Friday, December 2, 2011

Carrier IQ and thoughts about privacy....

Several days ago a security researcher discovered hidden software running on many cell phones produced by a company named Carrier IQ. It appears that on certain phones with certain carriers it logs every keystroke, and tracks practically everything the subscriber does with their phone. Predictably, most people are not very happy about this and there has been a firestorm on technology news sites. I have tweeted, and Google Plus'ed several thoughts on the subject myself. I am not going into a lot of great detail on what has been covered very thoroughly by other forums. But this whole thing makes me think - are we really in an era where there is a total lack of expectation of privacy?

I remember 10-15 years ago seeing occasional articles about how the average person's name came up on some computer screen many times a day around the world. Surely now, that is many thousands of times per day and the detail and quantity of the information vastly expanded. But what about 100 years ago? Did you have an expectation of privacy more so than today, or was there an openness of your life commensurate with the technology of the time? What about when photographic technology came along and suddenly a person's image could be captured walking down the street and printed in a newspaper? Consider that certain personal information has always been stored in the public domain - property records, birth and death records, income and asset information for tax purposes. What's the difference? In my mind the difference is the ability to aggregate, store and process and turn this data into intelligence. A hundred years ago there was a sizable amount of information available about an individual, but it required a lot of footwork to bring it all together. Now that information is brought together, aggregated, correlated and processed constantly. In fact there is a new category of workers who specialize in crunching numbers, visualizing data and producing marketable intelligence - the "Quants" as Scott Patterson calls them in his book, The Quants: How a New Breed of Math Whizzes Conquered Wall Street and Nearly Destroyed It. The difference is astounding and leads us, or at least me, to believe that we do in fact need to be more cautious about privacy than in the past.

To what lengths should you go to protect or guard your privacy? I know some people who have zero social media footprint for just this reason. Still others refuse to use free, ad-based email providers like Gmail, Yahoo mail, and Hotmail to reduce the footprint of their "dossier". I remember reading somewhere that people who utilize free services on the internet like storage, email, and social media are not really getting the services free, but rather are making "micro-payments" in their privacy and liberty and because they are "micro", they seem insignificant at any point in time, but taken together represent a stunningly comprehensive view of who you are over a period of time. The other side of the story comes from those who simply say "there is no privacy therefore I will make everything public". These people freely post their whereabouts using social tracking sites like FourSquare and post thousands of pictures, intimate accounts of activity, purchases, etc. on social media sites like Facebook or Google +. Are they right? I don't know.

My opinion on this is black and white. With the existing privacy laws and regulations in the U.S. I am not ready to throw all my information into the pile, at least not voluntarily. Unlike Europe (specifically Germany) where privacy laws are more up to date and stringent, the U.S. just leaves too much up to the goodwill of the collector. So while I may have a Facebook, LinkedIn and Google + profile, I try to limit their reach into my private life and spend a great deal of time tweaking settings because of it. However in the future, if and when the laws and regulations in the U.S. become more stringent, I can see an advantage to sharing more information and ultimately living the true digital life.

---
Now, bringing this back around to Carrier IQ and cellphone spying. I think cellphone carriers have a legitimate right to log some data for service assurance as long as there is an opt-out, and the software is not hidden with no ability to disable it - this is why I believe Carrier IQ's software is similar to a "rootkit". It is unconscionable for them or any other vendor to be keystroke logging and tapping into communications that would ordinarily not be visible (https). Bad form and I support the folks who believe it may violate U.S. wiretapping laws.

Thursday, July 21, 2011

IE 9 Tops in blocking Socially Engineered Malware according to NSS Labs Report

Having recently posted tips on security suggesting that Firefox and other browser options offered a more secure browsing experience for the average user - I find it very interesting and worthy of comment the recent report from NSS Labs on browser security.  Browser security covers a lot of ground and the NSS Labs report covers specifically "Socially Engineered Malware", in their words,


"a web page link that directly leads to a download that delivers a malicious payload whose content type would lead to execution, or more generally a website known to host malware links."


