
The Technology blog and podcast

Commentary, articles, and podcasts for the technology blog and podcast


Archive: April 2021


The Security box, podcast 39 for April 14, 2021

Welcome to podcast 39 of the Security Box. Looks like we’ve got commentary from the replay of broadcast 38’s airing. We’ll answer any questions from those comments, if any, as well as talk about yet another story I read afterward in regards to Facebook, and why it might be a good idea to remove your telephone number or use something like a Google Voice or TextNow number instead of your primary one. We’ll have news, notes, commentary and more. We hope you enjoy the program as much as I have bringing it to you. Thanks for listening!

Topic: More on Facebook, why Brian Krebs deleted his Facebook account

In an article that I read on April 7th, Brian goes into detail on why he eventually deleted his Facebook account in January 2020.

According to the article, a paragraph says:

The phone number associated with my late Facebook account (which I deleted in Jan. 2020) was not in HaveIBeenPwned, but then again Facebook claims to have more than 2.7 billion active monthly users.

We know that Facebook has never been trustworthy after any type of incident, and I honestly don’t believe that Mr. Krebs couldn’t be part of the 533 million people affected by the breach. Checking with the site, yours truly isn’t affected either, but I honestly wouldn’t put much weight on that nowadays, especially since the data itself is two years old.

The supposed database has been kicking around the Internet cybercrime community since last summer, according to the article. I’ve never seen any of these databases, and with the massive number of databases out there and what they contain, who could confirm every piece of data in them? I like Have I Been Pwned and what it is trying to offer, so don’t get me wrong when I question it telling me that I’m not in there when I put my mobile number in the site to check. A negative result only means your number isn’t in the copy of the data that was loaded, not that it was never exposed.

We now learn that the database has been circulating since June 2020 and includes names, mobile numbers, gender, occupation, city, country and marital status. It covers users in 100 different countries, and there is a link to a January 2021 Twitter post within the article.

KrebsOnSecurity goes on to talk about what might happen if someone with malicious intent gets hold of your mobile number. One of the things that could happen is your phone number changing hands, otherwise known as a SIM-swapping attack. This happens when an employee at your mobile carrier is tricked into moving your number to a SIM the attacker controls, and you don’t find out until your own phone stops working. Once the attacker holds the number, they also receive any SMS one-time codes sent to it, which is what makes the number worth stealing.

Brian talks about how it is probably time to remove your number from services like Facebook once verification of the account is complete. I’m almost tempted to do this myself. There is a very interesting paragraph that got my attention. It says:

Why did KrebsOnSecurity delete its Facebook account early last year? Sure, it might have had something to do with the incessant stream of breaches, leaks and privacy betrayals by Facebook over the years. But what really bothered me were the number of people who felt comfortable sharing extraordinarily sensitive information with me on things like Facebook Messenger, all the while expecting that I can vouch for the privacy and security of that message just by virtue of my presence on the platform.

We can’t vouch for the privacy of a sensitive message just because we’re on the platform. I’ve never used Facebook or its Messenger client for anything sensitive anyway, but that paragraph is very important.

Are You One of the 533M People Who Got Facebooked? is the question and the article title we’re talking about in this segment; do read the article.

News Notes and more

  • According to an article found on April 8th and written the day before, Shopify customer data got out, and not in the way you might think: insiders were paid for it. According to the article, a California man, Tassilo Heinrich, is charged with identity theft and conspiracy to commit wire fraud, while two people outside the United States, located in Portugal and the Philippines, were not charged. I don’t understand why these two outside of the United States aren’t charged; they received stolen data and could have had the opportunity to use it. California man indicted for stealing Shopify customer data is the article, do give it a read.
  • Think ransomware is going away? Not so fast! This time, an article talks about gangs emailing customers of the companies they hack to tell the customer that the company got hacked. The purpose of emailing customers is of course to pressure the company into paying up, although as we know, paying doesn’t necessarily mean anything, as ransomware gangs are only in it for the money. Ransom Gangs Emailing Victim Customers for Leverage comes from Krebs on Security and is definitely a good read.
  • I blogged about this article on the tech blog, but it never made it into news notes from what I can recall. Brian Krebs talked about someone who registered the domain krebonsecurity.top and what they’re using it for. I’ll just quote one of the paragraphs outright: “Let’s just get this out of the way right now: It wasn’t me.” The article talks about the Shadowserver Foundation, who have tracked the Exchange server attacks and the progress of getting servers patched, or lack thereof. According to the article, David Watson, a director of the Shadowserver Foundation Europe, tracked hundreds of unique variants of backdoors that allow the actors to keep access. What was very interesting to me was that one of the executables was called krebsonsecurity.exe; Brian talking about this, plus the malicious domain, made the article worth blogging. I just didn’t have a chance to put it into news notes till now. Read No, I Did Not Hack Your MS Exchange Server for all of these very interesting details.
  • So there was a breach of a water utility in 2019. Cyberscoop’s Sean Lyngaas wrote this article on a Kansas man who was indicted because of that breach. Wyatt Travnichek is alleged to have logged into Ellsworth County Rural Water District’s computer system in 2019 without authorization, and that access led to processes at the facility being shut down. He is also charged with causing damage to a computer system. Angela Naegele, a customer service representative, said the incident had no effect on the drinking water supply. There is no word on whether he bypassed any security controls. Kansas man indicted in connection with 2019 hack at water utility is the article, go on and check it out.
  • Finally, in the “I can’t believe I heard this article” department, Michael in Tennessee read this article from Ars Technica, which really started me thinking about this company’s security posture. The company’s name is Q Link Wireless. They apparently had an app that let you enter any customer telephone number, which you had to know. After doing this within their application for iOS and Android, the person could see anything they wanted within the account with “no password required.” According to the article, the company is a “Mobile Virtual Network Operator” based in Florida. It provides government-subsidized phones to people who qualify under the Lifeline program, and apparently serves at least 2 million customers, according to the article. I suggest you check jaredtech.help as I have a bunch more to say in regards to this story; suffice it to say, they apparently closed this hole server-side, with no communication to the researcher or anyone else who reported it to the company. For the full story of this disaster, read: No password required: Mobile carrier exposes data for millions of accounts (subtitle: Q Link Wireless made data available to anyone who knows a customer’s phone number). Have fun!

We hope you enjoy the program as much as I have bringing it together, make it a great day!


Why is there “no password required” when accessing accounts? What not to do when setting up accounts for services

I’ve been contemplating this article Michael in Tennessee sent me in regards to a wireless company that thought it would be a great idea to have applications for iOS and Android that let people put in any customer’s phone number and gave anyone full read access to all of the data on the account.

When writing up the news notes, I wrote:

Finally, in the “I can’t believe I heard this article” department, Michael in Tennessee read this article from Ars Technica, which really started me thinking about this company’s security posture. The company’s name is Q Link Wireless. They apparently had an app that let you enter any customer telephone number, which you had to know. After doing this within their application for iOS and Android, the person could see anything they wanted within the account with “no password required.” According to the article, the company is a “Mobile Virtual Network Operator” based in Florida. It provides government-subsidized phones to people who qualify under the Lifeline program, and apparently serves at least 2 million customers, according to the article. I suggest you check jaredtech.help as I have a bunch more to say in regards to this story; suffice it to say, they apparently closed this hole server-side, with no communication to the researcher or anyone else who reported it to the company.

The subtitle of the article is: “Q Link Wireless made data available to anyone who knows a customer’s phone number.” and I suppose it just fits, doesn’t it?

The article was written for Ars Technica on April 9th, and sadly it was the last item for news notes. People at this company ought to be ashamed of themselves for thinking this was a great idea.

Q Link offers a mobile app called “My Mobile Account” for both iOS and Android, as stated in the notes quoted above as well as within the article, which I’ll link here as well.

Besides letting you see data usage, minutes available, minute usage and text usage, and buy more minutes or data, the app can also display the customer’s:

  • First and last name
  • Home address
  • Phone call history (from/to)
  • Text message history (from/to)
  • Phone carrier account number needed for porting
  • Email address
  • Last four digits of the associated payment card

This is a lot of data for one account, especially when the company let anyone who knew a subscriber’s phone number see it. Can you imagine what would happen when someone malicious came in and decided to take a look around? Note that the list includes the carrier account number needed to port the number out, which is exactly what a port-out or SIM-swap attacker needs.
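As an added illustration of the flaw described above (this is not Q Link Wireless’s code; the API shape, function names and sample subscribers are all constructed for the example), here is an account lookup in the “phone number is the only credential” style, next to the shape a server-side fix takes: a session is issued only after authentication, and a lookup returns only the account that session belongs to.

```python
"""Constructed example: an account-lookup API keyed only on a phone number,
beside a hardened version bound to an authenticated session. Not vendor code."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class Account:
    phone: str
    name: str
    address: str
    port_out_number: str  # carrier account number needed to port the number out
    card_last4: str


# Constructed sample subscribers (not real data).
ACCOUNTS = {
    "+15551230001": Account("+15551230001", "Alice Example", "1 Main St", "ACCT-0001", "4242"),
    "+15551230002": Account("+15551230002", "Bob Example", "2 Side Rd", "ACCT-0002", "1111"),
}


class AuthError(Exception):
    """Raised when a request is unauthenticated or asks for someone else's account."""


def _to_dict(acct: Account) -> dict:
    return {"name": acct.name, "address": acct.address,
            "port_out_number": acct.port_out_number, "card_last4": acct.card_last4}


# --- The pattern the article describes: the phone number is the only "credential".
def lookup_vulnerable(phone: str) -> dict:
    """Anyone who can guess or enumerate a subscriber number gets the whole record."""
    return _to_dict(ACCOUNTS[phone])


# --- Hardened: authenticate first, then bind every read to the session's own account.
def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


_SALTS = {phone: secrets.token_bytes(16) for phone in ACCOUNTS}
CREDENTIALS = {  # constructed sample passwords, stored only as salted hashes
    "+15551230001": _hash_password("alice-password", _SALTS["+15551230001"]),
    "+15551230002": _hash_password("bob-password", _SALTS["+15551230002"]),
}
SESSIONS: dict[str, str] = {}  # opaque token -> phone number it was issued for


def login(phone: str, password: str) -> str:
    """Issue an unguessable session token after a constant-time password check."""
    salt = _SALTS.get(phone)
    if salt is None or not hmac.compare_digest(
            _hash_password(password, salt), CREDENTIALS[phone]):
        raise AuthError("invalid credentials")
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = phone
    return token


def is_authorized(token: str, phone: str) -> bool:
    """The session must exist and must belong to the account being requested."""
    owner = SESSIONS.get(token)
    return owner is not None and hmac.compare_digest(owner.encode(), phone.encode())


def lookup_hardened(token: str, phone: str) -> dict:
    """Same data as the vulnerable endpoint, but only for the caller's own account.
    The error is identical whether the token is bad or the number belongs to
    someone else, so the endpoint cannot be used to confirm which numbers exist."""
    if not is_authorized(token, phone):
        raise AuthError("not authorized")
    return _to_dict(ACCOUNTS[phone])


if __name__ == "__main__":
    print("vulnerable:", lookup_vulnerable("+15551230002"))  # no credential at all
    tok = login("+15551230001", "alice-password")
    print("hardened, own account:", lookup_hardened(tok, "+15551230001"))
    try:
        lookup_hardened(tok, "+15551230002")
    except AuthError as exc:
        print("hardened, someone else's account:", exc)
```

In a real deployment the login step would also carry a second factor and rate limiting, and the port-out number would not be shown at all without a fresh re-authentication; the point here is only that the lookup key must come from who the caller proved they are, not from what they typed.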

According to the article, this wide-open access has been available since at least December; the article gives no year, but December 2020 is the natural reading.

According to a person on Reddit, they reported this glaring hole to the company and got only a “thank you for reporting this to us.” They reported the same issue twice more this year, in February and again in April. Then this past Thursday, the app stopped connecting to accounts, with a message saying that the number is invalid.

I wonder what they ended up doing. Why did it take this long to fix it? Why didn’t the CEO respond to the reporter’s email(s) when it was brought to his attention?

For the complete write-up by Dan Goodin of Ars, please read: No password required: Mobile carrier exposes data for millions of accounts (Q Link Wireless made data available to anyone who knows a customer’s phone number) for complete details. This is security at its worst. Good job, Q Link Wireless, keep up the great work.


I love good news, Kansas man indicted in connection with 2019 hack at water utility

I love covering articles like this, especially when charges are filed.

A U.S. grand jury has indicted a 22-year-old man for allegedly hacking the computer system of a rural water utility in Kansas and shutting down processes that affect procedures for cleaning and disinfecting water.

Angela Naegele, a customer service specialist at the water utility who answered the phone Thursday, said the 2019 incident had no impact on customers’ drinking water. The utility continuously monitors its water quality and safety, Naegele added.

The indictment did not specify whether Travnichek allegedly circumvented any security controls in his alleged break-in. Prosecutors cited the Safe Drinking Water Act, a 1974 law that mandates contamination-free standards for U.S. water systems, in bringing the charges.

There’s definitely more here including:

Travnichek’s indictment comes two months after another high profile digital intrusion into a water treatment facility near Tampa, Florida. In that incident, an unidentified hacker used a remote software program to breach the facility’s computer system, and temporarily changed the plant’s sodium hydroxide setting to a potentially dangerous level, according to local authorities. A plant operator noticed and reversed the change.

This is critical infrastructure we’re dealing with, and people like this guy just don’t care. I’m glad he’s been picked up and charged.

For complete details: Kansas man indicted in connection with 2019 hack at water utility is what you need to read, and enjoy.


Ransomware gangs not going away? Ransomware and their gangs now have something else up their sleeves

Ransomware isn’t going anywhere. In fact, it’s been reported in podcasts that the actors are now emailing or even calling their victims’ customers to get the customers to push the victim into paying. If I remember correctly from reports I’ve heard, it hasn’t worked so well, and even if the customer calls the company and the company pays, that’s not the end of the possible problems.

Krebs on Security covers this quite well, and I think it’s worth passing along to my readers as well.

In his article, Brian reproduces a letter that was sent to a customer of a business.

This letter is from the Clop ransomware gang, putting pressure on a recent victim named on Clop’s dark web shaming site.

“Good day! If you received this letter, you are a customer, buyer, partner or employee of [victim],” the missive reads. “The company has been hacked, data has been stolen and will soon be released as the company refuses to protect its peoples’ data.”

“We inform you that information about you will be published on the darknet [link to dark web victim shaming page] if the company does not contact us,” the message concludes. “Call or write to this store and ask to protect your privacy!!!!”

To make things worse, the company that was hit this time came back and said that it was part of a third-party breach, and as we know, those can’t be good.

In response to questions from KrebsOnSecurity, RaceTrac said it was recently impacted by a security incident affecting one of its third-party service providers, Accellion Inc.

We talked about Accellion and its legacy File Transfer Appliance (FTA) on a recent Security Box, which is the direction this blog and podcast seem to be heading. Don’t worry, I still need to get a tech podcast out, although now I don’t remember what I wanted to do with it. I digress.

The University of California was one of several universities that had been hit with Clop’s ransomware, and I’m sure that this isn’t the last we’ll hear from this gang.

There are lots of links and lots more, so Ransom Gangs Emailing Victim Customers for Leverage is the article, go and check it out. Enjoy!


Rogue employees can be part of the breach problem … hope these two employees got fired

According to an article I read from The Verge, rogue employees can be part of the breach problem. The article was written on April 7th, and I found it on my Twitter feed.

The article is entitled California man indicted for stealing Shopify customer data and talks about a man by the name of Tassilo Heinrich, who paid Shopify employees to get him data on customers, which he then sold to two people outside the United States. According to the article, this breach affected fewer than 200 merchants and came down to employees abusing their access. A linked article said that one of the merchants involved was Kylie Jenner’s makeup company, Kylie Cosmetics.

For full information on this one, please read the article. Glad in this case it was bad employees, and not a full-blown breach. As a side note, the employees passed the data along as Google Drive links as well as images.

According to the article, Mr. Heinrich is charged with identity theft and conspiracy to commit wire fraud; his two co-conspirators, based in Portugal and the Philippines, were not charged.


The Security box, podcast 38: Facebook at it again, news, notes and more

Hello folks,

The RSS feed is updated with today’s program, which aired on the Independent Artist channel on the Mix. Don’t have RSS? Don’t worry! Here is the 100.8MB file.

Below, please find the entire show notes for all to read. The News Notes section is shorter due to time constraints, but good stuff too.

Welcome to the Security Box, podcast 38. This week, we had planned to go back to DKIM and have a discussion on it, but we aren’t going to do that. Why? It looks like news has gotten out about Facebook’s 2019 breach and the 533 million people whose information may now be out there for free on the open Internet, having already been sold on the dark web when the initial breach occurred. We’ll have news, notes and more as well as your thoughts and comments to boot. Enjoy the program!

Topic: Has Facebook done it again?

Michael in Tennessee sent me an article from Phone Scoop, and I also saw the article we’ll be taking from, which came from Cyberscoop. It looks like Facebook is really paying for a 2019 breach in which 500-plus million people’s information, including phone numbers, was exposed somehow; Facebook later patched the hole.

The data, which comes from people from over 100 countries, includes users’ phone numbers, email addresses, full names, birthdates and location, among other identifiers, according to Insider, which first “reported the news.”

The leak was first reported by Motherboard, according to the article. The only thing that I’m unclear on is the part about the leak having been reported by Motherboard in January.

The information was made available by paying a Telegram bot a couple of bucks for the details, according to the article. Facebook removed the ability to search for people by telephone number after the breach. Facebook will be probed by Ireland’s data protection regulator, and it’s unclear if the FTC in the United States will follow suit.

The article goes on about what the actors may do with the information now that it has been made available for free. Troy Hunt has loaded the data from the breach into Have I Been Pwned, so you can check whether your number is in it.

For more information and to read the full article, 533 million Facebook users’ personal data leaked online is the article and do read this.

News Notes for podcast 38

  • Office 365 is no stranger to attack. A PhishLabs article talks about the latest threat. This time, actors abuse the redirect mechanism behind Google Ads so that a link that appears to go to Google lands on whatever lookalike login page they want. The catch is that once you log in, they capture your credentials and then send you on to your real account, so nothing looks wrong. For complete information, Breaking Down the Latest O365 Phishing Techniques is the article, which walks through this entire process.
  • Ubiquiti is back in the news. A post by Krebs on Security talks about the latest drama at the company, which has now come out and admitted there was a problem. After making a change that pushed people to log in to their gear through Ubiquiti’s cloud accounts, users were later told to reset their passwords because a “third-party cloud provider” may have been breached. There’s more, including the very interesting point that the company should have invalidated all credentials. Ubiquiti All But Confirms Breach Response Iniquity is the article. This is going to get very interesting now.
  • Finally, due to time constraints, I’ve got some good news I want to pass along. Another dark web boss has pleaded guilty. His site, DeepDotWeb, earned referral commissions from dark web markets selling heroin, firearms and hacking tools, and he pleaded guilty to money laundering. Tal Prihar was arrested by French authorities. Read Cyberscoop’s article DeepDotWeb boss pleads guilty to laundering millions for more.

Thanks so much for listening!


The Security Box, podcast 37: The Beginning of DKIM and other stuff

It looks like I did not put the show notes up on the blog for podcast 37’s Security Box. Sorry about that!

The RSS feed has been updated with the program.

Don’t worry, those who don’t have RSS can get the 166.76MB file right here.

Want the show notes? You’ve got those coming right up.

Welcome to the Security Box, podcast 37. On this episode of the program, we’re going to talk about something I don’t think people know much about dealing with email: verification of domains in the process, the standards behind it, what it is and how it came to be. We will also cover a very interesting webinar that I listened to by Trend Micro that dealt with the security predictions for 2021. We’ll also have news, notes, questions, comments and more as the show progresses, along with anything listeners choose to contribute. I hope you enjoy the show as much as I have bringing it together for you, and thanks so much for listening!

Topic: DKIM

DKIM is short for DomainKeys Identified Mail. In short, the sending domain signs selected headers and a hash of the message body with a private key, and receivers fetch the matching public key from DNS to check the signature. This may take several programs to cover, and I think it’s time, seeing how we had some issues that were the result of it in passing. I’ll talk about those issues in this episode and we’ll get through some of the document.
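As an added example (this is not code from the podcast or from the DKIM specification), here is the body-hash part of a DKIM check, which is the piece a verifier can do before it ever touches DNS: parse the DKIM-Signature tag list, canonicalize the body the way the c= tag says, hash it, and compare with bh=. The header value and message body below are constructed. A real verifier would go on to fetch the TXT record at selector._domainkey.domain and check the b= signature with that key, which this example only names.

```python
"""Constructed example: DKIM-Signature parsing and body-hash (bh=) verification.
Implements only rsa-sha256 with 'relaxed' body canonicalization (RFC 6376)."""
import base64
import hashlib
import hmac
import re


def parse_tags(header_value: str) -> dict:
    """Split a DKIM-Signature value ('v=1; a=rsa-sha256; ...') into a tag dict.
    Folding whitespace inside values (common in long bh=/b= values) is dropped."""
    tags = {}
    for part in header_value.split(";"):
        if "=" not in part:
            continue
        key, value = part.split("=", 1)  # base64 '=' padding stays in the value
        tags[key.strip()] = re.sub(r"\s+", "", value)
    return tags


def relaxed_body(body: bytes) -> bytes:
    """RFC 6376 section 3.4.4 'relaxed' body canonicalization: strip trailing
    SP/TAB on each line, collapse runs of SP/TAB to one SP, drop trailing empty
    lines, and end with a single CRLF (an empty body stays empty)."""
    lines = body.replace(b"\r\n", b"\n").split(b"\n")
    lines = [re.sub(rb"[ \t]+", b" ", line.rstrip(b" \t")) for line in lines]
    while lines and lines[-1] == b"":
        lines.pop()
    return b"\r\n".join(lines) + b"\r\n" if lines else b""


def body_hash(body: bytes) -> str:
    """Base64 SHA-256 of the canonicalized body, i.e. what a signer puts in bh=."""
    digest = hashlib.sha256(relaxed_body(body)).digest()
    return base64.b64encode(digest).decode("ascii")


def verify_body_hash(dkim_signature: str, body: bytes) -> bool:
    """Check the bh= tag against the received body. Anything other than
    rsa-sha256 with relaxed body canonicalization is rejected, not guessed at."""
    tags = parse_tags(dkim_signature)
    if tags.get("v") != "1" or tags.get("a") != "rsa-sha256":
        return False
    canon = tags.get("c", "simple/simple").split("/")
    if len(canon) != 2 or canon[1] != "relaxed":
        return False
    return hmac.compare_digest(tags.get("bh", "").encode(), body_hash(body).encode())


def dns_record_name(dkim_signature: str) -> str:
    """Where the public key lives: <selector>._domainkey.<domain> (TXT record)."""
    tags = parse_tags(dkim_signature)
    return f"{tags['s']}._domainkey.{tags['d']}"


if __name__ == "__main__":
    # Constructed message: the signer saw the body with messy whitespace and
    # trailing blank lines; the verifier sees a tidier copy. Relaxed
    # canonicalization makes both hash the same.
    signed_body = b"Hello  world \r\n\r\n\r\n"
    sig = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=sel2021; "
           "h=from:to:subject; bh=" + body_hash(signed_body) + "; b=AAAA")
    print("key record:", dns_record_name(sig))
    print("bh matches received body:", verify_body_hash(sig, b"Hello world\r\n"))
    print("bh matches altered body:", verify_body_hash(sig, b"Hello world!\r\n"))
```

Two things worth noticing: a body-hash mismatch is the usual reason a signature “breaks” when a mailing list or gateway rewrites a message, and the comparison against bh= is done in constant time even though the value is public, simply so the habit carries over to the b= check.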

Webinar: Turning the Tide: Security Predictions 2021

This was quite eye-opening. Usually these predictions are in writing on a blog, and we can pick them apart. This time it’s in a video, and I hope people enjoy it. I did.

News Notes and more

  • Phishing is definitely continuing to be the topic of the landscape, now more than ever, even with the pandemic continuing to rage on. In an article I spotted on PhishLabs, they analyzed 100,000 phishing sites to see where they were hosted: some are on free hosts, some are compromised websites, and others are domains that had expired and were snatched up, or were registered outright for the purpose. The analysis covered a three-month period and found the following: 38.3% used compromised websites, 37.4% abused free hosting services, and 24.3% used maliciously registered domain names. Within the article, terms such as “maliciously registered” are defined. There are two main headings, “Discerning Compromised vs Malicious Domain Registration” and “Free Hosting Abuse,” which should be read if nothing else. This was definitely a great read, and news worth sharing. Most Phishing Attacks Use Compromised Domains and Free Hosting is the article.
  • Shortly after podcast 35’s airing, an article was posted that made it into Trend Micro’s “This Week in Security News” roundup, which is posted to our blog. While I’m not going to link to that roundup in news notes, one article about the SolarWinds breach came to light. According to a Swiss firm, Prodaft, an APT actor had access to victims’ networks for quite a while. The name of this group is SilverFish. SilverFish carried out a sophisticated attack on at least 4,720 targets, which included governmental institutions, global IT providers, dozens of banking institutions in the U.S. and EU, major auditing/consulting firms, one of the world’s leading Covid-19 test kit manufacturers, and aviation and defense companies. The hackers worked a normal day, Monday through Friday, 8 AM to 8 PM, according to the article. The report is linked within the article, which is entitled Swiss Firm Says It Has Accessed Servers of a SolarWinds Hacker, so go ahead and read this one if you read nothing else.
  • Speaking of phishing, we can’t forget that Covid-19 scams are still out there. A Cyberscoop article goes into detail about the recent rounds of phishing pages that ask for Office 365 credentials after an email about supposed vaccine issues or the like. All of us now have a chance to get vaccinated; check with your state or pharmacy for complete details for your needs. COVID-19 vaccine scammers are still lurking is the article, and please give it a read.
  • Finally, patching of the Microsoft Exchange flaws is well under way, with 92 percent of servers now patched after what is, as far as we’re aware, the biggest breach in business history to date. There are lots of links within Cyberscoop’s article, so it’s best to read the article entitled Patching is trucking along on Microsoft flaws, but hackers are still meddling.

Thanks so much for listening, and make it a great day!


Looks like Facebook is now paying for an old breach

According to several articles out there, Facebook is now paying for an apparent mistake that allowed people to get access to phone numbers. While they fixed the vulnerability, hackers have now made the data from the 533 million-user breach, which includes 32 million accounts in the United States alone, publicly available.

Apparently, this breach occurred in 2019, and a Telegram bot would accept a couple of bucks for access to the data.

Now, you know where this is going, right? The actors can now call you or do anything they want with your phone number, so be aware of what is happening now.

Cyberscoop has the details on this latest Facebook ordeal, so go read it. 533 million Facebook users’ personal data leaked online is the article.


Mobile news for April 7 could be a potential issue

First, from Redmond Pie, we have:
1. LG is shutting down.

LG Confirms It Will No Longer Be Making Smartphones Anymore

From July 31 this year, LG phones will be dying out.
If you want an LG unit, get one now.
Apparently they have good audio etc. and will have updates and support for a while, but still, LG is switching to components, electric cars, etc.
No more phones though, but well, there we go; it’s been rumoured for ages.

The second, and more troubling, is this.

uMobix Lets You Keep Track Of Your iPhone And Android With Ease

The article intro blurb states:
Keeping tabs on iPhones and Android phones is something that plenty of people have legitimate reasons to want to do. Parents in particular need to know what their children are doing with their devices, not to mention where they’re going. uMobix is an app and service that makes that possible.
Once the uMobix client has been installed on the device that needs to be tracked, it’s easy to keep tabs on call history, text messages, social media apps that are being used, and more.
You’ll also have access to a GPS location tracker so you’ll always know where the phone has been and when it was there.
Need to know exactly what someone is doing with their device?
uMobix also includes a keylogger so you will always know what your kids are typing.
uMobix captures and records all user keyboard activity, whether into web browsers, messaging, or apps. You can get full insight into all keystrokes initiated.
The uMobix website has a handy demo to show what all of the features do and how they operate, and you can take it for a spin in no time at all by creating an account there and then.
The amount of information you’ll be able to track is impressive and, importantly, it could be hugely important as well.
The article doesn’t go into the obvious downfalls of this.
1. Who is “you”?
Is it you, or is it a hacker?
Sure, I could see a reason to use this.
Teenagers, children, the list can go on: elderly people, other cases like that, people like myself.
But when is too much too much?
1. Tracking where you are.
OK, I guess that happens anyway.
2. Your text messages, phone calls, what apps you use and what you type online.
I admit it here: I am, well, an absolute bastard online. I wouldn’t trust myself with a laser rifle, not to mention that humans can post without thinking.
It’s hard to have your digital and real worlds mesh; it’s really hard to try to equate real and virtual rules to your real-world profile.
You build a profile up of whoever you are posting to, and it’s more often than not totally wrong.
I’d have a legit issue with everyone knowing what I do online, Twitter and social networks. I guess if you were a bully or predator, maybe, but I see no other reason for all this.
Assuming this all complies with the Google permissions policies coming into force, even then.
Checking emails, knowing where you are and logging your keystrokes.
No human should have that information.
Now I haven’t, nor will I be, visiting the site in question, but assuming all the information is in a secured account, assuming it’s actually secured with encryption, passwords and extra-on-extra security, assuming it works, then yeah, this would be really good.
Sadly I can find a lot more issues than, well, good points.
1. It’s known hackers will use legit software to do bad things.
2. All that information is on your phone, assuming it’s all dialing home somewhere, which means everything you do is no longer private or secure.
If this was like this on Windows I’d remove all my security software, firewalls and everything, I’d set weak passwords on my bank and I’d post all my information to every hacker out there.
It’s just not a good idea to handle this like this.
Next, has anyone thought about the battery drains and what we have had to let go?
Covid-19 has meant you need to be tracked and the government needs to know where you are.
Granted, that information needs to be transferred via a randomly generated security access code, and that program is held by the government, and the tracers need to give you a security code to enter and no one knows it, but still.
We need to be tracked; we already push so much online, data use and costs, data caps, not to mention the battery.
Next, avoiding the first thing made in point 1, there is almost no need to have the information; in other words, for the same things that would need the information there are also a lot of reasons why not.
The biggest thing is us humans put too much out already, even when we don’t want to.
And automation does more.
I am currently away, and have had to remove printers, TVs, and a host of other extra programs and other things off of my workstation because Windows assumes on each network I access I will want access to the devices in question.
Next, of course, is how secure is the client to access?
One would assume there would be a password, but kids are smart.
I know friends with blocking programs set on their systems to track them because of actual good reasons, friends that have managed to hack or get by other means, like watching their parents access them, to remember the passwords, turning the program on and off.
Even if we do take all this away, can you imagine what someone could do with every keystroke, everything written, passwords, etc.? You may as well not use security software or any passwords at all.
We get so many spam calls and the like.
Can you imagine if you are told by someone they have your uMobix password and you need to pay a million to stop your information being uploaded?
And what if it actually is?
Every password is compromised.
Your identity stolen.
Your credit cards gone, and you are in jail for multiple crimes you haven’t physically done, but all the data says that you have.
The hackers have broken into everything from government to police and have control of all data.
All the lawsuits.
Then what?
Things will have to be made more secure, which means legit reasons to get into things will become even harder, and round and round it will go till World War 3 happens.
Oh, did I mention that that may happen too?
In short, it’s just not a good idea to use this.
uMobix could become the next security nightmare.
The easiest thing to do is not start.
On the other hand, this could actually work.
But no one will want to be tracked, and can you imagine all the family and other relationship squabbles that will result from this program?
I have a few extreme religious families that have broken up due to restrictions.
And while a couple got away and won’t be back, one is completely on the “give me cash because God told me” and the other has gone away and is mentally unstable.
Won’t even talk to her mum, and is on who knows what and wants things.
This is without uMobix.
Even if this does go through, even without all this, is it worth it?
I suspect it’s not.

