Skype in China

People in China using Skype, or people elsewhere using Skype to talk to people in China, should be aware that some conversations are being monitored by the Chinese government. This article explains how this was recently exposed.

The system listens for sensitive terms (mostly political subjects) and logs conversations that meet this requirement. This works differently to how the Germans are doing it.

Gmail Can Encrypt Connections Automatically

Gmail has a new feature to always encrypt connections. It’s always been possible but not everyone uses it.

What’s encryption? Say you’re at work (or at school, or at a library or an internet cafe) and using a computer to read Gmail – it’s technically possible for someone to monitor everything going out to the internet. Encryption protects your privacy in this situation, making it difficult for someone to monitor your internet usage.

How do you use it? Inside Gmail go to the Settings menu. You get the following options:

  1. Always use https (select this option to use encryption)
  2. Don’t always use https

Pros:

  • It provides a good level of privacy, especially if you’re using someone else’s network. This is great for public networks (e.g. libraries), offices, and internet cafes.
  • It’s easy to use. Just turn it on, never think about it again.

Cons:

  • It slows Gmail down a bit (every single part of your Gmail emails needs to be encrypted and then decrypted, which takes a small amount of time).

I strongly encourage you to use this feature. Every little bit of additional security helps, especially when it’s so easy to use.

Note that using this form of encryption only protects your privacy between the computer you’re using and Gmail. Emails were never meant to be secure or private.

Facebook Exposes Birth Dates

A flaw in a beta version of Facebook made it possible to see member birth dates, even those set to hide this information. Birth dates are often used to confirm someone’s identity. By having a full name and birth date it’s possible to phone up companies and ask for more private information (this is called Identity Theft).

Facebook has already fixed the flaw. However it’s a good reminder that any private information you enter into a social network such as Facebook could some day be read by someone not meant to read it.

If something is important enough to be private then don’t enter it into someone else’s system without thinking through the potential consequences.

You can view a video of how this flaw works here.

Tracking Mobile Phones

It’s no secret that mobile phones can be tracked by phone companies. The technology has existed for years and there are usually privacy laws in place so the facility isn’t abused.

A new system has been designed to track mobile phones in a defined area such as a shopping centre. It works by tracking the unique IMEI number that every GSM phone transmits.

They can’t track your name or phone number using this, but they can work out your shopping habits such as which shops you walk into. If they were extra smart they would link your name, when you pay for something with a credit card, to your phone’s ID. But they haven’t done this yet.

It’s already been installed in two US shopping centres (one of them is Gunwharf Quays in Portsmouth).

Apart from the marketing and security data this provides to its operators, it’s a privacy issue for regular people. Read the full article here.

Privacy of Olympic tickets

6.8 million Olympic tickets have been printed and will be carried by people attending Olympic events in China this year. What’s different this year is that each ticket will contain a tiny microchip.

This chip will contain the visitor’s photo, passport details, address, email address, and phone number. (Photo and passport data will only be on tickets for the opening and closing ceremonies.)

That’s a lot of information recorded on the actual ticket itself. Usually tickets just have a serial number, or sometimes even a person’s name.

Chinese Olympic organisers have their reasons: they want to protect the events against known protestors.

Another perspective is that this is a privacy risk for people purchasing and carrying the tickets. A visitor carrying one of these tickets has no control over:

  • who gets to read the information stored here
  • whether the information is accurate
  • any other information stored on the chip (you can’t know what’s on it)

There isn’t anything you can really do other than choose whether or not to attend. If you wish to attend and purchase a ticket just be aware that this private information will be written on the ticket and will be readable by anyone with the correct equipment.

CSS Exploit

CSS is a web design technology that almost every web site today is using. It controls things like colour, fonts, and most of the design on every web page.

A flaw has been discovered that can allow web site creators to know if you’ve been to a particular site. An example has been presented that lets web site owners know if you visit Digg, Del.icio.us, Reddit, and Facebook without having to ask.

This is more of a privacy concern than a security risk. The following tips will avoid it, but they’re a little impractical:

  • Turn off JavaScript (a lot of web sites today require JavaScript)
  • Clear your browser history after you finish reading any pages you don’t want others to know about

It’s a documented bug in the CSS standard that might not get fixed for a while.

Identity Theft Using LimeWire

Here’s an interesting story that hopefully raises your awareness of identity theft.

Gregory Kopiloff, from Seattle USA, has pleaded guilty to a number of fraud-related crimes and has been jailed for 4 years. He used LimeWire to download tax and credit reports, bank statements and student financial aid applications that people had made available using this P2P system.

Why would anyone put sensitive documents on a file sharing program for everyone to see? Maybe the people who put these files up thought they had nothing to lose, that documents should be free and shared. Whatever the reason, documents like these are sensitive and should not be shared, especially through anonymous file sharing programs like LimeWire.

Gregory used this information, as well as dumpster diving and mail theft, to commit identity theft. He obtained credit cards and debit cards under these people’s names and used them to spend US$73,000 in online purchases.

In this case it’s not the technology that’s at fault, it’s the misconceived value placed on financial documents by regular people.

G-Archiver Password Theft

G-Archiver is an archival tool for Gmail. It lets you back up your Gmail emails to your computer. It’s been discovered that it also has a darker purpose.

G-Archiver costs US$29.95, and it does what it claims. To use it you enter your Gmail username and password, and it downloads emails to your computer as a backup.

Unfortunately the program has also been sending people’s usernames and passwords to the program’s creator (identified as John Terry).

If you’ve used G-Archiver before then uninstall it and change your Gmail password.

GSM Encryption

Most mobile phones in the world (also called cell phones, or hand phones) use the GSM network, and GSM generally uses an encryption protocol called A5.

A5 encryption was always a weak design, but the equipment to decode it used to cost between US$70,000 and US$500,000 so it wasn’t very common.

Now some new research shows it can be cracked with around US$1000 of equipment. This makes it accessible to most businesses and individuals. It’s still theoretical, though it won’t be long until anyone can download the software required to do it.

What does this mean to phone users?

Conversations carried out over mobile phones should not be considered secure. If the technology exists for competitors to sit outside an office and listen in on calls then you should change how you carry out business.

Apart from this new research on cracking the encryption there’s another method that has existed since phone networks began operation. All mobile phone carriers have the ability to record conversations for law enforcement purposes. They just have to press some buttons on their computer and your conversations get recorded. So you shouldn’t be sharing trade secrets on the phone anyway.

And now’s a good time to mention that SMS messages have never been secure. Most GSM networks keep a log of all SMS messages and this information is available to law enforcement agencies (or to anyone corrupt at the phone companies or to anyone that hacks into a phone company’s network).

Some articles to read if you need more information: here, here and here.