Cupcakes: Potential terrorist weapons. Hummus: Perfectly safe.
Security researcher Dan Rosenberg says that most of the hubbub over Carrier IQ is overblown–but there’s still reason to be concerned.
Based on my research, CarrierIQ implements a potentially valuable service designed to help improve user experience on cellular networks. However, I want to make it clear that just because I do not see any evidence of evil intentions does not mean that what’s happening here is necessarily right. I believe the following points need to be addressed. Note that most of the burden in this situation falls not on CarrierIQ but on the handset manufacturers and carriers, who are ultimately responsible for both collecting this information and establishing service agreements with consumers.
The controversy over the nature of Carrier IQ’s phone-monitoring application is deepening, with Minnesota Senator Al Franken demanding answers over what the company is doing with the information it collects. Carrier IQ’s code is apparently on millions of devices, and is known to be currently used by at least one manufacturer, HTC, and two carriers, AT&T and Sprint.
Apple chimed in, and says it used Carrier IQ in “most” of its pre-iOS 5 products. It says the code will be removed completely in a future software update, and the submission of diagnostic data is opt-in.
Franken asks Carrier IQ to provide details on what exactly the software records, where the data is transmitted to, and whether or not protections are in place to protect the security of those affected. He is also calling upon the company to give consumers a method of opting out of the process.
Android developer Trevor Eckhart says that Carrier IQ, a piece of software preinstalled on millions of smartphones to help wireless carriers monitor the quality of their service, secretly monitors users’ activities, records keystrokes, and transmits them to the company. I’m not a security expert, so I can’t judge the accuracy of his claims. But I do know this: The Carrier IQ folks need to clearly and honestly explain what’s going on. So far, their response has consisted mostly of threatening Eckhart and releasing a defensive-sounding statement that’s rife with buzzwords.
How about a calm, plain-English FAQ on what the software does and doesn’t do?
My recent TIME.com column on Android fragmentation didn’t provide an exhaustive list of reasons to be frustrated by the degree to which the Android ecosystem is dominated by old versions of the software. In fact, I didn’t mention one of the biggest ones: Old versions of Android don’t have the newest security fixes, and are therefore potentially dangerous.
Now a security company called Bit9 has released what it calls the Dirty Dozen List of insecure smartphones. They’re all Android models running old versions:
Bit9 explains its methodology–which looks pretty serious to me–in this PDF.
Whenever I gripe about Android fragmentation, I hear from people who tell me that I’m all worked up over nothing. (Typical comment: “Mr. McCracken, like so many tech journalists, you have totally missed the point here. Believe it or not, Android “fragmentation” is not the massive problem it’s made out to be.”) But I’d like to hear anyone explain to me why this isn’t anything to be concerned about.
More evidence that Android is the Windows of mobile operating systems: It’s under attack by sleazeware. PCWorld’s Tom Spring reports:
Brandt says that one Android battery app, called both Battery Doctor and Battery Upgrade, is particularly problematic: Not only does it not upgrade a battery or extend a charge, but when it’s installed and unlocked, it harvests the phone’s address book, the phone number, the user’s name and email address, and the phone’s unique identifying IMEI number. With a phone user’s name, IMEI, and wireless account information, an attacker could clone the phone and intercept calls and SMS messages, or siphon money from a user by initiating premium calls and SMS services. Once the battery app is installed the program sends the phone ads that appear in the drop down status bar of the phone at all times – whether the app is running or not. Lastly it periodically transmits changes to the user’s private information and phone-hardware details to its servers.
By Ed Oswald | Posted at 1:29 pm on Thursday, August 4, 2011
Well, somebody’s finally done it. Google’s been selling us for quite a while on just how secure Chrome is, and they haven’t really lied to us. Getting into the OS or the browser for that matter has proved pretty darn difficult. But at the Black Hat security conference two researchers with White Hat Security have gotten into Chrome OS.
The flaw is in ScratchPad, a Chrome app that allows users to compose text files and then save them to Google Docs. Through it, the attacker can gain access to a person’s e-mail, contacts, and Google Docs and Voice accounts. Give Google some credit here though: the two researchers working on this – Matt Johanson and Kyle Osborn – said they spent months looking for a hole, and must have only found one now.
Hot on the heels of Spain’s recent arrest of three members of the hacking group known as “Anonymous,” Turkish police are now claiming to have rounded up an additional 32 members of the group.
According to Security Week:
The Anatolia news agency said today that the suspects were taken into custody after conducting raids in a dozen cities for suspected ties to Anonymous.
The group recently targeted Web sites of the country’s telecommunications watchdog, the prime minister’s office and parliament as a protest to Turkey’s plans to introduce Internet filters.
Spanish authorities arrested three members late last week with alleged ties to the infamous PlayStation Network hacks. The BBC reports that in retaliation to the arrests in Spain, other members of Anonymous apparently knocked Spain’s police website offline for about an hour yesterday.
(This post republished from Techland.)
As this week’s E3 games conference and debut of Nintendo’s Wii successor looms, Nintendo’s admitting that Sony’s not the only victim of hacktivist ne’er-do-wells—yep, Nintendo was hacked, too.
Nintendo acknowledged a security breach in a statement yesterday, explaining that its U.S. servers came under cyber-fire a few weeks ago, but stressed that no personal user data was breached. By comparison, Sony’s seen troves of sensitive personal data repeatedly stolen (and reportedly distributed) as hackers took turns assaulting the electronics conglomerate’s many corporate facets.
My TIME.com Technologizer column this week is a look at the recent Mac Defender trojan attacks, and how Mac users should respond to the first really meaningful security issue in OS X history.
ZDNet blogger Ed Bott, who’s known more for his reporting on Microsoft than on anything Apple, has been hot on this story since the get go. He reported Wednesday that as if on cue the Mac Defender creators have released a new version of the malware application that requires no password at all to install.
See, Mac users–including myself–have accurately pointed out that basically all attempted malware for the Mac required the user to enter the administrative password. If you did that, it was your own stupid fault for getting infected. With MacGuard, it’s completely different.
Apple has published instructions for removing Mac Defender–the malware I encountered yesterday in its Mac Protector variant–and says that it’s working on an OS X update that will detect and remove it automatically.
“A conservative is a liberal who’s been mugged.” I thought of that old wisecrack this morning when I encountered something I’d never seen before: a serious trojan attack on my Mac.
The attack in question was an instance of Mac Protector, a variant of the Mac Defender attack that’s been in the news this month (my friend Ed Bott has written about it repeatedly). I was browsing in Safari and suddenly got this window, looking a bit like OS X’s Finder and a bit like iTunes (click on it to see it at a larger size):
Facing increasing criticism of his company’s handling of the PSN hack — and now apparently a new security issue — Sony’s CEO Sir Howard Stringer has suddenly become much more vocal in striking down critics. The company’s new logic appears to be that “no network is 100 percent secure,” and that the attack on its servers was “unprecedented.”
Stringer’s comments came in the form of interviews with several outlets, including Bloomberg, Reuters, the Wall Street Journal, and others. He argued that the company’s notification of the hack within a week was faster than other companies have alerted their own users of data loss, sometimes months after the fact.
Here’s a problematic side effect of Android fragmentation: if there’s a serious security issue and it gets fixed in the new version of Android, the vast majority of users may have no way to get it.