Pete Recommends – Weekly highlights on cyber security issues November 30, 2019

Subject: Canada’s use of Huawei 5G would hamper its access to U.S. intelligence – U.S. official
Source: Reuters via Yahoo
https://news.yahoo.com/1-canadas-huawei-5g-hamper-183254094.html

HALIFAX, Nova Scotia, Nov 23 (Reuters) – The U.S. national security adviser urged Canada on Saturday not to use Huawei 5G technology, saying that doing so would put in jeopardy intelligence sharing with the United States and expose Canadians to being profiled by the Chinese government. Canadian Prime Minister Justin Trudeau postponed a decision on whether to use Huawei Technologies Co Ltd 5G network equipment until after the October federal election. He has not commented on the issue since winning the Oct. 21 vote.

Intelligence sharing “would be impacted if our close allies let the Trojan horse into the city,” national security adviser Robert O’Brien told reporters at a security conference in Halifax.

“When they (the Chinese) get Huawei into Canada or into other Western countries, they’re going to know every health record, every banking record, every social media post, they’re going to know everything about every single Canadian,” he said.

The question of whether Huawei’s 5G equipment could contain back doors allowing access to Chinese spying is dividing Canada and its partners in the Five Eyes intelligence-sharing network.

Canada has been caught in the middle of the U.S.-China dispute over Huawei since Canadian police arrested Huawei’s chief financial officer on a U.S. warrant in December, a move condemned by China.


Subject: Go Google free: We pick privacy-friendly alternatives to every Google service
Source: The Ed Bott Report via ZDNet
https://www.zdnet.com/article/goodbye-google-why-and-how-to-take-back-your-privacy/

As privacy concerns grow, companies like Google and Facebook that rely on data collection and advertising for revenue are increasingly in the spotlight. But is it really possible to give up Google’s vast range of services? Here are my recommended alternatives. Over the past two years, I’ve been switching between a succession of iPhones and a series of Android devices, using each for an extended amount of time. Spending months with each mobile platform has been a tremendously useful exercise, helping me understand the strengths and weaknesses of the two dominant smartphone options.

But every time I pick up one of those Android devices, a nagging question pops up in the back of my mind. It’s the same one I hear from friends, family members, and readers every time the topic turns to smartphone platforms: “Aren’t you worried about your privacy when you run Google’s software?”

It’s a legitimate question, and there’s no easy answer.

Google, like Facebook, has a business model that’s built on surveillance


Subject: Mozilla to Block Fingerprinters by Default in Firefox 72
Source: BleepingComputer
https://www.bleepingcomputer.com/news/security/mozilla-to-block-fingerprinters-by-default-in-firefox-72/

As part of its Enhanced Tracking Protection feature, Mozilla is planning on blocking Fingerprinters by default in Firefox 72, which is slated to be released in January 2020. Fingerprinters are a tracking method that allows a company to track you based on characteristics of your computer rather than through tracking cookies.

It does this by building a profile of your device based on its characteristics such as the screen resolution, the browser you use, timezone, language, installed extensions, the installed fonts, and your operating system.

All of this information is compiled into a unique fingerprint that can be used to track you through the different sites you visit on the Internet.

Starting with Firefox 72, the browser will automatically block Fingerprinters on any sites that you visit through its Enhanced Tracking Protection feature.


Subject: ‘Can you hear me?’: New phone scam tricks you into answering ‘yes’
Source: CBC News
https://www.cbc.ca/news/canada/edmonton/can-you-hear-me-phone-scam-warning-bbb-1.3970312

From encrypted passwords to padlocked doors, Canadians will go to extreme lengths to avoid scammers. Now it may not be safe to pick up the phone.

A new scam relies on your voice to answer a simple question: “Can you hear me now”? The scammers try to bait callers into answering “yes.”

Anti-fraud agencies say that simple acknowledgment can be used to make it sound as if you signed on for a purchase or service.

“They’re trying to get a recording of you saying ‘yes,'” said Ron Mycholuk, a spokesman with the Better Business Bureau of Central and Northern Alberta.


Subject: How to prevent a data breach, lessons learned from the infosec vendors themselves
Source: Web Informant
https://blog.strom.com/wp/?p=7456

This fall there have been data breaches at the internal networks of several major security vendors. I had two initial thoughts when I first started hearing about these breaches: First, if the infosec vendors can’t keep their houses in order, how can ordinary individuals or non-tech companies stand a chance? And then I thought it would be useful to examine these breaches as powerful lessons to be avoided by the rest of us. You see, understanding the actual mechanics of what happened during the average breach isn’t usually well documented. Even the most transparent businesses with their breach notifications don’t really get down into the weeds. I studied these breaches and have come away with some recommendations for your own infosec practices. The breaches are:


Subject: As 5G Rolls Out, Troubling New Security Flaws Emerge
Source: WIRED
https://www.wired.com/story/5g-vulnerabilities-downgrade-attacks/

The researchers from Purdue University and the University of Iowa are detailing 11 new design issues in 5G protocols that could expose your location, downgrade your service to old mobile data networks, run up your wireless bills, or even track when you make calls, text, or browse the web. They also found five additional 5G vulnerabilities that carried over from 3G and 4G. They identified all of those flaws with a new custom tool called 5GReasoner.

