News Flash: Google Tracks Your Location

That is probably not news to most people.

What is probably news – maybe – is that even when you think you tell Google not to collect and store your location data – it does so anyway.

Or, at least, that is what several lawsuits claim.

In the lawsuit filed Monday in a District of Columbia court, D.C. Attorney General Karl Racine alleges Google has “systematically” deceived consumers about how their locations are tracked and used. He also says the internet search giant has misled users into believing they can control the information the company collects about them.

The DC AG says “in reality, consumers who use Google products cannot prevent Google from collecting, storing and profiting from their location”.

And, just in case you think the DC AG has gone crazy…

The Attorneys General of Texas, Indiana and Washington state have all filed similar lawsuits.

If you think about it, Google makes 80% of their revenue from selling ads. Location is an important part of selling targeted ads. Showing me an ad for a restaurant or retail store a thousand miles away is unlikely to translate to a sale. Location is very important to them.

Google, of course, says these Attorneys General are wrong and Google deeply cares about your privacy. I would add to that … unless it affects our profitability.

In December 2020, ten states filed a federal lawsuit accusing Google of anticompetitive conduct.

In October 2020, the U.S. Justice Department, joined by 11 states, filed an antitrust lawsuit against Google for abusing its online search dominance.

European regulators have imposed multi-billion dollar fines for anti-competitive practices.

In May 2020, Arizona filed a lawsuit accusing Google of deceiving customers about protections for their personal data. Documents unsealed in this case showed some Google engineers were troubled by the way the company secretly tracked movements of users who did not want to be followed.

There seems to be an awful lot of smoke here for there to be no fire, but it will be years before all of this plays out. Still, get some popcorn. It will be interesting.

Credit: Security Week

UEFI Bootkit Virtually Impossible to Remove

Bootkits are designed to be undetectable, but typically you can reformat the hard drive and reinstall the operating system or, worst case, you can replace the hard drive to disinfect the computer.

But wait, there is more.

Security researchers from Kaspersky, the Russian cybersecurity company that we can never figure out whose side they are on, disclosed a new bootkit, code-named MoonBounce.

This bootkit does not hide anywhere on the hard drive like most bootkits do. That means that formatting the disk or even replacing the hard drive WILL NOT get rid of the malware.

So, if it does not hide on the hard drive, where does it hide?

It infects flash memory called SPI memory on the motherboard by taking advantage of flaws.

There are only two ways to get rid of the malware. One is to reflash the SPI memory, an extremely complex task. The other is to replace the motherboard and destroy the old one. Neither is terribly attractive.

Worse yet, given where it lives in the SPI memory controller, there is no easy way to even detect that it is there.

UEFI was designed as a replacement for the old computer BIOS because the BIOS was not secure. The UEFI uses a number of techniques to secure a chain of trust during the boot process to try and stop malicious code from compromising that process. That all works until hackers find bugs in it.

Kaspersky is aware of three bootkits – this one plus LoJax and MosaicRegressor.

But other researchers have found several more including ESPectre, FinSpy’s UEFI bootkit and others.

Kaspersky says this means that what we once thought was impossible – compromising UEFI – is clearly far from that. Still extremely hard, but not impossible.

MoonBounce, Kaspersky says, is the product of China’s APT41.

I am sure that we will learn more about these very rare incursions over time, so stay tuned.

Credit: The Record

Security News for the Week Ending January 21, 2022

Russia Arrests Some REvil Gang Members

At this point we don’t know who they ticked off, but Putin’s goons arrested 14 people and seized 426 million Roubles (about $5.5 million), $600,000 USD, 500,000 euros, computers and 20 cars. These guys definitely will not be getting a Christmas card from Vlad next year. Credit: Yahoo News

Gas or Electric – Which is Better When You are on a Virginia Highway in a Blizzard

Couldn’t resist the dig on Virginia – the government of which could not figure out recently that ice storms could cause problems and where people were stranded on the Interstate for over 24 hours with no food, water or heat. The question that electric car naysayers have been asking – or really telling – is that if you are in an electric car, stuck in a traffic jam, you are going to run out of juice and have to be towed somewhere to get a charge (vs. putting a few gallons into your gas tank). If you want to see the details of the argument, go to the link, but at least this analysis says that it is a bit of a toss-up because of all of the variables. Credit: Vice

