Technologizer » Security

Your TSA at Work

Harry McCracken — Tue, 27 Dec 2011 16:02:43 +0000

Cupcakes: Potential terrorist weapons. Hummus: Perfectly safe.

More on Carrier IQ

Harry McCracken — Mon, 05 Dec 2011 18:07:30 +0000

Security researcher Dan Rosenberg says that most of the hubbub over Carrier IQ is overblown–but there’s still reason to be concerned.

Based on my research, CarrierIQ implements a potentially valuable service designed to help improve user experience on cellular networks. However, I want to make it clear that just because I do not see any evidence of evil intentions does not mean that what’s happening here is necessarily right. I believe the following points need to be addressed. Note that most of the burden in this situation falls not on CarrierIQ but on the handset manufacturers and carriers, who are ultimately responsible for both collecting this information and establishing service agreements with consumers.

Is Carrier IQ As Bad As It Seems?

Ed Oswald — Fri, 02 Dec 2011 01:03:21 +0000

The controversy over the nature of Carrier IQ’s phone-monitoring application is deepning, with Minnesota Senator Al Franken demanding answers over what the company is doing with the information it collects. Carrier IQ’s code is apparently on millions of devices, and is known to be currently used by at least one manufacturer, HTC, and two carriers, AT&T and Sprint.

Apple chimed in, and says it used Carrier IQ in “most” of its pre-iOS 5 products. It says the code will be removed completely in a future software update, and the submission of diagnostic data is opt-in.
Franken asks Carrier IQ to provide details on what exactly the software records, where the data is transmitted to, and whether or not protections are in place to protect the security of those affected. He is also calling upon the company to give consumers a method of opting out of the process.

“This news underscores the need for Congress to act swiftly to protect the location information and private, sensitive information of consumers”, he says. “Right now, Carrier IQ has a lot of questions to answer”.
Since the story came to a head over the past week, several companies have come forth to clarify their position on Carrier IQ. Verizon has denied the use completely in any of its smart devices, while Sprint and AT&T both admitted to use of the software.

“In-line with our privacy policy, we solely use CIQ software data to improve wireless network and service performance”, AT&T spokesperson Mark Seigel says, calling it a network management tool. Sprint echoed AT&T’s position, calling the software an “integral part” of its network management.

The biggest question remains as to what exactly Carrier IQ is doing. While the researcher — Trevor Eckhart — makes claims of keylogging, at no time does he actually prove what is being sent. This is crucial to the entire story. If this software is just sending behavior, it’s no different from the data many of us agree to opt-in to for those “customer experience” surveys. If its actually sending content, that’s completely different.

Here’s the thing, as John Graham-Cumming puts it: “What isn’t delved into is what the application does with the information. Without that it’s not possible to tell if there’s something really scary going on or not”. And that’s very important, because if we don’t know this, it sounds a lot like Chicken Little.

[UPDATE: A Carrier IQ executive gave All Things D's John Paczkowski more information on what the software captures and transmits--and says it doesn't involve any personally-identifiable information. Just data on issues such as dropped calls.]

Smartphone Spyware Kerfuffle

Harry McCracken — Wed, 30 Nov 2011 16:41:11 +0000

Android developer Trevor Eckhart says that Carrier IQ, a piece of software preinstalled on millions of smartphones to help wireless carriers monitor the quality of their service, secretly monitors users’ activities, records keystrokes, and transmits them to the company. I’m not a security expert, so I can’t judge the accuracy of his claims. But I do know this: The Carrier IQ folks need to clearly and honestly explain what’s going on. So far, their response has consisted mostly of threatening Eckhart and releasing a defensive-sounding statement that’s rife with buzzwords.
How about a calm, plain-English FAQ on what the software does and doesn’t do?

Android Fragmentation Equals Android Insecurity

Harry McCracken — Mon, 21 Nov 2011 19:09:46 +0000

My recent TIME.com column on Android fragmentation didn’t provide an exhaustive list of reasons to be frustrated by the degree to which the Android ecosystem is dominated by old versions of the software. In fact, I didn’t mention one of the biggest ones: Old versions of Android don’t have the newest security fixes, and are therefore potentially dangerous.

Now a security company called Bit9 has released what it calls the Dirty Dozen List of insecure smartphones. They’re all Android models running old versions:

Samsung Galaxy Mini
HTC Desire
Sony Ericsson Xperia X10
Sanyo Zio
HTC Wildfire
Samsung Epic 4G
LG Optimus S
Samsung Galaxy S
Motorola Droid X
LG Optimus One
Motorola Droid 2
HTC Evo 4G

Bit9 explains its methodology–which looks pretty serious to me–in this PDF.

Whenever I gripe about Android fragmentation, I hear from people who tell me that I’m all worked up over nothing. (Typical comment: “Mr. McCracken, like so many tech journalists, you have totally missed the point here. Believe it or not, Android “fragmentation” is not the massive problem it’s made out to be.”) But I’d like to hear anyone explain to me why this isn’t anything to be concerned about.

