Posts Tagged: AOL


26
May 18

Why Is Your Location Data No Longer Private?

The past month has seen one blockbuster revelation after another about how our mobile phone and broadband providers have been leaking highly sensitive customer information, including real-time location data and customer account details. In the wake of these consumer privacy debacles, many are left wondering who’s responsible for policing these industries? How exactly did we get to this point? What prospects are there for changes to address this national privacy crisis at the legislative and regulatory levels? These are some of the questions we’ll explore in this article.

In 2015, the Federal Communications Commission under the Obama Administration reclassified broadband Internet companies as telecommunications providers, which gave the agency authority to regulate broadband providers the same way as telephone companies.

The FCC also came up with so-called “net neutrality” rules designed to prohibit Internet providers from blocking or slowing down traffic, or from offering “fast lane” access to companies willing to pay extra for certain content or for higher quality service.

In mid-2016, the FCC adopted new privacy rules for all Internet providers that would have required providers to seek opt-in permission from customers before collecting, storing, sharing and selling anything that might be considered sensitive — including Web browsing, application usage and location information, as well as financial and health data.

But the Obama administration’s new FCC privacy rules didn’t become final until December 2016, a month after then President-elect Trump was welcomed into office by a Republican controlled House and Senate.

Congress still had 90 legislative days (when lawmakers are physically in session) to pass a resolution killing the privacy regulations, and on March 23, 2017 the Senate voted 50-48 to repeal them. Approval of the repeal in the House passed quickly thereafter, and President Trump officially signed it on April 3, 2017.

In an op-ed published in The Washington Post, Ajit Pai — a former Verizon lawyer and President Trump’s pick to lead the FCC — said “despite hyperventilating headlines, Internet service providers have never planned to sell your individual browsing history to third parties.”

FCC Commissioner Ajit Pai.

“That’s simply not how online advertising works,” Pai wrote. “And doing so would violate ISPs’ privacy promises. Second, Congress’s decision last week didn’t remove existing privacy protections; it simply cleared the way for us to work together to reinstate a rational and effective system for protecting consumer privacy.”

Sen. Bill Nelson (D-Fla.) came to a different conclusion, predicting that the repeal of the FCC privacy rules would allow broadband providers to collect and sell a “gold mine of data” about customers.

“Your mobile broadband provider knows how you move about your day through information about your geolocation and internet activity through your mobile device,” Nelson said. The Senate resolution “will take consumers out of this driver’s seat and place the collection and use of their information behind a veil of secrecy.”

Meanwhile, pressure was building on the now Republican-controlled FCC to repeal the previous administration’s net neutrality rules. The major ISPs and mobile providers claimed the new regulations put them at a disadvantage relative to competitors that were not regulated by the FCC, such as Amazon, Apple, Facebook and Google.

On Dec. 14, 2017, FCC Chairman Pai joined two other Republic FCC commissioners in a 3-2 vote to dismantle the net neutrality regulations.

As The New York Times observed after the net neutrality repeal, “the commission’s chairman, Ajit Pai, vigorously defended the repeal before the vote. He said the rollback of the rules would eventually benefit consumers because broadband providers like AT&T and Comcast could offer them a wider variety of service options.”

“We are helping consumers and promoting competition,” Mr. Pai said. “Broadband providers will have more incentive to build networks, especially to underserved areas.”

MORE OR LESS CHOICE?

Some might argue we’ve seen reduced competition and more industry consolidation since the FCC repealed the rules. Major broadband and mobile provider AT&T and cable/entertainment giant Time Warner are now fighting the Justice Department in a bid to merge. Two of the four-largest mobile telecom and broadband providers — T-Mobile and Sprint — have announced plans for a $26 billion merger.

The FCC privacy rules from 2016 that were overturned by Congress sought to give consumers more choice about how their data was to be used, stored and shared. But consumers now have less “choice” than ever about how their mobile provider shares their data and with whom. Worse, the mobile and broadband providers themselves are failing to secure their own customers’ data.

