Archive for the ‘Cell phone’ Category

As I do almost every day, I was looking through security news this morning. An article by Graham Cluley about a security issue—CERT CVE-2015-2865 —with the SwiftKey keyboard on Samsung Galaxy phones caught my eye. The security issue with the keyboard is because it updates itself automatically over an unencrypted HTTP connection instead of over HTTPS and does not verify the downloaded update. It cannot be uninstalled or disabled or replaced with a safer version from the Google Play store. Even if it is not the default keyboard on your phone, successful exploitation of this issue could allow a remote attacker to access your camera, microphone, GPS, install malware, or spy on you.

Samsung provided a firmware patch early this year to affected cell phone service providers.

What to do: Check with your cell phone service provider to see if the patch has been applied to your phone. I talked to Verizon this morning, and my phone does have the patch. Do not attach your phone an insecure Wi-Fi connection until you are sure you have the patch—which is not a good idea anyway.

~

An interesting article in Atlantic Monthly discusses purging data in online government and corporate (think insurance or Google) databases when it is two years old, since they cannot keep these online databases secure. I can see their point, but some of that information may actually be useful or even needed after two years. For instance, I would prefer that background checks were kept for longer than two years, although I would certainly like the information they contain to be secured.

Maybe archiving is a better idea instead of purging. It is interesting option, and it certainly deserves more thought.

~

Lastly, LastPass: I highly recommend password managers. I tried LastPass and it was not for me. I do not like the idea of storing my sensitive information in the cloud (for “cloud” think “someone else’s computer”), but it is very convenient. Most of the time, you achieve convenience by giving up some part of security.

LastPass announced a breach on Monday –not their first. They said that “LastPass account email addresses, password reminders, server per user salts, and authentication hashes were compromised.”

For mitigation: They have told their user community that they will require verification when a user logs in from a new device or IP address. In addition,

  1. You should change your master password, particularly if you have a weak password. If you used your master password on other sites, you should change those passwords as well.
  2. To make a strong password, make it long and strong. It should be at least 15 characters—longer is better—contain upper- and lowercase letters, digits, and symbols. It should not contain family, pet, or friend names, hobby or sports references,  birthdates, wedding anniversaries, or topics you blog about. Passphrases are a good idea, and you can make them even more secure by taking the first letter of each word of a long phrase that you will remember. For example:

    I love the Wizard of Oz! It was my favorite movie when I was a child.

    becomes

    IltWoO! IwmfmwIwac$

    Everywhere a letter is used a second time, substitute a numeral or symbol, and it will be difficult to crack:

    IltWo0! 1>mf3wi<@c$

  3. When you create a LastPass master password, it will ask you to create a reminder. Let’s say you took your childhood dog’s name, added the number “42,” and the color “blue” because he had a blue collar to make your new master password: osC@R-forty2-Blew! If your reminder is “dog 42 blue,” your password could be much easier to crack. Maybe you even talked about Oscar in a Facebook post. So again, do not use a pet’s name in your password. Then put something in for the reminder that has no relation to your password: “Blank” or “Poughkeepsie” for instance.
  4. Keep your master password someplace safe. Do not leave a copy in clear text on your phone or your computer or taped to your monitor. Put it in a locked drawer or better—your safe deposit box.
  5. Back up your password database periodically to a device you store offline, and printing the list and storing both the printout and the backup in a sealed envelope in your safe deposit box is a good idea as well.
  6. Use two-factor authentication. If you don’t know anything about it, this Google account article will explain it.

Part 1 explains why you might decide to use secure messaging.

