TomTom Bills for Services Not Delivered

This is an interesting story and interesting warning.

The good news is that it is manageable and the exposure is low, but as the Internet of Things continues its march to take over the world, the problem is only going to get worse.

Here is today’s story.

A guy in the UK woke up one morning to discover that his credit card was being charged for TomTom’s satellite navigation services.

The only problem is that this service was for his Mazda CX-5.

Which he sold last year.

But this owner did the right thing. When he sold his car back to the dealer, he dug though the manual to figure out how to do the equivalent of a factory reset on the infotainment system so as to wipe out all the data. All of his contacts, logins, etc. He thought he did the right thing.

The car sat on the dealer’s lot for months, but then he got this bill.

He reached out to both Mazda and TomTom.

Mazda said that they didn’t keep financial (AKA credit card) data and when the customer did a factory reset, it wipes out the contact information and all other PII.

No matter what question the reporter asked Mazda’s spin doctor, the answer came back that they don’t keep personal information and if the consumer contracts with a third party for services, that is the consumer’s problem (basically, he said it a little more covertly).

Technically this is true, but perception is reality.

TomTom was a little better. They said that they screwed up and sent out billing notices when they should not have and quickly corrected the problem.

At least in the United States, **IF YOU PAY WITH A CREDIT CARD**, your ability to get your money back for situations like this are good as long as you notify the credit card company quickly.

But it points to a bigger problem.

Obviously this guy didn’t realize that there was a third party relationship associated with is part of his car – the navigation system. It is built into the car. He followed the directions to wipe it. Shouldn’t that be it?

How many IoT devices do you have that use one of your credit cards or your bank account? Do you even know which devices have what information?

Example: I have a ring video camera. They charge my credit card a few bucks every month for storing my videos. I could literally take the camera out to my driveway and run it over with my truck and I would still get a bill from Ring every month.

They don’t care that I don’t have the device.

Worse yet, if I sell the device and someone else is dishonest or just not knowledgeable, they could use the device in a way that charges my account.

The way the game is set up is that it is your responsibility to keep track of everything that uses your account information so that you don’t get charged for something that you don’t own, don’t want or can’t use. It is completely up to you.

While I understand why the vendors like it this way, it is important that you, as a business owner or consumer, understand what you have gotten yourself into.

As a consumer, you might see a $10 charge or $25 or whatever and say “hey wait, that’s not right”. And go through the hassle to fix it.

But as someone in the accounting department of a company, even a small company, the odds of catching a $25 or $50 erroneous charge on a business credit card – a charge that has been showing up every month for years but is no longer valid – is much lower. The vendors like it that way.

The ball is, as they say, in your court. Credit: The Register

Trust Your Internet Provider at Your Own Risk

I am not saying that Internet providers are evil. They just may not be as concerned about your security and privacy as you are.

I have often said that your ISP provides you with the modem/router that they can buy for $12.95. While this is a bit of hyperbole, it is, none the less, all too true.

Two security researchers discovered severe vulnerabilities and intentional security backdoors in 29 different fiber termination devices from vendor C-Data. This is just one example.

These devices for terminating fiber to the home called FTTH OLT or fiber to the home optical line termination, are deployed all over ISP’s networks wherever they want to convert from fiber to ethernet.

Not surprisingly, these devices are made in China. They are in consumer’s homes, businesses and data centers.

The researchers found multiple very severe vulnerabilities in multiple devices.

Our recommendation that you install your own firewall that you and only you control between the ISP’s connection and your equipment. While this seems logical, you would be surprised at the number of networks that rely on the ISP to secure them.

Hopefully most businesses have their own firewalls, but for small and medium businesses, they too often are trusting their ISP to secure them.


More importantly, many of these vulnerable devices will never be patched.

