Raymond Tec News for February 24, 2019
Welcome to the February 24th, 2019 episode of the Raymond Tec News podcast. I feel it’s important for everyone to be informed about technology because it touches every part of our lives. To do this, I scour the web and curate the articles, tweets, and backchannel sources to provide a concise summary of the bullet points and takeaways while removing as much of the technical jargon as I can.
Each episode starts with the stuff to keep you up at night; data breaches, privacy concerns, and security threats. To balance out the negative I end each episode with a series of stories designed to restore your faith in technology, and, maybe, humanity.
Let’s dive in to data breaches.
First up, I wanted to do an update on the breach of the law firms and insurance companies that were involved in the aftermath of the September 11th terror attacks. The breach was committed by a hacker group called The Dark Overlord and they’ve been hinting that they will continue to release documents that confirm conspiracy theories unless their ransom demands are met by the firms. Thus far the info that’s been released hasn’t lived up to the group’s hype and has even dispelled the theory that Silverstein Properties, the owners of the World Trade Center, made money on the terror attack.
Fast food giant, Wendy’s, has reached a fifty-million-dollar settlement with banks after breaches in 2015 and 2016 saw 18 million user’s data stolen. The breach was a result of hackers infecting credit card machines with malware.
North Country Business Products, a provider of point-of-sale and network services, has reported a data breach from last month affecting 120 of its restaurant customers in the Midwest and Western US. Details were scant as North Country is still notifying its customers.
University of Washington Medicine revealed a data breach this week, when it announced it had misconfigured a server leaving nearly one million patient records exposed for public viewing. The leak was discovered when a patient googled their name and found a file containing their data.
Memorial Hospital in Gulfport, Mississippi lost data of 30,000 patients after a successful phishing attack on an employee in December 2018. Some of the patients had their social security numbers stolen; those patients will receive a year of free identity theft monitoring services.
Hampton Roads Community Health Center in Portsmouth, Virginia was also breached in December 2018. No information about the number of patients affected in this breach. The FBI are involved in the on-going investigation.
The group behind the 9/11 hacks, known as The Dark Overlord, breached the network of Dr. Robert Spies, an Arizona plastic surgeon. More than fifty-five hundred patients were affected after the doctor refused to pay the ransom demand.
CHI Health, a Nebraska healthcare provider, were breached when a third-party vendor brought in a device infected with malware. There was no data exfiltrated from the facilities according to hospital officials.
Florida healthcare provider, AdventHealth, discovered a breach on December 27, 2018 that had been undetected since August 2017. Data of 42,000 patients were exposed. All patients will receive a year of free identity monitoring.
Toyota’s Australian subsidiary was attacked this week by cyber criminals causing a shutdown of all IT systems. The company is reporting that no employee or customer data was lost in the breach, but the investigation is still on-going.
While we’re down under, Australia has revealed more details of their investigation into the hack on Parliament a couple of weeks ago. With help from the Canadian Communications Security Establishment, an agency of the Canadian government, Australia has determined it was a sophisticated state actor, but stopped short of naming the country.
I was unfamiliar with anything about this story until this week, but apparently, India has a very detailed record keeping and biometric identification system in place that started in 2009. It’s called Aadhaar. At its core it’s a 12-digit number that acknowledges residency, but not citizenship, and is supposed to allow better distribution of services by the government. India’s state-owned gas company, Indane, exposed part of its website revealing the Aadhaar numbers, names and addresses of millions of customers. The exposure was discovered by French security researcher Baptiste Robert who is known online as Elliot Alderson. This is the second exposure in a year for the government-owned gas supplier.
Back for the third week in a row, the hacker behind the collection 1-5 breaches has released another 620 million records up for sale. This time records from lesser known but still heavily used sites like Gfycat, piZap, and Classpass, among others, have been breached. These sorts of breaches are most dangerous for people who reuse passwords.
Of course, you don’t have to worry about changing passwords, because you don’t recycle your passwords, do you? Well, if you do, I’d recommend you break that habit by using a password manager. I use LastPass.
The LastPass password manager works on your computers, phones, and tablets. It randomly generates passwords for you each time you create an account, plus for many sites, it will automatically change passwords for you during installation.
