You may already be aware that the cell carriers provide pin-point location data to various data brokers and advertisers, as well as law enforcement with a warrant. If you aren’t, you might want to stop and read this blog post and the article I refer to therein. What you might not have suspected was that this very confidential data is available to people who aren’t just interested in selling you stuff, but may be interested in your physical location for more nefarious reasons. Joseph Cox of Motherboard/Vice Magazine gave $300 to a bounty hunter to locate a target phone, which was done in a matter of minutes. Though explicit consent was given by the target for the purposes of this investigation, that permission wasn’t required for the deed to be performed. In other words, if someone wanted to find you (by means of tracking your smartphone), all they need is a few hundred dollars and the right contact.
What this means for you
How does this happen? Basically, the cell phone carriers are selling to companies called “data aggregators”, who then sell to vertical specialists that service specific industries, like bail bondsmen. The cell carrier usually has some form of data privacy and consent policy in place governing its first tier vendor relationship, but obviously have less control the further the data gets away from them. Not that I’m implying the bail industry is more shady than any other, but this was the avenue used by the Motherboard reporter. Unfortunately for us, we live in an country that doesn’t regulate data sales, despite it being one of the most profitable industries in modern history. There are many reasons for this, chief among them the fact that data doesn’t have a tangible form and is trivial to transport thanks to the Internet which also makes it hard to trace, on top of a government that still largely doesn’t understand how technology works, and large corporations who answer to investors and not regulators.
In case it wasn’t already clear, there’s not a lot you can do about your cell carriers data sales policy except to not use their services, which, unless you are a professional Luddite, isn’t very practical in this day and age. Aside from making sure you are voting for congress critters that are technologically savvy and pursuing your privacy interests, knowing that your location isn’t private (and probably won’t be in the foreseeable future) while carrying a smartphone is about as good as it gets. And remember, just because you turn off location tracking does NOT mean that the cell phone carriers don’t know your location. If your phone is on, they know where you are, regardless of your settings, and what they do with that information is, ironically, increasingly hard to track.
Image courtesy of Stuart Miles from FreeDigitalPhotos.net
Thanks to internet shopping, there’s still some time to get someone a last minute tech gift. Here are some items that I use every day that would make a great stocking stuffer or gift exchange present:
- Travel USB Wall Charger with Foldable Plug: Every family trip, this charger is the first thing to go into the luggage. The folding plug makes it easy to pack, and it has 4 ports so everyone just has to remember their charging cable and not bother with separate, single-port chargers. Knowing that my family is very likely to forget charging cables too, I also grab…
- Magnetic USB Charging Cables: These cables make my mobile life so much easier. Basically, a small magnetic insert goes in your device’s USB or Thunderbolt port, and it will connect to a magnetic USB charging cable (no data, just AC) that just magically connects when they are next to each other, no fumbling around trying to get the charging cable into the device. The convenience really shines in the car and on your nightstand.
- Battery Pack with Flashlight: The only time my phone gets charged is when I’m in one place longer than 15 minutes at a time AND if I happen to remember to plug it in. When I’m on the go and expect to be nowhere near an AC outlet for any stretch of time, I bring a battery pack like this one, either in my backpack or in a jacket pocket just in case. This particular model has an extending light which can turn this battery into a mini lamp or book light, perfect for dark restaurants or camping trips.
- Flexible Arm Mobile Phone Holder: at first this seemed kinda silly, but I came to really like the bendable arm that clamps to my desk and holds my phone up at eye-level. Added bonus is that my magnetic charging cable sticks to it, making it easy to snap on to my phone when I eventually come to roost at my desk. They also make models for tablets and ones that will clamp to you dash or seat in your car. Quite literally very handy!
- Neoprene Laptop Sleeve: My laptop is probably the most expensive thing I carry with me on a daily basis, and it is shoved in and out of my backpack like a Japanese subway commuter. I keep it protected by storing it in a sleeve that maybe cost me $10, and it is probably the best $10 you can spend to protect something that might literally costs a hundred times that. Totally worth it!
Surprisingly, most people don’t realize that the popular idiom, “The Devil is in the detail” is actually derived from the more encouraging phrase, “God is in the detail,” i.e. pay attention to the small things as they are important. Both adages are more relevant now than ever, particularly because the average human is now daily agreeing to privacy policies with which, if they were to actually read the fine print, would probably not agree to at all. Such is the case with the numerous policies you are “accepting” when you install apps on your smartphone. What policy acceptance? The one hidden behind a small pop-up that says your data will be shared with other parties to improve your experience, or some other vaguely worded reminder that you are sharing data with a company in exchange for the free (or sometimes paid) use of an app.
