All Posts By

gml_admin

Dec 20
2

Not-so-Private Browsing Mode

By | Data Privacy, Data Protection | No Comments

Have you ever used a “private” browsing window before?  You might know it as “Incognito Mode” in Chrome, “InPrivate” in Edge, or “Private Browsing Mode” in Safari & Firefox.  These private modes may do little more than tell the browser to forget what you did once you close the window.  Search history, pages visited, and what you typed in will be deleted when the browser closes.  However, there are many misconceptions about what private means.  A scientific study conducted on the Misconceptions About Private Browsing Mode found that most users grossly overestimate the protections provided by private browsing modes.   A very important aspect to recognize is that these private browsing modes are concerned about privacy within the scope of the device you are using.  For example, users sharing a laptop may want to use a private browsing mode to conceal login credentials and browsing history from other users of the device.  Information sent over the internet, however, is subject to the same scrutiny as any other traffic sent in regular browsing mode and can be tracked.   So that means, your search history that’s not stored by the browser can still be stored and saved by your search provider, e.g. Google, and traced back to you using more advanced fingerprinting techniques which a private browser does not prevent.

The study found that the wording of the various private browsing disclosures by the major browsers led to many misconceptions and overestimation of the level of privacy actually provided.  The paper’s introduction highlights such misconceptions: “This overestimation reaches far; Eric Schmidt, former CEO of Google, once stated, ‘If you’re concerned, for whatever reason, you do not wish to be tracked by federal and state authorities, my strong recommendation is to use incognito mode, and that’s what people do.'”  This statement by Schmidt, falsely implies that incognito mode provides more protections than it actually does.  Assuming the intent was not to mislead then that means even the CEO of Google at that time had grossly overestimated the protections provided by private browsing.

Since even the CEO of one of the biggest companies in the world has misconceptions about the protections provided by one of his company’s most popular pieces of software, we thought we’d put together a list to help you.  Below, we’ve provided a few of the key items that the average private browsing window does and does not protect you from:

Private Browsing does NOT:

  1. Prevent websites from tracking you
  2. Prevent malware and viruses
  3. Hide the websites you visit
  4. Hide your location
  5. Hide your downloads
  6. Block Ads

Private Browsing does:

  1. Prevent your web activity being saved locally by the browser
  2. Prevent most data that is usually saved in non-private browsing sessions from being exposed
  3. Share data between other private browsing tabs during a session
  4. Make you feel safer without providing the level of protection you need to be anonymous

Uses for Private Browsing:

  1. On a shared computer with other users such as a family computer or in a library.
  2. To avoid leaving a trace of past activity on any computer.
  3. To log into the same site with a second account.
  4. To test how a site looks to a new user.

 

 

Grey Market Labs is a Public Benefit Corporation founded with the social mission to protect life online for people and organizations. Our software and hardware products are creating a future with privacy-as-a-service, delivering proactive internet protection from the moment of access to countering exploitation of digital behavior and activity. Simply: we prevent data from being compromised, establish trust between users and protect our customers work, online.

Contact us to see how we can work together.

Dec 10
4

DNS: Tracking mitigation upended

By | Data Privacy | No Comments

DNS ad-based tracking gets a boost

On 11/22/2019, the co-founder of NextDNS posted an article (https://medium.com/nextdns/cname-cloaking-the-dangerous-disguise-of-third-party-trackers-195205dc522a) addressing 3rd-party tracking capabilities with DNS. If you haven’t read it yet, it’s worth a read to see how far-ranging the technical challenges are. At Grey Market Labs we’re acutely aware of tracking techniques that range from simple to complex to downright scary, so this technique wasn’t a surprise. Instead it just was another step towards a future where tracking mitigation is impractical for all but the most sophisticated users.

Some DNS history and how we got here…

DNS began in the 80s when everyone on the internet more or less trusted everyone else, at least when it came to allowing computers to talk to each other. That trust was fine when the set of computers was small and trust was a reasonable expectation. There was even a single group responsible for allowing new computers and domains to connect and they manually maintained a master list. By the late 80s there were many more computers connecting to this new internet and the management overhead was untenable. Simplifying a bit, an automated system was built that allowed computers to be dynamically added to networks using the existing DNS strategy.

