All Posts By

gml_admin

The New Dirty Word: Default

By | Data Privacy, Information Security | No Comments

It’s 10PM and you’re ending your day but hackers are just getting started. Maybe a cup of brute-force strength hacking techniques to start their day? Before you drift to sleep, you can’t help but start thinking about that new corporate application you installed today. Did you configure everything correctly with the right passwords, settings, and certificates? You can check tomorrow but business doesn’t stop and with employees working from home, “business hours” are a thing of the past. Besides, everything you tested worked great and did what it was supposed to do so you know things will probably work fine. And they do for months… until something strange starts happening and you see that new competitors are taking your business by selling a product that looks eerily similar to yours. How could they have copied it so well? You suspect that you may have a mole in your organization and so you begin analyzing the network traffic of all your employees. But what you end up seeing is something unexpected, outside traffic not tied to any of your users is coming in and stealing your internal corporate data. How is this happening? After much investigation and discussions with the provider of the application, you discover that there were default settings you had to change and you are told it’s your fault for not changing them.

It was recently reported by Hacker News that over 200,000 businesses were susceptible to being hacked because of not changing a default setting in Fortigate VPN.  Customers have been told that it’s unfortunate they didn’t follow instructions but nothing is going to change.  “For its part, Fortinet said it has no plans to address the issue, suggesting that users can manually replace the default certificate and ensure the connections are safe from MitM attacks.”  I don’t know about you but if I have 200,000 clients buying a VPN that can be hacked because my clients aren’t aware of what they need to configure, then something needs to change. “‘The Fortigate issue is only an example of the current issues with security for the small-medium businesses, especially during the epidemic work-from-home routine,’ Hertz and Tashimov noted.  ‘These types of businesses require near enterprise grade security these days, but do not have the resources and expertise to maintain enterprise security systems. Smaller businesses require leaner, seamless, easy-to-use security products that may be less flexible, but provide much better basic security.’”

This is akin to the early days of home Wi-Fi where every router was public and not password protected. A common tactic of wardriving forced the consumer router industry to wake up and make their routers private and put default random passwords on the box like happypuppy632.  Perhaps this bad publicity will force a change to the default behavior for Fortigate VPN but that remains to be seen. For liability, Fortinet may publicly be pushing a hard line but perhaps changes will be quietly made in future releases. It defeats the purpose of an application explicitly designed for privacy to be insecure out of the box when so many will just plug it in and start using it while unaware of the dangers.

 

At Grey Market Labs we believe you shouldn’t need a computer science degree to be safe online. That’s why our solutions are built with Security and Privacy by Design, striving toward our mission to protect life online. Our products accelerate your business and work online and in the cloud, making you more productive and ensuring privacy and security especially with in a world of remote work.

Simply: we prevent data from being compromised and protect our customers work, online.

Contact us to see how we can work together.

Not all Scraping is Created Equal

By | Data Privacy | No Comments

CREXi and CoStar Group both sell real estate information to help customers follow trends and more accurately value properties. Having the right information when buying or selling a commercial property worth $100M can make or break a deal and shift profits into the hands of those with more knowledge.

These companies have trade secrets on how they gather the information, aggregate it, model with it, and produce recommendations, charts, reports, etc. Recently, CoStar Group sued CREXi for “massive” copyright infringement and intellectual property theft [1]. It is alleged that CREXi employees were creating fake accounts to access CoStar’s data. Generally, creating a “fake” account is a violation of the terms of service. It’s even more egregious if it is being done to steal (or scrape) data and reuse/sell it for profit.

In a similar manner, Google scrapes many sites at varying intervals. They keep the news results fairly up to date, and when displaying things like the news, they have advertisements. Is Google stealing someone else’s copyrighted works so they can sell ads? Google has a News Initiative [2] that is drawing attention from France and Australia [3], to name a few. Selling someone else’s news is illegal in some countries and jurisdictions. There’s got to be a limit to what one can “borrow” from another before it’s the equivalent of stealing, copyright infringement, or just not classic “fair use.”  Is it OK for Google to scrape a news site for information that it then monetizes indirectly (via advertisements) but not OK for CREXi to scrape CoStar’s website and resell that information directly? There’s clearly a difference, but like many of these differences, they’re not black or white; context is required, and they’re usually a shade of grey.