What this means for you
“Yeah, yeah, I know, they are watching my every move,” my clients have said to me, “I’ve got nothing to hide.” Or, “It’s a small price to pay for this wonderful app/service/game.” Except most aren’t aware of how much data is being tracked, or what it can used for, aside from advertising. If you’d like a small taste of how this data is being assembled and the level of detail it can offer into everyone’s daily routines, read this article from the NY Times, “Your Apps Know Where You Were Last Night, and They’re Not Keeping It Secret” – it’s a very easy read and has some nice interactive visual aids to bring the point home. Despite its approachable tone, the content of the article should be unsettling for everyone. For example, when asked to explain why their prompt to grant access to very precise coordinate data and permission to share with 16 companies was instead presented as a way to “recommend local teams and players that are relevant to you,” a spokesperson for the app responded (emphasis ours):
…the language in the prompt was intended only as a “quick introduction to certain key product features” and that the full uses of the data were described in the app’s privacy policy.
Let’s be honest here: I’m in this business up to my neck, and even I don’t read those privacy policies, but only because I know exactly what I’m trading for the use of a “free” app. You have a much more relatable excuse: “Ain’t nobody got time for ‘dat.” You are not wrong, but in the pursuit of better deals, faster commutes, cheaper gas or just weather updates, we have traded a precious commodity: privacy. And lest you forget, privacy is not about hiding secrets, but about not wanting to share everything about your life with complete strangers who only view you as a profit center. This is yet another glimpse of the elephant on the internet around which everyone is still carefully tip-toeing. Make sure you are paying attention!
Image courtesy of TAW4 at FreeDigitalPhotos.net
Hold onto your hats, ladies and gents, because this latest breach is a doozy! Up to 500 million individuals who have transacted with Starwood Hotels & Resorts (now owned by Marriott) have had their information exposed in a massive breach. According to the statement released by Marriott, the Starwood guest reservation database was compromised as early as 2014 and information up to September of this year is considered exposed. Compounding the severity of this issue, already ranked as one of the largest so far, is the amount and type of data exposed “… includes some combination of name, mailing address, phone number, email address, passport number, Starwood Preferred Guest (“SPG”) account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences.”
What this means for you
If you happened to be one of the 500M who has stayed at a Starwood, even if it was before 2014, it’s still likely that some of your personal information was exposed in this breach. Though Marriott has said they started contacting individuals affected, for some of us who stayed at a Starwood hotel before email address collection became common place (myself included), and have since changed mailing addresses, Marriott may have some difficulty contacting you to let you know you were impacted. To be on the safe side, you should definitely consider a credit freeze (if you haven’t already put one in place from the previous Equifax breach) and you should take advantage of Marriott’s offer of a free year of WebWatcher monitoring service. As the name suggests, this service will monitor the web for your personal information (which you can enter yourself) and alert you if any of those data points appears somewhere on the web. Granted, that might actually be you entering that info, but if not, you have a head start on countering a possible identity theft in progress. And while you are at it, why not sign up for an alert from HaveIBeenPwned.com which keeps track of all the major breaches and will also alert you if your email address is on the growing list of breaches occurring almost weekly now.
Technology exists for a singular purpose – to assist humans in doing things beyond our innate, natural capabilities. As has been mentioned in the past, this can cut both ways as the less scrupulous among us find ways to exploit technology to take advantage of our limitations. As online shopping has become the norm, even on hallowed consumption days like Black Friday, the rise of shopping bots has caught the eye of legislators in the US, who are aiming to ban them from online retailer sites, especially around the holidays where their use is particularly Grinch-like.
What this means for you
At first blush, you might be inclined to think that surely our lawmakers have more pressing issues to address beyond algorithms programmed to snap up discounted PlayStations for scalpers, and I might even be inclined to agree with you. I called out this bit of news fluff to shine a light on the dark side of technology again, and how simple it is to exploit it in a way that only serves to line the pockets of the ethically-challenged. One might argue that enterprising capitalists are just using the tools available to get a leg up on the competition, but the shoe is suddenly on the other foot when you realize the same concept (do things faster online) is being used to crank out scammy extortion or phishing emails by the millions every single day. Just because something is possible does not mean that it is ethical, and technology is putting more of these types of decisions in front of humans at a bewildering rate. As our usage of technology grows, we must be extremely careful to not set aside our humanity just to be faster, better or richer.
