Author Archives: Troy Hunt

Weekly Update 193

First time back in a restaurant! Wandering down my local dining area during the week, I was rather excited to see a cafe that wasn't just open, but actually had spare seating. Being limited to only 10 patrons at present, demand is well in excess of supply and all you have to do is leave some contact info in case someone else in the restaurant tests positive at a later date. Fair enough too, yet somehow - still beyond my comprehension - there was a bunch of outrage expressed at the necessity to provide personal information. Talk of data breaches, stalking and government control ensued which all started to get a little "tinfoil hat", to my mind. My (more candid!) thoughts on that and more in this week's update.

References

  1. Somehow, a tweet about the joy of being able to return to restaurants became an opportunity for some people to whinge about privacy (some serious loss of priorities there amongst some people)
  2. I love getting fan mail about HIBP, and this one is particularly hilarious (ok, "fan mail" is a strong word here, but it's entertaining all the same)
  3. A heap of new data breaches have gone into HIBP this week (I make it 6 new ones which have kept me rather busy)
  4. Sponsored by NordVPN — secure your traffic with a faster VPN. For your remote work and browsing needs.

The Unattributable “db8151dd” Data Breach

I was reticent to write this blog post because it leaves a lot of questions unanswered, questions that we should be able to answer. It's about a data breach with almost 90GB of personal information in it across tens of millions of records - including mine. Here's what I know:

Back in Feb, Dehashed reached out to me with a massive trove of data that had been left exposed on a major cloud provider via a publicly accessible Elasticsearch instance. It contained 103,150,616 rows in total, the first 30 of which look like this:

The globally unique identifier beginning with "db8151dd" features heavily on these first lines, hence the name I've given the breach. I've had to give it this name because frankly, I've absolutely no idea where it came from, nor does anyone else I've worked with on this.

My delving into the breach began back in Feb with a tweet:

I embedded my own record which you can pore through in more detail on Pastebin:

It's mostly scrapable data from public sources, albeit with some key differences. Firstly, my phone number is not usually exposed and that was in there in full. Yes, there are many places that (obviously) have it, but this isn't a scrape from, say, a public LinkedIn page. Next, my record was immediately next to someone else I've interacted with in the past as though the data source understood the association. I found that highly unusual as it wasn't someone I'd expect to see a strong association with and I couldn't see any other similar folks. But it's the next class of data in there which makes this particularly interesting and I'm just going to quote a few snippets here:

Recommended by Andie [redacted last name]. Arranged for carpenter apprentice Devon [redacted last name] to replace bathroom vanity top at [redacted street address], Vancouver, on 02 October 2007.
Met at the 6th National Pro Bono Conference in Ottawa in September 2016
Met on 15-17 October 2001 in Vancouver for the Luscar/Obed/Coal Valley arbitration.

It feels like a CRM. These are records of engagement, the likes of which you'd capture in order to later call back to who had been met where and what they'd done. It wasn't just simple day to day business interaction stuff either, there was also this:

But nowhere - absolutely nowhere - was there any indication of where the data had originated from. The closest I could get to that at all was the occurrence of the following comments which appeared over and over again:

This contact information was synchronized from Exchange. If you want to change the contact information, please open OWA and make your changes there.
Exported from Microsoft Outlook (Do not delete)
Contact Created By Evercontact

Evercontact did actually reach out and we discussed the breach privately but it got us no closer to a source. I communicated with multiple infosec journalists (one of whose own personal data was also in the breach) and still, we got no closer. Over the last 3 months I kept coming back to this incident time and time again, looking at the data with fresh eyes and each time, coming up empty. And just before you ask, no, cloud providers won't disclose which customer owns an asset but they will reach out to those with unsecured assets.

Today is the end of the road for this breach investigation and I've just loaded all 22,802,117 email addresses into Have I Been Pwned. Why load it at all? Because every single time I ask about whether I should add data from an unattributable source, the answer is an overwhelming "yes":

So, mark me down for another data breach of my own personal info. There's nothing you nor I can do about it beyond being more conscious than ever about just how far our personal information spreads without our consent and indeed, without our knowledge. And, perhaps most alarmingly, this is far from the last time I'll be writing a blog post like this.

Edit 1: No, I don't load complete and individual records into HIBP, only email addresses. As such, only the presence of an address is searchable, the data associated with the address is not stored nor retrievable.

Edit 2: No, I can't manually trawl through 100M+ records and extract yours out.

Weekly Update 191

I think I'm going to stick with the live weekly update model for the foreseeable future. It makes life so much easier when it comes to editing, rendering and uploading and it means I always have something out on time. So, that's that, other news this week is mostly just bits and pieces here and there and some banter with the audience and that's just fine, it's nice having a quieter week sometimes 😊

References

  1. Finally cleaned up my garage with an awesome bike storage solution (this makes me enormously happy 😊)
  2. The UniFi G4 Pro cameras are now hardwired in (tweet thread here including creating privacy and motion zones)
  3. Underneath the surface facade of success is a huge amount of "invisible" effort (yet somehow, a few people in that thread wanted to focus on how it's harder for some people than others)
  4. Sponsored by NordVPN — an even faster VPN connection. Now powered by NordLynx, a WireGuard-based tunneling solution.

Weekly Update 190

I went with the "just record it live" approach again this week and honestly, it's working out much better for me. It's easier to publish (no manual retrieval of audio and video from devices, no editing in Premiere, no waiting for upload) and doing it in my office gets almost the same audio and video quality as the "old" way anyway. Plus, I get to interact with people whilst recording so all in all, I'm pretty happy with this approach. Let me know how you find it and if you have any suggestions for improvement. I'll try and do this earlier in the day next Friday to hit the Aus and US friendly time zones rather than Aus and Europe per the last couple of weeks.

References

  1. We're tracking exceptionally well in Australia during the pandemic, especially in my home state of Queensland (great empirical data on that Twitter account)
  2. Half of people who responded to my Bluetooth poll leave it turned on all the time (count me in that half too)
  3. On average, I load a new breach into HIBP every 4 days but this week was 4 of them across the span of 5 days (mostly due to getting on top of a bunch of disclosures)
  4. There's been a significant uptick in HIBP usage over the last month (definitively not related to any specific breaches, best guess is it's related to changes in working patterns)
  5. I get "I've been hacked and need help" emails pretty much every single day (I'm yet to find a good way of handling these)
  6. Sponsored by Duo: Five reasons you should secure your VPN with MFA to ensure an additional layer of defense. Get the guide by Duo Security.

Weekly Update 189

Last week, I got the vid out a day late and by early afternoon today it looked like I was heading the same way. So, for the first time I ended up just live streaming it direct to YouTube. I actually quite liked the interaction, although I picked the quietest time in the day with most of the world asleep and obviously the audio quality wasn't the same as sitting in my office but still, not a bad end result I reckon.

I decided to sit outside on the boat as in just a few hours from now, our restrictions here will begin lifting and we'll actually be able to head out on it for leisure again. I talk a bit about what's changing here, what our numbers look like and, of course, the whole COVIDSafe situation. Our contact tracing app has been really well received here by and large but holy shit, those who don't like it are an angry bunch, just listen to one example I read out. All that and some IoT and networking bits as well in this week's update.

References

  1. Apparently, IoT'ing your garage door is much harder than I thought it would be (but possibly, also very simple)
  2. I finally got a couple of Ubiquiti cams working wirelessly in the house (that's a link to the tail of the tweet thread that works through it all)
  3. Here's that video on how funny it is to complain about privacy via the world's largest social media platforms 🤣 (the irony is thick with this one...)
  4. We ran a panel on Wednesday with 5 independent parties discussing COVIDSafe and what was learned tearing it down (tl;dr - it does precisely what we were told it would do)
  5. Sponsored by Varonis. SecurityFWD. A brand new YouTube show from Varonis. Watch Episode 1: How Far can Wi-Fi Travel?

COVIDSafe App Teardown & Panel Discussion

I've written a bunch about COVID-19 contact tracing apps recently as they relate to security and privacy, albeit in the form of long tweets. I'm going to avoid delving into the details here because they're covered more comprehensively in the resources I want to consolidate below, firstly the original thread from a fortnight ago as news of an impending app in Australia was breaking:

On Sunday night, that app finally landed here, branded as COVIDSafe. I installed it the day after, capturing a bunch of my own thoughts and linking to efforts from the community to dissect what it was actually doing:

The efforts of fellow community members (several of them fellow Microsoft MVPs) garnered a lot of attention so we banded together to run a public panel yesterday. That 2-hour panel discussion has now been published to YouTube and it's chock-a-block full of real world observations about what the app actually does, what it collects, what it sends and what the real world privacy and security implications are. I loved being a part of this panel as it allowed us to step away from the speculation and conspiracy theories and instead focus on the facts of how the thing works. None of us have any commercial interests in this (we all went through a disclosure process in the video), it's just pure independent, fact-based discussion. Enjoy:

Weekly Update 188

It's a day late because somehow, even in the current climate, I still find myself with a lot on my plate and the 2am getup yesterday morning didn't leave me feeling much like talking by the time I'd usually record this video. Regardless, I haven't missed a week yet and I wasn't going to start today! No great single stories of significance this week but I thought I'd share some insights into how life is gradually returning to a new kind of normal here. We've fared exceptionally well in Australia and I'm conscious many people watching this are in very different situations; this is merely my experience and what my daily life looks like at present.

References

  1. The COVID19 Australia Twitter account is a great source of empirical data (we're weathering the pandemic exceptionally well down here)
  2. The next workshop I'll be doing is "in" Oslo for NDC in June (this will be my 7th NDC Oslo, just the first one, well, not actually in Oslo!)
  3. Nanoleaf is kinda cool 😎 (I feel like it would be easy to go overboard with these...)
  4. Amazon has won the tender to host data from Australia's COVID-19 tracing app (yes, it's an American company but no, that doesn't matter)
  5. I mentioned "The Belfast Case" as it relates to Microsoft and customer data stored overseas (that's an important precedent in discussions like these)
  6. Nintendo is at the receiving end of a credential stuffing attack (despite some people claiming their passwords were "strong and unique", it has all the hallmarks of so many incidents that have come before it)
  7. Sponsored by Varonis. SecurityFWD. A brand new YouTube show from Varonis. Watch Episode 1: How Far can Wi-Fi Travel?

Weekly Update 187

Spiders! Ok, not your normal start to a weekly update but yeah, we had a bit of an infestation this week which did take the mind off other current events for a while. Much of what's happened beyond that this week has resulted in various tweet storms: the Zoom credential stuffing situation, the Coronavirus tracking app (holy cow that has some "robust" debate around it) and the (seemingly endless) thread of progress as I build up my Ubiquiti network. All that and more in the vid below.

References

  1. If you don't like spiders then don't click this link (wonder how many of them are still crawling around in the air conditioning unit...)
  2. No, there isn't a "Zoom data breach" and yes, people keep using shitty passwords (c'mon media, it's not hard to report on this accurately!)
  3. The Coronavirus tracking app tweet storm (less than a day on and apparently, it's had 125k impressions so it's clearly getting some traction, but it's divisive)
  4. Speaking of tweet storms, check out my Ubiquiti build! (this project has brought me so much joy)
  5. The Icelandic government is now on Have I Been Pwned (they're the 10th national government to have full access to query their gov domains)
  6. Sponsored by: SecurityFWD. A brand new YouTube show from Varonis. Watch Episode 1: How Far can Wi-Fi Travel?

Welcoming the Icelandic Government to Have I Been Pwned

Hot on the heels of onboarding the USA government to Have I Been Pwned last month, I'm very happy to welcome another national government - Iceland! As of today, Iceland's National Computer Security Incident Response Team (CERT-IS), now has access to the full gamut of their gov domains for both on-demand querying and ongoing monitoring.

As with the USA and Iceland, I expect to continue onboarding additional governments over the course of 2020 and expanding their access to meaningful data about breaches that impact their departments.

Weekly Update 186

Somehow this week's update ended up being 55 minutes, largely because of playing with a bunch of the new network gear and unboxing a pretty snazzy looking rack from 4Cabling. I get through with that then sit by the pool for the rest of this week's update. (And yes, I shaved!)

Incidentally, there's some audio clipping occurring after I sit by the pool. I've tweaked the levels a bit at that point to try and compensate, still not quite sure what happened but hopefully it's not too bad.

References

  1. We built a Nerf Gun wall! (this was just super good fun, it's now all hooked up to Alexa too)
  2. Pwned Passwords is getting bigger and bigger (more than half a billion queries in a month now)
  3. I hate spam and I hate being asked to link to spammy articles (but I love the outcome of this blog post!)
  4. The 5G health concern situation is an exercise in understanding hoaxes and disinformation campaigns (plus, some of it's just absolutely batshit crazy)
  5. Sponsored by Duo: Going beyond the perimeter: what a 'zero-trust' approach to security means and how to get started. Download the guide by Duo Security.

Let’s Stop the 5G Hysteria: Understanding Hoaxes and Disinformation Campaigns

Hey, did you hear that Facebook are going to start using your personal photos in whatever way they see fit? For real, it's going to start tomorrow unless you act quickly! All you have to do is copy and paste this message onto your own Facebook page and wammo - they're not allowed to touch them! Ready? Here goes: "With this statement, I give notice to Facebook it is strictly forbidden to disclose, copy, distribute, or take any other action against me based on this profile and/or its contents..."

This sounds ridiculous. It is ridiculous yet somehow, otherwise smart people in my own social networks (and probably yours) lapped it up. Copying and pasting this message achieved absolutely nothing beyond shining a spotlight on those who were prone to falling for hoaxes and disinformation campaigns. I've been following and writing about these for long enough that they're dead obvious to spot these days, for example:

And so it is with posts about the dangers of 5G. I've seen a massive uptick of people sharing information about the emerging cellular standard over the last week or so, enough that it prompted me to ask what's going on via Twitter:

By all means, read through the responses if you want to get a sense of how people responded, but let's avoid the discussion of "does 5G present a danger to our health" and instead talk about how to identify false or misleading information spread by social media. If we spoke about the former, we'd be here all day and others are much more qualified to do it than me. The latter, however, is right up my alley and understanding the hallmarks is valuable well beyond just the current 5G discussion.

So, let's not talk about whether 5G is safe or not, let's instead talk about why opponents of the technology display every single spammy, scammy, hoaxy behaviour imaginable and then you can consider how much you should trust them. I'll break this down into logical headings everyone can easily follow and call out key insights in bold.

It Takes Minutes to Establish (Lack of) Credibility

Let's take a perfect example of disinformation and how easy it is to establish the credibility of what's being shared. I had this pop up a couple of weeks ago:

Sounds ridiculous, but also sounds like the sort of thing non-techie people might fall for. I don't personally know the lady who posted it; she's the mum of a kid in my son's class and AFAIK, not a malware analyst (or anything close) and is unlikely to have an informed opinion on the matter. So let's just Google it:

Well that was easy. I replied to the lady's message with a link to the hoax within about 60 seconds yet still, other parents chimed in and thanked her.

Let's try the same thing with one of the 5G petitions that's been circulating. This one is titled Stop 5G Networks Now! We do not want a weapons system, nor our brains to be fried!:

The first warning sign on this petition is literally the warning at the top of the page:

Change.org has received flags from our users that the statements in this petition may be contested. You should consider researching this issue before signing or sharing.

You'll see the same warning on the Ban the 5g network in Australia petition and the Stop the 5G roll out / Turn off 5G Australia petition. I've seen both these petitions shared in recent days and I'm near certain that none of the people sharing them have "researched this issue before signing or sharing".

Edit: The day after posting this, 2 of the 3 petitions linked to above had been removed by change.org for being "against their community guidelines".

This was started by Jenn Oates so let's dig a little deeper and see what sort of credentials she has given she's talking about the health implications of radio waves. Here's her profile:

That is all. No bio, but there's still useful information here. The profile pic, for one, is easily searched on Google images and returns a constant theme:

Crop circles, eh? We'll just park this as a data point frequently related to conspiracy theories and move on. Let's try a Google search for Jenn Oates Parkerville, WA, Australia. The first result is another Change.org page with a petition update from Jenn. This is the only content of substance on the page:

Whoa - "evil Devil worshipping money counting Judas Satanist". So here's another insight:

Insight 1: You can tell a lot about the credibility of a claim by observing those attracted to it.

While we're on petition updates, have a scroll down the page and the last one at the time of writing embeds a YouTube video titled 5G PROGRAMMED to KILL ALL LIFE which was posted by a user called wil paranormal:

No mention of 5G, but clearly a conspiracy theorist. And again, the insight from above - what does it tell you about a topic when you look at those supporting it?

It took several minutes after looking at Jenn's petition to find the information above and also find a complete lack of information on Jenn herself; no scientific papers, no peer-reviewed content or anything else of any kind you'd expect someone mounting scientific arguments to have produced.

You can play the same easy game with every one of the petitions mentioned above. For example, the "Stop the 5G roll out / Turn off 5G Australia" was started by a "Mumma, Photographer, Glamour/Promotional Model" in Bundaberg, a place better known for making rum than producing scientific research:

The "Ban the 5g network in Australia" petition was started by a vegan Instagram star, so far the only person who actually contributes to the wellness industry but a world away from scientists who study the effects of radio waves on the human body.

All of the people above are, of course, entitled to their own opinions, but the question you need to ask yourself is contained within the next insight:

Insight 2: Understand the difference between people who have formed their own opinion versus those who are qualified enough to influence your opinion.

One last example just to drive the point home:

I enjoyed Zombieland, but not once did I stop and think "here's a guy who looks like he'd know a thing or two about voltage-gated calcium channel activation exacerbating viral replication". Yet here he is, broadcasting it to 2M Instagram followers. Fortunately, he's since deleted the post.

Understand Your Own Susceptibility to Confirmation Bias

Let's start by understanding the term confirmation bias:

Confirmation bias is the tendency to search for, interpret, favour, and recall information in a way that confirms or strengthens one's prior personal beliefs or hypotheses. It is a type of cognitive bias. People display this bias when they gather or remember information selectively, or when they interpret it in a biased way. The effect is stronger for desired outcomes, for emotionally charged issues, and for deeply-entrenched beliefs.

As it relates to the 5G topic, what I'm consistently seeing is people who want to believe that governments or big tech are suppressing the little guy and willingly believe that resources confirming this view are trustworthy. The problem with confirmation bias is that if you search hard enough, you'll always find material that supports your point of view.

There's a sensational documentary about flat earthers (ok, sensationally entertaining!) I watched on Netflix recently called Behind the Curve. If you've not seen it already, take a moment to watch the trailer:

Note the quote at about the one-minute mark:

I want to believe "this", this doesn't mesh with reality so don't change my view, change reality!

It's the antithesis to scientific research; instead of setting out to determine the conclusion in an evidence-based fashion, people set out with the conclusion they want to believe already cemented in their minds then find the evidence they need in order to support that conclusion.

Insight 3: Consider whether you believe a claim because the evidence supports it, or simply because you want to believe it.

We are all susceptible to confirmation bias, and that includes me. There are things I dearly want to believe and when I see a headline that supports my bias, I'm naturally inclined to latch onto it. The question for you when reading about a topic such as 5G is whether you want to believe that it's dangerous, or whether you want to research it properly and will be satisfied with whatever conclusion the evidence draws you to. That's the key differentiation, and that's what most people I see sharing the conspiracy theories simply aren't doing.

Occam's Razor (Usually) Provides the Answer

A (non-tech) mate asked me about 5G the other day. He'd read news of it being linked to Coronavirus, a conspiracy theory that has gained a surprising amount of momentum in recent weeks. (Sidenote: Wired has a piece titled How the 5G coronavirus conspiracy theory tore through the internet which explains the origins of this.) It doesn't take much searching to find precisely the sort of correlation conspiracies he's talking about:

So we had a discussion about how correlation does not imply causation and how tweets such as the one above show absolutely zero evidence of a cause and effect relationship between 5G and Coronavirus. If that all sounds a bit wordy for you, the following tweet illustrates it beautifully:

So, what's to be done? Do we ban Nicolas Cage movies to prevent drowning? No, because that's a patently ridiculous assertion and we can easily reach that conclusion by applying Occam's Razor:

The simplest solution is most likely the right one.

Applied to 5G and Coronavirus, Occam's Razor would conclude that a densely populated city with 11M people will likely spread a highly contagious virus quite quickly. Also, a large city in China (which is rapidly becoming the tech hub of the world) is likely to be an early adopter of next gen tech. These are both logical, rational and unrelated conclusions.

Insight 4: When faced with alternative theories, consider which one is the simplest and therefore most likely to be true.

Let's apply Occam's Razor to another accusation being made in the 5G debate space: that big tech is censoring discussion on the topic. My mate brought this up in our discussion: "Google shouldn't be censoring free speech by removing YouTube videos, that should be our right". Alrighty then, let's play that thought out - should Google allow extremist videos that incite violence? No, of course not, because that actually has the potential to cause serious harm. How is that related to 5G hoaxes? Convinced of the role 5G plays in the spread of coronavirus, people are literally destroying 5G towers in the UK:

It's just insane, and it's spurred on by batshit crazy videos like this:

One video, removed by the site after the Guardian flagged it, featured a man claiming to be a former executive at a UK mobile network falsely stating that coronavirus tests were actually used to spread the virus, and that the pandemic was created to hide deaths from the mobile technology.

So, applying Occam's Razor, are videos being removed because big tech is trying to silence "the little guy" blowing the whistle on a corrupt industry that is deliberately spreading a deadly virus to cover up 5G radiation deaths, or are they being removed because they incite dickheads to destroy critical infrastructure? There's only one simple answer...

The "Viral" Nature of Hoaxes is a Warning Sign

Let's go back to the Dance of the Pope hoax for a moment, the one that was circulated by a parent in WhatsApp. Literally whilst writing this blog post yesterday, the following came in via Facebook Messenger from a friend of my parents in a totally different social circle:

The last sentence is the warning sign - "Fwd this msg to as many as you can!" - and you see it over and over again in hoaxes and disinformation campaigns. You'll also see it over and over again as it relates to the 5G debate:

It's very likely Helen doesn't have an informed view on the 5G situation and that it's appealing to her confirmation bias (I'm drawing that conclusion based on her other tweets), yet she's appealing to thousands of followers to reinforce her own view of 5G. When Bal watched the video of a former Vodafone employee drawing links between 5G and coronavirus it "connected a lot of dots" for him (which again, is obviously just appealing to his own confirmation bias), and he encouraged others to watch it and draw the same conclusion. This is the viral nature of social media: one person's enthusiasm or endorsement rapidly spreads to others and it's just so easy to replicate a message without giving any thought to the topic nor the consequences that "going viral" can have.

Going back to the Dance of the Pope, I asked the sender of the hoax what made her believe it was real and now that she knows it's a hoax, how she feels about it:

This sentence nails it, both as it relates to the hoax video and much of the 5G debate that's currently raging:

In my case (& I think with many others), when you know that you lack knowledge & experience in this field, & that you don’t know enough to call it ‘most definitely’ a scam, (& that you feel it’s arrogant to make a choice on other people’s behalf) you err on side of caution & post it on

You know you lack knowledge but you post it on anyway. Now here we are with a dancing pope and 5G spreading coronavirus.

Insight 5: Question why you're being encouraged to influence others and if you're sufficiently informed to do so.

Conclusion

The problem with the 5G situation specifically is that if there are valid concerns to be had, they're buried in there somewhere amongst all the crazy. And let's face it, there's a whole spectrum of legitimacy in this discussion, the challenge is sifting through it, discarding the rubbish and focusing on the good stuff. And that's really the point of this post: being able to identify when information is hyperbolic and likely to be either misleading or outright false versus something we genuinely need to take seriously.

If I was to be concerned about 5G (which I'm not) and I wanted to learn more (which at this stage, I don't), I'd go straight to a technology resource I trusted. Many people pointed me at Wired's coverage in December so if you want to learn more, start there. I'd also defer to the likes of the World Health Organisation:

I wouldn't go to Jenn in Parkerville because without evidence to contrary, I can only assume she has absolutely no idea what she's talking about. I also wouldn't share any information on the topic unless I felt informed enough to influence others. I do feel informed enough to share an opinion on hoaxes and disinformation campaigns, so here we all are.

If I've appealed to your own confirmation bias by highlighting nut jobs talking about 5G conspiracy theories, please share this post with your entire social network.

No, I Won’t Link to Your Spammy Article

If you're reading this, chances are you've arrived here from a link I sent you via email. That email would have been a reply to one you originally sent to me that would have sounded something like this:

Hi, I came across your blog on [thing] and I must admit, it was really nicely written. I also have an article on [thing] and I think it would be a great addition to your blog.

No, no it wouldn't and there are all sorts of reasons why not. First among them is that if I was to add a link to your resource, I'd be legitimising the spam email you just sent me. Wait - you think it's not spam? Of course it's spam! Keep reading the definition until you understand then proceed:

Spamming is the use of messaging systems to send an unsolicited message, especially advertising

Alrighty, so it's an unsolicited message (I certainly didn't ask for it) and it's intended to advertise your work. And that's really what you're asking for here - free advertising. You want people reading my content to leave my site and head on over to yours where they'll not only read your content, but (probably) view your ads and drive revenue for you.

Thing is, it's probably not even "your" site anyway because there's a very high likelihood that you're an Oompa Loompa in the "digital marketing" space tasked with spamming people like me (remember, you're only allowed to have gotten down to here if you understand what spam is) in order to drive clicks. It's either clicks alone or clicks and SEO courtesy of establishing more inbound links in an attempt to artificially inflate the popularity of the site.

So here's how I've decided to deal with the problem: every time I receive spam of this nature I'm going to add an item to the list below. It will have the title of the resource you wanted me to link to, except... no link! Just the title. On a popular blog. So now when people search for [thing], they'll hopefully end up here rather than on the spammy article thus penalising you for your behaviour. And just to help my own SEO and awareness of your spammy behaviour, I'll tweet a link to this page with the title of your page each time it happens.

  1. The Ultimate Tor Browser Guide for 2020
  2. The Best VPN for China 2020
  3. How to know if someone is watching you on your camera
  4. 5 Ways to Stay Protected from Advanced Phishing Threats
  5. How to Access Windows Remote Desktop Over the Internet
  6. What We Need To Know About Bluetooth Security
  7. The Best Internet Browser for 2020
  8. Two-Factor Authentication: What Is It and Why You Should Use It
  9. 14 Ways to Create a Secure Password in 2020 (That you’ll Remember)
  10. Black Hat SEO
  11. Infidelity Statistics (2020) – Do Men Or Women Cheat More?
  12. PayPal Fees: 5 Ways to Avoid This
  13. How to Come Up With a BS-Free Answer to This Question: “What Does Customer Service Mean to You?”
  14. The History and Uses of the Occupational Outlook Handbook
  15. Cybersecurity Career Guide
  16. Best Email Finder Tools to Find Emails Addresses And Phone Number
  17. Sell Bitcoin for Skrill
  18. The Student's Internet Research Guide
  19. A Guide to Public Wifi Security Risks & How to Use it Safely

Incidentally, I think this blog post would be a great addition to your article, would you mind linking to it? kthanksbye!

Weekly Update 185

I actually lost track of what week it was at the start of this video. Did I do the Aussie workshops last week? Or the week before? I know I was at home so... it's just all becoming a blur. But be that as it may, life marches on and this week like every other one before it was full of interesting cyber-things. I find the situation with Zoom in particular quite fascinating, particularly the willingness - even eagerness - that so many seem to have to throw the very tool that's bringing so many people together in a time of need under the security and privacy bus. More on that and a bunch of other things in this week's update.

References

  1. Get Pluralsight for free for all of April! (because c'mon, what else are you going to do these days?!)
  2. We're running another Hack Yourself First workshop in Porto next week (of course it's not "in" Porto, but it's NDC Porto and it's the last one on our schedule for now)
  3. Houseparty is offering a million bucks if you can identify who's running a smear campaign against them (it'd be a seriously well-orchestrated campaign if true, most of what I see looks like garden variety account takeovers)
  4. Zoom is being forced to really step up their game (but I don't believe it's any riskier using Zoom than any other similar platform)
  5. Zoom bombing raids have apparently become quite the thing with kids these days (non tech-savvy users + bored kids = chaos)
  6. TicTocTrack had a serious security issue - again (but disclosure hasn't happened despite a commitment to be open, transparent and honest)
  7. Sponsored by Chronicle from Google. Redefining security analytics. Click here to learn about the platform designed for a world that thinks in petabytes.

Reassuring Words and Good Intentions Don’t Mean Good Security

How much can you trust the assertions made by an organisation regarding their security posture? I don't mean to question whether the statements are truthful or not, but rather whether they provide any actual assurance whatsoever. For example, nearly 5 years ago now I wrote about how "we take security seriously" was a ridiculous statement to make immediately after a data breach. It seems that not much has changed since then:

That last one is particularly apt here as it gets us on-topic with kids watches. Almost a year ago to the day, I wrote about a serious flaw in TicTocTrack watches that made it trivial to track kids, re-position them and even enable strangers to call their watch which would answer with zero interaction from the child. This wasn't the first instance of a tracking device on a kid going wrong, it was just the latest in a long line of them. To their credit, TicTocTrack rectified the flaw (insecure direct object references), communicated with parents and got back to business. Meanwhile, the whole kids-watch-security-train-wreck continued:

In that tweet, I concluded that "the pattern is alarmingly predictable" which foreshadowed what would inevitably be yet more incidents with yet more kids watches to come. TicTocTrack saw things differently:

The linked piece is titled "Cyber Resilience Key For iStaySafe" and is a short read wound up with a link to a PR company's email address. Amongst the reassurances of their investment in security is this paragraph:

In the following months, iStaySafe made significant investments both financially and by allocating staff resources to conduct a comprehensive penetration test of their software platform, mobile applications, sales website, all API’s and entire systems architecture. This investigation was conducted by a 3rd party C.R.E.S.T certified cybersecurity firm based in Brisbane to ensure that iStaySafe and subsidiary TicTocTrack has the best-practice cybersecurity and risk management protocols in place.

This is not at all unusual and it's from the same old "reassure customers of how seriously we take security" playbook. Many organisations assert precisely the same things: penetration tests, code reviews, ticks from certified bodies etc. A really key thing to understand here is that most of this is "point in time"; when the penetration test was conducted, everything was ok (or appropriately remediated). But the next day? Who knows. I don't mean to solely criticise TicTocTrack here, this is pretty standard PR which in my mind, didn't change a thing:

Sure enough, less than 2 months later, someone sent me my entire TicTocTrack record pulled out via a flaw in their system:

[
  {
    "FirstName": "Troy",
    "LastName": "Hunt",
    "Email": "[redacted email]",
    "FamilyIdentifier": 3494,
    "PhoneNumber": "[redacted phone]",
    "ProfilePictureFilename": null,
    "CustomerType": null,
    "CRM_ContactId": "0",
    "ProfilePictureUrl": "https://tracker.tictoctrack.com/res/img/usermeta/DEFAULT_IMG.jpg",
    "ProfilePictureTimestamp": "0",
    "ProfilePicture": null,
    "ProfilePictureMIME": null,
    "Status": "Suspended",
    "ID": "[redacted email]",
    "CompositeID": "[redacted email]"
  },
  {
    "FirstName": "[redacted email]_temp",
    "LastName": "",
    "Email": null,
    "FamilyIdentifier": 3494,
    "PhoneNumber": "00000000000",
    "ProfilePictureFilename": null,
    "CustomerType": null,
    "CRM_ContactId": "0",
    "ProfilePictureUrl": "https://tracker.tictoctrack.com/res/img/usermeta/DEFAULT_IMG.jpg",
    "ProfilePictureTimestamp": "0",
    "ProfilePicture": null,
    "ProfilePictureMIME": null,
    "Status": "Temp",
    "ID": "[redacted email]_temp",
    "CompositeID": "[redacted email]_temp"
  }
]

Plus, they sent me my 7 year old daughter's record relating to her device:

{
  "DeviceName": "Elle",
  "DevicePhoneNumber": "+61473997091",
  "ICCID": "89610185002367820863",
  "IMEI": "357593061030345",
  "AlertPhoneNumbers": "",
  "AlertEmailAddresses": "||",
  "Avatar": null,
  "AvatarMIME": null,
  "AvatarUrl": "https://tracker.tictoctrack.com/res/img/usermeta/DEFAULT_IMG.jpg",
  "AvatarImageTimeStamp": "0",
  "DeviceTypeID": 4,
  "DevicePassword": null,
  "StaticMacData": "[]",
  "Active": true,
  "EffectDate": null,
  "AvatarImageName": null,
  "APN": "telstra",
  "SubscriptionType": "TTTSim",
  "ID": "3494|593061030345",
  "CompositeID": {
    "FamilyID": 3494,
    "DeviceID": "593061030345"
  }
}

Fortunately, that person was Gordon Beeming, a fellow Microsoft Most Valuable Professional who identified the vulnerability, contacted me privately, had the details passed on to TicTocTrack and then the flaw remediated before writing about it publicly a couple of weeks ago:

And the nature of the flaw? Take this URL:

/api/Users?$filter=(FamilyIdentifier%20eq%204236)

Now consider the filter in the query string and ponder: "what would happen if there was no filter"? Here's what Gordon wrote:

I thought what happens if I browse directly to that container without any filter, this pulled to my browser every user in their system

And that's how he ended up with every user in the system, including myself.
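The flaw Gordon describes is a missing server-side authorisation check: the `$filter` in the query string was the only thing narrowing the result set, so a caller who omitted it got every row. The following is an added example in Python (not Gordon's or TicTocTrack's code) contrasting that pattern with a handler that scopes the query to the authenticated caller's family before honouring any filter; the in-memory user table and the `caller_family` parameter are constructed for illustration.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample user table; FamilyIdentifier values are made up for this example.
USERS = [
    {"FirstName": "Troy", "FamilyIdentifier": 3494, "Status": "Suspended"},
    {"FirstName": "Alex", "FamilyIdentifier": 4236, "Status": "Active"},
    {"FirstName": "Sam", "FamilyIdentifier": 7001, "Status": "Active"},
]

# Only the one OData-style filter shape seen on the page is supported here.
FILTER_RE = re.compile(r"^\(?FamilyIdentifier\s+eq\s+(\d+)\)?$")


def parse_family_filter(url):
    """Return the FamilyIdentifier named in $filter, or None when no filter was sent."""
    query = parse_qs(urlsplit(url).query)
    raw = query.get("$filter", [None])[0]
    if raw is None:
        return None
    match = FILTER_RE.match(raw.strip())
    if not match:
        raise ValueError("unsupported $filter expression")
    return int(match.group(1))


def users_vulnerable(url):
    """The flawed pattern: the caller's filter is the only thing scoping the result.

    Drop the filter and every user in the table comes back.
    """
    fam = parse_family_filter(url)
    return [u for u in USERS if fam is None or u["FamilyIdentifier"] == fam]


def users_hardened(url, caller_family):
    """Scope comes from the authenticated session (caller_family is a hypothetical
    stand-in for that), never from the query string. A caller-supplied filter is
    honoured only when it stays inside the caller's own family; anything else is
    rejected rather than silently widened.
    """
    fam = parse_family_filter(url)
    if fam is not None and fam != caller_family:
        raise PermissionError("filter targets a family the caller does not own")
    return [u for u in USERS if u["FamilyIdentifier"] == caller_family]
```

With the hardened handler, a request with no `$filter` at all still returns only the caller's own family, which is the check that was missing in the original endpoint.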

The point of all this is that despite the best of intentions (and I do believe their intentions are good), per the title of this post those good intentions and reassuring words do not mean that a security incident won't occur. Obviously, they also don't mean that one won't reoccur and any assertion to the contrary puts us back at the same November discussion in the tweets above (and we now know how that worked out).

So, should you not buy a kids tracking watch due to the inherent risks? I'm not saying that any more than I'm saying you shouldn't buy a connected sex toy; by all means, if one of these devices provides value to you and you're conscious of the privacy risks and willing to accept them, then do it. But for me, my own personal risk assessment puts a lot of weight in the old mantra of "you cannot lose what you do not have" so no, I wouldn't buy either.

Further to this, Jeremy Kirk has written about the incident today including comments from TicTocTrack on their decision not to disclose the exposure of their customer database in January this year. That's a bit tangential to the purpose of this blog post so I won't delve into it here, but leave your thoughts on that in the comments below. Here's their statement from the cyber resilience page mentioned earlier, just for context:

iStaySafe will continue to operate in an open, transparent and honest manner

Weekly Update 184

This has been an absolutely flat-out week between running almost 3 hours of our free Cyber-Broken talk with Scott Helme, doing an hour of code with Ari each day (and helping get up to speed with remote schooling) then running our Hack Yourself First workshop on Aussie time zones the last couple of days. But, especially given the current circumstances, I'm pretty happy with the result.

This week's update covers those events plus the onboarding of the USA government onto HIBP, an announcement I was very happy to make this week! Oh - and about the green screen - I don't know whether I'll stick with this for future weekly updates or not, I'm just enjoying the novelty factor for the moment.

References

  1. The green screen I'm using is from Elgato (this is a super cool screen, really easy to collapse and move around)
  2. Scott and I live streamed almost 3 hours of our Cyber-Broken talk which is now available to watch at your leisure (this was great fun and the feedback has been fantastic!)
  3. Ari and I did an hour of code each day working through the fundamentals for kids (I hope other parents get use out of this, particularly if their kids are stuck at home these days)
  4. The USA government is the 9th to be onboarded to Have I Been Pwned (I'm super happy to see the service extend to our friends across the Pacific!)
  5. Sponsored by Chronicle from Google. Redefining security analytics. Click here to learn about the platform designed for a world that thinks in petabytes.

Welcoming the USA Government to Have I Been Pwned

Over the last 2 years I've been gradually welcoming various governments from around the world onto Have I Been Pwned (HIBP) so that they can have full and unfettered access to the list of email addresses on their domains impacted by data breaches. Today, I'm very happy to announce the expansion of this initiative to include the USA government by way of their US Cybersecurity and Infrastructure Security Agency (CISA). CISA now has the ability to query US government domains via API and receive notifications when they're impacted in subsequent data breaches.

Over the coming months I expect to continue expanding the scope of government support in HIBP. For now, it's a big welcome to the USA and I'm enormously happy to see HIBP able to support them in this fashion.