Archive for Privacy

Mobile Apps Put “Billions” Of User Records At Risk

Posted in Commentary with tags , on June 17, 2015 by itnerd

It appears that if you use mobile apps, though which ones are in question, you might be exposing the data stored within them to being swiped. Here’s what I mean via The Globe And Mail:

Security researchers have uncovered a flaw in the way thousands of popular mobile applications store data online, leaving users’ personal information, including passwords, addresses, door codes and location data, vulnerable to hackers.

The team of German researchers found 56 million items of unprotected data in the applications it studied in detail, which included games, social networks, messaging, medical and bank transfer apps.

“In almost every category we found an app which has this vulnerability in it,” said Siegfried Rasthofer, part of the team from the Fraunhofer Institute for Secure Information Technology and Darmstadt University of Technology.

Team leader Eric Bodden said the number of records affected “will likely be in the billions.”

Here’s a description of the issue from the same article:

The problem, Bodden said, is in the way developers – those who write and sell the applications – authenticate users when storing their data in online databases.

Most such apps use services like Amazon’s Web Services or Facebook’s Parse to store, share or back up users’ data.

While such services offer ways for developers to protect the data, most choose the default option, based on a string of letters and numbers embedded in the software’s code, called a token.

Attackers, Bodden says, can easily extract and tweak those tokens in the app, which then gives them access to the private data of all users of that app stored on the server.

The good news is that nobody has actually used this exploit for nefarious purposes. Yet. But you know that this is coming now that this info is public. So what’s being done about this? Apple, Google, Amazon and Facebook are all apparently taking action. But app developers need to do the same. The fact is that with everyone and their dog using smartphones and tablets, this is a really, really big deal. Swift action needs to be taken by all concerned or this could get really ugly.

Password Service LastPass Hacked…. Users Asked To Change Master Password

Posted in Commentary with tags , , on June 16, 2015 by itnerd

I get that having multiple passwords for each and every online service that you use can be a pain. But it make you more secure which is why I keep encouraging users to do that. I also get that to keep yourself sane you may require a password management system to keep track of all those passwords. The problem with that is that if you pick something that is cloud based, you run the risk of it being hacked and your digital life being left in a state where it is under threat.

Today, we’re being provided a great example of that with the news that popular cloud based password management service LastPass was hacked. Here’s what the company said on their blog:

We want to notify our community that on Friday, our team discovered and blocked suspicious activity on our network. In our investigation, we have found no evidence that encrypted user vault data was taken, nor that LastPass user accounts were accessed. The investigation has shown, however, that LastPass account email addresses, password reminders, server per user salts, and authentication hashes were compromised.

Lovely. Here’s what they are doing about it:

An email is also being sent to all users regarding this security incident. We will also be prompting all users to change their master passwords. You do not need to update your master password until you see our prompt. However, if you have reused your master password on any other website, you should replace the passwords on those other websites.

Because encrypted user data was not taken, you do not need to change your passwords on sites stored in your LastPass vault. As always, we also recommend enabling multifactor authentication for added protection for your LastPass account.

Now, if you need a product to keep track of your passwords, it should be local to your devices and not be cloud based. Such an application is eWallet which I reviewed here and while it does have the ability to sync over WiFi to keep all your devices up to date, it only does a sync to devices that are paired to each other, such as an iPhone and a Mac, and only on the same WiFi network. Your data doesn’t take a trip to the cloud so you don’t get exposed to this sort of hack.

In the meantime, if you’re a LastPass user, I’d strongly suggest taking their advice. Then I would strongly suggest reconsidering your password management strategy as this sort of hack could have catastrophic results for end users.

AdultFriendFinder Hacked… 3.5 Million Accounts Compromised

Posted in Commentary with tags , , on May 24, 2015 by itnerd

If you find your dates or whatever it is you’re into on AdultFriendFinder…. Not that there’s anything wrong with that…. You might have a reason to worry. About 3.5 million personally identifiable records were leaked from systems belonging to the adult oriented website which confirmed the breach after the hack first surfaced in April:

Word of Adult Friend Finder’s problems first surfaced last month. An IT consultant and Darknet researcher, who prefers to be known as Teksquisite, discovered the files on a forum in April. Salted Hash, looking to confirm her findings, discovered the same posts and files in short order.

The hacker claiming responsibility for the breach says they’re from Thailand, and started boasting about being out of reach of U.S. law enforcement because of location alone. As for local law enforcement, they’re confident they can bribe their way out of trouble, so they continued to post Adult Friend Finder records.

Using the handle ROR[RG], the hacker claims to have breached the adult website out of revenge, because a friend of theirs is owed money – $247,938.28. They later posted a $100,000 USD ransom demand to the forum in order to prevent further leaks.

