Wednesday, August 25, 2010

Apple patenting "traitorware"

Julie Samuels of the Electronic Frontier Foundation's (EFF) "Deeplinks" blog has a lot to say about Apple's recent application for a patent on "Systems and methods for identifying unauthorized users of an electronic device." It doesn't sound too bad, does it? How do we identify someone who's stolen our $500 iPhone or our $1500 laptop? Use Apple's newest development in user identification and monitoring, of course!

This technology goes waaaay beyond what would be necessary to tell whether a device is stolen or not. With this "traitorware," as the EFF is calling it, Apple can collect and store biometric data on you, tell if the device has been jailbroken (and take action if it has), and alert the appropriate parties to where the device is. Here's the EFF's partial list of what Apple's proposed system can do:

  • The system can take a picture of the user's face, "without a flash, any noise, or any indication that a picture is being taken to prevent the current user from knowing he is being photographed";
  • The system can record the user's voice, whether or not a phone call is even being made;
  • The system can determine the user's unique individual heartbeat "signature";
  • To determine if the device has been hacked, the device can watch for "a sudden increase in memory usage of the electronic device";
  • The user's "Internet activity can be monitored or any communication packets that are served to the electronic device can be recorded"; and
  • The device can take a photograph of the surrounding location to determine where it is being used.

In other words, Apple will know who you are, where you are, what you are doing and saying, and even how fast your heart is beating. In some embodiments of Apple's "invention," this information "can be gathered every time the electronic device is turned on, unlocked, or used." When an "unauthorized use" is detected, Apple can contact a "responsible party." A "responsible party" may be the device's owner; it may also be "proper authorities or the police."

There is no need for Apple, or anyone, to gather that much information about you as a purchaser of their products. This is information that can be used to steal your identity. We're not talking about a single biometric identifier - that would be bad enough. Apple wants to gather your picture, voiceprint and heart rhythm at least, and maybe more. They want to monitor your internet usage - and not just log where you go, but record the actual data packets being sent to and from your device. They want to monitor memory usage for patterns that may indicate the device has been jailbroken - even though jailbreaking is legal.

With this patent application Apple is reaching far beyond any information they have a right or a need to gather. Pray the patent is denied and that Apple doesn't try to change it and reapply. This is an idea whose time will never come.

iTunes breach: Much ado about nothing.

It's a big story. TechCrunch reported that there's a flaw in iTunes that allows bad guys to go in and empty your bank account if you have PayPal selected as the payment method. One poor customer racked up $4700 worth of charges in a matter of hours. Other customers reported hundreds or thousands of dollars stolen. The story grew from there.

There was just one problem. It was wrong. The real culprit wasn't a flaw in iTunes or PayPal; it was a successful phishing attack that harvested people's usernames and passwords, allowing the hackers to access accounts and rack up charges as if they were the legitimate owners.

An overzealous reporter or editor at TechCrunch failed to adequately check the story, used Twitter to verify that there was a problem, and ran with it. There was a real, newsworthy story here, but it wasn't a flaw in iTunes; it was gullible users handing over their passwords.

Don't trust requests for identifying information in email. Don't trust anything in such an email, and whatever you do, don't give out your information just because the email looks pretty. You'll keep your account and your sanity intact.

Monday, August 23, 2010

e-trash: Trashing computer/Trashing TV. Not the same thing.

Getting ready to upgrade that computer? Considered what you were going to do with the old one?

No, I'm not going to recommend a worthy charity - though I won't discourage donating a fairly recent computer. I am going to recommend that before you donate it, or throw it in the dumpster if it's that bad off, you perform a secure wipe of the drive. Simply deleting the files won't protect the data. There are plenty of utilities to recover deleted data, and often we don't even think about what is on our hard drives. Financial records, journals or diaries, family photos, personal correspondence, business records or ideas, and more things that we might not want a stranger seeing are all on our computers. Yet so often we just give them to charity or toss them in the dumpster without a second thought.

Unfortunately, modern PC makers don't make it as easy as it could be to securely delete data. Well, maybe fortunately. When you perform a secure erase you won't recover the data unless God reaches down and recovers it for you. If you have a Mac, the ability is built into the Finder in the "Secure Empty Trash" under the Finder menu and in the "Disk Utility" program in Applications/Utilities. You can't erase the drive you're booted from, so you have to put a little thought and work into erasing a drive on the Mac, too.

If you have a Mac, boot from the OS X install disk or the Restore disk that came with your computer. Select Disk Utility from the appropriate menu - which one varies by OS version - select the Erase tab and the secure option, then choose just how secure. Writing over the entire drive with zeroes will give decent protection from the casual new owner who is a little curious about what you may have had on your computer. But for real security select the 7-pass overwrite. Then go about your life for a while. A 7-pass overwrite will take 7 times as long as a single pass - and a single pass can take hours (or days) on a drive that's a few hundred gigabytes. If your computer is a laptop, make sure you're plugged into the wall for this operation.

If you have a PC there are a few options: free, commercial and shareware. If you're getting ready to retire your PC, here are a few of the freebies (as good as most for-pay products) for you to try:

Eraser from Heidi Computers. Received 4 out of 5 stars from CNET editors and 3.5 stars from users. Biggest complaint was lockups and crashes.

DBAN aka Darik's Boot and Nuke. Download the disk image. Burn it to a CD or DVD, boot the computer and erase the HD. Received 4.5 stars on CNET from both the editors and users.

Freeraser from Codyssey. It works on individual files, so if you know what files or folders you want to securely delete and don't want to take the time required to wipe the entire drive, this is a good option. It has only 2 user reviews on CNET, both 5 stars. It has a decent staff review, but no ratings, on PCWorld.com. But no complaints after over 4,000 downloads suggests the software works as described.
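As an added illustration (not the post's own code, nor any of the tools above) of why deleting a file does not remove its bytes, why a per-file secure delete only cleans the file you point it at, and what a whole-drive multi-pass wipe does, here is a toy disk model in Python; the block size, layout and the sample "account" data are constructed for the example:

```python
"""Toy disk model: 'delete' versus per-file secure delete versus whole-drive
wipe. Added illustration, not code from any real tool; BLOCK and the sample
data are constructed for the example (real drives use 512- or 4096-byte sectors)."""
import os

BLOCK = 16  # bytes per block (constructed for the example)


class ToyDisk:
    """A flat byte array plus a directory, like a very simple filesystem."""

    def __init__(self, blocks=32):
        self.data = bytearray(BLOCK * blocks)
        self.free = list(range(blocks))   # unallocated block numbers
        self.dir = {}                     # file name -> list of block numbers

    def write(self, name, content):
        """Store content in free blocks and record them in the directory."""
        needed = -(-len(content) // BLOCK)  # ceiling division
        if needed > len(self.free):
            raise OSError("disk full")
        blocks = [self.free.pop(0) for _ in range(needed)]
        for i, b in enumerate(blocks):
            chunk = content[i * BLOCK:(i + 1) * BLOCK]
            self.data[b * BLOCK:b * BLOCK + len(chunk)] = chunk
        self.dir[name] = blocks

    def delete(self, name):
        """What an ordinary delete does: drop the directory entry and mark the
        blocks free. Not a single data byte is touched."""
        self.free.extend(self.dir.pop(name))

    def carve(self, pattern):
        """What a recovery tool does: ignore the directory and scan the raw
        bytes. Returns every byte offset at which pattern is found."""
        hits, start = [], 0
        while True:
            pos = self.data.find(pattern, start)
            if pos == -1:
                return hits
            hits.append(pos)
            start = pos + 1

    def _overwrite_blocks(self, blocks, passes):
        """Multi-pass overwrite: cycle through 0x00, 0xFF and random fill.
        With the default 7 passes the final pass is zeros, so the result is
        deterministic."""
        for p in range(passes):
            for b in blocks:
                if p % 3 == 0:
                    fill = b"\x00" * BLOCK
                elif p % 3 == 1:
                    fill = b"\xff" * BLOCK
                else:
                    fill = os.urandom(BLOCK)
                self.data[b * BLOCK:(b + 1) * BLOCK] = fill

    def secure_delete(self, name, passes=7):
        """Per-file secure delete (the Freeraser-style approach): overwrite this
        file's own blocks, then drop the entry. Blocks of files deleted earlier
        the ordinary way are NOT touched."""
        self._overwrite_blocks(self.dir[name], passes)
        self.delete(name)

    def secure_wipe(self, passes=7):
        """Whole-drive wipe (the DBAN / Disk Utility approach): overwrite every
        block, allocated or free, and start over with an empty directory."""
        nblocks = len(self.data) // BLOCK
        self._overwrite_blocks(range(nblocks), passes)
        self.dir = {}
        self.free = list(range(nblocks))


def demo():
    """Returns the carve results after delete, after per-file secure delete,
    and after a whole-drive wipe."""
    secret = b"ACCT 1234-5678 PIN 9876"   # constructed sample data
    d = ToyDisk()
    d.write("taxes.txt", secret)
    d.delete("taxes.txt")
    after_delete = d.carve(b"PIN 9876")         # still on disk at offset 15
    d.write("notes.txt", secret)                # lands in different blocks
    d.secure_delete("notes.txt")
    after_secure_delete = d.carve(b"PIN 9876")  # notes.txt gone, taxes.txt remains
    d.secure_wipe()
    after_wipe = d.carve(b"PIN 9876")           # nothing left to recover
    return after_delete, after_secure_delete, after_wipe


if __name__ == "__main__":
    print(demo())
```

The middle result is the point of the whole-drive tools: a per-file secure delete cannot reach data you already "deleted" the ordinary way, which is exactly what is left behind on a donated machine.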

Friday, August 20, 2010

Facebook brings us location as no one else can

<blockquote>If you're like me, when you find a place you really like, you want to tell your friends you're there. Maybe it's a new restaurant, a beautiful hiking trail or an amazing live show.</blockquote>

That's Michael Eyal Sharon on the Facebook Blog introducing Places. Places is the new feature being rolled out by Facebook that allows you and your friends to let people know where you are. Well, your friends can put you where they are unless you block that function. According to Mr. Sharon you are always given the option of choosing who sees your location. I'm sure we can, but is Places starting at the point Facebook was in 2005, or in 2009? Things have changed a lot in 5 years. If you don't believe it, look at Matt McKeon's animated graphic of how much of your information is public by default in Facebook's privacy settings.

Foursquare, the current king of location sharing networks, has to be watching this development closely. No one can ignore it when Facebook moves into their space. Does any other company claim membership of 1/14 of the world's population? That's some heavy competition if any of your users are also theirs. And with 500,000,000 users, odds are some of them are.

I've posted my opinion of Foursquare and other services that allow you to broadcast where you are (and where you aren't) before. Foursquare has some really good sharing controls. But Facebook has a tendency to water down its controls as time goes on. I haven't seen the privacy controls for Places yet, but if the privacy policy follows the trend set by Facebook, in five years or less Places will be broadcasting most users' locations to every business in a 100 yard radius, and to everyone else unless you specifically tell it not to. A nightmare for privacy and personal security.

Location broadcasting services are working hard to make themselves useful additions to your social networking experience. And they are providing some interesting services. With proper privacy controls and a little common sense they can be useful. But can you trust Facebook to maintain the proper privacy controls in light of the lousy record Facebook has when it comes to maintaining users' privacy?

Thursday, August 19, 2010

Google CEO: People want Google to tell them what to do

Eric Schmidt, Google's CEO, sat down with a bunch of Wall Street Journal editors recently. Holman W. Jenkins, Jr. took the interview and turned it into an article, "Google and the Search for the Future." After reading the article I wish I could afford Google stock. Mr. Schmidt appears to have far-reaching vision, and enough of it to keep Google at the forefront of our online life for a good while. But at the same time, I cringe to think of what his vision means for our privacy.

Why does it make me cringe? Two quotes from the article, one a direct quote of Mr. Schmidt, seem to put Google on the path to becoming Big Brother, although a much kinder, gentler big brother than imagined by George Orwell:

"I actually think most people don't want Google to answer their questions," he elaborates. "They want Google to tell them what they should be doing next."

Let's say you're walking down the street. Because of the info Google has collected about you, "we know roughly who you are, roughly what you care about, roughly who your friends are."

We all know that Google knows a great deal about us. And I'm pretty sure that it has better than a rough idea who a lot of people's friends are. What's a little scary is that the CEO of Google thinks most of us want Google to tell us what to do. What's scarier is that he may be right.

Wednesday, August 18, 2010

Disney Internet group sued for breaking privacy policy

Dan Goodin reports in the Register that Disney's Internet division is being sued, along with Clearspring Technologies, Warner Brothers and several other companies, for using "locally shared objects," also known as Flash cookies, to track users across multiple sites.

According to the complaint, the sites use Flash cookies without giving users an appropriate explanation of what Flash cookies are and what they do. Flash cookies are a problem. They are difficult to remove, and once they're removed they can respawn without losing the data from the deleted cookie. Compared to regular cookies, Flash cookies can hold a lot more data and can share data across domains. That means that multiple sites (e.g. Disney and Warner Brothers) can share data about what you do on their sites. That's not possible with normal browser cookies.

Flash cookies are a real problem. Adobe has officially stated that such use of Flash was never intended and is against its policy. But Flash cookies have been around for years and Adobe still hasn't provided an easy way to delete them and/or keep them from respawning.

Tuesday, August 17, 2010

S.N.A.P. the Social network privacy app for iPhone and iPod Touch

Bit Systems has created S.N.A.P., the Social Network Analyzer for Privacy. It's something like reclaimprivacy.org, but for your phone. It analyzes your privacy settings on Facebook and lets you know how public you're really being. The app is free from the iTunes App Store, so if you have iOS 4, download it, go to Facebook and check your privacy settings. See how you're doing and how much you're revealing about yourself to the world.

Monday, August 16, 2010

Web Tracking - Incredibly pervasive

There was an interesting piece on C-SPAN the other day about web tracking. It was an interview with Julia Angwin, Wall Street Journal (WSJ) Senior Technology Writer. She was being interviewed because of a report done by the WSJ on July 30th. The report is called "The Web's New Gold Mine: Your Secrets," and even I was a little surprised by some of what they learned. I was only able to listen to about 10 minutes of the 35 minute interview then, but even that had some interesting discoveries. I'll be going back to listen to the rest and I will be checking out the WSJ report. Some of this I've talked about before, but here are some of the tidbits from the first 10 minutes (italics are my comments):

<blockquote>The top 50 websites in the U.S. were examined. After visiting all 50, over 3,000 tracking devices had been installed on the computer. The average was 64 tracking devices per site, but the biggest offender was dictionary.com.

The WSJ reporters were surprised by the scope and invasiveness of the tracking, <i>which tells me they haven't been listening to groups like the EFF.</i>

Some of the trackers were programs that actually had the ability to log keystrokes. <i>This is something I wasn't aware of. It's disturbing.</i>

The file created by these trackers is supposedly anonymous. <i>Ms. Angwin later says that someone sent them personal information gleaned from a supposedly anonymous file. It was all a little off - zip code one digit off, age a little off, etc. My experience tells me that was done on purpose, not because they couldn't get the right information.</i>

Beacons - Live software programs that launch invisibly while on page and monitor your activity - <i>these probably included the keylogger, but they didn't explicitly say that in the interview.</i>

Flash Cookies - cookies that live in the Flash video player - harder to find and delete than standard cookies and almost universally condemned, even by the tracking industry's trade organization. <i>And yet they're still being used.</i></blockquote>

It looks like an interesting, informative report. Check it out.

Friday, August 13, 2010

So you want to be a hacker: More resources, free and not

There are thousands of resources on the web that will teach you how hackers do what they do. They range from legitimate resources like SANS and Security Focus (with hundreds of others) to much less savory ones - which we won't go into here.

Not everyone finds these things interesting, but everyone can benefit from learning a little bit about how hackers and identity thieves operate, and there are a lot of sites that will teach you without exposing you to the risks that searching the seamier side of the web might. So here are a few places you can go to either learn more about computer security or learn more about how the bad guys take advantage of computer insecurity:

Wikipedia, about.com, howstuffworks.com, etc. Go to these sites, type in your query, and pick the topic that most closely matches what you're looking for. About.com and howstuffworks.com usually have short courses in topics like computer security, networking, etc. At these sites you can learn the basics of just about any topic, not just computers.

csrc.nist.gov is the Computer Security Resource Center at the National Institute of Standards and Technology. Here you can find the security standards government computers are supposed to comply with (and usually don't) and you can find instructions for seriously hardening your system against attack.

Security Focus is a Symantec site that reports on vulnerabilities and has a number of security related email lists covering topics from security basics to Windows and Apple specific lists. It links to the Symantec connect site, where you can find forums and blogs on a number of topics, most related in some way to Symantec products.

SANS is THE place to go for security training. There are other places that offer good and recognised training, but SANS is the one place everyone in security knows. You could say they're the Microsoft of security, but without all the hate and ill feelings. They have a large library of free security papers written by security professionals.

Thursday, August 12, 2010

So you want to be a hacker 2

If you feel like you're making progress at Hackthissite.org but something's lacking, you might take a gander at social-engineer.org, a site that looks at the human side of the security equation.

Unlike hackthissite, social-engineer is a work in progress, seeking the aid of others in the community to help fill in the gaps of the site. But it does have interesting and useful information. Some of the videos in the resource section look dated, but the information is still good. The most interesting parts of this site would be the blog, podcast and newsletter. The "Framework" is the most in need of information. It's basically a wiki waiting to be filled, although there is some interesting information in it.

But if you're cruising through hackthissite, know everything social-engineer.org can teach, are ready to go to the next level, and think you might like to get serious, maybe even make a career of this security stuff, maybe it's time to look into Offensive Security, SANS, or other groups offering certification courses online and off. Depending on the certification you're seeking, courses can run a few hundred to a few thousand dollars. It seems expensive, but the amount of information in these courses is unbelievable, and well worth the price.

Wednesday, August 11, 2010

So you want to be a hacker...

Have you ever wondered how hackers and crackers (white hats and black hats) learn their trades? There are probably as many ways to become a hacker as there are hackers. One thing I've noticed is that a number seem to come from sciences such as physics and mathematics. Others were inspired when some script kiddy at the school they taught at (and administered the server for) hacked into the school server. Some wanted to get into the school server.

If you'd like to try your hand at becoming a hacker, a fair start is hackthissite.org. As the name suggests, hackthissite.org is a site with "missions" that teach you ways to hack into a site. The missions range from basic, suitable for students with little or no knowledge of computer security, to steganography, the art of hiding information. They also have a forum section with discussions on a number of technical issues, including building your own computer. There are forums dedicated to the missions, but be sure you've made a real effort to solve the puzzle before asking for help.

So what are you waiting for? Head to hackthissite.org and become the nation's next über hacker.

Tuesday, August 10, 2010

Is Ground Zero mosque a First Amendment issue?

I've been reading a lot of interesting things about the Cordoba Mosque. Some interesting, some amusing, some disturbing, but all hyped up and full of hyperbole:

Paul Shmelzer of the Minnesota Independent reports that Muslim groups are upset that Minnesota Governor Tim Pawlenty said the Ground Zero mosque is "inappropriate."

I would say he's probably right. If it is really being placed there to build bridges, its planners need to wake up, because it is having the opposite effect. National head of the Anti-Defamation League Abraham H. Foxman used the example of the Carmelite convent established near Auschwitz as a model(1) for how the mosque's planners should act:

The lessons of an earlier and different controversy echo in this one. In 1993, Pope John Paul II asked 14 Carmelite Nuns to move their convent from just outside the Auschwitz death camp. The establishment of the convent near Auschwitz had stirred dismay among Jewish groups and survivors who felt that the location was an affront and a terrible disservice to the memory of millions of Jews who died at the hands of the Nazis in the Holocaust.

Just as we thought then that well-meaning efforts by Carmelite nuns to build a Catholic structure were insensitive and counterproductive to reconciliation, so too we believe it will be with building a mosque so close to Ground Zero.

Is it really that hard to understand? The Carmelites had no connection to Hitler's death camps, yet Pope John Paul II understood that the location of the convent was an affront to the Jewish community and that it should be moved. Feisal Abdul Rauf should be able to understand the same of his Cordoba mosque.

I even read a translated Arabic article that said the U.S. government should confiscate all funds set aside for the mosque. But while I agree that the mosque should not be built two blocks from Ground Zero and that it is offensive to many, we have a document that says our federal government cannot stop its being built. Unless there is proof that it will be a haven/planning center for terrorists, no one will argue that it is not being built by an established religion. As such the First Amendment to the Constitution applies.

If a project with the stated purpose of "building bridges" causes this much controversy and animosity, it needs to be re-evaluated. It's obviously heading in the wrong direction at the outset.

(1)Mr. Foxman didn't include the entire Carmelite Auschwitz story. The convent was moved, but the controversy is ongoing.

Monday, August 9, 2010

Social Networks enhance political protesting in Middle East

In an opinion piece at the Washington Post, Mona Eltahawy tells us that free speech is getting a boost in the Middle East, thanks to social networking sites like Facebook, Twitter and YouTube. This is the result of an event I blogged about a little over a month ago, the death of Khaled Said.

News of Khaled Said's alleged murder by two Egyptian police officers spread quickly on Facebook and Twitter. Shortly after that, Facebook groups were started in Khaled's name, and protests were organized.

Ms. Eltahawy discusses the events since his death, including the trial of two of the officers involved in the beating. The trial isn't over, but the fact that there was a trial says a lot.

The beauty and power of the internet is wrapped up in the fact that no one really controls it. As governments and industries try to control what can be transmitted and who can transmit it, the freedom that many of us take for granted is threatened. It may not seem like a big deal to those of us in countries that enjoy constitutional protections, but the activists in countries that don't enjoy those protections can tell you that it is a very big deal, indeed.

Friday, August 6, 2010

TSA: Oops, we accidentally stored the unstorable images

Do you remember the TSA telling us that airport full body scanners wouldn't violate privacy? That the images couldn't be saved or moved from the machine? I blogged about the scanners several times, here, here, and here to link to a few.

It's now being widely reported that the feds accidentally saved tens of thousands of scans on a scanner in Florida. Declan McCullagh on CNET gives us some more details, such as this admission:

This follows an earlier disclosure (PDF) by the TSA that it requires all airport body scanners it purchases to be able to store and transmit images for "testing, training, and evaluation purposes." The agency says, however, that those capabilities are not normally activated when the devices are installed at airports.

So much for "incapable of saving images." And that's just one scanner.

Thursday, August 5, 2010

Counterspy: If you've done nothing wrong...

There's a new privacy blog called "Counterspy" by Barton Gellman, an investigative reporter who wants people to understand what privacy is - and it isn't what Larry Ellison, Mark Zuckerberg or Janet Napolitano would have you think it is. The problem is, in the story he writes about it on Techland.com he doesn't tell us where it is (fortunately someone asked and the link is in the comments - the blog is here).

Mr. Gellman makes some very good points. We all have things that, while not illegal or even immoral, we may not want to be common knowledge. An employer may not want employees to know he's contemplating layoffs (he may be seeking other options) and companies don't publish trade secrets. Do you tell your employer you're looking for another job?

But his best response to those who say, "if you're not doing anything wrong, you have nothing to hide," isn't a statement, it's a reference. Remember the Jim Carrey movie, "Liar, Liar?"

Think about it.

Wednesday, August 4, 2010

Android rootkit revealed at defcon18

esecurityplanet.com reports that researchers Nicholas Percoco and Christian Papathanasiou wanted to prove that it's not hard to create rootkits for Android devices. They succeeded with a rootkit that can exploit vulnerabilities to gain access to the phone or mimic real apps to fool users into downloading it.

Rootkits are nasty, mangy, fang-toothed things that get into your system, whether it's a computer or a smartphone, and hide themselves from casual (and often intense) examination. Cell phone rootkits have been around for a little while, but as they become more commonly available and more people get smartphones, serious effort may go into producing and deploying rootkits to mine this looming mountain of data.

Tuesday, August 3, 2010

Data from 100,000,000 Facebook users harvested

I'm not sure how big a deal I think this really is. Rachel Quigley of London's Daily Mail reports that information from 100 million Facebook users has been harvested and put up on The Pirate Bay for download.

Why am I not sure it's a big deal? Well, partly because Facebook is right when it says the same data is already accessible through search engines such as Google and Bing. We're not talking about someone breaking into Facebook's servers and stealing data or hacking into accounts to steal it. We're talking about someone who wrote a program to harvest the readily available information people have made public. The guy didn't even harvest it with nefarious plans; he just wanted to show how vulnerable people are making themselves. Of course, he doesn't have to have nefarious plans if he's going to release all of the information to the world.

Regardless of Ron Bowes' intent in harvesting and publishing the information, I have to disagree with the Mail's opening sentence:

The privacy of millions of Facebook users has been jeopardised after some of their details were harvested and published on the internet.

No one's privacy is in jeopardy that wasn't already in jeopardy. It might be marginally more in jeopardy, but face it, even if people have posted information that will allow someone to guess the password to their bank account (and they probably have), they're still one in a group of 100 million. So they were one in a group of 500 million before - the information was already public, and they did it themselves.

I'm going to download the file out of morbid curiosity and see how long it takes to get bored and how much useful information is actually there. I'll let you know if I find anything interesting.

Monday, August 2, 2010

Smart Phones becoming big targets

Redorbit.com reports that smartphones were a big topic at the Black Hat computer security conference last week. There are a number of factors that push this trend:

1. Smartphone users tend to have their phones with them.

2. They tend to trust their phones with large and ever increasing amounts of personal and financial information.

3. They are downloading huge numbers of apps without giving much thought to security.

There have been a couple of incidents recently that underscore the importance of security on your smartphone. Just last Friday I blogged briefly about the wallpaper apps from China that harvested information from the phones they were installed on. Redorbit tells of another case:

"A hacker from Russia cracked into a legitimate game, planted a virus and then offered the infected app for free at a copycat website ... The software app was modified to make the smartphone call eight telephone numbers that charged premium rates and then channeled most of the charges back to the hacker. The calls added a total of $12 to a smartphone owner’s monthly bill. The software was programmed to repeat the calls once per billing cycle."

Smartphones are great tools and the apps you can get for them are amazing, but even a simple cell phone is a small computer. Some smartphones are actually very powerful computers that we still treat like the simple phones we had 10 years ago. That's going to have to change.