It’s simple and makes your online life more secure. Learn more about LastPass by visiting my affiliate link at Raytec dot co slash LastPass. That’s r-a-y-t-e-c dot c-o slash l-a-s-t-p-a-s-s. If you purchase a subscription using my affiliate link, I will receive compensation for it. But, if I didn’t use it, I wouldn’t recommend it.
Moving on to privacy news.
A couple of weeks ago I reported about how Apple had pulled Facebook’s ability to publish an app that was paying people, as young as 13, to share all their personal data, including private text messages, emails, and location data. Facebook has stepped up and agreed to voluntarily remove this same app from the Google Play store. In case you’re curious, the app is called Onavo, O-N-A-V-O, and is purportedly a VPN app.
Facebook is accused of improperly handling medical data in a complaint filed with the FTC. According to the complaint, Facebook pushed its Groups functionality suggesting that users share personal health information, or PHI, then didn’t store it properly or notify users that the groups weren’t completely sealed from public view.
Unfortunately, Facebook’s mishandling of PHI doesn’t end there. They have been inadvertently collecting data from nearly a dozen third-party apps and storing it on their servers without user’s knowledge. These apps use Facebook’s software development kit, or SDK, allowing people to log in using their Facebook ID. The SDK also allows developers to see how people are using their apps by allowing Facebook to collect and store their data. Some of the affected apps track heartbeats, blood pressure, menstrual cycles, and pregnancy statuses. Technically, this one isn’t all Facebook’s fault, much of blame lays with the app developers themselves.
In more Facebook news, the company says it will soon be releasing a patch for the iOS version of WhatsApp that will fix a bug allowing Face ID and Touch ID to be bypassed. Simply put, there’s a way for people to read WhatsApp messages on iOS devices without having to use Touch ID or Face ID, which is a problem for a secure messaging app.
Apple’s app store is known for being safe. Apple checks each app before it’s uploaded and made available to the general public. Unfortunately, it appears there’s another app store called TutuApp that peddles pirated apps that is easy to load onto your phone, but very dangerous. Avoid installing non-Apple app stores, because these stores are given access to all your data on your phone and are likely designed and marketed by Chinese developers.
Important elections are coming up in Australia, Canada, the UK, and the EU over the course of the next 20 months and many organizations are on high alert. To combat misinformation, Twitter is extending political ad protections to its European Union customers, providing more transparency about where ads are coming from. And Microsoft is warning that Russian hackers are attempting to influence EU elections through direct attacks on political groups as well as NGOs, non-profits, and integrity monitoring groups.
According to a report from Bleeping Computer, Microsoft has been allowing certain websites to play Adobe Flash content without getting user permission in its Edge web browser. Explicitly allowing a website to do something that isn’t generally considered safe is known as whitelisting. Unfortunately, Flash is a security risk that shouldn’t be run from any website. Microsoft acknowledged the issue and patched it this month, but intentionally left Facebook on the whitelist.
Verizon has requested the Federal Communications Commission grant them permission to lock down new phones for 60 days to reduce identity theft. Identity thieves are purchasing new phones on customer accounts then selling them on the black market. The lock would prevent swapping SIM cards.
California is working on a bill to close a loop hole in data breach reporting laws. The bill is a response to the Marriott hack, where as many as 25 million passport numbers were stolen. Currently, companies aren’t required to report whether passport numbers were stolen in a data breach, just that personal information was lost.
Facebook’s app for Android got an update on Wednesday. Before this update, if you had Location History turned on in your phone Facebook could track your location even while you weren’t using the app. There are detailed instructions in the link to the Wired article in the show notes.
Things only get worse for Google from here this week. Google rolled out a new feature for its Nest home security alarm system combining it with their Google Assistant. Unfortunately, Google never told the general public that there was a hidden, secret microphone in the alarm system.
Finally, in privacy news, a scandal has engulfed Google’s subsidiary YouTube this week after Matt Watson, a YouTube creator, has revealed the existence of a thinly veiled child predator ring. These predators are finding videos of preteens and commenting on them, directing others to parts of the videos that may be arousing to pedophiles. Unfortunately for YouTube, once their suggestion algorithm detects that you’re looking at videos that have what may be considered racy content, it finds other videos with similar comments and recommends them. So, even if you start by looking at swimsuit-clad adults you’re quickly pushed into the rabbit hole that reveals these predators.
