Your Android phone may be passing your texts to China

Blu phone Security firm Kryptowire discovered that at least hundreds of thousands of Android phones in the US are configured to automatically send all text messages, call logs, location information, contact lists and more to servers in China every 72 hours. This is all invisible to the end user.

In the US, the dangerous software, made by Adups, is known to be on 120,000 phones made by BLU Products. The software appears to have been designed primarily for the Chinese market and impacts in the US may have been unintentional. Adups provides the software to ZTE and Huawei, two of the largest phone makers in the world.

This is not a bug but an intentional feature of the software. It is not yet clear whether this is abusive data collection for marketing or usage data, or whether this is part of a major surveillance activity by the Chinese government. An attorney for Adups says that the software helped identify junk texts and calls and that the information (at least for BLU customers) was deleted.

Read more in this NYTimes article.

Dutch ISPs no longer required to retain data

Tulips and windmill

DutchNews.nl reports that ISPs in the Netherlands will no longer be required to retain data for law enforcement.

Since 2009, national laws have required keeping records on the activities of all users for a period of one year. In 2014 the EU determined that such mass storage was a violation of fundamental privacy rights.

This court ruling brings the EU and Dutch rules into accord by ending the data retention requirement.

Security risk of Uber abusing trust & tracking reporters

Party in limo In two separate cases recently Uber has, or has talked about, abusing its information about their customer’s movements.

First a Buzzed reporter Johana Bhuiyan was told that she was tracked on the way to a meeting by Josh Mohrer, general manager of Uber New York.

Next Emil Michael, SVP of business for Uber, talked at a private dinner about the possibility of using the information Uber has about hostile reporters to gather dirt on them.

Apparently Uber has an internal tool called “God View” which is fairly widely available to employees and allows tracking of any car or customer. Obviously such information must exist within the Uber systems for them to operate their business, but this access for personal or inappropriate business purposes is very worrying, possibly putting the security of customers at risk.

While Uber is the company that got caught, the potential for this kind of abuse exists in a tremendous number of businesses. We give sensitive personal information to these companies in order to allow them to provide the services that we want, but we are also trusting them to treat the data appropriately.

Last year there was a scandal within the NSA about a practice called “LOVEINT”. The name is an inside joke. Signals intelligence is called “SIGINT”, human intelligence is called “HUMINT”, so intelligence about friends and lovers was called “LOVEINT”. In practice, people within the NSA were accessing the big national databases to look up information on current or former partners, celebrities, etc.

The exact same risk exists within all of these businesses, but generally with far weaker internal controls than in the government.

I think that the solution to this is not to insist on controls that would be difficult to enforce, or to ban the keeping of information which they really do need, but rather to give users visibility into when their information is viewed, why, and by whom. Abuse could then be quickly detected and exposed, while allowing the business to continue to operate as they need to.

https://www.youtube.com/watch?v=XM8_JeVHwwo

[powerpress]

Good articles for more info from: The Verge, Forbs, & Forbs again

Security of offshore servers becoming even more illusory.

EU flag on keyboard

If this amendment passes, it will significantly reduce the perceived advantages of using servers outside the US. No only would the server still be subject to whatever legal process exists in the hosting country, but they would also be open to legal hacking by the USG.

Newly Proposed Amendment Will Allow FBI to Hack TOR and VPN Users | Hack Read

Lance Cottrell is the Founder and Chief Scientist of Anonymizer. Follow me on Facebook, Twitter, and Google+.

What is up with those "fake" cell towers?

HiRes When you think your phone is connected to your wireless provider, you might actually be connected to a rogue tower set up to capture your data.

Such devices have been demonstrated at the Black Hat security conference and a law enforcement fake tower called “Stingray” has been known for some time. Recently sophisticated secure phones have been able to detect these fake towers and people are starting to map them. Popular Science covered it here, and here.

There is very little transparency around law enforcement or US Intelligence use of such devices, so the could just as easily be operated by foreign intelligence services, criminals, or hackers. If we had strong end to end encryption there would be little to worry about, but many Internet connections and all phone calls are vulnerable to this attack.

https://www.youtube.com/watch?v=FR-9A6FVVHk

Lance Cottrell is the Founder and Chief Scientist of Anonymizer. Follow me on Facebook, Twitter, and Google+.

