Swn57

From Security Weekly Wiki

Security Weekly News Episode #57 - August 18, 2020

Subscribe to all of our shows and mailing list by visiting: https://securityweekly.com/subscribe

1. IcedID, 'EmoCrash' Exploit, & TeamTNT - 02:00 PM-02:30 PM


Description

This week, Dr. Doug talks Russell Kirsch, Carole Baskin, IcedID, Emotet, TeamTNT, and the CRA! Jason Wood returns for Expert Commentary on how the Secret Service reportedly paid to access phone location data!


Hosts

Doug White's Content:

Articles

  1. Russell Kirsch, inventor of the pixel, dies.
  2. Emotet patches killswitch to get back into action.
  3. IcedID redux.
  4. TeamTNT takes on AWS with a crypto mining worm.
  5. Ponemon study shows firms are struggling with prioritizing threats.
  6. Canada Revenue Agency shut down by credential stuffing attack. Still down.
  7. SE Testing Labs found that 50% of the antivirus products they tested failed to recognize notable threats.
    1. SE Labs report.
  8. Carole Baskin sings 50 Cent for Cameo.

Jason Wood's Content:

Articles

Secret Service reportedly paid to access phone location data

Say it isn’t so! The Secret Service (and law enforcement in general) are interested in data that suspects’ phones are sharing on them! So really, this isn’t that much of a surprise, but I’m always interested in privacy issues and how technology and privacy meet. As a result, this article on CNET caught my attention last night.

Basically, the US Secret Service allegedly purchased the services of a product named Locate X for at least the time between September 2017 and September 2018. Locate X appears to be an aggregator of location data that mobile apps collect. You probably already see how this gets collected. The apps say they need location data to provide some function of the app. What is glossed over is that a number of mobile apps turn around and sell this data to products like Locate X. I’m sure it’s documented somewhere in that privacy policy that no one actually reads. And if you do, you’ll probably need a lawyer to help you decipher it. Regardless, this is how Locate X receives its data.

For example, I use RunKeeper to track my attempts at jogging, map my runs, and more importantly give me distance and pace information. So I went and read through the relevant portions of their Privacy Policy. They say outright that they do not sell Personal Information, though they do say they don’t consider deidentified Personal Information. For the sake of the story, let’s say they do sell this data without deidentification. If the data made its way into Locate X and the Secret Service was interested in my activities, they could use this information to plan where I might be, pick me up for questioning, or see if I was in an area at a particular time. Obviously, this is useful for law enforcement.

The question then comes in whether they need a warrant to review this information. According to the CNET article, they don’t. And if I put on my amateur lawyer hat and make believe for a moment, perhaps there’s no legal requirement to access data available on the public market. They don’t have to do anything that isn’t available to anyone else who wants to buy the data. It seems like warrants come into play when they need to exercise powers that are only available to government and they are meant to be a check against abuse of those powers. In the case of products like Locate X, anyone can get this data by simply buying it. So do they need a warrant? Perhaps not. Is it a bit of a disturbing idea? Yeah, I’m not totally comfortable with this.

The problem is that we as consumers have given this data up already. So far in the US, reselling this data is legal as long as they tell us about it in some way. That notice goes into privacy policies and notices that we get on a regular basis, that are drafted by lawyers to protect companies in court where it gets evaluated by lawyers. I can make sense of technical documentation pretty well, but legal documents are a struggle. This is a long-standing complaint that I have with terms of service documents, privacy policies, and other “consumer” documents required to inform consumers of how things are being used. They aren’t written for consumers and they seem tailor-made to at least obscure what we are allowed to do or how our data is used.

Perhaps law enforcement and government agencies (and their service providers) should be required to get warrants for this type of data, but right now that is not the case in the US. Perhaps this is different in places like Europe. This article shows again the complications that can happen when we give up a lot of information to gain some kind of benefit. If you are concerned about issues like this and privacy laws in the US, then the legal environment needs to be changed. The only place available for that is in your state and federal legislatures, so you’ll want to contact your representatives and work to get them on board. A difficult and long process, but that’s what it requires to get laws changed or enacted.