Subscribe

[Axis of Easy] Your smartphone may be recording everything you say

by on January 6, 2020


Weekly Axis Of Easy #127

Last Week’s Quote was  “Every plane crash makes the next one less likely, every bank crash makes the next one more likely.” …was Nassim Taleb, winner was Joseph Shipman

This Week’s Quote:  “The illiterate of the 21st century will not be those who cannot read and write, but those who cannot learn, unlearn, and relearn.” ..by ????

THE RULES:  No searching up the answer, must be posted to the blog

The Prize:  First person to post the correct answer gets their next domain or hosting renewal on us.


We will be spinning out a stand-alone AxisOfEasy channel in the coming weeks. To get a head-start on a more frequent flow of items via that channel, subscribe to our updates via Mastodon or Twitter.

Listen to the podcast edition of #AxisOfEasy here:

#AxisOfEasy 127: Your smartphone may be recording everything you say from Mark Jeftovic on Vimeo.

In this mammoth, back-to-business edition:
  • New Caller ID laws come into effect in the US
  • Millions of Facebook users phone numbers exposed online
  • CRISPR Baby doc gets three years in prison
  • China’s Fentanyl export empire
  • UN passes new China/Russia backed convention on cybercrime
  • Amazon and Ring hit with Federal lawsuit over hacks
  • Data Breaches over the holidays:
    •     IoT vendor Wyze smart cameras hacked
    •     Lifelabs: medical testing patient data
    •     Wawa, all locations
  • IT provider Synoptek hit with ransomware attack
  • Mysterious drones spotted over two US states
  • Saudi Arabia sentences 5 patsies to death in Khashoggi execution
  • ToTok app isn’t a chat app, it’s a spying tool
  • Your smartphone may be recording everything you say
  • Russia tests stand-alone internet
  • SEC opens probes into listings of tech unicorns
  • Future Fibre / Future Tools and Yak Shaving

New Caller ID laws come into effect in US

On January 1st the TRACED Act took effect in the US. That is the Telephone Robocall Abuse Criminal Enforcement and Deterrence Act which prioritizes enhanced caller-ID frameworks like SHAKEN/STIR (which we first reported on back in #AxisOfEasy 74)

The act imposes stiff fines on parties that spoof fake caller IDs in unsolicited marketing robocalls, and extends the timeframe that the FCC can impose penalties from one year after the incident to up to four.

Oddly, I am having a hard time finding detailed coverage of it in the MSM, which is confining coverage to the penalties against robocalls but not really talking about the technical framework that will be the basis. My third-party VOIP provider is in Canada (voip.ms) and is adapting SHAKEN/STIR in concert with the new US law.

Read: https://abcnews.go.com/Politics/law-robocalls/story?id=68008423

Millions of Facebook users phone numbers exposed online

The above item was of particular interest to me as the volume of inbound robocalls to my cell phone over the holiday season reached a fevered pitch, at one point I was receiving multiple calls per hour. I simply stopped answering calls from non-contacts. I probably won’t resume answering them.

How did all these robots get my personal cell phone number to begin with? Perhaps it was because Facebook had another data breach, in which a security researcher found yet another web accessible data dump that could be accessed with no authentication. Bob Diachenko (again) found a dump with names, emails, phone numbers and user ids of 267 million Facebook users.

As I type this I thought we may have already reported on this, but no, it’s just that Diachenko seems to have a penchant for finding wide open data dumps. He’s previously found data troves of Adobe, a multi-platform 4TB data dump spanning LinkedIn, Facebook and Twitter, and 275 million Indian citizens.

The common factor in all these? Wide open MongoDB databases. They’re not hard to find. You just need to know what to look for on Shodan.

Also a h/t is in order to a reader who sent me this one but I neglected to note who that was at the time and cannot find the email since, so thank-you, whoever you are…. Keep ‘em coming.

CRISPR Baby doc gets three years in prison

The Chinese doctor who created the world’s first gene-edited babies, a pair of twin girls who are supposed to be immune to HIV, (only they may not actually be), has been handed a prison term of three years by Chinese authorities.

Immediately after the announcement last January, Dr He Jiankui was fired from his position from Shenzhen-based Southern University of Science and Technology and an investigation was initiated into his activities. At one point he disappeared for a few months, but then resurfaced. The court found that Jiankui had forged documents and concealed the true nature of his experiments.

