Nick L

Open Amazon S3 buckets open online now: US election autodialers

Who are these idiots hiring for security? AWS plainly warns when a bucket is open.

Quote

Security biz Kromtech has unearthed two more embarrassing – and potentially dangerous – cases of groups leaving mass data caches unguarded on the public internet.

In the first case, the culprit was an improperly configured AWS S3 bucket owned and operated by Robocent, a political robocalling company based in Virginia Beach, VA.

According to Kromtech head of comms Bob Diachenko, the storage bucket contained 2,594 files, including the audio files to be used in robocalls to voters and spreadsheets containing hundreds of thousands of US voters’ contact details.

These records included voters’ names, addresses, year of birth, phone number, political affiliation, and demographic info such as ethnicity and education level, all pieces of data that would be valuable to use in a spear phishing or social engineering scam.

Unfortunately, Diachenko said, it gets worse. It appears other sites have already collected and indexed the exposed data.

“What’s more disturbing is that company’s self-titled bucket has been indexed by GrayhatWarfare, a searchable database where a current list of 48,623 open S3 buckets can be found,” Diachenko explained.

The second case exposed by Kromtech could land a few people behind bars, if convicted, of course.

Researchers uncovered an exposed MongoDB instance that contained both credit card numbers and payment details. A bit more digging led the researchers to a dump of Facebook and stolen email account data and info from freemium games that offer in-app purchases through virtual currency.

Eventually, the researchers were able to piece together what was going on. The stolen credit cards were being combined with the lifted data to set up Apple IDs on hundreds of jailbroken iPhones that could then be automated to create user accounts on installations of the free-to-play games. The fake game accounts then purchased in-app currency for the games and were re-sold to other players for cryptocoins or real-world currency.

In other words, the scammers were using fake game accounts on jailbroken phones to launder money from the stolen payment cards via the freemium games, and the criminals operating the scam had left the entire operation wide open to the public by not securing the database.

Kromtech said it had reported all of its findings to the US Department of Justice so that a criminal investigation could be opened.

Microsoft: The Kremlin’s hackers are already sniffing, probing around America’s 2018 elections

Why wouldn’t it be them?

QUOTE

Microsoft says it has already uncovered evidence of Russian government-backed hacking gangs attempting to interfere in the 2018 US mid-term elections.

“Earlier this year we did discover that a fake Microsoft domain had been established as the landing page for phishing attacks, and we saw metadata that suggested those phishing attacks were being directed at three candidates that were all standing for election this year,” Burt said.

“These are all people who, because of their positions, might be interesting targets from an espionage standpoint as well as an election disruption standpoint.”

Burt declined to name the candidates being targeted, citing Microsoft’s policy of preserving the anonymity of its clients. In the past, Fancy Bear largely focused its efforts on targeting computers belonging to the Democrats and Hillary Clinton’s campaign, and leaking the Dems’ internal emails in the hope of swinging the balance of Congress for the GOP, and the White House race for Donald Trump.

Redmond is a tool for Russia

Microsoft’s services play a prominent role in Fancy Bear’s meddling, Burt said. To help make its phishing pages more believable, the GRU-backed hacking crew often registers domains whose names resemble Microsoft services and then uses those to create fake login or download pages impersonating Redmond’s own. These pages can trick victims into installing malware, or handing over the usernames and passwords for their email inboxes and other sensitive accounts. Additionally, the domains are used for the command and control servers for data-harvesting spyware.

Because of that, Burt explained, Microsoft has made a habit of tracking the group, and using its legal team to have those domains seized and either shut down or handed over to Microsoft’s security team, who then use them to gather information about the inner-workings of the operation.

Burt said that, after two years of tracking the gang, Microsoft has become efficient enough that a new domain can be challenged and seized in as little as 24 to 48 hours. “The goal here is to say stop using Microsoft domain names,” Burt said. “If you keep using them, we are going to make it more costly for you.”

This is also why securing your Microsoft Office 365 accounts with multi-factor authentication is crucial, to help thwart password phishing attempts.

