Notable

TY BAKER

Cell phone tracking firm exposed millions of Americans' real-time locations

The bug allowed one Carnegie Mellon researcher to track anyone's cell phone in real time.

A company that collects the real-time location data on millions of cell phone customers across North America had a bug in its website that allowed anyone to see where a person is located – without obtaining their consent.

The company, LocationSmart, is a data aggregator and claims to have "direct connections" to cell carriers to obtain locations from nearby cell towers. The site had its own "try-before-you-buy" page that lets you test the accuracy of its data. The page required explicit consent from the user before their location data can be used by sending a one-time text message to the user. When we tried with a colleague, we tracked his phone to a city block of his actual location.

>https://www.zdnet.com/article/cell-phone-tracking-firm-exposed-millions-of-americans-real-time-locations/

MAYBE NOTABLE

Mucho <3 BO / BV / BAKER

OF COURSE NO HOMO, U FAGS!

LA Confidential: How Leaked Emergency Call Records Exposed LA County's Abuse & Crisis Victims

The UpGuard Cyber Risk Team can now disclose that sensitive data from the Los Angeles County 211 service, a nonprofit assistance organization described on their website as "the central source for providing information and referrals for all health and human services in LA County," was publicly exposed online.

This information was stored in an Amazon AWS S3 bucket configured to be publicly and anonymously accessible. Though some of the files in the bucket were not publicly downloadable, those that were included Postgres database backups and CSV exports of that data, with hundreds of thousands of rows of sensitive personal information. Despite 211’s dedication to preserving the confidentiality of reports, a technical misconfiguration - in this case, an inadvertently public cloud storage instance - exposed not only email addresses and weakly hashed passwords for LA County 211 employees, but six years of highly sensitive call logs regarding some of the most vulnerable people in LA County.

>https://www.upguard.com/breaches/la-county-211-hotline

MAYBE

NOTABLE

IGNORE THE SHILLS, GET COMFY AND HELP DIG W/ SOME OF THIS NOTABLE SHIT I'M POSTING

Revealed: Storyful uses tool to monitor what reporters watch

News Corp subsidiary’s news verification plugin also used to monitor users’ social media browsing

Software developed by a subsidiary of Rupert Murdoch’s News Corp to help journalists verify content on social media is also being used to monitor the videos and images viewed by reporters who use the tool.

The technology was built by Storyful, an agency that finds, verifies and licenses newsworthy or viral social media content on behalf of media organisations, including the New York Times, the Washington Post and ABC News in the US, and News Corp’s own publications and the public broadcaster the ABC in Australia.

In 2016, journalists were encouraged to install a Storyful web browser extension called Verify that informs users when videos or images have been verified and cleared for use by the company’s in-house journalists.

But the Guardian has established that data acquired through the Verify plugin is also being used by Storyful to actively monitor what its clients are seeing on social media. The incoming social media browsing data has been turned into an internal feed at the company that updates in real time.

>https://youtu.be/HszxDmIWLcc

>https://www.theguardian.com/world/2018/may/17/revealed-how-storyful-uses-tool-monitor-what-journalists-watch?CMP=share_btn_tw

Hacker Breaches Securus, the Company That Helps Cops Track Phones Across the US

A hacker has provided Motherboard with the login details for a company that buys phone location data from major telecom companies and then sells it to law enforcement.

A hacker has broken into the servers of Securus, a company that allows law enforcement to easily track nearly any phone across the country, and which a US Senator has exhorted federal authorities to investigate. The hacker has provided some of the stolen data to Motherboard, including usernames and poorly secured passwords for thousands of Securus’ law enforcement customers.

"Location aggregators are—from the point of view of adversarial intelligence agencies—one of the juiciest hacking targets imaginable," Thomas Rid, a professor of strategic studies at Johns Hopkins University, told Motherboard in an online chat.

The hacker who breached Securus provided Motherboard with several internal company files. A spreadsheet allegedly from a database marked “police” includes over 2,800 usernames, email addresses, phone numbers, and hashed passwords and security questions of Securus users, stretching from 2011 up to this year. A hash is a cryptographic representation of a piece of data, meaning a company doesn’t need to store the password itself. But the hashes themselves were created using the notoriously weak MD5 algorithm, meaning attackers could learn a user’s real password in many cases. Indeed, some of the passwords have seemingly been cracked and included in the spreadsheet. It is not immediately clear if the hacker that provided the data to Motherboard cracked these alleged passwords or if Securus stored them this way itself.

Most of the users in the spreadsheet are from US government bodies, including sheriff departments, local counties, and city law enforcement. Impacted cities include Minneapolis, Phoenix, Indianapolis, and many others. The data also includes Securus staff members, as well as users with personal email addresses that aren’t explicitly linked to a particular government department.

>https://motherboard.vice.com/en_us/article/gykgv9/securus-phone-tracking-company-hacked