Hack Updates Uber denies security breach despite reports of logins for sale online, The Guardian, March 30, 2015 “Technology site Motherboard was able to verify that some of the stolen credentials were valid and included names, usernames, passwords, partial credit card numbers and telephone numbers for Uber users.” In the past, “Uber has been criticised in the past for the way it handles customer data and the ability of staff to access a “god mode”, which allowed employees to track riders using the GPS in their smartphones and the Uber app.. . . Uber now enforces a “strict policy prohibiting all employees at every level from accessing a rider or driver’s data” except for “legitimate business purposes”, although what constitutes a business purpose is not defined.” Via @GuardianTech @SamuelGibbs Note: Have you heard of Uber ETA? Because it’s the creepiest thing ever. Once you start your ride, you’re given a link to share with your friends showing your ride in real time.
On the upside, maybe they implemented this as a protection feature. No need to “drop-a-pin-and-roll!!!” (The Daily Show – The Fault in Our Schools (3:30-3:37) – 3:08-3:37 is the fuller clip) Verizon Wireless Customers Can Now Opt Out of ‘Supercookies’, NYTimes, March 31, 2015 “In the past, Verizon allowed users to unsubscribe from the marketing side of the program, but they had no option to disable being tagged with the customer codes. Some security researchers quickly illustrated that third parties, like advertisers, could easily exploit Verizon’s persistent tracking to continually follow a user’s web browsing activities.. . . To disable the header tracking, users can opt out of the program called Relevant Mobile Advertising. When that happens, Verizon stops inserting the header, according to the company. Users can unsubscribe from the program on Verizon’s website or by calling 1-866-211-0874.” Via @NYTimes @bxchen Note: Just you average, everyday, here’s how to disable the constant-tracking-of-your-every-move update. Massive denial-of-service attack on GitHub tied to Chinese government, Ars Technica, March 31, 3025 “The massive denial-of-service attacks that have intermittently shut down GitHub for more than five days is the work of hackers with control over China’s Internet backbone, according to two technical reports published Tuesday that build a strong case that government authorities are at least indirectly responsible. Further Reading GitHub battles “largest DDoS (Distributed Denial of Service)” in site’s history, targeted at anti-censorship tools HTTP hijacking used to redirect Baidu search engine traffic into a massive DDoS. GitHub officials have said the torrent of junk data pummeling their servers is the biggest they have ever seen.” Note: On a Computer-Science-As-Art front, this DDoS is a Monet. As far as consumer protection goes, it’s is a nightmare.“This attack demonstrates how the vast passive and active network filtering infrastructure in China, known as the Great Firewall of China or ‘GFW,’ can be used in order to perform powerful DDoS attacks,” the Netresec researchers wrote in a report published Tuesday. “Hence, the GFW cannot be considered just a technology for inspecting and censoring the Internet traffic of Chinese citizens, but also a platform for conducting DDoS attacks against targets world wide with help of innocent users visiting Chinese websites.”” Don’t Touch This AT&T Gigapower: The company wants you to pay it not to sell your data., Slate, March 31, 2015 “I wouldn’t touch Gigapower with a 10-foot Internet cable.” Auerbach explains that “AT&T collects [information on your complete Web-browsing habits], shares it with advertising providers, and then profits off of the advertising revenue generated by the personalized ads.” There’s no “direct exchange of information for cash”; AT&T is smarter than that. AT&T uses “deep packet inspection, which means it basically sniffs all the traffic that goes across its network.. . . DPI is popular among the governments of China, Iran, and other countries that monitor the Internet activity of their residents.” Note: A service provider that tracks users using the same technology as China, Iran, and other monitoring countries? No thanks. But hey, as Ars Technica said, at least AT&T is up-front about how much my data is worth ($29/month). Via @Slate @FutureTenseNow @AuerbachKeller All Together Now Our Data Our Health: A Future Tense event reccap., Slate, March 31, 2015 Joel Selanikio, a Georgetown University assistant professor of pediatrics and CEO of Magpi contended that “that few of us know what to make of that data, and fewer still know what the companies who collect it are doing with it.” He further explains that “we’ve made a deal with the companies that are monitoring us through these devices, but we rarely know what that deal is or what we’ve signed up for.” Medical device security expert, Kevin Fu, summed up the event, stating: “Ultimately, concerns about medical devices may be overblown.. . . [The] biggest concern is the possibility that patients might start to refuse medical care on the basis of sensationalized fears. Instead of wringing our hands . . . we would do well to advocate for greater care, clearer policies, and more robust privacy standards.” Via @Slate @Jacob_Brogan Note: I definitely know people who are fearful of new, integrated systems because they don’t trust who is holding the data, and thus they lose out on medical treatment. That shouldn’t be happening. At the same time, medical data needs to be incredibly secure, because if it’s available on the cloud, it essentially cannot be deleted. So the only way that we are going to assuage the fears of the general public is to get the engineers, the privacy experts, and some translators 🙂 in a room, and lay down the law (so to speak) as to not only what kinds of systems need to be built, but also what language we can use to educate patients to assure them that their care is first and foremost, with the technology merely allowing their care providers to provide better care. Monitoring Your Privacy Program: Part Three, IAPP, March, 24, 2015 “In addition, organizations often underestimate the importance of training. Having great procedures and monitoring in place are a waste of time if employees aren’t aware of them and how to execute on them. Training should be repeated on a regular basis to catch new employees and update veteran employees on changes to the training.” Via @IAPP Note: This article is just a reminder that you can have the greatest privacy program ever in place, but if your employees aren’t trained properly, Target, Home Depot, etc. all still happen, because those were user authentication compromises using key loggers obtained through e-mails. What we, in the networking world, would call a “Level 8 Error”. (“User” or “Political” Layer Error – see OSI: Securing the Stack, Layer 8 — Social engineering and security policy Tech Target, “While not included in the OSI model, this human layer does exist. The eighth layer is the layer at which technology interfaces with people. The eighth layer deals with people and policies. Let’s begin by talking about people.”) Also see RITA — The Reliable Internetwork Troubleshooting Agent, an April Fool’s RFP from 1998): “o Political Layer: Strike advocates of disruptive or obstructive policies with RITA, preferably on the top of the skull. In extreme cases insertion of RITA into bodily apertures may become necessary. WARNING: subsequent failure to remove RITA may cause further problems. o Religious Layer: Strike advocates of disruptive or obstructive religions, and their vendor representatives, with RITA, preferably on the top of the skull. In extreme cases, the RITA may be used as a phlactory, funerary urn, or endcap for bus-and-tag cables.” The Internet of Things makes E.T. Look Inept Amazon moves towards Internet of Things shopping with Dash, The Guardian, April 1, 2015 “The Dash Button is a single-use Wi-Fi enabled ordering device, you press it and it orders directly for you. Of course, until Amazon perfect drone delivery, the new toilet roll may not quite arrive in time … but for plenty of other products will.. . . The future could see a home filled with buy buttons for branded products and machines that can instantly re-order supplies when the coffee, washing powder or nappies run out.” Via @GuardianTech @SamuelGibbs Note: I distinctly remember when my family got a printer a few years’ back, and one day, after a few months of use, we got an e-mail requesting confirmation that we had ordered ink. Uh, nope. So we looked into it. Apparently, the printer had “E.T. phone home”-ed, and when the ink level got low, automatically ordered more ink. In all reality, it’s a major time saver.
One thought on “The SDK: The Privacy Edition 2015.04.01”