Category Archives: Android

HIPAA Privacy Rules and High Tech Services

Health IT Security wrote an article beating up Amazon on it’s HIPAA compliance process.  The article was not favorable and also interesting.

The issue that they are talking about was a medic-alert style bracelet that someone bought on Amazon.  After this person bought it, the vendor put a picture of it, with the lady’s name, birth date and medical condition on it in an ad on Amazon.  The customer found out about it when her physician called her saying he had seen it.

When the buyer contacted Amazon, she was told they would investigate.  She later received an email from Amazon saying that they would not release the outcome of the investigation.

So the lady reached out to her local NBC TV affiliate.  It is amazing what a little bad PR can do.  The TV station contacted the Amazon vendor and they apologized and said they would fix the problem.  The TV station confirmed that the offending material was removed.

But this post is not about health jewelry.

It is to clear up a possible misunderstanding on the part of the average consumer.

While Amazon may yet get into trouble for not understanding and complying with HIPAA, this is not a HIPAA issue.

For consumers that use apps and other tech products there is an important lesson here.

Amazon does *NOT* have a HIPAA problem.

In fact, as of today, Amazon’s web site does not need to be HIPAA compliant because they are neither a covered entity nor a business associate under the terms of HIPAA.  Covered entities include organizations like doctors, hospitals and insurance companies.  Business associates are companies that handle HIPAA type information on behalf of one or more covered entity.

That means that they have no HIPAA requirement to protect your personal information.

They *MAY* have a requirement to protect it under state law in your state, but they also may not.  This depends on the particular law in your state.  In this case they may be in more trouble for publishing her birth date (which may be covered under her state’s privacy law) than her medical condition.

It does mean that they have no requirement to protect your healthcare information under Federal law because other than HIPAA, which does not apply here, there is no Federal law requiring anyone to protect your healthcare information that I am aware of.

This also includes Apple, Google and any app that is available on either the Apple or Android stores.  Apple and Google are likely covered entities because of the way their employee health insurance plans work, but that is completely separate from iphones, android phones and apps.

So, if one of those apps collects information from a hospital for you, for example, and makes it available to you, they can certainly use the diagnosis, for example, that you have diabetes to show you ads for diabetes medicine or supplies.

It is also possible (although I think this may be pretty dicey) that they could sell your healthcare data.  Depending on the state that you live in, healthcare data may not be protected AT ALL under the state’s privacy laws.  This is likely because legislators are usually lawyers and lawyers rarely understand tech and often don’t understand privacy and they think that your healthcare data is protected under HIPAA.  it is, but only under certain circumstances.  The net effect is that it MAY BE perfectly legal to sell your health care information.

If anyone thinks differently, please post a reply and I will publish it.

Information for this post came from Health IT Security.

 

Facebooktwitterredditlinkedinmailby feather

Soldiers Get Lonely Too

If you can’t beat them on the battlefield, beat them in cyberspace.  Israel has accused Hamas of creating a fake dating app and targeting both male and female Israeli soldiers to download the app.

Once installed, the app has the ability to see the soldier’s location, contact list and to use the phone as a listening device and camera.

The app targeted Android phone users, likely because that was easier to do.  This is apparently the second generation of a surveillance app and is more sophisticated than the earlier app.  The user granted the app the permissions to do all of these things, which sort of makes sense for a dating app.

In an effort at spin control, the Israeli Defense Force said that the apps had failed to do any security damage at all, saying that some soldiers had refused to download the app and reported it to superiors.  They did admit that some soldiers had downloaded and installed the app.

In another situation, researchers at Northeastern University ran a small experiment to try and detect if their phones were eavesdropping on them.

They took what amounts to a tiny sample of apps – 17,000 out of millions – to see if the phone’s microphone was activated.  Out of this small sample, they didn’t find any.

What they did find, however, may be more disturbing.

They discovered that many of these apps were sending screenshots of the phone to third party domains and also video recordings of the user’s interaction with the apps.  There is only a very tiny step from there to listening to you in general.

The fact that these apps were doing this was not obvious to a normal user.

Given this, what do you do?

First, and you are not going to like this, read the user license agreement.  While only some of the apps that secretly recorded screenshots and video disclosed the fact in their license agreement, some of them did disclose it.

Second, if you are no longer using an app, uninstall it.  If the app is not there, it is hard to eavesdrop.

Finally, be cautious about installing apps.  Some people never met an app that they couldn’t use.  Being selective is probably just smart.

