
Saturday, March 17, 2012

Should Apple map your travels? Should police seize your cell phone data?

Thanks to Kenny Ketner for pointing this Apple privacy invasion out to me. TalkingPointsMemo reports that Apple iPhones and iPads are tracking every move we make (if we own one). I would assume iPod Touches are also guilty. Sam Biddle, the author, has a map on the article showing everywhere he's been for the last six months.

At this point it looks like the information isn't transmitted to anyone, it's only gathered on the i-device and the computer it is tied to. But does that really matter? Why gather that much information on your customers? There is no reason if you don't intend to use it - or find a use for it. Which begs the question of whether or not Apple or any company has the right to be gathering the data in the first place. But even if you do have the right and you do have a use for it, gathering it could put your customers at risk in a number of ways. Which leads us into the second half of this post:

Infosec Island reports that Michigan state police are using data extraction devices to collect data from cell phones when they make a traffic stop, and have been for several years. According to the report, the extraction devices used by the Michigan police are capable of breaking encryption on any of the collected data that is encrypted. According to a brochure for the UFED mobile data extraction device, it can extract:

  • Call logs, including SIM deleted call history
  • Contacts
  • Phone details (IMEI / ESN, phone number)
  • ICCID and IMSI
  • Text messages (SMS), including SIM deleted messages
  • Photos
  • Videos
  • Audio files
  • SIM location information: TMSI, MCC, MNC, LAC
  • Image geotags

If that's not enough:

The UFED’s SIM ID cloning feature allows data extraction from PIN locked SIMs, phones with missing SIM cards, and phones without network service. The cloned SIM card also allows access to phones without connecting to a network, preventing incoming calls and messages, while preserving the existing call and message history.

Now we have police downloading the data from cell phones of people who have done nothing more than be pulled over for speeding. Shouldn't that fall under the heading of unreasonable search and seizure? Today it's not unusual for someone to have more of their personal lives on their cell phones than in the filing cabinet in their home office. Maybe even more than is in their computer. To say that police can download that data without having to get a warrant or even have probable cause is a gross violation of privacy and civil liberties.

I can understand and to some extent agree with the "border" searches of laptops. Sort of. But the pseudo-justifications given for those searches and seizures do not apply to most, if not all, of the people giving up their cell phone data because an officer said they had to. If it was an iPhone, they've given their life history for the last 6 months. I can already see misuses and abuses for such information. Imagine if you happened to be in the area of an unsolved crime at the wrong time. It wouldn't be the first time limited circumstantial evidence has been hyped into a conviction.

The ACLU of Michigan has requested info on what types of data have been gathered and what is being done with it. The state has agreed - if the ACLU will cough up over $500,000 to pay for it. From here something smells rotten in the state of Michigan.

What data is gathered about us, how it is gathered and who gathers it should be something we have a lot more awareness of and say in. Apple's movement mapping and Michigan's data theft are two things that must be brought to a screeching halt.

Saturday, December 10, 2011

Watch those unsolicited insurance calls

Originally published 3/31/11 on lubbockonline.com/glasshouses

When I got home from work my wife told me about a phone call she'd received just before I arrived. A foreign man told her he was from the insurance company. I suppose it's obvious he wasn't, or I wouldn't be writing about it. He knew her name. He knew she was in Lubbock, but that was about all he knew. She asked him what insurance company he was from, and he said his company represents all of the online companies. He could tell her what companies he represents, but not who our insurance company is, even though he claimed to represent them. When he asked for her birthday, address and if she'd had any wrecks or tickets she told him if he represented our insurance company he should already have that information. He hung up on her. For amusement I called the number that the caller ID gave when he called. It wasn't an insurance company. I've included a few seconds of it for your amusement and edification. Never trust an unsolicited phone call from 'your' insurance company, mortgage company, bank, whatever. Don't let them push you into proving who you are. They called you. If they don't know who you are hang up, call your real insurance company, bank, whatever, and find out if they need to talk to you. If it was actually them, they'll understand. If they don't, find one that will.

Who knows more about you than Google? Your cell phone provider.

Originally published 3/30/11 on lubbockonline.com/glasshouses

Malte Spitz, a German politician and privacy activist, sued Deutsche Telekom and obtained 6 months of their records on him - including location data. He gives details in his blog, but perhaps the most interesting result of his efforts is the animated map of his movements during those 6 months. If you put it in satellite view, it's even a little creepy.
Mr. Spitz also makes the data available for download to play with if you want. But not all of the data is there. Even though the telecom company routinely gathered and kept the numbers of the people he communicated with, both by phone call and by text, they did not release that information to him. So the data is incomplete. Part of the information given on the map is the number of calls and texts sent and received each day. With the phone numbers you could probably have identified his best friend, his wife or significant other, etc. The cell phone company had that information, and if he surfed the web on his phone, a lot more - all of it just waiting for someone to break in and take it. Or bid high and buy it.
Online, many services are paid for with our personal information. I don't agree with that, I don't like it, but I understand it. I believe we should control what happens to our information, and we should know how it is being used by the people we're giving it to, and be able to tell them how they can and can't use it. When it comes to cell phones, cable companies, ISPs and the like, they have no right to any more information than necessary to verify we are who we say we are and determine our bills. We are already paying them for the right to use their services.

Update: The New York Times has an in-depth article on this: It’s Tracking Your Every Move and You May Not Even Know

Thursday, September 23, 2010

Google Apps now more secure than many banks

Who knew that Google would make its free app offerings more secure than many banks make account access? Mark Hachman at PCMag.com reports that Google Apps Taps Phone for Two-Layer Security.

It's pretty cool. It's only available right now for enterprise customers, but it is going to be available soon for everyone who uses Google Apps and has a cell phone, via SMS text messages. There are apps for Android and BlackBerry phones, with an iPhone app in the works. This is a good thing. It makes it much more difficult to hack into someone's Google Apps account and gives yet another multi-factor authentication option.

After reading the PCMag story, I checked the "Krebs on Security" blog to see if he had anything to say about the new Google Apps feature. He blogged about it earlier this week. In Google Adds 2-Factor Security to Gmail, Apps he notes that the free two factor authentication offered by Google is better than that offered by many banks. The lousy online security offered by many banks is a topic Brian Krebs talks about a lot, and one I talked about in regard to Plains Capital Bank suing their customer last year. Brian saw a bonus in Google's new feature that didn't occur to me, although it seems an obvious way to pay for people making free use of it. Offer the service to banks. Google can probably offer the service at a nice profit for Google and still be far cheaper than solutions that require banks to buy hardware. The hardware will be provided by the customers. It's a win for everyone.

Wednesday, August 4, 2010

Android rootkit revealed at defcon18

esecurityplanet.com reports that researchers Nicholas Percoco and Christian Papathanasiou wanted to prove that it's not hard to create rootkits for Android devices. They succeeded with a rootkit that can exploit vulnerabilities to gain access to the phone or mimic real apps to fool users into downloading it.

Rootkits are nasty, mangy, fang-toothed things that get into your system, whether it's a computer or a smartphone, and hide themselves from casual (and often intense) examination. Cell phone rootkits have been around for a little while, but as they become more commonly available and more people get smartphones, serious effort may go into producing and deploying rootkits to mine this looming mountain of data.


Wednesday, April 28, 2010

Tori Pennington could have lived

Last Saturday Tori Pennington's body was found by her 12-year-old son. In Tuesday's Avalanche-Journal Robin Pyle reported that she was allegedly killed by a man she met through an online dating service. At the time I'm writing this not a whole lot is known, other than that she had been talking with Dustin Kendrick online and over the phone for an undisclosed amount of time. It is presumed that this was their first face-to-face meeting. This isn't the first online relationship in Lubbock to end in murder. In 2004 Joanna Rogers disappeared and was later found dead in the Lubbock landfill. Her killer was initially connected to her by chat records and emails on his computer. We can only guess at the number of people in Lubbock who have been beaten by people they met online but never reported it.

Sometimes bad things happen. But often they can be avoided, and meeting online doesn't have to be any more dangerous than any other way to meet people. So here I am going to suggest a few steps to take when meeting people online. They won't guarantee your safety, but they will at least reduce the risk. They aren't in order of importance because they are all important.

  • If you're looking for dates online, go to a large, reputable site that does at least a little checking on its members. The final call is still up to you, but every extra bit of screening helps.

  • Spend plenty of time getting to know them online before meeting in person. The longer you interact and the more you see of their actions, the more likely you're seeing "the real them."

  • Don't give them your address or home phone. Give a cell phone number - in most cases you can't get an address by looking up a cell phone number on the internet. With land lines you can.

  • I don't care how nice he (or she) is, the first few times you meet in person, don't meet at home, a hotel, or any place you will be alone. That includes going there after the dinner, movie, whatever. Meet in public places, preferably with friends. They will probably see things you don't - good and bad. You will have to judge at what point you feel 'safe' being alone, but the first date definitely isn't it.

  • Alcohol impairs judgment. Drink little or none the first few dates.

  • When you do decide it's ok to meet in more private places, make sure someone knows where you're going. Having a friend call to check up on you isn't a bad idea, and it can give you an out if you're getting uncomfortable.


To find more ideas for safely dating people you meet online, google "online dating guide" or "safe online dating."

My prayers go out to Tori Pennington's family, especially her children.

Thursday, March 11, 2010

Ford: First Online Road Devices

Or maybe First Online Road Death? That last is a little unlikely, but in the realm of possibility. Ford is bringing a new meaning to "mobile device," and adding to the list of web-enabled devices. With Microsoft, Ford developed Sync and started putting it in some Ford vehicles in 2008. Sync allows you to connect Bluetooth phones or USB devices like MP3 players to your car and control them with voice commands. It's a really neat bit of technology, but Ford wasn't satisfied to rest on their laurels.

Kevin Spiess reports on Neoseeker.com, "Ford to use Windows CE in some 2011 models." With the functionality of a full OS, Sync will become more powerful, offer more control options, and will provide wifi connectivity for web browsing when parked. As delivered from the factory the web browsing will only work when the vehicle is in park, but I figure about 2 weeks (or less) after the first wifi enabled Ford is delivered there will be a way to activate browsing while driving.

But as surprising and innovative as wifi enabling a car may be, what is more impressive is that Ford is thinking about security long before implementing wifi in the cars - both to protect users' data and to protect the system from malware that might endanger the car and its occupants. That's important since connectivity will include social networks and other high risk locales.

The security features are pretty decent. A hardware firewall between the engine computer and the entertainment computer is one nice thing. They can't totally separate the two because they need to share things like GPS data and highway speed, to name a couple of things. To help protect from malware Sync will only accept software from Ford, and it won't allow installation through the wifi connection. There are other features to keep your data safe in your car.

And the security doesn't just cover electronic assets. There are features that will make Ford vehicles with Sync unattractive to thieves, too. An engine immobilizer keeps the engine from turning over unless a coded key is used, and a keycode allows the car to be opened even if the keyfob is left in the car.

Ford is taking a lead position in bringing the automobile to the internet, and vice-versa. It will be interesting to see where this trend goes over the next few years.

Friday, February 12, 2010

Obama = Bush

Now that I've got your attention, yes, I mean that. When it comes to citizens' privacy rights, I can see no discernible difference between their administrations. Obama is continuing the national phone monitoring that was started by the Bush Administration. A program that is unconstitutional and does little if anything to benefit national security.

If that wasn't bad enough, last night I saw two articles talking about a case being argued today in Philadelphia. The first was at Cato-at-liberty.org and was pretty short. The headline says it all:
The Government Can Monitor Your Location All Day Every Day Without Implicating Your Fourth Amendment Rights

The second was an opinion piece by Catherine Crump at the Philadelphia Inquirer. It began with,
"If you own a cell phone, you should care about the outcome of a case scheduled to be argued in federal appeals court in Philadelphia tomorrow. It could well decide whether the government can use your cell phone to track you - even if it hasn't shown probable cause to believe it will turn up evidence of a crime."

The Obama administration is asserting that U.S. citizens have no reasonable expectation of privacy when it comes to their cell phones. This premise comes from the "third party doctrine." The third party doctrine is controversial to say the least, and in the modern age the equivalent of completely removing all Fourth Amendment protections without the pesky need to actually repeal it.

The third party doctrine says that once you knowingly give information to a third party you lose the right to the Fourth Amendment protections. Just to help keep things clear, the Fourth Amendment says:
Fourth Amendment – Protection from unreasonable search and seizure.

The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.

The third party doctrine is based on the premise that, since the phone company, your ISP, and any other company you may give data to is not within the four walls of your home or on your person, that data is no longer protected by the Fourth Amendment's clause against unreasonable searches and seizures.

Forget whether or not you are doing anything illegal. Under the third party doctrine the government can subpoena your browsing history from your ISP without having to prove probable cause. The same goes for anything you put on Facebook (not that Facebook is private), and possibly even anything you back up to Carbonite or another online backup service. I say possibly for the backup services because they are usually encrypted, so a "reasonable expectation of privacy" can be argued. The same can't be said for email, cell phones, text messages or almost anything sent over the internet.

I don't know about you, but almost everything I do that doesn't involve direct, face to face communication goes through a third party before reaching its destination. There is almost nothing I do that the government can't look into, for no other reason than curiosity, using the third party doctrine. Knowing the history of the American colonies and the revolution, I know the founding fathers never intended the government to have that kind of power.

Thursday, February 4, 2010

Anatomy of a Craigslist scam

Our van went belly up a couple weeks ago, and we need another one. A friend sent me a link to a van for sale on Craigslist for $300. Here is the listing:

$300 OR BEST OFFER
1996 CHRYSLER TOWN & COUNTRY LX MINIVAN
MOVING SOON & I CAN'T BRING IT WITH ME

- 106,970 MILES
- SECOND & 3RD ROW CUP HOLDERS ON BOTH SIDES
- SEPARATE REAR HEAT & AC
- AC/HEAT
- SEVEN PASSENGER
- NEWLY REBUILT AUTOMATIC TRANSMISSION
- ROOF RACK
- 3.8 LITER V6
- DUAL FRONT AIR BAGS
- AUDIOVOX 12.1 INCH DROP-DOWN DVD PLAYER
- GREY UPHOLSTERY
- METALLIC GREEN
- TINTED WINDOWS
- TWO SLIDING DOORS
- STEREO WITH CD & CASSETTE PLAYER
- HAS NO MECHANICAL PROBLEMS
- SECOND ROW FOLD-IN-FLOOR BUCKET SEATS
- FWD
- NEW TIRES
- POWER STEERING, WINDOWS, SEATS & DOORS

CONTACT ME @xxxxxx@yahoo.com

What makes this a classic scam is the appeal to our greed, in this case our desire to get something really good for as close to nothing as we can manage. Looking at the listing again, there was an obvious clue this was bogus from the start: 1996 Chrysler vans didn't have fold in the floor 2nd row seats. I know this because the van that died was a loaded 1998 Caravan. But not noticing that, this was still obviously too good to be true. It was probably a typo, though, so I checked it out. I clicked on the email address and sent a query. Shortly I received this email:

[Screenshot: Odd name for a personal website...]

The URL seems a little odd for a personal website, but I'll check it out...

[Screenshot: Appears to be a graphic, except for the phone entry fields]

Here's where the warning bells become intolerable. Some of this may be my own paranoia, but...

  • He's holding a raffle to see who gets to look at his van?

  • He's using a graphic for text - classic scam move. It's a lot more work than simply typing the text in - unless you're creating a bunch of ads. Then it's easier to create one document to upload instead of two or three (text and art)

  • He's using the Craigslists automated phone system to set this up? If he really works for them, he's fired.

  • He wants me to give him my phone number so Craigslists APS can text me?

  • I can give him as many textable numbers as I want to, he doesn't mind.


I checked the page source, and the only thing the page did was make sure you actually put something in the fields. It didn't check what you put in, just that the fields weren't empty. So I entered u, u, u. It worked. It sent me to a 5 second countdown page, which I think was setting up a hotmail account to email my phone number to. It then sent me here:

[Screenshot: Same page, but single code entry field now.]

Just the blank field I'm supposed to wait and fill in when I get texted. The other hole in the blue is some of the 'text' that has a bit of cloudiness around it. That's a visual clue it's an image file, not actual text.

I look at the page source on this page and find a couple of interesting tidbits. There is a hotmail address and a password that I think are auto-generated every time someone enters data into the fields on the previous page. I'm pretty sure that's the case because the hotmail account is different every time. Yes, I clicked on it several times. Was that smart? Not really. I'm as protected as I can be, but there's no guarantee he doesn't have something new on his site that could compromise my computer.
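As an added example (not code from the post), here is a small Python scanner that checks a saved page's source for the three tells described above: text served as an image, form fields checked only for being non-empty, and a webmail account plus password left in the page. The two sample pages are constructed for the example, and the 200-character text threshold and the regexes are assumptions.

```python
# Added example, not from the post: scan saved HTML for the scam tells the
# post describes. Sample pages below are constructed; thresholds are assumptions.
import re
from html.parser import HTMLParser


class PageStats(HTMLParser):
    """Collect the few facts the heuristics in scan() need."""

    def __init__(self):
        super().__init__()
        self.images = 0
        self.text_chars = 0
        self.inputs = []       # attribute dicts of <input> tags
        self.script = ""       # concatenated inline <script> bodies
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "img":
            self.images += 1
        elif tag == "input":
            self.inputs.append(attrs)
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.script += data
        else:
            self.text_chars += len(data.strip())


# "not empty" checks such as  x.value == ""  or  x.value.length == 0
EMPTY_CHECK = re.compile(r"\.value\s*={2,3}\s*(\"\"|'')|\.value\.length\s*={2,3}\s*0")
# anything that actually looks at the content: regex test/match or a literal anchor
REAL_CHECK = re.compile(r"\.test\(|\.match\(|/\^", re.I)
# a webmail address followed shortly by a password assignment
CRED_PAIR = re.compile(
    r"([\w.+-]+@(?:hotmail|live|outlook)\.com).{0,60}?(?:pass(?:word)?|pwd)\W{0,10}([^\s\"'<>;]+)",
    re.I | re.S)


def scan(html):
    """Return the list of tells found in one page's source (empty list = none)."""
    p = PageStats()
    p.feed(html)
    findings = []
    # Tell 1: an image does the talking and there is almost no real text.
    if p.images and p.text_chars < 200:
        findings.append("text-as-image")
    # Tell 2: free-text fields whose only "validation" is a blank check.
    text_inputs = [a for a in p.inputs if a.get("type", "text") in ("text", "tel")]
    typed = any(a.get("type") == "tel" or "pattern" in a for a in text_inputs)
    if text_inputs and EMPTY_CHECK.search(p.script) and not (typed or REAL_CHECK.search(p.script)):
        findings.append("empty-only-validation")
    # Tell 3: a mail account and its password sitting in the page source.
    if CRED_PAIR.search(html):
        findings.append("embedded-credentials")
    return findings


# Constructed stand-in for the scam page: one big image, three phone fields,
# a blank-only check, and a throwaway webmail account with its password.
SCAM_PAGE = """<html><body>
<img src="van_ad.png" alt="">
<form name="f" onsubmit="return check()">
<input type="text" name="phone1"><input type="text" name="phone2"><input type="text" name="phone3">
<input type="submit" value="Enter raffle">
</form>
<script>
function check(){
  var f=document.forms.f;
  if(f.phone1.value==""||f.phone2.value==""||f.phone3.value==""){return false;}
  return true;
}
var acct="van4sale8812@hotmail.com"; var pass="Raffle!2010";
</script>
</body></html>"""

# Constructed honest listing: real text, a typed field, a real format check.
HONEST_PAGE = """<html><body>
<h1>1996 Chrysler Town &amp; Country LX, $3,000 or best offer</h1>
<p>Moving soon and can't take it with me. 106,970 miles, rebuilt automatic
transmission, separate rear heat and AC, seven seats, roof rack, new tires.
Call or text to arrange a look; I am usually free evenings and weekends. Serious
buyers only, cash or cashier's cheque, title in hand. No dealers please, thanks.</p>
<form onsubmit="return ok()"><input type="tel" name="phone" pattern="[0-9]{10}"></form>
<script>function ok(){return /^\\d{10}$/.test(document.forms[0].phone.value);}</script>
</body></html>"""
```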

Am I being paranoid? Craigslist didn't think so. By the time my friend saw the ad and told me, it had already been pulled off the site. It still showed up as a result in searches, but when you tried to go to it a page saying the ad had been marked for deletion popped up.

So what was he trying to accomplish? At first I thought he was just generating phone lists to sell. After all, all he asked for was a phone number. Then I realized what he really wanted was numbers to cell phones. SMS messaging capable cell phones that he could send simple little, "your code is: xxxxx" sms messages - at 9.99 per message. If the ad appeared in 10 cities long enough to get 1000 valid, textable numbers in each city that would be roughly $100,000 to the conman. Not a bad morning for a crook.

UPDATE: Once I was someplace I could log into hotmail, I went through the process again and tried the hotmail account and password that were on the page. Not only did it create a hotmail account, there was an email from Craigslist - it had created a new account on Craigslist. I imagine it also placed more ads. I'm bordering on legality here (the scammer sent me the account info in the source code of the page), so I'm not going any further, but I suspect that the account on Craigslist may have the same username and password as the hotmail account. Of course, this is all automated, so it doesn't have to be the same.

Tuesday, November 24, 2009

Every little thing you do...

One of the more exciting trends in social networking is the ability to use software on your phone or iPod to report your location to your favorite social network account so your friends can see where you are. Personally I don't think it's a good idea, but I'm into protecting privacy. I do think people are not thinking enough about what they are revealing about themselves as they surf the web, and now they're making it easy for the obsessive, the stalker, the thief to track them down. Last spring a reporter tracked a woman using the positioning data that was being posted by her phone at set intervals - he never met her and did not know her, but was able to see where she went and even view what he thought was her apartment through a webcam - and he knew the location of the apartment because it was fed through her cell phone. He didn't even have to dig, she was giving it all up voluntarily. Imagine if he had been a serial criminal of any sort. She was handing herself to him.

I was reading two articles, one in the Examiner about the nifty things that are so useful, but potentially so invasive to our privacy, and one at TechCrunch that talked about attaching your location to your Twitter, Facebook or MySpace account. Both point out that as we move to an online society it will become harder and harder to keep anything to ourselves. And most of us apparently don't understand that we are giving it up voluntarily. From students at Oxford to teachers in North Carolina screaming "invasion of privacy" because they got in trouble for pictures and statements on their Facebook pages, it is becoming more and more obvious that the average person online does not realize that once it's online it is out, and it can't be put away again. Is the answer stricter privacy controls? Is it tighter oversight of the social networks? I don't believe it's either. I believe it's education. Children and adults need to learn to keep some things private. They need to know that, while it might be neat to have your whereabouts posted where your friends can see them, unless you can make sure that only your friends see them, it can be painting a target on your back.

Tomorrow we'll start looking at ways to make that target a little harder to see.

Thursday, November 19, 2009

Healthcare workers not hip to HIPAA

According to the Modern Healthcare website, a significant number of healthcare employees don't know that they are subject to HIPAA regulations. It's apparently a failure to communicate. The American Recovery and Reinvestment Act of 2009 extended who has to comply with HIPAA regulations, but as many as 50%+ of newly affected workers failed to get the memo. I'd be less concerned if I didn't wonder how many of the employees who were already affected by HIPAA haven't got the memo yet.

England has had its worst consumer data breach in a while courtesy of a Verizon T-Mobile employee who sold customer info. Hey Verizon T-Mobile, I want better controls over my data! Can you hear me now?

[Edited @ 1:57pm because apparently I have subconscious issues with Verizon]