Category Archives: Privacy

Hidden Cameras in Your Vacation Rental or Hotel Room?!

After you are done gasping — it is not a far fetched scenario, at least for vacation rentals.  There have been many stories of AirBnB rentals having surveillance cameras – even though their agreement requires that they be disclosed if present.

When it comes to hotels, it is much more likely that those cameras were placed there by pervs rather than by the hotel staff.  Remember the Erin Andrews nude video story?  (See story here if you don’t remember it.  Note:  this is suitable for work – there are no pictures, just the story).

On the other hand, if you are in a foreign country, hotel video cams are more common, especially if you are an American executive, work for a tech company or have a security clearance.  If you do travel internationally and need a defensive security briefing, contact us.

First thing I need to do is provide a warning.  For international travelers, even detecting surveillance cameras, never mind disabling it, can be hazardous to your safety, literally, depending on the country.

This advice comes from a guy, nicknamed Monk, who does counter-surveillance for members of the U.S. military’s Special Operations Command among many others, so I take his advice at face value.

There are three primary methods for checking for hidden surveillance devices.  Remember some of these cameras are maybe a quarter inch across, so they are not easy to see.  They can be hidden in almost anything, including light fixtures, bedside radios, smoke detectors and other places.

The three methods are scanning for transmissions, detecting the lenses and physical search.    Many devices that will help can be purchased online for less than $100, but remember this is an art, not an exact science.

Scanners only work, of course, when the device is transmitting.  This MAY not be a big problem because the smaller devices likely don’t have a lot of storage, so they have to transmit often.

Lens detection works quite well, but there is a technique to develop.  And, it requires a lot of patience. Physical detection works quite well also, but you have to have an idea of what a bug might look like and you have to be willing to disassemble stuff like your bedside radio or the smoke alarm.

I have a sample video of foreign intelligence officials “reviewing” a hotel room when the occupant was gone, so that is definitely real.

As I said, this is not an exact science, but a mixture of all three is probably going to serve you best.

First thought – where are they going to hide a camera?  Kind of depends what they want.  If they want compromising video, it needs a clear line to the bed.  If they want your userid and password, it needs a clear line to your desk.  Remember, top down is fine, so the ceiling is a good candidate.

Alarm clocks, outlets, surge  protectors and lamps are all good locations because they have a built in source of power that won’t raise any suspicions.

This is not meant to be a complete how to article.  That would require way more ink.  Mostly, it will (probably scare you) warn you of the risk.

Hiding cameras in air vents and returns provides good cover because the cameras, electronics, power and storage can be bigger but still hidden.

The article suggests that you ask for a room change, but if you are being targeted, they will just put you in another room with built in surveillance.  Instead, block the suspected camera.  Turn the lamp camera to face the wall.  If it gets turned back the next time the room is serviced, you were probably right.  Point the alarm away from the bed, etc.

While this story may scare the bejibbers out of you, remember that most of the time, the surveillance is there to record damage to the owner’s property, although Erin Andrews’ surveillor had different ideas,  This is also the case if you are a higher risk business person.  AND do not fall for the “who would want to steal stuff from me” ruse.  Higher value business person is a relative term.

Just in case you think I am paranoid (well, that is valid, I am), here is a link to an article by entertainer Kim Komando who hosts a weekly show on tech.  It is real.  What we don’t know is how prevalent is is.  No idea.

Information for this post comes from USA Today.

Facebooktwitterredditlinkedinmailby feather

Security News Bites for the Week Ending March 22, 2019

If privacy matters in your life, it should matter to the phone your life is on

Apple is launching a major ad campaign to run during March Madness with the tagline “If privacy matters in your life, it should matter to the phone your life is on.  Privacy.  That’s iPhone“.

Since Apple’s business model is based on selling phones and apps, they do not need to sell your data.  I saw a stat yesterday that one app (kimoji) claimed to be downloaded 9,000 times a second at $1,99 after it was launched.  One app out of millions.

The ad, available in the link at the end of the post, attempts to differentiate Apple from the rest of industry that makes money by selling your data.  Source: The Hill.

 

Another Cyber-Extortion Scam

Ignoring for the moment that the CIA is not allowed to get involved with domestic law enforcement, this is an interesting email that I received today.