This month, it emerged that the major mobile providers have been giving commercial third-parties the ability to instantly look up the precise location of any mobile subscriber in real time. KrebsOnSecurity broke the news that one of these third parties — LocationSmartleaked this ability for years to anyone via a buggy component on its Web site.

LocationSmart’s demo page featured a buggy component which allowed anyone to look up anyone else’s mobile device location, in real time, and without consent.

We also learned that another California company — Securus Technologies — was selling real-time location lookups to a number of state and local law enforcement agencies, and that accounts for dozens of those law enforcement officers were obtained by hackers.  Securus, it turned out, was ultimately getting its data from LocationSmart.

This week, researchers discovered that a bug in T-Mobile’s Web site let anyone access the personal account details of any customer with just their cell phone number, including full name, address, account number and some cases tax ID numbers.

Not to be outdone, Comcast was revealed to have exposed sensitive information on customers through a buggy component of its Web site that could be tricked into displaying the home address where the company’s wireless router is located, as well as the router’s Wi-Fi name and password.

It’s not clear how FCC Chairman Pai intends to “reinstate a rational and effective system for protecting consumer privacy,” as he pledged after voting last year to overturn the 2015 privacy rules. The FCC reportedly has taken at least tentative steps to open an inquiry into the LocationSmart debacle, although Sen. Ron Wyden (D-Ore.) has called on Chairman Pai to recuse himself on the inquiry because Pai once represented Securus as an attorney. (Wyden also had some choice words for the wireless companies).

The major wireless carriers all say they do not share customer location data without customer consent or in response to a court order or subpoena. Consent. All of these carriers pointed me to their privacy policies. It could be the carriers believe these policies clearly explain that simply by using their wireless device customers have opted-in to having their real-time location data sold or given to third-party companies.

Michelle De Mooy, director of the privacy and data project at the Center for Democracy & Technology (CDT), said if the mobile giants are burying that disclosure in privacy policy legalese, that’s just not good enough.

“Even if they say, ‘Our privacy policy says we can do this,’ it violates peoples’ reasonable expectations of when and why their location data is being collected and how that’s going to be used. It’s not okay to simply point to your privacy policies and expect that to be enough.”

Continue reading →


8
Feb 17

‘Top 10 Spammer’ Indicted for Wire Fraud

Michael A. Persaud, a California man profiled in a Nov. 2014 KrebsOnSecurity story about a junk email purveyor tagged as one of the World’s Top 10 Worst Spammers, was indicted this week on federal wire fraud charges tied to an alleged spamming operation.

According to an indictment returned in federal court in Chicago, Persaud used multiple Internet addresses and domains – a technique known as “snowshoe spamming” – to transmit spam emails over at least nine networks.

persaud-fb

The Justice Department says Persaud sent well over a million spam emails to recipients in the United States and abroad. Prosecutors charge that Persaud often used false names to register the domains, and he created fraudulent “From:” address fields to conceal that he was the true sender of the emails. The government also accuses Persaud of “illegally transferring and selling millions of email addresses for the purpose of transmitting spam.”

Persaud is currently listed as #8 on the World’s 10 Worst Spammers list maintained by Spamhaus, an anti-spam organization. In 1998, Persaud was sued by AOL, which charged that he committed fraud by using various names to send millions of get-rich-quick spam messages to America Online customers. Persaud did not contest the charges and was ordered to pay more than a half-million dollars in restitution and damages. Continue reading →


3
Jun 14

Ne’er-Do-Well News, Volume I

It’s been a while since a new category debuted on this blog, and it occurred to me that I didn’t have a catch-all designation for random ne’er-do-well news. Alas, the inaugural entry for Ne’er-Do-Well News looks at three recent unrelated developments: The availability of remote access iPhone apps written by a programmer perhaps best known for developing crimeware; the return to prison of a young hacker who earned notoriety after simultaneously hacking Paris Hilton’s cell phone and data broker LexisNexis; and the release of Pavel Vrublevsky from a Russian prison more than a year before his sentence was to expire.

