Welcome to the September mid-month installment of Secure Group’s Security and Privacy Roundup. Our newsletter focuses on relevant news articles about security and privacy issues in the world today, in order to inform our customers and anyone interested in these issues.This is the third installment of our bi-monthly compilation, and we hope it proves informative.
There are a few compelling stories this month worth following. In order to keep things as relevant as possible, the stories are posted in descending order, with the latest entries first. Remember, check out our previous entries as well!
- September 11th - Half of iOS devices running out-of-date versions, putting users at risk
- September 9th - Data Breach captures data from 10.5 million health-care insurance customers
- September 9th - Library Bows to Police Pressure, Suspends Tor Node
- September 7th - New Android Porn malware takes photo and demands your money
- September 3rd - Department of Justice (DOJ) now requires Warrants to be issued for use of ‘Stingrays'
- August 31st - EFF Want to Overturn Florida Case Allowing Warrantless searches of Americans’ Cell Phone Location Records
A great deal of focus has been put on Android for device and OS fragmentation issues, and resultant vulnerabilities such as Stagefright and Certifi-gate. According to recent research by Duo Security, iOS users may not be much safer. According to their research, half of iOS devices are running a version if iOS below 8.3, and nearly a third are running 8.2 or lower.
Those running 8.3 or lower are susceptible to over 100 known flaws, including Ins0mnia and QuickSand. The former allows apps to “violate background app rules” to steal data or drain the phone’s battery, while Quicksand exposes enterprise credentials and sensitive config details, according to Duo Security R&D program manager, Mike Hanley. Those running 8.2 are susceptible to over 160 flaws. In addition, the 14% who have not yet updated to version 8 are susceptible to 260+ flaws.
According to estimates presented by the security company, twenty million iPhones in use today are running on old hardware that cannot receive security updates. If Apple drops support for its oldest platform (4S), that number will jump to 60 million.
Educating users on the importance of updating is key to protecting them. In an enterprise setting, however, you cannot rely on the users to protect your network, nor can you assume that avoiding Android devices will keep you safe. A mobile device management solution is key to protecting yourself, as is limiting the number of devices supported, even in a BYOD solution. Secure Group recommends that if you are not prepared to dedicate resources to an MDM solution, and the required research and planning to properly deploy a BYOD solution, it is best to drastically limit the devices supported, and to provide a secure, supported communication device to your organization. Secure Phone and SAS can provide you with completely secure encrypted communication, as well as a fully developed management solution.
The US Health Care industry and its affiliates are apparently under siege, as yet another health-care related target has fallen to cyber-criminal activity. The insurance firm Excellus has reported that hackers have managed to gather the personal details of over 10.5 million customers, 7 million of which are “members, patients or others who’ve done business” with BlueCross BlueShield, and the rest Lifetime Health Care customers.
The information gathered is primarily from customers in New York and surrounding regions, specifically BlueCard and BlueCross BlueShield of Central New York, BlueCross and BlueShield of Rochester, and BlueCross BlueShield of Utica-Watertown. Also caught up in the data-heist were members of other plans who sought treatment in the companies 31 county upstate New York service area.
Interestingly enough, the attacks were discovered in early August, but notifications only began being delivered on September 9th, leaving a rather significant gap in which this personal information could have been used. Not to mention that the intrusion resulting in the theft of this data began almost two years ago.
Of even more concern is this - while the data stolen was encrypted, this would not have affected the hackers, who stole the data with administrative credentials. According to WIRED, an Excellus spokesperson told them that by gaining administrative access to the company’s network, encryption could easily bypass encryption, likely by accessing decryption keys available to administrators.
This is one of the largest problems of enterprise systems, and one of the largest problems with the government and law enforcement’s desire to circumvent encryption. While transparency in the corporate world makes sense, it proves a micro-cosm for encryption problems as a whole, proving that any back-door into an encryption system will eventually be exploited. For protecting private data, it is important not to rely on solutions designed for big business, in which administrative access gives complete access to all keys. Any encryption system that provides blanket access to an administrator or group of administrators should be treated as suspect. For example, if encrypting email, PGP encrypts data with session keys, which are then destroyed after use. While it is possible to decrypt these, it takes time and computing power. The real strength of the system is that if one key is compromised, it does not provide access to the remainder.
The tech industry and law enforcement are in pitched battle over improving encryption to protect user’s privacy, or providing back-door access to law enforcement in order to allow them access to monitor for criminal activity. The recent spate of cyber-attacks agains health-care show definitively that back-door access of any type provides a weakness that can be exploited. When choosing your encryption solution/s, whether it be voice encryption, messaging encryption, or email encryption, be sure to choose one like Secure Group, in which the company does not store your personal keys.
Libraries around the world are committed to the freedom to read in privacy, and some have taken steps to protect this right. The Kilton Public Library, in Lebanon, New Hampshire was one of these libraries until just recently, selected to take part in a joint Library Freedom Project and Tor Project program, serving as a pilot location to install Tor relays, and eventually exit nodes, in public libraries all over. The Tor Project includes the Tor Browser, which can help users to surf the internet anonymously.
Unfortunately, Kilton library drew some attention for this move by some powerful players. Just days after announcing participation in the program, a regional Department of Homeland Security office contacted the local police to spread fear, uncertainty, and doubt about Tor. The police then added their two bits with the library board, who suspended the program until a vote is held on September 15th.
Update: Kilton Library has reactivated their Tor Node! According to a post on freekeene.com, several other libraries have been in contact about following suit. This is a victory for privacy and online anonymity, and Secure Group commends the Kilton Public Library, and any others joining this worthy goal.