 

Grey Market Labs is a Public Benefit Corporation founded with the social mission to protect life online. We build revolutionary software and hardware products, and partner with like-minded industry leaders, to create a future with “privacy-as-a-service”.

Simply: we prevent data from being compromised and protect our customers work, online.

Contact us to see how we can work together.

Do you control YOUR data and how exactly do you “control” it?

By | Data Privacy, Data Protection | No Comments

Privacy legislation has been on the horizon for almost as long as security legislation. Every year, digital tracking techniques get better (or creepier, depending on your perspective).  What if all these privacy rules/regulations actually came to fruition? What does “controlling your data” really mean – for the end user and corporations alike?

It’s hard to imagine what the internet would be like without advertisement supported projects like the Google search engine. That search engine is good because it uses data from a variety of sources to improve it. Microsoft uses data from Microsoft 365 (formerly Office 365) and its operating systems (e.g. Windows 10) to “improve user experience.” LinkedIn uses data about users to bolster professional networks (and in many cases social networks). What if all the data about your enterprise – including all your users—was configurable by you, and Google, Microsoft, Facebook, Apple, nation states, hackers, data brokers, etc. couldn’t see any of it. Maybe you’ve never thought you could control your enterprise user data to that extent … but we help make that happen.

There are speculations on what the technology landscape could look like when you start to control your own data, including this recent article from CMS Wire. The author mentions that some cookies are on the chopping block (3rd party cookies specifically). Fortunately for big tech they already have workarounds. Facebook has been allowing 1st party cookies for a while now but back-end data sharing agreements (which you probably agreed to with the Terms of Service) will continue to be a ripe source of data. Unfortunately for the end users, there’s really no functional change in the data that is exposed, stored, mined and monetized — even with GDPR and CCPA in full effect.

Truly controlling your enterprise data, including effectively masking your external enterprise footprint, is what we at Grey Market Labs enable with our Opaque platform. We expose privacy controls that administrators can understand and integrate with your existing infrastructure. Opaque is your “easy button” for digital privacy to the outside world (i.e. outside your corporate footprint).  Sometimes you need to control what users within and outside your organization have access to. We recently announced a partnership with Virtru to bring their TDF-enabled encryption and access controls to Opaque. Share data from within our platform to a user in another cloud, manage their access as desired, and get full audit of when they access it. If you need more granular controls (such as preventing a user from copying text you shared) you can share the data to have it open within Opaque directly – completely clientless. Our Virtru integration is a welcome layer of our defense in depth strategy.

Grey Market Labs® and Virtru Partner to Deliver Secure Analytics

By | Data Privacy, Data Protection | No Comments

Even with technological advancements in data processing, machine learning, and other analytics, organizations face challenges when sharing valuable data with collaborators due to a lack of transparency and ownership of data once it leaves its source point. Enterprises and agencies often rely on virtual machines to safely collaborate on their most sensitive information without losing control and giving up access to third parties, but existing solutions restrict the ways in which data can be classified, protected, audited, and shared across different platforms.

Grey Market Labs® and Virtru solve this problem by enabling data owners to maintain full lifecycle control over their sensitive information and securely share it for approved analysis. Grey Market Labs®’ Opaque platform offers patented secure virtual environments in which individuals can view and manipulate their TDF-protected data without ever having to expose this sensitive information.

Virtru’s Trusted Data Platform (TDP) is powered by the Trusted Data Format (TDF)—an open standard for object-level encryption created by Virtru Co-Founder and CTO, Will Ackerly, that keeps data protected and under the owner’s control. This technology ensures that companies can send information in a secure way that limits exposure risks.  Combined with the Opaque platform collaborators can have the assurance that content will always remain under their ownership, protected from misuse or unauthorized access.

