In case you haven’t already been scared silly by the concept, “deep fakes” are a new classification of videos wherein the faces of the subjects of the videos, usually short clips from movies or talk shows with easily recognizable actors, are replaced with a different face. While skilled video and movie special effects editors have been doing this for decades, the effect was usually obvious and it took an expensive special effects studio to produce the result. Now we have YouTubers producing clips like the one below, which is amazing and terrifying at the same time:
What this means for you
The amazing part is easy to see (or not see). At some point in the video, I forget that I’m looking at Bill Hader and can only see Arnold’s face, which, coupled with his excellent impression of the Governator, makes it look AND sound like Schwarzenegger is sitting with Conan instead of Hader. The terrifying part? This was done by one guy using open source software that doesn’t require an entire special effects studio team to produce.
If that isn’t enough to put a chill in your bones here are a few recent deep fake news stories that should wake you right up:
- The Democratic National Committee produced a deep fake video of their own chair Tom Perez for this year’s Def Con (one of the biggest hacker conventions in the world) to highlight the dangers deep fakes present to the 2020 elections.
- A Chinese app maker just released a free app on the Chinese iOS App store that can use a single picture to replace actors’ faces in a collection of famous movie clips.
- A scammer used a deep fake audio application to impersonate the voice of a UK energy firm CEO which was convincing enough to trick an employee into transferring over $200k to an unauthorized bank account, from where it was quickly transferred and laundered through multiple international accounts.
There’s that elephant again, though at least this time, there are a lot of people talking about it. Technology is again racing ahead of ethics, morality and law, and shows no signs of stopping. Will it take money or elections being stolen before anything is done about it? Have we hit a point where society will always be trailing technology, picking up the broken pieces and taping together integrity as best we can?
I’m pretty sure most of us pay very little attention when our mobile phones ask to update the installed apps, even if during that process your phone asks if it’s OK to grant new permissions to an app that needs access to your contacts, camera, phone or local filesystem. The app is already installed on the phone and you use it (sometimes), so where’s the harm? Unfortunately for millions of Android users who had an app called CamScanner on their phone, the latest version came with a malware delivery vehicle called a Trojan Dropper. This bit of software, once installed, can reach out to a designated server on the internet and download encrypted code, which is then decrypted and run on the device without any action required by the phone owner.
What this means for you
Unfortunately for Android users, even the ones that keep on the straight-and-narrow and only install Play Store apps, staying inside Google’s “walled garden” is sometimes more like wandering around a hedge maze full of holes, thorny bushes and no clear exits. Earlier this month, Google had to remove 34 apps that collectively had been downloaded over 100 million times because they contained a similar bit of malware called a Clicker Trojan. In cases like the Dropper and this Clicker Trojan, the software is designed to allow hackers to covertly subscribe the users to costly subscription services and repeatedly open websites in massive advertising click-fraud campaigns, generating millions of dollars for the attackers, often going completely unnoticed on the compromised phones.
As with many types of malware infections, the underlying cause is often either a lack of understanding of how phones can be infected or what that behavior might look like on a mobile device, or, in many cases, a lack of patience or even care for the diligence required to notice the problem in the first place. If you need some basic guidelines on navigating the mobile app safety maze, here are some things you should always observe:
- Remove any apps you aren’t using, especially ones you don’t remember installing.
- Always read the reviews on apps that you are considering installing. Look for complaints about ads, popups, unusual behavior or suspicious permissions requests.
- Keep track of what you install, and observe your phone closely after installing a new app. The Clicker Trojan mentioned above didn’t activate until 8 hours after being installed, to avoid detection.
- Always be suspicious of an app’s request for unusual permissions. If you want to be on the safe side, deny all permissions during install, but be aware that many legitimate apps need access to various functions of your phone to operate properly, and denying permissions will likely cause the app to function poorly or not at all.
- Never install apps from any store other than the official Apple or Google stores. Jailbreaking or rooting your phone, even if you know what you are doing, is not recommended, and at minimum will void your warranty and absolve the carrier and phone manufacturer from providing any kind of support.
- Watch your phone bill and credit cards for unusual charges, especially if you have your bill set to auto-pay through credit card.
Ransomware attacks are on the rise. Depending on which security company you get your news from, the percentage increase from 2018 varies from 110% to a whopping 365% as reported by Malwarebytes Labs. Also important to note: attackers are going after government institutions in the US in a noticeable way. Since the start of 2019, there have been 22 documented attacks on city, county or state governments, including the high-profile incident in Baltimore which I wrote about back in May of this year, which has thus far resulted in $18 million in remediation costs and lost revenue. Not to be outdone, the state of Texas can add a new record to its list of big things: 23 local government organizations were attacked simultaneously in what is being called the largest coordinated ransomware attack against multiple government entities…so far.
What this means for you
Unless you happened to be served by one of the 23 unlucky institutions affected by this attack, this will be one more splash of water in our ongoing drink from the malware fire hose. Texas officials are keeping mum so far on the who, what and where of the attack, but if I had to guess, someone got phished via email and gave up credentials, which let the hackers drop malware on critical systems that all went off on August 16th. Given the breadth of the attack, it’s likely the attackers have been working this particular set of targets for months, meaning it was organized and purposeful.
You might not have noticed this, but ransomware attacks slipped into the background in 2017. They are back with a vengeance and focused on businesses and government entities, because the hackers realized that deeper pockets are just as susceptible to ransomware and are more likely to pay ransoms because they can’t afford not to pay, as seems to be painfully exemplified by Baltimore’s ongoing recovery. As always, your best protection against this type of malicious, technological pollution is a multi-layered defense perimeter that consists of, at minimum: email filtering, workstation and server malware protection, a strong firewall, and cloud-based backups. If you can add employee training to that list, you will be much better protected than your neighbor or even the competition. And in case you were wondering where you might be able to cover all these bases with one call, just give us a ring.
There are so many reports of this nature that I literally can’t even. My vacation can’t come soon enough, but in reality I’m just going to be worrying about all of you staying safe in the face of widespread negligence and malfeasance. Read on if you dare:
AT&T employees took bribes to plant malware on the company’s network
TLDR: Pakistani hackers bribed AT&T employees with $1M+ over the course of 5 years to unlock phones and install malware and rogue devices on AT&T networks.
More N.S.A. Call Data Problems Surface as Law’s Expiration Approaches
TLDR: Remember all that secret data collection the NSA got caught doing a few years back? They were supposed to delete that data, but Oops! they didn’t.
Yelp is Screwing Over Restaurants By Quietly Replacing Their Phone Numbers
TLDR: Yelp set up a shady deal with GrubHub to redirect customer calls through their hub instead of dialing the restaurant direct. Restaurants get charged a marketing fee for this sleight-of-hand.
Twitter may have shared your data with ad partners without consent
TLDR: Twitter may have inadvertently shared data on your viewing habits that it collected without authorization. And then used that data to show you more ads. “Oops.”
Democratic Senate campaign group exposed 6.2 million Americans’ emails
TLDR: Dumb campaign staffer puts unsecured spreadsheet online in 2010. Emails have been exposed for nearly 10 years.
It’s a day ending in “Y”, so that means yet another company CEO is on the news apologizing for exposing your PII to the internet. This time around it’s Capital One CEO Richard Fairbank having to say sorry for letting a hacker get access to approximately 100 million US and 6 million Canadian credit card applications. While Capital One was quick to try to downplay the severity of the incident, asserting that no credit card numbers were stolen, there is no sidestepping the fact that the hacker, who has since been arrested, was attempting to sell information that includes 140K US Social Security numbers, 1 million Canadian Social Insurance numbers and 80,000 bank account numbers, as well as an undisclosed number of names, addresses, credit scores, limits and balances.
Not feeling violated enough yet?
To add to everyone’s continuing dystopian nightmare this week, Apple was recently caught in a glaring contradiction to its ongoing marketing message of being a champion of its users’ privacy. Despite buying huge billboards touting that “what happens on your iPhone stays on your iPhone”, a whistleblower has shared damning details on Apple’s use of contractors who have access to numerous private and very sensitive audio snippets recorded by Siri. According to Apple, only a small number of Siri requests are reviewed by humans for accuracy and algorithm tuning, and supposedly these small audio files are semi-anonymized to protect user privacy. Not so, says the whistleblower. As anyone who uses a voice-activated device can attest, Siri and its ilk can perk an ear up even when not being directly addressed, resulting in plenty of unintended recordings that people would definitely not want shared.
“…you can definitely hear a doctor and patient, talking about the medical history of the patient. Or you’d hear someone, maybe with car engine background noise – you can’t say definitely, but it’s a drug deal … you can definitely hear it happening. And you’d hear, like, people engaging in sexual acts that are accidentally recorded on the pod or the watch.”
Anonymous Apple contractor to The Guardian, 26 July 2019
An important distinction needs to be made with regards to Apple’s voice recognition data gathering practices, especially since they themselves take great pains to tout their privacy advocacy. While Google and Amazon both allow some opt out options on the use of their recordings, Apple does not offer this option short of disabling Siri altogether.
As reported here and everywhere, the 2017 breach of Equifax credit reporting agency exposed critical PII (personally identifiable information) for 147 million Americans. It remains equally notorious for Equifax’s botched handling of the breach as well as the thundering silence (until now) from the government on what should be done to address the appalling privacy breach as well as what consequences the company should face as a result. If it had been announced a few months earlier, Equifax’s settlement with the FTC, Consumer Financial Protection Bureau, and 50 US States and Territories for $575-700M might seem significant, but in the face of the record $5B fine levied against Facebook just two weeks prior, the amount seems paltry, especially considering that Equifax reported revenue of $3.41B in 2018.
What does this mean for you?
From a raw-math perspective, this settlement values your most critical financial data (full name, address, social security number, email address, phone number, credit card numbers, bank account numbers…feel ill yet?) at around $2-3. Yup, sorry, no “B” or “M” or even “K” following those numbers. Two dollars.
However, if you are willing to put in the work, you can possibly claw back as much as $20,000 depending on your circumstances. For a more comprehensive outline of how you can get your share of the Equifax settlement, the Wall Street Journal spells it out fairly well, but I’ll hit the high notes if you want to hit the ground running from here:
- Were you affected by the Equifax breach?
- Check your credit report.
- Get email updates about the settlement.
- You are entitled to up to 6 free Equifax credit reports a year from 2020 through 2027.
- You may be partially compensated for credit monitoring or identity protection paid for between 9/7/2016 and 9/7/2017.
- You may be eligible for free identity restoration services for at least seven years.
A few years back I had an unusual request from a client to investigate their spouse’s online history for evidence of possible infidelity. I was asked to handle it discreetly and under the guise of investigating their computers for possible hacking or malware infection. Interestingly enough, it turned out that their computers had been hacked and the attackers had resurrected an old account from a dating site that the spouse had used when they were single. A friend had spotted the activity and brought it to the spouse’s attention who then brought it to me. Even though this cleared up one potential home-wrecking situation, it was only the tip of the iceberg for the couple, as this was only one of many accounts that had been compromised in the identity theft.
How many zombie accounts do you have?
One of the most overlooked double-edged swords of online services is the requirement of creating yet another account to access those services. These companies, for the sake of convenience, use your email address as the login, and it’s highly likely you, also for the sake of convenience, will use a password that is being used elsewhere, possibly repeatedly. Those of us who think of ourselves as only “casual” online participants will have dozens of accounts, and those of us who have lived and worked online since the birth of the internet will likely have created a hundred or more, with a large majority of them long forgotten and assumed dead and buried.
Many companies, from startup to Fortune 50, do not actively prune unused accounts, and many do not offer a way to remove or deactivate an account, regardless of whether it’s highly active or never been used. It’s also possible for the data of a company that has gone out of business to end up on another company’s server, also forgotten and not maintained by the new custodians, and worse, not even accessible by the customers that created that data in the first place. Unfortunately for us, out of sight is not out of mind for a hacker, and these forgotten troves of data are often not as well protected or even monitored by the company who is supposed to be securing it.
What does this mean for me?
First, stop using the same password for multiple accounts. If one company gets hacked and your data is compromised (Has your login or password already been compromised?), it’s only a hop, skip and a jump for that login credential to be cross-matched on a dark-web database. Suddenly that LinkedIn account which you haven’t used in years has risen from the grave and bitten you right on the you know where on an account that does matter to you.
Secondly, take a lazy Sunday morning to go through your email looking for new account emails from long-forgotten accounts. You can search for them by using phrases like “new account” or “your password” or “account activated”. Make a list and then consider deleting or deactivating any of the accounts you are not using. There is no tried and true way to do this – each service (if it still exists) will have a different process for removing the old accounts, and some will do their damnedest to keep you from leaving, but no one ever said that being safe online was easy, so buckle up and dig in.
Thirdly, consider deleting those very same emails you just found that led you to those old accounts, especially the ones for accounts you are planning to keep, and particularly if they actually contain passwords. If you found them, someone with unauthorized access to your email account can find them as well and figure out ways to get into those accounts, especially if the emails contain passwords.
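One way to automate the mailbox search from the steps above, as an added example that is not code from the original post: it reads an mbox export of your mailbox with Python’s standard mailbox module, looks for the phrases named above (plus a few common variants I added), groups hits by the sending service’s domain, and flags emails that embed a password so you know which ones to delete. The sample mailbox is constructed for the demo.

```python
# Added example (not from the original post): scan an mbox export of your mailbox for
# account-creation and password emails and group them by the sending service's domain.
import mailbox
import re
import tempfile
from collections import defaultdict
from email.utils import parseaddr

# Search phrases from the post plus a few common variants (the variants are my additions).
PHRASES = ("new account", "your password", "account activated",
           "welcome to", "verify your email", "confirm your account")
PASSWORD_RE = re.compile(r"password\s*[:=]\s*\S+", re.IGNORECASE)  # e.g. "password: hunter2"

def matches(text):
    """True if any search phrase occurs in the text (case-insensitive)."""
    return any(phrase in text.lower() for phrase in PHRASES)

def sender_domain(from_header):
    """Domain part of the From: address, or 'unknown' if it cannot be parsed."""
    _, addr = parseaddr(from_header or "")
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else "unknown"

def body_text(msg):
    """Concatenate the text/plain parts of a message (works for multipart mail too)."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)

def find_account_emails(mbox_path):
    """Return {sender_domain: [(date, subject, contains_password), ...]} for matching mail."""
    found = defaultdict(list)
    for msg in mailbox.mbox(mbox_path):
        subject = msg.get("Subject", "") or ""
        body = body_text(msg)
        if matches(subject) or matches(body):
            has_password = PASSWORD_RE.search(body) is not None
            found[sender_domain(msg.get("From"))].append((msg.get("Date", ""), subject, has_password))
    return dict(found)

# Constructed sample mailbox: one welcome email that embeds the password, one plain
# activation notice, and one unrelated message that must not be reported.
SAMPLE_MBOX = """From alerts@example-shop.test Mon Jan 05 10:00:00 2009
From: Example Shop <alerts@example-shop.test>
Subject: Your new account is ready
Date: Mon, 05 Jan 2009 10:00:00 +0000

Thanks for signing up. Your username is you@example.test and your password: hunter2

From noreply@old-dating.test Fri Mar 12 09:30:00 2010
From: Old Dating <noreply@old-dating.test>
Subject: Account activated
Date: Fri, 12 Mar 2010 09:30:00 +0000

Your profile is live. Log in to start browsing.

From friend@example.test Sat Jun 01 12:00:00 2019
From: A Friend <friend@example.test>
Subject: Lunch next week?
Date: Sat, 01 Jun 2019 12:00:00 +0000

Are you free on Tuesday?
"""

def write_sample_mbox():
    """Write the constructed sample to a temp file and return its path."""
    with tempfile.NamedTemporaryFile("w", suffix=".mbox", delete=False) as handle:
        handle.write(SAMPLE_MBOX)
        return handle.name

if __name__ == "__main__":
    for domain, hits in sorted(find_account_emails(write_sample_mbox()).items()):
        print(domain, hits)
```

Point `find_account_emails` at a real mbox export (most mail clients and Google Takeout can produce one) and each domain in the output is a candidate zombie account to close.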
Videoconferencing darling Zoom stirred up a pot of controversy earlier this week after it first disclosed and then defended an apparent security weakness in its OS X video conferencing client. According to the security researcher who discovered and reported the flaw back in March of this year, the Mac version of Zoom installs a webserver on the computer on which it is used that will enable users to quickly make and answer Zoom calls. Unfortunately, the main reason they implemented this method was because the built-in security restrictions of the Mac operating system were getting in the way of this quick-connect feature, a “benefit” which Windows users did not enjoy. On top of this, even after the Zoom software was removed from the Mac, this local webserver remained in place, allowing for quick reinstallation in case the user needed to make or receive a Zoom call, the latter of which could be exploited to gain unauthorized access to the Mac’s built-in camera.
Subverting security for convenience is always good practice, right?
Initially, Zoom defended their Mac client methodology and insisted that the changes they made to the Mac client’s settings should be sufficient to protect against any exploits of their software. The security researcher remained unconvinced that it was sufficient protection for Mac Zoom users and released his findings to the public alongside a proof of concept demonstration of a malicious Zoom invite attack. After about 24 hours of internet uproar over the vulnerability, Zoom reversed their position on the subject and has just released a patch that removes this feature, as well as adding a new menu choice to do a full uninstall of the software that removes the hidden webserver.
If you are using the Mac version of Zoom, you will want to update your software immediately if it hasn’t already prompted you to update. Windows users, for once, don’t need to do anything. Enjoy your small respite from the usual flood of security flaws.
Among the many problems of the internet, one of the most egregious is the fact that anyone can create a website, put it online, and not really be held accountable for what is actually published on said website. Let’s take the website of home automation company Orvibo, who, at the time of this article’s writing, states on their website:
“Cloud platform supports millions of IoT devices and guarantees the data safety.”
The claim that their platform supports “millions” of devices is backed up by the Orvibo database size, which appears to contain more than two billion records, but the fact that we know exactly how many records are in the cloud platform and that their database is currently open for viewing on the internet without a password is the exact opposite of guaranteeing data safety.
How can a company screw up so badly?
I’ve answered this rhetorical question several times in the past on this blog, but in case you’ve missed it: Technology is fallible because humans are fallible. They are also lazy and sometimes downright malicious, but in the case of the Orvibo database, which remains open and accessible at the time of this blog’s publication, we have a stunning example of gross negligence and incompetence that is impacting millions of its customers in very personally identifiable ways. The two billion records, which include customers from China, Japan, Thailand, Mexico, France, Australia, Brazil, the United Kingdom and the U.S., contain email addresses, passwords, geolocation data, IP addresses and device reset codes. Given that Orvibo devices include home automation and security products, the data exposed in this open database gives hackers literally the keys to many families’ homes and hotel rooms, and could potentially endanger their actual lives.
What should you do if you are using Orvibo technology in your home or workplace? Discontinue using it immediately if possible, and if that isn’t possible, see if you can at least disconnect it from the internet and change any passwords used on the device, especially if it’s a password you’ve used elsewhere (also a no-no, for just this very reason). It’s not clear when, or even if, Orvibo will address this vulnerability anytime soon, nor will we know whether the data has been accessed by anyone with ill intent, but in this case, erring on the side of caution is the best course of action.
Very early on, during my time as a young support technician nearly twenty years ago, I quickly learned that most people, particularly those who had grown comfortable working with office computers, frequently did not read many of the dialog and alert boxes that popped up on screen, which oftentimes led to unexpected or even deleterious results. Even if they did read what was presented (or thought they read it), most of the time they could not recall what the dialog box actually said. Despite what you might think, this is actually very human, and not limited to technology use. When performing menial tasks (as many things we do on computers now are), we are prone to learning how to do them as quickly and efficiently as possible, which includes tapping “OK” as quickly as possible to the numerous prompts our devices pose to us throughout the day. You may have already noticed that many online services, apps and websites have taken advantage of this tendency and present patterns of interaction that mimic expected use but lead to unexpected outcomes, like accidentally downloading and installing antivirus protection that we don’t need, or adding a paid subscription service for an app that was supposed to be free.
I can feel you clicking “Get to the point, Woo…”
While most people have come to expect that websites and online platforms are going to gather demographic information on them and show advertisements that can sometimes seem uncomfortably accurate, they are not as jaded as yours truly and don’t believe that these same “free” services are actively trying to deceive them through misleading and/or confusing interfaces, dialog boxes and obtuse language. But a recently published European study found that this is exactly what they are doing, and it’s no accident, nor, if you think about it, is it a new practice. McAfee and Adobe have been doing this for years with their Adobe Reader – McAfee Security Center downloads, and I’m pretty sure every single one of my clients has fallen victim to this particular trap at least once, despite years of warning about the dangers of clicking “OK” before reading the message. Heck, even IT professionals like yours truly have fallen victim to clicking when in a hurry because we (despite appearances sometimes!) are human too.
At least two US Senators have finally deigned to do something about the alarming increase in deceptive interface practices and have floated new legislation creatively named “Deceptive Experiences to Online User Reduction Act.” The DETOUR Act would give the Federal Trade Commission the legal means to regulate the use of purposefully deceptive or confusing practices to steer users to decisions that may not be in their best interests or subvert expectations, something they have been monitoring in traditional advertising for decades. For now, this legislation is still in committee, but we can take a small measure of hope that this bipartisan bill finds its way to the voting floor soon. Make sure you contact your Congress-critter to let them know that this is important to you.