Security News Bites for the Week Ending February 15, 2019

Anybody Know What 5G Cellular Means?

5G is the next generation of cellular, promising blindingly fast service and web page loads in the blink of an eye.

Unfortunately, it doesn’t really exist yet.  Yes, a few carriers have set up a few cell sites in a few cities, but there are basically NO phones that are 5G capable at this time.  Apple should launch one in 2020.

5G will also require a LOT more cell sites that don’t exist and that most people don’t want in their backyard.

What this means in reality is that 5G won’t be a factor for years and in many places – low density areas – it may never come due to the expense.  And definitely not until you buy a new phone.

But that hasn’t stopped AT&T from adding a 5G “e” to some of their phones.  AT&T is doing preemptive marketing hoping that people won’t understand that they are not getting 5G service and not getting a 5G capable phone.  But, by that time, they will be locked in.

AT&T says the “E” means evolution, whatever that means.  Other people say the “E” means eventually – just not with that phone or that cell site.

Here’s what Verizon said about it:

5Ge. It’s pretend, it’s fake, it’s the kind of BS that gives marketers, communicators, businesses and the wireless industry a black eye. So let’s have some fun. Some people call it “Faux Five G”. There’s “5G Eventually”. What’s your name for @ATT false marketing?

So Sprint is suing AT&T.  AT&T says that people won’t be confused.  Sprint did a survey in which 17% of the people said that they already had this non-existent 5G service.  Stay tuned.  Source: PC Mag.


Discarded Smart Lightbulbs May Be a Security Hole

Smart lightbulbs are smart because they are network connected and since most people are not going to plug a network cable into that bulb, they talk over WiFi.

Researchers took a LIFX smart bulb apart and took the circuit board out of it.  When they analyzed the board they found the WiFi password – not encrypted.

Next, all of the security settings for the processor were disabled.

Finally, the company’s RSA private encryption key and root certificate are also accessible.

Given that this takes a bit of work to reverse engineer, a hacker is not likely to bother just for a WiFi password, but getting the company’s private encryption key, which would allow them to sign malicious code and download it wherever they want, would be worthwhile.

Maybe they should call it a dumb lightbulb.  Source: Limited Results web site.


If You Live in the UK, be Careful Where You Click

The UK signed into law (what they call Royal Assent) the Counter Terrorism and Border Security law this week.  This law makes it a crime to VIEW information “likely to be useful to a person committing or preparing an act of terrorism”.

One click.  Penalty is up to 15 years in prison.

Seems like a bit of over-reaction to me.  The UK’s special rapporteur on privacy said the law was “pushing a bit too much towards the thought crime”.  1984, we are here.  Source: The UK Register.


FTC in Negotiations with Facebook over Multi-Billion Dollar Fine

Sources have confirmed that the FTC and Facebook are negotiating over a multi-billion dollar fine over Facebook’s privacy practices.  The details have not been released and it could ultimately wind up in court if the two sides cannot agree.  If it does, get your popcorn out because it could be a humdinger.  The FTC’s investigation has been going on for about a year.  Source: Washington Post.


Gov Testing Smartphones as a Replacement for CAC Access Cards

The DoD is testing whether your smartphone can identify you as well as their current Common Access Card to get into DoD buildings and computer systems.

Your smartphone knows how you walk, how you talk, how you type.  You get the idea, but there is more.

With software on the phone, they are going to know exactly where you are at every moment of the day, where you spend your free time (maybe you have someone on the side), what web sites you visit, what bars you visit and how long you stay there.

It may work, but it may be a little bit too 1984 for me.

Using constant monitoring of the user’s behavior—including how they walk, carry the device, type and navigate on it and even how they commute to work and spend their free time—the system will automatically and continuously verify the user’s identity, enabling them to seamlessly work on secure networks without having to plug in a card each time. Source: Nextgov.



The Times They Are A Changing, Part 2

Last week I wrote about 4 different cases where courts are moving in the direction of making it easier for plaintiffs to sue companies in case of a breach.

Now we have another situation.  In the past, judges have approved settlements that only made the lawyers rich.  The plaintiffs sometimes got, literally, nothing.  That is beginning to change.

Judge Lucy Koh (she has some impressive credentials – undergraduate and law degree from Harvard, first ever female Korean American Article III judge in the US, oversaw the Apple-Samsung case and the Apple and Google lawsuits) decided that she did not like the proposed Yahoo settlement.

The settlement called for $50 million split among 200 million people (or about 25 cents a person), zero for the remaining 800 million people plus two years of credit monitoring.  Remember this breach started in 2013, so two years of credit monitoring starting some time in 2019 …..

She also said that the $35 million in legal fees (taking the payout to the 200 million people down to $15 million or seven and a half cents a person) may be unreasonably high because the legal theories in the case were not particularly novel (SLAP! Meaning that the lawyers didn’t really have to work that hard).

That could, possibly, mean that judges are becoming educated and are hearing that people are trying not to spend their seven cent payout all in one place, meaning bigger settlements are going to be required in order to get judicial approval.

Meanwhile for Yahoo, it is back to the drawing board.

For businesses, that probably means that it would be a good idea to increase your cyber-risk insurance.

Details for this post came from Reuters.




Are You Trusting Your Web App to Backup Your Data?

Many of us use Internet services – Dropbox for file sharing, Google for collaboration, Mint for finances and many others.  Some of us – individuals and businesses – have data spread far and wide over the web.  So wide that in many cases we really don’t know where our data lives or how it is protected.

This week many people learned the hard way that that doesn’t always turn out the way you want it to.

Email provider VFEmail announced that they had a catastrophic event that wiped out all of their users’ emails and all of their backups.  The first signs of the attack came on February 11th.

The founder of VFEmail says that 18 years of customer data are likely gone and will never be recovered.

Some emails that were stored on a backup in the Netherlands may be recoverable, but how many and when – that is unknown.  Most of the users’ info was stored in the U.S. and that, they say, is all history.

VFEmail had multiple servers in multiple data centers with multiple authentication methods and they were all wiped by an attacker.

At this time they have not provided any reason for the attack, but clearly the attacker wanted to do some real damage.

But this is a word of warning to any person or business who assumes that their service provider is going to protect them.

Number 1 – Read your contract.  Does it say that your provider provides any guarantee regarding your data?  It would be very unusual if any of your providers offer any guarantees at all.

Number 2 – Find out what measures each of your providers takes to protect your data.

Number 3 – How much trouble would you be in if you lost ALL of your data from one or more of these providers?  For example, all of your email.  Forever.  Or all of your pictures.  Or all of your finances.

Number 4 – For those services for which your data is important – for which losing some or all of the data would be a “problem” – create an alternate backup.  Or two.

The bottom line is that ultimately, you or your company are responsible for your data.  Unless you have a written agreement with your provider that says that they are legally liable, which is almost unheard of.  Even then, that is only as good as the damages available.  Many times in contracts your claim is limited to the amount of money you paid.  Pay $100 a month for a year and the most you can collect is $1,200.  Does that cover the loss of your data?

You, and only you, need to figure out what is required to protect your data. 

Our recommendation is at least one set of offline, disconnected backups.  After all, it is hard to hack a backup that is powered down and stored in a safe or a vault.

Also remember, backups are not like fine wine – they don’t age well.  Backup early, backup often.
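As an added example (not code from this post or from Brian Krebs), the script below turns the two pieces of advice above into something you can run: it records a manifest of file sizes and SHA-256 hashes when a backup is taken, verifies an offline copy against that manifest the way a restore drill would, and flags a backup that is older than you allow, since an intact but stale backup is a finding in itself. The sample mailbox and notes files, and the temporary directories, are constructed here purely to run the demonstration.

```python
import hashlib
import json
import shutil
import tempfile
import time
from pathlib import Path
from typing import Dict, List, Optional


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path, created: Optional[int] = None) -> Dict:
    """Record size and SHA-256 of every file under root, plus when the snapshot was taken."""
    files = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            rel = p.relative_to(root).as_posix()
            files[rel] = {"size": p.stat().st_size, "sha256": sha256_file(p)}
    return {"created": int(time.time()) if created is None else created, "files": files}


def verify_backup(backup_root: Path, manifest: Dict) -> List[str]:
    """Compare a backup copy against the manifest; an empty list means the copy is intact."""
    problems = []
    for rel, meta in manifest["files"].items():
        p = backup_root / rel
        if not p.is_file():
            problems.append(f"missing: {rel}")
        elif p.stat().st_size != meta["size"]:
            problems.append(f"size mismatch: {rel}")
        elif sha256_file(p) != meta["sha256"]:
            problems.append(f"hash mismatch: {rel}")
    return problems


def is_stale(manifest: Dict, max_age_seconds: int, now: Optional[int] = None) -> bool:
    """True when the backup is older than the allowed age, regardless of whether it is intact."""
    now = int(time.time()) if now is None else now
    return now - manifest["created"] > max_age_seconds


def demo() -> Dict[str, List[str]]:
    """Snapshot constructed sample data, copy it, verify, then damage the copy and verify again."""
    work = Path(tempfile.mkdtemp(prefix="backup-demo-"))
    try:
        live, copy = work / "live", work / "offline-copy"
        (live / "mail").mkdir(parents=True)
        # Constructed sample content, not real mail.
        (live / "mail" / "inbox.mbox").write_text(
            "From: alice@example.com\nSubject: constructed sample\n\nhello\n")
        (live / "notes.txt").write_text("constructed sample data\n")

        manifest = build_manifest(live)
        shutil.copytree(live, copy)
        (work / "manifest.json").write_text(json.dumps(manifest, indent=2))

        # Verify from the on-disk manifest, as a restore drill would.
        stored = json.loads((work / "manifest.json").read_text())
        clean = verify_backup(copy, stored)

        # Simulate silent corruption (same length, different bytes) and a deleted file.
        (copy / "notes.txt").write_text("Constructed sample data\n")
        (copy / "mail" / "inbox.mbox").unlink()
        damaged = verify_backup(copy, stored)
        return {"clean": clean, "damaged": damaged}
    finally:
        shutil.rmtree(work, ignore_errors=True)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Keep the manifest somewhere other than the backup media it describes; an attacker who can wipe or alter the backup should not be able to rewrite the record you check it against.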

Information for this post came from Brian Krebs.



Are You Prepared to Handle the Digital Assets of Your Loved Ones After They Are Gone?

No one has made it out of this life alive.  That I am aware of.

Sometimes, while it is not comfortable, we know when a loved one is about to pass and sometimes we are able to prepare for it.

In other cases, you don’t know  it is going to happen and are completely unprepared.

In my case, I have some personal experience with this.  My brother was hit and killed by a car driven by a mass murderer fleeing from the police and I had to deal with this lack of preparation in spades.  My brother was a young guy (62) and he had not prepared for his untimely demise.

Assuming that you have to deal with this horrible situation of closing out the digital life of a loved one, here is some information.


Collect all of the credit cards that you can find.  Depending on how close the loved one is, you may or may not know what cards exist.  You may have to check the mail for a month or three to see if there are credit card statements.  If there is no balance on the account you may not hear from the credit card company until the card is about to expire.  Once you have the cards, call the bank and cancel them.  You will have to prove who you are, most likely, provide a death certificate and evidence that you are the administrator of the deceased’s estate.  At that point you will be able to find out about balances and close the accounts.


Mail can be a challenge. If you lose access to the mail, you will lose a lot of information.  Did the deceased have a post office box, either at the US Post Office or a private box service?  The Post Office will NOT send you a bill.  They will just cancel the box for non-payment.  Make sure that you keep paying that bill and checking that box.  If the deceased lived in another city you may need to forward the mail.  The Post Office will only do that for a limited time.  If the deceased had a spouse and someone is going to continue at the address, that makes things easier, but if not, you only have, at most, a year and that is not as long a period of time as you might think.


Technically, this may be against the law, but if the deceased had online accounts and you know or guess the password or can successfully do a password reset (if you have access to the deceased’s phone and email), then you can impersonate that person.  More than likely most online providers won’t know or care that the person passed away.  BUT, beware, if they do find out they may lock the account with no advance warning.  Get in quickly, get what you need and get out.


Paypal, like most online providers, has a process.  If you can log on then you can withdraw whatever funds are there, payable to the estate.  If you can’t log in, you will have to provide them with documentation – a will, letters testamentary or something similar, etc.  Consider that a significant pain, especially if the estate did not need to be probated otherwise.


Facebook has a process where someone can designate a legacy contact in which case you can tell Facebook how to handle the account, but they will not give you the ability to log on. You can only freeze the account or delete it.  I assume you will have to prove the person has passed away.  If there is no legacy designation then you will have to provide paperwork.


Instagram has a process similar to Facebook.


Twitter has a privacy form to report a death.  You have to provide the appropriate paperwork and then you can get the account deleted.


Like the above, they have a form and a process in order to make sure that you are doing things legally, but you can get data or close the account.


Microsoft says that the deceased’s account will be deleted after a year of inactivity.  Of course, that doesn’t give you access to any data.

The best way to handle this is to record your passwords and store them securely.  Some password manager software has an “on death” feature that allows you to gain access to the person’s password vault upon proving the person is deceased and you have been designated as the guardian of the passwords.

Check out the source article below for a few web site links.


I assume that companies will eventually contact you about past due bills if they plan to get paid, but I have seen some circumstances where they want to add late fees and legal fees for past due accounts.  To the degree that you can, figure out what bills might be due and reach out to the companies involved.


Delaware has passed comprehensive legislation forcing online providers to do the right thing.  In some cases, Delaware residents were denied access to spouse’s email due to privacy policies – that will no longer cut it in Delaware.  Check your state for specific laws.

Bottom line, plan if you can, but that is not always possible.  If not, it can be done, but it will definitely take some work.

Planning definitely makes things easier.

Information for this post came from Entrepreneur magazine.



Security News Bites for the Week Ending February 8, 2019

Text Messaging for Two Factor Authentication is Under Attack

We have talked on occasion about a basically theoretical attack against text messages as the second factor for authentication.  It is likely that the feds know more than they are telling us about that since the National Institute of Standards and Technology has deprecated the use of text messaging for two factor for new systems.

Now we are seeing a large, in the wild, attack against real two factor authentication, specifically in banking.

Britain’s National Cyber Security Centre (NCSC), part of their GCHQ spy-guys, admitted that they are aware that this is being exploited.   As are the telephone carriers.

The attack vector still requires a very sophisticated hacker because it requires the attacker to compromise some phone company and inject fake SS7 commands into the system for the targeted phone number.  Hard, but far from impossible.

Still, in light of this being a real-world-empty-your-bank-account kind of attack, financial institutions should begin the transition away from text messaging to two factor apps (like Google Authenticator and others) to protect client accounts sooner rather than later.  Source: Motherboard.


Unnamed Energy Company (Duke) Fined $10 Million for Security Lapses

An unnamed energy company received the largest fine of its type ever at $10 million for security lapses,  including letting unauthorized people into secure areas and allowing uncleared computers to connect to secure networks, sometimes for months at a time.

The fine covers 130 violations.

The reason the company is unnamed is that it is likely the list of identified vulnerabilities is not complete and the identified holes are not all closed.

The WSJ reports that the company is Duke Energy.  So much for keeping their name out of the media.

This certainly could explain why many people say that the bad guys already “own” our energy utilities.  Source: Biz Journals.


Another Cryptocurrency Debacle

I keep saying that attacks on Cryptocurrency will not be on the math (encryption) but rather on the systems and software.

This week QuadrigaCX filed for the Canadian version of bankruptcy protection saying that they stored the vast majority of their assets in offline storage wallets and the only person who had the key was their CEO, who died suddenly.

They claim to have lost access to $145 million in a variety of cryptocurrencies and do not have the money to repay their customers.

Some users and researchers are skeptical of this story (really, no backup for over $140 million?).  Seems hard to swallow.

The researchers, after looking at the blockchain, say that they can find no evidence that QuadrigaCX has anything close to $100 million in Bitcoin and suggest that perhaps the founder’s death was faked as an exit scam.

Assuming this all plays out the way it seems, customers are going to be waving bye-bye to $145 million of their cold, hard crypto coins.  Source: The Hacker News.


Apple to Release iOS 12.1.4 to Fix Facetime Bug This Week

In what has got to be the worst iPhone bug in a long time – one that allowed hackers to eavesdrop on iPhone users by exploiting a Facetime bug until Apple deactivated group calls on Facetime worldwide – Apple seems to be slow to respond.  Uncharacteristically.  Very.  Slow.

My guess is that the problem was technically hard to fix even though it was technically easy to exploit.  In any case, iOS 12.1.4 should be out this week and it is supposed to fix the security hole.  Source: ZDNet.


Online Casino Leaves Data on 100+ Million Bets Unprotected

Security Researcher Justin Paine found a public Elastic Search database unprotected online.

Contents include information such as name, address, birthdate, email, phone, etc., as well as bet information such as winnings amount.  When ZDNet reached out to the companies involved (there seem to be multiple companies with some common ownership, based in Cyprus and operating under a Curacao gaming license), they did not immediately reply, but the server went dark.

The company, Mountberg Limited, did reach out later thanking Justin for letting them know, but did not make any statement about their clients’ data.  Source: ZDNet.


Germany Tells Facebook Not to Combine User Data Without Explicit Permission

The Europeans are not happy with U.S. big tech.

In a ruling NOT related to GDPR, Germany’s Federal Cartel Office (FCO) says that Facebook cannot combine Instagram, WhatsApp and third party data into the user’s Facebook profile without explicit user permission, and having the user check a box that says something like “we are going to do some stuff; you should read our 19 page description” is not adequate.

The regulator says that by doing this Facebook is abusing its monopoly power.  Facebook, not surprisingly, disagrees and says that the regulator is out of line.  Stay tuned.  If this rule stands, it could have a big impact on all companies that aggregate data from third parties without fully telling their clients.  Source: BBC.


Is Internet Providers’ “Zero Rating” Really a Revenue Enhancer?

The fight in the U.S. over net neutrality is far from over with each side claiming they are right.

In the meantime, the E.U. has required net neutrality since 2016 but has allowed individual countries to figure out how to implement it.  Some have implemented it by not doing anything, which gives us an opportunity to compare the effects.

In the U.S., opponents of zero-rating (the opposite of net neutrality: a carrier exempts particular content from data usage fees – typically its own, or that of a third party that paid the carrier a lot of money) say that it is just a way for carriers to steer people to a service that makes the carrier more money, but, apparently, it is worse than that.

A non-profit studied wireless data prices in 30 European countries and found that wireless data plans were significantly more expensive in countries that didn’t implement net neutrality and allowed zero-rating.

According to the study, those countries that implemented net neutrality and did not allow zero-rating saw a double digit price decline in wireless data prices over a one year period, while countries that did the opposite saw a price increase.

Again, according to the study, carriers that allowed zero-rating jacked up prices to make their content (the zero-rated content) seem cheaper by comparison.

In the U.S. the fight over net neutrality is in the courts at this point, so we probably won’t know the outcome for years.

What does seem to be the case is that U.S. consumers already pay way more for wireless data than do their European counterparts and that is not likely to improve anytime soon.  Source: Motherboard.


