CES 2021: Car spying – your insurance company is watching you

Your ‘networked computer on wheels’ has a privacy problem – when it comes to your data, you may not really be in the driver’s seat

The CES 2021 conference heralds the natural progression of car-spying apps built directly into the car and tied directly to insurance companies. Originally slated to assist drivers in an emergency, the systems are baked into the car platform telemetry itself and know everything about how you drive. How are your premiums calculated? Black box. What happens with your information? Black box, too. What happens when things go wrong? You get the idea.

This creeping blight oozing all over the last vestiges of our privacy in the interest of some thinly-perceived benefit was something tech was supposed to liberate us from – provide new degrees of freedom from. But there is this feeling that the walls of surveillance are closing in on our ability to do what we want, how we want, with things we own.

Only, we own less and less. We rent the things we “buy” from companies, and only borrow what is specified in take-it-or-leave-it licenses heavily favoring the vendor. No? Try opting out of tying into the cloud for basic functionality in the latest e-thing you bought. This will be really hard in the cars of the future.

RELATED READING: Connected cars: How to improve their connection to cybersecurity

If privacy pundits bark vociferously, there may be a tiny checkbox allowing you to opt out, but it will be buried in fine print, and couched in obtuse terms, like “opt out of personalized experiences” or some such phrase. This is not privacy by default – it’s privacy by great effort.

But the cloud knows best, or so we’re told. Even though the cloud is subject to change, we should trust it, whatever it becomes.

Maintaining proxy ownership of your devices via licensing through the cloud doesn’t seem like ownership, really, it feels like renting. Now, with baked-in insurance spies, it feels like always driving with your driving instructor taking notes. So much for the freedom of the road.

Speaking of the road, new cars know how many miles you drive, which leans into by-the-mile licensing and taxing of your car. Someone else determines how much you pay, but once again your private life is the fuel to feed the machine.

Going to court? They can know exactly where you were and when: just ask your car. No need for an alibi – they already know with mind-numbing precision where you were that night. Driving too fast? That will be worse. Stopped outside a bar? Even worse. Both? Well…

And imagine weight sensors in the seats. Then it’s not difficult to guess who the passengers were – or weren’t.

RELATED READING: Connected car hacking: Who’s to blame?

The good news is that auto theft will be very difficult indeed. Unless on the approved driver list, the would-be operator won’t be able to force the car to do anything, other than be hauled off on a flatbed tow truck. Even then, you’d know where it is. And maybe that’s good. But at what price?

Is there a world where consumers can understand what they truly own, and maybe even modify or fix it if they see fit, or opt out of third-party interaction altogether?

The “right to repair” what you own is a long, hard-fought cause shouldered by farmers who wanted to be able to work on their farm equipment out in the middle of nowhere. If your tractor is five hours from the dealer broken in a muddy field, it would be nice to fix it yourself instead. Manufacturers said ‘no’. Baked into the low initial sale prices were the expectation of a long tail of revenue from semi-forced service dependency. Violate that and rouse the ire of the dealers and manufacturers.

What will happen if you opt out of vehicle telemetry? At the grocery store I have to pay more if I don’t use a rewards card; will this happen with my next car? Will you eventually be able to get affordable insurance at all? You can bet the car manufacturers (and their insurance company partners) will have something to say about it.

Hackers leak stolen COVID‑19 vaccine documents

The documents related to COVID-19 vaccine and medications were stolen from the EU’s medicines agency last month

The European Medicines Agency (EMA), which evaluates and approves medicines for the European Union (EU), has disclosed that cybercriminals have posted online a portion of the documents that are related to COVID-19 vaccines and were stolen in a cyberattack last month.

“The ongoing investigation of the cyberattack on EMA revealed that some of the unlawfully accessed documents related to COVID-19 medicines and vaccines belonging to third parties have been leaked on the internet. Necessary action is being taken by the law enforcement authorities,” reads the EMA’s press release. However, the agency added that its systems are fully functional and the approval and evaluation timelines for the vaccines haven’t been derailed.

The agency, based in the Netherlands, first disclosed on December 9th, 2020 that it had suffered a cyber incident of unknown origin. The subsequent probe found that several documents belonging to third parties, presumably those belonging to companies working on the vaccines, had been illegally accessed.