SWCAAS - Secret Warrant Compliance as a Service

FISA court order cropped

Here is a new “as a service” offering I had never considered. Companies are supporting ISPs in responding to classified FISA court search warrants for the ISPs, including helping to capture the data and deciding if the request is proper.

Meet the shadowy tech brokers that deliver your data to the NSA | ZDNet

Lance Cottrell is the Founder and Chief Scientist of Anonymizer. Follow me on Facebook, Twitter, and Google+.

Ars tests Internet surveillance—by spying on an NPR reporter | Ars Technica

Selfiehenn 300x400

Ars technica in conjunction with NPR conducted an excellent experiment showing how much and what kind of information can be obtained through capture off the wire. This is the type of information that a national intelligence service would see by tapping into ISPs.

They simulated this by using a penetration testing device installed at NPR reporter Steve Henn’s house (with his cooperation).

The amount of information is amazing. Even seemingly inactive devices are constantly making requests and connecting to services.

While many connections to key services like email and banking are encrypted, most others are not, revealing a great deal about Steve’s research activities.

It is absolutely worth a read.

Lance Cottrell is the Founder and Chief Scientist of Anonymizer. Follow me on Facebook, Twitter, and Google+.

Vodafone shows global scope of surveillance

Vodafone logo

Vodafone Lays Bare Scale of Phone Tapping - WSJ

Vodafone recently released a "Law Enforcement Disclosure Report”. Because Vodafone provides services in so many countries, this provides a unique  insight into the range of surveillance capabilities and requirements across a spectrum of nations. In six countries they are required to provide direct connections to their network for the local government. This allows those governments to capture content and meta-data without making individual requests to Vodafone. They are not saying which 6 countries those are out of fear of penalties or retaliation.

In Albania, Egypt, Hungary, India, Malta, Qatar, Romania, South Africa and Turkey it is illegal to reveal information about various kinds of intercepts, so the report does not provide information on those countries.

The report also provides good information on the frequency of requests for information from various countries.

One lesson from this is, despite the impression one might have gotten from the Snowden leaks, the US is far from the only country doing this kind of surveillance. 

Lance Cottrell is the Founder and Chief Scientist of Anonymizer. Follow me on Facebook, Twitter, and Google+.

Australians, you need to start taking ownership of your own encryption

Australia computer mouseAttorney General's new war on encrypted web services - Security - Technology - News - iTnews.com.au Australia’s Attorney-General’s department is proposing that all providers of Internet services ensure that they can decrypt user communications when so ordered. Any services where the provider has the keys will obviously be able to do this.

Australians may want to start to start taking steps to protect themselves now.

End to end encryption is your friend. At least that way, you need to be informed and compelled if they want access to your data.

Another important step is to get your “in the clear” communications into another jurisdiction using a VPN service like Anonymizer Universal.

Finally, let your voice be heard on this issue by reaching out to your members of parliament.

Lance Cottrell is the Founder and Chief Scientist of Anonymizer. Follow me on Facebook and Google+.

The Privacy Blog Podcast - Ep. 16: Leaking mobile apps, surveillance, TorMail, UK censorship, and SHA-1

PrivacyPodcastGraphicIn episode 16 of the Privacy Blog Podcast for January, Twenty Fourteen I talk about:Biological Advanced Persistent Threats The Apps on your mobile devices that may be enabling surveillance Why you may soon know more about how much information your service providers are revealing to the government The total compromise of the TorMail anonymous email service How the British government is using pornography as a trojan horse for Internet Censorship. And finally why continued use of a deprecated cryptographic signature algorithm could undermine the security of the Web

Turkey is preparing to implement massive new Interenet censorship and surveillance scheme.

Turkey map flagTurkey Debates New Law to Control Web Users - Emerging Europe Real Time - WSJ Turkey already requests more takedowns from Google than any other country in the world, almost 1700 in the first half of 2013. They have a history of blocking popular websites like Youtube, and Vimeo, and Prime Minister Erdogan lashes out against Twitter at every opportunity.

Now the government is about to enact sweeping new powers to force providers to keep complete records of all user activity for 2 years, and give the government total access to that information.

This appears to be a reaction to citizen use of social media to coordinate protests and spread information about Turkish government corruption.

Unless they implement a ban on privacy technologies, VPN services like Anonymizer Universal will provide a way of getting around this kind of logging. I would strongly suggest that people in Turkey make a habit of always using VPNs, and moving to search engines, email, and social media platforms located outside of the country.