Image courtesy of Stuart Miles from FreeDigitalPhotos.net
I’d like to say I’m busy watching the mid-term results come in, but actually, I’m too tied up reading all the reports of voting machine failures causing delays, confusion and most certainly some disenfranchisement. Despite plenty of media attention on the matter months ago it’s clear nothing was done, causing delays, confusion and doubt across the process in numerous states.
- Voting Machine Meltdowns Are Normal—That’s the Problem – Wired
- Voting Machine Manual Instructed Election Officials to Use Weak Passwords – Motherboard/Vice
- Voting Machine Hell, 2018: A Running List of Election Glitches, Malfunctions, and Screwups – Gizmodo
- Why voting machines malfunctioned on Election Day – Vox
- Voting machine errors already roil Texas and Georgia races – Politico
- Voting machines can be hacked in two minutes, expert warns – Fox News
We’re talking about it, but it’s still being ignored
Sadly, Election Day in the US once again illustrates my point about technology and humans: we are not perfect, nor are the machines we build and use. Despite this reality being clearly demonstrated in the above, we have the hubris to believe that our technology is somehow immune to our own frailties. In many ways, technology clearly allows us to overcome limitations and achieve spectacular things, but it also amplifies our shortcomings, and as we’ve seen numerous times elsewhere it also enables the less virtuous to exploit those shortcomings.
To change things, we need to expect better from our leaders – business, political, and spiritual. They need to understand critical technologies or admit when they do not and hire experts to help shape and implement policy that advances humanity as whole and not just financial interests. It’s OK to admit to not understanding technology, but if it’s an important part of your job or responsibilities, that continued lack of understanding could cause irreparable harm. Change begins with you, and putting in the effort to understand a technology also grants the benefit of being able to spot others who do not, an advantage that is handy in business and politics.
If you’ve been reading my blog for any length of time, you’ve seen me describe the current state of security in a variety of colorful ways, but my favorite analogy is the one where I liken ourselves to jugglers with many objects in the air and with more being tossed in every minute by hackers and criminals. We lose if we drop a single item, but there is no “win” condition for juggling. If anyone has enough hands and arms to keep a lot of things in the air, it should be Facebook, and they have a lot going on, but in the end, they have come up short on another promise: transparency in sponsored advertising. Facebook’s never ending torrent of fake news was supposed to be somewhat dampened by a tool rolled out in May of this year called “Paid for by” which was built to bring some accountability to Facebook publishing tools heavily abused by political trolls leading up to the 2016 US elections, and surrounding numerous other political events since then.
Transparency or Lip Service?
Just ahead of the 2018 midterm elections, Vice.com investigators, through the “Paid for by” tool on Facebook, applied to purchase ads on behalf of all 100 US Senators. All 100 applications were approved, despite the ads being shared from fake political groups built specifically to test Facebook’s transparency tool, and the very obvious fact that Vice investigators are clearly not actual spokespeople for any sitting US Senator. The same tool also allowed the Vice team to buy ads on behalf of Vice President Mike Pence and the Islamic State, but curiously enough, not Hillary Clinton. Based on the amount of effort the Vice team exerted to circumvent the “Paid for by” verification tool, it’s clear that Facebook put an equal amount of effort into building this tool, i.e. virtually none. It’s unclear if the “Paid for by” tool was a token effort put up by Facebook to appease shareholders and lawmakers, or if the problem of fake news on Facebook is truly unsolvable, but if an organization as big and as powerful as Facebook can’t (or won’t) solve this problem, the only other solution is to completely ignore it as a source of news.
And that’s the other problem with elephants on the internet: because of their size, they are hard to ignore.
Image courtesy of Stuart Miles at FreeDigitalPhotos.net
There is at least one good thing to come from the increasing number of residential surveillance cameras: we are getting real-time, high-definition looks at criminals in action, like the recent video recording of a Tesla being stolen via an already well-known fob spoofing technique, something I wrote about over two years ago. The unsettling video is only made slightly less so when the car thieves struggle with disconnecting the charging cable from the car, highlighting the irony that a simple electrical cable was almost a better deterrent than the actual key-less entry system protecting the car.
Most security breaches are caused by carelessness or laziness
I’m certain there are statistics to back up this claim, but I’m also relying on decades of anecdotal experience when stating that most security breaches are our own damned fault. In the above-mentioned incident, the victim admitted to neglecting to protect the vehicle from this sort of theft with Tesla’s “Pin to drive” feature (equivalent to not using a password on your computer or phone), but it’s unclear whether that was because he wasn’t aware it was necessary, or just never got around to setting it up in the first place. Most of the breaches I encounter typically start with someone clicking on a link they shouldn’t have, and 9 times out of 10, when I debrief “patient zero”, they are able to pinpoint the exact moment they screwed up. When I ask them why, the answer is one of these reasons:
- I was in a hurry,
- I didn’t want to bother someone else,
- It looked OK,
- I thought my antivirus/firewall/karma/etc. would protect me,
- My data is backed up, right?
