Category Archives: Privacy

Security News for the Week Ending July 3, 2020

Apple Likely to Make Charger, Earphones Extra on Next iPhone

Before everyone goes crazy, first this is a rumor – a likely accurate rumor, but a rumor, and second, it is likely aligned with the EU’s directive to reduce electronic waste. Your old charger and old earphones probably still work and if, say, 50% of people agree with that, that is a lot of electronic waste avoided. People who are less Apple-friendly say that Apple reduces costs, improves its environmental image and gets many people to buy unbundled, high margin accessories. Do not expect Apple to reduce the price over this. Credit: The Register

Apple Says NO to Advertisers

And now another Apple story. Apple has decided not to implement 16 new web APIs because they might enable advertisers to track users. This only applies to Safari, the default browser on Apple devices, which represents 17% of web users and since Apple doesn’t make it’s livelihood by selling people’s data, it is a win-win. It doesn’t cost Apple anything and it helps their customers. It is OK if everyone wins. Credit: Metacurity

Hackers Selling 100 Million+ Hacked Credentials

A seller of stolen credentials is flooding the black market with stolen userids and passwords. 14 companies worth of breached databases from 2020 represent 130+ million userids. Sites affected include Homechef, Minted, Tokopedia and almost a dozen more. That is just from the first 6 months of this year. In case that is not enough, the broker is selling a number of older databases. Beware of password reuse (also called stuffing) attacks where hackers try those passwords on other sites. Credit: Bleeping Computer

Location Data Used on Specific Voters So Candidates Knew Who Voted

Money is money. A data broker sold location data on Black Lives Matters protesters so that (police) could track their movements and also sold location data on evangelicals so that the (Trump campaign) knew whether people who were favorable to them had not voted so that they could get out the vote in a very targeted manner. All legal. Expect it to be used this year, likely by many candidates. I put the names in parentheses because the broker didn’t exactly say who they sold the data to. Credit: Vice

Denial of Service Attacks up 542% in First Quarter

Distributed Denial of Service attacks jumped more than 500% between fourth quarter last year and first quarter of this year and more than 250% year to year according to NexusGuard. Likely this is due to work from home. The attacks are going after businesses and ISPs. Are you ready? Credit: Dark Reading

Get Ready for Encryption Fireworks

Since the early 1990s, there has been a battle going on between the federal government and privacy advocates. Privacy advocates want strong encryption. The government wants weak encryption that it can break. Except of course for the encryption that they use.

They claim they need it is to hunt down terrorists, but that didn’t get any traction.

Then they claimed it was to hunt down pedophiles.

There are several bills in play right now and none of them really solve the problem. Not even a little bit.

One bill is the earnit act which, in typical Congressional fashion, kicks the can down the road. Since actually figuring out how to solve the problem of bad guys using encryption while at the same time protecting the rest of us, the earnit act proposes to create a commission to make recommendations to the Attorney General, who is not required to accept any of the recommendations and can create his own. Then if the tech community doesn’t accept whatever he says, they will lose the protection they have for content posted by users. Since Congress has like one person who understands tech out of 500, what they don’t seem to realize is that this will not achieve the goal that Republicans have getting more right wing content on the web. Instead what tech companies will have to do is dramatically restrict user posted content to make sure that they do not post any content from either side that would get them sued for helping pedophiles or promoting violence or whatever. Facebook will go back to what Zuckerberg originally planned it for – figuring out which girls he wanted to go out with or something slightly less PG than that. If they lose their immunity, they will restrict content.

If that happens, billions of dollars of investor capital value will go up in flames. I don’t have any Facebook or Twitter stock, but if you do and the bill passes, you should sell.

Sen. Graham introduced a new version of the bill to solve this problem. He wants to let the states decide. That way Twitter will have to comply with 50 state laws. That will definitely make things easier.

The Post says that legislators are far less sympathetic to tech companies and that may be true, but the President seems to like to use at least one tech company and if laws pass that remove protections, those companies are far more likely to censor him than they are now when they have immunity.

There are definitely two camps in Congress right now – those that want to protect people’s privacy and those that want to get rid of privacy because it is inconvenient to them.

Another bill, called the lead act, would literally ban strong encryption and make it a crime to use encryption that doesn’t have a backdoor.

Except, of course, crooks, how do I say this, DON’T CARE MUCH ABOUT THE LAW. So they will use strong encryption except for the dumb ones and we don’t really fix anything.

