Category Archives: Privacy

Apple Airtags – A Low Cost Surveillance Tool for Good or Evil

Ever see a scene in the movies where the cops (or the bad guys) plant a tracking device on someone and later catch the person doing something?

Ever hear stories about an ex stalking his or her former partner?

Well Apple just made that ‘affordable’.

Probably too affordable.

And folks have already tested it.

Like putting an AirTag in a FedEx envelope and mailing it somewhere. Then tracking it. Apparently, WAY more precise than FedEx’s own tracking system.

In part, that is because of how they work. An AirTag broadcasts over Bluetooth, and if any iPhone, iPad or Mac in Apple’s Find My network is within Bluetooth range (tens of feet), that device quietly relays the tag’s location to Apple and the owner sees it on a map. That works great in the city, where the density of Apple devices is high. Go out into the woods and it doesn’t work so well, unless the person you are tracking has an iDevice in their pocket.

You want to know where your kids are? Covertly slip a $29 tracking device in their backpack.

Want to know if your spouse is cheating? You can buy 4 tags for less than a hundred bucks.

Want to keep tabs on your ex? Ditto.

You could hide one in a car or any number of places, depending on how devious you are.

Here is the worst part.

In many cases, it may not even be illegal. But it might be. It depends on the jurisdiction and on whom you are tracking.

Point of information: A tag is paired to an Apple ID and the device used to set it up. If that Apple ID or device can be tied to you, or to a number you called or an email account you accessed, the cops will be able to find you.

Just in case you were thinking of doing something illegal.

Tracking your kids? That’s not illegal. But kids are usually smarter than parents, so they might be tracking you right now. If they have $29.

Credit: Ars Technica

Apple’s New iPhone SW Brings Big Changes

If you were using your phone and visited a web site when a message popped up that said something like “we want to sell your data to anyone we want and you get nothing for that – do we have your permission to do that?” – what would your answer be?

Well, if you are an iPhone user, that day is possibly today, or at least as soon as your phone upgrades to iOS 14.5.

Since Apple does not make most of its money from your data, while Google, one of its biggest competitors, makes roughly 80% of its revenue from advertising built on your data, this change is a double win. Apple can tell its customers how wonderful it is while, at the same time, it gets to poke a sharp stick in the eye of one of its biggest competitors, Google.

Developers are now required to ask users via a pop-up if they can “track your activity across other companies’ apps and websites” (Apple calls this App Tracking Transparency; unless you tap Allow, the app cannot read the phone’s advertising identifier, the IDFA). If you opt out, you will not see any fewer ads, but the ads will be less targeted to you, since the app can’t combine its data with other companies’ data to figure out what items you were looking at on Amazon or what stories you were reading on Twitter.

The phone remembers your choices, but you can change your mind at any time.

Some data collection does benefit the consumer, but that is almost always data the app collects for its own use. A fitness tracker app, for example, needs to know where you have been and when, but it does not need to sell that data to Amazon so Amazon can hawk running shoes to you. Doing so does not improve your experience of the fitness tracker, regardless of what they say.

Facebook, for one, rolled out prototype screens basically begging users to let them sell their data. We don’t know what the final screens will look like yet.

I suspect that many users’ initial reaction is going to be “HELL NO!!”. This is really a radical change in the United States, and on a huge scale, given the tens of millions of users who will finally get to have a small voice.

Until today, in the U.S. users never had the ability to OPT-IN to data sharing – only a hard to use, hard to find, opaque and in some cases, fake, OPT-OUT capability. What a difference a day makes. While I have never been an Apple fan-boy, in this case, GO APPLE!!

It is fair to say that some businesses, mostly large ones, will see some negative impact. The small ones likely either don’t do targeted advertising or don’t make a lot of their sales as a result of that targeting. I don’t know about you, but I visit hundreds of web pages a day and if I were to click on one ad a week it would likely be by mistake.

Facebook’s message is that if you say yes they won’t collect any more data than they already do now; it will just mean that they can show you different ads to ignore.

Companies will adapt. This is not the end of advertising. But it is the beginning of some much needed transparency.

Credit: CNN

Security News for the Week Ending April 16, 2021

Not a Good Week for Social Media Privacy

After the January 6th attack on the US Capitol, we saw terabytes of conversations, videos and profiles from the alt-right Twitter clone Parler posted online. Last week we saw 500+ million Facebook profiles for sale on the dark web (Facebook says this isn’t a breach) and then another 500 million LinkedIn profiles for sale. This week it is Clubhouse, but since it is new, there are only a million-plus users in the free database. These social media sites on one hand sue people for taking their data but on the other hand say that actions like this are not a breach because they offer APIs that allow people to do it (the data was scraped, not taken from inside). What is the message? Anything associated with your social media world is not private and is fair game. Credit: Cyber News

Some Said Biden Would Cave to China – Not Yet Apparently

The US has just added seven new Chinese companies to the Entity List, the list of companies that US businesses cannot sell to unless they get a license (the get-out-of-jail card) from the Commerce Department. These seven are supercomputer makers and Chinese National Supercomputing Centers. Looks like the pressure is still on. Credit: ZDNet

Hackers and Blockchain

One way the fuzz have been able to take down botnets is to disable their command and control (C2) servers. Most malware that phones home either hard codes the C2 address or addresses or looks them up in a DNS record the attacker controls. If law enforcement seizes those servers, or reroutes their traffic to a sinkhole, the botnet is dead. Hackers are creative, so they came up with a workaround.

Put the information the bots need on the blockchain. Or on many blockchains. The bot reads the most recent transaction from a wallet the attacker controls and decodes the C2 address from the data stored in it; to move the C2, the attacker just sends a new transaction, and nobody can delete the old ones. Since the blockchain is both public and immutable, problem solved. If we change the rules regarding whether someone can change a blockchain, the entire usefulness of the blockchain and all of the industries that have been built up around it, including all of the value stored in Bitcoin, gets flushed down the toilet. The current worldwide value of all Bitcoin is on the order of a trillion dollars. If the cops have to break every blockchain worldwide to catch a hacker, I suspect that there will be a lot of unhappy people. I don’t think any government is interested in risking that much (and growing) capital to take down a hacker. Not sure how to fix this. Dictatorial countries might be willing to destroy their capital market, but I don’t think western countries are willing.

If this happens you better dump any Bitcoin you have quickly. Credit: Bruce Schneier
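Here is what that trick looks like in practice. This is an added example, not code from the original post or from anything Schneier described; the transaction data is made up (no real chain data), the C2: marker and the one-byte XOR are stand-ins for whatever encoding a real sample uses, and all of the function names are mine. The mechanics are the same on the bot side and the defender side: parse the OP_RETURN output of each transaction from the attacker’s wallet, decode it, and the newest one wins.

```python
"""How a bot can fetch its command-and-control (C2) address from a public
blockchain, and how a defender can pull the same data back out.

Added example, not from the original post or the piece it credits. The
transactions below are constructed, not real chain data; the MAGIC marker
and XOR_KEY are stand-ins for whatever encoding a real sample uses.
"""

OP_RETURN = 0x6A
OP_PUSHDATA1 = 0x4C
OP_PUSHDATA2 = 0x4D


def op_return_payload(script):
    """Return the bytes pushed after OP_RETURN in a scriptPubKey, or None if
    the script is not an OP_RETURN output. Handles the push encodings that
    fit under the usual 80-byte relay limit: direct push (1..75 bytes),
    OP_PUSHDATA1 and OP_PUSHDATA2."""
    if not script or script[0] != OP_RETURN:
        return None
    if len(script) == 1:
        return b""
    i = 1
    op = script[i]
    if 1 <= op <= 75:
        n, i = op, i + 1
    elif op == OP_PUSHDATA1:
        n, i = script[i + 1], i + 2
    elif op == OP_PUSHDATA2:
        n, i = int.from_bytes(script[i + 1:i + 3], "little"), i + 3
    else:
        return None
    data = script[i:i + n]
    return data if len(data) == n else None


def build_op_return_script(payload):
    """Encode payload (<= 80 bytes) as an OP_RETURN scriptPubKey."""
    if len(payload) > 80:
        raise ValueError("relay policy caps OP_RETURN data at 80 bytes")
    if len(payload) <= 75:
        return bytes([OP_RETURN, len(payload)]) + payload
    return bytes([OP_RETURN, OP_PUSHDATA1, len(payload)]) + payload


MAGIC = b"C2:"      # constructed marker the bot looks for
XOR_KEY = 0x5A      # constructed; a real sample would use real crypto


def obfuscate(domain):
    return MAGIC + bytes(b ^ XOR_KEY for b in domain.encode("ascii"))


def deobfuscate(payload):
    """Reverse obfuscate(); None if this is not one of "our" payloads."""
    if not payload.startswith(MAGIC):
        return None
    try:
        return bytes(b ^ XOR_KEY for b in payload[len(MAGIC):]).decode("ascii")
    except UnicodeDecodeError:
        return None


def current_c2(transactions):
    """Bot side: walk the attacker wallet's transactions newest-first and use
    the first OP_RETURN output that decodes. Each transaction is a list of
    output scripts (bytes), oldest transaction first. None if nothing decodes."""
    for outputs in reversed(transactions):
        for script in outputs:
            payload = op_return_payload(script)
            if payload is None:
                continue
            c2 = deobfuscate(payload)
            if c2 is not None:
                return c2
    return None


def find_c2_history(transactions):
    """Defender side: every C2 value the wallet ever published, oldest first.
    Nothing on the chain can be removed, so the whole history is readable."""
    history = []
    for outputs in transactions:
        for script in outputs:
            payload = op_return_payload(script)
            c2 = deobfuscate(payload) if payload is not None else None
            if c2 is not None:
                history.append(c2)
    return history


# Constructed chain: an ordinary payment output (P2PKH, 25 bytes) followed by
# two C2 updates. Once mined, neither OP_RETURN output can be taken down
# without rewriting the chain, which is the whole point from the attacker's side.
P2PKH = bytes.fromhex("76a914" + "11" * 20 + "88ac")
CHAIN = [
    [P2PKH],
    [P2PKH, build_op_return_script(obfuscate("c2-one.example"))],
    [P2PKH, build_op_return_script(obfuscate("c2-two.example"))],
]

if __name__ == "__main__":
    print("bot would use:", current_c2(CHAIN))
    print("all C2s seen :", find_c2_history(CHAIN))
```

Run it and the bot-side lookup returns the second address while the defender-side scan returns both. That is the flip side of immutability: a defender does not have to break the blockchain to use this. Watching the wallet gives you every C2 the attacker ever published, including the next one the moment it is mined.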

Domain Name System Security Neglected by US Energy Companies

Unfortunately, there is no surprise here.

The Biden administration says utilities in the United States are sort of clueless when it comes to cybersecurity. Data collected shows that nearly 80% of the top energy organizations are at risk of cyberattacks due to totally elementary cyber hygiene errors – either willful or through ignorance.

80% of the organizations do not use a registry lock, which stops a domain from being transferred, deleted or having its nameservers changed without out-of-band verification at the registry (it shows up in whois as the serverTransferProhibited family of statuses) and so helps stop domains from being hijacked. More than 66% use consumer grade registrars, likely because they are a little bit cheaper but also because they don’t understand that those registrars have weak security practices. I looked up my electric utility. They passed the first test and failed the second. Only 3% use DNSSEC (mine does not). Only 17% use DNS hosting redundancy, meaning a second DNS provider that keeps the zone resolving if the first one goes down. While 73% have some sort of DMARC policy in place, many are set to p=none, which only asks receivers to send reports and does nothing to stop spoofed mail, so as protection the setting is useless. This is pretty much in line with the results found as part of a global test last year.

As I said, no surprise, but a lot of disappointment. Credit: Security Week
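If you want to check your own utility (or your own company) the way the study did, most of the raw data comes from a whois/RDAP lookup and a couple of dig queries. What follows is an added example, not from the original post or the study it summarizes: the checks run offline on data you paste in, the sample records are constructed, and the function and field names are mine.

```python
"""Offline scoring of the four domain-hygiene items the study looked at:
registry lock, DNSSEC, DNS hosting redundancy and DMARC enforcement.

Added example, not from the original post or the study it cites. The
sample domains at the bottom are constructed; feed the functions the EPP
status codes from whois/RDAP, the DS records from `dig DS <domain>`, the
NS records and the `_dmarc.<domain>` TXT record for a real check.
"""

# EPP status codes that only the registry can set. Seeing all three is what a
# registry lock looks like from the outside.
REGISTRY_LOCK_STATUSES = {
    "serverDeleteProhibited",
    "serverTransferProhibited",
    "serverUpdateProhibited",
}
# The client* equivalents are set by the registrar and are much weaker: anyone
# who gets into the registrar account can clear them.
REGISTRAR_LOCK_STATUSES = {
    "clientDeleteProhibited",
    "clientTransferProhibited",
    "clientUpdateProhibited",
}


def lock_level(epp_statuses):
    """'registry', 'registrar' or 'none' from a list of EPP status codes."""
    statuses = set(epp_statuses)
    if REGISTRY_LOCK_STATUSES <= statuses:
        return "registry"
    if statuses & REGISTRAR_LOCK_STATUSES:
        return "registrar"
    return "none"


def has_dnssec(ds_records):
    """A signed, delegated zone has at least one DS record in the parent."""
    return len(ds_records) > 0


def ns_providers(ns_names):
    """Distinct DNS hosting providers, approximated by the registrable part
    (last two labels) of each nameserver hostname. Two or more is redundancy."""
    providers = set()
    for ns in ns_names:
        labels = ns.rstrip(".").lower().split(".")
        providers.add(".".join(labels[-2:]))
    return providers


def parse_dmarc(txt):
    """Parse a DMARC TXT record into a tag dict; None if it is not DMARC."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return None
    return tags


def dmarc_enforces(txt):
    """True only if the policy actually blocks spoofed mail: p=quarantine or
    p=reject applied to 100% of messages (pct defaults to 100)."""
    tags = parse_dmarc(txt)
    if tags is None:
        return False
    policy = tags.get("p", "none").lower()
    pct = int(tags.get("pct", "100"))
    return policy in ("quarantine", "reject") and pct == 100


def audit(domain):
    """domain: dict with 'epp', 'ds', 'ns' (lists) and 'dmarc' (str).
    Returns the list of failed tests, in the study's order."""
    findings = []
    if lock_level(domain["epp"]) != "registry":
        findings.append("no registry lock")
    if not has_dnssec(domain["ds"]):
        findings.append("no DNSSEC (no DS record)")
    if len(ns_providers(domain["ns"])) < 2:
        findings.append("single DNS hosting provider")
    if not dmarc_enforces(domain["dmarc"]):
        findings.append("DMARC not enforcing")
    return findings


# Constructed samples: the typical utility from the post, and a hardened one.
TYPICAL_UTILITY = {
    "epp": ["clientTransferProhibited"],
    "ds": [],
    "ns": ["ns1.example-registrar.net.", "ns2.example-registrar.net."],
    "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
}
HARDENED_UTILITY = {
    "epp": ["serverDeleteProhibited", "serverTransferProhibited",
            "serverUpdateProhibited", "clientTransferProhibited"],
    "ds": ["12345 13 2 " + "ab" * 32],   # constructed DS record
    "ns": ["ns1.dns-provider-a.com.", "ns2.dns-provider-b.net."],
    "dmarc": "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@example.com",
}

if __name__ == "__main__":
    for name, dom in (("typical", TYPICAL_UTILITY), ("hardened", HARDENED_UTILITY)):
        print(name, audit(dom) or ["no findings"])
```

The registry lock test is the one people get wrong: clientTransferProhibited looks reassuring in whois, but it is set by the registrar, and whoever takes over your registrar account can clear it. Only the server* statuses mean the registry itself will refuse the change. Likewise a DMARC record with p=none passes the “has DMARC” test in a survey and stops nothing.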

NSA Says They Have A Big Blind Spot

NSA Director General Paul Nakasone testified before the Senate Armed Services Committee about the recent SolarWinds and Microsoft Exchange hacks. He said that foreign hackers are taking advantage of the Intelligence community’s blind spot – adversaries working INSIDE the United States.

Our adversaries can come into the United States, set up shop on the web, do their damage and be gone before a warrant can be issued – before we can have actual surveillance by a civilian authority.

To be clear, a warrant does not need to take a lot of time to get approved, and the NSA doesn’t need no stinking warrant for foreign targets overseas. What is different is that the FBI and others, most of the time, do need a warrant, a warrant requires probable cause, and probable cause takes time to find. That requirement is constitutional, however, so it cannot simply be legislated away. After 9/11 we did a whole bunch of new surveillance, and some of it was later ruled unlawful by the federal appeals courts, but not until years later.

The problem is that no one, neither foreign intelligence nor domestic law enforcement, seems to have had any visibility into what the hackers were doing. In fact, neither law enforcement nor the intelligence community actually detected these attacks.

Nakasone said that we can’t connect the dots because we can’t see all the dots. Unlike dictatorships, in the US, we have separation of responsibilities and that does make things more difficult for those people who are tasked with protecting us.

While the NSA can legally intercept almost any signals that they are able to see internationally, inside the U.S., the FBI and others generally require a warrant to access information.

Of course the FBI and the NSA do not need any warrant to intercept traffic inside the government, because the government can give them permission to monitor its own networks. Given that the government was a major target, that seems like an important piece of information. The executive branch could have collected as much data as it wanted from its own networks under existing law. Did they miss something? Could they have done something differently? Would that have changed the outcome? I don’t know the answer to any of these questions, but they are useful questions to ask.

Some folks, notably NOT General Nakasone, have suggested that the NSA needs to be allowed to spy inside the United States. That presents some minor legal problems, most notably the Fourth Amendment to the US Constitution.

Other people have suggested that even if we had allowed the NSA to spy on Americans in America, there is no indication that they would have detected these attacks. They might have. Or might not have.

Of course, if the private sector had a way to share their intelligence with the government in a way that protects Americans’ rights and protects the companies that share their data with the government.

I don’t think there is an easy answer. Sometimes the hackers are good – especially when they are using an unlimited bank account, as is often the case with state sponsored hacking.

The feds have been talking about a bill that would require companies to tell the government about an attack, but that would be after the fact and probably would not have helped in this case.

Still, we have to put our collective thinking caps on and try to figure out a solution. After 9-11 we came up with some reactionary responses and we are still arguing about the impact of that twenty years later. This time we should probably think about the long term implications. But we do need to think. Credit: The Cybersecurity 202/Washington Post

Are You Ready for CCPA?

CCPA went into effect just over a year ago. Now we have some history on it.

DataGrail is a vendor that helps companies like Overstock and Okta respond to CCPA requests. They have fulfilled millions of “data subject requests” for their clients. Here is what they found.

46% of the requests were to tell companies that the consumer did not want their data sold to a third party (the so called DO NOT SELL MY DATA).

One third of the requests were to delete the consumer’s data.

The average business-to-consumer company received 137 requests per million identities. That is a tiny fraction: about 0.014 percent.

Side note: Gartner says that companies who manually process requests spend $1,406 per request.

Nearly half of the requests cannot be verified, meaning that companies have to spend time and money on requests they ultimately cannot act on.

Organizations that use a form with a CAPTCHA get significantly fewer spam requests.

DataGrail’s report says:

“The companies that are transparent and those that can win trust will be the big winners in the new privacy era,” noted Barber. “Proactively embracing good privacy practices doesn’t have to be a death sentence to profit margins. Forward-thinking companies have figured out how to make a strong privacy stance work for people and their business.”

Now that Virginia has its own version of CCPA and Florida and Texas are on the verge, this might be a good time to wrap your arms around privacy. Credit: Help Net Security

The report can be found at DataGrail

Security News for the Week Ending April 2, 2021

SolarWinds Hackers Got Emails of Illegally Appointed Former Acting Head of DHS

Chad Wolf, the former temporary acting head of DHS whom a federal court said was illegally appointed, has another item for his resume. When the Russians hacked DHS by way of SolarWinds, they obtained Wolf’s emails. Try to comprehend, for a moment, the intelligence value to Russia of whatever was in his email. DHS has not commented on that subject, but suffice it to say, this is not good. Credit: Cybernews

US Special Operations Command Buys Location Data

SOCOM paid nearly $600,000 to buy location data harvested from apps on your phone. The company, Anomaly 6, is pretty secretive. The WSJ picked up the contract info, so they are probably getting more attention than they had gotten in the last year. Founded by ex-military and location-industry execs, it seems to have contracts with DoD and the intelligence community. SOCOM says that the $589,500 deal was an evaluation of their data for an overseas environment. SOCOM does a lot of work tracking down bad guys in the Middle East and Africa, so you can probably connect the dots. No one is saying, and this is likely no more illegal than SOCOM buying pens from Staples – for better or for worse. Credit: Vice

A Potential Resume Generating Event

US Strategic Command, the folks responsible for launching nuclear missiles, sent the following Tweet:

;l;;gmlxzssaw .

Is this a launch code on Twitter? No, but here is a real-world danger of working from home. Note to self: lock your computer before leaving it.


Intel Sued Over Capturing User Keystroke data

Have you ever visited a web site, started filling out a form but didn’t submit it, and had the site owner contact you anyway? The way they do that is via software on the web site (so-called session replay or form analytics scripts) that records your keystrokes as you type, before you ever click submit. One of the companies that does that is Intel. Another is Google. There is a current class action lawsuit in Florida that accuses Intel of wiretapping. I’m not a lawyer, but that seems like a stretch. Still, if you are using keystroke monitoring software on your website, you probably should watch this lawsuit closely. Credit: Threatpost

Sierra Wireless Withdraws Financial Guidance Completely After Ransomware

Sierra Wireless, a major Internet of Things vendor, reported that it was the target of ransomware last week. As a result, it halted production at its manufacturing plants. Not only did the attack shut down many of its internal systems, it forced the company to withdraw the financial guidance it had issued just a month earlier. There are a couple of potential reasons why they shut manufacturing down. One might be that they were concerned the attackers had been able to compromise code going into those products and did not want to be the next SolarWinds. Credit: SC Magazine