z3r0trust Privacy Newsletter #32–20

Credit

A Vision For the Future

In this inaugural installment of the z3r0trust Privacy Newsletter, I would like to introduce you to one experienced information security professional’s humble but persistent quest to bring awareness to digital privacy in the hopes that others will help to spread further awareness and demand government and technology industry reform for not only Americans but everyone across the globe. This is a personal philosophy that aligns with a core premise that privacy is an inalienable fundamental human right, something that I truly believe in and feel strongly about but that is sadly not the reality in many countries around the world to include capitalist America.

This inherent right to privacy has been repeatedly trampled upon by our government under the guise of national security following terrorist attacks against the United States like 9/11 that happened decades ago (e.g., The PATRIOT Act and FISA). However, these are laws we still are living with today. For all the terrorist attacks these laws may have prevented the public will never know because the government has zero transparency for such information and it comes at the sacrifice of individual privacy and freedom. We’re all required to take our shoes off when clearing security at the airport because a terrorist once tried to shoe bomb an airplane.

We’re all restricted from taking too many liquids on airplanes because terrorists tried to bomb airplanes using liquid explosives. It’s these types of knee-jerk reactionary security measures that often remain in place for decades because no one who remembers what happened on September 11, 2001, ever wants to see something like that happen again. So, what do we do? We just continue to put up with more and more restrictions on our freedom and privacy by allowing some factions of whatever current administration-flavor of politics is running the government to pass legislation that allows it.

As a former Marine, please trust me when I tell you that I realize just how incredibly important national security is to any nation. The public fear factor following successful terrorist attacks is significant However, in recent years our government has used national security as an excuse to gradually ratchet up their erosion of privacy. Fighting for digital privacy is not about demanding privacy because we are doing illegal stuff online with computers that we shouldn’t be.

Rather, it’s about stopping the constant collecting, analysis, and selling of our private internet use to third-party data brokers and marketers that I would like to see ended permanently. These Big Tech companies like Google, Facebook, Twitter, Instagram, and Snap, Inc. (Snap, Inc. owns Snapchat) allow users to sign up for free accounts to use their services knowing that users aren’t going to take the time to read several pages long Terms of Service and Privacy Statements about which types of information is collected about the use of their products and services.

Signing up to use “free” Tech services makes us, the users, the product because we’re not paying for a service with our money per se, but yes we are paying for the use of these free services in other ways. Some of which, we have no control over. Privacy is about having the ability to control your information and the portability to migrate it wherever you feel like on the internet without having to request access to it from ISPs. We know we are the product of free Tech services like social media.

Well, some of us do and maybe others who are not as tech-savvy do not I would argue. But that doesn’t make it right, morally or ethically for Tech companies to be able to get away with it. Their continued lobbying in Congress has enabled them to remain largely unregulated for so long. That must change. We must end this practice and change the dynamic. People need to demand tech reform to achieve better individual privacy control of their personal information.

On the digital privacy battlefront, we have several topics worthy of some measure of discussion this week.

Potential TikTok & WeChat Ban

President Trump and Secretary of State Pompeo continue to beat the national security drum about the dangers of Chinese-owned apps like TikTok owned by ByteDance and WeChat owned by Tencent. The U.S. recently ordered the Chinese embassy in Houston, Texas closed reportedly due to continued espionage threats (Fifield, et al., 2020), and China retaliated by ordering the U.S. consulate in Chengdu to be closed (Yin, 2020). With these types of tit-for-tat political escalations and military tensions in the South China Sea between China and the U.S., it leaves many wondering if the world is on the precipice of another great world war? I hope for the sake of humanity that we are not. Some of the language written in the Executive Orders to ban TikTok and WeChat were as follows:

“The US government says TikTok and WeChat “capture vast swaths of information from its users.” “This data collection threatens to allow the Chinese Communist Party access to Americans’ personal and proprietary information.” The executive order also claims both apps gather data on Chinese nationals visiting the US, allowing Beijing “to keep tabs” on them (BBC, 2020).

