The Carrier IQ Saga

The story so far: security researcher Trevor Eckhart exposed some very disturbing information about the "Carrier IQ" application here. This set off a small firestorm, which quickly got much bigger when Carrier IQ responded by attempting to bully and threaten him into silence. This did not go over well. After he refused to back down, they retracted the threats and apologized.

Eckhart followed up by posting part two of his research, demonstrating some of his findings on video. Considerable discussion of that demonstration ensued, for example here and here and here. Some critics of Eckhart's research have opined that it's overblown or not rigorous enough. But further analysis and commentary suggest that the problem could well be worse than we currently know. Stephen Wicker of Cornell University has explored some of the implications, and his comments seem especially apropos given that Carrier IQ has publicly admitted holding a treasure trove of data. Dan Rosenberg has done further in-depth research on the detailed workings of Carrier IQ, leading to rather a lot of discussion about Carrier IQ's capabilities -- there's some disagreement among researchers over what Carrier IQ is doing versus what it could be doing, e.g.: Is Carrier IQ's Data-Logging Phone Software Helpful or a Hacker's Goldmine?

Meanwhile, the scandal grew, questions were raised about whether it violated federal wiretap laws, at least one US Senator noticed, and Carrier IQ issued an inept press release. Phone vendors and carriers have begun backing away from Carrier IQ as quickly as possible; there were denials from Verizon and Apple. T-Mobile has posted internal and external quick guides about Carrier IQ. Some of the denials were more credible than others. There has been some skepticism about Carrier IQ's statements, given their own marketing claims and the non-answers to some questions. There's also been discussion about the claims made in Carrier IQ's patent.

Then the lawsuits started, see Hagens Berman and Sianna & Straite and 8 companies hit with lawsuit for some details on three of them.

Attempts to figure out which phones are infected with Carrier IQ are ongoing. For example, the Google Nexus Android phones and original Xoom tablet seem to not be infected, nor do phones used on UK-based mobile networks, but traces of it are present in some versions of iOS, although their function isn't entirely clear. A preliminary/beta application that tries to detect it is now available. Methods for removing it have been discussed.

Meanwhile, a Freedom of Information Act request's response has indicated (per the FBI) that Carrier IQ files have been used for "law enforcement purposes", but Carrier IQ has denied this. And there seems to be a growing realization that all of this has somehow become standard practice; as Dennis Fisher astutely observes, With Mobile Devices, Users Are the Product, Not the Buyer.

Those are the details; now what about the implications?

Debate continues about whether Carrier IQ is a rootkit and/or spyware. Some have observed that if it's a rootkit, it's a rather poorly-concealed one. But it's been made unkillable, and it harvests keystrokes -- two properties most often associated with malicious software. And there's no question that Carrier IQ really did attempt to suppress Eckhart's publication of his findings.

But even if we grant, for the purpose of argument, that it's not a rootkit and not spyware, it still has an impact on the aggregate system security of the phone: it provides a good deal of pre-existing functionality that any attacker can leverage. In other words, intruding malware doesn't need to implement the vast array of functions that Carrier IQ already has; it just has to activate and tap into them.

Which brings me to a set of questions that probably should have been publicly debated and answered before software like this was installed on an estimated 150 million phones. I'm not talking about the questions that involve the details of Carrier IQ -- because I think we'll get answers to those from researchers and from legal proceedings. I'm talking about larger questions that apply to all phones -- indeed, to all mobile devices -- such as:

  • What kind of debugging or performance-monitoring software should be included?
  • Who should be responsible for that software's installation? Its maintenance?
  • Should the source code for that software be published so that we can all see exactly what it does?
  • Should device owners be allowed to turn it off/deinstall it -- or, should they be asked for permission to install it/turn it on?
  • Will carriers or manufacturers pay the bandwidth charges for users whose devices transmit this data?
  • Should carriers or manufacturers pay phone owners for access to the device owners' data?
  • Where's the dividing line between performance-measuring data that can be used to assess and improve services, and personal data? Is there such a dividing line?
  • Will data transmission be encrypted? How?
  • Will data be anonymized or stripped or otherwise made less personally-identifiable? Will this be done before or after transmission or both? Will this process be fully documented and available for public review?
  • What data will be sent -- and will device owners be able to exert some fine-grained control over what and when?
  • Who is responsible for the security of the data gathered?
  • Who will have access to that data?
  • When will that data be destroyed?
  • Who will be accountable if/when security on the data repository is breached?
  • What are the privacy implications of such a large collection of diverse data?
  • Will it be available to law enforcement agencies? (Actually, I think I can answer that one: "yes". I think it's a given that any such collection of data will be targeted for acquisition by every law enforcement agency in every country. Some of them are bound to get it. See "FBI", above, for a case in point.)

Lots of questions, I know. Perhaps I could summarize that list by asking these three instead: (1) Who owns your mobile device? (2) Who owns the software installed on your mobile device? and (3) Who owns your data?

Use of the Black Hole exploit kit and Java exploits is growing

Security experts are increasingly concerned about the growth of Java as the application of choice for criminals. Java either is or will imminently become the favorite application attack vector, surpassing even PDF and SWF files.

Vyacheslav Zakorzhevsky, a security expert with Kaspersky Lab, has written that a Java exploit first published in October and used in drive-by attacks has found its way into the Black Hole exploit kit, aimed primarily at “users in Russia, the US, the UK and Germany.”

“Java is probably the vector most commonly exploited by cybercriminals,” says SophosLabs security expert Paul Baccas, “and we don't see any sign of this situation changing anytime soon.  The Black Hole exploit pack is the most commonly used malicious software installer that SophosLabs have been seeing in the last three months.” Together they make a noxious cocktail.

