Monthly Archives: January 2013

ALERT!!!!! HOW TO: Spy on the Webcams of Your Website Visitors

ALERT!! – I would read this because cops could be watching you.     I discovered a vulnerability in Adobe Flash that allows any website to turn on your webcam and microphone without your knowledge or consent to spy on you.

It works in all versions of Adobe Flash that I tested. I’ve confirmed that it works in the Firefox and Safari for Mac browsers. Use one of those if you check out the live demo. There’s a weird CSS opacity bug in most other browsers (Chrome for Mac and most browsers on Windows/Linux).

Updates about the vulnerabilty

Clickjacking + Adobe Flash = Sad Times!

This attack works by using a neat variation of the normal clickjacking technique that spammers and other bad people are using in the wild right now. For the uninitiated:

Clickjacking is a malicious technique of tricking Web users into revealing confidential information or taking control of their computer while clicking on seemingly innocuous web pages.

— Wikipedia

Combine clickjacking with the Adobe Flash Player Setting Manager page and you have a recipe for some sad times.


I took a computer security class (Stanford’s CS 155) last quarter and really enjoyed this research paper on framebusting and clickjacking. After reading it, I checked out a few popular sites to see if it was possible to clickjack them. After a couple hours, I had no success.

But, then I stumbled upon this blog post entitled “Malicious camera spying using ClickJacking” where the author shows how to clickjack the Adobe Flash Settings Manager page to enable users’ webcams. He accomplishes this by putting the whole settings page into an iframe and making it invisible. Then, unsuspecting users play a little game and unwittingly enable their webcams. Adobe quickly added framebusting code to the Settings Manager page (why wasn’t it there in the first place?), and the attack stopped working.

But alas, the same attack is actually still possible.

How my attack works

Instead of iframing the whole settings page (which contains the framebusting code), I just iframe the settings SWF file. This let me bypass the framebusting JavaScript code, since we don’t load the whole page — just the remote .SWF file. I was really surprised to find out that this actually works!

I’ve seen a bunch of clickjacking attacks in the wild, but I’ve never seen any attacks where the attacker iframes a SWF file from a remote domain to clickjack it — let alone a .SWF file as important as one that controls access to your webcam and mic!

The problem here is the Flash Player Setting Manager, this inheritance from Macromedia might be the Flash Player security Achilles heel.

— Guy Aharonovsky

Can Police Search Your Cellphone Without a Warrant?

What’s the difference between personal information and correspondence you have physically stored in your home, and similar information that’s on your cellphone? And what should police have access to without a warrant?

It’s a question that courts across the nation are dealing with it and one that arose here in Massachusetts on Wednesday, when the Supreme Judicial Court ruled that police don’t need a search warrant to look at the call list of a person’s cellphone during while searching that person’s personal property after an arrest.

However, in writing the court’s opinion for Commonwealth vs. Demetrius A. Phifer, Justice Margot Botsford cited other court cases that raise questions about the extent that law enforcement officials can access information stored on a cellphone.

“Today’s cellular telephones are essentially computers, capable of storing enormous quantities of information, personal, private, and otherwise, in many different forms,” Botsford wrote. “They present novel and important questions about the relationship between the modern doctrine of search incident to arrest and individual privacy rights.

“Although an individual’s reasonable expectation of privacy is diminished concerning his or her physical person when subject to a lawful arrest and taken into custody,” she continued, “the same may not necessarily be true with respect to the privacy of the myriad types of information stored in a cellular telephone that he or she is carrying at the time of arrest.”

The New York Times reported last month about divergent rulings in courts across the country regarding information stored on cellphones, such as a Rhode Island judge throwing out cellphone evidence obtained without a search warrant that led a man being charged with the murder of a 6-year-old boy.

A Washington court likened text messages to voice mail messages that can be overheard by anyone in a room, the Times reported, and ruled they are not protected by state privacy laws, while a federal appeals court in Louisiana is wrangling over whether location records stored in smartphones are private information or business records that belong to the phone companies.

Meanwhile, just last week the Senate Judiciary Committee approved a bill that if passed would limit law enforcement officials’ warrantless access to email, private Facebook posts and other information that’s stored on the Internet. reported that tech firms including Apple, Google, Facebook and Twitter have urged Congress to update the Electronic Communications Privacy Act, passed in 1986, “and preserve the same privacy rights that Americans enjoy if their files are printed out and stored in a cabinet at home.”