As I previously covered in the June edition of Hacking Privacy #6.20: Traceless Non-Contact & TikTok-Talkitty Talks to Everyone, there are security and privacy risks involved with TikTok but they are not exclusive to TikTok only. All social media apps and every app a user installs on their smartphone or on a computer (i.e., an “app” is short for an application, or computer program) represent a new potential attack surface. Does that mean we should ban it for all Americans? No, that is preposterous and would be impossible to enforce anyway with Virtual Private Networks, Proxy Servers, and Tor browsers easily able to defeat Internet Service Provider (ISP)-enacted firewall blacklisting of such app website links.

Make no mistake, this is merely political security theater from the Trump Administration designed to sow further distrust in all things China and make it appear as though they are concerned with app security. They are not, by the way, otherwise, they would also ban apps like Facebook among many others from usage on government devices. The difference, of course, is that Facebook is owned by the U.S. whereas TikTok and WeChat are not. China is going to retaliate with equal bans of U.S. tech products and can we blame them?

I don’t say this to diminish the massive scale of Chinese espionage against the U.S. in recent decades, something the U.S. is not alone in being a victim of, but rather to illustrate how this isolationist, nationalistic security policy can be applied by both sides. This tit-for-tat economic escalation between the Trump Administration and China bleeds over into Trump’s chances of getting successfully reelected in the November 2020 election. You need to be able to see the interconnected correlations, the secondary and tertiary effects of these types of unilateral actions.

On one side of the coin, you’ve got China who detests Trump and has deliberately waited to agree to a new trade deal with the U.S. China wants to see him ousted as soon as possible so they can try to improve relations with the West. On the other side of the coin, we have Russia who in 2016 went to great lengths to interfere in the U.S. Presidential Election to ensure “their guy” got elected. The Fancy Bear Advanced Persistent Threat (APT) group hacked John Podesta’s phone and gained access to a DNC email server from which they exfiltrated thousands of emails that were leaked to WikiLeaks. This is all old news but I reiterate it to demonstrate that there is a lot to security and privacy than just the technical hacking and engineering of computer systems. Experienced infosec professionals will understand the importance of appreciating the bigger picture and how it affects what we do as security professionals. There are obvious and some not-so-obvious correlations.

Twitter Shares Your Phone Number to Advertisers‌

‌For those reading my published work, most are aware of my presence on Twitter (@z3roTrust). After the announcement that Peerlyst was shutting down at the end of August 2020, Twitter is now the only social media presence I maintain. I deliberately keep it this way to limit my online exposure and OSINT collection attempts. Many of the things I write about make me a target by corporations, terrorist groups, and governments. I call it as I see it. Shape up or ship out. Being a privacy advocate, you can imagine how much it irks the hell out of me when the one social media site I use is exposed for using user phone numbers given to Twitter expressly to establish two-factor authentication (2FA) for advertising purposes (Cox, 2020).

Allow me to clarify this a bit. To set up 2FA on Twitter, users must provide a cell phone number. There are three separate 2FA options as seen in the snapshot I posted (above). Users can select Text message, Authentication app, or use a Security key. Twitter takes users’ phone numbers and uses them for advertising purposes when users were trying to improve the security of their accounts. Way to go Twitter, keep throwing users under the bus, and sacrificing their privacy. According to a recent Twitter SEC quarterly filing, it expects the Federal Trade Commission (FTC) to impose a fine on the company of between $150-$250 million. This practice is ethically wrong and I recommend that you immediately switch to either the Authentication app or Security key options of 2FA, then go back and delete your cell phone number from your account.