According to Oracle, there are more than 13 thousand million devices running Java. Criminals are turning to Java because they are businessmen – they tend to perform cost-benefit analyses. “Having so many devices using the same software is a great opportunity,” says Luis Corrons, technical director at Panda Labs. “That’s why cybercriminals have targeted Windows for so many years.” But since Microsoft started to build a more secure operating system, criminals have had to look elsewhere to get a good return. “The main condition,” continues Corrons, “is that it has to be widespread, such as PDF, Flash, and browsers. That’s the case with Java; it is widespread and it is really convenient for everyone, both users and cybercriminals.”

The problem with Java, says ESET senior research fellow David Harley, comes “from the fragmentation of its implementations across platforms and devices,” and he’s not sure “how far it’s possible to fix it across the board.”

If Oracle cannot fix it, it falls on the user to take more care (as it does in all security matters). It is worth noting that according to Microsoft research (Microsoft Security Intelligence Report, v11), the use of an exploit peaks a full two months after the software has been patched. Zealous patching is a great part of the solution.

“Once again we see that malware writers are forging ahead and are continually improving their creations,” concludes Zakorzhevsky. “It is, therefore, critical that all users install Java updates from Oracle in a timely manner.”

Microsoft software bug linked to "Duqu" virus

News of Duqu surfaced in October when security software maker Symantec Corp said it had found a mysterious computer virus that contained code similar to Stuxnet, a piece of malicious software believed to have wreaked havoc on Iran's nuclear program.

Government and private investigators around the world are racing to unlock the secret of Duqu, with early analysis suggesting that it was developed by sophisticated hackers to help lay the groundwork for attacks on critical infrastructure such as power plants, oil refineries and pipelines.

Details on how Duqu got onto infected machines emerged for the first time on Tuesday as Microsoft disclosed its link to the infection.

Separately, Symantec researchers said they believe hackers sent the virus to targeted victims via emails with tainted Microsoft Word documents attached.

If a recipient opened the Word document and infected the PC, the attacker could take control of the machine and reach into an organization's network to propagate itself and hunt for data, Symantec researcher Kevin Haley told Reuters.

He said some of the source code used in Duqu was also used in Stuxnet, a cyber weapon believed to have crippled centrifuges that Iran uses to enrich uranium.

That suggests that the attackers behind Stuxnet either gave that code to the developers of Duqu, allowed it to be stolen, or are the same people who built Duqu, Haley said.

"We believe it is the latter," he said.

Products of Facebook

Your information is valuable! If privacy is of any concern DO NOT USE social media sites... get your own personal site/blog and be in control!!


Privacy and concerns

As the world's largest community operator one would expect Facebook to be at the front of the debate on privacy. However Facebook is front, center, left and right - why? Is it because Facebook has scaled so quickly and is breaking new ground or are there fundamental cultural issues regarding Facebook's view of community?

Facebook has a history of being 'liberal' with members' privacy:

  • According to SAI sources the following exchange is between a 19-year-old Mark Zuckerberg and a friend shortly after he launched Facebook:
    Zuck: Yeah so if you ever need info about anyone at Harvard
    Zuck: Just ask.
    Zuck: I have over 4,000 emails, pictures, addresses, SNS
    [Redacted Friend's Name]: What? How'd you manage that one?
    Zuck: People just submitted it.
    Zuck: I don't know why.
    Zuck: They "trust me"
    Zuck: Dumb f***s.
  • Nov 2007 - Facebook launched Beacon - a part of Facebook's advertising service that sent data from external sites to Facebook. The controversial service created considerable concerns around privacy and Facebook later shut down the service after first changing the system to be opt-in.

  • Feb 2009 - Facebook cut its TOS from 15 to 5 pages and users alleged Facebook's new terms claimed ownership over their photos, videos and other content posted to the site. Facebook quickly backtracked saying users, not Facebook, own the content - however there remains no export functionality.

  • Dec 2009 - Facebook announced new privacy changes in this blog post where users had privacy settings such as Posts I create (status messages, links, photos, videos and notes) auto defaulted to 'everyone' meaning the world via search engines.

  • Dec 2009 - Facebook notified users of privacy changes via a pop-up notification. While the message claimed that Facebook was displaying the message to give users more privacy controls, blindly clicking “next” was a way to make much of your data public. And in fact, some data like the Friends List has become more public without any settings changes by users (Mashable). Zuckerberg declared privacy as "no longer a social norm".

  • Apr 2010 - Facebook launched Instant Personalization, opting in all members by default. This stirred up lawmakers. US Senator Charles Schumer raised concern to the FTC about how Facebook disseminates information.

  • May 2010 - Privacy blunder which exposed live chat sessions as detailed in a Tech Crunch blog titled, 'Major Facebook security hole lets you view your friends’ live chats.'

Source: IT Toolbox


May 13, 2010 at 7:22pm ET by Danny Sullivan

Are a significant number of people cancelling their Facebook accounts because of privacy concerns? The easy answer would be for Facebook to publish cancellation stats. I asked; they declined and gave me growth figures instead. Those growth figures suggest that yes, the privacy issues might be hurting.

Does Interest In Deleting = Quitting?

I’ve written twice this week now about how search-related data shows a spike in people seeking information about how to cancel their Facebook accounts:

But does that interest translate into actual cancellations? I asked Facebook if it would provide month-by-month figures for those deleting their accounts, along with user growth figures. Instead, I was provided this:

We don’t release the specific data you’re looking for. I can say that since our recent developer conference, Facebook has grown by more than 10 million active users.
