Category Archives: Security

Computer security failures in the news

On Monday, Public Health Wales disclosed that it accidentally leaked the personal data of 18,105 Welsh residents who tested positive for COVID-19, and that data was visible for 20 hours on a public server on Aug. 30 and viewed up to 56 times, the agency said.

The data belonged to every resident of Wales who tested positive for COVID-19 between Feb. 27 and Aug. 30. It included people’s initials, date of birth, gender and general location, but not specific information on who they are. Still, for a subset of 1,926 people who live in supported housing or nursing homes, the data included the names of those locations.

Source: Data on 18,105 coronavirus patients leaks after staffer clicks wrong button – CNET

And, a bug in Biden’s campaign app enabled anyone to access voter history and other data on millions of voters.

Far too many organizations collect far too much information, and then retain it online for far too long. The result is “All your secrets belong to us”.

Having pulled official credit reports on myself and my wife, we were surprised to find the high number of errors in the records. For example, credit reporting agencies had us living at addresses we had never lived at. In one case, they intertwined data from a woman with a similar name to my wife. Through what we found in our own credit file, I was able to cleverly identify the woman, her actual home address and her employer!

Over time, the quality of data retained – for too long – in online databases goes down, and there is seldom any way to know what erroneous data has been stored about yourself, nor is there a way to seek a correction.


Why I have repeatedly stated there is no such thing as “anonymized location data”

In the data drawn from apps, each cellphone is typically represented by an alphanumeric identifier that isn’t linked to the name of the cellphone’s owner. But the movement patterns of a phone over time can allow analysts to deduce its ownership—for example, where the phone is located during the evenings and overnight is likely where the phone-owner lives.

Source: U.S. Government Contractor Embedded Software in Apps to Track Phones – WSJ
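The inference the WSJ passage describes (the phone's overnight cell is probably its owner's home) takes only a few lines, which is the whole point. The script below is an added example, not code from the article or from any contractor's software: it builds a constructed set of hourly pings for one pseudonymous device (made-up coordinates), runs the "where does the phone sleep" heuristic against them, and then shows two mitigations a data holder can apply before sharing such a feed: suppressing the overnight window and coarsening the coordinates. The coordinates, the 22:00 to 06:00 window and the grid sizes are assumptions for the demonstration.

```python
"""Added example (not from the WSJ article): why a per-device ID does not
anonymise movement data, and two mitigations a data holder can apply.

All pings are constructed for one pseudonymous device; coordinates are made up.
"""
from collections import Counter
from datetime import datetime, timedelta

# Constructed "true" anchors for the device owner (assumption, not real data).
HOME = (51.4816, -3.1791)
OFFICE = (51.4830, -3.1700)
SHOP = (51.4760, -3.1850)


def make_day(day):
    """One constructed day of hourly pings: (timestamp, lat, lon)."""
    pings = []
    for hour in range(24):
        if hour >= 22 or hour < 7:
            lat, lon = HOME          # asleep at home
        elif 9 <= hour < 18:
            lat, lon = OFFICE        # at work
        elif hour == 19:
            lat, lon = SHOP          # an errand
        else:
            lat, lon = HOME
        pings.append((day + timedelta(hours=hour), lat, lon))
    return pings


SAMPLE_PINGS = make_day(datetime(2020, 8, 30)) + make_day(datetime(2020, 8, 31))


def grid_cell(lat, lon, decimals=4):
    """Snap a coordinate to a grid; 4 decimals is roughly a 10 m cell."""
    return (round(lat, decimals), round(lon, decimals))


def _inside(hour, window):
    """True if hour falls in [start, end), wrapping past midnight if needed."""
    start, end = window
    return (hour >= start or hour < end) if start > end else (start <= hour < end)


def infer_anchor(pings, hours=(22, 6), decimals=4):
    """Most frequent cell visited inside an hour window.

    With hours=(22, 6) this is the overnight heuristic the article describes;
    with hours=(9, 17) it approximates the workplace instead.
    Returns (cell, share_of_window_pings), or (None, 0.0) if nothing qualifies.
    """
    counts = Counter()
    for ts, lat, lon in pings:
        if _inside(ts.hour, hours):
            counts[grid_cell(lat, lon, decimals)] += 1
    if not counts:
        return None, 0.0
    cell, n = counts.most_common(1)[0]
    return cell, n / sum(counts.values())


# --- Mitigations a data holder can apply before sharing ---------------------

def suppress_hours(pings, hours=(22, 6)):
    """Drop every ping inside a sensitive window (by default, overnight)."""
    return [p for p in pings if not _inside(p[0].hour, hours)]


def coarsen(pings, decimals=2):
    """Truncate precision; 2 decimals is roughly a 1 km cell, many households."""
    return [(ts,) + grid_cell(lat, lon, decimals) for ts, lat, lon in pings]


if __name__ == "__main__":
    cell, share = infer_anchor(SAMPLE_PINGS)
    print("likely home cell:", cell, f"({share:.0%} of overnight pings)")
    print("likely work cell:", infer_anchor(SAMPLE_PINGS, hours=(9, 17))[0])
    print("after suppressing overnight pings:", infer_anchor(suppress_hours(SAMPLE_PINGS)))
    print("after coarsening to ~1 km:", infer_anchor(coarsen(SAMPLE_PINGS))[0])
```

Two things worth noting about the mitigations. Suppressing the overnight window removes the home signal, but the 9 to 17 window still gives away the workplace, so a feed that has to be shared needs every sensitive window handled, not just one. Coarsening to a kilometre cell does not stop the heuristic from running; it just makes the answer cover many households rather than one, which is only a gain if the other fields (the stable device ID, the timestamps) do not let the record be joined back to something more precise elsewhere.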

Let’s just mandate it: “NSA Warns Cellphone Location Data Could Pose National-Security Threat”

The National Security Agency issued new guidance on Tuesday for military and intelligence-community personnel, warning about the risks of cellphone location tracking through apps, wireless networks and Bluetooth technology.

The detailed warning from one of the nation’s top intelligence agencies is an acknowledgment that Silicon Valley’s practice of collecting and selling cellphone location information for advertising and marketing purposes poses a serious national-security risk to many inside the government….

Source: NSA Warns Cellphone Location Data Could Pose National-Security Threat – WSJ

In December 2019, the FAA released a Notice of Proposed Rulemaking requiring mandatory radio-based Remote Identification and tracking of all hobby radio controlled aircraft weighing more than 250 grams (about 1/2 pound). The Final Rule is expected in December of 2021. The NPRM itself eventually ends the radio control model aircraft hobby that currently exists, and makes it legal to fly only certified, manufactured drones that are tracked in real time. The primary purpose is to clear the air space above your home and turn it over to AmazonGoogleUPS. The FAA asserts all rights to the airspace in your back yard, for example.

Every remote controlled aircraft would be required by Federal regulation to connect to the Internet and log its activities in an Internet cloud database, in real time. Those providing the cloud databases may offer them for free in exchange for who knows what – but the FAA itself proposed they might collect photo images and telemetry – such as WiFi and Bluetooth communications collected by the craft.

In effect, the FAA mandates a nationwide low altitude surveillance network of potentially millions of drones collecting data in real time and logging it in databases – that may as well be located in China.

Meanwhile, the US DoD and the US Department of the Interior banned the use of Chinese made drones over fears of their use for espionage.

While the left hand bans drones from collecting data, the right hand mandates that all drones must collect potentially invasive data on behalf of foreign organizations.

We know that U.S. firms and others are collecting massive amounts of private data through the use of apps on our smart phones. Google itself collects your location data, even when you turn location services off.

The primary business function of the Internet is surveillance to be used for many purposes.

When was the last time the media hyped a “drone sighting”? I can’t even remember.

Reports to the FAA of “drone sightings” – used by Congress and the FAA to drive forward draconian remote identification and mandated national surveillance networks using drones, with the goal of pricing drone flying out of the public’s reach – were based on bad data and media hysterics, much of which was false reporting.

  • Remember the Aeromexico flight in late 2018 that had a collapsed nose cone? The media blamed that on a drone. Six months later the official investigation found it was due to a maintenance defect on the nose cone.
  • Remember the Gatwick Airport fiasco? The only confirmed drone sightings were of the fleet of surveillance drones operated by the Sussex Police over the airport.
  • Remember the temporary Newark Airport closure due to a “drone sighting”? That drone report was from 20 miles away from the airport and may not have even been a drone at all.

Take a look at this – drone sightings have magically disappeared: Drone Sightings: The Actual Non-Hyped Numbers Analyzed (Graphs, Trends, etc.)

After a while, when the FAA isn’t stealing Youtube content, they seem to have been busy making up fake drone reports to justify a remote ID proposal that mandates all drones be connected to the Internet cloud, in real time, and used as part of a massive national surveillance program, collecting imagery and telemetry and potentially sending it to China. Brilliant. Not like any drones would do something like that.

The FAA’s primary goal is to make hobby flying of radio control model aircraft so expensive and cumbersome as to eliminate it entirely. The reason is to clear the low altitude airspace for AmazonGoogleUPS delivery drones. The FAA asserts that it and it alone owns the airspace in your front and backyards from the ground up. Literally, the airspace below your head when you stand outside is controlled by the FAA and they intend to use it for corporate delivery and surveillance networks. (See my comments to see how that works.)

Rite Aid used facial recognition in cameras in stores serving poor customers

Rite Aid claims they’ve turned it off due to “industry conversation” about such technology. The tech is kinda useless when everyone is required to wear an airway restriction device over their face :)

In the hearts of New York and metro Los Angeles, Rite Aid deployed the technology in largely lower-income, non-white neighborhoods, according to a Reuters analysis. And for more than a year, the retailer used state-of-the-art facial recognition technology from a company with links to China and its authoritarian government.

Source: Rite Aid deployed facial recognition system in hundreds of U.S. stores

Twitter is garbage: “All your data is belong to us”, to paraphrase

Twitter’s oversight over the 1,500 workers who reset accounts, review user breaches and respond to potential content violations for the service’s 186 million daily users has been a source of recurring concern, the employees said. The breadth of personal data most of those workers could access is relatively limited — including such things as Internet Protocol addresses, email addresses and phone numbers — but it’s a starting point to snoop on or even hack an account, they said.

The controls were so porous that at one point in 2017 and 2018 some contractors made a kind of game out of creating bogus help-desk inquiries that allowed them to peek into celebrity accounts, including Beyonce’s, to track the stars’ personal data including their approximate locations gleaned from their devices’ IP addresses, two of the former employees said.

Source: Twitter Hack: Broad Access to User Accounts, Security Woes – Bloomberg

DJI’s Go 4 Android app found to have significant spyware capabilities, possibly unused

In my comments to the FAA regarding their NPRM to require mandatory Remote ID and data logging into cloud-based databases, I pointed out that the FAA was establishing a nationwide aerial surveillance network. This finding appears to validate my comments to the FAA:

According to the reports, the suspicious behaviors include:

  • The ability to download and install any application of the developers’ choice through either a self-update feature or a dedicated installer in a software development kit provided by China-based social media platform Weibo. Both features could download code outside of Play, in violation of Google’s terms.
  • A recently removed component that collected a wealth of phone data including IMEI, IMSI, carrier name, SIM serial number, SD card information, OS language, kernel version, screen size and brightness, wireless network name, address and MAC, and Bluetooth addresses. These details and more were sent to MobTech, maker of a software developer kit used until the most recent release of the app.
  • Automatic restarts whenever a user swiped the app to close it. The restarts cause the app to run in the background and continue to make network requests.
  • Advanced obfuscation techniques that make third-party analysis of the app time-consuming.

Source: Chinese-made drone app in Google Play spooks security researchers | Ars Technica

DJI admits the software has these capabilities with this double speak:

DJI officials said the researchers found “hypothetical vulnerabilities” and that neither report provided any evidence that they were ever exploited.

The FAA said they processed all 50,000+ public comments received regarding their NPRM on Remote ID in just 60 days and are now full speed ahead on implementing their final rule, to be released in December of 2020. My expectation is the FAA will ignore most public input and will ram this rule through at all costs, as they were bought off by AmazonGoogleUPS. While the rule will not ban drones, it is likely to make flying a personal drone expensive and difficult, with mandatory real time tracking and logging into cloud databases of every flight – in other words, a potentially de facto ban on most personal flying. Their proposed rules, in fact, do call for the eventual banning of all home made radio controlled airplanes – a large hobby that has existed safely for over 90 years.

The FAA, like most government agencies now, acts as an authoritarian tyrant.

China government found to use mandatory tax malware to spy on all companies

This tax-filing software is mandatory for all companies doing business in China:

Three weeks ago, security researchers exposed a sinister piece of malware lurking inside tax software that the Chinese government requires companies to install. Now there’s evidence that the high-stealth spy campaign was preceded by a separate piece of malware that employed equally sophisticated means to infect taxpayers in China.

Source: Malware stashed in China-mandated software is more extensive than thought | Ars Technica

I’ve been slow to be suspicious of China-based tech – but this report has pushed me to be very suspicious of China-made tech including all types of electronics, computers and drones.

Related: Should news media be actively promoting political actions?

At the bottom of the news report is a series of questions related to the article. The questions then ended with this item:

Teenage hackers took down Twitter

Several people involved in the events that took down Twitter this week spoke with The Times, giving the first account of what happened as a pursuit of Bitcoin spun out of control.

Source: Hackers Tell the Story of the Twitter Attack From the Inside – The New York Times

Twitter security is garbage. Yeah, teens took over Twitter.

Twitter is garbage and is not safe to use. Use TweetDelete.net to remove your posts, then de-activate your account.