I am sure if the law requires a back door to private conversations, no crooks will ever discover how it works.

Kind of like how Apple tries to make it impossible to jailbreak their phones.

And their phones are typically jailbroken within 24-48 hours of a new software release.

I am not saying that there is not a problem. What I am saying is that there is no simple solution and rather than passing the buck to a committee or the states, figure out the answer. Even if it takes a couple of years. Figure out the right answer.

I must be thinking of a different organization than Congress. Credit: WaPo

Security News for the Week Ending June 19, 2020

Akamai Sees Largest DDoS Attack Ever

Cloudflare says that one of its customers was hit with a 1.44 terabit per second denial of service attack. A second attack topped 500 megabits per second. The used a variety of amplification techniques that required some custom coding on Akamai’s part to control, but the client was able to weather the attack. Credit: Dark Reading

Vulnerability in Trump Campaign App Revealed Secret Keys

Trump’s mobile campaign app exposed Twitter application keys, Google apps and maps keys and Branch.io keys. The vulnerability did not expose user accounts, it would have allowed an attacker to impersonate the app and cause significant campaign embarrassment. This could be due to sloppy coding practices or the lack of a secure development lifecycle. Credit: SC Magazine

FBI and Homeland Use Military-Style Drones to Surveil Protesters

Homeland Security has been using a variety of techniques, all likely completely legal, to keep track of what is going on during the recent protests.

Customs (part of DHS) has Predator drones, for example. Predator drones have been used in Iraq and other places. Some versions carry large weapons such as missiles. These DHS drones likely only carry high resolution spy cameras (that can, reportedly, read a license plate from 20,000 feet up) and cell phone interception equipment such as Stingrays and Crossbows. Different folks have different opinions as to whether using the same type of equipment that we use to hunt down terrorists is appropriate to use on U.S. soil, but that is a conversation for some other place. Credit: The Register

Hint: If You Plan to Commit Arson, Wear a Plain T-Shirt

A TV news chopper captured video of a masked protester setting a police car on fire. Two weeks later, they knocked on her door and arrested her for arson.

How? She was wearing a distinctive T-Shirt, sold on Etsy, which led investigators to her LinkedIn page and from there to her profile on Poshmark. While some are saying that is an invasion of privacy, I would say that the Feds are conducting open source intelligence (OSINT). The simple solution is to wear a plain T-Shirt. If you are committing a felony, don’t call attention to yourself. Credit: The Philly Inquirer

Ad-Tech Firm BlueKai has a bit of a Problem

BlueKai, owned by Oracle, had billions of records exposed on the Internet due to an unprotected database. This data is collected from an amazing array of sources from tracking beacons on web pages and emails to data that they buy from a variety of sources. Apparently the source of the breach is not Oracle it self but rather two companies Oracle does business with. They have not said whether those companies were customers, partners or suppliers and they haven’t publicly announced the breach. If there were California or EU residents in the mix, it could get expensive. The California AG has refused to say whether Oracle has told them, but this will not go away quietly or quickly. Credit: Tech Crunch

Security News for the Week Ending June 12, 2020

Singapore Updates Contact Tracing App

Singapore is not exactly a democracy, so this isn’t a complete surprise. They are updating their contact tracing app to include foreigner’s passport number and scanning of barcodes to facilitate tracking when someone enters a store or mall or restaurant. They would like the program to run in the background, but Apple does not allow Bluetooth to be active in the background, so the software doesn’t work right on iPhones. So, for iPhone users, people who don’t have smartphones and people who won’t install the app, they are working on building a wearable device to perform the same function and possibly issuing a device to everyone in the country. Credit: ZDNet

Indian IT Company Ran Hack for Hire Operation

BellTroX, a small Indian IT company based in Delhi, ran (allegedly) a hack-for-hire operation that targeted thousands of high profile politicians, investors and journalists on six continents over the last 7 years. Initially thought to be state sponsored, investigators now think they were just in it for the money. The group is known as Dark Basin by researchers, who have begun to unravel their work and notify hacked individuals. Credit: The Hacker News

Thanos Ransomware as a Service Weaponizes RIPlace Vulnerability

Thanos Ransomware as a Service tool weaponizes the Windows RIPlace attack tactic. RIPlace is a technique that uses a legacy API to bypass enpoint protection (AKA anti-virus) tools. That that Thanos is available as a service to any wanna hacker, expect to see even more ransomware attacks. The Thanos developer continues to add features including a light version (as in less features) and a company (full featured) version. Credit: Threatpost

Copy Protection Comes in Many Flavors

GE has, apparently, “copy protected” the water filters for their refrigerators so that you cannot use a $13 filter that is physically the same and have to pay GE $55 for their filter.