Together, Virtru and Grey Market Labs® provide the ability to:

  • Share data more securely by adding persistent protections and attribute-based access control (ABAC). The Opaque platform uses TDF protections to ensure the integrity of sensitive data as it is shared from its original owner, so it can be trusted to inform business decisions and remain protected regardless of how it is analyzed or manipulated. Data owners can revoke, expire, or audit access to information at any point in its lifecycle, making it easier to share and collaborate with multiple parties. With ABAC, data created by different organizations in different applications can carry the same protections and access policies—whether the content is being collaborated on within a secure enclave, shared in transit, or brought outside of Opaque for offline consumption.
  • Improve performance with expanded access to analytic tools. By enabling granular audit of users and data activity, Opaque makes it easy for organizations to provide assurances that information can securely travel across environments and systems it might not otherwise be permitted to reach. As a result, end-users can ingest and analyze their most sensitive data using a broad array of collaboration and analytic tools, whether desktop, web-based, or cloud-based. Each Opaque virtual environment can be preloaded with the applications needed for an individual data analyst to perform his or her work and since each environment is isolated, owners are granted administrative rights to their virtual environments enabling them to safely configure instances on-demand.
  • Increase data transparency and accountability. By increasing transparency into where and how data is being shared, organizations can enhance trust and ensure they are safeguarding private information while providing the defensible audit of data to ensure regulatory compliance or third-party audits.

For more information, please contact Kris Schroeder, CEO at Grey Market Labs.

The Challenge of In-House Data Protection and Privacy

By | Data Privacy, Data Protection | No Comments

If you are a mid-size or larger business, you have an overworked security team. Those teams have responsibility across dozens of business areas, from executive protections, to cyber defense, to insider threat and more, many with competing priorities. Increasingly, security practitioners recognize that protecting customer or individual privacy is the most proactive way to protect the most important and sensitive activities of an organization (Apple Declines new API’s Due to Privacy Concerns).

The challenge is in the implementation – some companies with in-house engineering skill, or the resources to hire consulting firms, have tried to enact “enterprise privacy” by cobbling together integrations of “no track” VPN providers, isolated browsers, and imposing increasingly strict firewall and application rules. The end result is an increasingly costly environment to maintain and, in the end, a net decrease of the end user productivity with restrictions on internet services. In fact, these environments can be so brittle they actually increase the chance of compromise, since failure of one piece in this puzzle. For example, last month seven ‘no log’ Hong Kong VPN providers were accused of leaking 1.2TB of user logs onto the internet via unsecured Elasticsearch cluster (“No track” UFO VPN exposes user data). If any company or individual employees used those servers during that time, they were exposed and were ripe targets for hacking. Whether this was a misconfiguration or something worse, exposed VPNs are just one example of the fragility that comes with home-grown privacy solutions.

The goal should be to isolate external-facing internet activity and implement an architecture that enables zero-trust. While that sentence is buzzword heavy, the isolation approach limits exposure of any one component of a system, so if a VPN is compromised it doesn’t necessarily mean the company will be impacted. Also, when you bring in zero-trust concepts to a completely controlled environment, a company can increase the level of data sharing that is available while at the same time increasing data protection and privacy. Expect and ask more from the tech industry.

Grey Market Labs is a Public Benefit Corporation founded with the social mission to protect life online. We build revolutionary software and hardware products, and partner with like-minded industry leaders, to create a future with “privacy-as-a-service”.

Simply: we prevent data from being compromised and protect our customers work, online.

Contact us to see how we can work together.

Security Considerations for Enterprise Remote Access

By | Data Privacy, Data Protection, Information Security | No Comments

Remote-access technologies are top-of-mind for most IT professionals now, and remote work is a trend which is likely here to stay for the long term. If you’re looking to update your organization’s security policy, NIST has recently published an excellent bulletin outlining some of the unique security challenges posed by remote work.

NIST categorizes remote-access technologies into four main categories: Tunneling, Portals, Direct Application Access, and Remote Desktop Access.  With the rise of BYOD (bring your own device) policies and cloud-based applications, it has become common for organizations to employ multiple solutions for remote access, each with their own unique security considerations.   Regardless of which remote-access technologies your organization is using, it is important to continually ensure each is being used in a way that protects data from compromise.

The NIST bulletin highlights a few important points:

  • Organizations should assume that devices used for remote work will be compromised. Make sure that sensitive data is encrypted, or better yet, implement solutions that don’t store any sensitive data on client devices.
  • Devices used in external environments are under greater risk for compromise than devices in enterprise environments, so tighter security controls are advisable. Security controls can also vary widely by device, so you may need to give more specific security guidance for BYOD devices used for remote work.
  • Each additional form of remote access that is exposed increases the risk of compromise. This can be mitigated by implementing tiers of access for different client devices, and by situating remote access servers so they serve as a single point of entry.