In all, across 15 different CSV files, ROR[RG] posted 3,528,458 records. The files are database dumps with 27 fields in total; the most important being IP address, email, handle, country, state, zip code, language, sex, race, and birth date. Dates confirm that the data is at least 74-days old.

Here’s what AdultFriend Finder had to say:

“FriendFinder Networks Inc. has just been made aware of a potential data security issue and understands and fully appreciates the seriousness of the issue. We have already begun working closely with law enforcement and have launched a comprehensive investigation with the help of leading third-party forensics expert, Mandiant, a FireEye Company, the law firm of Holland & Knight, and a global public relations firm that specializes in cyber security.

“Until the investigation is completed, it will be difficult to determine with certainty the full scope of the incident, but we will continue to work vigilantly to address this potential issue and will provide updates as we learn more from our investigation. We cannot speculate further about this issue, but rest assured, we pledge to take the appropriate steps needed to protect our customers if they are affected.”

Sure you will. Either you were covering things up until you were forced to admit it, or you were asleep at the switch or your IT security sucks. That’s bad any way you slice it and users of the website should be outraged. The only good thing that they did was that they got Mandiant to look into this. Maybe they will whip your website into shape.

So, why am I being so harsh on AdultFriendFinder? Simple, this hack hurts people who really didn’t need the fact that they surf the Internet looking for Mr./Ms. Right or Mr./Ms. Right Now. Let me illustrate how this hurts people:

The problem that came to light was that, buried in the data, people were using their work email address to register for Adult Friend Finder. It was noticed by some folks I spoke with who were familiar with the data, that there were email addresses for folks serving in the US Army, US Airforce, Australian military as well as members of the Colombian, Brazilian and the Canadian Forces. That was just based on a cursory search.

Further to that end, according to the leaked data, government related email addresses showed that staffers from around the world had registered with their work email. Rather amazing that people would do such a thing.

So, why is this a problem? Well, an enterprising sort could track a person back through some simple searches. In one scenario someone would be possibly able to find a military personnel’s home address, current station, and…the names of his wife and children just as an example scenario.

Now, I could say that anyone who is dumb enough to use their work e-mail address to register on this site deserves to have their privacy invaded. But that’s wrong. Nobody needs to have their privacy invaded. Ever. Hopefully the low lives who are responsible get caught and jailed as hacks that violate the privacy of people should not be tolerated.

Woman Gets Fired Because She Deleted App From Her Workplace That Tracked Her 24/7

Posted in Commentary with tags on May 11, 2015 by itnerd

A California woman is suing her former employer for invasion of privacy, labor infractions, and wrongful termination after she was fired. Here’s the shocking part. She was fired because she installed a GPS-enabled app called Xora that tracked her every move. As in 24/7 around the clock even when she was not working.

Wow.

Here’s a snippet from ARS Technica who broke the story:

Plaintiff Myrna Arias, a former Bakersfield sales executive for money transfer service Intermex, claims in a state court lawsuit that her boss, John Stubits, fired her shortly after she uninstalled the job-management Xora app that she and her colleagues were required to use. According to her suit (PDF) in Kern County Superior Court:

After researching the app and speaking with a trainer from Xora, Plaintiff and her co-workers asked whether Intermex would be monitoring their movements while off duty. Stubits admitted that employees would be monitored while off duty and bragged that he knew how fast she was driving at specific moments ever since she installed the app on her phone. Plaintiff expressed that she had no problem with the app’s GPS function during work hours, but she objected to the monitoring of her location during non-work hours and complained to Stubits that this was an invasion of her privacy. She likened the app to a prisoner’s ankle bracelet and informed Stubits that his actions were illegal. Stubits replied that she should tolerate the illegal intrusion…..

Intermex did not immediately respond for comment.

She’s looking to get something north of $500K from her ex-employer.

My take? If this isn’t the ultimate in invading someone’s privacy, I don’t know what is. I really hope that Intermex comes out on the wrong end of this lawsuit and/or the bad press that this is generating hurts them financially. There’s no way that this can be considered to be acceptable behavior by an employer.

You can bet that I’ll be watching this for further developments.

Bell Stops Tracking Its Users For Profit

Posted in Commentary with tags , on April 14, 2015 by itnerd

You might remember that Canadian telco Bell Canada was tracking their users online activities unless they opt out of the program so that they could create detailed profiles about them for advertisers. And to make a few bucks off of that as well. That seems to have come to an end for now. The Canadian Privacy Comissioner has told Bell that what they’re doing is not cool:

In a report made public last Tuesday, [Privacy Commissioner Daniel] Therrien’s office ruled the program violated federal privacy laws, and should be limited to only those customers who explicitly volunteer to be tracked.

