Tag Archives: Location data

Security News for the Week Ending February 14, 2020

Feds Say 4 Chinese Hackers Took Down Equifax

The Department of Justice indicted 4 members of the Chinese People Liberation Army, saying that they were responsible for detecting the fact that Equifax did not patch their some of their servers and thus were easily hackable.  This, of course, means that the hack did not require much skill and may have even been a coincidence.

While it is highly unlikely that the 4 will ever see the inside of an American courtroom, it is part of this administration’s blame and shame game – a game that does not seem to be having much of an effect on cybercrime.  Source: Dark Reading

 

Malwarebytes Says Mac Cyberattacks Doubled in 2019

For a long time, the story was that Macs were safer than PCs from computer malware and that is likely still true, but according to Malwarebytes anti-virus software, almost twice as many attacks were recorded against Mac endpoints compared to PCs.

They say that Macs are still quite safe and most of the attacks require the attacker to trick a user into downloading or opening a malicious file. One good note is that Mac ransomware seems to be way down on the list of malware. Source: SC Magazine

Feds Buy Cell Phone Location Data for Immigration Enforcement

The WSJ is reporting that Homeland security is buying commercial cell phone location data in order to detect migrants entering the country illegally and to detect undocumented workers. In 2019, ICE bought $1 million worth of location data services licenses. There is likely nothing illegal about the feds doing this, but it is a cat and mouse game. As people figure out how the feds are using this data, they will likely change their phone usage habits.

Note that this data is not from cell towers, but likely from apps that can collect your location (if you give them permission) as much as 1400 times EACH DAY (once a minute) – a pretty granular location capability. Source: The Hill

FBI Says Individual and Business Cybercrime Losses Over $3 Billion in 2019

The FBI’s Internet Crime Complaint Center or IC3 says that people reported 467,000 cyber incidents to them last year with losses of $3.5 billion.

They say that they receive, on average over the last five years, 1,200 complaints per day.

During 2018, the FBI established a Recovery Asset Team and in 2019, the first full year of operation, the team recovered $300 million. They say they have 79% success rate, but they don’t explain that bit of new math. I suspect that means that over the small number of cases they cherry pick, they are very successful.

Still, overall, that seems to be less than 10% of the REPORTED losses.

Also, it is important to understand that this data only draws from cybercrime reported to the IC3. No one knows if that is 10% of all cybercrime or 90%. Just based on anecdotal evidence, I think it is closer to the 10% number, and, if true, that means the $3.5 billion in losses is really closer to $35 billion. Source: Bleeping Computer

Facebooktwitterredditlinkedinmailby feather

Security News for the Week Ending January 3, 2020

Starbucks Leaves Their API Key in a Public Github Repository

Vulnerability hunter Vinoth Kumar found a Starbucks API key in a public Github repo.

The flaw was set to CRITICAL after they verified that the key gave anyone access to their Jumpcloud (An AD alternative) directory.

The problem was reported on October 17th and it took Starbucks several weeks to understand how bad the damage was.  The key was revoked within 4 days, but still, best practice would like that to be more like 60 minutes.  That, to me, is a failure on Starbucks’ (and probably most company’s) part.  After all, the key, as demonstrated in a proof of concept, would have allowed a hacker to take over Starbucks AWS account.  They paid Kumar a bug bounty of $4,000.  They definitely got away cheap.  Source: Bleeping Computer

 

Location Data Can Put Employee Safety At Risk

On the heels of a story that reporters were able to identify Secret Service agents who were travelling with the President, including figuring out where they lived, using available location data (see story from earlier this week about colleges collecting thousands of location data points per day on each student), comes another story regarding the hazards of location data.

As companies isolate teams to mask R&D, M&A and other sensitive activities, location data that is being sent by apps allows anyone with access to that data to de-compartmentalize those activities and understand exactly what companies are doing, who they are talking to, who their vendors are, possibly what technology areas they are interested in, etc.  Executives are often the worst behaved users and often generate the biggest digital exhaust because of lack of understanding of how the apps work and the consequences.