What should police be able to search on a cellphone without a warrant? The call log? Emails and private Facebook or Twitter messages? GPS location data that track where the phone has been? Should it all be fair game, should it all require a search warrant, or is it a mix? Tell us what you think in the comments.



Know Your Rights – Social Media And Your Job

Social media: Two new laws will prevent employers and higher-education officials from asking for applicants’ social-media passwords. Read more at the San Francisco Examiner:

Increasing numbers of Americans use social media, both on and off the job. Recently, some employers have asked employees to turn over their username or passwords for their personal accounts. Some employers argue that access to personal accounts is needed to protect proprietary information or trade secrets and to prevent the employer from being exposed to legal liabilities. But others consider requiring access to personal accounts an invasion of employee privacy. State legislators introduced legislation beginning in 2012 to prevent employers from requesting passwords to personal Internet accounts—including email, banking and social networking sites—in order to get or keep a job. Some states have similar legislation protect students in public colleges and universities from having to grant access to their social networking accounts. As we all know some us this as a way to profile bikers and their supporters.

A.B. 25
Status: December 3, 2012; Introduced
Existing law prohibits a private employer from requiring or requesting an employee or applicant for employment to disclose a username or password for the purpose of accessing personal social media, to access personal social media in the presence of the employer, or to divulge any personal social media. Existing law prohibits a private employer from discharging, disciplining, threatening to discharge or discipline, or otherwise retaliating against an employee or applicant for not complying with a request or demand that violates these provisions. This bill would apply the provisions described above to public employers. The bill would state that its provisions address a matter of statewide interest and apply to public employers generally, including charter cities and counties.

Rule number one when applying for a job: lock down your Facebook profile’s privacy settings.

There’s nothing worse than a perspective employer possessing photographic evidence of exactly how hard you partied in college or the full extent of your airbrushed unicorn t-shirt collection–at least until after you’ve received your first paycheck.

Employers are tricky: many increasingly require applicants to turn over their social media passwords so they can take a look at interviewees’ profiles.

Earlier this week, the state of California took moves to outlaw this practice when the state senate unanimously voted for a bill banning employers from demanding access to the social media profiles of both job applicants and current employees as well as barring retaliation if such requests are denied.

The bill’s unanimous passage came thanks to wide support from business groups, such as the California Chamber of Commerce, as well as organized labor.

However, not everyone is entirely sold on a sweeping ban on employers’ access to employees’ profiles. Senator Ted Gaines (R-Rocklin) told the Sacramento Bee that he is worried about the bill making it more difficult for companies to identify workplace harassment. “I want to make sure we are protecting people’s privacy,” said Gaines. “[But] I have a concern with being able to address early harassment issues.”

Such concerns led to an exception written into the law allowing employers to gain access to employees’ personal accounts to look into “allegations of employee misconduct or employee violation of applicable laws and regulations.”

Facebook itself has vocally come out against the practice.”[We] don’t think it’s right the thing to do,” Facebook Chief Privacy Office Erin Egan told CNN. “But it also may cause problems for the employers that they are not anticipating. For example, if an employer sees on Facebook that someone is a member of a protected group (e.g. over a certain age, etc.) that employer may open themselves up to claims of discriminationif they don’t hire that person.”

It’s against the law for employers to ask interviewees for certain pieces of personal information like race, religion or age; precisely the type of information regularly disclosed on Facebook profiles.

Earlier this summer, the state senate approved a similar bill that also outlawed colleges and universities from asking for social media passwords, a practice sometimes done to ensure that college athletes are complying with NCAA regulations.

California is one of 14 states around the country working on legislation to protect social media passwords. Bills in Illinois and Maryland have already been passed but have yet to go into effect.

At the national level, Senators Chuck Schumer (D-N.Y.) and Richard Blumenthal (D-Conn.) have asked the Department of Justice and the Equal Employment Opportunity Commission to look into whether such password requests are in violation of federal law.

“In an age where more and more of our personal information–and our private social interactions–are online, it is vital that all individuals be allowed to determine for themselves what personal information they want to make public and protect personal information from their would-be employers,” said Schumer in a statement to the Associated Press. “This is especially important during the job-seeking process, when all the power is on one side of the fence.”

