Article 43

 

Broadband Privacy

Tuesday, January 14, 2014

My Leaked Apple Email Address

The mail logs gleaned some interesting stuff today.

A few spams allegedly from American Express were sent to my Apple Store email address.

The alarming part is that email address is used only for purchases from the Apple Store.

Until now I guess.

Jan 14 11:32:16 sendmail[17633]: xxx: from=<AmericanExpress@welcome.aexp.com>, size=13616, class=0, nrcpts=1, msgid=<yyy@mymailserver>, proto=ESMTP, daemon=MTA, relay=[5.239.152.216]

Jan 14 11:32:20 spamd[30436]: spamd: result: Y 8 RCVD_ILLEGAL_IP, RCVD_IN_HOSTKARMA_BL, RCVD_IN_PSBL, RDNS_NONE scantime=4.8, size=14223, rhost=mymailserver,raddr=127.0.0.1, rport=12345, mid=<yyy@mymailserver>, tests=RCVD_ILLEGAL_IP, RCVD_IN_HOSTKARMA_BL, RCVD_IN_PSBL, RDNS_NONE

Jan 14 11:32:20 sendmail[17633]: xxx: to=<my-apple-store-email-address>

The question is how did that email address get shared?

Was it sold/given away, was somebody’s database broken into, or did phishers find it by accident?

Better check that credit card.
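As an added example (not part of the post above), here is how the three log entries can be correlated automatically: sendmail’s from= and to= lines share a queue id, spamd’s result line shares the msgid, so a single-purpose address can be checked against the only sender domain it was ever handed out to. The sample log, the recipient address, the queue ids and the apple.example receipt sender are constructed placeholders; only the American Express entry follows the post’s own lines.

```python
import re
from dataclasses import dataclass, field

# Constructed sample log, modelled on the three lines in the post. The queue ids ("xxx",
# "zzz"), msgids, the recipient and the apple.example receipt are placeholders; the
# American Express entry reproduces the post's own line.
SAMPLE_LOG = """\
Jan 14 11:32:16 sendmail[17633]: xxx: from=<AmericanExpress@welcome.aexp.com>, size=13616, class=0, nrcpts=1, msgid=<yyy@mymailserver>, proto=ESMTP, daemon=MTA, relay=[5.239.152.216]
Jan 14 11:32:20 spamd[30436]: spamd: result: Y 8 RCVD_ILLEGAL_IP, RCVD_IN_HOSTKARMA_BL, RCVD_IN_PSBL, RDNS_NONE scantime=4.8, size=14223, rhost=mymailserver,raddr=127.0.0.1, rport=12345, mid=<yyy@mymailserver>, tests=RCVD_ILLEGAL_IP, RCVD_IN_HOSTKARMA_BL, RCVD_IN_PSBL, RDNS_NONE
Jan 14 11:32:20 sendmail[17633]: xxx: to=<purchases@mymailserver>, delay=00:00:04, mailer=local, stat=Sent
Jan 13 09:02:11 sendmail[17001]: zzz: from=<receipts@store.apple.example>, size=9000, class=0, nrcpts=1, msgid=<abc@store.apple.example>, proto=ESMTP, daemon=MTA, relay=mail.apple.example [192.0.2.10]
Jan 13 09:02:12 spamd[30436]: spamd: result: . -1 BAYES_00 scantime=0.9, size=9100, rhost=mymailserver,raddr=127.0.0.1, rport=12346, mid=<abc@store.apple.example>, tests=BAYES_00
Jan 13 09:02:12 sendmail[17001]: zzz: to=<purchases@mymailserver>, delay=00:00:01, mailer=local, stat=Sent
"""

# Single-purpose addresses and the sender domains each was handed out to (constructed).
POLICY = {"purchases@mymailserver": {"apple.example"}}

FROM_RE = re.compile(r"sendmail\[\d+\]: (?P<qid>\S+): from=<(?P<sender>[^>]*)>.*?"
                     r"msgid=<(?P<msgid>[^>]+)>.*?relay=(?P<relay>\S+)")
TO_RE = re.compile(r"sendmail\[\d+\]: (?P<qid>\S+): to=<(?P<rcpt>[^>]+)>")
SPAMD_RE = re.compile(r"spamd: result: (?P<verdict>[Y.]) (?P<score>-?\d+) (?P<tests>.*?) "
                      r"scantime=.*?mid=<(?P<msgid>[^>]+)>")

@dataclass
class Message:
    qid: str
    sender: str = ""
    msgid: str = ""
    relay: str = ""
    recipients: list = field(default_factory=list)
    spam: bool = False          # spamd verdict ("Y" = tagged as spam)
    score: int = 0
    tests: list = field(default_factory=list)

def sender_allowed(address: str, allowed_domains: set) -> bool:
    """True if the sender's domain is an allowed domain or a subdomain of one."""
    dom = address.rsplit("@", 1)[-1].lower()
    return any(dom == a or dom.endswith("." + a) for a in allowed_domains)

def correlate(log_text: str) -> dict:
    """Join the line types: sendmail from=/to= share a queue id, spamd shares the msgid."""
    by_qid, by_msgid, spamd = {}, {}, {}
    for line in log_text.splitlines():
        if m := FROM_RE.search(line):
            msg = by_qid.setdefault(m["qid"], Message(m["qid"]))
            msg.sender, msg.msgid, msg.relay = m["sender"], m["msgid"], m["relay"]
            by_msgid[msg.msgid] = msg
        elif m := TO_RE.search(line):
            by_qid.setdefault(m["qid"], Message(m["qid"])).recipients.append(m["rcpt"])
        elif m := SPAMD_RE.search(line):
            spamd[m["msgid"]] = m
    for msgid, m in spamd.items():  # spamd may log before or after sendmail's own lines
        if msg := by_msgid.get(msgid):
            msg.spam, msg.score = m["verdict"] == "Y", int(m["score"])
            msg.tests = [t for t in re.split(r"[,\s]+", m["tests"].strip("- ")) if t]
    return by_qid

def find_leaks(log_text: str, policy: dict) -> list:
    """Alert on a single-purpose recipient reached from a sender domain not on its list."""
    alerts = []
    for msg in correlate(log_text).values():
        for rcpt in msg.recipients:
            allowed = policy.get(rcpt.lower())
            if allowed is not None and not sender_allowed(msg.sender, allowed):
                alerts.append({"recipient": rcpt, "sender": msg.sender, "relay": msg.relay,
                               "spam": msg.spam, "score": msg.score, "tests": msg.tests})
    return alerts

if __name__ == "__main__":
    for a in find_leaks(SAMPLE_LOG, POLICY):
        print(f"ALERT {a['recipient']} <- {a['sender']} via {a['relay']}, "
              f"spamd score {a['score']}: {', '.join(a['tests'])}")
```

The alert fires on the sender domain alone, so it catches the case even when spamd scores the message as clean; the spamd tests are attached only to make the alert easier to triage.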

Posted by Elvis on 01/14/14 •
Section Privacy And Rights • Section Broadband Privacy

Saturday, October 05, 2013

Google Browser Spy Cam


Google Switches On Browser Spy Cam in Chrome

By Paul Wagenseil
Tech News Daily
August 1, 2013

Google’s frequent Chrome browser updates are rarely exciting, but one new feature built into the latest version ought to wake you up.

Chrome 21, released July 31, fully implements WebRTC (for “real-time communication”), a new standard that lets websites and Web applications use your computer’s camera and microphone - all the better to see and hear you with, of course.

Previously, websites and apps had to use browser plug-ins such as Adobe Flash Player or Microsoft Silverlight for audio and video interaction with the user.

WebRTC leverages the powers of HTML5, the next generation of code underlying the Web, to build multimedia features directly into the browser. Google’s Chrome blog already points to a couple of fun sites that let you take your picture with the browser or play a virtual xylophone.

That all sounds great, but there doesn’t seem to be any way to disable WebRTC in Chrome 21.

An email seeking clarification from Google was not immediately returned.

“This is a standard JavaScript API [application-platform interface], and just like other JavaScript components cannot be enabled/disabled by itself,” said Johannes Ullrich, chief technical officer at the SANS Technology Institute’s Internet Storm Center. “You would have to compile your own custom version of Chrome.”

Chrome requires websites and apps to ask the user’s permission to access the camera and microphone. Yet any good hacker will tell you it’s just a matter of time before someone finds a way around that and uses WebRTC to have an unauthorized look at what people are doing in front of their computers.

To be fair, WebRTC may not be any less secure than what it’s replacing.

“The risk isn’t really larger than having Flash installed (of course, more and more people disable or do not install Flash),” Ullrich told SecurityNewsDaily via email. “Flash already had the ability to access the camera and microphone, and had some vulnerabilities that allowed websites to trick the user into enabling the camera/microphone via clickjacking.”

Besides Chrome, only the forward-looking Opera browser has implemented WebRTC. Mozilla Firefox and Microsoft Internet Explorer are working on including it in future versions.

Chrome users concerned about their privacy can’t simply refuse to update to Chrome 21, because Chrome automatically updates itself. (For the technically skilled, there are ways to turn automatic updating off.)

If you’re worried, put black tape over your Webcam when you’re not using it. If you’re using a desktop PC, there may be a way to disconnect the built-in microphone.

Chrome 21 also fixed 26 different, mostly moderate, security flaws. The single one rated “critical” is related to a tab-handling issue found only in the Linux version of the browser.

Most of the other flaws apply to all versions of Chrome, and are rated as “low” to “high” threats.

UPDATE: A spokeswoman for Google told SecurityNewsDaily in an email, “We are working closely with the W3C [World Wide Web Consortium] to ensure there is a high standard of security and transparency with the GetUserMedia API [which enables WebRTC in Chrome], including ensuring the user is in control of whether and how media is used, and to make any usage transparent through in-product notifications.

“For example,” she said, “the user needs to give permission for a site to use the camera by clicking ‘allow’ and a persistent notification that the camera is turned on will be present until the camera is turned off to remind users.”

As for whether malicious actors could access the camera or microphone surreptitiously, “Because both the user consent (infobar) and notification mechanisms (system tray and persistent bubble) are in the browser, it’s isolated from website content and therefore much harder to be broken by malicious sites.”

SOURCE

Posted by Elvis on 10/05/13 •

Lavabit


Cheeky Lavabit *did* hand over crypto keys to US government after all - printed in a 4-point font

By Paul Duncan
Naked Security
October 4, 2013

Just under two months ago, we wrote about the closure of secure email service Lavabit.

Lavabit’s founder, Ladar Levison, explained that he was in a spot of legal bother that made it impossible for him to continue to operate with a clear conscience, so he would suspend the service.

He also noted that, much as he wanted to, he couldn’t give details about said legal bother.

All he could do was to point out that he had lodged an appeal and hoped to open up the service again one day.

Of course, the smart money was that law enforcement wanted access to data belonging to a certain Mr Edward Snowden, the National Security Agency (NSA) whistleblower, who was known to be a Lavabit user.

We hedged our bets on Naked Security, since the only thing we knew we knew was that we didn’t know whether the kerfuffle involved Snowden at all.

But recently unsealed court documents [PDF, 162 pages, 16MB] now tell a bit more of the story.

The name Snowden is still mentioned only in passing (various redactions have suppressed names throughout the unsealed documents).

So we still don’t have official confirmation that Snowden, amongst others, was the target of the investigation.


That, however, hardly matters any more.

What matters is the intriguing tale of the court requiring Lavabit to hand over its SSL private keys, and Lavabit arguing that it ought not to comply, since that would give access to all messages to and from all customers, which would be unfair and unreasonable.

Very greatly simplified (and I hope I have not oversimplified to the point of misunderstanding), the court wanted Lavabit to enable law enforcement to intercept so-called email metadata for a particular user.

But due to the use of SSL/TLS at all times, with data kept encrypted in transit and at rest, even accessing mail headers was no simple matter - unless law enforcement were given Lavabit’s private keys.

(A MiTM, or man-in-the-middle, attack on encrypted traffic is trivial if you have all the encryption keys and certificates to use “in the middle”.)

Eventually, Lavabit had little choice but to comply, turning over five SSL private keys.

It still wasn’t game over for Lavabit users’ privacy, however, because Levison gamely supplied the cryptographic material in printed form, stretched over 11 pages in a four-point font.


To say that the law enforcement officers were underwhelmed is the understatement of the year, and matters were soon back in court, with “handing over the keys” quickly redefined to mean, “handing over the keys as computer-readable PEM files suitable for immediate use, and no more mucking around.”

Indeed, to guard against further stalling tactics, the government petitioned the court to fine Levison $5000 for every day he continued to dither.

At this point, Levison folded and complied, but pulled the plug on Lavabit at the same time, and that was that for the men-in-the-middle.

The New York Times reports that a prosecutor referred to the abrupt shutdown of Lavabit as “just short of a criminal act,” but, then, nearly-a-crime isn’t actually a crime.

What can we learn from this?

Aside, of course, from the fact that the government didn’t let up for a minute, giving back in court to Lavabit as good as it got - better, in fact, were it not for Levison’s confounded coup de grâce.

To me, one of the most interesting aspects of this story is the recognition by a non-tech-savvy court that at least part of the problem was the regrettable fact that Lavabit would need to put the privacy of 400,000 users at risk to secure the lawful surveillance of just one person.

As the court pointed out (this is a transcript, not a written judgement):

[Y]ou’re blaming the government for something that’s overbroad [the requirement to hand over the all-revealing SSL keys], but it seems to me that your client is the one that set up the system that’s designed not to protect that information, because you know that there needs to be access to calls that go back and forth to one person or another. And to say you can’t do that just because you’ve set up a system that everybody has to—has to be unencrypted, [read: in which all users are encrypted in the same way] if there’s such a word, that doesn’t seem to me to be a very persuasive argument.

In short, the court is as good as saying, “If you wanted to come up with this ‘but what about the privacy of all the 399,999 other users’ argument, why didn’t you implement the system so their individual privacy was better protected?”

After all, Lavabit could have taken an approach more like the one used by Kiwi internet showman Kim Dotcom’s Mega service, so that each user’s encrypted traffic and content could stand (or fall) alone.

Of course, that wouldn’t have stopped Levison shuttering the entire service, effectively DDoSing all his users to protect the privacy of one of them.

But from a cryptographic point of view, it would have made a lot more sense to me.

SOURCE

Posted by Elvis on 10/05/13 •

Sunday, July 07, 2013

For Sale - Your Cell Phone Records


AT&T has announced that it will begin selling customers’ smart phone data to the highest bidder, putting the telecommunications giant in line with Verizon, Facebook and other competitors that quietly use a consumer’s history for marketing purposes.

RT news
July 6, 2013

The company claims its new privacy policy, to be updated within “the next few weeks,” exists to deliver “more relevant advertising” to users based on which apps they use and their location, which is provided by GPS-tracking. Apparently recognizing the natural privacy concerns a customer might have, AT&T assured the public that all data would be aggregated and made anonymous to prevent individual identification.

A letter to customers, for instance, described how someone identified as a movie fan will be sent personalized ads for a nearby cinema.

“People who live in a particular geographic area might appear to be very interested in movies, thanks to collective information that shows wireless devices from that area are often located in the vicinity of movie theaters,” the letter states. “We might create a ‘movie’ characteristic for that area, and deliver movie ads to the people who live there.”

A June 28 blog post from AT&T’s chief privacy officer Bob Quinn said the new policy will focus on “Providing You Service and Improving Our Network and Services,” but the online reaction has been overwhelmingly negative, with many customers looking for a way to avoid the new conditions.

“You require that we allow you to store a persistent cookie of your choosing in our web browsers to ‘opt-out’,” one person wrote. “No mention of how other HTTP clients, such as email clients, can opt out. If you really did care about your customers, you would provide a way for us to opt out all traffic to/from our connection and mobile devices in one easy setting.”

One problem for any customer hoping for a new service is the lack of options, smartphone or otherwise. Facebook, Google, Twitter and Verizon each store consumer data for purposes that have not yet been made clear. And because of the profit potential that exists when a customer blindly trusts a company with their data, small Internet start-ups, including AirSage and many others, have developed a way to streamline information into dollars.

The nefarious aspect of AT&T’s announcement is underscored by the recent headlines around the National Security Agency, which has spent years compelling wireless corporations to hand over data collected on millions of Americans. Unfortunately for the privacy of those concerned, AT&T’s new policy may only be a sign of things to come.

“Instead of merely offering customers a trusted conduit for communication, carriers are coming to see subscribers as sources of data that can be mined for profit, a practice more common among providers of free online services like Google and Facebook,” the Wall Street Journal wrote about the matter in May.

SOURCE

Posted by Elvis on 07/07/13 •

Thursday, June 06, 2013

Warrantless Wiretapping - Verizon


By Glenn Greenwald
The Guardian
June 5, 2013

NSA collecting phone records of millions of Verizon customers daily
Top secret court order requiring Verizon to hand over all call data shows scale of domestic surveillance under Obama

The National Security Agency is currently collecting the telephone records of millions of US customers of Verizon, one of America’s largest telecoms providers, under a top secret court order issued in April.

The order, a copy of which has been obtained by the Guardian, requires Verizon on an “ongoing, daily basis” to give the NSA information on all telephone calls in its systems, both within the US and between the US and other countries.

The document shows for the first time that under the Obama administration the communication records of millions of US citizens are being collected indiscriminately and in bulk - regardless of whether they are suspected of any wrongdoing.

The secret Foreign Intelligence Surveillance Court (FISA) granted the order to the FBI on April 25, giving the government unlimited authority to obtain the data for a specified three-month period ending on July 19.

Under the terms of the blanket order, the numbers of both parties on a call are handed over, as is location data, call duration, unique identifiers, and the time and duration of all calls. The contents of the conversation itself are not covered.

The disclosure is likely to reignite longstanding debates in the US over the proper extent of the government’s domestic spying powers.

Under the Bush administration, officials in security agencies had disclosed to reporters the large-scale collection of call records data by the NSA, but this is the first time significant and top-secret documents have revealed the continuation of the practice on a massive scale under President Obama.

The unlimited nature of the records being handed over to the NSA is extremely unusual. FISA court orders typically direct the production of records pertaining to a specific named target who is suspected of being an agent of a terrorist group or foreign state, or a finite set of individually named targets.

The Guardian approached the National Security Agency, the White House and the Department of Justice for comment in advance of publication on Wednesday. All declined. The agencies were also offered the opportunity to raise specific security concerns regarding the publication of the court order.

The court order expressly bars Verizon from disclosing to the public either the existence of the FBI’s request for its customers’ records, or the court order itself.

“We decline comment,” said Ed McFadden, a Washington-based Verizon spokesman.

The order, signed by Judge Roger Vinson, compels Verizon to produce to the NSA electronic copies of “all call detail records or ‘telephony metadata’ created by Verizon for communications between the United States and abroad” or “wholly within the United States, including local telephone calls”.

The order directs Verizon to “continue production on an ongoing daily basis thereafter for the duration of this order”. It specifies that the records to be produced include “session identifying information”, such as “originating and terminating number”, the duration of each call, telephone calling card numbers, trunk identifiers, International Mobile Subscriber Identity (IMSI) number, and “comprehensive communication routing information”.

The information is classed as “metadata”, or transactional information, rather than communications, and so does not require individual warrants to access. The document also specifies that such “metadata” is not limited to the aforementioned items. A 2005 court ruling judged that cell site location data - the nearest cell tower a phone was connected to - was also transactional data, and so could potentially fall under the scope of the order.

While the order itself does not include either the contents of messages or the personal information of the subscriber of any particular cell number, its collection would allow the NSA to build easily a comprehensive picture of who any individual contacted, how and when, and possibly from where, retrospectively.

It is not known whether Verizon is the only cell-phone provider to be targeted with such an order, although previous reporting has suggested the NSA has collected cell records from all major mobile networks. It is also unclear from the leaked document whether the three-month order was a one-off, or the latest in a series of similar orders.

The court order appears to explain the numerous cryptic public warnings by two US senators, Ron Wyden and Mark Udall, about the scope of the Obama administration’s surveillance activities.

For roughly two years, the two Democrats have been stridently advising the public that the US government is relying on “secret legal interpretations” to claim surveillance powers so broad that the American public would be “stunned” to learn of the kind of domestic spying being conducted.

Because those activities are classified, the senators, both members of the Senate intelligence committee, have been prevented from specifying which domestic surveillance programs they find so alarming. But the information they have been able to disclose in their public warnings perfectly tracks both the specific law cited by the April 25 court order as well as the vast scope of record-gathering it authorized.

Julian Sanchez, a surveillance expert with the Cato Institute, explained: “We’ve certainly seen the government increasingly strain the bounds of ‘relevance’ to collect large numbers of records at once - everyone at one or two degrees of separation from a target - but vacuuming all metadata up indiscriminately would be an extraordinary repudiation of any pretence of constraint or particularized suspicion.” The April order requested by the FBI and NSA does precisely that.

The law on which the order explicitly relies is the so-called “business records” provision of the Patriot Act, 50 USC section 1861. That is the provision which Wyden and Udall have repeatedly cited when warning the public of what they believe is the Obama administration’s extreme interpretation of the law to engage in excessive domestic surveillance.

In a letter to attorney general Eric Holder last year, they argued that “there is now a significant gap between what most Americans think the law allows and what the government secretly claims the law allows.”

“We believe,” they wrote, “that most Americans would be stunned to learn the details of how these secret court opinions have interpreted” the “business records” provision of the Patriot Act.

Privacy advocates have long warned that allowing the government to collect and store unlimited “metadata” is a highly invasive form of surveillance of citizens’ communications activities. Those records enable the government to know the identity of every person with whom an individual communicates electronically, how long they spoke, and their location at the time of the communication.

Such metadata is what the US government has long attempted to obtain in order to discover an individual’s network of associations and communication patterns. The request for the bulk collection of all Verizon domestic telephone records indicates that the agency is continuing some version of the data-mining program begun by the Bush administration in the immediate aftermath of the 9/11 attack.

The NSA, as part of a program secretly authorized by President Bush on 4 October 2001, implemented a bulk collection program of domestic telephone, internet and email records. A furore erupted in 2006 when USA Today reported that the NSA had “been secretly collecting the phone call records of tens of millions of Americans, using data provided by AT&T, Verizon and BellSouth” and was “using the data to analyze calling patterns in an effort to detect terrorist activity.” Until now, there has been no indication that the Obama administration implemented a similar program.

These recent events reflect how profoundly the NSA’s mission has transformed from an agency exclusively devoted to foreign intelligence gathering, into one that focuses increasingly on domestic communications. A 30-year employee of the NSA, William Binney, resigned from the agency shortly after 9/11 in protest at the agency’s focus on domestic activities.

In the mid-1970s, Congress, for the first time, investigated the surveillance activities of the US government. Back then, the mandate of the NSA was that it would never direct its surveillance apparatus domestically.

At the conclusion of that investigation, Frank Church, the Democratic senator from Idaho who chaired the investigative committee, warned: “The NSA’s capability at any time could be turned around on the American people, and no American would have any privacy left, such is the capability to monitor everything: telephone conversations, telegrams, it doesn’t matter.”

Additional reporting by Ewen MacAskill and Spencer Ackerman

SOURCE

Posted by Elvis on 06/06/13 •