security

What Gunther Oettinger, the EU’s new digital commissioner, thinks of the nude selfie situation

We didn't pass comment on the theft of nude photos of famous women here at Photocritic because... oh because what the hell did you expect us to say? We can't quite establish what makes us more incensed: the misogyny of threatening women with nude photos of themselves or the puritanism of suggesting that people shouldn't be able to share slightly risqué photos of themselves with their lovers. Only then does the neo-luddism of Joe and Josephine Bloggs, spouted forth on the question of selfies—nude or otherwise—social media, hacking, and cloud storage come into consideration. So rather than raise our blood pressure beyond what is necessary, we said nothing. However, now that Günther Oettinger has made a pronouncement on the situation, we can't contain ourselves. According to him, you see, it's all the victims' fault: they were stupid for placing their images online and there's no helping them.

If someone is stupid enough as a celebrity to take a nude photo of themselves and put it online, they surely can’t expect us to protect them. Stupidity is something you can only partly save people from.

There are plenty of people who take a similar stance to Oettinger: that personal responsibility is the crux of this matter. Much like one mitigates against car theft by parking in a secure place, locking your vehicle, and not leaving valuables on display, one doesn't upload sensitive information to cloud storage facilities where you're relying on other people to provide the security. Using the example of the Enigma, my grandfather taught me that if you can make something, you can break it, too. Nothing is thoroughly secure and thus to a degree I can understand this philosophy. It is, though, a question of calculated risk: much like I expect an airport parking service to keep my car safe when I'm overseas, I rather expect Dropbox to do its best by the back-up copies of my book manuscripts, too. If individuals aren't convinced by the efficacy of cloud storage they are within their prerogative not to use it. But Günther Oettinger is not Joe Bloggs and he's the sort of person who should know better.

That's quite enough!

Who is Günther Oettinger and why should his comments create such outrage and consternation? Günther Oettinger is set to assume the post of EU Commissioner for Digital Economy and Society in November 2014. The expectations of the role were set out in a letter from Jean-Claude Juncker (President of the European Commission) to Oettinger when offering him the post:

We must make much better use of the opportunities offered by digital technologies which know no borders.... You should set clear long-term strategic goals to offer legal certainty to the sector and create the right regulatory environment to foster investment and innovative businesses. You should also ensure that users are at the centre of your action.... You will also need to ensure that the right conditions are set, including through copyright law, to support cultural and creative industries and exploit their potential for the economy.

The person who is responsible for fostering innovation in and the expansion of digital technology, particularly with respect to business, across the European Union doesn't appear to have a clear understanding of the principles of cloud storage: how it works, how it is used, and what its potential is. Furthermore, he finds it appropriate to victim-blame those who've suffered the indignity of having their personal information splashed across international media.

It's an extraordinary comment from someone who is expected to advocate for digital solutions and development. Rather than claiming that someone is stupid for entrusting their sensitive data into the supposedly secure vaults of companies and expecting them to remain safe from prying eyes behind passwords and firewalls and whatever else they use—those same companies which have access to our credit card details whenever we spend money with them—it would have been better to recognise that a facility with so much potential also has its shortcomings and that perhaps working towards ensuring digital security was a priority for his office.

Nothing to see here

This isn't even behaviour that can be regarded as ostriching; it's an abrogation of his responsibilities and a remarkable display of ignorance pertaining to his office. We might need to be cautious and sceptical when it comes to sharing, storing, or spending our data, but he should be positive and creative about its possibilities. In the unlikely event that Oettinger reads this, I'd like to offer him some advice.

Whether you approve or not, the digital economy is a Pandora's box that has been opened. Along with the threat of every type of cyber-crime from data theft and misappropriation to DDoS attacks comes untold and exciting potential. From Amazon to Apple, Facebook to Flickr, and Tesco to Twitter, people are spending more time and money online and using it to share and store more information as a consequence. In addition to the engineers and visionaries who choose to push this as far as they can take it, you're one of the people who's been appointed to harness the potential from this chest of wonders, not blame the general public when things go wrong, and none of this—the perils, pitfalls, and positives—is going anywhere. This is your job now: you need to get to grips with it.

For the rest of us: If it's any consolation, the man does have a teenaged son.

What's the situation with the Snapchat hack?

The Snapchat security vulnerability is a story that has quietly grumbled on over the Christmas and New Year period, but is hopefully reaching some kind of resolution, at least for the bugs highlighted on Christmas Eve. To recapitulate, Gibson Security discovered potential exploits in Snapchat's Find Friends feature and informed the app's developers of them in August 2013. One of these bugs allowed someone to upload a list of random telephone numbers and match them to Snapchat users' names. The other allowed the creation of multitudes of dummy accounts. Bring on the spammers and maybe even stalkers, then. Although Snapchat made some moves to address the faults, it didn't close the loopholes entirely. Gibson Security, therefore, took it upon itself to document Snapchat's API on Christmas Eve, making the vulnerability obvious for anyone who wanted to abuse it. The hole was exploited on New Year's Eve, when 4.6 million Snapchat users' partially redacted names and telephone numbers were published online, albeit for a limited period of time.
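The Find Friends bug described above is a bulk-lookup problem: one account could test any number of telephone numbers it had no relationship with. As an added example (not Snapchat's code), here is a server-side guard in Python that caps distinct lookups per account within a window and flags accounts whose probes rarely match a real user; the thresholds, the log format and the account names are assumptions made for the example.

```python
from collections import defaultdict, deque

# Thresholds are assumptions chosen for the example, not Snapchat's values.
WINDOW_SECONDS = 3600          # sliding window per account
MAX_DISTINCT_PER_WINDOW = 200  # cap on distinct numbers looked up
MIN_MATCH_RATE = 0.05          # random numbers rarely belong to real users
MIN_LOOKUPS_FOR_RATE = 50      # only judge the match rate once there is data


class LookupGuard:
    """Per-account guard for a 'match phone numbers to users' endpoint."""

    def __init__(self):
        self._events = defaultdict(deque)  # account -> (ts, phone, matched)

    def record(self, account, now, phone, matched):
        """Record one lookup; return a block reason, or None if it may proceed."""
        q = self._events[account]
        while q and now - q[0][0] > WINDOW_SECONDS:  # drop expired events
            q.popleft()
        q.append((now, phone, matched))
        if len({p for _, p, _ in q}) > MAX_DISTINCT_PER_WINDOW:
            return "too_many_distinct_numbers"
        if len(q) >= MIN_LOOKUPS_FOR_RATE:
            rate = sum(1 for _, _, m in q if m) / len(q)
            if rate < MIN_MATCH_RATE:
                return "low_match_rate"
        return None


def scan(log_lines):
    """Replay 'ts,account,phone,matched' lines; return {account: first block reason}."""
    guard = LookupGuard()
    flagged = {}
    for line in log_lines:
        ts, account, phone, matched = line.strip().split(",")
        reason = guard.record(account, int(ts), phone, matched == "1")
        if reason and account not in flagged:
            flagged[account] = reason
    return flagged


def sample_log():
    """Constructed log: one user syncing 60 real contacts, one bulk prober."""
    lines = [f"{i},alice,+15550000{i:03d},{int(i % 2 == 0)}" for i in range(60)]
    # the prober submits 300 sequential numbers, of which only two belong to users
    lines += [f"{100 + i},prober,+15551{i:06d},{int(i in (150, 299))}"
              for i in range(300)]
    return lines
```

Replaying the constructed log flags only the prober, on the low match rate, before it reaches the distinct-number cap; the legitimate contact sync passes both checks.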

With the ante having been upped, Snapchat has been forced to issue an update to its app that patches the vulnerability. It hasn't been released yet, but when it is, it will allow users to opt out of the Find Friends feature after they have verified their telephone number. Snapchat has also stressed that no other information, including images, was accessed during the attack.

Bugs happen and so do security breaches; what matters is how companies and developers respond to them. Perhaps the most disturbing element of this situation isn't that Snapchat users' details could potentially have been exploited, but Snapchat's ostrich approach to security. Rather than addressing the situation thoroughly and immediately when first informed of it, it made a half-baked attempt to implement a patch that could still be exploited. When it was called out, it reacted slowly with a fix that is opt-in rather than opt-out, and it hasn't apologised to its users. Food for thought.

You can read what Snapchat had to say for itself on its blog.

Adobe's security breach in October was far more serious than believed

Adobe announced that it had suffered a security breach in early October that had resulted in the compromise of approximately 3 million customers' data as well as the loss of some proprietary source code. Attackers made away with customers' names, encrypted payment card numbers, and card expiration dates as well as the code for the ColdFusion web application and its Acrobat programmes. KrebsOnSecurity, the firm that spotted the initial attack, has now placed the figure of customers affected by the breach at some 38 million, and the source code that was lifted is also said to include Photoshop. According to the KrebsOnSecurity blog, it has taken some time to uncover the extent of the violation because:

At the time, a massive trove of stolen Adobe account data viewed by KrebsOnSecurity indicated that — in addition to the credit card records – tens of millions of user accounts across various Adobe online properties may have been compromised in the break-in. It was difficult to fully examine many of the files on the hackers’ server that housed the stolen source because many of the directories were password protected, and Adobe was reluctant to speculate on the number of users potentially impacted.

Over the weekend, a large file of username and hashed password pairs, which appears to be Adobe account details, was posted by AnonNews.org.

Adobe has contacted all of the active customers whom it believes to have been affected and claims that there has been no 'unauthorised activity' on any of the compromised accounts since the attack. It now remains for the inactive customers to be contacted. And regardless of whether users were active or inactive, their passwords were reset if Adobe believed that they were affected by the attack.

Whether Adobe chose to downplay the extent of the attack earlier in the month because it couldn't be certain of the number of affected customers or because it preferred to minimise the damage does not present it in the best light. One scenario makes it look careless, the other deceptive. I wonder how many customers are now looking for alternative products and providers... or waiting for a replicant based on the stolen code?

(Headsup to Engadget)

Update! Heather Edell, Adobe's Senior Manager of Corporate Communications emailed me in the early hours of 30 October. She stated that:

In our public disclosure, we communicated the information we could validate. As we have been going through the process of notifying customers whose Adobe IDs and passwords we believe to be involved, we have been eliminating invalid records. Any number communicated in the meantime would have been inaccurate. So far, our investigation has confirmed that the attackers obtained access to Adobe IDs and what were at the time valid, encrypted passwords for approximately 38 million active users. We have completed email notification of these users. We believe the attackers also obtained access to many invalid Adobe IDs, inactive Adobe IDs, Adobe IDs with invalid encrypted passwords, and test account data. We are still in the process of investigating the number of inactive, invalid and test accounts involved in the incident. Our notification to inactive users is ongoing. We currently have no indication that there has been unauthorized activity on any Adobe ID account involved in the incident.

In short: 2.8 million users had their names, encrypted payment card numbers, and card expiration dates filched by the attackers. An additional 38 million users had their user IDs and encrypted passwords stolen. However, because Adobe was unable to validate the number of users affected by the loss of user IDs and encrypted passwords, it did not disclose this initially. It has waited until it has more accurate figures.

Adobe's undergone a security breach. Time to reset your passwords.

Adobe has issued a communication to all of its customers this morning that it has sustained an attack on its network and its system has been breached. As a consequence, anyone who has conducted a transaction with Adobe has potentially had their name, encrypted payment card number, and card expiration date accessed by the attackers, although the number of affected customers has been placed at 2.9 million by Adobe's Chief Security Officer, Brad Arkin. Adobe does not believe that any decrypted card numbers were removed from their systems. The recommendation is for all Adobe customers to change their account passwords, which you can do by following this link, and to change the passwords of any accounts that might share your original Adobe password or ID. You should also keep a close eye on your bank transactions, be alert for any unusual payments, and notify your bank if you spot anything untoward.

In addition to customer data, proprietary source code for the ColdFusion web application and Acrobat programmes was filched. This has the potential to open up millions of users to security breaches, if the hackers can capitalise on any security holes or bugs in the code. Just think how many people use Acrobat.

The breach was spotted by Brian Krebs of KrebsOnSecurity; he has asserted that the hackers responsible were also behind the LexisNexis hack and that the attack probably commenced at some time in mid-August.

Keep alert, people, and please remember to practise proper password security.

(Most information came direct from Adobe, some additional details from Ars Technica)