Burt’s comments also come as the US Department of Justice issued a report warning that attacks on the mid-term elections are all but assured. The report notes that the government has created a task force, including multiple agencies and state attorneys general, that will focus on detecting and prosecuting attempts to affect the outcome of the mid-term vote.

IoT Vacuum Spying

Quote

Vulnerabilities in a range of robot vacuum cleaners allow miscreants to access the gadgets’ camera, and remote-control the gizmos.

Security researchers at Positive Technologies (PT) this week disclosed that Dongguan Diqee 360 smart vacuum cleaners contain security flaws that hackers can exploit to snoop on people through the night-vision camera and mic, and take control of the Roomba rip-off.

Think of it as a handy little spy-on-wheels.

Break up Facebook

Since the users of Facebook will never take action to fix their addiction, perhaps it is time for regulators to step in. The history of egregious breaches of public trust and leaks of privacy at Facebook demands action.

QUOTE

When the government broke up the telephone system in 1984, the fact that AT&T could count most citizens as customers and that it was arguably the best-run telephone company in the world was not deemed compelling enough to preserve its monopoly power. The breakup would unleash a wave of competition and innovation that ultimately benefited consumers and the economy.

Facebook seems to be in a similar position today — only with far greater global reach than Ma Bell could have imagined. Facebook’s two billion monthly active users, and the way those accounts are linked and viewed by users and by third parties, have made it the most powerful communications and media company in the world, even if its chief executive, Mark Zuckerberg, insists his is a technology business.

And that power is being abused. As The New York Times reported Tuesday, Facebook shared data with at least four Chinese electronics firms, including one flagged by American officials as a national security threat. We learned earlier this week, thanks to a Times investigation, that it allowed phone and other device makers, including Amazon, Apple, Samsung and Microsoft, to see vast amounts of your personal information without your knowledge. That behavior appears to violate a consent order that Facebook agreed to with the Federal Trade Commission in 2011, after Facebook was found to have made repeated changes to its privacy settings that allowed the company to transfer user data without bothering to inform the users. And it follows the even darker revelation that Facebook allowed a trove of information, including users’ education levels, likes, locations, and religious and political affiliations, to be exploited by the data mining firm Cambridge Analytica to manipulate potential voters for its Republican Party clients.

Throughout its history, Facebook has adamantly argued that it treats our data, and who has access to it, as a sort of sacred trust, with Zuckerberg & Company being the trustees. Yet at the same time, Facebook has continued to undermine privacy by making it cumbersome to opt out of sharing, trying to convince users that we actually do want to share all of our personal information (and some people actually do) and by leaving the door unlocked for its partners and clients to come in and help themselves. Those partners have included 60 device makers that used application programming interfaces, also known as A.P.I.s, so Facebook could run on their gadgets.

In Facebook’s view those partners functioned as extensions of the Facebook app itself and offered similar privacy protections. And the company said that most of this intrusive behavior happened a decade ago, when mobile apps barely existed and Facebook had to program its way onto those devices. “We controlled them tightly from the get-go,” said Facebook’s Ime Archibong, vice president for product partnerships, in a response to The Times’s article. Yet a Times reporter was able to retrieve information on 295,000 Facebook users using a five-year-old BlackBerry.

Facebook Gave Data Access to Chinese Firm Flagged by U.S. Intelligence

Surprise Surprise Surprise! Just say no to Facebook!

Quote

Facebook has data-sharing partnerships with at least four Chinese electronics companies, including a manufacturing giant that has a close relationship with China’s government, the social media company said on Tuesday.

The agreements, which date to at least 2010, gave private access to some user data to Huawei, a telecommunications equipment company that has been flagged by American intelligence officials as a national security threat, as well as to Lenovo, Oppo and TCL.

The four partnerships remain in effect, but Facebook officials said in an interview that the company would wind down the Huawei deal by the end of the week.

Facebook gave access to the Chinese device makers along with other manufacturers — including Amazon, Apple, BlackBerry and Samsung — whose agreements were disclosed by The New York Times on Sunday.

The deals were part of an effort to push more mobile users onto the social network starting in 2007, before stand-alone Facebook apps worked well on phones. The agreements allowed device makers to offer some Facebook features, such as address books, “like” buttons and status updates.

