This had to happen sooner or later. A virus has been discovered that can affect Android phones. It uses the conference call feature of the phone to send your conversations to a remote server (spying on your conversations).

The virus is reported to now be on over 150,000 phones. This is quite serious. There are also two strains of the virus now, indicating that people are working on making things worse for everyone.

This virus is called HongTouTou. It was discovered in an app called Dynamic Footprint Wallpaper, hosted on an app store in China. More information here.

How can a phone get a virus?

Android phones are smartphones, meaning the phone is actually a computer. And like any other computer you can download and install programs onto it, commonly called Apps.

Now the philosophy behind Android phones is that it’s less regulated than other phones, such as Apple’s iPhone, and you’re free to install any app you want. Even ones that contain viruses.

With Android phones you have a choice where to download your apps from. And unfortunately this included untrusted sources where people can add viruses to apps. It’s all very similar to Windows PCs and the popular viruses from a few years ago.

What about iPhones and other phones?

This particular virus only affects Android, not any other phones.

How to avoid HongTouTou?

For now the best thing to do is to only use app stores you trust. Don’t rush into downloading an app just because it’s popular or cool, read up on it first.

The following message gets sent to BlackBerries. The idea is that people believe what’s written there and forward it to all their contacts. Then each one of those people repeats the same process.

It’s a hoax. No damage can be done by the message, whether you forward it or not. And of course it will annoy people if you do forward it. It’s also very unprofessional to forward things like this to work contacts.

The message reads:

Do not accept this contact : 21536 (mireya diaz) she’s a hacker!!!! She will format ur blackberry and all ur contacts also.

Att: if one of ur contacts accept her u will get hacked also!!! Send this to all ur contacts

And don’t take the mentality that you should forward it “just in case”, or that it’s “better to be safe than sorry”. This is the wrong attitude. Make a stand and accept that it’s a hoax, and let others know.

There’s also something called a “barcode photo” that people talk about on BlackBerry forums. I don’t use a BlackBerry so I don’t know what this is, but apparently you shouldn’t share this barcode with people you don’t trust. It lets strangers add your BlackBerry to their contacts and send you hoaxes etc. You should stay in control of your privacy and choose who to share details with.

Some people know what a cookie is, what it’s good for and how it can be abused. If you don’t here’s a very short summary:

• Cookies are codes that web sites save to your computer
• They’re used to help web sites remember who you are. E.g. when you log onto eBay and come back the next day, it remembers who you are.
• Marketing companies use them to keep track of how many of their ads you saw and where you might have seen them

So they’re not really a bad thing but marketing companies use them to track things about you. Then there are programs that try to delete them off your PC. Usually these programs are branded with words like “anti-spyware”, this isn’t completely accurate but that’s where you’ll see them. This is all fine so far.

And you can always delete cookies yourself. In Internet Explorer there’s an option in the Tools menu. All other browsers have similar options, usually in a tools or settings menu.

But there’s another kind of cookie that often gets overlooked – they’re called Flash cookies.

Unlike regular cookies, Flash cookies are not stored in your web browser’s settings. Deleting all privacy data leaves Flash cookies alone. Even deleting all cookie files off your drive skips Flash cookies.

Flash has a feature that lets web sites store a bit of information on your computer, just like a regular “cookie”. By itself this is harmless, but some developers have taken advantage of its features and use them to track you just like regular cookies. This by itself could be seen as a minor annoyance, it’s not dangerous.

But it’s also possible for a web site to restore a cookie that you deleted. Now this is a misuse of privacy. You see, when you tell your computer to delete all privacy data, and it later reappears, things are happening against your will – this is morally bad. The way they do it is developers create some code that uses Flash to store a copy of a cookie and if the cookie is gone it rewrites it.

What can you do about it?

On Windows you can install “Better Privacy” or “Ccleaner”.

On Mac OS X you can install “Flush.app” or delete the Flash cookie files the hard way.

There’s also a great deal more information in this article.

It’s now up to Adobe (the company that makes Flash) and web browsers to treat this as a privacy bug and to improve their browsers.

Phones have become quite sophisticated devices recently, hence the term “smartphone”. They can connect to the internet, download programs, and keep track of your life. All useful features.

Phones can also be used to spy on you, as some people in United Arab Emirates discovered. In this case a network carrier (Etisalat) sent their customers an update that installs on their BlackBerry phones. They told their customers that the update was “required for service enhancements.”

What they didn’t tell their customers is that the update contains spyware made by a company called SS8 Networks. This spyware sent information to their company using the phone (which incidentally drained their batteries from uploading so much data).

It’s still unclear what this spyware actually does, or why it was installed on their customers’ phones. You can read more information on this incident here.

