Security risk of Uber abusing trust & tracking reporters

In two separate recent cases, Uber has abused, or has talked about abusing, the information it holds about its customers’ movements.

First, a BuzzFeed reporter, Johana Bhuiyan, was told that she had been tracked on the way to a meeting by Josh Mohrer, general manager of Uber New York.

Next Emil Michael, SVP of business for Uber, talked at a private dinner about the possibility of using the information Uber has about hostile reporters to gather dirt on them.

Apparently Uber has an internal tool called “God View” which is fairly widely available to employees and allows tracking of any car or customer. Obviously such information must exist within the Uber systems for them to operate their business, but this access for personal or inappropriate business purposes is very worrying, possibly putting the security of customers at risk.

While Uber is the company that got caught, the potential for this kind of abuse exists in a tremendous number of businesses. We give sensitive personal information to these companies in order to allow them to provide the services that we want, but we are also trusting them to treat the data appropriately.

Last year there was a scandal within the NSA about a practice called “LOVEINT”. The name is an inside joke. Signals intelligence is called “SIGINT”, human intelligence is called “HUMINT”, so intelligence about friends and lovers was called “LOVEINT”. In practice, people within the NSA were accessing the big national databases to look up information on current or former partners, celebrities, etc.

The exact same risk exists within all of these businesses, but generally with far weaker internal controls than in the government.

I think that the solution to this is not to insist on controls that would be difficult to enforce, or to ban the keeping of information which they really do need, but rather to give users visibility into when their information is viewed, why, and by whom. Abuse could then be quickly detected and exposed, while allowing the business to continue to operate as they need to.
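As an added illustration of the visibility-based approach proposed above (this is example code, not anything from Uber or the original post), here is a minimal location lookup API that logs every read and can produce both the per-customer view and a list of reads with no justification attached. Names, records, and the "ticket required" rule are constructed for the example.

```python
"""Added example: audit-logged access to customer location data.
Every lookup is recorded so a customer can see when, why and by whom
their record was viewed, and so unjustified reads stand out.
All names, coordinates and ticket ids below are constructed."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class AccessEvent:
    when: datetime
    employee: str
    customer_id: str
    purpose: str             # free-text reason the employee entered
    ticket: Optional[str]    # support/ops ticket id, None if none given


@dataclass
class LocationStore:
    """Hypothetical store of customer locations with an append-only audit log."""
    locations: Dict[str, Tuple[float, float]]
    audit: List[AccessEvent] = field(default_factory=list)

    def lookup(self, employee, customer_id, purpose, ticket=None, now=None):
        when = now or datetime.now(timezone.utc)
        # Log before returning data, so there is no read path that bypasses the log.
        self.audit.append(AccessEvent(when, employee, customer_id, purpose, ticket))
        return self.locations.get(customer_id)

    def history_for_customer(self, customer_id):
        """What the customer would be shown: every access to their record."""
        return [e for e in self.audit if e.customer_id == customer_id]

    def unjustified_reads(self):
        """Reads with no ticket attached: the first thing an abuse review looks at."""
        return [e for e in self.audit if e.ticket is None]

    def reads_per_employee(self):
        counts: Dict[str, int] = {}
        for e in self.audit:
            counts[e.employee] = counts.get(e.employee, 0) + 1
        return counts


def demo():
    """Constructed scenario: one justified read, one 'curious' read, one more justified read."""
    store = LocationStore({"cust-1": (40.74, -73.98), "cust-2": (41.88, -87.63)})
    t = datetime(2014, 11, 18, 12, 0, tzinfo=timezone.utc)
    store.lookup("ops-alice", "cust-1", "lost item claim", ticket="T-1001", now=t)
    store.lookup("mgr-bob", "cust-1", "curious", now=t)
    store.lookup("ops-alice", "cust-2", "fare dispute", ticket="T-1002", now=t)
    return store
```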

https://www.youtube.com/watch?v=XM8_JeVHwwo

Good articles for more info from: The Verge, Forbes, & Forbes again

Facebook Messenger alarmism is distracting from real Internet privacy issues

The Internet is on fire with outrage right now about the security warnings in the Facebook Messenger app. The furor is based on the viral spread of a post on the Huffington Post back in December of last year. The issue has come to the fore because Facebook is taking the messaging capability out of the main Facebook app, so users will have to install the Messenger app if they want to continue to use the capability.

The particular problem is with the warnings presented to users when they install the app on Android. Many articles are describing these as the “terms of service”, but the warnings are the standard text displayed by Android based on the specific permissions the app is requesting.

Here are the warnings as listed in the original Huffington Post article:

  • Allows the app to change the state of network connectivity
  • Allows the app to call phone numbers without your intervention. This may result in unexpected charges or calls. Malicious apps may cost you money by making calls without your confirmation.
  • Allows the app to send SMS messages. This may result in unexpected charges. Malicious apps may cost you money by sending messages without your confirmation.
  • Allows the app to record audio with microphone. This permission allows the app to record audio at any time without your confirmation.
  • Allows the app to take pictures and videos with the camera. This permission allows the app to use the camera at any time without your confirmation.
  • Allows the app to read your phone's call log, including data about incoming and outgoing calls. This permission allows apps to save your call log data, and malicious apps may share call log data without your knowledge.
  • Allows the app to read data about your contacts stored on your phone, including the frequency with which you've called, emailed, or communicated in other ways with specific individuals.
  • Allows the app to read personal profile information stored on your device, such as your name and contact information. This means the app can identify you and may send your profile information to others.
  • Allows the app to access the phone features of the device. This permission allows the app to determine the phone number and device IDs, whether a call is active, and the remote number connected by a call.
  • Allows the app to get a list of accounts known by the phone. This may include any accounts created by applications you have installed.

This strikes me as more an indictment of the overbroad permission requests made by Android apps than of any particular evil intent on Facebook’s part. Obviously many of these things would be very bad indeed, if Facebook actually did them. After significant searching I have not seen any suggestion at all that Facebook is, or is likely to be, doing any of these things without your knowledge.

Many articles are ranting about the possibility that Facebook might turn on your camera or microphone without warning and capture embarrassing sounds or images. Doing so would be disastrous for Facebook, so it seems very unlikely.

After reviewing the actual Facebook privacy policies and terms of service in the Messenger app, I don’t see any sign that these actions would be permitted but of course Facebook does have the right to change the policies, basically at will.

Don’t take from this that I am a Facebook apologist. Anyone looking back through this blog will see many cases where I have criticized them and their actions (here, here, here, here for example). There are major problems with the amount of data Facebook collects, how they collect it from almost everywhere on the Internet (not just their website or apps), and their privacy policies. I have turned off location tracking for the Messenger app on my iPhone because I don’t want Facebook tracking that.

However… Facebook is not going to start turning on your camera at night to take naked pictures of you! There is a lot about privacy on the Internet to worry about; let’s stay focused on the real stuff rather than these fantasies.

Canvas Fingerprinting: a reality check

The Internet is buzzing with discussions about a new kind of tracking called Canvas Fingerprinting. In fact, the technique goes back to a paper by Mowery and Shacham in 2012. Canvas Fingerprinting gets most of its information from the hardware and software used to render images on a given computer. When asked to render a geometric curve or a modern font to the screen, the system has many decisions to make in the process of turning that into the brightness and color values of the pixels in the image. The technique for creating the Canvas Fingerprint is to give the browser a somewhat complex image to render and capture the actual pixel values produced, which are then hashed down to make the fingerprint.

Canvas Fingerprinting is really just another technique for capturing information about a user’s computer as part of a larger system fingerprint. I have been talking about tools like Panopticlick which take all kinds of different information they can see about your computer’s configuration to try to create a unique identifier. Testing my computer right now it says that my browser fingerprint contains at least 22 bits of entropy and is unique among the roughly 4.3 million users they have tested so far. Panopticlick uses information about the browser, operating system, time zone, fonts, plugins, and such to create the identifier.

By comparison, Canvas Fingerprinting contains on average 5.7 bits of entropy meaning that about one in 52 people on the Internet would have the exact same fingerprint. That makes it a lousy identifier on its own.

The real power of this new technique is in combination with other fingerprints like those used in Panopticlick. By combining the two there are about 27.7 bits of entropy, which would identify me to one in 218 million people. One of the strengths of Canvas Fingerprinting is that it captures very different kinds of information than many other methods. For example, because a Windows machine comes with a whole bunch of fonts installed, knowing that a computer is running Windows immediately tells you a lot about the fonts. The two bits of information are highly correlated. The Canvas Fingerprint mostly gives information about the graphics subsystem. Knowing the operating system does not tell you very much at all about the specific chipset or firmware in the graphics processor; they are mostly independent.
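The entropy arithmetic above, and the independence point, can be checked on a small constructed population. This is an added example, not code from the post or from Panopticlick: the "browsers" are made up, fonts are fully determined by OS (correlated), and the canvas hash is drawn independently of OS.

```python
"""Added example: measuring fingerprint entropy in bits and showing why
independent signals add up while correlated ones do not.
The population below is constructed, not measurement data."""
import math
from collections import Counter


def entropy_bits(values):
    """Shannon entropy H = -sum(p * log2 p) over observed value frequencies."""
    counts = Counter(values)
    n = len(values)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def anonymity_set(bits):
    """A fingerprint carrying H bits singles out roughly one person in 2**H."""
    return 2 ** bits


def joint(*columns):
    """Combine several attributes per browser into one tuple-valued attribute."""
    return list(zip(*columns))


def build_population():
    """Constructed population of 12 browsers: 3 OSes x 4 canvas results.
    The font set is a function of the OS (perfect correlation); the canvas
    hash is uniformly distributed regardless of OS (independence)."""
    pop = []
    for os_name, font_set in [("win", "fonts-win"), ("mac", "fonts-mac"), ("linux", "fonts-lnx")]:
        for canvas in ["c1", "c2", "c3", "c4"]:
            pop.append((os_name, font_set, canvas))
    return pop


def analyse(pop):
    oses = [p[0] for p in pop]
    fonts = [p[1] for p in pop]
    canvases = [p[2] for p in pop]
    return {
        "os": entropy_bits(oses),
        "fonts": entropy_bits(fonts),
        "canvas": entropy_bits(canvases),
        # Correlated pair: joint entropy equals H(os), not H(os) + H(fonts).
        "os+fonts": entropy_bits(joint(oses, fonts)),
        # Independent pair: joint entropy equals H(os) + H(canvas).
        "os+canvas": entropy_bits(joint(oses, canvases)),
    }
```

With the post's figures, anonymity_set(5.7) is about 52 and anonymity_set(27.7) about 218 million, matching the one-in-52 and one-in-218-million statements.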

So, in short Canvas Fingerprinting is not that big a deal, and folks should not get so worked up about it, however system fingerprinting in general IS a big deal. It is now good enough to allow individual users to be tracked even if they are deleting all their cookies and hiding their IP addresses with tools like Anonymizer Universal. System fingerprints are not identifying in the same way an IP address is, but they do allow a person to be recognized when they revisit a website, or a cooperating website.

Current best practice to minimize System Fingerprint based tracking (including Canvas Fingerprinting) is to run the browser inside a clean and un-customized virtual machine, which you then revert back to the clean state at the end of every use. That will give your browser a maximally generic identifier, while also eliminating all other kinds of tracking techniques.

Chicago to track cell phones with streetlight poles

The city of Chicago is getting ready to deploy several monitoring stations on light poles along Michigan Avenue. In addition to collecting environmental information like sound volume, light intensity, and air quality, the devices will also count people by detecting wireless signals from passing mobile devices.

The system is designed to only count devices without capturing unique identifiers. While this may be true, it would certainly be easy to change in the future with only a tiny tweak to the software.

This setup looks similar to the tracking trashcans I discussed last year.

Capturing this kind of data is inevitable, and would be invisible if the city had not announced its intentions. The key will be to ensure appropriate protections for collected information, whoever does the collecting. It is refreshing that all of the data captured as part of this project will be published immediately. Assuming nothing is held back, that will give a clear sense of exactly what kinds of information can be extrapolated from the raw data.

Additionally, architectural changes like the random MAC addresses in iOS 8 can significantly improve privacy in the face of such monitoring and tracking.

Chicago Tribune - New sensors will scoop up 'big data' on Chicago

Lance Cottrell is the Founder and Chief Scientist of Anonymizer. Follow me on Facebook, Twitter, and Google+.

Law enforcement access to your cell tower location may require a warrant

A federal appeals court in Atlanta ruled that there is an expectation of privacy in cell tower location information, and therefore it is protected by the Fourth Amendment. This runs counter to other recent rulings that allow access to the information without a warrant under the Stored Communications Act.

The recent ruling relies on precedent from the 2012 Supreme Court decision in United States v. Jones, which stated that a warrant was required to place a tracking device on a suspect’s car. Phone records provide the same information, just by a different technical means.

This would not apply to intelligence gathering activities, nor would it prevent access to your location information with a warrant. It is a move to recognize that our personal information, about which we have real privacy interests, is increasingly existing in the networks of third parties. Laws that assume anything sensitive would be on paper and stored in your house or on your person are absurdly outdated.

For now this is only a local precedent. The issue will almost certainly end up in the Supreme Court at some point.

A tiny change in iOS 8 prevents WiFi tracking of iOS devices

News just broke of a new feature in iOS 8 announced at Apple’s WWDC which was not covered in the big keynote. Advertisers and retail outlets have been using Wi-Fi to track mobile devices for some time. I talked about a network of Wi-Fi tracking trashcans last year in the podcast.

This works because, by default, most mobile devices are constantly on the lookout for Wi-Fi networks. The device communicates with visible base stations to see if they are known, if they are secure, and what they are called. That communication reveals the MAC address of the device’s Wi-Fi.

Like the address on your house, your phone number, or IP addresses, MAC addresses are globally unique identifiers. Everything that can speak Wi-Fi has its own individual MAC address. This makes it a great hook for tracking. If someone sets up a bunch of Wi-Fi base stations, most mobile devices going by will try to connect, giving it their MAC address. By looking at the pattern of those connections, the device can be tracked. 

More sophisticated solutions have even used signal strength to triangulate the location of devices within a small area.

The big news is that Apple is going to randomize the MAC addresses of iOS 8 devices when they are probing for networks. If the device were to probe network base stations A, B, and C they would all see different MAC addresses and think that they were tracking different devices. The iPhone or iPad would still use its real MAC when establishing a full connection, but would not provide it to all of the networks it only probes but never actually uses.
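To make the A, B, C scenario concrete, here is an added simulation (not code from the post or from Apple) of a device probing three base stations once with a fixed MAC and once with a fresh random MAC per probe, followed by the grouping a tracker would do on what the stations logged. Station names, the device MAC, and the sightings are all constructed.

```python
"""Added example: why per-probe MAC randomization breaks cross-station linking.
Stations A, B, C each log (station, observed_mac) for every probe they see;
linking sightings by MAC is all a tracker needs to reconstruct a path."""
import secrets
from collections import defaultdict

STATIONS = ["A", "B", "C"]
REAL_MAC = "a4:5e:60:12:34:56"   # constructed value, not a real device


def random_mac():
    """Random unicast, locally administered MAC: per the IEEE 802 convention,
    bit 1 of the first octet is set (not vendor-assigned) and bit 0 is clear
    (unicast). Every probe gets a new one."""
    b = bytearray(secrets.token_bytes(6))
    b[0] = (b[0] | 0x02) & 0xFE
    return ":".join(f"{x:02x}" for x in b)


def probe_walk(stations, real_mac, randomize):
    """The device walks past each station and sends it one probe request.
    Returns the (station, observed_mac) pairs as the stations would log them."""
    return [(s, random_mac() if randomize else real_mac) for s in stations]


def link_sightings(observations):
    """Tracker side: group sightings by observed MAC. A MAC seen at several
    stations gives a movement path for one device."""
    paths = defaultdict(list)
    for station, mac in observations:
        paths[mac].append(station)
    return dict(paths)


def longest_path(observations):
    """Length of the longest path any single observed MAC can be linked across."""
    return max((len(p) for p in link_sightings(observations).values()), default=0)


def compare():
    """Returns (linkable stations with fixed MAC, linkable stations with random MACs)."""
    fixed = probe_walk(STATIONS, REAL_MAC, randomize=False)
    randomized = probe_walk(STATIONS, REAL_MAC, randomize=True)
    return longest_path(fixed), longest_path(randomized)
```

With a fixed MAC all three stations can be linked into one path; with randomization each station sees a MAC never seen elsewhere, and the real MAC never appears in any probe.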

This is a really small change which provides significant privacy gains. It is similar to the decision Apple made to use randomized IPv6 addresses by default, rather than ones which uniquely identify the computer or mobile device.

Of course, Apple is also working hard to track us all with iBeacons at the same time…

Why you need to double check your iPhone Bluetooth settings

Apple Keeps Turning Bluetooth On When You Update Your iPhone

Recent iOS updates have automatically re-enabled Bluetooth for many users who keep it turned off for battery conservation or privacy reasons.

The increasing use of iBeacons and other Bluetooth-based tracking systems makes this a bigger privacy worry than before. Tracking via Bluetooth is now a widely and actively used tool in retail and other areas.

Conspiracy theorists suggest that Apple is doing this intentionally to increase the usefulness of iBeacons to track people, and thus encourage their adoption. While this is an appealing idea, the jury is still out on this one.

If you are concerned about this kind of tracking, you can quickly disable Bluetooth in the Control Center on your iPhone by swiping up from the bottom of just about any screen and tapping the Bluetooth button. It is fairly easy and convenient to keep Bluetooth turned off most of the time, and just enable it when you want to use a wireless headset or other Bluetooth device for a short while.

Gmail plugin enables tracking when and where you open your email.

A Stranger Can Find Out Where You Are By Getting You To Open An Email - On The Media

The ability to use remotely loaded images in HTML emails for tracking has been known for years, but perhaps not widely known.

The On The Media: TLDR podcast just re-surfaced the issue in the above article, where they talk about a free Gmail plugin called Streak, which provides this capability.

It automatically embeds the hidden images in emails you send, then lets you see when and even where the recipient opens them.

Because they appear to use IP address based locations, you can block the “where” part by using Anonymizer Universal.

You can block this tracking completely by turning off the loading of images in your emails. Of course, if you then choose to load images, know that you are also enabling tracking. If you block image loading you will also find that your emails become much less attractive and significantly more difficult to read.
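Short of blocking all images, a mail client or gateway can at least flag the remote images that look like beacons. The scanner below is an added example (not code from the post, Streak, or Gmail): it parses an HTML body and flags remote images that are tiny, hidden, or carry a long per-recipient token in their URL. The sample message and domain names are constructed.

```python
"""Added example: flag likely tracking pixels in an HTML email body.
Heuristics: remote (http/https) image that is 1px or smaller, hidden via
style, or carries a long query-string token. Inline data: URIs and cid:
attachments never contact a server, so they are ignored."""
from html.parser import HTMLParser
from urllib.parse import urlparse


class ImgCollector(HTMLParser):
    """Collects the attribute dict of every <img> tag in the document."""
    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "img":
            self.images.append({k: v for k, v in attrs})


def _px(value):
    """Parse '1', '1px' or '200' into an int; None if absent or not numeric."""
    if value is None:
        return None
    digits = value.strip().rstrip("px").strip()
    return int(digits) if digits.isdigit() else None


def is_tracking_pixel(img):
    src = img.get("src") or ""
    parsed = urlparse(src)
    if parsed.scheme not in ("http", "https"):
        return False            # data:/cid: images cannot phone home
    w, h = _px(img.get("width")), _px(img.get("height"))
    tiny = (w is not None and w <= 1) or (h is not None and h <= 1)
    style = (img.get("style") or "").replace(" ", "").lower()
    hidden = "display:none" in style or "visibility:hidden" in style
    tokenised = len(parsed.query) >= 16   # e.g. ?u=<per-recipient id>
    return tiny or hidden or tokenised


def find_tracking_pixels(html_body):
    """Return the src of every image judged to be a tracking beacon."""
    collector = ImgCollector()
    collector.feed(html_body)
    return [img.get("src") for img in collector.images if is_tracking_pixel(img)]


# Constructed sample: a normal logo, a 1x1 beacon with a recipient token,
# and an inline data: URI (a transparent GIF) that cannot track anyone.
SAMPLE_EMAIL = """
<html><body>
<p>Hi, please see the attached proposal.</p>
<img src="https://mail.example.com/logo.png" width="200" height="60">
<img src="https://track.example.net/open?u=abcdef0123456789abcdef" width="1" height="1">
<img src="data:image/gif;base64,R0lGODlhAQABAAAAACH5BAEKAAEALAAAAAABAAEAAAICTAEAOw==">
</body></html>
"""
```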

Did you give Google permission to track your every movement?

Google’s Location History Browser Is A Minute-By-Minute Map Of Your Life | TechCrunch

TechCrunch has a nice article on the location tracking of Android based devices.

It is an “opt in” thing, but I suspect that most people are robo-approving all the questions they are asked when they are trying to get their new phones or tablets set up for the first time.

In this case, you may have given Google permission to track and maintain high resolution location information on you. That information is used to discover where you live and work, to improve weather, travel, and traffic information.

If you follow this link, you can see a track of your activities for up to the last 30 days. Really cool in a very frightening way.

Would you sell your privacy for $20 per month?

AT&T thinks that Austin, TX residents will sell their on-line privacy for less than $20 per month. AT&T is launching a service called U-verse with GigaPower, which will provide 300Mbps of bandwidth to the home initially, increasing to 1Gbps in 2014. The cost of the service is $99 per month, but they have a special offer.

If you sign up for the Premier plan you can get the service for $70 per month. Additionally a bunch of setup and install fees are waived and you get free HBO. If you follow the footnote on the offer, you will see that Premier is only available if you agree to participate in the “AT&T Internet Preferences” program.

This invites AT&T to monitor your Internet usage to better profile you and so more effectively target ads at you.

GIGAOM reports that AT&T says “we will not collect information from secure (https) or otherwise encrypted sites, such as online banking or when a credit card is used to buy something online on a secure site. And we won’t sell your personal information to anyone, for any reason.”

I am pleased that they are not doing active man-in-the-middle attacks on customer encryption, but that is a very, very low privacy hurdle.

So, is $20 per month enough for you to allow AT&T to monitor, record, and monetize everything you do on the Internet? Let me know in the comments.

Of course, if you use Anonymizer Universal for all of your on-line activity, there is nothing for them to see.

The Privacy Blog Podcast - Ep. 14: Mobile device privacy and the anti-surveillance tent.

This is episode 14 of the Privacy Blog Podcast for November, 2013. In this episode I talk about:

  • How your phone might be tracked, even if it is off
  • The hidden second operating system in your phone
  • Advertising privacy settings in Android KitKat
  • How Google is using your profile in caller ID
  • The lengths to which Obama has to go to avoid surveillance when traveling

Tech companies respond to reports of NSA tracking switched-off mobile phones | Privacy International

Based on a single line in a Washington Post article, Privacy International has been investigating whether it is possible to track cell phones when they have been turned off. Three of the 8 companies they contacted have responded.

In general they said that when the phone is powered down there is no radio activity, BUT that might not be the case if the phone has been infected with malware.

It is important to remember that the power button is not really a power switch at all. It is a logical button that tells the phone software that you want to turn the phone off. The phone can then clean up a few loose ends and power down… or not. It could also just behave as though it were shutting down.

They don’t cite any examples of this either in the lab or in the wild, but it certainly seems plausible.

If you really need privacy, you have two options (after turning the phone “off”):

1) If you can remove the phone’s battery, then doing so should ensure that the phone is not communicating.

2) If you can’t remove the battery (hello iPhone), then you need to put the phone in a Faraday cage. You can use a few tightly wrapped layers of aluminum foil, or buy a pouch like this one.

The Privacy Blog Podcast - Ep. 13: Adobe, Russia, the EU, Experian, Google, Silk Road, and Browser Fingerprinting

Welcome to episode 13 of our podcast for September, 2013. In this episode I will talk about:

  • A major security breach at Adobe
  • How airplane mode can make your iPhone vulnerable to theft
  • Russian plans to spy on visitors and athletes at the winter Olympics
  • Whether you should move your cloud storage to the EU to avoid surveillance
  • Identity thieves buying your personal information from information brokers and credit bureaus
  • How to stop Google using your picture in its ads
  • Why carelessness led to the capture of the operator of the Silk Road
  • How Browser Fingerprinting allows websites to track you without cookies

Please let me know what you think, and leave suggestions for future content, in the comments.

No warrant needed for cell location information in the Fifth US Circuit

Ars Technica has a nice article on a recent ruling by the US Fifth Circuit Court of Appeals.

In this 2-1 decision, the court ruled that cellular location information is not covered by the Fourth Amendment, and does not require a warrant. The logic behind this ruling is that the information is part of business records created and stored by the mobile phone carriers in the ordinary course of their business.

Therefore, the data actually belongs to the phone company, and not to you. The Stored Communications Act says that law enforcement must get a warrant to obtain the contents of communications (the body of emails or the audio of a phone call) but not for meta-data like sender, recipient, or location.

The court suggests that if the public wants privacy of location information that they should demand (I suppose through market forces) that providers delete or anonymize the location information, and that legislation be enacted to require warrants for access to it. Until then, they say we have no expectation of privacy in that information.

The Fifth Circuit covers Louisiana, Mississippi, and Texas.

This ruling conflicts with a recent New Jersey Supreme Court decision, which unanimously held that law enforcement does not have that right; that ruling only applies in New Jersey.

Montana has a law requiring a warrant to obtain location information, while in California a similar bill was vetoed.

It seems very likely that one or more of these cases will go to the Supreme Court.

Cloud and telecom needs the same legal protection as snail mail.

The ACLU just posted an article about a recent federal magistrate judge's ruling. It is a somewhat bizarre case. The DEA had an arrest warrant for a doctor suspected of selling prescription painkillers for cash. They then requested a court order to obtain his real-time location information from his cell provider.

The judge went along, but then published a 30 page opinion stating that no order or warrant should have been required for the location information because the suspect had no expectation of location privacy. If he wanted privacy, all he had to have done is to turn off his phone (which would have prevented the collection of the information at all, not just established his expectation).

So, if this line of reasoning is picked up and becomes precedent, it is clear that anyone on the run needs to keep their phone off and/or use burner phones paid for with cash.

My concern is that, if there is no expectation of privacy, is there anything preventing government entities from requesting location information on whole populations without any probable cause or court order?

While I think that the use of location information in this case was completely appropriate, I would sleep better if there was the check and balance of the need for a court order before getting it.

This is another situation where technology has run ahead of the law. The Fourth Amendment was written in a time when information was in tangible form, and the only time it was generally in the hands of third parties was when it was in the mail. Therefore search of mail in transit was specially protected.

Today, cloud and telecommunication providers serve much the same purpose as the US Postal Service, and are used in similar ways. It is high time that the same protection extended to snail mail be applied to the new high tech communications infrastructures we use today.

Will a warrant be required to access your email?

Email Privacy Hearing Set To Go Before The House On Tuesday | WebProNews

The House Judiciary Committee is going to be discussing the Electronic Communications Privacy Act. There is a chance that they will strengthen it.

This act was written decades ago, before there were any real cloud solutions. Email was downloaded by your email client, and immediately deleted from the server. The law assumed that any email left on a server more than 180 days had been abandoned, and so no warrant was required for law enforcement to obtain it.

These days, with services like Gmail, we tend to keep our email on the servers for years, with no thought that it has been abandoned. Law enforcement is opposing reforms of this law because it would make their work more difficult. Doubtless it would, as does almost any civil liberty.

Earlier this month Zoe Lofgren introduced the Online Communications and Geolocation Protection Act, amending ECPA. It would require a warrant to obtain cell phone location information. There is clearly some momentum for reform.

Printers watermark your documents

It has long been known in security circles that many printers embed nearly invisible watermarks in all printed documents which uniquely identify the printer used. SpringyLeaks reports that a recent FOIA request revealed the names of printer companies who embed such markings and have worked with law enforcement to identify the printers used in various cases.

The article also suggests that these watermarks can be used to aid reconstruction of shredded documents.

Google tricks iOS Safari into tracking you

Google and other online advertising companies like Vibrant Media, Media Innovation Group, and PointRoll, are using a flaw in Safari on iOS to track you despite your privacy settings.

iOS Safari is set by default to reject tracking cookies from 3rd party websites. That means that unless you are directly and intentionally interacting with a site it should not be able to cookie and track you. Specifically that is intended to prevent tracking by advertisers displaying banner ads on websites.

The hack is that these advertisers use a script within the website to submit an invisible web form to the advertising website, which looks to Safari as if you directly interacted with that site, and so it allows the site to set a cookie. Another flaw in Safari causes those cookies to be returned to the 3rd party sites once they have been set.

Apple is saying that they will address the issue. Google is blaming Apple for breaking with web standards (even though almost all browsers support blocking 3rd party cookies, iOS Safari is unusual in making this the default).

My suggestion:

  1. On your iOS device (iPhone, iPad, iPod Touch) go to "Settings", select "Safari", scroll down and "Clear Cookies and Data". Do this frequently.
  2. Don't log into Google or other social media sites through the browser, only use the dedicated apps.
  3. Use those social media apps to "like" or "+1" content, rather than doing so in the browser.
  4. Protect your IP address with a tool like Anonymizer Universal so these sites can't just use your IP address in place of cookies to track you when you are at home or work on a WiFi connection with a long term IP address.

The WSJ had the first article I saw on this, but it is paywalled.

9 to 5 Mac has a nice article on it.

John Battelle's searchblog tries to look at this issue from both sides.

Sneaky tracking code (finally) purged from Microsoft sites • The Register

It looks like Microsoft got caught using "evercookie" or "supercookie" technologies to recreate tracking cookies even after users have tried to delete them from their browsers.

Researchers show about a dozen US ISPs redirecting search requests

Researchers analyzing results from the ICSI Netalyzer project have found ISPs redirecting traffic bound for Yahoo! and Bing to third parties like Paxfire, Barefruit, and Golog. According to this EFF article:

Netalyzr's measurements show that approximately a dozen US Internet Service Providers (ISPs), including DirecPC, Frontier, Hughes, and Wide Open West, deliberately and with no visible indication route thousands of users' entire web search traffic via Paxfire's web proxies.

This appears to be done by returning the IP address of the intercepting server rather than the true IP address when you do a DNS lookup of the server (www.yahoo.com for example). Your browser then connects to Paxfire or one of the other companies, rather than Yahoo!, allowing them to collect data on your activity and possibly modify the results.

There are some things you can do to protect yourself. If your connection to the website is using SSL, or if you have a VPN, your ISP can not intercept or modify your connection.

If you are running Firefox you can install the "HTTPS Everywhere" extension, which will ensure that your connection uses SSL for most of the most popular sites on the Internet.

Using Anonymizer Universal will ensure 100% of your traffic goes over an encrypted connection which will prevent this kind of interception for all websites.

I encourage all of you to visit the ICSI Netalyzer website to test your connection and your ISP for this kind of interception, and to contribute information for their research to detect this kind of strange and/or nefarious activity.