Pardon the Intrusion #8: Location trackers

Subscribe to this bi-weekly newsletter here!

Welcome to the latest edition of Pardon the Intrusion, TNW’s bi-weekly newsletter in which we explore the wild world of security.

Owning a mobile phone today is an open invitation to be tracked by telecom firms and any company you grant permission to access your current whereabouts.

Granted, this has its advantages. Giving, say, Google Maps permissions to your location can help you quickly plot the route to your next destination, or find interesting sights and restaurants around you.

The <3 of EU tech

The latest rumblings from the EU tech scene, a story from our wise ol' founder Boris, and some questionable AI art. It's free, every week, in your inbox. Sign up now!

But just as with any piece of personal information, your aggregate location data can reveal a lot more about you. It can allow anyone with access to the data to chart your movements as you commute from home to work, and vice versa. It can also be used for targeting ads.

Look no further than this recent investigative report from the New York Times, which got hold of a massive cache of “more than 50 billion location pings from the phones of more than 12 million Americans as they moved through several major cities, including Washington, New York, San Francisco and Los Angeles.”

Only in this case, the data didn’t come from a carrier or a tech company, but from a location data broker that stealthily collects your “precise movements using software slipped into mobile phone apps.”

This has serious implications for our online privacy and security, especially in the aftermath of revelations that Facebook tracks your location even when you opt out of location tracking on your phones.

On one side are the convenient services offered by the apps by cataloging your every move. On the other side is privacy. It’s time to decide if the trade-offs are worth it.

***

Do you have a burning cybersecurity question, or a privacy problem you need help with? Drop them in an email to me, and I’ll discuss it in the next newsletter! Now, onto more security news.

What’s trending in security?

The global problem of ransomware went from bad to worse as Maastricht University, the US Coast Guard, and IT services provider Synoptek became the latest victims over the past few days. Even more worrisome is that the bad guys behind the Maze Ransomware have released 2GB of files that were allegedly stolen from the City of Pensacola during their ransomware attack.

Elsewhere, Twitter fixed two bugs in its Android app that could have allowed hackers to see users’ private account information and made it possible match 17 million phone numbers to user accounts. Ruckus patched multiple flaws in its routers that can be “exploited without needing a router’s password, and can be used to take complete control of affected routers from over the internet.”

Encrypted email service ProtonMail took aim at Google with an encrypted calendar. [ProtonMail]
Microsoft took control of 50 websites that were used by a North Korea-linked hacking group dubbed “Thallium” to carry out spear phishing attacks to trick its victims in the US, Japan, and South Korea to steal sensitive data. [Microsoft]
A Chinese state-sponsored hacking campaign called “Cloud Hopper” targeted at least a dozen cloud providers, once again highlighting the dangers of storing data with a third-party. The group behind the operation — APT10 — took detailed personnel records of more than 100,000 people from the US Navy. [The Wall Street Journal]
Smart home gadget company Wyze exposed personal data of over 2.4 million users via an unsecured database connected to an Elasticsearch server for over three weeks, from December 4 to December 26 last year. [12 Security / Wyze]
A Chinese state-backed hacking group, APT20, has been caught bypassing RSA SecureID based two-factor authentication. [ZDNet]
The South Korean government has green-lit plans to install over 3,000 AI-equipped security cameras in the Seocho District of Seoul that can measure the likelihood of crime by processing the location, time, and behavior patterns of passersby. [ZDNet]
Twitter banned animated PNG files after it posed a threat to “the safety of people with sensitivity to motion and flashing imagery, including those with epilepsy.” The Epilepsy Foundation had filed a criminal complaint with US law enforcement over attacks that used popular epilepsy-related hashtags to post seizure-inducing videos on the platform. [Twitter]
Healthcare startup Lyfebin exposed thousands of medical imaging files, including X-rays, MRI scans, and ultrasounds, in an unprotected Amazon Web Services (AWS) server without a password. [TechCrunch]

Motherboard put together a list of cybersecurity stories it wished it had broken. [Motherboard]
A popular Emirati messaging app, ToTok, was found to be a spying tool meant to “track every conversation, movement, relationship, appointment, sound and image” of those who installed it. [The Next Web via The New York Times / Patrick Wardle]
Russia almost managed to hack the 2016 US elections by sending phishing emails to VR Systems, a prominent provider of election technology. Here’s how. [Politico]
There were almost too many data breaches to count in 2019. Here’s a handy list. [CNET]
The UK government apologized after it accidentally published addresses of more than 1,000 New Year Honor recipients online. [BBC]
Security flaws in GPS-enabled smartwatches made by Thinkrace allow cyberbaddies to gain access and track the devices, including children’s voice recordings. [TechCrunch]

Amazon-owned Ring just can’t seem to catch a break. Buzzfeed and TechCrunch obtained a dataset of 4,500 Ring customers’ data, including email addresses, passwords, and the timezone and approximate location of the device. Ring blamed users for not enabling two-factor authentication. [Buzzfeed / TechCrunch]
A deep-dive into the work of Daniel Kaye, also known as ‘Spdrman,’ who took down Liberia’s internet using the Mirai botnet to overload the country’s internet with junk traffic. [Bloomberg]
Wawa restaurants were hit by credit card stealing-malware between March and December 2019. [Wawa]
Newly discovered vulnerabilities in Google Chrome, called “Magellan 2.0,” could allow attackers to run malicious code in the browser. [ZDNet]
Hackers are now breaking into WordPress websites to inject links in articles and manipulate search engine results. [Buzzfeed]

Data Point

Verizon’s 2019 Data Breach Investigations Report — built on an analysis of 41,686 security incidents, of which 2,013 were confirmed data breaches — reveals that nearly 32% of all breaches involved the use of phishing attacks, with at least 29% of the incidents happening through use of stolen credentials. Perhaps not so surprisingly, 71% of breaches were financially motivated.

Takeaway: The fact that financial gain is still the most common motive behind data breaches is not unexpected. But social engineering attacks on mobile devices are a cause for concern. The limitations of the screen size, coupled with having to toggle between apps and pages, makes it hard for users to check the authenticity of emails and links. “The confluence of design and how users interact with mobile devices make it easier for users to make snap, often uninformed decisions—which significantly increases their susceptibility to social attacks on mobile devices.”

Tweet of the week

What’s the most psycho thing you did in 2019? I’ll go first! I stalked Colton’s Venmo friends to see who he picked and then I knew who won the Bachelor months before anyone else did.

— maybe: clare (@clur19) December 27, 2019