Read: https://www.zerohedge.com/technology/chinese-scientist-who-created-first-gene-edited-babies-sentenced-3-years-prison

China’s Fentanyl export empire

TheNation ran a long piece that traces the complex web of dynamics around the opioid and fentanyl crisis. Now that Purdue Pharmaceutical a.k.a “the drug company that addicted America” (see Beth Macy’s “Dopesick” Amazon link  is gone), the vacuum is being filled by multiple entrants spanning the Dark Web and, significantly, China.

Dan Kolitz’s article looks through Ben Westhoff’s “Fentanyl Inc.” which chronicles how “Rogue chemists are creating the deadliest wave of the opioid epidemic”.  Amazon Link

UN passes new China/Russia backed convention on cybercrime

Over the holidays the United Nations passed a resolution for a new convention on cybercrime. It will pave the way “to elaborate a comprehensive international convention on countering the use of information and communications technologies for criminal purposes”. The bill was sponsored by Russia and China and has human rights watchdogs concerned that the convention will be used as a basis to squelch political dissent.

The US and many Euro nations opposed the bill echoing said concerns and that the pre-existing Budapest Convention of 2001 already provides a framework for addressing cybercrime internationally. The new resolution would obsolete the Budapest Convention.

Read: https://www.washingtonpost.com/politics/2019/12/04/un-passed-russia-backed-cybercrime-resolution-thats-not-good-news-internet-freedom/

And: https://www.nytimes.com/aponline/2019/12/27/world/europe/ap-un-united-nations-combating-cybercrime.html

Note: I’m a little confused when this passed exactly, the WaPo article is dated December 4th, the SCMP and NYtimes are dated Dec 28th, saying “it passed on Friday”. In any case, work is scheduled to commence drafting the new convention in August 2021. Also, I can’t figure out how Canada voted on it.

Amazon and Ring hit with Federal lawsuit over hacks

The last AxisOfEasy (number 126) before we knocked off for Christmas reported on a hacker gang that had cracked into Amazon Ring cameras and taunted families in their homes through the breached devices, while podcasting it live via their Discord channel. At least one US federal lawsuit has been filed by an Alabama resident, who alleges that hackers broke into his Ring cams and started talking to his children as they played basketball in front of their home.

The lawsuit focuses on Amazon and Ring’s negligence in allowing their cameras to be hacked. My understanding is that the hacks were executing by brute forcing them with previously leaked password databases, so in that sense, reusing passwords is at least part of the problem. Not having brute force dampening would be another, I guess.

Readhttps://www.digitaltrends.com/home/ring-amazon-federal-lawsuit-hacks/

Data Breaches of the Holidays:

It was a busy holiday season for data breaches…. In no particular order:

IoT vendor Wyze smart cameras hacked

Wyze products include: web cams, “smart lightbulbs”, and smart door locks confirmed that account details on 2.4 million customers was exposed for 22 days:

Lifelabs

Not to be outdone, Lifelabs, Canada’s largest medical testing company, disclosed in an open letter to customers that they suffered a breach affecting 15 million patients. The company apparently paid a ransom to cyber-attackers to “recover” the data. I don’t really know what “recover the data” in this context actually means. Did they pay the hackers not to expose it? It’s unclear.

Read: https://customernotice.lifelabs.com/

 Wawa all locations

WaWa CEO disclosed that “potentially all locations” suffered a breach when the company’s payment servers were attacked and infected with malware. The compromise began on March 4, 2019 until it was discovered on December 10, 2019, and contained on December 12, 2019. That’s one long infection time.

…sorry to anyone we missed

IT provider Synoptek hit with ransomware attack 

Christmas was canceled for Irvine, California based IT provider Synoptek, who provides cloud-based IT services for thousands of businesses across the country in sectors ranging from financial services, healthcare, manufacturing and local government. News broke via /r/syadmin on Reddit Christmas Eve that they were hit with a ransomware attack. The company reportedly paid the ransom in order to restore services as soon as possible.

Continuing a theme, ZDnet reports on how a new ransomware strain called Zeppelin, steals the subject data first before encrypting it and holding the owners up for a ransom. It’s not the first to do so, it’s part of an emerging trend with ransomware, making me wonder if it’s the sort of thing that happened with the aforementioned Lifelock hack.

Read: https://www.zdnet.com/article/another-ransomware-strain-is-now-stealing-data-before-encrypting-it/

Mysterious drones spotted over US states

From the Not-Rudolf-Dept: media reports began to spread Dec 23 of large, co-ordinated, nighttime drone formations making maneuvers over Denver, Colorado and parts of Nebraska. Formations of at least 17 drones appears to be flying in squares of approximately 25 miles. The flights start around 7pm and end around 10pm. Authorities do not know the source of the flights and the FAA is investigating.

