Thursday, February 23, 2012 - 06:53


Have you ever taken a picture with your smartphone or a digital camera and emailed it or posted it online? All digital pictures contain information, called metadata, such as the size of the file, the type of camera used to take the picture, image resolution, and, if available, GPS coordinates. 


Including GPS data, also referred to as geotagging, is particularly concerning. There has been an explosion in the number of devices (iPhones, Androids, Blackberries, etc.) that include GPS locator technologies. What if you or a friend takes a picture with one of these smartphones and posts it online? Could someone else download the picture and look at this metadata to see where the picture was taken? 


Today, the short answer is yes. If I take a photo with my iPhone or Android phone, the picture is automatically tagged with GPS information. When I email, text, tweet or upload that photo to a website, the metadata, including GPS information, is uploaded with it. Some sites and clients will remove the metadata from pictures. Facebook strips the metadata, including any geotagging information. Twitter clients can be configured to do the same, but it very much depends on the client you use. Other services like Flickr or Picasa have different ways of handling location information in the metadata.


A geotagged picture posted online, together with information gleaned from social media, could be used to figure out where you live, work or shop. Check out this video on how the location information could be leaked (http://www.youtube.com/watch?v=N2vARzvWxwY).


You should be in control of your online identity and decide whether you want others to know this type of information about you. To learn more about geotagging and how to disable it on your mobile device, see the excellent blog post at icanstalku.com (http://icanstalku.com/how.php).
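To make the "metadata travels with the picture" point concrete, here is a small added Python example (not code from the original post or from icanstalku.com). It walks the JPEG segment structure, parses the Exif TIFF directory far enough to tell whether a GPS sub-IFD is present, and strips the whole Exif segment while keeping every other segment intact. The JPEG it inspects is constructed inline as a byte string, so the script runs offline; a real photo would be read with `open(path, "rb").read()` instead. The tag number 0x8825 (the GPS IFD pointer) and the marker values are standard Exif/JPEG constants; `build_sample_jpeg` and the 36°N latitude it embeds are made up for the demonstration.

```python
import struct

GPS_IFD_POINTER = 0x8825  # Exif tag in IFD0 that points at the GPS sub-IFD


def iter_segments(data):
    """Yield (marker, start, end) for each JPEG segment before Start-Of-Scan.
    start is the offset of the 0xFF marker byte, end is one past the segment."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI)")
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError("expected a marker at offset %d" % pos)
        marker = data[pos + 1]
        if marker == 0xDA:  # SOS: compressed image data follows, no more metadata
            return
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]  # includes the 2 length bytes
        yield marker, pos, pos + 2 + length
        pos += 2 + length


def find_exif(data):
    """Return (start, end) of the APP1 Exif segment, or None if the file has none."""
    for marker, start, end in iter_segments(data):
        if marker == 0xE1 and data[start + 4:start + 10] == b"Exif\x00\x00":
            return start, end
    return None


def read_ifd(tiff, offset, endian):
    """Parse one TIFF IFD into {tag: (type, count, raw 4-byte value-or-offset)}."""
    (count,) = struct.unpack(endian + "H", tiff[offset:offset + 2])
    entries = {}
    for i in range(count):
        e = offset + 2 + 12 * i
        tag, typ, n = struct.unpack(endian + "HHI", tiff[e:e + 8])
        entries[tag] = (typ, n, tiff[e + 8:e + 12])
    return entries


def gps_tags(data):
    """List the tag ids found in the GPS IFD; an empty list means the photo is not geotagged."""
    found = find_exif(data)
    if found is None:
        return []
    start, end = found
    tiff = data[start + 10:end]  # skip marker, length field and "Exif\0\0"
    endian = ">" if tiff[:2] == b"MM" else "<"
    (ifd0,) = struct.unpack(endian + "I", tiff[4:8])
    entries = read_ifd(tiff, ifd0, endian)
    if GPS_IFD_POINTER not in entries:
        return []
    (gps_offset,) = struct.unpack(endian + "I", entries[GPS_IFD_POINTER][2])
    return sorted(read_ifd(tiff, gps_offset, endian))


def strip_exif(data):
    """Return a copy of the JPEG with the whole Exif segment removed; other segments survive."""
    found = find_exif(data)
    if found is None:
        return data
    start, end = found
    return data[:start] + data[end:]


def build_sample_jpeg():
    """Constructed test input: a minimal JPEG whose Exif block carries a GPS IFD (36 deg N)."""
    tiff = b"MM\x00\x2a" + struct.pack(">I", 8)                    # big-endian header, IFD0 at 8
    tiff += struct.pack(">H", 1)                                     # IFD0: one entry
    tiff += struct.pack(">HHII", GPS_IFD_POINTER, 4, 1, 26)         # LONG -> GPS IFD at offset 26
    tiff += struct.pack(">I", 0)                                     # no next IFD
    tiff += struct.pack(">H", 2)                                     # GPS IFD: two entries
    tiff += struct.pack(">HHI", 0x0001, 2, 2) + b"N\x00\x00\x00"    # GPSLatitudeRef "N" (inline)
    tiff += struct.pack(">HHII", 0x0002, 5, 3, 56)                   # GPSLatitude: 3 RATIONALs at 56
    tiff += struct.pack(">I", 0)
    tiff += struct.pack(">IIIIII", 36, 1, 0, 1, 0, 1)                # 36/1 deg, 0/1 min, 0/1 sec
    exif = b"Exif\x00\x00" + tiff
    app1 = b"\xff\xe1" + struct.pack(">H", len(exif) + 2) + exif
    comment = b"\xff\xfe" + struct.pack(">H", 2 + 5) + b"hello"     # COM segment that must be kept
    return b"\xff\xd8" + app1 + comment + b"\xff\xda" + b"\x00" * 8 + b"\xff\xd9"


if __name__ == "__main__":
    jpg = build_sample_jpeg()
    print("GPS tags before stripping:", gps_tags(jpg))
    print("GPS tags after stripping: ", gps_tags(strip_exif(jpg)))
```

Dropping the entire APP1 segment is the simplest safe choice: it removes the GPS IFD along with everything else a phone writes there (camera model, timestamps, thumbnail), which is what the sites that "strip the metadata" effectively do.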

Monday, February 13, 2012 - 13:05

A New York Times story this week offers interesting insight into device security in the age of digital espionage. The article discusses the dangers of traveling to China and Russia with a laptop or smartphone full of information.


Kenneth Lieberthal, a China expert at the Brookings Institution, told the Times that he never travels with his "work" or "personal" laptop or cellphone, choosing instead to take loaner replacements. His behavior is typical for officials at American government agencies, research groups and companies that do business in China and Russia, according to the article:


"If a company has significant intellectual property that the Chinese and Russians are interested in, and you go over there with mobile devices, your devices will get penetrated," says Joel F. Brenner, formerly the top counterintelligence official in the office of the director of national intelligence.


So what can you, as a traveler, do to protect yourself abroad? Consider the following suggestions:


  1. Consider taking a loaner laptop that has been wiped clean;
  2. Make sure the computer is up to date on patches (Windows Update or Apple's Software Update);
  3. When you return, completely wipe the device(s);
  4. Access Duke resources via the VPN (portal.duke.edu);
  5. Check mail via a web browser (exchange.oit.duke.edu or webmail.duke.edu);
  6. Turn off Bluetooth on the devices you take with you;
  7. Make sure the microphone and cameras on your devices are turned off.


For additional questions/help, please contact your local IT support staff or the IT Security Office (security@duke.edu).

Wednesday, January 4, 2012 - 10:00

More than 1 million records, including user names, email and home addresses, phone numbers and credit card details, were published on the Internet after a Christmas Eve attack on the security firm Strategic Forecasting Inc. Among those records: 860,160 "StratFor" account passwords, which are still available for anyone on the Internet to download.


Earlier this week, The Tech Herald published a detailed analysis of the "StratFor" password dump. The analysis includes many interesting stats, but possibly the most interesting was how quickly those passwords could be cracked.


The StratFor passwords were released as hashes, which cannot be read directly as passwords and have to be cracked first. However, with just under five hours spent running a free, easily available password-cracking utility on a single desktop computer, The Tech Herald was able to recover 81,883 passwords from the hashes on the list. The bulk of them were recovered in the first two hours.


Of the 81,883 passwords that The Tech Herald took the time to crack, 96.5 percent of the passwords were 10 characters or less. Even worse, 36.8 percent were six characters or less. Such short passwords make for easily cracked hashes, which result in easily compromised accounts.


The Tech Herald analysis is absolutely worth reading, but even without reviewing the complete stats, the information above is a great reminder of why it's important to use long passwords. Even more importantly, it's a great reminder of why two-factor authentication must quickly become the standard for authenticating users. It seems that the technology required to crack these hashes has already outpaced the length of password most users are willing to use. Two-factor authentication is the only real solution to this problem.


Read the full article at The Tech Herald: http://www.thetechherald.com/articles/Report-Analysis-of-the-Stratfor-Password-List
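The two defensive lessons above, that short passwords fall quickly and that the way a site stores passwords decides how much a leaked hash list is worth, can be shown in a few lines. The following is an added Python example, not code from the post or from The Tech Herald, and the password list in it is constructed for illustration, not taken from the leak. The post does not say which hash function StratFor used; the example simply contrasts a fast, unsalted digest (where every user with the same password gets the same hash, so one lookup table covers all of them) with salted, iterated PBKDF2-HMAC-SHA256 from Python's standard library, and enforces a length floor before storing anything. The `min_length` of 12 and the iteration count are the example's own choices.

```python
import hashlib
import hmac
import os

# Constructed sample list, not the leaked data. Lengths: 4,5,6,6,7,8,9,10,12,16.
SAMPLE_PASSWORDS = [
    "pass", "12345", "qwerty", "abc123", "letmein", "football",
    "baseball1", "sunshine12", "correcthorse", "battery-staple-9",
]


def length_distribution(passwords, thresholds=(6, 10)):
    """Percentage of passwords whose length is <= each threshold (the stat the analysis reports)."""
    total = len(passwords)
    return {t: round(100.0 * sum(1 for p in passwords if len(p) <= t) / total, 1)
            for t in thresholds}


def unsalted_digest(password):
    """A fast, unsalted hash: equal passwords give equal digests, so one precomputed
    table (or one guess) cracks every account that shares the password."""
    return hashlib.sha1(password.encode()).hexdigest()


def hash_password(password, min_length=12, iterations=100_000):
    """Enforce a length floor, then store salt + PBKDF2-HMAC-SHA256.
    The per-user random salt defeats shared lookup tables; the iteration count
    makes each guess cost the attacker thousands of hash operations instead of one."""
    if len(password) < min_length:
        raise ValueError("password must be at least %d characters" % min_length)
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), dk.hex())


def verify_password(password, stored):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iterations, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    print("share of sample passwords at or under 6 / 10 chars:",
          length_distribution(SAMPLE_PASSWORDS))
    # Two users, same password: identical unsalted digests, distinct PBKDF2 records.
    print("unsalted digests equal:",
          unsalted_digest("correcthorse") == unsalted_digest("correcthorse"))
    rec_a = hash_password("battery-staple-9")
    rec_b = hash_password("battery-staple-9")
    print("PBKDF2 records equal:", rec_a == rec_b)
    print("verify ok:", verify_password("battery-staple-9", rec_a))
```

Salted, iterated hashing does not rescue a six-character password, which is why the length floor comes first; it does make the leaked list of long passwords far more expensive to work through than the five hours quoted above.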