Per the investigation, the data breach was limited to one IT application, with the threat actors directly targeting information involving COVID-19 medicines and vaccines. According to BleepingComputer, the data trove included “email screenshots, EMA peer review comments, Word documents, PDFs, and PowerPoint presentations”. The affected companies were notified about the incident in due course.

Following the disclosure of the attack, the pharmaceutical companies BioNTech and Pfizer revealed that they were among those whose documents were accessed. The companies, which partnered to develop and test a COVID-19 vaccine, have issued a joint statement addressing the breach:

“Today, we were informed by the European Medicines Agency (EMA) that the agency has been subject to a cyber attack and that some documents relating to the regulatory submission for Pfizer and BioNTech’s COVID-19 vaccine candidate, BNT162b2, which has been stored on an EMA server, had been unlawfully accessed. It is important to note that no BioNTech or Pfizer systems have been breached in connection with this incident and we are unaware that any study participants have been identified through the data being accessed.”

Unfortunately, this may not be the last time we hear about cyberattacks and fraud attempts concerning COVID-19 vaccines and medication. In the run-up to New Year’s Eve, law enforcement authorities from around the world have been sounding the alarm about cybercriminals and fraudsters attempting to cash in on the vaccine rollout.

The US Department of the Treasury is one of the latest agencies to have issued a stark warning about criminals’ attempts to exploit the rollout of the COVID-19 vaccines, including by falsely offering to help people jump the line. Keep in mind that any such offers are fraudulent, and not only because most countries have a vaccination strategy that prioritizes high-risk groups and medical professionals; indeed, trying to jump the queue may lead to stern fines. If you encounter similar offers, or offers to buy a vaccine, it is most certainly a scam – just like any of the various coronavirus-themed scams that began to do the rounds soon after the pandemic began.

CES 2021: Router swarms invade your home (and know where you are)

New mesh Wi-Fi routers may be the answer to your wireless signal woes, but how about your privacy and security?

Wi-Fi is hard, especially powering the swarms of smart devices in the average home. To combat dead spots, metal surfaces which block or reflect signals, and distant garages too far to connect, manufacturers at CES are rolling out router swarms using the new Wi-Fi 6E rules. These smart devices will get Wi-Fi to the nooks and crannies, but also spy on you and know where you are.

Rather than having one central router that is in charge of reaching your whole home, new routers will form a mesh with a distributed brain that tracks when signals are having a hard time propagating and work around it. By placing lots of tiny little mesh nodes in different rooms, they can learn the RF environment by comparing signal propagation. They can even split signals into tiny slivers to better communicate if they run into interference. Since you affect signal propagation when you stand in a room, they even learn to work around you too. This also means they become de facto motion detectors, since they would know where you are (and aren’t).

Sold as an upgrade, these distributed surveillance devices will make your Wi-Fi work better, sometimes a lot better (due to better frequency management), and that’s how they’re sold. But so much for privacy in private spaces.

And what about security?

Many systems have a cloud component, allowing them to be remotely managed, or remotely managed directly by your ISP. But in the event of a breach – in an industry that lacks an enviable security track record and where time-to-market trumps security – bad actors would know way more about your home environment than you’d like.

Remote management woes currently rank near the top of our list of most vulnerable attack entry points. Putting remote management on every room in your house seems like a fresh new opportunity for hackers, since remote management channels would likely be enabled by default, speeding the onboarding process by ISP install crews.

RELATED READING: New Year’s resolutions: Routing done right

Customers want it anyway. If someone can “magically” log in and fix Wi-Fi woes – fine. They’ll even pay for it as an upsell in the form of managed Wi-Fi service. This service’s control panel has a view to every device that’s connected in your house, their signal strengths, data transfer rates, sites they visit, how long they’ve been online, and a host of other metrics. They can also be used as a sort of low-grade alarm.

As distributed routers burrow further and further into your private life, it seems clear that some invisible line would be crossed whereby they would collect personally identifiable information (PII), which would put them at legal odds in certain parts of the world. We’ll see what legislators think of the technology in the coming years.

Meanwhile, some customers are happy to pay an extra $10 a month to implement these surveillance systems, and hope for the best. If you’re in the market, CES is definitely the place for you to start.

