Privacy

Privacy and anonymity

Apple and “identity pollution”

Apple has obtained a patent for “identity pollution,” according to the Atlantic.

I am of not just two, but a great many minds about this.  (OK, admit it: you always knew I was schizophrenic.)

First off, I wonder how in the world they got a patent for this.  OK, maybe there isn’t much in the way of prior art, but the idea can’t possibly be called “non-obvious.”  Even before the rise of “social networking” I was prompting friends to use my “loyalty” shopping cards, even the ones that just gave discounts and didn’t get you points.  I have no idea what those stores think I buy, and I don’t much care, but I do know that they have very little about my actual shopping patterns.

In our advice to the general population in regard to Internet and online safety in general, we have frequently suggested a) don’t say too much about yourself, and b) lie.  Isn’t this (the lying part) exactly what Apple is doing?

In similar fashion, I have created numerous socmed accounts which I never intended to use.  A number of them are simply unpopulated, but some contain false information.  I haven’t yet gone to the point of automating the process, but many others have.  So, yet another example of the US patent office being asleep (Rip-Van-Winkle-level asleep) at the technological switch.

Then there is the utility of the process.  Yes, OK, we can see that this might (we’ll come back to the “might”) help protect your confidentiality.  How can people find the “you” in all the garbage?  But what is true for advertisers, spammers, phishers, and APTers is also true for your friends.  How will the people who you actually *want* to find you, find the true you among all the false positives?

(Here is yet another example of the thre “legs” of the security triad fighting with each other.  We have endless examples of confidentiality and availability working against each other: now we have confidentiality and integrity at war.  How do you feel, in general, about Apple recommending that we creating even more garbage on the Internet than is already there?)

(Or is the fact that it is Apple that is doing this somehow appropriate?)

OK, then, will this work?  Can you protect the confidentiality of your real information with automated false information?  I can see this becoming yet another spam/anti-spam, CAPTCHA/CAPTCHA recognition, virus/anti-virus arms race.  An automated process will have identifiable signs, and those will be detected and used to ferret out the trash.  And then the “identity pollution” (a new kind of “IP”?) will be modified, and then the detection will be modified …

In th meantime, masses of bandwidth and storage will be consumed.  Socnet sites will be filled with meaningless accounts.  Users of socmed sites will be forced to spend even more time winnowing out those accounts not worth following.  Socnet companies will be forced to spend more on storage and determination of false accounts.  Also, their revenues will be cut as advertises realize that “targetted” ads will be less targetted.

Of course, Apple will be free to create a social networking site.  They already have created pieces of such.  And Apple can guarantee that Apple product users can use the site without impedance of identity pollution.  And, since Apple owns the patent, nobody else will be able to pollute identities on the Apple socnet site.

(And if Apple believes that, I have a bridge to sell them …)

Words to leak by …

The Department of Homeland Security has been forced to release a list of keywords and phrases it uses to monitor social networking sites and online media.  (Like this one?)

This wasn’t “smart.”  Obviously some “pork” barrel project dreamed up by the DHS “authorities” “team” (“Hail” to them!) who are now “sick”ly sorry they looked into “cloud” computing “response.”  They are going to learn more than they ever wanted to know about “exercise” fanatics going through the “drill.”

Hopefully this message won’t “spillover” and “crash” their “collapse”d parsing app, possibly “strain”ing a data “leak.”  You can probably “plot” the failures at the NSA as the terms “flood” in.  They should have asked us for “help,” or at least “aid.”

Excuse, me, according to the time on my “watch,” I have to leave off working on this message, “wave” bye-bye, and get some “gas” in the car, and then get a “Subway” for the “nuclear” family’s dinner.  Afterwards, we’re playing “Twister”!

(“Dedicated denial of service”?  Really?)

Howto: Phish HSBC credit card numbers

Like many other people, I try helping developing countries when I can. So to help boost GDP in Eastern Europe and Africa (or ‘redistribute the wealth’ if you will) here’s a quick tutorial that will help scammers get HSBC customers’ credit card numbers. All the steps below are done by the real HSBC, so you don’t even need to “fool” anyone.

An HSBC customer who has gone through this process before won’t be able to distinguish between you and the real HSBC. Customer that has not been through this process certainly won’t know better anyway. In fact, you can do it to HSBC employees and they won’t know.

All you need is a toll-free number for them to call (feel free to forward it to Nigeria). The nice thing about HSBC is that the process below is identical to how the real HSBC asks customers for information. In other words: HSBC is training their customers to follow this path. I propose a new term for HSBC’s method of breeding phish: spowning (spawn+p0wn).

