aRTy News Podcast for January 13, 2019
Welcome to the January 13th, 2019 episode of the aRTy News podcast, brought to you by Raymond Tec. For those of you listening for the first time, I scour the web every week and curate the articles, tweets, and backchannel sources to provide you, the non-nerd, a concise tech news summary where I answer the question, “Why does this matter to me?”
Like usual, I’ll be starting off with the scary stuff, the data breaches, privacy concerns, and security threats and ending the episode with the good stuff. Because, who doesn’t like to feel all warm and fuzzy?
Let’s rip that band aid off.
First up in data breaches, a report from ThreatPost.com that Australia’s Early Warning Network was hacked last weekend. The attackers used quote, “illicitly gained credentials,” end quote to send out a spam-notification via email, text, and landline phone call. According to the Early Warning Network’s administration no one’s details were revealed in the breach. It is noted in the article that administrators of Early Warning systems like these are more concerned with reliability and redundancy than security. This is the most important point in the article, because these are often government run or government sponsored systems that have access to many points of contact.
Next, we have a report from DarkReading.com that social sharing site Reddit has had potential account breaches. The company has locked out some user accounts and required password changes on others. There isn’t any info what may have been done with the compromised accounts, but a blog post by Reddit employee, Sporkicide, indicated that easily guessed passwords were to blame. The blog went on to recommend using secure passwords and enabling two factor authentication where available.
A report from BleepingComputer.com has revealed that kitchen utensils manufacturer OXO had a data breach that has spanned two years. According to the report personally identifiable information and payment information was stolen. Bleeping Computer attributes this breach to a MageCart attack. The most widely publicized MageCart attacks were Ticketmaster and British Airways. Basically, MageCart is a program that sits on a company’s webserver and logs everything you type into their ecommerce forms, including credit card numbers. There are two main ways to protect against these types of attacks. Avoid smaller sites and use a browser plugin like NoScript. NoScript will block any program or script from an untrusted source. It’s available for Firefox, Chrome, and Opera web browsers on PC, Mac, and Linux. It doesn’t appear to be available for mobile devices.
That’s it for reported breaches and exposures this week, but I’d like to take a couple of minutes to follow up with some updates on previously reported breaches.
The first is a report on findings from a SingHealth breach in 2017 which exposed data on about 1.5 million patients. SingHealth is a large healthcare provider in Singapore. The report raises issues with a wide variety of weaknesses ranging from misconfigurations and coding vulnerabilities to untrained staff and flawed incident response. The link in the show notes provides general tips on how healthcare organizations worldwide could improve their cyber security. Even if you’re not in the healthcare field, it’s still worth perusing.
The second report is from health insurance company Humana. Bankers Life, an insurance company that works with Humana, reported a breach which allowed attackers to gain access to Humana’s systems and expose customer information, including birthdates, addresses, the last four digits of their social security numbers, and insurance-related data. No payment or medical records appear to have been accessible. The attacker or attackers had access to the system for nearly four months. Bankers Life is offering a free year of identity repair and credit monitoring services. Additionally, they’re going to provide training to their employees in cybersecurity methods. This further highlights the fact that cybersecurity is everyone’s responsibility.
I reported last week on the breach of Town of Salem, a popular online game by BlankMediaGames. This week a new report was released that 27%, or about 2.1 million, passwords from the 7.6 million accounts have already been cracked. This is indicative of simple and easily guessable passwords.
Retailer Neiman Marcus has reached a settlement with 43 states over its 2013 data breach. Apparently, the company was moving customer credit card information in plain text. That is to say, with no encryption. The attackers were able to get that information by remotely installing software on the store’s credit card readers and skimming the cards as they were swiped. Typically, when we talk about credit card skimming, it’s in reference to a physical device installed on a credit card reader. This was a much more technical breach than that. These sorts of situations are difficult to detect and protect against, but they have been mitigated by the adoption of EMV, or chip cards.
Finally, in data breaches, a hacker’s bragging got him caught in the data breach of 1,000 German politicians. The lone 20-year-old confessed to revealing personal details including private mobile phone numbers, children’s pictures, and chat discussions. But that’s not the end of the story according to a professor of Computer Science at the University of Surrey. Alan Woodward says, quote, “My concern is that the less informed will use such examples to downplay the threat from organized crime gangs and nation-states,” end quote. He elaborates further, stating that the stereotype of a hoodie-wearing youth in his parents’ basement is the outlier, not the norm, when it comes to cybersecurity risks. While you, personally, may not be at risk of being attacked by government-sponsored hackers, the accounts you use at work or for banking may be. It’s important for everyone to remain vigilant about their cybersecurity practices.
