
Security News Bites for the Week Ending February 15, 2019

Anybody Know What 5G Cellular Means?

5G is the next generation of cellular, promising blindingly fast service and web page loads in the blink of an eye.

Unfortunately, it doesn’t really exist yet.  Yes, a few carriers have set up a few cell sites in a few cities, but there are basically NO phones that are 5G capable at this time.  Apple should launch one in 2020.

5G will also require a LOT more cell sites that don’t exist and that most people don’t want in their backyard.

What this means in reality is that 5G won’t be a factor for years and in many places – low density areas – it may never come due to the expense.  And definitely not until you buy a new phone.

But that hasn’t stopped AT&T from adding a 5G “e” to some of their phones.  AT&T is doing preemptive marketing hoping that people won’t understand that they are not getting 5G service and not getting a 5G capable phone.  But, by that time, they will be locked in.

AT&T says the “E” means evolution, whatever that means.  Other people say the “E” means eventually – just not with that phone or that cell site.

Here’s what Verizon said about it:

5Ge. It’s pretend, it’s fake, it’s the kind of BS that gives marketers, communicators, businesses and the wireless industry a black eye. So let’s have some fun. Some people call it “Faux Five G”. There’s “5G Eventually”. What’s your name for @ATT false marketing?

So Sprint is suing AT&T.  AT&T says that people won’t be confused.  Sprint did a survey in which 17% of the people said that they already had this non-existent 5G service.  Stay tuned.  Source: PC Mag.


Discarded Smart Lightbulbs May Be a Security Hole

Smart lightbulbs are smart because they are network connected and since most people are not going to plug a network cable into that bulb, they talk over WiFi.

Researchers took a LIFX smart bulb apart and took the circuit board out of it.  When they analyzed the board they found the WiFi password – not encrypted.

Next, all of the security settings for the processor were found to be disabled.

Finally, the company’s RSA private encryption key and root certificate are also accessible.

Given that this takes a bit of work to reverse engineer, a hacker is not likely to do it for a single WiFi password, but getting the company’s private encryption key, which would allow them to sign malicious code and push it wherever they want, would be worthwhile.

Maybe they should call it a dumb lightbulb.  Source: Limited Results web site.


If You Live in the UK, Be Careful Where You Click

The UK signed into law (what they call Royal Assent) the Counter Terrorism and Border Security law this week.  This law makes it a crime to VIEW information “likely to be useful to a person committing or preparing an act of terrorism”.

One click.  Penalty is up to 15 years in prison.

Seems like a bit of over-reaction to me.  The UK’s special rapporteur on privacy said the law was “pushing a bit too much towards the thought crime”.  1984, we are here.  Source: The UK Register.


FTC in Negotiations with Facebook over Multi-Billion Dollar Fine

Sources have confirmed that the FTC and Facebook are negotiating over a multi-billion dollar fine over Facebook’s privacy practices.  The details have not been released and it could ultimately wind up in court if the two sides cannot agree.  If it does, get your popcorn out because it could be a humdinger.  The FTC’s investigation has been going on for about a year.  Source: Washington Post.


Gov Testing Smartphones as a Replacement for CAC Access Cards

The DoD is testing whether your smartphone can identify you as well as their current Common Access Card to get into DoD buildings and computer systems.

Your smartphone knows how you walk, how you talk, how you type.  You get the idea, but there is more.

With software on the phone, they are going to know exactly where you are at every moment of the day, where you spend your free time (maybe you have someone on the side), what web sites you visit, what bars you visit and how long you stay there.

It may work, but it may be a little bit too 1984 for me.

Using constant monitoring of the user’s behavior—including how they walk, carry the device, type and navigate on it and even how they commute to work and spend their free time—the system will automatically and continuously verify the user’s identity, enabling them to seamlessly work on secure networks without having to plug in a card each time. Source: Nextgov.


Cell Carriers Agree – AGAIN – To Stop Selling Your Location Data – HONEST!

Motherboard was able to buy real time location data from a broker for a T-Mobile phone for $300.  This is not illegal.

The food chain for location data is very complicated.

In this case, T-Mobile sold the data to data aggregator Zumigo.

Zumigo sold it to Microbilt.

Microbilt sold it to a bounty hunter.

Who sold it to a “source”.

Who sold it to Motherboard.

Ajit Pai, who, as the Chairman of the FCC, has not been very consumer friendly, “declined” a request for an emergency briefing to Congress during the Trump Shutdown.

While I am not terribly impressed by that, the reality is that the FCC won’t take any action during the shutdown anyway.  Still, there is no reason not to brief Congress other than that Pai is a Republican and he was asked to testify by the Democrats.

AT&T, Sprint and T-Mobile continue to sell data even though they have promised to stop selling data multiple times.

Now they are saying that they pinky-promise that they will really, really stop selling your location data.

One of the challenges is that there are some legitimate services, such as roadside assistance, that need the data, so the carriers will have to make other accommodations for them.

Another source of location data is the many applications that people love to install.  One recent study found that a given app might collect your location up to 14,000 times a day (10 times a minute).

Users have to grant permission for apps to use their location, but as we saw with the City of LA lawsuit against The Weather Channel, many times apps ask for your permission to use your location but don’t clearly tell you what they are using it for or who they are selling it to.

The problem for people that really want your data is that for any given user, they don’t know what apps you have installed or which apps you have given location permission, so their best answer is to buy your location info from a data aggregator if they can’t get it from the cell companies.

You can and should turn off location services when you don’t need it and review which apps you have given location permissions to see if you still want those apps to have that capability.

Don’t hold your breath.  Source: Bleeping Computer.




Security News Bites for Week Ending August 17, 2018

Hamas Creates Fake Missile Warning App to Hack Israelis

The Times of Israel is reporting that Hamas has created and was distributing a fake Code Red rocket warning app.

The app, according to Clearsky Cyber Security, takes over the phone and is impossible to remove, even if the app is deleted.

Once infected, the app allows the hacker to track the phone, take pictures, record sound, make calls and send messages – everything a normal user would do, except the person doing it, in this case, is a terrorist.

The message here is not just to avoid Hamas, but also to be wary of apps from untrusted sources as they may have unintended side effects.  Source: The Times of Israel.

Cisco and Others Release Patches for VPN Encryption Flaws

Cisco, Huawei, Clavister and ZyXEL network products are susceptible to an attack, according to a paper to be presented at the USENIX Security Symposium.  The attack allows an attacker to recover the encryption nonce, which in turn allows them to decrypt all VPN data.

Note this is NOT a flaw in the encryption algorithm, but rather a bug in the software that implements it.  This is why people regularly successfully hack and steal millions in crypto currency – because no software is perfect.

It is interesting that Cisco is the only major player affected.

Cisco has released patches for IOS and IOS XE, but users can only get them if they pay Cisco for software maintenance, the main reason I do not recommend Cisco products.  The other vendors don’t charge users for fixes of security flaws.

For Cisco users that do not have maintenance or are running old, unsupported hardware, *IF* you have the ability to turn off rsa-encr authentication mode, that will solve the problem.  It may break other things, however.  Source: Bleeping Computer.
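As an added illustration of the workaround described above (this is not from the article or from Cisco’s own documentation), here is what the setting looks like in a Cisco IOS IKEv1 policy.  The `authentication rsa-encr` line is the RSA-encrypted-nonce mode the article says to turn off; the corrected policy below replaces it with pre-shared-key authentication.  The policy number, cipher choices, key string and peer address are assumed placeholders, not values from the article.

```text
! Before: IKEv1 policy using RSA-encrypted-nonce authentication (the mode to turn off)
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication rsa-encr
 group 14

! After: the same policy with rsa-encr replaced by pre-shared-key authentication
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
! Pre-shared key for the peer (placeholder key and address; use a long random key)
crypto isakmp key REPLACE-WITH-LONG-RANDOM-KEY address 192.0.2.1
```

Pre-shared keys and `rsa-sig` (certificate-based) are the other two IKEv1 authentication methods.  Whichever you pick, the peer on the far end must be reconfigured to match at the same time, which is the “it may break other things” part: a policy mismatch means the tunnel will not come up at all.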

Oracle Releases Critical Security Patch

Oracle is urging its customers to quickly patch a critical vulnerability in their database installations which can result in a complete compromise of the database and provide shell access to the underlying server.

The attack only affects Oracle versions 11.2 and 12.2, is easy to exploit and can be exploited remotely, but does require the attacker to have credentials.  The vulnerability is in the Java virtual machine.

Users running 12.1 on Windows or any version of Linux or Unix should install the July patches.  Source: Helpnet Security.

Yet Another Spectre/Meltdown Style Vulnerability Found

This is a strange security week between Oracle and Cisco.  Now we have news of yet another Spectre/Meltdown style vulnerability.  How is it that for 15 years no one found any of them and this year they have found at least 6, probably more?

This new bug affects the Intel Core and Xeon families, i.e. the chip in every PC and Mac.  It is called the L1 Terminal Fault.  This new fault affects Intel’s SGX, which is kind of like the iPhone’s secure enclave, allowing an attacker to extract information from it – not good.

To add insult to injury, while the researchers found one attack, which Intel has confirmed, Intel itself says it found two more attacks.

Now here is the bad news.  Intel says that they will have a patch which will eliminate the problem with no performance impact on end user and non-virtualized environments, but for users running in a virtualized environment, especially in the cloud, that is a different story and Intel says that you will have to take additional steps – steps that you probably cannot actually take in a shared host environment like many AWS, Azure or Google environments. Source: Computing.Co.

Bitcoin Speculator Sues AT&T for $240 Million

The speculator is suing AT&T after they allowed a social engineer to port his phone number which he used for two factor authentication for his bitcoin transactions.

A hacker had broken into his account a few months earlier, and AT&T had set up an account PIN (this should be standard) and flagged his account as high risk.  Nonetheless, an employee allowed a hacker to port the phone number anyway, without any of that information.

Porting phone numbers to get around two factor authentication is becoming popular;  I was interviewed for a TV piece recently where someone’s number was ported and their bank account emptied out in just a few minutes.

AT&T is fighting the suit saying that they are not required to follow their own security protocols and certainly not responsible for what happens if they do not.  The speculator lost $23+ million in bitcoin.

For those who are in a high risk situation, using text messages for two factor is not sufficient and, in fact, given that his account had been hacked before, the question of why HE didn’t immediately change to a more secure second factor weakens his case.

Stay tuned.  Source: The Register.

Spying on You For Fun, But Mostly For Profit

We often tell you about web sites that use your data and sometimes in ways that you don’t expect, but usually it is to sell it to advertisers.

However, apparently, AT&T has created a new revenue stream.

AT&T calls the program Project Hemisphere.

Hemisphere is a program which allows law enforcement to search AT&T call records – not because of a warrant – but for a fee.

Harris County, home of Houston, paid AT&T $77,000 in 2007 and $940,000 four years later.  Sounds a bit like a drug dealer.  Get the addict hooked and then jack up the price by a factor of ten.

There are around 4,000 counties in the U.S. plus probably ten times that many cities, not to mention state governments.  If every one of them paid AT&T a million dollars a year – which of course they are not – that is a lot of money.

How much money?  We have no idea because AT&T isn’t telling.

Normally companies share data with law enforcement when they are legally compelled to.

In this case, AT&T has turned it into a product line and profit center.  And since law enforcement is buying a service from AT&T, they don’t have to worry about convincing a judge that there is probable cause in order to get a search warrant.   An administrative subpoena is just fine.

While AT&T would be required to comply with an administrative subpoena, they are not required to develop software to slice and dice the data and provide that information.

In case you were wondering whether AT&T thought this product offering was sleazy, they did.  AT&T required the government agencies to agree not to use the data in any judicial or even administrative proceeding unless there is no other available and admissible probative evidence.  In other words, if it got out that AT&T was analyzing and aggregating data and then selling it to the government, customers might leave.

In support of this service, AT&T has retained cell phone data back to 2008 or 8 years.  By comparison, Verizon keeps their data for a year and Sprint keeps theirs for 18 months.

AT&T saves call data, text message data, Skype chat data, and other communications, in some cases back to 1987 – almost 30 years.

That seems like a bit more than what is “required”.

Now that this is out, people may start voting with their checkbooks.

Information for this post came from The Daily Beast.

AT&T Says Security Incidents Up 48% Over 2013

AT&T released its first public cybersecurity incident analysis report last week.  As a network security services provider, they get to see the attacks in real time.  One service that AT&T offers is to mitigate security threats in the network before they ever reach you.  They also offer cyber security consulting services.  AT&T’s competitor Verizon also produces a similar report every year.  Obviously, these pieces are marketing tools to sell cybersecurity services, but that does not make the data any less useful.

A few highlights from AT&T’s report released last week:

  • Security incidents are up 48% over 2013 (117,000 attacks a day)
  • DDoS attacks are up 62% over the last two years
  • 75% of businesses do not involve their full boards in cyber risk oversight

The report suggests 5 questions for every CEO.  While these questions are not necessarily perfect, they certainly are good questions:

  1. Is your board of directors fully engaged in cybersecurity?
  2. When did you and your board review your last risk assessment?
  3. What makes you a target for attacks?
  4. What data is leaving your company and is it secure?
  5. Have I provided my security organization all the tools and resources they need to help prevent a security breach?

My additions or changes to these questions are:

For question 2, WHEN was the last risk assessment conducted?  If the answer is more than 12 months ago, it is time to conduct a new one.

For question 4, SHOULD that data be leaving the company at all and HOW do you know what data is leaving the company?

The AT&T report also says that about half of the large companies (their target market) are re-evaluating their information security standards in light of the recent high visibility breaches.  That means that more than half are not.  I suspect that smaller companies are even less likely to be re-evaluating their standards because they are more worried about top line sales numbers.  Unfortunately, that is probably the wrong choice.  Large companies (think Anthem or Target) have the resources to deal with the aftermath of these attacks and continue to do business.  This is much less likely for mid-size and smaller companies.

The report has many other useful recommendations and questions.  I would recommend that the chief security person in every organization read it.

The report is available on AT&T’s web site here.


News Bites for April 9, 2015

The FBI is warning people to be wary of fake federal web sites which both take their PII and also steal money from them.  The web sites rank high on the search engine page, ask for PII and collect a fee.  Sometimes they ask people to send their birth certificate or other information.  People are then told to wait a few weeks, by which time the scamsters, web site and phone numbers are all gone.  See link for more details.


White Lodging provided more details in a breach at 10 properties that they manage for Marriott, Sheraton and other chains (list of properties in this article) across the country.  The breach only affected food and beverage outlets in the properties.  This follows a breach, earlier in 2013 (see here) that apparently was never completely cleaned up.  People should be watching their credit card activity closely anyway, so if you see any fraudulent activity, contact your bank right away and ask for a new card.  Unlike many forms of cyber theft, this one is relatively quick and easy to fix.


The privacy lawsuit brought by Max Schrems (see earlier posts) against Facebook got its first hearing today in the Vienna Regional Court.  Schrems, who has been a thorn in Facebook’s side for years, says that Facebook is collecting and using data in violation of EU privacy laws and participated in the NSA PRISM data collection program, again in violation of EU law.  Schrems is suing Facebook Ireland, the EU subsidiary of Facebook.  This trial and appeals will likely go on for years, but it will certainly be interesting to watch. Because this is happening outside the U.S., the U.S. government will likely have a harder time invoking national security to stop Facebook Ireland from disclosing information that they would prefer remain secret.


AT&T agreed to a consent decree with the FCC (not the FTC as is normally the case).  Since they are a regulated common carrier, the FCC has jurisdiction.  The decree comes as a result of employees in Mexico, Colombia and the Philippines stealing customer information and selling it.  AT&T agreed to pay a $25 million civil penalty, the largest ever assessed by the FTC, and make a number of privacy and security process changes.  The actual decree, very readable by normal legalese standards, is available here.  This is a worst case scenario of insider risk.