Tag: Data Protection

A team of researchers, including an assistant professor at the University of California, Riverside Bourns College of Engineering, has identified a weakness believed to exist in the Android, Windows and iOS mobile operating systems that could be used to obtain personal information from unsuspecting users. They demonstrated the hack on an Android phone.

The researchers tested the method and found it was successful between 82 percent and 92 percent of the time on six of the seven popular apps they tested. Among the apps they easily hacked were Gmail, CHASE Bank and H&R Block. Amazon, with a 48 percent success rate, was the only app they tested that was difficult to penetrate.

The paper, “Peeking into Your App without Actually Seeing It: UI State Inference and Novel Android Attacks,” will be presented at the 23rd USENIX Security Symposium in San Diego. Authors of the paper are Zhiyun Qian, of the Computer Science and Engineering Department at UC Riverside; Z. Morley Mao, an associate professor at the University of Michigan; and Qi Alfred Chen, a Ph.D. student working with Mao.

The researchers believe their method will work on other operating systems because they share a key feature researchers exploited in the Android system. However, they haven’t tested the program using the other systems.

The researchers started working on the method because they believed there was a security risk with so many apps being created by so many developers. Once a user downloads a bunch of apps to his or her smartphone, they are all running on the same shared infrastructure, or operating system.

“The assumption has always been that these apps can’t interfere with each other easily,” Qian says. “We show that assumption is not correct and one app can in fact significantly impact another and result in harmful consequences for the user.”

The attack works by getting a user to download a seemingly benign, but actually malicious, app, such as one for background wallpaper on a phone. Once that app is installed, the researchers are able to exploit a newly discovered public side channel — the shared memory statistics of a process, which can be accessed without any privileges. (Shared memory is a common operating system feature that efficiently allows processes to share data.)

Read More

Phone texts don’t die: they hide

The computer forensics expert who recovered the text messages that brought down parliamentary Speaker Peter Slipper has warned that any messages or files you think you have deleted from your smartphone are still there if someone really wants to find them.

The national head of the IT forensics practice at corporate advisory firm PPB Advisory, Rod McKemmish, was brought in by the legal team of Mr Slipper’s former staffer James Ashby, as some of the messages he had received from the former speaker had been deleted.

He was able to use an automated forensic process to bring the messages back from the dead.

“The delete button on the phone should really be called the ‘hide’ button, because the data is still there, you just can’t see it,” Mr McKemmish said. “In the forensic process we can bring it all back.”

While most politicians and business people are unlikely to be communicating about the sort of topics that brought down Mr Slipper, many might rethink the privacy of their communications.

With soaring levels of smartphone penetration in Australia, it is fair to assume that a significant amount of sensitive discussions take place via SMS.

Mr McKemmish said his skills were increasingly being called upon to investigate corporate cases, where firms were concerned about confidential information residing on the phones of staff leaving. Most phones have a “factory reset feature”, which is supposed to revert the phone to the state when it was first used, but it’s insufficient.

IBRS technology analyst James Turner said businesses needed to be more alert to the permanent nature of digital communication, as more important conversations were handled by SMS and email.

“This can be share price-impacting information, because deals can be made via an SMS that are worth a lot of money,” he said. “The audit trail is all important when it comes to being able to report that due process has been followed, so if people are using electronic communications, then they must expect that there is a record.”

Not all communication via SMS or email is related to big deals of course. Much could be slotted into the files marked “harmless banter” or “office gossiping”. Common stuff, but not necessarily words that people want to be accessible once the messages have been deleted.

Unfortunately for regular texters, a computer forensics expert and adjunct professor at Queensland University of Technology, Bradley Schatz, says smartphones were designed to hold on to data as a guard against accidental loss.

He says there are a number of factors that will govern how long a message exists on a phone after it has supposedly been deleted, but a basic guide is that it will remain somewhere on the phone until all available space for new data has been exhausted.

“The memory inside many of these small-scale digital devices is called flash memory, which is the same kind of memory that you would find in a USB key,” Schatz said.

Read More

FBI Cyber Expert Fights Real-world Crime

J. Keith Mularski’s world has expanded greatly since he stopped selling discount furniture to join the FBI in 1998. Especially since he transferred from Washington, D.C., in 2005 to fill a vacancy in the Pittsburgh field office’s cyber squad — which he now heads.

Since then, Supervisory Special Agent Mularski has been recognized as a foremost expert on cyber crime. His profile has risen even more since the Justice Department used Mularski’s sleuthing to bring two indictments with worldwide ramifications.

