In two separate cases recently Uber has, or has talked about, abusing its information about their customer’s movements.
First a Buzzed reporter Johana Bhuiyan was told that she was tracked on the way to a meeting by Josh Mohrer, general manager of Uber New York.
Next Emil Michael, SVP of business for Uber, talked at a private dinner about the possibility of using the information Uber has about hostile reporters to gather dirt on them.
Apparently Uber has an internal tool called “God View” which is fairly widely available to employees and allows tracking of any car or customer. Obviously such information must exist within the Uber systems for them to operate their business, but this access for personal or inappropriate business purposes is very worrying, possibly putting the security of customers at risk.
While Uber is the company that got caught, the potential for this kind of abuse exists in a tremendous number of businesses. We give sensitive personal information to these companies in order to allow them to provide the services that we want, but we are also trusting them to treat the data appropriately.
Last year there was a scandal within the NSA about a practice called “LOVEINT”. The name is an inside joke. Signals intelligence is called “SIGINT”, human intelligence is called “HUMINT”, so intelligence about friends and lovers was called “LOVEINT”. In practice, people within the NSA were accessing the big national databases to look up information on current or former partners, celebrities, etc.
The exact same risk exists within all of these businesses, but generally with far weaker internal controls than in the government.
I think that the solution to this is not to insist on controls that would be difficult to enforce, or to ban the keeping of information which they really do need, but rather to give users visibility into when their information is viewed, why, and by whom. Abuse could then be quickly detected and exposed, while allowing the business to continue to operate as they need to.
Engineers at Golden Frog recently discovered that Cricket wireless was automatically disabling their email encryption.
It is not at all clear why they were doing this, but we do know how. When an email client attempts to make a secure connection to a server, it sends a STARTTLS command. If the server never sees the STARTTLS, then it assumes you just wanted an insecure connection.
The ISP can easily modify the data stream to remove the request, causing your computer to connect without any encryption. According to the standard, the user is supposed to get a warning about this, but in practice almost all software just fails silently.
The best way to protect yourself against this attack is to encrypt your email end to end. You can use SMIME, which is built into most email clients, or GPG. GPG can be stronger, but it is harder to use, and easy to misuse. Either will significantly improve your security.
The next step is to use a VPN like Anonymizer.com to protect you against your ISP. It will also protect you against anyone else in the path between your computer and your VPN service. Unfortunately between them and the destination server, you are still vulnerable to any hostile ISPs.
- Who do you / can you trust for privacy?
- How to protect yourself against new DarkHotel type WiFi attacks
- More proof that the web security model is totaly broken
The recent incident where attackers posted usernames and passwords for compromised Dropbox accounts really shows the importance of practicing good password hygiene.
GigaOm has one of many articles describing the actual events. The short version is that some hackers have been posting usernames and passwords to Dropbox accounts on a Pastebin page. Dropbox says that they have not been compromised, and that the passwords were actually taken from other websites or through other methods.
If this is true, and it seems reasonable, then those who have been compromised became victims because they reused their passwords across multiple websites. That is probably a bigger security error than choosing weak passwords in the first place.
The security at websites varies widely, usually based on the sensitivity of the information on that site. Banks tend to have better security than news sites or discussion sites. If you use the same password with all these sites, then if any of them is compromised the attacker can simply try your username / password on every other interesting website to see if they work there too.
The solution is to use a different password on every website. They should not be simply modifications of each other but actually completely different passwords. Additionally they should be long and random. This means that they will be impossible to remember, but a password manager or password vault can take care of that for you. It will generate the strong random passwords, fill in the forms for you, and sync between your various computers and other devices. There is no excuse not to use unique and strong passwords with every website, and you will be much safer if you do.
- A recent revealed compromise of the Tor anonymity system
- Why Canvas Fingerprinting both is and is not a big deal
- The coming conflict between US searches and EU privacy
- How even genealogy information can compromise your identity
- An update on Chinese censorship
- Why the security model of the web is hopelessly broken
- Russia’s continuing crackdown on the Internet
- and finally how Lightbulbs, among other things, can
- compromise your network
- A decision giving Canadians more rights to Anonymity
- Iraq's recent blocking of social media and more
- Iran's outright criminalization of social media
- A court decision requiring warrants to access cell tower location data
- Another court stating that irrelevant seized data needs to be deleted after searches
- A massive failure of data anonymization in New York City
- A court requiring a defendant to decrypt his files so they can be searched
- The Supreme Court ruling protecting cellphones from warrantless search.
- Phone tracking streetlights in Chicago
- And a small change for iPhones bringing big privacy benefits
- The Heartbleed bug, and why it is such a big deal.
- A major vulnerability in Internet Explorer, and why we are focusing on the wrong thing.
- The reasons behind recent pushes for national Internet sovereignty.
- and finally about the increasingly international reach of US search warrants.
In episode 17 of The Privacy Blog Podcast for February, 2014 I talk about:
- The just completed RSA Security conference
- How an email can expose your location
- A guy who suffered extortion because his username was so valuable.
- What happened in the latest Bitcoin fiasco
- Exactly how secure Apple’s iMessage protocol is
- And finally how insurance companies may drive changes in cyber security
In episode 16 of the Privacy Blog Podcast for January, Twenty Fourteen I talk about:Biological Advanced Persistent Threats The Apps on your mobile devices that may be enabling surveillance Why you may soon know more about how much information your service providers are revealing to the government The total compromise of the TorMail anonymous email service How the British government is using pornography as a trojan horse for Internet Censorship. And finally why continued use of a deprecated cryptographic signature algorithm could undermine the security of the Web
This is episode 15 of the Privacy Blog Podcast for December, 2013 In this episode I talk about:
How people are tracking the biggest ever theft of Bitcoins
A keylogger that has compromised 2 million accounts
Why a majority of Turks may be at risk of identity theft
How an anonymous bomb hoaxer got caught
A demonstration of activating iSight cameras without the indicator light
and finally, some thoughts on staying safe this holiday season.
This is episode 14 of the Privacy Blog Podcast for November,2013.In this episode I talk about: How your phone might be tracked, even if it is off The hidden second operating system in your phone Advertising privacy settings in Android KitKat How Google is using your profile in caller ID and the lengths to which Obama has to go to avoid surveillance when traveling.
Welcome to episode 13 of our podcast for September, 2013.In this episode I will talk about: A major security breach at Adobe How airplane mode can make your iPhone vulnerable to theft Russian plans to spy on visitors and athletes at the winter Olympics Whether you should move your cloud storage to the EU to avoid surveillance Identity thieves buying your personal information from information brokers and credit bureaus How to stop google using your picture in its ads Why carelessness lead to the capture of the operator of the Silk Road And how Browser Fingerprinting allows websites to track you without cookies.
Please let me know what you think, and leave suggestions for future content, in the comments.