Category

Data Privacy

The Glass House

By | Data Privacy | No Comments

—“There is no security without privacy”

 

April 2020. Globally, everyone who can is working from home. This is a break in history, we are never going back. Old standards of time in the office have been forcefully shattered.

In the news, people are concerned about increased cyber attacks and are right to do so. A recent article in Harvard Business Review gives good advice for what to do when working remotely. We are told to remind people that confidential information is still confidential even though they aren’t in the office and we rely on a belief that humans won’t make a mistake.

And that’s where we stop. Is this the moment when the world wakes up to realize we live in a Glass House? That for years, whether working in the office, at home or at Starbucks, we’ve been surveilled, tracked and catalogued and now that problem is exponentially worse? That our organizations continue to be breached not because our security is failing us but that our lack of privacy is. Even today, our vulnerabilities, our research, the next innovation, our weaknesses are visible. The walls that cyber security had created are transparent. The activities we take online, whether through our Starbucks app or through our trusted browser for work are immediately gathered and instantly analyzed. There is a $30b market driven just by how many links can be made between countless pieces of internet traffic. Your internet provider gets it and sells it, the plumbing of the internet gets it and sells it, and clearly social media gets it and sells it.

 

So… is all lost?

 

No, the internet is and can be a force for good. The internet can be the conduit for information that crosses socio-economic levels, it can be the tool that allows many to achieve and thrive. We need to take action to change the playing field:

– Encourage and reward new business structures. Beyond non-profits or charities, Public Benefit Corporations or B-Corps showcase the ability to achieve a social good while being profitable and embed and increased level of trust for customers.

– Innovate new revenue or success models. Allow consumers (or organizations) to decide what information to share. What is the minimum needed to have beneficial transactions and how can you revoke data access on demand, even after sharing? GDPR and CCPA are great vehicles for class action but the average American cannot enforce the “right to be forgotten” when hundreds of brokers receive our data daily. We can allow control and sharing of data and streamline the process to make it easy for general public. We can also allow consumers to receive compensation for the use of their data and evolving the “freemium” online apps.

– Create a new compact between employees and companies. Recognize the link between individual privacy and corporate security. Enable enterprise protections that make the walls of the Glass House opaque or at least provide some intelligent filters. This level of control is critical achieving Zero Trust.

If we do this, the freedom and explosion in productivity we will have discovered from remote working won’t die because of a pandemic of cyber attacks. It will thrive because we recognized the opportunity of this moment and took the steps to protect it.

 

 


 

Grey Market Labs is a Public Benefit Corporation founded with the social mission to protect life online for people and organizations. Our software and hardware products are creating a future with privacy-as-a-service, delivering proactive internet protection from the moment of access to countering exploitation of digital behavior and activity. Simply: we prevent data from being compromised, establish trust between users and protect our customers work, online.

Contact us to see how we can work together.

Security Considerations for Enterprise Remote Access

By | Data Privacy, Data Protection, Information Security | No Comments

Remote-access technologies are top-of-mind for most IT professionals now, and remote work is a trend which is likely here to stay for the long term. If you’re looking to update your organization’s security policy, NIST has recently published an excellent bulletin outlining some of the unique security challenges posed by remote work.

NIST categorizes remote-access technologies into four main categories: Tunneling, Portals, Direct Application Access, and Remote Desktop Access.  With the rise of BYOD (bring your own device) policies and cloud-based applications, it has become common for organizations to employ multiple solutions for remote access, each with their own unique security considerations.   Regardless of which remote-access technologies your organization is using, it is important to continually ensure each is being used in a way that protects data from compromise.

The NIST bulletin highlights a few important points:

  • Organizations should assume that devices used for remote work will be compromised. Make sure that sensitive data is encrypted, or better yet, implement solutions that don’t store any sensitive data on client devices.
  • Devices used in external environments are under greater risk for compromise than devices in enterprise environments, so tighter security controls are advisable. Security controls can also vary widely by device, so you may need to give more specific security guidance for BYOD devices used for remote work.
  • Each additional form of remote access that is exposed increases the risk of compromise. This can be mitigated by implementing tiers of access for different client devices, and by situating remote access servers so they serve as a single point of entry.

