Category Archives: Privacy

The Challenge of Privacy

Everyone has heard about the Federal Trade Commission fining (tentatively) Facebook $5 billion for sharing your data – with Cambridge Analytica  – without your permission.

The FBI has sought proposals for third parties to hoover up everything that is visible on social media and build a database so the FBI can search it for information on activities that you do that they think is sketchy.

The FBI wants to search your stuff by location (neighborhood), keywords and other functions.

Which seems to me precisely what cost Facebook $5 billion for allowing Cambridge Analytica to do.

Except the FBI wants to do this not just with Facebook, but with all social media platforms combined.

Not to worry.  I am sure that it will be secure.  And not abused.  And not used for political purposes.  After all, we are from the government and…..

The FBI wants to capture your photos as well.

Of course, doing so would violate the terms of service of every social media platform, so unless the do it secretly or Congress passes a law nullifying the social media terms of service, it is likely that social media platforms will terminate the accounts if they detect it.  *IF* they detect it.  Given the relationship between social media and DC, they may be motivated to stop it.

However, it is already being done by private companies, in spite of the prohibition, to sell to marketers, so who knows.

Facebook and Instagram actually have a ban on using the platform for surveillance purposes.

From a user perspective, there is likely nothing that you can do other than stop using social media.  It is POSSIBLE that if you stop making posts public (and instead only make them visible to your friends), that MIGHT stop them from being hoovered up.

If you stop using the platforms, that will make Facebook, Twitter and other platforms sad.

Smart terrorists will shift to covert platforms to make detection harder.

The good news is that there are not very many smart terrorists.

Source: ZDNet

Facebooktwitterredditlinkedinmailby feather

Security News for the Week Ending August 9, 2019

Researchers Hack WPA 3 Again

The WiFi Alliance has always keep their documents secret.  The only way that you even get a copy of the specs is to become a member and that will cost you $5k-$20k a year, depending on your role.

The same team that reported the bugs called Dragonblood found these new bugs.  The WiFi Alliance fixed the first set of bugs – in secret – and those fixes actually opened up more security holes.

SECURITY BY OBSCURITY DOES NOT WORK.  PERIOD.  Source: The Hacker News.

 

IBM  Says Reports of Malware Attacks Up 200% in first 6 months of 2019

IBM’s security division X-Force says that reports of destructive malware in the first 6 months of 2019 are up 200% over the last 6 months of 2018.  Ransomware is also up – 116% they say.

This means that businesses need to up their game if they do not want to be the next company on the nightly news.  Source: Ars Technica.

 

 StockX Hides Data Breach, Calls Password Change a System Update

If you have been breached, it is best to come clean.  It is critical that you have a plan before hand (called an incident response plan).  Part of that plan should not say “lie to cover up the truth”.  It just doesn’t work.  StockX tried to convince people that their requirement that everyone change their password was a “system update”.  It wasn’t.  It was a breach and the truth got out.  Source: Tech Crunch.

 

US Southcom Tests High Altitude Surveillance Balloons

US Southern Command is testing high altitude balloons from vendors like Denver based Sierra Nevada Corp that can stay aloft for days if not weeks – way cheaper and more pervasive than spy planes.

The balloons, who’s details are likely classified, probably use techniques like we used in Iraq, only better.  In Iraq, Gorgon Stare could capture gigabytes of high resolution video in minutes, with a single drone covering an entire city.

The theory here is record everything that everyone does and if there is a crime, look at the data later to figure out who was in the target area to create a suspect list.  1984 has arrived.  Source: The Guardian.

 

Amazon Learns From Apple’s Pain

After Apple’s pain from the leak that humans listen to a sampling of the millions of Siri requests a day, Amazon now allows you to disable that feature if you want and if you can find the option.

Buried in the Alexa privacy page is an option that you can disable called “help improve Amazon services and develop new features”.  Of course you don’t want to be the one who disables it and doesn’t help Amazon make things better.  Source: The Guardian.

 

North Korea Has Interesting Funding Strategy

North Korea has a very active weapons of mass destruction program.  That program is very expensive.  Given that the economy of North Korea is not exactly thriving, one might wonder how they pay for this program.

They pay for it the old fashioned way – they steal it.

In their case, that doesn’t mean robbing banks.  It means cyberattacks.  Ransomware.  Cryptocurrency robberies.  Stuff like that.  The UN thinks that they have stolen around $2 billion to fund their economy.   And still going strong.  Source: Reuters.

Facebooktwitterredditlinkedinmailby feather

Is The Encryption Debate Over?

Attorney General Barr said that he wants an encryption back door and if it compromises your privacy, well, we are not talking about protecting nuclear launch codes.  So we  know where he stands.

What came as a bit of a surprise is that Facebook says that they are going to build a back door into WhatsApp.  Not sure why.  Where is the pressure?  Who has the compromising pictures? Likely it is just greed.  They want to be able to operate in every country and since there are a number – a small number right now – that won’t let them operate without allowing those governments to spy on their users, the simple answer is to cave.