Apparently the CIA is worried about online kiddie porn and my email address and information was located by a low level person at the CIA.  See the first screen shot below (click to expand the images).

Notice (first red circle) that the CIA now has a .GA email address, so apparently they must have moved their operations to the country of Gabon in south west Africa.

Next comes the scam – see second screen shot below

First, she knows that I am wealthy (I wish!).This nice person is warning me that arrests will commence on April 8th and if I merely send her $10,000 in Bitcoin, she will remove my name from the list.

Tracing the email, it bounces around Europe (UK, France and Germany) before landing in Poland.

Suffice it to say, this is NOT legit and you should not send her $10,000 or any other amount.

Hacker Gnosticplayers Released Round 4 of Hacked Accounts

The Pakistani hacker who goes by the handle Gnosticplayers, who already released details on 890 million hacked accounts and who previously said he was done, released yet another round of hacked accounts for sale.  This round contains 27 million hacked accounts originating from some obscure (to me) web sites: Youthmanual, GameSalad, Bukalapak, Lifebear, EstanteVirtual and Coubic.  This time the details can be yours for only $5,000 in Bitcoin, which seems like a bargain for 27 million accounts – that translates to way less than a penny per account).

Ponder this – one hacker out of the total universe of hackers is selling close to a billion compromised online accounts.  HOW MANY compromised accounts are out there?  Source: The Hacker News.

 

Airline Seatbacks Have … Cameras? !

Two U.S. Senators have written a letter to all of the domestic airlines asking them about seatback cameras in airplane seats.

I SUSPECT that it is based on some crazy plan to allow people to video with each other while travelling – likely at some exhorbitant cost.  If you allow people to use their phones, they can Facetime for free, but if you build it into the seat, you can charge them for the same service.

The concern, of course, is whether big brother is watching you while you sit there.  Maybe trying to figure out if you are the next shoe bomber.

Now you need to travel with yet one more thing – a piece of duct tape to put over the camera.

The airlines say that the cameras a dormant.  For now at least.  Source: CNN .

 

Congress May Actually Pass (Watered Down) IoT Security Bill

Cybersecurity bills seem to have a challenge in getting passed in Washington, in part because the Republicans are wary of anything that smells like regulation back home, partly because most Congress people are clueless when it comes to cyber and partly because they are scared to death of anything that might impact the tech industry money machine and what it has done for the economy.

Still, at least some Congresspeople understand the risk that IoT represents and after watering down the current IoT bill under consideration, it may actually get passed.  So, a start, but not the end.

The original bill said that any IoT device the government buys should adhere to acceptable security standards and specified several examples.  The new bill kicks the can down the road and says that NIST should create some standards in a year or two and then, probably, give industry several more years to implement it.  That way we will have hundreds of millions of non-secure IoT devices out in the field first for hackers to use to attack us.  Source:  Dark Reading.

Facebooktwitterredditlinkedinmailby feather

Not a Great Day for One Law Firm, Its Vendor and its Clients

I wrote a while back about hackers that had compromised a law firm and its customer Hiscox insurance – or said differently Hiscox and its vendor.  The law firm was handling claims related to 9/11 (almost 20 years later and still litigating!).

A lot of law firms (certainly not all) have not figured out that they are a high value target for hackers because of all of the customer data that they have.

The hackers broke into the law firm and stole tens of thousands of claims documents and emails.  Stuff that Hiscox’s clients probably did not want to be public.

Then the hackers tried to extort Hiscox and the law firm.

Apparently that didn’t work.

The hackers had distributed three encrypted blobs after the extortion became public a couple of months ago.

Now the hackers have released another encryption key.  This time it exposed about 8,000 emails – about 5 gigabytes of stuff.  That means a lot of attachments, otherwise 8,000 emails would be a lot smaller.

Since  the hackers are dribbling out these encryption keys they may be still trying to extort the law firm and Hiscox, but each one of these data dumps makes things worse for them.

Hiscox’s story was “it wasn’t us” meaning that the hackers didn’t break into the insurance carrier, but, you know what, when it comes to lawsuits, Hiscox’s customers are going to say that they gave the documents to Hiscox;  if they gave it to someone else, that is Hiscox’ problem, not theirs.  And, I think, the courts are likely to agree.