Grey Market Labs is a Public Benefit Corporation with the mission to “protect life online”. Our Advisory services can help you navigate the conflicting and overwhelming enterprise privacy and data protection guidance. Our products provide cost-effective and comprehensive privacy-as-a-service, delivering proactive internet protection for remote work and distributed teams. Simply: we prevent data from being compromised, establish trust between users and protect our customers work, online. CONTACT US to see how we can solve some hard problems together.

The Risks with Increased Use of Virtual Environments

By | Data Privacy | No Comments

On Wednesday, the FBI released a PSA (I-040120-PSA) on threats associated with the increased use of virtual environments (https://www.ic3.gov/media/2020/200401.aspx). With the massive increase in remote and telework, the attack surface (i.e. the available prey for hackers hunting online) has massively increased. The term “shooting fish in a barrel” is very relevant and likely underestimates the risk to businesses and governments. A few things stand out:

  1. Terms of Service – read them! As the recent Zoom issues highlighted, free software is not free. If you or your organization aren’t paying a license fee, then you and your data are how those companies are making their money. The data sharing economy has made this freemium model ubiquitous. As a leader in your organization, make sure your security, IT and/or risk leaders have read the terms of service for each product in use – you will be surprised how many tools claim ownership of your corporate data. Choose ones that prioritize protection of their customers and their data.
  2. Immature Security – while online collaboration tools have security features, most weren’t designed to protect against sophisticated Chinese or Russian attacks. With the rapid increase in the use of tools like Zoom, they have become a lucrative target for nation-state hackers. Look for tools that have supported Federal Government customers, especially the DoD, as they have usually gone through strict vetting procedures.
  3. Limited or Shared Resources – to keep costs low or to rapidly grow capacity, organizations regularly purchase refurbished equipment, allow Bring Your Own Device (BYOD) or, in cloud computing, share resources with other companies. In both scenarios, you are opening your company to threats from poorly maintained or recycled equipment, or from data leakage with poorly designed collaboration tools. Focus on systems that allow single tenancy (one organization per installation), comprehensive isolation (beyond browsers and applications) and leverage virtual desktop interfacing (VDI) or similar as they can mitigate the issues of poorly refurbished or employee provided computers.

Finally, many of the suggestions in the FBI letter rely on your employees and system users to be vigilant for recognizing scams and suspicious online activity. The more platforms and technology can automate these best practices, the more proactive our defenses will become and the less we will have to worry about human error.

As a Public Benefit Corporation, Grey Market Labs was created to help protect life online. If you are concerned about Data Privacy and Employee Protection (especially for your most sensitive work), please reach to us directly: info@greymarketlabs.com. We can guide you through these privacy and cybersecurity challenges and, if our products are not the best fit, recommend one of our vetted partners to best meet your needs.

Not-so-Private Browsing Mode

By | Data Privacy, Data Protection | No Comments

Have you ever used a “private” browsing window before?  You might know it as “Incognito Mode” in Chrome, “InPrivate” in Edge, or “Private Browsing Mode” in Safari & Firefox.  These private modes may do little more than tell the browser to forget what you did once you close the window.  Search history, pages visited, and what you typed in will be deleted when the browser closes.  However, there are many misconceptions about what private means.  A scientific study conducted on the Misconceptions About Private Browsing Mode found that most users grossly overestimate the protections provided by private browsing modes.   A very important aspect to recognize is that these private browsing modes are concerned about privacy within the scope of the device you are using.  For example, users sharing a laptop may want to use a private browsing mode to conceal login credentials and browsing history from other users of the device.  Information sent over the internet, however, is subject to the same scrutiny as any other traffic sent in regular browsing mode and can be tracked.   So that means, your search history that’s not stored by the browser can still be stored and saved by your search provider, e.g. Google, and traced back to you using more advanced fingerprinting techniques which a private browser does not prevent.

