There are so many reports of this nature that I literally can’t even. My vacation can’t come soon enough, but in reality I’m just going to be worrying about all of you staying safe in the face of widespread negligence and malfeasance. Read on if you dare:
AT&T employees took bribes to plant malware on the company’s network
TLDR: Pakastani hackers bribe ATT employees $1M+ over the course of 5 years to unlock phones and install malware and rogue devices on ATT networks.
More N.S.A. Call Data Problems Surface as Law’s Expiration Approaches
TLDR: Remember all that secret data collection the NSA got caught doing a few years back? They were supposed to delete that data, but Oops! they didn’t.
Yelp is Screwing Over Restaurants By Quietly Replacing Their Phone Numbers
TLDR: Yelp set up a shady deal with GrubHub to redirect customer calls through their hub instead of dialing the restaurant direct. Restaurants get charged a marketing fee for this sleight-of-hand.
Twitter may have shared your data with ad partners without consent
TLDR: Twitter may have inadvertently shared data on your viewing habits that it collected without authorization. And then used that data to show you more ads. “Oops.”
Democratic Senate campaign group exposed 6.2 million Americans’ emails
TLDR: Dumb campaign staffer puts unsecured spreadsheet online in 2010. Emails have been exposed for nearly 10 years.
Image courtesy of TAW4 at FreeDigitalPhotos.net
It’s a day ending in “Y” so that means yet another company CEO is on the news apologizing for exposing your PII to the internet. This time around it’s Capital One CEO Richard Fairbank having to say sorry for letting a hacker get access to approximately 100 million US and 6 million Canadian credit card applications. While Capitol One was quick to try to downplay the severity of the the incident, asserting that no credit card numbers were stolen, there is no sidestepping the fact that the hacker, who has since been arrested, was attempting to sell information that includes 140K US Social Security numbers, 1 million Canadian Social Insurance numbers and 80,000 bank account numbers, as well as an undisclosed number of names, addresses, credit scores, limits and balances.
Not feeling violated enough yet?
To add to everyone’s continuing dystopian nightmare this week, Apple was recently caught in a glaring contradiction to its ongoing marketing message of being a champion of its users’ privacy. Despite buying huge billboards touting that “what happens on your iPhone stays on your iPhone”, a whistleblower has shared damning details on Apple’s use of contractors who have access to numerous private and very sensitive audio snippets recorded by Siri. According to Apple, only a small number of Siri requests are reviewed by humans for accuracy and algorithm tuning, and supposedly these small audio files are semi-anonymized to protect user privacy. Not so, says the whistleblower. As anyone who uses a voice-activated device can attest, Siri and its ilk can perk an ear up even when not being directly addressed, resulting in plenty of unintended recordings that people would definitely not want shared.
“…you can definitely hear a doctor and patient, talking about the medical history of the patient. Or you’d hear someone, maybe with car engine background noise – you can’t say definitely, but it’s a drug deal … you can definitely hear it happening. And you’d hear, like, people engaging in sexual acts that are accidentally recorded on the pod or the watch.”
Anonymous Apple Contractor to The Guardian, 26JUL2019
An important distinction needs to be made with regards to Apple’s voice recognition data gathering practices, especially since they themselves take great pains to tout their privacy advocacy. While Google and Amazon both allow some opt out options on the use of their recordings, Apple does not offer this option short of disabling Siri altogether.
Image courtesy of Stuart Miles at FreeDigitalPhotos.net
As reported here and everywhere, the 2017 breach of Equifax credit reporting agency exposed critical PII (personally identifiable information) for 147 million Americans. It remains equally notorious for Equifax’s botched handling of the breach as well as the thundering silence (until now) from the government on what should be done to address the appalling privacy breach as well as what consequences the company should face as a result. If it had been announced a few months earlier, Equifax’s settlement with the FTC, Consumer Financial Protection Bureau, and 50 US States and Territories for $575-700M might seem significant, but in the face of the record $5B fine levied against Facebook just two weeks prior, the amount seems paltry, especially considering that Equifax reported revenue of $3.41B in 2018.
What does this mean for you?
From a raw-math perspective, this settlement values your most critical financial data (full name, address, social security number, email address, phone number, credit card numbers, bank account numbers…feel ill yet?) at around $2-3 dollars. Yup, sorry, no “B” or “M” or even “K” following those numbers. Two dollars.
However, if you are willing to put in the work, you can possibly claw back as much as $20,000 depending on your circumstances. For a more comprehensive outline of how you can get your share of the Equifax settlement, the Wall Street Journal spells it out fairly well, but I’ll hit the high notes if you want to hit the ground running from here:
- Were you affected by the Equifax breach?