Grey Market Labs is a Public Benefit Corporation with the mission to “protect life online”. Our Advisory services can help you navigate the conflicting and overwhelming enterprise privacy and data protection guidance. Our products provide cost-effective and comprehensive privacy-as-a-service, delivering proactive internet protection for remote work and distributed teams. Simply: we prevent data from being compromised, establish trust between users and protect our customers work, online. CONTACT US to see how we can solve some hard problems together.

The Risks with Increased Use of Virtual Environments

By | Data Privacy | No Comments

On Wednesday, the FBI released a PSA (I-040120-PSA) on threats associated with the increased use of virtual environments (https://www.ic3.gov/media/2020/200401.aspx). With the massive increase in remote and telework, the attack surface (i.e. the available prey for hackers hunting online) has massively increased. The term “shooting fish in a barrel” is very relevant and likely underestimates the risk to businesses and governments. A few things stand out:

  1. Terms of Service – read them! As the recent Zoom issues highlighted, free software is not free. If you or your organization aren’t paying a license fee, then you and your data are how those companies are making their money. The data sharing economy has made this freemium model ubiquitous. As a leader in your organization, make sure your security, IT and/or risk leaders have read the terms of service for each product in use – you will be surprised how many tools claim ownership of your corporate data. Choose ones that prioritize protection of their customers and their data.
  2. Immature Security – while online collaboration tools have security features, most weren’t designed to protect against sophisticated Chinese or Russian attacks. With the rapid increase in the use of tools like Zoom, they have become a lucrative target for nation-state hackers. Look for tools that have supported Federal Government customers, especially the DoD, as they have usually gone through strict vetting procedures.
  3. Limited or Shared Resources – to keep costs low or to rapidly grow capacity, organizations regularly purchase refurbished equipment, allow Bring Your Own Device (BYOD) or, in cloud computing, share resources with other companies. In both scenarios, you are opening your company to threats from poorly maintained or recycled equipment, or from data leakage with poorly designed collaboration tools. Focus on systems that allow single tenancy (one organization per installation), comprehensive isolation (beyond browsers and applications) and leverage virtual desktop interfacing (VDI) or similar as they can mitigate the issues of poorly refurbished or employee provided computers.

Finally, many of the suggestions in the FBI letter rely on your employees and system users to be vigilant for recognizing scams and suspicious online activity. The more platforms and technology can automate these best practices, the more proactive our defenses will become and the less we will have to worry about human error.

As a Public Benefit Corporation, Grey Market Labs was created to help protect life online. If you are concerned about Data Privacy and Employee Protection (especially for your most sensitive work), please reach to us directly: info@greymarketlabs.com. We can guide you through these privacy and cybersecurity challenges and, if our products are not the best fit, recommend one of our vetted partners to best meet your needs.

Not-so-Private Browsing Mode

By | Data Privacy, Data Protection | No Comments

Have you ever used a “private” browsing window before?  You might know it as “Incognito Mode” in Chrome, “InPrivate” in Edge, or “Private Browsing Mode” in Safari & Firefox.  These private modes may do little more than tell the browser to forget what you did once you close the window.  Search history, pages visited, and what you typed in will be deleted when the browser closes.  However, there are many misconceptions about what private means.  A scientific study conducted on the Misconceptions About Private Browsing Mode found that most users grossly overestimate the protections provided by private browsing modes.   A very important aspect to recognize is that these private browsing modes are concerned about privacy within the scope of the device you are using.  For example, users sharing a laptop may want to use a private browsing mode to conceal login credentials and browsing history from other users of the device.  Information sent over the internet, however, is subject to the same scrutiny as any other traffic sent in regular browsing mode and can be tracked.   So that means, your search history that’s not stored by the browser can still be stored and saved by your search provider, e.g. Google, and traced back to you using more advanced fingerprinting techniques which a private browser does not prevent.