ZeusTerm and Zeus Terminal are iPhone/iPad apps designed by the same guy who brought us the Styx-Crypt exploit kit.

ZeusTerm and Zeus Terminal are iPhone/iPad apps designed by the same guy who brought us the Styx-Crypt exploit kit.

A year ago, this blog featured a series of articles that sought to track down the developers of the Styx-Crypt exploit kit, a crimeware package being sold to help bad guys booby-trap compromised Web sites with malware. Earlier this week, I learned that a leading developer of Styx-Crypt — a Ukrainian man named Max Gavryuk — also is selling his own line of remote administration tools curiously called “Zeus Terminal,” available via the Apple iTunes store.

News of the app family came via a Twitter follower who  asked to remain anonymous, but who said two of the apps by this author were recently pulled from Apple’s iTunes store, including Zeus Terminal and Zeus Terminal Lite. It’s unclear why the apps were yanked or by whom, but the developer appears to have two other remote access apps for sale on iTunes, including ZeusTerm and ZeusTerm HD.

Incidentally, the support page listed for these apps — zeus-terminal[dot]com — no longer appears to be active (if, indeed it ever was), but the developer lists as his other home page reality7solutions[dot]com, which as this blog has reported was intricately tied to the Styx-Crypt development team.

This wouldn’t be the first time a crimeware author segued into building apps for the iPhone and iPad: In January 2012, as part of my Pharma Wars series, I wrote about clues that strongly suggested the Srizbi/Reactor spam botnet was developed and sold by a guy who left the spam business to build OOO Gameprom, a company that has developed dozens of games available in the iTunes store.

Continue reading →


17
Apr 13

SWATting Incidents Tied to ID Theft Sites?

Many readers have been asking for an update on the “SWATting” incident at my home last month, in which someone claiming to be me fraudulently reported a home invasion in progress at my address, prompting a heavily armed police response. There are two incremental developments on this story. The first is I’ve learned more about how the hoax was perpetrated. The second is that new clues suggest that the same individual(s) responsible also have been SWATting Hollywood celebrities and posting their personal information on site called exposed.re.

The day before my SWATting, I wrote a story about a site called exposed.su, which was posting the Social Security numbers, previous addresses, phone numbers and other sensitive information on a slew of high-profile individuals, from the director of the FBI to Kim Kardashian, Bill Gates and First Lady Michelle Obama. I wrote about the site by way of explaining that — as painful as it may be to admit — this information should no longer be considered private, because it is available quite cheaply via a number of shady services advertised in underground cybercrime forums.

After migrating the data from Exposed.su to Exposed.re, the curator added [Swatted] notations.


[Swatted] notations were added to celebrity names after Exposed.su became Exposed.re

To illustrate this reality, I pointed to one underground site in particular — the now-defunct ssndob.ru (it is now at another domain) — that could be used to pull all of this information on just about anyone, including all of those whose information was listed at the time on exposed.su. In a follow-up investigation I posted on Mar. 18, 2013, I cited sources who claimed that the DDoS against my site and the simultaneous SWATting attack on my home was in retaliation for my writing about ssndob.ru, which allegedly some of those involved in the attacks prized and did not wish to see shuttered.

Specifically, two different sources placed blame for the attacks on a young hacker named “Phobia,” who they said was part of a group of Xbox gaming enthusiasts who used ssndob.ru to look up Social Security numbers belonging to high-value Xbox account holders — particularly those belonging to Microsoft Xbox Live employees. Armed with that information, and some social engineering skills, the hackers could apparently trick Microsoft’s tech support folks into transferring control over the accounts to the hackers. “I heard he got pissed that you released the site he uses,” one of the sources told me, explaining why he thought Phobia was involved.

