Author Archives: Troy Hunt

Weekly Update 139

Per the beginning of the video, it's out late, I'm jet lagged, all my clothes are dirty and I've had to raid the conference swag cupboard to even find a clean t-shirt. But be that as it may, I'm yet to miss one of these weekly vids in the 2 and a half years I've been doing them and I'm not going to start now! So with that very short intro done, here's this week's and I'll try and be a little more on the ball for the next one.

References

  1. Google is having some issues with the U2F keys they recommend for their Advanced Protection Program (but seriously, this is a pretty minor issue)
  2. I'm definitely still recommending this approach for locking down Google accounts (that's my piece from November on how to get it all set up)
  3. Forbes had some Magecart script running on their site (interesting breakdown by @bad_packets)
  4. Let's Encrypt's CT log is now up and running (with support from Sectigo too so kudos to them for that, it's a very different approach to the old Comodo)
  5. I'm up for some European Blogger Awards again! (I'd love your votes folks 😎)
  6. Twilio is sponsoring my blog again this week (check how to implement 2FA in your app with Authy)

Weekly Update 138

After a mammoth 30-hour door-to-door journey, I'm back in the USA! It's Minnesota this week and I've just wrapped up a couple of days of Hack Yourself First workshop followed by the opening keynote at NDC followed by PubConf. All great events but combined with the burden of travel, all a bit tiring too (plus, it turns out that emails don't stop coming in when you're busy...) There's a real crypto theme to this week's update courtesy of some of the contents in my keynote, a really ridiculous article on PC Mag I came across and a lovely meeting with a few of the folks from Let's Encrypt. There's also a follow-up to the video I promised to include in this blog post...

After recording this piece, I went and checked what had changed on that PC Mag article about certs. As expected, it turns out it was just promotional content on Sectigo, specifically changing the name from Comodo and also changing some of the content. Here's a diff of the archive.org version from earlier this month versus today:

Gotta keep that "good reputation"! Still in the PC Mag article:

  1. "you're probably best off clicking away from [sites using DV certs] as fast as you can"
  2. "most modern web browsers will indicate that an EV certificate is being used by showing a green Uniform Resource Locator (URL) bar"
  3. "You usually get what you pay for"

To be clear too: archive.org shows a few edits of that article in October and November last year then nothing until the 6th of May which is the day I tweeted this:

You can see why this sort of thing is so frustrating to folks like Scott and I; imagine what it's like for people actually trying to figure out what certificate they should acquire! Anyway, all that and more in this week's update:

References

  1. I'm doing another Hack Yourself First workshop in New York next week (we've still got tickets available for that one, kicks off on Monday!)
  2. PC Mag did an absolute hatchet piece on certificates full of disinformation and clearly motivated by commercial desires (I've linked to my tweet as the ensuing discussion makes for "entertaining" reading)
  3. Some people remain insistent on arguing about Let's Encrypt's success to the fullest extent possible (but they're easily debunked arguments, which brings me to the next point...)
  4. Let's Encrypt certs are now used by 38% of the Alexa Top 1M sites serving content over HTTPS (that's based on Scott's nightly crawler stats)
  5. There's some real upsides to having phishing sites served over HTTPS (that's Scott's piece from Jan last year)
  6. Varonis is sponsoring my blog this week (they're talking about insider threats again, courtesy of the course I made for them 🙂)

Weekly Update 137

It's the last one from home for a few weeks, both for Scott and myself. Whilst I head off to the US for a couple of weeks, he's back home to the UK before other Europe travel then we'll both end up back on the Gold Coast in a few weeks' time before the AusCERT conference.

This week, we're talking about how kids are so good at circumventing things like parental controls and how maybe - just maybe - talking to your kids and using some social techniques is a better (or at least complementary) approach to hard controls. Partly as a result of that tweet, we're also discussing the rampant negativity we seem to constantly face by a small minority on Twitter. It's minor in numbers, but increasingly carries a mental weight (see the link below for context). Plus there's Trustico. Ah, Trustico, just have a listen and see what you think...

References

  1. My 9-year old found a clever way to circumvent iOS' parental controls (imagine what it's like for the average person trying to understand this stuff...)
  2. We're both confounded by the unnecessary ongoing negativity folks on Twitter seem intent on espousing (I'm linking to this one because it's a perfect example of injecting negativity into an otherwise happy, joyful tweet)
  3. Trustico has some really shady marketing going on with their certs (that's a link to Scott's post smashing the screwy - make sure you search for "nerdville"!)
  4. Twilio are sponsoring my blog this week, check out what you can do with Authy to add 2FA to your site (this is dead easy - do it!)

Weekly Update 136

Scott is still here with me on the Gold Coast lapping up the sunshine before NDC Security next week so I thought we'd do this week's video next to the palm trees and jet ski 😎 But, of course, there's still a heap of stuff happening that's worthy of discussion, everything from the UK gov's NCSC doing good work to the Reply All podcast I was on this week to new data breaches to the ongoing shenanigans involving kids "smart" watches. And oh boy, the communications strategies of a couple of these in particular is just absolutely woeful. All that and more in this week's update.

Oh - and right after I published this, I noticed some crazy static for about 14 seconds at the 27:15 mark. Sorry - I'd republish it but I'd be looking at about 2 hours to re-render and re-upload and this is already going out a couple of hours late so, yeah, sorry!

References

  1. The NCSC has published a list of the worst 100k passwords you can now go and download (these came from HIBP's Pwned Passwords list and are available to download in the clear)
  2. The Pwned Passwords API has really grown in usage lately (10.5M hits a day with a 98.4% cache hit ratio courtesy of Cloudflare)
  3. I was on the Reply All podcast again this week (these guys rock - listen to this podcast at every opportunity!)
  4. TicTocTrack is back online per the schedule they represented last week, but apparently the Sri Lanka bombings meant they were back online... when they said they would be? (that's a link to the original story, their PR process has been absolutely terrible)
  5. There are some very shady communications coming from SPACETALK in the wake of the TicTocTrack incident (seriously guys, when is ambulance chasing ever looked on as a good thing?!)
  6. Varonis is sponsoring my blog this week and giving you access to their free "Enemy Within" course (written by me!)
  7. And whilst we're talking insider threats, let us not forget the man who outsourced his job to China (6 years old now, still kinda stupid and hilarious at the same time)

Weekly Update 135

It's another episode with Scott Helme this week as he's back in town for NDC Security on the Gold Coast (still got a week to get those tickets, folks!) The timing actually works out pretty well as there was this week's announcement around Let's Encrypt's transition of their root cert which is right up his alley. There's also the whole TicTocTrack kids watch situation which aligns very well with both our prior experiences. And just on that, when we recorded the video they were planning on getting the service back up and running that day (Thursday Aus time when we recorded). Turns out that didn't happen and frankly, kudos to them for taking a little more time to get things right:

All that and more in this week's update:

References

  1. We're at NDC Security on the Gold Coast week after next (Scott's doing the World's Best TLS Training, I'm doing Hack Yourself First)
  2. Let's Encrypt's transition to ISRG root (that post of Scott's went to number 1 on Hacker News so good work on that mate!)
  3. TicTocTrack had an absolute zinger of an IDOR vulnerability (they're not the only watch in this class to have serious flaws either)
  4. Twilio are sponsoring my blog this week, big thanks to them! (check out how you can use Authy to add 2FA to your app)

How to Track Your Kids (and Other People’s Kids) With the TicTocTrack Watch

Do you ever hear those stories from your parents along the lines of "when I was young..." and then there's a tale of how risky life was back then compared to today. You know, stuff like having to walk themselves to school without adult supervision, crazy stuff like that which we somehow seem to worry much more about today than we did then. Never mind that far fewer kids go missing today than 20 years ago and there's much less chance of them being hit by a car, circumstances are such today that parents are more paranoid than ever.

The solution? Track your kids' movements, which brings us to TicTocTrack and the best way to understand their value proposition is via this news piece from a few years ago:

Irrespective of what I now know about the product and what you're about to read here, this sets off alarm bells for me. I've been involved with a bunch of really poorly implemented "Internet of Things" things in the past that presented serious privacy risks to those who used them. For example, there was VTech back in 2015 who leaked millions of kids' info after they registered with "smart" tablets. Then there was CloudPets leaking kids' voices because the "smart" teddy bears that recorded them (yep, that's right) then stored those recordings in a publicly facing database with no password. Not to mention the various spyware apps often installed on kids' phones to track them which then subsequently leak their data all over the internet. mSpy leaked data. SpyFone leaked data. Mobiispy leaked data. And that's just a small slice of them.

And then there's kids' smart watches themselves. A couple of years back, the Norwegian Consumer Council discovered a whole raft of security flaws in a number of them which covered products from Gator, GPS for barn and Xplora:

These flaws included the ability for "a stranger [to] take control of the watch and track, eavesdrop on and communicate with the child" and "make it look like the child is somewhere it is not". These issues (among others), led the council's Director of Digital Policy to conclude that:

These watches have no place on a shop’s shelf, let alone on a child’s wrist.

Referencing that report, US Consumer groups drew a similar conclusion:

US consumer groups are now warning parents not to buy the devices

The manufacturers fixed the identified flaws... kind of. Two months later, critical security flaws still remained in some of the watches tested, the most egregious of which was with Gator's product:

Adding to the severity of the issues, Gator Norge gave the customers of the Gator2 watches a new Gator3 watch as compensation. The Gator3 watch turned out to have even more serious security flaws, storing parents and kids’ voice messages on an openly available webserver.

Around a similar time, Germany outright banned this class of watch. The by-line in that piece says it all:

German parents are being told to destroy smartwatches they have bought for their children after the country's telecoms regulator put a blanket ban in place to prevent sale of the devices, amid growing privacy concerns.

Wow - destroy them! The story goes on to refer to the German Federal Network Agency's rationale which includes the fact that "parents can use such children’s watches to listen unnoticed to the child’s environment". This is a really important "feature" to understand: these devices aren't just about tracking the kids whereabouts, they're also designed to listen to their surroundings... including their voices. Now on the one hand you might say "well, parents have a right to do that". Maybe so, maybe not, you'll hear vehement arguments on that both ways. But what if a stranger had that ability - how would you feel about that? We'll come back to that later.

Around a year later, Pen Test Partners in the UK found more security bugs. Really bad ones:

Guess what: a train wreck. Anyone could access the entire database, including real time child location, name, parents details etc.

This wasn't just bad in terms of the nature of the exposed data, it was also bad in terms of the ease with which it was accessed:

User[Grade] stands out in there. I changed the value to 2 and nothing happened, BUT change it to 0 and you get platform admin.

So change a number in the request and you become God. This is something which is easily discovered in minutes either by a legitimate tester within the organisation building the software (which obviously didn't happen) or... by someone with malicious intent. The Pen Test Partners piece concludes:

We keep seeing issues on cheap Chinese GPS watches, ranging from simple Insecure Direct Object Request (IDOR), to this even simpler full platform take over with a simple request parameter change.

Keep that exploit in mind - insecure direct object references are as simple as taking a URL like this:

example.com/get-kids-location?kid-id=27

And changing it to this:

example.com/get-kids-location?kid-id=28

The level of sophistication required to exploit an IDOR vulnerability boils down to being able to count. That was in January this year, fast forward a few months and Ken Munro from Pen Test Partners contacts me. He's found more serious vulnerabilities with the services these devices use and in particular, with TicTocTrack's product. He believes the same insecure direct object reference issues are plaguing the Aussie service and they need someone on the ground here to help establish the legitimacy of the findings.
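To make the "change a number in the URL" problem concrete from the defender's side, here is an added example in Python (not code from this post, nor from TicTocTrack or Pen Test Partners): a toy version of a kid-location endpoint with the insecure direct object reference beside the hardened handler. The record table, ids, coordinates and field names are all constructed for the example and are assumptions, not anything observed in the real service. The write path is included too, since the same missing ownership check is what lets a stranger relocate a child or add themselves as a parent, and the field allow-list is there because a request body should never be able to set ownership or role fields (the "User[Grade]" problem quoted earlier).

```python
# Added example, not code from Troy Hunt's post nor from TicTocTrack or Pen Test
# Partners. A toy "get-kids-location" endpoint: first with the insecure direct
# object reference (IDOR), then hardened. All ids, names and coordinates are
# constructed for the example.
from typing import Any, Dict, Tuple

Location = Tuple[float, float]

# Constructed sample data: two parent accounts, each owning one child record.
KIDS: Dict[int, Dict[str, Any]] = {
    27: {"parent_id": 1, "name": "Kid A", "location": (-27.96, 153.41)},
    28: {"parent_id": 2, "name": "Kid B", "location": (-27.94, 153.40)},
}

# Fields a parent may change on their own child's record. Ownership and any
# role-like field are deliberately absent, so a request body cannot reassign a
# child to another parent or grant itself elevated rights (mass assignment).
UPDATABLE_FIELDS = frozenset({"name", "location"})


class AccessDenied(Exception):
    """Raised when the caller is not allowed to see or change the record."""


def get_kid_location_vulnerable(caller_parent_id: int, kid_id: int) -> Location:
    # The caller is authenticated (we know caller_parent_id) but the handler
    # never checks that the caller owns kid_id: whatever number is in the URL wins.
    return KIDS[kid_id]["location"]


def _owned_record(caller_parent_id: int, kid_id: int) -> Dict[str, Any]:
    kid = KIDS.get(kid_id)
    # One error for "no such record" and "not your record", so a probing caller
    # cannot use the difference in responses to confirm which ids exist.
    if kid is None or kid["parent_id"] != caller_parent_id:
        raise AccessDenied(f"parent {caller_parent_id} may not access kid {kid_id}")
    return kid


def get_kid_location(caller_parent_id: int, kid_id: int) -> Location:
    # Hardened: the object is resolved through the caller's ownership, not by id alone.
    return _owned_record(caller_parent_id, kid_id)["location"]


def update_kid(caller_parent_id: int, kid_id: int, fields: Dict[str, Any]) -> Dict[str, Any]:
    # Same ownership check on the write path (the "relocate the child" case),
    # plus an allow-list so that unexpected keys in the body are rejected
    # outright rather than silently written into the record.
    kid = _owned_record(caller_parent_id, kid_id)
    unexpected = set(fields) - UPDATABLE_FIELDS
    if unexpected:
        raise AccessDenied(f"fields not updatable: {sorted(unexpected)}")
    kid.update(fields)
    return dict(kid)


def access_allowed(handler, caller_parent_id: int, kid_id: int, *args) -> bool:
    """True if the handler succeeds for this caller, False if it denies access."""
    try:
        handler(caller_parent_id, kid_id, *args)
        return True
    except AccessDenied:
        return False


if __name__ == "__main__":
    # Parent 1 asking for kid 28 (parent 2's child): the IDOR leaks it,
    # the hardened handler refuses.
    print("vulnerable:", get_kid_location_vulnerable(1, 28))
    print("hardened allows own child:", access_allowed(get_kid_location, 1, 27))
    print("hardened allows other child:", access_allowed(get_kid_location, 1, 28))
    print("body tries to reassign parent:",
          access_allowed(update_kid, 2, 28, {"parent_id": 1}))
```

The key design point is that `_owned_record` makes the ownership check the only way to reach a record, so every handler inherits it; the allow-list on `update_kid` is a separate control and is needed even once ownership is checked, because a parent editing their own child must still not be able to change who that child belongs to.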

To test Pen Test Partners' theory, I decided to play your typical parent in terms of the buying and setup process and use my 6-year old daughter, Elle, as the typical child. She's smack bang in the demographic of who the watch is designed for and I was happy to give Ken access to her movements for the purposes of his research. So it's off to tictoctrack.com.au where the site leans on its Aussie origins:

I can understand why companies emphasise the "we host your data near you" mantra, but in practical terms it makes no difference whether it's in Australia or, say, the US. You're also often talking about services that are written and / or managed by offshore companies anyway so where the data physically sits really is inconsequential (note: this is assuming no regulatory obligations around co-locating data in the country of origin). The "we take the security of your data seriously" bit, however, always worries me and as you'll see shortly, that concern is warranted.

The Aussie angle comes up again further down the page too:

At this point it's probably worthwhile pointing out that despite the Aussieness asserted on the front page, the origin of the watch isn't exactly very Australian. In fact, the watch should be rather familiar by now:

So for all the talk of TicTocTrack, the hardware itself is actually Gator. In fact, you can see exactly the same devices over on the Gator website:

It's not clear how they arrived at the conclusion of "the world's most reputable GPS watch for kids and elders", especially given the earlier findings. And who is Gator? They're a Chinese company located in Shenzhen:

The country of origin would be largely inconsequential were it not for TicTocTrack's insistence on playing the Aussie card earlier on. It's also relevant in light of the embedded media piece at the start of this blog post: this isn't "a new device developed by a Brisbane mother" nor is the mother "the creator of the watch". In fairness to Karen Cantwell, it wasn't her making those claims in the story and the media does have a way of spinning things, but it's important to be clear about this given how this story unfolds from here.

Regardless, let's proceed and actually buy the thing. I get Elle involved and allow her to choose the colour, with rather predictable results:

The terms and conditions were actually pretty light (kudos for that!) but the link to the privacy and security policies was dead. I go through the checkout process and buy the watch:

iStaySafe Pty Ltd is the parent company and we'll see that name pop up again later on. An email promptly arrives with a receipt and a notice about the order being processed, albeit without a delivery time frame mentioned. With time to kill, I decide to poke around and take a look at how the tracking works, starting with the link below:

Turns out the tracking app is a totally different website running on a totally different hosting provider in a totally different state:

The primary site is down in Melbourne whilst the tracking site is in Brisbane per the info on the front page. My credentials from the primary site don't work there and registering results in me needing to choose a reseller:

Here we see iStaySafe again, but it's the other resellers (all Aussie companies) that help put the whole Gator situation in context. Uniting Agewell provides services to the elderly and when considering the nature of the Gator watch, it made me think back to a comment on the Chinese manufacturer's website: "the world's most reputable GPS watch for kids and elders". Cellnet is a publicly listed company with a heap of different brands. Weareco produces uniforms. eHomeCare provides "smart care technology for healthy ageing" and their product page on the GPS tracking watch explains the relationship:

As it turns out, attempting to sign up just boots me back to the TicTocTrack website so I assume I just need to wait for the watch to arrive before going any further. Still, this has been a useful exercise to understand not just how the various entities relate to each other, but also because it shows that the scope of this issue isn't just constrained to kids, it affects the elderly too.

A few days later, this lands in the mail:

I'm surprised by how chunky it is - this is a big unit! For context, here it is next to my series 4 Apple Watch (44mm - the big one):

I'm not exactly expecting Apple build quality here (and as you can see from the pic, it's a long way from that), but this is a lot to put on a little kid's wrist. You can see the access port for the physical SIM card (more on that later), as opposed to Apple's eSIM implementation so it's obviously going to consume a bunch of space when you're building a physical caddy into the design to hold a chip on a card.

Regardless, let's get on with the setup process and I'm going to be your average everyday parent and just follow the instructions:

The app is branded TicTocTrack and is published by iStaySafe:

Popping it open, the first step is registration (the mobile number is a pre-filled placeholder):

I'm surprised by the empty space at the top and the bottom - just which generation of iPhone was this designed for? Certainly not the current gen XS, does that resolution put it back in about the iPhone 5 era from 2012? That'd be iOS 6 days which their user manual seems to suggest:

Whilst the aesthetics of the app might seem inconsequential, I've always found that it's a good indicator of overall quality and is often accompanied by shortcomings of a more serious nature. It's the little things that keep popping up, for example the language and grammar in the aforementioned user manual. Why is it "Support Platforms" and then "Supported devices"? And why is the opening sentence of the doc so... odd?

Welcome to TicTocTrack® User Manual! You are about to begin your journey with the live tracking with your family.

That sort of language appears every now and then, for example in the password reset section:

If you forget your password, please use web portal to obtain new password.

It has me wondering how much of this was outsourced overseas and again, that wouldn't normally be worth mentioning were it not for the emphasis placed on the Aussie origins of the service (I know, despite it being a Chinese watch). The actual origins of the service become clear once you look at the download links for the app:

Searching for that same "Nibaya" name on the TicTocTrack website turns up several different versions of the user manual:

It turns out that Nibaya is a Sri Lankan software development company with a focus on quality control and quality assurance:

We're also told by the browser that they're "Not secure" which is not a great look in this day and age. They do in fact have a certificate on the site, only thing is it expired two and a half years ago and they haven't bothered to renew it:

Moving on, there's a mobile phone number verification process which sends an SMS to my device:

Only thing is, the keyboard defaults back to purely alphabetical after every character is typed so unless you pre-fill the field from the SMS (which iOS natively allows you to do), it's a bit painful. Again, it's all the little things.

Following successful number verification, the app fires up and asks for access to location data:

Based on what I'd already read in the user manual, my location data can be used to direct me to a child wearing the watch so requesting this seems fine for that feature to function correctly.

Next is the money side of things and we're looking at $20 a month for the "Full Service Subscription":

If I'm honest, I'm still a bit confused about what this entails. Is this for the tracking service? Or for the Telstra SIM which it shipped with and is identically priced?

Or is it for both? I'm assuming both but then when I look at the service plans on the website, none of them are priced at $19.99. Regardless, I take the $20 option and move on:

The adding a device bit I get - I'm going to need to pair the watch - but the subscription bit further confuses me because I've literally just bought a subscription on the previous screen! For my purposes I don't see myself needing it for any more than 7 days anyway so I'm not too concerned, let's go and add that new device:

A new TicTocTrack watch it is:

And let's go with the supplied SIM which then leads us to the device and SIM registration page:

The IMEI is the identifier of the device itself (the watch) and that can be scanned off the barcode in the packaging. The SIM ID relates to the pre-packaged SIM from Telstra, the barcode for which is under one of the grey obfuscation boxes in the earlier image. I call the device "Elle", register it and that's that.

Lastly, I insert the SIM into the watch (the metal flap for which opens in the opposite direction to the video tutorial and took me a good 5 minutes to work out for fear of breaking it), then drop it onto the power. Give it a couple of hours to charge, boot it up and shortly afterwards it's showing a 3G connection:

I give it a little time to sync to the TicTocTrack service then successfully find it in the app:

Drilling down on Elle's profile, I get an address and GPS coordinates which are both pretty accurate:

To its credit, the watch does a pretty good job of the setup and tracking process once you're past some of the earlier hurdles. At this stage, I now have a device which is broadcasting its location reliably and I can successfully see it in the app. I'm not going to go through other features such as the ability to send an SOS or make a call, at this stage all I really care about is that the watch is now tracking her movements.

The next day, we head off to tennis camp (it's school holiday time) with the TicTocTrack / Gator on her wrist:

She isn't aware of why she has the watch, to her it's just a new cool thing she gets to wear. And it's pink so that's all boxes ticked. She's now at the local court whilst I (in my helicopter parent mode), am sitting at home watching her location on my device:

Safe in the knowledge that my little girl is in a place that I trust, I get back to work. But someone else is also watching her location, someone on the other side of the world who is now able to track her every move - it's Ken. Not only is Ken watching, as far as TicTocTrack is concerned he's just taken her away:

She's no longer playing tennis, she's now in the water somewhere off Wavebreak island. This isn't a GPS glitch; Ken has placed her four and a half kilometres away by exploiting an insecure direct object reference vulnerability in TicTocTrack's API. He's done this with my consent and only to my child, but you can see how this could easily be abused. It's not just the concept of making someone's child appear in a different location to what the parents expect, you could also have them appear exactly where the parents expect... when they're actually nowhere near there.

But these devices are about much more than just location tracking, they also enable 2-way voice communications just as you'd have on a more traditional cellular phone. This, in turn, introduces a far creepier risk - that unknown parties may be able to talk to your kids. In order to demonstrate this, I put the watch back on Elle and gave Pen Test Partners permission to contact her. Pay attention to how much interaction is required on her part in order for a stranger to begin talking to her simply by exploiting a vulnerability in the TicTocTrack service:

Even for me, that video is creepy. It required zero interaction because Vangelis was able to add himself as a parent and a parent can call the device and have it automatically answer without interaction by the child. The watch actually says "Dad" next to a little image of a male avatar so a kid would think it was their father calling them:

This is precisely what the Germans were worried about when they banned the watches outright and when you watch that video, it seems like a pretty good move on their part.

The exploits go well beyond what I've already covered here too, for example:

That link goes off to a Facebook post by an account called Travelling with Kids which very enthusiastically espouses the virtues of tracking them (it's not explicitly said, but the post appears to be promotional in nature):

The little wanderers were stoked to be going off to kids club at the Hard Rock Hotel Bali We have complete peace of mind knowing they’re wearing their TicTocTrack watches, so they can call us at anytime and with GeoFencing we know their location

By now, I'm sure you can see the irony in the "peace of mind" statement.

The technical flaws go much further than this but rather than covering them here, have a read of the Pen Test Partners write-up which includes details of the IDOR vulnerability. Just to put it in layman's terms, here's the discussion I had with Vangelis about it:

Being conscious that many people who don't normally travel in information security circles will read this, handling a vulnerability of this nature in a responsible fashion is enormously important. Obviously you want to remove the risk ASAP, but you also want to make sure that information about how to exploit it isn't made public beforehand. We religiously followed established best practices for responsible disclosure, here's the timeline with dates being local Aussie ones for me:

  1. Saturday 6 April: Ken first contacts me about the watch. I order one that morning.
  2. Tuesday 9 April: Watch arrives.
  3. Wednesday 10 April: I set the account up.
  4. Thursday 11 April: Elle wears the watch to tennis and we test "relocating" her.
  5. Friday 12 April: Vangelis calls her and has the discussion in the video above. Ken privately discloses the vulnerability to TicTocTrack support that night.
  6. Monday 15 April (today): TicTocTrack takes the service offline.

A couple of hours before publishing, I received a notification to the email address I signed up with as follows:

I'm in 2 minds about this message: on the one hand, they took the service down as fast as we could reasonably expect, within a single business day, so kudos to them for that. On the other hand, the messaging worries me in a number of ways:

Firstly, Ken didn't just "allege" that there were security flaws, he spelled it out. His precise wording was "The service fails to correctly verify that a user is authorised to access data, meaning that anyone can access any data, should they so wish". Anyone testing for a flaw of this nature would very quickly establish that changing a number in the request would hand over control of someone else's account, thus proving the vulnerability beyond any shadow of a doubt. The word "alleged" was used 3 times in the statement and it implies that these are unsubstantiated claims; they're clearly not. Which brings me to the next point:

Secondly, it wouldn't make sense to pull down the entire service if you weren't convinced there was a serious vulnerability. Many people allege there are security flaws in services but they don't generally go offline until they're proven. Clearly an incident like this has a bunch of downstream impact and acknowledging it publicly is not something you do on a whim. Either TicTocTrack was very confident in the accuracy of Ken's report (well beyond what "alleged" implies) or there were other factors I'm not aware of that drove them to rapidly pull the service.

Thirdly, the following statement was made without citing any evidence: "there has never been a security breach that has led to our customer's personal data being used for malicious purposes". It's not uncommon to see a response like this following a security incident, but what it should read is "we don't know if there's ever been a security breach..." This vulnerability relied on an authenticated user with a legitimate account modifying a number in the request, and the likelihood of that being logged in a fashion sufficient to establish it ever happened is extremely low. And if you were the kind of developers to log this sort of information, you'd also be the kind not to have the vulnerability in the first place!
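To make the class of flaw concrete, here is an added example (not code from TicTocTrack or Pen Test Partners): a request handler with the authorisation gap Ken described, beside a hardened version that ties the lookup to the caller's identity and logs denied attempts, which is exactly the evidence a "never been a breach" claim would need. The device ids, usernames, locations and the in-memory store are all constructed for illustration; the real API's shape is not on the page.

```python
"""Added example of the IDOR pattern described in the post, with the fix.
Everything here (device ids, users, locations, the store) is constructed;
it is not TicTocTrack's code and makes no claim about their real API."""

from dataclasses import dataclass
from typing import Callable, Iterable, Optional


@dataclass
class Device:
    device_id: int
    owner: str          # username of the parent who registered the watch
    last_location: str  # constructed sample value


@dataclass
class Request:
    user: str           # the authenticated caller, resolved from the session
    device_id: int      # the number the client supplies in the request


class AuthorizationError(Exception):
    pass


# Constructed sample data: two families, each with their own watch.
DEVICES = {
    1001: Device(1001, "alice", "tennis court, -28.0, 153.4"),
    1002: Device(1002, "bob", "kids club, -8.7, 115.2"),
}

AUDIT_LOG: list[str] = []  # stands in for the server's security log


def vulnerable_location(req: Request) -> str:
    """The flaw the post describes: the caller is authenticated, but the
    handler never checks that the device belongs to them. Any logged-in
    user who changes device_id gets another family's location."""
    return DEVICES[req.device_id].last_location


def hardened_location(req: Request) -> str:
    """Same endpoint with the missing authorisation check.

    The result depends on the caller's identity as well as the id, so an id
    that exists but belongs to someone else is indistinguishable from one
    that does not exist (no enumeration oracle). Denied attempts are written
    to the audit log so that probing is detectable after the fact."""
    device: Optional[Device] = DEVICES.get(req.device_id)
    if device is None or device.owner != req.user:
        AUDIT_LOG.append(f"AUTHZ_DENY user={req.user} device_id={req.device_id}")
        raise AuthorizationError("device not found")
    return device.last_location


def count_cross_account_reads(handler: Callable[[Request], str],
                              users: Iterable[str],
                              ids: Iterable[int]) -> int:
    """Defender-side check: for every (user, id) pair, count the reads that
    succeed against a device the user does not own. A correct handler
    returns 0; the vulnerable one returns every foreign device it serves."""
    leaks = 0
    for user in users:
        for device_id in ids:
            try:
                handler(Request(user, device_id))
            except (AuthorizationError, KeyError):
                continue
            if DEVICES[device_id].owner != user:
                leaks += 1
    return leaks


if __name__ == "__main__":
    users, ids = ["alice", "bob"], [1001, 1002, 1003]
    print("vulnerable leaks:", count_cross_account_reads(vulnerable_location, users, ids))
    print("hardened leaks:  ", count_cross_account_reads(hardened_location, users, ids))
    print("\n".join(AUDIT_LOG))
```

The same check run against the vulnerable handler returns 2 (each parent can read the other's watch); against the hardened one it returns 0 and leaves four AUTHZ_DENY lines in the log.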

Let's be perfectly clear - this is just one more incident in a series of similar ones impacting kids tracking watches and Gator in particular. What's infuriating about this situation is that not only do these egregiously obvious security flaws keep occurring, they're just not being taken seriously enough by the manufacturers and distributors when they do occur. There's no finer illustration of this than the statement Ken got when speaking to an agent over in his corner of the world:

UK agent for Gator said that they didn’t have the money for security, as otherwise they couldn’t afford a staff Xmas party

Is that really where we're at? Tossing up between exposing our kids in this fashion and beers at Christmas? If you're a parent ever considering buying one of these for your kid, just remember that quote. Inevitably, cost would have also been a major driver for TicTocTrack outsourcing their development to Sri Lanka, indeed it's something that Nabaya prides itself on:


I want to finish on a broader note than just TicTocTrack or Gator or even smart watches in general; a huge number of both the devices and services I see being marketed either directly at kids or at parents to monitor their kids are absolute garbage in terms of the effort invested in security and privacy. I mentioned CloudPets and VTech earlier on and I also mentioned spyware apps; by design, every one of these has access to data that most parents would consider very personal and, in many cases (such as the photos older kids are often taking), very sensitive. These products are simply not designed with a security-orientated mindset and the development is often outsourced to cheap markets that build software on a shoestring. The sorts of flaws we're seeing perfectly illustrate that: CloudPets simply didn't have a password on their database and both the VTech and TicTocTrack vulnerabilities were as easy as just incrementing a number in a web request. A bunch of the spyware breaches I referred to occurred because the developers literally published all the collected data to the internet for the world to see. How much testing do you think actually went on in these cases? Did nobody even just try adding 1 to a number in the request? Because that's all Ken needed to do; Ken can count, therefore Ken can hack a device tracking children. Maybe I should give Elle a go at that, her counting is coming along quite nicely...

There's only one way I'd track my kids with GPS and cellular and that's with an Apple Watch. I don't mean to make that sound trivial either because we're talking about a $549 outlay here which is a hell of a lot to spend on a kid's watch (plus you still need a companion iPhone), but Apple is the sort of organisation that not only puts privacy first, but makes sure they actually pay attention to their security posture too. As that Gator agent in the UK well knows, security costs money and if you want that as a consumer, you're going to need to pay for it.

I'll leave you with this thread I wrote up when first starting to look at the watch. It got a lot of traction and I'd like to encourage you to share it with your parenting friends on Twitter or via the one I also posted to Facebook.

Weekly Update 134


That's the second update in a row I've done on time! It's also another one with a bunch of other things in common with last week, namely commentary on yet more data breaches. It's not just the breaches in HIBP, but the ones I'm busily trying to disclose. This is really sucking a lot of time right now and frankly, well, I summed it up here earlier in the week:

But it's the right thing to do and I'm going to keep at it, even if it means loading data without the organisations involved responding (it certainly won't be the first time). I also go on a bit of a rant about devices and services targeted at monitoring kids and as I say in the video, you'll see precisely why this is such a big issue for me probably next week or the week after. Stay tuned for that one and for now, here's this week's vid:


References

  1. I've got 3 different NDC events with workshops coming up over the next month:
    1. Gold Coast
    2. Minnesota
    3. New York
  2. Knuddles got themselves a €20k fine for their breach (which is now in HIBP)
  3. I ranted on about how crazy the security and privacy implications are for a whole bunch of products and services targeted at monitoring kids (do read - and please share - that thread, here's a Facebook version of it too)
  4. Varonis is sponsoring my blog again this week and they have an excellent free course on insider threats (ok, I may be a little biased on that...)

Weekly Update 133


Wow, a weekly update back on the normal schedule! I also realised when watching this back how much less tired I look compared to the last few weeks. Travel takes its toll so I touched on that a bit in this week's update, along with the usual raft of new data breaches to go into HIBP. Plus there's Facebook's incidents, both the one they're not directly responsible for and the one they are responsible for, which is both a bit of a non-event and reflective of broader issues in the industry.

Next week should be bang on schedule again and with any luck, I'll look even less tired again 😎


References

  1. Here's everything that goes into a massive international speaking trip (people always publicly share the good stuff in their lives, this is the warts and all version)
  2. Stop hosting forum software yourself! (that was specifically targeted at vBulletin, I later also wrote about my broader approach to platform outages when I'm not responsible for them)
  3. The Intelimost breach has a really interesting write-up by Zack Whittaker (and it's kinda fun to see sleazy spammers come undone!)
  4. It's not Facebook's fault that 3rd party developers exposed a bunch of data from their APIs (but there's still a discussion to be had about how much data Facebook should be exposing in the first place)
  5. It is Facebook's fault that they were asking for people's email account passwords (although in practical terms, it also doesn't particularly matter)
  6. Twilio is this week's blog sponsor (they're talking about how 2FA helps secure online transactions and helps comply with regs like PSD2)

Weekly Update 132


From last week's update in Seattle to home to Sydney to back home and a late update (again). But regardless, I'm committed to continuing the cadence of doing these updates each week and 132 of them in, I'm yet to miss a week.

This week it's a combination of more of the same (travel, events and data breaches), as well as more thoughts on the future of HIBP and Cloudflare's role when it comes to nasty content online. That last one in particular is a really tricky discussion and it's one that tends to come back to the surface after events that cause us to reflect on the nature of online speech that, whilst legal, we all (well, almost all) just don't want being online. I'm not sure exactly what the answer is that allows us to have both the freedoms and safety we want, but I do think that acknowledging the issues on both sides of that debate is important. All that and more this week; next week will be another update from home and with any luck, one that puts me back on the usual Friday schedule.


References

  1. I've got a bunch of events coming in the US, Europe and Israel (that's a complete list of all the public 2019 events)
  2. I'm being inducted into the Infosecurity Hall of Fame in London (this is pretty cool, I'm really looking forward to the event in June!)
  3. Tens of millions of more records went into HIBP this week (the Twitter feed lists them all, including how many unique addresses were found)
  4. The Cloudflare issue around what they should censor is a really dicey one (that link goes back to issues with the Daily Stormer in 2017 and is worth re-reading in light of recent events)
  5. Varonis is this week's blog sponsor (check out their live cyber attack workshop)
  6. I've created a bunch of training for Varonis in the past you can access for free (ransomware, insider threats and GDPR, amongst other topics)

Weekly Update 131


So firstly, sorry for the audio quality. I'm pretty damn frustrated with those Instamics right now between the flakey firmware upgrade process and the unexpected loss of recording today. I'll make sure I get on top of it for next time.

I'm sitting at the gate in Seattle right now about to board so I'm going to cut this intro short and jump straight into the vid. Here's this week's which has a bunch of different things in it I found interesting including the usual raft of data breaches and other industry bits and pieces. Gotta fly, enjoy!


References

  1. I'm doing a keynote for Akamai in Sydney on Thursday (hear more from me on data breaches and cyber-things)
  2. And another NDC meetup in Sydney that night (we packed these out in Brisbane and Sydney so register quickly for this one if you want to come along)
  3. The owner of Exactis wasn't real happy about the impact of their data breach on his business (yeah, the people whose data they sold weren't real happy either...)
  4. Elsevier looks like they logged a bunch of passwords in plain text (who would do that... oh, wait...)
  5. Facebook looks like they logged a bunch of passwords in plain text (they join Twitter and GitHub from last year in doing the same thing)
  6. Never ever, ever, ever install spyware on the devices of anyone you actually care about (seriously, how often are we going to go down this path?!)
  7. Twilio is sponsoring my blog again this week (they're talking 2FA with Authy, something you definitely want to look into if you're building any sort of auth system)

Weekly Update 130


Well that was a hell of a week of travel. Seriously, the Denver situation was just an absolute mess but when looking at the video from the day I was meant to fly in, maybe being stuck in LA wasn't such a bad thing after all:

But despite the dramas I did still (just) make it and got to do my talk so as close as it was, I'm still yet to miss one. This week I'm talking about a bunch of different travel things, upcoming events, data breaches and those ridiculous bloody cookie warnings everyone hates so much. Next week I'll be in Seattle and will probably also be pushing the update out a little late, but I will still be pushing it out. Until then, here's the week that was:


References

  1. I'll be keynoting at the Akamai Security Summit World tour in Sydney (it's on Thursday 28 of this month)
  2. Then I'll be doing another NDC meetup in Sydney (like Brisbane and Melbourne, that event will be oversubscribed so get in early)
  3. ixigo denies a breach (but resets everyone's passwords anyway...)
  4. These cookie warnings are absolutely ridiculous (they always were, but GDPR just continues the insanity)
  5. Ad blockers are also part of this whole problem (killing all ads - even those run responsibly - just makes the whole thing even worse)
  6. Varonis is this week's blog sponsor (watch their DFIR team investigate a cyberattack using their data-centric security stack)

These Cookie Warning Shenanigans Have Got to Stop


This will be short, ranty and to the point: these warnings are getting ridiculous:


I know, tell you something you don't know! The whole ugly issue reared its head again on the weekend courtesy of the story in this tweet:

The reason I don't know if it makes it better or worse is that on the one hand, it's ridiculous that in a part of the world that's more privacy-focused than most it essentially boils down to "take this cookie or no access for you" whilst on the other hand, the Dutch DPA somehow thinks that this makes any sense to (almost) anyone:

And the Dutch DPA’s guidance makes it clear internet visitors must be asked for permission in advance for any tracking software to be placed — such as third-party tracking cookies; tracking pixels; and browser fingerprinting tech — and that that permission must be freely obtained. Ergo, a free choice must be offered.

Is this really what we want? To continue chucking up cookie warnings to everyone and somehow expecting them to make an informed decision about the risks they present? 99% of people are going to click through them anyway (note: this is a purely fabricated figure based on the common-sense assumption that people will generally click through anything that gets in the way of performing the task they set out to complete in the first place). And honestly, how on earth is your average person going to make an informed decision on a message like this:

Do you know how hard it is to explain OAuth to technical people, let alone the masses? Oh wait - it's not OAuth - it's Oath but even I didn't get that at first because nobody really reads these warnings anyway! And now that I have read it and I know it's Oath, what does that really mean? Oh look, a big blue button that will make it all go away and allow me to do what I came here for in the first place...

But say you are more privacy focused and you wanted to follow that link in the original tweet. Here's your fix:


And if you're smart enough to actually understand what cookies are and be able to make an informed decision when prompted with a warning like TechCrunch's, then you're smart enough to know how to right click on a link and open it incognito. Or run an ad blocker. Or something like a Pi-hole.

Or you move to Australia because apparently, we don't deserve the same levels of privacy down here. Or have I got that back to front and Europeans don't deserve the same slick UX experience as we get down here? You know, the one where you click on a link to read an article and you actually get to read the article!

So let's be European for a moment and see how that experience looks - let's VPN into Amsterdam and try to control my privacy on TechCrunch:


Are you fucking serious? This is what privacy looks like? That's 224 different ad networks that are considered "IAB Partners" (that'd be the Interactive Advertising Bureau) and I can control which individual ones can set cookies. And that's in addition to the 10 Oath foundational partners:


You can't disable any of those either by the look of it so yeah, no privacy on that front. But at least you can go and read their privacy policy, right? Sure, Unruly's is 3,967 words, Facebook's is 4,498 words and Zentrick's is another 3,805 words. Oh - and remember that you need to accept cookies on each one of those sites too and you're going to want to read about how they and their partners track you...


And the ridiculous thing about it is that tracking isn't entirely dependent on cookies anyway (and yes, I know the Dutch situation touched on browser fingerprinting in general too). Want to see a perfect example? Have a go of Am I Unique and you'll almost certainly be told that "Yes! You can be tracked!":


Over one million samples collected and yet somehow, I am a unique snowflake that can be identified across requests without a cookie in sight. How? Because even though I'm running the current version of Chrome on the current version of Windows, less than 0.1% of people have the same user agent string as me. Less than 0.1% of people also have their language settings the same as mine. Keep combining these unique attributes and you have a very unique fingerprint:


The list goes on well beyond that screen grab too - time zone, screen resolution and even the way the canvas element renders on the page. It's kinda cool in a kinda creepy way.

And here's the bit that really bugs me (ok, it all bugs me but this is the worst): how do we expect your normal everyday person to differentiate between cookie warnings and warnings like these:


I know what these are and you probably do too by virtue of being on this blog, but do you really think most people who have been conditioned to click through the warning that's sitting between them and the content they wish to read understand the difference between this and a cookie warning? We literally have banks telling people just to ignore these warnings:

So in summary, everyone clicks through cookie warnings anyway, if you read them you either can't understand what they're saying or the configuration of privacy settings is a nightmare, depending on where you are in the world you either don't get privacy or you don't get UX hell, if you understand the privacy risks then it's easy to open links incognito or use an ad blocker, you can still be tracked anyway and finally, the whole thing is just conditioning people to make bad security choices. That is all.

Weekly Update 129


Heaps of stuff going on this week with all sorts of different bits and pieces. I bought a massive new stash of HIBP stickers (10k oughta last... a few weeks?), I'll be giving them out at a heap of upcoming events, I was on the Darknet Diaries podcast (which is epic!) plus there's more insights into the ShareThis data breach and the ginormous verifications.io incident. Oh - and Udemy is still pirating my content, here's the tweet if you'd like to let them know how you feel about that:

Next week I'll be coming from the US, either Denver or New York depending on how time goes. I'm sure not much will happen between now and then...


References

  1. I was on the Darknet Diaries podcast about the RockYou data breach (add this one to your regular list, Jack does a fantastic job of it)
  2. The ShareThis breach had people in there who never expected to be in there (that's a link to last week's weekly update, check out the comments there for more info)
  3. There's now 763 million more records in HIBP (you didn't give your data to verifications.io and neither did I, but they left it all sitting there open to the world)
  4. Udemy has got a long history of pirating and selling other people's content (no, they're not like YouTube, not unless they want to drop the facade of being a platform with quality content)
  5. Twilio is sponsoring my blog again this week (check out their stuff on implementing 2FA, it can be dead easy)

Weekly Update 128


I'm not intentionally pushing these out later than usual, but events over the last few weeks have just made it work out that way. This one really is a short one though as there hasn't been a lot of newsworthy stuff going on this week, other than the new Instamics I picked up which are rather cool. The audio recording did work well (I mentioned in the video I wasn't sure if it was functioning correctly), and it's pretty damn good quality for what it is. Certainly better than my old Rode lapel mic, but obviously not up to the standard of the Electro-Voice I use for professional recording.

Next week I expect I'll be a little more organised and have some more content but until then, here's a succinct 14 minutes worth of what's new on my side:


References

  1. I bought some Instamics (these are very cool units, but the firmware update process is worrying)
  2. We've got a free NDC meetup in Melbourne soon (Brisbane sold out early and Melbourne looks like doing the same)
  3. We're bringing NDC to New York! (I'll be there doing workshops and talks)
  4. I loaded the Dubsmash data breach into HIBP (also just pushed the button on ShareThis)
  5. Varonis is sponsoring my blog this week (more from them on their DFIR team investigating a cyberattack)

Weekly Update 127


It was another travel week so another slightly delayed weekly update, but still plenty of stuff going on all the same. Along with a private Sydney workshop earlier on, I'm talking about some free upcoming NDC meetup events in Brisbane and Melbourne that I'd love to get a great turnout for. I've just ordered 10k more HIBP stickers to last me through upcoming events so they'll be coming with me.

In other news, there was old news appearing as new news about how hosed you are if your machine is compromised, with the level of hosing extending to your password manager. This will inevitably be another one of these times where something gets blown out of proportion (and context) in some of the news headlines, then we'll all go back to more sane discussions about assessing relative risks, likelihoods and impacts. There's also a very steady feed of breaches making their way into HIBP after appearing for sale on dark web marketplaces so I give a bit of an update on those as well.

All that and more this week in a slightly shorter form than usual, enjoy!


References

  1. Catch me in Brisbane next week at the NDC meetup (free, and very close to capacity already)
  2. Or catch me in Melbourne a couple of weeks later for the NDC meetup there (that event has just gone up so there's tickets left, but there's also strong interest)
  3. Order yourself some Have I Been Pwned stickers (and help me by using the referral code in that blog post so I can buy more to give away at events)
  4. Twilio is sponsoring my blog this week (they're talking about how easy it is to use Authy for 2FA instead of risky SMS)

Weekly Update 126


Another week, another conference. This time it was Microsoft Ignite in Sydney and as tends to happen at these events, many casual meetups, chats, beers, selfies, delivery of HIBP stickers and an all-round good time, albeit an exhausting one. That's why I'm a day late this week having finally arrived home late last night.

Moving on though, I've got a bunch of other events coming up, particularly in conjunction with the folks at NDC. Brisbane in a couple of weeks, Gold Coast in April then Minnesota in May. Oh - plus Oslo in June and stretching out beyond that, Sydney in October. The link in the references below about how conferences can help keep speakers happy (or piss them off, as it may be) explains why I keep doing these events. All that plus more data breach news and my thoughts on the subsequent lists of credential stuffing data.


References

  1. I'm doing a free user group in Brisbane for NDC on Thursday 28 Feb (this will be a really casual presentation, Q&A and fun night out)
  2. Speaking of NDC, the show will be on in my home town of the Gold Coast in late April (that's a dedicated security event which Scott Helme will be down for too)
  3. Speaking of NDC, I'll also be at NDC Minnesota in May (Hack Yourself First workshop and a shiny keynote)
  4. The reason I keep doing NDC events is because they don't do any of these things! (that's the 10 things conferences do to upset their speakers)
  5. A heap of new data was leaked earlier on in the week (EyeEm has since been loaded into HIBP)
  6. And then even more data breaches were announced a couple of days ago (I'll obviously be keeping an eye out for those too)
  7. All these new data breaches are already starting to make the debate around credential stuffing collections a memory (but as I explain in that post, I think we're past hyping every single one of them up)