The 5GReasoner tool also found issues with the part of the 5G standard that governs things like initial device registration, deregistration, and paging, which notifies your phone about incoming calls and texts. Depending on how a carrier implements the standard, attackers could mount “replay” attacks to run up a target’s mobile bill by repeatedly sending the same message or command. It’s an instance of vague wording in the 5G standard that could cause carriers to implement it weakly.


Subject: Burglars Really Do Use Bluetooth Scanners to Find Laptops and Phones
Source: WIRED
https://www.wired.com/story/bluetooth-scanner-car-thefts/

A recent rise in laptop and gadget thefts from cars, particularly in San Francisco and the larger Bay Area, has left victims and police wondering if burglars are using Bluetooth scanners to choose target cars based on which have gadgets inside emitting wireless signals. Many laptops and gadgets will put out a sort of beacon by default when their Bluetooth is turned on, so that other Bluetooth devices can find them and potentially pair—even when closed or idle.

In fact, they’re not even specialized devices. You can easily install a Bluetooth scanner app; it uses your smartphone’s own internal Bluetooth sensors to find nearby signals. They not only list everything they find, but provide details like what type of device they’re picking up, whether that device is currently paired to another over Bluetooth, and how close the listed devices are within a few meters. The apps are often marketed as tools for finding lost devices, like scanning for your misplaced FitBit at your in-laws’ house. But they’re dead simple to use for any purpose—and they surface many more results than your phone does on its own when looking for something to pair with in your Bluetooth settings.


Subject: Law enforcement can plunder DNA profile database, judge rules
Source: ZDNet
https://www.zdnet.com/article/law-enforcement-can-plunder-dna-profile-database-judge-rules/

A judge has approved a warrant for law enforcement to access the database of DNA profiler GEDmatch, a landmark ruling which may have serious privacy implications. Databases of genetic information, hosted by private companies including Ancestry.com and 23andMe, are a lure few police officers can ignore.

Last week, Detective Michael Fields of the Orlando Police Department told attendees at the International Association of Chiefs of Police conference that he had managed to obtain a warrant from a judge permitting him to search the full GEDmatch database, containing the profiles of roughly one million users.


Subject: Alexa, Siri and other voice systems are raising security worries
Source: Business Insider
https://www.businessinsider.com/alexa-siri-other-voice-systems-raising-security-hacker-worries-2019-11

It’s hard to know just how concerned consumers and businesses should be about the potential vulnerabilities of voice computers and systems, security experts say. But they should be aware that as fun and useful as such devices and services can be, they aren’t risk-free. And the risks will only increase as the devices become more popular and more services and other gadgets are connected to them.

“We’re opening up a new world of dangers with these things where some really smart people might start figuring out how to do things that cause these devices to behave in unexpected ways,” said Martin Reynolds, an analyst for market research firm Gartner who focuses on emerging technologies.

Sometimes, though, the assistants can be accidentally triggered, whether because of an inadvertent button push or because they mistook another phrase as the wake word. Once they’re activated, the devices start recording, potentially overhearing sensitive or highly private information.

Access to those recordings isn’t necessarily tightly controlled. A malicious actor could get access to them if they hacked a user’s Amazon account, for example.

Amazon’s Alexa, for example, can be controlled by anyone who talks to it. Two years ago, Burger King demonstrated it could activate a Google Home device by broadcasting the phrase “OK, Google” in a television commercial. And researchers in Japan and at the University of Michigan have now shown that they can interact with voice assistants in both smart speakers and phones from a distance using a laser beam pointed at their microphones.

For their part, the leading voice assistant providers do say they keep security and privacy in mind with their products. They each allow users to delete recordings of their voice-assistant requests, and Google and Amazon allow users to review them first. Google’s Home devices and Amazon’s Echo smart speakers have physical buttons that allow users to turn off their microphones; Apple HomePod owners can turn off its mic via an app.

[but the physical button is not really physically disrupting the circuit? /pmw1]


Subject: Netflix hackers are reactivating canceled accounts, report says
Source: Business Insider
https://www.businessinsider.com/netflix-hackers-reactivating-canceled-accounts-2019-11

  • Hackers have been reactivating people’s canceled Netflix accounts without their consent, according to a new BBC report.
  • After stealing or guessing people’s Netflix passwords, hackers were able to reactivate the canceled subscriptions of former Netflix customers without knowing their bank information.
  • The hacks were reportedly enabled by the fact that Netflix stores customer data including billing information for 10 months after someone cancels an account.

There’s a cottage industry for hacked Netflix accounts. Hackers frequently sell login credentials online at discounted prices — a listing for a four-screen Netflix login is live on eBay.

Posted in: Big Data, Civil Liberties, Cybercrime, Cybersecurity, Social Media