
Exploring the science and magic of Identity and Access Management
Monday, September 16, 2024

Hey Steve! Why are you tracking me?

Information Security, Privacy, Telecom
Author: Mark Dixon
Friday, April 22, 2011
4:05 pm

I first read the news about Apple’s secretive location tracking capability in the Kaspersky Labs Threat Post article, “Secret iPhone Feature Tracks Owners’ Whereabouts“:

Security researchers have discovered a hidden iPhone feature that secretly tracks and saves the meanderings of the phone – and presumably its owner.

The tracking feature was described in a presentation at the Where 2.0 Conference in San Francisco on Wednesday. According to the researchers, Pete Warden, founder of Data Science Toolkit, and Alasdair Allan, a researcher at Exeter University in the UK, the tracking feature records the phone’s movements, including what cell phone towers and Wifi hotspots it connects to, when and where. While that information isn’t shared with Apple, it is retained even when iPhone users update their hardware, suggesting that Apple had plans to use the data at a later time.

Was I surprised?  No.  Irritated?  Yes.  We have one more piece of evidence that when power is concentrated in the hands of a few, abuses tend to occur.

After reading the O’Reilly Radar article, “Got an iPhone or 3G iPad? Apple is recording your moves“, I followed a link to an application to see for myself:

How can you look at your own data?

We have built an application that helps you look at your own data. It’s available at petewarden.github.com/iPhoneTracker along with the source code and deeper technical information.

The broad view clearly showed the four states in which I have used my month-old iPad:

But the real interesting view was of my supposed meanderings in Arizona:

I can easily explain three of the four major clumps of usage in the Phoenix metropolitan area – my home, the Phoenix airport, and a client site. But I have never taken my iPad to the fourth area of supposed heavy use.

All the outliers are even more problematic.  I used the iPad once in a mountainous area northeast of Phoenix, but all the other outliers?  My only explanation is that I must have forgotten to place the iPad in “Airplane Mode” on one or more of my flights (heaven forbid!).  The iPad must have connected with dozens of cell towers as we flew over.
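The iPhoneTracker application plots the stored fixes on a map; it does not try to tell a place you actually visited from a tower your device merely saw from 30,000 feet. The script below is an added example, not code from this post or from the iPhoneTracker project, of how an analyst could make that distinction from the same kind of data: it groups timestamped fixes into places by distance, counts which places have repeated use, and flags any fix whose implied speed from the previous fix is faster than ground travel allows. The input format (ISO timestamp, latitude, longitude), the sample fixes, and the 5 km and 200 km/h thresholds are all assumptions made for the example.

```python
import math
from datetime import datetime

# Constructed sample of location fixes (ISO timestamp, latitude, longitude),
# not data from any real device: a few spots visited repeatedly, plus a run
# of fixes five minutes apart and tens of kilometres apart, as a device that
# was left on during a flight would log the towers it passed over.
SAMPLE_FIXES = [
    ("2011-03-20T07:00:00", 33.450, -112.070),  # home
    ("2011-03-20T07:30:00", 33.451, -112.071),  # home
    ("2011-03-21T09:00:00", 33.300, -111.850),  # client site
    ("2011-03-21T12:00:00", 33.301, -111.851),  # client site
    ("2011-03-21T19:00:00", 33.450, -112.069),  # home
    ("2011-03-22T09:40:00", 33.431, -111.991),  # airport
    ("2011-03-22T10:00:00", 33.430, -111.990),  # airport, departure
    ("2011-03-22T10:05:00", 33.900, -112.400),  # in flight
    ("2011-03-22T10:10:00", 34.400, -112.700),  # in flight
    ("2011-03-22T10:15:00", 34.900, -113.000),  # in flight
    ("2011-03-26T11:00:00", 34.200, -111.300),  # one real trip to the mountains
]


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two latitude/longitude points."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def cluster_fixes(fixes, radius_km=5.0):
    """Group fixes into places: walk them in time order and attach each fix to
    the first cluster whose seed is within radius_km, otherwise start a new one.
    Returns a list of {"seed": (lat, lon), "fixes": [...]} dicts."""
    clusters = []
    for ts, lat, lon in sorted(fixes):
        for c in clusters:
            if haversine_km(lat, lon, *c["seed"]) <= radius_km:
                c["fixes"].append((ts, lat, lon))
                break
        else:
            clusters.append({"seed": (lat, lon), "fixes": [(ts, lat, lon)]})
    return clusters


def major_places(clusters, min_fixes=2):
    """Clusters with enough fixes to count as somewhere the device is used."""
    return [c for c in clusters if len(c["fixes"]) >= min_fixes]


def flag_transit_fixes(fixes, max_ground_speed_kmh=200.0):
    """Flag fixes whose implied speed from the previous fix exceeds anything
    ground travel allows; those are towers seen from the air, not places visited.
    Returns [(timestamp, speed_kmh), ...]."""
    ordered = sorted(fixes)
    flagged = []
    for (t0, la0, lo0), (t1, la1, lo1) in zip(ordered, ordered[1:]):
        hours = (datetime.fromisoformat(t1) - datetime.fromisoformat(t0)).total_seconds() / 3600
        if hours <= 0:
            continue  # duplicate timestamp; no speed can be inferred
        speed = haversine_km(la0, lo0, la1, lo1) / hours
        if speed > max_ground_speed_kmh:
            flagged.append((t1, round(speed)))
    return flagged


if __name__ == "__main__":
    places = cluster_fixes(SAMPLE_FIXES)
    for c in major_places(places):
        print("place %s: %d fixes" % (c["seed"], len(c["fixes"])))
    for ts, speed in flag_transit_fixes(SAMPLE_FIXES):
        print("transit fix at %s (%d km/h)" % (ts, speed))
```

On the constructed sample this yields three places with repeated use (home, client site, airport) and three flagged in-flight fixes; the lone mountain fix survives as a genuine single visit because nothing about its timing implies impossible speed. Real tower and hotspot logs are noisier than this (a tower's recorded position is the tower, not the device), so the radius would need tuning, but the speed test is the robust part: no amount of positional slop turns a 60 km hop in five minutes into ground travel.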

My message to Steve Jobs?  Please, just call. I’d gladly invite you over for dinner or take you to my favorite restaurant, where we could discuss the things that are important to me in my life.  But these shenanigans?  Really tawdry for a supposedly high class company.


Spy vs. Spy in Cyberspace – China vs. USA

Identity, Information Security
Author: Mark Dixon
Friday, April 15, 2011
12:04 pm

Thanks to my colleague Kevin Moulton for pointing out an excellent Yahoo! special report: In cyberspy vs. cyberspy, China has the edge.

According to U. S. investigators, China has stolen terabytes of sensitive data — from usernames and passwords for State Department computers to designs for multi-billion dollar weapons systems. And Chinese hackers show no signs of letting up. “The attacks coming out of China are not only continuing, they are accelerating,” says Alan Paller, director of research at information-security training group SANS Institute in Washington, DC.

Private enterprise is also getting hit big time.

The official figures don’t account for intrusions into commercial computer networks, which are part of an expanding cyber-espionage campaign attributed to China, according to current and former U. S. national security officials and computer-security experts. 

In the last two years, dozens of U. S. companies in the technology, oil and gas and financial sectors have disclosed that their computer systems have been infiltrated. 

In January 2010, Internet search giant Google announced it was the target of a sophisticated cyber-attack using malicious code dubbed “Aurora,” which compromised the Gmail accounts of human rights activists and succeeded in accessing Google source code repositories.

The political ramifications of this cyber warfare are huge. The US and China are the world’s two largest economies, both cooperating and competing on the world’s stage.  With China owning more than $1.1 trillion in U. S. government debt, destabilization of U. S. markets due to Chinese cyberattacks would, in effect, be an attack on China’s economy itself.

The old Mad Magazine Spy vs. Spy comics were hilarious, with each spy destroying the other through nefarious means, and then getting up quickly to compete another day.   On the other hand, the China vs. USA cyberspy game is serious business – we play this one for keeps. 


When Can I Pay for Stuff with my iPhone?

Identity, Information Security, Privacy, Technology, Telecom
Author: Mark Dixon
Friday, April 15, 2011
10:47 am

 

I am anxious for the time when I can buy groceries or pay for a meal with my iPhone.  According to Juniper Research, that time may be closer than you would think.

As reported by GigaOM, Juniper Research predicts that 1 in 5 Smartphones Will Have NFC by 2014.  NFC, or “Near Field Communication,” is a technology that allows a payment to be made by holding a device, such as a mobile phone, in close proximity to a NFC-capable point of sale terminal.

I think it would be great to use a mobile wallet on my iPhone, working in concert with an NFC chip embedded within my iPhone, to make a payment.

The GigaOM article states:

Juniper said the increasing momentum behind NFC, with a stream of vendor and carriers announcements in recent months, is helping boost the prospects of NFC. North America will lead the way, according to Juniper, with half of all NFC smartphones by 2014. France, in particular, is off to a quick start, with 1 million NFC devices expected this year.

Of course, there is more to it than just putting mobile wallet apps and NFC chips on smartphones.

But the NFC ramp-up will still face challenges. With so many players involved, from merchants, operators, manufacturers and web giants like Google, service complexity will be an issue. The industry also needs to work out business models around NFC while ensuring strong security for consumers unfamiliar with the concept of a mobile wallet, said Howard Wilcox, the author of the report.

Which smart phone vendor will be first to the races with a mainstream NFC-equipped device? Will the next iPhone be NFC-equipped?  I hope so, but I had also hoped for that in the iPhone 4.  Time will tell.  I’m just hoping for sooner, rather than later.

And, by the way, Identity Management and Information Security are crucial to an overall solution. Knowing who the user is and what that user wants to do, and making sure their information is absolutely safe, are critical components of the mobile payments infrastructure that must be built. In that vein, it’s great to be in the industry that is making this all happen.

 

 

Dear Kroger: Did You Forget to Tell Me?

Identity, Information Security, Privacy
Author: Mark Dixon
Friday, April 8, 2011
4:36 pm

My last post highlighted the well-publicized Epsilon data breach that affected so many consumers like me.

But what if a company forgets to tell its customers?

That may have happened to me. Our family probably does over 80% of our grocery shopping at Fry’s Food Stores, owned by The Kroger Co. I’m quite sure they have my email address, because of their store affiliate card program. However, when Kroger was victimized by the Epsilon data breach, I did not get a notification or apology from Kroger.

Does that mean they don’t care, or by some stroke of luck, my email address wasn’t compromised? I may never know … but will wonder.


Being part of the honored 2% isn’t so gratifying

Identity, Information Security, Privacy
Author: Mark Dixon
Friday, April 8, 2011
3:49 pm


On April 4th, I received apology letters from my bank, a major retailer, a large pharmaceutical chain, and three hotel companies.  All of the apologies were similar, but I’ll share just one:

Dear Ritz-Carlton Customer,

We were recently notified by Epsilon, a marketing vendor The Ritz-Carlton Hotel Company uses to manage customer emails, that an unauthorized third party gained access to a number of their accounts including The Ritz-Carlton email list. We want to assure you that the only information obtained was your name and email address. Your account and any other personally identifiable information are not at risk.

Please visit our FAQ to learn more.

In all likelihood, this will not impact you. However, we recommend that you continue to be on the alert for spam emails requesting personal or sensitive information. Please understand and be assured that The Ritz-Carlton does not send emails requesting customers to verify personal information.

It must have really hurt Ritz-Carlton, that paragon of sophistication and propriety, to fall on its virtual knees and send out thousands of such emails.

I subsequently learned that USA Today reported:

With the possible theft of millions of e-mail addresses from an advertising company, several large companies have started warning customers to expect fraudulent e-mails that try to coax account login information from them.

Perhaps the Wall Street Journal wanted to make me feel special, one of select few:

Alliance Data (parent of Epsilon) reiterated that social-security and credit-card numbers were not stolen. It also said that only 2% of its more than 2,500 customers were affected.

I have yet to know whether there will be a harmful personal effect from this data breach. But it does illustrate that we are all vulnerable whenever we trust any confidential information to someone else.


Welcome to Cyber Security, US Navy!

Information Security
Author: Mark Dixon
Tuesday, March 8, 2011
4:16 am

The Washington Examiner reported yesterday that:

The U.S. Naval Academy is changing its core curriculum for the first time in about 10 years by adding two cybersecurity courses …

The two new requirements come as the school is ramping up training in a field of growing importance to national security. …

"All along, our role has been to develop one or two courses that would give every academy graduate a solid foundation in cybersecurity," said Andrew Phillips, the school’s academic dean. "We spent over a year now collecting advice and feedback from the Navy and the Marine Corps and shopping our ideas around with anyone who might have an opinion and some expertise in this area."

It was interesting to read that the Navy is trailing the U.S. Military Academy and U.S. Air Force Academy, which have had cybersecurity as part of information technology requirements for more than a decade.

Maybe Leroy Jethro Gibbs and the crew over at NCIS convinced the Navy they should step into the modern era!


Who Used those Access Rights, How?

Identity, Information Security
Author: Mark Dixon
Friday, March 4, 2011
10:14 am

The natural first question to ask when discussing Identity auditing is,

Who has access to what?

This question is naturally followed by,

Who granted those access rights, when?

More of my customers are asking a third question,

Who used those access rights, how?

The first two questions address the assignment of access rights to individuals; the third question addresses actual use of access rights after assignment.

Oracle has excellent tools to address the first two questions, but we currently lack a good solution for the third.

Why is this third category important?  Some things my customers ask for are:

  1. Which users did not use an access right during the past quarter?  They may not need that right at all.
  2. What patterns of access can we find?  This may help discover roles for provisioning and attestation.
  3. What access attempts are anomalies?  This may help identify and remediate fraudulent use.
  4. Where are potential vulnerabilities in my identity administration and access control methods?
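Each of those four questions is a query over two data sets: the grants the identity system recorded, and the access decisions the applications actually logged. The script below is an added example (my own illustration, not an Oracle tool, not Veriphyr, and not code from this post) that runs those queries over constructed data: a hypothetical grant table, a hypothetical log format of one enforcement decision per line, and a 07:00 to 19:00 working-hours window for the anomaly check. The one deliberately planted finding, an allowed access with no matching grant, is exactly the kind of gap between what identity administration thinks it granted and what the application enforces that question 4 asks about.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed entitlement grants (user, right, granted_on), as an identity
# management system would record them. Hypothetical users and rights.
GRANTS = [
    ("alice", "payroll.read",  "2010-11-02"),
    ("alice", "payroll.write", "2010-11-02"),
    ("bob",   "payroll.read",  "2011-01-10"),
    ("carol", "hr.records",    "2010-06-15"),
]

# Constructed access log in an assumed format, one enforcement decision per
# line. Note bob's payroll.write event: the application allowed it at 02:13,
# but no grant for it exists in GRANTS.
ACCESS_LOG = """\
2011-01-03T09:12:44 user=alice right=payroll.read result=ALLOW
2011-01-17T10:01:02 user=alice right=payroll.read result=ALLOW
2011-02-07T14:30:10 user=bob right=payroll.read result=ALLOW
2011-02-21T09:05:59 user=alice right=payroll.read result=ALLOW
2011-03-14T11:47:31 user=bob right=payroll.read result=ALLOW
2011-03-15T02:13:08 user=bob right=payroll.write result=ALLOW
2011-03-28T08:55:00 user=alice right=payroll.read result=ALLOW
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) right=(?P<right>\S+) result=(?P<result>\S+)$"
)


def parse_log(text):
    """Parse log lines into dicts with a datetime 'ts'; non-matching lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.fromisoformat(e["ts"])
        events.append(e)
    return events


def unused_rights(grants, events, start_iso, end_iso):
    """Question 1: granted rights never exercised in [start, end), candidates
    for revocation. Window bounds are ISO dates or timestamps."""
    start, end = datetime.fromisoformat(start_iso), datetime.fromisoformat(end_iso)
    used = {(e["user"], e["right"]) for e in events if start <= e["ts"] < end}
    return sorted((u, r) for u, r, _ in grants if (u, r) not in used)


def usage_profile(events):
    """Question 2: how often each (user, right) pair was exercised, the raw
    material for spotting shared patterns and mining roles."""
    return Counter((e["user"], e["right"]) for e in events)


def off_hours_uses(events, start_hour=7, end_hour=19):
    """Question 3: accesses outside an assumed working-hours window, a crude
    anomaly signal that a real deployment would replace with a per-user baseline."""
    return [e for e in events if not start_hour <= e["ts"].hour < end_hour]


def ungranted_uses(grants, events):
    """Question 4: allowed accesses for which the identity system has no grant
    on record, i.e. enforcement and administration disagree."""
    granted = {(u, r) for u, r, _ in grants}
    return [e for e in events
            if e["result"] == "ALLOW" and (e["user"], e["right"]) not in granted]


if __name__ == "__main__":
    events = parse_log(ACCESS_LOG)
    print("unused in Q1 2011:", unused_rights(GRANTS, events, "2011-01-01", "2011-04-01"))
    print("usage profile:", dict(usage_profile(events)))
    print("off-hours:", [(e["ts"].isoformat(), e["user"], e["right"]) for e in off_hours_uses(events)])
    print("ungranted:", [(e["ts"].isoformat(), e["user"], e["right"]) for e in ungranted_uses(GRANTS, events)])
```

Over the sample, Q1 2011 shows alice never used payroll.write and carol never used hr.records (both revocation candidates), and bob's 02:13 payroll.write access shows up under both the off-hours and the ungranted checks, which is the combination a reviewer would escalate first. In practice the log would come from a SIEM or the application's audit trail rather than a string, and the join key is the hard part: the log's user identifier has to map back to the identity the grant was made to.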

So, where can we find solutions?

I have been impressed with a small startup, Veriphyr, that provides:

“an on-demand, pay-per-use analytics service that discovers user access vulnerabilities and privilege abuse on mainframe, midrange, Linux/Unix, and Windows servers. … Veriphyr analyzes identities, activity, and privileges to expose access weaknesses that enable insiders and intruders to capture, leak, or alter data through breach of systems, applications, databases, and networks.”

There is a broad category of Security Information and Event Management (SIEM) systems that address this area. In the Gartner Magic Quadrant report for SIEM systems that I downloaded from Q1Labs website, Gartner defines this market segment as:

Security information and event management (SIEM) technology provides two major functions for security events from networks, systems and applications:

  • Security information management (SIM) – log management and compliance reporting
  • Security event management (SEM) – real-time monitoring and incident management

SIEM deployments are often funded to address regulatory compliance reporting requirements, but organizations should also use SIEM technology to improve threat management and incident response capabilities.

Three companies in the leader quadrant of the Gartner report are ArcSight, RSA and Q1Labs, but a total of 20 companies were covered in the report.  I am by no means a SIEM expert.  I have no idea whether Oracle will get in the SIEM game (and I couldn’t tell you if I did know), but I believe this is an important area for our customers.  It will be interesting to see what transpires.


Canadian government hit by foreign hackers

Information Security
Author: Mark Dixon
Tuesday, February 22, 2011
8:24 am

IT World Canada reported last week:

Malicious hackers who may be based in China managed to fool Canadian federal IT staff into providing access to government computers, leading to severe Internet restrictions at Treasury Board and the Finance Department. …

In what the CBC described as an “executive spear-phishing” attempt, hackers used bogus e-mails to pass themselves off as senior executives to IT staff at the two federal departments and request passwords, while other staff received e-mails with virus-laden attachments.

Although it appeared that the attacks came from Chinese servers, it was not certain that the cyber-attackers were Chinese.  The attacks could have originated elsewhere and been routed through Chinese servers.  Not surprisingly, Chinese government officials quickly denied any connection to the attacks.

Whether the attacks originated with a foreign government or not, this highlights the vulnerability of people, more than technology.  If indeed people divulged passwords to email requesters and opened attachments infected with viruses, it shows that people, not technology, are the weak link in cyber security.


Identity Theft and Phishing Scams: Practical Advice

Identity, Information Security
Author: Mark Dixon
Monday, February 21, 2011
3:49 pm

Some information doesn’t go out of date quickly.  This afternoon I stumbled across a post by Wilma Colon-Ariza who published a helpful article entitled “Identity Theft and Phishing Scams” last January.  Its content is still timely.

She first notes:

The federal government reports that identity theft is now the fastest-growing financial crime. Every 79 seconds, a thief steals someone’s identity and opens accounts in the victim’s name.

I don’t know what the current statistics are, but guess they are worse.

After commenting on an “Identity Theft Prevention Act” which took effect in New Jersey, on January 1, 2006, Wilma proceeded to provide a very practical outline of how consumers can protect themselves against Identity Theft and Phishing attempts. 

Finally, if you become a victim of Identity Theft, you can refer to specific steps Wilma provided to get things back in order.

Thanks, Wilma, for an informative and practical post, even if it took me a long time to read it!


Technology Moving Too Fast for Wiretapping?

Information Security
Author: Mark Dixon
Friday, February 18, 2011
8:24 pm

This post was triggered by a tweet from my son-in-law, Garry Bartle:

LOL! I doubt consumers, the tech industry, or more especially the criminal element want things slowed down just so the FBI can keep pace! RT @cnnbrk: FBI complains communication technology outpacing its ability to wiretap

CNN’s article, “Action needed to assure new technology can be wiretapped, FBI says” stated:

Rapid advances in communications are eroding police departments’ abilities to conduct wiretaps, and Congress needs to take steps to ensure that new telephone, computer and wireless systems are designed to allow lawful police access, FBI and police officials told Congress Thursday. …

At issue is the diminished capability of law enforcement agencies to conduct quick wiretaps in an age of Twitter accounts, Facebook and MySpace pages, BlackBerrys, Androids, iPhones and iPads. The Justice Department calls the phenomenon "going dark."

Well, it might be harder to place wiretaps, but I saw some technology from Cisco at the RSA Conference that sensed and interpreted Facebook traffic from mobile devices and automatically blocked content that violated company policy.  Maybe the FBI should touch base with Cisco.

Certainly, we want bad folks apprehended and punished, but there is ample evidence that the government has increased, rather than decreased surveillance over the past several years.  It just might not be the real crisis that is being portrayed.

My Twitter response to Garry?

@LittleG77 Garry … your message was just intercepted. Next … analysis and remediation. You’ve been had! (JK, but it could happen)

Copyright © 2005-2016, Mark G. Dixon. All Rights Reserved.