You are responsible for protecting your own network. Sorry. Credit: ZDNet

Security News Bites for the Week Ending July 10, 2020

Digicert to Incinerate 50,000 Certificates this Weekend

Due to a process failure, Digicert is going to invalidate about 50,000 SSL (TLS) certificates this weekend. This is happening with only 5 days notice. If Digicert is your certificate provider, make sure that your certificate is not one that is going into the bonfire. Credit: The Register

National Coin Shortage

Okay, this is not a security item, but fascinating none the less. I went into a gas station this week and there was a sign on the counter – pay with exact change or use a credit card. National Coin Shortage. News to me, but apparently true according to the Federal Reserve. Due to Covid-19 and stores closing, coins are not circulating. Combine that with the U.S. Mint reducing some production due to the virus, and the Fed says that there is a coin shortage. They say it likely won’t be fixed for months. Interesting. Credit: Vice

The Hidden Purpose of New Mac Ransomware

If you are like most people, you probably assume that the purpose of any ransomware is, well, to collect a ransom. According to researchers, that might not be the case with EvilQuest. Instead, it’s purpose, they say, is to steal information. Almost anything. Images. Documents. SSL Certificates. Crypto wallets. Spreadsheets. I.e., almost anything with bits. Probably a good idea not to get infected with it. Credit: SC Magazine

DHS’s “SSN Lock” – Nope. Not Even Close

I have written before that you need to create your online account at important vendors before a hacker creates one for you and takes over your account.

Great concept. For **MOST** companies, that actually works. Not so for your Social Security Number at the Department of Homeland Security.

After a reader alerted him, Brian Krebs created an account on DHS’s web site and locked his social security number. Brian then created another account on the site using a different email address but with his social and the system allowed him create that second account and to unlock his social. We call that pretend security. Most companies do better than that. Credit: Brian Krebs

Russian Hacker Who Hacked Linked In and Dropbox is Guilty

Russian National Yevgeniy Nikulin was found guilty of hacking LinkedIn and Dropbox, among other sites. He was arrested in the Czech Republic in 2016 and extradited to the US in 2018 over objections of Russia who wanted to, they said, bring him to trial in Russia (sure, we believe them). The case has been a bit of a circus with him not cooperating with his lawyers, meeting with Russian officials without his lawyer present and being placed in solitary after vandalizing his cell. He will be sentenced in September. Credit: Cyberscoop

The Evils of Encryption

People who know me know that I am always railing against people who want to curb encryption, but encryption does present legitimate problems.

Firefox Send is a great program that allows users to encrypt data – large files – and send a link to a recipient to allow them to download the file. I use it regularly. Well, I used to.

This week Mozilla shut it down – hopefully temporarily – while they figure out a solution. What is the problem?????

The service presents several problems; here are a couple.

For example, you can set Send to delete the file after ONE download. That means that investigators who want to look at it to figure out its origin can’t cuz it is gone.

Firefox URLs are typically trusted inside organizations, so in the name of efficiency, they might not be scanned.

Gangs don’t have to figure out an anonymous way to deliver payloads – even big ones. Firefox does it for them.

Files can be password protected making it impossible for man in the middle corporate decryption to scan the files.

While Mozilla is being a good corporate citizen and took the service down until they can figure out how to deal with some of these issues, they are not issues limited to Send. Any file transfer service with similar features is equally vulnerable.

At the corporate level, one solution is easy. Consider Send malicious (even when it isn’t) and block it via a deny-list or firewall rule. Kind of heavy handed. Of course you have to do this for every single competitor of Send.

Also of course, you then need to give users an approved alternative.

It would also seem that you can get your arms around this by always scanning Send attachments.

None the less, apparently it is enough of a magnet for hackers that Firefox shut it down.

Is your organization safe from this type of attack? I suggest you take steps now before it is used against you. Credit: ZDNet

CCPA and Cyber Insurance

The law firm of Bryan Cave has done some interesting analysis.

On January 1, 2020, California became the first U.S. state to allow a breach victim to sue a company that was breached without having to prove they were damaged. The breach alone was proof of damage. The amount any one person can sue for is small – between $100 and $750, but when you multiply that by any reasonable number of victims – say 10,000 which by today’s standard is a small breach – and now you are talking money. In this example, between a million and 7.5 million dollars.