Incidentally, two days after my story ran, several news outlets reported that Microsoft had confirmed it is investigating the hacking of Xbox Live accounts belonging to some “high-profile” Microsoft employees, and that it is actively working with law enforcement on the matter.

A little digging suggested that Phobia was a 20-year-old Ryan Stevenson from in Milford, Ct. In that Mar. 18 story, I interviewed Phobia, who confessed to being the hacker who broke into and deleted the Apple iCloud account of wired.com reporter Mat Honan. In subsequent postings on Twitter, Honan expressed surprise that no one else had drawn the connections between Phobia and Stevenson earlier, based on the amount of open source information linking the two identities. In his own reporting on the attack that wiped his iCloud data, Honan had agreed not to name Phobia in return for an explanation of how the hack was carried out.

Geographic distribution of servers observed in Mar. 14, 2013 attack on KrebsOnSecurity. Source: Prolexic

Geographic distribution of servers observed in Mar. 14, 2013 attack on KrebsOnSecurity. Source: Prolexic

The week after my story ran, I heard from someone who lives in Stevenson’s neighborhood and who watched federal agents and police descend on Stevenson’s home on Mar. 20. I was later able to corroborate that information with a police officer in Connecticut, who confirmed that authorities had seized several boxes of items from the Stevenson residence that day.

If Stevenson was as involved as his erstwhile gaming buddies claim, I can’t say that I’m sad to learn that he got his own police raid. However, I do not believe he was the one responsible for sending the emergency response team to my home. I believe that the person or persons responsible is/are still at large, and that Stevenson was merely thrown under the bus as a convenient diversion. But more on that at another time.

At the end of March, exposed.su was shut down, and the content there was migrated over to a new domain — exposed.re. The curator(s) of this site has been adding more celebrities and public figures, but there is another, far more curious, notation on some of the listings at the new version of the site: Several of those named have the designation [Swatted] next to them, including P. Diddy, Justin Timberlake and Ryan Seacrest (see the collage above). It’s worth noting that not all of those listed on exposed.re who were SWATted recently are designated as such on the site.

Continue reading →


1
Jul 10

Top Apps Largely Forgo Windows Security Protections

Many of the most widely used third-party software applications for Microsoft Windows do not take advantage of two major lines of defense built into the operating system that can help block attacks from hackers and viruses, according to research released today.

Attackers usually craft software exploits so that they write data or programs to very specific, static sections in the operating system’s memory. To counter this, Microsoft introduced with Windows Vista (and Windows 7) a feature called address space layout randomization or ASLR, which constantly moves these memory points to different positions. Another defensive feature called data execution prevention (DEP) — first introduced with Windows XP Service Pack 2 back in 2004 — attempts to make it so that even if an attacker succeeds in guessing the location of the memory point they’re seeking, the code placed there will not execute or run.

These protections are available to any applications built to run on top of the operation system. But according to a new analysis by software vulnerability management firm Secunia, half of the third party apps they looked at fail to leverage either feature.

As indicated by the chart to the right, Secunia found that at least 50 percent of the applications examined — including Apple Quicktime, Foxit Reader, Google Picasa, Java, OpenOffice.org, RealPlayer, VideoLAN VLC Player, and AOL‘s Winamp — still do not invoke either DEP or ASLR. Secunia said DEP adoption has been slow and uneven between operating system versions, and that ASLR support is improperly implemented by nearly all vendors.

“If both DEP and ASLR are correctly deployed, the ease of exploit development decreases significantly,” wrote Alin Rad Pop, a senior security specialist at Secunia. “While most Microsoft applications take full advantage of DEP and ASLR, third-party applications have yet to fully adapt to the requirements of the two mechanisms. If we also consider the increasing number of vulnerabilities discovered in third-party applications, an attackers choice for targeting a popular third-party application rather than a Microsoft product becomes very understandable.”

Continue reading →