And, Hiscox added, once they learned about the breach, they informed the policy holders.

I’m guessing that the insureds are going to say that Hiscox had a fiduciary responsibility to protect the data that they shared and that responsibility can’t be waived.

Given that this is 18 years after 9/11, those suits still being litigated are probably big dollar claims.  I hope Hiscox has a lot of insurance because I can’t imagine they are not going to be sued.

Okay, so what is the implication to you?

At all levels here, we are talking about a vendor cyber risk management (VCRM).  Between Hiscox’s clients and Hiscox and between Hiscox and its vendors.  There will be lawsuits over that.

The second issue is the security at the law firm.  Apparently not so good.  How good is the security at the law firm that you use?  Even though you might be able to sue them after a breach, that doesn’t really solve the problem.  

Now there is a big mess.  Who gets to pay for the cleanup?  Look at the agreements that everyone signed.  My guess is that the law firm wrote something in the contract that said they were not responsible.  Assuming Hiscox accepted such language. 

Did the law firm have cyber risk insurance?  If not, can they write a check for $10 or $100 million out of their checking account?  If not, they file for BK and walk away, leaving the customer holding the bag.

YOU, as the customer, need to make sure that everyone has their ducks in a row.  To quote a sign I saw yesterday:

     I don’t have ducks
     I don’t have a row
     I have squirrels
    And they are drunk

BE PREPARED!

Information for this post came from Motherboard.

 

 

Facebooktwitterredditlinkedinmailby feather

What is YOUR Level of Paranoia?

A Houston lawyer is suing Apple alleging that Apple’s Facetime bug (still not fixed) that allowed people to eavesdrop even if you do not answer the call, allowed a private deposition to be recorded.

If you are among the geek crowd you probably know that the most paranoid person around, Edward Snowden, required reporters to put their phones in the freezer (not to keep them cold, but rather the metal box of the freezer kept radio waves out) when they were talking to him.

The lawyer is calling the bug a defective product breach and said that Apple failed to provide sufficient warnings and instructions.

I am not intimately familiar with Apple’s software license agreement, but assuming it is like every other one I have seen, it says that they are not responsible for anything and it is completely up to you to decide if the software meets your needs.

That probably conflicts with various defective product laws, but if that strategy had much promise you would think some lawyer would have tried that tactic before.

But the problem with the iPhone and the lawsuit do point out something.

We assume that every user has some level of paranoia.  Everyone’s level varies and may be different for different situations.  We call that your Adjustable Level of Paranoia of ALoP (Thanks James!)

YOU need to consider your ALoP in a particular circumstance. 

You should have a default ALoP.  Depending on who you are, that might be low or high.  You will take different actions based on that.

In this case, if the lawyer was really interested in security, he should not have allowed recorders (also known as phones and laptops) into the room.  He also should have swept for bugs.

That is a trade-off for convenience.  But, that is the way security works.  Low ALoP means high convenience.  High ALoP means lower convenience.  Ask anyone who has worked in the DoD world.   If you work in a classified environment you cannot bring your phone into the building.  They have lockers to store them in if you do.  If you ignore that rule you can lose your clearance or even get prosecuted.

Bottom line is that you need to figure out what your ALoP is for a particular situation and make adjustments accordingly.

Suing Apple will not solve this attorney’s problem.  There will be more software bugs.  I promise this was NOT the last one.

But the lawyer will get his 15 seconds of fame before the suit is settled or dismissed.

Source: ABC 13.

Facebooktwitterredditlinkedinmailby feather

Facebook 0, Apple 1; Google is Collateral Damage

You would think that in light of all of the negative publicity that Facebook has had, it would reign in some of it’s badder practices, but maybe they are just daring Congress to regulate them.

Facebook created a VPN product called Onavo Protect.  The public claim was that it was designed to protect your traffic, but in reality, it was a data collection tool since every web site that you visited, every search query you made and every link that you clicked on while using their VPN was visible and captured (and sold) by Facebook.

When the Ka-Ka hit the proverbial rotating air movement device (AKA the sh*t hit the fan) Apple banned the product from the iWorld.

Well Facebook is not easily deterred.