Step 1:

Prepare an email that looks like:

Dear :

As a service to our customers and in an effort to protect their HSBC Premier  MasterCard  account, we are attempting to confirm recent charge activity or changes to the account.

Please contact the HSBC Premier Fraud Servicing Center to validate the activity at 1-888-206-5963 within the Continental United States. If you are calling from outside the United States, please call us collect at 716-841-7755.

If the activity is unauthorized, we will be able to close the account and reissue both a new account number and cards. Please use the Subject Reference Number below, when calling.

At HSBC, the security of our customer’s accounts has always been, and will continue to be a high priority. We appreciate your business and regret any inconvenience this may have caused you.

Sincerely,

Security & Fraud Risk HSBC USA

Alert ID Number :  10917558

Note:  Emails sent to this repository will go unmonitored.  Please do not reply to this email. —————————————– ************************************************************** This e-mail is confidential. It may also be legally privileged. If you are not the addressee you may not copy, forward, disclose or use any part of it. If you have received this message in error, please delete it and all copies from your system and notify the sender immediately by return e-mail. Internet communications cannot be guaranteed to be timely, secure, error or virus-free. The sender does not accept liability for any errors or omissions. ************************************************************** “SAVE PAPER – THINK BEFORE YOU PRINT!”

Step 2:

Replace the phone numbers with your own. The above are HSBC’s.

Don’t worry about the ‘alert ID’. Just make something up. Unlike other credit cards, the caller (me, in this case) can’t use the alert ID to confirm this is really HSBC.

Step 3:

Blast this email. You’re bound to reach plenty of HSBC card holders. The rest you don’t care about anyway.

Main perk: Before the customer gets to speak to a human they need to enter full credit card number and 4 digit SSN. So even the most lazy scammer can at least get those.

For the overachieving scammers, have a human answer and ask for  Card expiration and Full name on the card before agreeing to answer any other questions from the customer. This is all standard procedure at HSBC so customers shouldn’t be suspicious.

Oh, and if the customer who happens to be a security blogger tries to authenticate you back, tell them to hang up and call the number on the back of their card. That will shut them up.

At HSBC, the security of our customer’s accounts has always been, and will continue to be a high priority.

If it really was, you wouldn’t make me such an easy target for scammers. But thanks for playing.

 

Phecal photo phorensics

I suppose I really can’t let this one … pass …

Last weekend a young woman fell to her death while on a tandem hang glider ride with an experienced pilot.  The pilot, owner of a company that takes people on hang gliding rides for kicks, promises video of the event: the hang glider is equipped with some kind of boom-mounted camera pointed at the riders.

Somehow the police investigating the incident suspected that the pilot had swallowed the memory card from the video camera.  (Presumably the video was running, and presumably the pilot knew it would show something unfortunate.)  This was later confirmed by x-rays.

So, this week we have all been on “memory card movement” watch.

And it has cr… I mean, come out all right.

The speed of “social” …

I made a posting on the blog.

Then I moved on to checking news, which I do via Twitter.  And, suddenly, there in my stream was a “tweet” that, fairly obviously, referred to my posting.  By someone I didn’t know, and had never heard of.  From Indonesia.

This blog now has an RSS feed.  Apparently a few people are following that feed.  And, seemingly, every time something gets posted here, it gets copied onto their blogs.

And, in at least one case, that post gets automatically (and programmatically) posted on Twitter.

I would never have known any of this, except that the posting I had made was in reference to something I had found via those stalwarts at the Annals of Improbable Research.  I had made reference to that fact in the first line.  The application used to generate the Twitter posting copies roughly the first hundred characters of the blog post, so the Improbable Research account (pretty much automatically) retweeted the programmed tweet of the blog posting that copied my original blog posting.  I follow Improbable Research on Twitter, so I got the retweet.

This set me to a little exploration.  I found, checking trackbacks, that every one of my postings was being copied to seven different blogs.  Blogs run by people of whom I’d never heard.  (Most of whom don’t seem to have any particular interest in infosec, which is rather odd.)

Well, this blog is public, and my postings are public, so I really can’t complain when the material goes public, even if in a rather larger way than I originally thought.  But it does underline the fact that, once posted on the Internet, it is very unsafe to assume that any information is confidential.  You can’t delete data once it has passed to machines beyond your control.

And it passes very, very fast.

C-30

C. S. Lewis wrote some pretty good sci-fi, some excellent kids books (which Disney managed to ruin), and my favourite satire on the commercialization of Christmas.  Most people, though, would know him as a writer on Christianity.  So I wonder if Stephen Harper and Vic Toews have ever read him.  One of the things he wrote was, “It would be better to live under robber barons than under omnipotent moral busybodies.”

