by Paul Arnote (parnote)
Surprise! (Not!) Facebook Data Breach!
File this one under "who'da thunk it?" Facebook data and privacy breach? Hold it ... Facebook and privacy in the same sentence? What am I thinking?!
In a nutshell, Cambridge Analytica convinced around 300,000 Facebook users to install a "personality" app. As a result, data was collected not only on those 300,000 Facebook users, but also on all of their friends. In the end, over 50,000,000 ... yes, MILLION ... users were caught up in the mass collection of private data.
Initially, it was reported that the Donald Trump presidential campaign accessed and used the collected data to help win his bid for the White House. But, it has also trickled out that former U.S. President Obama also used the same data to stump for donations from supporters.
In the aftermath -- five days after the story broke -- Mark Zuckerberg issued a less-than-heartfelt "apology" for the data collection. Over 3,000 advertisers -- including Mozilla -- are either pulling their advertising from Facebook, or are threatening to do so. Untold numbers of users are threatening to delete their Facebook accounts, or already have. Congressional investigators are calling for Zuckerberg to testify before a congressional committee about mass data collection. Legislators in the UK are asking for something similar. In other countries around the world, governments are inquiring into whether or not Facebook violated privacy standards for their citizens. The implications from this "event" are huge, and won't settle out for quite some time.
In a connected item with this "story," which also falls into the "who'da thunk it" category, a former operations manager for Facebook tells tales of previous data collections by third party apps that went mostly ignored or unpunished.
Stay tuned. This one will take quite some time to be sorted out, and I'm sure there's more yet to come.
Super Hero Windows User Sues Microsoft Over Forced Win10 Updates
On February 14, 2018, Albuquerque, New Mexico resident Frank Dickman filed a lawsuit in U.S. District Court against Microsoft and Microsoft CEO Satya Nadella for a forced update from Windows 7 to Windows 10. The "update" borked his ASUS 54L Notebook computer, rendering it immediately non-functional.
Dickman characterizes his lawsuit as a "civil rights violation." As a remedy, he is asking for Microsoft to provide, via digital download and activation code, a copy of Windows 7 within 30 days of being served notice of the lawsuit. If they fail to provide him a copy of Windows 7 and its activation code within 30 days, he is asking for $600 million in damages.
While his monetary reward may be a bit excessive (and thus has about as much chance of being awarded as he does to walk on the moon naked), he isn't the first person to complain about Microsoft's overly aggressive push to upgrade Windows users to Windows 10. In July 2016, three Florida residents filed a class action lawsuit, claiming Microsoft coerced them into upgrading to Windows 10, borking their computers. In June 2016, a California travel agent was awarded $10,000 in small claims court when the Windows "update" borked her computer. In this case, Microsoft claims that it settled to minimize court and legal costs. There are many, many other Windows users seeking compensation for Microsoft's overzealous push to upgrade users to Windows 10.
Cellebrite Can Hack EVERY iPhone In The World
If you use any smartphone ... no, strike that. If you use any cell phone ... no, strike that, too. If you use ANY form of electronic voice communication in today's spy-infested, intrusive socio-political environment and expect any level of privacy, then you are living with your head in the same clouds that all your collected data is stored in. The three and four letter government sponsored agencies and the hackers have never heard the maxim "just because you can, doesn't mean you should."
Cellebrite is an Israeli company that is a fully owned subsidiary of Sun Corporation of Japan. It has, in turn, subsidiaries based in the U.S. and Germany. It markets a whole host of services geared towards breaking the encryption on most, if not all, of the mobile operating systems available and in use, including iOS and Android. Its services are geared towards and marketed to law enforcement agencies. It is thought that Cellebrite is leveraging zero-day exploits discovered for iOS, some discovered by Cellebrite itself. As a result, Cellebrite is becoming a one-stop-shop for collecting the "hacks" and exploits that break the encryption on mobile devices. Thus, the world is just one hack away from having all of these exploits released into the digital wilderness.
The FBI, DHS, U.S. Secret Service, and many U.S. based law enforcement agencies are customers of Cellebrite. Recently, it was discovered that one U.S. law enforcement agency utilized Cellebrite technology to unlock an iPhone 8 -- which means that it most likely will work on iPhone X, when it's released. According to Cellebrite, they have the means to hack or bypass any security or encryption on iOS 5 through iOS 11. The same applies to the Android platform as well.
Here is an excerpt from Wikipedia that ought to scare the pants off anyone using any mobile platform:
In 2007, Cellebrite announced a line of products it called 'Universal Forensic Extraction Device' (UFED), aimed at the digital forensics and investigation industry. The UFED system is a hand-held device with optional desktop software, data cables, adapters and other peripherals. The UFED additionally has an integrated Subscriber Identity Module (SIM) reader.
Unlike its commercial counterpart, the UME, the UFED system is sold only to approved government and corporate organizations. Also unlike the UME, the UFED extracts mobile device data directly onto an SD card or USB flash drive. Another major difference from the UME is the UFED's ability to break codes, decipher encrypted information, and acquire hidden and deleted data.
The UFED has been named "Phone Forensic Hardware Tool of the Year" for four years running in the Forensic 4cast Awards.
Cellebrite claims the UFED has the ability to extract data from nearly 8200 devices as of June 2012. These include smartphones, PDA devices, cell phones, GPS devices and tablet computers. The UFED can extract, decrypt, parse and analyze phonebook contacts, all types of multimedia content, SMS and MMS messages, call logs, electronic serial numbers (ESN), International Mobile Equipment Identity (IMEI) and SIM location information from both non-volatile memory and volatile storage alike. The UFED supports all cellular protocols including CDMA, GSM, IDEN, and TDMA, and can also interface with different operating systems' file systems such as iOS, Android OS, BlackBerry, Symbian, Windows Mobile and Palm as well as legacy and feature cell phones' operating systems.
The UFED enables the retrieval of subject data via logical ("what you see is what you get"), file system (e.g., directories and files), or physical extractions (i.e.: hex dump, a bit-for-bit copy of a mobile device's entire storage). Physical extraction enables it to recover deleted information, decipher encrypted data, and acquire information from password-protected mobile applications such as Facebook, Skype, WhatsApp and browser-saved passwords. The UFED's physical extraction functionality can also overcome devices' password locks, as well as SIM PIN numbers.
The Wikipedia article provides us this scary tidbit, a little later on in the article:
On 12 January 2017 it was reported that an unknown hacker had acquired 900 GB worth of confidential data from Cellebrite's external servers. The data dump includes alleged usernames and passwords for logging into Cellebrite databases connected to the company's my.cellebrite domain, and also contains what appear to be evidence files from seized mobile phones, and logs from Cellebrite devices.
The data suggests Cellebrite sold its data extraction products to countries such as Turkey, the United Arab Emirates and Russia.
Now that brief passage gives a couple of things to make users very, very afraid. First, Cellebrite has been hacked in the past, making the release of these "tools" into the digital wilderness a very real and scary proposition. Second, it appears that Cellebrite is available to anyone willing to pay the prices for the service.
I can't even imagine the horror for our personal and private data should these "tools" ever become available and widespread to privacy pirates around the world.
Energizer Releases Cell Phone With 16,000 mAh Battery
My own LG V20 Android cell phone has a 3,200 mAh battery. On most days, the battery lasts the entire day before needing to be recharged. Even the new Samsung Galaxy S9 has a 3,000 mAh battery to power it. The new and forthcoming iPhone X has a 2,716 mAh battery, for comparison. So now, Eveready ... yes, the battery maker ... is releasing its own Android phone with a 16,000 mAh battery (non-user removable). It's called the Energizer Power Max P16K Pro. The phone is manufactured for Eveready by Avenir Telecom, and it had all of the Mobile World Congress abuzz.
Projected out, that battery should power the phone for between five and seven days (depending on how much you use your phone, of course). Can you imagine being able to use your cell phone for an entire WEEK before having to recharge its battery? At our house, charging the cell phone(s) is a nightly ritual. Have some idle time at work? Plug the phone in to charge. Driving in the car? Plug the phone in to charge. I'm sure you know the routine. The P16K Pro also boasts a "standby" time of 40 days.
With a battery that has more than 3x the capacity of the Samsung S9 and iPhone X, the P16K Pro phone comes in at twice the thickness of the iPhone -- about 15.2 mm thick. Still, it comes with some pretty nice features. Take a look:
MediaTek Helio P23 chipset
2.5 GHz Cortex-A53 eight core CPU
6GB of RAM
128GB of internal storage
microSD card slot for expansion (64GB Max)
Dual nano SIM card slots for people who like juggling two numbers
Android 8.0 Oreo
5.99-inch 18:9 aspect ratio display (full HD resolution)
1080 x 2160 pixels (~403 ppi density)
Front cameras (16-megapixel + 13-megapixel)
Back cameras (13-megapixel + 5-megapixel)
Rear fingerprint sensor below the cameras
WLAN: Wi-Fi 802.11 a/b/g/n, Wi-Fi Direct, hotspot
Bluetooth: 4.2, A2DP, LE
GPS: Yes, with A-GPS
Radio: FM radio
USB Type-C 1.0 reversible connector (PowerDelivery 2.0)
Expected "fast charging" time: 90 minutes
NO Power Bank/Reverse charging
Expected price: US$738/€599/£528
It would be nice to see other features, such as water resistance or being waterproof, added to the list of features before it is released. If that single feature were added, I'd stand in line to get my hands on this phone. Also, the ability to be able to use the phone's massive battery to charge other devices would be a nice feature, but it appears that this will not be the case. Besides the screen -- which pretty much has to be glossy -- the glossy back of the phone is a real fingerprint and grime magnet. It would be nice to see a matte finish for those parts of the phone that don't require high gloss -- like the back of the phone case.
Of course, where my phone's battery (and every other phone's battery) struggles is in fringe reception areas. For example, when I'm deer hunting at my favorite spot, the ONLY place I can get enough intermittent service to send a simple SMS text is when I'm up in the tree stand. The service isn't consistent or strong enough to be able to send a MMS multimedia text message, much less make a call. During that time, I'm lucky if my cell phone's battery lasts until sunset, and that is only if I turn off all unnecessary, power draining features, like Wifi, syncing, Bluetooth, etc. I also have to turn down the biggest power consumer -- the display screen -- to only a 10% brightness. It would be interesting to see how this new phone would fare under such conditions.
Expect to see this phone hit stores this coming September.
"Internet of Things"
If you read any of the computer trade magazines, you have undoubtedly heard about the "Internet of Things." Basically, this is where everything and anything that can be conceivably connected to the internet, is connected to the internet. For those behind this trend and those willing to accept it, everything from your toilet paper roller to your refrigerator to your dog's collar gets connected to the internet. Probably the most popular recent products in this category include Google Home and Amazon Echo.
Every time I read the abbreviation for the "Internet of Things" ... which is IoT ... I can't help seeing an "ID" in front of it, and read it as such ... IDIoT. I must not be a part of their target market or audience. I have no need for my refrigerator to send a shopping list -- over the internet -- to my cell phone before going grocery shopping. I have no need for my toilet paper roller to serve as a radio. And I certainly don't need something like Google Home or Amazon Echo spying on my every move and monitoring my behavioral "patterns" just to target me with advertising or attempting to sell me more stuff I don't need.
In my humble opinion, those pushing IoT are another group of people who have never heard of the maxim, "just because you can, doesn't mean you should." There's plenty of circumstantial evidence to suggest that the makers of IoT appliances might be in bed with their "brethren" from the three- and four-letter government agencies, who don't need any additional help. With the intrusions of computers, tablets and smartphones into our daily lives, I don't need to view my refrigerator with suspicious eyes over its nefarious motives and with whom else it might be sharing some of my most private activities of daily living.
As these devices multiply exponentially, it should be of little surprise that security is, at best, poor. A team of researchers from Ben-Gurion University recently purchased a variety of IoT devices off of the shelf. Their sole purpose was to see how easily they could hack them, and then use them to attack other similar devices over the internet. Within about 30 minutes of unboxing the items, they had discovered the devices' default password and the services they were running. Then they could use that information to take over other devices of the same make and model, creating a botnet that they could control.
Overall, they purchased 16 different items, including baby monitors, doorbells, cameras, and temperature sensors, and were able to discover the password for 14 of them. They took them into the lab and disassembled the devices, looking for debugging ports that remained on the circuit boards. Once found, they had full "backdoor" access to the devices. Then, once hacked, they had all the information they needed for all other devices of the same make and model. Some of these items have the potential to remain in service for decades. Some of these companies will go out of business during the service life of these devices. Thus, there will be no more firmware updates for these devices (despite the fact that consumers are not particularly good about applying firmware updates, anyway).
Illegal Spies Hiding In The Open
This couldn't have come at a more inopportune time. At a time when computer users are increasingly wary of government intrusions into our private lives, comes the revelation that employees of Best Buy's Geek Squad worked hand in hand with the FBI to ensnare computer users suspected of illegal activities. For more than 10 years, Geek Squad staff and the FBI maintained a close "working" relationship at their Louisville, Kentucky repair facility.
When customers' computers were sent there for repair, Geek Squad employees would actively search the customer's hard drive for data reflecting illegal activities. If suspicious activity or data was discovered, an FBI agent would come and take a look at the questionable data. If the FBI agent agreed with the Geek Squad employee's assessment, then the hard drive would be confiscated and sent to an FBI field office close to the customer's primary residence. Then, that field office would investigate further and, if necessary, petition the courts for a search warrant of the customer's hard drive -- even though the "search" had occurred before the acquisition of a proper warrant.
Best Buy has confirmed that no less than four Geek Squad employees received $500 payments -- a bounty, if you will -- from the FBI for turning over suspicious illegal activity "finds" via their illegal searches.
This revelation has come out of a FOIA (Freedom of Information Act) request filed by the EFF (Electronic Frontier Foundation) after a 2017 case where a California physician was arrested for child pornography. He had taken his computer in to Geek Squad for repair, and it was shipped to the Louisville, Kentucky repair center. Geek Squad employees allegedly found a child pornography image in unallocated space on the hard drive. To do so would require more than a cursory glance at the images stored on the hard drive. Rather, the discovery of images in unallocated hard drive space typically requires forensic software to find and retrieve them. Thus, the Geek Squad employees would have had to have been actively searching for evidence of illegal activity.
The court documents for that case revealed a quite cozy relationship between the FBI and Geek Squad, prompting the EFF to dig a little deeper and file the FOIA request. EFF contends that these searches of customers' hard drives may have amounted to a violation of the customers' Fourth Amendment guarantee of protection from illegal search and seizure. The FBI has refused to confirm or deny whether it has other such arrangements with other computer repair outlets and businesses.
The question at the heart of the matter has nothing to do with whether or not certain customers engaged in illegal activity. Rather, it has more to do with whether customers were illegally deprived of legal due process and subjected to illegal, warrantless searches. This would, without fail, expose innocent customers to illegal warrantless searches, as they are swept up in the search for evidence of illegal activities.
There is some protection in having the technical savvy to do your own computer repair work. By doing your own repair work, you eliminate (or greatly diminish) the possibility of being deprived of due process and subjected to illegal warrantless searches.
Lastly, this case has only reaffirmed my personal decision about 18 years ago to never, EVER patronize Best Buy again. It's making my decision to take my business elsewhere one that has paid dividends -- and I have done nothing illegal!
This case represents a slippery slope: where does this end? Does it eventually expose people who have opinions or views that aren't mainstream or widely accepted, but if widely known, could be damaging? In the U.S., people are supposed to be innocent until proven guilty, and are afforded protection from illegal searches and seizures.
(Another) Cryptojacking Exploit
This one seems to cross the OS lines, so Linux users need to beware.
Targeting Windows servers with the leaked NSA EternalBlue exploit (the same one that the WannaCry cyberattack was based on), the RedisWannaMine cryptojacking exploit targets database servers and application servers. It appears to behave like a worm, increasing the infection rate and making more money for its "masters."
Recently, the cybersecurity site Imperva noted the discovery of the new exploit in its security blog. It appears to leverage a vulnerability reported in Apache Struts. Imperva's logs and sensors detected a stealth remote code execution, where it attempts to download an external resource using standard Linux package managers, like apt and yum. It gains persistence by making new entries in crontab, and gains access to a machine by making a new ssh key entry in /root/.ssh/authorized_keys and new entries in the system's iptables.
Everything the script needs is installed from the external resource, and does not depend on local libraries on a user's machine. Some of those installed packages are git, python, redis-tools, wget, gcc and make. It then downloads masscan, a publicly available TCP port scanner tool from GitHub, compiles it, then installs it. Then, it uses masscan to find and infect publicly available Redis servers. When it finds one, it then launches a tool to infect that Redis server. Once infected, it searches for a version of SMB (Samba) with a certain vulnerability, which it then uses to spread to Windows servers.
If nothing else, the RedisWannaMine exploit is complex, self-contained, sophisticated and elaborate. Once up and running, it will do two things. First, it will use the server to mine for cryptocurrencies, fattening the wallets of its "master." Second, it will continue to seek out vulnerable Redis servers and spread to them, and then start the cycle all over again.
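The persistence points named above (root's crontab, /root/.ssh/authorized_keys and iptables) can be checked by comparing them against a snapshot taken while the server was known to be clean. The script below is an added example, not part of the original article or of Imperva's report; the snapshot layout, the function names and the sample entries in `demo` are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: diff persistence artifacts against a known-good snapshot.
# Snapshot file names (crontab, authorized_keys, iptables) are this example's own.
# Print entries of file $2 absent from file $1. Blank/comment lines are skipped;
# iptables-save counters like [12:3456] are stripped so drift is not reported.
new_entries() {
    awk '
        /^[ \t]*(#|$)/ { next }
        {
            line = $0
            gsub(/\[[0-9]+:[0-9]+\]/, "", line)
            gsub(/^[ \t]+|[ \t]+$/, "", line)
            if (FILENAME == ARGV[1]) known[line] = 1
            else if (!(line in known)) print line
        }' "$1" "$2"
}

# Save the three artifacts named in the article into directory $1 (run as root).
snapshot() {
    mkdir -p "$1" || return 1
    crontab -l -u root > "$1/crontab" 2>/dev/null || : > "$1/crontab"
    cat /root/.ssh/authorized_keys > "$1/authorized_keys" 2>/dev/null || : > "$1/authorized_keys"
    iptables-save > "$1/iptables" 2>/dev/null || : > "$1/iptables"
}

# Compare current snapshot $2 with baseline $1. Prints "artifact: entry" for
# each new entry and returns 1 if any were found.
compare() {
    found_any=0
    for artifact in crontab authorized_keys iptables; do
        base="$1/$artifact"; cur="$2/$artifact"
        [ -f "$cur" ] || continue
        [ -f "$base" ] || base=/dev/null
        found=$(new_entries "$base" "$cur")
        [ -n "$found" ] || continue
        printf '%s\n' "$found" | sed "s/^/$artifact: /"
        found_any=1
    done
    return "$found_any"
}

# Constructed sample data (not real indicators): a baseline and a later state.
demo() {
    d=$(mktemp -d) || return 1
    mkdir "$d/base" "$d/now"
    job='0 3 * * * /usr/sbin/logrotate /etc/logrotate.conf'
    key='ssh-ed25519 AAAAC3ExampleAdminKey admin@example'
    rule='-A INPUT -p tcp --dport 22 -j ACCEPT'
    printf '%s\n' "$job" > "$d/base/crontab"
    printf '%s\n' "$job" '*/10 * * * * /opt/example/unknown-job.sh' > "$d/now/crontab"
    printf '%s\n' "$key" > "$d/base/authorized_keys"
    printf '%s\n' "$key" 'ssh-rsa AAAAB3ExampleUnknownKey unknown@example' > "$d/now/authorized_keys"
    printf '%s\n' '*filter' ':INPUT DROP [10:800]' "$rule" COMMIT > "$d/base/iptables"
    printf '%s\n' '*filter' ':INPUT DROP [99:7000]' "$rule" \
        '-A INPUT -p tcp --dport 6379 -j ACCEPT' COMMIT > "$d/now/iptables"
    compare "$d/base" "$d/now"; rc=$?
    rm -rf "$d"
    return "$rc"
}

case "${1:-}" in
    snapshot) snapshot "$2" ;;
    compare)  compare "$2" "$3" ;;
    demo)     demo ;;
esac
```

Take the baseline with `snapshot` while the host is known to be clean and keep it off the machine. Only root's user crontab is covered here, so system-wide cron locations need their own snapshot files.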
Don't you wonder what the software landscape would look like if these talented individuals or groups were to put their amazing programming talents into making better general use software for the masses? I know I do. This also illustrates why it's important to never run your computer as root, and to try and stick with the software in the official PCLinuxOS repository as much as possible.