For a while this also worked quite well and solved the scale problem. Unfortunately, it didn’t solve the trust problem — after all, who is allowed to update this list? If anyone can update the list of computer “addresses” then anyone can change their addresses. Imagine if the phone book caused reality instead of representing reality… If the phone company misprinted your phone number in the phone book, just like that, it’s your new number. If they misprinted your street address you had to move, sorry. If they left off your phone number, you no longer have one. That’s the strength of DNS when it comes to finding computers. One can only imagine a business bribing the phone book printer to leave off a particular company or to misprint their address. I’m sure that never happened though. DNS has that ability, and there were lots of compromises that follow that analogy.

On the subject of the phone company…

Ever wonder why with caller ID on your phone, a caller is able to misrepresent who they were? Fake FBI scams have caller ID reporting “Federal Bureau of Investigations”, social security number scammers show up as “Social Security Administration”, etc. It turns out that phone companies, when they built the networks MANY years ago, they also relied on trust that was reasonable to expect then, but is not reasonable to expect now. They have made progress here but it’s yet another example of existing systems that fail (or refuse?) to evolve and are ultimately exploited.

So what exactly was Grey Market Labs expecting here?

That “single step towards a future that we believe will prevent many tracking mitigations” was the use of CNAMEs to disguise the ultimate target of a DNS request. Most DNS ad blockers (and some that are designed purposefully to prevent tracking independent of advertisements) use a blacklisting or whitelisting technique. This means that bad sites (advertisers) are blocked and good sites (the people using the advertisers but aren’t running their own ads, such as such as a news site) are allowed. Once a CNAME is set correctly, the ads appear to come directly from the news site so blocking it will prevent access to the news site itself. And it turns out big sites are actually using this already (snippet from Medium article):

foxnews.com, walmart.com, bbc.co.uk, go.com, webmd.com, washingtonpost.com, weather.com, coach.com, gap.com,  cnn.com,  arstechnica.com, saksfifthavenue.com, t-mobile.com, statefarm.com

Ultimately, if traditional DNS blockers come up with a way around the problem that NextDNS mentioned, that’s great! It really is a solution that’s mostly dealt with at the DNS layer. But tracking and advertising companies have more steps lined up to enable these news sites (any site really) to win the tracking game. One such step is by using a proxy. By adding a proxy the traffic can be made to appear to originate from our example news site directly, which will prevent DNS-related blocking (and CNAME cloaking mitigation) from working. Try not to forget that the primary reason companies continue to push the boundaries of ad-tech is to make money.

Fortunately, our Opaque line of products is already capable of dealing with this, and many other innumerable challenges, in a future-resilient way. The best part is, administrators/gurus/users don’t have to bother with changing DNS providers, updating configurations, or applying security patches–that’s all our job.

So, which advertiser/tracking database is your activity stored in? When is the last time you saw a meaningful (or any) report about your DNS usage?

 

 

Grey Market Labs is a Public Benefit Corporation founded with the social mission to protect life online for people and organizations. Our software and hardware products are creating a future with privacy-as-a-service, delivering proactive internet protection from the moment of access to countering exploitation of digital behavior and activity. Simply: we prevent data from being compromised, establish trust between users and protect our customers work, online.

Contact us to see how we can work together.

Oct 18
3

Cyber Liability Insurance: Part of a comprehensive security plan

By | Data Privacy, Information Security, Risk and Liability | No Comments

It seems like every day there is a new story about a data breach and how millions of sensitive user records have been exposed.  The financial and healthcare industries are two of the biggest targets with some of the most sensitive data about people’s daily lives.  Theft and exposure of this data can open up these institutions to huge financial losses in the form of lawsuits and lost business.  Companies need ways to prevent and mitigate these potential losses.  Well-designed security protocols and software can prevent many of the data breaches that happen daily.  There will always be some risk of a breach but the use of best practices and strong security software reduces the number of attack vectors and thus significantly diminishes the risk.

Knowing that there always remains the risk of a breach, the question every company should be asking is: Should Your Business Get Cyber Liability Insurance?  As the CEO of LowCards.com (a free consumer resource website covering the credit card industry) points out, “many businesses are now turning to cyber liability insurance to minimize their risk of loss.”  Bill Hardekopf provides a great 101 on Cyber Liability Insurance and why you should consider it.  An important takeaway from the article is that “The insurance provider will evaluate policies, software and hardware to check for potential areas of weakness.”  The provider may even set a minimum standard for obtaining insurance or charge higher premiums for companies with weaker practices and software. Even if the standards aren’t there today, they will be emerging, and they will begin to affect rates and overall liability of a data compromise or a breach.

