Tag Archives: privacy

Moving forward: Who cared about encrypted phone calls to begin with… The Great SIM Heist


TOP-SECRET GCHQ documents reveal that the intelligence agencies accessed the email and Facebook accounts of engineers and other employees of major telecom corporations and SIM card manufacturers in an effort to secretly obtain information that could give them access to millions of encryption keys.

-The Great SIM Heist: How Spies Stole the Keys to the Encryption Castle.

This news made a number of people upset, but after studying it for several weeks and trying to consider the macro effects to regular end users and corporations I have reached a contrarian point in my analysis.

Who cared? Nobody (enough)

Sure, the implications are published and known, but who ever considered their cell phone an encrypted and secure mobile device? I don’t think any consumer ever had that feeling, and most professionals that WANT security in their communications use special precautions – such as the Black Phone.

So, if nobody expected it or demanded it, and the feature was primarily used to help billing, then what SHOULD happen moving forward?

  • The primary lesson here is that our assumptions must be revisited, challenged, valued, and addressed at the base level of service providers
  • Second, businesses that depend on such safeguards (if they ever did, for instance on encrypted mobile device communication) must pay for them

I would be interested in others’ points of view on the lessons going forward. I have spent a good deal of time coordinating with leaders in this space and believe we can make a difference if we drop the assumptions and hopes, and focus on actual effective activities.

Helpful links on the Black Phone by SGP:

Why I preferred Anonymous hacking the FBI laptop for those UDID

Today NoVA blogger David Schuetz (@darthnull) was recognized for his hard work in uncovering the mystery of the UDIDs that Anonymous stated were pilfered from the FBI. The fact that the FBI had these (or the threat that it did) opened an interesting and heated discussion across the privacy and security channels. The concerns were privacy, the rights of the users, and of course the weakness of the FBI’s security controls. Interestingly enough, the FBI was direct and absolute in denying that it had this data or that it had been breached.

@darthnull, interviewed on NBC News, discovered the data was actually stolen from a small (relative to the FBI) organization in Florida called BlueToad. This organization showed a 98% correlation in the datasets, and put out a press release stating the facts as they know them …

Please read all the details on this report, see the news story video, and additional links and resources.

This scenario is actually worse than if the FBI had the data. In this situation we see a demonstration where a single small business recorded the UDID for its application. These UDIDs are used throughout the app universes (Apple and Google), despite the providers recommending NOT to use them. The simple reason is that these are essentially sensitive data – dare I say, eventually PII.

The UDID is even requested as a secure token for enterprise tools such as the GOOD email app messenger. In fact, many tools, apps, games, and other smartphone platform applications utilize the UDID as the key identifier of the user. The problem here is that if each app is collecting each UDID (even if done once and then switched to a better practice), that means there are A LOT of these databases lying around.

The quantity of such repositories of UDIDs is large – marketing firms, analytics, games, productivity apps, enterprise MDM apps, etc… It would be interesting to determine how many apps are using these IDs, but ultimately it is irrelevant once we realize the breadth of these records across so many parties; at some point we just accept the data is retrievable. The UDIDs are especially utilized across the mobile advertising and developer testing industry – for instance as a means of tracking marketing, and within analytics (now part of a COPPA legal complaint).

The takeaway here is that enterprises should evaluate, as part of their mobile strategy, the authentication methods and dependencies deployed for these devices. If the UDID is being utilized in a “multi-factor” / “token” method, it should be reconsidered or at least the risk mitigated, given the simplicity and the likely broad number of existing databases with such records. A positive note is that since March Apple has begun rejecting apps that access the UDID, and a great write-up on the impact and effect can be found here at VentureBeat. To be clear, there will be alternatives to the UDID in the future, but their unique nature and “assignment” to a person will not likely reduce the sensitivity of the “token”, as it will be employed similarly.
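To make the takeaway concrete, here is an added example (my own sketch, not code from any app or vendor named above) contrasting a login that trusts the bare UDID with one that treats the UDID as a mere lookup key and authenticates with a per-device secret over a single-use HMAC challenge. The UDIDs, user names and class names are constructed for the illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample (not the BlueToad data): UDIDs as they would sit in any of
# the many app, analytics or MDM databases that recorded them.
LEAKED_UDIDS = {
    "0a1b2c3d4e5f60718293a4b5c6d7e8f90a1b2c3d": "alice",
    "ffeeddccbbaa99887766554433221100ffeeddcc": "bob",
}

class UdidOnlyAuth:
    """Weak pattern: the bare UDID is the credential, so anyone holding one of
    the many copies of the identifier authenticates as that user."""

    def __init__(self, registered):
        self.registered = dict(registered)

    def login(self, udid):
        return self.registered.get(udid)

class DeviceSecretAuth:
    """Hardened pattern: the UDID is only a lookup key; a per-device secret
    issued at enrollment signs a single-use server nonce (HMAC challenge)."""

    def __init__(self):
        self.devices = {}     # udid -> (user, secret)
        self.pending = set()  # nonces issued but not yet consumed

    def enroll(self, udid, user):
        secret = secrets.token_bytes(32)  # stored in the device keychain only
        self.devices[udid] = (user, secret)
        return secret

    def challenge(self):
        nonce = secrets.token_bytes(16)
        self.pending.add(nonce)
        return nonce

    def login(self, udid, nonce, tag):
        if nonce not in self.pending or udid not in self.devices:
            return None  # unknown device, or unknown/replayed challenge
        self.pending.discard(nonce)  # single use, even on failure
        user, secret = self.devices[udid]
        expected = hmac.new(secret, nonce, hashlib.sha256).digest()
        return user if hmac.compare_digest(expected, tag) else None

def client_sign(secret, nonce):
    return hmac.new(secret, nonce, hashlib.sha256).digest()  # the app's side
```

A leaked UDID is enough to pass the weak check, while against the hardened one it yields nothing without the device-held secret, and a captured response cannot be replayed.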

Congrats to David for solving the mystery and helping illuminate this poor security practice of app developers.


James DeLuccia

Security and Privacy risks from Facebook Apps

The trust and complexity of such relationships between key apps, users, and our data is a challenge for individuals and businesses. A recent study was done of 500,000 Facebook apps (bear in mind this is ONE platform for apps dedicated to it, so extrapolation and assumptions are needed, cautiously, for other platforms), and found interesting facts.

The study was done by Secure.me, who sells reputation services, so it needs to be taken with a grain of salt, but as the research shows (even with a grain of salt) there are enough considerations to impact most information security and compliance programs and risk treatment plans.

A snippet of the findings include:

  • About six out of ten of the apps (63%) can post on to timeline (honestly, do you even know what others in the platform are seeing regarding your own data/timeline/posts/and associations?)
  • More than two thirds of the apps (69%) know the stored email address
  • Nearly every third app (30%) knows the account’s birthday
  • 5 out of 100 apps (5%) access your photos and videos, going beyond the profile picture
  • Every tenth app (10%) is informed about hobbies and interests
  • 10% of the apps have access to your geo information including check-ins, hometown or current city
  • 1 out of 5 apps (21%) can access personal data of your “friends” including friends’ birthdays, education and work history

Check out their post here on the details.

The action here for businesses is to review their social media strategy as it is integrated within the enterprise security and risk programs and the privacy elements of the business. Note that the social media considerations listed above are partial inputs into this broader program that considers such risks. It would be nice to have dedicated teams for each type of program (social media, cloud, etc…), but in most mature organizations the framework and practices already exist and simply should be augmented. This study is a nice input providing awareness of singular risks.

I have been doing research on this very problem within the smartphone app space, to identify similar trust threats and privacy concerns. Much remains to be done… if others know of existing research, kindly share!


James DeLuccia IV

Denial Of Service Attacks (DoS); Treasury, DOJ, NYSE, S. Korea

These past few days have seen numerous packet attacks against some very prominent institutions. Now, while most of these targets are simply PR and marketing front-ends, and not truly the operating environments, the attacks are annoying and introduce a few specific threats and concerns that should be considered today in your environment and for the future of the internet.

More packets are not the answer – The typical response to an attack is to attack back, or add encryption, or create greater integrity checks on the data. Adding to the pile of data pushing through a pipe (by increasing packet size for crypto and MD5 hashes) only clogs a system that is already clogged. Careful consideration should be given before rolling out additional solutions without regard to the material effect such solutions and technologies will have on the environment and the attack threat.

Separate is not always separate – It is common and best practice to operate core business services in secure environments that are resilient to such DDoS attacks and other common public internet attack vectors. Unfortunately, sometimes the technical architectures overlap and cross as a result of cost management and a simple lack of policies and procedures. These public attacks should highlight the need to carefully review:

  1. Your current redundant and resilient environments
  2. Your change control and approval program, and continued adherence to it.

Attacks may be closer than they appear – These attacks originate from someplace, but not the place one thinks. The attackers have employed trojaned computers from around the world and are orchestrating this through a command and control server. This is a very common practice. Investigators, businesses, and governments should be cautious in pointing fingers as to the source, given the ability to take over systems in one country or across the whole world.

Regulating bandwidth – Today most organizations throttle bandwidth for different types of traffic and based on source-destination IP addresses. It is quite conceivable we could live in an online world where DoS attacks are ongoing and continuous. The next step in the arms race would be a land grab on routers and other devices to secure virtual private channels. Conceivably one could see Google locking a specific set of traffic for every network device.
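As an added illustration (my own example, not from the post), the sketch below applies the per-source/destination throttling just described to a constructed packet trace, and goes one step further to show why the trojaned-hosts-everywhere pattern from the previous paragraph also needs an aggregate per-destination budget: a per-flow limit stops one flooding host but passes a botnet of many hosts that each send a little. Addresses (TEST-NET ranges), timestamps and rates are constructed.

```python
from collections import defaultdict

class TokenBucket:
    """Token bucket: refills `rate` tokens/second, holds at most `capacity`."""

    def __init__(self, rate, capacity):
        self.rate, self.capacity = rate, capacity
        self.tokens, self.last = float(capacity), 0.0

    def allow(self, now, cost=1):
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= cost:
            self.tokens -= cost
            return True
        return False

def shape(packets, per_flow_rate, per_dst_rate):
    """Admit each (time, src, dst) packet only if both the per-(src, dst) flow
    bucket and the aggregate per-destination bucket have a token.
    Returns ({src: passed_count}, {src: dropped_count})."""
    flows = defaultdict(lambda: TokenBucket(per_flow_rate, per_flow_rate))
    dsts = defaultdict(lambda: TokenBucket(per_dst_rate, per_dst_rate))
    passed, dropped = defaultdict(int), defaultdict(int)
    for t, src, dst in sorted(packets):
        if flows[(src, dst)].allow(t) and dsts[dst].allow(t):
            passed[src] += 1
        else:
            dropped[src] += 1
    return dict(passed), dict(dropped)

# Constructed traces against one web front-end.
SERVER = "203.0.113.10"
LEGIT = [(i + 0.5, "10.0.0.5", SERVER) for i in range(10)]      # 1 pkt/s
FLOOD = [(0.0, "198.51.100.7", SERVER)] * 100                    # one host
BOTNET = [(0.0, f"192.0.2.{i}", SERVER) for i in range(1, 201)]  # 200 hosts

def single_flooder():
    return shape(FLOOD + LEGIT, per_flow_rate=5, per_dst_rate=50)

def botnet_per_flow_only():
    # per_dst_rate so high that the aggregate limit never bites
    return shape(BOTNET + LEGIT, per_flow_rate=5, per_dst_rate=10**9)

def botnet_with_aggregate():
    return shape(BOTNET + LEGIT, per_flow_rate=5, per_dst_rate=50)
```

The per-flow limit alone admits 5 of the single flooder's 100 packets but all 200 botnet packets; only the aggregate bucket caps the botnet, and in both cases the legitimate 1 pkt/s client keeps getting through.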

More thoughts spring to mind, but this is a reminder to address technology problems through a thought-through strategy, and not through one-off shots.


Kind regards,

James DeLuccia IV