This unequal power dynamic can lead to very uncomfortable situations for job seekers, as one Maryland resident recounted to the Associated Press:

Back in 2010, Robert Collins was returning to his job as a security guard at the Maryland Department of Public Safety and Correctional Services after taking a leave following his mother’s death. During a reinstatement interview, he was asked for his login and password, purportedly so the agency could check for any gang affiliations. He was stunned by the request but complied.”I needed my job to feed my family. I had to,” he recalled.


Representative Eliot Engel (D-N.Y.) introduced similar privacy legislation into the U.S. House of Representatives earlier this year, but it has yet to receive a vote.

The California bill is next headed to the state assembly and, if passed, will go to Governor Jerry Brown to be signed into law.



Bikers Claim They’re Getting Profiled

Initially, charges of racial profiling by law enforcement were brought largely by African-American drivers. But in Maricopa County, Arizona, it’s Latinos who say they’re the victims of race-based policing. Now there’s another group that says they’re being singled out by cops despite their claims they have done nothing wrong. Bikers, individuals who belong to “clubs” like the Hell’s Angels are crying foul and want their legislative representatives to do something. In Washington State, where the law enforcement community is mourning multiple officers killed in the line of duty, legislators working on the state’s House Public Safety Committee heard from scores of individuals about what they say is a travesty of justice.

The bikers, the kind who don leather and “get their motors running,” told the committee that they have been targeted by police, stopped for no apparent reason, searched, questioned and generally harassed simply because they ride motorcycles. The bikers say it’s profiling plain and simple.

They say it’s similar to charges made by predominantly young black drivers that they are singled out by police. It’s illegal to profile minorities, so it should be illegal to profile motorcycle riders, the bikers contend. “It does occur,” Rep. Steve Kirby, D-Tacoma, the sponsor of a bill to outlaw profiling of motorcyclists, told The Spokesman-Review newspaper. “It’s just wrong and it has to stop.”

The Washington State Patrol is particularly apt to pull them over. Those charges were leveled by David Devereaux, of Tacoma. He is a member of the Outsiders Motorcycle Club.

When bikers showed up last year for their annual lobbying day at the state house, a state trooper took down all their license plate numbers, Devereaux said. The bikers videotaped the trooper and posted it on YouTube to back up their claim of harassment. But Capt. Jason Berry, head of government and media relations for the State Patrol, denied that troopers profile bikers or any other group.

The agency did collect license information on all motorcycles at Black Thursday in 2009 because some outlaw bikers were “showing off colors and paraphernalia.” But Capt. Berry says that was standard practice for everyone that showed up. It was just a precaution in case “something bad were to happen,” Berry said.

When nothing did, “the information was thrown away.” In addition, the Washington State P says it has no problem with Kirby’s bill because the agency does not profile and is proud of it. Some committee members tried to flesh out major differences between various types of biker clubs.

Rep. Brad Klippert, R-Kennewick, a police officer when he’s not a legislator, asked if there weren’t legal biker gangs and illegal gangs.

“Weren’t the Hells Angels running methamphetamine out of California and into the Northwest a few years back?”

But there are many types of motorcycle organizations, from Christian bikers to stockbroker bikers according to Mr. Devereaux.

The Hells Angel stereotype sells movie tickets, but it’s a fraction of the larger group.

“We’re working Americans. I’m raising two children. I’ve been married for 15 years,” he told The Spokesman-Review.

Motorcycle Clubs Claim Profiling In California

Say that they are good people and should not be targeted for ‘undue’ law enforcement attention

OROVILLE, Calif. — While admitting many of them deliberately foster a “bad boy” persona, members of several motorcycle clubs went before the Butte County Board of Supervisors today to say they don’t deserve to be treated as criminals, and resent it.

With their Harley-Davidson motorcycles parked in front of the county Administration Building, and wearing vests declaring themselves to be “Americans,” “Bishops,” “Just Brothers” and others, they came before the supervisors Tuesday to say they are good people and shouldn’t be targeted for undue law enforcement attention.

Dave Gilbert, 71, president of the United Bikers of Butte County, said he rides with the Just Brothers, which he firmly said is not a gang.

He said several motorcycle clubs in Butte County do rides that are fundraisers for a host of charities.

“I am not a gang guy. I’ve never been arrested in my life. I’m a good guy,” said Gilbert.

He and the others spoke during the public comment section of the meeting, when people can talk on any topic not on the agenda. The board cannot not take any action on what was said.

Gilbert and his colleagues said they find themselves being stopped by deputies and other law enforcement who want to take their pictures, particularly pictures of their tattoos and the bike’s license plates.

