How Apple’s Address Book app could allow the NSA to harvest your contacts

Ashkan Soltani

Overlooked in last week's revelation that the National Security Agency (NSA) is harvesting hundreds of millions of e-mail address books around the world was this surprising factoid: Apple makes this mass collection easier because the Address Book app that by default manages Mac contacts doesn't use HTTPS encryption when syncing with Gmail accounts.

As a result, addresses that automatically travel between Macs and Google servers are sent as plain text, independent privacy researcher Ashkan Soltani wrote in The Washington Post last Monday. He provided the above screenshot demonstrating that Address Book contents appear in the clear to anyone who has the ability to monitor traffic over a Wi-Fi network or other connection. His observation came 15 months after another Mac user also warned that the Mac app offered no way to enable HTTPS when syncing e-mail address lists with Gmail.

"It appears that it's an Apple issue," Soltani told Ars, referring to the inability to enable HTTPS when Apple's Address Book is updated to a user's Gmail account. "Their other products support Gmail via HTTPS, so I suspect it would be a three-line fix in the contacts to alleviate this problem."



CryptoSeal VPN shuts down rather than risk NSA demands for crypto keys

A consumer VPN service called CryptoSeal Privacy has shut down rather than risk government intrusions that could cost the company money in legal fees and threaten user privacy.

CryptoSeal will continue offering its business-focused VPN, but the consumer service is done, the company announced:

With immediate effect as of this notice, CryptoSeal Privacy, our consumer VPN service, is terminated. All cryptographic keys used in the operation of the service have been zerofilled, and while no logs were produced (by design) during operation of the service, all records created incidental to the operation of the service have been deleted to the best of our ability.

Essentially, the service was created and operated under a certain understanding of current US law, and that understanding may not currently be valid. As we are a US company and comply fully with US law, but wish to protect the privacy of our users, it is impossible for us to continue offering the CryptoSeal Privacy consumer VPN product.

VPN services let consumers gain extra privacy and security while using the Internet. A user establishes an encrypted connection with a VPN service, routing all Internet traffic to the VPN before sending it on to the rest of the Internet.



Can we trust the data brokers who store our most intimate private details?

Some of the information Krebs found on

An identity theft service that prosecutors say illegally sold Social Security numbers, birth dates, driver's license numbers, and other sensitive data for more than 500,000 people purchased much of the information from credit service Experian, according to a report published Sunday night.

The revelation, reported by KrebsOnSecurity journalist Brian Krebs, is striking because Experian is one of the three major credit services. Experian also sells its own line of services for preventing identity theft. That means the company was in a position to profit not only from the data it reportedly sold to the underground service but also from the demand the underground site created for Experian's credit-monitoring and other identity theft protection services. Sunday's report comes four weeks after Krebs reported that members of a different identity theft ring hacked into LexisNexis and two other data brokers and obtained personal information belonging to at least one million people.

Interestingly, Krebs reports that the alleged proprietor of paid Experian for his monthly data access using wire transfers sent from Singapore. Experian, which by law is required to restrict access to private investigators and other users for "permissible purposes," should have regarded the unusual payment arrangement as a red flag that the account was being used for fraudulent purposes, according to critics. gained access to Experian's databases by posing as US-based private investigators even though the people who ran the service were located overseas.
