Category Archives: Safety

Security News for the Week Ending September 17, 2021

LA Police Collected Social Media Account Info From People They Talked To

I’m sure they were just curious. The LA police watchdog says that officers were instructed to collect civilians’ social media details when they interviewed them. The instruction goes back to a 2015 email from the Chief, who said the information could be beneficial to investigations and possibly even future outreach programs. These are people who were neither arrested nor cited. I am sure that using people’s email addresses for social outreach is far more effective than, say, Twitter, Facebook or even the 6:00 News. Not. For harassing and scaring people, yes. Credit: MSN

Germany Admits Police Used NSO Group Pegasus Spyware

Testifying before Parliament, Germany’s Federal Police admitted that they used NSO Group’s Pegasus spyware, which can totally own a mobile phone and all the data on it. They said that some features were disabled to comply with German law. Which features, and how many people were targeted, was not revealed. Likely they are not alone; they just got caught at it. Credit: Security Week

Taliban and China Are Reportedly in Bed Together

China has reportedly sent its best (?) cyber spies to Kabul to help the Taliban tap land lines and mobile calls, monitor the Internet and mine social media. While all governments, including ours, do this, the Taliban is not likely to put any controls on what gets monitored. US intelligence sources say China has been wooing the Taliban for years, getting ready for this. One can only assume that the Taliban will reciprocate, for example by giving China access to the equipment we left behind. Credit: Mirror

FTC Says Health Apps Must Notify Consumers About Breaches

In a 3-2 vote, with the two Republican commissioners dissenting, the FTC warned makers of apps and devices that collect personal health information that they must notify consumers if that data is breached. This is designed specifically to address the gap that most apps are not HIPAA covered entities and hence are not covered by HIPAA’s breach notification requirements. The two Trump appointees who voted against it are not necessarily against having app makers tell users that their data has been compromised, but would prefer to drag the decision out for a few more years while the government goes through its normal bureaucratic rulemaking process. Credit: FTC

Cops Instructed to Play Loud Music to Disrupt Public Filming of Their Activities

Police – or at least some police – do not like being filmed while doing their job. One Illinois police department officially came up with an interesting tactic. While it doesn’t stop people from filming them, it MIGHT get the videos taken down from social media, which seems to be the goal. When they notice someone filming them, they play copyrighted music so that it ends up in the recording. Most social media platforms have been sued enough that they have technology that detects at least popular copyrighted music and, if it detects it, removes the post so they don’t get sued. I think it is pretty simple to distort the music a little bit so the filter won’t match while still allowing a listener to hear the interaction with the police. My guess is that if a case like this came to court over copyright, the court would rule in favor of the person filming, but we are talking about the law here, so who knows. Credit: Vice

New Bluetooth Bug Affects Billions of Devices

Researchers from the Singapore University of Technology and Design have published details about BrakTooth, a new family of security vulnerabilities in Bluetooth software implementations.

They assessed 13 Bluetooth devices from about a dozen vendors, including Intel, Qualcomm, Texas Instruments and Cypress, and found 16 vulnerabilities. On the less bad side, some of them only cause a denial of service (crashing the device and requiring the owner to power cycle it); on the bad side, some allow remote code execution.

The researchers identified about 1,400 products affected by the vulnerabilities, including phones, car radios (now called infotainment systems), computers, speakers, headphones, home entertainment systems, toys and industrial automation. Likely there are far more vulnerable products.

Estimates are that there are billions of vulnerable devices, many of which will never be fixed and remain vulnerable until they are in a landfill a decade from now.

The risk varies, of course. If your home microwave fails, you may have to find a different way to heat your food. However, if factory automation equipment fails, it could shut down a factory or worse.

More detailed information is available at this Bleeping Computer article.

None of the vulnerabilities require the attacker to pair with the device; they just need to be within Bluetooth range. The Hacker News says that proof of concept code is available online.

While the end user may think he or she is buying a device from a reputable company, that same owner has no clue which chip vendor that company buys its Bluetooth software from, or whether the vendor’s fix has ever been shipped to the device.

Ford Patents Distracted Driving

Maybe I should title this “what could possibly go wrong”. This is not specifically a security issue, but it could be. Mostly it is a safety issue.

In new cars, you have a big ole screen in the front. It is designed to replace the dash controls and instruments.

If you are Ford and you are looking for new revenue streams as people buy fewer cars, you come up with one and patent it.

What if Ford figured out where you were on the road and what billboards (or stores or whatever) you were passing, and threw up an ad on that screen? After all, those self driving cars have a bunch of cameras. Surely they could lock onto an image that a company paid Ford to display.

After all, what could possibly go wrong if Ford displays an ad for that big sale at the XYZ store. Surely you are not going to look at that ad instead of crashing into the car in front of you.

Oh, wait, that is not what they meant.

Of course, if the car is fully self driving. FULLY. self driving. Maybe that wouldn’t be such a risk. Are they only going to display ads when the car is in full self driving mode?

Is the driver going to hit the brakes when he or she sees an ad that catches his or her eye? I guess that will test all the other cars’ collision avoidance systems.

Of course, I am sure, it would be impossible to hack. Picture this: your car is now encrypted with ransomware, and if you want to drive it again, pay us 1 Bitcoin.

What could go wrong? The possibilities are limitless.

Credit: Ford

Security News for the Week Ending August 20, 2021

Well That Seems Like a Bit Over the Top

A pharmacist in Illinois faces up to 120 years in prison for selling dozens of (I assume blank) Covid vaccine cards. The pharmacist sold 134 cards to 11 buyers for roughly $1,276. He is being charged with theft of government property. That seems like a stretch, but maybe. Mostly they want to make a point that if you want a fake vaccine card, you should create it in Photoshop yourself. Yes, it will take you a few hours, but it isn’t very hard, and it makes it harder for the feds to discover that you did it. And don’t brag about it on social media. Mind you, just because you make it yourself doesn’t mean you aren’t breaking the law. Falsely using a government seal, for example, is a crime, but it probably won’t get you 120 years, which is why they came up with this creative charge. Just doing a quick Google search, I found blank cards online, so I have no idea why anyone would buy one. Blank cards were also for sale on Amazon for a while – 10 for $12.99. Credit: Bleeping Computer

Another Day, Another Cryptocurrency Hack

Last week a hacker stole $600 million in cryptocurrency for fun … and then gave it back. This week hackers stole $97 million from the crypto exchange Liquid. This time it doesn’t appear to be a joke. The exchanges are getting better at freezing the money when this happens because they have so much experience at it. That is probably not a good thing. For the hackers, that is. Credit: Data Breach Today

Blackberry Says Older Versions of its QNX OS Are Vulnerable

Blackberry sells a real time operating system used in cars, medical equipment and other embedded equipment, including 175 million cars (a number that doesn’t include the tens of millions of other devices that could have been bought pre-fix and are still in use in factories, warehouses and many other places). But those are older cars – Blackberry says it fixed the bugs in 2012, after denying for months that they existed. That likely (maybe) means that products DESIGNED after 2013 or 2014 are not vulnerable, but that is a design date, not a manufacture or sale date. Blackberry has released patches to manufacturers, but that doesn’t mean the patches have been installed in the field. Credit: The Register

Ransomware 4.0? Maybe

First there was ransomware: just encrypt your files and demand money. Then ransomware 2.0: steal your data before encrypting it and demand money to keep it private. Next came ransomware 3.0. With this generation, the hackers go directly to the business’s customers (one example was a psychotherapy practice where the hackers threatened to release the therapists’ notes if the patients didn’t pay up). Now comes version 4. With V4, the hackers offer employees of the intended victim a cut of the action if they release the ransomware into their employer’s network. Wow. This is getting out of hand. Credit: Brian Krebs

Security News for the Week Ending July 30, 2021

Internet Rot Causes Porn on Legit Sites

News sites like New York Magazine and others accidentally displayed porn because they still embedded links to the old and now gone Vidme video sharing site. Vidme went out of business in 2017 and a porn site later bought the domain. Since there is no easy way for web site operators to detect that a linked domain has changed hands, and since there are billions of old pages out there, you have the makings of an embarrassing disaster. Needless to say, the web sites fixed this little bit of rot, but there are millions of other bits of rot lurking. Credit: Wired
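There is no automatic signal when a domain you link to changes hands, but you can at least audit your own pages periodically. The script below is an added example (not from the article or from any of the sites mentioned): it pulls outbound links and embeds out of a page, follows each one, and flags links that are dead or that now land on a different registrable domain than the one you originally linked. The fetch function is injected so the sample runs offline against constructed responses; the hostnames are hypothetical.

```python
from dataclasses import dataclass
from html.parser import HTMLParser
from typing import Callable, Dict, List, Tuple
from urllib.parse import urljoin, urlparse


@dataclass
class FetchResult:
    status: int       # HTTP status at the end of any redirect chain
    final_url: str    # URL the chain ended at


class LinkExtractor(HTMLParser):
    """Collect outbound references: anchors plus embedded iframes, scripts
    and images, since an embed is exactly how a dead video host ends up
    rendering on your page."""

    def __init__(self) -> None:
        super().__init__()
        self.links: List[str] = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.links.append(a["href"])
        elif tag in ("iframe", "script", "img") and a.get("src"):
            self.links.append(a["src"])


def registrable_domain(host: str) -> str:
    # Crude approximation (last two labels); a production tool should use
    # the Public Suffix List so that e.g. example.co.uk is handled.
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def audit_links(page_url: str, html: str,
                fetch: Callable[[str], FetchResult]) -> List[Tuple[str, str]]:
    """Return (url, finding) pairs for outbound links that are dead or
    that now resolve to a different registrable domain than we linked."""
    extractor = LinkExtractor()
    extractor.feed(html)
    our_domain = registrable_domain(urlparse(page_url).hostname or "")
    findings: List[Tuple[str, str]] = []
    for raw in extractor.links:
        url = urljoin(page_url, raw)
        parsed = urlparse(url)
        if parsed.scheme not in ("http", "https") or not parsed.hostname:
            continue
        linked_domain = registrable_domain(parsed.hostname)
        if linked_domain == our_domain:
            continue  # only outbound links can rot under someone else's control
        try:
            res = fetch(url)
        except OSError as exc:  # urllib's URLError is an OSError subclass
            findings.append((url, f"unreachable: {exc}"))
            continue
        if res.status >= 400:
            findings.append((url, f"dead (HTTP {res.status})"))
            continue
        final_domain = registrable_domain(urlparse(res.final_url).hostname or "")
        if final_domain != linked_domain:
            findings.append((url, f"now redirects to {final_domain}"))
    return findings


# Constructed sample page and canned responses (hypothetical hosts).
SAMPLE_PAGE_URL = "https://news.example/story"
SAMPLE_HTML = """
<p>Watch the <a href="https://oldvideo.example/v/123">clip</a>.</p>
<iframe src="https://oldvideo.example/embed/123"></iframe>
<a href="/about">About us</a>
<a href="https://archive.example/2017/story">Archived copy</a>
<a href="https://gone.example/page">Old partner</a>
"""
CANNED: Dict[str, FetchResult] = {
    "https://oldvideo.example/v/123": FetchResult(200, "https://adult-site.example/landing"),
    "https://oldvideo.example/embed/123": FetchResult(200, "https://adult-site.example/landing"),
    "https://archive.example/2017/story": FetchResult(200, "https://archive.example/2017/story"),
    "https://gone.example/page": FetchResult(410, "https://gone.example/page"),
}


def canned_fetch(url: str) -> FetchResult:
    """Stand-in for a real fetcher; see the usage note for the live version."""
    if url not in CANNED:
        raise OSError("connection refused")
    return CANNED[url]


def run_sample() -> List[Tuple[str, str]]:
    return audit_links(SAMPLE_PAGE_URL, SAMPLE_HTML, canned_fetch)


if __name__ == "__main__":
    for url, finding in run_sample():
        print(f"{finding:45} {url}")
```

For live use, replace canned_fetch with a function that issues a HEAD request via urllib.request.urlopen (with a timeout) and returns FetchResult(resp.status, resp.url), since urlopen follows redirects and resp.url is where the chain ended. The cross-domain redirect check is the one that catches the Vidme case: the old URL still answers 200, it just answers from somebody else's site now.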

Ex eBay Security Boss Sentenced to 18 Months for Cyber-stalking and Witness Tampering

The former global security manager for eBay was sentenced on Tuesday to 18 months in prison and ordered to pay a $15,000 fine for his role in the cyber-stalking and harassment of a Massachusetts couple who published a newsletter critical of the internet yard sale. Philip Cooke, a police captain before joining eBay, was the last of seven charged in a scheme to threaten and silence the couple, who wrote a blog that was negative about eBay. eBay executives say that they were not aware of the tactics, but…..really? Credit: The Register

9th Circuit Limits Feds’ Confiscation of Electronics at the Border

The 9th Circuit Court (covering Alaska, Arizona, California, Guam, Hawaii, Idaho, Montana, Nevada, the Northern Mariana Islands, Oregon and Washington) ruled that border agents, who until now have had a complete free-for-all with your digital devices, are severely limited in what they can search for without a warrant. They can ONLY search for digital contraband such as child porn. Under the Trump administration, CBP kept a blacklist of reporters, humanitarian workers and lawyers and would regularly seize their phones and laptops under the ruse of homeland security and copy all of their content. Assume this will wind up at SCOTUS sometime in the next 5-10 years, but in the meantime, this is the law in the western US. Credit: The Washington Times

Ransomware Up 93% in Last 6 Months Adding TRIPLE Extortion

In a report, Check Point says that overall cyber attacks are up 17% in the US and 36% in EMEA over the first 6 months of the year. But, they say, ransomware is up 93%, driven by ransomware 3.0. For those not following this, in ransomware 1.0 the crooks just encrypted your data. In ransomware 2.0 they steal it first, then encrypt it, and threaten to release it if you have good backups and don’t want to pay. In ransomware 3.0 they steal it and encrypt it, but also try to get your customers, whose data they have stolen, to pay. Credit: Cyber News

DOJ Admits Hackers Got Into Emails of 27 US Attorneys’ Offices

Seven months after the SolarWinds attack was announced, DOJ now says that Russia was able to browse their emails between May and December 2020, including sent, received and stored mail, and attachments. DOJ admits that Russia had access to at least 80% of employees’ emails in the Eastern, Northern, Southern and Western Districts of New York. They also got access to emails in California, DC, Florida, Georgia, Kansas, Maryland, Montana, Nevada, New Jersey and 6 other states. Credit: Bleeping Computer

How to Defend Against NSO Spyware

Or at least try!

The NSO Group is the Israeli company that sells spyware to governments, and which, evidence suggests, also sells to all sorts of unsavory characters, although they deny that.

Evidence also shows that the targets include journalists, activists, business executives and lawyers around the world.

But they come from the Wernher von Braun school of rocketry: once the rockets go up, who cares where they come down. They say that how their customers use the software is not their business.

While iPhones are usually good at stopping malware, against NSO’s Pegasus software they are about as secure as a screen door.

While there is no such thing as perfect security, that doesn’t mean you should just give up and let the hackers in. Pegasus gives its operator, which may be a government, essentially unlimited access to the target’s mobile device. It allows the operator to:

  • Remotely and covertly collect information, including:
    – location
    – relationships
    – phone calls
    – plans
    – activities
  • Monitor voice and VoIP phone calls in real time
  • Siphon contacts, passwords, files and encrypted content from the phone
  • Monitor the room around the phone by turning on the microphone
  • Monitor the phone’s location
  • Monitor conversations in apps like WhatsApp, Facebook, Signal and others

All that being said, it is just an old fashioned remote access trojan.

So, what can you do to even the odds?

  1. Avoid click bait – text messages or WhatsApp messages that try to get you to click on a link (which is what installs the malware). The messages may appear to come from your bank, for example.
  2. Separate sensitive work from non-sensitive work on different devices. I know that is a pain, but so is getting hacked.
  3. Use out of band verification (call or message the sender through a channel you already trust) if you get a link that you are not expecting

That is just one form of attack. Another is to intercept unencrypted web traffic (for example on a hostile WiFi or mobile network) and redirect it to malicious sites. To help thwart this:

  1. Always type the https:// in front of the URL (a site that sends an HSTS header makes your browser do this automatically on later visits, but the first visit still matters)
  2. Bookmark known sites and only go there from the bookmarks
  3. Use a VPN, so the network you are on only sees encrypted traffic to the VPN provider
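The first item in both lists above comes down to the same question: does this link actually go where it appears to go? The triage function below is an added example (not from the article or from The Intercept) that a helpdesk or a security-conscious user can run over a link pulled out of a message before anyone taps it. It checks for the tricks that make a phishing link look like your bank: plain http, credentials before an @ sign, a raw IP host, a punycode host that displays as a lookalike, a URL shortener, a trusted name buried in someone else's domain, and one-character lookalikes. The trusted domain and shortener lists are placeholders for your own; the sample URLs are constructed.

```python
import ipaddress
from typing import List
from urllib.parse import urlparse

# Assumptions for the sample: the domains you actually trust, and common
# shorteners that hide a destination. Replace with your own lists.
TRUSTED_DOMAINS = {"bank.example", "work.example"}
SHORTENERS = {"bit.ly", "t.co", "tinyurl.com"}

# Character swaps that look alike in many fonts (applied in this order).
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def fold(label: str) -> str:
    """Normalise a domain label so that 'rnybank' and 'mybank' compare equal."""
    for bad, good in CONFUSABLES:
        label = label.replace(bad, good)
    return label


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: catches single-character typosquats like bamk."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host: str) -> str:
    # Last two labels; a production tool should use the Public Suffix List.
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def display_host(host: str) -> str:
    """What the user would see: punycode (xn--) decoded back to Unicode."""
    try:
        return host.encode("ascii").decode("idna")
    except UnicodeError:
        return host


def triage_url(url: str) -> List[str]:
    """Return a list of human-readable warnings; empty means nothing suspicious."""
    findings: List[str] = []
    p = urlparse(url if "://" in url else "http://" + url)
    host = (p.hostname or "").lower()
    if not host:
        return ["no host in URL"]
    if p.scheme != "https":
        findings.append("not HTTPS: traffic can be read or redirected in transit")
    if p.username is not None:
        findings.append(f"credentials before '@': real host is {host}, not {p.username}")
    try:
        ipaddress.ip_address(host)
        findings.append("host is a raw IP address")
    except ValueError:
        pass
    if "xn--" in host:
        findings.append(f"internationalized host, displays as {display_host(host)}")
    reg = registrable_domain(host)
    if reg in SHORTENERS:
        findings.append("URL shortener hides the real destination")
    if reg not in TRUSTED_DOMAINS:
        reg_label = reg.split(".")[0]
        for trusted in TRUSTED_DOMAINS:
            brand = trusted.split(".")[0]
            # bank.example.evil.example or bank-secure.example: the trusted
            # name appears, but the registrable domain belongs to someone else.
            if trusted in host or brand in reg_label.split("-"):
                findings.append(f"impersonates {trusted}: registrable domain is {reg}")
            elif edit_distance(fold(reg_label), brand) <= 1:
                findings.append(f"lookalike of {trusted}: {reg}")
    return findings


# Constructed sample links, as they might arrive in an SMS or WhatsApp message.
SAMPLE_LINKS = [
    "https://login.bank.example/reset",
    "http://bank.example.evil.example/login",
    "https://bamk.example/verify",
    "https://bank.example@evil.example/",
    "https://bit.ly/3abcdef",
    "http://192.0.2.7/update",
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        print(link, "->", triage_url(link) or ["looks clean"])
```

A clean result is not proof of safety (the zero-click attacks in the next section need no link at all), and a legitimate sender can use a shortener, so treat these as reasons to verify out of band rather than as a verdict. Note that a browser will show the Unicode form of a punycode host, which is exactly why the display_host check decodes it the same way.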

Unfortunately, there are also zero-click exploits, ones that you don’t have to interact with at all to get infected. There was a recent iMessage attack that worked like that: just sending you a malformed iMessage was enough. To reduce the odds of this working:

  1. UNINSTALL **ALL** apps that are not absolutely essential (every app is another way in)
  2. Regularly audit your apps to make sure there are none there that you don’t need
  3. Regularly install all patches to the OS and apps – but only do that when you are on a trusted network
  4. Use a Faraday bag to stop the phone from communicating with its handler when you are not using it

Obviously, the simplest attack is physical access. To help thwart this:

  1. Keep your phone under your control at all times
  2. Do not believe the myth that hotel room safes are secure. They are not.
  3. Put your device in a tamper-evident bag if you need to leave it somewhere. At least that way you will know if someone attempted to get into it.
  4. Use burner phones and change them like underwear

I know that all of this is a pain in the rear. You have to decide what your level of paranoia is.

Remember: Security or convenience, pick one.

Credit: The Intercept