Tag: Privacy Protection

It’s 3 a.m. Do you know what your iPhone is doing?

Mine has been alarmingly busy. Even though the screen is off and I’m snoring, apps are beaming out lots of information about me to companies I’ve never heard of. Your iPhone probably is doing the same — and Apple could be doing more to stop it.

On a recent Monday night, a dozen marketing companies, research firms and other personal data guzzlers got reports from my iPhone. At 11:43 p.m., a company called Amplitude learned my phone number, email and exact location. At 3:58 a.m., another called Appboy got a digital fingerprint of my phone. At 6:25 a.m., a tracker called Demdex received a way to identify my phone and sent back a list of other trackers to pair up with.

And all night long, there was some startling behavior by a household name: Yelp. It was receiving a message that included my IP address — once every five minutes.

Our data has a secret life in many of the devices we use every day, from talking Alexa speakers to smart TVs. But we’ve got a giant blind spot when it comes to the data companies probing our phones.

You might assume you can count on Apple to sweat all the privacy details. After all, it touted in a recent ad, “What happens on your iPhone stays on your iPhone.” My investigation suggests otherwise.

iPhone apps I discovered tracking me by passing information to third parties — just while I was asleep — include Microsoft OneDrive, Intuit’s Mint, Nike, Spotify, The Washington Post and IBM’s the Weather Channel. One app, the crime-alert service Citizen, shared personally identifiable information in violation of its published privacy policy.

And your iPhone doesn’t only feed data trackers while you sleep. In a single week, I encountered over 5,400 trackers, mostly in apps, not including the incessant Yelp traffic. According to privacy firm Disconnect, which helped test my iPhone, those unwanted trackers would have spewed out 1.5 gigabytes of data over the span of a month. That’s half of an entire basic wireless service plan from AT&T.

“This is your data. Why should it even leave your phone? Why should it be collected by someone when you don’t know what they’re going to do with it?” says Patrick Jackson, a former National Security Agency researcher who is chief technology officer for Disconnect. He hooked my iPhone into special software so we could examine the traffic. “I know the value of data, and I don’t want mine in any hands where it doesn’t need to be,” he told me.


At least two Calgary malls are using facial recognition technology to track shoppers’ ages and genders without first notifying them or obtaining their explicit consent.

A visitor to Chinook Centre in south Calgary spotted a browser window that had seemingly accidentally been left open on one of the mall’s directories, exposing facial-recognition software that was running in the background of the digital map. They took a photo and posted it to the social networking site Reddit on Tuesday.

The mall’s parent company, Cadillac Fairview, said the software, which they began using in June, counts people who use the directory and predicts their approximate age and gender, but does not record or store any photos or video from the directory cameras.

Cadillac Fairview said the software is also used at Market Mall in northwest Calgary, and other malls nationwide.

“We don’t require consent, because we’re not capturing or retaining images,” a Cadillac Fairview spokesperson said.

The software could, for example, say approximately how many men in their 60s used the directory, but not store images of those men’s faces or collect any other biometric data, the spokesperson said.

Instead, they said the data is used in aggregate to understand directory usage patterns to “create a better shopper experience.”

The use of facial recognition software in retail spaces is becoming commonplace to analyze shopper behaviour, sell targeted space to advertisers, or for security reasons like identifying shoplifters.


“Prosecutors like to say they are “doing God’s work” by representing the interests of victims. An ex-prosecutor I interviewed for my book, Making a Case for Innocence, used those words when I asked her why some prosecutors are willing to lie or hide evidence to get a conviction, and why some prosecutors seem more focused on winning cases than getting to the truth.

“At the end of the day, we want justice,” she said.

A vague answer, at best.

Still, it might explain the tunnel vision I see infecting some prosecutors: Too many of them seem so driven in their mission to “put the bad guys away,” that they become overconfident in their rightness and are tempted to bend the rules—all to ensure a “mission accomplished.”

I admit, it rubs me the wrong way when a government employee suggests that justice is only served by a conviction. Putting “bad guys” away is all well and fine, but some prosecutors seem to forget that not everyone sitting at the defendant’s table is a “bad guy.”

To a degree, it’s a problem of philosophy: Many prosecutors are in the business of pursuing guilt, so they see it everywhere. To a hammer, everything looks like a nail. And many police departments view themselves more as law enforcers than as society’s protectors, or as crime preventers.