He went on to say he had talked to Butte County Sheriff Jerry Smith about the situation and he was “very nice.”

Bonnie Salmon, who owns Scooters Cafe on Highway 70 with her husband, Dan, said in the last month she has seen officers stop her clients in the cafe’s parking lot.

She said the riders were being “profiled.” She said the bike riders were being asked about their tattoos and patches.

Her husband said their business has dropped off since officers stopped bike riders at the cafe.

Bill McPhillips, an attorney from Canoga Park, said he was there representing the clubs. He said motorcycle clubs are places where a segment of “blue collar workers” tend to congregate.

“They have a certain style. They are easy to be picked out. They are being singled out because of the way they chose to express themselves. That is completely un-American,” said the attorney.

“It is true, bikers like to cultivate the ‘bad boy’ image, but you’ve got to know they are your neighbors,” said McPhillips.

The attorney and several of the bikers said the effort to come to the board had begun a dialogue that should lead to greater understanding.

Paradise Supervisor Kim Yamaguchi said he belongs to a cycle club that is affiliated with his church.

Supervisor Steve Lambert, who chairs the board, said “I think a bridge has been built here.”

Sheriff Smith, who was present during the presentation, said outside the meeting, “We’re not harassing anybody.”

He said his staff has noted an upswing in the number of people on motorcycles wearing club colors that “we can’t account for.”

Smith said there has been some “misconceptions, misunderstandings perhaps,” and he hoped his office and the club members can come to some common ground.


US Supreme Court Considers Forced Blood Draw From Motorists

The nation’s highest court on Wednesday considered whether police should be able to forcibly draw the blood of a motorist without a warrant. Supreme Court justices heard oral arguments in the case of Missouri v. McNeely to decide whether Tyler McNeely’s constitutional rights were violated when he was taken to a hospital for a blood draw after a state patrolman accused him of driving under the influence of alcohol (DUI) in October 2010.

“The issue in this case is whether the state may stick a needle in the arm of everyone arrested on suspicion of drunk driving without a warrant and without consent,” McNeely’s lawyer, Steven R. Shapiro, argued. “Missouri’s answer to that question is yes, even in routine DWI cases like this and regardless of how quickly and easily a warrant could be obtained.”

Prosecutors insist obtaining a warrant takes too much time. Since, they argue, evidence of alcohol is purged from the body over time, police were right to cite “exigent circumstances” to bypass the Fourth Amendment requirement to have a independent judge review the evidence before authorizing the blood draw. Several justices seemed skeptical about the claim.

“So how can it be reasonable to forego the Fourth Amendment in a procedure as intrusive as a needle going into someone’s body?” asked Justice Sonia Sotomayor. “I say this because breathalyzers in my mind have a much different intrusion level. They don’t intrude into your body.”

Many states have a program where judges are on standby to receive warrant applications over the phone for DUI cases. In these programs, warrants can be issued very quickly.

“The virtue of it is this man or woman is trained to listen to policemen and others say things and try to pin him down a little bit and make an independent judgment,” Justice Stephen G. Breyer said. “So — so why would it take more than 5 minutes? …. It would make it less likely that people who are really innocent in fact have this happen to them and so forth.”

Prosecutors argued such a system would not be feasible with all the paperwork and delays inherent in the legal system. Even if it were possible to obtain a speedy warrant, the protection it offered would be meaningless.

“I think if we were to the point where we were approving search warrants in three minutes, it would essentially be a rubber stamp,” Jackson, Missouri prosecuting attorney John N. Koester Jr said.

Twenty-five states currently prohibit warrantless blood draws, fifteen of which joined this case to formally oppose the prosecution’s argument that the warrant requirement is just too burdensome in rural jurisdictions. Justice Antonin Scalia suggested setting a precedent that applied nationwide based on current limitations could be a problem if technology advances to make it easier to present evidence to a judge in rural areas. He also wondered whether the warrant has become something of a formality that holds little meaning in DUI cases.

“In these DUI cases it’s always going to be the same thing,” Scalia said. “The policeman is going to say, well, you know, his breath smelled of alcohol; we gave him the walk a straight line and turn around test, he flunked it; he couldn’t touch his nose with his index finger. What is the impartial magistrate possibly going to do except to say, hey, you know, that’s probable cause.”

The defense answered that warrants generally are not turned down, regardless of the subject matter.