Remember last week when I reported on a “small” privacy blunder committed by Facebook and their data portability app? Security software maker Symantec announced over the weekend that they noticed Facebook’s Android app behaving inappropriately, to the tune of uploading the phone number of the device to Facebook’s servers the first time the app is installed and launched, prior to any logins or other interaction by the phone owner. According to Facebook, they never used this information, and have since deleted it from their databases. Seeing as the Android Facebook app has been downloaded by several hundred million people, up until this “bug” was discovered and remedied, several hundred million people had their phone numbers harvested by Facebook without their explicit permission.
What this means for you:
Maintaining control over the privacy of your personal data requires constant vigilance on your part, and trustworthiness on the part of those who are requesting the use of your data. In this specific instance, a list of several hundred million mobile numbers isn’t very useful without any other meta data, but it highlights the larger issue at hand: can Facebook be trusted to be good stewards of your personal data? Should they have ever been trusted to the extent that most people have up until now? Recent events should put a great deal of caution into even the most open social networker, and should serve as a red-flag warning to everyone. Organizations are only as good as the people who run them. Apps are only as good as the people who program them. If your privacy is important to you, pay close attention to how others respect that privacy. Don’t reward bad or careless behavior with your dollars or loyalty, and don’t let inertia alone keep you from making informed choices.
FYI: “Facepalm”: http://en.wikipedia.org/wiki/Facepalm
After four years of research and debate, the Federal Trade Commission has updated the Children’s Online Privacy Prevention Act with much stricter rules that hit internet advertisers right in the moneymaker. Written originally in 1998, COPPA was enacted to protect minors under the age of 13 by requiring any company collecting data on that demographic to adhere to strict privacy protection guidelines as well as putting well defined limits on advertising and marketing targeting minors. Since 2000, when it first went into effect, the internet and online advertising has changed significantly, and the FTC has amended COPPA, over the strenous objections from the industries affected.
What this means for you:
Whether you are a parent or an organization who markets to this particular demographic, you should take a moment to understand how COPPA may impact you. The new rules have been expanded in the following ways:
- The guidelines now include a wide range of digital media and devices, including smartphones, tablets, mobile gaming devices and mobile apps.
- The definition of “Personal Information” (previously only protected was the child’s name, address and email) has been expanded to cover a larger variety of data types including: geolocation, photos, videos, recordings, screen names and cookies. Just about anything that could be used to identify or track a child has been included.
- Any organization or platform must ask permission from a parent or guardian before collecting the information, and must include links to an official privacy policy governing the use of that data.
- In the case of any organization collecting information without consent, parents and guardians have a right to receive a full description of what was collected on their child and also the right to have that info be deleted immediately.
- Targeted advertising that is based on a minor’s online data profile are no longer permitted without parental/guardian consent.
The trick, of course, is paying attention to what your child is doing online, and especially to what they are seeing onscreen. Advertisers are extremely clever, and this segment of the market is extremely valuable to them. The howls of protest will soon subside as they devise even more subtle ways to get parents to open up their wallets. Caveat Emptor!
Image courtesy of Stuart Miles / FreeDigitalPhotos.net
BlackBerry (formerly RIM) has been struggling in the smartphone market, having recently fallen into 4th place behind even Microsoft’s fledgling foray into that space. Despite the recent release and generally positive reviews of their 10-series phones, the mobile device manufacturer ceded their corporate dominance years ago to the crushing flood of iOS and Android devices primarily because of the company’s failure to stay competitive on the software side. In a move that has analysts scratching their head, BlackBerry is now making a play via software with a new platform called “Secure Work Spaces” which aims to allow for peaceful and secure co-existance of personal and corporate data on smartphones, including iOS and Android devices.
