Promises, schomises – apparently U.S. wireless carriers didn’t clean up their acts after the Securus or LocationSmart scandals and stop selling access to their customers’ real-time location data, because Motherboard’s Joseph Cox was able to pay a bounty hunter $300 to track down a T-Mobile phone’s location.

This time it was Zumigo that sold the location data to Georgia-based credit reporting company Microbilt, which then sold the location data to others. Three hundred bucks later (a massive up-charge from the $4.95 Microbilt charges to search for a single device), the bounty hunter’s bail bond company contact provided a screenshot of Google Maps with a blue circle showing the phone’s location in Queens, New York. It’s a really good article that is likely to infuriate you if you care about privacy – or companies keeping their promises.

Sen. Ron Wyden (D-Ore.) called how wireless carriers sell the locations of Americans a “nightmare for national security and the person safety of anyone with a phone.” Wyden also pointed out:

After I exposed these dangerous practices last year, several carriers, including @tmobile’s CEO @JohnLegere told me point blank that his company would stop selling customer location data to shady third parties. https://t.co/JSASCP2PWH
— Ron Wyden (@RonWyden) January 8, 2019

Indeed, back then, Legere snarkily tweeted:

Sounds like word hasn’t gotten to you, @ronwyden. I’ve personally evaluated this issue & have pledged that @tmobile will not sell customer location data to shady middlemen. Your consumer advocacy is admirable & we remain committed to consumer privacy. https://t.co/UPx3Xjhwog
— John Legere (@JohnLegere) June 19, 2018

“Major carriers pledged to end these practices, but it appears to have been more empty promises to consumers,” Wyden tweeted. “It’s time for Congress to take action by passing my bill to safeguard consumer data and hold companies accountable.”

Other cybersecurity news

The state of web application flaws in 2018

According to Imperva’s “The State of Web Application Vulnerabilities in 2018,” injections were the top vulnerability – with remote code execution (RCE) being a bigger issue than SQL injection, followed by cross-site scripting (XSS). WordPress vulnerabilities increased by 30 percent in 2018*, with 98 percent of those vulnerabilities being related to plugins. Regarding Drupal, two vulnerabilities resulted in hundreds of thousands of security breaches last year.

New phishing tool bypasses 2FA

ZDNet’s Catalin Cimpanu highlighted a new pen-testing tool, dubbed Modlishka by Polish researcher Piotr Duszyński, that can “automate phishing attacks with an ease never seen before and can even blow through login operations for accounts protected by two-factor authentication (2FA).”

Photos can still trick Android smartphones into unlocking

Four out of 10 Android smartphones with face recognition “security” can still be tricked into unlocking by a photo. After testing 110 smartphones, the Dutch Consumentenbond concluded that a photo could fool 42 of the devices into unlocking.

Patch Tuesday fixes issued by Microsoft and Adobe

Microsoft: For the first Patch Tuesday of 2019, the Redmond giant released fixes for 49 CVE-listed security vulnerabilities – seven of which were rated as critical, and 40 of which were rated as important. Ten of the CVEs had been reported via the ZDI program.

Tenable said CVE-2019-0547, a memory corruption RCE vulnerability in the Windows DHCP client, was the most severe bug to be patched. CVE-2019-0579, an RCE in the Windows Jet Database Engine, was the only publicly disclosed flaw, but Microsoft said it was not yet being exploited.

Microsoft also patched two RCE vulnerabilities in Hyper-V. And if you don’t want an attacker to bypass your Android lock screen via Skype, then grab the fix for that Skype elevation of privilege flaw (CVE-2019-0622).

Hopefully you didn’t skip the out-of-band patch for Internet Explorer released in December, which was issued out of band because the flaw was being exploited. If you did, then make sure you grab it now.

Security patches for Microsoft Office can be found here.

Additionally, Ivanti’s Chris Goettl noted, “Microsoft has released an updated servicing stack for Windows 10 1703. This is the only servicing stack update this month. Servicing stack updates update the update system. … Err if that makes any sense. In other words, if you don’t do this update, you may not be able to reliably do future updates amongst other changes to the system.”

Adobe: Adobe released a patch for Flash Player, but it was related to bug fixes instead of security fixes. However, the patches for Adobe Connect and Adobe Digital Editions were to close security holes. The two critical CVEs had been reported via the ZDI program.

Another stupid IoT flaw, this time involving “smart” hot tubs

It’s beyond me why anyone would actually want to hook their hot tub to the internet, because sure enough, tens of thousands of those “smart” hot tubs can indeed be hacked. Pen Test Partners delved into the pwnage procedure. Balboa Water Group failed to respond after being notified of the flaw until the BBC got involved in December.

LeakLooker can find open databases in seconds

If you, too, want to join the drama of dealing with companies after finding proof of their irresponsibility regarding securing databases, then look no further than LeakLooker. Of course, there’s no guarantee that only white hats will be interested in the tool.

According to the TL;DR on Hacker Noon, “With LeakLooker you can find publicly open MongoDB, CouchDB and Elasticsearch database; it also includes Kibana instances. Script parses results from Shodan, excluding empty and compromised databases. Everything is sorted and presented in clickable way.”

From the 100% creepy department

Why settle for total surveillance of adults when you can surveil kids, as well? The Global Times reported that – where else but in China – schools have opted to have students wear “intelligent uniforms to better monitor students’ attendance and whereabouts.” The schools supposedly don’t try to check the accurate geolocation of students outside of school hours, “but when the student is missing and skipping classes, the uniforms help locate them.”

Device to detect skimmers and hidden cameras in restrooms or hotels

Sick of the pain in the hiney it causes after your payment card has been skimmed? Then you might be interested in the Descamer device being shown off at CES 2019. The fob, which fits on a keyring, can allegedly “detect credit card skimmers at gas stations, hidden Bluetooth cameras in public restrooms or hotels, as well as any other illicit Bluetooth signals anywhere you go.” To use it, “You simply press the button on dScmr, which initiates the detection process by filtering out ‘known to be good’ Bluetooth signals while zeroing in on the potential ‘bad guys’ and alerting the user via a simple green light=good, red light=bad indication.”

Other security tidbits:

• The government shutdown has been blamed for severely weakening cybersecurity in the U.S.

• Meanwhile in Britain, the first CISO for the U.K.’s National Health Service lasted a whole three months before resigning; the position came about after the WannaCry ransomware attack.

• Tired of Kaspersky Lab getting a bad rap from the U.S. government? Then you might enjoy reading how the Russian company helped catch an alleged NSA data thief.

• If $4 for Microsoft Office 2016 Professional Plus sounds too good to be true, that’s because it is. Krebs on Security said such software can be purchased from sellers on eBay because the sellers are reselling access to existing Microsoft Office accounts.

* Updated Jan. 14, 2019, to correct an error from Imperva’s annual The State of Web Application Vulnerabilities in 2018 report.