Here is what Facebook says they are going to do.  They are not going to, technically, insert a back door.  They might even claim this is a service to their users.

Think about this for a moment.  Right now WhatsApp cannot read your messages so they can’t target ads at you.  If they did know what you are saying, they could use or sell that data to advertisers.  That is just one possible use.

They are going to modify their app to do “content moderation”.  Content moderation is a covert word for censorship.  If China, for example, doesn’t want anyone to say anything bad about Xi, the moderation software will look for people saying bad things about him and stop it.

Since this happens on the user’s device, the encryption is not an issue because the user can decrypt stuff on their device.

Then, to make sure that the government will allow them to operate, they will send any banned content to a central moderation facility (AKA the government censors) to figure out who the local goon squad should come visit.

Obviously, the country can tell Facebook what they want them to look for.

Now say that you decide that you don’t like that and you switch to Signal.

The government could go to Signal and say “if you don’t want to be blocked you have to do content moderation.  It has nothing to do with your encryption.  Don’t say you can’t do it, because Facebook is doing it”.  At that point, privacy is pretty much done with.

It is *possible* that Signal, since it is not a commercial profit making company, might say go for it, block us.  That is not great for Signal, but, it might be better than compromising their principles.  Who knows.

Any government, no matter how repressive, now has a way to demand that software vendors give the their back door.

Facebook won’t say when this will be deployed – assuming it is not already deployed.  Why?  Because it might cause their customers to leave and that would, kind of, defeat the purpose.  I can already see the handwriting on the wall, so I am working to migrate away from WhatsApp and delete the application.

The total end game here could be to force Apple and Google to add “content moderation” to the operating system.  That is really what the repressive regimes like China and other repressive regimes (including, apparently, the US) would like to happen.

Stay tuned.  It is not clear how this is going to come down, but we certainly have a roadmap.

Source: Forbes.

Facebooktwitterredditlinkedinmailby feather

Apple Contractors “Regularly Hear Confidential Details’ on Siri Recordings

Apple uses contractors to listen to Siri recordings to figure out whether Siri responded correctly.  Apple says that these contractors are under non-disclosure agreements and the Siri conversations are not directly tied to the person’s iPhone or Apple credentials.

Still, these people hear about:

  • Confidential medical conversations
  • People having sex
  • Drug deals
  • Other likely illegal activities
  • Business deals

While they grade Siri on it’s responses, they don’t have to grade it on the subject matter of those conversations.

Apple does not specifically disclose that they hire contractors to listen to your requests, but they did not deny it either.  They say only about one person of the conversations per day are reviewed by humans.  Still, that is likely millions of sound bites.  Per day.

You are probably saying why would someone ask Siri a question while having sex?  Well, the short answer is that they do not.  But Siri can get confused and think that you said the activation word when you did not, hence the recordings.

If you have an iPhone or other Siri enabled Apple device around you, you implicitly consent to Apple recording you and humans listening to that conversation sometimes, whether you asked it to or not.  Siri can be activated accidentally, apparently, by the sound of a zipper.  Really?!

Another way that Siri can be activated is if an Apple Watch detects it has been raised, which could easily happen during drug deals. Or during sex.

So lets assume that you are OK with the possibility, maybe even likelihood that Siri may record you in compromising or private situations.

Does that mean that other people in the room are okay with that?  Like your sec partner.  Who may use your name.

Are other people in the room even aware that they are being recorded?

Is that even legal?  Answer: probably not in states that require two party consent, but I am not aware of a court decision yet,

In some companies, you are not allowed to bring your electronic devices into the building.  You may remember that Snowden required reporters to put their iPhones in the refrigerator to block signals to them.

If you are concerned about the confidentiality of a conversation you are having then you need to ask these questions.  Samsung was forced to put a disclosure on their TVs to this effect after a lawsuit.

Remember, it is not your device that you have to be worried about, it is everyone else within earshot that you should be concerned about.

Not only does this include Siri devices, but it includes any other smart device that has the capability to covertly record.

Source: The Guardian

Facebooktwitterredditlinkedinmailby feather

Security News for the Week Ending July 26, 2019

Equifax Agrees to Pay UP TO $700 Million to Settle Breach Lawsuits

First – the settlement hasn’t been agreed to by the court yet, so this is all speculation.

Of the $700 million pot, at least $300 million is set aside to pay damages to consumers.  Another $100 million plus is to pay for credit monitoring.

There are lots of details.  For the most part, unless you can prove damages and prove that those damages were caused by the Equifax breach and not some other breach, you probably will not get paid much.  You can get paid up to $250 if you file a claim and without proof.  Everything past that requires proof.   With 150 million victims and a $300 million pot, that averages to $2 a person.