What this means for you:
Corporations struggle with allowing their employees to use corporate phones for business, and vice versa, with corporate phones and personal usage, primarily because the risk of security breaches is much higher on the personal side. BlackBerry’s new platform is designed to create a partition that keeps the two work spaces (see what they did there?) separate, giving enterprises complete control over corporate data without the distasteful invasion and control over the personal aspects of devices. There are other companies working on this same concept, and have been in the space longer, but BlackBerry’s reputation (and probably some nostalgic sentiment) may win the heart’s and minds of corporate IT managers. Seeing as BlackBerry has historically been a company that depends on hardware sales for revenue, many think that BlackBerry is either making a desperate or cunning pivot to the software space, knowing that there is little chance they can recover any ground in the mobile device race.
Facebook offers its users the ability to upload your email contact list, presumably so you can discover which of your friends are on Facebook (that you haven’t already befriended). Once you’ve done this, you also have the ability to download those contacts via an archiving tool called DYI (Download Your Information), that delivers this information via a simple HTML file. Unfortunately, an unintended “bug” in DYI exposed a rather distasteful (though expected) Facebook practice called data correlation. Here’s what happened:
Say you uploaded a contact “[email protected]” to Facebook, but that’s all the data you had on Mr. Smith: just his email address. Another Facebook user also knows Mr. Smith, but also happened to have his phone number and mailing address as well. Facebook’s data correlation practices stores all data on John Smith, regardless of who uploaded it, in a single record, creating a comprehensive data profile on Mr. Smith. See where this is going? Before they fixed this bug, when you went to download your contact info via DYI, not only would you get the email address you knew about, you’d also get any other contact information uploaded by other users, even if you didn’t know the other person who uploaded the contact info about John Smith!
According to Facebook, this data correlation is done to make “Friend” recommendations to you based upon everything it knows about an individual, across its entire store of information.
What this means for you:
It’s not clear whether Facebook intends to notify any of the six million individuals who are affected by this bug, and supposedly this has been fixed so that Facebook users only have access to the data they uploaded minus the data correlation ties Facebook makes in its internal database. According to Facebook, this security bug wasn’t exploited intentionally or maliciously, and it wasn’t possible for anyone using the tool to access information about users they didn’t already have some form of contact info on already.
This does highlight a larger privacy issue that probably won’t be resolved anytime soon, but has been ongoing for Facebook ever since it first appeared. Your friends have access to your PII (Personally Identifiable Information) and regardless of your own personal wishes, you have no ability to control whether or not they share that information, on Facebook or any other social networking site. As is always the case, if you are concerned with the visibility of your personal information on the internet, do regular searches on your name via Google to see what comes up in public, and work back towards the source to remove that information if necessary. Unfortunately, the Internet never forgets, and there is no “100% guaranteed erase” button, so its sometimes impossible to completely remove that data from public view.
Security researchers at Skycure have discovered another weakness in smartphone security, and this could impact you despite whatever security measures you’ve taken personally. Most smartphone operating systems, iOS and Android included, offer the ability to “remember” the SSID’s and passwords of Wifi networks you have accessed with your smartphone, and have the ability to automatically connect to that network the next time you are in range. Skycure has alleged that at least one major carrier, if not all of them, are also pre-programming certain SSID’s into phones straight from the factory, ostensibly to provide customers with a convenient connection with carrier-hosted or sponsored Wifi hotspots. For example, AT&T iPhones allegedly are shipping with the “attwifi” SSID preprogrammed into the phone, and will supposedly automatically join that wifi network, presumably in use by AT&T’s retail storefronts, if it comes across it.
Here’s why this is bad: hackers could spoof any SSID that you’ve set your smartphone to remember and autoconnect, and they’ve got a straight shot at your phone. Normally, this wouldn’t be a problem, as this requires guessing what SSIDs are stored on your phone, and then getting close enough to that phone with the spoofed Wifi network. But with the above, it would be trivial to sit in a crowded mall or any high-traffic walkway, scanning for AT&T iPhones, knowing that some, if not all, will autoconnect to a fake “attwifi” SSID without the owner ever being aware that they just got hacked.
What this means for you:
This exploit seems to be fairly new, and though Skycure claims to have seen this happening in the wild, it’s not widespread, yet. The best course of action is to disable the “autoconnect” setting for any wifi network you have used with your mobile device, whether it be smartphone, tablet or laptop. It will mean a few seconds of inconvenience anytime you are out and about and trying to get internet access, but it may mean the difference between keeping your cellphone secure or getting it hacked.