In theory phone spyware could activate the phone’s microphone and/or camera and send information to another site. Or it could intercept SMS’s and phone calls. And so many phones these days also GPS receivers in them so spyware could also theoretically keep track of your location. This is all scary stuff.

There isn’t much we can do about this threat at the moment, if your life or work involves privacy then consider using an old phone with limited features instead of today’s smartphones.

When you visit a web site then later visit another web site, your web browser keeps a history of these sites. You can see this history by going to your browser’s menu and clicking on History.

In the past this history was private because it exists only on your PC. But recently it’s been proven that it’s possible for web sites to get a peek into your browser history. This could be a privacy concern for some people. Here’s how it works.

Some people have come up with some clever code they can place on their site. It basically asks your browser if you’ve visited a particular site before. For a demonstration click here and click on the Get Started link in the centre. Don’t worry, nothing bad will happen, it’s just a demonstration.

So how does this affect you?

You just need to be aware that privacy on the internet is fairly limited these days. If you have something to hide (for whatever reason) or you’d just like a bit more privacy, there are steps you can take to prevent this. It’s a bit technical for beginners but with a bit of effort it’s achievable.

• Some browsers now have a “privacy” mode. For example, Google Chrome calls it “incognito”. Privacy mode doesn’t keep track of which sites you’ve been to.
• You can use Firefox and install something called the “NoScript addon”. This will block the code I mentioned above.

Yesterday a web site published a hack for Facebook that lets anyone read anyone’s profile. It was possible to read details such as location, gender, relationship status, political views, religious views, etc. It didn’t matter what privacy settings people had set, this hack made it all visible.

Today Facebook have acknowledged the problem and fixed it.

This is a good reminder that when you publish information online, you lose some control over it. If something is so private that you can’t risk others seeing it then don’t publish it.

You can read more about the exploit here.

A business owner in USA had been twittering about his upcoming holiday, and provided further updates when they’d left home for their holiday. Then their home was burgled. Was is chance or did someone know the house would be empty via Twitter?

It’s not possible to know but it certainly raises awareness about how safe it is to tell strangers about your travel plans. And this doesn’t just apply to Twitter, but to any social site where you’re giving personal information to strangers.

Read the full article here.

Social web sites are all the rage these days, such as Facebook, MySpace, Twitter, and there are hundreds of less popular ones as well. The idea with them is that all your friends and family can join and you can share aspects of your life such as photos and comments.

Often these same sites will ask for other passwords, in an effort to help you find more of your friends and family. For example, when you sign up to Badoo.com it asks you for your MSN username and password. They do this so they can log into MSN with your account, get a list of your contacts, and invite them to join Badoo. Facebook can do this too only on a grander scale.

It’s good in theory but there are some large risks involved. When you sign up and are prompted to enter your MSN details (or any other account), consider these questions:

• Who runs Badoo? Is it some guy sitting at home with no one to answer to?
• Do you trust the company (such as Badoo) and all of their employees?
• What is their privacy policy? Who are they accountable to if they breach their privacy policy?
• Do they store your MSN password? (You have no way of knowing this for sure)
• Have their servers been hacked and is someone else also capturing your password? (Again you have no way of knowing this, web sites get hacked every day)

You can see where this is leading. If you enter your other passwords into someone’s web site you’ve lost control and put yourself at some risk.

So when you sign up to a new site and it asks you for other passwords you already have, your initial reaction should be to refuse. Then consider if the benefits of doing so are worth the risk.

I’d like to thank our regular reader Nick for bringing this issue up.

Limewire is a P2P file sharing program that’s been around for a long time. People use it to share files, and unfortunately most people use it to trade illegally copied music and movies (copyright violation).

When you install Limewire you need to turn some options off, otherwise it could also share your personal documents with everybody. Personal documents include Word files, your photos, etc.

If you use Limewire versions 4 or 5 click on this link and follow the instructions shown.

And if you’re wondering who would be silly enough to share private documents on a P2P network, here are some real life examples the article gives:

• An executive at a Manhattan production company accidentally leaked over 2,700 documents including the names, birth dates, and social security numbers of contractors, as well as scripts of episodes currently in pre-production
• A paralegal/transcription service leaked more than 5,000 documents including medical records and confidential attorney/client information
• A bookkeeper at a food service company leaked thousands of files including scanned driver’s licenses, social security, and insurance cards

AllFacebook has listed 10 privacy settings they recommend if you worry about how your personal details are shared with the public. The settings are listed below, together with my comments:

1. Use Your Friend List – This is just grouping friend according to your own social circles, and you can apply privacy policies to each group. Makes sense since not all friends are created equal.
2. Remove Yourself From Facebook Search Results – This prevents people finding you on Facebook, good for school teachers etc.
3. Remove Yourself From Google – This prevents Google indexing your details. I believe this is a good thing, sometimes Google knows too much about about people.
4. Avoid the Infamous Photo/Video Tag Mistake – This setting lets you control who can see photos of you.
5. Protect Your Albums – This is similar to item 4, it also limits who can see your photos.
6. Prevent Stories From Showing Up in Your Friends’ News Feeds – It basically stops gossip.
7. Protect Against Published Application Stories – Some Facebook applications are silly and embarrassing, this tip explains them.
8. Make Your Contact Information Private – You can control who gets to see your phone number, email address, etc
9. Avoid Embarrassing Wall Posts – You can prevent friends posting embarrassing things on your Facebook wall.
10. Keep Your Friendships Private – You can prevent others seeing your friend list.