This differs from exploit-based, drive-by attacks and according to the report is the predominant internet threat at this time.  The report is careful to point out that it does not evaluate the overall security of the browser or add-ons/extensions in terms of vulnerabilities.

Their findings indicate IE9 blocks 92% of this category of malware.


So, what does it really mean? It means simply this: the largest percentage of malware problems today are coming from this kind of attack and Internet Explorer 9 is the best at preventing this form of attack.

I believe IE9 still has some significant overall security challenges but I wanted to post the link to this report and briefly discuss it because it is significant that, without add-ons, IE9 is reportedly doing a very good job blocking this class of malware delivery.

IE9 uses two techniques to attain this protection.
  • SmartScreen URL Filter (which is in IE8 as well)
  • SmartScreen Application Reputation (new to IE9)
SmartScreen URL Filter, as you would expect, blocks bad websites whereas SmartScreen Application Reputation blocks dangerous application executables. 

You can read more about this and other security technology built into IE 9 here.

I've given it some more thought on how I recommend browsers and talk about browsing security to family, friends and co-workers given this report. It's an interesting report and to me, shines new light on IE9 as well as how users are actually compromised. My own browsing protection strategy has been crafted to protect more against the so-called "drive-by" exploit, Java and JavaScript exploits and click-jacking. Perhaps that is from working in the Security field and being cautious about what links I follow and the email I receive.

I am not ready to say dump Firefox with security add-ons yet but I am using this as a catalyst to investigate and research browser security even further. I know this is a pretty simplistic analysis at this moment but my hope is that it will serve for both myself and the reader as a point of departure for a closer look at the browser security and just what that means.

   -tm

Tuesday, July 12, 2011

Secunia PSI and some security tips...

I've cleaned up quite a few malware-infested personal computers over the years. Frequently, no Anti-virus (AV) software or out-of-date AV Software is at least a partial cause.

Sometimes it's a lack of consistent updating of the Operating System or software from Microsoft. Microsoft Windows has the ability to be set to update itself and they also offer a free, decent, auto-updating, Anti-Virus product called Microsoft Security Essentials which can be downloaded here.
 
What about all that other software on your personal computer?  Some of the most frequent hacking attacks are being directed against ancillary software such as Adobe Acrobat Reader, Adobe Flash, Firefox, Wireshark and others.

Some people can have dozens of software packages and keeping them up-to-date can be difficult and is frequently where individuals can be most susceptible to compromise.

Enter Secunia PSI (Personal Software Inspector). This is a free tool (if used for personal use) that will inspect your software, detect out-of-date or vulnerable software and offer to update. It will also detect and install missing security patches and provides you with a nice Dashboard of your personal computer's software status.

Secunia PSI can be downloaded here.

So, here is a quick survey of a few things you can do to reduce the chances of getting compromised.
  1. Use Anti-Virus Software and keep it up to date.
  2. Consider using the Firefox or Google Chrome browser; Internet Explorer is less safe. More on why in another post.
  3. Consider using a plugin called Ghostery. It blocks ads, spyware, malware and gives you control over JavaScript. Works in Safari, IE, Firefox, and Chrome. More on this in a later post.
  4. Consider installing and using Secunia PSI.
  5. Do NOT open links, PDFs or other junk via email. Google what people send you and let Ghostery tell you what it finds on that link.
  6. DO NOT ever use a USB thumb drive you find.  Bad, Bad, Bad!
  7. Set your AV Software to scan USB drives and to have “Real-time” protection on and to scan all downloads.
  8. DO NOT frequent file sharing sites. The content is probably illegally copied and highly likely to be a delivery platform for much badness.





      
      
    

Monday, July 11, 2011

Malware sleuthing...

Pretty nice blog post over on the Mandiant blog on replacement of the fax server DLL in Windows to hide malware. Windows is fertile ground for this type of manipulation. I look forward to studying and talking more about this type of thing in upcoming posts. In the meantime, enjoy this analysis by Nick Harbour.
What the fxsst?