Category Archives: Privacy

Security News for the Week Ending October 22, 2021

State Acknowledges Data Breach After 10 Months

I guess better late than never. Finally, the State of Illinois is admitting to a data breach, sort of. Here is what they are now saying. Check the dates below. Notice who was among the last to know – the victims. Can the state be fined for breaking the law? We shall see.

Pursuant to the requirements of the Health Insurance Portability and Accountability Act, 45 CFR Sections 164.400-414, the Illinois Department of Healthcare and Family Services (HFS) and the Illinois Department of Human Services (IDHS) (collectively the Departments) in conjunction with the Illinois Department of Innovation and Technology (DoIT) are notifying the media of an incident within the State of Illinois Integrated Eligibility System (IES).

IES is the eligibility system of record for State-funded medical benefits programs, the Supplemental Nutrition Assistance Program (SNAP), and Temporary Assistance for Needy Families (TANF). On November 24, 2020, the State discovered an issue within IES. Upon investigation, the Departments discovered that household members who were once on a case and had their access removed could still see information even after they were no longer part of that case.

In response to this incident, on January 8, 2021, IES was updated to limit case access to only the head of household, and prior and other current household members no longer have access. To date, the Departments are unaware of any actual or attempted misuse of personal information as a result of the incident and the number of potentially affected individuals was limited.

The Departments notified the members of the Illinois General Assembly on July 29, 2021, the potentially affected individuals on September 9, 2021, and the Office of the Illinois Attorney General on September 10, 2021.
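The failure the notice describes, access that survived a member's removal from the case, is a stale-grant bug. The Python below is an added illustration, not the State's code; the case model, person IDs and dates are constructed. It puts the buggy check beside the post-fix policy (head of household only) and adds the reconciliation check a defender would run to find grants that should have been revoked.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional, Set

# Constructed sample model (not the IES schema): a case has a head of household,
# a membership history with join/leave dates, and an access list that the buggy
# code filled when someone joined and never pruned when they left.

@dataclass
class Member:
    person_id: str
    joined: date
    left: Optional[date] = None  # None means still on the case

@dataclass
class Case:
    case_id: str
    head_of_household: str
    members: List[Member] = field(default_factory=list)
    acl: Set[str] = field(default_factory=set)  # person_ids with portal access

def can_view_vulnerable(case: Case, person_id: str) -> bool:
    """Bug pattern from the incident: the stored access list is consulted
    directly, so a person removed from the case keeps access forever."""
    return person_id in case.acl

def can_view_fixed(case: Case, person_id: str) -> bool:
    """Policy described in the notice after the January 2021 fix: only the
    head of household may view the case; prior and other current members
    may not. Access is derived from the case record, not a stored ACL."""
    return person_id == case.head_of_household

def stale_grants(case: Case, today: date) -> Set[str]:
    """Reconciliation check: ACL entries belonging to people who are not
    current members on `today` (already left, or not yet joined)."""
    current = {m.person_id for m in case.members
               if m.joined <= today and (m.left is None or m.left > today)}
    return case.acl - current

def sample_case() -> Case:
    """Constructed case: P200 was removed on 2020-06-30 but never pruned."""
    c = Case("CASE-0001", head_of_household="P100")
    c.members = [Member("P100", date(2019, 1, 1)),
                 Member("P200", date(2019, 1, 1), left=date(2020, 6, 30)),
                 Member("P300", date(2020, 7, 1))]
    c.acl = {"P100", "P200", "P300"}
    return c
```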

Tesco Launches First Checkout-Free Store in London

Following in line with companies like Amazon, retailers like Tesco in London are working on letting customers shop in their stores without having to stop at the checkout line. This is done with a crazy number of cameras and sensors. My guess is that they are willing to take some losses in the short term to try and figure out the weak spots and how people plan to game the system, but this is surveillance to the max. It requires that you have their app and they will automatically charge your credit card, which has to be on file. Me, I’m okay with the checkout line. Credit: Computing

Facebook Plans to Rebrand Itself

Okay, this is not really security related, but fun for Friday. Facebook, apparently, wants to rebrand itself. They have been quiet about this but will announce the new name at their annual conference this month. Note that they didn’t ask for suggestions; they probably would have gotten a bunch that referred to different body parts than people’s faces. But, this is kind of like what Google did with Alphabet a couple of years ago. Facebook as a company has lots of brands and it probably doesn’t make sense, any more, for the parent company to still be called Facebook. Credit: Computing

CISA Wants the 24 Hour Breach Reporting Law for Incidents

There are bills working their way through Congress right now that would make it mandatory that certain companies report breaches and some attacks within either 24 or 72 hours, depending on the bill. CISA is putting its weight behind 24 hours. This probably will include anything designated as critical infrastructure, which is a lot, and possibly some others. Stay tuned to see what passes. Companies would rather keep hacks secret, if possible, but if the bill passes and companies might be fined or executives go to jail, they will probably disclose. The disclosure would be to the government, probably, and not publicly. Credit: FCW

CISA Says Ransomware Targeted SCADA Systems of 3 US Water Treatment Plants

The FBI, CISA, EPA and NSA issued a joint alert saying that cyberattacks against water and wastewater treatment plants are up. They revealed that the industrial control system (ICS) or SCADA systems at three plants had been hit by ransomware and that the malware had been lurking inside for about a month before it launched the attacks. They target the outdated software and poorly configured hardware of these systems and it is a pretty easy attack. Drinking water is the primary target, they say. My guess is that they do that because poisoning people will create more chaos. Credit: Hack Read

NSO’s Pegasus Spyware No Longer Works in the UK, US

At this point, this is only a rumor, but maybe with high confidence. The Israeli spyware company NSO Group continues to get into trouble as they sell their software, pretty much, to anyone who will pay the price.

Earlier this month a UK court ruled against NSO that it was likely that a Dubai princess and her lawyers had their phones hacked by the NSO software, probably at the request of her ex-husband.

Amazingly, at virtually the same time, according to an unnamed source, NSO stopped the software from working on all FIVE-EYES countries’ phone numbers (UK, US, Canada, Australia and New Zealand).

For how long is unclear.

NSO is facing a lot of lawsuits right now, so they may be trying to deflect some heat. Since they are not publicly saying what they are doing or for how long, I would not count on the good behavior lasting. Too much money to ignore.

What likely happened is that some parts of the international intelligence community “suggested” they cool it for a while, otherwise they might be forced to take some actions like they did in Iran with Stuxnet. If you remember, Stuxnet generated a complete meltdown of Iran’s nuclear program. It is highly likely that the NSA or GCHQ could do the same thing to NSO if they wanted to. Not saying that is what happened, but...

The NY Post reported that the Princess paid $6.4 million to keep an affair with her bodyguard secret. When this fact came out the Princess, daughter of King Hussein of Jordan, left Dubai with her two young children from her marriage to the Sheikh. It is likely that all of this ugliness is what caused the Sheikh to decide to hack her and her attorney’s phones.

The Sheikh was a bit unhappy with her sudden departure and tried to get the UK High Court to return the children. I guess in the UAE, all is fair in love, war and child custody. He even tried to kidnap the kids using a helicopter.

All of this is kind of above my pay grade, but it does seem to poke some holes in NSO’s claims that they are good guys and their software is only used to catch bad guys, which is what their public story is.

How long NSO will continue to lose revenue opportunities is not clear.

What this “outing” of NSO means, however, is that fears that the Pegasus software was used to spy on diplomats, politicians, reporters and activists are likely true.

Credit: The Guardian

Company That Routes Billions of Text Messages Says it’s been Hacked for Years

Syniverse is a company that no one has ever heard of. They act as an interconnection between some 300 mobile carriers, 95 of the top 100 carriers among them.

They are the reason you can send a text message to your friend who is not on the same phone carrier as you are.

It also allows you to use your phone when you are not in a place where your carrier has service, known as roaming. That is done using the horribly insecure protocol, developed decades ago with no security, called SS7.

In a filing with the SEC, the company admitted that hackers have been in their network since 2016, possibly on and off. Given that they have access to all of your text messages, and call records and location data and other information, that is a huge privacy nightmare.

One former employee said that since the world has not stopped spinning, clearly it is not a problem. Washington, on the other hand, says this is an espionage goldmine.

If the hack was state sponsored, then they would not “use” your data in the traditional sense. They would use it to build a profile and possibly use it to phish you. If, for example, this is a Russia or China operation, there is no telling what they planned to do with it.

If someone is having an affair or swapping nude pictures or other sensitive topics, it could also be used to blackmail people.

Not to fear, however, Syniverse said that as soon as they discovered the breach after five years, they implemented their security incident response plan.

I bet that regulators from around the world are investigating.

Syniverse is trying to go public using a SPAC merger and that is how this came out. They said that the hackers did not try to disrupt operations or ransom them, so all is good, right? If this was state sponsored, you would not expect them to do either of these things. In fairness, they know they are going to get sued, so they are trying to put the best spin on this that they can.

None of their customers were willing to comment for the article. Credit: Motherboard-Vice

Security News for the Week Ending October 1, 2021

Women, Minorities are Hacked More Than Others

A new report, released this week, says that lower income and vulnerable populations are disproportionately affected by cyber crime. Shockingly (not), the report says that those with lower incomes, lower education and minority groups are more likely to fall victim to cyber crime. While the gap is not huge, it is consistent from question to question. Credit: Threatpost

Leaked Apple Training Video Shows It Trains Repair Partners to Disparage Third Party Repairs

Leaked videos show that Apple trains its authorized repair partners to disparage third party repair shops. While at one level this is not a surprise, at another level, as a dominant player in the market, they are going to take some serious heat over the videos. According to Motherboard, who reviewed the videos, it appears that some of the claims made are suspect. Bottom line, users need to review different choices and make an educated decision. Credit: Motherboard

Customs and Border Protection Uses Encrypted App Wickr As FBI Goes Dark

CBP is deploying encrypted messaging app Wickr enterprise wide. While the FBI lobbies Congress to ban end-to-end encryption, another executive branch department thinks encryption is pretty useful. They spent $900,000 to renew their Wickr software licenses (which is pretty reasonable for the size of the organization). Wickr is now owned by Amazon and they do have an enterprise version that can log message traffic as is required by law for CBP. It is unclear what version they are using, but it is likely that version. Credit: Vice

IKEA Admitted to Placing Surveillance Cameras in Warehouse Bathrooms

IKEA has now removed these cameras that were placed in men’s and women’s bathrooms and discovered in a warehouse in England. It is not clear whether cameras exist in other IKEA bathrooms, but the privacy commissioner’s office is likely not happy. IKEA admitted the cameras had been in place since 2015. Credit: The Register

Driverless Cars Could Generate 100 GB of Data Per Second

While predictions of driverless cars by 2020 only materialized in limited situations, driverless cars are coming and they will generate a ton of data. Test vehicles are generating between 20 and 40 Terabytes of data a day. Estimates say the average self-driving car will generate between 1 and 15 TB a day and a robotaxi might generate 450 TB. If most cars are driverless by 2030, that will create an amazing amount of data and I am sure that it will all be secure and private. Remember that these cars are collecting data on everything they drive past – cars, buildings, roads, people – so just because YOU don’t drive a self-driving car, that doesn’t mean that one of those cars won’t catch you in a place where you should not be, doing something that you should not be doing. Credit: Cybernews

Security News for the Week Ending September 24, 2021

Detecting Hidden Cameras in Your Airbnb and Similar Rentals

No one wants to think about this, but it is an issue. Especially in private home/condo rentals, owners are worried about you stealing or damaging their stuff. And some of them are just stalkers. Here is a TikTok video from well known security researcher Marcus Hutchins on some things that you can do to look for hidden cameras. Credit: Hack Read

Japan Sets New Internet Speed Record – 319,000,000,000,000 bits per second

While not a security issue, it is pretty impressive. This beats the old record of 178 terabits/second. The test was carried out in a lab, but simulated a 3,000 km fiber. This is definitely still experimental, so don’t expect to get this speed at your house any time soon. Credit: Computing (free account required)

The Internet is Going to Break

Well, I don’t think so, but some people are concerned. Let’s Encrypt is that free service that lets web site owners encrypt traffic to and from their website. Let’s Encrypt’s original ROOT CERTIFICATE is going to expire in about a week. They updated their certificate in clients like Chrome and Edge and server software like Linux Apache a long time ago, but what about users that are running old, unsupported software? In a word, they are going to be SOL. The certificate will show as expired and, depending on the situation, the user likely will not be able to establish the connection. If it is a server that has that expired certificate, even if the user has been updated, things won’t work. Bottom line, this is only going to be a problem for old, unsupported systems – but there are a lot of these. Stay tuned. Old IoT devices are most likely to break. If you are responsible for systems, now would be a good time to test. Credit: Portswigger
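Why an un-updated client fails while an updated one keeps working comes down to certificate path building. The Python below is an added illustration, not Let’s Encrypt’s code or the page’s: it models the hierarchy of the time (the old root DST Root CA X3, which expired on 30 September 2021, and the newer ISRG Root X1, which the old root had cross-signed; those names and that expiry are facts not on the page, the other dates and the leaf name are constructed) and shows a strict legacy-style path builder rejecting the chain when its only trust anchor is the expired root. Signatures are not checked; only names and validity windows are modelled.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Set

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    not_after: date  # expiry only; signatures are not modelled here

# Constructed chain modelled on the Let's Encrypt hierarchy of the time:
# the leaf is issued by intermediate R3, R3 by ISRG Root X1, and ISRG Root X1
# also exists as a cross-signed cert issued by the old DST Root CA X3.
LEAF = Cert("www.example.org", "R3", date(2021, 12, 15))
R3 = Cert("R3", "ISRG Root X1", date(2025, 9, 15))
ISRG_CROSS = Cert("ISRG Root X1", "DST Root CA X3", date(2024, 9, 30))
ISRG_SELF = Cert("ISRG Root X1", "ISRG Root X1", date(2035, 6, 4))
DST_ROOT = Cert("DST Root CA X3", "DST Root CA X3", date(2021, 9, 30))

SERVER_CHAIN = [LEAF, R3, ISRG_CROSS]  # what the server sends
OLD_TRUST_STORE = {DST_ROOT}           # un-updated client or IoT device
NEW_TRUST_STORE = {ISRG_SELF}          # updated client

def build_path(leaf: Cert, server_chain: List[Cert],
               trust_store: Set[Cert], now: date) -> Optional[List[Cert]]:
    """Depth-first path building the way a strict legacy client does: follow
    issuer names upward and accept the first path in which every cert is
    still valid on `now` and which ends at a trusted anchor; else None."""
    pool = list(server_chain) + sorted(trust_store, key=lambda c: c.subject)

    def walk(cert: Cert, path: List[Cert]) -> Optional[List[Cert]]:
        if now > cert.not_after:
            return None          # expired link: this branch is a dead end
        if cert in trust_store:
            return path          # reached a trust anchor that is still valid
        for cand in pool:
            if cand.subject == cert.issuer and cand not in path:
                found = walk(cand, path + [cand])
                if found:
                    return found
        return None

    return walk(leaf, [leaf])

def chain_subjects(trust_store: Set[Cert],
                   now: date = date(2021, 10, 1)) -> Optional[List[str]]:
    """Subjects of the accepted path for a client with `trust_store`, or None
    when the handshake would fail validation (the day after the old root expired)."""
    path = build_path(LEAF, SERVER_CHAIN, trust_store, now)
    return None if path is None else [c.subject for c in path]
```

Running `chain_subjects(OLD_TRUST_STORE)` returns None after the expiry date, while `chain_subjects(NEW_TRUST_STORE)` still yields a path through ISRG Root X1; before the expiry both succeed, which is why the breakage only shows up on the day.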

VoIP Phone Provider Hit by Denial of Service Attack; Has Been Down for a Week

This is the downside of the cloud. VoIP.ms has been battling a massive (they say) distributed denial of service attack since September 16th. They say they have over 80,000 (likely unhappy) customers in 125 countries, all of whom have had limited voice service as a result of the attackers wanting VoIP.ms to pay them a ransom to stop the attack. How would your business operate if it did not have phone service for a week? Credit: ZDNet

100 Million IoT Devices Affected by New Bug

NanoMQ is an OPEN SOURCE messaging processing platform that is used in many critical IoT devices like patient monitors, fire detection, car system monitors and smart city applications, among many others. Researchers from Guardara detected multiple vulnerabilities affecting as many as 100 million devices. It could cause the device to crash – that is very simple to do – or worse. Attacks on these kinds of devices are spiking and until IoT vendors get serious about security, plan on a backup system for anything that is critical. While some people continue to spread the myth that Open Source software is secure, there is not much evidence for that as we see bug after bug revealed in super popular apps, never mind the really niche ones. Credit: Threat Post

Google Says Geofence Warrants Up by 10x+

Geofence warrants are “requests” by law enforcement for information on everyone that was in a particular geographic area during a particular time window.

Typically they use the results to come up with the usual list of suspects. The initial response usually doesn’t include names and addresses; that comes after the police mine all the data that they got. Also note that they do not delete that data. Possibly for ever.

Let’s say there was a burglary at 1 Park Avenue in New York on Saturday morning, maybe around 6 AM. The NYPD might ask Google to give them data on everyone in a 4 block area surrounding 1 Park between midnight and noon that day.

The police would need to convince a judge that this is reasonable, but that does not tend to be that hard.

How I know that it is not hard is by looking at the numbers.

In 2018, before geofence warrants were popular, Google responded to 982 of these warrants.

Last year, they responded to over 11,000 of them.

GOOGLE IS OF COURSE ONLY ONE COMPANY GETTING SUCH WARRANTS. Every big tech company gets them.

Google really hasn’t said much in response to this. In fairness to them, they have to comply with the law.

But the reason these are becoming very popular is the sheer amount of data we choose to share with Google. From location tracking to maps to queries to all kinds of stuff, Google is awash in your data.

In one case, in 2020, the data indicated that one Zachery McCoy was the police’s prime suspect and in this case, Google told him about the warrant (they can’t and don’t always tell). He was using an app to track his bike riding and it put him near a burglary.

Ignore, for the moment, that any half-way intelligent crook will power off his or her phone before going out on the town to loot, pillage, maim and whatever.

McCoy had to spend his own money to eventually exonerate himself – after other evidence emerged.

Such is the danger of our super connected world.

Convenience and surveillance. Wonderful. Credit: Threatpost