Security lessons from Pokemon Go - Catch them all!

IMG_0810 When anything big happens on the Internet, the criminals and snoops are not far behind. This time the event is Pokemon Go and there are all kinds of different threats developing in its wake from malware to tracking to physical danger. I you are not familiar with this game yet just look around next time you step outside, it is everywhere.

Criminals have jumped quickly on the piecemeal global rollout of the game. Players unwilling to wait for the official release in their countries have been looking for the game on unofficial app stores. A version with the Android trojan DroidJack has been seen which allows the attacker to take complete control of the victim’s phone and access any files or information. The vast majority of users should absolutely avoid any third party app stores. Only get your software from known and reputable sources and don’t do anything to bypass the phone’s security. The best practice is to stick with the app store that came with your phone.

Even the official version of the game raises some troubling privacy concerns. By design the application tracks you when you are using it, and you are strongly encouraged to be using it all the time. This is hardly the only application tracking you, but the privacy policy on the game is not great. Also, it is likely to be disproportionately tracking children. Always think about who has access to your information and how it can be used for and against you. The tracking data might be ok in the hands of the current company but if it is sold or stolen, you might be less happy with the people who have it.

Conventional muggers have also discovered the power of Pokemon Go to lure their victims. In the game players need to search out fixed locations called Poke Stops and Gyms. Criminals can add capabilities to these virtual constructs to make them even more interesting and attractive. If the location is dark and somewhat hidden it becomes the perfect location for an ambush. The divide between virtual and physical keeps getting narrower. Physical attacks are launched from cyberspace and cyber attacks can start with physical device access. We can’t just focus on the digital risks of tools and attacks, but must also consider how it could impact us in the the analog world.

Finally, this game is causing people to walk into the street, down dark alleys, and into rough neighborhoods without paying attention or taking appropriate care. Like distracted driving, this is another example of our immersion in the electronic realm causing us to neglect the basics of staying safe in the here and now.

I find it fascinating that one program, and a game at that, can have so many and varied security implications. Now, I am off to catch me some Pokemon, I think there are some down my driveway!

2 Apple security fumbles: Random MAC and Password Prediction

Apple Store Chicago Apple is getting taken to task for a couple of security issues.

First, their recently announced “Random MAC address” feature does not appear to be as effective as expected. The idea is that the iOS 8 device will use randomly generated MAC addresses to ping WiFi base stations when it is not actively connected to a WiFi network. This allows your phone to identify known networks and to use WiFi for enhanced location information without revealing your identity or allowing you to be tracked. Unfortunately the MAC only changes when the phone is sleeping, which is really rare with all the push notifications happening all the time. The effect is that the “random” MAC addresses are changed relatively infrequently. The feature is still good, but needs some work to be actually very useful.

Second, people are noticing their passwords showing up in Apples iOS 8 predictive keyboard. The keyboard is designed to recognize phrases you type frequently so it can propose them to you as you type, thus speeding message entry. The problem is that passwords often follow user names, and may be typed frequently. Research is suggesting that the problem is from websites that fail to mark their password fields. Apple is smart enough to ignore text in known password fields, but if it does not know that it is a password, then the learning happens. It is not clear that this is Apple’s fault, but it is still a problem for users. Auto-fill using the latest version of 1Password should protect against this.

https://www.youtube.com/watch?v=ceC9jMIpszI

[powerpress]

Lance Cottrell is the Founder and Chief Scientist of Anonymizer. Follow me onFacebookTwitter, and Google+.

Check your phone for evil Tor app

TorAppLogo Fake Tor browser for iOS laced with adware, spyware, members warn | Ars Technica

There are a number of different Tor anonymity service apps in the Apple iOS app store. According to several people at Tor, one of them is unofficial and loaded with adware and spyware.

The bad one is "Tor Browser”. If you have it, you should un-install it immediately.

Apple has been requested to remove the app from the store, but no action has been taken so far.

Lance Cottrell is the Founder and Chief Scientist of Anonymizer. Follow me on Facebook and Google+.

Why you need to double check your iPhone Bluetooth settings

iPhone control panelApple Keeps Turning Bluetooth On When You Update Your iPhone Recent iOS updates have automatically re-enabled Bluetooth for many users who keep it turned off for battery conservation or privacy reasons.

The increasing use of iBeacons and other Bluetooth based tracking systems make this a bigger privacy worry than before. Tracking via Bluetooth is now a widely and actively used tool in retail and other areas.

Conspiracy theorists suggest that Apple is doing this intentionally to increase the usefulness of iBeacons to track people, and thus encourage their adoption. While this is an appealing idea, the jury is still out on this one.

If you are concerned about this kind of tracking, you can quickly disable Bluetooth in the control center on your iPhone by sweeping up from the bottom of just about any screen and tapping the Bluetooth button. It is fairly easy and convenient to keep Bluetooth turned off most of the time, and just enable it when you want to use a wireless headset or other Bluetooth device for a short while.

Lance Cottrell is the Founder and Chief Scientist of Anonymizer. Follow me on Facebook and Google+.

The Privacy Blog Podcast – Ep.12: The Court Ruling Against Google’s Wi-Fi Snooping, Vulnerabilities in the iPhone Fingerprint Scanner, and Security Tips for iOS 7

Welcome to the 12th episode of The Privacy Blog Podcast brought to you by Anonymizer. In September’s episode, I will talk about a court ruling against Google’s Wi-Fi snooping and the vulnerabilities in the new iPhone 5s fingerprint scanner. Then, I’ll provide some tips for securing the new iPhone/iOS 7 and discuss the results of a recent Pew privacy study.

Hope you enjoy – feel free to add questions and feedback in the comments section.