In May, five Chinese Army intelligence officers were charged with stealing trade secrets from major manufacturers including U.S. Steel, Alcoa and Westinghouse.

In June, a Russian man was charged with leading a ring that infected hundreds of thousands of computers with identity-thieving software, then using the stolen information to drain $100 million from bank accounts worldwide.

Mularski, 44, said in April during an oral history interview for the National Law Enforcement Museum that he became a furniture salesman out of college because jobs were hard to come by then. He spent about five years in the business before joining the FBI.

“I was in private industry beforehand. But I’ve kind of always liked computers,” Mularski told The Associated Press during a recent interview.

All 56 FBI field offices have cyber squads. Mularski chose Pittsburgh largely because of family considerations — he grew up in suburban White Oak, the son of a steelworker.

“It kind of looked like cyber was the wave of the future,” Mularski said. “The majority of all my computer training was just on-the-job training at the bureau.”

It has proved remarkably effective.

Even before the Chinese and Russian cases made worldwide headlines, Mularski was making cyber waves.

He made his reputation infiltrating Dark Market in 2006. The worldwide Internet forum allowed crooks to buy and sell stolen identity and credit card information.

Mularski infiltrated the network by pretending to be a notorious Polish computer hacker using the screen name “Master Splyntr” — a takeoff on the cartoon rat who guides the Teenage Mutant Ninja Turtles.

Mularski was inspired while watching the cartoon character with his young son: “He’s a rat that lives underground. It was perfect,” he said.

Mularski befriended the criminal mastermind behind the site and persuaded him to let Mularski move the operation onto new computer servers. The servers happened to belong to the FBI, which led to more than 60 arrests worldwide.

Misha Glenny, a British journalist who specializes in cyber crime, wrote a book about the case called “Dark Market, How Hackers Became the New Mafia.”

“Keith Mularski is not without technical ability, but his real talent lies in convincing experienced cyber criminals that he is one of them and not a law enforcement officer,” Glenny told the AP.

His aw-shucks demeanor also makes him an ideal team player.

“He has an understanding of the whole grid, and then he develops relationships, whether it’s with victims, the private sector, and our international partners,” said David Hickton, the U.S. attorney in Pittsburgh.

Those partnerships are important because the United States doesn’t have extradition treaties to bring the Chinese and Russian suspects here for prosecution. Those defendants could be arrested if they travel into areas that cooperate with the U.S., but Hickton and Mularski said that’s not the only purpose served by those indictments.

“The best result is to be able to get cuffs on a guy,” Mularski said. “But you have to measure how you can impact each (criminal) organization.”

In the Russian case, Mularski got a federal judge in Pittsburgh to allow the Justice Department to monitor some 350,000 computers infected with malicious software, so the thievery could be stopped.

The Chinese indictment, meanwhile, was a “put up” to the Chinese government’s rumblings that the U.S. government should “shut up” about ongoing cyberspying allegations unless they could be proved, Mularski said.

Some cases produce a more tangible result.

Read More

WASHINGTON — Chinese hackers in March broke into the computer networks of the United States government agency that houses the personal information of all federal employees, according to senior American officials. They appeared to be targeting the files on tens of thousands of employees who have applied for top-secret security clearances.

The hackers gained access to some of the databases of the Office of Personnel Management before the federal authorities detected the threat and blocked them from the network, according to the officials. It is not yet clear how far the hackers penetrated the agency’s systems, in which applicants for security clearances list their foreign contacts, previous jobs and personal information like past drug use.

In response to questions about the matter, a senior Department of Homeland Security official confirmed that the attack had occurred but said that “at this time,” neither the personnel agency nor Homeland Security had “identified any loss of personally identifiable information.” The official said an emergency response team was assigned “to assess and mitigate any risks identified.”

One senior American official said that the attack was traced to China, though it was not clear if the hackers were part of the government. Its disclosure comes as a delegation of senior American officials, led by Secretary of State John Kerry, are in Beijing for the annual Strategic and Economic Dialogue, the leading forum for discussion between the United States and China on their commercial relationships and their wary efforts to work together on economic and defense issues.

Computer intrusions have been a major source of discussion and disagreement between the two countries, and the Chinese can point to evidence, revealed by Edward J. Snowden, that the National Security Agency went deep into the computer systems of Huawei, a major maker of computer network equipment, and ran many programs to intercept the conversations of Chinese leaders and the military.