The article explains these 10 things in great detail, with screen shots. It’s easy enough for anyone to follow. Read it here.

This one of those legal spyware programs I mentioned recently. Mobile Spy is used to secretly record SMS and calling data on a phone. It already existed for Symbian and Windows Mobile phones – now it’s available for iPhones.

They claim it runs in a stealth mode to make it difficult to detect. It silently records all SMS text messages and information about all calls. It then uploads this information to a private account on the web.

Apparently future versions of this program will also capture GPS information and details of any emails sent or received.

Why is this legal?

I can’t really comment on the legal side, and it would be different in each country. The company that makes it, Retina-X Studios, is selling this product to worried parents or employers to monitor their children/staff.

How is it installed?

Someone has to have physical access to the iPhone to install it. They need to purchase the program (US$99), and it seems the phone needs to be "jailbroken" – a hack that voids the phone’s warranty.

How can you prevent it?

Firstly, don’t lend your iPhone to people or leave it lying around.

I’m not aware of any anti-virus programs for the iPhone that detects this yet but I have my bets on F-Secure, they’re fully aware of what’s happening here. I’ll post an update when something new comes up.

A keylogger is a small program that sits on your PC quietly capturing each key you press on your keyboard. It either logs each keystroke to a file, or sends it off somewhere on the internet.

It’s used to spy on people. By capturing keystrokes your login and password can be revealed, as well as other confidential information. And usually they’re what’s known as “stealthy” programs – most of the time you wouldn’t know it’s there.

Where do they come from?

There are quite a few keyloggers available. Most are written by hackers (the bad kind). A few are written by commercial software companies (more on that below). 

Are they legal?

Usually no. They’re used as spyware to capture your passwords which is illegal in most places.

How can you detect them?

Use a good anti-spyware program. Most antivirus packages come with this feature these days, others are available separately. There are free ones too. Search Google for current a list.

But there’s another kind of keylogger that you can’t detect this way. You can buy a little plastic device that plugs in between your keyboard and your PC. Since it’s directly connected to the cable hanging off your keyboard it can detect every key stroke and record it. Someone has to have physical access to your PC to install it (and to later remove it). You need to look at the back of your PC where the kayboard plugs in to detect it. Search here for a list of these devices.

News

Recently a US court has looked at a commercial keylogging company called CyberSpy and decided it’s illegal. They’ve ordered CyberSpy to stop selling their software (called RemoteSpy). Unfortunately there are too many alternatives for people keen on spying and stealing passwords. More on this here.

People in China using Skype, or people elsewhere using Skype to talk to people in China, should be aware that some conversations are being monitored by the Chinese government. This article explains how this was recently exposed.

The system listens for sensitive terms (mostly political subjects) and logs conversations that meet this requirement. This works differently to how the Germans are doing it.

Gmail has a new feature to always encrypt connections. It’s always been possible but not everyone uses it.

What’s encryption? Say you’re at work (or at school, or at a library or an internet cafe) and using a computer to read Gmail – it’s technically possible for someone to monitor everything going out to the internet. Encryption protects your privacy in this situation, making it difficult for someone to monitor your internet usage.

How do you use it? Inside Gmail go to the Settings menu. You get the following options:

1. Always use https (select this option to use encryption)
2. Don’t always use https

Pros:

• It provides a good level of privacy, especially if you’re using someone else’s network. This is great for public networks (e.g. libraries), offices, and internet cafes.
• It’s easy to use. Just turn it on, never think about it again.

Cons:

• It slows Gmail down a bit (every single part of your Gmail emails needs to be encrypted then decrypted, this takes a small amount of time).

I strongly encourage you to use this feature. Every little bit of additional security helps, especially when it’s so easy to use.

Note that using this form of encryption only protects your privacy between the computer you’re using and Gmail. Emails were never meant to be secure or private.

A flaw in a beta version of Facebook made it possible to see member birth dates, even those set to hide this information. Birth dates are often used to confirm someone’s identity. By having a full name and birth date it’s possible to phone up companies and ask for more private information (this is called Identity Theft).

Facebook has already fixed the flaw. However it’s a good reminder that any private information you enter into a social network such as Facebook could some day be read by someone not meant to read it.

