Bugged: A Glitch in Google Voice Recognition


Bugged and tapped conversations have been used throughout history by all kinds of people: allies and enemies, heroes and villains, detectives and outlaws. History would tell quite a different story if bugged conversations did not exist, but what about your own conversations? Could your computer microphone be the bug in your home or office? Unauthorized sites could be using a glitch in Google Chrome’s voice command feature to record your private conversations right from your own computer, compromising personal and company information.

Tal Ater, a web developer, discovered the glitch in Google Chrome’s voice command feature in mid-September of last year and reported the problem to Google.

“I reported this exploit to Google’s security team in private on September 13. By September 19, their engineers identified the bugs and suggested fixes.”

Within two weeks, Google was able to create a patch for the problem. So all is as it should be, correct?

Not exactly.

After waiting a month and a half, Ater still had not seen the fix reach users’ desktops. Realizing that the glitch in voice command needed to be rectified, Ater contacted Google again to ask about the delay. Not long after, Ater received an answer from Google: “There was an ongoing discussion within the Standards group, to agree on the correct behavior. ‘Nothing is decided yet.’”

How are information prowlers using Google Chrome?

After you give a visited site permission to use your microphone, the glitch in Chrome’s voice command feature gives that access not only to the site itself, but also to hidden pop-under windows, sometimes disguised as an advertisement banner. After you shut down voice command, the pop-under window can continue to “listen” without any indication that recording is still going on. Chrome’s speech-to-text engine transcribes your conversation and sends the text back to the malicious pop-under window, which can then pick out key words you spoke during that conversation with your coworker, lawyer, or kids. The result is an information smorgasbord for microphone prowlers, delivered directly to the websites you permitted.

Ater released the source code and created a YouTube video that shows exactly how the glitch in Chrome leaves you vulnerable.

Google’s Standards group has still not settled on how the fix for this major voice control glitch should be implemented.

Ater, Tal. “Chrome Bugs Allow Sites to Listen to Your Private Conversations.” www.talater.com. N.p., 2014. Web. 27 Jan. 2014. <http://talater.com/chrome-is-listening/>

World’s Largest Beverage Company Compromised


The importance of encrypting data has become more apparent with recent data breaches at retail stores and social networking sites. The latest company to join the list of offenders or victims, depending on how you look at it, is Coca-Cola.

Last week the Wall Street Journal (WSJ) reported that Coca-Cola had disclosed a security breach that originated within the company itself, compromising the personal information of about 74,000 North American employees and contractors.

The breach was caused by the theft of a few laptops by a former employee who had been assigned the task of maintaining and disposing of company equipment. Coke reported that company policy requires all equipment to be protected so that information is not exposed; however, the stolen laptops had not yet been encrypted, so the information was easily accessible.

“Coke said the laptops were later retrieved, and it has ‘no indication’ the personal information had been misused. It didn’t say how it learned of the theft or how the computers were recovered,” reported the WSJ.

Some 18,000 of the affected employees are being sent letters notifying them that their personal information, which included Social Security numbers, addresses, and license numbers, has been compromised. Coke has offered identity-theft protection services to all parties involved at no charge.

The breach was initially discovered on December 10, 2013, but was not shared with the affected parties until Friday, January 24, 2014, leaving some employees feeling uneasy. Coke attributed the delay in notifying employees to the time needed to go through the recovered laptops and identify everyone involved.

Coke explained the process in a memo to employees: “To expedite the process, we brought in extra crews that worked long hours, including throughout the holiday period and on weekends, to sort through the data.”

Even though the hardware was physically stolen, this breach could easily have been prevented had the information been properly protected. When a computer or network contains personal data, there should always be a barrier protecting that information so that it can only be viewed by authorized users. For this reason, many companies turn to authorization software, like PortalGuard, to make sure that only authorized users are viewing the information.

Source:

http://online.wsj.com/news/articles/SB10001424052702304632204579341022959922200?mod=WSJ_hp_LEFTWhatsNewsCollection

Hacking Your Way to Love


In this blog, we certainly do not condone hacking in any manner. However, a hacking love story of a different kind popped up in my newsfeed this morning, one that took place on the online dating website OK Cupid. Using mathematics, Chris McKinlay cracked OK Cupid’s algorithm for selecting a mate.

OK Cupid works its magic by asking specific questions, each with a different level of importance attached to its topic. The questions range from whether the person has a dog or wants kids to what they like to do in their leisure time. McKinlay, like many people, was searching for the perfect companion to share the rest of his life with. However, he noticed that only about 100 matches turned up in the greater Los Angeles area, which did not seem right to him.