Bill C-30 (sometimes known as the Investigating and Preventing Criminal Electronic Communications Act, sometimes known as the Protecting Children from Internet Predators Act, and sometimes just known as “the online spy bill”) is heading for Committee of the Whole.  This means that some aspects of it may change.  But it’ll have to change an awful lot before it becomes even remotely acceptable.

It’s got interesting provisions.  Apparently, as it stands, it doesn’t allow law enforcement to actually demand access to information without a warrant.  But it allows the to request a “voluntary” disclosure of information.  Up until, law enforcement could request voluntary disclosure, of course.  But then the ISP would refuse pretty much automatically, since to provide that information would breach PIPEDA.  So now that automatic protection seems to be lost.

(Speaking of PIPEDA, there is this guy who is being tracked by who-knows-who.  The tracking is being done by an American company, so they can’t be forced by Canadian authorities to say who planted the bug.  But the data is being passed by a Canadian company, Kore Wireless.  And, one would think, they are in breach of PIPEDA, since they are passing personal information to a jurisdiction [the United States] which basically has no legal privacy protection at all.)

It doesn’t have to be law enforcement, either.  The Minister would have the right to authorize anyone his (or her) little heart desires to request the information.

Then there is good old Section 14, which allows the government to make ISPs install any kind of surveillance equipment the government wants, impose confidentiality on anything (like telling people they are being surveilled), or impose any other operational requirements they want.

Now, our Minister of Public Safety (doesn’t that name just make you feel all warm and 1984ish?), Vic Toews, has been promoting the heck out of the bill, even though he actually doesn’t know what it says or what’s in it.  He does know that if you oppose C-30 you are on the side of child pornographers.  This has led a large number of Canadians to cry out #DontToewsMeBro and to suggest that it might be best to #TellVicEverythingRick Mercer, Canada’s answer to Jon Stewart and famous for his “rants,” has weighed in on the matter.

As far as Toews and friends are concerned, the information that they are after, your IP address and connections, are just like a phone book.  Right.  Well, a few years back Google made their “phone book” available.  Given the huge volume of information, even though it was anonymized, researchers were able to aggregate information, and determine locations, names, interests, political views, you name it.  Hey, Google themselves admit that they can tell how you’re feeling.

But, hey, maybe I’m biased.  Ask a lawyer.  Michael Geist knows about these things, and he’s concerned.  (Check out his notes on the new copyright bill, too.

The thing is, it’s not going to do what the government says it’s going to do.  This will not automatically stop child pornography, or terrorism, or online fraudsters.  Hard working, diligent law enforcement officers are going to do that.  There are a lot of those diligent law enforcement officers out there, and they are doing a sometimes amazing job.  And I’d like to help.  But providing this sort of unfiltered data dump for them isn’t going to help.  It’s going to hurt.  The really diligent ones are going to be crowded out by lazy yahoos who will want to waltz into ISP offices and demand data.  And then won’t be able to understand it.

How do I know this?  It’s simple.  Anyone who knows about the technology can tell you that this kind of access is 1) an invasion of privacy, and 2) not going to help.  But this government is going after it anyway.  In spite of the fact that the Minister responsible doesn’t know what is in the bill.  (Or so he says.)  Why is that?  Is it because they are wilfully evil?  (Oh, the temptation.)  Well, no.  These situations tend to be governed by Hanlon’s Rzor which, somewhat modified, states that you should never attribute to malicious intent, that which can adequately explained by assuming pure, blind, pig-ignorant stupidity.

QED.

If you don’t want people to know, then shut up.

The CIA is complaining that news media and other entities are giving away information about it’s agents and operations.

Trouble is, the information being analysed has been provided by the CIA.

If the CIA is being too eager to promote themselves, or careless in censoring the material they do provide, is that the fault of the media?

In doing the CISSP seminars, I use lots of security war stories.  Some of them are from my own work.  Some of them I’ve collected from the attendees over the years.  It’s not hard to use the story to make a point, but leave absolutely no clues as to the company involved, let alone individuals.

Vodafone Hacked – Root Password published

Looks like a nice one:

The Hacker’s Choice announced a security problem
with Vodafone’s Mobile Phone Network today.

An attacker can listen to any UK Vodafone customer’s phone call.

An attacker can exploit a vulnerability in 3G/UMTS/WCDMA – the latest and most secure mobile phone standard in use today.

The technical details are available at http://wiki.thc.org/vodafone.

News article:
http://thcorg.blogspot.com/2011/07/vodafone-hacked-root-password-published.html