For as long as scam artists have been around so too have opportunistic thieves who specialize in ripping off other scam artists. This is the story about a group of Pakistani Web site designers who apparently have made an impressive living impersonating some of the most popular and well known “carding” markets, or online stores that sell stolen credit cards.

One wildly popular carding site that has been featured in-depth at KrebsOnSecurity — Joker’s Stash — brags that the millions of credit and debit card accounts for sale via their service were stolen from merchants firsthand. That is, the people running Joker’s Stash say they are hacking merchants and directly selling card data stolen from those merchants. Joker’s Stash has been tied to several recent retail breaches, including those at Saks Fifth Avenue, Lord and Taylor, Bebe Stores, Hilton Hotels, Jason’s Deli, Whole Foods, Chipotle and Sonic. Indeed, with most of these breaches, the first signs that any of the companies were hacked was when their customers’ credit cards started showing up for sale on Joker’s Stash.

Joker’s Stash maintains a presence on several cybercrime forums, and its owners use those forum accounts to remind prospective customers that its Web site — jokerstash[dot]bazar — is the only way in to the marketplace. The administrators constantly warn buyers to be aware there are many look-alike shops set up to steal logins to the real Joker’s Stash or to make off with any funds deposited with the impostor carding shop as a prerequisite to shopping there.

But that didn’t stop a prominent security researcher (not this author) from recently plunking down $100 in bitcoin at a site he thought was run by Joker’s Stash (jokersstash[dot]su). Instead, the proprietors of the impostor site said the minimum deposit for viewing stolen card data on the marketplace had increased to $200 in bitcoin.
The researcher, who asked not to be named, said he obliged with an additional $100 bitcoin deposit, only to find that his username and password to the card shop no longer worked. He’d been conned by scammers scamming scammers.

As it happens, prior to hearing from this researcher I’d received a mountain of research from Jett Chapman, another security researcher who swore he’d unmasked the real-world identity of the people behind the Joker’s Stash carding empire. Chapman’s research, detailed in a 57-page report shared with KrebsOnSecurity, pivoted off of public information leading from the same jokersstash[dot]su that ripped off my researcher friend.

“I’ve gone to a few cybercrime forums where people who have used jokersstash[dot]su were confused about who they really were,” Chapman said. “Many of them left feedback saying they’re scammers who will just ask for money to deposit on the site, and then you’ll never hear from them again.”

But the conclusion of Chapman’s report — that somehow jokersstash[dot]su was related to the real criminals running Joker’s Stash — didn’t ring completely accurate, although it was expertly documented and thoroughly researched. So with Chapman’s blessing, I shared his report with both the researcher who’d been scammed and a law enforcement source who’d been tracking Joker’s Stash. Both confirmed my suspicions: Chapman had unearthed a vast network of sites registered and set up over several years to impersonate some of the biggest and longest-running criminal credit card theft syndicates on the Internet.

THE REAL JOKER’S STASH

The real Joker’s Stash can only be reached after installing a browser extension known as “blockchain DNS.” This component is needed to access any sites ending in the blockchain top-level domains .bit (Namecoin) and .bazar, .coin, .lib and .emc (Emercoin).
Most Web sites use the global Domain Name System (DNS), which serves as a kind of phone book for the Internet by translating human-friendly Web site names (example.com) into the numeric Internet addresses that computers actually use. Regular DNS maps domain names to Internet addresses by relying on a series of distributed, hierarchical lookups: if one server does not know how to find a domain, it simply asks another server for the information.

Blockchain-based DNS systems also disseminate that mapping information in a distributed fashion, although via a peer-to-peer method: the name-to-address records are stored in the Namecoin or Emercoin blockchain, and the browser extension (or a gateway resolver) reads them from there. The regular DNS hierarchy knows nothing about these names, which is why an ordinary resolver cannot find them. The entities that operate blockchain-based top level domains (e.g., .bazar) don’t answer to any one central authority — such as the Internet Corporation for Assigned Names and Numbers (ICANN), which oversees the global DNS and domain name space. This potentially makes these domains much more difficult for law enforcement agencies to take down.

Dark Reading explains further: “When an individual registers a .bit — or another blockchain-based domain — they are able to do so in just a few steps online, and the process costs mere pennies. Domain registration is not associated with an individual’s name or address but with a unique encrypted hash of each user. This essentially creates the same anonymous system as Bitcoin for Internet infrastructure, in which users are only known through their cryptographic identity.”

And cybercriminals have taken notice. According to security firm FireEye, over the last year there’s been a surge in the number of threat actors that have started incorporating support for blockchain domains in their malware tools.

THE FAKE JOKER’S STASH

In contrast, the fake version of Joker’s Stash — jokersstash[dot]su — exists on the clear Web and displays a list of “trusted” Joker’s Stash domains that can be used to get on the impostor marketplace.
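One practical consequence for defenders: a host on your network that asks your ordinary resolver for a .bit or .bazar name is either running the blockchain DNS extension or software that has these names built in, since the regular hierarchy can never answer such a query. The Python below is an added example written for this page (not code from the article, from FireEye or from any of the sites named here) that scans a DNS query log for lookups of the blockchain top-level domains listed above. The log lines, client addresses and most names are constructed for the example, and the simplified BIND-style line format is an assumption.

```python
import re
from collections import Counter

# Top-level domains served by blockchain-based naming systems, as listed in the
# article: .bit (Namecoin) and .bazar, .coin, .lib, .emc (Emercoin).
BLOCKCHAIN_TLDS = {"bazar", "bit", "coin", "lib", "emc"}

# Constructed sample in a simplified BIND-style query-log format. Not real
# traffic; the client addresses and all names except jokerstash.bazar are placeholders.
SAMPLE_LOG = """\
26-May-2018 10:01:02.123 client 10.0.0.15#51234: query: www.example.com IN A + (10.0.0.1)
26-May-2018 10:01:05.456 client 10.0.0.15#51240: query: jokerstash.bazar IN A + (10.0.0.1)
26-May-2018 10:01:09.789 client 10.0.0.22#40111: query: update.example.net IN AAAA + (10.0.0.1)
26-May-2018 10:02:11.000 client 10.0.0.22#40115: query: somehost.bit. IN A + (10.0.0.1)
26-May-2018 10:02:12.000 client 10.0.0.15#51260: query: mail.example.com IN MX + (10.0.0.1)
26-May-2018 10:02:13.000 client 10.0.0.31#33333: query: shop.emc.example.org IN A + (10.0.0.1)
26-May-2018 10:02:14.000 client 10.0.0.15#51262: query: CARDS.BAZAR IN A + (10.0.0.1)
"""

# Accepts the older "client IP#port: query:" form as well as the newer form that
# carries a "@0x..." handle and repeats the name in parentheses before the colon.
LINE_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<client>[\d.]+)#\d+(?: \([^)]*\))?: "
    r"query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def blockchain_tld(qname):
    """Return the blockchain TLD of qname, or None if it ends in an ordinary TLD.

    Only the final label counts: 'shop.emc.example.org' is a normal .org name
    even though 'emc' appears inside it, and a bare 'bazar' is not a hostname.
    """
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) < 2:
        return None
    tld = labels[-1]
    return tld if tld in BLOCKCHAIN_TLDS else None


def find_blockchain_queries(log_text):
    """Return (client, qname, tld) for every query to a blockchain TLD."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        qname = m.group("qname").rstrip(".").lower()
        tld = blockchain_tld(qname)
        if tld:
            hits.append((m.group("client"), qname, tld))
    return hits


def clients_by_hit_count(hits):
    """Rank client addresses by how many blockchain-TLD queries they made."""
    return Counter(client for client, _, _ in hits).most_common()


if __name__ == "__main__":
    found = find_blockchain_queries(SAMPLE_LOG)
    for client, qname, tld in found:
        print(f"{client} queried {qname} (.{tld})")
    print("top clients:", clients_by_hit_count(found))
```

Absence of such queries proves nothing, because the extension resolves these names itself rather than through your resolver; their presence, however, is worth a look at the client that sent them.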
These lists are common on the login pages of carding and other cybercrime sites, which tend to lose their domains frequently when Internet do-gooders report them to authorities. The daily reminder helps credit card thieves easily find the new domain should the primary domain get seized by law enforcement or the site’s domain registrar.

Most of the domains in the image above are hosted on the same Internet address: 190.14.38.6 (Offshore Racks S.A. in Panama). But Chapman found that many of these domains map back to just a handful of email addresses, including [email protected], [email protected], and [email protected].

Chapman found that adding credit cards to his shopping cart in the fake Joker’s Stash site caused those same cards to show up in his cart when he accessed his account at one of the alternative domains listed in the screenshot above, suggesting that the sites were all connected to the same back-end database.

The email address [email protected] is tied to the name or alias “John Kelly,” as well as 35 domains, according to DomainTools (the full list is here). Most of the sites at those domains borrow names and logos from established credit card fraud sites, including VaultMarket, T12Shop, BriansClub (which uses the head of yours truly on a moving crab to advertise its stolen cards); and the now defunct cybercrime forum Infraud.

DomainTools says the address [email protected] also maps to 35 domains, including look-alike domains for major carding sites Bulba, GoldenDumps, ValidShop, McDucks, Mr. Bin, Popeye, and the cybercrime forum Omerta. The address [email protected] is connected to 36 domains that feature many of the same impersonated criminal brands as the first two lists.

The domain “paysafehost.com” is not responding at the moment, but until very recently it redirected to a site that tried to scam or phish customers seeking to buy stolen credit card data from VaultMarket.
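What Chapman did above is infrastructure pivoting: treat every registrant email address, hosting address and name server as an indicator, and link any two domains that share one. The Python below is an added example (not Chapman’s tooling, not DomainTools or Farsight output, and not anything from the article) that performs that clustering with a union-find over constructed registration records. Every domain, address and email in it is a placeholder, and the record fields are this example’s own. It also shows the caveat a practitioner wants: a shared hosting address alone is a weak link, because unrelated tenants sit on the same server, so the IP pivot is off by default and can be switched on to see the difference.

```python
from collections import defaultdict

# Constructed registration / passive-DNS records modelled on the pivots the
# article describes (shared registrant email, shared hosting IP, shared name
# servers). All values are placeholders, not real registration data.
RECORDS = [
    {"domain": "fake-jokers.example", "ip": "198.51.100.6", "email": "reg-a@example.net", "ns": "ns1.pay.example"},
    {"domain": "fake-vault.example",  "ip": "198.51.100.6", "email": "reg-a@example.net", "ns": "ns1.pay.example"},
    {"domain": "fake-bulba.example",  "ip": "198.51.100.6", "email": "reg-b@example.net", "ns": "ns1.pay.example"},
    {"domain": "sell-cards.example",  "ip": "203.0.113.9",  "email": "reg-c@example.net", "ns": "ns1.pay.example"},
    # An unrelated tenant that merely shares the hosting address.
    {"domain": "flower-shop.example", "ip": "198.51.100.6", "email": "owner@example.org", "ns": "ns1.other.example"},
    {"domain": "local-news.example",  "ip": "192.0.2.77",   "email": "news@example.org",  "ns": "ns1.news.example"},
]


def cluster_domains(records, pivots=("email", "ns")):
    """Group domains that share any of the given indicator kinds.

    Every domain starts in its own set; two domains are merged whenever they
    carry the same value for any pivot. Returns clusters as sorted lists,
    largest first. IP is excluded by default because shared hosting makes it
    a weak pivot; pass pivots=("email", "ns", "ip") to include it.
    """
    parent = {r["domain"]: r["domain"] for r in records}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving keeps lookups short
            x = parent[x]
        return x

    def union(a, b):
        ra, rb = find(a), find(b)
        if ra != rb:
            parent[rb] = ra

    by_indicator = defaultdict(list)
    for r in records:
        for kind in pivots:
            value = (r.get(kind) or "").strip().lower()
            if value:
                by_indicator[(kind, value)].append(r["domain"])

    for domains in by_indicator.values():
        for d in domains[1:]:
            union(domains[0], d)

    clusters = defaultdict(set)
    for d in parent:
        clusters[find(d)].add(d)
    return sorted((sorted(c) for c in clusters.values()),
                  key=lambda c: (-len(c), c[0]))


def shared_indicators(records, cluster, pivots=("email", "ns", "ip")):
    """Return the (kind, value) pairs seen on more than one member of a cluster,
    i.e. the evidence that actually links those domains together."""
    members = set(cluster)
    counts = defaultdict(int)
    for r in records:
        if r["domain"] in members:
            for kind in pivots:
                value = (r.get(kind) or "").strip().lower()
                if value:
                    counts[(kind, value)] += 1
    return sorted(k for k, n in counts.items() if n > 1)


if __name__ == "__main__":
    for c in cluster_domains(RECORDS):
        print(c, shared_indicators(RECORDS, c))
    print("with IP as a pivot:", cluster_domains(RECORDS, pivots=("email", "ns", "ip"))[0])
```

With the default pivots the four impostor domains form one cluster, linked by the shared registrant email and the shared name server, while the flower shop stays apart; add the IP pivot and it is pulled in purely because it rents space on the same server. Chapman’s shopping-cart test (a card added on one domain appearing on another) is the kind of behavioural confirmation that settles what a shared address alone cannot.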
It looks more or less the same as the real VaultMarket’s login page, but Chapman noticed that in the bottom right corner of the screen was a Zendesk chat service soliciting customer questions. Signing up for an account at paysafehost.com (the fake VaultMarket site) revealed a site that looked like VaultMarket but otherwise massively displayed ads for another carding service — isellz[dot]cc (one of the domains registered to [email protected]). This same Zendesk chat service also was embedded in the homepage of jokersstash[dot]su. And on isellz[dot]cc:

According to Farsight Security, a company that maps historical connections between Internet addresses and domain names, several other interesting domains used paysafehost[dot]com as their DNS server, including cvv[dot]kz (CVV stands for card verification value; in carding jargon the term refers to stolen card numbers, names and cardholder addresses that can be used to conduct e-commerce fraud). All three domains — cvv[dot]kz, isellz[dot]cc and paysafehost[dot]com — list in their Web site registration records the email address [email protected], the site xperiasol.com, and the name “Bashir Ahmad.”

XPERIA SOLUTIONS

Searching online for the address [email protected] turns up a help wanted ad on the Qatar Living Jobs site from October 2017 for a freelance system administrator. The ad was placed by the user “junaidky,” and gives the [email protected] email address for interested applicants to contact.

Chapman says at this point in his research he noticed that [email protected] was also used to register the domain xperiasol.info, which for several years was hosted on the same server as a handful of other sites, such as xperiasol.com — the official Web site of Xperia Sol (this site also features a Zendesk chat client in the lower right portion of the homepage). Xperiasol.com’s Web site says the company is a Web site development firm and domain registrar in Islamabad, Pakistan.
The site’s “Meet our Team” page states the founder and CEO of the company is a guy named Muhammad Junaid. Another man pictured as Yasir Ali is the company’s project manager. We’ll come back to both of these individuals in a moment.

Xperiasol.info also is no longer responding, but not long ago the home page showed several open file directories. Clicking in the projects directory and drilling down into a project dated Feb. 8, 2018 turns up some kind of chatroom application in development.

Recall that dozens of the fake carding domains mentioned above were registered to a “John Kelly” at [email protected]. Have a look at the name next to the chatroom application Web site that was archived at xperiasol.info: Could Yasir Ali, the project manager of Xperiasol, be the same person who registered so many fake carding domains?

What else do we know about Mr. Ali? It appears he runs another business called Agile: Institute of Information Technology. Agile’s domain — aiit.com.pk — was registered to Xperia Sol Technologies in 2016 and hosted on the same server. Who else that we know besides Mr. Ali is listed on Agile’s “Meet the Team” page? Why, Mr. Muhammad Junaid, of course, the CEO and founder of Xperia Sol.

Chapman shared pages of documentation showing that most of the “customer testimonials” supposedly from Xperia Sol’s Web design clients appear to be half-finished sites with plenty of broken links and “lorem ipsum” placeholder content (as is the case with the aiit.com.pk Web site pictured above). Another “valuable client” listed on Xperia Sol’s home page is Softlottery[dot]com (previously softlogin[dot]com). This site appears to be a business that sells Web site design templates, but it lists its address as Sailor suite room V124, DB 91, Someplace 71745 Earth.
Among the “awesome” corporate design templates that Softlottery has for sale is one loosely based on a motto that has shown up on several carding sites: “We are those, who we are: Verified forum, verified people, serious deals.” Probably the most well-known cybercrime forum using that motto is Omerta (recall from above that the Omerta forum is another brand impersonated by this group).

Flower Land, with the Web address flowerlandllc.com, is also listed as a happy Xperia Sol customer and is hosted by Xperia Sol. But most of the links on that site are dead. More importantly, the site’s content appears to have been lifted from the Web site of an actual flower care business in Michigan called myflowerland.com.

Zalmi-TV (zalmi.tv) is supposedly a news media partner of Xperia Sol, but again the Xperia-hosted site is half-finished and full of “lorem ipsum” placeholder content.

THE MASTER MIND?

But what about Xperia Sol’s founder, Muhammad Junaid, you ask? Mr. Junaid is known by several aliases, including his stage name, “Masoom Parinda,” a.k.a. “Master Mind.” As Chapman unearthed in his research, Junaid has starred in some B-movie action films in Pakistan, and Masoom Parinda is his character’s name. Mr. Junaid also goes by the names Junaid Ahmad Khan and Muhammad Junaid Ahmed. The latter is the one included in a flight itinerary that Junaid posted to his Facebook page in 2014.

There are also some interesting photos of his various cars — all of which have the Masoom Parinda nickname “Master Mind” written on the back window. There is also something else on each car’s rear window: A picture of a black and red scorpion. Recall the logo that was used at the top of isellz[dot]cc, the main credit card fraud site tied to [email protected]. It features a giant black and red scorpion.

I reached out to Mr. Junaid/Khan via his Facebook page. Soon after that, his Facebook profile disappeared. But not before KrebsOnSecurity managed to get a copy of the page going back several years. Mr. Junaid/Khan is apparently friends with a local man named Bashar Ahmad. Recall that a “Bashar Ahmad” was the name tied to the domain registrations — cvv[dot]kz, isellz[dot]cc and paysafehost[dot]com — and to the email address [email protected]. Mr. Ahmad also has a Facebook page going back more than seven years. In one of those posts, he publishes a picture of a scorpion very similar to the one on isellz[dot]cc and on Mr. Khan’s automobiles.

At the conclusion of his research, Chapman said he discovered one final and jarring connection between Xperia Sol and the carding site isellz[dot]cc: When isellz customers have trouble using the site, they can submit a support ticket. Where does that support ticket go? Would you believe to [email protected]?

It could be that all of this evidence pointing back to Xperia Sol is just a coincidence, or an elaborate character assassination scheme cooked up by one of the company’s competitors. Or perhaps Mr. Junaid/Khan is simply researching a new role as a hacker in an upcoming Pakistani cinematic thriller.

In many ways, creating a network of fake carding sites is the perfect cybercrime. After all, nobody is going to call the cops on people who make a living ripping off cybercriminals. Nor will anyone help the poor sucker who gets snookered by one of these fake carding sites. Caveat Emptor!

from https://krebsonsecurity.com/2018/05/will-the-real-jokers-stash-come-forward/
The Federal Bureau of Investigation (FBI) is warning that a new malware threat has rapidly infected more than a half-million consumer devices. To help arrest the spread of the malware, the FBI and security firms are urging home Internet users to reboot routers and network-attached storage devices made by a range of technology manufacturers. The growing menace — dubbed VPNFilter — targets Linksys, MikroTik, NETGEAR and TP-Link networking equipment in the small and home office space, as well as QNAP network-attached storage (NAS) devices, according to researchers at Cisco. Experts are still trying to learn all that VPNFilter is built to do, but for now they know it can do two things well: Steal Web site credentials; and issue a self-destruct command, effectively rendering infected devices inoperable for most consumers. Cisco researchers said they’re not yet sure how these 500,000 devices were infected with VPNFilter, but that most of the targeted devices have known public exploits or default credentials that make compromising them relatively straightforward. “All of this has contributed to the quiet growth of this threat since at least 2016,” the company wrote on its Talos Intelligence blog. The Justice Department said last week that VPNFilter is the handiwork of “APT28,” the security industry code name for a group of Russian state-sponsored hackers also known as “Fancy Bear” and the “Sofacy Group.” This is the same group accused of conducting election meddling attacks during the 2016 U.S. presidential race. “Foreign cyber actors have compromised hundreds of thousands of home and office routers and other networked devices worldwide,” the FBI said in a warning posted to the Web site of the Internet Crime Complaint Center (IC3). “The actors used VPNFilter malware to target small office and home office routers. 
The malware is able to perform multiple functions, including possible information collection, device exploitation, and blocking network traffic.”

According to Cisco, here’s a list of the known affected devices:

LINKSYS DEVICES: E1200
MIKROTIK ROUTEROS VERSIONS FOR CLOUD CORE ROUTERS: 1016
NETGEAR DEVICES: DGN2200
QNAP DEVICES: TS251, and other QNAP NAS devices running QTS software
TP-LINK DEVICES: R600VPN

Unfortunately, there is no easy way to tell if your device is infected. If you own one of these devices and it is connected to the Internet, you should reboot (or unplug, wait a few seconds, replug) the device now. This should wipe part of the infection, if there is one: the malware’s later stages run only in memory and do not survive a power cycle. But you’re not out of the woods yet. Cisco said part of the code used by VPNFilter can still persist until the affected device is reset to its factory-default settings.

Most routers (like most modems and DVRs) will have a tiny, recessed button that can only be pressed with something small and pointy, such as a paper clip. Hold this button down for at least 10 seconds (some devices require longer) with the device powered on, and that should be enough to reset the device back to its factory-default settings. In some cases, you may need to hold the tiny button down and keep it down while you plug in the power cord, and then hold it for 30 seconds.

After resetting the device, you’ll need to log in to its administrative page using a Web browser. The administrative page of most commercial routers can be accessed by typing 192.168.1.1 or 192.168.0.1 into a Web browser address bar. If neither of those works, try looking up the documentation at the router maker’s site, or checking to see if the address is listed here. If you still can’t find it, open the command prompt (Start > Run, or search for “cmd”) and then enter ipconfig. The address you need should be next to Default Gateway under your Local Area Connection.
Once you’re there, make sure you’ve changed the factory-default password that allows you to log in to the device (pick something strong that you can remember). You’ll also want to make sure your device has the latest firmware updates. Most router Web interfaces have a link or button you click to check for newer device firmware. If there are any updates available, install those before doing anything else. If you’ve reset the router’s settings, you’ll also want to encrypt your connection if you’re using a wireless router (one that broadcasts your modem’s Internet connection so that it can be accessed via wireless devices, like tablets and smart phones). WPA2 is the strongest encryption technology available in most modern routers, followed by WPA and WEP (the latter is fairly trivial to crack with open source tools, so don’t use it unless it’s your only option). But even users who have a strong router password and have protected their wireless Internet connection with a strong WPA2 passphrase may have the security of their routers undermined by security flaws built into these routers. At issue is a technology called “Wi-Fi Protected Setup” (WPS) that ships with many routers marketed to consumers and small businesses. According to the Wi-Fi Alliance, an industry group, WPS is “designed to ease the task of setting up and configuring security on wireless local area networks. WPS enables typical users who possess little understanding of traditional Wi-Fi configuration and security settings to automatically configure new wireless networks, add new devices and enable security.” However, WPS also may expose routers to easy compromise. Read more about this vulnerability here. If your router is among those listed as using WPS, see if you can disable WPS from the router’s administration page. If you’re not sure whether it can be, or if you’d like to see whether your router maker has shipped an update to fix the WPS problem on their hardware, check this spreadsheet. 
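The steps above (and the remote-administration and UPnP settings discussed next) amount to a checklist, and a checklist is easiest to apply consistently when it is written down as code. The Python below is an added example for this page, not code from the article, from Cisco or from any router vendor: it runs that checklist over a constructed set of router settings and shows the weak configuration beside the hardened one. The field names, the list of factory-default passwords and the 12-character minimum are this example’s own assumptions; a real router exposes these values only through its admin page, so they would have to be read off by hand.

```python
# Constructed router settings in the shape an administrator would read off the
# device's admin page. Field names are this example's own, not any vendor's API.
WEAK = {
    "admin_password": "admin",
    "firmware_up_to_date": False,
    "wifi_security": "WEP",
    "wps_enabled": True,
    "remote_admin_enabled": True,
    "upnp_enabled": True,
}

# Assumed set of common factory defaults; a real check would use the vendor's list.
DEFAULT_PASSWORDS = {"", "admin", "password", "1234", "12345", "root"}

# Wireless security modes ranked weakest to strongest (WEP is trivially crackable).
WIFI_RANK = {"none": 0, "wep": 1, "wpa": 2, "wpa2": 3}


def audit(settings):
    """Return (severity, message) findings for one router's settings."""
    findings = []

    pw = settings.get("admin_password", "")
    if pw.lower() in DEFAULT_PASSWORDS:
        findings.append(("high", "admin password is blank or a factory default"))
    elif len(pw) < 12:
        findings.append(("medium", "admin password is shorter than 12 characters"))

    if not settings.get("firmware_up_to_date", False):
        findings.append(("high", "firmware is not current; install vendor updates first"))

    mode = settings.get("wifi_security", "none").lower()
    rank = WIFI_RANK.get(mode)
    if rank is None:
        findings.append(("info", f"unrecognised wireless mode '{mode}'; verify by hand"))
    elif rank <= WIFI_RANK["wep"]:
        label = "open" if rank == 0 else mode.upper()
        findings.append(("high", f"wireless network is {label}; use WPA2"))
    elif rank < WIFI_RANK["wpa2"]:
        findings.append(("medium", "wireless network uses WPA; prefer WPA2"))

    if settings.get("wps_enabled"):
        findings.append(("high", "WPS is enabled; disable it or confirm a vendor fix"))
    if settings.get("remote_admin_enabled"):
        findings.append(("medium", "remote administration is reachable from the Internet"))
    if settings.get("upnp_enabled"):
        findings.append(("medium", "UPnP is enabled and can open firewall ports silently"))
    return findings


def harden(settings, new_admin_password, new_wifi_passphrase):
    """Return a copy of settings with every value this script can fix corrected.

    Firmware is deliberately left alone: it has to be updated on the device
    itself, so it keeps showing up in the audit until that is done.
    """
    fixed = dict(settings)
    fixed.update({
        "admin_password": new_admin_password,
        "wifi_security": "WPA2",
        "wifi_passphrase": new_wifi_passphrase,
        "wps_enabled": False,
        "remote_admin_enabled": False,
        "upnp_enabled": False,
    })
    return fixed


if __name__ == "__main__":
    for sev, msg in audit(WEAK):
        print(f"[{sev}] {msg}")
    fixed = harden(WEAK, "correct-horse-battery-staple", "long-random-wifi-passphrase-2018")
    print("after hardening:", audit(fixed))
```

Run against the weak settings the audit reports six findings; after hardening, only the firmware finding remains, which is the point: the one item a script cannot fix is the one the article says to do first.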
Turning off any remote administration features that may be turned on by default is always a good idea, as is disabling Universal Plug and Play (UPnP), which can easily poke holes in your firewall without you knowing it. However, Cisco researchers say there is no indication that VPNFilter uses UPnP.

For more tips on how to live with your various Internet of Things (IoT) devices without becoming a nuisance to yourself or the Internet at large, please see Some Basic Rules for Securing Your IoT Stuff.

from https://krebsonsecurity.com/2018/05/fbi-kindly-reboot-your-router-now-please/

The past month has seen one blockbuster revelation after another about how our mobile phone and broadband providers have been leaking highly sensitive customer information, including real-time location data and customer account details. In the wake of these consumer privacy debacles, many are left wondering who is responsible for policing these industries. How exactly did we get to this point? What prospects are there for changes to address this national privacy crisis at the legislative and regulatory levels? These are some of the questions we’ll explore in this article.

In 2015, the Federal Communications Commission under the Obama Administration reclassified broadband Internet companies as telecommunications providers, which gave the agency authority to regulate broadband providers the same way as telephone companies. The FCC also came up with so-called “net neutrality” rules designed to prohibit Internet providers from blocking or slowing down traffic, or from offering “fast lane” access to companies willing to pay extra for certain content or for higher quality service.
In mid-2016, the FCC adopted new privacy rules for all Internet providers that would have required providers to seek opt-in permission from customers before collecting, storing, sharing and selling anything that might be considered sensitive — including Web browsing, application usage and location information, as well as financial and health data.

But the Obama administration’s new FCC privacy rules didn’t become final until December 2016, a month after the election that made Donald Trump president-elect and kept both the House and Senate under Republican control. Congress still had 90 legislative days (when lawmakers are physically in Congress) to pass a resolution killing the privacy regulations, and on March 23, 2017 the Senate voted 50-48 to repeal them. Approval of the repeal in the House passed quickly thereafter, and President Trump officially signed it on April 3, 2017.

In an op-ed published in The Washington Post, Ajit Pai — a former Verizon lawyer and President Trump’s pick to lead the FCC — said “despite hyperventilating headlines, Internet service providers have never planned to sell your individual browsing history to third parties.”

“That’s simply not how online advertising works,” Pai wrote. “And doing so would violate ISPs’ privacy promises. Second, Congress’s decision last week didn’t remove existing privacy protections; it simply cleared the way for us to work together to reinstate a rational and effective system for protecting consumer privacy.”

Sen. Bill Nelson (D-Fla.) came to a different conclusion, predicting that the repeal of the FCC privacy rules would allow broadband providers to collect and sell a “gold mine of data” about customers. “Your mobile broadband provider knows how you move about your day through information about your geolocation and internet activity through your mobile device,” Nelson said.
The Senate resolution “will take consumers out of this driver’s seat and place the collection and use of their information behind a veil of secrecy.”

Meanwhile, pressure was building on the now Republican-controlled FCC to repeal the previous administration’s net neutrality rules. The major ISPs and mobile providers claimed the new regulations put them at a disadvantage relative to competitors that were not regulated by the FCC, such as Amazon, Apple, Facebook and Google. On Dec. 14, 2017, FCC Chairman Pai joined two other Republican FCC commissioners in a 3-2 vote to dismantle the net neutrality regulations.

As The New York Times observed after the net neutrality repeal, “the commission’s chairman, Ajit Pai, vigorously defended the repeal before the vote. He said the rollback of the rules would eventually benefit consumers because broadband providers like AT&T and Comcast could offer them a wider variety of service options.”

“We are helping consumers and promoting competition,” Mr. Pai said. “Broadband providers will have more incentive to build networks, especially to underserved areas.”

MORE OR LESS CHOICE?

Some might argue we’ve seen reduced competition and more industry consolidation since the FCC repealed the rules. Major broadband and mobile provider AT&T and cable/entertainment giant Time Warner are now fighting the Justice Department in a bid to merge. Two of the four largest mobile telecom and broadband providers — T-Mobile and Sprint — have announced plans for a $26 billion merger.

The FCC privacy rules from 2016 that were overturned by Congress sought to give consumers more choice about how their data was to be used, stored and shared. But consumers now have less “choice” than ever about how their mobile provider shares their data and with whom. Worse, the mobile and broadband providers themselves are failing to secure their own customers’ data.
This month, it emerged that the major mobile providers have been giving commercial third-parties the ability to instantly look up the precise location of any mobile subscriber in real time. KrebsOnSecurity broke the news that one of these third parties — LocationSmart — leaked this ability for years to anyone via a buggy component on its Web site. We also learned that another California company — Securus Technologies — was selling real-time location lookups to a number of state and local law enforcement agencies, and that accounts for dozens of those law enforcement officers were obtained by hackers. Securus, it turned out, was ultimately getting its data from LocationSmart.

This week, researchers discovered that a bug in T-Mobile’s Web site let anyone access the personal account details of any customer with just their cell phone number, including full name, address, account number and in some cases tax ID numbers. Not to be outdone, Comcast was revealed to have exposed sensitive information on customers through a buggy component of its Web site that could be tricked into displaying the home address where the company’s wireless router is located, as well as the router’s Wi-Fi name and password.

It’s not clear how FCC Chairman Pai intends to “reinstate a rational and effective system for protecting consumer privacy,” as he pledged last year after the 2016 privacy rules were overturned. The FCC reportedly has taken at least tentative steps to open an inquiry into the LocationSmart debacle, although Sen. Ron Wyden (D-Ore.) has called on Chairman Pai to recuse himself on the inquiry because Pai once represented Securus as an attorney. (Wyden also had some choice words for the wireless companies).

The major wireless carriers all say they do not share customer location data without customer consent or in response to a court order or subpoena. Consent. All of these carriers pointed me to their privacy policies.
It could be the carriers believe these policies clearly explain that simply by using their wireless device customers have opted-in to having their real-time location data sold or given to third-party companies. Michelle De Mooy, director of the privacy and data project at the Center for Democracy & Technology (CDT), said if the mobile giants are burying that disclosure in privacy policy legalese, that’s just not good enough. “Even if they say, ‘Our privacy policy says we can do this,’ it violates peoples’ reasonable expectations of when and why their location data is being collected and how that’s going to be used. It’s not okay to simply point to your privacy policies and expect that to be enough.”
CHECKING THE FTC’S RECORD

When the FCC’s repeal of the net neutrality rules takes effect on June 11, 2018, broadband providers will once again be regulated by the Federal Trade Commission (FTC). That power was briefly shared with the FCC when the agency under the Obama administration passed its net neutrality rules with the assumption that it could regulate broadband providers like telecommunications companies.

When it comes to investigating companies for privacy and security violations, the FTC’s primary weapon is the FTC Act, which “prohibits unfair and deceptive acts or practices in or affecting commerce.” According to the FTC, a “misrepresentation or omission is deceptive if it is material and is likely to mislead consumers acting reasonably under the circumstances.” It also finds that an act or practice “is unfair if it causes, or is likely to cause, substantial injury that is not reasonably avoidable by consumers, and not outweighed by countervailing benefits to consumers or competition.”

It’s difficult to think of a bigger violation of those principles than the current practice by the major mobile providers of sharing real-time location data on customers with third parties, without any opportunity for customers to opt-in or opt-out of such sharing. But it’s unclear whether the FTC would take any action against such activity, or indeed if it has any precedent to do so.

The agency had the ability to go after mobile broadband providers for privacy and security violations between 2002 and 2015, and so KrebsOnSecurity asked the commission to share how many times during that period it took enforcement actions against broadband providers. The list I got back from them wasn’t exactly privacy or security focused. The FTC cited a case in 2003 in which it sued AOL and CompuServe over unfair billing practices.
In 2009, it helped to take down 3FN, a small, shady ISP that was based in the United States but run by Russians and hosting a stupendous amount of malware, scams and illegal content (e.g., child pornography). In 2014, the FTC alleged that AT&T Mobility deceptively advertised “unlimited” data while throttling mobile customers who used certain amounts of data (this case is still pending, but a recent appeals court decision cleared the way for the FTC to continue its lawsuit). In 2015, TracFone, the largest prepaid mobile provider in the United States, agreed to pay $40 million to the FTC for consumer refunds to settle charges that it deceived millions of consumers with regard to its “unlimited” data service.

The FTC also cited a scolding letter (PDF) that it sent to Verizon over issues related to the security of its customer routers. No action was taken by the FTC in that case.

How eager the FTC will be to police privacy practices of broadband providers may come down to the priorities of the agency’s new leaders. The Trump administration just tapped Andrew Smith as head of the FTC’s consumer protection office. Smith is a lawyer who used to represent many of the companies that the agency is already investigating. Smith will need to recuse himself from multiple ongoing investigations his office would normally lead, including data breaches at Equifax and Facebook, thanks to his previous work on behalf of the companies. According to The Hill, Smith testified in October before the Senate Banking Committee on behalf of the credit reporting industry as the panel investigated an Equifax data breach that compromised more than 145 million people.

Gigi Sohn, a fellow at the Georgetown Law Institute for Technology Law and Policy and a former senior adviser to former FCC Chair Tom Wheeler in 2015, said the FTC doesn’t have a strong record on broadband privacy enforcement.
Sohn said the FTC’s legal framework does not require affirmative opt-in consent for browsing history and app usage, and that a provider would only have to let you opt out — something that consumers rarely do and which companies routinely make hard to do. More importantly, she said, while the FCC’s rules would have protected consumers before they were harmed, the FTC can only act after harm has already occurred.

“We passed privacy rules for broadband and mobile providers that would have required them to seek customer opt-in for anything that was considered sensitive,” Sohn said of her work at the FCC under the Obama administration. “The carrier had to give you clear and consistent opportunities to opt out. It was very broad, but the definition we set for personal information was far broader than what even the FTC considered sensitive.”

REPEALING THE REPEAL OF NET NEUTRALITY

So the carriers are already reneging on their promise to customers that they won’t share location data without customer consent or a court order. But where does that leave us on net neutrality? The answer is that the major wireless carriers are already doing what was expressly prohibited under the FCC’s net neutrality rules: favoring their own content over competitors, and letting companies gain more favorable access by paying more.

Around the time of the FCC’s repeal of the net neutrality rules last year, The Wall Street Journal prognosticated about what might happen with the regulations out of the way. To do this, it looked at some of the offerings the mobile carriers pitched before the rules were drawn up. “One example of how things could work is the mobile wireless market, where some providers already have used pricing tactics to favor certain websites and services over others,” wrote John D. McKinnon and Ryan Knutson for The Journal:
AT&T Mobility offers a zero-rating plan called “Sponsored Data” that allows content providers to pay up front to have streaming of that content allowed without counting against the provider’s monthly data caps. Sohn said the FCC under the Obama administration initiated an investigation into AT&T’s Sponsored Data plan and Verizon for its go90 service, but that the inquiry was abandoned by the current FCC leadership.

There are some prospects for a Congressional repeal of this administration’s gutting of the FCC’s net neutrality rules. On May 16, the Senate approved a resolution nullifying the FCC’s rollback of the net neutrality rules. But the measure faces an uphill battle in the House.

“Right now we’re probably 30 to 40 members short of being able to bring a vote in the House,” Sohn said. “About 20 Democrats haven’t gotten on board, and we have no Republicans so far. But I think that’s going to change. If Congress repeals the net neutrality repeal, the next step would be to craft stronger rules [either at the FCC or Congress]. We have until the end of this Congress to get it done.”

The CDT’s De Mooy gives the effort to repeal the repeal of net neutrality rules slim chances of passage this year. But she said the prospects for revisiting net neutrality and consumer privacy in the next Congress look good, particularly if Democrats pick up additional seats in the House.

“It seems to be something the Democrats are taking up more now,” De Mooy said. “So much depends on what happens in November. 
But that’s true of so many tech policy issues.”

SHOCK AND YAWN

When a Carnegie Mellon University researcher showed me last week that he could look up the near-exact location of any mobile number in the United States, I sincerely believed the public would be amazed and horrified at the idea that mobile providers are sharing this real-time data with third party companies, and at the fact that those third parties in turn weren’t doing anything to prevent the abuse of their own systems. Instead, after a brief round of coverage in several publications, the story fell out of the news cycle.

A story this week in Slate.com lamented how little coverage the mainstream press has given to the LocationSmart scandal, and marvels at how much more shocked people were over the Cambridge Analytica scandal with Facebook.

“Privacy abuses and slip-ups by major tech companies have become so numerous, and the prospect of containing them seems so hopeless, that the public and much of the media have become nearly numb to them,” writes Will Oremus for Slate. “My data was hacked? So it goes. It may have been used in unauthorized ways by unspecified parties? C’est la vie.”

Oremus argues that what the LocationSmart scandal lacks is not import, nor the potential for serious harm, “but a link to some divisive political issue or societal outrage sufficient enough to generate visceral anger from people who aren’t privacy wonks.”

If you’ve read this far (bless you), don’t let breach fatigue and incessant media exposure of how little privacy we have harden into resignation. Yes, the prospects of any public debate about consumer privacy protections in the United States at the legislative level seem dim in a high-stakes mid-term election year. But supporters of net neutrality ideals can start getting involved by tweeting, calling and emailing the House lawmakers listed in red at BattleForTheNet.com. 
While you’re at it, tell your lawmakers what you think about mobile providers giving or selling third parties real-time access to customer location information, and let them know that this is no longer okay.

This is the second article in a two-part series. The first is here: Mobile Giants, Please Don’t Share the Where.

from https://krebsonsecurity.com/2018/05/why-is-your-location-data-no-longer-private/

Federal prosecutors have charged three men with carrying out a deadly hoax known as “swatting,” in which perpetrators call or message a target’s local 911 operators claiming a fake hostage situation or a bomb threat in progress at the target’s address — with the expectation that local police may respond to the scene with deadly force. While only one of the three men is accused of making the phony call to police that got an innocent man shot and killed, investigators say the other two men’s efforts to taunt and deceive one another ultimately helped point the gun.

According to prosecutors, the tragic hoax started with a dispute over a match in the online game “Call of Duty.” The indictment says Shane M. Gaskill, a 19-year-old Wichita, Kansas resident, and Casey S. Viner, 18, had a falling out over a $1.50 game wager. Viner allegedly wanted to get back at Gaskill, and so enlisted the help of another man — Tyler R. Barriss — a serial swatter known by the alias “SWAuTistic” who’d bragged of “swatting” hundreds of schools and dozens of private residences.

The federal indictment references transcripts of alleged online chats among the three men. In an exchange on Dec. 28, 2017, Gaskill taunts Barriss on Twitter after noticing that Barriss’s Twitter account (@swattingaccount) had suddenly started following him. Viner and Barriss both allegedly say if Gaskill isn’t scared of getting swatted, he should give up his home address. But the address that Gaskill gave Viner to pass on to Barriss no longer belonged to him and was occupied by a new tenant. 
Barriss allegedly then called the emergency 911 operators in Wichita and said he was at the address provided by Viner, that he’d just shot his father in the head, was holding his mom and sister at gunpoint, and was thinking about burning down the home with everyone inside.

Wichita police quickly responded to the fake hostage report and surrounded the address given by Gaskill. Seconds later, 28-year-old Andrew Finch exited his mom’s home and was killed by a single shot from a Wichita police officer. Finch, a father of two, was no party to the gamers’ dispute and was simply in the wrong place at the wrong time.

Just minutes after the fatal shooting, Barriss — who is in Los Angeles — is allegedly anxious to learn if his Kansas swat attempt was successful. Someone has just sent Barriss a screenshot of a conversation between Viner and Gaskill mentioning police at Gaskill’s home and someone getting killed. So Barriss allegedly then starts needling Gaskill via instant message:
Prosecutors say Barriss then posted a screen shot showing the following conversation between Viner and Gaskill:
Barriss and Gaskill then allegedly continued their conversation:
Later on the evening of Dec. 28, after news of the fatal swatting started blanketing the local television coverage in Kansas, Gaskill allegedly told Barriss to delete their previous messages. “Bape” in this conversation refers to a nickname allegedly used by Casey Viner:
The indictment also features chat records between Viner and others in which he admits to his role in the deadly swatting attack. In the following chat excerpt, Viner was allegedly talking with someone identified only as “J.D.”
Barriss is charged with multiple counts of making false information and hoaxes; cyberstalking; threatening to kill another or damage property by fire; interstate threats; conspiracy; and wire fraud. Viner and Gaskill were both charged with wire fraud, conspiracy and obstruction of justice. A copy of the indictment is available here.

The Associated Press reports that the most serious charge of making a hoax call carries a potential life sentence because it resulted in a death, and that some of the other charges carry sentences of up to 20 years.

As I told the AP, swatting has been a problem for years, but it seems to have intensified around the time that top online gamers started being able to make serious money playing games online and streaming those games live to thousands or even tens of thousands of paying subscribers. Indeed, Barriss himself had earned a reputation as someone who delighted in watching police kick in doors behind celebrity gamers who were live-streaming.

This case is not the first time federal prosecutors have charged multiple people in the same swatting attacks even if only one person was involved in actually making the phony hoax calls to police. In 2013, my home was the target of a swatting attack that thankfully ended without incident. The government ultimately charged four men — several of whom were minors at the time — with conducting that swat attack as well as many others they’d perpetrated against public figures and celebrities.

But despite spending considerable resources investigating those crimes, prosecutors were able to secure only light punishments for those involved in the swatting spree. One of those men, a serial swatter and cyberstalker named Mir Islam, was sentenced to just one year in jail for his role in multiple swattings. Another individual who was part of that group — Eric “Cosmo the God” Taylor — got three years of probation. Something tells me Barriss, Gaskill and Viner aren’t going to be so lucky. 
Barriss has admitted his role in many swattings, and he admitted to his last, fatal swatting in an interview he gave to KrebsOnSecurity less than 24 hours after Andrew Finch’s murder — saying he was not the person who pulled the trigger.

from https://krebsonsecurity.com/2018/05/3-charged-in-fatal-kansas-swatting-attack/

Broken your phone over the Bank Holiday Weekend? Our Bank Holiday Spring Sale is perfect for you! Get 10% off all repairs from Thursday 24th May until midnight on Monday 28th May. This sale is available across both Call-out and Mail-in Services.

How The Discount Works!

Mail-in Repairs
1. Head over to our mail-in section of the site where you can select the phone or tablet you want repairing along with the type of issue that your phone has.
2. You will then need to add the repair to your cart.
3. When you come to checking out your repair, you will be given an option on the Order Summary page to enter your discount code.
4. The Voucher Code you will need at checkout is SPRING10

Call-Out Repairs
1. Head over to our ‘book a repair’ section where you can select the phone you want repairing along with the type of issue that your phone has.
2. Add the repair to your cart.
3. You will then have the option to choose between our Call-Out or Mail-In Service. (There is an extra £15 call-out fee when using the call-out service)
4. When checking out your repair via our Order Summary Page, you have the option to enter the discount code. The voucher code is SPRING10.
5. Fill in the address details of where you want the repair to take place. Once this is complete, we will contact you to approve this repair.

You can also call our customer service team on 0333 014 4262 and give them the code and they will place the repair for you.

Terms and Conditions:
– All terms and conditions of sale remain the same.

To book a repair click here or call our friendly customer service team on: 0333 014 4262. 
The post Bank Holiday Spring Sale – 10% Off All Repairs appeared first on iMend Blog.

from https://www.imend.com/blog/bank-holiday-spring-sale-10-off-all-repairs/

With this sudden burst of sunshine sweeping across the UK, have you already booked tickets for your favourite festivals? Whether you’re into the heavy sounds of Download Festival or the quirky scenery of Boomtown Fair, there is a festival out there for everyone. No matter which festival you are attending, your mobile phone is sure to follow. From videoing your favourite live bands to ringing your lost friends, your phone plays an important part in festival life. Keep your phone safe during festival season. Here are 5 top tips for smartphone survival:

Put A Password On Your Device

In case the worst happens and you lose your mobile phone, it is essential that it’s password protected. Without a personalised code your private details could be in the hands of anyone. If you don’t already have a password on your phone… do it now.
Buy A Waterproof Phone Case

As many of you know, the weather during festival season can be unpredictable. Why not invest in a waterproof case to protect your phone from the elements? You can find waterproof cases for as cheap as £10 (dependent on make & model). For those not willing to invest, a resealable sandwich bag will do the trick!

Be Cautious When Charging Your Phone

If you are one of the thousands of people whose smartphone runs out of charge after day 1, be wary of what you use to recharge it. Many portable chargers and non-genuine leads are known to cause power surges, damaging the motherboard’s charging capabilities.
Alternatively, put your phone into Battery Saver Mode (Low Power Mode on iOS) for the duration of the festival. This will reduce your phone’s performance but sustain its battery life.

Lanyards Save Phones

Keeping your phone in your pocket over festival season can be risky business. With all of the moshing and jumping around, it’s easy for it to leap from your pocket to the muddy floor below. Attach a lanyard to your phone and keep it safe around your neck, away from harsh weather and accidental drops.

Take A Cheap Alternative

If you are worried about taking your expensive smartphone to a festival, why not take a cheap alternative? If you have an old phone lying around the house or have recently upgraded, the old handset is the perfect festival phone. You can enjoy your weekend without the worry of breaking or losing your beloved device.
If you don’t have a spare, there are many cheap, robust phones on the market. You can now pick up a phone for as cheap as £10, something that will not eat away at your festival funds. Need your phone fixed before festival season kicks off? Click here to see our full range of repairs.

The post 5 Top Tips For Smartphone Survival This Festival Season appeared first on iMend Blog.

from https://www.imend.com/blog/5-top-tips-for-smartphone-survival-this-festival-season/

Your mobile phone is giving away your approximate location all day long. This isn’t exactly a secret: It has to share this data with your mobile provider constantly to provide better call quality and to route any emergency 911 calls straight to your location. But now, the major mobile providers in the United States — AT&T, Sprint, T-Mobile and Verizon — are selling this location information to third party companies — in real time — without your consent or a court order, and with apparently zero accountability for how this data will be used, stored, shared or protected.

Think about what’s at stake in a world where anyone can track your location at any time and in real-time. Right now, to be free of constant tracking the only thing you can do is remove the SIM card from your mobile device and never put it back in unless you want people to know where you are.

It may be tough to put a price on one’s location privacy, but here’s something of which you can be sure: The mobile carriers are selling data about where you are at any time, without your consent, to third parties for probably far less than you might be willing to pay to secure it. The problem is that as long as anyone but the phone companies and law enforcement agencies with a valid court order can access this data, it is always going to be at extremely high risk of being hacked, stolen and misused. Consider just two recent examples. 
Earlier this month The New York Times reported that a little-known data broker named Securus was selling local police forces around the country the ability to look up the precise location of any cell phone across all of the major U.S. mobile networks. Then it emerged that Securus had been hacked, its database of hundreds of law enforcement officer usernames and passwords plundered. We also found out that Securus’ data was ultimately obtained from a California-based location tracking firm, LocationSmart.

On May 17, KrebsOnSecurity broke the news of research by Carnegie Mellon University PhD student Robert Xiao, who discovered that a LocationSmart try-before-you-buy opt-in demo of the company’s technology was wide open — allowing real-time lookups from anyone on anyone’s mobile device — without any sort of authentication, consent or authorization. Xiao said it took him all of about 15 minutes to discover that LocationSmart’s lookup tool could be used to track the location of virtually any mobile phone user in the United States.

Securus seems equally clueless about protecting the priceless data to which it was entrusted by LocationSmart. Over the weekend KrebsOnSecurity discovered that someone — almost certainly a security professional employed by Securus — has been uploading dozens of emails, PDFs, password lists and other files to Virustotal.com — a service owned by Google that can be used to scan any submitted file against dozens of commercial antivirus tools.

Antivirus companies willingly participate in Virustotal because it gives them early access to new, potentially malicious files being spewed by cybercriminals online. Virustotal users can submit suspicious files of all kinds; in return they’ll see whether any of the 60+ antivirus tools think the file is bad or benign. One basic rule that all Virustotal users need to understand is that any file submitted to Virustotal is also available to customers who purchase access to the service’s file repository. 
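That rule is why a hash-first workflow is the safer default for anyone triaging files: compute the SHA-256 locally, ask VirusTotal whether it already knows that hash, and only consider sending the bytes after an automated gate says the file is not internal data. The Python below is an added example written for this page; it is not code from Securus, VirusTotal or KrebsOnSecurity. The sample files, the filename patterns and the hit thresholds are constructed for the illustration, and the script makes no network calls: it only builds the VirusTotal v3 file-report URL (GET /api/v3/files/<sha256> with an x-apikey header) for the caller to query.

```python
import hashlib
import re

# VirusTotal v3 file report endpoint: GET <url><sha256> with an "x-apikey" header.
VT_FILE_REPORT = "https://www.virustotal.com/api/v3/files/"

# Constructed heuristics: tune the patterns and thresholds for your own environment.
SENSITIVE_NAME = re.compile(r"users?.{0,2}pass|password|credential|dump|\.sql$|\.pst$", re.I)
# "address@domain.tld<separator>secret" on one line: the shape of a leaked account list.
CREDENTIAL_LINE = re.compile(r"^\S+@\S+\.[a-z]{2,}[:;,\t ]+\S+$", re.I | re.M)
# bcrypt strings, or bare 32/64-hex tokens (MD5- and SHA-256-shaped password hashes).
HASH_TOKEN = re.compile(
    r"\$2[aby]\$\d\d\$[./A-Za-z0-9]{53}|\b[a-f0-9]{32}\b|\b[a-f0-9]{64}\b", re.I)
MIN_HITS = 3   # a single contact line in a benign document should not trip the gate


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sensitivity_reasons(name: str, data: bytes) -> list:
    """Explain why a blob looks like internal data rather than a malware sample."""
    reasons = []
    if SENSITIVE_NAME.search(name):
        reasons.append("filename suggests credentials or a database dump")
    text = data.decode("utf-8", errors="ignore")
    cred_hits = len(CREDENTIAL_LINE.findall(text))
    if cred_hits >= MIN_HITS:
        reasons.append(f"{cred_hits} e-mail/secret pairs")
    hash_hits = len(HASH_TOKEN.findall(text))
    if hash_hits >= MIN_HITS:
        reasons.append(f"{hash_hits} hash-shaped tokens (password hashes?)")
    return reasons


def triage(name: str, data: bytes) -> dict:
    """Hash-first triage: always return the lookup URL, allow an upload only when clean."""
    digest = sha256_hex(data)
    reasons = sensitivity_reasons(name, data)
    return {
        "sha256": digest,
        "lookup_url": VT_FILE_REPORT + digest,   # query this before ever sending bytes
        "upload_ok": not reasons,
        "reasons": reasons,
    }


# Constructed samples (not real accounts): a credential dump and a PE-like stub.
SAMPLE_DUMP = (b"alice@example.com:5f4dcc3b5aa765d89ae4d8bd8e8d5c71\n"
               b"bob@example.com:e10adc3949ba59abbe56e057f20f883e\n"
               b"carol@example.com:25d55ad283aa400af464c76d713c07ad\n")
SAMPLE_BINARY = b"MZ\x90\x00" + b"\x00" * 60

if __name__ == "__main__":
    for fname, blob in (("users_pass_dump.txt", SAMPLE_DUMP), ("dropper.exe", SAMPLE_BINARY)):
        result = triage(fname, blob)
        verdict = "safe to upload" if result["upload_ok"] else "BLOCK: " + "; ".join(result["reasons"])
        print(f"{fname}: {verdict}\n  lookup: {result['lookup_url']}")
```

The gate is deliberately conservative in one direction only: a blocked file can still be checked by hash, because a hash leaks nothing about its contents, while an uploaded file becomes part of a repository that paying third parties can pull from.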
Despite that rule, for the past two years someone at Securus has been submitting a great deal of information about the company’s operations to Virustotal, including copies of internal emails and PDFs about visitation policies at a number of local and state prisons and jails that made up much of Securus’ business.

One of the files, submitted on April 27, 2018, is titled “38k user pass microsemi.com – joomla_production.mic_users_blockedData.txt”. This file includes the names and what appear to be hashed/scrambled passwords of some 38,000 accounts — supposedly taken from Microsemi, a company that’s been called the largest U.S. commercial supplier of military and aerospace semiconductor equipment. Many of the usernames in that file do map back to names of current and former employees at Microsemi. KrebsOnSecurity shared a copy of the database with Microsemi, but has not yet received a reply. Securus also has not responded to requests for comment.

These files that someone at Securus apparently submitted regularly to Virustotal also provide something of an internal roadmap of Securus’ business dealings, revealing the names and login pages for several police departments and jails across the country, such as the Travis County Jail site’s Web page to access Securus’ data. Check out the screenshot below.

Notice that forgot password link there? Clicking that prompts the visitor to enter their username and to select a “security question” to answer. There are but three questions: “What is your pet’s name? What is your favorite color? And what town were you born in?” There don’t appear to be any limits on the number of times one can attempt to answer a secret question. Given such robust, state-of-the-art security, how long do you think it would take for someone to figure out how to reset the password for any authorized user at Securus’ Travis County Jail portal? 
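The reset flow described above (a handful of low-entropy questions, no attempt limit) is an instance of a general weakness, and the fix is not a better question. The Python below is an added example written for this page, not Securus code and not a model of the Travis County portal itself: it uses a constructed account with a “favorite color” answer to show how few guesses an unthrottled reset takes, next to a hardened version that locks the account after a few failures, compares answers in constant time, and replaces the knowledge-based answer with a random single-use token that would be delivered out of band. The sample account, the colour list and the limits are assumptions made for the illustration.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

# Constructed guess list: a "favourite colour" answer space is only a dozen words deep.
COMMON_COLOURS = ["blue", "red", "green", "black", "white", "yellow",
                  "purple", "orange", "pink", "brown", "grey", "gray"]


@dataclass
class Account:
    username: str
    colour_answer: str          # the knowledge-based "security question" answer
    failed_attempts: int = 0
    locked_until: float = 0.0


class VulnerableReset:
    """Unlimited guesses at a tiny answer space: the shape of the flaw described above."""

    def __init__(self, accounts):
        self.accounts = {a.username: a for a in accounts}

    def check_answer(self, username, guess):
        acct = self.accounts.get(username)
        return acct is not None and guess.lower() == acct.colour_answer.lower()


def brute_force_colour(portal, username, wordlist=COMMON_COLOURS):
    """Walk the wordlist against the portal; return (answer or None, attempts used)."""
    for attempts, word in enumerate(wordlist, start=1):
        if portal.check_answer(username, word):
            return word, attempts
    return None, len(wordlist)


class HardenedReset:
    """Lockout after MAX_FAILS, constant-time comparison, and a random single-use
    reset token (sent to a verified channel) instead of a guessable answer."""
    MAX_FAILS = 5
    LOCKOUT_SECONDS = 15 * 60
    TOKEN_TTL_SECONDS = 10 * 60

    def __init__(self, accounts, clock=time.time):
        self.accounts = {a.username: a for a in accounts}
        self.clock = clock                  # injectable so lockout expiry can be tested
        self.tokens = {}                    # username -> (token, expiry)

    def check_answer(self, username, guess):
        acct = self.accounts.get(username)
        if acct is None:
            return False                    # same response as a wrong answer: no username enumeration
        now = self.clock()
        if now < acct.locked_until:
            return False                    # still locked, even for the right answer
        ok = hmac.compare_digest(guess.lower().encode(), acct.colour_answer.lower().encode())
        if ok:
            acct.failed_attempts = 0
            return True
        acct.failed_attempts += 1
        if acct.failed_attempts >= self.MAX_FAILS:
            acct.locked_until = now + self.LOCKOUT_SECONDS
            acct.failed_attempts = 0
        return False

    def issue_reset_token(self, username):
        """Return a 256-bit token; a real deployment sends it only to the account's verified e-mail or phone."""
        token = secrets.token_urlsafe(32)
        self.tokens[username] = (token, self.clock() + self.TOKEN_TTL_SECONDS)
        return token

    def redeem_reset_token(self, username, token):
        stored = self.tokens.pop(username, None)    # pop: a token can be redeemed once
        if stored is None:
            return False
        expected, expiry = stored
        return self.clock() <= expiry and hmac.compare_digest(expected.encode(), token.encode())


if __name__ == "__main__":
    weak = VulnerableReset([Account("jdoe", "purple")])
    print("unthrottled portal gave up the answer after", brute_force_colour(weak, "jdoe")[1], "guesses")
    strong = HardenedReset([Account("jdoe", "purple")])
    found, used = brute_force_colour(strong, "jdoe")
    print("hardened portal: answer found =", found, "after", used, "guesses (locked out)")
```

The lockout alone is not the point: it buys time, but a twelve-word answer space is still exhausted by anyone who waits out a few lockout windows, which is why the hardened class ends at a random token rather than at a better-throttled question.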
Yes, companies like Securus and LocationSmart have been careless with securing our prized location data, but why should they care if their paying customers are happy and the real-time data feeds from the mobile industry keep flowing? No, the real blame for this sorry state of affairs comes down to AT&T, Sprint, T-Mobile and Verizon.

T-Mobile was the only one of the four major providers that admitted providing Securus and LocationSmart with the ability to perform real-time location lookups on their customers. The other three carriers declined to confirm or deny that they did business with either company. As noted in my story last Thursday, LocationSmart included the logos of the four carriers on their home page — in addition to those of several other major firms (that information is no longer available on the company’s site, but it can still be viewed by visiting this historical record of it over at the Internet Archive).

Now, don’t think for a second that these two tiny companies are the only ones with permission from the mobile giants to look up such sensitive information on demand. At a minimum, each one of these companies can in theory resell (or leak) this information and access to others. On 15 May, ZDNet reported that Securus was getting its data from the carriers by going through an intermediary: 3Cinteractive, which was getting it from LocationSmart.

However, it is interesting that the first insight we got that the mobile firms were being so promiscuous with our private location data came in the Times story about law enforcement officials seeking the ability to access any mobile device’s location data in real time. All technologies are double-edged swords, which means that each can be used both for good and malicious ends. 
As much as police officers may wish to avoid the hassle and time constraints of having to get a warrant to determine the precise location of anyone they please whenever they wish, those same law enforcement officers should remember that this technology works both ways: It also can just as easily be abused by criminals to track the real-time movements of police and their families, informants, jurors, witnesses and even judges. Consider the damage that organized crime syndicates — human traffickers, drug smugglers and money launderers — could inflict armed with an app that displays the precise location of every uniformed officer from within 300 ft to across the country. All because they just happened to know the cell phone number tied to each law enforcement official. Maybe you have children or grandchildren who — like many of their peers these days — carry a mobile device at all times for safety and for quick communication with parents or guardians. Now imagine that anyone in the world has the instant capability to track where your kid is at any time of day. All they’d need is your kid’s digits. Maybe you’re the current or former target of a stalker, jilted ex-spouse, or vengeful co-worker. Perhaps you perform sensitive work for the government. All of the above-mentioned parties and many more are put at heightened personal risk by having their real-time location data exposed to commercial third parties. Some people might never sell their location data for any price: I suspect most of us would like this information always to be private unless and until we change the defaults (either in a binary “on/off” way or app-specific). On the other end of the spectrum there are probably plenty of people who don’t care one way or another provided that sharing their location information brings them some real or perceived financial or commercial benefit. 
The point is, for many of us location privacy is priceless because, without it, almost everything else we’re doing to safeguard our privacy goes out the window. And this sad reality will persist until the mobile providers state unequivocally that they will no longer sell or share customer location data without having received and validated some kind of legal obligation — such as a court-ordered subpoena.

But even that won’t be enough, because companies can and do change their policies all the time without warning or recourse (witness the current reality). It won’t be enough until lawmakers in this Congress step up and do their jobs — to prevent the mobile providers from selling our last remaining bastion of privacy in the free world to third party companies who simply can’t or won’t keep it secure.

The next post in this series will examine how we got here, and what Congress and federal regulators have done and might do to rectify the situation.

from https://krebsonsecurity.com/2018/05/mobile-giants-please-dont-share-the-where/

Apple announced a huge price reduction on iPhone Battery Replacements in December 2017. Their cut prices have been a great benchmark for all Mobile Phone Repair Companies, with many slashing the price of this repair. It’s fantastic news for the customer, swapping their battery for a fraction of the original price. iMend.com have followed in Apple’s footsteps by reducing the price of all iPhone Battery Replacements. The latest price is an incredible £29.99 across both mail-in and call-out services.

Why Use Our Service?

Apple have 38 nationwide stores which mainly cover cities and larger towns. However, with over 250 iMend Certified Technicians dotted across the UK, it’s iMend’s goal to offer a professional and convenient Mobile Phone Repair Service to those living outside of these highly populated areas. 
From quiet counties such as Cornwall to small northern towns such as Market Harborough, iMend.com offers the highest quality service at your own home or office, fuss free. Does your iPhone have a dying battery? Book your battery replacement at iMend.com today.
The post All iPhone Battery Replacements Reduced To £29.99 appeared first on iMend Blog. from https://www.imend.com/blog/all-iphone-battery-replacements-reduced-to-29-99/
Check out the latest price drops on our iPhone 7 / 8 Screen Repairs below:
Was: £109.99

Whether you have a broken iPhone 7 or a smashed iPhone 8, click here to view our range of repairs.

The post Price Drops Across iPhone 7 / 8 Screen Repairs appeared first on iMend Blog.

from https://www.imend.com/blog/price-drops-across-iphone-7-8-screen-repairs/
ABOUT ME

Hi, my name is Anthony. I am 32 years old, from Houston. I am working in a local store selling electronic devices. I have been interested in electronics since childhood and I like to read about it.