Radio Freethinker

Vancouver's Number 1 Skeptical Podcast and Radio Show

Posts Tagged ‘Hacking’

Pre-infected PCs

Posted by Don McLenaghen on July 27, 2011

In a recent hearing of the House Oversight and Government Reform Committee, Greg Schaffer (acting deputy undersecretary of the Department of Homeland Security National Protection and Programs Directorate) stated that there were instances where consumer electronics were imported with hardware/software security risks[1]…These risks were implied to be purposeful and with the intent of surveillance, spying or as a potential weapon (as in a kill switch on electronics). In plain speak, it was the judgment of DHS that there were actual attempts at ‘cyber surveillance’ and perhaps ‘cyber sabotage’.

The risks come in two forms. The first is direct inclusion…where the actual devices are ‘altered’ at the source. So, for example, a number of business security experts have suspected that China has used its manufacturing ‘centrality’ (i.e., everything is “made in China”) to facilitate industrial espionage. Others also suspect that the Chinese (or Indians, Israelis, Russians, etc…) have included security back doors for political/military spying or added command code to shut down critical systems.

Another risk comes from the globality of production. There has been some concern about supply-chain security[2], as computers, portable devices and other electronic devices pass through several suppliers before the final product goes on sale. A federal report released in January on the supply chain between the United States and China speculated on the possibility that somewhere along the line someone could compromise a component or design a capability that could enable cyber-attacks. These inclusions expand the possible perpetrators of ‘cybercrime’ to non-obvious industry, third-party nations or non-government groups (such as terrorists et al). It seems highly unlikely, and this is the importance of Schaffer’s comments, that such ‘cyber-attacks’ have already occurred and are perhaps as common an issue as ‘civilian’ viruses on the internet.

Of course there is a difficulty in distinguishing ‘real’ intent from accident. During the design phase of software (including that embedded in hardware) or hardware, it is common practice to include back-doors, quick-switches and tracking logs to facilitate debugging[3]. Occasionally…well actually often, this code gets left in due to forgetfulness. Anyone who plays video games knows there are all kinds of ‘hacks’ that can be used to ‘alter’ game play. Almost all were created not for the benefit of the player but to make the life of the programmer easier. Of course it is almost impossible to determine whether these ‘developmental’ tools were left in on purpose or by accident.

Occasionally, infection happens accidentally. At a recent conference IBM was embarrassed to discover that a USB memory stick they were handing out contained malware[4]. It was via this ‘accidental’ contamination that the Stuxnet virus[5] made its way to the Iranian processing plants.

The Stuxnet virus[6] stunned the tech world. For those who do not know, Stuxnet was a virus that most analysts believe was created by either or both Israel and the US to delay Iran’s attempts at developing a nuclear power. The unique thing about this virus vs. the billions already breeding on the Internet is the specificity of this one. It seems it was designed to infect ANYTHING it came in contact with but to only ‘damage’ Iranian centrifuge motors…from what I understand; they could cause the motors to spin out of control to the point of self-destruction.

The creation of the Stuxnet virus…the suspected attacks on Lithuania by Russian nationals in response to ‘political dispute’[7]…an attack on Georgia “from the former soviet countries” as a prelude to ‘physical’ attack[8]…the numerous claims that Chinese ‘hackers’ have infiltrated US (and others) military networks[9]…all these point to another major issue that has arisen – the militarization of the internet.

This can be a huge issue these days because in a recent press release, the US Pentagon added cyber-attacks as a legitimate casus belli or justification for war[10]. This means that if there is a major malfunction of some key hardware/software and the US believes the source is pre-infected electronics from…let’s say China…it could see this as an act of war and respond militarily.

As innocents, we the people are placed in a bad spot…on the one hand we have to be worried that electronics we are purchasing may come ‘pre-infected’ with spyware (targeting not only our own personal data but that of our infrastructure or government) while knowing that our own espionage agencies are likewise turning the internet into the next battlefield. I think what worries me the most is not the loss of privacy or even the fact my own country is actively participating in contaminating yet another miracle of science for military use…no, what worries me is the mis-call.

For those of us who grew up during the latter part of the Cold War, the fear was not the possibility that the USSR and the USA would actually launch a nuclear war but that due to some electronic malfunction (movie: Failsafe) or rogue individual (movie: Dr. Strangelove) a war would occur by accident. When I look at the power and more importantly the accessibility of the internet I worry.