Sadly, none of these, even the last one, is a good excuse, and most of my clients are self-aware enough to this invaluable learning moment to heart. Sadly, despite one or more valuable lessons delivered, even the most paranoid among us will be susceptible to momentary lapses in vigilance and judgement. After all, we are only human. This too is a valuable lesson, and not an excuse to give up in the face of daunting probability. Knowing that we are our own worst enemies will keep us on our toes when we need it most, and if we bolster our defenses with the proper security technology, we are much less likely to be vulnerable when our guard inevitably falters.
Image courtesy of Miles Stuart from FreeDigitalPhotos.net
I’ll dispense with the editorializing about Facebook and other internet giants playing fast and loose with our information and get down to the nitty-gritty of what you should know about the latest Facebook breach, which I initially wrote about (only) two weeks ago:
- Go to this Facebook link (while you are logged in to Facebook) to determine if you were one of the 30M that was affected by the breach: https://www.facebook.com/help/securitynotice
- Initial estimate of compromised accounts revised down from 50-90M to “just” 30M (OK, you got me, I can’t help myself).
- Approximately half (15M) of the compromised accounts had an extensive amount of information leaked, including data that most people would consider private, such as religion, relationship status, recent searches and geographical location.
- The other half (14M less the small percentage in the next line) had access to names and email addresses or phone numbers, or both.
- Three percent (about 1M) did not have any information exposed though their access tokens were stolen.
- Nobody’s Facebook passwords was stolen as part of this breach.
- Facebook cannot divulge motive or identities as it is working with the FBI, but based upon analysis of the attack, the hackers were organized and well-equipped to pull off the data heist. Translation: likely nation-state or organized crime-backed.
What this means for you
If you happened to fall into the bucket where a large amount of private information was exposed by Facebook, be extremely wary of targeted phishing attempts, usually sent by email. Because your information is now readily available to be cross-indexed with any numerous other items exposed in previous breaches, it’s trivial for cybercriminals to create very realistic emails that appear legitimate based upon the use of this stolen data, whether it be fake password reset notifications from widely used services like Office 365, Facebook, Gmail, SnapChat, or strangely familiar emails using that private data to trick you into revealing additional info or access to strangers pretending to be co-workers, friends or even family. Just to add insult to injury, if some of the leaked data is info you might use as an answer to the “Forgot your password?” questions many services use, hackers can now use that info to try and guess your answers to reset your password for their own nefarious purposes.
Just because your password wasn’t stolen in this breach doesn’t mean that it wasn’t exposed in any of the myriad breaches over the past several years. Visit this site – https://www.haveibeenpwned.com/password – to determine if it might be exposed, and if so, continued use of it will likely result in any account secured by the exposed password being compromised very soon.
A small percentage of Windows users have opted into the “Insiders” program which grants them early access to new features, bug fixes and content updates for Windows 10, which as I’m sure all of you are painfully familiar with now, updates very frequently. The object of the Insiders program is to “beta test” new updates to the operating system before they are pushed out to the rest of the world, presumably to catch bugs before they can affect the more than 700 million devices that use Windows 10. Well, they caught a bug, but not before it erased data on an undisclosed number of Insider machines.
What this means for you – Get backed up!
If you aren’t an Insider – you have to opt into the program – you only have to worry about fully tested updates destroying your data. I’m only being somewhat sarcastic here, as many of you have experienced some form of loss (data, time, monetary) recovering from the forced death march that is Windows 10’s update cycle, and at least one of my clients experienced a complete wipe of all of his installed applications, necessitating hours of reinstallation work. It’s important to understand that Microsoft, just like any company powered by humans, can and will make mistakes, and those mistakes will cause problems for you. Fortunately, you can counteract this uncertainty with a simple practice: back up your data. There are many options to choose from in this area – some of my clients only work on and store important data on a central server that is backed up, or, if that option isn’t available to them, they use some form of cloud backup, either self-managed or provided to them by C2. Just the other day I had a client suffer a complete data wipe (rare, but it does happen) due to a crashed Windows profile (possibly caused by a Windows update) but they were backed up right until the crash and were able to recover their data, albeit slowly. The backup paid for itself in spades that day, and saved my client from catastrophic loss.