UPDATE: By default, Android phones will store SSIDs and passwords for any wifi network you add to your phone, and will automatically connect to that network whenever it is range. There is NO way to disable the autoconnect functionality built into the native Android settings. However, you can use an app to control automatic connections. I am currently testing this app, which is “free” but ad-supported. I’ve not tested it long enough to give a recommendation, but it does allow you to toggle the autoconnect functionality on or off per hotspot. On iOS devices, the only way to natively disable the “auto-join” feature is to actually connect to one of the pre-defined hotspots, eg. visit a local AT&T store, and then turn “Auto-join” off for that particular network.
In a public event hosted by the Reddit.com, infamous NSA whisteblower Edward Snowden answered questions posted by Reddit users on a variety of topics. Of particular note was his response to a question about whether encrypting emails would be an effective way to keep the NSA (or anyone else, for that matter) out of your business. Snowden’s response was both heartening and depressing at the same time:
Encryption works. Properly implemented strong crypto systems are one of the few things that you can rely on. Unfortunately, endpoint security is so terrifically weak that NSA can frequently find ways around it.
What this means for you:
Imagine you want to send a package that contains some very valuable items to a friend on the other side of the world. You carefully wrap the items and then lock them in a briefcase, which is in turn handcuffed to an armored guard, who is then transported via armored truck to your friend’s house. He makes sure that the package is put into your friend’s hands and verifies that your friend is indeed who he says he is, and he even calls you to let you know that the package has been delivered safely. This is analogous to using email encryption to send an email to a friend.
Unfortunately, your friend’s house has a broken lock on the front door, and he carelessly leaves the valuable items in plain view of a window that is also unlocked. That’s analogous to the weak endpoint security Snowden at the end of his response.
In other words, it doesn’t matter how much security you engage on your end if your recipients don’t engage in the same level of security. To use another real-world analogy: cyber attacks are like water – they will flow into every nook and cranny, looking for a way in. It doesn’t matter if 99% of the surface it is covering is impenetrable. That last 1% provides the hairline crack needed to seep in and destroy everything from the inside.
Image courtesy of Stuart Miles / FreeDigitalPhotos.net
There’s a whole lot of spying going on: the US and China continue to bicker over who’s spying on who, and the Washington Post fumbles an early scoop that clearly confuses what may end up being the biggest information leak since the Wikileaks scandal. In the midst of this surveillance brouhaha, the confidential source that triggered the Washington Post story has stepped forward in the form of an IT security analyst employed by the spookiest of spook agencies, the Central Intelligence Agency and the National Security Agency. Based upon the information this whistleblower has provided to news agencies, the American Civil Liberties Union has brought suit against the president, the NSA and Verizon for illegal spying, and more are on the way.
What this means for you:
Though the details are still being argued over, it appears the NSA has had an ongoing warrant with Verizon that has provided them with calling histories for just about any domestic Verizon customer, all under the umbrella of the controversial Patriot Act. Now, before you start worrying if your recorded phone calls will be leaked and become the next YouTube sensation, the information collected is data-based (numbers, times, geographic locations) as opposed to them eavesdropping in on your conversations, Hollywood “listening post”-style. Given the vast computational power the NSA has at its fingertips, this is still amazingly comprehensive, and gives them the ability to very accurately profile any US Verzion customer based upon that history.
Sadly, once again, there’s very little you can do as an individual, other than to write your congressperson, or boycott just about every major telecommunications provider and credit card company out there, because it seems that all of them have been forced to cooperate with the NSA at one point or the other under the Patriot Act. The Wired article also makes a very good point: threats to our security can just as easily come from the inside as the outside. Unfortunately, for all involved, it also demonstrates the trend that trusted insiders can easily become the biggest security breach an organization has ever known.
Have you thought about what access your employees have to confidential information? How much trust have you invested in them? Do you have sufficient controls in place to protect your company from inadvertent security breaches caused by a trusted employee? What if that same employee was to deliberately breach your security?
