Tag Archives: mSpy

Security News Bites for the Week Ending September 14, 2018

How, Exactly, Would the Government Keep a Crypto Backdoor Secret?

The Five Eyes countries (US, Canada, Australia, New Zealand and Great Britain) issued a statement last week saying that if software makers did not voluntarily give them a back door into encrypted apps, they may pursue laws forcing them to do so. Australia and the UK already have bills or laws in place trying to mandate that (Source: Silicon Republic).

First, parental control/spyware app Family Orbit stored its private access key in a way that let hackers access 281 gigabytes of spied-on photos in over 3,000 Amazon storage buckets. This means that tens of millions of photos taken by kids and of kids are now on the loose. All because parents wanted to keep tabs on what their kids were doing. Now the hackers can keep tabs on their kids too (Source: Hackread). Family Orbit shut down all services until they can fix the problem, but that won’t help recover the 281 gigabytes of data already stolen.

And, for the second time in three years, spyware maker mSpy leaked the data from a million customers including passwords, call logs, text messages, contacts, notes and location data, among other information (Source: Brian Krebs).

So here, in one week, two companies whose very existence is threatened by these leaks were hacked. Somehow, hundreds of backdoors on major apps will be kept secret by the government.

Sure.  I believe that.  Not.

This is also a word of advice to parents who either are using spyware on their kids or are thinking about it. The odds of that data getting hacked are higher than you might like. Would it be a problem for you or your kids if all of their pictures, texts, contacts and passwords were made public? Consider that before you give all of that data to ANY third party.

Popular Mac App Store App Has Been Sending User Data to China for Years

In a situation that you very rarely hear about, researchers have discovered that the 4th most popular paid app in the Mac app store, Adware Doctor, has been sending user browsing history to China for years.  Apparently, when you click on CLEAN, they take a very liberal view of the request, zip up your browsing history and send it to China. They are able to do this based on the permissions that the user gives it, reasonable permissions given the app.  In other words, they abused the trust that users gave them.

This was reported to Apple a month ago and Apple did nothing about it, but within hours of the news hitting the media, Apple yanked this very popular app from the store.  That, of course, does not protect anyone who has already downloaded it, but at least it will stop new people from becoming victims.

The power of the media! (Source: Motherboard).

ISPs Try Hail Mary in Bid to Derail California’s Net Neutrality Bill

The California legislature is on a roll. First the California Consumer Privacy Act (AB 375) – now law, then the Security of Connected Devices Act (SB 327) – on the Governor’s desk, and now the Internet Neutrality Act (SB 822), which would implement many of the requirements of the now-repealed FCC Net Neutrality policy. ISPs such as Frontier have asked employees to contact the governor and tell him to veto the bill. This was after AT&T bribed, err, technically “lobbied” an Assembly committee to gut the bill. The industry then targeted robocalls at seniors saying the bill would cause their cell phone bill to go up by $30 a month and their data to slow down (neither is true). It is still on Governor Brown’s desk. (Source: Motherboard).

Facebook is in the middle of an Apple-esque Fight Over Encryption with the Feds

While this case is under seal, a few details have surfaced.  In this case the feds are asking Facebook to comply with the wiretap act, a law passed in the 1960s, long before the Internet, which requires a phone company to tap a phone conversation after receiving a warrant.

In this case, is Facebook Messenger even a phone call as defined in the Act? Facebook, apparently, says that they do not have the means to do it; that they do not have the keys. Can the government force Facebook to rewrite its code to provide the keys to the government on request? Even if they do, the conversations themselves do not go through Facebook’s network, so they could not capture the actual traffic, even if they wanted to. The NSA could do that, but that is between the NSA and the FBI, not Facebook.

Can they force Facebook to completely rearchitect their system, at Facebook’s cost, to comply?  Even if they do, how long would that take?  What would be the operational impact to Facebook?

Since this is all under seal, we don’t really know and may, possibly, never know.

At this point it is not at all clear what will happen.  It is possible that the court will hold Facebook in contempt, at which point, I assume, Facebook will appeal, possibly all the way up to the Supreme Court.

Think San Bernardino all over again. (Source: The Verge).

A New Form Of Ransomware

In addition to the traditional ransomware that everyone knows about, the AdultFriendFinder breach I wrote about earlier has the hackers blackmailing users of the site. Now, mSpy clients are being extorted too.

Brian Krebs is reporting that hackers are using the mSpy breach to extort iPhone users.  Apparently, users who have mSpy installed are asked for their iTunes userid and password so that mSpy can extract data from iCloud.

mSpy is used to spy on your “loved ones” – strange concept – so you install it on their phones. But they are not supposed to know it is there. What is not clear to me is whether the iTunes accounts of the spyees or spyors or both are in the hacked data. From what I have read, it appears to be the spyee – hence they don’t know that their accounts have been compromised.

With all the user data from mSpy now available on the dark web, hackers are, very quickly, extracting those iTunes userids and passwords from the hacked data.

Next, using Tor, the hackers can log into iTunes using those ill-gotten credentials and, using the find my phone feature, wipe the phone, set a message saying the phone has been hacked and tell the owner that the only way they can get it back is to pay a ransom.

Since most Apple users rely on the Apple ecosystem for backups and the hackers have control of the user’s iTunes/iCloud account, the user, their phone, their data and their backups are all under the control of the hackers. Assuming that the hacker has taken over their iTunes account, I don’t think they would be able to access their backups in iTunes on their Mac or PC, if they exist.

So, do you pay the ransom?  Or not?  A dilemma.

And, if you do, will the hacker return control of your iTunes account and phone?

One thing to consider is backups completely outside the Apple universe.  At least then you could get your data back.

mSpy Hacked, Hundreds Of Gigabytes Of Data Leaked

Brian Krebs reported that the company mSpy was hacked. mSpy builds a software product that runs in the cloud and allows parents to spy on their kids and adults to spy on their (cheating) significant others. That data is stored in the cloud, and now, hundreds of gigs of their customers’ photos, appointments, corporate emails and other very private documents are up for grabs.

The hackers claim that they have hundreds of gigs of information on 400,000 of mSpy’s customers and credit card information on 145,000 transactions.  For sale.  On the dark web.

As a side note, mSpy says that, unlike some other spy software, their software works on un-jailbroken iPhones.

While this breach could reveal the personal information of 400,000 customers of mSpy, many of them likely children, this breach is like a canary in a coal mine. When the miners watched the canaries and then took action, the miners lived.

You might not be an mSpy customer, but do you store any of your data in the cloud?  Besides the obvious – Microsoft, Google, Facebook, Apple.

Do your kids store any data in the cloud?  Selfies, for example.

Are there pictures from a family member’s phone that, how do I say this delicately, you would prefer not be made public?

What about your company?  Any trade secrets, proposals or customer lists in the cloud?

You may want to reconsider how you protect that data.  Google or Facebook (and a thousand other sites) may encrypt your data, but they have the key, so if a hacker compromises one of those sites, the fact that it is encrypted is likely totally irrelevant.   The only encryption that stands a chance is one where you control the key.

A few sites (notably some of the biggies such as Box and Amazon) allow companies to control the encryption keys AS AN OPTION.

Ponder that.  Then call me if you need assistance 🙂
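The difference between a provider-held key and a customer-held key, as an added example (not from the original post or any vendor's code): a constructed in-memory `provider` object stands in for a cloud service, and every function name here is hypothetical.

```javascript
// Added illustration: constructed data, hypothetical names throughout.
const crypto = require('crypto');

// AES-256-GCM; the stored blob is nonce (12) || tag (16) || ciphertext.
function seal(key, plaintext) {
  const nonce = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', key, nonce);
  const body = Buffer.concat([c.update(plaintext), c.final()]);
  return Buffer.concat([nonce, c.getAuthTag(), body]);
}

function unseal(key, blob) {
  const d = crypto.createDecipheriv('aes-256-gcm', key, blob.subarray(0, 12));
  d.setAuthTag(blob.subarray(12, 28));
  return Buffer.concat([d.update(blob.subarray(28)), d.final()]); // throws on wrong key
}

// Model 1: the provider encrypts at rest and keeps the key in its own systems.
function providerManagedUpload(provider, name, data) {
  provider.key = provider.key || crypto.randomBytes(32);
  provider.objects[name] = seal(provider.key, data);
}

// Model 2: the customer encrypts first; the key never reaches the provider.
function customerManagedUpload(provider, customerKey, name, data) {
  provider.objects[name] = seal(customerKey, data);
}

// A breach exposes everything the provider stores, its key included.
// Returns the object names an attacker holding that dump can decrypt.
function readableAfterBreach(provider) {
  return Object.keys(provider.objects).filter((name) => {
    if (!provider.key) return false;
    try { unseal(provider.key, provider.objects[name]); return true; }
    catch (err) { return false; } // GCM tag mismatch: not the provider's key
  });
}

function demo() {
  const provider = { key: null, objects: {} };
  const customerKey = crypto.randomBytes(32); // held only by the customer
  providerManagedUpload(provider, 'selfie.jpg', Buffer.from('constructed photo'));
  customerManagedUpload(provider, customerKey, 'proposal.docx', Buffer.from('constructed secret'));
  const ownerView = unseal(customerKey, provider.objects['proposal.docx']).toString();
  return { leaked: readableAfterBreach(provider), ownerView };
}
```

A customer-held key also has to be backed up by the customer, because the provider cannot recover data sealed with a key it never saw.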