So what did Bryan Cave’s analysis show?

27 of the 84 breaches reported to the CA AG so far this year have resulted in litigation. There have been 34 actions filed referencing CCPA.

Of course a lot of this is garbage.

Some of the suits were filed for breaches that happened before CCPA went into effect. Some were filed before the 30 day cure period expired (although it is hard to cure a breach, the law says ya gotta let ’em try).

Some were filed for non-breach related CCPA violations. Note: the law does not allow for private rights of action in these cases.

Some of this could be attorneys practicing. Or testing the courts so see if they have read the law or want to create a law of their own. This part will pass.

Still 30% of the breaches reported to the AG have resulted in some form of legal action. This is up from 4-6 percent in previous years.

So what does this mean for a company with customers in California?

It means the economics of cyber security is changing and changing rather rapidly. This is, in my opinion, exactly what the framers of the ballot initiative (Alastair Mactaggart) that force AB 375 to be passed into law wanted.

Whether you agree with Alastair or not, you need to recognize that the economics of cybersecurity for companies that have customers in the world’s 5th or 6th largest economy has changed.

Likely it will continue to change.

Will insurance companies, understanding that their risk profile has changed, start demanding better security if you want insurance? Don’t know, but they understand math. Either better security, higher premiums or no insurance

Will banks start demanding better security for companies who want loans. Certainly bad security increases loan risk?

Will investors start demanding better security for companies that they invest in? Some already have.

So what does this mean for companies?

Consider the new economics. Then consider your security profile. Finally consider what would happen if you were breached?

Credit: Bryan Cave

When Police Hack the Hackers

Sometimes the police do some great tech work. This case does not appear to include any U.S. law enforcement agencies, but sometimes they don’t want any attention for a number of reasons.

This story starts with criminals using a specially modified phone that was designed to be more secure. The phone, called an EncroChat, has no camera, no microphone and no GPS. The phone costs about $1,100. The phone also provides global network coverage for about $1,600 for 6 months.

The phone provider promised anonymity, but they were, apparently, wrong.

The Dutch police figured out a way to hack these phones. Likely at the network level. This allowed them to read the messages of hundreds of criminals in real time.

I have no clue how this phone and network works, but anytime you trust your provider to manage encryption keys for you, there is a weakness. Just guessing, but that is probably how they got in.

The authorities were capturing messages for two months before they swooped in and they are still analyzing data. I bet there are some folks looking over their shoulder now.

SO FAR, the Brits have arrested 750 crooks, confiscated $67 million in cash, 77 firearms and over two tons of drugs.

But the Dutch police won the contest hands down. They arrested 60 people, but they were much better at the drug haul. Their haul includes 22,000 pounds of cocaine, 154 pounds of heroin and 3,300 pounds of crystal meth. They also found and disabled 19 drug labs and seized 25 vehicles.

Other countries were also involved and conducted their own arrests.

Based on what the cops say, this is not over yet. As they review more communications, they will go after other crooks.

I am neither a drug dealer nor user, so I have no idea about prices, but Google says that a pound of coke retails for about $10,000. Assuming that is even close, just the coke alone has a street price of a quarter billion dollars.

I am guessing some folks are not happy about losing that much “product”.

While sometimes we don’t have great things to say about law enforcement’s ability to deal with tech, here is a case where even though the tech was supposedly law enforcement proof, they did an amazing job, got some bad people off the streets and removed a significant amount of drugs from the supply chain. This happened against a backdrop of a U.S. Senate committee voting today on a bill that tries to do something about encryption. Perhaps they should talk to the Dutch authorities.

No one thinks this is the end of anything, but we will take any wins we can get.

On the other hand, if you are a crook, don’t assume your tech is unhackable and completely secure. 🙂 Credit: NY Times

Privacy, Security and Cyber Risk Mitigation in the Digital Age

Visit Us On FacebookCheck Our Feed