Vodafone Iceland Hacked

Vodafone Iceland’s servers were hacked on 30 November 2013. Hackers managed to steal confidential account information including customer names, email addresses, social security numbers, and SMS messages.

If you’re a Vodafone Iceland customer it’s a good idea to change your password. And if you’ve sent any confidential information via SMS (such as credit card details, passwords, etc) you should look into that as well.

This is a good time to remind everyone that SMS messages are not very private. Most phone companies keep all SMSs, usually for law enforcement reasons.

Skype Privacy

In the distant past, Skype messages were encrypted and were considered secure and private. But lately there’s been growing evidence that they are no longer private. It seems that Microsoft (the new owners of Skype) have been monitoring messages.

Ars Technica did an experiment by sending a unique link. They monitored their server logs and found that someone (or some system) at Microsoft accessed the link. In less technical terms, this is proof that that Microsoft have full access to your Skype messages. Details of the experiment are here.

Also, another company called H-Online recently did a similar experiment and came to the same conclusion.

This isn’t a risk for most people, it’s just something to be mindful of. Especially if your work requires privacy.

German Privacy

It’s been revealed that the German ministry for home affairs (and thus the German police) are monitoring Skype, Google Mail, MSN Hotmail, Yahoo Mail and Facebook chat if deemed necessary.

Skype used to be secure, encrypting data before being sent across a P2P network. Now we see that some authorities have a way to eavesdrop.

So just keep in mind that if you value privacy you shouldn’t be using the networks shown above. It’s also a good time to remind you that SMSs are often recorded for the same reasons.

More details here.

Facebook Apps

As Facebook continues to grow and become a larger part of everyone’s lives, security and privacy concerns have become more important than ever. So a company called Secure.Me has stepped in with a tool to warn you about privacy issues, called App Advisor.

Facebook allows 3rd party “apps” to use your data for various things. Like collecting your friends’ birthdays to remind you of them, or sharing your game updates with everyone. But it’s not always clear what personal information is collected or shared. Secure.Me’s new App Advisor tool tells you, in plain English.

It comes out on Wednesday and installs as a browser plugin. It supports Firefox, Chrome, and Safari. (If you’re still using IE I highly recommend installing Chrome).

How does Secure.Met App Advisor work?

It starts working when you load Facebook on your PC (so it won’t work on your iPhone). It then notices what Facebook Apps you’ve added to your account. This part is great, because most people don’t know what Facebook Apps they’ve added, or won’t remember what they added 2 years ago.

Then it looks up each app in their database, and tells you what they know about the app.

I think it’s brilliant. It gives you independent advice about Facebook apps, when you need it, and without having to really do anything.

When it launches on Wednesday I’ll update this post with more information.

LinkedIn iPhone App

LinkedIn has an iPhone and iPad app. One of its features is “an opt-in feature which allows users to view calendar entries within the app“.

Some security researchers have been analysing this app and have discovered that when using the calendar feature it sends data to LinkedIn’s servers. It sends all of your calendar events, without explicitly asking for your permission.

This is considered a privacy risk. If you use the LinkedIn app on iOS, turn off the feature.

You should expect LinkedIn to make a statement about this issue, and eventually resolve it. I’ll post any updates here as they happen.

Update 7 Jun 2012:

LinkedIn have responded to these privacy concerns – you can read their comments here. Basically they confirm the privacy issues and justify it. They’ve also made changes to their iOS app to address the issue, the updated version is 5.0.3.

And at the same time someone in Russia claims to have hacked LinkedIn’s servers and has a list of over 6 million hashed password. A hashed password means they can’t read your password yet but given enough time it can be found. This incident is unconfirmed by LinkedIn, but it would be a good time to change your account password.

Phone Tracking

Mobile phones (or cell phones or hand phones, depending where you are in the world) can be used to track the location of people. This has always been possible, because of how the cellular network works. But now it’s easier for hackers.

The GSM system (used by most phone companies) has a test mode built in. A recent demonstration by a university showed that anyone can access this test mode and request the location of any phone, if they have the right skills and equipment. The equipment doesn’t cost very much, and the skills can be shared on the internet.

Mobile phones use base towers to handle the communication. The phone network needs to keep track of which towers are closest to you. And by using triangulation, an approximate position can be calculated.

Here is the research paper by University of Minnesota explaining how they tracked phones: Location Leaks on the GSM Air Interface.

What can you do?

