Wireless carriers still selling Americans’ real-time location data

Promises, schomises – apparently U.S. wireless carriers didn’t clean up their acts after the Securus or LocationSmart scandals and stop selling access to their customers’ real-time location data. Because Motherboard’s Joseph Cox was able to pay a bounty hunter $300 to track down a T-Mobile phone’s location.

This time it was Zumigo that sold the location data to Georgia-based credit reporting company Microbilt, which then sold the location data to others. Three hundred bucks later, a massive up-charge from Microbilt’s $4.95 to search for a single device, the bounty hunter’s bail bond company contact provided a screenshot of Google Maps with a blue circle showing the phone’s location in Queens, New York. It’s a really good article that is likely to infuriate you if you care about privacy – or companies keeping their promises.

Sen. Ron Wyden (D-Ore.) called how wireless carriers sell the locations of Americans a “nightmare for national security and the person safety of anyone with a phone.” Wyden also pointed out:

After I exposed these dangerous practices last year, several carriers, including @tmobile’s CEO @JohnLegere told me point blank that his company would stop selling customer location data to shady third parties. https://t.co/JSASCP2PWH

— Ron Wyden (@RonWyden) January 8, 2019

Indeed, back then, Legere snarkily tweeted:

Sounds like word hasn’t gotten to you, @ronwyden. I’ve personally evaluated this issue & have pledged that @tmobile will not sell customer location data to shady middlemen. Your consumer advocacy is admirable & we remain committed to consumer privacy. https://t.co/UPx3Xjhwog

— John Legere (@JohnLegere) June 19, 2018

“Major carriers pledged to end these practices, but it appears to have been more empty promises to consumers,” Wyden tweeted. “It’s time for Congress to take action by passing my bill to safeguard consumer data and hold companies accountable.”

Other cybersecurity news

The state of web application flaws in 2018

According to Imperva’s “The State of Web Application Vulnerabilities in 2018,” injections were the top vulnerability – with remote code execution (RCE) being a bigger issue than SQL injection, followed by cross-site scripting (XSS). WordPress vulnerabilities increased by 30 percent in 2018*, with 98 percent of the vulnerabilities being related to plugins. Regarding Drupal, two vulnerabilities resulted in hundreds of thousands of security breaches last year.

New phishing tool bypasses 2FA

ZDNet’s Catalin Cimpanu highlighted a new pen-testing tool, dubbed Modlishka by Polish researcher Piotr Duszyński, that can “automate phishing attacks with an ease never seen before and can even blow through login operations for accounts protected by two-factor authentication (2FA).”

Photos can still trick Android smartphones into unlocking

Four out of 10 Android smartphones with face recognition “security,” can still be tricked to unlock by a photo. After testing 110 smartphones, Dutch Consumentenbond concluded that a photo could fool 42 of the devices into unlocking.

Patch Tuesday fixes issued by Microsoft and Adobe

Microsoft: For the first Patch Tuesday of 2019, the Redmond giant released 49 CVE-related security vulnerabilities – seven of which were rated as critical, and 40 were rated as important. Ten of the CVEs had been reported via the ZDI program.

Tenable said CVE-2019-0547, a memory corruption RCE vulnerability in Windows DHCP client, was the most severe bug to be patched. CVE-2019-0579, an RCE in Windows Jet Database Engine, was the only publicly disclosed flaw, but Microsoft said it was not yet being exploited.

Microsoft also patched two RCE vulnerabilities in Hyper-V. And if you don’t want an attacker to bypass your Android lock screen via Skype, then grab the fix for that Skype elevation of privilege flaw (CVE-2019-0622).

Hopefully you didn’t skip the out-of-band patch for Internet Explorer released in December due to it being exploited. If you did, then make sure you grab it now.

Security patches for Microsoft Office can be found here.

Additionally, Ivanti’s Chris Goettl noted, “Microsoft has released an updated servicing stack for Windows 10 1703. This is the only servicing stack update this month. Servicing stack updates update the update system. … Err if that makes any sense. In other words, if you don’t do this update, you may not be able to reliably do future updates amongst other changes to the system.”

Adobe: Adobe released a patch for Flash Player, but it was related to bug fixes instead of security fixes. However, the patches for Adobe Connect and Adobe Digital Editions were to close security holes. The two critical CVEs had been reported via the ZDI program.

Another stupid IoT flaw, this time involving “smart” hot tubs

It’s beyond me why anyone would actually want to hook their hot tub to the internet because sure enough, tens of thousands of those “smart” hot tubs can indeed be hacked. Pen Test Partners delved into the pwnage procedure. Balboa Water Group failed to respond after being notified of the flaw until the BBC got involved in December.

LeakLooker can find open databases in seconds

If you, too, want to join the drama of dealing with companies after finding proof of their irresponsibility regarding securing databases, then look no further than LeakLooker. Of course, there’s no guarantee that only white hats will be interested in the tool.

According to the TL;DR on Hacker Noon, “With LeakLooker you can find publicly open MongoDB, CouchDB and Elasticsearch database; it also includes Kibana instances. Script parses results from Shodan, excluding empty and compromised databases. Everything is sorted and presented in clickable way.”

From the 100% creepy department

Why settle for total surveillance of adults when you can surveil kids, as well? The Global Times reported that – where else but in China – schools have opted to have students wear “intelligent uniforms to better monitor students’ attendance and whereabouts.” The schools supposedly don’t try to check the accurate geolocation of students outside of the school hours, “but when the student is missing and skipping classes, the uniforms help locate them.”

Device to detect skimmers and hidden cameras in restrooms or hotels

Sick of the pain in the hiney it causes after your payment card has been skimmed? Then you might be interested in the Descamer device being shown off at CES 2019. The fob, which fits on a keyring, can allegedly “detect credit card skimmers at gas stations, hidden Bluetooth cameras in public restrooms or hotels, as well as any other illicit Bluetooth signals anywhere you go.” To use it, “You simply press the button on dScmr, which initiates the detection process by filtering out ‘known to be good’ Bluetooth signals while zeroing in on the potential ‘bad guys’ and alerting the user via a simple green light=good, red light=bad indication.” 

Other security tidbits:

• The government shutdown has been blamed for severely weakening cybersecurity in the U.S.

•  Meanwhile in Britain, the first CISO for the U.K.’s National Health Service lasted a whole three months before resigning; the position came about after the WannaCry ransomware attack.

• Tired of Kaspersky Lab getting a bad rap by the U.S. government? Then you might enjoy reading how the Russian company helped catch an alleged NSA data thief.

• If $4 for Microsoft Office 2016 Professional Plus sounds too good to be true, that’s because it is. Krebs on Security said such software can be purchased from sellers on eBay because sellers are reselling access to existing Microsoft Office accounts.

* Updated Jan. 14, 2019, to correct an error from Imperva’s annual The State of Web Application Vulnerabilities in 2018 report.