spyware software once per month, whether you think you need it or not.  Think of it like an oil change for your car.  It cleans out all the sludge that may build up, whether you see it or not.  If you have the version of McAfee Enterprise Virus Scan distributed from the OIT site mentioned above, McAfee will update itself every day, and run a full scan in the background once a week.  You should also run a full scan once a month with your anti-spyware software of your choice.  We use Spybot Search and Destroy, which can be found here.

I Hate Change or: the Dangers of Getting Attached to Applications and Operating Systems

Change can be difficult. When you’ve invested time and energy in learning something new, especially something as complicated as an operating system (e.g. Windows 98, Windows XP, Mac OS 9), it can be quite frustrating to be told that you should upgrade to something new. Waiting a little while to perform upgrades is actually a good idea. As any early adopter of Windows Vista can tell you, making the switch from Windows XP was extremely painful because there were many kinks to work out of Vista. However, with a few years under its belt, Vista is, arguably, a more secure operating system.

Of course, many users still prefer Windows XP, which is okay, but users need to stay extra vigilant. Hanging on to an older application or operating is fine until the developer stops supporting it and providing updates. This is the case with operating systems such as Windows 98 and Mac OS 9. When, this happens it is important to upgrade! This means switching to any new version of an application or operating system. For example, an upgrade from Windows 2000 could be any version of Windows XP or any version of Windows Vista. An upgrade for Adobe Acrobat Reader would be from Version 8 to Version 9. Upgrades often add new features to software

Updates are different from upgrades in that they work to fix existing problems in software. They are important because they help keep your application or operating system secure. When you apply updates to Windows or Mac OS X, you are improving the security and stability of your computer. Here are some advantages of performing updates:

  1. Bug Fixes: No one is perfect. When a programmer develops an application and distributes it to users, there are often “bugs” waiting to be found. Bugs are simply unexpected situations that cause programs to crash or malfunction. Programs are not smart. They do what they are programmed to do and handle situations that they are programmed to handle. Programmers try to think about all the sorts of things that could go wrong when an application is running in the real world by giving users error messages or warnings. (e.g. If a program asks a user for a date in the format MM/DD/YYYY and the user types in YYYY/MM/DD, the program will ask the user to type the information in correctly.) However, sometimes there are problems which programmers don’t consider. When an application runs into these situations, it could crash, malfunction (i.e. appear to be working correctly, but really processing information incorrectly. This is especially dangerous because users don’t know that something has gone wrong!) Updates often fix these “bugs.”
  2. Security: Bugs can leave your operating system or application open to attack. A bug can be exploited by a virus or an attacker to do bad things to your files or even turn your computer into a zombie computer! Zombie computers can be used to attack other computers, send out spam messages, and even delete or ransom your files.
  3. Improvements: Many developers like getting user input. When they come out with a new version or update for a program, they often add new features which will make the program more useful or usable.

The main reasons to perform upgrades are:

  1. To take advantage of new features. Upgrades often change how existing features work or offer new features altogether.
  2. Your current application / operating system is no longer supported. When your program or operating system is no longer supported by the developer, they will no longer patch the program to ensure that it remains secure. When this happens, it’s important to take the step to upgrade to a supported version of the application or operating system.

The moral of the story is: keep yourself up-to-date to keep yourself sane and your computer secure. OIT Software Support suggests that you use a program called Secunia PSI if you run Windows. Secunia PSI will scan all the programs on your computer and will tell you which ones are out-of-date. It will then show you what to do to update them.

As always, if you have any questions, please call OIT Help Services at 413.545.9400.

“Conficker Worm Could Create World’s Biggest Botnet”

I saw this article on Slashdot today and wanted to warn everyone out there. Nine million infected computers running Microsoft systems is an incredible amount of machines compromised.

Make sure your McAfee Enterprise is up to date and your Windows machine has installed all the latest updates!

As the article states, the worm propagates through un-patched Windows systems and through USB thumb-drives. This means that having a secure system or up-to-date virus protection is NOT ENOUGH! You need a combination of both. This is good computer usage in practice anyway, but we see an incredible amount of un-patched XP and Vista systems come in with virus infections.

What you see when an infected USB-drive is plugged-in

What you see when an infected USB-drive is plugged-in

The above image shows what happens when you plug-in an infected USB-stick into a machine. Notice the “Publisher not Specified,” text in gray under the open option? That should be your first clue right there. Do NOT click on this, as this will launch the virus and infect your computer.

It’s just that little yellow icon in your system tray, that little place with icons by the time in the bottom left. Click – Express Install – Done. It’s really that simple.

For those that are interested, the Microsoft Security Bulletin can be read here.