5 common scams and how to avoid them

Fraudsters are quick to exploit current events for their own gain, but many schemes do the rounds regardless of what’s making the news. Here are 5 common scams you should look out for.

Cybercriminals can be very creative when it comes to swindling people out of money. They will use a variety of methods to target their victims ranging from impersonating government officials to creating fraudulent online marketplaces. Time and again they have proven to be very adaptable, tailoring their scams around various hot topics.

In recent months, many scams have capitalized on the COVID-19 pandemic, with the schemes impersonating health authorities or offering to sell protective equipment that was in short supply. Up to December 16th, the US Federal Trade Commission had received more than 275,000 reports of fraud and identity theft related to the pandemic, with the victims reporting losing US$211 million in total. These days, there are scams doing the rounds that attempt to cash in on the vaccine rollout.

Make no mistake, however; fraudsters don’t launch their campaigns only in the wake of public health emergencies or global events. The European Commission recently conducted a survey on consumers’ experience with fraud and scams and found that over half of the surveyed Europeans had experienced at least one of the types of scams they were surveyed about in the past two years.

Fraud comes in many forms, and we’ve rounded up 5 common schemes where con men try to trick victims out of their money at pretty much any time of the year and regardless of what’s making the news. We also share a bunch of tips on how you can avoid falling victim to the ploys.

Online shopping and auction scams

One of the many ways scammers like to target unsuspecting victims is through shopping scams. During the pandemic, there has been a surge of these scams, especially due to the shortage of certain goods such as face masks and hand sanitizer. More broadly, however, using a sophisticated design that may come complete with a stolen logo, fraudsters will create a fake retail website masquerading as a reputable vendor and offer luxury products from famous brands at ridiculously low prices. However, once you place an order, you’ll either receive a counterfeit product or nothing at all; worse, if you shared your credit card information, the criminals could rack up charges on it. Fraudsters have also taken to social media and started offering their goods there. Another similar tactic cybercriminals use to defraud victims is the auction scam. The fraudsters will create a bogus auction offering an item they don’t have, or copy a real listing, and once the prospective buyer wins the auction and pays the allotted price, the victim never receives the product.

RELATED READING: Online scams: Why we get duped

To lower the chances of losing money to such scams, you should always do your due diligence and research the vendor you are buying from by looking through their terms of service and their privacy and return policies. You should also try to find reviews from other customers who have ordered from the website. If the vendor is asking you to share too much personal information, that should immediately be a red flag. Perhaps the best and safest advice is simply to purchase the product from a reputable vendor with a proven track record.

Money mule scams

Money mule scams can take various forms; however, the goal of the criminals behind them remains the same – to move money from illicit activities without being traced. To achieve their mission, the crooks will target their victims using various means – enticing them through work-from-home jobs, which isn’t an outlandish concept considering the current pandemic situation, or using online dating services to cultivate a relationship. Once they’ve earned the victim’s trust, they will send them money or a check and ask the victim to send it to someone else. There are various outcomes; depending on the scam, you might submit a fake check that will initially clear … but then bounce and your bank will ask you to repay it, or you may be moving money for a criminal element and you might find yourself in legal trouble.

The advice, in this case, is simple: if the remote job in question entails transferring money for the client to purported clients or contractors, don’t accept it; the risks associated with accepting such jobs online far outweigh any benefits. If your online love interest tries to coax you into sending money somewhere on their behalf, you should be suspicious and refuse to do so, especially if you’ve only ever met them online; romance scams abound and some victims blinded by love have ended up losing their life savings and in some cases had to face legal charges.

Lottery and prize-winning scams

Lottery and prize-winning scams, which fall under the advance-fee fraud category, usually start with the potential victim receiving an unsolicited email, phone call, or text message claiming that they won a large sum of money or some kind of a luxury prize. The message will include pressure tactics telling the victim that there is a limited time to respond and claim the prize, but to do that they will have to pay a fee that covers taxes or shipping costs, or other imaginary charges. Since the competition is bogus, the victim won’t receive any of these “winnings” after paying the faux fees.

RELATED READING: You have NOT won! A look at fake FIFA World Cup‑themed lotteries and giveaways

Alternatively, the victims may be solicited to take part in a competition or lottery with astronomical prizes and they are told that they can increase their chances by paying for secret tactics or more draws. The only result, however, will be the victim getting scammed out of money. It’s also worth noting that U.S. citizens partaking in foreign lotteries may be violating federal law, so besides losing money to a scam they could also be facing legal trouble.