A good analogy to cyber liability insurance is property insurance, something every business should have.  Basic safety measures like fire extinguishers and smoke detectors are often minimum standards for even obtaining property insurance.  More advanced features like a security alarm system result in discounts on the premium paid for insurance.  In the same way with cyber liability insurance, installing anti-virus software or an advanced counter-exploitation platform could be considered a minimum standard or result in reduced premiums.

Given the importance of preventing a data breach most companies already implement counter measures.  However, given the likelihood a business will be the target of a successful data breach, companies should also consider adding cyber liability insurance.   Having a comprehensive plan for prevention and mitigation will help a company weather any storm that confronts them.

 

 

Grey Market Labs is a Public Benefit Corporation founded with the social mission to protect life online for people and organizations. Our software and hardware products are creating a future with privacy-as-a-service, delivering proactive internet protection from the moment of access to countering exploitation of digital behavior and activity. Simply: we prevent data from being compromised, establish trust between users and protect our customers work, online

Contact us to see how we can work together.

Oct 08
6

Is your VPN doing everything it promises to protect your privacy?

By | Data Privacy | No Comments

Commercial VPN services have recently gained widespread popularity and many present themselves as a solution for online privacy.  Some of them even claim to enable anonymous internet browsing. However, as pointed out in a recent Forbes article, Too Many VPNs Put Our Privacy And Security At Risk, the current VPN market is more of a minefield than an utopia.   Numerous VPN services been found to have significant security flaws, and some have been found to be downright malicious – they could potentially be exploiting your data rather than protecting it. While this is concerning on its own, it also highlights a need to better understand how a VPN fits in with a holistic approach to internet privacy.

Commercial VPNs create an encrypted “tunnel” for your web traffic between two points, your computer and your VPN provider.  If properly configured, anyone eavesdropping on that connection would only see that you were connected to a VPN; they wouldn’t be able to see your requests to individual websites.  This is valuable protection, especially if you are concerned about the trustworthiness of a Wi-Fi hotspot or ISP.   But because that tunnel sends all your traffic through the VPN provider, it’s of utmost importance that you use a trustworthy provider with a business model that aligns with your best interests.

However, even the best VPN is only a tool that can protect part of your digital footprint across the internet.  Potential privacy compromises are still possible at points before or after the VPN.

While it is often claimed that VPNs enable ‘anonymous’ surfing by obscuring your IP address, this is only successful in defeating the most rudimentary of tracking attempts.  Routine browsing activity generates a huge amount of metadata that can be used to uniquely identify and track users without relying on an IP address.  Techniques like browser fingerprinting, network traffic analysis, and even browser cookies can leverage this metadata to track users’ activity through a VPN.

A holistic approach to privacy also goes beyond protecting users’ browsing activity; it also includes the privacy and security of data already on your systems.  Any computer browsing the open internet, whether behind a VPN or not, is a potential vector for data compromise through malware, phishing, targeted attacks, or unintentional disclosure. A VPN can be a valuable tool for protecting your privacy, but it is far from a comprehensive solution.

 

 

Grey Market Labs is a Public Benefit Corporation founded with the social mission to protect life online for people and organizations. Our software and hardware products are creating a future with privacy-as-a-service, delivering proactive internet protection from the moment of access to countering exploitation of digital behavior and activity. Simply: we prevent data from being compromised, establish trust between users and protect our customers work, online

Contact us to see how we can work together.

May 15
6

Permanent Impressions – how what you do online defines you forever

By | Information Security

Imagine strolling through the mall, visiting several stores, trying on some clothes, and reading a magazine that you picked up at Barnes & Noble while you sip your coffee from Starbucks.  Each stop you made and each item you purchased left some impression.  Maybe you had a nice conversation with the sales associate that helped you in the fitting room or the barista that made your drink.  Likely, those encounters won’t leave lasting memories.  The most enduring impression may be the credit card or the Starbucks rewards app you used to make a purchase.  You might also be on a few security cameras.  Maybe also, you have some store apps with location tracking that notify you of a deal when you walk in.  All of these things could leave a lasting impression with a store.  Each of these impressions or encounters leaves a trail or fingerprint.

Now, think of the mall as the internet and each store as a website.  Each store is a business trying to sell you as much as they can.  They want to remember what items you look at and what you buy.  All of this is much easier to do through the internet than in a mall.  Some stores are owned by the same corporate conglomerates and some are independent.  Some data is easily shared between stores helping to create a better profile of your shopping behavior.  However, when you visit a website, you are anonymous unless you create an account and make a purchase, right?