Meanwhile, many criminal defense attorneys and investigators feel as strongly as prosecutors do that they are doing “God’s work.” By protecting the rights of people charged with crimes, they counterbalance the power of prosecutors and police, and thus, make our system fairer for all.

We don’t know the exact number of innocent people currently incarcerated, but we can estimate based on exoneration rates:”


“It’s a classic, if gruesome, staple of Hollywood action movies. The villain, desperate to gain access to the secret government vault, tricks the biometric security system by opening the door with the severed finger — or dangling eyeball — of the security guard.

In the real world, fake fingerprints and other forms of biometric spoofing pose serious challenges to the security community. Just this week, a team of Japanese researchers proved how easy it is to copy someone’s fingerprints from a “peace” sign selfie. A few years back, a hacker scanned the fingerprints of the German defense minister using a publicly available press photo. The same hacker once fashioned a fake thumb out of wood glue to fool Apple’s Touch ID sensor.

But before you toss your new iPhone out the window or put on gloves every time you take a selfie, you might want to hear about a new technology that can tell if a biometric image like a fingerprint or an iris scan is really “alive.”

Matthew Valenti is the West Virginia University site director for the Center for Identification Technology Research, a multi-institution collaboration that has developed and patented anti-spoofing technology based on something called liveness detection.

“There are subtle features that are only present in a living person,” Valenti told Seeker. “Your fingers, for example, have tiny pores in them, and the signal processing algorithms used to scan your fingerprint can look for the presence of sweat in your pores. A spoof wouldn’t have that.”

Valenti’s colleague Stephanie Schuckers at Clarkson University is a pioneering researcher in liveness detection. She has tested her perspiration algorithms against fake fingers made out of wax and Play-Doh, and also a few dozen cadaver fingers from the morgue. Schuckers’ algorithms are the core technology behind NexID Biometrics, a private company claiming that its software can spot a fake fingerprint with 94 percent to 98 percent accuracy.

Still, liveness detection is so new that you won’t even find it on the latest biometric gadgets like the new MacBook Pro. So should we be concerned that hackers and identity thieves are scouring Instagram looking for fingerprints to steal?”


A group of 51 suburban families filed a federal lawsuit against their Illinois school district, the U.S. Department of Education and the U.S. Justice Department on Wednesday, alleging that the district is violating students’ privacy and safety by allowing transgender students to use restrooms and locker rooms of the gender with which they identify.

Northwest suburban Township High School District 211 was forced to do so by the Department of Education, which charged that not accommodating the locker room choice of one transgender student who filed a complaint with the federal agency was a violation of Title IX, which prohibits discrimination on the basis of sex.

But the lawsuit filed by Alliance Defending Freedom and the Thomas More Society, on behalf of the 73 parents and 63 students, maintains that the 1972 federal law actually authorizes schools to retain single-sex restrooms and locker rooms, and Title IX is being unlawfully redefined by the Department of Education, which has overstepped into Congress’ purview in broadening its interpretation.

“Protecting students from inappropriate exposure to the opposite sex is not only perfectly legal, it’s a school district’s duty,” said Jeremy Tedesco, senior counsel of Alliance Defending Freedom.

“Allowing boys into girls’ locker rooms, a setting where girls are often partially or fully unclothed, is a blatant violation of student privacy.

The school district should rescind its privacy-violating policies, and the court should order the Department of Education to stop bullying school districts with falsehoods about what federal law requires.”


“Net scum have bashed florists with distributed denial of service attacks over Valentine’s Day in a bid to extract ransoms, security analysts say.

The attacks affected almost a dozen florists who were customers of security company Incapsula, and likely many others not monitored by the firm.

Security bods Ofer Gayer and Tim Matthews say one of their florist customers received a ransom note after a distributed denial of service attack.

“Of those sites (with inflated traffic), 23 per cent showed a sharp increase in attack traffic,” the pair say.

“There does not appear to be a trend in attacks against all online florists, but rather targeted attacks.”

Some sites received attacks that sent a flood of over 20,000 requests a second. In one instance the content distribution network provider counted the attack as legitimate traffic, bringing down the site “with a great loss of revenue”.

Attackers are in some instances attempting to exploit the Shellshock vulnerability against florists in a bid to breach the sites.

