Uber Safe ? Maybe!

I am sure that many of you have used the Uber and Lyft ride sharing services, but have you thought about what would happen if the driver were in an accident?  You might want to.

Insurance Networking News recently reported about a new coverage that one insurance company (Erie) is offering to provide coverage to people who use their personal vehicles as taxis and have an accident.  They don’t exactly call it Uber Insurance, but that is what it is.

Most likely, your personal auto insurance will not cover an accident if you are using your auto to drive for dollars – meaning it won’t cover damage to your vehicle or the vehicle you hit.  This is important to the Uber driver and not so much to the Uber passenger.

It also won’t cover costs for YOUR (as a passenger) medical care if you are injured.  This is the part that affects you the most immediately.  If it is the other guy’s fault and he or she admits it and he or she has insurance and you can get that company to accept liability, then you can get paid for your medical care.

Otherwise, you may be left to suing everybody involved, likely waiting years, and maybe getting some money.  But, all may not be lost, keep reading.

All that is from the Uber driver’s personal insurance company’s point of view.

Now from Uber’s point of view:

According to a blog post at Uber, Uber provides $1 million of liability coverage per incident, which, they claim, is primary coverage, from the moment the driver accepts the trip to its conclusion.

Uber also claims to provide $1 million of uninsured/underinsured motorist bodily injury insurance.

Uber also provides $50,000 of contingent (secondary) comprehensive and collision insurance, ONLY IF the Uber driver has their own comprehensive and collision policy.

Lyft claims to offer similar coverage with slightly different rules/limits.

Hopefully nothing happens when you take that next taxi ride, but ….

Maybe this is much ado about nothing, but I suspect that there may well be kinks in the system yet to be worked out.  AND, you being knowledgeable about where your coverage is coming from (I would look to Uber or Lyft right away — the deep pockets idea), is probably very useful.

Certainly things to think about, both for you as an Uber or Lyft passenger and as a driver.

Mitch Tanenbaum



There was an interesting article in Wired that “outed” Verizon’s use of perma-cookies.

Simply explained, perma-cookies are cookies that identify the user that are added by the carrier between the user’s browser and the receiving web site.  The effect of this is an ID that will follow the user, potentially across devices, silently, with no way for the user to even know this is being done.  Verizon calls it a Unique ID Header or UIDH.  Verizon, of course, sells this to advertisers under the marketing name PrecisionID.  They claim it provides ads that are more relevant to consumers, but more relevantly, it provides a way to ID the user in a way the user can’t easily opt out of.  Technically, if you knew that Verizon was doing this you could go to some web site and opt out, but since you weren’t even aware they were doing this, that seems unlikely to occur.  And, according to the article, opting out doesn’t stop Verizon from using this UIDH; it only asks Verizon not to sell the data.
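To make the mechanism concrete, here is an added toy model (not code from the post, Wired or Verizon) of what an on-path carrier proxy does to a plaintext HTTP request, and of why the token links sessions even after the user clears cookies. The header name X-UIDH is the one Verizon's program used; the subscriber ids, carrier secret and request texts are constructed, and only GET/POST requests are modelled.

```python
import hashlib
from typing import Dict, List, Tuple

# Header name used by Verizon's UIDH program on plaintext HTTP requests.
UIDH_HEADER = "X-UIDH"

def parse_request(raw: str) -> Tuple[str, Dict[str, str]]:
    """Split a raw HTTP/1.1 request into its request line and a header dict
    (header names lower-cased)."""
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers

def carrier_inject(raw: str, subscriber_id: str, carrier_secret: str) -> str:
    """Toy model of the carrier proxy: derive a stable pseudonymous token
    from the subscriber account and append it as a header. Only a plaintext
    request can be edited; anything else (e.g. a TLS record, which the
    proxy cannot read) is passed through untouched."""
    if not raw.startswith(("GET ", "POST ")):
        return raw
    token = hashlib.sha256((carrier_secret + subscriber_id).encode()).hexdigest()[:24]
    head, sep, body = raw.partition("\r\n\r\n")
    return f"{head}\r\n{UIDH_HEADER}: {token}{sep}{body}"

def link_sessions(requests: List[str]) -> Dict[str, List[str]]:
    """Server-side view: group requests by the injected token, regardless of
    the site's own cookie. Different cookies under one token are the same
    subscriber line, which is why clearing cookies does not help."""
    groups: Dict[str, List[str]] = {}
    for raw in requests:
        _, headers = parse_request(raw)
        token = headers.get(UIDH_HEADER.lower())
        if token is None:
            continue
        groups.setdefault(token, []).append(headers.get("cookie", "<none>"))
    return groups
```

The only client-side defence this model leaves is the one the proxy cannot touch: a TLS connection, since the header is added in the clear between browser and site.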

Curiously, Wired ran a new article last week that said that AT&T’s use of perma-cookies mentioned in the original article was only a “test” and that they have stopped doing it.  However, they reserve the right to start it again.  They called their program Relevant Advertising.  My suspicion is that as long as the program was a secret to the public, they were fine making money from it, but as soon as it was no longer a secret, they could not take the heat.

Interestingly, Sprint and T-Mobile were not mentioned – although that does not mean that they don’t have similar programs.

I think the interesting question is whether this is legal or not; stay tuned to see if Verizon caves or is sued.

Privacy – it used to exist.

Mitch Tanenbaum




Microsoft Releases Out Of Band Kerberos Patch

Microsoft released an out of band patch today for all supported versions of Windows.  The patch fixes a privately reported bug in the Kerberos Key Distribution Center (KDC) protocol.  If unpatched, it would allow an unauthorized user to execute an elevation of privilege attack.

“The problem stems from a failure to properly validate cryptographic signatures which allows certain aspects of a Kerberos service ticket to be forged,”

Microsoft says that limited attacks on Windows servers are already in the wild – hence the very unusual situation of releasing a patch out of band.

Assuming that the domain is infected, the only solution is to rebuild the domain from scratch.
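An added toy model (not from the post or from Microsoft's code) of the bug class in the quoted sentence: a "lax" verifier trusts whatever checksum type a ticket declares, so an unkeyed checksum that anyone can compute over edited group membership passes as a signature, while the "strict" verifier only accepts a keyed checksum under the KDC's key. The ticket layout, checksum type names and key are constructed; this is not the Kerberos wire format.

```python
import hashlib
import hmac
import json
from typing import Dict, List

# Constructed checksum type names for the toy model.
KEYED = "hmac-sha256"   # needs the KDC key to produce
UNKEYED = "md5"         # anyone can compute it over any data

def checksum(ctype: str, key: bytes, data: bytes) -> str:
    if ctype == KEYED:
        return hmac.new(key, data, hashlib.sha256).hexdigest()
    if ctype == UNKEYED:
        return hashlib.md5(data).hexdigest()
    raise ValueError(f"unknown checksum type {ctype}")

def encode_auth(auth: Dict) -> bytes:
    # Canonical encoding so signer and verifier hash identical bytes.
    return json.dumps(auth, sort_keys=True).encode()

def issue_ticket(kdc_key: bytes, user: str, groups: List[str]) -> Dict:
    """KDC side: the authorization data is signed with the KDC's own key."""
    auth = {"user": user, "groups": groups}
    return {"auth": auth, "ctype": KEYED,
            "sig": checksum(KEYED, kdc_key, encode_auth(auth))}

def verify_ticket_lax(kdc_key: bytes, ticket: Dict) -> bool:
    """Vulnerable pattern: recompute whichever checksum type the ticket
    declares. An unkeyed type "verifies" although the KDC never signed the
    data, so edited group membership is accepted."""
    expected = checksum(ticket["ctype"], kdc_key, encode_auth(ticket["auth"]))
    return expected == ticket["sig"]

def verify_ticket_strict(kdc_key: bytes, ticket: Dict) -> bool:
    """Fixed pattern: only a keyed checksum counts as a signature, and the
    comparison is constant-time."""
    if ticket.get("ctype") != KEYED:
        return False
    expected = checksum(KEYED, kdc_key, encode_auth(ticket["auth"]))
    return hmac.compare_digest(expected, ticket["sig"])

def tamper_groups(ticket: Dict, groups: List[str], ctype: str) -> Dict:
    """Constructed test helper for the verifiers: copy a ticket with other
    groups and a checksum of the given type computed without the KDC key."""
    auth = dict(ticket["auth"], groups=groups)
    return {"auth": auth, "ctype": ctype,
            "sig": checksum(ctype, b"", encode_auth(auth))}
```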

Mitch Tanenbaum


US Spy Programs Targeting Americans’ Mobile Phones

According to the Wall Street Journal (pay link), the government (US Marshals Service) is flying “dirtboxes” in small airplanes to capture the signals from your cell phone.  Basically, a dirtbox is a self-contained cell tower with a strong signal.  Since your cell phone will connect to the strongest signal, if the dirtbox winds up being that signal, your phone will connect to it.

Once connected, the feds can grab the ID of that phone (possibly the ESN, IMSI, MIN or similar ID) and the position of that signal and see if it is associated with a bad guy.

In the grand scheme of things, they are not (we don’t think) collecting a lot of data, tracking phone calls or eavesdropping and supposedly once they get this far, they need to get a warrant (according to an article in SC Magazine that references the WSJ article).

Since it appears that the dirtbox is not acting as a real cell phone tower, when you connect to it and try to make a call, that call won’t go through.  That would include 911 calls, although the report says that they have taken measures to prevent that – whatever that means.

Since the program is secret (or at least was), we really don’t know the details of the program.  Likely, the government would have liked to keep it secret, and they were successful at keeping it secret for 7 years (supposedly it has been running since 2007), but it is hard to keep a secret like that.

One assumes that criminals that watch TV use burner phones (ones that you can buy at 7-11 or Walmart that are cheap and disposable), but I am sure that some do not.

I am sure more details will emerge.

Mitch Tanenbaum


Masque Attack – All Your iOS Apps Belong to Us

FireEye, a security research firm, recently disclosed an interesting attack against iOS devices.  Apparently, iOS allows a rogue iPhone app to replace a genuine iPhone app.  Once that rogue app is installed, it can do anything the real app could do – PLUS send a copy of your banking credentials to Moscow or Kiev or someplace.

The reason this works is that Apple relies on something called a bundle identifier, but iOS does not verify that the new app is signed with the same certificate as the old app.

Another problem is that the way the attack works, it can tell you that it is installing an update to Angry Birds (does anyone play that any more?) but under the covers it is replacing the genuine version of the GMail app with a rogue version.  You have no reason to be suspicious of the behavior of the GMail app, so you are not likely to notice minor differences that the rogue GMail app might introduce.

Interestingly, Microsoft has a similar but different problem with their code signing certificates – not verifying things to a sufficient degree.  You would think people would learn.  Sometimes not.

In Apple’s defense, this only works if you load apps from a source other than the Apple store – say by way of clicking on a link in a spear phishing attack and then saying that it is okay to install the new app.  But the bad guys are clever, so if the attack is done right, it will be very convincing.
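An added toy model (not FireEye's or Apple's code) of the check the post describes as missing: an installer that accepts any validly signed package whose bundle identifier matches the installed app, beside one that also requires the replacement to be signed by the same certificate. Certificates are modelled by a constructed trust store of signer fingerprints, and HMAC stands in for a real code signature; bundle ids and keys are constructed.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict

# Toy trust store: signer fingerprint -> verification key. Stands in for the
# public keys of developer certificates the device already trusts.
TRUST_STORE: Dict[str, bytes] = {}

def register_signer(key: bytes) -> str:
    fingerprint = hashlib.sha256(key).hexdigest()[:16]
    TRUST_STORE[fingerprint] = key
    return fingerprint

@dataclass
class Package:
    bundle_id: str
    signer: str      # fingerprint of the certificate that signed it
    payload: bytes
    signature: str

def sign_package(bundle_id: str, key: bytes, payload: bytes) -> Package:
    signer = register_signer(key)
    sig = hmac.new(key, bundle_id.encode() + payload, hashlib.sha256).hexdigest()
    return Package(bundle_id, signer, payload, sig)

def signature_valid(pkg: Package) -> bool:
    """The signature checks out under the certificate the package names."""
    key = TRUST_STORE.get(pkg.signer)
    if key is None:
        return False
    expected = hmac.new(key, pkg.bundle_id.encode() + pkg.payload, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, pkg.signature)

def install_bundle_id_only(installed: Dict[str, Package], pkg: Package) -> bool:
    """Flawed check from the post: a validly signed package with a matching
    bundle id replaces the installed app, whoever signed it."""
    if not signature_valid(pkg):
        return False
    installed[pkg.bundle_id] = pkg
    return True

def install_same_signer(installed: Dict[str, Package], pkg: Package) -> bool:
    """Hardened check: a replacement must also carry the same signer as the
    app it replaces; a first install of a bundle id is still allowed."""
    if not signature_valid(pkg):
        return False
    current = installed.get(pkg.bundle_id)
    if current is not None and current.signer != pkg.signer:
        return False
    installed[pkg.bundle_id] = pkg
    return True
```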

The US Department Of Homeland Security’s CERT issued an alert today that confirms the details of FireEye’s press release.

Read the article in the link above for more details, but it is a very interesting situation and being wary is a REALLY good idea.  This is not a “The World Is Ending” attack, but it certainly could do some damage.

Mitch Tanenbaum


Experts Say This Month’s Microsoft Patches Should Be Applied Quickly

An article in SC Magazine recommends that organizations apply this month’s Microsoft patches very quickly.

Among the patches:

  • One vulnerability, CVE-2014-6332, had been remotely exploitable for 18 years prior to its patch, and could be used by an attacker to circumvent Microsoft’s free anti-exploitation tool EMET and its Enhanced Protected Mode (EPM) sandbox in Internet Explorer 11 to carry out drive-by attacks.
  • Another bug, CVE-2014-6321, impacts the Windows Secure Channel (Schannel) security package, technology that implements SSL and TLS secure communications protocols.
  • Lastly, a bug gaining the attention of security experts, CVE-2014-6332, was designated by Microsoft as a “Windows OLE automation Array Remote Code Execution Vulnerability”.

Two of these bugs have been present since Windows 95.  NOW that the hackers know that they exist, that most people are slow to patch systems and that they will affect systems all the way back to Windows 95 in some cases (i.e. a huge “target of opportunity”), expect attacks to be coming.  Microsoft is NOT releasing patches for Windows XP or earlier, so those systems are becoming more of a sitting duck every day.

Mitch Tanenbaum


Privacy, Security and Cyber Risk Mitigation in the Digital Age
