Big Data security and privacy risk podcast

October 1, 2013

I recently participated in a podcast sponsored by Edward Haletky at The Virtualization Practice.

My co-panelists (Edward, Iben Rodriguez @iben, Mike Foley @mikefoley) and I discussed many aspects of the inherent security and privacy risks that enterprises and the general public alike are encountering with Big Data. You can find a recording of the podcast here.

10 simple things you can do to strengthen your online privacy

June 13, 2013

It’s been a very disheartening couple of weeks for people concerned with protecting personal information. From the US Supreme Court’s ruling about routine DNA collection to the ongoing revelations about the NSA Prism program, it’s easy to feel helpless in the face of such massive data collection. And while the amount of surveillance – from governments, corporations, and even nosy individuals – is likely to increase, there are a few basic things you can do to help safeguard your data from others.

  1. Reduce your activity on social networks. Did you know that banks routinely check out your Facebook profile? And now the IRS has joined the party.
  2. Encrypt important files. TrueCrypt is an excellent choice for this essential task.
  3. Use a secure search engine. Google is very clear about how it stores your search history. If this bothers you, take a look at DuckDuckGo and ixquick.
  4. Use a more secure browser. Chrome is a good choice, but there are additional offerings out there. You can expect this market to heat up in the wake of all these snooping disclosures.
  5. Clear your browser cookies regularly. A site can only read the cookies it set itself, but the ad networks and trackers embedded in many sites use their own cookies to tie your visits together across all of those sites.
  6. Use Tor or a VPN. Both hide your traffic from anyone watching your local network and hide your IP address from the sites you visit. Keep in mind that a VPN simply moves that visibility to the VPN provider, so choose one you trust. Tor is easy to set up and use, too.
  7. Create multiple email addresses. There’s no reason to route everything through a single address. Instead, consider setting up different accounts at various providers.
  8. Put your phone in airplane mode when you’re not using it. Your phone constantly transmits details about your location back to your service provider. If you’re not actively using it, why broadcast that information?
  9. Pay cash. Do you really need to charge that burger?
  10. Be stingy with what you share. It may sound anachronistic in this age of updating Facebook with every trivial aspect of life, but consider simply entering less data about yourself online. For example, there’s no reason for you to provide an e-commerce site with your home, work, and mobile phone numbers.

I’ll be adding more tips to the list, so if this topic interests you be sure to check back here from time to time or follow me on Twitter at @RD_Schneider.

Data never really disappears, particularly when it’s supposed to

May 9, 2013

If you have a teenage son or daughter, you may be familiar with an app called ‘Snapchat’. Its claim to fame – that is, until earlier today – is that it deletes all messages (text, photo, or otherwise) within a few seconds, thus keeping sensitive information safe from the prying eyes of parents, police, marketers, and all sorts of other nefarious characters.

But lo and behold, as it turns out, Snapchat actually doesn’t delete the data after all. Instead, it’s simply moved to a hidden directory, where with proper time and tooling, it can be recovered. You can read all about it here.

Whether or not you’re prone to sharing too much information, the takeaway from this little debacle is that data never really goes away, especially once a smartphone gets involved – not to mention the cloud. Keep that in mind the next time you’re tempted to use technology to record, say, or write something that you don’t want anyone else to see or hear. 

Speaking about enhanced security capabilities for Hadoop

February 11, 2013

I’m looking forward to my speaking engagement at the Conference on Big Data Security this July in Boston. I’ll be talking about how to keep your Hadoop environment safe and secure. In particular, I’ll be discussing:

  • The key diverse technologies contained within a typical Hadoop environment
  • Current and trending security risks characteristic of Hadoop implementations
  • Setting and attaining realistic goals
  • Contrasting open-source vs. proprietary Hadoop security tools
  • Protecting your Hadoop landscape through controlled access
  • Inherent differences between safeguarding data at rest and defending data in motion

I hope you can join me there – it should be a very interesting conference.

Two recent examples of international suspicion of U.S. cloud computing providers

December 11, 2012

I’m fortunate to attend and speak at many cloud computing and Big Data events all around the world. I also work with large global corporations and governments to help design and deploy these types of environments. I really enjoy getting to meet such a diverse array of people.

Whenever I give a talk about the potential for cloud computing, I notice – without fail – one common thread among all of these audiences: vast misgivings about cloud computing solutions provided by American corporations. The perception is that the U.S. government will – as a matter of course – intercept, amass, and analyze all transactions, stored information, and network traffic for these cloud environments. Even if routine analysis isn’t being performed, these audiences figure that it only takes a phone call from a U.S. government representative for these cloud providers to “open the kimono”, without telling the customer of course. We’ve already seen examples of these back doors – consider how AT&T opened their network to comprehensive and clandestine monitoring by the NSA.

The people who share these concerns with me aren’t drug kingpins, terrorists, or Washington lobbyists. They’re executives and technology leaders at very reputable global powerhouses that are operating under strict fiduciary and regulatory guidelines. I know for a fact that these reservations – particularly of the PATRIOT Act – are costing American businesses money.

Many people have told me that they go out of their way to store their data in non-U.S. cloud providers, and that they don’t even trust an American cloud provider that’s storing data in Europe or Asia.

Two stories in the news recently highlight the international resistance to American-based cloud computing vendors. In the first case, the British government barred Amazon and Google from participating in the UK’s G-Cloud platform initiative. Service features, enterprise-readiness, and other factors appear to be behind this decision, but a major concern also appears to be

Many of these cloud services store initial data in Europe but then back it up to somewhere where the laws are different and you can’t do that

Coincidentally, a couple of days later we learned of a report that indicates that

U.S. legal state of affairs implies that the transition towards the cloud has important negative consequences for the possibility to manage information confidentiality, information security and the privacy of European end users in relation to foreign governments

At first glance, all of this may be perceived as simply an issue between the American government and the rest of the world. But dig a little deeper and you’ll soon realize that any government has the potential to snoop on information stored within or passing through its borders, or maintained by a firm under its jurisdiction.

Doubt me? How do you feel about hosting your most sensitive data on third party servers based in Shanghai? This problem will only become more prominent in coming years, as more applications and related data move to the cloud, and globalized technology providers try to meet this demand.

What’s the solution? That’s a topic for another time.

Facebook follows you into the drugstore

September 24, 2012

By now I think most people understand that everything they do or say on Facebook will be recorded. And I’ve already written about how banks are poking around your Facebook profile and activity. But there’s a new development underway that takes intrusive analytics to the next level: Facebook is now “partnering” with data aggregators such as Datalogix to link your offline purchases with your online profile.

Datalogix has purchasing data from about 70m American households largely drawn from loyalty cards and programmes at more than 1,000 retailers, including grocers and drug stores. By matching email addresses or other identifying information associated with those cards against emails or information used to establish Facebook accounts, Datalogix can track whether people bought a product in a store after seeing an ad on Facebook.

This is yet another reason to use a variety of different email addresses for your online and offline activities, and to only provide the bare minimum of requested information when registering for a site or offline program. While it’s not foolproof, it does help reduce the ease of the cross-system joins that are at the heart of many of these privacy-eroding analytic schemes.
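The cross-system join described above, as an added example that is not part of the original post and not code from Facebook or Datalogix: a retailer's loyalty roster is linked to a social network's account roster purely on the email address. The normalisation rules (case-folding, dropping a +tag, ignoring dots in a Gmail local part) and the use of a SHA-256 hash as the matching key are assumptions about how such a matching service might operate, and every record is constructed for this example. It shows why a plus-tagged alias of the same mailbox does not break the join, while a genuinely separate address does.

```python
import hashlib

# Constructed sample data: a retailer's loyalty-card roster and a social
# network's account roster. Neither is real; both are invented for this example.
LOYALTY_CARDS = [
    {"card": "LC-1001", "email": "Alice.Smith@Example.com", "bought": "allergy meds"},
    {"card": "LC-1002", "email": "bob+grocery@gmail.com",   "bought": "diapers"},
    {"card": "LC-1003", "email": "carol@fastmail.example",  "bought": "vitamins"},
]
SOCIAL_ACCOUNTS = [
    {"user": "alice_s", "email": "alice.smith@example.com"},
    {"user": "bob_j",   "email": "b.o.b@gmail.com"},
    {"user": "carol_w", "email": "carol.w@otherdomain.example"},
]


def normalize_email(addr):
    """Canonicalise an address the way a matching service plausibly would
    (assumed rules): case-fold, trim, drop a +tag, and for Gmail drop the
    dots in the local part, which Gmail itself ignores."""
    local, _, domain = addr.strip().lower().partition("@")
    local = local.split("+", 1)[0]
    if domain in ("gmail.com", "googlemail.com"):
        local = local.replace(".", "")
    return f"{local}@{domain}"


def match_key(addr):
    """Hashing the normalised address lets two parties compare rosters without
    handing each other plaintext addresses. It does nothing to prevent the
    join: equal inputs still give equal keys."""
    return hashlib.sha256(normalize_email(addr).encode()).hexdigest()


def link_purchases_to_accounts(cards, accounts):
    """Join loyalty purchases to social accounts on the hashed, normalised
    email. Returns (purchases per linked user, cards that could not be linked)."""
    index = {match_key(a["email"]): a["user"] for a in accounts}
    linked, unlinked = {}, []
    for card in cards:
        user = index.get(match_key(card["email"]))
        if user is None:
            unlinked.append(card["card"])
        else:
            linked.setdefault(user, []).append(card["bought"])
    return linked, unlinked


if __name__ == "__main__":
    linked, unlinked = link_purchases_to_accounts(LOYALTY_CARDS, SOCIAL_ACCOUNTS)
    for user, purchases in linked.items():
        print(f"{user}: {purchases}")          # alice_s and bob_j are linked
    print("not linked:", unlinked)             # carol used a separate address
```

Only Carol, who registered the loyalty card under an address unrelated to her social account, escapes the join. Alice is caught by simple case-folding and Bob by the +tag and dot rules, so a throwaway alias on the same mailbox buys nothing; a separate address at a separate provider does.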

Three free password strength web sites

September 14, 2012

As our data increasingly moves online, creating, managing, and using passwords is more important than ever before. Getting a password stolen – or cracked from a breached password database by an unauthorized third party – can be very painful. Things are much worse if your broken password unlocks lots of doors. For this reason, it’s extremely unwise to use the same password for different websites, since a breach at one site exposes you everywhere. With this in mind, it’s smarter to create distinct passwords for each web site, application, email service, and so on. However, given the proliferation of online resources, many people must manage dozens of different logins, and some have many more. For example, I maintain nearly 200 different passwords.

When it comes to setting up passwords, there’s a perception that a strong password is hard to create – and even more difficult to remember. This is why I use a third party password management tool. There are many on the market, but I like Callpod Keeper. It’s up to you to set a master password, but once you’ve done that Keeper will generate passwords for each site you visit. Another choice is to simply create your own passwords on a site-by-site basis and store them in Keeper.

Regardless of where and how you create your password, it’s natural to wonder how secure it is. Believe it or not, a brute-force attack will often take longer to break a long, easy-to-remember phrase than a short, unmemorable, cryptic password: every extra character multiplies the number of guesses the attacker must make, whereas swapping in symbols only enlarges the alphabet. The exception is a phrase assembled from a few very common words, which a dictionary attack will still find quickly. To help you gauge the relative strengths of your passwords, take a look at each of these helpful sites:

1. How Big is Your Haystack? This site is from Gibson Research, provider of many excellent networking and security utilities.

2. Dropbox’s zxcvbn password strength estimator. This utility was created as a companion piece to a really well written blog post. I like how this utility shows you a play-by-play of how a brute force attack might be launched against your password.

3. How Secure is My Password? Color-coding (red is bad, green is good) adds a nice visual effect that tells you how long it will take to break your password.

As you experiment with these sites, I recommend trying a variety of passwords and phrases. Don’t forget to throw in special characters, uppercase, numbers and so on.
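The two estimates the sites above are built on, as an added example that is not part of the original post and not code from Gibson Research or Dropbox: the exhaustive-search ("haystack") count, which treats every password as random, and the attacker-knows-the-scheme count, which is what a rule-based or dictionary cracker actually faces. The 1e10 guesses per second rate, the Diceware-style 7776-word list, and the five-entry leet substitution table are assumptions chosen for illustration; the sample passwords are constructed. It generalises the point of the post: "Pa$$w0rd" scores like a week of work under the haystack model but is one dictionary word plus a handful of rules, while a multi-word phrase is only as strong as the number of words times the size of the list they came from.

```python
import itertools
import string

# Character classes the "haystack" model counts. Drawing from more classes
# enlarges the alphabet; every extra character multiplies the search space.
CHAR_CLASSES = {
    "lower": string.ascii_lowercase,      # 26
    "upper": string.ascii_uppercase,      # 26
    "digit": string.digits,               # 10
    "symbol": string.punctuation + " ",   # 33
}


def alphabet_size(password):
    """Alphabet a blind exhaustive search must assume, given the classes
    actually present in the password (95 when all four are used)."""
    return sum(len(chars) for chars in CHAR_CLASSES.values()
               if any(c in chars for c in password))


def haystack_guesses(password):
    """Worst case for an exhaustive search that tries every string of length
    1..len(password) over the detected alphabet (the 'haystack' estimate)."""
    a = alphabet_size(password)
    return sum(a ** n for n in range(1, len(password) + 1))


def wordlist_guesses(words, wordlist_size):
    """If the attacker knows the password is `words` words drawn from a list
    of `wordlist_size` entries, only wordlist_size ** words guesses remain."""
    return wordlist_size ** words


# A tiny leet-speak rule set of the kind a rule-based cracker applies to every
# word in its dictionary (constructed for this example, not a real ruleset).
LEET = {"a": "@", "s": "$", "o": "0", "e": "3", "i": "1"}


def mangled_candidates(base_word):
    """All strings one rule set derives from a single dictionary word: every
    combination of the substitutions above, each with and without an initial
    capital. A cracker tries these long before any exhaustive search begins."""
    options = [(c, LEET[c]) if c in LEET else (c,) for c in base_word]
    candidates = set()
    for combo in itertools.product(*options):
        s = "".join(combo)
        candidates.add(s)
        candidates.add(s[0].upper() + s[1:])
    return candidates


def seconds_to_crack(guesses, guesses_per_second):
    """Worst-case time; the expected time is about half of this."""
    return guesses / guesses_per_second


def report(password, guesses_per_second=1e10):
    """Print the haystack estimate. 1e10 guesses/s is an assumed rate for a
    GPU rig against a fast unsalted hash; a slow KDF such as bcrypt or
    scrypt cuts it by several orders of magnitude."""
    exhaustive = haystack_guesses(password)
    days = seconds_to_crack(exhaustive, guesses_per_second) / 86400
    print(f"{password!r}: alphabet {alphabet_size(password)}, "
          f"exhaustive search {exhaustive:.3e} guesses, {days:.1f} days")


if __name__ == "__main__":
    report("Pa$$w0rd")                        # haystack says about a week...
    rules = mangled_candidates("password")    # ...but it is 'password' plus rules
    print(f"'Pa$$w0rd' is one of {len(rules)} mangled forms of 'password':",
          "Pa$$w0rd" in rules)
    report("correct horse battery staple")   # haystack: astronomically large
    four_words = wordlist_guesses(4, 7776)    # attacker knows: 4 Diceware words
    days = seconds_to_crack(four_words, 1e10) / 86400
    print(f"4 words from a 7776-word list: {four_words:.3e} guesses, {days:.1f} days")
```

Read the two passphrase numbers together: the haystack model makes the four-word phrase look unbreakable, but an attacker who assumes "a few words from a standard list" needs only about 3.7e15 guesses, roughly the same as the eight-character "Pa$$w0rd" scores under the haystack model. Adding a fifth word multiplies that by 7776 again, which is why length in words, not symbol decoration, is what a passphrase should be judged on.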

Now Facebook is data mining your messages for political sentiment

January 14, 2012

Here’s yet another example of the illusion of privacy when using social media:

Facebook has cut a deal with political website Politico that allows the independent site machine-access to Facebook users’ messages, both public and private, when a Republican Presidential candidate is mentioned by name. The data is being collected and analyzed for sentiment by Facebook’s data team, then delivered to Politico to serve as the basis of data-driven political analysis and journalism.

Even though your personally expressed thoughts are being aggregated, which should  – in theory – strip out your identity, the potential for abuse of this kind of data mining is staggering.

Use encryption and the cloud to shield your data at the border

December 21, 2011

When you pass through customs (U.S. or elsewhere), your data is more vulnerable than ever before thanks to modern data forensics tools paired with raw computing power. Whether you want to protect your personal or business data, check out this informative guide from the Electronic Frontier Foundation about how to defend your privacy at the border.

Our lives are on our laptops – family photos, medical documents, banking information, details about what websites we visit, and so much more. Thanks to protections enshrined in the U.S. Constitution, the government generally can’t snoop through your laptop for no reason. But those privacy protections don’t safeguard travelers at the U.S. border, where the U.S. government can take an electronic device, search through all the files, and keep it for a while for further scrutiny – without any suspicion of wrongdoing whatsoever.

You are currently browsing the privacy category at rdschneider.