Sunday, 2 August 2015

It’s a Vulnerable World: July 2015

Oh, the wonderful things hackers can do, especially when we let them. July 2015 has been a month of vulnerabilities, insecurities and computer malfunctions:

[Image: Yuri Samoilov]
July kicked off with the announcement that PandaLabs had detected more than 225,000 new malware strains every day from January to March 2015, a 40% increase over 2014’s Q1. The multinational security lab did not have specific numbers regarding Africa, but reported “It is safe to say that Africa has a high rate of infection, but a low targeted rate of attacks. One of the most common forms of malware currently being distributed is ransomware…Unfortunately the number of victims paying the ransom is growing and this is primarily due to the lack of backups and efficient backup procedures in Africa.”

July 8 proved to be a day of glitches in which separate computer malfunctions brought the New York Stock Exchange to a halt and grounded United Airlines flights. In both incidents, computers—not hackers—have been held accountable.

Security researchers Charlie Miller and Chris Valasek successfully hacked the controls of a Jeep Cherokee in motion, and estimated another 471,000 vehicles are similarly vulnerable to such an attack. Fiat Chrysler initially responded with a software update, but followed up in late July with a recall of 1.4 million vehicles. WIRED’s report on the hackable Jeep later snowballed into similar reports of vulnerabilities with General Motors’ OnStar system, satellites and even sniper rifles.

The United States Federal Trade Commission filed a complaint on July 21 against Lifelock and accused the company of “continuing to make deceptive claims about its identity theft protection services” and “failing to take steps required to protect its users’ data.” The claim is especially worrisome given that Lifelock collects sensitive personal data including social security, credit card and bank account numbers.

[Image: Anthony Quintano]
Flyer beware: Dell reminded travelers that in-flight Wi-Fi is as insecure as any other public Wi-Fi.

HP Fortify released a study that revealed ten top smartwatches have significant security vulnerabilities, including insufficient authentication; lack of encryption; insecure interfaces, software and firmware; and privacy concerns. The study asked “whether smartwatches are designed to store and protect the sensitive data and tasks for which they are built.”

Elastica Cloud Threat Labs discovered phishing web pages on Google Drive and suggested Google’s Single Sign On (SSO) procedures for multiple services make it attractive to hackers. The report concludes, “While the cloud offers unprecedented benefits to its users, it is challenging the traditional security model, and necessitating a modern, flexible security stack designed to account for its borderless perimeter.”

If we've missed any July vulnerabilities, let us know in the comments below. Surf secure and stay Rando!

Wednesday, 29 July 2015

Pro-Encryption Arguments from Access Now’s Crypto Summit 2015

Global digital freedom advocate Access Now held its first Crypto Summit on July 15 in Washington, DC. The event examined the intersection of encryption and government as a matter of United States policy and for its domestic and international implications.
[Image: EFF Photos]

A session titled “What is the Law and What Should it Be?” brought together panelists Nate Cardozo, Electronic Frontier Foundation; Carrie Cordero, Georgetown University Law Center; Jamil Jaffer, George Mason University Law School; and Sarah McKune, Citizen Lab, who debated the necessity, legality and (im)possibility of government backdoors for encrypted communications.

