TrueCaller and NumberBook

TrueCaller is an app that came out recently from Sweden. NumberBook is another app with the same concept as TrueCaller. These apps all came out in 2012, in the past 6 months. Both apps allow a person to look up anyone he or she is looking for, or the opposite: they search by a person’s phone number and the app gives you the name of the person who is calling you.

How do both apps work? And where do these apps get the information from?

The way these apps work is that when you download the app on your device, whether it is a smartphone or a PC, the software syncs the contacts you have on your device and publishes them. Another point is that the app publishes your most common name from the devices of people who have that app. For example, if your name is “Faris” and your name is Ben in the contacts list of three of your friends, and your name is “Faris Almathami” in two of your friends’ contacts lists, then your name in the app is going to be “Faris”.
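To make that sync-and-publish behaviour concrete, here is a small model of it added to this post as an illustration (it is not code from TrueCaller or NumberBook, whose internals are not public; the contact lists, names and numbers are constructed). It shows how a number ends up with the name saved most often for it, how a reverse lookup by name works, and that the number’s owner never has to upload anything for the entry to exist.

```python
from collections import Counter, defaultdict

# Constructed sample: each uploaded address book maps phone number -> saved name.
# The numbers and names are made up for this illustration.
UPLOADED_CONTACT_LISTS = [
    {"+15550001": "Ben", "+15550002": "Pizza Place"},
    {"+15550001": "Ben", "+15550002": "Mario's Pizza"},
    {"+15550001": "Ben"},
    {"+15550001": "Faris Almathami"},
    {"+15550001": "Faris Almathami"},
]


def build_directory(contact_lists):
    """Merge every uploaded address book into number -> Counter of saved names.

    The owner of a number never uploads anything: the entry exists because
    other people's phones synced their contacts.
    """
    votes = defaultdict(Counter)
    for book in contact_lists:
        for number, name in book.items():
            votes[number][name.strip()] += 1
    return votes


def lookup_name(directory, number):
    """Forward lookup: the name saved most often for this number, or None."""
    names = directory.get(number)
    if not names:
        return None
    return names.most_common(1)[0][0]


def lookup_number(directory, name):
    """Reverse lookup: every number that anyone has saved under this name."""
    wanted = name.strip().lower()
    return sorted(num for num, names in directory.items()
                  if any(saved.lower() == wanted for saved in names))


def exposure(directory, number):
    """How many address books leaked this number (the owner's consent plays no part)."""
    return sum(directory.get(number, Counter()).values())


if __name__ == "__main__":
    directory = build_directory(UPLOADED_CONTACT_LISTS)
    print(lookup_name(directory, "+15550001"))          # Ben (3 votes beat 2)
    print(lookup_number(directory, "faris almathami"))  # ['+15550001']
    print(exposure(directory, "+15550001"))             # 5
```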

The topic of TrueCaller and NumberBook is not only a security issue, as security people might think, but also a huge privacy issue. I think your phone number is something you wouldn’t like to share with everyone, especially if you are an important or famous person. These apps seem to be completely legal, but I think both apps break the privacy of too many people who have no way to stop other people from getting their numbers, or their names from their numbers.

I personally got an idea for people who want to change their names in these apps which is:

* Get about 10 different devices or more and make sure these devices don’t have any contacts in them.

* Save your number with a totally different name or just a weird one; for example, (Irvine’s boutique) or (In-n-out) or anything you think the person looking your number up would find weird.

* Save another contact that has your actual name, nickname or the name you think they would save you as in their devices, with a weird number like (1234567890) or just (1).

* Download both apps in all devices.

* Allow both apps to sync or save all contacts in all devices.

* Done – check.


http://articles.economictimes.indiatimes.com/2012-06-20/news/32337276_1_popular-app-phone-numbers-user-base

http://www.haplessgeek.com/2012/09/analyzed-true-caller.html

http://www.1mobile.com/numberbook-359806.html

Carrier IQ

About a month and a half ago it was revealed that tracking software has been pre-installed on over 141 million cell phones. The software, designed by Carrier IQ, is responsible for recording and reporting metrics to your phone carrier. This discovery forces a dialogue about the trust relationship established between customers and their carrier, and exactly how the carrier treats the information that is being stored. There have been many allegations about what exactly is being tracked by the software, some true and some more along the lines of half-truths.

As it turns out, Carrier IQ was intended to be a utility that allows a carrier to intelligently diagnose network and phone issues that a customer might be experiencing. For example, prior to the development of Carrier IQ, a carrier might only detect that 1 out of every 100 phone calls placed on its network is being dropped, when in reality it might be much closer to 8 or 9 calls out of those 100. This disparity between the actual numbers and the ones recorded by the carrier allowed Carrier IQ to see a possible use case, and it ended up meeting the needs of the carrier.

They haven’t explicitly admitted everything they track, but have specifically said that they track call drops correlated with GPS information, SMS information, web history and application/CPU usage.

Carrier IQ has made an effort to draw a line in the proverbial sand between what they do and do not want to collect from users. They say that they don’t collect any content, whether it be what was actually sent in an SMS text message or the contents of a webpage that you access. They do, however, track the metadata for your activity; this includes who you sent your SMS message to and whether it was successfully sent. The same can be said about your web history: they are tracking the URLs being accessed, not what is actually displayed on your screen.

Carrier IQ thinks that what they are collecting is harmless to the consumer, but a debate is now forming on what type of information should be okay to track and what really shouldn’t be. Carrier IQ has stated that they don’t capture the content of what the user is doing. Content is really an ambiguous term. Carrier IQ might not consider my URL history to be a private matter. I consider pretty much all of my usage history, sans maybe CPU utilization, to be a private matter (no matter how mundane my life really is). It’s something that really shouldn’t exist in a database somewhere, ready to be hacked, subpoenaed or looked at by a rogue employee who has decided that they want to know more about me. What becomes even more disconcerting is that this information is being tracked even while I am out of the country, on a Wi-Fi network not even connected to their cellular network.

Who knows, maybe I’m just being a paranoid parrot. Maybe no one really cares anymore about their privacy; it has been said by numerous individuals that “Privacy is dead – get over it.” I for one don’t like it and I think I’ll take my ball and go home. In all seriousness though, this software really should be industry vetted to make sure that it cannot be exploited by malicious individuals, and it should be established exactly what information each carrier is tracking and for how long. This would allow consumers to identify what tabs the carriers are keeping on their customers, which I’m sure most consumers won’t like, and allow free market forces to stifle the ones being over-exuberant with this tracking technology.

http://www.theverge.com/2011/12/5/2609662/carrier-iq-interview

http://www.wired.com/threatlevel/2011/11/rootkit-brouhaha/

http://www.edition.cnn.com/2011/12/02/tech/mobile/carrier-iq-reactions/

Anonymity Online Through The Tor Project

Since its release in 2002, Tor (short for The Onion Router) has been a system intended to enable online anonymity.

Tor client software routes Internet traffic through a worldwide volunteer network of servers in order to conceal a user’s location or usage from someone conducting network surveillance or traffic analysis. Using Tor makes it more difficult to trace Internet activity, including “visits to Web sites, online posts, instant messages and other communication forms”, to the user. It is intended to protect users’ personal freedom, privacy, and ability to conduct confidential business by keeping their internet activities from being monitored.
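Here is a small simulation of that layered routing, added to this post as an illustration (it is not Tor’s code; the “guard”, “middle” and “exit” names, the keys and the XOR-keystream toy cipher are constructed stand-ins for Tor’s real key exchange and ciphers). It shows why no single relay sees both who you are and where you are going.

```python
import hashlib
import hmac
import json

# Toy cipher: XOR with an HMAC-SHA256 keystream. It stands in for Tor's real
# ciphers only so this file is self-contained; never use it for real traffic.
def _keystream(key: bytes, length: int) -> bytes:
    out, block = b"", 0
    while len(out) < length:
        out += hmac.new(key, block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return out[:length]


def toy_encrypt(key: bytes, data: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, _keystream(key, len(data))))


toy_decrypt = toy_encrypt  # XOR with the same keystream undoes itself

# Constructed three-hop circuit; in Tor the keys come from a handshake with each relay.
RELAY_KEYS = {"guard": b"k-guard", "middle": b"k-middle", "exit": b"k-exit"}
CIRCUIT = ["guard", "middle", "exit"]


def build_onion(circuit, keys, destination, payload):
    """Client side: wrap the request in one layer per relay, innermost (exit) first.
    Each layer names only the next hop, so the destination is readable only
    inside the exit's layer."""
    next_hop, blob = destination, payload
    for hop in reversed(circuit):
        cell = json.dumps({"next": next_hop, "data": blob.hex()}).encode()
        blob = toy_encrypt(keys[hop], cell)
        next_hop = hop
    return blob  # handed to circuit[0], the guard


def run_circuit(circuit, keys, onion, client="client"):
    """Relay side: each relay peels its own layer and forwards the rest.
    Returns the destination, the payload the exit sends, and what each relay saw."""
    seen, prev, blob, next_hop = {}, client, onion, None
    for hop in circuit:
        cell = json.loads(toy_decrypt(keys[hop], blob).decode())
        next_hop = cell["next"]
        seen[hop] = {"from": prev, "to": next_hop}
        prev, blob = hop, bytes.fromhex(cell["data"])
    return next_hop, blob, seen


def links_client_to_destination(seen, destination, client="client"):
    """True only if one relay saw both endpoints, which the layering prevents."""
    return any(v["from"] == client and v["to"] == destination for v in seen.values())


if __name__ == "__main__":
    onion = build_onion(CIRCUIT, RELAY_KEYS, "example.org:443", b"GET / HTTP/1.1")
    dest, payload, seen = run_circuit(CIRCUIT, RELAY_KEYS, onion)
    print(dest, payload, seen)
    print(links_client_to_destination(seen, dest))  # False
```

The guard knows the client but only the middle relay as a destination; the exit knows the destination but only the middle relay as a source, which is the property the post describes.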


http://www.torproject.org/

I tried using Tor years ago and it seems somewhat practical, but effective for someone who would like anonymity online. The Tor client software can be run through virtually anything that uses the internet on your computer. The downside I found with it, though, was that sometimes it can cause slow speeds, due to running through other people who have slow internet. Also, the fact that you are volunteering yourself while on the Tor network might make some uneasy about using it.

Have any of you guys used Tor? And if not, do you think it is worth using to protect your privacy?

Black Boxes in Personal Vehicles

It is virtually impossible to buy a car these days without it containing at least one computer system. Cars are now being equipped with black boxes which monitor your driving, such as brake application, steering, etc. Information collected by the car could be used in a court of law, and essentially your car could be used to ‘testify against you’.

I know that they have been installing black boxes inside firetrucks, and they log everything that happens when the truck is turned on, such as its speed, brake application, and whether or not everyone’s seat belts are buckled while it’s in motion, but I didn’t think they would start to put them into personal vehicles.

I think that it’s interesting that they are implementing black boxes in cars. It is scary to think about the amount of information that could be collected about an individual regarding where they drove, how fast they were driving, and how it could be used. Other than using it for motor vehicle accidents, the information could potentially be used for many other types of crimes as well.

Source:

http://openchannel.msnbc.msn.com/_news/2011/11/11/8743687-digital-evidence-becoming-central-in-criminal-cases

Real World Pen Testing

Want to get into pen testing? Knowing the following attack vectors is a good place to start. View the source for more detailed information on each category.

  • Information Gathering
    • Goal: Employee Information
  • Social Engineering
    • Goal: Gain Employee Credentials by directly asking for them
    • Goal: Enticing Users to a Website
  • Phishing
    • Goal: Internal Access via Employees

Government requests to Google for information on users have spiked.

The number of requests from the government to Google for information on its users has increased by 29% in the last 6 months. Google is one of the few companies that release these kinds of statistics to the public. The reason they give for doing this is that they want to raise awareness about the ECPA.

The ECPA is the Electronic Communications Privacy Act, and it was enacted 25 years ago. It was meant to provide people with protection and privacy against government intrusion, but it hasn’t been updated since it was made to reflect new advances in technology. Because of this, people are still massively vulnerable to government intrusion, with its ability to get access to users’ online information without having to go through a judge’s approval like it would need for a warrant. Google is just one of many high-tech companies that have formed the Digital Due Process coalition to advocate reform.

This isn’t the first time Google has attempted to rock the boat over government monitoring. Most of you probably remember back when Google refused to censor search results in China. Their refusal of this demand caused them to close up shop in much of China. On the other hand, companies like Yahoo have no trouble censoring or even monitoring and giving out information on political dissidents.

http://www.digitaldueprocess.org/index.cfm?objectid=37940370-2551-11DF-8E02000C296BA163

http://m.wired.com/threatlevel/2011/10/google-data-requests/

“Silk” – smooth for id thieves?

The EFF (Electronic Frontier Foundation) has recently given its thumbs up to Silk, the new browser for Amazon’s Kindle. Silk uses a cloud accelerator to improve performance. The issue up to this point is that this better performance comes with a negative side, namely security.

The issue at heart is that while using the cloud, information is sent to Amazon’s servers and stored to ‘predict’ what website the user will go to next, thereby speeding things up. That information is stored for up to thirty days. While Amazon says the information is kept private (unlike Facebook), there are some doubts. The EFF has approved Silk because the cloud can be turned off, and Amazon claims that secure web page visits (SSL and HTTPS) are not routed through Amazon’s servers, therefore no information is stored. Still, concerns do exist. Besides storing information about what sites a user visits, their search history is also stored. Sometimes that search history contains personal information.

Although the cloud can be turned off, my concern is that the common user will not do it. Most people do not know that their information is being stored; they just happily click away thinking that once they turn off the computer all the information disappears. I also feel that Amazon, while saying all the right things now, will more than likely sell that information in the future. We are talking about a company that makes its profit selling things, after all.

http://news.cnet.com/8301-1009_3-20123464-83/amazons-silk-browser-now-eff-approved-really/?tag=mncol;txt

Behavioral monitoring malware

Behavioral monitoring malware is a new class of malware that mines many of the social networking sites for behavioral patterns. What I mean by behavioral patterns is that it will monitor what kind of websites you like, who you associate with, and the kinds of things you buy. This kind of information is a goldmine for marketers. It allows them to build profiles of individuals outside the broad scope of sex, age, and location. Now they can know that you’re friends with x, y, z or that you’re a Chihuahua enthusiast who loves NASCAR. This kind of information can be more insidious than more conventional malware.

Through this information they could then target ads just for you or, extending beyond marketing, unique attacks. We’ve talked about phishing attempts before in class and how it’s always kind of a broad message to get as many people as possible. Thanks to behavioral pattern malware they can now easily tailor specific attacks just for you even if you’re some nobody. The usual malware targets things like credit cards or accounts and passwords. While these can cause trouble and be an inconvenience, you can at least cancel a credit card or change your password. But once they know who you are, you’re in trouble. You can’t just change everything about yourself. You’re not going to get rid of your friends and family and stop liking the things you do.

Some of the interesting technical aspects of this malware are that it’s able to recognize who is on the fringe of social connections. That is, if I’m someone who posts prolifically on Twitter or Facebook and has lots of followers/friends, I’m going to stand out as a greater target compared to someone who has very few. Since I would have lots of connections, I become a greater target because through my connections it can move on to new targets. Another interesting thing is that it infects unconventionally compared to the usual malware. Most malware attempts to infect as many devices as fast as possible, while behavior pattern malware would want to take its time in order to go unnoticed and collect as much information as it could.

http://www.pcworld.com/article/207659/malware_aimed_at_social_networks_may_steal_your_reality.html

Preventing skimming

For those who don’t know, skimming is when a person records the information on a credit or debit card without the person’s permission, and in most cases without them knowing. Skimming has been going on for a long time and continues to be a big issue. Just recently a German man was sentenced to three years in prison for bringing skimming equipment into the UK. SANS had an article about this in their news bits that read:

A German man has been sentenced to three years in prison for bringing card skimming technology into the UK. Thomas Beeckmann was arrested at Victoria Station in London in June; investigators say he was carrying sophisticated skimming equipment, some of which would allow users to retrieve data captured by skimmers though Bluetooth technology from a distance of 100 meters. Beeckmann’s sentence includes time for refusing to divulge his laptop encryption password to law enforcement officials as well as for possessing skimming equipment.
- http://www.bbc.co.uk/news/technology-15312057

- http://www.h-online.com/security/news/item/Sentenced-German-engineer-modified-card-terminals-for-criminal-gangs-1362217.html

Law enforcement in the United States as well as other countries is continuously investigating skimming attacks. But the problem I have found is that even with investigations and prison sentences, skimming attacks are still too easy to perform with little risk of getting caught. Equipment to perform simple skimming attacks is very easy to come by. A simple search around the internet and you can find a place to purchase some equipment at not too high a price. Also, people don’t really watch out for skimming much, which makes it easy to get away with and not get caught. If people don’t know it’s happening, they’re not going to report it to the police. An article at merchantequip.com said:

Skimming most commonly occurs in restaurants, where the card owner loses contact with the card and a purchase is made. It takes about two seconds to scan a card through a portable reader, and the reader records all of the information on the credit card. Portable card readers are small enough that someone could easily conceal one in a pocket, a sleeve, or even in their hand.

Which brings up the question: how many people even think about what’s happening to their card when they give it to the waiter or waitress at a restaurant?

What can you do to prevent skimming? I doubt it will ever just stop happening, so the best thing to do is just be aware of how it can happen and watch out for it. If you’re careful about how you use your card, and who you give it to, there’s less chance your card’s information will be stolen.

Tools to make your browser safer.

With the ever-growing complexity of modern-day web browsers, there follow new and dangerous exploits for them. To get around this, there exists a variety of plugins for the popular browsers. These plugins attempt to increase your security on the net not only against malicious attacks but also against companies tracking your usage.

The first plugin is called NoScript, located here: http://noscript.net/ . NoScript disables JavaScript, Java, Flash, and other things that might run on websites. A bar pops up at the bottom of the screen notifying users that it’s blocking scripts. From here you can choose to permanently enable them or just enable them for a session. Users might want to use a tool like this because exploits can be automatically loaded through things like JavaScript without any sort of user input. Plus it can also block trackers. Currently there is only a Firefox plugin, but supposedly they are working on a Chrome one.

Another useful tool is Ghostery: http://www.ghostery.com/ . This program blocks most of the popular tracking methods that websites use to gather information, whether they be plugins, scripts or tracking bugs. The program notifies you when it’s found something and pops up in the corner what they are. It allows you to then click on them to find out more about what that particular tracker is and what it does. This program has a lot of overlap with NoScript in that usually NoScript blocks them before it does. Ghostery works with all of the popular browsers.

The last one is Priv3: http://priv3.icsi.berkeley.edu/index.html . This disables all of the buttons for social network sites on other websites. These buttons enable the social network sites to track you on the internet even when you don’t click on any of them. So if you’re looking for more privacy, this might be useful. Again, NoScript tends to block these already. Priv3 is currently only for Firefox.