Neverending Spam Robocalls‌

‌The Federal Communications Commission (FCC) is supposedly working to curb spam phone calls that are rampant in the U.S. and which have been an annoyance for many years. This is certainly not the first time the issue has come up yet here we are in the year 2020 and we are still dealing with this problem. The failure of the FCC to successfully mitigate spam phone calls is partly due to the Trump-installed crony puppet Ajit Pai who heads the FCC and who is both corrupt and incompetent as many others have pointed out. In a Techdirt piece published in 2019 regarding a former head of the Broadband Deployment Advisory Council (BDAC), Elizabeth Ann Pierce whom Pai appointed to lead the Council, was arrested for an elaborate fraud scheme (Bode, 2019). The article goes on to say,

“In some areas, Pai’s FCC tenure has been ruthlessly efficient at neutering FCC oversight of natural telecom monopolies and giving those monopolies absolutely everything they want. In other instances it’s been plagued with an almost preternatural ability for absurd controversy, incompetence, and bizarre missteps. A commission tasked with doing something it refuses to do, headed by somebody now going to prison for fraud, certainly falls into the latter camp” (Bode, 2019).‌

My effort to bring greater awareness to this issue by involving key politicians

‌Pai had been working with Telecom industry leaders to combat robocalls by proposing to get all Telecom providers on board with a new initiative called STIR/SHAKEN, or Secure Telephone Identity Revisited (STIR) and Signature-based Handling of Asserted Information Using toKENs (SHAKEN) (FCC, 2020). The thought was to get Telecom providers (AT&T, Bandwidth, Inc., CenturyLink, Charter Communications, Comcast Corporation, Cox Communications, Frontier Communications, Google LLC, Sprint, TDS Telecommunications LLC, T-Mobile USA, Inc., U.S. Cellular Corp, Verizon, and Vonage Holdings Corp.) all on the same sheet of music to upgrade their telecommunications infrastructures to implement Caller ID Authentication (FCC, 2020).

However, due to COVID-19 and weak FCC leadership, the initiative has stalled and several Telecom providers have replied with excuses as to why they are not in favor of implementing these newer protocols to prevent robocalls. Things that make you go, “Hmm?” Who cares about customers, right? Worry not telecoms and the FCC, I won’t soon forget this. Earnings and November 2020 election votes will reflect accordingly as I continue to expose them for the greedy corporate assholes that they really are. I could go into painfully explicit detail on how this technology works and how the entire telecom system is still using the Signaling System №7 (SS7) also known as the Common Channel Signalling System 7 (CCSS7) protocol developed in 1975 which allows for among other vulnerabilities, call spoofing, SMS (text) message interception, the ability to listen to phone calls and track the geographic location of mobile phone users (Gibbs, 2016). However, I’ll leave that for another time.

A Watered-Down California Consumer Privacy Act‌

‌As often happens with punitive laws like the CCPA, before they can even be enforced, there are already bills pending in the state legislature that, if approved, would essentially “water down” the spirit of the law which was from the outset to protect consumer privacy. For instance, AB874 is an amendment to the CCPA that excludes “publicly available information” from the definition of “personal information,” and clarifies that deidentified or aggregate information is “not personal information” and which the California Governor, Gavin Newsome, approved and signed (IAPP, 2020). This seems to me to be the opposite of protecting consumer privacy. It is my humble opinion that not all “public information” and especially not “aggregated personal information” should be allowed to be “public” in the first place. AB 981 strips consumers of their right to request a business to delete or not sell the consumer’s personal information if it is necessary to complete an insurance transaction (IAPP, 2020). I don’t believe my care factor for what insurance companies want even registers on any kind of scale.

You can do a lot with someone’s name and home address. Yet, every homeowner’s home address is publicly listed? What gives these data broker websites the right to post our public information on the Web for anyone in the world with an internet connection to look at? That is complete and utter garbage. That is the very definition of anti-privacy. We should all be automatically opted-out of these predatory tactics. The only way that will ever happen in the U.S. is if the three branches of government pass new privacy legislation and it is strictly upheld in the courts. Laws are often not upheld as they were intended to be applied in the court system. Many a law has been severely crippled by judges’ erroneous interpretation of the law.