Unlike Android, Apple makes it difficult for developers to bypass the Apple store, in part to protect users and in part so that Apple can control developers.  But, in order to get enterprises to allow employees to use iPhones for work, Apple created an Enterprise signing certificate.  According to the rules, apps signed with those certificates can only be used inside a company.

Facebook decided that those rules did not apply to them and used that enterprise certificate to distribute an app to users age 13 to 35 where Facebook paid users up to $20 a month plus referral fees to install an app called Facebook Research.  Under the hood, it is just Onavo Protect that collects all of a user’s Internet activity so that they can better target that high value demographic.  To hide what they were doing, they offered it through several “beta testing” firms.

After Apple found out about it they REVOKED – aka invalidated – Facebook’s enterprise certificate.  Not only did this shut down the Facebook Research app, but also shut down any iPhone apps that Facebook was using internally to run it’s business.  This gave Apple a huge crowbar to swing at Facebook’s head to get them to change their ways.

As a side note, Google was also doing the same thing (with a product called Screenwise), although not quite so covertly and Apple also revoked their enterprise cert.  Of course, 99% of the people at Google likely use Google or other Android phones, so the impact on Google is likely a lot less than at Facebook.  Google shut down the service before Apple whacked them and apologized.  Facebook did neither of those.

After some behind the scenes begging, no doubt, Apple restored Facebook’s cert after a day and a half.

Facebook is saying that users should trust them.  Some Congress-people are suggesting a new law may be required.  Certainly, they are not doing a great job at building trust.

So what does all this mean to a user?

Since this was targeted, in part, at kids under 18, parents need to educate kids that they should not sell their soul for $20 a month.  Apparently both Facebook and Google think this is a good business model.

It also indicates how much your data is worth.  There were millions of copies installed and if they were paying $20 a month per user plus other perks, that means that the data was worth hundreds of millions of dollars a month to them.

If adults think that selling all of their data – every single click that they make online plus all of the data going up and down – for $20 a month, I guess that is okay, but kids are probably not in a position to make an informed decision.

By the way, because of how the software was installed, they would have the ability to see every password, your banking information and your health information, in addition to your surfing habits.

But trust them;  they wouldn’t keep that data.  Or use it.  Or sell it.

Definitely a case of buyer beware.

Information from the post came from Apple Insider, here and here.

Facebooktwitterredditlinkedinmailby feather

Cell Carriers Agree – AGAIN – To Stop Selling Your Location Data – HONEST!

Motherboard was able to buy real time location data from a broker for a T-Mobile phone for $300.  This is not illegal.

The food chain for location data is very complicated.

In this case, T-Mobile sold the data to data aggregator Zumigo.

Zumigo sold it to Microbilt.

Microbilt sold it to a bounty hunter.

Who sold it to a “source”.

Who sold it to Motherboard.

Ajit Pai, who, as the Chairman of the FCC has not been very consumer friendly, “declined” a request for an emergency briefing to Congress during the Trump Shutdown.

While I am not terribly impressed by that, the reality is that the FCC won’t take any action during the shutdown any way.  Still, there is no reason not to brief Congress other than the Pai is a Republican and he was asked to testify by the Democrats.

AT&T, Sprint and T-Mobile continue to sell data even though they have promised to stop selling data multiple times.

Now they are saying that they pinky-promise that they will really, really stop selling your location data.

One of the challenges is that there are some legitimate services, such as roadside assistance, that need the data and need to make other accommodations.

One source is many of those applications that people love to install.  One recent study found that a given app might collect your location up to 14,000 times a day (10 times a minute).

Users have to grant permission for apps to use your location, but as we saw with the City of LA lawsuit against The Weather Channel, many times apps ask for your permission to use your location but don’t clearly tell you what they are using it for or who they are selling it to.

The problem for people that really want your data is that for any given user, they don’t know what apps you have installed or which apps you have given location permission, so their best answer is to buy your location info from a data aggregator if they can’t get it from the cell companies.  

You can and should turn off location services when you don’t need it and review which apps you have given location permissions to see if you still want those apps to have that capability.

Don’t hold your breath.  Source: Bleeping Computer.

 

 

 

Facebooktwitterredditlinkedinmailby feather