- Check your credit report.
- Get email updates about the settlement.
- You are entitled to up to 6 free Equifax credit reports a year from 2020 through 2027.
- You may be partially compensated for credit monitoring or identity protection paid for between 9/7/2016 and 9/7/2017.
- You may be eligible for free identity restoration services for at least seven year.
Image courtesy of Stuart Miles from FreeDigitalPhotos.net
A few years back I had an unusual request from a client to investigate their spouse’s online history for evidence of possible infidelity. I was asked to handle it discreetly and under the guise of investigating their computers for possible hacking or malware infection. Interestingly enough, it turned out that their computers had been hacked and the attackers had resurrected an old account from a dating site that the spouse had used when they were single. A friend had spotted the activity and brought it to the spouse’s attention who then brought it to me. Even though this cleared up one potential home-wrecking situation, it was only the tip of the iceberg for the couple, as this was only one of many accounts that had been compromised in the identity theft.
How many zombie accounts do you have?
One of the most overlooked double-edged swords of online services is the requirement of creating yet another account to access those services. These companies, for the sake of convenience, use your email address as the login, and it’s highly likely you, also for the sake of convenience, will use a password that is being used elsewhere, possibly repeatedly. Those of us who think of themselves as only “casual” online participants will have dozens of accounts, and those of who have lived and worked online since the birth of the internet will likely have created a hundred or more, with a large majority of them long forgotten and assumed dead and buried.
Many companies, from startup to Fortune 50, do not actively prune unused accounts, and many do not offer a way to remove or deactivate an account, regardless of whether it’s highly active or never been used. It’s also possible for the data of a company that has gone out of business to end up on another company’s server, also forgotten and not maintained by the new custodians, and worse, not even accessible by the customers that created that data in the first place. Unfortunately for us, out of sight is not out of mind for a hacker, and these forgotten troves of data are often not as well protected or even monitored by the company who is supposed to be securing it.
What does this mean for me?
First, stop using the same password for multiple accounts. If one company gets hacked and your data is compromised (Has your login or password already been compromised?), it’s only a hop, skip and a jump for that login credential to be cross-matched on a dark-web database. Suddenly that LinkedIn account which you haven’t used in years has risen from the grave and bitten you right on the you know where on an account that does matter to you.
Secondly, take a lazy Sunday morning to go through your email looking for new account emails from long-forgotten accounts. You can search for them by using phrases like “new account” or “your password” or “account activated”. Make a list and then consider deleting or deactivating any of the accounts you are not using. There is no tried and true way to do this – each service (if it still exists) will have a different process for removing the old accounts, and some will do their damnedest to keep you from leaving, but no one ever said that being safe online was easy, so buckle up and dig in.
Thirdly, consider deleting those very same emails you just found that led you to those old accounts, especially the ones you are planning to keep, and particularly if they actually contain passwords. If you found them, someone with unauthorized email accounts can find them as well and figure out ways to get into those accounts, especially if the emails contain passwords.
Image by Gordon Johnson from Pixabay
Videoconferencing darling Zoom stirred up a pot of controversy earlier this week after it first disclosed and then defended an apparent security weakness in its OS X video conferencing client. According to the security researcher who discovered and reported the flaw back in March of this year, the Mac version of Zoom installs a webserver on the computer on which it is used that will enable users to quickly make and answer Zoom calls. Unfortunately, the main reason they implemented this method was because the built-in security restrictions of the Mac operating system were getting in the way of this quick-connect feature, a “benefit” which Windows users did not enjoy. On top of this, even after the Zoom software was removed from the Mac, this local webserver remained in place, allowing for quick reinstallation in case the user needed to make or receive a Zoom call, the latter of which could be exploited to gain unauthorized access to the Mac’s built-in camera.
Subverting security for convenience is always good practice, right?
Initially, Zoom defended their Mac client methodology and insisted that the changes they made to the Mac client’s settings should be sufficient protect against any exploits of their software. The security researcher remained unconvinced that it was sufficient protection for Mac Zoom users and released his findings to the public alongside a proof of concept demonstration of a malicious Zoom invite attack. After about 24 hours of internet uproar over the vulnerability, Zoom reversed their position on the subject and has just released a patch that removes this feature, as well as adding a new menu choice to do a full uninstall of the software to remove the hidden webserver.
If you are using the Mac version of Zoom, you will want to update your software immediately if it hasn’t already prompted you to update. Windows users, for once, don’t need to do anything. Enjoy your small respite from the usual flood of security flaws.
