A couple of weeks ago I wrote about the income tax fraud cases the security and financial folks at Wayne State University have been hearing about. I want to reiterate several points I made and let you know how the investigation stands at this moment.
From the moment we (the Controller, Payroll, the Provost, the Information Privacy Officer (that would be me), our Information Security Officer, Internal Audit, Senate leadership, etc.) started hearing reports of Wayne State employees finding fraudulent tax returns filed in their name, we began investigating how this might have happened, and whether something or someone at Wayne State might have been responsible.
Let me begin by saying: we DO NOT believe this was caused by any person within WSU or because of a security lapse at WSU itself. To the best of our knowledge, all universities in Michigan have employees who have experienced these hacks, and it has certainly become a nationally-covered news item.
Be that as it may, our security team has been combing logs and looking at our database of phishing attempts to make sure nothing has slipped through the cracks.
Last week, I attended a conference in DC of other university privacy officers and opinion was unanimous — phishing is the source of virtually all security breaches at universities these days. Consequently, our Security Officer and I are offering training on how to recognize and resist phishing attempts. The next two are scheduled for this Friday at 11 a.m. and Tuesday, June 7, at 3 p.m. in Bernath auditorium. Both are free, do not require registration, and are aimed at you, the average computer user.
Finally, let me repeat something I said in my last blog post:
If you were a victim of this scam and would like to help further, you can request a copy of the fraudulent return from the IRS (unfortunately with the name of the bad guy redacted). This is how you do that. Then you can compare the adjusted annual income amount with your W2. If they match, that means somebody got your annual income, so let me know. Note: DO NOT TELL ME THE AMOUNT – JUST WHETHER IT MATCHES! I am the Chief Privacy Officer, after all 🙂
On Friday you received a message from C&IT and the VP for Administration talking about the epidemic of income tax fraud that has hit the country. This morning it made the front page of the Free Press:
A large number of Wayne State folks were hit (since my name was listed as contact person I was contacted by a number of people, most of whom I know from other directions).
Unfortunately there’s little you can do, other than following the directions on the IRS website. This is apparently now a feature of our modern, ‘connected’ world.
If you were a victim of this scam and would like to help further, you can request a copy of the fraudulent return from the IRS (unfortunately with the name of the bad guy ‘redacted’). Then you can compare the adjusted annual income amount with your W2. If they match, that means somebody got your annual income, so let me know (DO NOT TELL ME THE AMOUNT–JUST WHETHER IT MATCHES–I am the Chief Privacy Officer, after all 🙂 ). This is how you do that.
Meanwhile, welcome to the club (I was hit too, last year).
Last week I wrote about how some (perhaps) rogue apps use your microphone to listen for inaudible signals coming from your TV or laptop in order to tell advertisers what you are watching or viewing.
You can stop this from happening by denying those apps permission to use your microphone. Here’s what you do.
On iOS (iPhone or iPad)¹, open the Settings app and scroll down to Privacy. Tap that, and you'll see this:
Select Microphone and you'll see a list of the apps that have asked for microphone access. Here's mine (somewhat edited):
Slide the switch to the off position (it stops being green) to deny that app access to the microphone. And the next time you install a new app and it asks whether to allow it access to your mike, think before you click.™
¹ The process is generally similar on Android, but the menu names and locations vary with the version of the operating system.
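For Android users who would rather audit this from a computer than tap through menus, here is an added example (my own code, not part of the original post or any vendor's tooling). It parses the output of `adb shell dumpsys package` to list which apps have actually been granted the microphone permission (`android.permission.RECORD_AUDIO`), and builds the `adb shell pm revoke` commands that would take it away. The dump embedded below is constructed and abbreviated for the example, and the package names are hypothetical; real output is much longer but the `name: granted=true/false` lines have the same shape.

```python
"""
Audit which Android apps hold the microphone permission by parsing
`adb shell dumpsys package` output, then generate the `pm revoke`
commands that would withdraw it.

The dump below is CONSTRUCTED and abbreviated for this example; the
package names are hypothetical.
"""
import re

SAMPLE_DUMPSYS = """\
Packages:
  Package [com.example.tvcompanion] (1a2b3c):
    userId=10042
    versionName=2.3.1
    requested permissions:
      android.permission.INTERNET
      android.permission.RECORD_AUDIO
    install permissions:
      android.permission.INTERNET: granted=true
    User 0: ceDataInode=1234 installed=true hidden=false
      runtime permissions:
        android.permission.RECORD_AUDIO: granted=true, flags=[ USER_SET ]
  Package [com.example.flashlight] (4d5e6f):
    userId=10043
    requested permissions:
      android.permission.RECORD_AUDIO
      android.permission.CAMERA
    User 0: ceDataInode=1235 installed=true hidden=false
      runtime permissions:
        android.permission.RECORD_AUDIO: granted=false, flags=[ USER_SET ]
        android.permission.CAMERA: granted=true, flags=[ USER_SET ]
  Package [com.example.notes] (7a8b9c):
    userId=10044
    requested permissions:
      android.permission.INTERNET
    install permissions:
      android.permission.INTERNET: granted=true
"""

MIC = "android.permission.RECORD_AUDIO"

# A package section starts with "Package [name] (hash):".
PACKAGE_RE = re.compile(r"^\s*Package \[([\w.]+)\]")
# Install-time and runtime grants both look like "perm.name: granted=true|false".
GRANT_RE = re.compile(r"^\s*([\w.]+): granted=(true|false)")


def parse_permissions(dump):
    """Return {package: {permission: granted_bool}} for every package in the dump.

    Permissions that are merely *requested* (listed under 'requested
    permissions' without a granted= field) are deliberately ignored:
    asking is not the same as having.
    """
    result = {}
    current = None
    for line in dump.splitlines():
        m = PACKAGE_RE.match(line)
        if m:
            current = m.group(1)
            result[current] = {}
            continue
        if current is None:
            continue
        g = GRANT_RE.match(line)
        if g:
            result[current][g.group(1)] = (g.group(2) == "true")
    return result


def packages_with_permission(dump, permission=MIC):
    """Sorted list of packages whose grant for `permission` is currently true."""
    perms = parse_permissions(dump)
    return sorted(pkg for pkg, grants in perms.items() if grants.get(permission))


def revoke_commands(packages, permission=MIC, user=0):
    """adb commands that revoke a runtime permission for each package.

    `pm revoke --user N PACKAGE PERMISSION` is the stock package-manager
    command on Android 6 and later; it needs no root, only USB debugging.
    """
    return [f"adb shell pm revoke --user {user} {pkg} {permission}" for pkg in packages]


if __name__ == "__main__":
    # On a real device: adb shell dumpsys package > dump.txt, then read that file here.
    listeners = packages_with_permission(SAMPLE_DUMPSYS)
    print("Apps currently allowed to use the microphone:")
    for pkg in listeners:
        print("  ", pkg)
    print("To revoke, run:")
    for cmd in revoke_commands(listeners):
        print("  ", cmd)
```

Review the list before running the revoke commands: a voice-memo or calling app legitimately needs the microphone, while a flashlight or game that holds it is exactly the case the post is warning about.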
One of my favorite gadget gossip websites, Engadget, had a post last week from Violet Blue, an internet privacy activist, about a cute new piece of snooping software called SilverPush. (Warning: Violet Blue is an internet privacy activist. But she’s also a porn artist and porn philosopher (!). Also a somewhat radical feminist. Visiting some parts of her own website can be ‘not safe for work’.)
It seems that some phone apps (but it’s not clear which ones) activate your smartphone’s microphone, and listen for signals being sent from your TV or computer. When it hears that signal (it’s not clear whether the signal is inaudible or masked in other noise) it sends a bunch of information about you to the advertiser you are listening to on your TV or computer.
What happens next is that your phone, or another computer you are logged into, or a tablet or whatever, will serve you up ads based on the signal that was sent to your phone. As Ms Blue puts it
The service it delivers to advertisers is to create a complete and accurate up-to-the-minute profile of what you do, what you watch, which sites you visit, all the devices you use and more.
The result is that your phone is watching you all the time, and making note of which ads you’ve seen so that it can send you more, including being able to text or phone you (one of the pieces of information that it ‘shares’ is your cellphone number).
Apparently the Federal Trade Commission was a little creeped out by this too, and told SilverPush to start warning people that their apps were doing this. Apps that use SilverPush apparently include some Samsung apps and Candy Crush. SilverPush claims that no US companies are using its service, but some have questioned that, since the list of companies it contracts with is secret.
Here’s another, perhaps a little less panicked view. Still, I’d recommend that when you install a new app, and it asks whether you want it to use the microphone, you might want to say ‘no’.
Interestingly, the Nielsen company (the ones who track who's watching which TV shows) uses a similar technology, but on a much more open and aboveboard basis. They ask their raters to wear a 'pager' that listens to the TV or radio for inaudible tones identifying which program is on. But of course, Nielsen contracts with the people wearing the pager, and pays them to do so.
For more general musing on the state of privacy with respect to the data that companies collect about us, you can watch this rather long, but entertaining talk by Bruce Schneier at a recent Cato Institute Conference on Surveillance.
Tomorrow I’ll post a blog on how to check to see if your smartphone is using your camera or microphone for things you might not know about.
Declan McCullagh (well-known IT commentator and software developer) has a take on why software companies are up in arms about the FBI’s request for assistance with breaking into a terrorist’s iPhone.
And, in case you want some sense of how many important contemporary software and hardware companies are frightened by this development, here’s a list of those who have filed Amicus briefs in the case.
A careful reading of the list shows there aren’t many major players who aren’t taking Apple’s side, including many of their rivals. And here’s the inside story on how Apple marshalled their colleagues to join the fray.
Last week I noted that the FBI claimed it was only interested in this one iPhone, and that its claim that it had no intention of using this case as a precedent was clearly not true, because it was already using the same kind of request to get into a number of other iPhones.
Yesterday a Federal judge in the Eastern District of New York ruled against the FBI in a similar case. The judge ruled that the Government's expansive reading of the All Writs Act (passed in 1789) did not extend to forcing Apple to write new software to defeat the 'ten strikes and you're out' feature of older iPhones, the setting that erases the device after ten failed passcode attempts and so prevents an attacker from simply guessing passcodes until one works.
It’s almost certain that this case will eventually end up before the Supreme Court, as it places the reliable security of our mobile devices in conflict with the government’s desire to search them. The FBI claims that they will be really, really careful with these tools, but the mere fact that they exist means that they will leak. Here’s a somewhat radical comment on that likelihood.
Tim Cook and the FBI will testify before Congress this afternoon.
Now that it's getting national play, people have noticed that this isn't the first time the Government has attempted to get Apple to break its own iPhone security. Months before the San Bernardino attacks, it tried a couple of times to get Apple to do the same thing. A US District Court judge refused the same order in a case unrelated to national security in October of last year.
So one could conclude that the government's purpose here is to wrap itself in the flag because it really doesn't like the idea of security without back doors. If it wins this case, of course, the world will continue to write secure software. Since there are hundreds of millions of iPhones in use, that's an enormous market for truly secure smartphones, and if the US government breaks them I'm sure there will be Chinese, Indian or Finnish companies eager to supply truly secure phones we can use for online banking, shopping at Amazon, remote desktop connections and other totally legitimate reasons to have security without back doors floating around waiting to be exploited.
If you’re interested in what this Chief Privacy Officer thinks, my colleague and friend Dan Solove, the John Marshall Harlan Research Professor of Law at the George Washington University Law School has an excellent blog featuring a cartoon he drew that gets at some of the essence of this issue (click that link if the images below aren’t loading for you):
In a couple of recent articles Bruce Schneier, the internationally known security and privacy guru has started thinking deeply about what has come to be called The Internet of Things.
The Internet of Things is the label being given to the fact that more and more devices talk directly to the internet. Thermostats, smoke detectors, fitness bands, house door locks, burglar alarms: the list goes on and on. Not to mention cars that can be unlocked, and perhaps even started, with our smartphones. And I'm not even bringing up autonomous cars, which, while real, are not yet ready for prime time.
What Schneier is interested in is the fact that these objects could all talk to each other, either about themselves or about us. Take simple things like the fact that many internet-enabled house door locks will unlock when we walk up to the door, if we're carrying our phones. Already my car lets me unlock it if my key is in my pocket (and, incidentally, won't let me close the trunk if the key is in the trunk). At the moment the key doesn't talk to the web, but I wouldn't be surprised if some brands' keys already do. And, as Schneier notes, not only do the 'things' in the internet sense the world around them, they also act on it: raising the house temperature, or shutting off the house fan if the smoke alarm is triggered (the Nest smoke alarm will do this if there's a Nest thermostat in the loop). So what do you call something that senses the world and then acts on it in a very generalized way? Schneier calls it a 'robot'. And, he suggests, its properties, and probably its behavior, are no longer predictable. It's almost autonomous, and, for those who are interested in the behavior of systems, it's emergent, meaning its behavior is no longer totally deterministic.
Here are the articles; there is food for thought in both of them.
Forbes article (can’t be read if you have an ad-blocker, incidentally)
In honor of Data Privacy Day, a few items.
You may have heard that we had a guest speaker, Sol Bermann, Chief Privacy Officer at U of M on Tuesday. He is happy to share the slides he presented on Privacy and Big Data, so here they are:
Also, my blog from last week was picked up nationally by Educause, the national educational computing organization, and it can be seen here.