Security News Bites for the Week Ending August 31, 2018

Spyware Company Leaves Terabytes of Data Unprotected

Spyfone, a software company that allows parents to spy on their kids, spouses to spy on each other and employers to spy on employees, allowed the world to spy on everyone.

The data left exposed on Amazon included photos, text messages, contacts, location information, Facebook messages and other information.

In addition to leaving all of their customers’ data exposed, their own backend servers were also left unprotected.

I guess you might call it Karma for spying on people.  Source: Motherboard.

California Tech Execs Pushing Feds to Reverse Cali Privacy Law

Between GDPR, CCPA and other new privacy laws, the tech industry is concerned that their business model is at risk.

As a result, Google, Microsoft, IBM, Facebook and others are aggressively lobbying the Trump administration and Congress to pass a weak federal privacy law that would usurp California’s law and make it easier for those companies to continue their business model as is.

Whatever happens in DC (don’t count on anything happening, but you never know), that won’t affect the changes in Europe and the many other countries that are passing laws similar to the EU’s to allow those countries to do business with the EU.  Those laws will impact US businesses if they have customers in those countries.  While they could create one policy for the US and another for the rest of the world, that would be complicated.

Historically, DC has tried to pass a national privacy law, but those past attempts have been much weaker than existing state laws, which has made it difficult to get enough votes to pass it.  A tough law will be heavily lobbied against.  This is why, unlike most other countries in the world, we have no national privacy law.  Source: NY Times.

Senator Wyden Confirms Stingrays Interfere with 911 Calls

Harris Communications, maker of the Stingray, has confirmed that the feature which is designed to stop the Stingray from interfering with 911 calls was never tested and never confirmed to work.


As if that wasn’t a big enough problem, hobbyists can build a DIY Stingray for less than $1,000 in parts.

And, foreign spies are already using them in Washington, DC.

WHAT.  COULD.  GO.  WRONG??  Source: Tech Crunch

Apple Forces Facebook VPN App Out of App Store

Facebook recently bought a company named Onavo that makes a VPN app.  The claim is that it makes your browsing experience more secure.

Only problem is that they had an ulterior motive.  Facebook was collecting data on every web page that you visited, every app that you used, every bit of data that you transferred.  While the bad guys couldn’t eavesdrop, Facebook could.  And did.

Well, apparently Apple had enough of the duplicity and told Facebook to either voluntarily withdraw the app or they would do it for Facebook.  The app is now gone for iPhone users.  It is still available to Android users.  Source: The Hacker News.

Going Dark – Maybe It Isn’t the Biggest Problem


Law enforcement in general and the FBI in particular have been talking about the “going dark” problem caused by encryption on phones.  Except, maybe, that isn’t the biggest problem that law enforcement is facing.

The Center for Strategic and International Studies just released a study based on interviews with law enforcement from across the country.  What did they discover?

  • A quarter of the people cited a lack of guidance from tech companies and difficulty convincing them to turn over data.
  • Law enforcement officers said that they received barely any training in digital evidence.  Local police received an average of 10 hours of training a year (about one day).  State police received 13 hours and federal law enforcement received 16 hours a year.  Only 16 percent of the cops said that they received training more than once a year.  It seems to be a tad of a problem.  If you ask people to deal with digital evidence and then you don’t train them, do you really think they will be able to do their job?
  • 19 percent said that not being able to access data on a device was their biggest issue.  That is only 1 out of 5 law enforcement professionals who think that is the biggest problem.
  • 30 percent said their biggest issue was not knowing which company had the data that they needed for their investigation.  Much of that data is not encrypted or the service providers have the encryption keys.
  • The National Domestic Communications Assistance Center (NDCAC) is charged with assisting state and local law enforcement.  They have a whopping $11 million budget.  To cover the entire nation.  For a whole year.

We saw that with the San Bernardino killer iPhone situation.  The FBI went all crazy on Apple, but Apple said that the FBI never reached out to them for help until they had made enough mistakes that Apple couldn’t help them.  Apple said that if the FBI had contacted them sooner and had not shut down the WiFi in the killers’ apartment, they would have been able to retrieve the data.

That doesn’t mean that encryption doesn’t present problems, but if you only give cops 10-16 hours of training a year and only give the one organization that is supposed to help them a budget of $11 million you can’t really expect very good outcomes.  And you don’t get them.

Try the simple stuff first.  After that’s handled we can talk about inserting backdoors.  IF we even need to.

Source: Politico and Schneier on Security.

Voice Hacking is on the Rise

Hacking is a moving target.  And continues to move.

As banks consider using biometric authentication in the place of passwords, hackers are thinking about that too.

Researchers at Black Hat demonstrated that they could synthesize your voice well enough to fool personal digital assistants.

Already there are products on the market from Adobe, Baidu, Lyrebird, Cereproc and others that can do voice spoofing to one degree or another.

Consider this – you have a voice activated system that is trained to recognize your voice – or a person that knows you and would recognize you.  But it is not you.  It is a piece of software that is pretending to be you.

Over the next few years expect the price of this software to go down dramatically.

A hacker could, for example, embed your voice (or something that pretends to be your voice) in a video or audio clip that he or she tricks someone into playing to compromise something.  Just one possible scenario.

Think of this as a complement to the deep fake videos we are already seeing where software puts the head of a, say, political candidate onto the body of a porn star.  That is pretty easy today.

Deep fake audio is next.

So what should security professionals, developers, business executives and end users consider?

If something, like biometric authentication, seems too good (or too secure) to be true, it likely is too good. 

Consider the risks.

Use it as only one part of the authentication process.

For high risk processes, use two or even three factors.

Sorry.  When security meets convenience, convenience usually means poor security.

Just sayin’!

Information for this post came from Entrepreneur.


Stealing Your Phone NUMBER is Profitable

Hackers have figured out that stealing people’s phone numbers is easier and more profitable than stealing their phone (in part because they don’t have to be anywhere near you or your phone in order to steal the number).

Recently I wrote about a bitcoin investor (AKA speculator) who is suing AT&T for $240 million because they let someone steal his cell phone number.  Once the thief did that, he was able to reset the password for the investor’s bitcoin wallet and sell $23 million of his Bitcoin.

While this is a major international issue, authorities in California have arrested a 19-year-old who was stealing phone numbers to empty people’s bank accounts and other fun stuff.

This is the third reported arrest this month, which while good, won’t even make a tiny dent in the problem.

This guy is charged with stealing over $1 million in virtual currency and using it to purchase luxury items like a McLaren for $200,000.

So what can you do?

Most people discover the problem when their phone loses service.  Note that if you are connected to WiFi, that will continue to work even if your phone number is ported, but you won’t be able to make or receive calls or send or receive texts.  Anything that works with data like WhatsApp or Signal or web browsing will continue to work after your number is stolen.  If that happens, contact your carrier immediately.

Assuming your carrier allows for this, set up a password on your account.  The password should be required if a hacker tries to steal your number.  In the case of the guy that is suing AT&T, they didn’t ask the hacker for it – that dramatically weakens the phone company’s defense.

In the AT&T case, they are saying that they are not required to follow their own procedures.  I suspect that a jury is not likely to agree with that theory when a customer is damaged as a result.

If you have a high risk account like a bank account, brokerage account or Bitcoin account, you need to protect that account with two factor authentication and DO NOT use text messages as the second factor because if someone steals your phone NUMBER they will be getting those text messages, not you.  Use one of the many authenticator apps like Google Authenticator or Microsoft Authenticator.  In that case, someone would need to steal the physical phone and hack the screen lock to empty your bank account.  That would be much harder.

If you can get a high risk provider to disable the easy-for-hackers-to-use password reset function (just click here and we will send you a text, then you can reset your password – simple for you but also simple for a hacker) – then do that too.

Many times the provider’s call center or store people are not very well trained on security, so you may have to be persistent, but remember, it is your money that you are protecting.

Information for this post came from Krebs on Security.


Security News Bites for the Week Ending Aug 24, 2018

FBI Asks Google for Information on ALL People Near Certain Crimes

Now that we know that Google tracks you even if you ask nicely for it not to, this news from BBC becomes more interesting.

The FBI issued a search warrant to Google for information on all people within a 100 acre block around a couple of crimes they were investigating in Portland.

Not only did they want location, but they also wanted full names and addresses, telephone numbers, records of session times and durations, date on which the account was created, length of service, IP address used to register the account, login IP addresses, email addresses, log files and means and source of payment.

Needless to say, all people within a 100 acre block of land is a lot of people who are not particularly suspected of any crime.

Google declined the request and after about 6 months, the FBI withdrew the warrant request.  Source: BBC.

Maybe Apple’s Security is Not Perfect

A 16-year-old Australian kid has been charged with successfully hacking into Apple’s network multiple times over the course of a year, downloading 90 gig of secure files and accessing customer data.

Because the kid is a minor and also because Apple is slightly embarrassed, the police are not saying much.  Source: The Age

Russians Target Senate Races and Conservative Think Tanks

While the President continues to say that the Russians are not targeting our political process, Microsoft has convinced our court system that they are and has seized several domains that were posing as Microsoft domains and were being run by the Russian spy agency GRU and created by the Russian hacker organization known as APT28/Fancy Bear/Strontium (everyone has to create their own name for the same group).  Microsoft claimed that the web sites could be used as a launch pad for attacks since they looked like official Microsoft web properties.  While the article doesn’t say so, I suspect that Microsoft detected actual attacks, otherwise why would they be so specific as to the targets?

The think tanks in question have been critical of Russia.

Russia, of course, is acting dumb and said “what web sites?” and “what do you mean, impacting the elections?”  No surprise there.

One of the think tanks is the Hudson Institute where Trump’s Director of National Intelligence recently said, in a speech, that the lights were “blinking red” like they were just before 9-11.  He was specifically referring, in this case, to Russian interference in the elections.

Microsoft is offering special security services to all political candidates.  Source: CNN

Another Nasty Apache Struts Vulnerability

Remember the Equifax breach?  The root cause of that was an unpatched computer running Apache Struts software.  Now there is another Apache Struts bug and this one is being called critical.   The common vulnerability risk score is 10 out of a possible 10.  Hard to get more critical than that.

Don’t use Struts?

Do you use Atlassian products?  Cisco?  Hitachi?  IBM?  Oracle?  VMware?  Well then, you might be using Struts (depends on exactly which product from those companies that you use).  Source: Risk Based Security

Why An Insider Threat Detection Program is Critical

Adams County, Wisconsin is now facing a crisis of confidence and likely some lawsuits as well.


On March 28, 2018, the county says, it uncovered “questionable activity” on county computer systems.

Three months later, in late June, their investigation was complete.

The result: 258,120 people had their data illegally accessed.

Data included protected health information and tax information.

How did this happen?  Someone installed illicit software on some workstations (key logger software) to capture userids and passwords.  The key logging software was disabled when it was discovered in March.

They say that there is no indication that the information was used for identity theft.  At this point they are not offering people credit monitoring.  Since there is no indication of a problem, they are telling people that they should, using their own time and effort, register a fraud alert at the credit bureaus.

So who perpetrated this dastardly deed?

According to search warrants filed earlier this month, they are investigating the computer of Adams County Clerk Cindy Phillippi.

Well, you say, the filing of a search warrant does not mean it is true.

Sure enough – accurate.

But apparently the county is convinced enough that the personnel director has asked the Adams County Board to hear charges against Phillippi and requested that she be removed from her elected office.

Apparently, she allegedly installed key logger software on nearly all of the county’s computers because she wanted to investigate a county department head that she believed was using his county computer to access pornography.  Clearly she was not a computer expert.

Maybe in Wisconsin the county clerk is considered a law enforcement investigator.  Unusual, but who knows?

Now the county is going to spend tens of thousands of dollars reporting the breach to those affected, state and federal regulators, Health and Human Services and others.

The worst part – the software was installed on or around January 1, 2013 – MORE THAN FIVE YEARS AGO.

Way to go Wisconsin!

So what does this mean to you and me?

First, if you are a resident or employee of Adams County Wisconsin, it means that a nosy clerk probably accessed your data.

But, since most of us do not live in Adams County, that is likely not a concern for most of us.

This is a perfect example of an insider threat.  A person, in a position of trust, used that trust to do something (all right, allegedly, but I think she basically copped to it) that will cost her her job, could land her in prison, will likely subject the county to lawsuits, will cost the county tens of thousands of dollars and cause 250,000 people some consternation.

An insider threat program should detect this kind of activity.  Unless she was using stolen credentials, it should detect that she (or someone) installed software without authorization, was connecting to computers that she (or someone) should not have, was collecting large quantities of data and was engaged in other unusual activities.
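
Two of the signals described above (software installed by an account that is not authorized to install it, and an account logging on to computers outside its normal set) can be expressed as simple rules over endpoint events. This is an added example, not code from the county or from any product; the event layout, account names, host names, package name and thresholds are all constructed assumptions.

```python
from collections import defaultdict

# Constructed sample events, not real logs.  Field layout is an assumption:
# (timestamp, account, host, action, detail)
EVENTS = [
    ("2024-03-04T08:02", "it-admin", "WS-01", "software_install", "office-suite"),
    ("2024-03-04T18:40", "clerk01", "WS-02", "logon", ""),
    ("2024-03-04T18:44", "clerk01", "WS-02", "software_install", "inputmon.exe"),
    ("2024-03-04T18:51", "clerk01", "WS-07", "logon", ""),
    ("2024-03-04T18:55", "clerk01", "WS-07", "software_install", "inputmon.exe"),
    ("2024-03-04T19:03", "clerk01", "WS-11", "logon", ""),
    ("2024-03-04T19:06", "clerk01", "WS-11", "software_install", "inputmon.exe"),
    ("2024-03-05T09:00", "hr-user", "WS-05", "logon", ""),
]

# Hypothetical policy: who may install software, and each account's usual hosts.
APPROVED_INSTALLERS = {"it-admin"}
BASELINE_HOSTS = {"it-admin": {"WS-01"}, "clerk01": {"WS-02"}, "hr-user": {"WS-05"}}
NEW_HOST_THRESHOLD = 2  # distinct non-baseline hosts before alerting


def detect(events, approved=APPROVED_INSTALLERS, baseline=BASELINE_HOSTS,
           threshold=NEW_HOST_THRESHOLD):
    """Return alerts as (rule, account, package, hosts) tuples."""
    installs = defaultdict(set)   # (account, package) -> hosts it was installed on
    new_hosts = defaultdict(set)  # account -> hosts outside its baseline
    for _ts, account, host, action, detail in events:
        if action == "software_install" and account not in approved:
            installs[(account, detail)].add(host)
        elif action == "logon" and host not in baseline.get(account, set()):
            new_hosts[account].add(host)

    alerts = []
    # One alert per account/package, listing every host, so fan-out is visible.
    for (account, package), hosts in sorted(installs.items()):
        alerts.append(("unauthorized_install", account, package, sorted(hosts)))
    for account, hosts in sorted(new_hosts.items()):
        if len(hosts) >= threshold:
            alerts.append(("unusual_host_access", account, None, sorted(hosts)))
    return alerts


if __name__ == "__main__":
    # Alerts name the account, not the person: stolen credentials look the same.
    for alert in detect(EVENTS):
        print(alert)
```
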

It is also not clear why it took over five years to detect this problem.

This small county (population 20,148) is going to have a potentially large budget issue – assuming they don’t have insurance and most do not – because of not dealing with the insider threat.

Source: Data Breach Today