Tag Archives: Location data

Security News for the Week Ending August 21, 2020

August 13th, a Day That Will Live in Confusion

August 13th is the day that Part B of Section 889 of the 2019 National Defense Authorization Act went into effect. It bars the federal government from contracting with companies that use equipment and services tied to certain Chinese companies the United States has deemed security threats. Companies that use this equipment will not be able to sell to the federal government without a waiver. Contractors have 24 hours to report if they discover, after August 13th, that they are breaking the law, but they are allowed to self-certify. While the ban took effect on August 13th, the GSA training session for contractors has been delayed until mid-September because GSA was not ready to coherently explain the rules. Ellen Lord, chief of the Pentagon’s acquisition branch, asks contractors to take notes on how this is disrupting their business so that, maybe, they can get Congress to change the law. By the way, this is not a contract flow-down clause, so primes are responsible for what their subs do, I guess. Sorry, contractors. Credit: Federal Computer Week

Senators Say WikiLeaks Likely Knew It Was Helping Russia

The US Senate Select Committee on Intelligence says, in a report, that Vladimir Putin personally ordered the hacking of the DNC and that WikiLeaks likely knew it was helping Russia. The Senate report says WikiLeaks received internal DNC memos FROM Russian hackers. Senators wrote that Trump’s campaign staff sought advance notice of WikiLeaks releases. Paul Manafort is named as the link between the campaign and Russia. It seems odd that this Republican-controlled committee would release this report days before the Republican National Convention’s nomination of Trump for President. Credit: The Register

Hide Your Breach – Go to Jail

The Feds have charged Uber’s former Chief Security Officer with concealing the company’s 2016 breach from the FTC, which at the time was investigating Uber over its 2014 breach, and with paying the hackers to keep the 2016 breach quiet. He is charged with obstruction of justice and misprision of a felony (i.e. concealing a crime). He faces up to 8 years in prison if convicted. Credit: DoJ

Ever Wonder What Happens to All That Location Data that Apps Collect?

Well, the answer is that it depends. This week we found out one thing that happens to that data: the U.S. Secret Service buys it and uses it instead of getting a warrant to obtain the same information from the phone company. Nothing illegal about it. Obviously, the Secret Service is not using it to market products. Curiously, the company they bought it from does not advertise that it sells your data to the police. In fact, its agreement, much like the agreement the Stingray vendor makes police sign, forbids customers from mentioning it in legal proceedings at all. When this has come up with Stingrays, police have dropped charges rather than break the agreement. Credit: Hackread

Securus Sued For Recording Attorney-Client Jail Calls and Providing to Police

Securus provides phone services in prisons at what most people say are exorbitant prices, sometimes 100 times the going rate outside. In theory (and in law), Securus is not supposed to listen to or record calls between inmates and their lawyers. The only reason they were caught was that a detective listening to recordings Securus had provided recognized the attorney’s voice. He then reported Securus to the Attorney General. The attorney who was illegally recorded is now suing Securus. The interesting thing is that Securus just settled a similar case in another state. You would think they would learn. Credit: The Register

Security News for the Week Ending July 3, 2020

Apple Likely to Make Charger, Earphones Extra on Next iPhone

Before everyone goes crazy: first, this is a rumor – a likely accurate rumor, but a rumor – and second, it is likely aligned with the EU’s directive to reduce electronic waste. Your old charger and old earphones probably still work, and if, say, 50% of buyers keep using them, that is a lot of electronic waste avoided. People who are less Apple-friendly say that Apple reduces its costs, improves its environmental image and gets many people to buy unbundled, high-margin accessories. Do not expect Apple to reduce the price over this. Credit: The Register

Apple Says NO to Advertisers

And now another Apple story. Apple has decided not to implement 16 new web APIs because they might enable advertisers to track users. This only applies to Safari, the default browser on Apple devices, which represents about 17% of web users, and since Apple doesn’t make its livelihood by selling people’s data, it is a win-win. It doesn’t cost Apple anything and it helps their customers. It is OK if everyone wins. Credit: Metacurity

Hackers Selling 100 Million+ Hacked Credentials

A seller of stolen credentials is flooding the black market with stolen user IDs and passwords. Breached databases from 14 companies in 2020 account for 130+ million user IDs. Sites affected include Homechef, Minted, Tokopedia and almost a dozen more, and that is just from the first 6 months of this year. In case that is not enough, the broker is also selling a number of older databases. Beware of credential stuffing attacks, in which hackers take the leaked user ID and password pairs and try them on other sites, counting on people having reused their passwords. Credit: Bleeping Computer
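One defensive check that follows from this story, added here as an example and not taken from the article or from any of the breached sites: before accepting a password at registration or login, look it up against a corpus of leaked passwords without ever sending the password, or even its full hash, to the lookup service. The block below implements the k-anonymity range-query scheme popularized by Have I Been Pwned’s Pwned Passwords API against a small constructed corpus that stands in for dumps like the ones described above; the corpus contents and the function names are assumptions for illustration.

```python
import hashlib
from collections import defaultdict

# Constructed stand-in for a leaked-credential corpus. A real deployment would
# load the hundreds of millions of passwords found in dumps like the ones sold
# above; these five values are illustrative only.
LEAKED_PASSWORDS = ["password", "123456", "qwerty", "letmein", "Summer2020!"]

HEX = set("0123456789ABCDEF")


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1, the digest the range-query scheme is keyed on."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# ---- lookup service side -------------------------------------------------
def build_range_index(passwords):
    """Index leaked hashes as prefix (5 hex chars) -> {suffix: hit count}."""
    index = defaultdict(dict)
    for pw in passwords:
        digest = sha1_hex(pw)
        prefix, suffix = digest[:5], digest[5:]
        index[prefix][suffix] = index[prefix].get(suffix, 0) + 1
    return index


def range_query(index, prefix: str) -> dict:
    """Return every suffix (and hit count) sharing the 5-char prefix.

    The service only ever sees 20 bits of the hash, so it cannot tell which
    of the 2^140 possible digests behind that prefix the caller cares about.
    """
    if len(prefix) != 5 or not set(prefix) <= HEX:
        raise ValueError("prefix must be exactly 5 uppercase hex characters")
    return dict(index.get(prefix, {}))


# ---- client side ---------------------------------------------------------
def is_leaked(index, password: str) -> int:
    """Return how many times the password appears in the corpus (0 = never).

    Only the 5-char prefix leaves the client; the suffix match is done locally.
    """
    digest = sha1_hex(password)
    candidates = range_query(index, digest[:5])
    return candidates.get(digest[5:], 0)


if __name__ == "__main__":
    idx = build_range_index(LEAKED_PASSWORDS)
    for candidate in ["password", "correct horse battery staple"]:
        print(f"{candidate!r}: seen {is_leaked(idx, candidate)} time(s) in corpus")
```

In production the index lives on the lookup service and `range_query` is an HTTPS call; the point of the split is that a compromised or curious service still learns nothing usable about the password being checked.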

Location Data Used on Specific Voters So Candidates Knew Who Voted

Money is money. A data broker sold location data on Black Lives Matter protesters so that (police) could track their movements, and also sold location data on evangelicals so that the (Trump campaign) could tell which voters favorable to them had not yet voted and get out the vote in a very targeted manner. All legal. Expect it to be used this year, likely by many candidates. I put the names in parentheses because the broker didn’t exactly say who it sold the data to. Credit: Vice

Denial of Service Attacks up 542% in First Quarter

Distributed denial of service attacks jumped more than 500% from the fourth quarter of last year to the first quarter of this year, and more than 250% year over year, according to Nexusguard. Likely this is due to work from home. The attacks target businesses and ISPs. Are you ready? Credit: Dark Reading

Security News for the Week Ending February 14, 2020

Feds Say 4 Chinese Hackers Took Down Equifax

The Department of Justice indicted 4 members of the Chinese People’s Liberation Army, saying they were responsible for discovering that Equifax had not patched some of its servers, which were therefore easily hackable.  This, of course, means that the hack did not require much skill and may even have been a coincidence.

While it is highly unlikely that the 4 will ever see the inside of an American courtroom, it is part of this administration’s blame and shame game – a game that does not seem to be having much of an effect on cybercrime.  Source: Dark Reading


Malwarebytes Says Mac Cyberattacks Doubled in 2019

For a long time the story was that Macs were safer than PCs from malware, and that is likely still true, but according to Malwarebytes, almost twice as many threats per endpoint were detected on Macs as on Windows PCs in 2019.

They say that Macs are still quite safe and that most of the attacks require tricking a user into downloading or opening a malicious file. One good note is that ransomware is way down the list of Mac malware. Source: SC Magazine

Feds Buy Cell Phone Location Data for Immigration Enforcement

The WSJ is reporting that the Department of Homeland Security is buying commercial cell phone location data to detect migrants entering the country illegally and to find undocumented workers. In 2019, ICE bought about $1 million worth of location data licenses. There is likely nothing illegal about the feds doing this, but it is a cat-and-mouse game: as people figure out how the feds use this data, they will likely change their phone habits.

Note that this data does not come from cell towers but, most likely, from apps that collect your location (if you give them permission) as often as 1,400 times EACH DAY (roughly once a minute) – a pretty granular location capability. Source: The Hill

FBI Says Individual and Business Cybercrime Losses Over $3 Billion in 2019

The FBI’s Internet Crime Complaint Center (IC3) says that people reported 467,000 cyber incidents to it last year, with losses of $3.5 billion.

They say that, averaged over the last five years, they receive 1,200 complaints per day.

During 2018, the FBI established a Recovery Asset Team and in 2019, the first full year of operation, the team recovered $300 million. They say they have 79% success rate, but they don’t explain that bit of new math. I suspect that means that over the small number of cases they cherry pick, they are very successful.

Still, overall, $300 million is less than 10% of the REPORTED losses.

Also, it is important to understand that this data only draws from cybercrime reported to the IC3. No one knows if that is 10% of all cybercrime or 90%. Just based on anecdotal evidence, I think it is closer to the 10% number, and, if true, that means the $3.5 billion in losses is really closer to $35 billion. Source: Bleeping Computer

Security News for the Week Ending January 3, 2020

Starbucks Leaves Their API Key in a Public Github Repository

Vulnerability hunter Vinoth Kumar found a Starbucks API key in a public GitHub repo.

The report was rated critical after Starbucks verified that the key gave anyone access to its JumpCloud (an Active Directory alternative) directory.

The problem was reported on October 17th and it took Starbucks several weeks to understand how bad the damage could have been.  The key was revoked within 4 days, but best practice would be more like 60 minutes.  That, to me, is a failure on Starbucks’ (and probably most companies’) part.  After all, the key, as demonstrated in a proof of concept, would have allowed a hacker to take over Starbucks’ AWS account.  They paid Kumar a bug bounty of $4,000.  They definitely got away cheap.  Source: Bleeping Computer
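The practical check this story calls for is scanning code before it is pushed (and continuously afterwards), so that a leaked key is found in minutes rather than weeks. The block below is an added example, not Starbucks’ or Kumar’s code: a small scanner that combines a fixed-shape pattern (AWS access key IDs) with an entropy test on generic key/secret/token assignments, and suppresses obvious placeholders. The sample file contents are constructed; the AWS key ID is the one AWS publishes in its own documentation as an example, and the 40-hex-character shape used for the JumpCloud-style key is an assumption for illustration.

```python
import math
import re
from collections import Counter

# High-confidence, fixed-shape credential: AWS access key IDs.
AWS_ACCESS_KEY_ID = re.compile(r"\bAKIA[0-9A-Z]{16}\b")

# Low-confidence shape: something called key/secret/token assigned a long
# value. Entropy and a placeholder filter decide whether it is worth reporting.
GENERIC_ASSIGNMENT = re.compile(
    r"(?i)(api[_-]?key|secret|token|key)\s*[:=]\s*['\"]?([A-Za-z0-9/+_\-]{20,})['\"]?"
)
PLACEHOLDER = re.compile(r"(?i)(example|placeholder|your_|replace|changeme|xxx+)")

MIN_ENTROPY = 3.5   # bits per char; random hex tops out at 4.0, base64 at 6.0


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for the empty string)."""
    if not s:
        return 0.0
    counts = Counter(s)
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def scan_text(path: str, text: str):
    """Return [(path, line_no, kind, matched_value)] for each suspected secret."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in AWS_ACCESS_KEY_ID.finditer(line):
            findings.append((path, line_no, "aws_access_key_id", m.group(0)))
        m = GENERIC_ASSIGNMENT.search(line)
        if m:
            value = m.group(2)
            if PLACEHOLDER.search(value):
                continue                      # docs/templates, not a live key
            if shannon_entropy(value) >= MIN_ENTROPY:
                findings.append((path, line_no, "high_entropy_assignment", value))
    return findings


def scan_files(files):
    """Scan a {path: contents} mapping, e.g. the files touched by a commit."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


# Constructed sample "repo" contents standing in for the public GitHub repo.
SAMPLE_FILES = {
    "config/settings.py": "\n".join([
        "DEBUG = False",
        "# 40-hex-char value shaped like a JumpCloud API key (constructed, assumption)",
        'JUMPCLOUD_API_KEY = "3a7f0c9e1b4d6258f3a7c0e91b4d26853a7f0c9e"',
        "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE   # AWS's published example ID",
        'LOG_LEVEL = "info"',
    ]),
    "README.md": "\n".join([
        "Set your key before running:",
        'API_KEY = "REPLACE_ME_WITH_YOUR_REAL_KEY"',
    ]),
}


if __name__ == "__main__":
    for path, line_no, kind, value in scan_files(SAMPLE_FILES):
        print(f"{path}:{line_no} {kind} -> {value}")
```

Wire `scan_files` into a pre-commit hook over the staged diff and into CI over the whole tree; the fixed-shape pattern fires regardless of entropy because a real AWS key ID is worth a look even in a file that calls it an example, while the generic rule needs both a plausible name and a random-looking value to avoid drowning reviewers in placeholders.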


Location Data Can Put Employee Safety At Risk

On the heels of a story that reporters were able to identify Secret Service agents travelling with the President, including figuring out where they lived, using commercially available location data (see the story from earlier this week about colleges collecting thousands of location data points per day on each student), comes another story about the hazards of location data.

As companies isolate teams to mask R&D, M&A and other sensitive activities, the location data sent by apps allows anyone with access to it to de-compartmentalize those activities and understand exactly what companies are doing, who they are talking to, who their vendors are, possibly what technology areas they are interested in, and so on.  Executives are often the worst-behaved users and generate the biggest digital exhaust, because they do not understand how the apps work or what the consequences are.

Since companies have moved to BYOD and can no longer control what apps a user installs or what data those apps exhaust, they have very little control over the problem.  Some apps have been found to send out over a thousand location data points per app, per person, per day.  To servers in China.  What could possibly go wrong?

Short of managing the devices, the main way to counteract this is employee education.   Source: ZDNet


Travelex Knocked Offline by Cyber Attack

Travelex, the currency exchange company, was knocked offline by some sort of cyber attack.  As seems to be the case much of the time, the company decided that staying silent and not telling anyone what is going on would make things better.  In one way they are right, since they are not giving the lawyers who will be suing them any information now.  That will wait until the lawsuits are filed.

One of the services Travelex offers is a stored-value card called the Money Card, which it sells to travelers as the safest way to carry money.  For current Money Card customers it is super safe right now, because they cannot get at their money.  Which could be a problem if you are traveling and need access to your cash.

In addition, banks that use Travelex as their currency exchange service are also offline.  Travelex is a huge player in this space, so their being down is a big problem.

The attack hit them on New Year’s Eve and as of the night of January 3rd they are still offline.  This could have a long-term impact on their business, and some commercial customers might choose to leave them.

The silence only makes it worse.  They likely did not have a disaster recovery/business continuity plan – at least not one that works.  And I am sure that regulators in many, many countries will be asking questions.  Source: Threatpost


Guess How Long It Takes For Hackers to Test Your Stolen Credit Card Once it is on the Dark Web?

A researcher decided to test how long it takes for a stolen credit card to be tested after it is posted for sale on the dark web.  It turns out the test was a little harder to conduct than the researcher thought, since everyone buying and selling on the dark web is, how shall I say this, A TAD BIT SUSPICIOUS OF EVERYONE ELSE.

Once he got past that problem, it turns out the answer is about two hours.  That is not very comforting.  Hackers buying stolen cards want to know whether they are still good, so they make very small purchases, figuring most people won’t bother to track down a $0.50 transaction they don’t recognize.

Two hours is not very long and a bit of a surprise to me.  Source: Bleeping Computer
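For a fraud or security-operations team, the attacker behaviour described above (tiny probe charges to find out which stolen cards still work) is a detectable signal. The block below is an added example, not code from the article or the researcher: it runs two rules over a constructed authorization stream, one flagging a source address that probes many distinct cards with sub-dollar amounts inside a short window, and one flagging cards on which an approved micro-charge is followed by a large purchase. The thresholds, field names and sample events are assumptions for illustration.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Auth:
    ts: datetime
    src_ip: str
    card: str          # tokenized card reference, never the PAN itself
    amount: float
    approved: bool


# Tunable thresholds (assumptions for illustration).
MICRO_AMOUNT = 1.00                 # "is this card alive?" probes are cents-sized
PROBE_WINDOW = timedelta(minutes=10)
MIN_DISTINCT_CARDS = 5
CASHOUT_AMOUNT = 50.00
CASHOUT_WINDOW = timedelta(hours=24)


def find_card_testing(events):
    """Map src_ip -> (first_ts, last_ts, distinct_cards) for sources that hit
    MIN_DISTINCT_CARDS distinct cards with micro-charges inside PROBE_WINDOW."""
    alerts = {}
    recent = defaultdict(deque)     # src_ip -> deque[(ts, card)] inside the window
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.amount > MICRO_AMOUNT:
            continue                # only probe-sized charges feed this rule
        q = recent[ev.src_ip]
        q.append((ev.ts, ev.card))
        while q and ev.ts - q[0][0] > PROBE_WINDOW:
            q.popleft()             # slide the window forward
        distinct = len({card for _, card in q})
        prev = alerts.get(ev.src_ip)
        if distinct >= MIN_DISTINCT_CARDS and (prev is None or distinct > prev[2]):
            alerts[ev.src_ip] = (q[0][0], ev.ts, distinct)
    return alerts


def find_probe_then_cashout(events):
    """Return the set of cards where an approved micro-charge was followed by an
    approved purchase >= CASHOUT_AMOUNT within CASHOUT_WINDOW: validated, then used."""
    last_probe = {}                 # card -> ts of most recent approved micro-charge
    flagged = set()
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.approved and ev.amount <= MICRO_AMOUNT:
            last_probe[ev.card] = ev.ts
        elif ev.approved and ev.amount >= CASHOUT_AMOUNT:
            probe_ts = last_probe.get(ev.card)
            if probe_ts is not None and ev.ts - probe_ts <= CASHOUT_WINDOW:
                flagged.add(ev.card)
    return flagged


# Constructed sample stream. 203.0.113.9 and 198.51.100.4 are documentation
# (TEST-NET) addresses; the card tokens are made up.
T0 = datetime(2020, 1, 2, 3, 0, 0)
SAMPLE_EVENTS = [
    # attacker probing six freshly bought cards, $0.50 each, one per minute
    *[Auth(T0 + timedelta(minutes=i), "203.0.113.9", f"tok_{i:04d}", 0.50, i % 2 == 0)
      for i in range(6)],
    # legitimate customer: a single 99-cent in-app purchase
    Auth(T0 + timedelta(minutes=2), "198.51.100.4", "tok_9001", 0.99, True),
    # attacker cashes out on one of the cards that came back "approved"
    Auth(T0 + timedelta(minutes=90), "203.0.113.9", "tok_0002", 249.00, True),
    # the same customer's ordinary large purchase days later: outside the window
    Auth(T0 + timedelta(days=3), "198.51.100.4", "tok_9001", 120.00, True),
]

# Same six probes spread 15 minutes apart: slower than PROBE_WINDOW allows.
SLOW_PROBES = [
    Auth(T0 + timedelta(minutes=15 * i), "203.0.113.9", f"tok_{i:04d}", 0.50, True)
    for i in range(6)
]


if __name__ == "__main__":
    for ip, (first, last, n) in find_card_testing(SAMPLE_EVENTS).items():
        print(f"card testing from {ip}: {n} cards between {first:%H:%M} and {last:%H:%M}")
    print("validated then cashed out:", sorted(find_probe_then_cashout(SAMPLE_EVENTS)))
    print("slow probes flagged:", find_card_testing(SLOW_PROBES))
```

The velocity rule is the one worth tuning: an attacker who spaces probes out beyond the window slips past it, as the `SLOW_PROBES` sample shows, which is why the second rule keys on the card rather than the source and survives the attacker changing addresses between the probe and the real purchase.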

Cell Carriers Agree – AGAIN – To Stop Selling Your Location Data – HONEST!

Motherboard was able to buy real-time location data for a T-Mobile phone from a broker for $300.  This is not illegal.

The food chain for location data is very complicated.

In this case, T-Mobile sold the data to data aggregator Zumigo.

Zumigo sold it to Microbilt.

Microbilt sold it to a bounty hunter.

Who sold it to a “source”.

Who sold it to Motherboard.

Ajit Pai, who as Chairman of the FCC has not been very consumer friendly, “declined” a request for an emergency briefing to Congress during the Trump shutdown.

While I am not terribly impressed by that, the reality is that the FCC won’t take any action during the shutdown anyway.  Still, there is no reason not to brief Congress other than that Pai is a Republican and he was asked to testify by the Democrats.

AT&T, Sprint and T-Mobile continue to sell location data even though they have promised to stop multiple times.

Now they are saying that they pinky-promise that they will really, really stop selling your location data.

One of the challenges is that some legitimate services, such as roadside assistance, need the data and would have to make other arrangements.

Another source is the many apps people love to install.  One recent study found that a given app might collect your location up to 14,000 times a day (roughly 10 times a minute).

Users have to grant apps permission to use their location, but as we saw with the City of LA’s lawsuit against The Weather Channel, apps often ask for that permission without clearly telling you what they use the location for or who they sell it to.

The problem for people who really want your data is that, for any given user, they don’t know which apps you have installed or which ones you have given location permission, so their best answer is to buy your location from a data aggregator if they can’t get it from the cell companies.

You can and should turn off location services when you don’t need them, and review which apps you have given location permission to see whether you still want those apps to have that capability.

Don’t hold your breath.  Source: Bleeping Computer