With data breaches finally over, let’s move on to Privacy Concerns.
The partial US government shutdown has found another unintended victim: website security. When users visit US DOJ dot gov, they get a warning that the website is insecure. That little green padlock next to a website’s name in your browser is your measure of privacy and security. Well, those little green padlocks require human intervention to make sure they stay locked. Unfortunately, the people who do that for many federal websites aren’t doing it, because of the partisan bickering causing this shutdown.
An established cyber criminal gang, TA505, has moved from their established ransomware tactics into Remote Access Trojans. This shift in technique indicates an increased level of sophistication by the organization. Ransomware exploits are often one-time cash grabs, whereas these remote access trojans allow TA505 to expand their nefarious tentacles into more than just the small handful of infected systems. Their infection technique is pretty simple. They send out tens of thousands of phishing emails with documents attached, usually related to a banking transfer. Once opened, the documents execute code that grants TA505 access to the infected system. This access allows them to read data on your system, and even remotely control it. The bottom line is simple: if you aren’t expecting an email with an attachment, don’t open it.
An article from ZDNet reveals that a Dutch researcher has identified a new possibility for Google Search results to be manipulated for nefarious purposes. The boxes that pop up at the top of search results when you search for a specific person, place, or thing are called Knowledge Panels. For instance, if you type Steve Jobs into a Google Search, a results box filled with information from Wikipedia shows up as the top result on mobile.
Here’s how the manipulation is done. By adding what are called arguments to the end of the search string in the location bar, you can make that panel show full screen. Now, if I want to manipulate someone into believing that George W. Bush is responsible for 9/11, I just add the argument to the end of the search string, Who’s responsible for 9/11? The original article was published on January 9 and it would appear that Google has already updated their search engine to recognize when a Knowledge Panel has been attached to a search that isn’t relevant.
Good job, Google, but I’ll be sticking with DuckDuckGo.
Kevin Mitnick, world-renowned hacker turned security professional, revealed a new phishing scam that can, potentially, hijack accounts protected with two factor authentication. These phishing emails look like legitimate correspondence from a company asking a user to click on a link. The link directs the user to the actual site, but routes the connection through the attacker’s own server. This allows the attacker to confiscate a file known as a session cookie. This session cookie is how the website knows it’s you communicating with it. With the stolen session cookie in hand, the attacker can access whatever account you just logged into, without having to steal your password or access your phone to get the two-factor authentication code. The best way to prevent these kinds of attacks is to avoid clicking on links you aren’t expecting.
Finally, another phishing PSA, related to your tax return. Scammers will target corporations large and small this time of year with W2 based phishing scams, because they’re lucrative and simple. The most common method is sending an email, complete with a spoofed internal email address, demanding that W2s for an employee or employees be sent via email immediately. Once sent, these W2s provide a scammer everything they need to file a tax return and reap the refund rewards. As it stands right now, the IRS doesn’t inform you if your tax return has been filed, so the best thing to do is check that your return hasn’t already been filed and file it early to cut down on the amount of time scammers have to access your money.
Now we move from chaotic evil towards chaotic neutral, it’s time for the other news.
It’s difficult to protect ourselves in an always-on, always-connected world, especially when the companies we pay and trust to provide us service are selling our data. I haven’t seen much coverage of this in the mainstream media this week, but it’s been all over the backchannels and privacy non-profit websites.
A reporter at Motherboard, a Vice news site specializing in technology, paid a bounty hunter $300 to track and find a phone number. This bounty hunter made a phone call to a contact who then provided a screenshot of a Google Map with a blue circle. The blue circle was the location, accurate to within a few hundred yards, of the phone.
Through a series of middlemen, companies like Securus and Microbilt are selling phone location data to anyone who wants it, directly sourced from the telephone companies themselves. Motherboard’s article confirmed at least three of the big four mobile phone providers are participating in this program, including T-Mobile, Sprint, and AT&T.
Under the guise of providing a more effective and efficient system for debt collectors, Microbilt has created a service that allows companies to track down people who don’t pay their debts. Unfortunately, some of the unscrupulous middlemen offer to use their Microbilt skip tracing accounts to locate anyone you want, for a price.
