The Darker Side of Drones

Over a million drones have been sold to the hobby market in the U.S. alone.  Some have been sold with more nefarious purposes intended.

To make matters worse, the FAA expects that number to triple – to over 4 million drones – by 2021.

Drones are used by farmers to manage their fields, to inspect infrastructure such as pipelines, and even, on a trial basis, by Amazon to deliver your package.

In Iraq and Syria they are used to drop grenades and small explosives; in prisons, to deliver contraband; and in your back yard, to take pictures of you while you sunbathe in your birthday suit.

In addition to these stories, there are hundreds of new stories every day.

The challenge is how to separate the good from the bad and that is not easy.

Information for this post came from World Wide Technologies.

The first answer is that today, for consumers, there is no good answer.  The military is probably in a little better position, but not much.

It is important to understand that shooting down your neighbor’s drone or even interfering with its radio or GPS signal is a crime and will get you arrested (and has gotten people arrested) if you are caught at it. Under U.S. law, a drone is considered an airplane and shooting down your neighbor’s $500 DJI drone will get you the same treatment as if you shot down a commercial airplane – so don’t even think about it.

Here is what the experts are looking at.  Some drones stay in radio contact with their controllers.  If that is true, you may be able, with the right equipment and some luck, to trace the radio signals back to the controller.

Some drones can be programmed to travel on a flight path without any communication back to their owner.  In order to track these guys you need far more sophisticated technology – infrared signal trackers, for example.  Very expensive today.

The drone maker DJI has released AeroScope, a system that tracks only DJI drones, by the signals they emit.  Owners can, however, encrypt those signals, and the system won’t track competitors’ drones, so it is of limited use.

For drones used for surveillance, such as, possibly, the one that crashed into the 40th floor of the Empire State Building last year, standard security measures work – close the blinds to keep out cameras, encrypt WiFi to discourage eavesdropping and if you think you are a target like banks and law firms, up the ante on those – strong encryption and light/radio blocking window blinds.

Right now the bad guys are winning, but stay tuned, people are working on the problem.


Fake DC Cell Tower Story Has New Legs

Last week I wrote about the problem of fake cell towers in DC.

Well, the story has some interesting twists and turns.

First, the largest maker of these devices (at least as best we know) is Harris Corp., maker of the Stingray family.  Harris has been so close-mouthed about them that it has made the FBI drop cases against crooks rather than disclose that these things even exist.

Well, the cat is out of the proverbial bag regarding the fact that there are probably gobs of these things on the loose, made by who knows whom – probably some are home brew – and they are listening in on – maybe Congress critters.

You have probably heard that there is nothing worse than a Congress critter scared that his or her cover is blown – whether it is a mistress or payoff or leak or whatever – and now susceptible to blackmail.  That’s why when you are getting approved for a security clearance, they want to know about all of your skeletons.  Not because they care very much, but because they don’t want the bad guys to use them against you.

It sounds like there may be Stingrays and Stingray-lookalikes all over the country, likely near sensitive facilities, and the FCC and DHS are playing stupid about it.

Why would they do that?

NOTE TO HARRIS CORP:  JUST PICKING ON YOU BECAUSE YOU ARE THE MOST WELL KNOWN CELL INTERCEPTOR.  I SUSPECT THAT AT LEAST SOME OF THESE BOGUS INTERCEPTORS DON’T COME FROM YOU.

Who do you think is the largest (legal) user of Stingrays?  U.S. law enforcement and spies – and since they don’t want people to know anything about what they are doing, there are no records kept, so no one really knows if a Stingray belongs to the FBI or the KGB or whatever China’s version of those two is.

You can count on all of those having deployed some of them.

But, we don’t really know, actually.

Some of those Congress critters now want to skewer Ajit Pai, head of the FCC.  This could get entertaining, at a minimum.

Information for this post came from The Register.

So what can you do?  Unfortunately, not a huge amount, but there are some things.

Number one is don’t use your cell phone.

Well, not like that.

If you make calls from the data side of your phone, these devices cannot intercept the calls in the same way.

Say you make a call using Signal or WhatsApp.  The call is just more data.  Even the number you are calling is just data.  And it is encrypted.  Can spies, given the right motivation, crack the crypto?  Probably, even likely.  Even if it means hacking into your phone.  But you would need to be a very specific target for that to be worthwhile.

Power off your phone when you are not using it.  Truly a pain, but they can’t pick up a signal if the phone is off.  If you want to be off the grid for some reason, you have to be off the grid.

If you are Edward Snowden, you put the phone in the oven (preferably OFF) or the freezer (Likely ON).  Both are sealed metal boxes that don’t transmit radio waves.

If you are paranoid, Amazon sells RF shielding pouches, the portable version of Snowden’s oven or freezer for as little as $6.99.  For an example of one, click here.

So, while there is likely some risk, unless you are at high risk for some other reason, I probably wouldn’t worry much about it.  But, if you are concerned or just want to ‘stick it to the man’, there are some things that you can do if you are willing to be a little inconvenienced.


Friday News

Delta Airlines Terms of Service “Concern”

Users that tag pictures with Delta Skymiles hashtags (#Skymileslife and #Deltamedalionlife) agree to some interesting terms and conditions, according to recently modified Delta Skymiles program terms.  (a) They give Delta a perpetual license to use the tagged content (photos), and (b) they warrant that they are the sole owner of the content and have the authority to post it.  Note that you are not posting this on Delta’s web site.  The next term is the one that is mind blowing.  (c) You agree, under your Skymiles program agreement, that if you post something, say on Twitter, with those hashtags, you will indemnify Delta and pay any legal fees, among other terms.  Pretty amazing.  (Source: BoardingArea.com).

Ransomware May Kill You – Literally

Researchers at Vanderbilt studied the mortality rate in hospitals and correlated that data to hacking attacks.  They found that the mortality rate increased by about one-third to one-half percent after an attack.  They also say that the size of the breach doesn’t seem to affect the mortality rate.  (Source: Dark Reading).

Alabama is the last state in the union to enact a data breach notification law

Almost 15 years after California’s landmark privacy law, SB 1386, became effective, Alabama passed a data breach notification law and the governor signed it.  Like many other states, it refers to “implement and maintain reasonable security” and “conduct a good faith and prompt investigation” in case of a breach.  What is a bit less customary is that it gives some detailed specifics as to what is reasonable.  Yay for Alabama.  (Source: Ballard Spahr)

Homeland Security Says Rogue Stingrays Operating in DC

Stingrays, one brand name for cell phone call interceptors, were found by Homeland Security to be operating in DC last year, according to a memo between DHS and Sen. Ron Wyden (D-OR).  DHS said that it did not have the equipment or funding to monitor for rogue devices.  It makes sense that foreign intelligence services would be very interested in intercepting cell phone calls made by government officials in DC, and likely in many other cities where there are large defense and intelligence communities.  Wyden said that leaving cell phone security to the phone companies has been disastrous, which is certainly true, but he didn’t mention efforts by the NSA to weaken crypto over the last 20 years or efforts by the FBI to intentionally build back doors into all encrypted communications, so, maybe, what goes around comes around  (Source: Associated Press).

Why Vendor Cyber Risk Assessments Are So Important

Bangalore-based Business Process Outsourcer [24]7.ai admitted that it suffered a breach between September 26th and October 12th, 2017.  Being an outsource vendor, its breach likely affected many customers.  Among those that have fessed up, so far, are Delta Airlines, Sears and, yesterday, Best Buy.

[24]7.ai said that it thought only a million of its customers’ credit cards were affected by the breach.

You can outsource the work, but you can’t outsource the liability.  Even though Sears, Delta and Best Buy are trying to throw [24]7.ai under the cyber liability bus, their customers will blame them (Source: Economic Times of India).


Facebook Continues its Damage Control Program

Facebook is used to riding high.  Not so much lately.

First they said that Cambridge Analytica inappropriately captured the data of 47 million users after 250,000 or so users completed a survey and they captured the information of all of those people’s friends without their permission.

Now they are saying that their arithmetic wasn’t so good and it wasn’t 47 million but rather 87 million users (Source: National Review).

Facebook is also saying that “malicious actors” took advantage of the search tools on Facebook and captured public information on most of its 2 billion users.  The attack was very creative.  Take email addresses or phone numbers compromised in one of many breaches and pop them into Facebook’s search box.  Until yesterday, that would retrieve any information you marked as public, including photos, job history, friends and other information.  Yesterday, as part of their “rehabilitation”, they disabled the feature, but not before bad guys stole terabytes of data (Source: Washington Post).
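The lookup-by-identifier abuse described above is a bulk enumeration pattern, and the defensive lesson is that a people-search endpoint needs monitoring for it, not just a per-user privacy setting. The following is an added example, not code from the original post or from Facebook, of detection logic that a site operator could run over its own search logs: it counts how many distinct contact identifiers (email addresses or phone numbers, as opposed to free-text name searches) each client looks up within a sliding time window and flags clients that exceed a threshold. The log line format, the client addresses and the queries are all constructed for the example, and the window and threshold values are assumptions to be tuned per site.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log lines for a hypothetical /search endpoint (not real data).
# Client 203.0.113.7 walks through a list of breached emails/phones in seconds;
# 198.51.100.2 is ordinary use; 192.0.2.9 repeats one lookup (not enumeration).
SAMPLE_LOG = """\
2018-04-04T10:00:01Z client=203.0.113.7 path=/search q=alice@example.org
2018-04-04T10:00:02Z client=203.0.113.7 path=/search q=bob@example.org
2018-04-04T10:00:03Z client=203.0.113.7 path=/search q=+15555550100
2018-04-04T10:00:04Z client=203.0.113.7 path=/search q=carol@example.net
2018-04-04T10:00:05Z client=203.0.113.7 path=/search q=+15555550101
2018-04-04T10:00:06Z client=203.0.113.7 path=/search q=dave@example.org
2018-04-04T10:00:07Z client=203.0.113.7 path=/search q=Alice+Smith
2018-04-04T10:01:00Z client=198.51.100.2 path=/search q=alice@example.org
2018-04-04T10:01:30Z client=198.51.100.2 path=/search q=Bob+Jones
2018-04-04T10:02:00Z client=192.0.2.9 path=/search q=erin@example.org
2018-04-04T10:02:01Z client=192.0.2.9 path=/search q=erin@example.org
2018-04-04T10:02:02Z client=192.0.2.9 path=/search q=erin@example.org
2018-04-04T10:02:03Z client=192.0.2.9 path=/search q=erin@example.org
2018-04-04T10:02:04Z client=192.0.2.9 path=/search q=erin@example.org
"""

# Assumed log layout: ISO timestamp, client address, path and the raw query value.
LINE_RE = re.compile(r"^(?P<ts>\S+) client=(?P<client>\S+) path=/search q=(?P<q>\S+)$")
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
PHONE_RE = re.compile(r"^\+?\d{7,15}$")


def parse_line(line):
    """Return (timestamp, client, query) for a well-formed line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
    return ts, m.group("client"), m.group("q")


def is_contact_identifier(query):
    """True when the query looks like an email address or phone number
    rather than a free-text name search; these are what breach dumps contain."""
    return bool(EMAIL_RE.match(query) or PHONE_RE.match(query))


def find_enumerators(log_text, window_seconds=60, threshold=5):
    """Map each flagged client to the peak number of *distinct* contact
    identifiers it looked up inside any window of window_seconds.

    Distinct values matter: one identifier repeated many times is a retry or
    a refresh, while many different identifiers in quick succession is the
    breach-list-in-the-search-box pattern."""
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    events.sort(key=lambda e: e[0])

    windows = defaultdict(deque)   # client -> recent (timestamp, identifier) pairs
    peaks = {}
    for ts, client, query in events:
        if not is_contact_identifier(query):
            continue
        recent = windows[client]
        recent.append((ts, query))
        # Drop entries that have fallen out of the sliding window.
        while (ts - recent[0][0]).total_seconds() > window_seconds:
            recent.popleft()
        distinct = len({q for _, q in recent})
        if distinct > peaks.get(client, 0):
            peaks[client] = distinct
    return {c: n for c, n in peaks.items() if n >= threshold}


if __name__ == "__main__":
    for client, count in find_enumerators(SAMPLE_LOG).items():
        print(f"possible enumeration from {client}: {count} distinct identifiers in 60s")
```

On the constructed sample only 203.0.113.7 is flagged; the repeat lookups from 192.0.2.9 count as a single distinct identifier and the two normal searches stay below the threshold. In practice the same counter keyed by account or session, rather than only by client address, is what catches an attacker rotating source addresses, and the flagged output feeds a rate limit or a challenge on the search endpoint rather than an outright block.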

Then there was the memo by Facebook exec “Boz” who said that anything that we do to connect more people is good, even if it is used by terrorists.  Now that the memo has become public, he claims that he didn’t really believe that. (Source: CNBC).

Finally, after first saying that while he liked the EU’s new privacy regulation, GDPR, Facebook had no plans to make that the rule in places where they were not being forced to do that by law, they are now saying, just kidding (Source: Ars Technica).

Okay, given that Facebook seems to be acting like the twin of Mr. Robot’s Evil Corp., what should you do?

First, be a conscious user.  Even today Facebook allows you to make information private or visible to just friends.  My posts are public, intentionally, but nothing else is public – only visible to friends.

Given that Facebook makes all of its money from selling your data, the default is always going to be share (or steal) your data.  You need to proactively change the defaults.

As Facebook makes changes in response to the current PR disaster it is in the middle of, see what new capabilities they offer and take advantage of them.

Finally, don’t post so much.  Do you really need to post everything that you do?  Once you post it, it is out there.  At least one insurance company is denying burglary claims if people posted their vacation plans prior to returning home.  Be smart;  post less.

Social media is wonderful, but with wonderfulness comes problems, so be smart.


Drupalgeddon 2

The Drupal team has released a patch for a flaw that they call highly critical: it allows an attacker to run arbitrary code on a Drupal web site with no authentication required. All the attacker needs to know is the URL of the web site.

Drupal rates the severity of the flaw a 21 on a 1 to 25 scale.

They said they expect exploits to be developed within hours or days.

From a risk standpoint, for an unauthenticated user to be able to run any arbitrary code on your website, that is about as bad as it gets.

All recent Drupal versions are affected – 6, 7 and 8 – and Drupal has created patches even for old, unsupported versions.

Details are available here.


80% of IoT Apps for Your Phone Contain Vulnerabilities

The Internet of Things is the newest fad.  Today I heard about Internet connected sneakers.  Apparently, you can change the design at will.

Given that, and the lack of any liability on the part of the software developer no matter what happens (when was the last time a software developer was sued for writing a buggy app?), there is not a lot of motivation to write good software.

Pradeo labs studied a hundred apps that control everything from your baby monitor to your garage door and found some unsettling but not surprising facts:

  • 80% of the apps had vulnerabilities
  • 15% were vulnerable to being taken over
  • 8% get connected to uncertified networks, including domains that have expired and which could be purchased by hackers
  • 90% (yes, that is not a typo) leak application data such as application content, device information, video, audio and location.

Information for this post came from Pradeo Security.

Given this, what should a user do?

Unfortunately, there is no easy answer.

First, and this one is hard, don’t be the first on your block to install an app.  Let others debug the software.

Second, look for app reviews and especially security info in reviews.

Third, ask the vendor (and not the retailer) about security.  If you get blown off or get some fluffy answer, you get the message – security is irrelevant.

Fourth, make distinctions between apps that secure, say, your house and apps that open the blinds.  You may not care if your blinds are opened accidentally, but you probably care if a hacker unlocks your house or is watching you and your baby.

And last, be willing to forgo the newest gee-whiz app if you don’t have a good feeling about it.