In June 2012, McKinlay was working on his mathematics thesis and wondered if he could use math to get more matches on OK Cupid.

“I started thinking about it when I was in dissertation mode, so I was applying grad student mentality to everything back then,” McKinlay said.

Using the math and programming skills he already had, he built a bot to crawl the website and gather how women within a particular demographic answered certain questions. He then focused on a couple of questions that he thought would help him find his perfect match.

Once he applied his theory, the website turned up a staggering number of women who were good matches. This led to 88 dates over three months until he met Christine Wang; they clicked immediately, and were engaged after one year.

Good Morning America interviewed Christian Rudder, co-founder and president of OkCupid, and he thought McKinlay’s approach was “pretty cool… In general, whatever people need to do to make OkCupid work for them, we support. The point is to help people find dates — that’s our only goal. We’re totally happy for people to ‘hack’ us. As long as no one is being treated with disrespect or being tricked, which it doesn’t sound like he was doing, then we’re game for it.”

Source:

http://gma.yahoo.com/blogs/abc-blogs/genius-okcupid-hack-led-true-love-212911321–abc-news-topstories.html


Identifying Authentication Challenges in Education: A look within our clients


Recently, while looking through our customer base, we noticed a very interesting trend among our post-secondary education clients. Once we recognized this trend, we wanted to take a moment to identify this top issue and look at some of the reasons why it might be so.

We identified that the most common hurdle our clients in the education industry face is account lockouts, the problem that self-service password reset (SSPR) addresses.

In the grand scheme of things, this is not really a surprise. Schools have a large number of users, most of them students with many things on their minds; surely some will lock themselves out of their accounts at one point or another. Add faculty and staff, some of whom may be adjunct or part-time employees of the college or university, and you have quite the cocktail of end-users. One more piece of the puzzle is new students, both freshmen and transfers, who are trying to remember all of the above while learning a new campus.


Looking at the breakdown above, it becomes a little clearer why SSPR tops the charts. Without an SSPR solution in place, a school faces an influx of Help Desk calls to unlock student and faculty accounts, bogging down the phone lines and preventing other, more important technical issues from being resolved.

Also, think about it from a cost perspective.

At the start of any semester, a large number of calls would be placed to the Help Desk to unlock accounts. For the school, that may mean keeping extra staff on hand to cover these simple calls. But adding staff is not as simple as it sounds: the extra staff cost the college wages, extra training, and the extra equipment they need to do their jobs. All of those extras add up in a hurry!

At the end of the day, PortalGuard understands that this is a pain point for the education industry and has provided affordable solutions that help reduce Help Desk calls while also providing strong authentication security on the back end.

The N.S.A. Gets Crafty

How the N.S.A. Uses Radio Frequencies to Penetrate Computers

New details have emerged that the National Security Agency has the ability to access computers even when they are “air gapped.” The term refers to computers that are not connected to any network, whether a wired LAN or wireless.

This information was leaked as part of the Snowden disclosures made public last year. A New York Times article on Tuesday reported that the N.S.A. had implanted hardware in almost 100,000 computers around the world that allowed it to access the computers via radio waves.

“The technology, which the agency has used since at least 2008, relies on a covert channel of radio waves that can be transmitted from tiny circuit boards and USB cards inserted surreptitiously into the computers. In some cases, they are sent to a briefcase-size relay station that intelligence agencies can set up miles away from the target.”

To get this hardware onto the machines, spies, and sometimes manufacturers, would implant it in the computers, making it possible for the computer to be tracked. This was a step forward in gaining access to information that was previously unavailable to US intelligence agencies.

The article goes on to explain that, in the recent past, the Chinese Army has carried out similar covert operations against US companies and government organizations. The N.S.A. and the United States Cyber Command have been victims of the Chinese attacks, which were mostly used to gather and steal secrets or intellectual property.

The article quotes James Andrew Lewis, a cybersecurity expert at the Center for Strategic and International Studies in Washington: “What’s new here are the scale and the sophistication of the intelligence agency’s ability to get into computers and networks to which no one has ever had access before… Some of these capabilities have been around for a while, but the combination of learning how to penetrate systems to insert software and learning how to do that using radio frequencies has given the U.S. a window it’s never had before.”

