Despite the fact that everyone (including me) has been telling you that encryption makes the data stored on your smartphone safer, it would seem that is not necessarily the case for iOS devices. Renowned iPhone hacker, developer and author Jonathan Zdziarski presented a large body of research and evidence that Apple has built backdoor data access into its devices for some time, and not just the kind required by law enforcement for warranted search or for troubleshooting and debugging. Also damning was the fact that these processes and services aren’t documented at all by Apple, but are apparently well-known by various law enforcement agencies and forensic data specialists. And the cherry on top? The encryption on your iPhone can easily be bypassed by these backdoor tools through USB connections, wifi and possibly even cellular connections.
What this means for you:
According to Mr. Zdziarski’s findings, iPhone encryption is essentially bypassed because iOS maintains a base state of authentication even if your phone is “locked” with a pin or password. The tools and services running quietly in the background of your device have direct access to your data, and not just the “anonymous” or “non-identifying” data that Apple collects for performance and troubleshooting purposes. Apple has yet to comment on Mr. Zdziarski’s findings, but the growing media attention on this issue will likely force a response from the Cupertino company. Unfortunately, there is not much you can do about this, as these backdoors are so deeply embedded in the operating system of iOS that removing or disabling them is impossible. You can, of course, demonstrate your displeasure by contacting your local congress-critter, providing feedback to Apple, as well as restraining yourself from buying Apple products until they address everyone’s privacy concerns. Given Apple’s strangle-hold on the smartphone market, they have very little incentive to change anything unless consumer sentiment starts to sway against them on this issue.
Ahead of a court order that is still pending, Google has blocked delivery of a single email mistakenly sent to a wrong address at the request of the sender’s employer. As most of you can attest, doing something like this, while technically possible within certain parameters, is usually not done for a variety of reasons, not the least of which is opening the Pandora’s box of requests for Google to do the same thing for every email sent to the wrong address or for the wrong reasons. In this particular instance, the sender was a contractor for Goldman Sachs, and the email in question contained significant sensitive customer data sent to the wrong address. Rather than risking a signficant exposure for the customers whose data was contained in the email, on top of saving Goldman Sachs from considerable liability, Google acquiesced to the request, which normally requires a court order.
What this means for you:
The only reason this was even possible in the first place was because the unintended recipient hadn’t actually accessed the account since the email was sent, and therefore Google knew for certain that the email wouldn’t have been read, and there could be “un-sent.” You may have experienced both the relief and disappointment of attempting to “unsend” emails via your own company’s Exchange server, which can call back unread emails, but once the email has been opened by the recipient, intended or not, there’s no way to unsend it. What you should really be taking away from this was why someone was using email to send a report with such sensitive information in the first place. In this case, convenience and ease of use led to a near-catastrophic breach. Do you use email to exchange confidential information with other parties? If you do, you should carefully consider the consequences of a mis-delivered email, and what it might cost your organization.
As a parent, there is perhaps nothing more frightening than to have your child’s well-being threatened, and when that threat comes from a device meant to help safeguard children (and relieve parental anxiety), the impact can have far-reaching implications. Proving that some hackers out there have no grasp of human decency or compassion, there have been at least two separate known incidents of network-enabled baby monitors being hacked and then used to audibly taunt and yell at the toddlers devices were monitoring. In both cases, the devices weren’t hacked in the true sense of the word, but were exploited through a weakness that is common across the internet: easy-to-find default passwords. The parents, not knowing that the passwords should be changed, left the devices configured as they came out of the box, and the baby-screamers used that opening to perpetrate their irredeemable acts.
What this means for you:
In comparison to the above, getting hacked as an adult seems almost laughable, but when you think about it, it’s just as scary. In case you missed my blog about “ratting” and you aren’t feeling insecure enough about your security and privacy, you should have a read. The lesson hard-learnt here is this: make every attempt to understand all the devices you use, especially the ones that may be safeguarding the security, privacy and happiness of your family. Read the instructions that come in the box, and if they are incomprehensible, get on the internet and ask questions, or grab your nearest tech geek to have them review the device for potential security issues. Don’t take for granted that a device manufacturer (or website publisher, or software programmer) has your security and privacy top of mind when they are making and marketing their product. The lure of profit encourages even the most trusted brands to cut corners on occasion, which can lead to scary situations like the above.
