Wednesday, November 28, 2007

Is Your iPhone Tracking You?

by: Dr. Steffen Schmidt
As if life were not insecure enough, every day there are new claims that our security and privacy are at risk. The following was posted just hours ago and raises some interesting privacy issues with iPhone use. Of course, we have indicated in previous posts (and in our first book “Who is You”) that wireless phones and computing are not secure at all unless the traffic is encrypted.

“As I sit here applying a new layer of Reynolds tin foil to my international hat of conspiracy, it’s been proven that Apple tracks iPhone usage and tracks the IMEI numbers of all their iPhones worldwide. Hidden in the code of the “Stocks” and “Weather” widgets is a string that sends the IMEI of your phone to a specialized URL that Apple collects.

When the widgets perform a query an IMEI is handed off to Apple’s servers:

dgw?imei=%@&apptype=finance

This lets Apple know which app you are using when connecting with your iPhone. Obviously, they know the IP address you were using, the stock companies you are interested in, and so they can track down their customers all around the world. This also proves that there are probably other apps that do the same. Weather.app is also acting the same way. (Offset 13AE0)

Any attempts to modify the URL to exclude the IMEI information will not allow you to retrieve any information in the “Stocks” and “Weather” apps. It is still unknown if any other applications leak information to Apple HQ.

And did you know you actually consented to this gross invasion of privacy?

When you interact with Apple, we may collect personal information relevant to the situation, such as your name, mailing address, phone number, email address, and contact preferences; your credit card information and information about the Apple products you own, such as their serial numbers and date of purchase; and information relating to a support or service issue.

Obviously “Weather” is kinda benign, but Apple knowing your Stock habits, isn’t that a little personal? What’s next, they read your email too? Now who thinks I’m crazy?”


This is posted on the following website, and while we cannot verify its accuracy we will be more careful using our iPhone until this is cleared up.

http://uneasysilence.com/archive/2007/11/12686/
The reality of life in the early 21st century is that we should suspect that most of what we do is being monitored, tracked, scrutinized, and recorded. Hopefully the privacy intruder is relatively benign, as we assume Apple and the iPhone folks are. Unfortunately it is often malignant and dangerous to our personal health, safety, and financial protection.
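For readers who would rather check a claim like this on their own traffic than take it on faith: the `%@` in the quoted string is an Objective-C format placeholder that the app fills in with the real IMEI at runtime, so the identifier ends up in the query string of the request, and if that request is plain HTTP it is visible to anyone on the network path, not only to the server at the other end. The following is an added example, not code from the quoted post or from Apple. It scans constructed proxy log lines for query parameters that either carry an identifier-style name (`imei`, `udid`, and so on; that list is an assumption, not exhaustive) or hold a 15-digit value that passes the IMEI check-digit (Luhn) test, so a renamed parameter is still caught. The hostnames and the log format are hypothetical.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Query-parameter names that commonly carry a hardware identifier.
# Assumption: a starting list for illustration, not an exhaustive one.
ID_PARAM_NAMES = {"imei", "meid", "udid", "serial", "deviceid"}
FIFTEEN_DIGITS = re.compile(r"^[0-9]{15}$")


def luhn_valid(digits: str) -> bool:
    """Luhn check, which is how the 15th digit of an IMEI is derived."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def inspect_url(url: str):
    """Return (param, value, reason) findings for one outbound request URL."""
    findings = []
    for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        if name.lower() in ID_PARAM_NAMES:
            findings.append((name, value, "identifier parameter name"))
        elif FIFTEEN_DIGITS.match(value) and luhn_valid(value):
            # The parameter was renamed, but the value is still IMEI-shaped.
            findings.append((name, value, "15-digit Luhn-valid value"))
    return findings


def scan_proxy_log(lines):
    """Scan 'timestamp client METHOD url' lines; return (line_no, host, findings)."""
    hits = []
    for n, line in enumerate(lines, 1):
        fields = line.split()
        if len(fields) < 4:
            continue
        url = fields[3]
        findings = inspect_url(url)
        if findings:
            hits.append((n, urlsplit(url).hostname, findings))
    return hits


# Constructed sample log lines. Hosts are hypothetical; the 15-digit value
# is a Luhn-valid test number, not a real device's IMEI.
SAMPLE_LOG = [
    "2007-11-28T10:02:11Z 10.0.0.5 GET http://collector.example.com/dgw?imei=490154203237518&apptype=finance",
    "2007-11-28T10:02:12Z 10.0.0.5 GET http://weather.example.com/forecast?zip=50011",
    "2007-11-28T10:02:13Z 10.0.0.5 GET http://collector.example.com/dgw?id=490154203237518&apptype=weather",
    "2007-11-28T10:02:14Z 10.0.0.5 GET http://news.example.com/item?ref=123456789012345",
]

if __name__ == "__main__":
    for line_no, host, findings in scan_proxy_log(SAMPLE_LOG):
        for param, value, reason in findings:
            print(f"line {line_no}: {host} receives {param}={value} ({reason})")
```

The fourth sample line carries a 15-digit value that fails the Luhn check, so it is not reported; that keeps order numbers and timestamps from flooding the output, at the cost of missing an identifier that was deliberately mangled before sending.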


Thursday, November 22, 2007

Brit Data Loss Hits 40% of Population; Bureaucrats should be sent to US Guantanamo Bay Military Detention center for Training.

Prof. Steffen Schmidt

The story datelined London, Nov. 21, 2007 opened this way:

The British government struggled Wednesday to explain its loss of computer disks containing detailed personal information on 25 million Britons, including an unknown number of bank account identifiers, in what analysts described as potentially the most significant privacy breach of the digital era. The New York Times, “Data Leak in Britain Affects 25 Million”, by Eric Pfanner

The data was on two disks that were sent, unregistered, by the private delivery service TNT. The disks were apparently protected by a password, but the data itself was not encrypted, and a password on unencrypted data is not a meaningful obstacle to anyone who obtains the disks. They were sent by Her Majesty’s Revenue and Customs (HMRC), the tax collection agency, to the National Audit Office, which monitors government spending.

It appears to me that the bureaucrats in the British government who handle such sensitive information in such astounding volume were never once told about identity theft and were not trained in handling such life-changing information. This is not shocking to me at all, since data handling for identity theft protection has been cavalierly ignored by governments, by private companies and corporations, as well as by non-profits, clubs, social organizations, educational institutions, insurers, and health care providers.

According to the New York Times,

The data went astray in October, after two computer disks that contained information on families that receive government financial benefits for children were sent out from a government tax agency unregistered, via a private delivery service. The episode is one of three this year in which the agency improperly handled its vast archive of personal data, according to an account by the chancellor of the Exchequer — including the sending of a second set of disks when the first set did not arrive.

The lost disks apparently contained personal information on 40 percent of the population of the country: people’s names, addresses, bank account numbers, and their National Insurance numbers, the British equivalent of Social Security numbers. The disks also contained data on almost every child under 16 in Britain.

Experts said the information could allow crimes beyond identity theft. Some people use the name of a child or part of an address as a password on a bank account, so the combination of these details could allow someone to break their code.
Apparently the government also waited an ungodly long time before informing the banks, so that they could put higher levels of security in place and monitor unusual activity on people’s accounts.

The British Prime Minister Gordon Brown apologized and the head of the tax agency resigned. Oh goody! That will calm the nerves of half of the population of Britain who are now faced with years of anxiety over their personal information.

Government Information Commissioner Richard Thomas said he was shocked at the scale of the security breach.

“It's almost certain that they have broken the data protection law. This is a shocking case. I'm at a loss to find out what happened in this situation,” he told BBC radio.

He also said his office had been issuing warnings about data protection to organizations for years.

“We've been all the time saying that the more you are collecting personal data, for understandable reasons, the more the risks increase and the more you must be aware of what can go wrong.” Globe and Mail

The irony is that in Europe the collection and sale of personal information is tightly restricted by data protection law, but of course that does little to stop a “junior” staff member of the tax collection agency from sending disks with all this vital data. I find it mind-boggling to begin with that a “junior” staff member would be allowed to even touch such data. I also find it criminally negligent that so much vital information would be aggregated in a single location.

What can we learn?

First of all, this example is proof positive that we need massive and highly intrusive data protection training for employees who handle such information.

Secondly, this tragedy demonstrated clearly that encryption is not optional: it should be absolutely required and mandated, and its omission a punishable offense.

Third, the case suggests that my computer and information geek friends need to develop a radical new best practice for data storage and management. I would suggest a system of distributed and disaggregated data storage, where files are NOT all kept together in one database and where the pieces of identity information for each file are also not stored together. The algorithms for managing this information would be written in such a way that when data is needed the system seeks the required pieces, temporarily assembles each person’s record for the specific use, and when the operation is finished the assembled data evaporates and the encrypted system goes back to disaggregated storage.
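One concrete way to build the disaggregated storage described in the third lesson is n-of-n secret sharing: each field of a record is split into random-looking shares held in separate stores, and only XORing all the shares together reproduces the field. The example below is added here and is not from the original post. It uses Python’s standard library only, a dict per store as a stand-in for separate databases, and a constructed, fictional record. A thief who walks off with one store’s disk holds nothing but random bytes; the record exists in plaintext only inside `with_record`, which zeroes the assembled buffers once the caller is done with them.

```python
import secrets
from typing import Dict, List


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def split_secret(data: bytes, n_stores: int) -> List[bytes]:
    """n-of-n XOR secret sharing: every share is uniformly random and the
    XOR of all n shares is the original value. Any n-1 shares together
    carry no information about the data."""
    shares = [secrets.token_bytes(len(data)) for _ in range(n_stores - 1)]
    last = data
    for share in shares:
        last = xor_bytes(last, share)
    shares.append(last)
    return shares


def join_shares(shares: List[bytes]) -> bytes:
    out = bytes(len(shares[0]))
    for share in shares:
        out = xor_bytes(out, share)
    return out


# Each "store" is a separate database in the proposal above; here it is a
# dict keyed by record id, then field name (a constructed stand-in, not a DBMS).
Store = Dict[str, Dict[str, bytes]]


def store_record(stores: List[Store], record_id: str, record: Dict[str, str]) -> None:
    """Split every field across all stores; no store ever holds plaintext."""
    for field, value in record.items():
        for store, share in zip(stores, split_secret(value.encode(), len(stores))):
            store.setdefault(record_id, {})[field] = share


def with_record(stores: List[Store], record_id: str, fields: List[str], use):
    """Reassemble only the requested fields, hand them to `use`, then wipe
    the assembled buffers so the plaintext does not linger."""
    assembled: Dict[str, bytearray] = {}
    for field in fields:
        shares = [store[record_id][field] for store in stores]
        assembled[field] = bytearray(join_shares(shares))
    try:
        return use(assembled)
    finally:
        for buf in assembled.values():
            buf[:] = bytes(len(buf))   # overwrite the plaintext with zeros


# Constructed sample record (fictional values).
RECORD = {
    "name": "Jane Doe",
    "address": "1 High Street, Anytown",
    "bank_account": "12345678",
    "ni_number": "QQ123456C",
}
STORES: List[Store] = [{}, {}, {}]
store_record(STORES, "rec-1", RECORD)


def lookup_ni_number(record_id: str) -> str:
    """Example operation: read one field, then let the assembly evaporate."""
    return with_record(STORES, record_id, ["ni_number"],
                       lambda r: r["ni_number"].decode())


if __name__ == "__main__":
    print("one store holds only:", STORES[0]["rec-1"]["ni_number"].hex())
    print("assembled on demand:", lookup_ni_number("rec-1"))
```

Two caveats a practitioner would add. The wipe covers only the bytearrays the function built; a `str` the callback returns is a fresh copy the interpreter manages, so callers should keep what they extract to a minimum. And an n-of-n scheme means that losing any one store loses the data, so availability has to come from backups of each store or from a threshold scheme such as Shamir’s secret sharing, which trades some of the "one disk reveals nothing" property for tolerance of a missing store.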

One side effect of the data loss was to deal a blow to Britain’s plan to issue a national ID card.

Critics of Britain's plans for compulsory identity cards said on Wednesday the multi-billion pound scheme should be ditched after the data loss.

Opposition politicians and other opponents said the loss showed the government could not be trusted to bring in ID cards, which would involve one of the world's biggest IT schemes.

The Globe and Mail: http://www.theglobeandmail.com/servlet/story/RTGAM.20071121.wukdatalosss1121/BNStory/International/home


Wednesday, November 21, 2007

New Risks you Cannot Control


In the world of risks we are confronted with a range of dangers, from sloppy personal behavior (losing your wallet at the State Fair) to flaws in the most basic computation and processing systems. Our identity theft protection project (funded in part by the National Science Foundation and by the Center for Information Protection) deals mostly with the human behavior flaws that lead to data loss risks.

At the other end of the spectrum, it was revealed this week that there are other and much larger risks, as John Markoff writes in the New York Times (Nov. 17, 2007).

“One of the world’s most prominent cryptographers issued a warning on Friday about a hypothetical incident in which a math error in a widely used computing chip places the security of the global electronic commerce system at risk.”

Adi Shamir, a professor at the Weizmann Institute of Science in Israel, circulated a research note about the problem to a small group of colleagues. He wrote that the increasing complexity of modern microprocessor chips is almost certain to lead to undetected errors.

Historically, the risk has been demonstrated in incidents like the discovery of an obscure division bug in Intel’s Pentium microprocessor in 1994 and, more recently, in a multiplication bug in Microsoft’s Excel spreadsheet program, he wrote.

“A subtle math error would make it possible for an attacker to break the protection afforded to some electronic messages by a popular technique known as public key cryptography.”

Although it is too complex for a discussion such as ours here, we do wish to point out that this is one of those “systemic breakdowns,” as opposed to the “personal behavioral breakdowns” which we are studying and for which we are seeking solutions through highly targeted and systematic education and training.
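The mechanism behind the warning is worth seeing once, because it shows why a single wrong multiplication can be catastrophic. RSA implementations normally sign using the Chinese Remainder Theorem: the signature is computed separately modulo each secret prime and then recombined. If that computation is wrong modulo one prime but right modulo the other, the resulting signature shares exactly one prime with the public modulus, and a gcd exposes it. This is the well-known fault attack on RSA-CRT (Boneh, DeMillo and Lipton; the single-signature variant is due to Lenstra). The code below is an added example and is not from the article or from Shamir’s note: it uses a toy key built from two known Mersenne primes and models the hardware bug as a deliberate bit flip in one CRT branch, rather than a real chip defect triggered by a chosen input.

```python
from math import gcd

# Toy RSA key from two known primes (Mersenne primes 2^127-1 and 2^89-1).
# Assumption: a fixed small key for illustration only; real keys are far larger.
P = 2**127 - 1
Q = 2**89 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))
D_P, D_Q = D % (P - 1), D % (Q - 1)   # CRT exponents
Q_INV = pow(Q, -1, P)                 # CRT coefficient


def modexp(base: int, exp: int, mod: int, fault: bool = False) -> int:
    """Square-and-multiply. With fault=True one bit of the result is flipped,
    standing in for a chip whose multiplier returns a wrong product."""
    result, base = 1, base % mod
    while exp:
        if exp & 1:
            result = result * base % mod
        base = base * base % mod
        exp >>= 1
    if fault:
        result = (result ^ 1) % mod
    return result


def sign_crt(m: int, fault_in_p: bool = False) -> int:
    """RSA signature via the Chinese Remainder Theorem (Garner's recombination)."""
    s_p = modexp(m, D_P, P, fault=fault_in_p)   # half computed modulo p
    s_q = modexp(m, D_Q, Q)                     # half computed modulo q
    h = Q_INV * (s_p - s_q) % P
    return s_q + Q * h


def verify(m: int, s: int) -> bool:
    return pow(s, E, N) == m


def recover_factor(m: int, faulty_sig: int) -> int:
    """Lenstra's observation: a signature that is wrong modulo p but right
    modulo q satisfies s^e == m (mod q) only, so gcd(s^e - m, N) == q."""
    return gcd(pow(faulty_sig, E, N) - m, N)


MESSAGE = int.from_bytes(b"order #1234: pay 100", "big")   # constructed sample

if __name__ == "__main__":
    good = sign_crt(MESSAGE)
    bad = sign_crt(MESSAGE, fault_in_p=True)
    print("correct signature verifies:", verify(MESSAGE, good))
    print("faulty signature verifies:", verify(MESSAGE, bad))
    factor = recover_factor(MESSAGE, bad)
    print("recovered q:", factor == Q, "and N // q == p:", N // factor == P)
```

Shamir’s scenario differs from a physical glitch only in how the error is caused: a chip that miscomputes one particular product lets an attacker choose a message that steers the computation through that product, but the key-recovery step is the same gcd. The standard countermeasure is for the signer to verify its own signature against the public key before releasing it, which is why a bug like this matters most where that check is skipped or is itself subject to the same faulty arithmetic.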


The lesson for those of us working in the area of critical information protection is clearly that there needs to be a range of security assessment, starting with hardware and software makers (including cell phone companies whose wireless transmissions are woefully insecure), extending to the personal behavior of employees handling sensitive material, and ultimately to ourselves in our daily behavior. (This is outlined in our first book “Who is You: The Coming Epidemic of Identity Theft”.)



Monday, November 19, 2007

Information Protection and Behavior Modification


In 2006-2007 the National Science Foundation (NSF) and the Iowa State University Center for Information Protection (CIP) funded a study on information and identity theft protection of which I am the PI (Principal Investigator). The NSF-CIP project is directed at identifying the factors that lead to data and critical information loss and then designing targeted and appropriate educational/training programs that change people’s behavior and lead to more “Security Consciousness” (SEC-CON).

As a result of this research we are now developing best practices for information and ID protection. Our colleagues in computer science, computer engineering, mathematics, and management information systems (MIS) are working on parallel discoveries that will make information more secure and personal identities less vulnerable. Their work and ours will be incorporated into corporate, government, non-profit organizations and into individual practices.

I am delighted to report some preliminary findings which can help secure information.

Individuals need to have personal security of personal data high on their “awareness” list. In fact research shows that ID security needs to become a “second sense”. It should never be something we do once a month or quarterly.

There is now significant evidence that there is an “Unwarranted Trust” - UT -factor which basically “disarms” people’s behavior when it comes to securing and protecting sensitive data. Understanding UT as a sociological and psychological behavioral phenomenon, we feel, is THE single most critically important factor in successful “Security Behavior Modification” – SBM.

The second phase of the NSF-CIP project is designed to develop a continuous-improvement paradigm for training employees who have access to critical information. As one of our sponsors, who is with a large multinational company, pointed out at a recent briefing, SBM is invaluable not only for the protection of traditional data of concern such as Social Security numbers, credit card numbers, and birth dates, but also as a means of sensitizing employees to the risk of revealing or losing proprietary information, business plans, patents, and other information that should be secured and protected.

For more information on the National Science Foundation/Center for Information Protection project please contact us at ---
Michael McCoy - 559 Ross Hall Ames, IA. 50011-1204 or email: mrmccoy@iastate.edu


Steffen Schmidt


Saturday, November 17, 2007

Only If You Must

I cannot remember a seminar or lecture I have given at which I have not been asked, “What should I do when someone asks me for my Social Security number?”

I always answer, “Give it out only if you must.”

Each person must decide whether to give out their SS# or not, but remember that each business asking for it can decide whether or not to do business with you. So you must decide: does the benefit of giving out your SS# outweigh the risk? You need to ask yourself, “DO YOU FEEL LUCKY?” (Clint Eastwood)

The Social Security Administration states:
“Your Social Security number and our records are confidential. We do not give your number to anyone, except when authorized by law. You should be careful about sharing your number with anyone who asks for it (even when you are provided with the benefit or service).” (SSA Publication No. 05-10064)


  • All Material is Copyright © 2009 Michael McCoy and SEAS, L.L.C
  • Deter. Detect. Defend. Avoid ID Theft - www.ftc.gov/idtheft