The study found that the wording of the various private browsing disclosures by the major browsers led to many misconceptions and overestimation of the level of privacy actually provided.  The paper’s introduction highlights such misconceptions: “This overestimation reaches far; Eric Schmidt, former CEO of Google, once stated, ‘If you’re concerned, for whatever reason, you do not wish to be tracked by federal and state authorities, my strong recommendation is to use incognito mode, and that’s what people do.'”  This statement by Schmidt, falsely implies that incognito mode provides more protections than it actually does.  Assuming the intent was not to mislead then that means even the CEO of Google at that time had grossly overestimated the protections provided by private browsing.

Since even the CEO of one of the biggest companies in the world has misconceptions about the protections provided by one of his company’s most popular pieces of software, we thought we’d put together a list to help you.  Below, we’ve provided a few of the key items that the average private browsing window does and does not protect you from:

Private Browsing does NOT:

  1. Prevent websites from tracking you
  2. Prevent malware and viruses
  3. Hide the websites you visit
  4. Hide your location
  5. Hide your downloads
  6. Block Ads

Private Browsing does:

  1. Prevent your web activity being saved locally by the browser
  2. Prevent most data that is usually saved in non-private browsing sessions from being exposed
  3. Share data between other private browsing tabs during a session
  4. Make you feel safer without providing the level of protection you need to be anonymous

Uses for Private Browsing:

  1. On a shared computer with other users such as a family computer or in a library.
  2. To avoid leaving a trace of past activity on any computer.
  3. To log into the same site with a second account.
  4. To test how a site looks to a new user.

 


 

Grey Market Labs is a Public Benefit Corporation founded with the social mission to protect life online for people and organizations. Our software and hardware products are creating a future with privacy-as-a-service, delivering proactive internet protection from the moment of access to countering exploitation of digital behavior and activity. Simply: we prevent data from being compromised, establish trust between users and protect our customers work, online.

Contact us to see how we can work together.

DNS: Tracking mitigation upended

By | Data Privacy | No Comments

DNS ad-based tracking gets a boost

On 11/22/2019, the co-founder of NextDNS posted an article (https://medium.com/nextdns/cname-cloaking-the-dangerous-disguise-of-third-party-trackers-195205dc522a) addressing 3rd-party tracking capabilities with DNS. If you haven’t read it yet, it’s worth a read to see how far-ranging the technical challenges are. At Grey Market Labs we’re acutely aware of tracking techniques that range from simple to complex to downright scary, so this technique wasn’t a surprise. Instead it just was another step towards a future where tracking mitigation is impractical for all but the most sophisticated users.

Some DNS history and how we got here…

DNS began in the 80s when everyone on the internet more or less trusted everyone else, at least when it came to allowing computers to talk to each other. That trust was fine when the set of computers was small and trust was a reasonable expectation. There was even a single group responsible for allowing new computers and domains to connect and they manually maintained a master list. By the late 80s there were many more computers connecting to this new internet and the management overhead was untenable. Simplifying a bit, an automated system was built that allowed computers to be dynamically added to networks using the existing DNS strategy.

For a while this also worked quite well and solved the scale problem. Unfortunately, it didn’t solve the trust problem — after all, who is allowed to update this list? If anyone can update the list of computer “addresses” then anyone can change their addresses. Imagine if the phone book caused reality instead of representing reality… If the phone company misprinted your phone number in the phone book, just like that, it’s your new number. If they misprinted your street address you had to move, sorry. If they left off your phone number, you no longer have one. That’s the strength of DNS when it comes to finding computers. One can only imagine a business bribing the phone book printer to leave off a particular company or to misprint their address. I’m sure that never happened though. DNS has that ability, and there were lots of compromises that follow that analogy.

On the subject of the phone company…

Ever wonder why with caller ID on your phone, a caller is able to misrepresent who they were? Fake FBI scams have caller ID reporting “Federal Bureau of Investigations”, social security number scammers show up as “Social Security Administration”, etc. It turns out that phone companies, when they built the networks MANY years ago, they also relied on trust that was reasonable to expect then, but is not reasonable to expect now. They have made progress here but it’s yet another example of existing systems that fail (or refuse?) to evolve and are ultimately exploited.

So what exactly was Grey Market Labs expecting here?