Unless you’ve been living under a rock for the past year, most will leap to the conclusion that I’m writing about the ongoing government snooping that seems to permeate the internet these days. Unfortunately, another of the tech industry’s dirty little secrets is being dragged out into the light of day, and it’s something you’ve probably known all along but didn’t want to acknowledge: Your email is not private. Microsoft recently underlined and highlighted this fact by releasing details on an investigation into an ex-employee’s attempt to sell confidential information. The individual in question was identify primarily through the contents of his Hotmail account, which Microsoft openly admits to reading. While this may seem to be a blatant and gross invasion of privacy (it is), it’s also well within Microsoft’s rights as outlined in the Terms of Service every single customer agrees to when creating and using the free webmail account.
What this means for you:
Before you think this is a Microsoft bashing party, Google and Yahoo have the same sort of Terms of Service, as does just about any other email provider out there. They can read your email any time they want to, and they don’t have to get a search warrant like law enforcement supposedly has to do. They own the equipment, software and data services that deliver your email, and they assert openly in the Terms of Service in one way or another that your email is not yours to keep private. You might also want to review your employer’s information security policy: it’s highly likely that they advise you that any email transmitted through their servers is company property, and is subject to review at any time. This is not something new – policies like this have been around since email first started being used in large organizations that could afford lawyers.
The only way to keep email truly private is to use end-to-end encryption, a process that most people find daunting to establish, and inconvenient to use. Until there is a radical change in how we communicate on the internet, the only way to truly keep things away from prying eyes is to not put them on the internet in the first place.
Image courtesy of Stuart Miles / FreeDigitalPhotos.net
From the moment it was announced, Google Glass has been a favorite target in the growing privacy debate in our always-online and increasingly less-private society. Initially, privacy advocates were worried that Glass wearers could record others without their permission or even awareness. Now, we have to worry about the possibility that the device itself could fall victim to remote access malware, like we recently wrote about here and here. Grad students from Calforina Polytechnic have created a trojan application that purports to be a note-taking application, but instead takes photos without the wearer’s knowledge, recording images every 10 seconds while the device appears to be off, and uploading the photos via Glass’s built-in data connection to a specified destination conceivably anywhere on the internet.
What this means for you:
Before you go running for the pitchforks and torches, the app was created as a proof-of-concept to demonstrate a key weakness in Google Glass’s current operating system. This app’s ability to take pictures while the device reports itself as “off” is a violation of Google’s Terms of Use for the device, but that TOU is completely toothless as the OS in its current state can’t enforce that restriction. Worse still, the app itself actually made it through Google Play’s screening process and was available for a short while on the official app store. It might still be there if not for the students’ professor tweeting about it, and Google consequently pulling it for TOU violations. Google’s position was that this was a desired outcome, and the reason that Glass is still in limited to release to developers and their early-adopter aka beta tester program called Glass Explorers.
I’m fairly certain the students in question weren’t the first to dream up this concept, and you can bet that hackers with much more nefarious intent are impatiently waiting for the inevitable arrival and wide-spread use of wearable technology. The current, laser-hot focus of the privacy debate may be on the NSA and Ed Snowden’s disturbing revelations for the moment, but it seems the government isn’t the only one spying on us. In the words of the sage Walt Kelly (of Pogo comic strip fame), “We have met the enemy, and they are us.“
About a year ago, I shared an article from Ars Technica detailing a chilling and degrading hacker activity called “ratting” wherein your computer could be hacked into covertly spying on you. This disturbing trend now appears to be spreading to Android smart phones; for a short while before it was detected and removed, a seemingly legitimate app was available on the Google Play store that was purportedly for parents to keep an eye on what their children were doing on their smart phones. Unfortunately for the 50 or so people who actually downloaded the program, the real purpose of the app was to install a remote access trojan platform on the device which would enable someone to illicitly use the phones cameras and mics to spy on the user, as well as control other aspects of the phone like sending texts, making calls and sending emails.
What this means for you:
The app was built on a software development platform that is being marketed specifically to hackers, and one of the key selling points is this kit’s ability to build apps that can “hide” from Google’s security scans that usually prevent malware from being uploaded to the Play store. Translation: you can expect more apps like the one mentioned above to appear on the Google Play store. Where before you could, with maybe 99% effectiveness, depend on Google to protect you from harmful apps, you can no longer take for granted that if an app appears on the Google Play store that it is 100% legitimate. To protect yourself as an Android user, you should:
- Make sure to have a reputable Anti-malware app installed (I like Webroot’s Security & Antivirus).
- Read carefully the access permissions each app is asking for before installing.
- Pay attention to user reviews and install count. If the app only has a small number of reviews and installs, give it a few days and check back to see the app survives internet scrutiny.