Big name advertisers have pulled their support from the platform, including AT&T, Disney, Nestle, and Hasbro. YouTube’s response has been to push some of the responsibility onto creators by requiring them to monitor comment sections, announcing that it has been proactively hiring social workers, child development specialists, and people formerly in law enforcement, and removing channels run by children under the age of 13. YouTube has also begun evaluating how to change its recommendation algorithm to eliminate this issue and the issue of recommending conspiracy theories.
Let’s move on to security news.
Adobe has released two patches for two different products this week. One is for Adobe Reader, the second in as many weeks, which allowed attackers to gain remote access to systems. The other for Adobe Premiere Pro which addressed an issue on MacBook Pros that could physically damage the speakers.
Windows compression software, WinRAR, has released a patch this week fixing a 19-year-old security flaw that affects millions of users. The software allows users to package and decrease the size of files and was a go-to solution for more than a decade for Microsoft Windows users.
Known as DrainerBot, a recently discovered ad-based malware, is affecting millions of Android users. The malware is disguised as ad software for app developers to make money from their creations. What it does is download videos to your phone or tablet, never display them, then reap the income from the advertiser. It’s known as DrainerBot, because it uses up to 10 gigabytes of data per month and drains your battery life. If you’ve used a lot of data or your phone has been dying rapidly, check your battery usage and data usage in settings to see which apps are causing the drain and uninstall them immediately.
A recent spate of phishing scams have targeted Polish banking customers. These scams look legitimate, requesting users log into the bank to verify transactions, but direct to a fake page with a fake Google ReCAPTCHA verification. ReCAPTCHA is that annoying ‘pick the images that have crosswalks’ thing you sometimes have to do to get access to things. If you pass the test, you’re then redirected to download a zip file that contains malware or, if you’re running Android, asked to install a malware app. Even though the scope is limited to Poland for now, there’s a good chance this technique will expand.
A growing spear phishing campaign has been spotted on LinkedIn. Spear phishing is a more targeted version of phishing, where the scammer does more research to make you click links or download software that could be harmful. In this case, the scammer opens a dialog, builds some rapport, then directs you to a website with malware or sends you an email with malware attached. There’s lots of details in the link in the show notes.
Facebook has made two positive security moves this week. It has fixed a flaw which could have allowed an attacker to hijack accounts very easily. It has also suspended 3 popular video pages linked to the Russian government that targeted millennials with propaganda.
Crowdstrike, an American cybersecurity firm, has released its annual global threat report in which it shows how quickly defenders must move to stop cyber-attacks. The report states that Russian hackers take an average of 19 minutes to completely breach a system after finding flaws.
In a move everyone in the information security industry saw coming, the deterioration of relations between the US, Iran, and China has caused a massive expansion in the number and scope of cyber-attacks.
You may have seen a helpful tip that’s making the rounds on Facebook recently, but, be warned, it’s not foolproof. The tip suggests that you can use your phone to see if a credit card reader has a Bluetooth skimmer built into it. Some skimmers may use Bluetooth, but most won’t. Bluetooth has severe limitations, including a very short range that would make it less likely to be usable for scammers.
Finally, in security news, a new study was released this week showing vulnerabilities in popular password managers. 1Password, Dashlane, KeePass, and LastPass were tested for potential vulnerabilities and all came up lacking. But the test required that an attacker have physical access to your computer and have full administrator privileges on the machine. If an attacker was sitting in front of your computer, they could use a special program to scan the memory and see what information was left behind by the password manager, including unencrypted passwords. For all this to happen the computer couldn’t have been shut down, you would have had to recently have used your password manager, and the attacker would have to have full control over the system. If all these criteria were met, the attacker would likely already have access to other sensitive information making the time-consuming process of recovering your passwords from memory a waste of their time.
While the risk is real, it’s still in your best interest to use a password manager because there is a much greater likelihood of your password being stolen from a data breach on a website than it is likely that Russia will send a hacker into your home or office to gain physical access to your computer. For a more technical look, and responses from the companies, check out the ZDNet article in the show notes.
Let’s move on to other news.
If you needed any more reason to dislike Facebook and other social media, a new study released in the Journal of Behavioral Addictions reports that drug users showed similar results to in the decision-making test used in the study as those who spent more time on social media. This means people who spend a lot of time on social media have a greater likelihood of making a higher risk decision than not.
