Tuesday, April 14, 2015

Make Sure Google Isn't Indexing Your External Hard Drive


There's a great article on CSO that highlights the danger of misconfigured "personal cloud" services, such as hard drives or routers that let you back up your documents and access them remotely from anywhere. Take a look at its examples of personal documents that were out there on Google, in the public domain, free for the taking, all because someone inadvertently made their files available remotely without fully understanding the impact.

The article states:
The files were easily located on Google, using standard search operators.

allinurl:ftp:// XXXX filetype:txt | xls | doc | docx | jpg | jpeg | pdf

You can replace XXXX to match any host name you choose, such as:
  • comcast.net
  • bhn.net
  • mchsi.com
  • optonline.net
  • cox.net
  • rr.com
  • verizon.net
The bottom line: ensure that you don't inadvertently or knowingly enable public FTP access to your "personal cloud", and never store sensitive account or other information in an unencrypted document or text file.
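
One way to run that check against your own device, as an added example that is not from the original post or the CSO article: it uses Python's ftplib to see whether an FTP server on your local network accepts an anonymous login. The address 192.168.1.50 and the restriction to private addresses are assumptions of this example.

```python
import ftplib
import ipaddress


def anonymous_ftp_allowed(host, port=21, timeout=5.0):
    """Check a device you own, given by IP address, for anonymous FTP.

    Returns (allowed, detail): allowed is True if an anonymous login is
    accepted, False if it is refused, None if no FTP service answered.
    """
    # Assumption of this example: only private or loopback addresses are
    # audited, i.e. your own NAS, router or drive enclosure on the LAN.
    if not ipaddress.ip_address(host).is_private:
        raise ValueError("only private or loopback addresses are checked")

    ftp = ftplib.FTP()
    try:
        ftp.connect(host, port, timeout=timeout)
    except ftplib.all_errors as exc:
        ftp.close()
        return None, f"no FTP service reachable: {exc}"
    try:
        ftp.login()  # with no arguments ftplib logs in as "anonymous"
    except ftplib.error_perm as exc:
        # A 5xx reply (typically 530) means the server wants real credentials.
        return False, f"anonymous login refused: {exc}"
    except ftplib.all_errors as exc:
        return None, f"unexpected FTP response: {exc}"
    else:
        return True, "anonymous login ACCEPTED: disable it or require a password"
    finally:
        ftp.close()


if __name__ == "__main__":
    # 192.168.1.50 is a constructed placeholder for your device's LAN address.
    print(anonymous_ftp_allowed("192.168.1.50"))
```

A result of True means anyone who can reach the device's FTP port can read whatever it shares, so turn off anonymous access or the FTP service itself in the device's settings.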

Thursday, February 12, 2015

What happens to your accounts after you die? Designate a "digital heir" for your accounts

What happens to your accounts after you pass away? When I pass away, I will hopefully have sufficient local backups of meaningful content, such as any notes, journal entries, works that I have created, or our treasured family photo library. But there would still be a good portion of family history and valuable content in my email and social networking accounts. And what if something happened to the local backups? It is important to make preparations for family members to gain access to any content that may still be available in your online accounts after you pass away. Here are a few sites where you can designate someone to have access to your data after you pass away:
  • Google Inactive Account Manager: Share data with trusted friends or family members after a certain inactivity period, or delete your data altogether.

    Google states, "...You can choose to have your data deleted—after three, six, nine or 12 months of inactivity. Or you can select trusted contacts to receive data from some or all of the following services: +1s; Blogger; Contacts and Circles; Drive; Gmail; Google+ Profiles, Pages and Streams; Picasa Web Albums; Google Voice and YouTube. Before our systems take any action, we’ll first warn you by sending a text message to your cellphone and email to the secondary address you’ve provided."
  • Facebook Legacy Contact: Facebook allows users to designate a contact who has permission to download a copy of everything you shared on Facebook, write a pinned post, respond to new friend requests, and update your profile picture and cover photo after your account is memorialized. A friend or family member can submit a request to Facebook to have your account memorialized after you pass away.
  • Microsoft Next-of-kin Process: Once a request is received, Microsoft can provide a copy of all of the email, attachments, address book, and contacts list on a DVD.
  • Yahoo: As of the publication date of this article, Yahoo does not provide the option to recover the contents of your Yahoo accounts if you pass away. A family member can, however, request that the Yahoo account be closed and that all subscriptions and billing associated with your account be terminated after you die.
  • Twitter: Twitter has a process that will allow a family member to request that your account be deactivated after you pass away.
There is still much progress to be made in this area, and I'm sure that "digital estate planning" will continue to evolve over the next few years as more companies provide users with options for controlling the access to your digital accounts after you pass away. In the meantime, don't forget to make local backups.

Wednesday, September 03, 2014

How celebrity photos were likely stolen from iCloud backups

Wired has an interesting article that discusses how sensitive celebrity photos may have been leaked from iCloud backups. The article describes using a password guessing tool called iBrute that leverages a flaw in "Find My iPhone" infrastructure to brute force a user's iCloud username and password. Once the iCloud credentials are obtained, attackers can use the forensics tool Elcomsoft Phone Password Breaker (EPPB) to impersonate an iPhone and download the entire iCloud backup, which includes not only photos, but texts, email, and much more sensitive information.

Apple has apparently fixed the "Find My iPhone" flaw that allowed iBrute to guess iCloud passwords (it now times out after 5 attempts), and there is currently an investigation into the data leaks. In the meantime, if you're an iCloud user, it might be a good idea to set up two-factor authentication, and make sure that you're using a unique, hard-to-guess password. Also, don't do stupid things with your smartphone.

UPDATE: Tim Cook addresses iCloud security issues and promises increased security and account activity notifications.

Also, Ars Technica has a great article that details some real-world testing they did trying to crack their own devices using some of the techniques mentioned above.

Wednesday, June 11, 2014

Mario Maker

This is a pretty compelling argument for buying a Wii U. Combine the awesomeness of the Mario platformer franchise with the creativity of Minecraft and you get Mario Maker. Cue the awesome community-created levels, a la Little Big Planet, and Nintendo may have a huge success on their hands. Now if they would only release it for iOS and Android.

Friday, January 10, 2014

Gmail Setting to Enhance Privacy and Eliminate Spam from Google+

Google released a new Gmail feature that allows people from Google+ to send you an email. What could possibly be wrong with this? For those who want to opt out of this feature, simply log in to Gmail, click Settings (the gear icon), find the setting called "Email via Google+," and change it to "No one."

Monday, December 16, 2013

Purchased movies in the cloud pulled due to licensing agreements

When was the last time you purchased a movie? What format was it in? DVD, Blu-ray, iTunes, Vudu, Amazon, Google Play? It is very likely that you used some sort of cloud-based video service such as Amazon's Instant Video service, Vudu, or UltraViolet. These formats are becoming more and more common as our devices are more connected, and the old, physical media model is going away. Having your entire movie collection in an online library, accessible from any connected device sounds awesome, right?

But, what happens when a movie you buy is pulled by the content provider and you are not able to watch it? I know, I know, first world problem. But, that's what's happened to consumers of Amazon's Instant Video service, who purchased Christmas videos. Disney, the owner of the content, has a license restriction with Amazon that allows them to pull the content whenever they want. In this case, Disney wanted certain Christmas videos only available for viewing on their TV channel, and not through any other means. So those Christmas videos customers purchased? Well, they won't be available for viewing again in their video libraries until July 2014. Something to be aware of the next time you purchase a movie.

UPDATE 12/17/13: Amazon said that this was apparently a glitch and has apologized, although they still retain control to enable or disable purchased items in your online video library.