An Indianapolis homicide fuels criticisms of digital tracking devices


Welcome to The Cybersecurity 202! I’ve spent a lot of time with reporters at bars but somehow only this weekend learned about how the Chicago Sun-Times bought a bar so its reporters could go undercover as bartenders and catch city inspectors accepting bribes. 

Below: Today’s January 6 hearing will focus on Trump’s false claims about election hacking and fraud, and fresh evidence suggests that a Trump ally breached an election system in Georgia.

AirTags and other trackers can be easily misused by bad actors

An alleged homicide in Indianapolis is raising tough questions about digital trackers that are marketed for convenience but sometimes used for stalking.  

Gaylyn Morris, who was arrested and accused of murder, allegedly told witnesses that she was tracking her boyfriend Andre Smith with an Apple AirTag because she suspected him of cheating on her, as my colleague Lindsey Bever reports.  

Apple markets its AirTag mini trackers as a way to locate easily lost items such as keys and wallets. But privacy advocates have long warned that AirTags and similar products are frequently used to track unsuspecting people.

Morris allegedly used the AirTag to locate Smith at a local pub where he was with another woman and a heated confrontation ensued. According to police, Morris is accused of running over Smith several times with a car, per the Indianapolis Star. He was pronounced dead at the scene.

The case highlights how seemingly innocuous tracking technology can potentially be used for nefarious purposes — especially by romantic partners and exes — sometimes with tragic results.

Apple has made significant reforms to reduce the danger of AirTag stalking — but critics say the changes are far from sufficient.  

  • AirTags make a periodic chirping noise to alert people to their presence.
  • The tags also pop up an alert when they’re in proximity to an iPhone or other Apple product for an extended period of time.
  • That alert previously only popped up after three days of proximity, but Apple announced earlier this year that it is significantly shortening that window. In a test run in March, Post tech columnist Geoffrey A. Fowler received an alert after just 45 minutes.
  • Similar tracking products offered by Samsung and the company Tile can be discovered in proximity to a phone by scanning with apps offered by the companies.

But those safeguards leave plenty of loopholes that can work to a stalker’s advantage. Geoffrey highlighted several of them.

  • The AirTag sound can be tough to hear if you’re in a noisy place.
  • The AirTag alerts also don’t automatically pop up if the person being tracked uses an Android or other non-Apple product.
  • There’s an Android app people can download to find AirTags in proximity to their phones. But, as with the apps that identify trackers offered by Samsung and Tile, this puts the onus on the victim who may have no reason to suspect he or she is being tracked.

Students at the Technical University of Darmstadt developed a single app that scanned for all the major trackers, Geoffrey notes, something the companies themselves haven’t done that would at least make the process easier for people who fear being tracked.

Asked for comment on the Indianapolis case, Apple referred back to its statement from a series of anti-tracking updates in February. Security and privacy advocates were quick to highlight the Indianapolis case as evidence that more security checks are needed. 

Carrie Goldberg, an attorney who focuses on digital stalking and harassment:

Nicholas Weaver, a senior researcher at the University of California at Berkeley’s International Computer Science Institute:

Weaver suggested blocking AirTags from reporting locations where, based on his iPhone location history, the person who bought the devices hasn’t recently been — a strong suggestion the person didn’t leave his keys there.

More from Goldberg and Weaver:

This is just the latest scandal for surreptitious tracking and listening technology. In most cases, this technology comes in the form of apps that are surreptitiously installed on the victim’s phone or another device rather than physical objects — a category critics have dubbed “stalkerware.”

Like AirTags, these apps often also have legitimate purposes, such as helping parents track their children’s online activity. But in some cases, the legitimate activity is largely a veneer and the apps are used for nefarious purposes more often than legitimate ones. 

  • Last year, Ali Nasser Abulaban, a popular TikTok personality, allegedly murdered his wife and a male friend after spying on them through a listening app surreptitiously installed on his daughter’s iPad.
  • In 2005, the Justice Department indicted the creator and four users of Loverspy, malicious software designed to spy on intimate partners.

Cybersecurity advocates led by the Electronic Frontier Foundation’s Eva Galperin have been pushing for tech and anti-virus companies to do a better job of scanning for stalkerware and alerting users when it’s on their devices. 

But it’s a difficult process — not least because stalkerware can be difficult to distinguish from legitimate apps. 

Today’s Jan. 6 hearing will focus on Trump’s false election fraud claims

The hearing will focus on Trump’s baseless claims that the 2020 election was stolen and how those assertions were connected to the mob that attacked the Capitol on Jan. 6, 2021, Amy B Wang and Jacqueline Alemany report. Republican election lawyer Benjamin Ginsberg and former federal prosecutor B.J. “BJay” Pak will testify at the hearing, which begins at 10 a.m. today.