This, apparently, is both an Android and iPhone problem as some of the frameworks that mobile apps are built on top of intentionally offer this screen and video capture.  At least one vendor, Appsee, said they their developers are violating their license agreement by capturing user data without permission.  Once they were outed by the media, they disabled the video capture for a single app and feel a lot better about themselves.  Google also says this violates the Play store agreement.  Gee, I am sure that any hacker would be scared about that.

Other software platforms may not even care.

Until Google and Apple give you the ability to absolutely, positively know if your data is being captured, you have something else to be concerned about.

 

Information for this post came from The Guardian and Gizmodo.

Facebooktwitterredditlinkedinmailby feather

Do You Care If Someone Is Reading Your Email?

For some people, they don’t really care.  For other people, it is a complete invasion of privacy.

For both groups, it is happening every day.

Apps sometimes ask for permission to read your mail.  It could be to get rid of junk mail or clean your mailbox or many other reasons, but in all cases, you MUST give the app permission in order for it to read your mail.

What is sometimes not clear is that while YOU think that means that the app is reading your email, what the developer thinks is that HE/SHE can read your email.

When the app was installed eons ago, Google popped up a dialog box something like this:

You then clicked on the Allow box and the app started working its magic.

The Wall Street Journal reported earlier this week that, for example, employees of Edison Software read the mail of hundreds of users to build a new feature.   Return Path reportedly read the emails of thousands of users.

The developers say, its in the license agreement that I am sure that you read.  NOT!

Google says Not Our Fault!  You gave the app permission.

To see who you gave those permissions to and take them away, follow these steps from Motherboard:

To see which apps you’ve given email permissions to, you can use Google’s Security Checkup for Gmail. To remove these permissions, go to your Google account settings, select “sign-in and security,” navigate to “apps with account access,” click “manage apps,” and then click on your linked apps and hit “remove access.” (Go to the bottom of the post linked at the end of this blog for step-by-step screenshots illustrating how to do this.)

But this really begs a larger question.

Think about all the apps that you have installed on your iPhone or Android phone (or the two people on the planet that are still running Windows phones).

Did you even think about the permissions that the app asked for when you installed it.  Or if it asked for permissions when you ran it.

Absent doing that, there is no telling what your apps are doing.  Reading your texts, tracking your location or who knows what else.

Of course, if you don’t care, then its not a problem.  Otherwise, you should look at the permissions that you have given the various apps that are installed.  And when you install a new app, consider whether you REALLY want that app or its developers to be reading your mail or tracking your location.

 

Information for this post came from Motherboard.

Facebooktwitterredditlinkedinmailby feather

DNS Hijacking Malware targets iPhones, Android and Desktops

While most of the general user base has never heard of DNS and of those that have, only a few of those understand how it works, that has not stopped the hackers from very effectively abusing it against everyone.

Very simply, DNS maps the www.xyz.com names that people use in their browsers into the IP addresses that computers use and if that process can be corrupted, well, then, we have trouble  in River City.

Well, it can be corrupted and it has been corrupted and we do have trouble.  In River City.  And elsewhere.

The malware called Roaming Mantis now works on iPhones, Android Phones and desktops, in addition to Internet routers.

The attacks fool users into installing infected software and from that point, they can pretty much do anything they want.

Information for this post came from Hacker News.

So what should you do to protect yourself?

First, protect your router:

Use a strong password and NOT the default one.

Turn off the feature that allows you to administer your router FROM THE INTERNET, usually called remote administration.

Even though it is super tempting sometimes, do not install apps on your phone or computer that do not come from known reputable sources.

When you go to a site that asks for your credentials, attempt to verify the site.  Look closely at the URL for typos, look for the secure indicator, if your anti-virus software tests web sites, look at those results.  Mostly, just slow down a bit and see if what you are being asked to do seems logical.

Beyond that, you are likely going to need expert help.

Facebooktwitterredditlinkedinmailby feather

Beware of Shady Repair Shops

A report presented this month at the 2017 Usenix Workshop on Offensive Technologies was pretty offensive – and not in the way they meant in the workshop title.

Offensive security is what spies do – go out and attack a system.

The report demonstrated a proof of concept attack that would work if someone took their phone into some repair place.  The attack, works by surreptitiously inserting hardware, say behind a replacement for a cracked screen, that “added” a few “features”.

They demonstrated putting these hacked screens into two Android phones – an Huewai and a Nexus – but they say the attack will work with iPhones as well.

This attack works because the manufacturers assume a trust boundary, meaning that they trust that the hardware has not been compromised.  In this case, that trust is broken.