If you decide you want to use a secure messaging app, here are some factors you might consider:

  • How secure is the program? Does it send your messages in plaintext or does it encrypt your communications?
  • How user friendly is it?
  • How many people overall use it? A good rule for security and privacy: do not be an early adapter! Let somebody else work the bugs out. The number of users should be at least several thousand.
  • What do users say about using it? Make sure you read both positive and negative comments. Test drive it before you trust it.
  • How many people do you know who use it? Could you persuade your family and friends to use it?
  • How much does it cost?
  • What happens to the message if the receiver is not using the same program as the sender?
    • Does it notify you first and offer other message delivery options or does the message encryption fail?
    • For those cases where the encryption fails, does the message not get sent or is it sent and stored unencrypted on the other end?
  • Will it work on other platforms besides yours? Android, iOS, Blackberry, Windows, etc.
  • Does the app include an anonymizer, such as Tor?
  • While the app itself may not cost, consider whether the messages will be sent using data or SMS? Will it cost you money from that standpoint?

The Electronic Freedom Foundation recently published an article called “The Secure Messaging Scorecard” that might help you find an app that meets your needs. Here are a few of the protocols used by the applications listed in the article:

I picked out a few apps that met all of their parameters, and put together some notes on cost, protocols, and platforms. While I have not used any of them, I am looking forward to testing them, and will let you know how it goes.

 

App Name Cost Platforms Protocol Notes
ChatSecure + Orbot Free; open source; GitHub iOS, Android OTR, XMPP, Tor, SQLCipher
CryptoCat Free; open source; GitHub Firefox, Chrome, Safari, Opera, OS X, iPhone; Facebook Messsenger OTR – single conversations; XMPP – group conversations Group chat, file sharing; not anonymous
Off-The-Record Messaging for Windows (Pidgin) Free Windows, GNOME2, KDE 3, KDE 4 OTR, XMPP, file transfer protocols
Off-The-Record Messaging for Mac (Adium) Free Adium 1.5 or later runs on Mac OS X 10.6.8 or newer OTR, XMPP, file transfer protocols No recent code audit
Signal (iPhone) / RedPhone (Android) Free iPhone, Android, and the browser ZTRP
Silent Phone / Silent Text https://silentcircle.com/pricing Desktop: Windows ZRTP, SCIMP Used for calling, texting, video chatting, or sending files
Telegram (secret chats) Free Android, iPhone / iPad, Windows Phone, Web- version, OS X (10.7 up), Windows/Mac/Linux Mproto Cloud-based; runs a cracking contest periodically
TextSecure Free Android Curve25519, AES-256, HMAC-SHA256.

Sources
http://en.flossmanuals.net/basic-internet-security/ch048_tools-secure-textmessaging/
http://security.stackexchange.com/questions/11493/how-hard-is-it-to-intercept-sms-two-factor-authentication
http://www.bbc.co.uk/news/technology-16812064
http://www.practiceunite.com/notifications-the-3-factor-in-choosing-a-secure-texting-solution/
http://www.tomsguide.com/us/iphone-jailbreak-risks,news-18850.html

When you send a message, who controls your messages? You write them and you get them, but what happens in the middle? Where are they stored? Who can read them? Email, texts, instant messaging and Internet relay chat (IRC), videos, photos, and (of course) phone calls all require software. Those programs are loaded on your phone or your tablet by the device manufacturer and the service provider. However, you can choose to use other – more secure – programs.

In the old days of the 20th century, a landline telephone call (or a fax) was an example of point-to-point service. Except for wiretaps or party lines, or situations where you might be overheard or the fax intercepted, that type of messaging was reasonably secure. Today, messaging does not usually go from your device—whether it is a cell phone, laptop, computer, or tablet—directly to the receiver’s device. Landlines are becoming scarcer, as digital phones using Voice over IP (VoIP) are becoming more prevalent. Messages are just like any other Internet activities: something (or someone) is in the middle.

It’s a lot like the days when an operator was necessary to connect your call. You are never really sure if someone is listening to your message.

What that means is that a digital message is not be secure without taking extra precautions. It may go directly from your device to your provider’s network or it may be forwarded from another network; it often depends on where you are located in relation to a cell phone tower and how busy it is. Once the message has reached your provider’s network, it may bounce to a couple of locations on their network, and then—depending on whether your friend is a subscriber of the same provider—the message may stay on the same network or it may hop to another provider’s network, where it will be stored on their servers, and then finally be delivered to the recipient.