Some of our favorite pro-encryption arguments from the discussion include:
“Encryption is becoming more and more popularized, more ubiquitous, more accessible. But the fact that it’s more accessible is also the reason why those of us in civil society are becoming more secure. Because there are certain barriers to entry for civil society groups and activists to actually enhance their digital security. So the more encryption is implemented by design, the more it’s built in, the less impediments there are to civil society actually using this for their work” (McKune, 16:10-16:37).
“I keep all of my contraband in a safe. When law enforcement wants to search my safe, which they do, they get a warrant—a search warrant. And what do they do? They try and crack the safe, they get a blow torch, they get the best safe cracker. What they don’t do is go to Brinks and say, with the next safe you sell, you have to give us the combo” (Cardozo, 25:26-25:53).
“I’ve heard the concern and the criticism that people in the privacy community and the security community who are concerned about [encryption] are not willing to admit that this can and will be a barrier to law enforcement, that in fact some people will be hurt, some people may even die because of the deployment of encryption. I’m not afraid to say that. What I haven’t heard from the other side is the fact that people can and will and do die because of the failure to deploy encryption, whether it is the battered spouse who is killed after her husband gets into her phone, whether it’s the person who’s shot for their phone, which would be a worthless brick if encryption were turned on, whether it’s the human rights activist in Burma—I can think of many, many other examples where thanks to encryption, people survive. So, are you willing to admit, Ms. Cordero and Mr. Jaffer, that encryption saves lives as well?” (audience member Kevin Bankston, Open Technology Institute, 35:38-36:43).
“Any public debate should account for international human rights law and that includes the right to freedom of expression, it includes the right to benefits of scientific progress, of which encryption and other digital advancements are and the UN Special Rapporteur on Freedom of Expression has addressed this issue and he is very concerned about efforts such as these to undermine digital security standards that encryption helps support. I think we need to take into account that international human rights law perspective as well, which the United States is itself trying to advance in many different fora. If we weaken that or don’t follow that ourselves, it’s definitely going to put us in a difficult spot when we try to advocate the same to repressive regimes such as China” (McKune, 1:08:59-1:09:47).
“We have not gone dark. We are simply going from what is the best Golden Age of Surveillance to…the Silver Age of Surveillance. Because it is still so much more surveillance and so much more access than the government has ever had to the communications of everybody including criminals than it had prior to the internet or even prior to encryption” (audience member, 1:12:56-1:13:25).
To watch the full debate of “What is the Law and What Should it Be?” and other Crypto Summit panels, go to https://www.accessnow.org/page/content/crypto-summit/#program.

Monday, 27 July 2015

EPIC Files Complaint Against Uber's Approach to Privacy

Lately, Uber has been making headlines worldwide—a suspension in France, protests in South Africa, the defeat of a mayor in New York City.

The world is embroiled in a debate over the extent to which Uber should coexist with traditional taxi services and the louder the conversation becomes, the more distracted users are from the real issue: privacy.

Yes, Uber can feel like a win-win for driver and passenger alike, but its convenience comes at a cost.

Last month, the Electronic Privacy Information Center (EPIC) filed a complaint with the United States Federal Trade Commission regarding the presentation and content of Uber’s revised Privacy Policy, which went into effect July 15. The complaint criticized as deceptive a May 28 statement from Uber which claimed “users will be in control: they will be able to choose whether to share the data with Uber” when in fact, several clauses of the Privacy Policy show just how little control users have over their data. 

Farewell, privacy: Uber's permissions for Android
Of note, Uber retains the right to track user location, regardless of permissions, and Android users must opt in to all data requests in order to use the service:

  • If you permit the Uber app to access location services through the permission system used by your mobile operating system (“platform”), we may also collect the precise location of your device when the app is running in the foreground or background. We may also derive your approximate location from your IP address.

  • The iOS platform will alert you the first time the Uber app wants permission to access certain types of data and will let you consent (or not consent) to that request. Android devices will notify you of the permissions that the Uber app seeks before you first use the app, and your use of the app constitutes your consent.
 
EPIC has further taken issue with Uber’s excessive collection of data, which ranges from contacts in a user’s phone to device information to permanent log records, especially given the young company’s questionable record regarding security, which includes launch parties that share private data and a 2014 breach of drivers’ records that took 4 months to discover and another 5 months to disclose.

Recent breaches from Anthem to OPM prove that hackers know where to go for data that matters. Uber’s database of 8 million users worldwide has been described as “a sitting duck for hackers” and as its record of who-went-where-when-and-with-whom-and-what balloons, it only grows more desirable.

EPIC’s request includes an investigation into Uber’s business practices, a cessation of contact information collection and the deletion of location data upon trip completion, measures that would make Uber’s database far less attractive to hackers and far less marketable for the company itself.