Europe Wants to Create Its Own DNS Infrastructure

The EU doesn’t like anything that it can’t control and especially if it is controlled by companies in the U.S. The project, called DNS4EU, would enable DNS filtering, support all DNS standards and, most importantly, would effectively be under the government’s thumb, meaning that they could tell DNS4EU to block whatever the various governments wanted. Bigger point, EU ISPs won’t be happy to lose the revenue that they get from currently selling their users’ data, so it is unclear whether, unless EU law forces them to use it, they would encourage it. Credit: The Record

More Than Half of Connected Medical Devices Have Critical Vulnerabilities

A new report from Cynerio says that 53% of Internet-connected medical devices analyzed were found to have a known critical vulnerability. In addition, a third of bedside healthcare IoT devices have an identified critical risk. This includes missing patches, unsupported operating systems and default passwords left in operation. Credit: Cynerio

Some Russian Hackers Worried About Being Arrested

After recent arrests by Russia’s FSB of the REvil hackers, there is some chatter on Russian message boards about not wanting to go to jail. One hacker said that those who expect that Russia would protect them will be greatly disappointed. Some are even suggesting moving to a more favorable (to them) jurisdiction, but there likely aren’t many of those. If Russia continues this then the paranoia will likely increase, which is good for us. Credit: ZDNet

The Future of Authentication – More Secure but More Difficult

The IRS is changing from using a homegrown userid and password based authentication system to a third party single sign-on type of system run by ID.ME.

Given that the IRS doesn’t have a great track record for security, your first inclination might be “can’t be any worse than what they had before”.

The short version of the answer is that it seems to be better, but it is also much more effort to set up your account the first time. After that, it is really no different than any other system signon with two factor mandatory.

Hence the rub.

Do I want access that is more secure?

Or do I not care about security (until my stuff is stolen); it has to be convenient?

I signed up for an ID.ME account a couple of months ago. Not only does the IRS use it but a couple dozen states use it too.

Unlike me, when Brian Krebs signed up for an account, he blogged about the experience. I will capture what he said about it.

The problem that most web sites have is that they don’t really know that you are you. If someone goes to your bank and, assuming you have not signed up for online banking, they sign up as you (to steal all your money, of course), all they need is a few bits of information that is likely widely available and poof, they are you and they can steal your cash.

The IRS is trying to do it right for a change. Pretty novel.

The sign up process starts out pretty normal. Enter an email address and pick a password and confirm that you got the confirmation email that they sent you.

Next you **MUST** pick a multi-factor authentication mechanism. They support everything from a text message to a FIDO key. I chose one of the several authenticator apps that I use.

Next you have to upload a copy of a government issued ID like a driver’s license.

Then you have to take a selfie of yourself holding your ID.

If the computer can match the two images you move into the next step.

You have to provide them with a phone number. Unfortunately, it does not accept Voice over IP phones. That is all that I have. I gave up my last landline a year ago. This forces you into an alternate authentication loop.

Now you have to go to a live video chat on your phone or computer. You get to start all over and re-upload the documents. This just seems like stupid programming and doesn’t provide any additional security, so maybe they will fix this. In this scenario you have to upload TWO other forms of ID like a Social Security Card or birth certificate. This is the same drill you go through when your employer completes your I-9.

Now you get to wait. The system says that you have to stay connected while you wait. Brian’s screen said the wait time was 3 hours and 27 minutes. This is only an estimate.

Brian, like me, tends to like to make waves, so after he saw that wait time he sent a “love note” to ID.ME’s founder. Even though this was like ten o’clock at night, the threat worked and he got a call from a technician in a few minutes. He resolved the issue and Brian got his ID.

Even in this best case, this is a lot more work than a normal account signup, but it is also more secure. You also have to trust this private company with your information. In the worst case, it is a big pain.

A lot of this can be chalked up to growing pains and is totally resolvable. But some of this is the price of having a higher level of confidence in who is signing up.

For higher security systems, like the military, you have to show up in person. This is certainly more convenient than that. I need to renew my Global Traveler card. In order to do that I have to make an appointment – in my case the first appointment is FOUR MONTHS in the future and then drive myself out to the airport – an hour each way. This is definitely more convenient than that.

