Security This Week: License Plate Readers in Texas Are Now Also Debt Collectors and other scary reveals
It’s been a busy week. The New York City Department of Consumer Affairs launched an investigation into hackable baby monitors. An iPhone-crashing link made the rounds. The Anaheim Police Department admitted that it uses plane-mounted stingrays in Disneyland’s backyard. Andy Greenberg explained why the proposed state bans on phone encryption don’t make any sense at all. We learned that it’s not so hard to make your own NSA bulk surveillance system. And the NSA’s chief hacker actually gave a tutorial on how to keep him out of your system.
But that’s not all. Each Saturday we round up the news stories that we didn’t break or cover in depth at WIRED, but which deserve your attention nonetheless. As always, click on the headlines to read the full story in each link posted. And stay safe out there!
Vigilant Solutions’ License Plate Reader Database Is a Massive Threat to Privacy
Vehicle surveillance broker Vigilant Solutions has offered Texas law enforcement agencies “free” access to its massive automated license plate reader databases and analytical tools, but only if the police give Vigilant access to all of their data on outstanding court fees and hand the company a 25 percent surcharge from money collected from drivers with outstanding court fines. Vigilant also gets to keep a copy of any license-plate data collected by the police, even after the contract ends, and can retain it indefinitely. The EFF warns that the arrangement turns police into debt collectors and data miners. Neither policymakers nor the public have evaluated the technology, the contract contains a non-disparagement clause, and the program uploads everyone’s driving patterns into a private system without any way for these individuals to control how their data is used or shared. According to a contract between Vigilant and the NYPD, the “Domain Awareness System” has extensive surveillance capabilities. The system combines license plate data with camera footage and surveillance devices, and it allows NYC police to monitor cars across the country. The software’s “stakeout” feature lets the NYPD see who was at a location (such as a protest, a church, or even an abortion clinic) at a given time, and the software can use both “predictive analysis” to determine where a person is likely to be and “associative analysis” to determine whether someone is a “possible associate” of a criminal.
UK Government Allows Firms to Sell Invasive Spying Equipment to Human Rights Abusers
The Independent revealed that the UK government has been licensing the sale of invasive surveillance equipment to repressive states rampant with human rights abuses, including Saudi Arabia, Egypt, and the United Arab Emirates. The licenses include tools that can hack into devices, intercept private phone calls, and run internet monitoring and surveillance programs throughout entire countries.
Android Ransomware Threatens to Share Users’ Browsing History With Their Contacts
If adult apps that are only available in third-party stores are your thing, but you don’t want everyone in your contact list to know, you should make sure you’re running Lollipop on your Android device. That’s because Symantec discovered a new ransomware strain called Lockdroid that uses a clickjacking technique to install itself. The secondary popup comes up as an error message appearing on top of a permissions window, and tricks users by disguising itself as an intermediary screen with a “continue” button perfectly overlaid on top of an activation button. (Lollipop doesn’t show secondary popups on installation screens, so you’d have to be gullible enough to manually approve it if you’ve upgraded—but only a third of phones in the Android ecosystem are up to date.) The ransomware encrypts users’ files and demands a ransom to decrypt them, and blackmails users by threatening to send their browsing history to all their contacts. Lockdroid is currently being distributed through the “Porn ‘O’ Mania” app.
Records Show That Chicago Police Involved in Teen Shooting Sabotaged Their Own Dashcams
Despite the City of Chicago trying to cover up the police execution of black teenager Laquan McDonald, dashcam footage was released last November, over 13 months after the shooting had taken place. Three dashcams pointing at McDonald did not record video, and audio was missing from four others. It’s unlikely that this was a coincidence.
A CPD audit has revealed that officers deliberately sabotaged their own dash cams by pulling out batteries, destroying or “losing” antennas, and removing microphones or stashing them in their squad car glove compartments. No wonder 80 percent of the department’s dash cam videos didn’t record audio, and 12 percent didn’t record video, which police officials blamed not just on officer error but also on “intentional destruction.”
Jason Van Dyke, the officer who has been charged with first-degree murder for the shooting death of Laquan McDonald, had his dashcam fixed for a wiring problem in June 2014. It took three months to fix it, but it “broke” again the next day, and took several more months to fix what technicians determined was intentional damage. Van Dyke’s dash cam footage of the McDonald shooting had no sound, because he’d never synced up the mic in his squad car to the camera.
Chicago’s interim police superintendent apparently began issuing formal reprimands and suspending officers for up to three days for deliberately damaging their own dashcams, which has led to a 70 percent increase in the number of video uploads.
Time to Patch Lenovo’s File-Sharing App, Since It Uses the Hardcoded Password “12345678” (When It Actually Uses a Password, That Is)
Say it ain’t so, Lenovo. According to Core Security, which found the vulnerabilities, the company’s file-sharing app, SHAREit, which creates a Wi-Fi hotspot allowing data to be shared from a phone to a laptop or vice versa, has a ridiculous number of security flaws. First of all, it uses the hardcoded password 12345678 in Windows, and no password at all in Android. That means that any system with a Wi-Fi network card can connect to that hotspot with the password I just gave you, making it easy to capture information transferred between devices. To make matters worse, SHAREit files are being transferred in plain text, leaving them susceptible to eavesdropping and tampering through man-in-the-middle attacks. Core Security further points out that file transfers in Windows and Android aren’t encrypted, so any attacker on either side of a file transfer would be able to get a copy simply by sniffing the traffic.
It’s Crazy Easy to Get People’s Home Addresses From Amazon’s Chat Support
If it wasn’t bad enough that Amazon can’t be bothered to use SSL for all of its pages, the company’s chat support apparently makes it ridiculously easy for just about anybody to gain access to customers’ personal information. Blogger Eric Springer, who used to work for Amazon as a software developer, said that malicious imposters were able to access his home address and phone number multiple times, without any authentication details beyond his name, email address, and a fake address sharing his zip code (which he’d used to register some websites). Motherboard’s managing editor recreated the trick herself. On his personal blog, EFF activist Parker Higgins documented a similar vulnerability related to Amazon wishlists with private addresses, in which third-party shippers include addresses in confirmation emails. He reported the issue in December 2014, and Amazon patched it (at least for Canada) in June 2015.
Israel’s Electric Authority Was Hacked
Hackers hit Israel’s Electricity Authority with a virus in what the country’s energy minister called one of the biggest computer-based attacks the power authority has ever experienced. Portions of the electricity grid were shut down in response, and some computer systems were shut down for two days as well. However, there is no indication that the country’s power grid was attacked. Israel’s Electricity Authority, which sits in the Ministry of Energy, is separate from the country’s utility company.
Espionage Campaign Targets Minority Activists
Palo Alto Networks’ threat research team, Unit 42, has spent seven months investigating a series of attacks that sought to gather information about minority activists, primarily Tibetan and Uyghur activists and those interested in their causes. The attacks also targeted Muslim activists and people interested in critiques of Putin and the Russian government. The group behind the attacks, which Unit 42 nicknamed “Scarlet Mimic,” started targeting activists more than four years ago. The group has used spear phishing attacks with decoy documents (and watering hole attacks) to deploy backdoor Trojans targeting the Mac OS X and Android operating systems, as well as variants of a Windows backdoor named FakeM. Code42’s research indicates that Scarlet Mimic is well funded, highly skilled, and has similar motivations to the Chinese government (although no evidence showing a direct link was found).
http://www.wired.com/2016/01/security-this-week-license-plate-readers-in-texas-are-now-also-debt-collectors/