Showing posts with label privacy. Show all posts

Wednesday, October 23, 2019

3 Reasons Crypto Needs Privacy



In 2012, a senate report disclosed the fact that international banking giant HSBC was involved in laundering money for terrorists and drug cartels. Billions of dollars were laundered over a period of seven years, much of that occurring before the Satoshi Nakamoto white paper had been published.

And yet, some might say that private crypto transactions are only for criminals. Really?

As the HSBC case illustrates, criminals don’t need privacy. All they need is a high-profile partner willing to look the other way.

So, who does need private transactions?

You and I do. If we want to be free, safe, and secure, that is.

Privacy in Cryptocurrency and Blockchain


Cryptocurrencies like Bitcoin are not really anonymous - they are pseudonymous. While your name may not be tied to every address you ever send BTC to and from, every transaction is recorded in the blockchain for everyone to see. All I need to do in order to tie you to a certain transaction is to verify that one of the public keys in question is associated with a wallet in your possession.

San Francisco Blockchain Week 2018 hosted an important fireside chat about this very issue entitled “The Privacy Hype.” The talk can be seen here:

Alternative cryptocurrencies have devised ways to obscure the details of transactions by default. This is a much-needed feature that protects individual rights and allows cryptocurrency to achieve its full potential as an empowering decentralized technology.

Here are three reasons crypto needs privacy.

1) Crypto Needs Privacy for Protection Against Censorship


The march toward online censorship has taken dramatic strides over the last several years. Often times, this includes stonewalling the financial activities of an individual or organization. Thankfully, cryptocurrency provides for the possibility of preventing such draconian measures.

In a paper published earlier this year, Jerry Brito explains why we need private transactions. He likens private cryptocurrency to cash in that both are untraceable. Without cash, society takes a sharp turn toward totalitarianism, he argues:

“In a world without cash (a bearer and peer-to-peer form of money) all transactions must be necessarily intermediated by financial institutions. Intermediated transactions are by their nature subject to surveillance and control. If third-party financial institutions must be part of all transactions, then they will be privy to the intimate details of everyone’s financial life. They can also choose to disallow certain transactions and potentially even certain persons from transacting.”

If all of us used a currency that allowed for private transactions (like Monero), however, this would not be the case at all. By protecting privacy, currencies like Monero protect individual sovereignty.

2) Private Transactions Support Individual Sovereignty 


While a surveillance state empowers large organizations and powerful financial institutions, private transactions empower individuals.

An article authored by Abhimanyu Krishnan of InvestinBlockchain.com describes the issue quite well:

"Privacy coins are one of the most hotly debated issues in the cryptocurrency market. Unlike many other coins, they rile up all of the powers in charge, from tech monopolies to governments to banks, thanks to their potential to pull the rug out from underneath them and invert the flow of power."

But this is not the primary reason that crypto needs privacy. Rather, it’s a potential side effect. The real reason, as you may have noted by now, is all about power to the people.
 
3) Private Transactions Put Power in the Hands of the People

As government whistleblower and privacy pioneer Edward Snowden has intimated when speaking of other privacy-centric coins, privacy and security go hand-in-hand.
Being private means you can rest easy knowing that no one will be scrutinizing your financial activities.

If you’re a political activist living in a nation controlled by an oppressive government, you don’t have to fear your activities being slow-rolled by regulatory authorities. If you’re an independent journalist, you don’t have to worry about having your freedom restricted through financial channels. And if you just want to have full control of your own financial actions, you’re covered there as well, of course.

How do we conduct private transactions? Simple - use a currency that prevents user transactions from being identifiable.

Monero Enables Private Transactions


Monero (XMR) is the original privacy coin and was introduced in April 2014. Monero uses three privacy technologies to hide information about transactions:
  • Ring signatures
  • Ring confidential transactions (RingCT)
  • Stealth addresses
These technologies hide the sender, amount of coin being sent, and receiver, respectively. Transactions on the Monero blockchain can’t be linked to any specific user because all the details of the transactions are obfuscated by default.
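As an added illustration (not code from the Monero project or this post), here is the stealth-address derivation that hides the receiver, worked through in a toy group: the multiplicative group modulo the Mersenne prime 2^61-1 stands in for Monero's ed25519 curve, so modular exponentiation plays the role of scalar multiplication. The function names and the constructed keys are assumptions of the example; ring signatures and RingCT are not shown.

```python
import hashlib
import secrets

# Toy group standing in for ed25519: the multiplicative group modulo the Mersenne
# prime 2^61 - 1. A "point" is an integer mod P; "scalar multiplication" is modular
# exponentiation and "point addition" is modular multiplication. Constructed for
# illustration only; it has none of the security properties of Monero's curve.
P = (1 << 61) - 1
ORDER = P - 1          # exponents reduce mod P-1 (Fermat), so scalars live mod ORDER
G = 7                  # fixed base element, the "G" of the CryptoNote equations


def scalar_mult(k: int, point: int) -> int:
    return pow(point, k, P)


def point_add(x: int, y: int) -> int:
    return (x * y) % P


def hash_to_scalar(*parts) -> int:
    """Hs(): hash the shared secret and output index down to a scalar."""
    data = b"|".join(str(part).encode() for part in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % ORDER


def rand_scalar() -> int:
    return secrets.randbelow(ORDER - 1) + 1


def keygen():
    """Recipient: private view key a, private spend key b; (A, B) is the public address."""
    a, b = rand_scalar(), rand_scalar()
    return a, b, scalar_mult(a, G), scalar_mult(b, G)


def sender_build_output(A: int, B: int, index: int = 0):
    """Sender: fresh r per transaction, R = rG goes into the transaction, and
    P = Hs(rA, i)G + B is the one-time destination key. Nothing on chain
    reveals the recipient's address (A, B)."""
    r = rand_scalar()
    R = scalar_mult(r, G)
    shared = scalar_mult(r, A)                              # rA
    P_out = point_add(scalar_mult(hash_to_scalar(shared, index), G), B)
    return R, P_out


def recipient_scan(a: int, B: int, R: int, P_out: int, index: int = 0) -> bool:
    """Recipient, using the view key only: aR equals rA, so they can recompute
    P for every output on chain and recognise the ones that are theirs."""
    shared = scalar_mult(a, R)
    return point_add(scalar_mult(hash_to_scalar(shared, index), G), B) == P_out


def recipient_spend_key(a: int, b: int, R: int, index: int = 0) -> int:
    """One-time private key x = Hs(aR, i) + b, which satisfies xG = P; only the
    holder of the spend key b can form it."""
    return (hash_to_scalar(scalar_mult(a, R), index) + b) % ORDER
```

Two outputs paid to the same address get different R and P, so an observer cannot link them, while the scan with the view key alone still finds both.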



Monero is based on the CryptoNote protocol and has a dynamic block size, dynamic fees, and is ASIC-resistant. These features and more make it stand out from the pack of privacy coins.

You can learn more about the specifics of Monero on the official Monero website.

Monday, July 29, 2019

Brave: A New Dimension of Privacy-Focused Browsing and User-Driven Content Rewards

Somehow, privacy has become somewhat of a controversial concept in recent years.
Some people say if you have nothing to hide, then privacy should be of no concern to you. But can the issue be reduced to such a binary perspective?
As journalist Glenn Greenwald explains in the Ted Talk below, privacy is an important and fundamental right for everyone. He poses a simple question to those who proclaim that privacy concerns are only for the paranoid. 
He asks them for usernames and passwords to all of their email accounts.
Of course, no one ever agrees to this. And yet, many people have no problem with websites tracking their browsing habits with cookies, search engines logging their searches, email clients archiving their messages, and intelligence agencies collecting and storing almost every piece of virtual information available.
We won’t dive into the ethical, legal, or political implications of privacy concerns here. But we will discuss one piece of software putting browsing back into the hands of users via blockchain technology.
Brave is a browser unlike any other.
Browsing the web is a necessity for most everyone these days. You’re using a web browser right now to read this article. 
But what do you know about your browser and the company who created it?
Did you know your browser has a “fingerprint” that can be used to track you, regardless of your apparent IP address? 
Ever see ads for something you just searched for or clicked on? Thank the cookies stored in your browser for allowing companies to better target you with advertisements. This kind of browsing experience is broken, since ads become ubiquitous and ad revenue gets gobbled up by a small group of megalithic corporations. 
By contrast, Brave is “on a mission to fix the web.” Brave describes itself as:
“Much more than a browser, Brave is a new way of thinking about how the web works. Brave is open source and built by a team of privacy focused, performance oriented pioneers of the web.”
Brave has features no other browser to date has ever incorporated, including:
– Built-in TOR functionality (more on this below)
– One-click anti-tracking mechanism (shields)
– Reward system based on the Basic Attention Token (BAT)
In Brave, users can open a new tab with TOR (short for The Onion Router; TOR anonymizes web traffic by routing your requests through a series of servers located in different countries around the world).
Even without using TOR, Brave users still enjoy a degree of privacy that users of other browsers do not. 
“Shields up” means that you are protected from a variety of ad trackers and third-party fingerprinting attempts. Because this may break the functionality of some sites, you can “lower your shields” with a single click and turn off the privacy-enhancing features of the browser.
But wait, there’s a problem. 
If advertisers can’t track you in order to market their products and services, and websites can’t host those ads for affiliate revenue, how will any site remain profitable in this new internet? 
Creator Rewards: How it Works
If you’re not yet impressed, just wait. The coolest and most revolutionary feature of Brave is the built-in Basic Attention Token (BAT) wallet. This wallet enables users to send BAT to creators of sites they enjoy.
Do you own a website? Consider registering with Brave Rewards. Once you’re set-up, users who visit your site while using Brave can send you BAT if they like your content.
This system has been created in an attempt to overthrow the existing online revenue model of users having to tolerate advertisements so that websites can be profitable. Sacrificing privacy becomes a necessity in that model, as ad trackers embedded in your browser cache enable companies to target you with user-specific advertisements (not to mention even more intrusive tracking methods like browser fingerprinting). 
Because websites can be rewarded with BAT instead of having to rely on ad revenue, the entire paradigm changes. 
The Basic Attention Token is listed on major exchanges like Coinbase and Poloniex. Although getting website creators and internet users to participate in the BAT ecosystem is a core goal of Brave, using the built-in BAT wallet is optional. 
And as you might imagine, most sites have yet to register with Brave rewards. But don’t let that stop you from sending them BAT — the tokens will be stored in a wallet and waiting for them until they do decide to register.
Be Brave When Browsing: Download the App
You can download the Brave app on your phone and get Brave on your desktop to enjoy this new browsing experience. 
Personally, when it comes to browsers on mobile, I don’t use anything else anymore. Brave is so fast that it’s too painful to use anything else. And avoiding ads without even having to install a browser extension is quite convenient. 
Brave is slowly starting to integrate more browser extensions into its software as it matures, grows, and transforms. One day the browser may be even more user-friendly than its competitors.
At that point, Brave’s mission to “fix the web” will be almost complete.

Wednesday, February 13, 2019

Top 7 Cloud Security Threats You Need to be Ready for in 2019




As we approach the end of the second decade in the 21st century, more and more of our virtual world is moving to the cloud. Cloud computing has made possible what was once only dreamed of. With this revolutionary new way of storing and managing data has come countless advantages.

Companies can now have remote access to their most vital data. Teams no longer need to share the same physical space in order to collaborate. We now rely less on physical hardware, saving workspace and reducing the need for creating new computing devices that tend to become obsolete in a few years or less.

But with this increased convenience has come challenges as well. The greatest of those challenges has, without a doubt, been the new security concerns that cloud-based solutions have created.

The Cloud Security Alliance has noted that cloud servers are easily accessed while also being high-priority targets for hackers because of their tendency to contain veritable mountains of important and valuable information.


In other words, cloud providers are a hacker’s most whimsical wish – a honeypot of data just waiting to be plundered. Many people fail to consider this fact when contemplating the top cloud security threats this year. 

Fortunately, there are some simple ways to mitigate the threats that cloud-based systems and others face.

Begin by using two-factor authentication (2FA) such as security keys or 2FA apps. Use strong passwords and password managers. Use threat modeling apps, keep an eye on your security audits, and exercise due diligence when it comes to installing routine software upgrades and security patches. 

All of these little things combine to make a big difference.

Here are the top 7 cloud security threats you should be prepared for in 2019.

Data Breaches


The last few years have seen a slew of data breaches on a scale the world has never seen before. Some of these, such as the Cloudflare incident, happened as a direct result of increased usage of cloud providers.

Using two-factor authentication such as an authenticator app or security key is a vital security measure that many people neglect to make use of. 

While it’s not a cure-all, it definitely makes compromising an account much more difficult. Instead of just obtaining a password, attackers have to go the extra mile to also compromise the second method of authentication, which is much more difficult to accomplish.

 
A security key is the most secure method of 2FA – the physical key creates a unique code for every log-in. Some security keys require you to push a button with every log-in, others do not.

Security keys are like small flash drives that have to be connected to your device in order to generate a unique code that allows you to log in securely. So the one drawback is that they can’t be used on mobile devices.

Another drawback of security keys is that they are supported by a limited number of services at the moment and require the Google Chrome browser (which is the worst browser available in terms of privacy). But you can still use a security key for your Facebook, Dropbox, and Gmail accounts.

A back-up method of 2FA, such as SMS text or an authenticator app can be set up as an alternative. This way, if you want to log in via mobile or you don’t have your key on hand, you’re not locked out of your accounts.

Authenticator apps are also very secure because they generate a unique one-time code locally, from a secret stored on the device, that is good for 30 seconds from its creation time. Having the code generated locally means you can retrieve it even if your phone is offline or in airplane mode.

 
While each code expires after 30 seconds, you don’t have to open the app and rush to enter the code before the next one appears or anything like that. This method of 2FA can seem foreign to someone who has never used it, but it’s no different than receiving a new text twice every minute.

Choose one of these methods over SMS text whenever you can. An SMS message can be intercepted before it reaches the server that sends it to you. An attacker can forward the message to their own phone, at which point they can log in, as long as they have cracked your password first.

However, no approach is 100% perfect, and even if it does approach perfection it might not be the case tomorrow.

Credentials Being Compromised


A significant number of security threats can be avoided just by using secure passwords.
For best results, choose unique passwords with a minimum of 14 characters including lower-case and upper-case letters, numbers, and special characters. 

Remember that length is more important than complexity. This is because password cracking programs need time, and every extra character multiplies the work. A password with eight characters might take a day or two to crack. A password with 14 characters or more might take years.

Never use the same password twice – if a single account becomes compromised, and you use that password elsewhere, you’re screwed. Secure password managers come in handy here.

 

Personally, I’m a fan of the Blur password manager. Blur allows you to create masked emails for new accounts and will automatically generate secure passwords for you. The paid version allows you to sync your data across multiple devices and browsers through the cloud. All you need is the Blur browser extension. Blur also has its own privacy-focused browser for mobile devices.

Of course, Blur suffered a breach of its own in late 2018. It’s exactly this kind of thing that prevented me from using password managers of any kind for quite some time.

You have to feel bad for them; it must be rather embarrassing for a cybersecurity-focused company to suffer a breach like that. Fortunately, the company claims that only encrypted passwords were stolen, meaning it’s unlikely that the hackers gained any actionable information.

In addition, put your most important passwords on a regular rotation schedule. If your passwords change constantly, they become a whole lot more difficult to compromise.

Distributed Denial of Service (DDoS) Attacks


While DDoS attacks are nothing new, the widespread use of cloud providers has coincided with an increase in their use.
Cloud providers often have existing security protocols to prevent these kinds of attacks. Yet they still happen.
Keeping constant eyes on your security audits and sharing crucial information with administrators can help to mitigate this threat.

Hacked APIs and Interfaces


The majority of cloud apps and services utilize APIs for cross-cloud communications.
The Cloud Security Alliance recommends implementing threat modeling apps and performing thorough code reviews to harden your systems against this threat.

Lack of Due Diligence


This one applies not just to cloud services, but technology in general.

Failure to conduct routine maintenance such as software updates and security audits is one of the main reasons for major hacks.

It’s not about how hackers win – it’s about how those who get hacked lose.

Account Hijacking


This often happens as a result of phishing attempts.
Hackers have figured out that sometimes, they don’t even have to hack anything – simply using social engineering tactics can gain them account credentials. At that point, nothing else matters.


 
Phishing comes in many forms. Sometimes it can be as simple as tricking an individual into sending an unknown party some information. All an attacker needs to do is spoof their email and speak with authority in order to get someone to send the requisite info.

Other times it may mean getting someone to click a link, download a file, or visit a malicious website that appears to be legitimate. All of these methods have been used in the past and seem to be increasing in number and severity.

Educating employees about how to spot and avoid phishing tactics is an investment every company ought to make. Simply being aware of the potential for phishing emails and phone calls greatly reduces the chances of such attacks being successful.  

Malicious Insiders


This may be a somewhat less common threat, but when it happens, it can be devastating.
A malicious insider is like a spy – they can roam about your data undetected and steal it from right under your nose.


Even the National Security Agency (NSA) – a government agency tasked with cybersecurity matters – saw a major leak of confidential documents in 2013 due to an insider threat. For months, a certain someone was snooping around opening classified documents and no one had any idea this was happening.

A way to avoid this is to set up adequate detection methods that alert you to the presence of someone poking around in your system. Simply using canary tokens will give you better detection than most companies have today.

Canary tokens are files that alert you when opened. They look and act just like regular word documents, images, PDF files, or other file formats. But what an attacker doesn’t know is that the moment he or she opens that file, an alert will be sent to your email inbox.

Of course, it’s preferable to make those files inaccessible in the first place. But in the event of a breach or an insider threat, knowing what has just happened allows you to mitigate further damage and take measures to better protect yourself in the future.

Top 7 Cloud Security Threats You'll Possibly Combat This 2019 Reviewed

While these may be the top 7 cloud security threats you’ll possibly combat this 2019, this is by no means a complete list. It does, however, give you a good idea of the types of vulnerabilities inherent in cloud-based systems.

When it comes to preventing these threats, remember the little things – complex, unique passwords, multifactor authentication, network isolation, regular backups and software updates, and so on.

A large proportion of major breaches don’t occur as a result of some super sophisticated hacking method – rather, they happen because someone failed to take simple measures to protect their systems.

This often takes the form of an individual falling victim to a phishing attack, someone using a password like “p@ssw0rd,” or failing to install routine software updates that include the latest security fixes.   

Make sure that doesn’t happen to you by remembering the top 7 cloud security threats you’ll possibly combat in 2019.

Saturday, May 26, 2018

Privacy Practices and Secure Communications to Mitigate Attack Risk



It’s a common misconception that privacy concerns are only for the paranoid or those with something to hide. In reality, having greater privacy is often a prerequisite to having greater security.

If your information is made private, it’s a lot harder to compromise.

Hackers need something to bite on in order to take a chunk of your life or business and tear it to shreds. Don’t give them that initial morsel. Do all you can to step into the shadows.

A few simple methods to help prevent attacks include having better privacy practices and avoiding phishing tactics.

Best Privacy Practices for Companies

The methods described here apply to both individuals and corporations of all sizes. Here are a few things that can be done to make some of the actions of your company more opaque:
  • Use DuckDuckGo as your default search engine. DuckDuckGo does not track its users, meaning there will be no trace of what your employees search for. This will alleviate some concerns over corporate espionage. In addition, DuckDuckGo generally yields better research results than most other search engines.
  • Use Protonmail for all company communications. Protonmail is an encrypted email service based in Switzerland. Free accounts come with up to 500 megabytes of storage. Emails sent to these accounts cannot be seen by outside sources. Encrypted emails also come with the option of setting an expiration date – meaning they will delete themselves without a trace after a set amount of time, from one hour to twenty-eight days.
  • Use Signal 2.0 for all cell phone communications. Signal allows for the same kind of security provided by Protonmail, but for texts and voice calls. Just as with encrypted emails, encrypted texts can be set to self-destruct after a time.
Better privacy practices won’t solve all your problems. But they are a big step in the right direction.

Privacy Practices and Detection



If you can’t prevent an attack, you need to at least know it’s happening. If not, there’s no end to the damage that can be done. Many corporations and nearly all individuals have no detection whatsoever.

Take the National Security Agency (NSA), for example. For months, Edward Snowden was opening classified documents and downloading them.

He managed to escape undetected the entire time. An insider threat escaped the awareness of the NSA due to poor detection. How can you prevent this from happening?

StationX Canary Tokens allow you to create files that will act as trip wires for unauthorized access to your data. If someone opens a Canary Token, you will receive an email notification immediately. This lets you know someone has been poking around in your system.

While it’s ideal to not get compromised in the first place, having adequate detection ensures that you can mitigate the damage done by an attacker. After receiving news that you have been hacked, you can shut down all systems, preventing further intrusions.

Phishing and Privacy Practices

Most of the time, however, detection won’t be much of a concern.

Hackers have figured out that the best way to gain access to a system is to go straight to the source via social engineering. Hackers have begun to turn into amateur spies worldwide.

The majority of successful hacking today is not done by means of some sophisticated computer program or network attacking technique.

It’s simply accomplished by using phishing tactics.


Educating employees about phishing is one of the simplest and cheapest ways for companies to prevent attacks. Many organizations have already begun incorporating such education into their standard training programs.

Phishing emails, phone calls, and websites are the most common techniques used by hackers.

Emails

Never click a link or download an attachment in an email without being 100% certain that it’s from a trusted source.

In fact, it’s best to not even open emails unless you can tell they’re from someone you know. Be sure to check the address the message was sent from. A common tactic is to use a name from your contacts with a single letter changed.

Another way to help avoid this is to use separate email addresses for your inbox. Give one address out for general purposes and another for strictly business.

This way, if an email comes from your general address, you will know to be on high alert for anything suspicious.  

Make it a rule to never click a link or download an attachment in an email, period. This shouldn’t be hard to do.

With cloud storage, you don’t need to send email attachments as often as in the past. And you can always find a link on your own rather than trying to go there directly through the email.
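The "single letter changed" trick above can be checked automatically. Here is an added example, not from the original post, that classifies a From: header against a constructed address book: exact matches are known, addresses within one or two edits of a known one are flagged as lookalikes, and a familiar display name on an unfamiliar address is flagged separately. The contact names, addresses and the two-edit threshold are assumptions of the example.

```python
from email.utils import parseaddr

# Constructed address book for the example: display name -> known address.
CONTACTS = {
    "Alice Jones": "alice@example.com",
    "Bob Smith": "bob.smith@example.com",
    "Accounts Payable": "finance@example.com",
}
LOOKALIKE_MAX_EDITS = 2   # one or two changed characters counts as a lookalike


def edit_distance(s: str, t: str) -> int:
    """Levenshtein distance: minimum single-character edits to turn s into t."""
    prev = list(range(len(t) + 1))
    for i, cs in enumerate(s, 1):
        cur = [i]
        for j, ct in enumerate(t, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (cs != ct)))
        prev = cur
    return prev[-1]


def check_sender(from_header: str, contacts: dict = CONTACTS) -> str:
    """Classify a From: header: known, lookalike, display-name mismatch or unknown."""
    name, addr = parseaddr(from_header)
    addr = addr.lower().strip()
    known = {address.lower(): contact for contact, address in contacts.items()}
    if addr in known:
        return "known"
    # Not in the book: is it within a letter or two of an address that is?
    closest = min(known, key=lambda candidate: edit_distance(addr, candidate))
    if edit_distance(addr, closest) <= LOOKALIKE_MAX_EDITS:
        return f"lookalike of {closest}"
    # A familiar display name on an unfamiliar address is the other classic trick.
    for contact_name in contacts:
        if name.strip().lower() == contact_name.lower():
            return f"display-name mismatch for {contact_name}"
    return "unknown"
```

Anything other than "known" is a reason to find the sender's address on your own rather than replying or clicking through.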

Phone Calls

Phone calls are a more sophisticated form of social engineering. A caller might impersonate someone higher up the corporate ladder and ask for sensitive information.

Again, the easiest way to avoid this is to make it a rule to never share information whenever possible. Verify the source, and then see if there’s some other way to do what’s needed.

Fake Sites

Fake websites are perhaps the most difficult phishing traps to avoid. They can look exactly like the real thing. It’s even possible for an attacker to fake the SSL certificate and the padlock icon in the address bar.

The only way to avoid these attacks is to constantly check the web address word for word. If anything appears to be off, don’t enter any personal information. In addition, most browsers and anti-virus programs have features that will warn you of potentially fake sites.

No Cause for Concern with Good Privacy Practices



Using encrypted communication, having some detection set up, and avoiding phishing will go a long way towards achieving freedom from many of the most common cybersecurity concerns. It will also mitigate the damage that can be done in the event of a successful attack.