Google Has Patient Data – Wants to Squeeze More Money

What a shock. Google has access to detailed health records on tens of millions of Americans.

Google quietly partnered last year with Ascension—the country’s second-largest health system—and has since gained access to detailed medical records on tens of millions of Americans, according to a November 11 report by The Wall Street Journal.

The endeavor, code-named “Project Nightingale,” has enabled at least 150 Google employees to see patient health information, which includes diagnoses, laboratory test results, hospitalization records, and other data, according to internal documents and the newspaper’s sources. In all, the data amounts to complete medical records, WSJ notes, and contains patient names and birth dates.

So much for protections for privacy.

2019 Hacks and Other Cyber-insanity

I usually see this kind of “the year in review” stuff in December. The scariest hacks and vulnerabilities of 2019.

It’s a surprisingly long list. It includes things like a hard-coded password left in a car telemetry app that could make cars vulnerable, F*c*book storing millions of passwords in plaintext on one of their servers, personnel data stolen from the LAPD, Louisiana school districts and Texas cities hit with ransomware, and Simjacker, which could target any phone with a 2G or newer SIM card. Then there were the hacks that cost a lot, like the $95 million hack that hit Demant, a Danish company.

Two months to go.

It Isn’t Just Amazon and Google Spying on You

As if that wasn’t enough. Alexa and Google Home abused to eavesdrop and phish passwords.

By now, the privacy threats posed by Amazon Alexa and Google Home are common knowledge. Workers for both companies routinely listen to audio of users—recordings of which can be kept forever—and the sounds the devices capture can be used in criminal trials.

Now, there’s a new concern: malicious apps developed by third parties and hosted by Amazon or Google.

Privacy is such a 20th Century concept.

Welcome to the Panopticon

Netflix. Roku. Smart-TVs. They are all spying on you. Facebook and Google have ad trackers on your streaming TV, studies find.

Modern TV, coming to you over the Internet instead of through cable or over the air, has a modern problem: all of your Internet-connected streaming devices are watching you back and feeding your data to advertisers. Two independent sets of researchers this week released papers that measure the extent of the surveillance your TV is conducting on you. They also sort out who exactly is benefiting from the massive amounts of consumer data that is taken with or without consumer knowledge.

They just can’t stand the idea that you have any privacy. Or that you think thoughts they don’t approve of, but that’s another story.

GPS Trackers for Kids Making Data PUBLIC

This is BEYOND stupid. Buggy GPS Trackers Expose Children’s Real-Time Location.

It seems that corporations haven’t learned a damn thing about security, and people are so excited about convenience they don’t seem to care that it comes at the cost of privacy and/or security.

So when you bought the GPS tracker to keep tabs on your kid, did you think it would make their every move public? Did you think you would be outfitting them with a microphone that anyone on the planet could listen to? Did you think you get a “really good” system for next to no money?

The security flaws were found in GPS location trackers manufactured by the Shenzhen i365 Tech, with over 600,000 users from countries all over the world and resold under multiple brands on various e-commerce platforms like Amazon or eBay.

The details are at the link, but in short… There is a default password for EVERY tracker, which is “123456” and user-id is the serial number. While you can define a more stupid “security model,” it would be hard to come up with one in 2019.
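The “security model” above (a shared factory password, user-id equal to the serial number) is exactly what a provisioning check should reject. The following is an added example, not code from the post or from the tracker vendor; the list of known defaults and the serial numbers are constructed for illustration:

```python
import secrets
import string

# Constructed list of shared factory defaults seen across consumer devices;
# "123456" is the one reported for the i365 trackers.
KNOWN_DEFAULTS = {"123456", "000000", "111111", "password", "admin"}


def credential_findings(user_id: str, password: str, serial: str) -> list:
    """Return the policy violations for one device's login credentials.

    A tracker shipped with user_id == serial and a shared default password
    produces several findings; a per-unit random secret produces none.
    """
    findings = []
    if password in KNOWN_DEFAULTS:
        findings.append("shared-default-password")
    if password == serial or password.lower() == user_id.lower():
        findings.append("password-equals-identifier")
    elif serial and serial in password:
        # e.g. serial plus a fixed suffix: guessable from the printed label
        findings.append("password-derived-from-serial")
    if len(password) < 12:
        findings.append("password-too-short")
    if password.isdigit():
        findings.append("password-digits-only")
    return findings


def provision_device(serial: str) -> dict:
    """Generate a per-unit credential at manufacturing time instead of a
    shared default. The serial may stay public (it is printed on the box),
    so the secret must not be derivable from it."""
    alphabet = string.ascii_letters + string.digits
    password = "".join(secrets.choice(alphabet) for _ in range(16))
    return {"user_id": serial, "password": password}


if __name__ == "__main__":
    # Constructed serial number for demonstration.
    print(credential_findings("1234567890", "123456", "1234567890"))
    creds = provision_device("1234567890")
    print(credential_findings(creds["user_id"], creds["password"], "1234567890"))
```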

Back in 2017, the European Consumer Organisation (BEUC) also issued a public service announcement warning that most children’s GPS-tracking smartwatches are stuffed to the brim with various security flaws exposing their location or allowing potential attackers to take control of the devices.

Various “children’s tablets” that could be hacked and used for phishing. Trackers. Smart watches. Do you really want to bet your kid’s safety on cheap technology from a company you’ve never heard of, sold by an “Amazon Affiliate” – which is about the equivalent of buying something from a flea market?

Bluetooth? I’ll Keep My 3.5mm Headphone Jack, Thanks

This isn’t the first exploit to hit Bluetooth, and it probably won’t be the last. New Attack exploiting serious Bluetooth weakness can intercept sensitive data.

Address book syncing between a car and phone, keystrokes from a keyboard: it isn’t a particular product that is vulnerable, it is the ENTIRE Bluetooth architecture.

KNOB doesn’t require an attacker to have any previously shared secret material or to observe the pairing process of the targeted devices. The exploit is invisible to Bluetooth apps and the operating system they run on, making the attack almost impossible to detect without highly specialized equipment. KNOB also exploits a weakness in the Bluetooth standard itself. That means, in all likelihood, that the vulnerability affects just about every device that’s compliant with the specification. The researchers have simulated the attack on 14 different Bluetooth chips—including those from Broadcom, Apple, and Qualcomm—and found all of them to be vulnerable.

Architectural level problems are the hardest to fix, though several companies have implemented fixes to “mitigate” the issue.

“Why Schools?” – That’s The Wrong Question

Why aren’t schools doing anything to prepare? (And they’re not.) That would be a better question. Why School Systems? The Rise of Ransomware in Public Schools.

And if you ask the wrong question, any answer that you get won’t result in any useful insights.

Due to their wealth of data and limited budget for cybersecurity staff and training, schools have drawn the eye of hackers. Experts recommend backing up data and investing in cybersecurity training and preparedness.

My personal recommendation is that schools cut back on that “wealth of data” until such time as they have a wealth of “cybersecurity training and preparedness” in place, and deployed to protect it. And even then, they should ask if they really need to have that information online, because while ransomware has been in the news, there have been instances where all the data needed to steal identities was taken out of school systems. That’s a lifetime of having to worry about identity theft for people who are not old enough to drink. (Thanks Public Schools Idiots Everywhere who think you know how much you need to spend on security.) All because some administrator somewhere, with next to no knowledge of the risks, decided that he couldn’t be bothered to look up a kid’s address the 2 times during the year when he needed that information. And how often do school administrators need SSNs? Really? They couldn’t get by 99.999% of the time with an in-house student ID number?

But back to the schools.

“The principal reason is that it’s a relatively easy target to aim for,” he said, explaining that school systems typically suffer from a fairly limited IT staff, older equipment and less-than-optimal cybersecurity expertise.

Then repeat after me. If that statement (limited expertise, limited staff, etc.) applies to your organization, then purge every last bit of data that is not needed, and some that is needed. And it isn’t needed just because you’ve “always collected it.” Schools do NOT need SSNs. Not online they don’t. They don’t need every piece of information for stealing identities in a place where it can be stolen by the lowest-knowledge hacker on the planet. How big is your school? You can’t file a couple of thousand pages of info? (Like home address and SSN, for the one time in 4 years when you MIGHT need it?) Stop pretending that having “everything at your fingertips” is a requirement. It isn’t.

Another instance where people asked the wrong question. What diet leads so many people in this area to live past 100? (Hint: It isn’t diet.)

Why Does Everything Have to be WiFi Enabled?

In this case Canon cameras. Even DSLR cameras are vulnerable to ransomware.

More to the point, why aren’t WiFi enabled interfaces secure?

The hackers (white hat) showed that if a camera had WiFi turned on, and that camera was in range of their WiFi access point, they could encrypt the photos on the camera’s memory card.

Canon issued an advisory telling folks to avoid unsecured WiFi, turn off network functions and install a new security patch.

The issue affects most of Canon’s camera lineup, from the EOS 70D to the mirrorless EOS R. It might not be limited to Canon, either, as Check Point told The Verge that other manufacturers, which use the same PTP protocol, could also be vulnerable. [My emphasis.]

PTP, or Picture Transfer Protocol, is an unauthenticated interface used by a lot of cameras and software.

Could manufacturers of everything please check to see if they have

  1. any non-secure interfaces
  2. hard-coded passwords or other backdoors

and get rid of them immediately? Probably not.

Apple Only Cares About Your Privacy When They Get Bad Press

So they’re just like every other tech giant. And they did get bad press. Apple suspends Siri response grading in response to privacy concerns.

In response to concerns raised by a Guardian story last week over how recordings of Siri queries are used for quality control, Apple is suspending the program worldwide. Apple says it will review the process that it uses, called grading, to determine whether Siri is hearing queries correctly, or being invoked by mistake.

In addition, it will be issuing a software update in the future that will let Siri users choose whether they participate in the grading process or not.

This is similar to the mess Google is in.

Privacy is such a 19th Century concept.

Locking the Barn Door After the Horses Escaped

Personally I like “Putting a guard on the picket lines, after the horses have been stolen.” But few people know that saying. LAPD Police Officers’ Personal Information Stolen in Data Breach.

So after the breach…

“Out of an abundance of caution we’re applying extra layers of security around our personnel system and enhancing defenses,” Ross told NBCLA Monday.

Which would have been fine if they’d done that BEFORE the data breach took place. Shouldn’t all their sensitive data have “enhanced defenses?”

The breach itself…

A suspected hacker claimed he or she had stolen the personal information of about 2,500 LAPD officers, trainees, and recruits, along with approximately 17,500 police officer applicants, in what may be a large breach of data held by the city of Los Angeles’ Personnel Department.

Maybe cities should consider NOT putting everything online.