Wednesday 31 July 2013

Moscow to Start Tracking Mobile Users in Metro System

This past Monday, Russian newspaper Izvestia reported that Moscow’s metro system will be implementing an elaborate mobile device tracking system that they say will help authorities recover stolen phones. Nope, not suspicious at all.
The system that experts believe will be implemented is called a “stingray” or “IMSI catcher” and basically tricks phones into using a fake cell tower. The systems have a range of about five meters and will track SIM cards rather than actual devices. As mobile users pass the devices, the system will track each SIM card’s mobile subscriber number (IMSI), figure out the target’s route, and then relay the data to the station manager.
In an interview with Ars Technica, Privacy International’s Eric King said:
“Many surveillance technologies are created and deployed with legitimate aims in mind, however the deploying of IMSI catchers sniffing mobile phones en masse is neither proportionate nor necessary for the stated aims of identifying stolen phones.
“Likewise the legal loophole they claim to be using to legitimize the practice—distinguishing between tracking a person from a SIM card—is nonsensical and unjustifiable. It's surprising it's being discussed so openly, given in many countries like the United Kingdom, they refuse to even acknowledge the existence of IMSI catchers, and any government use of the technology is strictly national security exempted.”
Apparently, such a tracking system shouldn’t even be legal in Russia, but authorities are saying that because the system tracks SIM cards, which are technically owned by the service provider and not the mobile phone operator, the system is legal.
Experts have pointed out that for the system to be effective, multiple IMSI catchers would need to be deployed in each station, making the system financially ridiculous if its purpose truly is to track stolen phones.

Wednesday 24 July 2013

Syrian Electronic Army Hacks Viber Support Desk

The Syrian Electronic Army is at it again, this time hacking the support page for the Israel-based instant messaging and VoIP service Viber.

The pro-Assad hacking group claimed to have access to Viber customers' personal details including email addresses and phone numbers, though Viber representatives say no such personal information was accessed.

"Yesterday, the Viber Support site was defaced after a Viber employee unfortunately fell victim to an email phishing attack. The phishing attack allowed access to two minor systems: a customer support panel and a support administration system. Information from one of these systems was posted on the defaced page."

The hacked page was defaced with a blue banner that read "Hacked by the Syrian Electronic Army". The SEA can add Viber to a relatively impressive list of hacked sites and Twitter feeds including those of The Financial Times, the Associated Press, The Onion, The Guardian, Al Jazeera, and others.

Monday 22 July 2013

Experts Say Non-U.S. VPNs Provide Better Protection

CSO Online published an awesome piece pointing out that non-U.S.-based VPNs (like SumRando) can provide an edge in protecting your information from surveillance programs.
“Foreign VPNs can make snooping more difficult for U.S. government agencies because the service providers are immune from the Patriot Act. If the provider does not keep any logs on its subscribers, then collecting data would be even more difficult.” [CSOOnline]
Did I mention that SumRando never keeps logs?
Remember, a VPN works by encrypting all of the information traveling between your computer and the VPN server. So even if an agency like the NSA were to intercept that data stream, all they’d have is a bunch of heavily garbled content that could take years to decrypt.
The problem with American-based VPNs, as the article points out, is that they are subject to American laws like the PATRIOT Act that could require them to turn over user information. In that case, any encryption would be rendered useless because the company could turn over plain-text records.

A solid VPN along with updated anti-virus software and strong passwords should act as the foundation of every web user’s privacy and security arsenal. SumRando VPN offers 10 GB of service for free and never logs your data. Why not give us a try?

Wednesday 17 July 2013

Google Has Your Wi-Fi Password. Does the NSA?

