5G – Mostly Hype – For Now

There has been a lot of hype surrounding the next generation of cellular technology and while 5G is definitely cool, we need to make sure that we don’t get the cart before the horse.

#1 – Everyone has to buy a new phone.  Apple watchers think that Apple should release its first 5G phone before the end of 2020.  Other phones are being touted as 5G or possibly “5G Evolution”, which is not the same thing (it is a marketing name for upgraded 4G LTE).  This means that even if 5G is available in your neighborhood, which it likely is not, it won’t do you any good until you replace your phone.

#2 – Carriers need to upgrade each and every cell tower.  This means new electronics.  Given that there are hundreds of thousands of cell towers – or more – in the United States, that is a lot of money.  Carriers will likely upgrade the network first in rich neighborhoods (because those people might buy new phones sooner) or in neighborhoods with high traffic density.  Most of us won’t see upgrades for years.  I still connect to towers that only support 3G and 2G on a regular basis.

#3 – Network capacity needs to be upgraded.  It is wonderful if you can talk to the cell tower at 1 gigabit per second, but that does no good if the connection from that cell tower to the rest of the network is only, say, 50 megabits per second; there is no magic to get you a faster speed.  And that capacity needs to extend all the way back to the Internet backbone.  In many cases that is 5 to 10 network links, every one of which has to be upgraded.  If you have two cell towers that each want to talk at 1 gigabit per second and they connect to one consolidation point, that point needs a 2 gigabit connection upstream; if two of those consolidation points connect to a higher one, that needs a 4 gigabit connection.  Everybody shares the same pipe, and the whole path only runs as fast as its slowest link.
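To make the “slowest link” point concrete, here is an added example (it is not from the original post; the tower and link names and all the rates are invented for illustration) that models a backhaul tree and computes what each tower actually gets under max-min fair sharing. It goes a step beyond the paragraph: it also shows that a tower which only needs a little bandwidth hands the rest of its share back to its neighbors.

```python
# Added example (not from the original post): max-min fair sharing on a
# hierarchical backhaul tree.  Node, link and rate names are invented;
# all rates are in megabits per second.

def effective_rates(tree, link_caps, root, demands):
    """Return the rate each leaf (cell tower) actually achieves.

    tree      : {node: [children]}  (leaves have no entry)
    link_caps : {node: capacity of the link from node up to its parent}
    demands   : {leaf: rate the tower's radio side would like to push}

    Sharing is max-min fair (water-filling): an undersized link splits its
    capacity evenly among the subtrees below it, and any subtree that cannot
    use its share releases the remainder to its siblings.
    """

    def allocate(node, budget):
        # The most this subtree can draw: what the parent passes down,
        # capped by this node's own uplink.
        avail = min(budget, link_caps.get(node, float("inf")))
        children = tree.get(node, [])
        if not children:                       # a tower: take what it needs, if allowed
            return {node: min(avail, demands.get(node, 0.0))}

        result, remaining, pending = {}, avail, list(children)
        while pending:
            share = remaining / len(pending)
            satisfied = []
            for child in pending:
                got = allocate(child, share)
                if sum(got.values()) < share - 1e-9:   # child cannot use its whole share
                    satisfied.append((child, got))
            if not satisfied:                  # everyone is limited by the shared pipe
                for child in pending:
                    result.update(allocate(child, share))
                break
            for child, got in satisfied:       # lock in the light users, free their leftover
                result.update(got)
                remaining -= sum(got.values())
                pending.remove(child)
        return result

    return allocate(root, float("inf"))


# Constructed topology: three towers behind one aggregation point that has a
# 50 Mbit/s link back to the core.  Each tower's own uplink could carry 1 Gbit/s.
TREE = {"core": ["agg"], "agg": ["towerA", "towerB", "towerC"]}
LINKS = {"agg": 50.0, "towerA": 1000.0, "towerB": 1000.0, "towerC": 1000.0}

def two_busy_towers():
    # Two towers want a full gigabit each; the 50 Mbit/s backhaul is the ceiling.
    return effective_rates(TREE, LINKS, "core", {"towerA": 1000.0, "towerB": 1000.0})

def one_quiet_tower():
    # The third tower only needs 10 Mbit/s, so the other two split the remaining 40.
    return effective_rates(TREE, LINKS, "core",
                           {"towerA": 1000.0, "towerB": 1000.0, "towerC": 10.0})

def upgraded_backhaul():
    # With the aggregation link upgraded to 2 Gbit/s the shared pipe no longer binds.
    links = dict(LINKS, agg=2000.0)
    return effective_rates(TREE, links, "core", {"towerA": 1000.0, "towerB": 1000.0})

if __name__ == "__main__":
    for fn in (two_busy_towers, one_quiet_tower, upgraded_backhaul):
        print(fn.__name__, fn())
```

The three scenarios reproduce the argument in the paragraph: a gigabit air interface behind a 50 megabit backhaul yields 25 megabits per tower, and only the backhaul upgrade changes that.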

#4 – MORE cell towers.  The nature of 5G is that the high-band (millimeter-wave) signal that delivers those speeds can only travel a short distance.  This means more towers. And more “back haul” connections.  Should we put a tower in your back yard?  This is going to be a big problem.  Carriers want to reduce costs, which means that land owners are going to be even less likely to want to put a tower in their back yard.  I have heard some stories that carriers are lobbying for laws to force land owners to put cell sites on their land for next to nothing.  That is not going to go over very well.

#5 – Oh, yeah, 5G doesn’t work inside (at least not the high-band 5G that delivers the headline speeds, because those frequencies do not penetrate walls well).  Not in your house.  Not in your car.  Not in your office.  Unless you have a 5G mini cell site inside the building, with enough bandwidth to back haul the traffic.  Some carriers are working on using lower frequencies that work better inside, but frequency (also called spectrum) is exceptionally scarce.

#6 – Now you create all these really cool 5G applications that use all that bandwidth.  What about security?  After all, today, phone app security is horrible.  If you start building all of these bandwidth-gobbling applications, will security magically improve?  Not likely.

Other than that, there are no problems with 5G.

What we are likely to see is limited deployment of 5G over the next couple of years: select sites in select cities.  What we also know is that the back haul bandwidth is going to be a problem.

Next we are going to have to get everyone to buy new phones.

And likely the 5G cell plans are going to cost more, just like smartphone plans had (and still have) a “surcharge”.

We need to develop all those cool new apps.

And finally, we need to solve the security problems.

As I said, other than that, there are no problems with 5G.



Phone Apps Collect User Data Even If You Deny Permissions

All smartphones are data collection machines; hopefully everyone understands that.  There are an amazing number of sensors on the device and many apps just ask for everything.  If the user grants that, then the app can harvest all that data and likely sell it, either individually or in the aggregate.

Researchers took a “tiny” sample of 88,000 apps from the Android app store (because that is easier to study than the Apple store) and found that 1,300+ of those apps, a bit more than one percent, had figured out how to circumvent the permission rules.

Some of these apps are mainstream apps.  For example, Shutterfly grabs the GPS coordinates out of the EXIF metadata in your pictures, assuming the photos still carry it, without ever needing the location permission.
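To show what “grabbing the GPS coordinates out of your pictures” actually involves, here is an added example (it is not the researchers’ code, nor any app’s): a minimal EXIF parser that walks a JPEG’s APP1 segment to the GPS IFD and converts the degrees/minutes/seconds rationals to decimal degrees, beside the fix an app or upload service should apply, stripping the APP1 segment before the image goes anywhere. The JPEG and its coordinates are constructed inside the block; no real photo is used.

```python
# Added example, not the researchers' or any app's code: a small EXIF parser
# that pulls GPS coordinates out of a JPEG, plus a stripper that removes the
# metadata before a photo leaves the device.  Sample JPEG and coordinates are
# constructed here; no real photo is involved.
import struct

def _rational(num, den):
    return struct.pack(">II", num, den)

def build_sample_jpeg(lat_dms, lon_dms, lat_ref=b"N", lon_ref=b"W"):
    """SOI + one APP1/EXIF segment (big-endian TIFF, IFD0 -> GPS IFD) + EOI."""
    ifd0_off = 8                              # TIFF header is 8 bytes
    gps_off = ifd0_off + 2 + 12 + 4           # IFD0 = count + 1 entry + next-IFD link
    data_off = gps_off + 2 + 4 * 12 + 4       # GPS IFD = count + 4 entries + link
    tiff = b"MM" + struct.pack(">HI", 42, ifd0_off)
    tiff += struct.pack(">H", 1)
    tiff += struct.pack(">HHII", 0x8825, 4, 1, gps_off)        # GPSInfo pointer (LONG)
    tiff += struct.pack(">I", 0)
    tiff += struct.pack(">H", 4)
    tiff += struct.pack(">HHI", 0x0001, 2, 2) + lat_ref + b"\0\0\0"  # GPSLatitudeRef, inline
    tiff += struct.pack(">HHII", 0x0002, 5, 3, data_off)            # GPSLatitude, 3 RATIONALs
    tiff += struct.pack(">HHI", 0x0003, 2, 2) + lon_ref + b"\0\0\0"  # GPSLongitudeRef
    tiff += struct.pack(">HHII", 0x0004, 5, 3, data_off + 24)       # GPSLongitude
    tiff += struct.pack(">I", 0)
    tiff += b"".join(_rational(*r) for r in lat_dms)
    tiff += b"".join(_rational(*r) for r in lon_dms)
    payload = b"Exif\0\0" + tiff
    return (b"\xFF\xD8" + b"\xFF\xE1" + struct.pack(">H", len(payload) + 2)
            + payload + b"\xFF\xD9")

# Constructed coordinates: 37 deg 46' 29.7" N, 122 deg 25' 9.8" W
SAMPLE_JPEG = build_sample_jpeg([(37, 1), (46, 1), (297, 10)],
                                [(122, 1), (25, 1), (98, 10)])

def iter_app1_segments(jpeg):
    """Yield (offset, segment_length, payload) for every APP1 segment before the scan data."""
    if jpeg[:2] != b"\xFF\xD8":
        raise ValueError("not a JPEG")
    i = 2
    while i + 4 <= len(jpeg) and jpeg[i] == 0xFF:
        marker = jpeg[i + 1]
        if marker in (0xD9, 0xDA):            # EOI or SOS: metadata segments are behind us
            break
        seglen = struct.unpack(">H", jpeg[i + 2:i + 4])[0]
        if marker == 0xE1:
            yield i, seglen, jpeg[i + 4:i + 2 + seglen]
        i += 2 + seglen

def _read_ifd(tiff, off, e):
    """Return {tag: (type, count, 4 raw value/offset bytes)} for the IFD at off."""
    count = struct.unpack(e + "H", tiff[off:off + 2])[0]
    entries = {}
    for k in range(count):
        base = off + 2 + 12 * k
        tag, typ, cnt, val = struct.unpack(e + "HHI4s", tiff[base:base + 12])
        entries[tag] = (typ, cnt, val)
    return entries

def _dms_to_degrees(tiff, entry, e):
    typ, cnt, val = entry
    if typ != 5 or cnt != 3:                  # expect three RATIONALs: deg, min, sec
        raise ValueError("unexpected GPS coordinate encoding")
    off = struct.unpack(e + "I", val)[0]
    d, m, s = (n / q if q else 0.0 for n, q in struct.iter_unpack(e + "II", tiff[off:off + 24]))
    return d + m / 60 + s / 3600

def extract_gps(jpeg):
    """Return (lat, lon) in decimal degrees, or None when no GPS IFD is present."""
    for _, _, payload in iter_app1_segments(jpeg):
        if not payload.startswith(b"Exif\0\0"):
            continue                          # e.g. an XMP APP1 segment
        tiff = payload[6:]
        e = ">" if tiff[:2] == b"MM" else "<"  # byte order declared by the TIFF header
        magic, ifd0_off = struct.unpack(e + "HI", tiff[2:8])
        if magic != 42:
            continue
        ifd0 = _read_ifd(tiff, ifd0_off, e)
        if 0x8825 not in ifd0:
            return None
        gps = _read_ifd(tiff, struct.unpack(e + "I", ifd0[0x8825][2])[0], e)
        if not all(tag in gps for tag in (0x0001, 0x0002, 0x0003, 0x0004)):
            return None
        lat = _dms_to_degrees(tiff, gps[0x0002], e)
        lon = _dms_to_degrees(tiff, gps[0x0004], e)
        if gps[0x0001][2][:1] == b"S":
            lat = -lat
        if gps[0x0003][2][:1] == b"W":
            lon = -lon
        return round(lat, 6), round(lon, 6)
    return None

def strip_exif(jpeg):
    """Return a copy of the JPEG with every APP1 segment removed (the fix for uploads)."""
    out = bytearray(jpeg)
    for off, seglen, _ in reversed(list(iter_app1_segments(jpeg))):
        del out[off:off + 2 + seglen]
    return bytes(out)

if __name__ == "__main__":
    print("embedded:", extract_gps(SAMPLE_JPEG))
    print("stripped:", extract_gps(strip_exif(SAMPLE_JPEG)))
```

The point for a developer is the last function: an app that never asks for location can still learn it from the photos the user hands it, so the metadata has to be removed at the boundary (on upload, or before sharing) rather than trusted to stay private.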

Does this mean that they are hacking the phone?  No, it means that they have figured out how to finesse the system.

Another thing that some apps do is look for data other apps leave unprotected on the phone and snarf that data up.  For example, older versions of Android do not protect individual apps’ data on external storage.  If you give an app access to external storage, it can rummage around that storage for any data other apps might have left there.

If an app can find the phone’s IMEI number (basically the phone’s serial number) that was retrieved, and written to unprotected storage, by another app that does have permission to read it, then it can tie all of your data to you even though it has no permission to retrieve that identifier itself.

With each new release of iOS and Android, the developers of those operating systems implement new controls in an effort to rein in developers who have figured out how to game the system.

Sometimes it is not the app developer who is being deceptive but rather the provider of one or more libraries (SDKs) that the developer integrated into the application.  That means the app provider could be unwittingly helping out Chinese library developers (yup, that is happening, for reals).

This is not limited to one operating system.  As they say, if the app is free, then you are the product.

As an app developer, you need to understand what each and every library does, and if you can’t be sure, you can sniff the app’s network traffic and see what is actually being sent and to whom.

Source: The Hacker News.



Welcome to the Surveillance State

Let me first say that there is nothing illegal about what follows.  You may not like it, but it is not illegal.

Using a public records request, Motherboard obtained a user manual for the Palantir surveillance system called Gotham.

The system is used by law enforcement around the country (including, for example, New York, New Orleans, Chicago and Los Angeles), but northern California has got them all beat.  It is also used by a number of private companies.

Northern Cal has created something called the Northern California Regional Intelligence Center or NCRIC.  Through NCRIC, 300 cities in California, home to almost 8 million people, had access to Palantir’s data.

So what can a city ask NCRIC for?

This includes emails, phone numbers, current and previous addresses, social security number(s), business relationships, license plates, and travel history as captured by license plate cameras. The tool also maps that person’s “possible relatives” and “possible associates,” or their friends and family.

They say that everything starts with something that’s perceived as being illegal.
Examples of data that the police can request include:
  • If they have the name of a person associated with a license plate, they can find out where that vehicle has been over any period of time via license plate reader data.
  • With a name, police can get email and phone info, current and previous addresses, bank accounts, social security numbers, business relationships, family relationships, height, weight and eye color.
  • They can find out who are the family members of the evil person along with their business associates.  Once they have those names, they can get the information above for those people too.  Those people, of course, may or may not have done anything illegal.

The feds pay for NCRIC including the 80 people who work there, through a grant.

NCRIC’s contract with Palantir expires this year and Palantir will be replaced by SAS, another big data company, but NCRIC has a license to use Gotham forever.

Again, remember, nothing about this is illegal and you might be able to do most of this yourself with some work, but in the case of Palantir, all you have to do is type a name and click a few buttons.

Welcome to 1984.

And, don’t forget, none of this is limited to law enforcement.  It is limited to only those people whose credit cards or checks clear.

Source: Motherboard (there is a lot more info in the article).


Security News for the Week Ending July 12, 2019

FBI and DHS Raid State Driver’s License Database Photos

The FBI and DHS/ICE have been obtaining millions of photos from state DMV driver’s license databases.  The FBI and DHS do not feel that they have to ask permission to do this.

The FBI conducts 4,000 facial recognition searches a month.  While the searches might be to find serious criminals, they might also be used to find petty thieves.

All that may be required to conduct the search is an email.  21 states allow these searches absent a court order.  There is no federal law allowing or prohibiting this.

ICE does searches in a dozen states where the states’ DMVs give illegal aliens licenses.  Source: ZDNet.

Chinese Authorities Leak 90 Million Records

US companies are not the only ones that have crappy security.  This week the Chinese got caught in that net.  Jiangsu province, with a population of 80 million, left 26 gigabytes of personal data, representing 56 million personal and 33 million business records, exposed in an unprotected Elasticsearch server.  The Internet is equal opportunity.  Source: Bleeping Computer.

Will the Chinese or Russians Hack the 2020 Census?

The census used to be conducted on pieces of paper, sent in both directions through the mail.  That was very difficult to hack.  Unfortunately, it is also very expensive.  Given that the results of the Census affect everything from the makeup of Congress to the receipt of Federal road construction dollars, the outcome is very important.

What better way to make people trust the government even less than they already do than to screw up that count?

This year, for the first time, the Census is using the Internet and smart phones to electronically collect data.  And, since the software is behind schedule, what better way to bring it back on schedule than to reduce testing?  After all, what could possibly go wrong.  Even Congress is nervous.  Of course, the count directly affects their jobs.  Source: The NY Times.

K12.Com Exposes Student Data on 7 Million

It’s a sad situation when a breach of the personal data of 7 million students is barely a footnote.  In this case, K12’s software is used by 1,100 school districts (maybe yours?).  They left a database publicly accessible until notified by researchers.  Information exposed included name, email, birthday, gender, authentication keys for accessing the student’s account and other information.  Not nuclear launch codes, but still, come on guys.  Source: Engadget.


If You Were NOT Paranoid Before …..

Google smart speakers and Google Assistant have been caught eavesdropping without permission: capturing and recording audio and handing the recordings over to human reviewers.  Note this is likely NOT exclusively a Google issue.  They just got caught.  Amazon listens to, they say, about 1,000 clips per shift and has recorded conversations like a child screaming for help and sexual assaults.  THESE RECORDINGS ARE LIKELY KEPT FOREVER.

A Dutch news outlet is reporting that it (the news outlet) received more than 1,000 recordings from a Dutch subcontractor who had been hired to transcribe the recordings for Google as part of its language understanding program.

Among the recordings are domestic violence, confidential business calls and even users asking their speakers to play porn on their connected devices.  

Of the 1,000 recordings, over 150 did not include the wake word, so roughly 15% of the sessions in this sample should not have been recorded at all.

Google acknowledged that the recordings are legitimate but says that only 0.2 percent of all audio gets transcribed.  They also said that the recordings given to the humans were not associated with a user’s account, but the news outlet said that you could hear addresses and other information in the audio, so doing your own association is not hard.

Fundamentally you have two problems here.  One is Google listening (or having its vendors listen) to what you ask Google and the other is Google listening and recording stuff it should not record.  The first should be reasonably expected;  the second is a problem.  Source: Threatpost.


Magecart, the Credit Card Stealing Monster, Is Alive and Well

In one research report, researchers discovered Magecart attacks affecting 17,000 web domains, including some in the Alexa Top 2,000.  You may remember that Magecart is what took down British Airways and likely caused them to be fined 183 million Pounds by the UK Information Commissioner’s Office.

Magecart is not a single hacker or even a single organization, but rather a technique for injecting credit-card-stealing JavaScript into otherwise okay web pages.  This group looked for unprotected (world-writable) Amazon S3 buckets that host JavaScript (really, did people not get the memo?  apparently not) and rewrote the code in them.  In this case, many of the pages are not even checkout pages, so they are just spraying and seeing what they get.

The JavaScript code that they are inserting is heavily obfuscated to make it very difficult for anyone to figure out what it does.  Most developers looking at code like that will just move on.  Source: The Hacker News.

In a separate report, Sanguine Security says that it identified 962 web sites that were infected with Magecart in one day.  They described it as the largest automated campaign to date; the previous record was 700 in one day.  Source: Info Security Magazine.

Whether there is some overlap in sites between these two research groups is unknown, but what is clear is that attackers are very successfully figuring out how to inject malicious code into otherwise reputable web sites undetected.  Two examples of large web sites that have been infected by this technique are Ticketmaster (EU) and British Airways, so it is not just effective on small sites.  Most of the sites infected are, in fact, relatively small.

Bottom line is that all sites need to consider the possibility of their code being infected with malware and take measures to reduce the risk of that happening.  This includes things like checksumming files and installing software that detects modification of existing files and the addition of new files.
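The checksumming control described above, as an added example that is not from the original post or either research report: a baseline manifest of SHA-256 hashes over the web root, and a diff against a later scan that reports modified, added and removed files. The toy site and the skimmer snippet are constructed inside `demo()` in a temporary directory; the paths are invented.

```python
# Added example (not from the original post or the research reports): build a
# SHA-256 manifest of a web root and diff it against a later scan, so a
# Magecart-style edit to an existing script, or a dropped-in new file, shows
# up.  The sample site is created in a temp directory by demo(); paths invented.
import hashlib
import os
import tempfile

def build_manifest(root):
    """Map each file's path (relative to root, POSIX separators) to its SHA-256."""
    manifest = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            h = hashlib.sha256()
            with open(full, "rb") as f:
                for chunk in iter(lambda: f.read(65536), b""):
                    h.update(chunk)
            manifest[rel] = h.hexdigest()
    return manifest

def diff_manifests(baseline, current):
    """Return {'modified': [...], 'added': [...], 'removed': [...]}, each sorted."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added":    sorted(p for p in current if p not in baseline),
        "removed":  sorted(p for p in baseline if p not in current),
    }

def _write(root, rel, data):
    path = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)

# Constructed stand-in for an obfuscated skimmer; it is not a real payload.
SKIMMER = b"\n;(function(){var _0x=['input'];/* ... */})();"

def demo():
    """Baseline a toy site, tamper with it the way a skimmer campaign would, re-scan."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "index.html", b"<html><script src=/js/app.js></script></html>")
        _write(root, "js/app.js", b"console.log('checkout');")
        _write(root, "css/site.css", b"body{}")
        baseline = build_manifest(root)

        # 1) append the skimmer to an existing script (the page keeps working)
        with open(os.path.join(root, "js", "app.js"), "ab") as f:
            f.write(SKIMMER)
        # 2) drop a new script the baseline never knew about
        _write(root, "js/jquery.min.js", SKIMMER)
        # 3) remove a file (less common, but worth reporting too)
        os.remove(os.path.join(root, "css", "site.css"))

        return diff_manifests(baseline, build_manifest(root))

if __name__ == "__main__":
    print(demo())
```

Two caveats. The baseline must be stored somewhere the web server (and an attacker who gets write access to the web root or the S3 bucket) cannot touch, or it will simply be updated along with the tampered file. And a hash manifest only covers files you serve yourself; for a script pulled from a third party’s CDN the browser-side equivalent is Subresource Integrity (the `integrity` attribute on the script tag), which makes the browser refuse a script whose hash no longer matches, and a Content Security Policy can restrict which origins scripts may be loaded from and where forms may post.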

But this also applies to third party code that is integrated into your web site.  As we have seen with a number of third party attacks, the attackers hit the weakest point, and if that is third party code that you use, that is fine with them.



In Case You Thought GDPR Was Overblown – Its Not

When GDPR first went into effect in May 2018, people talked about horror stories of fines to the tune of 4% of a company’s total global revenue.

Then reality hit and there were no fines or tiny fines.  Or so it seemed.

The problem with regulators is that it always takes them a while.

Legitimately, you do want them to make sure that they are only issuing fines when appropriate.

This week we have two big fines on the horizon.

The UK Information Commissioner’s Office (ICO) has decided to fine Marriott 99 million Pounds Sterling, or roughly $125 million, for the Starwood breach.  While that is not the end of the world for a company like Marriott, and it is even possible that they have insurance to cover some or all of it, Marriott is fighting it.  (Source: BBC).

Also in the UK, the ICO decided to fine British Airways 183 million Pounds Sterling, or about $225 million, for a website breach that affected about half a million people.  That represents 1.5% of their global revenue for 2017. Source: BBC.

Some people were hoping that the various data protection authorities were going to be all bark and no fine, but reality is a little different.

We have already seen many smaller fines.  But it is all relative.  A Polish taxi cab company was fined 160,000 Euros for failing to delete data whose retention it could not justify.  160,000 Euros for a taxi company might be harder to swallow than 183 million Pounds for BA.

And from the scuttlebutt, what we hear is expect many more fines during 2019 and 2020 as the authorities ramp up their staff and complete investigations.  As of January of this year, authorities had received about 60,000 complaints (Source: Law.com).  Helen Dixon, the Irish Data Protection Commissioner, had 29 people on her staff in 2015 – before GDPR.  Ireland is where companies like Facebook have their European HQs due to tax reasons.  Helen has a staff of 133 right now with 30 openings and is anticipating adding more staff in 2020.

Companies big and small should not plan on flying under the radar, because even if none of the data protection authorities singles you out, if your users are among those 60,000 complaints you could still wind up being investigated.