Surfing for porn, whether on a PC or on a mobile device has always been a risky proposition, exposing its users to any number of malware and viruses. It is no surprise then that a new malware has been found exploiting this market. However, it is not that malware is encountered while attempting to find porn that is the surprise, it is the implementation of the malware itself.
The Android malware, found within apps called “Adult Player” and “Porn Droid”, immediately snaps your picture, and locks your phone with a new pin code as soon as the app is downloaded, and permissions given. It then demands 500$ through a Paypal My Cash card in order to delete the photo, and unlock your phone. In an attempt to look official, it plasters USA government branding, and words the ransom for unlocking your phone as a fine.
This ransomware has been identified as a variant of LockerPIN, an agressive malware that changes your PIN randomly, meaning the attackers cannot unlock your phone. In other words, do not pay the ransom for the convenience of getting your phone back to working order. The device will NOT be unlocked. Typical pin resetting software was relatively easy for the tech savvy to remove, by simply rebooting your device into Safe Mode and performing a few steps.
The only way to remove this version is by wiping the device (a factory reset), and losing all data in the process.
Secure Phone is not susceptible to such attacks, because it limits users to one installation method, and prevents any installation of ‘piggy-back’ malware. For those without such protection, your safest bet is not to install anything from a source other than the Google Play Store. While permission schemas can be suspect on some apps on the Play Store, very few harmful apps actually make it onto the platform.
September 3rd - Department of Justice (DOJ) now requires Warrants to be issued for use of ‘Stingrays’
Smartphone users just became a little safer from surveillance without oversight. The Department of Justice (DOJ) released a number of policy changes regarding the use of fake cell-towers, commonly used to intercept private conversations on unsuspecting smartphone users.
“Stingrays’, otherwise known as fake cell-towers, IMSI catchers, cell-site simulators, and more, are a tool used by law enforcement to trick nearby phones into connecting with them. This allows the agents to learn the unique identifying number of the device and to track it’s location in real time. The data that can be collected by these devices goes well beyond location however - all mobile traffic can be intercepted (voice, data and text). Until recently, law enforcement’s use of these devices have been shrouded in secrecy.
The primary of the DOJ’s very welcome policy changes is that law enforcement agents must now obtain a search warrant supported by probable cause before using a cell-site simulator, except under “exigent circumstances or exceptional circumstances” where the law does not require a search warrant and obtaining one is “impracticable”. Departments will be required to track and report the number of times the technology is deployed under these exceptions.
The policy also governs how long data can be kept from a given operation, and on which targets. For example, when the equipment is used to locate a given device, all data must be deleted “as soon as the device is located, and at least once daily”. In addition, data contained on the phone itself, such as emails, text, contact lists and images, cannot be collected.
While this policy is a positive step, it does not have the force of law, and doesn’t provide remedy to people whose data was gathered by previous operations without a warrant, nor will it keep evidence in violation of this policy out of court. The policy also does not apply to “national security” usage.
As EFF points out, without a statute or court decision giving this voluntary policy the force of law, there are no consequences if law enforcement agents ignore the policy and use IMSI Catchers without warrants. The warrant requirement needs to be extended to all state and local law enforcement as well.
Secure Group too commends the DOJ for taking this initiative, and hopes it is a sign of things to come. Until IMSI Catchers (cell-site simulators) are no longer able to be deployed at a whim by law enforcement, our privacy continues to be at risk, and products like Secure Phone will continue to be required. We urge other law enforcement agencies to take similar stances, and push for legal change as well, in order to build trust and transparency.
August 31st - EFF Want to Overturn Florida Case Allowing Warrantless searches of Americans’ Cell Phone Location Records
The question of whether Americans’ locational data is free from warrantless search and seizure is to be argued in the Supreme Court. A recent Florida court case hinged strongly on just such information from the defendant’s cell phone. In the court case of Quartavious Davis v. United States, primary evidence in the case includes 67 days worth of locational data, detailing more 11000 cell site locations, pinpointing the defendant at various robberies without obtaining a search warrant. The trial court denied Davis' motion to suppress the records and Davis was ultimately convicted. The EFF filed an amicus brief with the Supreme Court of the United States, challenging this ruling.
In this amicus brief (an amicus brief is a brief filed with the court by an interested party who is not one of the litigants), the EFF states that Americans have the right to expect that digital records of their daily travels (when they leave home, where they go, and how long they stay) is private information, and should be protected by the Fourth Amendment’s guarantee against unreasonable searches and seizures.
The decision in Davis’ case by the U.S. Court of Appeals for the Eleventh Circuit conflicts with an earlier decision from the Florida Supreme Court, and a later decision from the U.S. Court of Appeals for the Fourth Circuit, which found people do have an expectation of privacy in locational and cell phone records, and that police should require a warrant to get them. The Eleventh Circuit’s decision ignores that nearly all Americans carry a cellphone, and potentially leave a digital trail that is accessible at any time. Without a strong ruling, the public is at risk from overzealous law enforcement, and cannot be guaranteed any level of constitutional protection with regards to their locational information.
Until clear rulings are obtained, Secure Group recommends that smartphone users disable locational services on their phone and its apps. Unfortunately, this will not entirely protect from IMSI catchers and location tracking based on cell towers. Locational information can be made difficult to obtain by sticking to data-only communication, avoiding baseband communication methods such as SMS messaging and standard cellular voice traffic. Our Secure Phone can help with this.
Thanks for reading! We hope this newsletter proves informative. Please leave comments below, or contact us!