The Security Box, podcast 39 for April 14, 2021

Welcome to podcast 39 of the Security Box. Looks like we’ve got commentary from the replay of broadcast 38’s airing. We’ll answer any questions from those comments, if any, as well as talk about yet another story I read afterward in regards to Facebook and why it might be a good idea to remove your telephone number or use something like Google or Text Now as your number instead of your primary one. We’ll have news, notes, commentary and more. We hope you enjoy the program as much as I have bringing it to you. Thanks for listening!

Topic: More on Facebook, why Brian Krebs deleted his Facebook account

In an article that I read on April 7th, Brian goes into detail on why he eventually deleted his Facebook account sometime in 2020.

One paragraph in the article says:

The phone number associated with my late Facebook account (which I deleted in Jan. 2020) was not in HaveIBeenPwned, but then again Facebook claims to have more than 2.7 billion active monthly users.

We know that Facebook has never been trustworthy after any type of incident, and I honestly don’t believe that Mr. Krebs couldn’t be part of the 533 million people affected by the breach. Checking with the site, yours truly isn’t affected either, but I honestly wouldn’t believe it nowadays, especially since news of this is two years old.

The supposed database has been kicking around the Internet cybercrime community since last summer, according to the article. I’ve never seen any of these databases, and with the massive amounts of databases out there and what they contain, who could confirm every piece of data in it? I like Have I Been Pwned and what it is trying to offer, so don’t get me wrong when it says that I’m not in there when I put my mobile number in the site to check.

We now learn that the database has been up since June 2020 and includes names, mobile number, gender, occupation, city, country and marital status. It includes data for 100 different countries, and there is a link to a January 2021 Twitter post within the article.

KrebsOnSecurity goes on to talk about what might happen if someone with malicious intent gets ahold of your mobile number. One of the things that could happen is your phone number changing hands, otherwise known as a SIM-swapping attack. This happens because an employee at the store where you got service is tricked into changing the information over to the attacker, and you don’t find out until you use your phone.

Brian talks about how it is probably time to remove your number from services like Facebook once verification of the account is complete. I’m almost tempted to do this myself. There is one paragraph that I found very interesting. It says:

Why did KrebsOnSecurity delete its Facebook account early last year? Sure, it might have had something to do with the incessant stream of breaches, leaks and privacy betrayals by Facebook over the years. But what really bothered me were the number of people who felt comfortable sharing extraordinarily sensitive information with me on things like Facebook Messenger, all the while expecting that I can vouch for the privacy and security of that message just by virtue of my presence on the platform.

We can’t vouch for a presence of a sensitive message just because we’re on the platform. I’ve never used Facebook or its messenger client for anything secure anyway, but that paragraph is very important.

Are You One of the 533M People Who Got Facebooked? is the question and the title of the article we’re talking about in this segment. Do read the article.

News Notes and more

  • According to an article found on April 8th and written the day before, Shopify let data go, and it isn’t as we would think. According to the article, the California man, Tassilo Heinrich, is charged with identity theft and conspiracy to commit wire fraud, while two people outside the United States were not charged. These other two were located in Portugal and the Philippines, according to the article. I don’t understand why these two outside of the United States aren’t charged; they received stolen data and could have had the opportunity of using it. California man indicted for stealing Shopify customer data is the article, do give it a read.
  • Think ransomware is going away? Not so fast! This time, an article talks about ransom gangs emailing customers of the companies that they hack to tell the customer that they got hacked. The purpose of emailing customers is of course to get the company to pay up, although as we know, that doesn’t necessarily mean anything, as ransomware gangs are only in it for the money. Ransom Gangs Emailing Victim Customers for Leverage comes from Krebs on Security and is definitely a good read.
  • I blogged about this article on the tech blog, but it never made it into news notes from what I can recall. Brian Krebs talked about someone who registered the domain krebonsecurity.top and what they’re using it for. I’ll just quote one of the paragraphs outright, it says: “Let’s just get this out of the way right now: It wasn’t me.” The article talks about the Shadowserver Foundation, who has tracked the Exchange server attacks and their progress of getting patched or lack thereof. According to the article, David Watson, a director of the Shadow Server Foundation Europe, tracked hundreds of unique variants of backdoors that allow the actors to keep access. What was very interesting to me was the fact that an executable was called krebsonsecurity.exe, and Brian talking about this plus the malicious domain made the article worth blogging. I just didn’t have a chance to put it into news notes till now. Read No, I Did Not Hack Your MS Exchange Server for all of these very interesting details.
  • So there was a breach of a water utility in 2019. Cyberscoop’s Sean Lyngaas wrote this article on a Kansas man who was indicted because of that breach. Wyatt Travnichek is alleged to have done it, as they claim he logged in to Ellsworth County Rural Water District’s computer system in 2019 and it was unauthorized access. This unauthorized access led to a shutdown of the facility in question. He is also charged with causing damage to a computer system. A customer service rep, Angela Naegele, said the drinking water supply was not affected. There is no word on whether he bypassed any security controls. Kansas man indicted in connection with 2019 hack at water utility is the article, go on and check it out.
  • Finally, in the “I can’t believe I heard this article” department, Michael in Tennessee read this article via Ars Technica, which really started me thinking about this company’s security posture. The company’s name is Q Link Wireless. They apparently had an app that allowed you to enter any customer telephone number, which you had to know. After doing this within their application for iOS and Android, the person could see anything they wanted within the account with “no password required.” According to the article, this company is known as a “Mobile Virtual Network Operator.” They are based in the state of Florida. It provides government and subsidized phones to people who qualify under the Lifeline program. They apparently serve at least 2 million customers, according to the article. I suggest you check jaredtech.help as I have a bunch more to say in regards to this story; suffice it to say, they apparently closed this hole by doing it server-side, with no communication with any researcher or anyone who reported this to the company. For full reading of this disaster, I give you: No password required: Mobile carrier exposes data for millions of accounts: Q Link Wireless made data available to anyone who knows a customer’s phone number. Have fun!

We hope you enjoy the program as much as I have bringing it together, make it a great day!