Just in case you haven’t already donned a tinfoil hat in light of Edward Snowden’s NSA revelations, here’s a little extra motivation. According to the Electronic Frontier Foundation (EFF), Android users who use the “back up my data” feature on their devices could be serving up their Wi-Fi passwords to data harvesters like the NSA.
Disclaimer: No evidence exists that the NSA is actually logging passwords and it is irresponsible to suggest otherwise unless actual evidence is provided. EFF has demonstrated that it is simply possible.
“The ‘Back up my data’ option in Android is very convenient,” wrote Micah Lee, staff technologist at the EFF. “However, it means sending a lot of private information, including passwords, in plaintext to Google. This information is vulnerable to government requests for data.” [ArsTechnica]
Ostensibly, Android’s backup feature is outstanding and frankly a responsible thing to use. It sends data including your call logs, system settings, and browser bookmarks to Google’s cloud so they can be easily retrieved should you lose your phone. Unfortunately, since the data is sent in plain text, any information requests could very well include more sensitive data like your Wi-Fi passwords.
“Since backup and restore is such a useful feature, and since it's turned on by default,” wrote Lee, “it's likely that the vast majority of Android users are syncing this data with their Google accounts. Because Android is so popular, it's likely that Google has plaintext Wi-Fi passwords for the majority of password-protected Wi-Fi networks in the world.”
And if that’s not unsettling enough, don’t forget that Google also mapped most of those Wi-Fi networks with their Street View program. It wouldn’t take much to link the location of the network and the corresponding password for anyone interested in snooping.

Have we mentioned you should use a VPN when you’re on Wi-Fi?

Wednesday 10 July 2013

News Round-Up!!!

China and U.S. talk Cybersecurity
As part of the fifth annual session on political and economic issues, China and the United States have turned the discussion towards matters of cyber espionage. According to Vice President Joe Biden, the two nations are working on developing "trust."
Both countries have been running long campaigns against each other in the digital realm, and it might be a lot to ask them both to lay down their arms, but talks are certainly a positive first step.

Pirate Bay co-founder developing spy-proof messaging app 

In light of a global freak-out in response to government surveillance, Pirate Bay co-founder Peter Sunde has teamed up with a couple of developers to create a messaging app that is completely snoop-proof.

According to Sunde, the app will be called Hemlis (Swedish for ‘secret’) and will feature end-to-end encryption.
"All communication on today's networks is being monitored by government agencies and private companies. The politicians are not going to stop it, they're actually asking for more," Sunde said in a video. "That's why we decided to build a messaging platform where no one can spy on you, not even us."

U.S. Emergency Alert System is Hackable
If you’ve ever lived in the States, you’re probably familiar with the phrase, “We interrupt this broadcast for a special announcement.” The system is designed to interrupt live TV and radio with information about local and national emergencies. But after the most recent firmware update, it looks like the system is hackable.
Cue the zombie apocalypse pranks.

According to security firm IOActive, “An attacker who gains control of one or more DASDEC systems can disrupt these stations’ ability to transmit and could disseminate false emergency information over a large geographic area. In addition, depending on the configuration of this and other devices, these messages could be forwarded to and mirrored by other DASDEC systems.”

Thursday 4 July 2013

FTC Updates Rules to Protect Kids from Data Collection

The U.S. Federal Trade Commission hasn’t been given enough credit for its efforts to protect Americans’ privacy. Earlier this year, the FTC pushed Congress to legislate transparency for data brokers, and now it has updated the 1998 Children’s Online Privacy Protection Act to address data collection when it comes to kids.

According to the FTC, the revised rule “addresses changes in the way children use and access the Internet, including the increased use of mobile devices and social networking.” The new policy requires that websites targeting children under 13 and sites that knowingly collect information from children under 13 acquire parental permission before “collecting, using, or disclosing such personal information, and keep secure the information they collect from children.”

“At the FTC, protecting children’s privacy is a top priority,” said FTC Chairwoman Edith Ramirez. “The updated COPPA rule helps put parents in charge of their children’s personal information as it keeps pace with changing technologies.” [FTC]

Needless to say, the new rule has met ire from marketers, advertisers and other businesses that frequently deal in personal information. Morgan Reed, executive director of the Association for Competitive Technology, expressed concern at the logistics of implementing a rule targeting a select demographic.

“How do we make the goals of COPPA function in a technological world where a parent might hand their tablet computer from the front seat of the car to the back seat of the car? How does the developer know when he has to change behaviour?” Reed said.

Certainly, there will be substantial challenges in implementing a rule like this, but I think we can all agree this is a step in the right direction.

Anyone concerned about his or her privacy or that of a loved one should also consider using a VPN to secure the data coming in and out of their computer.

Private Parts is the official blog of SumRando VPN and is basically the coolest thing on the web. You can try SumRando for free here.