Apple has announced that it will partner with Goldman Sachs to release a credit card this year. But Apple failed to announce that one of the bugs it fixed in its 12.1.4 iOS update two weeks ago was an exploit that has been used by malicious hackers to gain control over devices.
Huawei has remained all over my news feeds this week. The UK has stated it believes the risk of using Huawei equipment is manageable, despite warnings from the US government. The company’s founder has gone on the record condemning the US’s actions and stating explicating that there was no way the US could crush them. And, finally, there’ve been multiple reports that Huawei has allegedly attempted to steal Apple’s trade secrets.
NASA has announced it is close to finalizing a traffic control system for drones.
The MLB has announced a technology crackdown to prevent teams from intercepting the coded signals catchers send to pitchers during games. The technology crackdown includes outfield cameras and smartwatches and fitness bands. I’d love to hear more on how they used Fitbits to steal signs.
More talk about algorithms. Instagram and Pinterest are being called to task for exacerbating a mental health crisis among teens. After the suicide of 14-year-old Molly Russell in the UK, her father discovered Pinterest was sending her emails recommending images of self-harm. Because the teen had been seeking out these types of images, Pinterest’s algorithm continued recommending similarly tagged photos, in theory, normalizing the behavior. Facebook’s search also made headlines when a Belgian security researcher stumbled on a quote, “sexist search bug,” end quote. When he searched for photos of my female friends, he got back lots of images. But when he searched for photos of my male friends, he got nothing along with a suggestion that he meant female friends. In reality, this is more of a reflection on users than on Facebook, because the search system simply takes common searches and recommends them when it sees something similar.
Leviton, the electrical wiring manufacturer, has unveiled designs for a new cloud-connected breaker box that will allow you to control individual circuits from your smart phone. Details were scant about pricing or built-in security features. I would wait a couple of generations before I’d invest in one.
Piëch Automotive, founded by Anton Piëch, great grandson of Ferdinand Porsche and son of the former chairman of Volkswagen has started a new car company that will unveil its first full electric vehicle at the Geneva Motor show this year. Details and pictures of the car are linked in the show notes.
Lucid Motors, an Electric Vehicle start up funded by Saudi Arabian investment may debut its SUV this year.
Chevy has added find my car functionality to its myChevrolet phone app. No word on whether Aston Kutcher or Seann William Scott will be starring in advertisements for the app.
In a moment that has everyone in the IT world smacking their foreheads, President Trump, as you heard at the top of the episode, tweeted out a demand that 5G be rolled out immediately and, in the same tweet he also demanded that 6G be rolled out too. 5G is nowhere near ready for mass rollout, Verizon is the first to announce that it will be bringing the new standard to 30 cities in late 2019. But, 6G isn’t a thing.
For the second time in two weeks, President Trump has suggested a policy that may improve the digital lives of all Americans. He has proposed a high-level policy statement using four pillars. The first pillar, protecting and securing, will unify and secure federal and state government networks. The second pillar, focus on American prosperity, is designed to reward those who create, adopt, and push forward innovative online security processes. The third pillar, peace through strength, focuses on positioning the US to strike back against both cybercriminals and nation state actors who threaten to destabilize the country or the world via cybercrime or cyber warfare. It also includes the creation of an international legal framework to help make international cyber investigations more fruitful. The fourth pillar, advancing American influence, is designed to collaborate with international partners to create and preserve a secure, free internet. Details of how all of this will be accomplished are non-existent. The framework the President has built could be great or it could be terrible. The future is unknown.
After backlash from the developer community, Google has announced that it will no longer be crippling Chrome by removing the ability to block ads.
New research from Texas Tech University blames YouTube for the rise of Flat Earthers. The research suggests nearly all people who believe in the conspiracy theory got their start on YouTube.
Last week I had mentioned that Google and Facebook were being besieged by demands to curb anti-vaxxers. This week, YouTube has responded by demonetizing anti-vax conspiracy videos, making the spread of these lies unprofitable.
NextTech AR Solutions, a Toronto-based company is bringing its technology to the digital dressing room. The augmented reality software will allow users to virtually try on fashion accessories like sunglasses and jewelry.
Metronaut is a new app that will allow classical musicians to play along with a professional orchestra. More than just an app that plays music, it uses your smartphone’s microphone to adjust tempo. And each arrangement is recorded in studio. The app has about 160,000 downloads so far.