Distributed denial of service attacks are a common extortion tool in the lead up to big public events. Betting companies are understood to routinely pay off attackers who threaten to knock the sites offline during major sporting events.”


Over 190.3 million people in the US own smartphones, but many do not know exactly what a mobile device can disclose to third parties about its owner. Mobile malware is spiking, and is all too often pre-installed on a user’s device.

Following its findings in 2014 that the Star N9500 smartphone was embedded with extensive espionage functions, G DATA security experts have continued the investigation and found that over 26 models from some well-known manufacturers including Huawei, Lenovo and Xiaomi, have pre-installed spyware in the firmware.

However, unlike the Star devices, the researchers suspect middlemen to be behind this, modifying the device software to steal user data and inject their own advertising to earn money.

“Over the past year we have seen a significant increase in devices that are equipped with firmware-level spyware and malware out of the box which can take a wide range of unwanted and unknown actions including accessing the Internet, read and send text messages, install apps, access contact lists, obtain location data and more—all which can do detrimental damage,” said Christian Geschkat, G DATA mobile solutions product manager.

Further, the G DATA Q2 2015 Mobile Malware Report shows that there will be over two million new malware apps by the end of the year.

During the second quarter of 2015, researchers saw 6,100 new malware samples every day. By comparison, in the first quarter of 2015, they saw about 4,900 malware apps per day, representing an increase of almost 25% quarter over quarter.

Additionally, the first six months of 2015 have already broken all previous malware records—over a million new Android malware strains (1,000,938) were discovered within just six months. In those six months, the analysts have already discovered almost as many Android malware instances as in the whole of 2013.

“An estimated 2.5 billion people worldwide use a smartphone or tablet to go online. Chatting, surfing and shopping are possible anytime, anywhere thanks to smartphones and tablets. At the same time, the number of mobile malware apps has sharply increased in the past three years,” added Geschkat.

In the second half of 2015, G DATA security experts expect yet another significant increase in Android malware instances—in tandem with that malware becoming more refined.

“Hacking Team, an IT company that develops a wide range of malware for intelligence services and governments, suffered a cyber-attack this year,” the report noted. “After this attack, corporate data and source code for an Android malware strain were published. G DATA security experts expect cyber criminals to exploit this easily accessible knowledge base and publish large numbers of more mature Android malware.”


Internet pioneer and DNS expert Paul Vixie says ‘passive DNS’ is a way to shut down malicious servers and infrastructure without affecting innocent users.

Botnet and bad-actor IP hosting service takedowns by law enforcement and industry contingents have been all the rage for the past few years as the good guys have taken a more aggressive tack against the bad guys.

These efforts typically serve as an effective yet short-term disruption for the most determined cybercriminal operations, but they also sometimes inadvertently harm innocent users and providers, a problem Internet pioneer and DNS expert Paul Vixie says can be solved by employing a more targeted takedown method.

Vixie, CEO of FarSight Security, which detects potentially malicious new domain names and other DNS malicious traffic trends, says using a passive DNS approach would reduce or even eliminate the chance of collateral damage when cybercriminal infrastructure is wrested from the attackers’ control. Vixie will drill down on this topic during his presentation at Black Hat USA in August.

Takedowns typically include seizing domains, sinkholing IPs, and sometimes physically removing equipment, to derail a botnet or other malicious operation.

Perhaps the most infamous case of collateral damage from a takedown was Microsoft’s Digital Crimes Unit’s takeover of 22 dynamic DNS domains from provider No-IP a year ago. The move did some damage to Syrian Electronic Army and cybercrime groups, but innocent users were also knocked offline. Microsoft said a “technical error” led to the legitimate No-IP users losing their service as well, and No-IP maintained that millions of its users were affected.

The issue was eventually resolved, but not after some posturing in hearings on Capitol Hill, and debate over whether Microsoft was getting too heavy-handed in its takedown operations.

Vixie says the key to ensuring innocent users and organizations don’t get swept up in the law enforcement cyber-sweep is to get a more accurate picture of just what is attached to and relying on the infrastructure in question. “There is a tool that you can use to find out [whether] the Net infrastructure belongs to bad guys so you don’t target anything else” that shares that infrastructure and is not malicious, Vixie says.

Passive DNS is a way to do that, says Vixie. With passive DNS, DNS messages among DNS servers are captured by sensors and then analyzed. While Vixie’s company does run a Passive DNS database, he says he’s advocating that investigators and task forces doing botnet or domain takedowns use any passive DNS tool or service.