American officials say the attack on the Office of Personnel Management was notable because while hackers try to breach United States government servers nearly every day, they rarely succeed. One of the last attacks the government acknowledged occurred last year at the Department of Energy. In that case, hackers successfully made off with employee and contractors’ personal data. The agency was forced to reveal the attack because state disclosure laws force entities to report breaches in cases where personally identifiable information is compromised. Government agencies do not have to disclose breaches in which sensitive government secrets, but no personally identifiable information, has been stolen.

Read More

If you’re a Comcast cable customer, your home’s private Wi-Fi router is being turned into a public hotspot.

It’s been one year since Comcast (CMCSA) started its monster project to blanket residential and commercial areas with continuous Wi-Fi coverage. Imagine waves of wireless Internet emitting from every home, business and public waiting area.

Comcast has been swapping out customers’ old routers with new ones capable of doubling as public hotspots. So far, the company has turned 3 million home devices into public ones. By year’s end it plans to activate that feature on the other 5 million already installed.

Anyone with an Xfinity account can register their devices (laptop, tablet, phone) and the public network will always keep them registered — at a friend’s home, coffee shop or bus stop. No more asking for your cousin’s Wi-Fi network password.

But what about privacy? It’s potentially creepy and annoying. But the upside is Internet everywhere. And it seems like Comcast did this the right way.

Outsiders never get access to your private, password-protected home network. Each box has two separate antennae, Comcast explained. That means criminals can’t jump from the public channel into your network and spy on you.

And don’t expect every passing stranger to get access. The Wi-Fi signal is no stronger than it is now, so anyone camped in your front yard will have a difficult time tapping into the public network. This system was meant for guests at home, not on the street.

As for strangers tapping your router for illegal activity: Comcast said you’ll be guilt-free if the FBI comes knocking. Anyone hooking up to the “Xfinity Wi-Fi” public network must sign in with their own traceable, Comcast customer credentials.

Still, no system is foolproof, and this could be unnecessary exposure to potential harm. Craig Young, a computer security researcher at Tripwire, has tested the top 50 routers on the market right now. He found that two-thirds of them have serious weaknesses. If a hacker finds one in this Comcast box, all bets are off.

“If you’re opening up another access point, it increases the likelihood that someone can tamper with your router,” he said.

Read More

Google and Microsoft will add a “kill-switch” feature to their Android and Windows phone operating systems.

The feature is a method of making a handset completely useless if it is stolen, rendering a theft pointless.

Authorities have been urging tech firms to take steps to help curb phone theft and argued that a kill-switch feature can help resolve the problem.

Apple and Samsung, two of the biggest phone makers, offer a similar feature on some of their devices.

The move by Google and Microsoft means that kill switches will now be a part of the three most popular phone operating systems in the world.

Growing problem

Smartphone theft has become a big problem across the world. According to a report by US authorities:

Some 3.1 million mobile devices were stolen in the US in 2013, nearly double the number of devices stolen in 2012

One in three Europeans experienced the theft or loss of a mobile device in 2013

In South Korea mobile device theft increased five-fold between 2009 and 2012

In Colombia criminals stole over one million devices in 2013

In an attempt to tackle the issue, policymakers have launched an initiative called Secure our Smartphones.

As part of it, they have urged technology firms to take steps to make it less attractive for robbers to steal mobile devices.

“An activated kill switch converts an easy-to-sell, high-value multimedia device into a jumble of plastic and glass, drastically reducing its street value,” the report by New York Attorney General said.

Explainer: How a kill switch works

A “hard” kill switch would render a stolen device permanently unusable and is favoured by legislators who want to give stolen devices the “value of a paperweight”

A “soft” kill switch only makes a phone unusable to “an unauthorised user”

Some argue that the only way to permanently disable a phone is to physically damage it

Experts worry that hackers could find a way to hijack a kill signal and turn off phones

If a phone is turned off or put into aeroplane mode, it might not receive the kill signal at all, warn experts

Read More

Mobile Device Data In a Big Data World

Today’s world is becoming more and more mobile every day. In fact, 91% of all people own a mobile device and 56% own some type of smart device. It is no surprise that today there are more mobile devices on the earth than there are people! Equally impressive is that the amount of data we consume is becoming increasingly focused on mobile devices. In fact, according to Pew Research, 55% of all internet traffic in the United States is from a mobile device, which is a first for overall internet traffic.