Because, who knows what Uber might do with all that data? Determine the best city for a one-night stand? Orchestrate a massive political campaign? Offer it to the mayor of New York? The possibilities are endless.

Thursday, 23 July 2015

Ashley Madison Breach Redefines Ethical Hacking

Hackers known as the Impact Team have compromised the personal information of 37 million members of cheating website Ashley Madison. To date, two users' personal information has been revealed.
Krebs on Security revealed part of the Impact Team's message.

The Impact Team's motivation? To shut the website down.

At issue is Ashley Madison's "full delete" feature, an option that charges users to remove all evidence of their existence from the website. 

According to Krebs on Security, the Impact Team justified their actions: “Full Delete netted ALM $1.7mm in revenue in 2014. It’s also a complete lie. Users almost always pay with credit card; their purchase details are not removed as promised, and include real name and address, which is of course the most important information the users want removed.

“Avid Life Media has been instructed to take Ashley Madison and Established Men offline permanently in all forms, or we will release all customer records, including profiles with all the customers’ secret sexual fantasies and matching credit card transactions, real names and addresses, and employee documents and emails. The other websites may stay online.”

Ashley Madison countered the claim in a July 20 acknowledgement of the hack: “Contrary to current media reports, and based on accusations posted online by a cyber criminal, the “paid-delete” option offered by AshleyMadison.com does in fact remove all information related to a member’s profile and communications activity. The process involves a hard-delete of a requesting user’s profile, including the removal of posted pictures and all messages sent to other system users’ email boxes.” 

A closer look reveals “full delete” is just the tip of Ashley Madison’s privacy shortcomings.

In a 2012 Inc. interview, Ashley Madison founder and CEO Noel Biderman referred to his website as a “sociology experiment” and to himself as the “gatekeeper” of its data: “We realized we have so much anonymous data and we could go through our data to show the true reasons men and women have affairs, what their demographics are, whether there really is a two-year itch or a seven-year-itch.”

The fact is, hacked or not, users of Ashley Madison have long been defined by their data. Ashley Madison’s media page is littered with analyses of aggregate data. For South Africa alone, which has 175,000 users, the company has published information about when men and women log in, the search terms they use and the neighborhoods of Cape Town in which they predominate.

Even more disconcerting, the data has not been kept in-house. South Africa’s Dr. Eve, a couples and sex therapist, made no secret of her relationship with Ashley Madison in 2014: “In the last 18 months I have been privileged to be utilizing the database of AM for my research into Cyber Infidelity.” Dr. Eve’s research resulted in Cyber Infidelity: The New Seduction, a book that describes Ashley Madison as Dr. Eve’s “new home” and features Biderman’s praise on the front cover.

Biderman once boasted, “We’ll help you meet someone and not get caught. If you want to be clandestine, we’re an intelligent choice.” His assertion now rings hollow.

The Impact Team has asked Ashley Madison to make a choice: shut down or risk users’ privacy. Given its previous treatment of user data and lack of reaction to what has been leaked so far, Ashley Madison appears to be choosing self-interest over privacy, lending a whole new meaning to “the most recognized name in infidelity.”

Friday, 17 July 2015

Airbnb’s Kindness Campaign Overlooks Unkind Privacy Policy

Go look through their windows so you can understand their views.
Sit at their tables so you can share their tastes.
Sleep in their beds so you may know their dreams.

Airbnb’s recent ad campaign purports to explore the kindness of strangers but comes across as a little, well, unsettling.

Airbnb has defended its campaign: “Kindness is the foundation of our entire community—Airbnb hosts aren’t just sharing their homes, they’re sharing part of themselves. When guests open their doors, they’re opening their hearts and minds as well.”

In the words of Airbnb co-founder Brian Chesky, “The breakthrough of Airbnb is that it does more than give you a place to sleep—it changes the way you experience the world because when we trust in the kindness of our fellow man, we discover that the world isn’t such a scary place after all.”