All of the websites listed in the Tweet snapshot above are data brokers that deal in our public information but if you’ve ever viewed your information on one of these sites you’ll quickly learn that they’ve aggregated your personal information into some kind of weaponized, one-stop shopping experience for cyberstalkers to quickly find out everything they need to know about you. If you live in California or are privacy-minded individual tracking the status of the CCPA, I highly recommend checking out the International Association of Privacy Professionals (IAPP) and their CCPA Amendment Tracker (below).‌

Credit: IAPP, 2020

‌Practical Privacy Hacks

Minimizing Smartphone Geolocation Tracking

The National Security Agency (NSA) released guidance to the public about limiting location data exposure which contains great security and privacy guidance. The NSA guidance is not new but is somewhat reassuring coming from perhaps the most prestigious intelligence agency in the world that specializes in foreign Computer Network Espionage (CNE) and is one of a handful of organizations within the U.S. (i.e., the FBI, USCYBERCOM, CIA being others) that is authorized to conduct Computer Network Attacks (CNA) with it’s Tailored Access Operations (TAO) element that has risen to notoriety in recent years. Just as other countries do, the U.S. conducts its own CNE activities such as installing spyware on a target’s computer (Galperin, 2014). Activists that participate in protests might want to pay special attention to this guidance. If attending protests, know that you’re being surveilled with CCTV-enabled facial recognition software (FRS). Think about using a burner phone that contains no personal data on it.

· Even just powering on a phone exposes location data

· Telecom providers have been known to sell customer real-time location data

· Rogue base stations (and Stingrays that police often use) can easily be purchased and used to collect cell phone user locations and track targets

· Wi-Fi and Bluetooth sensors on your phone can reveal location data

· Unless you configure your phone not to, the phone shares location services with apps that request it

· Even if location services are disabled on a device, the device’s operating system (Android, iOS, Windows, etc.) can still use location data and/or communicate that data to the network as part of telemetry data or update purposes

· Even if location services are disabled on a device, some apps won’t ask for permission to infer location information

· Even if location services are disabled on a device, wireless sniffers (commercially-available) can be used to determine users’ location using WiFi and Bluetooth

· Some devices do not even allow users to disable Bluetooth

· Internet-of-Things (IoT) devices are also potentially susceptible to these same types of location data vulnerabilities, think fitness trackers, smartwatches, smart medical devices, built-in vehicle devices (e.g., LoJack, OnStar), home appliances, smart lightbulbs, home security systems, smart locks, smart thermostats, home assistants (Alexa, Google Home, etc.)

· If a device has been compromised then all bets are off, users may think they’ve disabled location services but in reality malware prevents them from doing so (we call this being “pwned”)

· Metadata shared to social media apps and sites can be used to locate users (Use caution: always scrub metadata before uploading media with a tool like: https://www.metawiper.com/)

· Disable location services settings on devices

· Disable radios when they are not actively in use: disable BT and turn off Wi-Fi if these capabilities are not needed.

· Use Airplane Mode when the device is not in use. Ensure BT and Wi-Fi are disabled before activating Airplane Mode.

· Apps should be given as few permissions as possible by setting privacy settings to ensure apps are not using or sharing location data

· Avoid using apps related to location if possible, since these apps inherently expose user location data. If used, location privacy/permission settings for such apps should be set to either not allow location data usage or, at most, allow location data usage only while using the app. Examples of apps that relate to your phone’s geolocation are maps, compasses, traffic apps, fitness apps, apps for finding local restaurants, and shopping apps.

· Disable advertising permissions to the greatest extent possible by setting privacy settings to limit ad tracking, noting that these restrictions are at the vendor’s discretion.

· Reset the advertising ID for the device regularly. At a minimum, this should be done weekly.

· Turn off settings (typically known as FindMy or Find My Device settings) that allow a lost, stolen, or misplaced device to be tracked.

· Minimize web-browsing on the device as much as possible, and set browser privacy/permission location settings to not allow location data usage.