But the bigger issue here isn’t so much Microbilt or this unscrupulous practice, but the fact that the major Telcos have been caught and pledged to stop before. Since Motherboard’s revelation this week, AT&T and T-Mobile have agreed to cut off all private industry access to location data. This still allows law enforcement to submit requests for this data.
AT&T and other companies have stated that they require consent from the phone’s user before this location data is accessed, usually in the form of a text message. Sadly, this is far from reality. At this point, for those of us in the US, the only way to fight back against these kinds of tracking threats is to urge your congressional representatives to pass legislation mandating privacy. I have several links for more information about these practices in the show notes. Be sure to check it out, if you value your privacy.
An article from 9to5 Google this week revealed that Ring, an Amazon subsidiary that manufactures video doorbells, allowed an unnecessary number of their employees access to customers’ video feeds. An internal tool for allowing tech support to access the stream of video coming from their video doorbell products was accessible by employees who never had a need to use the tool.
Besides this invasion of privacy, Ring research and development employees had access to a folder that contained every video created by every Ring camera with a database that linked each video to each customer. Even worse, these videos were stored unencrypted because, basically, it would take too long to have to decrypt them when the R&D team wanted to view one. I assume this access is for further improving the product and making new offerings, but it’s still a little frightening.
Plain and simple from a privacy and security standpoint, videos should never leave the devices you authorize without your express knowledge and consent on a file-by-file basis. Meaning, if you have an issue, that’s when the data gets released and only when you acknowledge and agree to it.
Finally, in Privacy Concerns, another reminder that the internet is forever. Google has won an interim victory in the European Union Court of Justice, or ECJ. Way back in 2014, the ECJ ruled that individuals have a right to require Google to remove sensitive information from search results. It’s known as the right to be forgotten. Since this is the EU Court of Justice, Google assumed it could just block the search results in the 27-member nations of the EU, and nowhere else. Google soon found themselves back in court.
Long story short, Google’s appeal, that the EU and its member nations don’t have jurisdiction outside their physical borders, stands. Google can continue displaying unwanted or defamatory search results about individuals outside the EU.
Let’s move on to Security Threats.
The healthcare industry is a huge and growing market that draws many big-name tech players. An article from Jo Best at ZDNet this week put together the puzzle pieces of Amazon’s move into the healthcare market. Amazon has several irons in the healthcare fire. They have dedicated Healthcare and Life Sciences units within their Amazon Web Services division. They also offer their Comprehend service, which uses artificial intelligence and machine learning to read medical records, x-rays, and MRIs to free up physicians’ time. Recently, Amazon bought a company called PillPack, which will act like Amazon Prime for prescriptions.
Amazon has also formed two new joint ventures revolving around healthcare. One with Arcadia Group, bringing consumer medical devices to market, like blood pressure monitors. The other joint venture was formed with Berkshire Hathaway and JP Morgan Chase to bring quote, “simplified, high-quality, and transparent healthcare at a reasonable cost,” end quote. Industry analysts don’t believe that Amazon is going to stop at just offering healthcare for employees of the three companies, though.
While a monopoly on healthcare is scary, all of this adds up to a vertical integration of many different parts of a healthcare chain that is rife with middlemen pulling down massive profits at the expense of the sick.
In further news about Amazon making moves in previously untouched industries, an article from CNET this week revealed the tech giant is building its own game streaming service. Long gone are the days of going into an Electronics Boutique to purchase a floppy disk or Nintendo cartridge. Amazon’s proposed service would forgo the need to buy expensive PCs or consoles, by running the game in data centers and streaming it over the internet to connected devices.
There are a lot of myths surrounding technology, and many of them have a kernel of truth. An article from CNET this week helped to expose and debunk some of these myths. Here are a few examples: You can’t charge your phone by microwaving it. Macs can get viruses. Airport x-ray machines cannot wipe the memory of a phone or laptop. And, contrary to my own belief, using a bag of rice isn’t the most effective method for drying out waterlogged devices. The show notes have a link to the myth article and a helpful article about how to properly dry your phone.
Google’s board of directors, including co-founders Larry Page and Sergey Brin, are embroiled in two more lawsuits this week relating to sexual misconduct claims. Both lawsuits claim shareholders should be compensated for losses relating to share prices dropping after it was announced that Google executives received multi-million dollar exit packages. These packages were negotiated after the executives in question were found guilty by an internal review of sexual misconduct. The second lawsuit, filed Thursday, is based on information obtained from board meeting minutes in 2014 and 2016 and is heavily redacted at the demand of Google’s legal counsel. This suit is also seeking significant changes to Google’s corporate governance and stock structure, as well as demanding that Rubin and other dismissed executives return their severance payments.