Apple officially announced the next version of their mobile device operating system at the Worldwide Developer Conference on June 10th. The rumors of a redesigned interface proved to be true, as iOS 7 showed off a completely reskinned interface that features a more muted color scheme with “flattened” elements, a marked departure from the infamous “lickable” buttons and widgets of previous iterations. The new look was also backed by many updates to interface mechanics, expanded multitasking, redesigns of some of the built-in apps, and the launch of Apple’s own streaming music service, a direct competitor of similar services like Spotify, Pandora, and Google’s Music All Access.
What this means for you:
If you have an iPhone 4 or iPad 2 or newer, then the OS update will be automatically pushed out to you when it is released this Fall. Aside from the new look, iPhone users will enjoy the new “control center” function – a slide-up widget that allows you to access commonly used iPhone settings like toggles for Wifi, Bluetooth, Airplane Mode. The expanded multi-tasking capabilities will now grant the ability to all apps to work in the background (iOS 6 restricted this capability to a handful Apple apps only) without significant drains on the battery, so content-based apps can grab content as it becomes available (push-based) versus when requested by the user (pull-based).
If you are an Android user, you may be scratching your head and wondering why it’s taken Apple so long to bring features like the above to the iPhone. To be fair, Apple has been focusing their energy on a foolproof OS, which sometimes means making compromises on capabilities, but with an eroding marketshare and Samsung hot on their heels, the gloves have come off in the smartphone wars. For a full list of features, you can visit Apple’s iOS 7 website.
Proving that sometimes our Congress people come by their paychecks honestly, a bi-partisan privacy caucus led by Joe Barton (Rep. TX) sent a list of questions to Google’s CEO Larry Page, asking him point blank about several privacy issues, including whether or not Google would allow the use of facial recognition technology on the device.
Supposedly, Google has maintained from the start that facial recognition would never be implemented without “strong privacy protections in place.” In a Google+ post Friday, they reiterated this position and stated that Google “…won’t be approving any facial recognition Glassware at this time.”
What this means for you:
By default, Android OS-based devices can only install software via Google’s Play store. Software distributed via Play must go through Google’s approval process, much like apps on Apple’s iTunes store, so you can assume that Google will be true to their word and prevent distribution of facial recognition apps simply by not approving them. However, unlike iPhones, many versions of Android allow “sideloading” of apps with a simple settings change. Sideloading in the Android ecosystem is well established – Amazon.com has an app store that requires sideloading to be enabled, and instructions for enabling this capability are easily found on their website and many, many others.
Bottom line: this is yet another Pandora’s box that won’t be closed. Facial recognition is a reality, and portable, undetectable devices capable of performing this function are only a step away from today’s consumer technology. Technology (and scientific progress in general) advances despite legal or cultural ramifications. One could argue that society only advances in light of controversial technologies like Google Glass. We are only beginning to glimpse the potential of an always connected and much less private world. Google Glass is only one step in a long, uphill climb.
The upcomign Black Hat security conference features a topic that may give traveling iPhone users second thoughts about using a public charging station to juice up their phones. Three security researchers from Georgia Institute of Technology have built a prototype device that can hack an iPhone through the dock connector merely by being plugged in. Supposedly this hack can be accomplished on the latest iOS update, and does not require any interaction from the user, nor does it rely on the device being jailbroken.
What this means for you:
I’ve always viewed public charging stations as being rather sketchy to begin with, especially the ones that charge you for the service and offer “highspeed charging” which could easily fry your phone’s battery if not the device itself. I’d rather spend a few extra minutes locating a regular wall outlet and using my own equipment. Supposedly the prototype that will be demonstrated at the upcoming conference is too big to fit into a standard Apple-branded iPhone charger, but the designers of the device inferred that stealthier versions wouldn’t be hard to produce at all.
Most modern smartphones combine data and power in the same port (Android phones and most tablets also feature this same convenience) so it may not be just iPhones that will be vulnerable to this method of attack. For now, make sure you use chargers you know are safe regardless of what type of mobile device you use, and avoid public charging stations. This particular cow is well on its way out of that barn.