· Use an anonymizing Virtual Private Network (VPN) to help obscure location. Pick only from https://www.privacytools.io/

· Minimize the amount of data with location information that is stored in the Cloud, if possible. **Comment on this from @z3roTrust- Now, I don’t know about you, but I read this to mean that the NSA likely can access whatever you upload to the Cloud. At a minimum, should your Cloud Service Provider (C-SP) ever be compromised and your files leaked, you had better ensure that it is doubly encrypted. Once by you and again by the C-SP. That way your private info isn’t exposed.‌

‌I appreciate the fact that the NSA published this information but at the same time because of its nature as an intelligence agency, I wonder what they aren’t telling us or if any of the published guidance is intentionally inaccurate? Ooh, did I just plant a seed of distrust in your mind? Nah, it’s always been there. I am just watering it to help it grow. I’m not big on conspiracy theories but I am a realist and I know what spy agencies do. They spy. I am under no false impression that organizations exist for one purpose and that despite my military background, I could just as easily be targeted by such spy organizations were I ever considered to be some type of national security threat. I have been operating for years as if I were already being monitored and have even self-reported myself when my security research led to the discovery of classified information that shouldn’t be on the internet. As an ethical hacker, I am a known entity. I have accepted that fact and so I choose to help spread digital security and privacy awareness.

Dangers of Browser-based Password Managers‌

‌Look into whether it is feasible for you to use a locally-stored password manager such as KeePass or KeePassXC instead of a Web-based or browser-based password manager that is much more susceptible to software vulnerability exploits. If there is one thing you don’t want someone else to get a hold of, it’s your master password that allows access to your entire personal password database. KeePass and KeePassXC both make versions of their open-source software product that work with browser-based access but it is going to be much safer not to use such an option and instead opt for the locally-stored application which stores the decryption key on your hard drive.

Face Masks That Replicate Your Real Face?‌

Credit: @djbaskin

‌In the wake of the Coronavirus (COVID-19) pandemic, many people follow the advice of medical experts by wearing cloth face masks to help slow the spread of the disease. We know it won’t completely stop the spread but the thought is that by wearing face masks, we can at least slow the advance of the disease and save precious medical resources from becoming overwhelmed which will result in the unnecessary loss of human lives. Maskalike has reportedly taken to manufacturing face masks that are identical to your face reprinted from selfie photos you upload to the company’s site. There is a 25,000 person-long waitlist to get one of these masks. Obviously, this is a popular idea and the entrepreneur behind it is going to rake in the profits from her idea. Good for her, but this product is not for everyone.

I understand that privacy is just not important to some people. It’s the same as information security measures that experts advise users to implement. Some people just don’t care about such things. These are the same people who never install any updates to their computers or devices and then wonder how they got hacked later. I have no empathy whatsoever but perhaps we all get that way about certain issues or aspects of our work from time to time. Sometimes it can be overkill. However, for me, if it comes to choosing between a cloth face mask that I already own and one that I have to special order so that it looks exactly like my face then I’ll pass. No thanks. I don’t care if people recognize me or if facial recognition systems can positively identify me. Not my problem.‌‌

That is all I have for this week peeps! Sorry, that was quite a bit to dump on you, I know. Privacy is a choice. Anybody who says they don’t care about privacy because they have nothing to hide should post all of their personal information to include all of their website passwords to social media. See what happens… No one would willingly do something that stupid, right? Perhaps then, we all some things we’d like to keep private.

Trust No One. Verify Everything. Leave No Trace.

Additional Privacy Resources

z3r0trust Privacy Newsletters: 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, #4–20, #5–20, #6–20, #32–20, #33–20, #8–20, #9–20, 16, 17, 45–20, 46–20, 47–20, 48–20, #1–21, #2–21, #3–21, #6–21

*Privacy-related articles also published by the author can be found here.