Actually, you’re not as anonymous as you might think to that website you are visiting.  Your browser shares a wealth of information about the computer you are using.  It doesn’t share your name but, it does provide information about the resolution of your monitor(s) or handheld device, the operating system you are using, the specific browser version you are using, and even what fonts you have installed.  It also shares many more seemingly mundane details.  All these details add up to make your unique, digital fingerprint (See for yourself).  Unlike with a real fingerprint, nobody is scanning that last item you touched at the mall or running a DNA test on the coffee you drank to better identify you (hopefully).

So why do I care if my digital or real fingerprint is unique and people can see it?  My fingerprint isn’t known to anyone so how does it help a website to track it?  Well, chances are you visited quite a few stores on the internet looking for the best deal and your digital fingerprint is being collected by each of those sites.  Those sites that share information with affiliate sites can now combine that information to begin creating a partial profile of your viewing behavior.  Remember that stop to read a magazine at Barnes & Noble or instead on the web when you went to TMZ to find out what Kim Kardashian was wearing last week so you could buy that dress?  News sites rely on advertising and those advertisers are keen to track who you are and what you read to better target you with the items you want to buy.  The kicker here is that the advertising is typically fed in from a larger advertising network which is distributed across thousands of sites.  Much like the stores with shared owners, these ad networks are collating your profile across many independently owned news sites.  The stores in can turn can pay for this information to better target your profile.

Are we still anonymous at this point?  Let’s say for the sake of argument that we are but that this anonymous profile has grown quite substantially and can be confidently linked together via your unique fingerprint.   Now, you’ve done your homework and you’ve found a great knockoff of that Kardashian dress and you’re ready to buy.  So, you create an account (or you don’t) and you put in your payment method, name, and shipping address.  At this point you are no longer anonymous to the site you are making a purchase from.  Along the way though, you left quite a trail with your unique fingerprint.  Each place that fingerprint was shared via common owners or ad networks has now potentially left an indelible profile of your online behavior.   All of this is now linked to your name and home address.

This is just one very common scenario through which you expose yourself daily on the web.  There are much more complex methods for uniquely identifying users.  Some banks even track biometric factors such as mouse movement and keystrokes for fraud prevention but these same techniques have also been used for more malicious purposes such as gathering insider trading information or compromising information about prominent individuals.

 

 

Grey Market Labs is a Public Benefit Corporation founded with the social mission of protecting life online for people and organizations. Focused on building the most comprehensive and realistic counter-exploitation platform for the enterprise, our software and hardware products are creating a future with privacy-as-a-service. Our Opaque platform delivers proactive internet protection from the moment of access to countering exploitation of digital interactions, behavior and activity. Bottom line, we prevent digital exploitation and stop the targeting of corporations, agencies and their employees online.

Contact us to see how we can work together.

May 15
6

The Socially Conscious Network

By | Data Privacy

Ginny!” said Mr. Weasley, flabbergasted. “Haven’t I taught you anything? What have I always told you? Never trust anything that can think for itself if you can’t see where it keeps its brain?

-Arthur Weasley, Harry Potter

Any sufficiently advanced technology is indistinguishable from magic

-Isaac Asimov

Arthur Weasley from Harry Potter, being a wizard and having magic to rely on, didn’t need modern technologies like phones or cars. However, given his job in the department of Misuse of Muggle Artefacts Office at the Ministry of Magic he learned about how muggles (non-magic folks) created technologies to solve the issues which previously had only been solved by magic.

Today’s technologies, like cell phones, work almost like magic. They can provide us with the world’s knowledge in seconds or allow us to talk face to face with anyone in the world. They can get us almost anywhere in the world in less than a day. In a sense, without further investigation, they work like magic. If we think of magic as a basic law or force of nature then there is no intermediary step. It just works like gravity just works. But the reality is far more complicated when we think of something like a car where the basic forces of thermodynamics, friction, and combustion are harnessed to create a vehicle which can travel great distances through simple controls.

We know a car doesn’t think, at least not yet, but they are getting smarter and simply pressing on the gas pedal is no longer “driving by wire” where the input clearly leads to an expected output. Modern cars have antilock brakes which modify the pressure applied to slow down a car despite how hard the brake is pressed. This is handled by algorithms and calculations being computed by a processor within the car. In effect, a simple brain within the car. Still, such behavior is relatively easy enough to understand. There is still a defined cause and effect. Pressing the brake still slows you down but now it is done more effectively to reduce the risk of the brakes locking and the tires skidding.