Understand that data has different states and how the data is treated may be different depending on the state. Data can be encrypted when it is transmitted and it can be encrypted when it is stored, or it can remain unencrypted in either state.

Everywhere it stops on the path from your device to the destination, the message is stored. The length of time it is kept in storage depends on the provider’s procedures, and it could be kept for weeks or even years. It gets backed up and it may be sent to offsite storage. At any time along its travels, it can be lost, stolen, intercepted or subpoenaed. If the message itself is encrypted, it cannot be read without access to the key. If the application is your provider’s, they may have access to the message even if it is encrypted if they have access to the key.

Is the message sent over an encrypted channel or is it sent in plain text? If you are sending pictures of LOLZ cats, who cares? But if you are discussing, say, a work-related topic, or a medical or any other confidential issue, you might not want your messages available on the open air. In fact, it’s better for you and your employer if you keep your work and personal information separated on your devices. This can happen by carrying a device strictly for work or maybe through a Mobile Device Management application your employer installed that is a container for your employer’s information. If you do not keep your information separate and your job suddenly comes to an end, they may have the right to wipe your personal device or you may not be able to retrieve any personal information stored on a work phone. Those policies you barely glanced at before you signed them when you started working at XYZ Corporation? It is a good idea to review them at least once a year and have a contingency plan! I have heard horror stories about baby pictures and novels that were lost forever after a job change.

Are you paranoid yet? If not, I have not explained this very well!

A messaging app that uses encryption can protect your communications with the following disclaimers. These apps cannot protect you against a key logger or malware designed to intercept your communications. They cannot protect you if someone has physical or root access to your phone. That is one of the reasons that jail-breaking your phone is such a bad idea—you are breaking your phone’s built-in security protections.

An app also cannot protect you against leaks by someone you trusted with your information. Remember: If you do not want the files or the texts you send to be leaked by someone else, do not send the information.

If you decide that you want to try one or more messaging applications, it is really important to read the documentation thoroughly so you understand what the app does and what it does not do and how to use it correctly. And, finally: Do not forget your passphrase!! Using a password manager such as KeePass or LastPass is a necessity today. Also back up your passwords regularly and put a copy—digital and/or paper—of any passwords you cannot afford to lose in a safe deposit box or cloud storage. If you decide to use cloud storage, make sure you encrypt the file before you upload it. Cloud storage is a term that means you are storing your stuff on someone else’s computer.

Part 2

Your cell phone can be taken over by hackers who will view through your camera and watch you enter your passwords and other information.  Here in Austin at the IEEE “Globecom” conference on global communication last December, I attended a presentation from Temple University researchers who compromised an Android cell phone. 

Doctoral candidate Longfei Wu and five colleagues from Temple University, the University of Massachusetts, and Beijing University exploited vulnerabilities in the Android cell phone to seize control of the camera.

Having done that – and having reduced their footprint to one pixel – they then watched finger touches to the keyboard in order to guess passwords.  Some sequences were more secure than others.  1459 and 1479 were easy to identify.  1359 and 1471 were harder to guess.  The fundamental fact remains: They took control of the camera without the cell phone owner being aware of it.

Moreover, the Android operating system does not provide you with a log file of usage.  There is no way for you to review what your phone has been doing. However, the researchers fixed that. 

“We make changes to the CheckPermission() function ofActicityManagerService, and write a lightweight defense app such that whenever the camera is being called by apps with CAMERA permission, the defense app will be informed along with the caller’s Application Package Name.