If something is important enough to be private then don’t enter it into someone else’s system without thinking through the potential consequences.

You can view a video of how this flaw works here.

It’s no secret that mobile phones can be tracked by phone companies. The technology has existed for years and there are usually privacy laws in place so the facility isn’t abused.

A new system has been designed to track mobile phones in a defined area such as a shopping centre. It works by tracking the unique IMEI number that every GSM phone transmits.

They can’t track your name or phone number using this, but they can work out your shopping habits such as which shops you walk into. If they were extra smart they would link your name, when you pay for something with a credit card, to your phone’s ID. But they haven’t done this yet.

It’s already been installed in two US shopping centres (one of them is Gunwharf Quays in Portsmouth).

Apart from marketing and security data this provides to its operators it’s a privacy issue to regular people. Read the full article here.

6.8 million Olympic tickets have been printed and will be carried by people attending Olympic events in China this year. What’s different this year is that each ticket will contain a tiny microchip.

This chip will contain visitor’s photo, passport details, address, email address, and phone number. (Photo and passport data will only be on tickets for the opening and closing ceremonies).

That’s a lot of information recorded on the actual ticket itself. Usually tickets just have a serial number, or sometimes even a person’s name.

Chinese Olympic organisers have their reasons, they want to protect the events against known protestors.

Another perspective is that this is a privacy risk for people purchasing and carrying the tickets. A visitor carrying one of these tickets has no control over:

• who gets to read the information stored here
• whether the information is accurate
• any other information stored on the chip (you can’t know what’s on it)

There isn’t anything you can really do other than choose whether or not to attend. If you wish to attend and purchase a ticket just be aware that this private information will be written on the ticket and will be readable by anyone with the correct equipment.

CSS is a web design technology that almost every web site today is using. It controls things like colour, fonts, and most of the design on every web page.

A flaw has been discovered that can allow web site creators to know if you’ve been to a particular site. An example has been presented that lets web site owners know if you visit Digg, Del.icio.us, Reddit, and Facebook without having to ask.

This is more of a privacy concern rather than a security risk. The following tips will avoid it but it’s a little impractical to do:

• Turn off JavaScript (a lot of web sites today require JavaScript)
• Clear your browser history after you finish reading any pages you don’t want others to know about

It’s a documented bug in the CSS standard that might not get fixed for a while.

Here’s an interesting story that hopefully raises your awareness of identity theft.

Gregory Kopiloff, from Seattle USA, has pleaded guilty to a number of fraud related crimes and has been jailed for 4 years. He used LimeWire to download tax and credit reports, bank statements and student financial aid applications that people had made available using this P2P system.

Why would anyone put sensitive documents on a file sharing program for everyone to see? Maybe the people who put these files up thought they have nothing to lose, that documents should be free and shared. Whatever the reason documents like these are sensitive and should not be shared, especially through anonymous file sharing programs like LimeWire.

Gregory used this information, as well as dumpster diving and mail theft, to commit identity theft. He obtained credit cards and debit cards under these people’s names and used them to spend US$73,000 in online purchases.

In this case it’s not the technology that’s at fault, it’s the misconceived value placed on financial documents by regular people.

G-Archiver is an archival tool for Gmail. It lets you backup your Gmail emails to your computer. It’s been discovered that it also has a darker purpose.

G-Archiver costs US$29.95, and it does what it claims. To use it you enter your Gmail username and password, and it downloads emails to your computer as a backup.

Unfortunately the program has also been sending people’s usernames and password to the program’s creator (identified as John Terry).

If you’ve used G-Archiver before then uninstall it and change your Gmail password.

Most mobile phones in the world (also called cell phones, or hand phones) use the GSM network, and GSM generally uses an encryption protocol called A5.

A5 encryption was always a weak design but the equipment to decode it used to cost between US$70,000 and US$500,000 so it wasn’t very common.

Now some new research shows it can be cracked with around US$1000 of equipment. This makes it accessible to most businesses and individuals. It’s still theoretical though it won’t be long until anyone can download the software required to do it.

What does this mean to phone users?

Conversations carried out over mobile phones should not be considered secure. If the technology exists for competitors to sit outside an office and listen in on calls then you should change how you carry out business.

Apart from this new research on cracking the encryption there’s another method that has existed since phone networks began operation. All mobile phone carriers have the ability to record conversations for law enforcement purposes. They just have to press some buttons on their computer and your conversations get recorded. So you shouldn’t be sharing trade secrets on the phone anyway.

And now’s a good time to mention that SMS messages have never been secure. Most GSM networks keep a log of all SMS messages and this information is available to law enforcement agencies (or to anyone corrupt at the phone companies or to anyone that hacks into a phone company’s network).

Some articles to read if you need more information: here, here and here.