November 18, 2019

NSA won’t collect phone location data, promises US government

By Danny Bradbury

US intelligence agencies won’t harvest US residents’ geolocation data in future investigations, revealed the US government this month. In fact, it hasn’t done so since last summer.

The last 18 months have seen significant changes to the US’s collection of phone location data. Since 1994, law enforcement agencies in the US had been able to access court records thanks to an amendment to the 1996 Stored Communications Act. Under this legislation, a judge could give prosecutors access if they could justify that call records were relevant and material to an ongoing investigation.

That all changed in a lawsuit brought by Tim Carpenter, who was convicted in 2011 after federal prosecutors trawled cell phone location data, tying his phone to the time and location of several robberies. Carpenter sued in appeals court, claiming that the trawling violated his Fourth Amendment rights. He lost on appeal, but then the case went to the Supreme Court, which ruled in his favor in a 5-4 vote.

That decision stopped the warrantless collection of phone location data by police and federal law enforcement, but what about for the intelligence community?

In 2001, section 215 of the USA PATRIOT Act amended Title V, Section 501 of the Foreign Intelligence Surveillance Act (FISA), allowing intelligence agencies to collect metadata on calls (known as call detail records, or CDRs), which they store in repositories and secure networks. The NSA can query the metadata when it has reasonable suspicion that the call could be associated with foreign terrorist organizations.

Section 215 is on the Congressional agenda right now because it is set to expire under the 2015 US Freedom Act, which was created to preserve the CDR program in a constrained form. Unless Congress renews Section 215 it will cease to exist on 15 December 2019.


GitHub launches Security Lab to boost open source security

By John E Dunn

When it comes to open source software security, nobody could accuse Microsoft-owned development platform GitHub of not thinking big when it came up with the idea for Security Lab.

Launched last week at its GitHub Universe developer conference, the idea sounds simple enough – create a global platform for reporting and fixing security vulnerabilities in open source projects before they do serious damage.

It sounds so obvious, it’s surprising that nobody’s thought of it before. That might have something to do with the size of the job, admitted GitHub’s vice president of security product management in Security Lab’s launch blog:

Securing the world’s open source software is a daunting task.

The JavaScript ecosystem alone encompasses more than a million projects, not helped by the daunting 500:1 ratio of developers to security experts with the knowledge of how to fix things.

Lots of developers crank out vulnerable code, leaving a tiny clean-up squad to pick up the mess of a problem that sprawls across thousands of companies.

Feeling depressed yet? Don’t be – that’s where GitHub’s Security Lab steps in.

To boost credibility, GitHub has already signed up big companies – namely Google, Oracle, Mozilla, Intel, Uber, VMWare, J.P. Morgan, F5, NCC Group, IOActive, Trail of Bits, HackerOne, as well as Microsoft and LinkedIn.

This has already borne fruit, with these companies collectively finding more than 100 CVE-level security vulnerabilities in open source code. Anyone who joins them will qualify for bug bounties of up to $3,000, GitHub said.


Two men busted for hijacking victims’ phones and email accounts

By Lisa Vaas

Police busted two alleged SIM-jackers in Massachusetts on Thursday and charged them with draining fat cryptocurrency wallets and hijacking OG social media accounts.

OG is short for “original gangster” and refers to high-value social media account names: tempting to account kidnappers either because they’re short – such as @t or @ty – or because they’re considered cool, such as @Sex or @Eternity, or then again, because they belong to celebrities, such as, say, the Twitter accounts of Wikipedia co-founder Jimmy Wales, comedian Sarah Silverman, or NASA, to name just a few with a history of getting hijacked.

An 11-count indictment charges the two men – Eric Meiggs, 21, of Brockton, Massachusetts, and Declan Harrington, 20, of Rockport, Massachusetts – with wire fraud, conspiracy, computer fraud and abuse, and aggravated identity theft for their alleged crime spree, which stretched from November 2017 to May 2018 and stripped $550,000 worth of cryptocoins from at least 10 victims in the US.

The Justice Department (DOJ) said that besides SIM swaps, the two also allegedly used computer hacking to get what they were after.

Prosecutors allege that Meiggs and Harrington took over their targets’ mobile phone and email accounts via SIM-swapping: One would allegedly call a mark’s phone provider and, pretending to be that person, would sweet-talk the provider into transferring the number to a new SIM card.


Wikipedia co-founder offers a Facebook/Twitter wannabe

By Lisa Vaas

How much would you pay for a Facebook- or Twitter-like social network experience, but one in which you’re not tracked, your personal information and web history aren’t gobbled up, and you aren’t e-hounded by targeted ads?