Since companies have moved to BYOD devices and can no longer control what apps a user installs or what data those apps exhaust, they have very little control over the problem.  Some apps have been found to send out over a thousand data points per app, per person, per day.  To servers in China.  What could possibly go wrong.

The only way to counteract this is via employee education.   Source: ZDNet

 

Travelex Knocked Offline by Cyber Attack

Travelex, the currency exchange company, was knocked offline by some sort of cyber attack.  As seems to be the case much of the time, the company decided that staying silent and not telling anyone what is going on will make things better.  In one way they are right since they are not giving the lawyers who will be suing them any information now.  That will wait until the lawsuits are filed.

One of the services that Travelex offers is stored value credit card called the Money Card.  They sell it to travelers as the safest to travel with money.  Only for current Travelex Money Card customers, it is super safe, because they cannot get their money.  Which could be a problem if you are traveling and need access to your cash.

In addition, banks that use Travelex as their currency exchange service are also offline.  Travelex is a huge player in this space, so their being down is a big problem.

The attack hit them on New Year’s eve and as of the night of January 3rd, they are still offline.  This could have a long term impact on their business and some commercial customers might choose to leave them.

The silence only makes it worse.  They likely did not have a disaster recovery/business continuity plan – at least not one that works.  And, I am sure that regulators in many, many countries will be asking questions.  Source: Threatpost

 

Guess How Long It Takes For Hackers to Test Your Stolen Credit Card Once it is on the Dark Web?

A researcher decided to test how long it takes for your credit card to be tested after it is posted for sale on the dark web.  It turns out the test was a little harder to conduct than the researchers thought since everyone buying and selling on the dark web is, how shall I say this, A TAD BIT SUSPICIOUS OF EVERYONE ELSE.

Once he got past that problem, it turns out the answer is about two hours.  That is not very comforting.  Hackers buying the stolen cards want to know if they are any good, so they make very small purchases, thinking most people won’t bother to trace down a $0.50 transaction that they don’t recognize.

Two Hours is not very long and a bit of a surprise to me.  Source: Bleeping ComputerFacebooktwitterredditlinkedinmailby feather

Cell Carriers Agree – AGAIN – To Stop Selling Your Location Data – HONEST!

Motherboard was able to buy real time location data from a broker for a T-Mobile phone for $300.  This is not illegal.

The food chain for location data is very complicated.

In this case, T-Mobile sold the data to data aggregator Zumigo.

Zumigo sold it to Microbilt.

Microbilt sold it to a bounty hunter.

Who sold it to a “source”.

Who sold it to Motherboard.

Ajit Pai, who, as the Chairman of the FCC has not been very consumer friendly, “declined” a request for an emergency briefing to Congress during the Trump Shutdown.

While I am not terribly impressed by that, the reality is that the FCC won’t take any action during the shutdown any way.  Still, there is no reason not to brief Congress other than the Pai is a Republican and he was asked to testify by the Democrats.

AT&T, Sprint and T-Mobile continue to sell data even though they have promised to stop selling data multiple times.

Now they are saying that they pinky-promise that they will really, really stop selling your location data.

One of the challenges is that there are some legitimate services, such as roadside assistance, that need the data and need to make other accommodations.

One source is many of those applications that people love to install.  One recent study found that a given app might collect your location up to 14,000 times a day (10 times a minute).

Users have to grant permission for apps to use your location, but as we saw with the City of LA lawsuit against The Weather Channel, many times apps ask for your permission to use your location but don’t clearly tell you what they are using it for or who they are selling it to.

The problem for people that really want your data is that for any given user, they don’t know what apps you have installed or which apps you have given location permission, so their best answer is to buy your location info from a data aggregator if they can’t get it from the cell companies.  

You can and should turn off location services when you don’t need it and review which apps you have given location permissions to see if you still want those apps to have that capability.

Don’t hold your breath.  Source: Bleeping Computer.

 

 

 Facebooktwitterredditlinkedinmailby feather