App Proves Adage: Just Because I’m Paranoid Doesn’t Mean They’re Not Watching Me

Plus: ChewBacca steals credit card data from dozens of retailers, Oracle tries to use the Jedi mind trick, and hackers for hire get busted


Willie Jones covers transportation for IEEE Spectrum, and the history of technology for The Institute.

Illustration: Randi Klett; Images: iStockphoto

This Week in Cybercrime

A team of researchers at Rutgers University in Piscataway, N.J., has developed an Android app designed to heighten awareness of just how frequently cellphone users’ location information is accessed by apps and other software. "All apps that access location need to request permission from the Android platform," Janne Lindqvist, who led the research project, told Computerworld. "The problem is that people don't pay attention to these default disclosures."

The team noted that although Android phones feature a GPS indicator that flashes on and off when an app is trying to access the user's location, most people never notice it or simply misunderstand the message being conveyed by the icon.

Their app—which they tested on several Android devices running apps including Firefox and TuneIn Radio—bridges that communication gap by flashing a message across the handset’s screen: "Your location is being accessed by [app name]."

The idea is to get consumers thinking about why apps such as Angry Birds and collect location and device ID information and to find out whether awareness of this data collection will affect users' attitudes towards apps. As expected, participants in the study [pdf] featuring the app were surprised at how often some apps accessed their location, and that some other apps accessed their location at all.

The team says it is putting the finishing touches on its app (currently known as the RutgersPrivacyApp) so it can make it available at the Play Store.

Which Retail Stores Haven’t Been Hacked?

Last week, we asked which chains, other than Target and Neiman Marcus, had seen their point-of-sale systems give away the store with respect to their customers’ credit card information. We noted that security researchers had already uncovered evidence that half a dozen more companies had had their digital pockets picked. But apparently that was the tip of the iceberg. It was revealed this week that payment card information has been stolen from several dozen retailers’ networks since the end of October. The culprit in the overwhelming majority of those cases was a memory-scraping malware program called ChewBacca. The program—so named because the Star Wars character appears prominently on the login page for the server that collected data from infected machines—also has a keylogger and installs an executable file that lets it survive system reboots.

Though ChewBacca was first identified by researchers at Kaspersky Lab in a December blog post, much of what we’ve learned about it since has been uncovered by antifraud researchers at RSA. After analyzing the malicious code and its command-and-control infrastructure, RSA figured out that 32 of the 45 affected retailers are based in the United States; others are in Russia, Canada, and Australia. The researchers wouldn’t reveal the identities of the compromised retailers, saying only that they have advised the companies to report everything they know to the proper authorities.

Hackers R Us

An international law enforcement operation has netted the low-hanging fruit on the tree of online criminal activity. Officials proudly announced that they’ve snatched up 11 people in the United States, India, China, and Romania and have charged them with crimes based on their alleged involvement with websites offering e-mail hackers for hire. Authorities say the suspects—who were the operators of websites such as—or the sites’ clients were responsible for hacking into fewer than 10 000 e-mail accounts. Meanwhile, the cybercriminals that run phishing schemes aimed at gaining access to tens of thousands of inboxes at a clip go on unmolested.

Oracle’s Jedi Mind Trick: This Is Not a Security Flaw; It's a Configuration Error

Bad: Two vulnerabilities in Oracle’s older database packages allow hackers to access a remote server, view the server’s file system, and dump files—all without a password. Worse: More than two years after security researcher Dana Taylor reported the flaws, Oracle has yet to release a patch for one of them, and, according to Taylor, the patch belatedly created for the other didn’t actually fix the vulnerability. Worst—for Oracle, anyway—Taylor kept detailed notes on her interactions with the company.

3VILDATA Blogger Discovers Key to Making Good Modems Go Bad

Security researcher and blogger Andreas Lindh reported this week that hackers can take advantage of security holes in some USB modems and force the machines to send malware-laced text messages to any phone number or act as staging areas for spear-phishing attacks. Lindh declined to identify the manufacturer of the device upon which he carried out the exploit because he had yet to notify the vendor.

In Other Cybercrime News…

Aleksandr Andreevich Panin, a Co-Creator of the SpyEye Banking Trojan, Pleads Guilty

VPN Bypass Bug Recently Found to Affect Android Jelly Bean 4.3 Now Identified as a Problem for Android KitKat 4.4.

Gag Orders Related to U.S. Government Demands for Data from Telecom Companies Under the Foreign Intelligence Surveillance Act Have Been Partially Relaxed

Senators Question Intelligence Officials About Snowden, Domestic Surveillance

Issa, Five Other Congressmen Call For DNI Clapper’s Removal

