Mobile Privacy October 12, 2012Posted by Heather Mark in InfoSec & Privacy, Laws and Leglslation, privacy.
Tags: Dr. Heather Mark, Heather Mark, Location Privacy Protection Act, mark consulting group, mobile privacy, privacy
add a comment
Smartphones have changed the way we interact with our world. They’ve introduced a new level of convenience, but they’ve also introduced a new potential threat to our privacy. As consumers, we should be informed about the choices that we make on our smartphones and how they might impact us. For example, I upgraded my iPhone to iOS 6 this afternoon. (I know. I’m a little late on that one.) Anyway, when I was done I got two prompts. The first asked if I wanted to enable location services. I said yes, knowing that meant that 1) I could use the “find my phone” app, as well as many other apps that come in handy for a frequent traveler, and; 2) that it meant that Apple would have access to my location data. The next prompt suggested that Apple could improve its products and services if I just allowed my phone to send occasional reports to headquarters. That one I declined. I don’t necessarily want Apple to have access to all of my activities on my smartphone.
Now, I’m not naive enough to believe that my simple selection means that I have safely secured my data and mobile behavior entirely. There are companies that are taking advantage of the fact that privacy laws have not kept pace with technology. We know for example, that there are companies that offer device fingerprinting services for fraud prevention that also happen to sell mobile device behavior analytics to marketers. Consumers don’t have any way of knowing that their behavior is being tracked and they have no way to opt out.
This week, Sen. Franken (D-Minn) and Sen. Blumenthal (D-Conn) introduced a bill designed to protect mobile privacy. The Location Privacy Protection Act of 2011 is meant to protect consumer privacy by informing users of how and with whom their location data is shared. There are four primary requirements of the bill. Distilled to their basics, those requirements are:
1) Gain consumer consent before collecting location data
2) Get consumer consent before sharing that data
3) Assist in understanding and investigating crimes that involve the misuse of location data
4) create criminal penalties for those that abuse location services or use so-called “stalking apps.”
While I applaud the move to ensure that mobile users are protected from entities divulging their location without the knowledge or consent of the consumer, I wonder if the law goes far enough in protecting consumer privacy. What about those device fingerprinting activities? Do you think the proposed bill goes far enough? Too far? What would you like to see in terms of mobile privacy protection?
EMV: Payment Security Endzone? September 29, 2012Posted by Heather Mark in Industry News, PCI DSS.
Tags: 2010 Outback Bowl, Chip & PIN, College Gameday, Dr. Heather Mark, EMV, mark consulting group, PCI DSS, Western States Acquiring Association
1 comment so far
As I’m buckling down for another fun-filled day of college football, I’m drawn to compare the GameDay set to some of the panels I’ve recently seen. As Kirk, Lee, and the gang try to determine the best strategies for each team in their respective games, I think about my colleagues and myself sitting at the panel tables, trying to envision the best way to secure payment (and other sensitive) data without crushing our bottom lines. Okay – maybe it’s a bit of a stretch, but I needed a way to work college football into a post. Mission accomplished.
On a more serious note, though, I recently attended the Western States Acquiring Association conference in Huntington Beach. It was well-attended and had a number of interesting sessions. Not surprisingly, much of the talk centered around EMV, of Chip & PIN. Some wondered whether EMV meant the end of PCI DSS. Well, the answer to that question is a resounding “no.” The PCI SSC has already been adamant about the fact that the PCI DSS remains relevant, even in the face of advancing security technologies. (Insert your own commentary here.) In fact, there is legitimacy in the argument that is put forth here. Simply adding additional layers of authentication doesn’t change the type of data that is collected. In many cases, as we’ve seen with international adoption of the standard, it simply chases the fraud to other milieus – whether different geographic regions or different acceptance channels.
Additionally, we’ve seen evidence that Chip & PIN may not be as secure as we’d thought. Brian Krebs recently wrote an article highlighting research on a security flaw in the EMV technology. Supposition has it that thieves have been “quietly exploiting” this flaw to “skim” the data. That’s not to say that EMV is useless, but it’s not the exactly the impenetrable defense that some have made it out to be. Even the best defensive line sometimes gives up the big play.