Mobile data is not just a part of the Big Data world; it is one of the largest contributors. Mobile device data, particularly smart devices, will contribute to approximately 8 zettabytes of data by 2015. To put a zettabyte in perspective, think of 250 billion DVDs containing around 36 million years of HD video. The total data would equal approximately 1 zettabyte.

With these statistics in mind, it would make sense that every digital investigation scenario will contain data from mobile devices. With that being said, collecting and analyzing mobile data is not only vital, but paramount to solving today’s crimes. Mobile device data, combined with data from other big data repositories, like hard drives, network shares, and offline servers paints a much better picture than relying on a single source.

So, what types of mobile device data are most important to investigations? The answer to that is quite simple, everything! From the standard SMS, MMS, Contacts, and Call Logs to the meaty data involving the posting, sharing, commenting, chatting, bashing, liking, favoriting, tweeting, and browsing in social media to the locating, logging and storing files in applications. Factor in that all this data is stored on the device, and not on a network server, with your mobile provider, or your company. Now, multiply the fact that most of today’s communication occurs outside of the normal SMS/MMS via messaging applications, and you realize a mobile forensic solution that can effectively uncover this important data is now a necessity.

A perfect example of this happened recently when I spoke to a group of over 200 forensic examiners. I simply asked them to raise their hands if they had examined a mobile device for an investigation. Immediately hands shot up from over 80% of the attendees. I asked them to continue to leave their hands up if during the last examination of a mobile device they looked at any application data from third party applications on the smart device. Only 5 hands remained up. That is less than 3% of the attendees, which is typical, if not a little high, for the normal educational seminar I conducted. Mobile device hardware, operating systems and applications are advancing at a pace never seen before. Should not our investigative tools and priorities advance as well?

The ability to search and recover mobile data from applications on smart devices is difficult and often limited when using current mobile solutions. Research shows that only 5 to 10% of the entire user data area is examined by typical mobile forensics tools. This leaves 95% of application data unanalyzed, and a lot of times uncollected. The net result shows that most examiners have minimal insight into the mobile application data because of the lack of support of their current tool, the lack of time and the lack of training.

Read More

Google is already receiving demands from people to remove links from its search results just days after Europe’s highest court said people worried about their privacy have the “right to be forgotten” on the Internet.

The European Court of Justice on Tuesday found Google and other search engines control information and are responsible for removing unwanted links if requested. In the ruling, the court decided that Google results linking to a newspaper’s notice about a Spanish man’s social security debts in 1998 were no longer relevant and must be deleted.

Google can, however, decline requests the company believes are in the public interest to remain in its search results.

Google declined to say how many people have requested information to be taken down as a result of the ruling. But some of the people who have requested that Google remove unsavory Web pages about them demonstrate the murky situation Google finds itself in: A politician, a poorly reviewed doctor and a pedophile are among the first to have issued take-down requests.

A person with knowledge of the requests said a man convicted of possession of child pornography has requested that Google (GOOG, Fortune 500) remove links to Web pages about his conviction. A former politician has also requested that the search engine remove links to a news article about his behavior while he was holding office. And a physician has requested that links to a review site be removed.

Google has not yet taken the links down. The company said it first needs to develop a procedure to handle a potential flood of requests for removal.

“The ruling has significant implications for how we handle take-down requests,” a Google spokesman said. “This is logistically complicated — not least because of the many languages involved and the need for careful review. As soon as we have thought through exactly how this will work, which may take several weeks, we will let our users know.”

Google is used to handling take-down requests. The search engine said it received more than 25 million requests from companies claiming Google results linked to material that infringes on copyrights. Google also receives thousands of requests from governments to take down links to websites that violate laws. Google complies with fewer than half of the government take-down requests but does not specify its compliance rate for copyright-related requests.

But copyright and many other laws are considerably clearer-cut than the test of “relevance to public interest,” which Google will now need to abide by in the European Union.

Read More

California leaders push for smartphone kill switch

SAN FRANCISCO (AP) — Legislation unveiled Friday in California would require smartphones and other mobile devices to have a “kill switch” to render them inoperable if lost or stolen — a move that could be the first of its kind in the country.

State Sen. Mark Leno, San Francisco District Attorney George Gascon, and other elected and law enforcement officials said the bill, if passed, would require mobile devices sold in or shipped to California to have the anti-theft devices starting next year.

Leno and Assemblywoman Nancy Skinner, both Democrats, co-authored the bill to be introduced this spring. They joined Gascon, New York Attorney General Eric Schneiderman and other authorities who have been demanding that manufacturers create kill switches to combat surging smartphone theft across the country.