Vixie says the two-part challenge in takedowns to date has been ensuring law enforcement “got it all” while not inadvertently cutting off innocent users and operations in the process.

Passive DNS not only can help spot critical DNS name servers, popular websites, shared hosting environments, and other legit operations so they aren’t hit in a takedown operation, he says, but it can also help spot related malicious domains that might otherwise get missed. That helps investigators drill down to the malicious tentacles of the operation, according to Vixie.

Vixie in his talk at Black Hat also plans to lobby for researchers and service providers to contribute data to passive DNS efforts.

Meanwhile, it’s unclear what long-term effects takedowns have had on the cybercrime underground. “I’m involved in the same [volume] of [takedown] cases than I ever was. The trend of bad guys is on an upward swing,” Vixie says.


The Defense Department just got more mobile with its classified information.

Pentagon officials announced Wednesday a new Defense mobile capability has moved out of the pilot stage and will be incorporated into agency operations.

The new capability, created through a partnership between DOD’s IT arm, the Defense Information Systems Agency, and the National Security Agency, allows users to access classified voice and data up to the secret level from anywhere in the world.

The Pentagon plans to have 3,000 users by the second quarter of fiscal 2016.

The new mobile classified capability is one piece of the Pentagon’s Joint Information Environment plan, “where our war fighters and national-level leaders can access a secure infrastructure and applications from any device, anytime, anywhere,” said Kim Rice, DISA’s mobility portfolio manager, in a statement.

The new capability will replace the Secure Mobile Environment Portable Electronic Device system, which DISA will phase out July 30. The new program, Rice said, will improve call operability and offer a new mobile device management system expected to enhance security.

Importantly, the new capability offers “a new secure mobile device” with “enhanced graphics, improved sound quality and a longer battery life than earlier pilot devices.” In other words, Pentagon users will be carrying secure mobile devices akin to commercial smartphones with some of the same features, such as cameras, GPS and Bluetooth — although they’ll be disabled for DOD use.

“This release is a big step toward being able to deliver secure mobile capabilities faster than we have ever seen before,” Rice said.

DOD officials plan to triple the number of active users in the near future.


Pomona, NY – Night sights have grown in popularity over the last few years, due primarily to the growing interest in personal protection.

Because night sights work in low, or no light situations, it makes them perfect for home protection, especially if the need arises to seek out your weapon very quickly in the dark.

Kahr Firearms Group has just announced that some of their C-Series pistols will now be offered with night sights. Three of their most popular 9mm models, the CM9093N, CW9093N, and CT9093N, will now be available with night sights.

All three models feature a black polymer frame, matte finish stainless steel slide, a drift-adjustable white bar-dot combat rear sight, and a pinned in polymer front night sight.

The CM9 features a 3.1” barrel length; an overall length of 5.42”, a slide width of .90”, the height is 4.0” and weighs in at just 14 oz.

It has a 6+1 capacity and comes with one 6-round flush floorplate magazine.

The CW9 features a 3.56” barrel, an overall length of 5.9” and a height of 4.5”. It weighs 15.8 oz. without the magazine.

Capacity is 7+1, and comes with one 7-round stainless magazine.

Lastly, the CT9 offers a 3.965” barrel, an overall length of 6.5”, a slide width of .90”; height is 5.08” and weighs just 18.5 oz. without the magazine.

Capacity is 8+1 and comes standard with one 8-round stainless magazine. Cost of the three models featuring night sights is $499 for the CM9093N, $495 for the CW9093N, and $485 for the CT9093N.

Recently, Kahr Firearms Group announced that effective June 1, 2015 through September 30, 2015, Kahr will send one free magazine with the purchase of specific C-Series guns, which includes these 3 models with the night sights.

To receive a coupon for a free magazine, just log onto the Kahr website at www.kahr.com/MagPromo2015.asp and fill out the online form or download the coupon, fill it out and mail, email, or fax it along with a copy of the firearm receipt and the firearm serial number.

The new firearm must have been purchased during the summer promotion period to qualify. Any form submitted without a copy of the receipt and the serial number will not qualify for the magazine promotion. Allow 6 weeks for processing, shipping and delivery.

For more information about Kahr Firearms Group products, log onto www.kahr.com.
