
Monthly Archives: December 2018

Our Cellphones Aren’t Safe

Great article by Cooper Quintin of the Electronic Frontier Foundation with one glaring omission. Even if the cell networks were 100% secure, the apps people install are an even larger source of malware and privacy leaks.


America’s cellular network is as vital to society as the highway system and power grids. Vulnerabilities in the mobile phone infrastructure threaten not only personal privacy and security, but also the country’s. According to intelligence reports, spies are eavesdropping on President Trump’s cellphone conversations and using fake cellular towers in Washington to intercept phone calls. Cellular communication infrastructure, the system at the heart of modern communication, commerce and governance, is woefully insecure. And we are doing nothing to fix it.

This should be at the top of our cybersecurity agenda, yet policymakers and industry leaders have been nearly silent on the issue. While government officials are looking the other way, an increasing number of companies are selling products that allow buyers to take advantage of these vulnerabilities.

Spying tools, which are becoming increasingly affordable, include cell-site simulators (commonly known by the brand name Stingray), which trick cellphones into connecting with them without the cellphone owners’ knowledge. Sophisticated programs can exploit vulnerabilities in the backbone of the global telephone system (known as Signaling System 7, or SS7) to track mobile users, intercept calls and text messages, and disrupt mobile communications.

These attacks have real financial consequences. In 2017, for example, criminals took advantage of SS7 weaknesses to carry out financial fraud by redirecting and intercepting text messages containing one-time passwords for bank customers in Germany. The criminals then used the passwords to steal money from the victims’ accounts.

How did we get here, and why is our cellular infrastructure so insecure?

The international mobile communications system is built on top of several layers of technology, parts of which are more than 40 years old. Some of these old technologies are insecure, others have never had a proper audit and many simply haven’t received the attention needed to secure them properly. The protocols that form the underpinnings of the mobile system weren’t built with security in mind.

SS7, invented in 1975, is still the protocol that allows telephone networks all over the world to talk to one another. It was built on the assumption that anyone who can connect to the network is a trusted network operator. When it was created, there were only 10 companies using SS7. Today, there are hundreds of companies all over the world connected to SS7, making it far more likely that credentials to the system will be leaked or sold. Anyone who can connect to the SS7 network can use it to track your location or eavesdrop on your phone calls. A more recent alternative to SS7 called Diameter suffers from many of the same problems.

Another protocol, GSM, invented in 1991, allows your cellphone to communicate with a cell tower to make and receive calls and transmit data. The older generation of GSM, known as 2G, doesn’t verify that the tower that your phone connects to is authentic, making it easy for anyone to use a cell-site simulator and impersonate a cell tower to obtain your location or eavesdrop on your communications.

Larger carriers have already begun dismantling their 2G systems, which is a good start, since later generations of GSM such as 3G, 4G and 5G solve many of its problems. Yet our phones all still support 2G and most have no way to disable it, making them susceptible to attacks. What’s more, research has shown that 3G, 4G, and even 5G have vulnerabilities that may allow new generations of cell-site simulators to continue working.

Nobody could have envisioned how deeply ingrained cellular technology would become in our society, or how easy and lucrative exploiting it would be. Companies from China, Russia, Israel and elsewhere are making cell-site simulators and providing access to the SS7 network at prices affordable even to the smallest criminal organizations. It is increasingly easy to build a cell-site simulator at home, for no more than the cost of a fast-food meal. Spies all over the world — as well as drug cartels — have realized the power of these technologies.

So far, industry and policymakers have largely dragged their feet when it comes to blocking cell-site simulators and SS7 attacks. Senator Ron Wyden, one of the few lawmakers vocal about this issue, sent a letter in August encouraging the Department of Justice to “be forthright with federal courts about the disruptive nature of cell-site simulators.” No response has ever been published.

The lack of action could be because it is a big task — there are hundreds of companies and international bodies involved in the cellular network. The other reason could be that intelligence and law enforcement agencies have a vested interest in exploiting these same vulnerabilities. But law enforcement has other effective tools that are unavailable to criminals and spies. For example, the police can work directly with phone companies, serving warrants and Title III wiretap orders. In the end, eliminating these vulnerabilities is just as valuable for law enforcement as it is for everyone else.

As it stands, there is no government agency that has the power, funding and mission to fix the problems. Large companies such as AT&T, Verizon, Google and Apple have not been public about their efforts, if any exist.

This needs to change. To start, companies need to stop supporting insecure technologies such as 2G, and government needs a mandate to buy devices solely from companies that have disabled 2G. Similarly, companies need to work with cybersecurity experts on a security standard for SS7. Government should buy services only from companies that can demonstrate that their networks meet this standard.

Finally, this problem can’t be solved by domestic regulation alone. The cellular communications system is international, and it will take an international effort to secure it.

We wouldn’t tolerate gaping potholes in our highways or sparking power lines. Securing our mobile infrastructure is just as imperative. Policymakers and industries around the world must work together to achieve this common goal.

Cooper Quintin is a senior staff technologist with the Electronic Frontier Foundation, where he investigates digital privacy and security threats to human-rights defenders, journalists and vulnerable populations.

Microsoft Issues Emergency Fix for IE Zero Day


Microsoft today released an emergency software patch to plug a critical security hole in its Internet Explorer (IE) Web browser that attackers are already using to break into Windows computers.

The software giant said it learned about the weakness (CVE-2018-8653) after receiving a report from Google about a new vulnerability being used in targeted attacks.

Satnam Narang, senior research engineer at Tenable, said the vulnerability affects the following installations of IE: Internet Explorer 11 from Windows 7 to Windows 10 as well as Windows Server 2012, 2016 and 2019; IE 9 on Windows Server 2008; and IE 10 on Windows Server 2012.

“As the flaw is being actively exploited in the wild, users are urged to update their systems as soon as possible to reduce the risk of compromise,” Narang said.

According to a somewhat sparse advisory about the patch, malware or attackers could use the flaw to break into Windows computers simply by getting a user to visit a hacked or booby-trapped Web site. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Microsoft says users who have Windows Update enabled and have applied the latest security updates are protected automatically. Windows 10 users can manually check for updates this way; instructions on how to do this for earlier versions of Windows are here.

No one likes a lying a-hole like Zuckerberg and crew


Mark Zuckerberg did everything in his power to avoid Facebook becoming the next MySpace – but forgot one crucial detail…No one likes a lying asshole

Comment Let’s get one thing straight right off the bat: Facebook, its CEO Mark Zuckerberg, and its COO Sheryl Sandberg, and its public relations people, and its engineers have lied. They have lied repeatedly. They have lied exhaustively. They have lied so much they’ve lost track of their lies, and then lied about them.

For some reason, in an era where the defining characteristic of the President of the United States is that he lies with impunity, it feels as though everyone has started policing the use of the word “lie” with uncommon zeal. But it is not some holy relic, it is a word, and it has a definition.

Lie (verb)
1 : to make an untrue statement with intent to deceive
2 : to create a false or misleading impression

By any measure, Facebook as an organization has knowingly, willingly, purposefully, and repeatedly lied. And two reports this week demonstrate that the depth of its lying was even worse than we previously imagined.

Before we dig into the lies, though, it’s worth asking the question: why? Why has the corporation got itself into this position, and why does it have to be dragged kicking and screaming, time and again, to confront what it already knows to be true?

And the answer to that is at the very heart of Facebook, it goes to the core of Mark Zuckerberg’s personality, and it defines the company’s corporate culture: it is insecure. And it has good reason to be.

The truth is that Facebook is nothing special. It is a website. A very big and clever website but a website that is completely reliant on its users to post their own content. Those users don’t need Facebook and they could, in a matter of seconds, decide to tap on a different app and post their thoughts and updates there, instead. If enough people make that decision, the company collapses. All 340 billion dollars of it.

Mark Zuckerberg knows that all too well, and as internal emails handed over to the British Parliament and then published make clear, the top tier of Facebook was highly focused on that question of existential dread: how do we avoid becoming the next MySpace, Geocities, Google Plus, or Friendster?
Novelty item

With thousands of people working underneath them, the world’s largest companies knocking at their door with blank checks for advertising, and the globe’s political leaders inviting them to meetings, Facebook tasted greatness, but couldn’t shake a huge question underneath it all: how does Facebook survive once the novelty wears off?

And the answer was the smart one: make yourself a part of the digital ecosystem. Yes, Facebook was completely reliant on its users, but everyone else wanted those users, too, and while it had them, the corporation needed to make sure it became enmeshed in as many other systems as possible.

It became a savvy businessman making sure that all his money and resources aren’t in one market: diversify, Mark! And that became the driving force behind every subsequent strategic decision while the rest of the company focused on making Facebook a really good product – making it easy to do more, post more, interact more.

And so, we had music service Spotify granted access to Facebook users’ private messages, once users had linked their Spotify and Facebook accounts. Why on Earth would Spotify want to read people’s private messages?

Easy: it is a huge, tasty dataset. You could find out what bands people are excited about, and send them notices of new albums or gigs. You could see what they think of rival services, or the cost of your service. People were encouraged to message their pals on Facebook through Spotify, letting them know what they were listening to. All in all, it was access to private thoughts: companies spend small fortunes paying specialist survey companies for these sorts of insights.

Likewise Netflix. It had access to the same data under a special program that Facebook ran with other monster internet companies and banks in which they were granted extraordinary privileges to millions of people’s personal data.

Facebook cut data deals with all sorts of companies based on this premise: give them what they want, and in return they would be hauled onto Zuckerberg’s internet reservation.

For example, Yahoo! got real-time feeds of posts by users’ friends – reminding us of Cambridge Analytica gathering information on millions of voters via a quiz app, and using it to target them in contentious political campaigns in the US and Europe.

Microsoft’s Bing was able to access the names of nearly all Facebook users’ friends without permission, and Amazon was able to get at friends’ names and contact details. Russian search engine Yandex had Facebook account IDs at its fingertips, though it claims it didn’t even know this information was available. Facebook at first told the New York Times Yandex wasn’t a partner, and then told US Congress it was.

Crossing the line

Plugging large companies into users’ profiles, and their friends’ profiles, became a running theme, and for the antisocial network, it all worked: the data flowed.

But then things took a darker turn. The users and privacy groups started asking questions. Facebook’s entire strategy started looking shaky as people decided they should have control over what is done with their private data. In Europe, a long debate led to solid legislation: everyone in the EU would soon have a legal right to control their information and, much worse, organizations that didn’t respect that could face massive fines.

Facebook started cutting shadier and shadier deals to protect its bottom line. Its policy people started developing language that carefully skirted around reality; and its lawyers began working on semantic workarounds so that the Silicon Valley titan could make what looked like firm and unequivocal statements on privacy and data control, but in fact allowed things to continue on exactly as they had. What was being shared was not always completely clear.

The line was crossed when Facebook got in bed with smartphone manufacturers: it secretly gave the device makers access to each phone user’s Facebook friends’ profiles, when the handheld was linked to its owner’s account, bypassing protections.

And you know how you can turn off “location history” in the Facebook app, and you can go into your iPhone’s settings and select “never” for the Facebook app when it comes to knowing your location? And you can refuse to use Facebook’s built-in workaround where you “check in” to places – at which point it will re-grant itself access to your location with a single tap?

Well, you can do all that, and still Facebook will know where you are and sell that information to others.

To which the natural question is: how? Well, we have what we believe to be the technical answer. But the real answer is: because it lies. Because that information is valuable to it. Because that information forms the basis of mutually reinforcing data-sharing agreements with all the companies that could one day kill Facebook by simply shrugging their shoulders.

That is how Sandberg and Zuckerberg are able to rationalize their lies: because they believe the future of the entire company is dependent on maintaining the careful fiction that users have control over their data when they don’t.
Meet Stan

Here’s a personal example of how these lies have played out. Until recently, your humble Reg vulture lived next door to a man called Stan. Stan had spent his whole life in Oakland, California. He was a proud black man in his 70s who lived alone. This reporter moved next door to him having spent his entire life up until that moment not in Oakland; a white man in his 30s. To say we had no social connections in common would be an understatement. The only crossover in friends, family, culture, and hangouts were the occasional conversations we had in the street with our neighbors.

He had good taste in music. And I know that in the same way I knew he had an expensive and powerful stereo system. But we didn’t even go to the same gigs because most of the music he played was from artists long since dead.

Despite all this, Facebook would persistently suggest that I knew Stan and should add him as a friend on Facebook. The same happened to my wife. I took this as a sign I needed to tighten up my privacy settings but even after making changes cutting Facebook off from my daily habits, it still recommended him as a friend. The only thing that finally stopped it? Deleting the Facebook app from my phone.

Sensing a story, and in my capacity as a tech reporter, I started asking Facebook questions about this extraordinary ability to know who I lived next to when it didn’t have access to my location. And the company responded, repeatedly, that it doesn’t. You have control over your data. You can choose what Facebook can see and do with that data. Facebook does not gather or sell data unless its users agree to it.

Except, of course, the opposite was true. It was a lie. And Facebook knew it. It had in fact gone to some lengths to make sure it knew where all its users were.

Precisely how it manages to say one thing and do the opposite is not yet clear but we are willing to bet it is a combination of two factors: one, its app stores and sends several data points that can be used to figure out location: your broadband IP address and/or Wi-Fi and Bluetooth network identifiers. It may be possible to figure out someone’s location from these data points: for example, your cable broadband IP address can often be narrowed down to a relatively precise location, such as a street or neighborhood, especially if you have a fixed IP address at home.

At this point, using Stan’s location from his IP address or from his phone app, Facebook could work out we live next to each other, or at least are near each other a lot, and thus might be friends.
Control is an illusion

With the news that Facebook signed dozens of data sharing agreements with large tech companies, it seems increasingly likely that Facebook was in fact not gathering my location data directly to figure out where I was, but was pulling in data from others, perhaps mixing in my home broadband IP address’s geolocation, and correlating it all to work out relationships and whereabouts.

We don’t yet know what precise methods Facebook uses to undercut its promises, but one thing is true – the company has made to this reporter, and many other reporters, users, lawmakers, federal agencies, and academics untrue statements with an intent to deceive. And it has created false or misleading impressions. It has lied. And it has done so deliberately. Over and over again.

And it is still lying today. Faced with evidence of its data-sharing agreements where – let’s not forget this – Facebook provided third parties access to people’s personal messages, and more importantly to their friends’ feeds, the company claims it broke no promises because it defined the outfits it signed agreements with as “service providers.” And so, according to Facebook, it didn’t break a pact it has with the US government’s trade watchdog, the FTC, not to share private data without permission, and likewise not to break agreements it has with its users.

Facebook also argues it had clearly communicated that it was granting apps access to people’s private messages, and that users had to link their Spotify, Netflix, Royal Bank of Canada, et al, accounts with their Facebook accounts to activate it. And while Facebook’s tie-ups with, say, Spotify and Netflix were well publicized, given this week’s outcry, arguably not every user was aware or made aware of what they were getting into. In any case, the “experimental” access to folks’ private conversations was discontinued nearly three years ago.

The social network claims it only ever shared with companies what people had agreed to share or chosen to make public, sidestepping a key issue: that people potentially had their profiles viewed, slurped, harvested, and exploited by their friends’ connected apps and websites.

As for the question of potential abuse of personal data handed to third parties, Facebook amazingly used the same line that it rolled out when it attempted to deflect the Cambridge Analytica scandal: that third parties were beholden to Facebook’s rules about using data. But, of course, Facebook doesn’t check or audit whether that is the case.
Sorry, again

And what is its self-reflective apology this time for granting such broad access to personal data to so many companies? It says that it is guilty of not keeping on top of old agreements, and the channels of private data to third parties stayed open much longer than they should have done after it had made privacy-enhancing changes.

We can’t prove it yet, and may never be able to unless more internal emails find their way out, but let’s be honest, we all know that this is another lie. Facebook didn’t touch those agreements because it didn’t want anyone to look at them. It chose to be willfully ignorant of the details of its most significant agreements with some of the world’s largest companies.

And it did so because it still believes it can ride this out, and that those agreements are going to be what keeps Facebook going as a corporation.

What Zuckerberg didn’t factor into his strategic masterstroke, however, was one critical detail: no one likes a liar. And when you lie repeatedly, to people’s faces, you go from liar to lying asshole. And lying asshole is enough to make people delete your app.

And when that app is deleted, the whole sorry house of cards will come tumbling down. And Facebook will become Friendster.

Call to Boycott All Businesses With Facebook Links

Well, at the moment, it seems, one would need to stop all commercial activities. But it needs to start somewhere. Look, before the Facebook scam, one could go to a website and not be inundated with Facebook analytics, prompts to use your Facebook login, links to “like us” and all the other gimmicks to get users to surrender their private information.

Perhaps it is time to start boycotting all businesses, charities, orgs, government entities, schools, etc. that insist on sporting and wiring their sites to enable the ilk that is Facebook. Speed kills. Facebook kills. Here are a few links about how Facebook has blood on their hands:

The list goes on….

Act now! Delete your Facebook Account and boycott those enterprises that continue to support Facebook.

Comments welcome.

How Facebook let Big Tech peers inside its privacy wall

Facebook let some of the world’s largest technology companies have more intrusive access to users’ personal data than it had previously disclosed. That’s according to an investigation by Gabriel J.X. Dance, Michael LaForgia and Nicholas Confessore of the NYT, based on 270 pages of Facebook’s internal documents and interviews with more than 60 people.

The breadth of the data-sharing was vast. “Facebook allowed Microsoft’s Bing search engine to see the names of virtually all Facebook users’ friends without consent, the records show, and gave Netflix and Spotify the ability to read Facebook users’ private messages. The social network permitted Amazon to obtain users’ names and contact information through their friends.”

Users often didn’t know. “Facebook empowered Apple to hide from Facebook users all indicators that its devices were asking for data. Apple devices also had access to the contact numbers and calendar entries of people who had changed their account settings to disable all sharing, the records show.”

In fact, even Facebook had trouble keeping track. “By 2013, Facebook had entered into more such partnerships than its midlevel employees could easily track, according to interviews with two former employees,” explains the report. “So they built a tool that did the technical work of turning special access on and off.” It doesn’t seem to have solved the problem; as of last year, for instance, Yahoo “could view real-time feeds of friends’ posts for a feature that the company had ended in 2011.”

How did this happen? “Under the terms of a 2011 consent agreement with the Federal Trade Commission, Facebook was required to strengthen privacy safeguards and disclose data practices more thoroughly. The company hired an independent firm, PricewaterhouseCoopers, to formally assess its privacy procedures and report back to the F.T.C. every two years.” But “four former officials and employees of the F.T.C., briefed on The Times’s findings, said the data-sharing deals likely violated the consent agreement.”

Why it matters: Since the Cambridge Analytica scandal, Facebook has insisted that it does not sell data. But the NYT’s reporting suggests that it’s been eager to barter for arrangements that could speed its growth.

DC sues Facebook over Cambridge Analytica scandal

It is about time. Kudos AG Karl Racine! Come on, state AGs, get off your duffs and join in. Note to EU Brussels: turn up the heat!


“Facebook failed to protect the privacy of its users,” AG Karl Racine said.

The attorney general of the District of Columbia has sued (PDF) Facebook, alleging violations of local consumer protection laws.

In a statement sent to reporters on Wednesday, AG Karl A. Racine said that the social media giant did not adequately protect users’ data, “enabling abuses like one that exposed nearly half of all District residents’ data to manipulation for political purposes during the 2016 election.”

“It allowed Cambridge Analytica to purchase personal information that was improperly obtained from 70 million [individuals], including 340,000 District of Columbia residents,” Racine said on a Wednesday call with reporters. “That’s nearly half of the people that live in the District of Columbia.”

Ben Wiseman, the director at the Office of Consumer Protection at the DC AG’s office, said that the lawsuit is seeking restitution and damages, including “civil penalties up to $5,000 per violation.”

340,000 users times $5,000 each would total $1.7 billion—but the case is likely to settle for far less than that.

Racine added that other states have expressed interest in joining this lawsuit.

“We think that bringing suit is necessary in order to bring these issues to light,” he said.

In the lawsuit, Racine points out that just 852 Facebook users in DC used Aleksandr Kogan’s “thisisyourdigitallife” personality quiz, but, due to the permissive data sharing that was in place at the time, hundreds of thousands of people were affected.

“Furthermore, after discovering the improper sale of consumer data by Kogan to Cambridge Analytica, Facebook failed to take reasonable steps to protect its consumers’ privacy by ensuring that the data was accounted for and deleted,” the complaint states.

“Facebook further failed to timely inform the public (including DC residents) that tens of millions of its consumers had their data sold to Cambridge Analytica, even though Facebook knew, or should have known, that such data was acquired in violation of its policies and was being used in connection with political advertising.”

Monique Hall, a Facebook spokeswoman, declined to respond to Ars’ questions about the new lawsuit but provided a corporate statement.

“We’re reviewing the complaint and look forward to continuing our discussions with attorneys general in DC and elsewhere,” the statement read.

Facebook users cannot avoid location-based ads, investigation finds

Look: Western populations need to abandon Facebook NOW. It is the only way this disgusting company will die. Just perhaps, if Western populations lead, others will follow. They have blood on their hands. It is time.

Oh in the latest news.


Facebook users cannot avoid location-based ads, investigation finds
No combination of settings can stop location data being used by advertisers, says report

Facebook targets users with location-based adverts even if they block the company from accessing GPS on their phones, turn off location history in the app, hide their work location on their profile and never use the company’s “check in” feature, according to an investigation published this week.

There is no combination of settings that users can enable to prevent their location data from being used by advertisers to target them, according to the privacy researcher Aleksandra Korolova. “Taken together,” Korolova says, “Facebook creates an illusion of control rather than giving actual control over location-related ad targeting, which can lead to real harm.”

Facebook users can control to an extent how much information they give the company about their location. At the most revealing end, users may be happy to enable “location services” for Facebook, allowing their iPhone to provide ultra-precise location data to the company, or they may “check in” to shops, restaurants and theatres, telling the social network where they are on a sporadic basis.

But while users can decide to give more information to Facebook, Korolova revealed they cannot decide to stop the social network knowing where they are altogether nor can they stop it selling the ability to advertise based on that knowledge.

Despite going to as much trouble as possible to minimise the location data received by the social network, the researcher wrote, “Facebook showed me ads targeted at ‘people who live near Santa Monica’ (which is where I live) or ‘people who live or were recently near Los Angeles’ (which is where I work). Moreover, I have noticed that whenever I travel for work or pleasure, Facebook continues to keep track of my location and use it for advertising: a trip to Glacier national park resulted in an ad for activities in Whitefish, Montana; a trip to Cambridge, MA, in an ad for a business there; and a visit to Herzliya, Israel, in an ad for a business there.

“Some of the explanations by Facebook for why I am seeing a particular ad even mention specifically that I am seeing the ad because I was ‘recently near their business’.”

The experience was mirrored by the Guardian reporter Julia Carrie Wong, who discovered in April that the site “knows that I took reporting trips to Montana and Seattle and San Diego, despite the fact that I have never allowed it to track me by GPS”.

Facebook tells advertisers that it learns user locations from the IP address, wifi and Bluetooth data, Korolova says.

In its pitch to advertisers, Facebook says: “Local awareness ads were built with privacy in mind […] People have control over the recent location information they share with Facebook and will only see ads based on their recent location if location services are enabled on their phone.” Korolova says her findings show that “this claim is false”.

The academic argues that Facebook needs to offer the ability to opt out of location use entirely, “or, at the very least, an ability to meaningfully specify the granularity of its use and exclude particular areas from being used”.

In 2015, according to leaked emails published by the UK parliament, the team behind a particular version of location-based advertising, which used Bluetooth “beacons” to track users’ shopping habits without resorting to uploading GPS data, was particularly concerned about appearing “scary”.

“We’re still in a precarious position of scaling without freaking people out,” wrote a Facebook product manager in charge of the location-tracking technology. “If a negative meme were to develop around Facebook Bluetooth beacons, businesses could become reticent to accept them from us.”

Facebook said in a statement: “Facebook does not use wifi data to determine your location for ads if you have location services turned off. We do use IP and other information such as check-ins and current city from your profile. We explain this to people, including in our Privacy Basics site and on the About Facebook Ads site.”

PLEASE STOP USING FACEBOOK! If anything, it will make the roads safer. It will also end the senseless killings spread by this rumor monger garbage company.

ZipRecruiter has been flying low: User email addresses exposed to unauthorised accounts

Looking for work? Spammers could well be looking for you

Lesson: use throwaway email addresses if you must, but better still, just say no to job search aggregators. Of course that may be impossible, as many clueless employers use them to collect CVs/resumes, do initial screening, etc.

Tinder for job-seekers ZipRecruiter has copped to a data breach after the names and email addresses of job-seekers were flung to the wind in a permissions screw-up.

The company – which claims over seven million active job-seekers each month and 40 million job alert email subscribers – has been running since 2010 with operations in the US and UK. In 2012 it had helped 10,000 employers fill positions. By 2017 that number had exceeded one million.

But with impressive growth comes impressive growing pains, and a permissions cock-up at ZipRecruiter has meant that hopeful job-seekers, having uploaded their CV, have had their personal details shared in a way they might not have expected.

In the email, sent to those lucky users and seen by The Register, the company says:

On October 5th, we discovered that certain employer user accounts that were not intended to have access to the CV Database were able to obtain access to information including the first name, last name and email addresses of some job seekers who had submitted their CVs to our CV database.

The problem is with the part of ZipRecruiter’s site that allows an employer with permission to access the database of CVs to contact a candidate. Obviously, having admired the sheen of a turd buffed to a high gloss CV of a candidate, an employer will want to get in touch. To that end, ZipRecruiter provides a contact form, helpfully populated with the name and email address of the hopeful individual.

It appears that the Email Candidate form can also be accessed by users who have not ponied up the cash for access to the CV library. Those users can still search for job-seekers, but only see limited information depending on what a candidate has volunteered. This could be the candidate’s first name, last three employers and city and country.

But thanks to the permissions whoopsie, that unauthorised user could also potentially get to the candidate’s full name and email address.
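A minimal model of the authorization gap described above, added here as an illustration and not ZipRecruiter's own code: the search listing applies the CV-library entitlement correctly, while a second endpoint (the contact form) hands out the full name and email regardless. All class names, fields and sample records are constructed for the example.

```python
# Constructed illustration: inconsistent authorization across two endpoints
# that expose the same data. Not ZipRecruiter's code; names are hypothetical.
from dataclasses import dataclass


@dataclass
class Candidate:
    first_name: str
    last_name: str
    email: str
    city: str
    recent_employers: list


@dataclass
class Employer:
    account_id: str
    cv_database_access: bool  # True only for accounts that paid for the CV library


def search_result(employer: Employer, cand: Candidate) -> dict:
    """Search listing: the entitlement check is applied here."""
    if employer.cv_database_access:
        return {"name": f"{cand.first_name} {cand.last_name}", "email": cand.email,
                "city": cand.city, "recent_employers": cand.recent_employers}
    # Limited view for unpaid accounts: first name, last three employers, city only
    return {"name": cand.first_name, "city": cand.city,
            "recent_employers": cand.recent_employers[:3]}


def email_form_vulnerable(employer: Employer, cand: Candidate) -> dict:
    """The bug class: a second endpoint that skips the check and pre-fills PII."""
    return {"to_name": f"{cand.first_name} {cand.last_name}", "to_email": cand.email}


def email_form_fixed(employer: Employer, cand: Candidate) -> dict:
    """Fix: every endpoint that exposes CV-library fields enforces the same check."""
    if not employer.cv_database_access:
        raise PermissionError("CV database access required to contact candidates")
    return {"to_name": f"{cand.first_name} {cand.last_name}", "to_email": cand.email}


# Constructed sample records
CAND = Candidate("Alice", "Example", "alice@example.invalid", "London",
                 ["Acme Ltd", "Widget Co", "Foo plc", "OldJob Inc"])
FREE = Employer("emp-free", cv_database_access=False)
PAID = Employer("emp-paid", cv_database_access=True)
```

The defender's takeaway is that authorization must be enforced per data field at every endpoint that returns it, not only on the primary listing view.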

ZipRecruiter professed itself “not certain of the purpose of the unauthorised access” but speculated with breathtaking insight that the information “could be utilised to send you spam or phishing emails”.

The company was quick to point out that the information accessed does not include any login credentials or financial information, and that its security team stomped on the bug 90 minutes after it was found. The ICO was notified on 9 October and the company has been picking through its records ever since, working out which users have had the spotlight of spammers shone on their details.

As for what to do, well, the company has told affected users:

The goal of this communication is not to alarm you or deter you from responding to potential employers; rather, we want you to be a little more vigilant when considering whether or not to respond to a potential communication, in light of the unauthorised access to your full name and email address.

So that’s alright then.

We contacted ZipRecruiter to find out how many users had been affected, but other than a slightly nasal recording telling us our call may be recorded before abruptly hanging up, the company has remained incommunicado. We can but hope ZipRecruiter is a tad more helpful when it comes to paying customers.

As for the UK’s Information Commissioner’s Office (ICO), a spokesperson told us: “ZipRecruiter, Inc has made us aware of an incident and we will consider the facts.”

Register reader Steve, who was one of the lucky job hunters to receive an “oopsie” email, observed: “It’s always so f*cking special to get pwned when you’re looking for work.”

It is indeed, Steve. It is indeed. ®

‘Bomb threat’ scammers linked to earlier sextortion campaign

Scare tactic efforts may be the work of a single group

Yesterday’s ‘bomb scare’ spam campaign may have been a follow-up to another infamous email extortion effort.

Researchers with Cisco’s Talos say that the rash of emails floated yesterday demanding that recipients pay a Bitcoin ransom or face the possibility of a bomb attack on their offices are simply an evolution of the scare-tactic extortion scam that surfaced in October of this year.

In that scam, the sender copied passwords from a for-sale list of stolen credentials then sent them to a target claiming to have installed malware on their computer. The victim was told to send money or have compromising videos leaked. Of course, those videos did not exist and there was no malware.

We analyzed a few of these and saw that the credentials were not correct in our sample.

This week, the scammers pivoted to a new type of threat, spaffing out emails that claimed the recipients’ building would blow up unless they sent $20,000 in Bitcoin.

The composition of the emails, as well as the demand for Bitcoin payoffs, was remarkably similar, and Talos researcher Jaeson Schultz thinks he knows why.

“Multiple IPs involved in sending these bomb threats also sent various types of sextortion email that we saw in the previous campaign,” Schultz explained.

Fortunately, Schultz says, the latest technique is not paying off for the hapless extortionists.

“Only two of the addresses have a positive balance, both from transactions received Dec. 13, the day the attacks were distributed,” he said.

“However, the amounts of each transaction were under $1, so it is evident the victims in this case declined to pay the $20,000 extortion payment price demanded by the attackers.”

With that sort of success rate, it is no surprise that, as of yesterday, the crew decided to try another threat to scare people out of their cryptocoins. This time, it is with the threat of an acid attack.

It should go without saying: Don’t pay any ransom demanded by an unsolicited email, and report all threats to an admin and/or the police. ®

Scumbag hackers lift $1m from children’s charity

A group of criminal asswipes have managed to steal $1m from the Save the Children Foundation.

The global children’s health charity said in its 2017 fiscal report (PDF) to the IRS that, back in April of last year, some total sleezebag was able to get control of an employee’s email account and then convince the organization to make a transfer of $997,400 to a bank account in Japan.

According to Save The Children, the dickhead(s) who pulled off the scam disguised the illicit transfer as a purchase of solar panels for health centers in Pakistan. It was only a month later that the crime was discovered.

While the feckless rectal warts were able to make off with the charity’s money, insurance covered much of the damage.

“By the time that the fraud was discovered in May 2017, the transferred funds could not be recalled, but Save the Children was subsequently able to recover $885,784 from its insurance carriers to mitigate the financial loss,” the filing explains.

“In addition, Save The Children coordinated with the FBI, and through them, the Japanese Law Enforcement to assist in criminal investigations related to this incident, and we have taken steps internally to strengthen cybersecurity and other processes to prevent cyberfraud.”

No word was given on whether the arseholes who committed the fraud have been caught, but hopefully they get what is coming to them in the most painful way imaginable.

The attack was one of two incidents that occurred at the charity in 2017. A separate attempt by another utter bastard to steal funds (through a hacked vendor) tried to get the company to wire $9,210 to a bank account in Benin. That fraud was caught and all but $120 were recovered.

Lamar Bailey, director of security research and development at Tripwire, noted that Save the Children was hardly alone in falling victim to these sort of attacks.

“Social engineering is one of the easiest and most effective ways for attackers to reach their goals,” Bailey noted. “Emails that originate inside of a company are often just assumed to be legitimate and never questioned.”

Administrators and managers would be well served to remind end users to always keep an eye out for suspicious requests, and when they spot one check with the sender (either in person or over the phone) to verify