Tag Archive for PII

QR Codes Can Put Users at Risk

-Updated 01-26-12- It was just a matter of time and now the Websense (WBSN) ThreatSeeker Network has started spotting spam messages that lead to URLs that use embedded QR codes. According to a report at Help Net Security, this is a clear evolution of traditional spammers towards targeting mobile technology. The spam email messages look like traditional pharmaceutical spam emails and contain a link to the Web site 2tag.nl. Once the 2tag.nl URL from the mail message is loaded in the browser, a QR code is displayed, along with the full URL. When the QR code is read by a QR reader, it automatically loads the spam URL.

Quick Response codes (QR codes) are a “new” type of barcode that can be used for a variety of purposes: tracking, ticketing, labeling of products, etc. They can be put anywhere, in magazines, on buses, on websites, on TV, on tickets, and on almost any object a user might want to learn more about.

Help Net Security writes that when used for legitimate purposes, they make life easier for users. “All you need to visualize such a code is a smartphone with a camera and a QR reader application to scan it – the code can direct you to websites or online videos, send text messages and e-mails, or launch apps,” point out BullGuard’s researchers.

Unfortunately, QR codes can just as easily be used to compromise users’ mobile devices. “Much like URL shortening services can be and are used maliciously because of the fact that they obscure the real target URL, QR codes can also be used for such deception,” Joe Levy, CTO of Solera Networks, told DarkReading. “QR codes … provide a direct link to other smartphone capabilities such as email, SMS, and application installation. So potential attack vectors extend beyond obscured URLs and browser exploits very nearly to the full suite of device capabilities.”

There are several ways attackers are already using malicious QR codes to perpetrate their scams. A recent attack via QR code, “attaging,” took place in Russia and involved a Trojan disguised as a mobile app called Jimm. Once installed, “Jimm” sent a series of expensive text messages ($6 each), racking up unwanted charges.

On Apple (AAPL) iOS devices, hackers are sending users to websites that will jailbreak the device and install more malware. Tomer Teller, security evangelist at Check Point Software Technologies, told DarkReading, “a user scans a barcode and is redirected to an unknown website … the user’s phone will be jailbroken and additional malware could be deployed (such as key loggers and GPS trackers).”

On Google (GOOG) Android … “Criminals are redirecting users to download malicious applications. All a user needs to do is scan a barcode and it will redirect to a website that will download the Android application,” according to the article.

In addition, attackers are using QR codes to redirect users to fake websites for phishing. “A QR code will redirect to a fake bank that will look exactly like your bank. Since most smartphone screens are small, a normal user may not see the difference and will type in his or her (information) and hand it to the attackers,” Teller says. According to Mobile Commerce News, some apps, like the NeoReader from Neomedia, collect personally identifiable information (PII). This information is then sent to third parties who mine the data and possibly resell it.

The trend toward mobile QR-based payment systems, which firms like LevelUp, Kuapay, and PayPal are developing, will drive QR code malware forward, Mr. Levy says. “As our mobile devices and our wallets continue to converge through such technologies as near field communications (NFC), Bump and QR, malware authors are bound to prefer these very direct paths to the money. After all, these devices and apps are well on the road to becoming our new currency.”

So how do you protect yourself and the data on your mobile?

  • Download an app that scans QR codes and barcodes and shows the URL to which the codes want to take you. “Only use QR code reader software that allows the user to confirm the action to be taken, i.e. visit a website link,” Paul Henry, security and forensic analyst at Lumension, told DarkReading. “If you do not know and trust the link, cancel the action.”
  • Do not scan QR codes from random stickers on walls and similar surfaces. Help Net Security says scammers are counting on people to do that because they can’t curb their curiosity.
  • Consider installing a mobile security app on your device, especially if it runs the Android OS. “Android is an open platform, which means that its source code can be examined by criminals and exploited easily when they find a weakness in, say, the Android browser,” according to the article. “That’s why most malicious apps transmitted via QR codes target the Android-based smartphones.”
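As an added example (not code from the original post or from any vendor’s QR reader app), the following Python models the first recommendation above: before a decoded payload is acted on, show what the action would be (open a website, send an SMS, install an app) and flag the warning signs a user should see before confirming. The scheme-to-action table, the shortener list and the sample payloads are assumptions constructed for illustration.

```python
"""Show a decoded QR payload's action and target before acting on it."""
import re
from urllib.parse import urlsplit

# What a typical reader does with each URI scheme (assumed mapping).
ACTION_SCHEMES = {
    "http": "open website", "https": "open website",
    "mailto": "send email", "sms": "send SMS", "smsto": "send SMS",
    "tel": "place call", "market": "install app",
}

# Hosts treated as URL shorteners (constructed list, extend as needed).
SHORTENERS = {"bit.ly", "goo.gl", "t.co", "tinyurl.com"}


def classify_qr_payload(text):
    """Return {'action', 'target', 'needs_confirmation', 'warnings'}.

    Plain text is only displayed, so it needs no confirmation; anything
    carrying a URI scheme would trigger a device capability and does.
    """
    text = text.strip()
    warnings = []
    m = re.match(r"([A-Za-z][A-Za-z0-9+.-]*):", text)
    if not m:
        return {"action": "display text", "target": text,
                "needs_confirmation": False, "warnings": warnings}

    scheme = m.group(1).lower()
    rest = text[len(scheme) + 1:]
    action = ACTION_SCHEMES.get(scheme, "unknown scheme")
    target = rest

    if scheme in ("http", "https"):
        parts = urlsplit(text)
        host = (parts.hostname or "").lower()
        target = text
        if host in SHORTENERS:
            warnings.append("shortened URL hides the real destination")
        if scheme == "http":
            warnings.append("link is plain HTTP, not HTTPS")
        if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
            warnings.append("destination is a raw IP address")
        if parts.username is not None:
            warnings.append("user@host prefix can disguise the real host")
    elif scheme in ("sms", "smsto"):
        # Payload shapes seen in the wild: SMSTO:number:body, sms:number?body=...
        number = re.split(r"[:?]", rest, maxsplit=1)[0]
        target = number
        if 3 <= len(re.sub(r"\D", "", number)) <= 6:
            warnings.append("short code may be a premium-rate number")
    elif scheme in ("mailto", "tel"):
        target = rest.split("?", 1)[0]
    elif scheme == "market":
        warnings.append("payload asks to install an application")
    else:
        warnings.append("unrecognized URI scheme; reader behaviour unclear")

    return {"action": action, "target": target,
            "needs_confirmation": True, "warnings": warnings}


def confirmation_prompt(text):
    """Build the one-line prompt a cautious reader would show the user."""
    info = classify_qr_payload(text)
    if not info["needs_confirmation"]:
        return f"Text: {info['target']}"
    flags = f" [{'; '.join(info['warnings'])}]" if info["warnings"] else ""
    return f"{info['action']}: {info['target']}{flags} Proceed?"


if __name__ == "__main__":
    # Constructed sample payloads, not codes taken from the article.
    for payload in ("https://example.com/tickets/123",
                    "http://bit.ly/abc",
                    "SMSTO:1234:Subscribe",
                    "http://paypal.com@198.51.100.7/login",
                    "Booth 42, hall B"):
        print(confirmation_prompt(payload))
```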

rb-

I am not a fan of QR codes; they seem to take you to an advertisement. Most of the destinations are fluff at best and dangerous at worst. Now that they have become nearly ubiquitous, they present more risk than necessary. Avoid QR codes.


Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedIn, Facebook, and Twitter. Email the Bach Seat here.

Internet of Things

Once upon a time, back in 2005, “using the Internet” always meant using a computer. Today getting on the Intertubes is an expected feature of many devices. The next digital frontier is the physical world and the “Internet of Things,” which will bring online ability to everyday objects.

Twine Sensor Connects Household Objects to the Internet

Tested.com notes a Kickstarter project from two MIT Media Lab alums who developed a way to make the Internet of Things more accessible. A small, durable “Twine” sensor listens to its environment and reports back over Wi-Fi. The creators hope their new product will let regular users, even those without programming knowledge, digitally manage their surroundings.

A basic Twine unit senses temperature and motion, but other options like moisture detection, a magnetic switch, and more can be added using a breakout board. The various sensors and built-in Wi-Fi can be powered by either a mini-USB connection or two AAA batteries, which will keep it running for months. Twine readings get wirelessly loaded into the appropriately named Spool web app, where users can set simple if-then triggers that create SMS messages, tweets, emails, or specially configured HTTP requests.

A donation of $99 or more will get you a basic unit when they ship in March.


THE SMART FRRRIDGE. Chilly Forecast for Internet Frrridge

The Smart Frrridge is a new version of the familiar kitchen apparatus. According to Medienturn, the new fridge comes with a built-in computer that can be connected to the internet. It is one of a growing class known as “Internet appliances” that includes not only smartphones but also web-enabled versions of typical household appliances.

The refrigerator keeps an eye on the food in it using RFID technology, a digital camera, and image processing. These technologies let the fridge keep track of what’s in it, how long it has been there, and whether it should be trashed.

To keep in contact with the Smart Frrridge, all you have to do is pick up your mobile phone and call. It will be able to suggest a menu that uses the foods inside, generate a shopping list of the missing ingredients, and place the order online.

The Smart Frrridge can also be used to watch television, listen to music, or take a photograph and save it to an album, post it to a website, or send it to an email recipient. It comes with a docking station: just dock your Apple (AAPL) iPod or iPhone and start using all your favorite cooking apps.


SCADA: How Big a Threat?

There are reports of two recent cyber attacks on critical infrastructure in the US. Threatpost says the hacker who compromised the water infrastructure for South Houston, TX, said the district used a three-letter password, making it easy to break in.

There are also reports that a cyberattack destroyed a water pump belonging to a Springfield, IL water utility. There are mixed reports that an attacker gained unauthorized access to that company’s industrial control system.

According to DailyWireless, Supervisory Control And Data Acquisition (SCADA) software monitors and controls various industrial processes, some of which are considered critical infrastructure.

Researchers have warned about attacks on critical infrastructure for some time, but warnings became reality after a highly complicated computer worm, Stuxnet, attacked and destroyed centrifuges at a uranium enrichment facility in Iran.

German cybersecurity expert Ralph Langner found Stuxnet to be the most advanced worm he had ever seen. He warns that U.S. utility companies are not ready to deal with the threat.

In a TED Talk Langner stated that “The leading force behind Stuxnet is the cyber superpower – there is only one, and that’s the United States.”

In a recent speech at the Brookings Institution, he also made the bigger point that having developed Stuxnet as a computer weapon, the United States has in effect introduced it into the world’s cyber-arsenal.


New NIST Report Sheds Some Light On Security Of The Smart Grid

DarkReading reports that the National Institute of Standards and Technology (NIST) released a report (PDF) by the Cyber Security Coordination Task Group. The report from the Task Group, which heads up the security strategy and architecture for the nation’s smart power grid, covers risk assessment, security priorities, and privacy issues.

The smart grid turns the electrical power grid into a two-way flow of data and electricity, allowing consumers to remotely monitor their power usage in real time to help conserve energy and save money. DarkReading says researchers have raised red flags about the security of the smart grid. Some have already poked holes in the grid, including IOActive researcher Mike Davis, who found multiple vulnerabilities in smart meters, including devices that neither encrypt nor authenticate users when updating software. He was able to execute buffer overflow attacks and unleash rootkits on smart meters.

Tony Flick, a smart grid expert with FYRM Associates, at Black Hat USA talked (PDF) about his worries over utilities “self-policing” their implementations of the security framework. “This is history repeating itself,” Mr. Flick said in an interview with DarkReading.

According to DarkReading, the report recommends smart grid vendors carry out some pretty basic security practices:

  • Audit personally identifiable information (PII) data access and changes;
  • Specify the purpose for collecting, using, retaining, and sharing PII;
  • Collect only PII data that’s needed;
  • Anonymize PII data where possible and keep it only as long as necessary;
  • Advanced Metering Infrastructure (AMI) must set up protections against denial-of-service (DoS) attacks;
  • Network perimeter devices should filter certain types of packets to protect devices on an organization’s internal network from being directly affected by denial-of-service attacks;
  • The AMI system should use redundancy or excess capacity to reduce the impact of a DoS;
  • AMI components accessible to the public must be in separate subnetworks with separate physical network interfaces;
  • The AMI system shall deny network traffic by default and allow network traffic by exception;
  • Consumers’ access to smart grid meters should be limited. Authorization and access levels need to be carefully considered.

Mobile Device Info

In case there was any doubt that mobile devices are the real deal, here are some stats from Digby. Globally, 80% of consumers have used computers to access the Web within the previous seven days. Sixty percent used their mobile devices to do so. 25% of US mobile web users access the web only from their mobile phones.

Angry Birds know where you live

75% of the public may be giving away their physical location when downloading smartphone applications, according to mobile security vendor AdaptiveMobile. 69% of smartphone users say such privacy breaches are unacceptable, yet Help Net Security reports that 75% fail to read the terms and conditions, which include access to data such as their physical location.

“Consumers are outraged that their data may not be secure but are unwilling to protect themselves,” AdaptiveMobile VP of Handset Security Ciaran Bradley says in the article. “We are downloading more apps than ever before, but people are unaware that their location and other information can be harvested by applications.”

AdaptiveMobile research has shown that common applications including Angry Birds, Jaws, and Paper Toss have access to information including location coordinates and owner’s name, which can be shared with up to 17 different external domains including advertisers.

“Consumers and the wider mobile industry need to become savvier about the information which is shared by apps,” Mike Hawkes, Chairman of The Mobile Data Association, told Help Net Security. “It is becoming commonplace that personal information is shared with advertisers and developers.”

Mr. Bradley told Help Net Security that iPhone users are the most careless, with 65% completely unaware that free applications may compromise their privacy. Windows Phone users are more responsible, with 29% promising to stop downloading free applications if they had any doubt that their personal information was not safe. Windows Phone users are generally cautious: 95% of them are ‘quite’ or ‘very’ concerned about privacy infringements.

“If we are to slow the rise in cybercrime, consumers need to become more aware of the need for phone security,” concluded Mr. Bradley. “Not only will this frustrate hackers and other cybercriminals, but also ensure that consumers can have a safe mobile experience.”

rb-

I wrote about mobile apps stealing PII here and here.


Cisco’s Tablets Are Doing So Well, They’re Planning At Least Two More Models For Next Year

The Cisco Cius tablet for enterprises sounded like a hard sell when Cisco introduced it. But the company is apparently proving experts wrong, including me (I wrote about the Cius here and here), because Cisco’s (CSCO) tablets are doing well enough that the company plans to release two new form factors next year, including a 10-inch version, according to the BusinessInsider.

Product manager Chuck Fontana told the BusinessInsider that 1,000 companies have already bought the tablet. He wouldn’t share device unit sales, but some deployments are in the hundreds, and one company plans to buy 1,500 for its mobile sales force. The tablets are sold as part of a broader communications package and include Cisco’s teleconferencing and collaboration services.

But underneath they’re straight Google (GOOG) Android tablets and can run any Android app. To prevent employees from downloading malware-infested or low-quality apps, Cisco has rolled out a custom app store called AppHQ, where every app is vetted.

The BusinessInsider says the Cius is an interesting demonstration of how the relative openness of Android versus iOS is helping it gain traction in surprising places. Cisco didn’t go to quite the lengths that Amazon (AMZN) did with the Kindle Fire, where it basically forked Android and created a custom OS. But Android is open enough that Cisco could build its own app store and ship it with its own apps front and center.

That couldn’t have worked with the iPad, where Apple (AAPL) controls the experience.

So would Cisco consider offering a Windows tablet instead once Microsoft (MSFT) Windows 8 comes out? “No,” said Fontana, “we’re not looking to do anything from a Windows perspective. Our core approach remains on Android.”


People Are Losing Interest In The Microsoft Tablet, And It’s Not Even Out Yet

Apple’s (AAPL) iPad has already taken about 11% of the PC market, and by the time Microsoft (MSFT) and its partners get around to releasing a real competitor next year, it may be too late, according to a new study from Forrester Research (FORR) reported in the BusinessInsider.

Near the beginning of 2011, according to the article, Forrester surveyed 3,835 consumers who were considering buying a tablet. When asked which operating system they’d like on it, 48% said Windows, well ahead of iOS (16%) and Google’s (GOOG) Android (9%). The second most popular choice was “undecided” with 16%.

In September, Forrester asked the same question of a different group of 2,229 consumers. This time, iOS came in number one with 28% of the vote. Windows had only 25%, and Android was at 18%. A whole 24% were still undecided.

Overall, interest in Windows tablets dropped 21 percentage points in six months.

The BusinessInsider says the study is probably a bit skewed but says the data shows a real perception shift: consumers are thinking of tablets more like smartphones and less like PCs. That perception could carry through to the next time they’re thinking of buying a new computing device.


BP Data Spill

National Public Radio (NPR) reports that British Petroleum’s (BP) problems in the U.S. now include a data spill as well as the oil spill. BP is paying compensation amounting to $4,000,000,000 to victims of its mishap incident disaster in the Gulf of Mexico last summer. Now BP has lost the personally identifiable information (PII) of approximately 13,000 of its victims who are seeking compensation for oil spill damages. NPR reports that names, addresses, phone numbers, and social security numbers were lost, opening these people to identity theft.

BP spokesman Curtis Thomas told NPR that the oil giant mailed letters to roughly 13,000 people whose data was stored on the missing computer, notifying them about the potential data security breach and offering to pay for their credit to be monitored. The company also reported the missing laptop to law enforcement, he said. The laptop was password-protected, but the information was not encrypted, Mr. Thomas said.

The employee lost the laptop on March 1 during “routine business travel,” said BP’s Thomas, who declined to elaborate on the circumstances. “If it was stolen, we think it was a crime of opportunity, but it was initially lost,” Thomas said. Asked why nearly a month elapsed before BP notified residents about the missing laptop, Mr. Thomas said, “We were doing our due diligence and investigating.”

Matt O’Brien, the part-owner of Tiger Pass Seafood, a shrimp dock in Venice, La., who said he had filed a claim with BP, told an AP reporter this was the first he had heard about the possible compromise of his personal information by BP. “That’s like it’s par for the course for them.” Mr. O’Brien said of BP, “They can’t seem to do nothing right.”

Once again, 13,000 lives are disrupted because a single laptop that was not encrypted was lost or stolen “during routine business travel.” Sophos’ Naked Security blog pointed out in 2008 that laptops are easy to lose. The security vendor cited a survey that found that 12,000 laptops are lost every week at U.S. airports alone.

In that 2008 survey, almost three years ago now, 53% of people said that their laptops contained confidential business information, with two-thirds having taken no measures to secure their data. Clearly, some companies still aren’t taking proper measures.

rb-

As BP again has demonstrated, we all need to lift our game. As Sophos says, even if your organization is willing to take risks with your own data, firms have a clear moral duty not to take risks with data you keep about other people.

During these economic times, many organizations are saving a few pennies by doing as little as possible about encryption-related security. Why not consider the value of encryption to your business, instead of considering only the cost?

What do you think?

Oil spills, Data spills, Outrageous gas prices – Is BP out to get the U.S.?


Mobile Apps Sending User Data

The Wall Street Journal has continued its excellent work on data privacy. The WSJ is reporting that, like many Facebook applications, many popular mobile apps are sending user data from phones to third parties. They found that most of the popular apps running on Apple (AAPL) iPhones and Google (GOOG) Android systems had sent the phone’s unique device ID to other firms without asking the user’s permission.

TechEye says that the iPhone was much worse than Google’s Android, although both Apple and Google have promised not to let such practices take place. Michael Becker of the Mobile Marketing Association told TechEye there is no anonymity. Alex Deane, director for Big Brother Watch, said, “This is alarming news. Most users of these apps don’t know this is happening and many of them wouldn’t use the app if they did know,” Mr. Deane told IT PRO. “Importantly, lots of these apps are mainstream ‘normal’ apps. It’s not just shady operators doing this.”

The WSJ reports that mainstream mobile productivity, games, and music apps are sending user data elsewhere. The data is mostly sent to ad companies so they can tailor ads to the user’s history for better results. The paper found that 56 of the apps in the investigation sent unique information to other companies without the user knowing or agreeing to the sharing. 47 of the apps sent the mobile phone’s location to third parties, and five of the apps sent age, gender, and personal details to outsiders. Eighteen of the 51 iPhone apps sent information to Apple.

The Journal found:

  • The app that shares the most personal info is an iPhone app called TextPlus 4. The app sent the unique ID of the device to eight ad companies and sent the zip code, user’s age, and gender to two more firms.
  • Both the free and paid versions of the wildly popular Angry Birds app on the iPhone sent the phone’s UDID and location to the Chillingo unit of Electronic Arts Inc., which markets the games.
  • The popular music site Pandora was a big offender, sending age, gender, location, and phone identifier to various ad networks.
  • Both the Android and iPhone versions of Paper Toss sent the phone ID number to at least five ad companies.
  • The Android app for social networking site MySpace sent age and gender, device ID, user’s income, ethnicity, and parental status to Millennial Media, a big ad network.

Among all the mobile apps tested by the WSJ, the most widely shared detail was the unique ID number assigned to every mobile phone. It is effectively a “supercookie,” says Vishal Gurbuxani, co-founder of Mobclix Inc., an exchange for mobile advertisers. The “UDID,” or Unique Device Identifier, is set by the phone makers, carriers, or makers of the operating system and typically can’t be blocked or deleted.

The WSJ has released a short video explaining its investigation.

“The great thing about mobile is you can’t clear a UDID like you can a cookie,” Meghan O’Holleran of Traffic Marketplace told the WSJ. Traffic Marketplace, an Internet ad network that is expanding into mobile apps, uses UDIDs. “That’s how we track everything.” Ms. O’Holleran told the WSJ that Traffic Marketplace monitors smartphone users whenever it can. “We watch what apps you download, how frequently you use them, how much time you spend on them, how deep into the app you go,” she says.

According to the WSJ, Mobclix matches more than 25 ad networks with 15,000 apps seeking advertisers. The company collects mobile phone IDs, encodes them, and assigns them to interest categories based on what apps people download and how much time they spend using an app, among other factors. By tracking a phone’s location, Mobclix also makes a “best guess” of where a person lives, says Mr. Gurbuxani, the Mobclix executive. Mobclix then matches that location with spending and demographic data from Nielsen Co.

Mobclix uses the data to place a user in one of 150 “segments” it offers to advertisers, from “green enthusiasts” to “soccer moms” to “die-hard gamers.” “Die-hard gamers” are 15-to-25-year-old men with more than 20 apps on their phones who use an app for more than 20 minutes at a time. “It’s about how you track people better,” Mr. Gurbuxani told the WSJ.

Google was the biggest data recipient in the WSJ tests. Its AdMob, AdSense, Analytics, and DoubleClick units collectively heard from 38 of the 101 apps. Google’s main mobile ad network, AdMob lets advertisers target phone users by location, type of device and “demographic data,” including gender or age group. Google, whose ad units work on both iPhones and Android phones, says it doesn’t mix data received by these units.

Apple operates its iAd network only on the iPhone. Apple targets ads to phone users based largely on what it knows about them through its App Store and iTunes music service, according to the WSJ article. The targeting criteria can include the types of songs, videos, and apps a person downloads, according to an Apple ad presentation reviewed by the Journal. The presentation named 103 targeting categories, including karaoke, Christian/gospel music, anime, business news, health apps, games, and horror movies.

According to the WSJ, the ad networks offer software “kits” that automatically insert ads into an app. The kits track where users spend time inside the app. A developer quoted in the WSJ article says ads targeted by location bring in two to five times as much money as untargeted ads. In its software-kit instructions, Millennial Media lists 11 types of information about users that developers may send to “help Millennials provide more relevant ads.” They include age, gender, income, ethnicity, sexual orientation, and political views.

The WSJ also claims that most of the apps don’t have written privacy policies. Forty-five of the 101 apps didn’t offer privacy policies on their websites or inside the apps at the time of testing. Neither Apple nor Google requires app privacy policies. Both Google and Apple say that they require apps to ask permission to send information to third parties. However, many app developers skirt the rules, the WSJ reports.

Apple says iPhone apps “cannot transmit data about a user without obtaining the user’s prior permission and providing the user with access to information about how and where the data will be used.” Many apps tested by the Journal appeared to violate that rule, by sending a user’s location to ad networks, without informing users. Apple declined to discuss with the WSJ how it interprets or enforces the policy.

Google doesn’t check the apps running on its Android operating system because third parties build the phones. Google requires that, before users download an Android app, the developer identify the data sources the app intends to use. Possible sources include the phone’s camera, memory, contact list, and more than 100 others. If users don’t like what a particular app wants to access, they can choose not to install it, Google says. Google told the WSJ that app makers “bear the responsibility for how they handle user information.” “Our focus is making sure that users have control over what apps they install, and notice of what information the app accesses,” a Google spokesperson says.

rb-

The trade in your personal information grows as technology evolves. The WSJ says that Apple has recently filed a patent for a system for placing and pricing ads based on a person’s “web history or search history” and “the contents of a media library.” For example, home-improvement advertisers might pay more to reach a person who downloaded do-it-yourself TV shows, the document says. The patent application also lists another possible way to target people with ads: the contents of a friend’s media library.
