Cell Carriers Agree – AGAIN – To Stop Selling Your Location Data – HONEST!

Motherboard was able to buy real time location data from a broker for a T-Mobile phone for $300.  This is not illegal.

The food chain for location data is very complicated.

In this case, T-Mobile sold the data to data aggregator Zumigo.

Zumigo sold it to Microbilt.

Microbilt sold it to a bounty hunter.

Who sold it to a “source”.

Who sold it to Motherboard.

Ajit Pai, who, as Chairman of the FCC, has not been very consumer friendly, “declined” a request for an emergency briefing to Congress during the Trump Shutdown.

While I am not terribly impressed by that, the reality is that the FCC won’t take any action during the shutdown anyway.  Still, there is no reason not to brief Congress other than that Pai is a Republican and he was asked to testify by the Democrats.

AT&T, Sprint and T-Mobile continue to sell data even though they have promised to stop selling data multiple times.

Now they are saying that they pinky-promise that they will really, really stop selling your location data.

One of the challenges is that there are some legitimate services, such as roadside assistance, that need the data, so other accommodations have to be made for them.

One source of location data is the apps that people love to install.  One recent study found that a given app might collect your location up to 14,000 times a day (10 times a minute).

Users have to grant permission for apps to use their location, but as we saw with the City of LA lawsuit against The Weather Channel, many times apps ask for your permission to use your location but don’t clearly tell you what they are using it for or who they are selling it to.

The problem for people that really want your data is that for any given user, they don’t know what apps you have installed or which apps you have given location permission, so their best answer is to buy your location info from a data aggregator if they can’t get it from the cell companies.  

You can and should turn off location services when you don’t need it and review which apps you have given location permissions to see if you still want those apps to have that capability.

Don’t hold your breath.  Source: Bleeping Computer.


Food Giant Mondelez Sues Its Insurance Company Over “Act of War”

Mondelez is the parent company of Nabisco, Oreo, Ritz and many other brands that are part of Kraft Foods.

Mondelez, like many other companies, was a victim of the NotPetya attack which turned 1,700 servers and 24,000 workstations at Mondelez into very expensive bricks.

Mondelez’ insurance company, Zurich American, denied the claim, hence the lawsuit, which asks for 100 million dollars.

White House estimates of worldwide damage from NotPetya, at the time, were around 10 billion dollars, so Mondelez is claiming one percent of the total worldwide damage, which seems a bit high, but that is not the point.

The Zurich American policy in question offers this coverage:

“all risks of physical loss or damage” as well as “physical loss or damage to electronic data, programs, or software, including loss or damage caused by the malicious introduction of a machine code or instruction.”

It seems like this attack meets the requirements of this clause.

BUT, what insurance companies giveth, sometimes they taketh.

Zurich reviewed the claim and did what all insurance companies do – tried to figure out a way to reduce what they would have to pay out.

One survey said that companies collectively world wide could potentially claim $80 billion dollars in damages.

Zurich initially offered Mondelez $10 million to settle but then changed their mind.  Why?

Because of another clause in the policy.

There is a clause in their policy (and many others) that has an exclusion for  “hostile or warlike action in time of peace or war” by a “government or sovereign power.”   The key phrase here is BY a government or sovereign power.  Not hackers friendly to one.  Not hackers  mad at the world.  You get the idea.

Security experts and some governments blamed Russia for the attack.

Russia (of course) denied that claim.

So now, it would appear, it is up to Zurich to prove, based on a preponderance of evidence, that this (a) is a hostile or warlike action – a term that is likely not defined in the policy and for which a generally accepted definition has possibly never been adjudicated through the court system through appeals and (b) that it was done by “a government or foreign power”.  I don’t think it is sufficient to say “well the gov says it is”.

Either way this turns out, and we likely won’t know the final result for years, it will have an impact on the insurance industry.  Possibly the two sides will agree out of court, leaving the question unanswered for future claims.

Likely the industry will change the terms of policies long before this is settled and large companies will negotiate terms with insurance carriers – which will affect premiums.

This apparently is NOT a common technique to limit damages, according to some sources, and was probably precipitated by the size of the check that they might have to write.

Likely much of the data that could be used to prove Zurich’s stance in this case is classified by the U.S. or other governments.  Are those governments going to be willing to declassify that data for the benefit of one side of a civil lawsuit?  Not clear but stay tuned.  Source: The Register.


Security news for the Week Ending January 11, 2019

Australian Emergency Notification System Hacked

The Australian Emergency Warning Network, run by a private company, was hacked.  The hacker sent out a message that said “EWN has been hacked.  Your personal data stored with us is not safe.  We are trying to fix the security issues.  Please email support at .. if you want to unsubscribe.”

This service seems similar to the CodeRED system that many Colorado cities subscribe to. In Colorado it is a voluntary sign up process.  It seems like that is the case with this one too.

The alerts went out by email, text and voice.  The company shut down the system during the attack to limit the number of messages that went out;  still tens of thousands did go out.

This happened right after the Australian government passed a law requiring companies to create backdoors to their software and make data available to the government on request.  Are these related?  Unknown.  Details here.


Federal Shutdown is Impacting Cyber Defenders

As a follow up to this week’s opinion piece on the Federal shutdown impacting cybersecurity, the Department of Homeland Security cancelled its 2019 Cybersecurity and Innovation Showcase due to the shutdown.  That was supposed to be their largest cybersecurity event of the year.  They said they hope to reschedule it after the government reopens.

The Department of Commerce has also cancelled events and powered down web servers that have cybersecurity standards on them.

DHS’s new cybersecurity agency, the Cybersecurity and Infrastructure Security Agency (CISA), has furloughed 45 percent of its workforce.  CISA is still manning its “Watch floor” and has some unpaid people who will respond to a major attack on critical infrastructure.

A former attorney at the FTC pointed out the obvious – that “the government shutdown is anxiety inducing, and drives great employees away from government service.”  If it wasn’t bad enough that people who do cybersecurity work get paid less than those doing the same work in the private sector, now they have to worry about getting paid too.  Details here.

Comcast Debuts Xfinity xFI Advanced Security

Comcast announced a new service using the buzzword of the week, AI, saying that their AI powered service is designed to monitor, block and inform customers about online threats while providing protection for all connected devices in the home.  It appears to run inside the Comcast router.  A solution like that is a smart way to do it since you do not have to install anything on a device, but it is limited in what it can do since most data is encrypted.

Cost is $5.99 a month, but you have to have the xFi Gateway, which rents for $11 to $13 a month, depending on the market.  Details here.


Coinbase Suspends Ethereum Classic

In the ongoing saga of cryptocurrency attacks, this one creates a new low.

One thing people have always said is that since cryptocurrency uses distributed ledgers, it is immune from people changing history and reusing coins.

W.R.O.N.G.!!!

Multiple sources said that they saw more than 100 ledger blocks “reorganized” (i.e. changed after the fact) – something that should never happen.

Coinbase suspended trading on that particular cryptocurrency.  It is only one of over 2,500 different currencies.

Coinbase said that they saw about 88,000 Ethereum coins being double spent, worth about $460,000, but I saw other reports that said the attack is ongoing and the numbers were much larger.  Source: Coindesk.
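The reorganization described above is the failure mode a deposit-accepting service guards against by waiting for confirmations. The following is an added example, not code from the post, from Coinbase or from the Ethereum Classic project: it implements the catch-up probability from section 11 of the Bitcoin whitepaper (an attacker with fraction q of the hash rate overtaking a chain that is z blocks ahead), derives the confirmation depth needed for a chosen risk, and shows, on a constructed pair of chains, how many already-credited deposits a reorg erases. Ethereum Classic is proof-of-work with a heaviest-chain rule, so the same reasoning applies; the toy `reorg_depth` compares chain length rather than total difficulty, a simplification.

```python
import math


def catch_up_probability(q, z):
    """Probability that a miner holding fraction q of the hash rate ever overtakes
    the honest chain once a transaction is z blocks deep (Bitcoin whitepaper, sec. 11).
    Ethereum Classic uses the same proof-of-work longest/heaviest-chain rule."""
    if not 0.0 <= q < 1.0:
        raise ValueError("q must be in [0, 1)")
    p = 1.0 - q
    if q >= p:
        return 1.0                      # a majority miner always wins eventually
    lam = z * q / p                     # attacker's expected progress while honest miners find z blocks
    covered = 0.0
    for k in range(z + 1):
        poisson = math.exp(-lam) * lam ** k / math.factorial(k)
        covered += poisson * (1.0 - (q / p) ** (z - k))
    return 1.0 - covered


def required_confirmations(q, risk, max_z=10_000):
    """Smallest confirmation depth at which the catch-up probability drops below `risk`."""
    for z in range(max_z + 1):
        if catch_up_probability(q, z) < risk:
            return z
    raise ValueError("no depth within max_z meets the risk target")


def reorg_depth(current_chain, competing_chain):
    """Blocks a node discards from current_chain when it switches to a longer
    competing_chain (both given as lists of block ids, genesis first)."""
    if len(competing_chain) <= len(current_chain):
        return 0                        # not longer: the node keeps its chain
    common = 0
    for mine, theirs in zip(current_chain, competing_chain):
        if mine != theirs:
            break
        common += 1
    return len(current_chain) - common


def credits_reverted(deposit_heights, chain_height, reorg):
    """Heights (block indices) of credited deposits that a reorg of `reorg` blocks
    on a chain of `chain_height` blocks would erase from history."""
    first_discarded = chain_height - reorg
    return [h for h in deposit_heights if h >= first_discarded]


if __name__ == "__main__":
    # Constructed chains: the competitor forks after block a1 and is one block longer.
    honest = ["g", "a1", "a2", "a3", "a4"]
    competitor = ["g", "a1", "b2", "b3", "b4", "b5"]
    depth = reorg_depth(honest, competitor)
    print("reorg depth:", depth)
    print("deposits erased:", credits_reverted([1, 2, 4], len(honest), depth))
    for q in (0.1, 0.3):
        print(f"q={q}: confirmations for <0.1% risk:", required_confirmations(q, 0.001))
```

The numbers reproduce the whitepaper's table (five confirmations for a 10% attacker at 0.1% risk, twenty-four for a 30% attacker), which is why an exchange's confirmation policy has to be set against the hash rate an adversary could plausibly rent, not against a fixed block count.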

Weather Channel (App) Caught Selling User Data Without Permission

The Weather Channel collected user location data under the guise of telling you what the weather is where you are, but in fact, was selling that location data.  The City of Los Angeles is suing them over the misrepresentation.

The NY Times article said that they also sold the data for targeted marketing and to hedge funds for gathering consumer preference information.  The Weather Channel is owned by IBM.

Amazon’s Ring Video Camera Allowed Employees in Ukraine Unrestricted Access to All Videos

Let me start by saying that an Amazon spokesperson says that this is not the case, but the Intercept says that multiple former employees say that Ring has given R&D employees in Ukraine, as well as executives and engineers, unrestricted access to all videos, including those from inside your home.  The videos are not encrypted because, they say, that would make the company less valuable.

A Ring spokesperson refused to answer questions about their data security practices but offered a written statement that says that they have strict policies in place for all employees.

After the article was published, Ring tried to do some damage control by still not answering questions, but issuing another email saying “Ring employees never have and never did provide employees with access to livestreams of their Ring devices,” a claim contradicted by multiple sources.

I have a Ring device and was considering buying more.  Not anymore.  Looking for a competitor.

One more time, caveat emptor.  Source:  The Intercept.


Now (Some) (Important) Meta Data Can Be Encrypted

Worried about the NSA capturing all that metadata about you?  That is the stuff about you that the government says it can collect without a warrant (and courtesy of the Patriot Act) because you send it unencrypted over the Internet and so you have no expectation of privacy.

A big part of the data (besides the Internet address that identifies you) is the DNS queries that you make.

DNS is the phone book that the Internet uses to map a friendly name like www.foxnews.com to an IP address like 23.36.10.215 that the Internet can route.

This week Google announced that its DNS service (the one at 8.8.8.8) can now handle DNS over TLS (meaning that your queries are encrypted), blinding the NSA and also making it more difficult for your ISP to sell your data.

Since DNS is used so much, there was a lot of work done to make sure that DNS over TLS was fast, including using TCP Fast Open, pipelining and supporting out-of-order responses.

You can use DNS over TLS in one of two ways and the distinction is important.  The first is opportunistic, meaning it will encrypt your data if it can.  The other is called strict, which means that if the receiving server won’t accept encryption, the transmission will fail.

Google made support for it available to Android 9 (Pie) users yesterday.  Android 9 users will have to make some settings changes to use it.  Users of older phones will have to upgrade.

Cloudflare also supports DNS over TLS and also DNS over HTTPS, an older variant of it, but until the phones support it, it doesn’t matter which services support it.

Apparently iPhone users can do this too, but Apple does not support it natively; you have to do some significant shenanigans to get it to work.

Information for this post came from the Hacker News.
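The opportunistic-versus-strict distinction above is the one that decides whether an encrypted resolver actually protects you, because an opportunistic client that cannot reach the TLS port quietly goes back to plaintext. The following is an added example, not code from the post or from Google: it builds a DNS query in wire format, wraps it in the two-byte length framing that DNS over TLS inherits from DNS over TCP, parses the answer, and shows a resolver with both policies running against constructed stand-in transports, so it runs offline. The hostname `dns.google` used for certificate validation of 8.8.8.8 is Google's published name for its DoT service and is not mentioned in the post; the `real_dot_transport` function needs network access and is included only so the same code can be pointed at the live service.

```python
import random
import socket
import ssl
import struct

DOT_PORT = 853                    # DNS over TLS port (RFC 7858)
GOOGLE_RESOLVER = "8.8.8.8"       # the resolver named in the post
GOOGLE_TLS_NAME = "dns.google"    # Google's published DoT hostname (not from the post)


def build_query(name, qtype=1):
    """Encode a DNS query for `name` in RFC 1035 wire format (qtype 1 = A record)."""
    txid = random.randint(0, 0xFFFF)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # 0x0100: recursion desired
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def frame_for_tls(msg):
    """DoT reuses DNS-over-TCP framing: a 2-byte big-endian length precedes each message."""
    return struct.pack("!H", len(msg)) + msg


def _skip_name(data, off):
    """Advance past a (possibly compressed) domain name that starts at `off`."""
    while True:
        length = data[off]
        if length & 0xC0 == 0xC0:     # compression pointer: 2 bytes, ends the name
            return off + 2
        if length == 0:
            return off + 1
        off += 1 + length


def parse_a_records(resp):
    """Return the IPv4 addresses found in the answer section of a DNS response."""
    _, _, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", resp[:12])
    off = 12
    for _ in range(qdcount):
        off = _skip_name(resp, off) + 4            # skip QTYPE and QCLASS
    addrs = []
    for _ in range(ancount):
        off = _skip_name(resp, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(resp[off:off + 4]))
        off += rdlen
    return addrs


def resolve(name, mode, tls_transport, plain_transport):
    """Resolve `name` under a DoT policy. 'strict' fails closed when the encrypted
    channel is unavailable; 'opportunistic' downgrades to plaintext. Returns (channel, addrs)."""
    if mode not in ("strict", "opportunistic"):
        raise ValueError("mode must be 'strict' or 'opportunistic'")
    query = build_query(name)
    try:
        resp = tls_transport(frame_for_tls(query))[2:]    # strip the length prefix
        channel = "tls"
    except OSError:
        if mode == "strict":
            raise                                          # no silent downgrade
        resp = plain_transport(query)                      # UDP-style, unframed
        channel = "plaintext"
    if resp[:2] != query[:2]:
        raise ValueError("transaction id mismatch")
    return channel, parse_a_records(resp)


def fails_closed(name, tls_transport):
    """True if strict mode refuses to answer rather than fall back to plaintext."""
    try:
        resolve(name, "strict", tls_transport, simulated_plain_transport)
        return False
    except OSError:
        return True


# --- constructed stand-ins so the example runs offline ---------------------------
def simulated_dot_transport(framed):
    """Pretend DoT server: checks the framing and answers with the address quoted
    in the post (a constructed reply, not a live lookup)."""
    (length,) = struct.unpack("!H", framed[:2])
    msg = framed[2:]
    if length != len(msg):
        raise ValueError("bad DoT length prefix")
    question = msg[12:]
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + socket.inet_aton("23.36.10.215")
    resp = msg[:2] + struct.pack("!HHHHH", 0x8180, 1, 1, 0, 0) + question + answer
    return frame_for_tls(resp)


def simulated_plain_transport(msg):
    """Same constructed answer over an imaginary unencrypted UDP channel."""
    return simulated_dot_transport(frame_for_tls(msg))[2:]


def unreachable_dot_transport(_framed):
    """Models a network where TCP 853 is blocked, so no TLS session can be set up."""
    raise OSError("constructed failure: TCP 853 unreachable")


def real_dot_transport(framed, server=GOOGLE_RESOLVER, server_name=GOOGLE_TLS_NAME):
    """Live DoT exchange with a real resolver (needs network; not used by the offline demo)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((server, DOT_PORT), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=server_name) as tls:
            tls.sendall(framed)
            buf = b""
            while len(buf) < 2 or len(buf) < 2 + struct.unpack("!H", buf[:2])[0]:
                chunk = tls.recv(4096)
                if not chunk:
                    raise OSError("connection closed mid-response")
                buf += chunk
            return buf


if __name__ == "__main__":
    print(resolve("www.foxnews.com", "strict", simulated_dot_transport, simulated_plain_transport))
    print(resolve("www.foxnews.com", "opportunistic", unreachable_dot_transport, simulated_plain_transport))
    print("strict fails closed:", fails_closed("www.foxnews.com", unreachable_dot_transport))
```

The second call is the case to notice: with the TLS port unreachable, opportunistic mode still returns an answer, but over plaintext, so anyone who can interfere with port 853 can push a device back to the unencrypted path without the user seeing anything. Strict mode is the setting that gives the privacy the post describes, at the price of DNS failing outright on networks that block DoT.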


Chrysler Lawsuit Goes to Trial

Many of you probably remember the very dramatic 60 Minutes segment from a few years ago where they put a reporter inside a Jeep and then disabled the brakes and watched the car go slowly into a ditch.  All while the reporter videoed it (see this CBS web page).

Not surprisingly, Chrysler quickly fixed the bug after the PR disaster that the 60 Minutes video was.

According to a class action lawsuit, Chrysler knew about the bug but decided not to fix it until the 60 Minutes segment.

The researchers took over the car via its radio (OK, it is a little more complicated than that;  through the “infotainment” system).  It is all interconnected and there is very little security in it.

Over the last three years this case has been working its way – slowly – through the courts.  The plaintiffs said Chrysler knew about the bug for years but didn’t fix it, and Chrysler said that since you didn’t roll into a ditch you weren’t directly impacted, so you can’t sue.

A year later the researchers figured out how to break through the patch, although that required physical access to the car.

And in 2018 Chrysler had to recall almost 5 million cars due to a bug that could lock the car in cruise control mode.  The fix for that is to put the car in neutral, slow the car with the brakes, then put it in park.  That will unlock the cruise control.

You should stop thinking of that big metal box you drive as a car with a computer in it and rather think of it as a hundred or more computers, more or less connected, that happens to have wheels and an engine.

At this point the U.S. Supreme Court said that the car owners do have standing.  This is a huge win for attorneys who want to sue over cyber-security issues.

Chrysler says that they are looking forward to the trial (sure they are.  If they were so confident, why have they been fighting to avoid going to trial for the last three years?).  They say that none of the class participants’ cars were hacked and the bugs have now, finally, been fixed.  The plaintiffs say that the resale value of their cars has been damaged.

The trial is currently scheduled to start in October and the testimony, assuming they don’t settle out of court, could be very embarrassing as to who knew what when.

For businesses, this is yet another step in holding companies liable for software bugs.  Potentially, in this case, bugs that they knew about but did not fix.

Does your insurance cover this?  Is it product liability insurance or cyber insurance?  It is probably not general liability insurance.  Maybe none of them.

This trial and the endless appeals are far from over, but the news so far is certainly not good for companies that don’t give cyber-risk the attention it is due.

Plaintiff’s attorneys no doubt are excited that they will get to the trial stage, but there is a long way between going to trial and winning on appeal, so don’t get too happy yet.

This will definitely be a case to watch and, for businesses, time to ramp up the attention on cyber-security.

Details from this post came from The Register.


The Security Implications of the Federal Shutdown

O P I N I O N

The President says that the shutdown is about security and I think he is right, but not in the way he is thinking.

We have to take this agency by agency, but just look at the numbers.  The EPA, probably no one’s favorite agency for different reasons, says it is furloughing 13,000 out of its 14,000 employees.  Is it likely that some of those employees serve cybersecurity (or even physical security) functions?  Maybe the 1,000 people are all of the folks managing cybersecurity, but I doubt it.

TSA screeners are considered essential, so they are supposed to work even though they are not being paid.  Some number of them (TSA isn’t saying how many) have been calling in sick.  Given the horrible stats regarding TSA agents detecting contraband and the fact that TSA turnover is 80% or more a year in some cities, there is no way that this is not negatively impacting your security.  It is affecting my security less because I haven’t had to fly lately, but if I did, it would affect my security too.

Even if the TSA attrition rate is not climbing during the shutdown, they are not hiring anyone right now.  That alone puts security at a disadvantage.  The TSA has 50,000 agents.  If you assume they have to replace only 25,000 every year, if the shutdown lasts a month and the stats don’t go up, they will have to replace about 2,000 people.  How easy will that be given that the government is/was shut down?  The TSA says that standards won’t suffer, but you can do your own math.

Many so called government employees are actually contractors.  It is possible that some companies are choosing to pay their employees to work at federal jobs even though they are not and likely will not be paid (historically, federal employees got back pay after they returned to work but contractors did not), but some companies do not have the resources to do that.  Combine that with the government issuing what they call “stop work” orders to contractors and you have to believe that there is an impact.  One stat I read tonight said that 40% of the federal labor force is contractors.  Assuming that is close to true, surely some of those people are not working as a result of the shutdown and probably some of them perform security functions.

Other parts of Homeland Security include 187 departments and several hundred thousand employees.  At least some of them have been furloughed; others are working without pay, while others are looking for other jobs.

Who are the most likely to find other jobs?   Certainly it is not those with the least skills.  When it comes to cybersecurity, it is the ones with the most skills and likely, if they leave, they will get a pay raise.  And, they won’t come back.

So while the government will never admit how much the shutdown affected security, the longer it goes on, the greater the effect is.

Just my two cents.


Privacy, Security and Cyber Risk Mitigation in the Digital Age