Now, let’s move on from our car metaphor and look at something much more amorphous like a website such as Facebook. I think to many of the billions of users Facebook seems like a much simpler concept than a car. I’m sure some people have more confidence that they could build Facebook before they could ever build a car. Facebook was a simple website to connect people and share information that was originally invented by a college student. Since then, Facebook has grown and evolved into something much, much bigger than one college student could ever have imagined. In a sense, it has taken on a life of its own.

For the average user, you click a few buttons, download an app or go to a website and enter your personal information. From there, you can “privately” share your thoughts and communicate with your “friends”. Almost like magic, you can connect to any of the billions of users who would also like to connect with you.  But Facebook is not magic; It is technology. A far more advanced technology than the basic car that Henry Ford first mass produced. Unlike a physical car where the user had full and exclusive access to see all the internal workings should he or she choose, a user of an information technology like Facebook does not.

Why is this? Because we cannot see where Facebook keeps its brain. With vast processing power sitting on secured, proprietary servers, Facebook is more like a free taxi from a “friend” whom we don’t know very well. Imagine, this friend keeps a video camera in his car and records your every move. He assures you that it is just to serve you better and for your safety but you have to trust him that this is true. Since this is your “friend”, someone you’ve established a trusted relationship with, you agree to these recordings which you are assured are only to better help you. Or maybe he doesn’t even tell you if he is recording. You notice a camera but you trust that if he is recording then he is recording for his own benefit or protection and would never use it for any nefarious purpose.  Extend this scenario to Facebook or Uber and you might see where this is going. They are no longer just recording your every move, they are making decisions to “better serve you”. Your lips look chapped as you dryly swallow?  How about a bottle of water for $1. Thanks! I was parched. This is great that you are keeping such a close eye on me to better meet my needs.

Unlike an attentive, close friend, corporations like Facebook are not your friends.  Your friends are hopefully focused on your well-being. Also, unlike your friends, they will remember every time you ever “poked” someone. A good friend will forgive and forget.   You know your friend. You know her brain is in her head. You trust her. You don’t know Facebook. You don’t know where it keeps its brain or what it thinks or who it shares its brain with. In minutes an analytics company can pay a hefty sum to find out your most intimate details you shared with Facebook. A true friend would never do this and say it was for your best interests.

Sites like Facebook and LinkedIn offer at their core a simple service but benefit greatly from something called the network effect. But why did we ever invite them in to listen to our every conversation? Was it trust, ignorance, or just convenience? There was a user agreement when we signed up and probably never read but we had to accept it to use the service. Just standard legal stuff right?  Most services clearly state that they have the right to use your data in any way they want? If you’re not worried then you haven’t imagined the possibilities. Remember, if a service is free and the company doesn’t sell anything to you then you are the product and the company is selling you. There is no free lunch in this world unless your bubby takes you to Denny’s for the senior special.

So, it’s hopeless and this is just the cost of doing business, right?  Wrong, there is a solution. A new social contract must be created. A socially conscious terms of service that’s puts the user’s interests first. One that balances the user’s privacy with the needs for advanced technological services. One that respects our humanity and remembers what is most important. A contract that gives you the same level of trust as that of a friend.  And with that contract the technological know-how to actually back it up.  A contract is step one.  This is a fair and balanced terms of service that protects the user’s interests.  Competence is step two.  We all have friends we trust to keep our secrets but not necessarily to deliver an important letter on time.  You need a company that can protect your data, maintain good records and securely use that information to assist you.  Transparency is step three. You need to see where the brains are kept and how decision are made. The process should be clear and auditable.

Grey Market Labs is focused on these goals. We realize this social contract is a paradigm shift the world needs now. The technological age does not mean the end of privacy. As lofty as it may sound democracy depends on privacy, privacy with accountability. We cannot rely on government regulation alone to drive these changes forward.   We also cannot rely on other corporations whose business it is to sell your data.

 

 

Grey Market Labs is a Public Benefit Corporation founded with the social mission of protecting life online for people and organizations. Our software and hardware products are creating a future with privacy-as-a-service, delivering proactive internet protection from the moment of access to countering exploitation of behavior and activity online.

Contact us to see how we can work together.