Fake Battery Apps Invade Androidland

Harry McCracken — Mon, 17 Oct 2011 15:02:39 +0000

More evidence that Android is the Windows of mobile operating systems: It’s under attack by sleazeware. PCWorld’s Tom Spring reports:

Brandt says that one Android battery app, called both Battery Doctor and Battery Upgrade, is particularly problematic: Not only does it not upgrade a battery or extend a charge, but when it’s installed and unlocked, it harvests the phone’s address book, the phone number, the user’s name and email address, and the phone’s unique identifying IMEI number. With a phone user’s name, IMEI, and wireless account information, an attacker could clone the phone and intercept calls and SMS messages, or siphon money from a user by initiating premium calls and SMS services. Once the battery app is installed the program sends the phone ads that appear in the drop down status bar of the phone at all times – whether the app is running or not. Lastly it periodically transmits changes to the user’s private information and phone-hardware details to its servers.

Chrome OS: Hacked!

Ed Oswald — Thu, 04 Aug 2011 20:29:15 +0000

Well, somebody’s finally done it. Google’s been selling us for quite a while on just how secure Chrome is, and they haven’t really lied to us. Getting into the OS or the browser for that matter has proved pretty darn difficult. But at the Black Hat security conference two researchers with White Hat Security have gotten into Chrome OS.

The flaw is in ScratchPad, a Chrome app that allows users to compose text files and then save them to Google Docs. Through it, the attacker can gain access to a person’s e-mail, contacts, and Google Docs and Voice accounts. Give Google some credit here though, the two redarchers working on this – Matt Johanson and Kyle Osborn — said they spent months looking for a hole, and must have only found one now.

To their credit, Johanson and Osborn have informed Google of the flaw and said that it and some other flaws had been addressed, but that some issues do remain. Chrome OS does remain one of the most secure platforms, thanks to Google’s work in ensuring holes are closed.

White Hat’s work came actually as a result of a Google query to the firm on finding security flaws within Chrome OS. The ScratchPad bug was one of those found as a result. The two researchers also said they continue to look for issues, but are treating it more like they would a mobile phone.

That’s because of the way the operating system is built. Since most apps are web-based, functionality is gained through the addition of extensions, much like a browser or mobile phone. Chrome OS is only as powerful as you’ll make it — so the entry point for an attacker is likely to be through an extension rather than the OS itself.

What’s that mean? Google’s going to need to be very careful about Chrome OS extensions.

Turkish Authorities Claim Arrest of 32 “Anonymous” Hackers

Doug Aamoth — Mon, 13 Jun 2011 19:59:23 +0000

Hot on the heels of Spain’s recent arrest of three members of the hacking group known as “Anonymous,” Turkish police are now claiming to have rounded up an additional 32 members of the group.

According to Security Week:

The Anatolia news agency said today that the suspects were taken into custody after conducting raids in a dozen cities for suspected ties to Anonymous.

The group recently targeted Web sites of the country’s telecommunications watchdog, the prime minister’s office and parliament as a protest to Turkey’s plans to introduce Internet filters.

Spanish authorities arrested three members late last week with alleged ties to the infamous PlayStation Network hacks. The BBC reports that in retaliation to the arrests in Spain, other members of Anonymous apparently knocked Spain’s police website offline for about an hour yesterday.

(via Slashdot)

(This post republished from Techland.)

Now Nintendo Admits It Was Hacked, Says No Customer Data Stolen

Matt Peckham — Mon, 06 Jun 2011 14:25:53 +0000

As this week’s E3 games conference and debut of Nintendo’s Wii successor looms, Nintendo’s admitting that Sony’s not the only victim of hacktivist ne’er-do-wells—yep, Nintendo was hacked, too.

Nintendo acknowledged a security breach in a statement yesterday, explaining that its U.S. servers came under cyber-fire a few weeks ago, but stressed that no personal user data was in breach. By comparison, Sony’s seen troves of sensitive personal data repeatedly stolen (and reportedly distributed) as hackers took turns assaulting the electronics conglomerate’s many corporate facets.

The PlayStation Network went down April 20th and didn’t fully return to life until last Wednesday, June 1st. And just last Friday, Sony was hacked again—specifically Sony Pictures, the company’s TV and film production unit—by a group calling itself “LulzSec,” as part of a campaign dubbed “Sownage.” (Get it? Sony + Ownage?) LulzSec had previously claimed credit for recent attacks on PBS and FOX.com.

The same group’s taking credit for the Nintendo hack, yesterday tweeting ”Nintendo, we just got a config file and made it clear that we didn’t mean any harm,” while adding “Nintendo had already fixed it anyway.”

Nintendo’s statement jibes with the hack group’s claims.

“The server contained no consumer information,” said Nintendo in a press statement (via Reuters), adding “The protection of our customer information is our utmost priority.”

Unlike prior attacks by hack group “Anonymous,” which targeted Sony in retaliation for its lawsuit against PS3 root-key cracker George Hotz, LulzSec claims it’s hacking for the greater good.

“We love Nintendo and Sega, if anything we’d hack *for* them,” tweeted LulzSec just this morning. “If you’re listening Nintendo/Sega, you, you uh… you want Sony hacked more?

Wild guess here: I’m pretty sure Nintendo/Sega don’t.

(This post republished from Techland.)

Mac Security Attacks: Keep Calm and Carry On

Harry McCracken — Fri, 03 Jun 2011 18:05:34 +0000

My TIME.com Technologizer column this week is a look at the recent Mac Defender trojan attacks, and how Mac users should respond to the first really meaningful security issue in OS X history.