The study found that the wording of the various private browsing disclosures by the major browsers led to many misconceptions and overestimation of the level of privacy actually provided.  The paper’s introduction highlights such misconceptions: “This overestimation reaches far; Eric Schmidt, former CEO of Google, once stated, ‘If you’re concerned, for whatever reason, you do not wish to be tracked by federal and state authorities, my strong recommendation is to use incognito mode, and that’s what people do.'”  This statement by Schmidt, falsely implies that incognito mode provides more protections than it actually does.  Assuming the intent was not to mislead then that means even the CEO of Google at that time had grossly overestimated the protections provided by private browsing.

Since even the CEO of one of the biggest companies in the world has misconceptions about the protections provided by one of his company’s most popular pieces of software, we thought we’d put together a list to help you.  Below, we’ve provided a few of the key items that the average private browsing window does and does not protect you from:

Private Browsing does NOT:

  1. Prevent websites from tracking you
  2. Prevent malware and viruses
  3. Hide the websites you visit
  4. Hide your location
  5. Hide your downloads
  6. Block Ads

Private Browsing does:

  1. Prevent your web activity being saved locally by the browser
  2. Prevent most data that is usually saved in non-private browsing sessions from being exposed
  3. Share data between other private browsing tabs during a session
  4. Make you feel safer without providing the level of protection you need to be anonymous

Uses for Private Browsing:

  1. On a shared computer with other users such as a family computer or in a library.
  2. To avoid leaving a trace of past activity on any computer.
  3. To log into the same site with a second account.
  4. To test how a site looks to a new user.

 


 

Grey Market Labs is a Public Benefit Corporation founded with the social mission to protect life online for people and organizations. Our software and hardware products are creating a future with privacy-as-a-service, delivering proactive internet protection from the moment of access to countering exploitation of digital behavior and activity. Simply: we prevent data from being compromised, establish trust between users and protect our customers work, online.

Contact us to see how we can work together.

DNS: Tracking mitigation upended

By | Data Privacy | No Comments

DNS ad-based tracking gets a boost

On 11/22/2019, the co-founder of NextDNS posted an article (https://medium.com/nextdns/cname-cloaking-the-dangerous-disguise-of-third-party-trackers-195205dc522a) addressing 3rd-party tracking capabilities with DNS. If you haven’t read it yet, it’s worth a read to see how far-ranging the technical challenges are. At Grey Market Labs we’re acutely aware of tracking techniques that range from simple to complex to downright scary, so this technique wasn’t a surprise. Instead it just was another step towards a future where tracking mitigation is impractical for all but the most sophisticated users.

Some DNS history and how we got here…

DNS began in the 80s when everyone on the internet more or less trusted everyone else, at least when it came to allowing computers to talk to each other. That trust was fine when the set of computers was small and trust was a reasonable expectation. There was even a single group responsible for allowing new computers and domains to connect and they manually maintained a master list. By the late 80s there were many more computers connecting to this new internet and the management overhead was untenable. Simplifying a bit, an automated system was built that allowed computers to be dynamically added to networks using the existing DNS strategy.

For a while this also worked quite well and solved the scale problem. Unfortunately, it didn’t solve the trust problem — after all, who is allowed to update this list? If anyone can update the list of computer “addresses” then anyone can change their addresses. Imagine if the phone book caused reality instead of representing reality… If the phone company misprinted your phone number in the phone book, just like that, it’s your new number. If they misprinted your street address you had to move, sorry. If they left off your phone number, you no longer have one. That’s the strength of DNS when it comes to finding computers. One can only imagine a business bribing the phone book printer to leave off a particular company or to misprint their address. I’m sure that never happened though. DNS has that ability, and there were lots of compromises that follow that analogy.

On the subject of the phone company…

Ever wonder why with caller ID on your phone, a caller is able to misrepresent who they were? Fake FBI scams have caller ID reporting “Federal Bureau of Investigations”, social security number scammers show up as “Social Security Administration”, etc. It turns out that phone companies, when they built the networks MANY years ago, they also relied on trust that was reasonable to expect then, but is not reasonable to expect now. They have made progress here but it’s yet another example of existing systems that fail (or refuse?) to evolve and are ultimately exploited.

So what exactly was Grey Market Labs expecting here?