Sources:

http://www.nytimes.com/2014/01/15/us/NSA-effort-pries-open-computers-not-connected-to-internet.html?hp&_r=0

http://www.stratcom.mil/factsheets/Cyber_Command/

When Will We Learn? An observation about security


A friend sent me a great TED Talk video this morning, “Are we in control of our own decisions?” by Dan Ariely, behavioral economist and author of the book Predictably Irrational. The video is excellent, well worth a watch, and opened my eyes to some social behaviors. Personally, I love to consider different perspectives and think outside the box; whether this makes me a genius or crazy has yet to be determined…

The video walks through many examples and comparisons to make his point that people’s actions are “predictably irrational”, which naturally made me think about authentication and security. Looking at recent security breaches in the media, the problems do not seem like new issues, just a recycled story of how information was compromised through a lack of security. When it is a hot topic in the media, many people talk about the issue, but few take action to protect themselves, which leads to more breaches down the line.

After watching this video, it became apparent why this may happen. Dan explains that when a person is faced with a problem and there are many or complex options, they are less likely to act. This could explain why security issues are continuous and abundant: there are so many options out there that the general public and organizations alike can be overwhelmed. If the public or a corporation is unsure which angle to cover or how best to protect their information, they are very likely to just fold their arms, do nothing, and hope for the best.

Dan also spoke about the need to see something to believe it, that is, to make it tangible. Security makes more sense when approached this way: the risk to a physical asset is much easier to comprehend because it is a tangible object. People take out insurance policies on their homes, cars, and even their lives because it is easy to picture life with or without them.

However, when it comes to identity theft through a security breach, the impact is harder to envision, so fewer people take it as seriously as they should until it is too late and the information is compromised.

All in all, this helped me understand a little more why history seems to repeat itself so often. However, it raised a question in my head… Why do we not learn from others’ mistakes when it comes to security?

Sources:

http://www.ted.com/talks/dan_ariely_asks_are_we_in_control_of_our_own_decisions.html

http://danariely.com/about-dan/

Small Town Data Breach


While watching the news over the weekend, I saw a story that struck close to home for multiple reasons. The Town Hall computers in Greenland, New Hampshire, were hit by CryptoLocker, malicious software that attacks the user’s hard drive and locks the owner out of their documents and files. As a long-time New Hampshire resident and internet security junkie, it was a shock to see this story so close to home. In a CryptoLocker attack, a ransom must be paid to the attacker to regain access to the files.

The compromised data contained eight years of documents, including energy bills, proposals, and letters the town issues on a regular basis to residents.

Town Administrator Karen Anderson was interviewed in an article in the local online newspaper Seacoast.com. In the article, Anderson said she did not learn of the virus until after the deadline to pay the ransom had passed. She also told reporters that the computer that was initially affected had been removed; however, the attack had already spread throughout the network.

The amount of the ransom was not disclosed, but the town determined that the information was not worth paying the hackers’ demands for. This was not the first case of CryptoLocker the Northeast has seen; Swansea, Massachusetts, had a run-in with the malware that ended with the town paying $750 to retrieve its data.

This just reinforces that, no matter the size of the business, your information is at higher risk if it is not protected correctly, and that you should run regular backups of your files. Granted, this breach was small, but it could have been much larger and affected far more data.

Sources:

http://www.seacoastonline.com/articles/20140102-NEWS-401020387?cid=sitesearch

en.wikipedia.org/wiki/CryptoLocker

http://townmapsusa.com/images/maps/map_of_greenland_nh.jpg

Social Network Hacked: Snapchat, what happened and why they think it happened


Snapchat is one of the hottest social networks out there, with millions of users worldwide sharing photos, most of them ‘selfies’. What makes Snapchat unique is that the app lets you send photos that delete themselves from the recipient’s phone a few seconds after viewing. This mega social network is the latest to be hacked, exposing 4.6 million users’ names and phone numbers.

Fox Business interviewed Adam Levin, co-founder of Identity Theft 911: “This is a big deal… Anytime you have a hack, it impacts what people do. It’s important to remember that any technology can be defeated, and you should always look at things skeptically.”

Snapchat responded to this recent hack by saying that its motivation was to expose Snapchat’s lack of security. “It is understandable that tech startups have limited resources but security and privacy should not be a secondary goal. Security matters as much as user experience does.”

It is definitely a little unnerving to find that security features are not at the top of the priority list when companies develop a product, and only come to light once users are personally affected.

This hack is a reminder to stay vigilant over your personal information. Many people use the same screen name across multiple accounts, which means those other accounts may also be susceptible to being hacked.

Not only did this hack show Snapchat’s users the application’s vulnerabilities, it also reminds us all to be careful about what we share on social media networks in general.

Sources:

http://en.wikipedia.org/wiki/Selfie

http://www.foxbusiness.com/personal-finance/2014/01/02/snapchats-hack-what-users-should-do-now/

http://hackersnewsbulletin.com/2014/01/proved-snapchat-hack-joke-4-6m-usernames-plus-numbers-posted-online.html