One customer was sufficiently annoyed that he bought a domain, www.GEFilterGate.com and explained how to “hack” GE’s refrigerator. All you have to do it take GE’s RFID tag off a legit filter and put it in the right place on the fake GE filter. I am not sure if it is legal, but that was one ticked off user. Credit: Vice

Federal Agencies Spending Millions on Crossbow

Crossbow, AKA Stingray, version 2, has been purchased by multiple federal agencies including ICE. Stingray is a device made by Harris to intercept cell phone traffic and is used by the military. They are also being used by federal, state and local governments, including during protests. Think of it as a cell tower in a small suitcase. Whether version 1 or version 2, they can be used to track down fugitives or surveil anyone, anywhere. We have reports of finding many Stingrays around Washington, DC, likely placed there by UNfriendly countries. Harris was so keen to keep information about the Stingray quiet that police regularly dropped charges rather than reveal information. Assume that Crossbow will be the same. Credit: Vice

Security News for the Week Ending May 29, 2020

Hackers Have Access to iOS 14 Months Before You Will

Apple gives developers early prototypes of their new software so that Apple doesn’t have a disaster on its hands when the new software is released and user’s applications no longer work. Unfortunately, some developers sell those phones – or at least access to them – so that they can get unlocked copies of the OS to hack and reverse engineer. This is why hacks appear so quickly after the new versions are finally released. Credit: Vice

Reports: eBay is Scanning User’s Computers for Open Ports

Bleeping Computer tested reports that users who visit eBay’s web site have their Windows computers scanned for open ports. It is possible that they are looking for computers that are compromised and used to commit fraud. However, accessing a user’s computer like this likely violates the Justice Department’s interpretation of the Computer Fraud and Abuse Act, which is a felony, specifically because they did not ask for permission. That “interpretation” is now being reviewed by the Supreme Court. Expect lawsuits. Credit: Bleeping Computer

UK Says They Will Keep Contact Tracing Info for 20 Years

No big surprise here – I expected this. This is the downside of the “centralized” model for contact tracing apps.

According to the privacy notice attached to the UK’s new contact tracing app, data collected by the app will be stored for up to 20 years.

And, you have no right to have it deleted. Credit: Computing UK

Abandoned Apps May Pose a Security Risk to Mobile Devices

If you are like most people, you have a number of apps on your phone or tablet.

Question for you – whether you use every single one of those apps frequently or not – is how many of those apps are still supported by the developer? That includes the so-called “packages” that the app developer used to write that app.

The unsupported app – with bugs that have not be discovered or patched – can provide an avenue for exploit by hackers. For as long as those apps remain on your phone.

So while you are not using that app, hackers are trying to figure out how to exploit it. The risk is higher than you might think. Credit: Dark Reading

They’re Baaaack! – CCPA Release 2

Californians for Consumer Privacy, an advocacy group that started the push for CCPA is back again, pushing for a ballot initiative this time. You may remember that they got enough signatures two years ago and only by some amazing gymnastics did the legislature pass CCPA.

The group says that they have enough signatures to get the new measure on the ballot and have submitted the initiative to Sacramento.

Here is some of what the new ballot measure proposes:

  • Create a new agency to protect and enforce the new rights and provide clear guidance to both consumers and businesses
  • The tech titans have been trying to delay the enforcement of the current CCPA until next year due to Covid-19
  • The new ballot measure adds new rights including on the sale and use of sensitive personal data such as health and financial information.
  • It requires an opt-in to collect such data
  • It triples the fines for breaking the rules surrounding data on children under 16
  • It requires that Californians be informed when their data is used to make fundamental decisions like credit

To get on the ballot requires 620,000 signatures; they have collected 900,000 signatures.

A recent poll says that 88% of the respondents would vote FOR a new privacy measure.

Last time MacTaggart, the developer who pushed for the original ballot measure, accepted a compromise from the legislature, but indications are that this time, he won’t. However, life is always negotiable.

One reason for the ballot measure is to force the creation of a new agency to enforce the law. The current AG has been, at best, lukewarm to enforcing the existing law.

Get your popcorn out; this is going to be a real battle. Credit: The Register