Tag Archives: Airtags

Security News for the Week Ending April 8, 2022

Hackers Hack Russia’s Largest State Owned Media Corporation

Hackers stole 20 years of communications including almost a million emails from the All-Russia State Television and Radio Broadcasting Company (VGTRK). Those emails were published by DDoSecrets. VGTRK runs 5 national TV stations, 5 radio stations and numerous propaganda outlets. The data is available for download as an almost 1 terabyte torrent. The hackers say they did this because of Russia’s attack on Ukraine. This is part of the ongoing cyber war between Ukraine and Russia. Credit: Daily Dot

Apple AirTags Are Useful for Stalking

Motherboard asked dozens of police departments for reports that included Apple Airtags. They received 150 reports that mentioned Airtags. Remember that they asked for reports from something like less than one half of one percent of the departments. In 50 cases women called the police because they were being notified by THEIR iPhones that they were being stalked. Many of these women thought that either former or current intimate partners were to blame. Only one report came from a man. A few of the reports talked about robbery or theft as the potential reason. In any case, Apple has a challenge for which there is no easy fix. Credit: Motherboard

Russia’s Great Firewall has Some Holes in It

Russian citizens are turning to a variety of tools to bypass Russia’s attempt to block citizens from accessing western media. From VPN tools to Telegram to Cloudflare’s WARP, they are effectively bypassing Russian controls and accessing French, British and U.S. newspapers. Credit: Bleeping Computer

Hotels Are Now Prime Targets for Hackers

As hotels use more tech and create more apps, they have more data for crooks to steal. And, since data is king, the crooks go after it. The Marriott/Starwood hack, back in the old days of 2014, netted the hackers information on a half billion people. With new laws like state privacy laws in the U.S. and GDPR in Europe, breaches are just going to get a lot more expensive. Luxury hotels are particular targets, as London’s Ritz recently found out. If you have to give information to a hotel, do what you can to minimize it. Credit: Financial Times of London

Government Sponsored Hacks not Limited to Russia-Ukraine

China continues to target India’s power grid, a year after the start of the attack campaign. Security researchers say the purpose right now is to gather intelligence to enable future attacks. They say the attackers would attempt to compromise the grid’s load management system. If they succeed, it could cause cascading blackouts with no way to stop the dominoes until the country is dark. The FBI says that hundreds of U.S. critical infrastructure companies have been attacked as well, so this is not limited to India. Credit: The Hacker News

Security News for the Week Ending March 4, 2022

Apple Scrambles to Try and Figure Out How to Stop Stalkers From Using AirTags

Their newest idea is that, when you initialize a new AirTag, it will tell you that stalking may be illegal in your country. I really, really doubt that will have any effect. They are also shortening the time window for notifying you that you are being stalked. Users of newer Apple devices will be able to find out how far away Apple thinks that rogue AirTag is. They are trying, but there is no simple fix. Credit: Yahoo

China Outs NSA Hacking Tool

Just like the U.S. outs foreign hacking tools when it suits our purposes, China is now doing the same thing. Likely this is for internal consumption, but it does give us a little bit of insight into their thinking and for sure, that certain hacking tools are no longer secret. Credit: Vice

Anonymous Hacks High Profile Russian Leaning Websites

First, Anonymous hacked the Russian Ministry of Defense and posted the stolen data online for free. The data includes officials’ passwords, phone numbers and emails (Credit: Cyber News). Then they claim to have broken into Belarusian weapons maker Tetraedr and stolen a couple hundred gigabytes. The data stolen included emails, and they even conveniently indexed all of them and handed the data to DDoSecrets. They call this Operation Cyber Bully Putin (Credit: Cyber News). It sounds like there will be more web sites hacked. Stay tuned.

Apple Responds to Russian Invasion of Ukraine

Each company is doing its own thing. In Apple’s case, they have paused all product sales in Russia. Apple Pay and other services have been limited. Apple Maps has stopped live updates and Russian propaganda apps have been taken off the Apple store (why were they there in the first place?). Credit: ZDNet

FCC to Review Border Gateway Protocol Security

In 1989 an engineer from Cisco and one from IBM wrote down an idea on two napkins (that have been preserved). That was the basis of Border Gateway Protocol or BGP. Needless to say, they did not think about security. BGP has been hacked by China and North Korea, among many others, so many times that we have all lost count. But BGP is a critical part of the Internet’s routing system. Finally, twenty-five years too late, the FCC is “looking into” BGP security. We shall see what happens. Change on the Internet goes slowly. IPv6 was approved 10 years ago and still, it is the minority of traffic on the Internet (it is used a LOT on the backbone, just not at the edge). Credit: Data Breach Today

Apple AirTags – The Stalker’s Dream

I can’t really blame Apple for this. Their heart was in the right place. Helping people find their lost stuff sounds like a reasonable goal.

The problem is that no good deed ever goes unpunished.

Initially, people bought an AirTag and then either slipped it into someone’s coat pocket or attached it to the back of a license plate. The goal there was to find out where the stalkee lived, worked or visited.

Then Apple added software to warn stalkees that they were being stalked. At first it didn’t do that for 24 hours. They have progressively lessened that number of hours as the problem got worse.

Then they added a quiet beep that you might notice. Of course, if the stalker attached it to your car, all they needed was 30 seconds’ worth of access to remove it. That MIGHT BE possible, depending on the circumstances.

Then capitalists figured out how to neuter the speaker so that it didn’t make any noise anymore. You still might get a warning that you were being tracked, but no beep.

Mind you, there are other tracking discs, like, for example, Tile, but this one is the most widely used one for a variety of (mostly malicious) reasons.

Of course, if you are an Android user and someone slips a disc in your coat, you won’t get notified – unless you install Apple’s creeper software on your Android phone, but I doubt many people even know it exists.

Now a security expert in Berlin has cloned an AirTag and programmed it to bypass Apple’s security protections. In particular, the AirTag alerts a stalkee if the phone sees an AirTag that doesn’t belong to the stalkee around the phone for a number of hours. How does it do that? The AirTag periodically broadcasts its key. If the phone sees the same key a lot and it is not yours, it warns you. So, this clone throws out a new key every time it broadcasts.
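The key-matching check described above, sketched as an added example (it is not Apple's code or the researcher's) to show what such a check can and cannot see. The 8-hour threshold, the key strings and the sighting format are assumptions, and both traces are constructed.

```python
# Added illustration: persistence-based "unknown tracker" check.
ALERT_AFTER_HOURS = 8.0  # assumption; the post only says "a number of hours"


def foreign_key_dwell(sightings, own_keys):
    """Map each foreign broadcast key to the hours between its first and last sighting.

    sightings: iterable of (hours_since_start, key) tuples, in any order.
    """
    first, last = {}, {}
    for t, key in sightings:
        if key in own_keys:
            continue  # the owner's own tags never trigger a warning
        first[key] = min(t, first.get(key, t))
        last[key] = max(t, last.get(key, t))
    return {k: last[k] - first[k] for k in first}


def unwanted_trackers(sightings, own_keys, alert_after=ALERT_AFTER_HOURS):
    """Keys that stayed near the phone for at least alert_after hours."""
    dwell = foreign_key_dwell(sightings, own_keys)
    return sorted(k for k, hours in dwell.items() if hours >= alert_after)


# Constructed traces: one broadcast every 30 minutes for 10 hours.
TIMES = [i * 0.5 for i in range(21)]
OWN = {"my-keys-tag"}
STABLE_TRACE = [(t, "my-keys-tag") for t in TIMES] + [(t, "foreign-A") for t in TIMES]
# The clone from the post: every broadcast carries a key never seen before.
ROTATING_TRACE = [(t, "my-keys-tag") for t in TIMES] + [
    (t, f"one-time-{i}") for i, t in enumerate(TIMES)
]

if __name__ == "__main__":
    print("stable tag flagged:", unwanted_trackers(STABLE_TRACE, OWN))
    print("rotating clone flagged:", unwanted_trackers(ROTATING_TRACE, OWN))
    dwell = foreign_key_dwell(ROTATING_TRACE, OWN)
    print("distinct foreign keys:", len(dwell), "longest dwell:", max(dwell.values()))
```

In this model the rotating clone shows up only as 21 foreign keys that each appear once, so a check keyed on one identifier persisting over time has nothing to flag.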

In fairness to Apple, this is not even their product at this point. Someone stole their idea and designed it to work better for evil.

Other researchers are trying to figure out how to stop these attacks.

It will likely be a cat and mouse game – good vs. evil – for a long time, probably forever.

So once again, Apple had a good idea and hackers turned it into a pile of poop.

Credit: PortSwigger

Security News for the Week Ending February 4, 2022

Who is Interested in Attacking My Little Website?

I have written about this before but it is worth repeating. I have a simple firewall on my blog sites. There is nothing terribly sensitive there; it is not connected to my company’s network, but still I continue to be amazed. Yesterday there were 1175 attacks from Lithuania alone on one of my sites last week. This included a sustained attempted SQL injection attack. These are mass, indiscriminate attacks. Imagine what the attack drumbeat looks like if you are targeted. Are you protected? Do you care if your website goes down due to an attack? Or is defaced? Or is made unavailable?

CISA is Getting Aggressive on Patching Flaws

CISA has produced a list of bugs that are being actively exploited and is requiring that executive branch agencies actually install the patches (imagine that). This requirement came out of a Binding Operational Directive. While no one is going to jail if they do not follow a BOD, it is not likely to make the boss happy, which could affect both your budget and job security. This list is now over 350 bugs (compare that to the number of CVEs -bugs- publicly indexed in 2021, which is over 10,000, and was over 18,000 in 2020, so this is a tiny fraction of the total bugs). And it seems that they add new bugs every week. While this is mandatory for agencies, it is just smart for everyone else. If you are not watching this list, you should. Source: CISA’s Known Exploited Vulnerabilities List

NSO Group Has an Evil Twin

While everyone has been focused on the NSO and its ability to hack iPhones, lurking in the darkness is another Israeli security company, QuaDream. A competitor, they seem to have, up until now, stayed under the radar, even though they used the same iPhone vulnerability, called ForcedEntry. When Apple patched it last year, it broke both NSO’s and QuaDream’s hacking software. QuaDream’s software, like NSO’s, can take over the iPhone camera and microphone, record phone calls and other fun stuff. Just to point out that the problem is bigger than NSO. Credit: Metacurity

DoJ Charges 6 Indian Call Centers With Scamming U.S. Citizens

You know all those calls you get pretending to be Microsoft or the IRS or Social Security? A lot of them come from India and now the feds have gone after them. The feds have indicted 6 companies and their owners personally. It is much more likely that they will be extradited to the U.S. since we are on reasonably friendly terms with India. Credit: The Hacker News

Stalkers Are Silencing Apple AirTags Used to Stalk Victims

AirTags were, ostensibly, designed to help people find their keys, but stalkers have figured out that they are a great way to find out where victims, typically young and female, live, work and go. In theory, an AirTag makes a quiet beep after it has been separated from its owner for 8-24 hours. The idea is that if it is being used to stalk someone, they might hear the quiet beep. But stalkers didn’t like that so they have figured out how to physically disable the speaker without damaging its tracking ability. There is no software fix for this and likely even if the design is changed, that won’t stop the stalkers either. Since these things are so tiny, it is unlikely that a hidden one would be detected. Credit: Gizmodo

Security News for the Week Ending December 17, 2021

The Gift That Keeps on Giving – Log4j – List of Affected Vendors

First, get used to hearing about this. It will be haunting us for months, at least. Jen Easterly, current head of DHS’s CISA and formerly at NSA and a professor at the US Military Academy at West Point says this may be THE WORST vulnerability she has seen in her career. As of Monday, here is a list of affected vendors. If you use any of these vendors, and it looks like a who’s who of computer software, watch for patches. Second, it looks like the first patch for Log4j, 2.15, didn’t close the hole and now there is a new release, 2.16. This will keep evolving, so if you are a company that uses software, this applies to you.

From Friday through Tuesday researchers tracked more than 840,000 attempted attacks looking for the Log4j vulnerability. They are only getting started. Credit: Ars Technica

Hackers Hit Third Cryptocurrency Company This Month-Total Haul is Over $400 Mil

VulcanForge is the next cryptocurrency company to get hit by hackers. The hackers stole about $135 million from it. If you get the sense that cryptocurrency software is buggy and processes are weak, you have it about right. In VulcanForge’s case, since it is decentralized, there is no central authority to block the movement of stolen currency. This is not going to end anytime soon. Credit: Vice

Apple Airtags Make a Wonderful Stalking Tool

Stalkers are using Apple AirTags to stalk people. A woman in Arkansas, for example, got into her car and her iPhone told her that an AirTag was following her. She found the tag on her trunk. If a stalker tried to hide it, say under her car somewhere, it would be more difficult to find. Apple says that Android users can detect a rogue AirTag because it will beep if it is separated from its owner for more than three days (assuming that is the case).

Credit: Apple Insider and Daily Kos. Apple has released an Android app to detect rogue trackers, but how many Android users are going to even think of downloading an Apple app? Credit: PC Mag

Feds Don’t Quite Handle Incident Response

A backdoor in the network of the United States Commission on International Religious Freedom has allowed attackers to intercept, and likely exfiltrate, all local network traffic on the agency’s systems. Security firm Avast discovered the intrusion in May, spoke to the agency’s executive director and even talked to CISA. After getting no follow-up for months, Avast published their findings. Avast says that due to lack of communications from the Agency, they don’t know if they fixed the problem. They have since reached out to other agencies and NGOs focused on international rights to warn them. Maybe they fixed the problem right away? Who knows? Credit: Data Breach Today

Apple Airtags – A Low Cost Surveillance Tool for Good or Evil

Ever see a scene in the movies where the cops (or the bad guys) plant a tracking device on someone and later catch the person doing something?

Ever hear stories about an ex stalking his or her former partner?

Well Apple just made that ‘affordable’.

Probably too affordable.

And folks have already tested it.

Like putting an AirTag in a FedEx envelope and mailing it somewhere. Then tracking it. Apparently, WAY more precise than FedEx’s own tracking system.

In part, that is because of how they work. If they are within a few feet of any iDevice, poof, you know where it is. That works great in the city where the number of Apple devices per square inch is high. Go out into the woods and it doesn’t work so well. Unless the person you are tracking has an iDevice.

You want to know where your kids are? Covertly slip a $29 tracking device in their backpack.

Want to know if your spouse is cheating? You can buy 4 tags for less than a hundred bucks.

Want to keep tabs on your ex? Ditto.

You could hide one in a car or any number of places, depending on how devious you are.

Here is the worst part.

In many cases, it may not even be illegal. But it might be. Depends.

Point of information: A tag is tied to an Apple device. If the Apple device can be tied to you or someone you called or an email account you accessed, the cops will be able to find you.

Just in case you were thinking of doing something illegal.

Tracking your kids? That’s not illegal. But kids are usually smarter than parents, so they might be tracking you right now. If they have $29.

Credit: Ars Technica