“We will reveal information about how the former president’s political apparatus used these lies about fraud, about a stolen election, to drive fundraising, bringing in hundreds of millions of dollars between Election Day 2020 and January 6,” a committee aide said.

They also said the committee will “show that some of those individuals responsible for the violence on the 6th echoed back to those very same lies that the president peddled in the run-up to the insurrection.” 

Georgia Secretary of State Brad Raffensperger (R) is expected to testify at the committee’s fifth hearing, the Wall Street Journal reported. The fifth hearing will focus on Trump’s efforts to pressure state officials and election officials to change the results of the election, the Journal reported. Trump pressured Raffensperger to “find 11,780 votes” in a Jan. 2 phone call, according to The Post. 

More evidence suggests a possible election security breach in a Georgia county

Cybersecurity executive Benjamin Cotton, who has allied with 2020 election deniers, said in a court filing that he examined the voting system used in Coffee County, Ga. It’s the latest indication that allies of former president Donald Trump have breached some voting machines in the wake of Trump’s 2020 election loss and false claims that the election was stolen, Emma Brown and Amy Gardner report. 

Cotton, who founded digital forensics firm CyFIR, said in the filing for a civil federal suit in Arizona that he examined Dominion Voting Systems machines used in several counties — including Coffee County; Mesa County, Colo.; and Maricopa County, Ariz. He didn’t respond to a request for comment. That lawsuit was filed by two Republican candidates who want to block Arizona from using electronic voting machines in November’s midterm election.

“The episode in Coffee County is one in a steady drip of revelations since the 2020 election about attempts by Trump allies to examine or copy tightly guarded voting machines to search for evidence of fraud,” my colleagues write. “Some of those attempts have been aided by like-minded election officials, raising concerns about insiders as a growing threat to election security.”

Several other counties that Cotton cited were already known to have compromised the security of election machines. 

  • Mesa County clerk Tina Peters was indicted in March on charges stemming from an effort to let outsiders copy election machine hard drives. She has denied wrongdoing.
  • Cotton was a contractor for a partisan audit in Maricopa County launched by Republicans. The review reaffirmed President Biden’s victory in the state.

Hospital check-in software is harvesting patients’ health data

More than 2,000 U.S. hospitals and clinics use software made by the company Phreesia to streamline check-ins at doctor’s offices, according to the company. But Phreesia also sells ads to pharmaceutical companies and asks patients to opt in to receive those targeted ads, Geoffrey A. Fowler reports. 

Phreesia software was used for more than 100 million check-ins in the past year, according to the company. Users are allowed to decline to share their information for advertising purposes, but the company wouldn’t tell Geoff how many patients say no. Collecting such data could also make Phreesia a valuable target for hackers, who have gone after organizations that store sensitive medical information.

Bolsonaro’s new ally in questioning Brazil’s elections: The military (The New York Times)

CERT-UA warns of cyberattack on Ukrainian media (Interfax-Ukraine)

Channel 4 facing Ofcom probe over ‘emergency news’ stunt to promote drama The Undeclared War (i News)

Wickr, Amazon’s encrypted chat app, has a child sex abuse problem — and little is being done to stop it (CNBC)

Answers to school’s cyberattack could be weeks away (Toledo Blade)

  • National Cyber Director Chris Inglis and CISA Executive Assistant Director Eric Goldstein speak at ITI’s cyber summit today. 
  • The Senate Judiciary Committee hosts a hearing on threats to election workers on Tuesday at 10 a.m. 
  • The House Energy and Commerce Committee holds a hearing on privacy legislation on Tuesday at 10:30 a.m.
  • Carol House, the National Security Council’s director for cybersecurity and secure digital innovation, speaks at an Atlantic Council event on cybersecurity challenges with central bank digital currencies on Wednesday at 12:30 p.m. 
  • Assistant Secretary for Cyber, Infrastructure, Risk, and Resilience Iranga Kahangama and Eric Mill, a senior adviser to Federal Chief Information Officer Clare Martorana, speak at a Billington CyberSecurity event on Thursday at 8 a.m.
  • The Center for Strategic and International Studies hosts an event on obstacles to implementing the federal government’s cybersecurity efforts on Thursday at 2:30 p.m. 

The Post’s former executive editor Ben Bradlee argued against them winning a Pulitzer Prize because, he argued, the tactic violated journalistic ethics. Thanks for reading. See you tomorrow.