[…]

There are three parts of warnings in our defense scheme. First, an alert dialog including the name of the suspicious app is displayed. In case the warning message cannot be seen immediately by the user (e.g., the user is not using the phone), the defense app will also make sound and vibration to warn the user of spy camera attacks. Besides, the detailed activity pattern of suspected apps are logged so that the user can check back.” — from “Security Threats to Mobile Multimedia Applications: Camera-based Attacks on Mobile Phones”,IEEE Communications Magazine, March 2014.”

If you want to protect your phone, you have to figure out how for yourself.  Very few ready-made defense apps exist for Android, or iPhone.  You could join a local hacker club such as DefCon.  (For Ann Arbor, it is DefCon 734; for Minneapolis it is DC612.)  That brings up the problem of trust.  When I go to computer security conferences, I never take a computer; and I do not answer my phone.  I do trust the organizers of our local groups, LASCON, ISSA, OWASP,  and B-Sides; but I do not trust everyone who comes to every meeting.  If you want someone to “jailbreak” your phone, and program something on it for you, then you really need strong trust.  It is best to do it for yourself.

“Unfortunately, it’s not uploaded online. To support the defense scheme, I modified the Android system and generate new image files. This means if someone want to use the defense function, he/she must flash the phone. As a result, all the installed stuff may get lost. I think people wouldn’t like that to happen. Besides, the Android version I used for testing is 4.1-4.3, while the most recent release is 5.0.” – Longfei Wu, reply to email.

As “the Internet of Things” connects your washing machine and your car to your home thermostat and puts them all online along with your coffee-maker and alarm clock, all of them connected to the television box that never shuts off and always listens, you will be increasingly exposed to harm.

More websites that value privacy are shutting down … Groklaw, Lavabit, and Silent Circle.

While I agree with much of what Pamela Jones said in this article, http://www.groklaw.net/article.php?story=20130818120421175, I can’t agree with her conclusion to get off the Internet. “They” win then, don’t they?

I also have to agree with PandoDaily’s Adam L. Penenberg that their owners shutting down these 3 websites in particular was not such a great idea. http://pandodaily.com/2013/08/20/why-shutting-down-groklaw-lavabit-and-silent-circle-was-a-bad-move/  Like the guy said in The Godfather, “Go to the mattresses!” Keep people interested in fighting for their rights.

Now, back to the usual type of privacy-impacting shenanigans this website looks at. This article talks about how stores want to personalize your shopping experience for your shopping habits, kinda like Amazon already does. http://pandodaily.com/2013/08/23/customer-stalking-coming-soon-to-a-store-near-you/

I like coupons as well as the next person, but … it’s c-r-e-e-p-y! Facial recognition software, emotion-sensing technology … Carmel Deamicis calls it customer stalking and I don’t want to be stalked. Next thing you know, I’m gonna have one of those coffee machines that brews individual cups of coffee at a bazillion dollars per cup sitting in my kitchen and I’m going to feel bad every time I throw one of those little cups away. And, besides which, the type of coffee that goes in them is kinda nasty.

I don’t like it when Amazon tells me what I’ve looked at and what I’ve bought and what somebody else that bought what I bought bought … Geez, is that even grammatical?!

But what I do know is this: It’s creepy.

NSA peepers

Posted: June 9, 2013 by IntentionalPrivacy in Cell phone, Privacy, Social media
Tags: , , , , ,

Coming on the heels of the Verizon snooping story last week is a remarkable article by The Washington Post that alleges the NSA collects data, codenamed “PRISM,” from “Microsoft, Yahoo, Google, Facebook, PalTalk, AOL, Skype, YouTube, Apple.” http://www.washingtonpost.com/investigations/us-intelligence-mining-data-from-nine-us-internet-companies-in-broad-secret-program/2013/06/06/3a0c0da8-cebf-11e2-8845-d970ccb04497_story.html Make sure you watch the video also.

Then there’s the AP surveillance case, which you can read about here.

One of my favorite quotes from one of my favorite movies, Sneakers, is where Cosmo saysThere’s a war out there, old friend. A world war. And it’s not about who’s got the most bullets. It’s about who controls the information. What we see and hear, how we work, what we think… it’s all about the information!”

