Free songs

Privacy

Prodigy/Telmex E-Mail Vulnerabilities Exposes Thousands of Accounts and Puts Millions At Risk

Over the past few weeks I have been working with  El Economista on the discovery and disclosure of a massive security hole in Prodigy’s  (Telmex) mobile email and web based mail systems in Mexico.

The hole has exposed at least several thousand email accounts, even enabling the indexing of email accounts and messages by Google and  putting all Telmex customers who have an email on the Prodigy.net.mx and several other domains at risk.

Read More»

Ignite Portland 11: Pwnd By Devices

My Ignite Portland presentation “Pwnd By Devices”…had a blast doing this, even though it was freaking hard:

Read More»

Privacy Invasion Lawsuit Names 18 Companies

Several companies have ben named in a class-action lawsuit as a result of mobile applications uploading contacts to servers without users’ consent. The mobile app developers who were following this practice were doing so to provide more personalized recommendations regarding who they should follow on their social networks, however they did so without user consent or knowledge.

Read More»

California Attorney General Harris Announces Agreement to Strengthen Privacy for Mobile Apps

California Attorney General Harris announced an agreement committing the leading operators of mobile application platforms to improve privacy protections for millions of consumers around the globe who access the Internet through applications (“apps”) on their smartphones, tablets and other mobile devices. The agreement is with the six companies whose platforms comprise the majority of the mobile apps market: Amazon, Apple, Google, Hewlett-Packard, Microsoft and Research In Motion.

How GadgetTrak Handles Contact & Photo Backups

It was recently discovery that social media startup Path has been uploading contact information to their servers without its users’ consent. The discovery was by Arun Thampi using Aldo Cortesi’s excellent mitmproxy tool which allows researchers to intercept data transmitted by apps to remote servers even if being sent via SSL. This discovery has led to quite an outrage online, as users were not told their address books were being uploaded to Path’s servers. To make matters worse if your contact information is on your friend’s phone your contact details including phone number are now sitting on Path’s servers. The information was not encrypted and there is no word yet how the information was being protected on the servers.

Mobile privacy is something that we hear at GadgetTrak anticipated and worried about early on. GadgetTrak Mobile Security uploads your photos and contacts to our servers, however we encrypt the data on your device with a privacy key that you choose with AES 246 bit encryption before data is transmitted over a secure connection. This model of backup is often referred to as “host proof” backup where not even we have access to our customer’s data. For example if we were subpoenaed for back up data by a government agency all we could provide is an encrypted blob, only our customer has the key to decrypt the data.

This approach helps ensure the privacy of our customers on several levels, first by not even allowing any employees access to the data. This ensures that your data is not used for any other purposes and ensures your data is kept private from ANY prying eyes. Second, if our systems were compromised the damage would be minimal as an attacker would not be able to do much with the encrypted data.

Government Access To Cell Phone Records & Location Data

Today the  Supreme Court unanimously ruled that the police violated the Constitution when they placed a Global Positioning System tracking device on a suspect’s car and monitored its movements. This helps clarify in many regards the extent to which law enforcement can track private property without a warrant.  This raises questions for some in the mobile realm regarding what level of access that law enforcement have when conducting an investigation.

The first step law enforcement take is to determine the service provider from the phone number, there are a number of services that allow users to do this free. The next step is to determine probable cause or exigent circumstances such as a child abduction, missing person, fugitive etc. The provider will then send information to the law enforcement agent to complete, that information is then faxed back.

The law enforcement agent can send a preservation letter to the provider to ensure that records are not discarded regarding the target phone number, such as text messages and voicemail which is sometimes only retained for 72 hours. The next step is a subpoena, this will allow law enforcement access to basic transaction data, this is limited to account details, billing records and account notes.  This is usually sent via fax to a specific number at a provider for this purpose.

In order to get deeper information a court order or search warrant is filed. When this happens law enforcement can get detailed records including incoming and outgoing calls, cell tower locations and general location information, text message content, voicemail content and other information.

The hierarchy of protection regarding your cell data is as follows:

  1. Transaction records ( name, number billing)
  2. Numbers dialed, incoming and outgoing
  3. Location data, from cell towers
  4. Content of stored communication such as email, voice, text messages
  5. Content of telephone conversations ( wiretap )
It is a crime to access electronic communications without the proper authorization and it is outlined to law enforcement pretty clearly the process and circumstances the data should be accessed. According to  18 U.S.C. §§ 2701-2711  Section 2703(c) a court order, search warrant or customer consent is required for the release of electronic communications including location data. A  subpoena can be used to obtain basic transactional data, but cannot be used to get location information.