German automotive firm Continental has established itself as a reputable tire manufacturer, but at this year’s Consumer Electronics Show, the company is showing off its package delivery robots that look an awful lot like dogs. While this is just a PR stunt, the article linked in the show notes is worth a read just to see where robotics will be heading.
In a bizarre turn of events, court documents disclosed that Russian cyber security software manufacturer Kaspersky Labs was the whistleblower that assisted the NSA in naming and arresting a data thief. Harold Martin, the data thief in question, was arrested in August 2016 after he sent several terabytes of information to a hacker group called Shadow Brokers. For a little over a year, the US Department of Homeland Security has been waging a media campaign against the Moscow-based antivirus firm. The US government banned Kaspersky antivirus as a vendor from all federal systems as a result of this campaign.
You can exhale that bated breath; it’s time for the good news!
The Good News
On display at CES in Las Vegas this week is a new bed inspired by the gentle rocking of a cruise ship. The bed promotes slumber by unplugging you from our over-connected world. There’s no app or phone connection, just a simple timer that gently decreases the rocking motion as you drift off to dreamland.
Good news for gamers this week. Two games are available for free for a limited time. The first is available on Steam for free until Monday, January 14th. A Story About My Uncle is a first-person adventure game about finding your lost uncle. The second is What Remains of Edith Finch, an adventure game exploring a family’s history.
The Internet Movie Database, better known as IMDb, an Amazon subsidiary, has launched a free streaming service called Freedive this week. It offers ad-supported TV shows and movies. Currently the service is available via phones, tablets, computers, and Amazon Fire TV devices. No word on when or if there will be a Roku or Chromecast version.
In partnership with Samsung, T-Mobile has announced a new feature called Caller Verified. Currently only available on Samsung Galaxy Note 9, the service is T-Mobile’s way of fighting back against the increasing onslaught of spam calls. The feature puts a “Call Verified” icon on the phone screen when a call comes in. Since T-Mobile is the first to adopt this technology, only calls from other T-Mobile customers will have the verified badge. Even though it’s only a narrow margin of cellphone users, this feels like a step in the right direction to combat unwanted phone calls.
In automotive news out of CES, Nissan has unveiled its new Leaf E Plus. The all-electric vehicle is finally pulling up neck and neck with the competition. Increases of 67 horsepower and 14 pound-feet of torque are exciting, but the most important number, the range, is now 226 miles. Pricing will be available when this new Leaf model goes on sale this spring.
Hearing-impaired drivers can rejoice at new technology debuted by Hyundai this week. Two systems were debuted which will allow vehicles to intelligently identify sound and communicate it to drivers. The first, called Audio-Visual Conversion, changes sounds into visual warnings that appear in a heads-up display. The second, called Audio-Tactile Conversion, makes the steering wheel vibrate in response to environmental sounds like emergency vehicles and horns. There’s a video of a hearing-impaired taxi driver in the show notes, demonstrating the new systems.
In our final article in Good News, researchers at the University of Washington have created a smartphone app which may help to reduce deaths in the opioid epidemic. The app, called Second Chance, is still in the trial stages, but the team has reported great successes during testing at a safe injection site in Vancouver. Using the phone’s microphone and speaker together to create a sonar listening device, the app can detect breathing and correctly identify the apnea that overtakes a person as they are spiraling towards overdose about 90% of the time. Upon identification of reduced breathing, the app alerted staff members at the safe injection site. Eventually, the research team plans to integrate the app with 911 emergency services.
A fine example of technology throwing light into the darkness.
There’s that warm and fuzzy feeling; like a blanket and a puppy on a rainy afternoon.
If you’ve enjoyed the podcast, please subscribe, rate, and review on iTunes, Google Play, Spotify, Stitcher Radio, or TuneIn. The more buttons you press on those sites, the easier it is for other people to find us. Also, be sure to follow us on Facebook and Twitter at Raymond Tec IT for tech news updates that matter to you.
Make sure you log on to Raymond Tec dot com and check the show notes, as there are a couple of bonus links to check out for further reading. I know I mention this every week, but now I’ve made it easier to find. This week I rolled out my link shortener, now you can go raytec.co slash listen for the latest episode and show notes. That’s r-a-y-t-e-c dot c-o slash listen. Cooler than that, I’ve made following me on social media even easier. Simply visit raytec.co slash Facebook and slash Twitter.
Thanks for listening and have a great week!