WhatsApp Is Lacking In Security

But then the people behind it don’t care about security. How Hackers Broke WhatsApp With Just a Phone Call.

A new Financial Times report alleges that the notorious Israeli spy firm NSO Group developed a WhatsApp exploit that could inject malware onto targeted phones—and steal data from them—simply by calling them. The targets didn’t need to pick up to be infected, and the calls often left no trace on the phone’s log.

Apparently the latest patch fixes some of the problem, and they are “doing infrastructure upgrades” to also address the issue. But WhatsApp is all about convenience. And convenience is in many ways the enemy of security.

“This does indeed sound like a freak incident, but at the heart of it seems to be a buffer overflow problem that is unfortunately not too uncommon these days,” says Bjoern Rupp, CEO of the German secure communication firm CryptoPhone. “Security never was WhatsApp’s primary design objective, which means WhatsApp has to rely on complex VoIP stacks that are known for having vulnerabilities.”

The bad guys are targeting high-profile dissidents and political activists. So probably bad-states.

The Apple $1 Billion Suit Over Facial Recognition Gone Wrong

The story from earlier already has a broken link. So here it is again from a different source. Teen hits Apple with $1B lawsuit over facial recognition arrest.

Ousmane Bah was arrested by New York Police Department officers on Nov. 29 after being accused of thefts at Apple Stores in Manhattan, Boston, New Jersey and Delaware, according to his lawsuit.

The lawsuit says the actual thief was caught stealing $1,200 worth of merchandise — specifically Apple Pencils — from the Boston store on May 31, 2018. The person then used a stolen ID that included Bah’s name, address and other personal details, but not his photo, according to the suit. This may actually have been a non-photo learner’s permit that Bah previously lost, the suit says. Bah is African American.

The lawsuit accuses Apple of negligence, emotional distress, defamation, slander, libel and fraudulent concealment.

Because they didn’t bother to look at the guy they arrested vs the security camera footage BEFORE they arrested him. Though that’s as much on the cops as on Apple.

Apple Defamed a Kid, He Wants His Payday

Facial recognition gone wrong. A teenager is suing Apple for $1 billion over facial recognition tech. OK that link is broken in a day. Here’s the CNET story. Teen hits Apple with $1B lawsuit over facial recognition arrest. Quotes are from the original. Not sure why that source booted the story…

An 18-year-old from New York is currently trying to take Apple for around 0.1 per cent of the company worth – $1 billion – for a facial recognition faux pas that has allegedly seen him charged in New York, Massachusetts, Delaware and New Jersey for thefts that were nothing to do with him.

The only way to get the tech giants to change their ways – short of antitrust action, which I don’t see happening – is to cause them real financial harm.

Facial recognition not being a reliable tool in law enforcement? We’re shocked. Absolutely shocked.

Would You Let a Random Stranger Install Cameras In Your Home?

Of course not. But you will buy cheap “security cameras” and install them without even bothering to change the default credentials, for the most part. P2P Weakness Exposes Millions of IoT Devices.

A peer-to-peer (P2P) communications technology built into millions of security cameras and other consumer electronics includes several critical security flaws that expose the devices to eavesdropping, credential theft and remote compromise, new research has found.

The “random people” viewing stuff collected from security cameras, doorbell-cameras, baby-monitors, etc. include the .gov, as well as bad people.

There are at least 2 million vulnerable devices on the internet. Only about 7 percent are in the USA, with the largest portion in China, and about 17 percent in Europe. (Click thru – there’s a map.)

And in a side note about how these companies treat security… none of the companies that manufacture/rebrand this stuff responded to requests, or even acknowledged the problem. And then there’s this.

Interestingly, iLnk’s Web site (p1.i-lnk[.]com) currently appears to be non-functional, and a review of its HTML source code indicates the site is currently compromised by an obfuscated script that tries to redirect visitors to a Chinese gaming Web site.

And the researcher doesn’t think it is possible for these to be fixed in the field, not that any of the companies involved are likely to try.

If you install this kind of crap in your home, and you don’t know precisely what the risks are, well, the best thing I can say is you need to educate yourself. And you may want to rethink that.

Data on 80 Million American Households Available

Security is such a bother. Exposed Database Leaks Addresses, Income Info of Millions of Americans.

  • Full addresses, including street addresses, cities, counties, states, and zip codes
  • Exact longitude and latitude
  • Full names, including first, last, and middle initial
  • Age
  • Date of birth

And that is only the data in plaintext. There is more data about income, marital status, etc.

No one knows – yet – who that data “belongs” to, because of how it was stored, but it was all available on the internet, with no security at all. That 80 million number is significant because it is “more than half of the total number of U.S. households.”

F*c*book Investigation Trifecta

It couldn’t happen to a more deserving organization. Facebook hit with three privacy investigations in a single day.

  1. Ireland launched a GDPR investigation for the “hundreds of millions” of users who had their passwords stored in plaintext.
  2. Canada is upset over the 600,000 Canadian citizens who had their data vacuumed up and used in the Cambridge Analytica insanity.
  3. And the 1.5 million users who had their contact lists stolen was too much for the Attorney General of New York.

“It is time Facebook is held accountable for how it handles consumers’ personal information,” said [NY Attorney General Letitia] James in a statement. “Facebook has repeatedly demonstrated a lack of respect for consumers’ information while at the same time profiting from mining that data.”

They are evil and must be destroyed. Plaintext passwords and stealing contact information are inexcusable.

F*c*book Steals Contacts from 1.5 Million People

I am even more convinced that F*c*book is evil and must be destroyed. Facebook says it ‘unintentionally uploaded’ 1.5 million people’s email contacts without their consent.

These 2 things are really all you need to know.

  • A security researcher recently noticed Facebook was asking some new users to provide their email passwords when they signed up — a move widely condemned by security experts.
  • Business Insider then discovered that if you entered your email password, a message popped up saying it was “importing” your contacts without asking for permission first.

They didn’t mean to do this, really. That was never their intent. They LOVE privacy, and Zuckerberg *spit* wants to ‘rebrand’ as a privacy organization. Good luck with that.