 

 

 

 

Location Tracking with Stingrays & Universal Software Radios

The Wall Street Journal recently reported on the FBI’s cell phone tracking tools collectively referred to as “Stingrays” being the forefront of a new Fourth Amendment battle. The tools were used to track Daniel David Rigmaiden who was arrested for fraud, he has stated he is innocent and requested information regarding the tools used to track him, which the FBI are not keen to give up as they state it would provide criminals with knowledge to evade the tools which are being used without a warrant.

U.S. Patent and Trademark Office - Harris Stingray II

The Stingray devices are wireless surveillance tools that operate as multi-channel software defined radio which mimics a cellular base station and collects information from a phone even if the device is not in use. The tools are used to gather unique device IDs and subscriber IDs from target phones (MIN, IMSI, MEID, IMEI). In addition these devices can track location using a method similar to cell tower triangulation but a bit in reverse. Instead of getting location and signal strengths from the towers, a surveillance vehicle that is running the device will drive around a target location and gather the signal strength from the target device as it connects from different locations.  This allows the operator to get a fairly accurate location via triangulation of  the target phone.

The reason for using tools such as this is to circumvent the need to get information from carriers directly, which requires a subpoena, and a court order and possibly even a search warrant depending on the information requested. By intercepting the signals with these devices, law enforcement is able to essentially cut out the middle man. However as the case with Mr. Rigmaiden shows at special court order was still granted before the tool was used. The question for the courts is if the use of these tools require the same protections for monitoring citizens as other methods.

Read More»

Scarlet Johansson Leaked Photos EXIF Data

Recently Scarlet Johansson has been added to the list of celebrities who have had photos taken on their phone compromised. The media is stating this is an apparent ring of hackers that are stealing the data from celebrities phones and laptops, however this theory seems suspect.

More likely is that the images are being stolen from cloud and backup services, where data sits unencrypted, not directly from the devices themselves. I took a look at the recent alleged  images ( research! ) and scanned them for EXIF data to see what information I could find about the images. One of the images had quite a bit of data embedded, I was able to see that the photo was taken with Blackberry Bold 9000 taken on October, 12, 2010 at 8:02PM. It is interesting that these photos are over a year old. Unless the image data and EXIF tags were tampered with the image came directly from the phone and was not modified by any applications like Photoshop, or compressed by any service. The images could have been emailed to another party as an attachment, it is highly likely that an email account or backup service was compromised.

The second photo that shows Johansson’s backside was not taken with the same phone, very little EXIF data was embedded in the image, but it was taken at a much higher resolution of 300 px/inch, the image also uses Progressive DCT encoding vs Baseline DCT like we have on the Blackberry device.

Several celebrities have had images leaked lately Vanessa Hudgens reportedly had nude images leaked after someone hacked her Gmail account. Odds are something similar has happened here, particularly given the age of the images.

Celebrity security needs to be taken as seriously as government security, all data should be encrypted even personal images and data. If celebrities are using cloud services they need to make sure the data is encrypted before it is backed up.

Tor On The Iphone & Other Unusual Devices

Mobile privacy: TOR on the iPhone and other unusual Devices from Deepsec Conference on Vimeo.

Facial Recognition & Iris Scanning iPhone App Privacy Concerns


Recently BI2 Technologies in Plymouth, Massachusetts has stared deploying their new smartphone-based scanner called Mobile Offender Recognition and Information System MORIS which allows police officers to run iris and facial recognition scans in the field.

When attached to an iPhone, MORIS captures photos of a person’s face and runs the image through software that hunts for a match in a BI2-managed database of U.S. criminal records.

The company is dismissing privacy concerns, saying the only people who can use the device are pre-authenticated and that no data stays on the device. However the entire system is run through BI2 who is also managing the criminal image database. The technology being used is unregulated, the agencies that are using the technology state they are instructing the officers to use the technology only when they suspect a crime, this however of course makes the use of this technology a bit vague.

False Positives

The technology that is being used is not always accurate,particularly facial recognition where false positives are highly likely, as even the most recent technology and algorithms have only an 80% accuracy rate. In Massachusetts they have already been running all DMV images through facial recognition software mapping facial data points and comparing them to images of other people. This led to at least one false positive where a person was accused of having a fake drivers license.

Around 40 agencies across the US will be deploying these devices to the field. There is no discussion regarding the depth of training that the officers using these tools will be going through. What happens when you look like a criminal and your face is scanned during a routine traffic stop? Although technology can be useful, if the people utilizing it are not trained properly it can have adverse effects.

What I find disturbing is that there does not appear to be any oversight regarding what new technology law enforcement deploy.

Counter Measures

From what I can tell the device is transmitting data over 3G and Edge data connections and scanning the database remotely, conceivably the tech could then be thwarted by using cell phone jammers, which although illegal are not difficult to obtain. I am also curious if colored contacts would in some way impede the iris scanner’s capability, from what I have read it could.