Lance Cottrell is the Founder and Chief Scientist of Anonymizer. Follow me on Facebook and Google+.

Facial recognition apps: I both desire and fear them.

B W Mask ImageFacial recognition app matches strangers to online profiles | Crave - CNET Google has adopted a privacy protecting policy of banning facial recognition apps from the Google Glass app store. I appreciate the effort to protect my privacy but facial recognition is probably the ONLY reason I would wear Google Glass.

I am hopeless at parties or networking events. I have no ability at all to remember names, and I know I am far from alone in this. The ability to simply look at someone and be reminded of their name, our past interactions, and any public information about their recent activities, would be absolute gold.

Obviously I am less enthusiastic about having third party ratings of my intelligence, integrity, hotness, or whatever, popping up to the people looking at me. As usual, humans are in favor of privacy for themselves but not for others.

A new app is coming out soon called Nametag, which is planned to do exactly this. On iOS, Android, and jail broken Glass, you will be able to photograph anyone and, using facial recognition, pull up all available social media information about them.

To opt out you will need to set up an account with NameTag, and I presume you will also need to upload some high quality pictures of yourself so they can recognize you to block the information. Hurm…..

Whatever we all think about this, the capability is clearly coming. The cameras are getting too small to easily detect, high quality tagged photos are everywhere, and the computing power is available.

While citizens have some ability to impact government surveillance cameras and facial recognition, it will be much harder to change course on the use of these technologies with private fixed cameras, phones, and smart glasses. Even if we convince device makers to block these applications, the really creepy people will jailbreak them and install them anyway.

For years I have said that the Internet is the least anonymous environment we inhabit. With this kind of technology, it may soon be much easier to hide yourself online than off. Police really don’t like you wearing masks.

Lance Cottrell is the Founder and Chief Scientist of Anonymizer. Follow me on Facebook and Google+.

Advice from the USG on securing yourself from surveillance

Sochi MapRussia's Surveillance State | World Policy Institute In March of 2013 the Bureau of Diplomatic Security at the US State Department issued a travel advisory for Americans planning to attend the 2014 winter Olympics in Sochi, Russia.

As I blogged before, this is expected to be one of the most aggressively surveilled events ever.

The advice for cyber protection in the advisory is interesting:

Consider traveling with “clean” electronic devices—if you do not need the device, do not take it. Otherwise, essential devices should have all personal identifying information and sensitive files removed or “sanitized.” Devices with wireless connection capabilities should have the Wi-Fi turned off at all times. Do not check business or personal electronic devices with your luggage at the airport. … Do not connect to local ISPs at cafes, coffee shops, hotels, airports, or other local venues. … Change all your passwords before and after your trip. … Be sure to remove the battery from your Smartphone when not in use. Technology is commercially available that can geo-track your location and activate the microphone on your phone. Assume any electronic device you take can be exploited. … If you must utilize a phone during travel consider using a “burn phone” that uses a SIM card purchased locally with cash. Sanitize sensitive conversations as necessary.

Obviously this is not just good advice for attending the Olympics, but would also apply to China, or any other situation where it is important to protect your electronic information.

The ability to conduct sophisticated surveillance and cyber attack is widespread. If you are engaged in business that is a likely target of economic espionage, then you should be following these kinds of practices any time you travel anywhere, and perhaps even at home.

Lance Cottrell is the Founder and Chief Scientist of Anonymizer. Follow me on Facebook and Google+.

NSA's TAO -- Leaked catalog of tools and techniques

NSA's TAO -- Dark Reading

The Internet has been buzzing with reports of the recently leaked NSA exploits, backdoors, and hacking / surveillance tools. The linked article is good example.

None of this should be news to anyone paying attention. Many similar hacking tools are available from vendors at conferences like BlackHat and DefCon.

We all know that zero-day exploits exist, and things like Stuxnet clearly show that governments collect them.

Intentionally introducing compromised crypto into the commercial stream has a long history, perhaps best demonstrated by the continued sales of Enigma machines to national governments long after it had been cracked by the US and others.

This reminds me of a quote I posted back in March. Brian Snow, former NSA Information Assurance Director said “Your cyber systems continue to function and serve you not due to the expertise of your security staff but solely due to the sufferance of your opponents.”