Bell initially blew the commissioner off. But they changed their tune when the report was made public. The telco is now going stop tracking users and delete the data that they’ve collected. That’s cool. Except for the fact that Bell is also going to reintroduce the program and ask users to opt in. Honestly, I would never do that and I cannot see why anyone else would. Which is why Bell made it an opt out program rather than an opt in program. But at least its legal now. Hopefully the Privacy Commissioner is keeping an eye on them to make sure that they don’t do anything else that violates privacy laws in Canada.

New Zealand Customs Officials Want Your Passwords And Encryption Keys

Posted in Commentary with tags on March 20, 2015 by itnerd

Seeing as I just came back from that part of the world a week ago, news that New Zealand Customs officials wanting to have the power to compel travelers to hand over passwords to electronic devices as well as encryption keys. The thing that has got people upset is that they would not require reasonable suspicion to do so. Though the person who runs NZ Customs says that’s not its intention. Here’s what New Zealand Customs Services chief executive Carolyn Tremain had to say:

“The reality is we have 11 million people crossing the border and a limited amount of resources which we are always going to prioritise by taking a risk-assessment approach. We are not saying every 10th person would be inspected.”

She also goes on to say that countries including Canada do this now. My understanding is that in Canada, this is only done if there are reasonable and probable grounds to do so. So it’s not quite the same thing. But perhaps someone in the know could clarify this.

Here’s why this isn’t going to have the desired effect for New Zealand or anyone else who thinks this is a good idea. People will just travel with clean computers, smartphones, etc, and download anything they need while in the country from their Dropbox account or some other cloud service. Or they will back up their laptop or smartphone to the cloud, wipe the devices, cross the border, and restore it in their hotel room. That’s very easy to do these days. Either way, Customs will never see it and they will not stop a single evil doer.

Now I don’t have a problem if you give customs officials the ability to get access to laptops and smartphones when you suspect that someone has done something wrong. But to have the blanket ability to do so is the wrong approach. New Zealand really needs to rethink this as it’s really not a good idea.

Office Of Auditor General Loses Sensitive Data On USB Drives…. Yikes!

Posted in Commentary with tags , on March 19, 2015 by itnerd

It’s bad enough that there are hackers and other evil doers out there trying to break into your IT infrastructure to get their hands on data that they can use for whatever evil purposes that they have in mind. But what’s worse is when you lose some form of removable media with sensitive data on it and you have no idea where it might be. Here’s a case in point served up from the Office Of The Auditor General here in Canada who lost a bunch of encrypted USB drives:

An internal investigation at the Office of the Auditor General found that about 22 per cent of the encrypted USB drives entrusted to employees were lost, according to newly released documents.

The Star obtained a briefing note through an access to information request that details how the encrypted portable data storage devices were handled by workers at the office of the federal government watchdog, with little done to ensure information technology security measures were followed.

“The management of these USB drives was not strictly enforced. Employees were given IT Security information sessions on how to report stolen or lost devices but there was never any real accountability if a USB drive was lost,” says the Sept. 22, 2014 memo prepared by Jean-Charles Parisé, chief information officer and departmental security officer with the Office of the Auditor General.

The Office Of The Auditor General for their part says there’s nothing to see here:

“We have always encrypted (since 2008), so we were not worried about losing the data. We couldn’t lose data, but it became a bit troublesome to have to manage those (devices). They’re easy to lose . . . . So, we decided we had to do away with (them),” Parisé said in a telephone interview Wednesday.

The institution has since moved mostly to using a secure file transfer (secure FTP) site to exchange information with outside institutions and has recalled all the USB devices, except for those currently being used in ongoing audits, such as the investigation into Senate expense claims.

Well, at least the drives are encrypted. That will stop the casual user from getting access to that data. But a more skilled user may have a shot at getting to that data. After all, nothing is hacker proof. And according to the story, the data on those drives is likely information containing identifying information about individuals or institutions that is not secret or classified. That’s not good. As for them moving to methods like secure file transfer services, at least there’s no physical media to lose. But it leaves them wide open to social engineering attacks and password cracking attempts unless they use some form of two factor authentication to stop that from happening. That’s because all that usually stands between a hacker and the data is a password. Thus I’m implying that they might have traded one problem for another.

Clearly there needs to be a major shift in terms of how data is handled and secured to stop situations like this from happening. Hopefully, it doesn’t take a major negative event for that shift to take place.

Follow

Get every new post delivered to your Inbox.

Join 333 other followers