Nothing. Law enforcement organisations have always had access to your phone’s location. Hackers now have it as well. If you need to keep your location private then don’t carry a mobile phone. You could also keep it turned off until you need it, but as soon as you turn it on the cell network will know your location.

Android Phone Virus Listens In On Calls

This had to happen sooner or later. A virus has been discovered that can affect Android phones. It uses the conference call feature of the phone to send your conversations to a remote server (spying on your conversations).

The virus is reported to now be on over 150,000 phones. This is quite serious. There are also two strains of the virus now, indicating that people are working on making things worse for everyone.

This virus is called HongTouTou. It was discovered in an app called Dynamic Footprint Wallpaper, hosted on an app store in China. More information here.

How can a phone get a virus?

Android phones are smartphones, meaning the phone is actually a computer. And like any other computer you can download and install programs onto it, commonly called Apps.

Now the philosophy behind Android phones is that it’s less regulated than other phones, such as Apple’s iPhone, and you’re free to install any app you want. Even ones that contain viruses.

With Android phones you have a choice where to download your apps from. And unfortunately this included untrusted sources where people can add viruses to apps. It’s all very similar to Windows PCs and the popular viruses from a few years ago.

What about iPhones and other phones?

This particular virus only affects Android, not any other phones.

How to avoid HongTouTou?

For now the best thing to do is to only use app stores you trust. Don’t rush into downloading an app just because it’s popular or cool, read up on it first.

 

BlackBerry Hoax Message

fire The following message gets sent to BlackBerries. The idea is that people believe what’s written there and forward it to all their contacts. Then each one of those people repeats the same process.

It’s a hoax. No damage can be done by the message, whether you forward it or not. And of course it will annoy people if you do forward it. It’s also very unprofessional to forward things like this to work contacts.

The message reads:

Do not accept this contact : 21536 (mireya diaz) she’s a hacker!!!! She will format ur blackberry and all ur contacts also.

Att: if one of ur contacts accept her u will get hacked also!!! Send this to all ur contacts

And don’t take the mentality that you should forward it “just in case”, or that it’s “better to be safe than sorry”. This is the wrong attitude. Make a stand and accept that it’s a hoax, and let others know.

There’s also something called a “barcode photo” that people talk about on BlackBerry forums. I don’t use a BlackBerry so I don’t know what this is, but apparently you shouldn’t share this barcode with people you don’t trust. It lets strangers add your BlackBerry to their contacts and send you hoaxes etc. You should stay in control of your privacy and choose who to share details with.

Flash Cookies

Some people know what a cookie is, what it’s good for and how it can be abused. If you don’t here’s a very short summary:

  • Cookies are codes that web sites save to your computer
  • They’re used to help web sites remember who you are. E.g. when you log onto eBay and come back the next day, it remembers who you are.
  • Marketing companies use them to keep track of how many of their ads you saw and where you might have seen them

So they’re not really a bad thing but marketing companies use them to track things about you. Then there are programs that try to delete them off your PC. Usually these programs are branded with words like “anti-spyware”, this isn’t completely accurate but that’s where you’ll see them. This is all fine so far.

And you can always delete cookies yourself. In Internet Explorer there’s an option in the Tools menu. All other browsers have similar options, usually in a tools or settings menu.

But there’s another kind of cookie that often gets overlooked – they’re called Flash cookies.

Unlike regular cookies, Flash cookies are not stored in your web browser’s settings. Deleting all privacy data leaves Flash cookies alone. Even deleting all cookie files off your drive skips Flash cookies.

Flash has a feature that lets web sites store a bit of information on your computer, just like a regular “cookie”. By itself this is harmless, but some developers have taken advantage of its features and use them to track you just like regular cookies. This by itself could be seen as a minor annoyance, it’s not dangerous.

But it’s also possible for a web site to restore a cookie that you deleted. Now this is a misuse of privacy. You see, when you tell your computer to delete all privacy data, and it later reappears, things are happening against your will – this is morally bad. The way they do it is developers create some code that uses Flash to store a copy of a cookie and if the cookie is gone it rewrites it.

What can you do about it?

On Windows you can install “Better Privacy” or “Ccleaner”.

On Mac OS X you can install “Flush.app” or delete the Flash cookie files the hard way.

There’s also a great deal more information in this article.

It’s now up to Adobe (the company that makes Flash) and web browsers to treat this as a privacy bug and to improve their browsers.