BUT there is one thing you should do and that is get the free credit monitoring.    Go to EQUIFAXBREACHSETTLEMENT.COM and wait until it says that the court has approved it.  Note this is not a site owned by Equifax and given what a mess they are, this is good.  Read more details here.

The Next NSA Hacker Gets 9 Years

Harold Martin, the NSA contractor (employed by Booz, like Edward Snowden) was sentenced to 9 years for stealing 50 terabytes of data over the course of his 22 year NSA career.  The leak is something like 5 times the size of the Snowden leak.  He didn’t sell it;  he just liked data.  He had so much he had to store in in sheds in his back yard.  Many of the documents were clearly marked SECRET AND TOP SECRET.

The fact that he was able to steal hundreds of thousands of documentss doesn’t say much for NSA security, which is sad.  Source: Nextgov.

Huawei – Bad – Not Bad – Bad?!

President Trump said that Huawei is a national security threat and needs to be banned and then he said that maybe we can trade that threat for a better deal with China on trade.

Now it is coming out that Huawei helped North Korea build out their current wireless network.  The equipment was shipped into North Korea by Chinese state owned Panda International.  This has been going on since 2006 at least.  Huawei is likely continuing to provide technical support to North Korea.

This seems like a national security threat and not a bargaining chip for the President to toss in to get a trade deal that he wants, but what do I know.  Source: Fox News.

 

AG  Barr Says He Wants Encryption Back Door And Why do You Need Privacy – Just Suck it Up.

Attorney General William Barr said this week that if tech companies don’t provide a back door into consumer encryption,  they will pass a law forcing it.  And while this will allow hackers and Chinese spies to compromise US systems, it is worthwhile.

He said that they might wait for some terrorist event that kills lots of people and blame it on encryption (whether that is true or not).

He did seem to exclude “custom” encryption used by large business enterprises, whoever that might include.

Barr said that bad guys are using crypto to commit crimes what the police can’t investigate.  If that were true we would expect that crime would be going up.  If it is a really bad problem, it would be going way up.

Only problem is that the statistics say crime is going down.

You may remember that Juniper added such a back door, likely at the request of the NSA and it worked great until word got out about it and hackers had a field day.

This conversation is not over.  Source: The Register.

 

Facebooktwitterredditlinkedinmailby feather

Security News for the Week Ending July 19, 2019

FTC Approves $5 Billion Fine for Facebook

The FTC commissioners reportedly approved an approximately $5 billion fine of Facebook for violating the 2011 consent decree in conjunction with the Cambridge Analytica mess.

To put that in perspective, Facebook’s revenue just for 4th quarter of last year was $16.9 billion and their profit for that quarter was $6.9 billion, so the fine represents a little less than one quarter’s profit.   Still this is two orders of magnitude greater than the FTC fine of Google a few years ago.  The Justice Department has to approve the settlement and is typically a rubber stamp, but given this President’s relationship with social media, you never know.  Source: NY Times.

 

Why do they Want to Hack ME?

The Trickbot malware has compromised 250 million email addresses according to Techcrunch.  Besides using your email account to send spam, it does lots of other nifty stuff as it evolves.  Nice piece of work – NOT!

Why?  So that they can use your email to send spam.  After you, you are kind of a trusted person, so that if someone gets an email from you as opposed to a spammer, they are more likely to click on the link inside or open the attachment and voila, they are owned.

And, of course, you are blamed, which is even better for the spammer.  Source: Techcrunch.

 

Firefox Following Chrome – Marking HTTP web sites with “NOT SECURE” Label

Firefox is following in the footsteps of Google’s Chrome.  Starting this fall Firefox will also mark all HTTP pages (as opposed to HTTPS) as NOT SECURE as Google already does.  Hopefully this will encourage web site operators to install security certificates.  It used to be expensive, but now there are free options.  Source: ZDNet.

 

AMCA Breach Adds Another 2 Million + Victims

Even though American Medical Collection Agency was forced into bankruptcy as a result of the already 20 million+ victims, the hits keep coming for AMCA.  Another one of their customers, Clinical Pathology Labs, said that more than 2 million of their customers were affected by the breach.  They claim that they didn’t get enough information from AMCA to figure out what happened.

It is going to be interesting to see where the lawsuits go, who’s name(s) show up on the HIPAA wall of shame and who Health and Human Services goes after.  Given that AMCA filed for bankruptcy, it is very likely that Quest, CPL and AMCA’s other customers will wind up being sued.  Actually, Quest, Labcorp and the others are who should be sued because they selected AMCA as a vendor and obviously did not perform adequate due diligence.  Source: Techcrunch.

 

Another Day, Another Cryptocurrency Hack/Breach

This time it is the cryptocurrency exchange Bitpoint and they say that half of their 110,000 customers lost (virtual) money as a result of a hack last week.  The hack cost Bitpoint $28 million and they say that they plan the refund their customer’s money. One more time the hackers compromised the software, not the encryption,  Source: The Next Web.

Facebooktwitterredditlinkedinmailby feather