That “single step towards a future that we believe will prevent many tracking mitigations” was the use of CNAMEs to disguise the ultimate target of a DNS request. Most DNS ad blockers (and some that are designed purposefully to prevent tracking independent of advertisements) use a blacklisting or whitelisting technique. This means that bad sites (advertisers) are blocked and good sites (the people using the advertisers but aren’t running their own ads, such as such as a news site) are allowed. Once a CNAME is set correctly, the ads appear to come directly from the news site so blocking it will prevent access to the news site itself. And it turns out big sites are actually using this already (snippet from Medium article):

foxnews.com, walmart.com, bbc.co.uk, go.com, webmd.com, washingtonpost.com, weather.com, coach.com, gap.com,  cnn.com,  arstechnica.com, saksfifthavenue.com, t-mobile.com, statefarm.com

Ultimately, if traditional DNS blockers come up with a way around the problem that NextDNS mentioned, that’s great! It really is a solution that’s mostly dealt with at the DNS layer. But tracking and advertising companies have more steps lined up to enable these news sites (any site really) to win the tracking game. One such step is by using a proxy. By adding a proxy the traffic can be made to appear to originate from our example news site directly, which will prevent DNS-related blocking (and CNAME cloaking mitigation) from working. Try not to forget that the primary reason companies continue to push the boundaries of ad-tech is to make money.

Fortunately, our Opaque line of products is already capable of dealing with this, and many other innumerable challenges, in a future-resilient way. The best part is, administrators/gurus/users don’t have to bother with changing DNS providers, updating configurations, or applying security patches–that’s all our job.

So, which advertiser/tracking database is your activity stored in? When is the last time you saw a meaningful (or any) report about your DNS usage?

 


 

Grey Market Labs is a Public Benefit Corporation founded with the social mission to protect life online for people and organizations. Our software and hardware products are creating a future with privacy-as-a-service, delivering proactive internet protection from the moment of access to countering exploitation of digital behavior and activity. Simply: we prevent data from being compromised, establish trust between users and protect our customers work, online.

Contact us to see how we can work together.

Cyber Liability Insurance: Part of a comprehensive security plan

By | Data Privacy, Information Security, Risk and Liability | No Comments

It seems like every day there is a new story about a data breach and how millions of sensitive user records have been exposed.  The financial and healthcare industries are two of the biggest targets with some of the most sensitive data about people’s daily lives.  Theft and exposure of this data can open up these institutions to huge financial losses in the form of lawsuits and lost business.  Companies need ways to prevent and mitigate these potential losses.  Well-designed security protocols and software can prevent many of the data breaches that happen daily.  There will always be some risk of a breach but the use of best practices and strong security software reduces the number of attack vectors and thus significantly diminishes the risk.

Knowing that there always remains the risk of a breach, the question every company should be asking is: Should Your Business Get Cyber Liability Insurance?  As the CEO of LowCards.com (a free consumer resource website covering the credit card industry) points out, “many businesses are now turning to cyber liability insurance to minimize their risk of loss.”  Bill Hardekopf provides a great 101 on Cyber Liability Insurance and why you should consider it.  An important takeaway from the article is that “The insurance provider will evaluate policies, software and hardware to check for potential areas of weakness.”  The provider may even set a minimum standard for obtaining insurance or charge higher premiums for companies with weaker practices and software. Even if the standards aren’t there today, they will be emerging, and they will begin to affect rates and overall liability of a data compromise or a breach.

A good analogy to cyber liability insurance is property insurance, something every business should have.  Basic safety measures like fire extinguishers and smoke detectors are often minimum standards for even obtaining property insurance.  More advanced features like a security alarm system result in discounts on the premium paid for insurance.  In the same way with cyber liability insurance, installing anti-virus software or an advanced counter-exploitation platform could be considered a minimum standard or result in reduced premiums.

Given the importance of preventing a data breach most companies already implement counter measures.  However, given the likelihood a business will be the target of a successful data breach, companies should also consider adding cyber liability insurance.   Having a comprehensive plan for prevention and mitigation will help a company weather any storm that confronts them.

 


 

Grey Market Labs is a Public Benefit Corporation founded with the social mission to protect life online for people and organizations. Our software and hardware products are creating a future with privacy-as-a-service, delivering proactive internet protection from the moment of access to countering exploitation of digital behavior and activity. Simply: we prevent data from being compromised, establish trust between users and protect our customers work, online

Contact us to see how we can work together.

