Top Lesser Known Security/Privacy concerns Today

September 12, 2013

Not a complete list, but some important items that not everyone is aware of.

Metadata — Metadata is the information found about data. Even if your data is encrypted, there is still a lot of metadata that can be just as revealing as the data itself. Some examples include:

  • Sending encrypted email — hackers will still know whom it went to and when it went to them.
  • Bitrates — certain traffic bitrates can be linked to movies, music, etc.
  • Proxy servers — using an anonymous proxy? Without random packet delay, the traffic going out is easily matched to the traffic coming in. With this it's not too hard to figure out what data is going where.

Lack of Perfect Forward Secrecy (PFS) usage — Many TLS implementations have refused to offer PFS. Without it, if a hacker ever obtains the private key — even after the key expires — all communications it ever encrypted could be decrypted. Where do most people store their expired SSL keys? Do they keep them just as secure as their active ones?

Lack of Pre-Internet Encryption (PIE) — Unless the data you are putting on the internet is encrypted using a secret key that is not itself stored on the internet, your data is not truly secure.

Difference of opinion — If company 1 needs the last 4 digits of your credit card to reset your password, and company 2 shows you the last 4 digits of your credit card so you can see what card you're using, this makes social reverse engineering very easy. With enough pieces of the puzzle you can take over all accounts owned by a single entity.

Java/JavaScript — So many holes in the past, and there will continue to be holes in the future. Now that everything uses JavaScript — Mozilla even removed the ability to disable it from their UI — there are going to be many problems to come in this area.

References:

Back to blog