Security Court says NO to Kaspersky’s US govt computer ban appeal

QUOTE

A US district court has upheld the American government’s ban of Kaspersky Lab software from computers of federal agencies.

Judge Colleen Kollar-Kotelly, sitting in Washington, DC, issued a ruling Wednesday to dismiss the two lawsuits Kaspersky had filed against Uncle Sam and the Department of Homeland Security challenging both the September 2017 Binding Operative Directive (BOD 17-01) and the Congressional National Defense Authorization Act (NDAA), the two documents that blocked government agencies from using Kaspersky Lab’s products.

The Moscow-based Kaspersky saw its products blocked from US government use after it was implicated in a Russian government espionage operation that lifted top-secret NSA cyber-weapons from the Windows PC of a careless agency staffer.

Facebook Gave Device Makers Deep Access to Data on Users and Friends

Dear Facebook users, you are the product, you are also morons. Freedom and privacy are rights that need to be defended, not given away for convenience.

Quote

As Facebook sought to become the world’s dominant social media service, it struck agreements allowing phone and other device makers access to vast amounts of its users’ personal information.

Facebook has reached data-sharing partnerships with at least 60 device makers — including Apple, Amazon, BlackBerry, Microsoft and Samsung — over the last decade, starting before Facebook apps were widely available on smartphones, company officials said. The deals allowed Facebook to expand its reach and let device makers offer customers popular features of the social network, such as messaging, “like” buttons and address books.

But the partnerships, whose scope has not previously been reported, raise concerns about the company’s privacy protections and compliance with a 2011 consent decree with the Federal Trade Commission. Facebook allowed the device companies access to the data of users’ friends without their explicit consent, even after declaring that it would no longer share such information with outsiders. Some device makers could retrieve personal information even from users’ friends who believed they had barred any sharing, The New York Times found.

TomTom Privacy – a Good Model!

So I previously posted the disgusting Garmin Privacy policy. There is a fine alternative: TomTom. (I have no financial interest in TomTom and do not sell their products. I just want to show an alternative.)

Firstly, they state the principles clearly:

TomTom is all about where you are and getting to where you want to be. We help you achieve more. Sometimes we’ll need to know some things about you in order to help you. While we collect and use your data, we fully understand that you value your privacy.

We believe privacy is about freedom and being able to decide for yourself who uses your data and how. This is why we have established our Privacy Principles:

1. We will always keep you fully informed about your data

We make sure you understand which data from or about you we use, why we use it, how long we use it and who can use it.

2. We enable you to remain in control of your data

We consider the data from or about you to be yours. We only use it for the purposes for which you have given it to us, or for which we collected it from you. You can opt out or opt in at any time using our software and websites.

3. We protect your data

Your data is yours. We keep it that way by protecting it as best as we reasonably can to prevent it from falling into the wrong hands.

Read the whole thing HERE. Unlike Garmin, their default is privacy:

We will not share your data with others without asking you for permission first, unless there is a legal obligation that prohibits us from asking.

Say YES to TomTom and shame on Garmin

Garmin: Your Privacy Matters (NOT!)

So here is the latest privacy update to come out in the wake of all the Facebook flak. This one is terrible.

Garmin Privacy Policy Full Text Here

Personal data that is processed when you use your Garmin auto navigation device or app:

If you use a Garmin auto navigation device or app and provide your consent, then Garmin will collect and upload from your device data such as location, speed, direction, and time and date of recording. If you provide your consent when asked, then Garmin may also share this aggregated data with or sell this data to third parties to enhance the quality of the traffic, parking and other features enabled by content providers.

Oh great, Garmin. Why is the default to violate your users’ privacy? Where is the link to OPT OUT?

Personal data that is processed when you use location features on your Garmin device or app:

If you elect to use location-based services, such as weather, traffic information, fuel prices, movie times, and local event information, on your Garmin app or device, then the physical location of your device will be collected, in order for Garmin or our providers to provide you with such location-based services.

No Consent option??

Basically, Garmin, the deal is this. You have high prices for your products and your default is to monetize this further by stealing and selling our personal information.

Sorry – Just say NO to Garmin