Is your VPN doing everything it promises to protect your privacy?

By | Data Privacy | No Comments

Commercial VPN services have recently gained widespread popularity and many present themselves as a solution for online privacy.  Some of them even claim to enable anonymous internet browsing. However, as pointed out in a recent Forbes article, Too Many VPNs Put Our Privacy And Security At Risk, the current VPN market is more of a minefield than an utopia.   Numerous VPN services been found to have significant security flaws, and some have been found to be downright malicious – they could potentially be exploiting your data rather than protecting it. While this is concerning on its own, it also highlights a need to better understand how a VPN fits in with a holistic approach to internet privacy.

Commercial VPNs create an encrypted “tunnel” for your web traffic between two points, your computer and your VPN provider.  If properly configured, anyone eavesdropping on that connection would only see that you were connected to a VPN; they wouldn’t be able to see your requests to individual websites.  This is valuable protection, especially if you are concerned about the trustworthiness of a Wi-Fi hotspot or ISP.   But because that tunnel sends all your traffic through the VPN provider, it’s of utmost importance that you use a trustworthy provider with a business model that aligns with your best interests.

However, even the best VPN is only a tool that can protect part of your digital footprint across the internet.  Potential privacy compromises are still possible at points before or after the VPN.

While it is often claimed that VPNs enable ‘anonymous’ surfing by obscuring your IP address, this is only successful in defeating the most rudimentary of tracking attempts.  Routine browsing activity generates a huge amount of metadata that can be used to uniquely identify and track users without relying on an IP address.  Techniques like browser fingerprinting, network traffic analysis, and even browser cookies can leverage this metadata to track users’ activity through a VPN.

A holistic approach to privacy also goes beyond protecting users’ browsing activity; it also includes the privacy and security of data already on your systems.  Any computer browsing the open internet, whether behind a VPN or not, is a potential vector for data compromise through malware, phishing, targeted attacks, or unintentional disclosure. A VPN can be a valuable tool for protecting your privacy, but it is far from a comprehensive solution.

 


 

Grey Market Labs is a Public Benefit Corporation founded with the social mission to protect life online for people and organizations. Our software and hardware products are creating a future with privacy-as-a-service, delivering proactive internet protection from the moment of access to countering exploitation of digital behavior and activity. Simply: we prevent data from being compromised, establish trust between users and protect our customers work, online

Contact us to see how we can work together.

The Socially Conscious Network

By | Data Privacy | No Comments

Ginny!” said Mr. Weasley, flabbergasted. “Haven’t I taught you anything? What have I always told you? Never trust anything that can think for itself if you can’t see where it keeps its brain?

-Arthur Weasley, Harry Potter

Any sufficiently advanced technology is indistinguishable from magic

-Isaac Asimov

Arthur Weasley from Harry Potter, being a wizard and having magic to rely on, didn’t need modern technologies like phones or cars. However, given his job in the department of Misuse of Muggle Artefacts Office at the Ministry of Magic he learned about how muggles (non-magic folks) created technologies to solve the issues which previously had only been solved by magic.

Today’s technologies, like cell phones, work almost like magic. They can provide us with the world’s knowledge in seconds or allow us to talk face to face with anyone in the world. They can get us almost anywhere in the world in less than a day. In a sense, without further investigation, they work like magic. If we think of magic as a basic law or force of nature then there is no intermediary step. It just works like gravity just works. But the reality is far more complicated when we think of something like a car where the basic forces of thermodynamics, friction, and combustion are harnessed to create a vehicle which can travel great distances through simple controls.

We know a car doesn’t think, at least not yet, but they are getting smarter and simply pressing on the gas pedal is no longer “driving by wire” where the input clearly leads to an expected output. Modern cars have antilock brakes which modify the pressure applied to slow down a car despite how hard the brake is pressed. This is handled by algorithms and calculations being computed by a processor within the car. In effect, a simple brain within the car. Still, such behavior is relatively easy enough to understand. There is still a defined cause and effect. Pressing the brake still slows you down but now it is done more effectively to reduce the risk of the brakes locking and the tires skidding.