One can focus on making this difficult, but none of us should be under the illusion that we can make it impossible. If you have something that absolutely must be protected, and upon which your life or liberty depends, then you need to be taking drastic steps, including total air gaps.

For the rest of your activities, you can use email encryption, disk encryption, VPNs, and other tools to make it as difficult as possible for any adversary to easily vacuum up your information.

If you are of special interest, you may be individually targeted, in which case you should expect your opponent to succeed. Otherwise, someone hacking your computer, or planting a radio enabled USB dongle on your computer is the least of your worries. Your cell phone and social media activities are already hemorrhaging information.

Lance Cottrell is the Founder and Chief Scientist of Anonymizer. Follow me on Facebook and Google+.

Government to launch 'Netra' for internet surveillance - The Times of India

Government to launch 'Netra' for internet surveillance - The Times of India

India is preparing to deploy a comprehensive Internet content monitoring system. They claim that it will be able to trigger on messages containing specific words. There is also mention of capturing “dubious voice traffic” over Skipe and other voice channels.

Use of VPNs like Anonymizer Universal will allow traffic to pass through these systems unanalyzed, but the fact that you are using a VPN will be visible.

Lance Cottrell is the Founder and Chief Scientist of Anonymizer. Follow me on Facebook and Google+.

The Privacy Blog Podcast – Ep.11: Lavabit & Silent Circle Shutdown, Hoarding Bitcoins, and “Spy” Trash Cans in London

Welcome to Episode 11 of The Privacy Blog Podcast, brought to you by Anonymizer. In this episode, I’ll discuss the shutdown of secure email services by Lavabit and Silent Circle. In addition, we’ll dive into the problem with hoarding Bitcoins and how you can protect yourself while using the increasingly popular online currency. Lastly, I’ll chat about whether teens actually care about online privacy and an ad agency’s shocking decision to use high-tech trash cans to measure Wi-Fi signals in London.

Please leave any questions or feedback in the comments section. Thanks for listening.

Lavabit and Silent Mail shutdowns

There has been a lot of chatter about implications of first Lavabit and then Silent Circle's Silent Mail being shut down by their operators.

In both cases, it appears that there was information visible to the services which could be compelled by search warrants, court orders, or national security letters.

I want to assure Anonymizer users that we have no such information about Anonymizer Universal users that could be compelled. While we know who our customers are, for billing purposes, we have no information at all about what they do.

This has been tested many times, under many different kinds of court orders, and no user activity information has ever been provided, or could be provided.

No warrant needed for cell location information in the Fifth US Circuit

ArsTechnica has a nice article on a recent ruling by the US Fifth Circuit court of appeals.

In this 2-1 decision, the court ruled that cellular location information is not covered by the fourth amendment, and does not require a warrant. The logic behind this ruling is that the information is part of business records created and stored by the mobile phone carriers in the ordinary course of their business.

Therefor, the data actually belongs to the phone company, and not to you. The Stored Communications Act says that law enforcement must get a warrant to obtain the contents of communications (the body of emails or the audio of a phone call) but not for meta-data like sender, recipient, or location.

The court suggests that if the public wants privacy of location information that they should demand (I suppose through market forces) that providers delete or anonymize the location information, and that legislation be enacted to require warrants for access to it. Until then, they say we have no expectation of privacy in that information.

The Fifth Circuit covers Louisiana, Mississippi, and Texas.

This ruling conflicts with a recent New Jersey Supreme Court, which unanimously ruled that law enforcement does not have that right, which ruling only applies in New Jersey.

Montana has a law requiring a warrant to obtain location information, while in California a similar bill was vetoed.

It seems very likely that one or more of these cases will go to the supreme court.

The Privacy Blog Podcast – Ep.9: Government Surveillance Programs, Facebook Shadow Profiles, and Apple’s Weak Hotspot Security

Welcome to the June edition of the Privacy Blog Podcast, brought to you by Anonymizer. In June’s episode, I’ll discuss the true nature of the recently leaked surveillance programs that has dominated the news this month. We’ll go through a quick tutorial about decoding government “speak” regarding these programs and how you can protect yourself online.

Later in the episode, I’ll talk about Facebook’s accidental creation and compromise of shadow profiles along with Apple’s terrible personal hotspot security and what you can do to improve it.

Thanks for listening!