For higher security situations, systems like ID.ME are probably the future.

One thing that ID.ME did right is that if you need an account for say the IRS and your State government, one ID is sufficient. All you need to do is authorize ID.ME to share your information with the second entity and you are good to go.

You can ask them to delete your information if you want, at any time, but that inconveniently will also delete your account.

When Brian asked them about their security, they were a bit general – which is understandable – but it definitely sounds like they are taking a lot more care than most web sites. Credit: Brian Krebs

Governments Struggle to Deliver Secure Online Services to Citizens

As times change and as a function of the pandemic response, governments are trying to deliver more services online. Unfortunately, governments rarely get to hire the best or the brightest software developers or security architects because they cannot match what the private sector can offer.

Auth0 recently released the findings of its Public Sector Identity Index. Here are some of their findings.

The first question is how do citizens authenticate themselves to your digital services.

Not surprisingly, the overwhelming answer was userid and password, probably the least secure method possible other than no authentication at all.

While the report says that a little more than 60% use two factor authentication, it is less clear to me whether that means that the site OFFERS 2FA or the site REQUIRES 2FA. Google, for example, offers it but at the moment, for the most part, does not require it. The results include responses from not only U.S. IT and business leaders, but also those in the U.K., Australia and New Zealand. Different countries probably have different adoption rates.

So what are some of the key findings?

  1. Less than one in five are extremely confident in the security of their current authentication solution.
  2. Four in ten are building their own identity authentication solution. I am sure they will do that perfectly and securely. NOT!
  3. Most (75%) plan to expand their digital offerings over the next couple of years and almost the same number are concerned about citizens’ privacy as well.

If we just look at U.S. responses, ensuring that citizens trust their government’s digital services comes in at 71%, but only 56% of those same people have confidence in their ability to deliver it.

Forrester says that what the public sector does is hugely important because it makes up 30% of the global GDP. Credit: Helpnet Security

It’s To Protect The Children

Law enforcement has been trying since at least the 1990s, when they jailed and tried to convict Phil Zimmermann for creating an open source encryption program called PGP, to put the encryption genie back in the bottle.

The problem is that encryption is math and math doesn’t care about politics.

If some governments were to ban encryption, there would be other countries where people who really wanted encryption could get it. And, while the math is hard, there are enough books published, enough algorithms available, that smart hackers could write their own.

Governments have been trying for decades to get software developers to create new math – math that allows for strong encryption but also gives law enforcement a master key to look at whatever they want to look at.

After all, if the TSA can’t even secure the physical keys that they use to open people’s suitcases at the airport, how likely is it that they can secure a master encryption key or keys?

So the solution is to scare people – or at least try to scare them.

Fear is a common tactic. Car makers who don’t want people to be able to repair their own cars said that allowing people to do that would embolden sexual predators (Massachusetts, 2017).

They are counting on people being fearful and not knowledgeable. Occasionally it works.

Britain is trying to scare people into giving up their right to privacy. At this point, we do not know whether it will work or not.

Rolling Stone is reporting that the UK government, at taxpayer expense, has hired the world famous advertising agency M&C Saatchi to create a major scare campaign.

According to documents reviewed by Rolling Stone, one of the activities considered as part of the publicity offensive is a striking stunt — placing an adult and child (both actors) in a glass box, with the adult looking “knowingly” at the child as the glass fades to black.

The UK Home Office said that they hired Saatchi to bring together organizations that “share our concerns about the impact end-to-end encryption would have on our ability to keep children safe”.

It is fair to say that encryption does make bulk data surveillance harder, but there is already a lot of end-to-end encryption in place. Open source software like Telegram and Signal and commercial software like WhatsApp are just a couple of examples.

The government says that the plan is to create this media blitz “to make the public uneasy”. In other words, scare them into accepting even more surveillance than they are already under.

One slide from a campaign deck says that most of the public has never heard of end-to-end encryption, adding that “this means that people can be easily swayed”.

They also said that the campaign must not start a privacy vs safety debate, but I don’t think that objective is possible.

The opening phase of the government’s scare campaign is expected to start within days.

However, privacy advocates plan to start their own campaign too.

This battle is not going to end anytime soon, but the best defense is an educated public.

If you have questions, please reach out to us.