Now, let’s move on from our car metaphor and look at something much more amorphous like a website such as Facebook. I think to many of the billions of users Facebook seems like a much simpler concept than a car. I’m sure some people have more confidence that they could build Facebook before they could ever build a car. Facebook was a simple website to connect people and share information that was originally invented by a college student. Since then, Facebook has grown and evolved into something much, much bigger than one college student could ever have imagined. In a sense, it has taken on a life of its own.

For the average user, you click a few buttons, download an app or go to a website and enter your personal information. From there, you can “privately” share your thoughts and communicate with your “friends”. Almost like magic, you can connect to any of the billions of users who would also like to connect with you.  But Facebook is not magic; It is technology. A far more advanced technology than the basic car that Henry Ford first mass produced. Unlike a physical car where the user had full and exclusive access to see all the internal workings should he or she choose, a user of an information technology like Facebook does not.

Why is this? Because we cannot see where Facebook keeps its brain. With vast processing power sitting on secured, proprietary servers, Facebook is more like a free taxi from a “friend” whom we don’t know very well. Imagine, this friend keeps a video camera in his car and records your every move. He assures you that it is just to serve you better and for your safety but you have to trust him that this is true. Since this is your “friend”, someone you’ve established a trusted relationship with, you agree to these recordings which you are assured are only to better help you. Or maybe he doesn’t even tell you if he is recording. You notice a camera but you trust that if he is recording then he is recording for his own benefit or protection and would never use it for any nefarious purpose.  Extend this scenario to Facebook or Uber and you might see where this is going. They are no longer just recording your every move, they are making decisions to “better serve you”. Your lips look chapped as you dryly swallow?  How about a bottle of water for $1. Thanks! I was parched. This is great that you are keeping such a close eye on me to better meet my needs.

Unlike an attentive, close friend, corporations like Facebook are not your friends.  Your friends are hopefully focused on your well-being. Also, unlike your friends, they will remember every time you ever “poked” someone. A good friend will forgive and forget.   You know your friend. You know her brain is in her head. You trust her. You don’t know Facebook. You don’t know where it keeps its brain or what it thinks or who it shares its brain with. In minutes an analytics company can pay a hefty sum to find out your most intimate details you shared with Facebook. A true friend would never do this and say it was for your best interests.

Sites like Facebook and LinkedIn offer at their core a simple service but benefit greatly from something called the network effect. But why did we ever invite them in to listen to our every conversation? Was it trust, ignorance, or just convenience? There was a user agreement when we signed up and probably never read but we had to accept it to use the service. Just standard legal stuff right?  Most services clearly state that they have the right to use your data in any way they want? If you’re not worried then you haven’t imagined the possibilities. Remember, if a service is free and the company doesn’t sell anything to you then you are the product and the company is selling you. There is no free lunch in this world unless your bubby takes you to Denny’s for the senior special.

So, it’s hopeless and this is just the cost of doing business, right?  Wrong, there is a solution. A new social contract must be created. A socially conscious terms of service that’s puts the user’s interests first. One that balances the user’s privacy with the needs for advanced technological services. One that respects our humanity and remembers what is most important. A contract that gives you the same level of trust as that of a friend.  And with that contract the technological know-how to actually back it up.  A contract is step one.  This is a fair and balanced terms of service that protects the user’s interests.  Competence is step two.  We all have friends we trust to keep our secrets but not necessarily to deliver an important letter on time.  You need a company that can protect your data, maintain good records and securely use that information to assist you.  Transparency is step three. You need to see where the brains are kept and how decision are made. The process should be clear and auditable.

Grey Market Labs is focused on these goals. We realize this social contract is a paradigm shift the world needs now. The technological age does not mean the end of privacy. As lofty as it may sound democracy depends on privacy, privacy with accountability. We cannot rely on government regulation alone to drive these changes forward.   We also cannot rely on other corporations whose business it is to sell your data.

 


 

Grey Market Labs is a Public Benefit Corporation founded with the social mission of protecting life online for people and organizations. Our software and hardware products are creating a future with privacy-as-a-service, delivering proactive internet protection from the moment of access to countering exploitation of behavior and activity online.

Contact us to see how we can work together.