Other helpful privacy info: EFFector | Atlas of Surveillance | Privacy Tools | IAPP | ACLU | PogoWasRight.org | DataBreaches.net

References

BBC News. (2020, August 7). TikTok threatens legal action against Trump US ban. Retrieved from https://www.bbc.com/news/business-53660860

Bode, K. (2019, June 27). Former Head Of Ajit Pai’s Broadband Advisory Council Is Headed To Prison For Fraud. Retrieved from https://www.techdirt.com/articles/20190625/07563042471/former-head-ajit-pais-broadband-advisory-council-is-headed-to-prison-fraud.shtml

Cox, K. (2020, August 4). Twitter faces FTC probe, likely fine over use of phone numbers for ads. Retrieved from https://arstechnica.com/tech-policy/2020/08/twitter-faces-ftc-probe-likely-fine-over-use-of-phone-numbers-for-ads/

FCC. (2020). Combating Spoofed Robocalls with Caller ID Authentication. Retrieved from https://www.fcc.gov/call-authentication

Fifield, A., Morello, C., Nakashima, E., Harris, S. (2020, July 22). China pledges to retaliate after U.S. orders closure of its consulate in Houston. Retrieved from https://www.washingtonpost.com/world/asia_pacific/china-vows-to-retaliate-after-us-orders-closure-its-consulate-in-houston/2020/07/22/41e5c6ea-cbf1-11ea-99b0-8426e26d203b_story.html

Galperin, E. (2014, March 13). New NSA Slides Reveal Tailored Access Run Amok. Retrieved from https://www.eff.org/deeplinks/2014/03/new-nsa-slides-reveal-tailored-access-run-amok

Gibbs, S. (2016, April 19). SS7 hack explained: what can you do about it? Retrieved from https://www.theguardian.com/technology/2016/apr/19/ss7-hack-explained-mobile-phone-vulnerability-snooping-texts-calls

IAPP. (2020). CCPA Amendment Tracker. Retrieved from https://iapp.org/resources/article/ccpa-amendment-tracker/

NSA. (2020, August 4). Limiting Location Data Exposure. Retrieved from https://media.defense.gov/2020/Aug/04/2002469874/-1/-1/0/CSI_LIMITING_LOCATION_DATA_EXPOSURE_FINAL.PDF

Wong-Shing, K. (2020, July). Company Makes Custom ‘selfie’ Masks That Look Like Your Face. Retrieved from https://www.simplemost.com/company-makes-custom-masks-that-match-your-face/?partner=buffer_SM&utm_campaign=buffer_SM&utm_medium=new&utm_source=facebookSM

Yin, K. (2020, July 23). China orders US to close Chengdu consulate in retaliation to Houston closure. Retrieved from https://abcnews.go.com/International/china-orders-us-close-chengdu-consulate-retaliation-houston/story?id=71956863

--

--

--

the salty chronicles of one bumbling infosec engineer’s lifelong quest to design less shitty privacy & security while trying his best not to blow up the planet

Love podcasts or audiobooks? Learn on the go with our new app.

Recommended from Medium

DeFi Wizard Customer Support Portal is live!

DevSecOps — What Security Controls exist and when to implement them?

5 Scams You Should Know to Keep your Crypto and NFTs Safe

Becoming Virtually Untraceable (Eps1.0_B4s!c_T3chn1qu3s.onion)

TryHackMe: Bolt walkthrough by Mayur Parmar(th3cyb3rc0p)

{UPDATE} Humpback Whale Hack Free Resources Generator

Transforming the Future of Business Communication

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
꧁𓊈𒆜🆉3🆁🅾🆃🆁🆄🆂🆃𒆜𓊉꧂

꧁𓊈𒆜🆉3🆁🅾🆃🆁🆄🆂🆃𒆜𓊉꧂

the salty chronicles of one bumbling infosec engineer’s lifelong quest to design less shitty privacy & security while trying his best not to blow up the planet

More from Medium

A call to action: it’s time for DAOscord

What to Do with Critical Medical Device Vulnerabilities