So – to the question in the title – does EMV represent the winning score? My thought is that payment security is more like the 2010 Outback Bowl between Auburn and Northwestern. After a back and forth game that ended regulation play tied, the teams went on for five overtime periods that finally ended only when Auburn managed to wear their opponent down just shy of the goal-line. It was a long, brutal game and you really couldn’t tell who was going to win. You just gotta keep putting your best players on the field and keep those trick plays coming.
What do you think of EMV? Touchdown, fumble, or forward progress?
“Why does the FBI have your UDID (and 12.4 million more)?” FBI Laptop Hacked…1 million Apple IDS posted online September 4, 2012Posted by Chris Mark in cyberespionage, cybersecurity.
Tags: anonymous, Apple, Christopher Stangl, Cyber Action Team, data breach, fbi, Hacked, mark consulting group, UDID
add a comment
*UPDATE* It was reported yesterday that the FBI laptop was not, in fact, the source of UUIDs that were hacked. A company called Blue Toad revealed that it was the source of the stolen ids. It’s not clear how the data was stolen from Blue Toad or what, if any relationship exists between the company and the laptop that was first identified as the source of the breach.***
According to NBC News, hackers associated with the anti-government group AntiSec have hacked an FBI Agent’s laptop and posted over 1 million Apple Unique Device Identification Number or UDIDs online. The Apple UDID is used by Apple to determine what applications are running and to lock down the phones, IPads and computers from other applications. Alone, they do not represent personally identifiable information but However, New Zealand-based security researcher Aldo Cortesi has shown that thanks to disregard of Apple’s security guidelines by iOS game and app developers, it’s possible to determine a user’s identity through an UDID alone. According to the story:
“The Pastebin post claims that the UDIDs were stolen thanks to an Anonymous hack into the laptop of FBI agent Christopher Stangl, a member of a New York-based cybercrime task force. “During the second week of March 2012, a Dell Vostro notebook, used by Supervisor Special Agent Christopher K. Stangl from FBI Regional Cyber Action Team and New York FBI Office Evidence Response Team was breached using the AtomicReferenceArray vulnerability on Java,” the posting states. “During the shell session some files were downloaded from his Desktop folder one of them with the name of ‘NCFTA_iOS_devices_intel.csv’ turned to be a list of 12,367,232 Apple iOS devices including Unique Device Identifiers (UDID), user names, name of device, type of device, Apple Push Notification Service tokens, zipcodes, cellphone numbers, addresses, etc. the personal details fields referring to people appears many times empty leaving the whole list incompleted on many parts.”
Why the FBI has such a list of over 12 million UDIDs is an interesting question. Why the list would be on a laptop is another interesting question. To check whether your iPhone, iPad or iPod Touch’s UDID might be among those affected, a Unix developer based in Florida has already posted a tool: http://kimosabe.net/test.html
Tags: china, cyber espionage, cybercrime, cybersecurity, Hanjuan Jin, information security, mark consulting group, motorola, security
add a comment
According to a story in CIO, a former Motorola employee was sentenced to 4 years in prison for theft of trade secrets. For more information on the cyber espionage threat, you can read my article: “The Rise of CyberEspionage” published in The Counter Terrorist Magazine.
Below is an excerpt of the CIO article.
“Hanjuan Jin, 41, a nine-year Motorola software engineer, conducted a “purposeful raid to steal technology,” U.S. District Judge Ruben Castillo said while imposing the sentence, according to a statement by the department.
The Judge did not however find her guilty of three counts of economic espionage for the benefit of China and its military, although he found by a preponderance of the evidence, that Jin “was willing to betray her naturalized country,” according to the department. Jin had earlier been convicted by the court of three counts of theft of trade secrets.
Judge Castillo’s order was not immediately available on the website of the U.S. District Court for the Northern District of Illinois, Eastern Division where Jin was on trial.
Jin, who is a naturalized U.S. citizen born in China, was stopped from traveling on a one-way ticket to China on Feb. 28, 2007 at O’Hare International Airport by U.S. customs officials who are said to have seized from her possession more than 1,000 electronic and paper documents from Motorola.”
Companies need to be vigilant and understand that the same techniques used to steal national secrets are being employed in US businesses. While not exclusive to China, they certainly represent the greatest threat today.