For those of us who haven’t already jumped the Facebook ship and might still be interested in relinquishing our roles as products, Wikipedia co-founder Jimmy Wales has set up a social media site called WT:Social that’s supported solely by donations. The cost, if you want to skip the waiting list: either $12.99/month or $100/year, or your willingness to share the invitation with friends, family and/or colleagues.

Instead of funding the site with advertising, Wales is using Wikipedia’s model of relying on users’ donations. Snipping the tie to advertisers is how you can spare users the low-quality content that proliferates when there’s money to be made via clicks, Wales told the Financial Times:

The business model of social media companies, of pure advertising, is problematic. It turns out the huge winner is low-quality content.

In fact, there’s a thriving industry that cashes in on clicks by fabricating trolls on either side of the political spectrum, as we recently found out when a reporter went undercover to work in a Polish troll farm.

The same goes for fake news: as a former fake-news writer described a few months ago, sensationalist clickbait fakery is all about the ad revenue. It doesn’t matter how preposterous the content is: what matters is that somebody (or many somebodies) opens the articles and generates ad impressions.

WT:Social grew out of Wales’ previous project, WikiTribune, which sought to be a global news site devoted to fighting fake news – one made up of professional journalists and citizen contributors.


How ransomware attacks

By John E Dunn

More than a decade after it first emerged, is the world any closer to stopping ransomware?

Judging from the growing toll of large organizations caught out by what has become the weapon of choice for so many criminals, it’s tempting to conclude not.

The problem for defenders, as documented in SophosLabs’ new report How Ransomware Attacks, is that although almost all ransomware uses the same trick – encrypting files or entire disks and extorting a ransom for their safe return – how it evades defenses to reach data keeps evolving.

This means that a static analysis technique that stopped a strain of ransomware today may not stop an evolved counterpart in just a few weeks’ time. This creates a major challenge for organizations and security companies alike.

As the growing number of high-profile ransomware attacks reminds us, sugar coating the issue would be deluded – ransomware has grown as an industry because it works for the people who use it, which means it beats the defenses of victims often enough to deliver a significant revenue stream.

The report covers the operation of the most prominent ransomware examples in recent times in detail, including Ryuk, BitPaymer, MegaCortex, Dharma, SamSam, GandCrab, Matrix, WannaCry, LockerGoga, RobbinHood, and Sodinokibi.


How the Linux kernel balances the risks of public bug disclosure

By Danny Bradbury

Last month a serious Linux Wi-Fi flaw (CVE-2019-17666) was uncovered that could have enabled an attacker to take over a Linux device using its Wi-Fi interface. At the time it was disclosed Naked Security decided to wait until a patch was available before writing about it.

Well, it’s been patched, but the journey from discovery to patch provides some insights into how the Linux open-source project (the world’s largest collaborative software development effort) manages bug fixes and the risks of disclosure.

The Linux community worked hard last month to patch a bug in one of the operating system’s wireless drivers. The bug lay in RTLWIFI, a driver used to run Wi-Fi chips produced by processor manufacturer Realtek.

To be vulnerable to the bug, a device would have to include a Realtek Wi-Fi chip. These processors can be found in everything from Wi-Fi access points and routers through to some laptop devices, explained the person who found it, GitHub’s principal security researcher Nicolas Waisman.

If a device does contain this chip, the consequences could be serious, he told Naked Security at the time:

You could potentially obtain remote code execution as an attacker.

An attacker in radio range of the device could send a packet using a Wi-Fi feature called Wi-Fi Direct, which enables devices to talk to each other directly via radio without using a central access point. The attacker could add information to the packet that would trigger a buffer overflow in the Linux kernel.

Given that Realtek chips turn up in all kinds of equipment including routers and laptops, the bug seemed like a pretty big deal. It’s also an old one – it’s been in the Linux codebase since 2013.


Apple fires employee after he texts customer’s pic to his own phone

By Lisa Vaas

She had this funny feeling.

So before she took her cracked iPhone screen to the Apple store for repair, she backed it up, and she went on a wiping spree. Apps with financial information or that linked to her bank account? Deleted. Social media apps? Gone.
I didn’t want them going through them.

But the phone’s voluminous photos? Argh! No time. You can undoubtedly see where this is going, so let’s go there…

Her appointment had been moved up. The Valley Plaza Apple store in Bakersfield, California, was texting her, so she rushed over without deleting those photos, Gloria Elisa Fuentes said in a Facebook post earlier this month.

Fuentes placed her phone in the hand of one of the Apple store employees, and then, like one does, she waited. The employee “messed around” with it for quite a while, she said, but hey, that’s what phone store employees do:

I didn’t really pay any mind to it because I just figured he’s doing his job, looking into my insurance info or whatever.

Perhaps Fuentes might have grown suspicious when the employee asked for her password. Twice. But she didn’t think anything about it. In the end, he told Fuentes she would have to take it to her phone company for a screen fix.