Read:  https://www.nytimes.com/2020/01/01/us/drones-FAA-colorado-nebraska.html

Saudi Arabia sentences 5 patsies to death in Khashoggi execution

A court in Saudi Arabia has sentenced 5 patsies to death over the outcry surrounding the murder of journalist and critic of the Kingdom Jamal Khashoggi. The court said it didn’t have enough evidence to incriminate two officials closest to the Saudi Crown Prince Mohammed Bin Salman, and further concluded that the assassination wasn’t premeditated. What the court is saying is that luring Khashoggi to the Saudi consulate in Turkey under false pretences, and then restraining him, murdering him, before dismembering his body into pieces and smuggling it out of the embassy for disposal was a spur-of-the-moment thing that just, kinda…happened. Just a fluke, really.

ToTok app is a spying tool (also Metaviews on TikTok)

One of the hottest emerging chat apps out there, ToTok, bills itself as a secure alternative to WhatsApp and Skype. But according to a report via the NYTimes who consulted with US intelligence officials, it’s actually a spyware app that the government of the United Arab Emirates is using to eavesdrop on everybody who installs it. The investigation determined that the firm behind ToTok, which has been downloaded millions of times within the past few months, is most likely a front company affiliated with Dark Matter, who in addition to being under an FBI investigation is also “an Abu Dhabi-based cyberintelligence and hacking firm where Emirati intelligence officials, former National Security Agency employees and former Israeli military intelligence operatives work.”

ToTok is not to be confused with TikTok, another social media app that is sweeping the nation. Metaviews’ Jesse Hirsh recently took an in-depth look at TikTok.

Your smartphone may be recording everything you say

Speaking of being spied on by our own gear, the USAToday article talks about how the various and sundry apps and devices we carry around or stick in our homes, eavesdrops on us for marketing purposes. Basically anything with a microphone in it can be assumed to be listening to our conversations, even when we are not specifically addressing them and then parsing the input for keywords it can then use to target advertisements to us.

I first noticed this on a physical level in 2012, when after walking past Trump Towers in downtown Toronto with my map application open (I was headed to a meeting off Bay St), I was subsequently targeted with ads for the Trump Hotel in downtown Toronto in my web travels. I wrote about it at the time in a post that garnered absolutely zero reaction whatsoever.

Maybe it seemed too “out there” at the time and now that it’s the norm and ubiquitous and unavoidable, it’s news. The New York Times just ran what they’re calling an opinion piece about the smart phone location tracking industry based on a data set they obtained containing 12 million cellphone users movements.

Read: https://www.nytimes.com/interactive/2019/12/19/opinion/location-tracking-cell-phone.html

Russia tests stand-alone internet 

Back in #AxisOfEasy 28 we reported on how Russia was proposing the creation of a separate DNS root for the BRIC nations in response to increasingly loggerheads with the US-led internet. Over the holidays Forbes reported that Russia announced their intention to test their stand-alone internet on December 23.

That’s the last I’ve heard of it, not sure how that test went.

SEC opens probes into listings of tech unicorns

The WSJ reported the news that the US SEC has opened an investigation into various issuers on the NYSE regarding activity around the first day of trading. Targets of the investigation include Slack and other so-called “unicorns”.  It is not known exactly what kind of activity the SEC is targeting, but it could involve electronic trading firm Citadel Securities LLC which handles some of the issues.

The morning Slack’s IPO opened: “Citadel Securities indicated that Slack would open between $30 and $34. Just over half an hour later, the firm adjusted its indication to a range of $32 to $34.

Following a half-dozen more adjustments, the stock opened at $38.50, in a giant trade shortly after noon in which $1.75 billion worth of Slack shares changed hands. The stock has since fallen, closing Friday at $21.51.”

Future Fibre / Future Tools and Yak Shaving

A few of the items we put out over the holidays include a couple of Metaviews pieces by Jesse Hirsh:

 

One response to “[Axis of Easy] Your smartphone may be recording everything you say”

  1. Avatar Thatch says:

    Hi,
    I am pretty sure that “The illiterate of the 21st century will not be those who cannot read and write, but those who cannot learn, unlearn, and relearn.” is by the awesome Alvin Toffler.

    (first time contributor and always enjoy the newsletter)

Leave a Reply

Your email address will not be published. Required fields are marked *

#AxisOfEasy is brought to you by....

easyDNS

Power & Freedom™ since 1998


Ledger Nano X - The secure hardware wallet easyDNS