To

Week in security with Tony Anscombe

Watch out for a new PayPal smishing campaign – Employee login credentials up for sale – WhatsApp to share more data with Facebook

If you use PayPal, you should watch out for a new SMS-based phishing campaign that targets people by claiming that their accounts have been “permanently limited”. Hundreds of thousands of login credentials belonging to the employees of leading gaming companies are being offered for sale on the dark web. WhatsApp is notifying users that starting from February 8th it will share more of their data with Facebook. All this – and more – on WeLiveSecurity.com.

Chrome, Firefox updates fix severe security bugs

Successful exploitation of some of these flaws could allow attackers to take control of vulnerable systems

Google and Mozilla are each urging users to patch serious vulnerabilities in their respective web browsers, Chrome and Firefox, that could be exploited to allow threat actors to take over users’ systems. The security fixes will be rolled out to Windows, Mac, and Linux over the next few days. Importantly, none of the flaws has been spotted as being abused in the wild.

Chrome

The new stable release of Chrome, 87.0.4280.141, brings 16 security fixes. While the tech giant won’t disclose details for all of them until the majority of its userbase has received the updates, it did highlight patches for 13 vulnerabilities that were reported by external researchers.

Twelve flaws were classified as high-risk, while one was determined to be medium in severity. Most of the high-severity flaws are use-after-free bugs, i.e. memory corruption flaws, residing in various Chromium components. They could be exploited if a user visited or was redirected to a specially crafted web page in order to achieve remote code execution in the context of the browser, noted the Center for Internet Security.

Google paid more than US$110,000 to the security researchers for discovering and reporting the vulnerabilities.

The Cybersecurity and Infrastructure Security Agency (CISA) issued a security advisory urging users and system administrators to update the browser: “Google has released Chrome version 87.0.4280.141 for Windows, Mac, and Linux. This version addresses vulnerabilities that an attacker could exploit to take control of an affected system.”

Firefox

Meanwhile, Mozilla released a security update to address a critical-rated security loophole that is tracked as CVE-2020-16044 and affects browser versions prior to Firefox 84.0.2, Firefox for Android 84.1.3, and Firefox ESR 78.6.1.

“A malicious peer could have modified a COOKIE-ECHO chunk in an SCTP packet in a way that potentially resulted in a use-after-free. We presume that with enough effort it could have been exploited to run arbitrary code,” said Mozilla describing the attack vector.

The Stream Control Transmission Protocol (SCTP) is used for transporting multiple streams of data at the same time between two endpoints that are connected to the same network. The flaw in Firefox resides in how the protocol handles cookie data.

CISA took note of this vulnerability as well and issued an advisory urging both users and administrators to update their software to protect their systems from potential attacks.

You are indeed strongly encouraged to update the browsers to their respective latest versions as soon as practicable. You can download the latest version of Chrome here and Firefox here. If you have automatic updates enabled, your browsers should update by themselves.

WhatsApp updates privacy policy to enable sharing more data with Facebook

Many users have until February 8 to accept the new rules – or else lose access to the app

In a major update to its Privacy Policy and Terms of Service, WhatsApp is notifying users in many parts of the world that as of February 8 it will share some of their data with Facebook, the chat app’s parent company. Importantly, users who won’t agree to the new terms will need to stop using the app or delete their accounts.

The notice is being shared via an in-app notification that maps the key updates to WhatsApp’s policies and terms of services. Those are divided into three key points – how the app processes user data, how businesses can use Facebook-hosted services with WhatsApp, and how the app partners with Facebook to offer integration across Facebook’s products.

Note, however, that users in Europe will be exempt from the service’s new data-sharing practices and are only shown the first two of the three points in the notice. WhatsApp’s director of policy for Europe, the Middle East and Africa (EMEA) Niamh Sweeney attempted to clear up some confusion that had arisen around the issue:

3/5 There are no changes to WhatsApp’s data-sharing practices in Europe arising from this update. It remains the case that WhatsApp does not share European Region WhatsApp user data with Facebook for the purpose of Facebook using this data to improve its products or ads.