Netflix has announced the cancellation of its last two Marvel shows, Jessica Jones and The Punisher, as well as original series Friends from College. Netflix also announced new Arrested Development shows launching March 15th.
Amazon has also announced that it will end its hit series the Man in the High Castle, with the soon-to-be-released Season 4.
That’s finally it for other news. We can finally move onto the stuff that reduces my anxiety.
A group of more than 100 Microsoft employees have sent a letter to its CEO and President criticizing the company’s involvement and demanding it withdraw from a military contract for its HoloLens augmented reality technology. I classified this as good news, because regardless of how you feel about the US military, it’s important that everyone be given a voice.
I have a nice group of articles here that may help ease the bad taste Google left in your mouth with all the negative news earlier.
First up, Google has announced that Google Maps will being listing places where people can safely dispose of unused medication in an effort to fight the opioid epidemic. Google partnered with state governments and the Drug Enforcement Agency to create the listing of 35,000 sites.
Google released a 30-page document during the Munich Security Conference this week outlining how it will fight misinformation in the forthcoming elections. In the outline it discusses how its algorithms don’t reflect ideological views of content creators or auditors. It has discussed how its 20 years of experience fighting spam will be used to deter fake news makers. It also mentioned how it has already partnered with fact checking networks and launched the 300 million-dollar Google News Initiative.
Finally, for Google good news, it will be ending its forced arbitration policy for all employees after its workers staged walk outs in the wake of sexual harassment scandals that were handled poorly.
Audi is introducing new technology to reduce vehicle emissions. Known as the Green Light Optimization Speed Advisory, or GLOSA, the system will help you choose a speed to catch more green lights and reduce idle time. The system is part of the Audi Connect Prime on 2017 and newer models and will be available in 13 urban regions across the US.
Amazon has decided to make a push to be carbon neutral to offset its historically poor environmental record. The Shipment Zero initiative is aiming to make all shipments carbon-neutral by 2030. It believes these efforts will be aided by aircraft biofuels, electric vehicles, renewable energy, and reusable packaging.
The really exciting news out of Amazon this week though comes in the form of an investment. Amazon has committed to expanding computer science courses at more than 1,000 high schools in all 50 states and the District of Columbia. Known as the Future Engineer program, Amazon hopes to positively impact the lives of more than 100,000 underprivileged kids and will also award 100 students per year with 10,000-dollar four-year scholarships.
A new bill moving through the US congress is aimed at cracking down on hidden fees on your phone and internet bills. Called the Truth-in-Billing, Remedies and User Empowerment over Fees, or TRUE Act, the bill will require phone, cable, and internet companies to include all charges in advertisements and give consumers a way to fight back when they’re surprised with a higher than expected monthly statement.
Photographer John Rankin Waddell has created a new project, in collaboration with Visual Diet, called Selfie Harm. He took photos of teens and then gave them the opportunity to use a selfie app to retouch the photos. His goal is to show how people can be manipulated by the manicured and curated social media reality. The project is wonderful reminder that we are all beautiful and don’t need technology to change what we look like.
My last story in good news this week comes from the depths of the ocean. Scientists have finished mapping the genome of the great white shark. The DNA of these ancient apex predators can, potentially, unlock the secrets of their uniquely fast wound-healing ability. Their 41 chromosome pairs could also unlock the secrets of preventing or healing cancer. Some of their DNA pairs promote stability against mutations in their genomic chains which also helps to reduce the potential of cancer, since cancer is malignant a mutation of cells.
Now, that’s a positive way to end an episode.
That’s it for this week in tech news that matters to you. If you’ve enjoyed the podcast, please subscribe, rate, and review on iTunes, Google Play, Spotify, Stitcher Radio, or TuneIn. The more buttons you press on those sites, the easier it is for people to find me. If you’ve found any of this episode’s information helpful, please share what you found interesting in a post on your social media by linking to Raytec dot co slash listen. That’s r-a-y-t-e-c dot c-o slash listen. I really appreciate anyone who’s willing to share my podcast.
As always, there are bonus links in the show notes. Articles in this week’s extracurricular reading include: a smart jersey for NBA band wagon jumpers, the UK’s new push to geotag criminals, tips on how to watch the Oscars, and much more. The show notes also have links to each of the podcast apps I listed as well as links to my social media. If you have any information, updates, or constructive criticism, feel free to reach out via social media.
Thanks for listening and have a great week!