Yes, I believe that’s true.

Business Insider wrote another article here about a statement issued by US Director of National Intelligence James R. Clapper Jr., which declares PRISM is used lawfully to gather foreign intelligence.

What can you do about snooping?

  • Don’t use Facebook, Yahoo, Hotmail, Gmail, Skype, YouTube, etc.
  • Maintain your super secret data on an encrypted computer running something like SELinux using TEMPEST technologies that never connects to the Internet. Never!
  • Don’t use a cell phone to make important calls and don’t carry a cell phone with you. In fact, don’t make important calls from land lines either.
  • Have your super secret conversations in person in a windowless room that you’ve swept for bugs.
  • You ought to be shredding your discarded paperwork anyway!

I mean, I could go on … but is any of this practical? Not really (except for the shredding).

The ACLU says:

In 2012, Sens. Ron Wyden (D-Ore.) and Mark Udall (D-Colo.) wrote, “When the American people find out how their government has secretly interpreted the Patriot Act, they are going to be stunned and they are going to be angry.”

Am I surprised about the WP expose article? No. The sad thing? Do I feel safer because of this snooping? No, not really. Yes, I understand that there have to be tradeoffs between privacy and security.

I ran across this new app called “Wickr,” available from the iTunes store. I haven’t tested it yet, but it sounds amazing. It is supposed to be available for Android soon. Best of all, the basic version is FREE.

What does Wickr do? It’s an app that sends encrypted communications—photos, video, texts, email—to people you trust. Then, at a predetermined time, that communication will self destruct. It uses Advanced Encryption Standard (AES), Elliptic Curve Diffie-Hellman (ECDH), and Transport Layer Security (TLS) algorithms for encryption, which Wickr talks about here https://www.mywickr.com/en/downloads/RSA_Security_Announcement.pdf

Caveat: Don’t lose your password! You lose access to your account. Also, make sure that you read the “Frequently Asked Support Questions” before you install the app, so that you understand how it works.

More stories about Wickr:

http://news.cnet.com/8301-1009_3-57462189-83/wickr-an-iphone-encryption-app-a-3-year-old-can-use/

http://www.npr.org/2012/12/04/166464858/online-privacy-fix

http://bits.blogs.nytimes.com/2012/06/27/an-app-that-encrypts-shreds-hashes-and-salts/

FTC Cellphone PROTECT Initiative

Posted: November 2, 2012 by IntentionalPrivacy in Cell phone, Identity theft
Tags: , ,

The FTC’s new program to help combat cellphone theft started on November 1, 2012. The major carriers–AT&T, Sprint, T-Mobile, and Verizon–have launched databases for stolen smart phones, so when a cellphone user reports that their cellphone has been stolen, that device will not be able to be used again. http://www.fcc.gov/document/announcement-new-initiatives-combat-smartphone-and-data-theft

The FTC advises cellphone users to lock their phones with a passcode to protect any information on their phone, use software to help locate lost devices and either install a remote-wipe application or enable the feature to remotely wipe a stolen device.

If your cellphone has been provided by your employer, look to them for guidance first.

For more information on how to better protect your cellphone, your provider should provide more information. Search their website using keywords such as “lock,” “locate device,” and “remote wipe.”

Here are a couple articles on what to do:

http://www.pcmag.com/article2/0,2817,2352755,00.asp

http://forums.att.com/t5/Apple-Community-Discussion/How-to-SECURE-YOUR-new-iPhone-4S-PLEASE-TAKE-THE-TIME-TO-READ-IT/td-p/3210869

I use Prey at https://preyproject.com/ to track my Mac and Windows laptops. Prey will also work for iOS, Linux, Ubuntu, and Android. While I don’t currently use a smart phone, when I had an Android (company supplied), I tried the Remote Wipe feature provided by our IT department and it worked perfectly. I also used the free version of Lookout for Android.