Among the many problems of the internet, one of the most egregious is the fact that anyone can create a website, put it online, and not really be held accountable for what is actually published on said website. Let’s take the website of home automation company Orvibo, who, at the time of this article’s writing, states on their website:
“Cloud platform supports millions of IoT devices and guarantees the data safety.”

The claim that their platform supports “millions” of devices is backed up by the Orvibo database size, which appears to contain more than two billion records, but the fact that we know exactly how many records are in the cloud platform and that their database is currently open for viewing on the internet without a password is the exact opposite of guaranteeing data safety.
How can a company screw up so badly?
I’ve answered this rhetorical question several times in the past on this blog, but in case you’ve missed it: Technology is fallible because humans are fallible. They are also lazy and sometimes downright malicious, but in the case of the Orvibo database which remains open and accessible at the time of this blog’s publication, we have a stunning example of gross negligence and incompetence that is impacting millions of its customers in very personally identifiable ways. Among the two billion records that includes customers from China, Japan, Thailand, Mexico, France, Australia, Brazil, the United Kingdom and the U.S. are email addresses, passwords, geolocation data, IP addresses and device reset codes. Given that Orvibo devices include home automation and security products, the data exposed in this open database gives hackers literally the keys to many family’s homes and hotel rooms, and could potentially endanger their actual lives.
What should you do if you are using Orvibo technology in your home or workplace? Discontinue using it immediately if possible, and if that isn’t possible, see if you can at least disconnect it from the internet and change any passwords used on the device, especially if it’s a password you’ve used elsewhere (also a no-no for just this very reason). It’s not clear when, or even if, Orvibo will address this vulnerability anytime soon, nor will we know whether the data has been access by anyone with ill intent, but in this case, erring on the side of caution is the best course of action.
Very early on, during my time as a young support technician nearly twenty years ago, I quickly learned that most people, particularly those who had grown comfortable working with office computers, frequently did not read many of the dialog and alert boxes that popped up on screen, which often-times led to unexpected or even deleterious results. Even if they did read what was presented (or thought they read it), most of the time they could not recall what the dialog box actually said. Despite what you might think, this is actually very human, and not limited to technology use. When performing menial tasks (as many things we do on computers now are), we are prone to learning how to do them as quickly and efficiently as possible, which includes tapping “OK” as quickly as possible to the numerous prompts our devices pose to us throughout the day. You may have already noticed that many online services, apps and websites have taken advantage of this tendency and present patterns of interaction that mimic expected use, but lead to unexpected outcomes, like accidentally downloading and installing antivirus protection that we don’t need, or adding a paid subscription service for an app that was supposed to be free.
I can feel you clicking “Get to the point, Woo…”
While most people have come to expect that websites and online platforms are going to gather demographic information on them and show advertisements that can sometimes seem uncomfortably accurate, they are not as jaded as yours truly to believe that these same “free” services aren’t actively trying to deceive them through misleading and/or confusing interfaces, dialog boxes and obtuse language, but a recently published European study found that this is exactly what they are doing it, and it’s no accident, nor, if you think about it, is it a new practice. McAfee and Adobe have been doing this for years with their Adobe Reader – McAfee Security Center downloads, and I’m pretty sure every single one of my clients has fallen victim to this particularly trap at least once, despite years of warning about the dangers of clicking “OK” before reading the message. Heck, even IT professionals like yours truly have fallen victim to clicking when in a hurry because, we (despite appearances sometimes!) are human too.
At least two US Senators have finally deigned to do something about the alarming increase in deceptive interface practices and have floated new legislation creatively named “Deceptive Experiences to Online User Reduction Act.” The DETOUR Act would give the Federal Trade Commission the legal means to regulate the use of purposefully deceptive or confusing practices to steer users to decisions that may not be in their best interests or subvert expectations, something they have been monitoring in traditional advertising for decades. For now, this legislation is still in committee, but we can take a small measure of hope that this bipartisan bill finds its way to the voting floor soon. Make sure you contact your Congress-critter to let them know that this is important to you.
Image by Gerd Altmann from Pixabay
Since the advent of online discussion forums and the resulting need for forum moderators that can reign in unruly participants, there have been endless (if constitutionally ill-informed) debates in the US about free speech rights and their applicability to the internet. This particular debate has loomed ever larger as social media’s sudden dominance in politics, economics and ethics surprised even the gloomiest doomsayers in the past three years. Last year, the New York 2nd Circuit Court ruled that a public access TV channel had violated the 1st amendment rights of two producers who appeared to have been fired for criticizing their employer. The TV channel, Manhattan Neighborhood Network appealed to the Supreme Court who just earlier this week reversed the decision.
