TechCrunch reported Shotwell Labs’ co-founder’s findings that even after the FCC penalized Verizon for injecting markers into their customers’ data that enabled them to be tracked without customer consent, the practice is still thriving across mobile providers and being used to sell name and location data to whoever ponies up for it.
The mobile providers are injecting a new data element similar to Verizon’s Unique Identifier Header (UIDH), which is appended to HTTP requests and allows the websites visited to see personally identifiable data, including billing and location info, if they subscribe to the carrier’s data feed for it. While the article does enumerate some legitimate reasons for websites to gain access to this (employee tracking), it’s still concerning.
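A website operator (or a curious user running a plaintext test page) can check whether a carrier proxy appended an identifier header to incoming requests. This is an added example, not code from the original post or from TechCrunch; it parses a raw HTTP/1.x request and flags headers on a watch-list. "X-UIDH" is Verizon's header name; the page names no other carriers' headers, so any others must be supplied by the caller, and the sample token value is constructed.

```python
# Header names known to be injected by a carrier proxy. "X-UIDH" is Verizon's
# Unique Identifier Header; the page names no others, so callers may pass extra
# names in. Header names are compared case-insensitively (HTTP semantics).
KNOWN_INJECTED = {"x-uidh"}

def parse_request(raw: bytes):
    """Split a raw HTTP/1.x request into (request line, {name: value}).
    Repeated header names are joined with ', ', matching HTTP field semantics."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed header line: {line!r}")
        key, value = name.strip().lower(), value.strip()
        headers[key] = f"{headers[key]}, {value}" if key in headers else value
    return lines[0], headers

def find_injected_headers(raw: bytes, extra_names=()):
    """Return {name: value} for every header on the carrier watch-list."""
    _, headers = parse_request(raw)
    watch = KNOWN_INJECTED | {n.lower() for n in extra_names}
    return {k: v for k, v in headers.items() if k in watch}

# Constructed sample: a plaintext request as a server would receive it after a
# carrier proxy appended a UIDH. The token value is made up.
SAMPLE_INJECTED = (b"GET /index.html HTTP/1.1\r\n"
                   b"Host: example.com\r\n"
                   b"User-Agent: demo-browser\r\n"
                   b"X-UIDH: EXAMPLEOPAQUETOKEN123\r\n"
                   b"\r\n")

SAMPLE_CLEAN = (b"GET /index.html HTTP/1.1\r\n"
                b"Host: example.com\r\n"
                b"User-Agent: demo-browser\r\n"
                b"\r\n")
```

Over HTTPS the carrier sees only TLS records and cannot append anything to the request, so this check can only ever fire on plaintext HTTP; a site that finds such headers should drop them before logging rather than store the identifier.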
MPG: scum bags.
From TechCrunch, Mobile phone companies appear to be providing your number and location to anyone who pays:
The possibility was discovered by Philip Neustrom, co-founder of Shotwell Labs, who documented it in a blog post earlier this week. He found a pair of websites which, if visited from a mobile data connection, report back in no time with numerous details: full name, billing zip code, current location (as inferred from cell tower data), and more. (Others found the same thing with slightly different results depending on carrier, but the demo sites were taken down before I could try it myself.)
MPG: the one site linked-to is now offline:
Want to see something crazy? Open this link on your phone with WiFi turned off
Note: this demo site may have been taken down after this report got traction.
Click “Begin,” enter the ZIP code and then click “See Underlying Data.”
What you should see is your home address, phone number, cell phone contract details, and — depending on what kind of cell phone towers you’re currently connected to — a latitude and longitude describing the current location of your cell phone.
MPG: So nice of the Feds to require that mobile devices be locatable to within 100 feet or so.
A few CEOs in prison for a few years would get things moving on eliminating or reducing some of these issues.
Private data is just too dangerous to trust to companies, or the government, since even the NSA cannot do it, and the IRS contracted with Equifax, which served up malware. Identity theft can land you in prison if the thief commits a crime in your name. It’s time to impose severe penalties for mis-use of private information, including the corporate death penalty.
Michael C writes:
I was reading this morning your post and wanted to offer a few observations:
1 – Attached is a redacted privacy page from my Verizon wireless account here in San Francisco. Well hidden on the Verizon Wireless customer page, one can get to an opt-out page (My Profile > Privacy Settings)
2- Once on that Privacy Settings page, you will see three areas where OPT OUT selections can be made. I am presuming that Verizon is honoring those OPT OUTS. If they are not, then we are back to beating the snot out of the scumbags in court, AGAIN.
3- The relevant FCC order is:
“5. To settle this matter, Verizon Wireless will pay a fine of $1,350,000 and implement a compliance plan that requires it to obtain customer opt-in consent prior to sharing a customer’s UIDH with a third party to deliver targeted advertising. With respect to sharing UIDH internally within Verizon Communications Inc. and its subsidiaries, it must obtain either opt-in or opt-out consent from its customers. Verizon Wireless will also generate customer UIDH using methods that comply with reasonable and accepted security standards.”
Like most other rational adults, I loathe the data-hoovering that goes on around us. I am concerned, though, that the Shotwell and TechCrunch folks may have gone off half-cocked UNLESS the telcos are willfully violating these FCC orders.
MPG: good points. It is important to see proof of willful violation; this might be less bad than it seems.
It seems that Verizon has at least one bad link to opt out. A company with tens of millions of customers (probably more) cannot be bothered to make its opt-out links work? That should leave anyone incredulous.
Michael C wrote to Verizon:
Thank you for the information. You might make sure 611 Customer Service is equally aware. The answer " we have no control over security settings" is both inaccurate and inappropriate. Second, I note the link http://privacy.aol.com/advertising-and-privacy/#Adchoices located on https://wbillpay.verizonwireless.com/vzw/secure/setPrivacy.action is broken and thus Verizon Wireless is not properly providing access to the necessary OptOut that is part of the OATH alliance: "Verizon's Relevant Mobile Advertising program helps make the ads you see more interesting and useful. This program shares information with Oath (formed by the combination of AOL and Yahoo)."
I wish to ensure and verify that I am opted out of any information sharing related to my account, my usage, my location, or my web services. Under no circumstances is Verizon to share my data with OATH or any other partners.
I look forward to (1) Verizon fixing the broken link on the privacy page and (2) your response.
with Verizon responding (whether the link is ever fixed, or whether the message even gets through, who knows):
I apologize for any inconvenience this may have caused to you. I will report that the link is not working correctly to opt out of Oath. After further review, I did verify that you can visit http://privacy.aol.com/mobile-choices/ to opt out of Oath on your mobile devices. If you have any other additional questions, please feel free to email me.
MPG insists upon the corporate death penalty for Equifax. Let that be a lesson to a company profiting from information that is private.
Equifax consumer assistance website infected with malware
The hits just keep on coming for Equifax. After one of the worst data breaches in history the company received further criticism for winning a “no-bid” contract with the IRS to “secure taxpayer data”.
Now it turns out the public information website it set up to help consumers understand the nature of the data breach was itself infected and thus served up malware to those browsing it. The hostile code took the form of a fake “Adobe Flash Update” which, instead of updating Flash, installed third-party spyware on the subject computer. Keep up the good work Equifax!
MPG: many people are going to lose everything to identity theft, or be imprisoned because an imposter commits a crime. Just try proving “it wasn’t me” with a stolen identity problem. Extremely dangerous stuff here.
Update: security expert Bruce Schneier testified before the House Energy and Commerce committee on the Equifax hack. Video and written testimony in essence says that the Equifax breach put all exposed at risk of identity theft and was completely Equifax’s fault. Further, there are other data brokers out there with similar information who are also at risk in the future, and the current regulatory environment is insufficient to the task. “All at risk” means 145+ million people.
MPG has long advised wired internet for performance reasons, as well as advising against public WiFi locations.
WiFi is apparently vulnerable to a complete loss of security.
For the techie, emphasis added:
Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2
We introduce the key reinstallation attack. This attack abuses design or implementation flaws in cryptographic protocols to reinstall an already-in-use key. This resets the key’s associated parameters such as transmit nonces and receive replay counters. Several types of cryptographic Wi-Fi handshakes are affected by the attack.
Finally, we confirmed our findings in practice, and found that every Wi-Fi device is vulnerable to some variant of our attacks. Notably, our attack is exceptionally devastating against Android 6.0: it forces the client into using a predictable all-zero encryption key.
All Wi-Fi clients we tested were vulnerable to our attack against the group key handshake. This enables an adversary to replay broadcast and multicast frames. When the 4-way or fast BSS transition handshake is attacked, the precise impact depends on the data-confidentiality protocol being used. In all cases though, it is possible to decrypt frames and thus hijack TCP connections. This enables the injection of data into unencrypted HTTP connections. Moreover, against Android 6.0 our attack triggered the installation of an all-zero key, completely voiding any security guarantees.
Rather worryingly, our key reinstallation attack even occurs spontaneously if certain handshake messages are lost due to background noise. This means that under certain conditions, implementations are reusing nonces without an adversary being present.
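The abstract’s core point is that reinstalling an in-use key resets the transmit nonce, so two frames end up encrypted under the same (key, nonce) pair. The following is an added model, not code from the paper or the post: a toy client whose per-frame keystream is derived from (key, nonce) by an HMAC stand-in (assumed, not CCMP/AES), showing the nonce collision when the same key is delivered twice, and the countermeasure the paper describes of refusing to reset state when the key being installed is already in use.

```python
import hashlib
import hmac

# Toy stand-in for the data-confidentiality protocol: keystream derived from
# (session key, per-frame nonce), XORed into the frame. NOT CCMP/AES: the
# HMAC-based keystream is a constructed substitute so the demo runs offline.
def keystream(key: bytes, nonce: int, length: int) -> bytes:
    out, block = b"", 0
    while len(out) < length:
        msg = nonce.to_bytes(8, "big") + block.to_bytes(4, "big")
        out += hmac.new(key, msg, hashlib.sha256).digest()
        block += 1
    return out[:length]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

class Client:
    """Minimal model of a Wi-Fi client's installed key and transmit nonce."""
    def __init__(self, refuse_reinstall: bool):
        self.key, self.nonce = None, 0
        self.refuse_reinstall = refuse_reinstall

    def install_key(self, key: bytes) -> bool:
        # Countermeasure from the paper: installing the key that is already in
        # use must not reset the nonce (or the receive replay counter).
        if self.refuse_reinstall and key == self.key:
            return False
        self.key, self.nonce = key, 0  # a genuinely new key restarts nonces
        return True

    def encrypt(self, plaintext: bytes):
        self.nonce += 1
        ks = keystream(self.key, self.nonce, len(plaintext))
        return self.nonce, xor(plaintext, ks)

def simulate(refuse_reinstall: bool):
    """Install a key, send a frame, deliver the same key again (as a retransmitted
    handshake message does), send another frame. Returns (nonce_reused, leak):
    leak is True when ct1 XOR ct2 == p1 XOR p2, i.e. keystream was reused."""
    key = b"session-key-demo"
    p1, p2 = b"GET /account HTTP/1.1", b"GET /mailbox HTTP/1.1"
    c = Client(refuse_reinstall)
    c.install_key(key)
    n1, ct1 = c.encrypt(p1)
    c.install_key(key)  # the reinstallation
    n2, ct2 = c.encrypt(p2)
    return n1 == n2, xor(ct1, ct2) == xor(p1, p2)
```

`simulate(False)` reproduces the unguarded behaviour (nonce reused, keystream reused); `simulate(True)` shows that the guard keeps the nonce counting upward, which is why the fix is a client-side patch rather than a change to WPA2 itself.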
Less technical, from an email I received from EasyDNS.com:
WPA2, the encryption algorithm in use today on nearly all WIFI access points has been discovered to have a major security flaw which renders them hackable.
The upshot is that attackers will be able to read all data traversing the WIFI access point (another reason to use VPN sessions to further encrypt your data before it flows over the air). Security researchers will release their findings at Computer and Communications Security (CCS) on November 1, 2017. My understanding of this so far is that once the paper drops and the inevitable exploits follow, both the access point and the clients will need vendor patching to be secure. Think “heart bleed” to the exponent “shell shock”.
MPG: every iPhone and iPad and laptop and similar user relying on WiFi should take pause, particularly at public WiFi access points that might not get patched (remember the Equifax screw-up? No need to remember; at present it is a worse screwup).
Don H writes that Apple already has a patch, albeit only in beta versions of macOS and iOS. The claims in that link are that once the iPhone/iPad/Mac are patched, they will be safe to use anywhere. Kudos to Apple for rolling this out quickly (assuming that happens).
This site and diglloyd.com use https, which, as far as I understand it, protects user data, but that is not a statement of fact, only what I believe is correct, having worked with encryption as an engineer for some years.
WPA2: Broken with KRACK. What now?
Falling through the KRACKs
Reddit.com list of patches
GitHub list of vendor patches