That “single step towards a future that we believe will prevent many tracking mitigations” was the use of CNAMEs to disguise the ultimate target of a DNS request. Most DNS ad blockers (and some that are designed purposefully to prevent tracking independent of advertisements) use a blacklisting or whitelisting technique. This means that bad sites (advertisers) are blocked and good sites (the people using the advertisers but aren’t running their own ads, such as such as a news site) are allowed. Once a CNAME is set correctly, the ads appear to come directly from the news site so blocking it will prevent access to the news site itself. And it turns out big sites are actually using this already (snippet from Medium article):

foxnews.com, walmart.com, bbc.co.uk, go.com, webmd.com, washingtonpost.com, weather.com, coach.com, gap.com,  cnn.com,  arstechnica.com, saksfifthavenue.com, t-mobile.com, statefarm.com

Ultimately, if traditional DNS blockers come up with a way around the problem that NextDNS mentioned, that’s great! It really is a solution that’s mostly dealt with at the DNS layer. But tracking and advertising companies have more steps lined up to enable these news sites (any site really) to win the tracking game. One such step is by using a proxy. By adding a proxy the traffic can be made to appear to originate from our example news site directly, which will prevent DNS-related blocking (and CNAME cloaking mitigation) from working. Try not to forget that the primary reason companies continue to push the boundaries of ad-tech is to make money.

Fortunately, our Opaque line of products is already capable of dealing with this, and many other innumerable challenges, in a future-resilient way. The best part is, administrators/gurus/users don’t have to bother with changing DNS providers, updating configurations, or applying security patches–that’s all our job.

So, which advertiser/tracking database is your activity stored in? When is the last time you saw a meaningful (or any) report about your DNS usage?

 


 

Grey Market Labs is a Public Benefit Corporation founded with the social mission to protect life online for people and organizations. Our software and hardware products are creating a future with privacy-as-a-service, delivering proactive internet protection from the moment of access to countering exploitation of digital behavior and activity. Simply: we prevent data from being compromised, establish trust between users and protect our customers work, online.

Contact us to see how we can work together.

Cyber Liability Insurance: Part of a comprehensive security plan

By | Data Privacy, Information Security, Risk and Liability | No Comments

It seems like every day there is a new story about a data breach and how millions of sensitive user records have been exposed.  The financial and healthcare industries are two of the biggest targets with some of the most sensitive data about people’s daily lives.  Theft and exposure of this data can open up these institutions to huge financial losses in the form of lawsuits and lost business.  Companies need ways to prevent and mitigate these potential losses.  Well-designed security protocols and software can prevent many of the data breaches that happen daily.  There will always be some risk of a breach but the use of best practices and strong security software reduces the number of attack vectors and thus significantly diminishes the risk.

Knowing that there always remains the risk of a breach, the question every company should be asking is: Should Your Business Get Cyber Liability Insurance?  As the CEO of LowCards.com (a free consumer resource website covering the credit card industry) points out, “many businesses are now turning to cyber liability insurance to minimize their risk of loss.”  Bill Hardekopf provides a great 101 on Cyber Liability Insurance and why you should consider it.  An important takeaway from the article is that “The insurance provider will evaluate policies, software and hardware to check for potential areas of weakness.”  The provider may even set a minimum standard for obtaining insurance or charge higher premiums for companies with weaker practices and software. Even if the standards aren’t there today, they will be emerging, and they will begin to affect rates and overall liability of a data compromise or a breach.

A good analogy to cyber liability insurance is property insurance, something every business should have.  Basic safety measures like fire extinguishers and smoke detectors are often minimum standards for even obtaining property insurance.  More advanced features like a security alarm system result in discounts on the premium paid for insurance.  In the same way with cyber liability insurance, installing anti-virus software or an advanced counter-exploitation platform could be considered a minimum standard or result in reduced premiums.

Given the importance of preventing a data breach most companies already implement counter measures.  However, given the likelihood a business will be the target of a successful data breach, companies should also consider adding cyber liability insurance.   Having a comprehensive plan for prevention and mitigation will help a company weather any storm that confronts them.

 


 

Grey Market Labs is a Public Benefit Corporation founded with the social mission to protect life online for people and organizations. Our software and hardware products are creating a future with privacy-as-a-service, delivering proactive internet protection from the moment of access to countering exploitation of digital behavior and activity. Simply: we prevent data from being compromised, establish trust between users and protect our customers work, online

Contact us to see how we can work together.