Security Weekly News Episode #57 - August 18, 2020
1. IcedID, 'EmoCrash' Exploit, & TeamTNT - 02:00 PM-02:30 PM
This week, Dr. Doug talks Russell Kirsch, Carole Baskin, IcedID, Emotet, TeamTNT, and the CRA! Jason Wood returns for Expert Commentary on how the Secret Service reportedly paid to access phone location data!
Doug White's Content:
- Russell Kirsch, inventor of the pixel, dies.
- Emotet patches killswitch to get back into action.
- IcedID redux.
- TeamTNT takes on AWS with a crypto mining worm.
- Ponemon study shows firms are struggling with prioritizing threats.
- Canadian Revenue Agency shut down by credential stuffing attack. Still down.
- SE Testing Labs found that 50% of the antivirus products they tested failed to recognize notable threats.
- Carole Baskin sings 50 Cent for Cameo.
Jason Wood's Content:
Say it isn’t so! The Secret Service (and law enforcement in general) are interested in data that suspects’ phones are sharing on them! So really, this isn’t that much of a surprise, but I’m always interested in privacy issues and how technology and privacy meet. As a result, this article on CNET caught my attention last night.
The question then comes in whether they need a warrant to review this information. According to the CNET article, they don’t. And if I put on my amateur lawyer hat and make believe for a moment, perhaps there’s no legal requirement to access data available on the public market. They don’t have to do anything that isn’t available to anyone else who wants to buy the data. It seems like warrants come into play when they need to exercise powers that are only available to government and they are meant to be a check against abuse of those powers. In the case of products like Locate X, anyone can get this data by simply buying it. So do they need a warrant? Perhaps not. Is it a bit of a disturbing idea? Yeah, I’m not totally comfortable with this.
The problem is that we as consumers have given this data up already. So far in the US, reselling this data is legal as long as they tell us about it in some way. That notice goes into privacy policies and notices that we get on a regular basis, that are drafted by lawyers to protect companies in court where it gets evaluated by lawyers. I can make sense of technical documentation pretty well, but legal documents are a struggle. This is a long-standing complaint that I have with terms of service documents, privacy policies, and other “consumer” documents required to inform consumers of how things are being used. They aren’t written for consumers and they seem tailor-made to at least obscure what we are allowed to do or how our data is used.
Perhaps law enforcement and government agencies (and their service providers) should be required to get warrants for this type of data, but right now that is not the case in the US. Perhaps this is different in places like Europe. This article shows again the complications that can happen when we give up a lot of information to gain some kind of benefit. If you are concerned about issues like this and privacy laws in the US, then the legal environment needs to be changed. The only place available for that is in your state and federal legislatures, so you’ll want to contact your representatives and work to get them on board. A difficult and long process, but that’s what it requires to get laws changed or enacted.