In the old days, if an individual ‘went rogue’ they picked up a gun and shot a number of people…lots of local harm but no real risk of global conflagration…or a fanatic would have to ‘pass as normal’ until they attained a unique position of power from which they could launch a ‘meaningful’ attack. No, now it is possible for a series of simple accidents…a youthful hacker creates a ‘virus’ to do ‘cool things’ (maybe cause motors to spin out of control or electrical circuits to shut down during the full moon) and a lax or lazy official downloads this virus (like onto a USB stick of music to play at work) and contaminates a ‘critical network’ (like a nuclear power plant control system). This combined with the rapidity of contagion via the internet; the uncertainty of knowing if an ‘attack’ was deliberate or accidental; and lastly the now stated policy of nuclear powers to see cyber-attacks as ‘acts of war’ (allowing for physical attacks in response to cyber-attacks)…all these factors remind me all too well of the time when I went to bed uncertain I would wake to the world I knew or to a nuclear holocaust…perhaps an existential fear for the ‘cyber generation’.


Is Privacy Forfeited with Modern Technology?

Posted by Ethan Clow on May 5, 2011

With all the modern technology and innovative ways of sharing information we all try to seek out a way to balance how much information we want to share with how much privacy we want to give ourselves. But in the last few weeks a couple of stories have cropped up that really make me wonder how possible it is to balance the privacy side with the option to share and utilize our huge social network.

This jumped to mind when I read that Apple iPhones and iPads were secretly tracking personal data about their users…and for what purpose? No one knows.

Researchers Pete Warden, a writer, and Alasdair Allan, a senior research fellow in astronomy at the University of Exeter, were the ones who uncovered this issue. They were working on some location data visualization projects and during that process discovered suspicious files on their iPhones.

What’s happening is that devices running iOS 4 are gathering location data and storing it in an unencrypted file. The file, named “consolidated.db,” contains location data about cell towers the device accessed and Wi-Fi networks that it was within range of, plus other information, like the direction a device was facing as determined by the digital compass that became standard on the iPhone 3GS.

This data can be used to create a digital map of where you were when you used your phone or iPad. The file includes latitude-longitude coordinates and a timestamp. However, the coordinates aren’t always correct, probably because your location is being triangulated between cell phone towers.

According to Allan and Warden, the tracking didn’t begin until iOS 4, which was released in late June 2010. The previous version of iOS did in fact track a similar set of information, including cell towers and GPS information, but the data was not stored in a simple directory format.

The database of location information is stored primarily on your phone, though due to the iOS device backup system in iTunes, these files can also end up on your computer. When iTunes saves these backups, which are set by default to be stored every time you sync an iOS device, the data file goes along with it.

The concern, as the researchers point out, is that this information is unencrypted. To quote the researchers: “By passively logging your location without your permission, Apple [has] made it possible for anyone from a jealous spouse to a private investigator to get a detailed picture of your movements.”

This news has caused quite an uproar. Senator Al Franken, who is the chair of a new privacy panel for the US Government, sent a letter to Steve Jobs requesting an explanation. In addition, the Federal Communications Commission (FCC) is also reportedly looking into the matter, while a Congressman from Washington State has followed Franken’s lead, promising to ask questions of his own.

But should we be getting so worked up over this? Why exactly is Apple doing this? We have a couple theories so far.

It turns out this isn’t new information. Location tracking was discussed last year by digital forensic specialists, and Apple did respond in a 2010 letter that its location tracking was purely to improve its services.

In addition, this isn’t breaking any rules. Apple clearly spells out in its Terms of Use that it has the right to “collect, use, and share” location data any time it pleases. Apple isn’t the only company to do this either. Some phones running Google’s Android OS also store location information.

It’s also worth noting that there is no evidence that this data is being sent to Apple; the researchers also admitted that there is “no immediate harm that would seem to come from the availability of this data.”

In terms of privacy, cell phone companies have always had this data and normally it would take a court order to retrieve this kind of data by law enforcement, which occasionally happens.

Apple has stated that they collect the data anonymously in a form that does not personally identify someone and it’s used by Apple and their partners and licensees to provide and improve location-based products and services.

