Security lessons from Pokemon Go - Catch them all!

When anything big happens on the Internet, the criminals and snoops are not far behind. This time the event is Pokemon Go, and all kinds of different threats are developing in its wake, from malware to tracking to physical danger. If you are not familiar with this game yet, just look around next time you step outside; it is everywhere.

Criminals have jumped quickly on the piecemeal global rollout of the game. Players unwilling to wait for the official release in their countries have been looking for the game on unofficial app stores. A version carrying the Android trojan DroidJack has been seen; it allows the attacker to take complete control of the victim’s phone and access any files or information. The vast majority of users should absolutely avoid any third-party app stores. Only get your software from known and reputable sources and don’t do anything to bypass the phone’s security. The best practice is to stick with the app store that came with your phone.

Even the official version of the game raises some troubling privacy concerns. By design the application tracks you when you are using it, and you are strongly encouraged to be using it all the time. This is hardly the only application tracking you, but the privacy policy on the game is not great. Also, it is likely to be disproportionately tracking children. Always think about who has access to your information and how it can be used for and against you. The tracking data might be ok in the hands of the current company but if it is sold or stolen, you might be less happy with the people who have it.

Conventional muggers have also discovered the power of Pokemon Go to lure their victims. In the game, players need to search out fixed locations called Poke Stops and Gyms. Criminals can add capabilities to these virtual constructs to make them even more interesting and attractive. If the location is dark and somewhat hidden, it becomes the perfect location for an ambush. The divide between virtual and physical keeps getting narrower. Physical attacks are launched from cyberspace, and cyber attacks can start with physical device access. We can’t just focus on the digital risks of tools and attacks, but must also consider how they could impact us in the analog world.

Finally, this game is causing people to walk into the street, down dark alleys, and into rough neighborhoods without paying attention or taking appropriate care. Like distracted driving, this is another example of our immersion in the electronic realm causing us to neglect the basics of staying safe in the here and now.

I find it fascinating that one program, and a game at that, can have so many and varied security implications. Now, I am off to catch me some Pokemon, I think there are some down my driveway!

Security risk of Uber abusing trust & tracking reporters

In two separate cases recently, Uber has abused, or has talked about abusing, its information about its customers’ movements.

First, a BuzzFeed reporter, Johana Bhuiyan, was told that she was tracked on the way to a meeting by Josh Mohrer, general manager of Uber New York.

Next, Emil Michael, SVP of business for Uber, talked at a private dinner about the possibility of using the information Uber has about hostile reporters to gather dirt on them.

Apparently Uber has an internal tool called “God View” which is fairly widely available to employees and allows tracking of any car or customer. Obviously such information must exist within the Uber systems for them to operate their business, but this access for personal or inappropriate business purposes is very worrying, possibly putting the security of customers at risk.

While Uber is the company that got caught, the potential for this kind of abuse exists in a tremendous number of businesses. We give sensitive personal information to these companies in order to allow them to provide the services that we want, but we are also trusting them to treat the data appropriately.

Last year there was a scandal within the NSA about a practice called “LOVEINT”. The name is an inside joke. Signals intelligence is called “SIGINT”, human intelligence is called “HUMINT”, so intelligence about friends and lovers was called “LOVEINT”. In practice, people within the NSA were accessing the big national databases to look up information on current or former partners, celebrities, etc.

The exact same risk exists within all of these businesses, but generally with far weaker internal controls than in the government.

I think that the solution to this is not to insist on controls that would be difficult to enforce, or to ban the keeping of information which they really do need, but rather to give users visibility into when their information is viewed, why, and by whom. Abuse could then be quickly detected and exposed, while allowing the business to continue to operate as they need to.
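A minimal sketch of the visibility idea described above, as an added example that is not from the original post or from any company's real system: every lookup must state a purpose and a ticket, entries are hash-chained so later edits are detectable, and each customer can list who viewed their data. All names (`AccessLog`, the purposes, the `emp-`/`cust-` identifiers and tickets) are hypothetical and the sample data is constructed.

```python
import hashlib
import json
# Hypothetical purposes an employee may declare for a customer lookup.
ALLOWED_PURPOSES = {"support_ticket", "fraud_review", "trip_dispute"}

def _digest(body):
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

class AccessLog:
    """Append-only, hash-chained record of who viewed which customer's data."""
    def __init__(self):
        self.entries = []

    def record(self, employee, customer, purpose, ticket, when):
        if purpose not in ALLOWED_PURPOSES or not ticket:
            raise PermissionError("lookup needs an allowed purpose and a ticket")
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        body = {"employee": employee, "customer": customer, "purpose": purpose,
                "ticket": ticket, "when": when, "prev": prev}
        body["hash"] = _digest(body)
        self.entries.append(body)

    def views_of(self, customer):
        """The customer's view: when, by whom and why their data was opened."""
        return [(e["when"], e["employee"], e["purpose"])
                for e in self.entries if e["customer"] == customer]

    def verify(self):
        """False if any recorded entry was altered or the chain was broken."""
        prev = "0" * 64
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["prev"] != prev or _digest(body) != e["hash"]:
                return False
            prev = e["hash"]
        return True

def unexplained(log, tickets_by_customer):
    """Lookups citing a ticket the customer never opened: candidates for review."""
    return [e for e in log.entries
            if e["ticket"] not in tickets_by_customer.get(e["customer"], set())]
# Constructed sample data: two justified lookups and one that is not.
SAMPLE_TICKETS = {"cust-17": {"T-100"}, "cust-42": {"T-200"}}
def build_sample_log():
    log = AccessLog()
    log.record("emp-3", "cust-17", "support_ticket", "T-100", "2014-11-18T09:00Z")
    log.record("emp-9", "cust-17", "trip_dispute", "T-999", "2014-11-18T23:40Z")
    log.record("emp-3", "cust-42", "fraud_review", "T-200", "2014-11-19T10:15Z")
    return log
```

Calling `build_sample_log().views_of("cust-17")` returns what that customer would see, and `unexplained(...)` surfaces the one lookup whose ticket does not exist.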

https://www.youtube.com/watch?v=XM8_JeVHwwo

Good articles for more info from: The Verge, Forbes, & Forbes again

Law enforcement access to your cell tower location may require a warrant

A federal appeals court in Atlanta ruled that there is an expectation of privacy in cell tower location information, and therefore it is protected by the Fourth Amendment. This runs counter to other recent rulings that allow access to the information without a warrant under the Stored Communications Act.

The recent ruling relies on precedent from the 2012 Supreme Court decision in United States vs. Jones, which stated that a warrant was required to place a tracking device on a suspect's car. Phone records provide the same information, just by a different technical means.

This would not apply to intelligence gathering activities, nor would it prevent access to your location information with a warrant. It is a move to recognize that our personal information, about which we have real privacy interests, is increasingly existing in the networks of third parties. Laws that assume anything sensitive would be on paper and stored in your house or on your person are absurdly outdated.

For now this is only a local precedent. The issue will almost certainly end up in the Supreme Court at some point.

Did you give Google permission to track your every movement?

Google’s Location History Browser Is A Minute-By-Minute Map Of Your Life | TechCrunch

TechCrunch has a nice article on the location tracking of Android based devices.

It is an “opt in” thing, but I suspect that most people are robo-approving all the questions they are asked when they are trying to get their new phones or tablets set up for the first time.

In this case, you may have given Google permission to track and maintain high resolution location information on you. That information is used to discover where you live and work, to improve weather, travel, and traffic information.

If you follow this link, you can see a track of your activities for up to the last 30 days. Really cool in a very frightening way.

Lance Cottrell is the Founder and Chief Scientist of Anonymizer. Follow me on Facebook and Google+.

No warrant needed for cell location information in the Fifth US Circuit

ArsTechnica has a nice article on a recent ruling by the US Fifth Circuit Court of Appeals.

In this 2-1 decision, the court ruled that cellular location information is not covered by the Fourth Amendment, and does not require a warrant. The logic behind this ruling is that the information is part of business records created and stored by the mobile phone carriers in the ordinary course of their business.

Therefore, the data actually belongs to the phone company, and not to you. The Stored Communications Act says that law enforcement must get a warrant to obtain the contents of communications (the body of emails or the audio of a phone call) but not for metadata like sender, recipient, or location.

The court suggests that if the public wants privacy of location information that they should demand (I suppose through market forces) that providers delete or anonymize the location information, and that legislation be enacted to require warrants for access to it. Until then, they say we have no expectation of privacy in that information.

The Fifth Circuit covers Louisiana, Mississippi, and Texas.

This ruling conflicts with a recent New Jersey Supreme Court decision, which unanimously ruled that law enforcement does not have that right; that ruling applies only in New Jersey.

Montana has a law requiring a warrant to obtain location information, while in California a similar bill was vetoed.

It seems very likely that one or more of these cases will go to the Supreme Court.

Amazing power and danger of data retention

This blog has an interesting article and a link to a German newspaper's article (translated here).

The story is about a German politician, Malte Spitz, who sued to obtain the retained cell tower records for his own phone, then provided them to the newspaper. The newspaper has created a nice map and timeline tool that lets you play back Spitz's movements over 6 months. The resolution is impressive and should be a real wake-up call about the level of detailed information being gathered on us all.

Of course, if the phone company was capturing GPS or WiFi based location information the data would be much more accurate. While GPS would quickly drain the battery, many modern phones have WiFi enabled all the time, so that information would be readily available without any additional impact on the phone's performance.