— Niamh Sweeney (@NiamhSweeneyNYC) January 7, 2021

How about the rest of the world, though? Here’s an important part of the platform’s updated ToS as it will apply to those users:

“As part of the Facebook Companies, WhatsApp receives information from, and shares information with, the Facebook Companies as described in WhatsApp’s Privacy Policy, including to provide integrations which enable you to connect your WhatsApp experience with other Facebook Company Products; to ensure security, safety, and integrity across the Facebook Company Products; and to improve your ads and products experience across the Facebook Company Products,”

RELATED READING: Hey there! Are you using WhatsApp? Your account may be hackable

At this point it is important to remember some of the key information that WhatsApp collects:

- Your phone number that you used to create an account
- Your profile picture and profile information
- The phone numbers of your WhatsApp contacts
- Transaction and payments data
- Location information
- Information about your device, such as the model, operating system, and mobile network
- Other information, including your IP address, device operations information, and identifiers

By agreeing to the new terms and policy, you will effectively be agreeing to Facebook and its subsidiaries having access to at least some of your data.

WhatsApp lists the information in the website’s FAQ section that focuses on security and privacy: “The information we share with the other Facebook Companies includes your account registration information (such as your phone number), transaction data, service-related information, information on how you interact with others (including businesses) when using our Services, mobile device information, your IP address, and may include other information identified in the Privacy Policy section entitled ‘Information We Collect’ or obtained upon notice to you or based on your consent.”

Stolen employee credentials put leading gaming firms at risk

It’s hardly fun and games for top gaming companies and their customers as half a million employee credentials turn up for sale on the dark web

More than 500,000 login credentials linked to the employees of 25 leading game publishers have been found for sale on dark web bazaars, according to a report by threat intelligence company KELA. Threat actors have been increasingly targeting the gaming industry, including by harvesting and selling access credentials into the internal systems of top-tier game companies.

The firm found almost 1 million compromised accounts belonging to gaming clients and employees of major gaming companies, with half of them ending up for sale on the dark web over the past year. The criminals’ increased interest in the gaming industry could partly be chalked up to some effects of the COVID-19 pandemic, which has forced most people inside and online for their social activities, including for online gaming. With revenues estimated to reach almost US$200 billion by 2022, it’s no wonder the gaming industry has become a target for cybercriminals.

KELA has been tracking activities on the internet’s seedy underbelly for over two-and-a-half years and found compromised accounts that could provide access to the internal systems of almost every major gaming company. The accounts in question would grant entry to project management software, admin panels, virtual private networks (VPNs), and development-related environments, among others. Threat actors could wreak all manner of havoc, ranging from stealing company secrets, intellectual property and customer data to deploying ransomware on the company’s machines, which could lead to monetary and reputational damage.

Indeed, over the past few months, said KELA, criminals have been observed seeking access into the networks of a number of gaming companies. “We also detected an infected computer (bot) which had credential logs to plenty of sensitive accounts that could be accessed by attackers upon purchase: SSO, Kibana, Jira, adminconnect, service-now, Slack, VPN, password-manager and poweradmin of the company – all on a single bot – which strongly suggests that it’s used by an employee of the company with administrator rights,” according to KELA, adding that the asking price for the bot was less than US$10.

RELATED READING: Gaming industry still in the scope of attackers in Asia

Sadly, as the company also points out, employees remain one of the main points of access, especially due to credentials being leaked through third-party breaches. These types of credentials often aren’t monetized and can be freely found on dark web forums. Part of the problem could be blamed on employees’ penchant for password reuse.

“We found that these credentials also include high-profile email addresses such as senior employees and email addresses which are generally a significant channel in the company – invoice, purchasing, admin, HR-related emails, support, and marketing are only some of the examples we noticed,” states the report.

Cybercriminals could use these accounts to carry out various spearphishing campaigns in the hunt for more valuable credentials, including those that would grant them access to the most sensitive parts of a company’s network. Alternatively, the login data could also be used to carry out Business Email Compromise (BEC) scams and other crimes.

As the gaming industry is steadily becoming a juicier target for criminals, companies would do well to invest in their cybersecurity, especially by providing security awareness training to their employees and raising awareness about the risks they face. Additionally, companies should institute proper password management policies that prevent password recycling and implement multi-factor authentication.