It’s also worth noting that an iPhone’s position isn’t being continuously tracked. It tends to only get information related to when a location-related feature or app is used.

So why is the file unencrypted? Based on what I read, it probably has something to do with how the iPhone collects the locations of available Wi-Fi networks. Apple’s iOS devices have three ways to determine your location: They can collect GPS data (provided the device supports GPS and can get a signal from enough GPS satellites), utilize cell tower triangulation (provided we’re talking about an original iPhone or a 3G iPad and a cell connection can be established), or refer to a database of known Wi-Fi networks.

A few years ago, Apple began building its own database of Wi-Fi networks and their locations. As they build their global database of Wi-Fi networks and locations, collecting data from iOS devices worldwide is an ideal way to maintain and update that database. (And Apple’s not alone in doing that.)

Another possibility is that third party apps are “sandboxed” from iOS to protect privacy. Therefore it’s conceivable that some location data had to be unencrypted for these apps to use.

But why does an iPhone or 3G iPad store months and months of data? The consensus view — it’s probably a bug. Simply for performance and space reasons, it would make sense that a location cache be cleaned out periodically — just as any cache file on any desktop or mobile platform should be cleaned out. The fact that data isn’t being culled from the file means it likely got overlooked among other iOS engineering issues over the past year or two. The bug theory seems to have more credence after Apple announced a fix to help the problem. The update will limit the amount of data kept in the location file, will prevent iTunes from backing up the file to users’ computers and will delete all information in the file when users turn off location services.

In many ways I think the iPhone controversy is a bit overblown. But privacy fears were not allayed when another major company faced a similar situation. Sony, the company behind the PlayStation 3, was hacked.

Sony's new slogan?

Over the past few weeks gamers were mystified when Sony’s online gaming network crashed. However, that confusion soon turned to outrage when Sony later admitted the network was hacked and its users’ personal information was stolen.

Sony stated that hackers stole information including the names, address (city, state, zip), country, email address, birthdates, PlayStation Network password and login, and handle/PSN online ID. They also said it’s possible that profile data, including purchase history and billing address (city, state, zip), and PlayStation Network password security answers may have been obtained.

Worse, it’s also possible that credit card information was stolen as well.

This is a good time to remind any of our listeners who used Sony’s PlayStation Network to consider cancelling their credit cards and changing all their passwords.

Sony is in hot water for this. Not only for the breach of security but also for delaying informing its customers for over a week.

Already, the UK Information Commission is looking into the issue. In addition, Sony received a letter from the US Congress. The letter, which was written by the Subcommittee on Commerce, Manufacturing and Trade, asks a number of security and privacy related questions that Sony has never disclosed to the public. They included when the intrusion occurred, if Sony knew who was responsible for the attack and when the company notified law enforcement. The letter also asked Sony to explain what it knew about the type of data that was stolen by the hackers and if it included any credit card information.

A class action lawsuit was filed against Sony by the Rothken law firm in a California district court as well.

According to security researchers, hackers have been observed on underground forums selling credit card information stolen from Sony. Kevin Stevens, senior threat researcher at the security firm Trend Micro, said he had seen talk of the database on several hacker forums, including indications that the Sony hackers were hoping to sell the credit card list for upwards of $100,000. Mr. Stevens said one forum member told him the hackers had even offered to sell the data back to Sony but did not receive a response from the company.

Sony is now claiming they were the victim “of a very carefully planned, very professional, highly sophisticated criminal cyber-attack designed to steal personal and credit card information for illegal purposes,” – source BBC

Yes, Sony is claiming they were hacked by the group Anonymous, although they aren’t sure if the data theft was part of the hacking attack.

Either way it leaves us with some disturbing questions. To what extent can we expect our privacy to be maintained while engaging in the online social networking technologies we enjoy? Apple may have spooked a few people with its iPhone tracking but Sony clearly dropped the ball on their security that has resulted in credit card information falling into the wrong hands. Are they on the hook for this loss of data? Do corporations in general have a responsibility to protect private information or is it buyer beware?

As technology advances, and as hackers learn and adapt new ways of breaking past security, what role does the consumer take in this odd dance? Will security standards eventually have to be dropped in order for folks to use such new technologies as iPads and smart phones? If so, where does that put privacy rights? I clearly don’t have an answer to that question. But I do think it’s worth asking.