Fortunately, Google has a means to automatically reach out to any Android phone and purge apps that it has found to be harmful, but it’s much safer and less stressful to avoid being victimized in the first place.
Another day, another social networking site hacked. This time, unfortunately, it was new internet darling SnapChat that was breached, exposing over four million mobile numbers and user names. The hacker(s) who published the data did so purportedly to compel Snapchat to take action on security flaws in its platform that have been known since earlier in the year, but remained unpatched up to (and even past) the public release on Dec 31, 2013 of the information harvested by exploiting the security flaws.
What this means for you:
SnapChat is very popular with younger generations who moved to the service for a variety of reasons, not the least of which was more privacy (from Facebook-savvy parents and authority figures) and less permanence (Snaps are deleted forever within seconds of being shared). Irony aside, the data exposed in the security breach reveals sensitive personal data from millions of individuals, many of whom are probably minors, a demographic that may include your child(ren).
You can check this website to see if any of your family’s mobile numbers were leaked by this SnapChat hack. While the data released isn’t as sensitive as bits like Social Security numbers, birthdates or debit card pins, some other services do use mobile numbers as identifying data, alongside usernames which many people (including Snapchat teens) like to re-use as part of their online “brand.” Armed even with these slender morsels, clever social engineers can wedge their way into someone’s online presence and use it as a stepping off point for a complete takeover of an identity, leading to credit fraud, theft and much, much worse.
While analyzing the data trail of the recent, highly-publicized Adobe security breach and data theft, researchers also discovered data that appears to have been stolen from a prominent online broker of limousine and towncar services. Among the some 850,000 customer records discovered were such illustrious names as Donald Trump, LeBron James and Tom Hanks as well numerous other wealthy and/or famous individuals. The data also included credit card information, pickup times and locations and even ID numbers of private airplanes used by this company’s customers. The records also included notes on customer behaviors and activities including a number of tidbits that could prove embarrassing or even potentially incriminating. Even if the data were to somehow avoid falling into the hands of police or tabloids, it’s highly likely that cybercriminals will have already cherry-picked many of the customer records for their potential use to fuel spear-phishing attacks and other focused cyber-espionage attempts on corporate and government targets.
What this means for you:
You may have enforced rigor and discipline in your own technology, to the point where you feel fairly confident that you can avoid most attempts to compromise your technology security, but the above points out an uncomfortable reality: you cannot control what information is being gathered about you whenever you interact with the rest of the world. You have two choices here: acceptance and vigilance – be watchful and cautious, and come to grips with the fact that 100% security is impossible, or move to a bunker in the wilderness, off the grid and completely isolated from society. However distasteful and infuriating the former may feel some days, the latter is just not a practical choice (or even possible) for most people.











Google’s New Advertising Shill: You!
MetaFilter user Andrew Lewis coined a phrase that has become the rallying cry for internet privacy watchdogs over the past 3 years, “If you are not paying for it, you’re not the customer; you’re the product being sold.” He was speaking of Digg’s redesign in 2010 in which the emphasis of the site shifted away from user-centric content curation and towards a model that was clearly intended to monetize Digg’s large userbase. Since then, the phrase has been applied to many services, including the 800-lb gorilla of free internet services, Facebook, and dozens of other social media sites that use advertising money to fund their “free” services. Savvy users will note that Google has been leveraging this model on a less obvious (but no less profitable) basis ever since Google search arrived and Gmail extended its tendrils into millions of users’ daily online existence.
The subtlety was cast aside boldly last week when Google announced a change to its privacy policy that granted itself the right to utilize its users’ likeness and content authored on any one of its many properties to advertise to other users. This includes content and reviews written by users on G+, YouTube, Zagat, and the Google Play store. The new policy is the default, and users must opt out if they prefer to not participate in this endorsement model. Clearly, Google is hoping to entice advertisers with the very real impact of recommendations made to users by people they know. But many are angered by this change, and the internet outrage is spreading.
What this means for you:
If you have a Google account, then you are automatically opted in to this advertising model. To opt out, you must go to your Account settings under the Google+ section, and look for the “Shared Endorsements” link to disable your participation in the program. If you actually go do this, you’ll note that Google has written quite the argument as to why you might want to stay opted-in: “Your friends might not be able to benefit from your wisdom.” Depending on your level of participation in online reviewing/commenting/rating, participating in this program may be no big deal, or a very big deal. Either way, you should consider the implications for your online brand, whether current or planned, and the impact on your privacy, especially if your face and words could start appearing on thousands of monitors around the world.