How does this apply to social media?
The details of the case at first don’t seem to apply at all to social media: MNN is a state mandated and funded public access network, an entity that most analysts agreed would appear to be subject to 1st Amendment jurisdiction. Social media platforms, on the other hand, are clearly not state-owned or operated nor is access to them mandated by any state or federal law. Surprisingly, the decision to reverse the 2nd Circuit ruling was led by the “conservatives” on the court, the exact opposite of what was expected by many conservatives pursuing free speech cases against YouTube and other media platforms for their alleged “anti-conservative bias.”
Instead, the majority opinion took a rather narrow view of public forum doctrine, stating that even though the creation and operation of MNN was mandated by the state, it is operated as a private company in a function that is NOT the exclusive domain of the state, much the same as every social media platform in existence. Just because a private entity (even one as big as Google/YouTube) allows everyone to post and participate does not turn it into a protected free speech zone. Justice Kavanaugh states in his conclusion:
“A private entity […] who opens its property for speech by others is not transformed by that fact alone into a state actor.”
While the court did not directly call out social media platforms in their decision, even the dissenting opinion, written by Justice Sotomayor, seems to leave little room for creative interpretation, and seems to be speaking directly to the heart of the matter:
“The First Amendment leaves a private store owner (or homeowner), for example, free to remove a customer (or dinner guest) for expressing unwanted views…. In these settings, there is no First Amendment right against viewpoint discrimination.”
Image courtesy of Stuart Miles from FreeDigitalPhotos.net
One of the basic problems with collecting a lot of data is that you need a place to store it, and if it’s sensitive data, you need to store it securely. Unfortunately for everyone, the amount of private data all companies are amassing on their customers is accelerating as everyone (except the customers) realizes just how lucrative this practice is. Or, as is the case for more and more companies who get breached, how costly it may end up being if they can’t keep that data safe, as both party-planning website Evite and United States Customs and Border Protection owned up to this week.
What this means for you
While US CBP has not officially released information on the scope of their leak, sources have confirmed that facial recognition data and license plates for up to 100k individuals crossing the Canadian border were stolen from a CBP subcontractor who was storing and using the data outside of the CBP network on their own systems, which were then breached by an as yet unknown attacker.
In the case of the Evite breach, the website was actually notified several months ago that they had been compromised, but only just now acknowledged that customer data from 2013 was stolen in a breach that appears to have happened in February of this year. No financial information was leaked, but names, emails, IP addresses and passwords were definitely stolen and made available for purchase on the dark web in April.
As is typically the case in these types of breaches, there is not a lot you can do as an individual. Evite, of course, has supposedly notified affected individuals of the breach, and is encouraging all users to reset their passwords as a matter of course. And if you happened to be one of the 100k or so individuals passing through a particular Canadian border crossing which is as yet unnamed, you might never know if your data was part of this particular breach.
In what is likely to be a developing (and increasingly bad) news story, two major medical testing companies have announced that their customers’ information has been exposed by a data breach at a vendor that both firms use for payment collections. The firm, American Medical Collections Agency, informed its two clients separately of a persistent security breach that over the course of 8 months, 11.9 million Quest Diagnostic customer records and 7.7 million LabCorp customer records were exposed and most likely stolen by as yet unidentified threat agents. And seeing as this company also has several other, as yet unidentified clients, it’s likely we will see even more disclosures from those companies once the full extent of the AMCA breach is explored.
But wait…there’s more!
Real estate title insurance giant First American Financial Corp. is currently under investigation by regulators for what appears to be a colossal security failure wherein their website exposed over 800 million documents dating back nearly 16 years that contained customer bank account numbers, Social Security numbers, mortgage, tax and wire transaction records as well as drivers license images. Unfortunately the security researchers who originally discovered and confirmed the glaring privacy breach have no way to determine who else accessed the documents during the nearly 2 years it was exposed, but as you can imagine, this level of confidential information is exactly what identity thieves dream about every night.
What’s to be done about this?
At most, you might be able to participate in a class action lawsuit against First American. As of yet, no litigation has been opened against AMCA, and frankly, most people would have no idea who either of these companies are, as they don’t deal directly with the people who are affected by their breaches. Surely regulators and lawmakers are going to punish these companies significantly, especially in light of egregious lack of diligence as in the case of First American. Surely companies will stop doing business with vendors that aren’t taking security and privacy seriously, right? The fact that companies like Equifax are still in business says otherwise, so the only way we are going to see these companies held properly accountable is to vote in lawmakers who care more about their constituents than their corporate donors.