Leno called on the wireless industry to step up as smartphone robberies have surged to an all-time high in California.

“They have a choice. They can either be a part of the problem or part of the solution, especially when there is one readily available,” Leno said.

Leno and Gascon said they believe the bill would be the first of its kind in the U.S. Gascon and Schneiderman have given manufacturers a June 2014 deadline to come up with solutions to curb the theft of smartphones.

CTIA-The Wireless Association, a trade group for wireless providers, says a permanent kill switch has serious risks, including potential vulnerability to hackers who could disable mobile devices and lock out not only individuals’ phones but also phones used by entities such as the Department of Defense, Homeland Security and law enforcement.

The association has been working on a national stolen phone database that launched in November to remove any market for stolen smartphones.

“These 3G and 4G/LTE databases, which blacklist stolen phones and prevent them from being reactivated, are part of the solution,” Michael Altschul, CTIA’s senior vice president and general counsel, said in a statement. “Yet we need more international carriers and countries to participate to help remove the aftermarket abroad for these trafficked devices.”

Almost one in three U.S. robberies involve phone theft, according to the Federal Communications Commission. Lost and stolen mobile devices — mostly smartphones — cost consumers more than $30 billion in 2012, the agency said in a study.

In San Francisco alone, about 60 percent of all robberies involve the theft of a mobile device, Police Chief Greg Suhr said. In nearby Oakland, such thefts amount to about 75 percent of robberies, Mayor Jean Quan added.

“We’re in California, the technological hub of the world,” Suhr said. “I can’t imagine someone would vote against” the proposed kill switch law.

Gascon said the industry makes an estimated $7.8 billion selling theft and loss insurance on mobile devices but must take action to end the victimization of its customers.

“This is one of the areas in the criminal justice system where a technological solution can make a tremendous difference, so there’s absolutely no argument other than profit,” Gascon said.

In 2013, about 136 million smartphones were sold in the U.S., according to International Data Corp., a Massachusetts-based researcher. More than 1 billion smartphones were sold worldwide last year, accounting for $330 billion in sales, IDC said. That’s up from 725 million in 2012.

Last year, Samsung Electronics, the world’s largest mobile phone manufacturer, proposed installing a kill switch in its devices. But the company told Gascon’s office the biggest U.S. carriers rejected the idea.

A Samsung statement issued Friday said the company doesn’t think legislation is necessary and it would keep working with Gascon, other officials and its wireless carrier partners to stop smartphone theft.

Apple Inc., the maker of the popular iPhone, said the “Activation Lock” feature of its iOS 7 software released in the fall is designed to prevent thieves from turning off the Find My iPhone application, which allows owners to track their phone on a map, delete its data, and remotely lock the device so it cannot be reactivated.

“This can help you keep your device secure, even if it is in the wrong hands, and can improve your chances of recovering it,” Apple spokeswoman Trudy Muller said Friday without commenting specifically about the proposed legislation.

Gascon has praised Apple for its effort but reiterated Friday that it is still too early to tell how effective its solution will be.

View Source

The U.S. Supreme Court is delving into the technology-versus-privacy debate, agreeing to hear two cases that test whether police making an arrest may search cellphones without a warrant.

The court’s announcement Friday that it would take the cases came just hours after President Obama outlined his proposals to address government retention of citizen phone data as part of his speech outlining reforms at the National Security Agency.

The court said it would hear arguments, likely in April, in two cases with conflicting decisions from the lower courts.

In one case, from California, David Riley was pulled over for expired tags. When police then discovered loaded guns in his vehicle, they arrested Riley and searched his smartphone. Investigators found photos and contacts linking Riley to gang activity, and prosecutors used the smartphone information at trial to win a conviction. Riley received a prison term of 15 years to life.

The California Supreme Court, which had previously ruled that such searches are legal, left Riley’s conviction in place.

Across the country, a federal appeals court in Boston reached the opposite conclusion, barring all warrantless cellphone searches except in emergency situations. The Obama administration appealed that ruling, contending that immediate searches of cellphones are especially important because the information contained in them can be so easily and quickly erased.

The Supreme Court’s eventual decision in these cases could lay the groundwork for future rulings on the NSA’s collection of cellphone metadata.

However the Supreme Court rules, its decision will have enormous practical consequences, since 90 percent of all Americans own mobile phones.

View Source