Security This Week: License Plate Readers in Texas Are Now Also Debt Collectors
It’s been a busy week. The New York City Department of Consumer Affairs launched an investigation into hackable baby monitors. An iPhone-crashing link made the rounds. The Anaheim Police Department admitted that it uses plane-mounted stingrays in Disneyland’s backyard. Andy Greenberg explained why the proposed state bans on phone encryption don’t make any sense at all. We learned that it’s not so hard to make your own NSA bulk surveillance system. And the NSA’s chief hacker actually gave a tutorial on how to keep him out of your system.
But that’s not all. Each Saturday we round up the news stories that we didn’t break or cover in depth at WIRED, but which deserve your attention nonetheless. As always, click on the headlines to read the full story in each link posted. And stay safe out there!
Vehicle surveillance broker Vigilant Solutions has offered Texas law enforcement agencies “free” access to its massive automated license plate reader databases and analytical tools—but only if the police give Vigilant access to all of their data on outstanding court fees and hand the company a 25 percent surcharge from money collected from drivers with outstanding court fines. Vigilant also gets to keep a copy of any license-plate data collected by the police, even after the contract ends, and can retain it indefinitely. The EFF warns that the arrangement turns police into debt collectors and data miners. Neither policymakers nor the public have evaluated the technology, the contract contains a non-disparagement clause, and the system uploads everyone’s driving patterns into a private system without any way for these individuals to control how their data is used or shared.
According to a contract between Vigilant and the NYPD, the “Domain Awareness System” has extensive surveillance capabilities. The system combines license plate data with camera footage and surveillance devices, and it allows NYC police to monitor cars across the country. The software’s “stakeout” feature gives the NYPD access to who was at a location (such as a protest, a church, or even an abortion clinic) at a given time, and can use both “predictive analysis” to determine where a person is likely to be, and “associative analysis” to determine whether someone is a “possible associate” of a criminal.
The Independent revealed that the UK government has been licensing the sale of invasive surveillance equipment to repressive states rampant with human rights abuses, including Saudi Arabia, Egypt, and the United Arab Emirates. The licenses include tools that can hack into devices, intercept private phone calls, and run internet monitoring and surveillance programs throughout entire countries.
If adult apps that are only available in third-party stores are your thing, but you don’t want everyone in your contact list to know, you should make sure you’re running Lollipop on your Android device. That’s because Symantec discovered a new ransomware strain called Lockdroid that uses a clickjacking technique to install itself. The secondary popup comes up as an error message appearing on top of a permissions window, and tricks users by disguising itself as an intermediary screen with a “continue” button perfectly overlaid on top of an activation button. (Lollipop doesn’t show secondary popups on installation screens, so you’d have to be gullible enough to manually approve it if you’ve upgraded—but only a third of phones in the Android ecosystem are up-to-date.) The ransomware encrypts users’ files and requires a ransom to decrypt them, and blackmails users by threatening to send their browsing history to all their contacts. Lockdroid is currently being distributed through the “Porn ‘O’ Mania” app.
Despite the City of Chicago trying to cover up the police execution of black teenager Laquan McDonald, dashcam footage was released last November, over 13 months after the shooting had taken place. Three dashcams pointing at McDonald did not record video, and audio was missing from four others. It’s unlikely that this was a coincidence.
A CPD audit has revealed that officers deliberately sabotaged their own dash cams by pulling out batteries, destroying or “losing” antennas, and removing microphones or stashing them in their squad car glove compartments. No wonder 80 percent of the department’s dash cam videos didn’t record audio, and 12 percent didn’t record video, which police officials blamed not just on officer error but also on “intentional destruction.”
Jason Van Dyke, the officer who has been charged with first-degree murder for the shooting death of Laquan McDonald, had his dashcam fixed for a wiring problem in June 2014. It took three months to fix it, but it “broke” again the next day, and took several more months to fix what technicians determined was intentional damage. Van Dyke’s dash cam footage of the McDonald shooting had no sound, because he’d never synced up the mic in his squad car to the camera.
Chicago’s interim police superintendent apparently began issuing formal reprimands and suspending officers for up to three days for deliberately damaging their own dashcams, which has led to a 70 percent increase in the number of video uploads.
Time to Patch Lenovo’s File-Sharing App, Since It Uses the Hardcoded Password “12345678” (When It Actually Uses a Password, That Is)
Say it ain’t so, Lenovo. According to Core Security, which found the vulnerabilities, the company’s file-sharing app, SHAREit, which creates a Wi-Fi hotspot allowing data to be shared from a phone to a laptop or vice versa, has a ridiculous number of security flaws. First of all, it uses the hardcoded password 12345678 in Windows, and no password at all in Android. That means that any system with a Wi-Fi network card can connect to that hotspot with the password I just gave you, making it easy to capture information transferred between devices. To make matters worse, SHAREit files are being transferred in plain text, leaving them susceptible to eavesdropping and tampering through man-in-the-middle attacks. Core Security further points out that file transfers in Windows and Android aren’t encrypted, so any attacker on either side of a file transfer would be able to get a copy simply by sniffing the traffic.
If it wasn’t bad enough that Amazon can’t be bothered to use SSL for all of its pages, the company’s chat support apparently makes it ridiculously easy for just about anybody to gain access to customers’ personal information. Blogger Eric Springer, who used to work for Amazon as a software developer, said that malicious imposters were able to access his home address and phone number multiple times, without any authentication details beyond his name, email address, and a fake address sharing his zip code (which he’d used to register some websites). Motherboard’s managing editor recreated the trick herself. On his personal blog, EFF activist Parker Higgins documented a similar vulnerability related to Amazon wishlists with private addresses, in which third-party shippers include addresses in confirmation emails. He reported the issue in December 2014, and Amazon patched it (at least for Canada) in June 2015.
Hackers hit Israel’s Electricity Authority with a virus in what the country’s energy minister called one of the biggest computer-based attacks the power authority has ever experienced. Portions of the electricity grid were shut down in response, and some computer systems were shut down for two days as well. However, there is no indication that the country’s power grid was attacked. Israel’s Electricity Authority, which sits in the Ministry of Energy, is separate from the country’s utility company.
Palo Alto Networks’ threat research team, Unit 42, has spent seven months investigating a series of attacks that sought to gather information about minority activists, primarily Tibetan and Uyghur activists and those interested in their causes. The attacks also targeted Muslim activists and people interested in critiques of Putin and the Russian government. The group behind the attacks, which Unit 42 nicknamed “Scarlet Mimic,” started targeting activists more than four years ago. The group has used spear phishing attacks with decoy documents (and watering hole attacks) to deploy backdoor Trojans, targeting Mac OS X and Android operating systems, and variants of a Windows backdoor named FakeM. Code42’s research indicates that Scarlet Mimic is well funded, highly skilled, and has similar motivations to the Chinese government (although no evidence showing a direct link was found).