All this talk of kindness is enough to make you forget that Airbnb is also a successful venture capital-backed startup, valued at $25.5 billion and third to Uber and China’s Xiaomi Corp. Its ability to raise $1.5 billion in a private funding round last month was a feat that has been matched only by Uber, China’s Alibaba, and Facebook.

Airbnb’s website boasts more than 35 million guests and 1.2 million listings in more than 34,000 cities and 190 countries worldwide. Airbnb is big and is only expected to get bigger, which is perhaps why the company has chosen to focus on kindness rather than the implications of having a significant portion of the world’s population on its platform.

Nearly simultaneous with the kindness campaign, Airbnb released updated versions of its Terms of Service and Privacy Policy earlier this month, which went into effect for new users July 6 and will go into effect for existing users on August 6.

The Privacy Policy includes few changes and is hardly unique, but is a good reminder of how far from private data can be when engaging with a global platform. Of note:

Airbnb collects and analyzes your information whether you are logged in or not: “Airbnb uses cookies and other similar technologies, such as mobile application identifiers, on the Platform. We may also allow our business partners to use their cookies and other tracking technologies on the Platform. As a result, when you access or use the Platform, you will provide or make available certain information to us and to our business partners. While you may disable the usage of cookies through your browser settings, we do not change our practices in response to a "Do Not Track" signal in the HTTP header from your browser or mobile application.”

“By using the Platform, you consent that Airbnb, in its sole discretion, may, either directly or through third party companies and individuals we engage to provide services to us, review, scan, analyze, and store your communications, whether done manually or through automated means.”

“We may also receive, store and process Log Data, which is information that is automatically recorded by our servers whenever you access or use the Platform, regardless of whether you are registered with Airbnb or logged in to your Airbnb account, such as your IP Address, the date and time you access or use the Platform, the hardware and software you are using, referring and exit pages and URLs, the number of clicks, pages viewed and the order of those pages, and the amount of time spent on particular pages.”

Facebook and Google are likely sharing and collecting your information as well: “We receive, store and process information that you make available to us when accessing or using our Platform and Services. Examples include when you link your account on a third party site (e.g. Facebook) to your Airbnb account, in which case we will obtain the Personal Information that you have provided to the third party site, to the extent allowed by your settings with the third party site and authorized by you.”

“Some portions of the Platform implement Google Maps/Earth mapping services, including Google Maps API(s). Your use of Google Maps/Earth is subject to Google's terms of use and Google's privacy policy, as may be amended by Google from time to time.”

Airbnb is prepared to share your information with the government: “We will use commercially reasonable efforts to notify users about law enforcement requests for their data unless providing notice is prohibited by the legal process itself, by court order we receive, or by applicable law; or based on information supplied by law enforcement, we, in our sole discretion, believe: (a) that providing notice could create a risk of injury or death to an individual or group of individuals, (b) that the case involves potential harm to minors, or (c) that harm or fraud could be directed to Airbnb, its Members, the Platform, or Services.”

Your information is Airbnb’s asset to sell: “If Airbnb undertakes or is involved in any merger, acquisition, reorganization, sale of assets or bankruptcy or insolvency event, then we may sell, transfer or share some or all of our assets, including your Personal Information. In this event, we will notify you before your Personal Information is transferred and becomes subject to a different privacy policy.”

Airbnb claims no responsibility for your privacy: “No method of transmission over the Internet, and no method of storing electronic information, can be 100% secure. So, we cannot guarantee the absolute security of your transmissions to us and of your Personal Information that we store.”

What is most significant about Airbnb’s Privacy Policy is how commonplace it has become. The websites users around the globe have come to rely upon for everyday life are collecting, analyzing, sharing and selling our Personal Information—and making a tremendous profit in the process. If Airbnb’s kindness campaign comes across as a bit unsettling, it’s because we—the data subjects—know just what it feels like to have our windows looked through, our tables sat at and our beds slept in. Kindness, to us, is the opportunity to choose whom we invite into our lives.