If You Think The Internet of Things Isn’t a Problem…

That only means you don’t work in hardware or software engineering. This Hacked Coffee Maker Demands Ransom and Demonstrates a Terrifying Implication About the IoT. It isn’t just that they can spy on you. They can. They do. They can do more.

So a security researcher was asked to prove that this kind of thing can be done.

After a week of tinkering, he effectively turned the coffee maker into a ransomware machine. When the user tries to connect it to their home network, it triggers the machine to turn on the burner, spew hot water, endlessly spin the bean grinder, and display a pre-programmed ransom message while beeping incessantly. The only way to get it to stop? Unplugging your now seemingly possessed coffee maker entirely.

Now why anyone needs a smart coffee maker is beyond me, especially if you see the price. And I paid quite a bit for a coffee maker that is certified by the Specialty Coffee Association. But then it is certified to make a good cup of coffee, not talk to my smartphone. And it didn’t cost $250.

So what happens when your door locks get hacked, or your car? But the main problem with the coffee maker in question is that it provides a toehold into the rest of your network.

But Hron says the implications of this kind of hack are much more concerning. Through this exploit, attackers could render a smart gadget incapable of receiving future patches to fix this weakness. He also argues that attackers could program the coffee maker or other Smarter appliances with this vulnerability to attack any device on the same network without ever raising any alarm bells. Given the years-long and even decades-long lifespan of traditional appliances, this also begs the question of how long modern IoT device vendors plan on maintaining software support, Hron points out.

The implications of how bad this can be in the long-run explain the image at the top of this post. (Click the image for a look at the fine print.)

Hat tip to Small Dead Animals: I, For One, Welcome Our New Self-Driving Overlords

What’s the Opposite of Diversity?

University. Georgia Tech coughs up $50k to settle free speech lawsuit involving MLK’s niece.

So a student group, Students for Life, at Georgia Tech, which is a PUBLIC university, applied for $2350 to host Alveda King, the niece of Martin Luther King, Jr. They were turned down.

However, Georgia Tech’s student government asked Students for Life to “guarantee” that King would not discuss “religion, abortion, or LGBT issues.”

Can’t have non-approved ideas running around a University campus. People might begin to think for themselves.

So the student group sued, and won, and not just attorneys’ fees and damages.

Students for Life agreed to settle with Georgia Tech after the school revised its policies so that student groups would receive funding through a “viewpoint-neutral decision-making criteria.”

We haven’t quite lost the fight yet for freedom of expression.

More F*c*book Spying

They didn’t mean to. It was a mistake! Facebook spied on Instagram users through their iPhone cameras, a new lawsuit claims

In July, users noticed that a green FaceTime symbol was showing up when they scrolled through their Instagram feed, per the Independent. The symbol appears on iPhones when the camera is on.

The lawsuit, filed on Thursday by Instagram user Brittany Conditi, claims that Facebook’s intentional access of the camera allows the app to collect “lucrative and valuable data on its users that it would not otherwise have access to,” Bloomberg reported.

The company didn’t respond to a request for comment.

The accusation follows allegations that Facebook illegally holds more than 100 million Instagram users’ biometric data. The social media company offered to pay $650 million in July to settle a lawsuit that accused it of collecting data through the photo-tagging tool available on the app.

NSA Discloses Russian Malware

When the “Never Say Anything” agency has something to say, I usually pay attention, if only for the novelty. NSA discloses new Russian-made Drovorub malware targeting Linux.

The NSA today released a technical report (a joint effort with the FBI) detailing Drovorub’s capabilities and offering detection and prevention solutions. The agency says that the framework includes a kernel module rootkit that makes it difficult for network-wide security solutions to catch it.

Probably means it is serious, it is active, and it is attacking people whom the NSA would rather were not under attack.
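The report's point about the kernel-module rootkit is worth making concrete. What follows is an added example, written for this post and not code from the NSA/FBI report or from any vendor: two userland cross-checks that catch process and module hiding on Linux by asking two kernel interfaces the same question and looking for disagreement. The classify_* functions are pure and run on constructed data; the *_live helpers read the standard /proc and /sys paths on a real host.

```python
"""Added example, not code from the NSA/FBI Drovorub report or from any
vendor: two userland cross-checks for the hiding a kernel-module rootkit
does on Linux.  A module that hooks one interface (the /proc directory
listing, or the kernel's module list behind /proc/modules) often leaves
another interface untouched, and the disagreement is the signal.  The
classify_* functions are pure so they can be tested on constructed data;
the *_live helpers gather the real inputs (Linux only, best run as root).
"""
import os
from typing import Callable, Dict, Iterable, List, Optional, Set


def classify_pids(listed: Iterable[int], probed: Iterable[int],
                  tgid_of: Callable[[int], Optional[int]]) -> Dict[str, List[int]]:
    """Compare PIDs shown by a /proc listing with PIDs that answer kill(pid, 0).

    A probed PID that is missing from the listing is either
      - a thread (its Tgid is another PID): /proc lists only thread group
        leaders, so this is normal, or
      - hidden: it is its own Tgid, or its status file cannot be read at all
        even though the kernel says the PID exists.
    """
    listed_set = set(listed)
    result: Dict[str, List[int]] = {"hidden": [], "threads": []}
    for pid in sorted(set(probed) - listed_set):
        tgid = tgid_of(pid)
        if tgid is not None and tgid != pid:
            result["threads"].append(pid)
        else:
            result["hidden"].append(pid)
    return result


def classify_modules(proc_modules: Iterable[str], sys_modules: Iterable[str]) -> List[str]:
    """Loadable modules that have a sysfs directory but are absent from
    /proc/modules: a module that unlinks itself from the kernel's module
    list vanishes from lsmod but normally keeps /sys/module/<name>."""
    return sorted(set(sys_modules) - set(proc_modules))


# ---- live collection (Linux) ----

def probe_pids_live(max_pid: Optional[int] = None) -> Set[int]:
    """Every PID for which kill(pid, 0) does not answer ESRCH."""
    if max_pid is None:
        with open("/proc/sys/kernel/pid_max") as f:
            max_pid = int(f.read())
    alive: Set[int] = set()
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue
        except PermissionError:
            pass  # exists, owned by another user
        alive.add(pid)
    return alive


def listed_pids_live() -> Set[int]:
    return {int(n) for n in os.listdir("/proc") if n.isdigit()}


def tgid_live(pid: int) -> Optional[int]:
    """Read Tgid by direct path; a listing filter does not stop path lookups."""
    try:
        with open(f"/proc/{pid}/status") as f:
            for line in f:
                if line.startswith("Tgid:"):
                    return int(line.split()[1])
    except OSError:
        pass
    return None


def proc_modules_live() -> Set[str]:
    with open("/proc/modules") as f:
        return {line.split()[0] for line in f if line.strip()}


def sys_modules_live() -> Set[str]:
    # Only loadable modules carry an initstate attribute; built-in code under
    # /sys/module does not, and must not be counted as "missing from lsmod".
    return {n for n in os.listdir("/sys/module")
            if os.path.exists(f"/sys/module/{n}/initstate")}


if __name__ == "__main__":
    pids = classify_pids(listed_pids_live(), probe_pids_live(), tgid_live)
    print("hidden PIDs:", pids["hidden"])
    print("modules in sysfs but not in /proc/modules:",
          classify_modules(proc_modules_live(), sys_modules_live()))
```

Run it as root on a live box and expect a little noise: a process that exits between the listing and the probe shows up as "hidden" once, so re-run before believing a result. It is a cross-check, not a substitute for the detection guidance in the advisory, and a rootkit that hooks every one of these interfaces consistently will pass it.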

Your Phone Is Spying on You

And the NSA is worried about phones spying on .gov agents. The NSA on the Risks of Exposing Location Data.

Mitigations reduce, but do not eliminate, location tracking risks in mobile devices. Most users rely on features disabled by such mitigations, making such safeguards impractical. Users should be aware of these risks and take action based on their specific situation and risk tolerance. When location exposure could be detrimental to a mission, users should prioritize mission risk and apply location tracking mitigations to the greatest extent possible.

One of the things they talk about is the risk introduced by vehicles that have “remote communication” features. But every new passenger vehicle sold in the US since the 2008 model year (the mandate phased in from 2006) has had wireless tire-pressure sensors, each of which broadcasts a unique ID in the clear, so you can use them to track vehicles. Try getting rid of those!

Free Speech? Not if the Left Has Anything to Say

A systematic campaign of cyberstalking was undertaken by a team of eBay executives. Now ex-eBay executives. Former eBay Employees Sent Cockroaches, Bloody Pig Mask to Mass. Couple In Harassment Campaign.

Their crime? They DARED to criticize eBay in a newsletter.

In a news conference, U.S. Attorney Andrew Lelling said Monday the former employees sent menacing packages to the couple’s home — including a bloody pig mask — to deter them from writing critically about the San Jose, California-based company.

Lelling said eBay executives were “enraged” by the coverage of the company on the couple’s website. One allegedly said he wanted to “crush this lady,” referring to the woman in the couple that ran the site.

Because the Left is convinced that you don’t have the right to say things that they disagree with, and they have the right to do anything they want to stop you from speaking your mind.

The employees allegedly involved in the scheme were James Baugh, eBay’s former Senior Director of Safety and Security; Stephanie Popp, a senior manager of global intelligence; Stephanie Stockwell, an intelligence analyst; Veronica Zea, a contractor; Brian Gilbert, a senior manager of special operations; and David Harville, former director of global resiliency.

All have been fired by eBay.

All six are being charged with conspiracy to commit cyberstalking and conspiracy to tamper with an investigation.

“Free speech? We can’t have that! Especially if they are going to criticize US!” </sarcasm>

Internet Vigilantes Get it Wrong Again and Again

Are we surprised that people willing to burn down businesses will destroy someone’s life over an error?

First up… Internet vigilantes falsely link ex-officer to teens’ attack

Baffled by the barrage of hate last Thursday, [John] Damskey plugged his name into the internet and made a horrifying discovery: Mobs of Twitter users were falsely accusing him of being the bicyclist on a Maryland trail who accosted three young adults posting flyers protesting the death of George Floyd.

And then… What It’s Like to Get Doxed for Taking a Bike Ride.

In his mentions, disaster was rapidly unfolding. People accused him of assaulting a child. Of being a racist. They shared a selfie he’d taken in sunglasses and his bike helmet and analyzed it alongside blurry images of another man in sunglasses and a bike helmet.

In both cases they were wrong. It didn’t matter. Because they don’t care about anything or anyone, except proving how woke they are.

In the second case, the nightmare started because his regular bicycle ride was shared publicly on some GPS app, because what could possibly go wrong with a lack of privacy.

Trail shared that information publicly, not just with his network of friends and followers. Someone had located a record of his ride on the path on June 2, matched it to the location of the assault from the video, matched his profile picture — white guy, aviator-style sunglasses, helmet obscuring much of his head — to the man in the video, and shared the hunch publicly.

And the hunch was accepted as fact.

And while I know about these 2 incidents, I’m sure there are more.
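What that “someone had located a record of his ride” step involves, as an added example written for this post (not code from either article, and not the real route, time or people): a function that matches public activity traces against a location and a time window. The rides, the incident coordinates and the timestamps are all constructed.

```python
"""Added example, not code from either article: what the 'match a public
ride log to an incident' step actually takes once activity traces are
public.  Rides are constructed sample data (GPS fixes as
(unix_time, lat, lon)) and the incident location and time are invented
for the example; nothing here is the real trail or the real people."""
import math
from typing import Dict, List, Tuple

Fix = Tuple[int, float, float]  # (unix timestamp, latitude, longitude)


def haversine_m(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in metres."""
    r = 6371000.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def match_rides(rides: Dict[str, List[Fix]], lat: float, lon: float, t: int,
                radius_m: float, window_s: int) -> Dict[str, Tuple[float, int]]:
    """Every user whose public trace puts them within radius_m of (lat, lon)
    and within window_s of time t, mapped to (closest approach in metres,
    seconds relative to t).  More than one hit is the normal result on a
    busy trail: public traces yield candidates, never a culprit."""
    hits: Dict[str, Tuple[float, int]] = {}
    for user, fixes in rides.items():
        best = None
        for ts, la, lo in fixes:
            if abs(ts - t) > window_s:
                continue
            d = haversine_m(la, lo, lat, lon)
            if d <= radius_m and (best is None or d < best[0]):
                best = (round(d, 1), ts - t)
        if best is not None:
            hits[user] = best
    return hits


def straight_ride(start_ts: int, lat0: float, lon0: float, n: int,
                  step_s: int = 60, dlat: float = 0.0005) -> List[Fix]:
    """Constructed ride: a fix every step_s seconds, moving north along lon0."""
    return [(start_ts + i * step_s, lat0 + i * dlat, lon0) for i in range(n)]


# Constructed incident: invented coordinates and time, not the real ones.
INCIDENT_LAT, INCIDENT_LON, INCIDENT_T = 38.9800, -77.1000, 1_591_110_000

# Constructed public activity feed.  rider_a and rider_b both pass the spot
# near the time; rider_c rode the same path two hours earlier; rider_d was
# somewhere else entirely.
SAMPLE_RIDES: Dict[str, List[Fix]] = {
    "rider_a": straight_ride(INCIDENT_T - 120, 38.9790, -77.1000, 6),
    "rider_b": [(INCIDENT_T - 200, 38.9803, -77.1000),
                (INCIDENT_T - 140, 38.9808, -77.1000)],
    "rider_c": straight_ride(INCIDENT_T - 7200, 38.9790, -77.1000, 6),
    "rider_d": straight_ride(INCIDENT_T - 60, 39.0500, -77.0500, 4),
}


def candidates_for_sample() -> Dict[str, Tuple[float, int]]:
    """Who the constructed feed puts within 100 m and 10 minutes of the incident."""
    return match_rides(SAMPLE_RIDES, INCIDENT_LAT, INCIDENT_LON, INCIDENT_T,
                       radius_m=100.0, window_s=600)


if __name__ == "__main__":
    for user, (dist, dt) in candidates_for_sample().items():
        print(f"{user}: within {dist} m, {dt:+d} s from the incident")
```

Two of the four constructed riders match, which is the point: a public trace can put several people near the same spot, and nothing in the data says which one, if any, was the man in the video. The only real defence is not publishing the trace, since the match needs no access beyond what the app shows everyone.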

Beware of Free VPNs

I know it has been said before, but it apparently needs repeating… You get what you pay for. This is especially true in the world of Virtual Private Networks. With so many people using the net to work from home or whatever, VPNs are a good idea, but not every VPN is a good idea.

If it is free, you are paying for it in another way. 100+ VPN Logging Policies Debunked.

And it isn’t just the unknown players that you need to beware of.

For example, McAfee’s Safe Connect claims to encrypt your online activity and defend you against cybercriminals. On their homepage, they also claim to protect your privacy.

But their “privacy policy” says that they keep info about the apps you use, the websites you visit, in addition to aggregate statistics. That sounds like fairly detailed usage logs to me.

After the break find a table that details some of the VPNs and how they are not guarding your privacy.

Torrent Freak hasn’t updated its list of VPNs, so we still have last year’s list. It is good. The good VPNs don’t change much year-to-year. Which VPN Services Keep You Anonymous


Third Payment Processor Has Security Breach This Year

Someday companies will take security seriously. But it won’t be in 2020. New York payments startup exposed millions of credit card numbers.

The processor is PAAY, a New York startup that left a database online with no password protection. You can click through for the particulars.

The interesting thing is the attitude and the lies of one of the co-founders. He said they didn’t store credit card numbers.

TechCrunch reviewed a portion of the data. Each transaction contained the full plaintext credit card number, expiry date and the amount spent. The records also contained a partially masked copy of each credit card number. The data did not include cardholder names or card verification values, making it more difficult to use the credit card for fraud.

Mendlowitz disputed the findings. “We don’t store card numbers, as we have no use for them.” TechCrunch sent him a portion of the data showing card numbers in plaintext, but he did not respond to our follow-up.

So perhaps not a total nightmare, but it is still a screw-up of monumental stature. To put a database online without security and leave it there for 3 weeks, is just plain stupid. Or it shows you don’t care in the least about security. Which they don’t.
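If you ever have to settle a “we don’t store card numbers” dispute yourself, the check is mechanical. Here is an added example written for this post, not code from TechCrunch or PAAY: a scanner that finds Luhn-valid card numbers in records and reports them masked. The records are constructed and the card numbers are the standard test PANs, not real cards.

```python
"""Added example, not code from TechCrunch or PAAY: the check a practitioner
runs over an exported table, log or dump to learn whether full card
numbers sit in it in plaintext, which is the claim disputed above.  The
records are constructed; the card numbers are the standard test PANs
(4111..., 5555...), not real cards."""
import re
from typing import Dict, Iterable, List

# 13-19 digits, optionally separated by single spaces or dashes, not glued
# to other digits.  Deliberately broad: the Luhn check prunes it.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check, the first filter every PAN scanner applies."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """First six and last four, which is what a report may safely contain."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_pans(text: str) -> List[str]:
    """Digit runs that look like a PAN and pass Luhn, separators removed."""
    found = []
    for m in CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found


def scan_records(records: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """One finding per field holding a plaintext PAN; the PAN is masked in
    the finding so the report itself does not become a second leak."""
    findings = []
    for rec in records:
        for field, value in rec.items():
            for pan in find_pans(str(value)):
                findings.append({"field": field, "masked": mask(pan)})
    return findings


# Constructed sample of what an unprotected transaction table might hold.
SAMPLE_RECORDS = [
    {"txn_id": "2020061500001234", "card": "4111 1111 1111 1111",
     "card_masked": "411111******1111", "exp": "12/24", "amount": "19.99"},
    {"txn_id": "2020061500001235", "card": "5555555555554444",
     "card_masked": "555555******4444", "exp": "03/23", "amount": "240.00"},
]

if __name__ == "__main__":
    for f in scan_records(SAMPLE_RECORDS):
        print(f"plaintext PAN in field {f['field']!r}: {f['masked']}")
```

The Luhn check is what keeps the scanner honest: the 16-digit transaction id in the sample looks like a card number to a regex but fails mod-10 and is dropped, while the masked copy never matches at all. Run it against the export and you have the answer in minutes, which is about how long it should have taken the company.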

Zoom Security Is Worse Than You Thought

Because security is hard. Security and Privacy Implications of Zoom.

Zoom’s encryption is awful. First, the company claims that it offers end-to-end encryption, but it doesn’t. It only provides link encryption, which means everything is unencrypted on the company’s servers. [SNIP]

They’re also lying about the type of encryption.

So the short story is, they don’t give a rat’s ass about security.

And then there is privacy. (What’s that?) First they lied about it. Then they tried to be coy. But privacy is not high on their list of priorities.

Zoom still collects a huge amount of data about you. And note that it considers its home pages “marketing websites,” which means it’s still using third-party trackers and surveillance based advertising.

But then security and privacy are expensive, and if you give a person a chocolate bar, there is a good chance they will give you access to their online banking system.

Zoom Is Sending Your Info to F*c*book

Because of course it is. Zoom iOS App Sends Data to Facebook Even if You Don’t Have a Facebook Account.

What the company and its privacy policy don’t make clear is that the iOS version of the Zoom app is sending some analytics data to Facebook, even if Zoom users don’t have a Facebook account, according to a Motherboard analysis of the app.

Actually most apps send data to F*c*book, because programmers are lazy, and the F*c*book SDK is an easy place to start (and it phones home whether or not the user ever logs in with F*c*book).

Privacy is such a 20th Century concept. (Hat tip to Wirecutter.)

Microsoft Joins the List of Companies that Hates Privacy

They want to snoop on EVERYTHING you do online. EVERYTHING. Research Finds Microsoft Edge Has Privacy-Invading Telemetry.

When testing the Edge Browser, Leith saw that every URL that was typed into Edge would be sent back to Microsoft sites.

For example, every URL typed into the address bar is shared with Bing and other Microsoft services such as SmartScreen. This was confirmed by BleepingComputer who used Fiddler to see the JSON data being sent to Microsoft.

“Telemetry” data. Everything you do online, is a bit beyond telemetry, and more like a creepy invasion of privacy.
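You can reproduce the BleepingComputer check without watching Fiddler by hand. Below is an added example written for this post, not code from Leith’s study or from BleepingComputer: it reads a HAR capture (Fiddler and every major browser can export one) and lists every host other than the site you typed that received the typed URL. The sample HAR is constructed; www.bing.com is named above, but the request path, the JSON field names and the smartscreen.example host are placeholders, not Microsoft’s real endpoints.

```python
"""Added example, not from Leith's study or BleepingComputer's Fiddler test:
the same question ("which hosts other than the site I visited received the
string I typed?") answered from a HAR capture, which Fiddler and every
major browser can export.  The HAR below is a constructed minimal sample;
www.bing.com is named in the quoted text, but the request paths, the JSON
field names and the smartscreen.example host are placeholders."""
import json
from typing import Dict, List
from urllib.parse import unquote_plus, urlsplit


def _request_text(entry: dict) -> str:
    """Everything in the request that could carry the typed string, URL-decoded."""
    req = entry["request"]
    parts = [unquote_plus(req.get("url", ""))]
    parts += [unquote_plus(q.get("value", "")) for q in req.get("queryString", [])]
    parts += [unquote_plus(h.get("value", "")) for h in req.get("headers", [])]
    parts.append(unquote_plus((req.get("postData") or {}).get("text") or ""))
    return " ".join(parts)


def hosts_that_received(har: dict, typed: str) -> Dict[str, List[str]]:
    """Map every third-party host to the request URLs in which the typed
    text appeared (in the URL, query string, headers or body)."""
    first_party = urlsplit(typed).hostname
    leaks: Dict[str, List[str]] = {}
    for entry in har["log"]["entries"]:
        url = entry["request"]["url"]
        host = urlsplit(url).hostname or ""
        if host == first_party:
            continue  # the site you actually asked for is not a leak
        if typed in _request_text(entry):
            leaks.setdefault(host, []).append(url)
    return leaks


TYPED = "https://example.org/private-page"

# Constructed HAR (a subset of the fields a real export contains).
SAMPLE_HAR = {"log": {"entries": [
    {"request": {"method": "GET", "url": TYPED, "queryString": [], "headers": []}},
    {"request": {"method": "GET",
                 "url": "https://www.bing.com/assumed-suggest?q=https%3A%2F%2Fexample.org%2Fprivate-page",
                 "queryString": [{"name": "q", "value": "https%3A%2F%2Fexample.org%2Fprivate-page"}],
                 "headers": []}},
    {"request": {"method": "POST", "url": "https://smartscreen.example/assumed-check",
                 "queryString": [], "headers": [],
                 "postData": {"mimeType": "application/json",
                              "text": json.dumps({"uri": TYPED, "client": "x"})}}},
    {"request": {"method": "GET", "url": "https://static.example.org/logo.png",
                 "queryString": [], "headers": []}},
]}}

if __name__ == "__main__":
    for host, urls in hosts_that_received(SAMPLE_HAR, TYPED).items():
        print(host, "received the typed URL in", len(urls), "request(s)")
```

Point it at a real export with the URL you typed, and anything in the result is telemetry you did not ask for. The function looks at headers too, because a Referer or a custom header can carry the URL just as easily as a query string or a JSON body.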

Google’s Blogspot blogging software has decided that in order to comment on any post at a blogspot.com website, you need to have third-party cookies enabled. So I keep Edge handy with that feature on in case I ever want to comment on a blogspot blog, because I won’t enable third-party cookies in my usual browsers. (Which are all of them, aside from Edge.)

Ministry of Truth is Created in the UK

More like Airstrip One every day. UK Govt. Approves Net Censorship – Free Speech Dies – Liberty Nation.

The United Kingdom has become the first Western nation to move ahead with large-scale censorship of the internet, effectively creating regulation that will limit freedom on the last frontier of digital liberty. In a move that has the nation reeling, Prime Minister Boris Johnson has unveiled rules that will punish internet companies with fines, and even imprisonment, if they fail to protect users from “harmful and illegal content.”

Couched in language that suggests this is being done to protect children from pedophiles and vulnerable people from cyberbullying, the proposals will place a massive burden on small companies. Further, they will ultimately make it impossible for those not of the pervasive politically correct ideology to produce and share content.

Western Civilization was nice while it lasted. (Hat tip)

Why Aren’t You Using Signal?

Because security is important. Signal is finally bringing its secure messaging to the masses | Ars Technica.

Or are you comfortable living in a state like the old East Germany under the Ministerium für Staatssicherheit, or the Stasi?

But Deb, they make it so hard to share emojis and security is hard, and I really want a chocolate bar, and to get one all I have to do is turn over my life to Google, or F*c*book, or Apple or the NSA, or – Oh look! a squirrel! </sarcasm>

Marlinspike has always talked about making encrypted communications easy enough for anyone to use. The difference, today, is that Signal is finally reaching that mass audience it was always intended for—not just the privacy diehards, activists, and cybersecurity nerds that formed its core user base for years—thanks in part to a concerted effort to make the app more accessible and appealing to the mainstream.

So there really is no excuse.

Big Grocery Is Watching You

Everything. You. Do. Customer Tracking at Ralphs Grocery Store.

To comply with California’s new data privacy law, companies that collect information on consumers and users are forced to be more transparent about it. Sometimes the results are creepy.

Health. Insurance. Property. Bank Accounts. What you do online. Geolocation data – which is vague. (Where you go in the store or where you go in general?) There’s more.

And when people got creeped out, they said they may have to rethink how they worded the disclosure.

That’s the company’s solution. Don’t spy on people less, just change the wording so they don’t realize it.

More consumer protection laws will be required.

Bets on Whether the Swamp Will Restrain the NSA?

Still, it should be interesting to see the politicos explain why privacy is such an outmoded concept. Bipartisan Coalition Bill Introduced to Reform NSA Surveillance.

The reforms this bill wants to impose are quite extensive and here is a shortlist of the highlights:

  • It would permanently end the flawed phone surveillance program, which secretly scooped up Americans’ telephone records for years.
  • It would close loopholes and prohibit secret interpretation of the law, like those that led to unconstitutional warrantless surveillance programs.
  • It would prohibit warrantless collection of geolocation information by intelligence agencies.
  • It would respond to issues raised by the Inspector General’s office by ensuring independent attorneys, known as amici, have access to all documents, records and proceedings of the Foreign Intelligence Surveillance Court, to provide more oversight and transparency.

It’s beginning to feel like we live in the Soviet Union, or East Germany, where the .gov can do pretty much what it wants, and it will destroy anyone who gets in the way.

The Future of Texting Is Broken

Whiskey. Tango. Foxtrot. The Future of Texting Is Far Too Easy to Hack: Rich Communication Services promises to be the new standard for texting. Thanks to sloppy implementation, it’s also a security mess.

Can we PLEASE get some secure communications. Aside from Signal that is. (Look, I love Signal. I wish I could get everyone to use it, but for some reason I can’t.) And in what is essentially 2020 there is no fucking excuse to have insecure communications. We know how to do this.

But when security researchers looked under the hood, they found the way carriers and Google have implemented the protocol creates a basket of worrisome vulnerabilities.

At the Black Hat security conference in London on Tuesday, German security consultancy SRLabs demonstrated a collection of problems in how RCS is implemented by both phone carriers and Google in modern Android phones.

For the love of all things Holy. USE Signal.

Big Amazon Is Watching You

Massive surveillance of everything is in the hands of Amazon. What could go wrong? Amazon’s Ring Home Surveillance Network Raises Big Privacy Concerns.

According to Motherboard, police officers can request homeowners’ surveillance footage through Ring. In a statement, Ring said that law enforcement requests must be tied to an active investigation, and though the owner’s consent is required, a warrant isn’t necessary.

Edward Snowden’s privacy concerns are starting to sound less and less like paranoia.

And the terms of service will change over time. You know, that legally binding statement you agreed to when you opened the package. The fine print that no one ever reads, and changes regularly anyway.

Google Has Patient Data – Wants to Squeeze More Money

What a shock. Google has access to detailed health records on tens of millions of Americans.

Google quietly partnered last year with Ascension—the country’s second-largest health system—and has since gained access to detailed medical records on tens of millions of Americans, according to a November 11 report by The Wall Street Journal.

The endeavor, code-named “Project Nightingale,” has enabled at least 150 Google employees to see patient health information, which includes diagnoses, laboratory test results, hospitalization records, and other data, according to internal documents and the newspaper’s sources. In all, the data amounts to complete medical records, WSJ notes, and contains patient names and birth dates.

So much for protections for privacy.

2019 Hacks and Other Cyber-insanity

I usually see this kind of “the year in review” stuff in December. The scariest hacks and vulnerabilities of 2019.

It’s a surprisingly long list. It includes things like a hard-coded password left in a car telemetry app that could make cars vulnerable, F*c*book storing millions of passwords in plaintext on one of their servers, personnel data stolen from the LAPD, Louisiana school districts and Texas cities hit with ransomware, and Simjacker, which could target any phone with a 2G or newer SIM card. Then there were the hacks that cost a lot, like the $95 million hack that hit Demant, a Danish company.

Two months to go.