In reality, this is nothing new.  Stories abound of PC and Mac repair places inserting extra software and sometimes even hardware into a computer to be able to monitor it.  There was a big dust-up a year or two ago when it was discovered that some repair technicians were being paid by the FBI to feed them information from computers in for repair.

In this case, the modified screen would be able to read the keyboard, capture screen patterns (for pattern screen locks), install malicious apps and take pictures and send them to the hacker.

All this for about ten bucks in parts.

The problem occurs because you lose control of the device – phone, tablet or computer – when you leave it with the repair person.

They say that this particular attack is so subtle that it is unlikely to be detected, even by another repair technician unless he or she knows what to look for.

The researchers say that there are some inexpensive countermeasures that manufacturers can add, but there is really nothing that you can do yourself.

They say that this attack could easily scale up to be done to a lot of phones and, of course, would also scale down to targeted phones.

As a user, the only thing that you can do is choose your repair center wisely.  If you can use a manufacturer’s repair center, that is probably less risky.  If not, then do your homework and check out the place and also ask them how they vet the individuals working on your device.

Great – something else to worry about.

For more details about the hack, see the article in Ars Technica.

Facebooktwitterredditlinkedinmailby feather

Google vs. Banking Bots – The Bots Are Winning

The BankBot trojan is managing to keep Google Engineers on their toes.  The trojan sits, literally, on top of existing banking apps and captures your user name and password.

The initial target was Russian banks.  Then it was “improved” to include UK, Austria, Germany and Turkey.  Who knows what the next version will target.

The creators of this malware have been creative enough to foil Google’s software, called Bouncer, into thinking these are legitimate apps.

A handful of apps have been found that deploy this malware and they have all been taken down – but not before thousands of downloads were made.

BankBot can also steal credentials for Facebook, Youtube, WhatsApp, Uber and other apps.

BankBot can also intercept SMS messages often used in two factor authentication.  THIS is why NIST, has deprecated the use of SMS for two factor authentication.  Too easy to compromise.

In the source article below, there is a list of 424 banking apps that BankBot is targeting.  That is a large number of apps for one piece of malware to target.

One reason we may be seeing this more internationally than in the U.S. is that older versions of Android did not do as good a job of protecting against rogue apps “writing over” legitimate apps on the screen, which is how this malware works.  The user thinks they are typing into the real app because that is what they see, but in reality, the rogue app, sitting on top of the real app is what the user is entering their password into.

This points to another issue.  While Apple is very good about forcing users to upgrade to the current version of iOS, the Android market is fragmented and there is no one company in control.

Within six months of release, Android phones become “obsolete” and companies often stop patching them within a year or two of that release.  Users that continue to use those old Android phones don’t get patches and when those phones are compromised, personal and corporate data on those phones are also compromised.  Silently!

Right now there is a very nasty bit of malware that targets the Broadcom Wi-Fi chip.  It can even work if Wi-Fi is turned off.  Both Apple and Google have patched this in March (Apple) and April (Google), so if you have not installed a major OS upgrade this month, your phone is and will continue to be vulnerable to this attack on the Broadcom Wi-Fi firmware.  This is only one example of a recent attack vector that obsolete phones will remain vulnerable to.

The moral of the story is that companies and individual users of both Android and Apple phones and tablets have to come to grips with the fact that even though those devices still work, if the manufacturer and/or  distributor (like Apple or Verizon) stop supporting those devices, it is time to replace them.  Sorry.  It is a matter of security.  That is no different than the need to upgrade from Windows Vista (which is also not supported), even though it is functioning.  No support = much higher risk of compromise.

In places outside the U.S., old phones running obsolete, non-supported versions of the Android and Apple OSes are commonplace.  As is malware.  And trojans. And security breaches.

This week Apple got caught trying to silently end support for the iPhone 5 in the newest version of their OS.  They changed their mind when they were outed,  but make no mistake – the next version of iOS will likely NOT support the iPhone 5 and at that point, iPhone users are in the same boat as Android users running version 2,3,4 or 5 of the Android OS.

While you may not like this – if you are running one of these unsupported OSes, you either need to figure out if there is an upgrade path, buy a new device (AND DO NOT GIVE THAT OLD DEVICE TO ANYONE – unless, perhaps, you want to give it to someone you really, really don’t like) or stop using that device for anything sensitive like email or online commerce or banking.

Consider yourself warned.

Information for this post came from Bleeping Computer.

Facebooktwitterredditlinkedinmailby feather