I love that they told us exactly how they verified it. Too often in the news do we just get "was verified" or "an independent source verified," which, I get that you gotta protect sources, but still doesn't give any insight into their methodology. I could ask for example "how do you know you can trust your independent source?" because I have no idea their history together.
Tech news like this is a bit easier to actually show your work for, but even when that's the case so many security articles or people on Twitter don't show the money like this. As much as everyone likes shitting on bitfi, for example, it was quite a while before someone actually demonstrated a hack was done, with reproducible methodology, rather than just blow smoke about how it's insecure.
Leave it to EFF to have the pithiest quote in the article. Is it possible that companies that are shady are more likely to be irresponsible in their security practices, because they're focused on immediate profit?
Unlike spyfone whose intentions appeared to be profiting off of violating the privacy of others. I wonder if they have done the market research to determine if their core demo is domestic abusers.
"You will only install the SpyFone software on devices for which you are the owner, or on devices for which you have received consent from the owner of the device."
Their service cannot be used by domestic abusers, obviously. (sarcasm)
Also, Spyfone has no clue whether others accessed the data previously. For all we know, there's some .onion site selling access to pedophiles.
"Dear Valued Customers of SpyFone.com,
Within the last 10 days, one of our servers experienced a data breach and an unauthorized third party gained access to the data of approximately 2,200 customer accounts. The potentially exposed personal information of those affected could include pictures, call logs, and emails.
While our team is taking steps to enhance our site’s security and we have since taken action to ensure that all accounts are fully encrypted, we are notifying you that your account may have been one of those negatively impacted by the unauthorized access.
In an evolving landscape of online threats, SpyFone.com is committed to the highest standards of accountability and transparency, and proactively works to ensure the safety and security of our users.
We will continue to work to address this matter as we partner with leading data security firms to assist in our investigation, and coordinate with law enforcement authorities."
Non-business users (like nosy parents and controlling spouses) probably won't ever know about this security breach.
I have no sympathy for anyone who uses software like this, I strongly feel there is no justification for software like this that outweighs the invasion of privacy and other harms, and I don't think this functionality should even be possible at the phone OS level, nor should it be allowed for sale in application stores.
The security failure itself isn't surprising in the least, though. Only bad people write this kind of software. They've already limited their pool of potential hires to people with no ethical or moral standards.
Also, look at the image in the article containing the description of SpyFone. They can't even perform basic copy-editing. Poor grammar in commercial products is a solid barometer for overall product quality.
Most of these features aren’t available on iOS. From what I can tell, you have to know their iCloud credentials and be in a position to do the 2FA.
Amazing how people don't lock down S3 data.
Gosh, getting the access rights to work properly between the various types of controls in place, whether it's the groups, the access policy and whatnot, is kind of mind-numbing and makes you feel very stupid.
Not that it excuses anything but it is confusing and I can foresee an overworked engineer going "Ah fuck it, no time to read up on that, just go for the easiest stuff to get started on using S3".
As a result 'war driving' through the S3 namespace continues to yield PII and CUI nuggets of gold to bad actors.
If you give me a couple dozen developers, all of whom have never had to deal with:
And you made a graph for how long it took to do different tasks I would be able to tell which people were assigned to S3 from across the room.
>“Thank god it is a researcher, someone good trying to protect,” McBroom said in a phone call.
Mr. McBroom needs to be worried about people with ill intentions who have accessed this data in the past and that they have no idea about.
Given this is a routine S3 bucket access breach I'd assume lots of bad people have rainbow dictionary found this by now. You can assume people are basically doing that for public buckets all the time now.
Yeah, I'm sure they'll do a fine job, just hire them.
You Need Physical Access To Device For Install
Supports Android Versions (4.1 - 8.1+)
If 2 factor is on you need physical access to device
iCloud login access is required
Then look at the features....
It says a lot about Android that anyone with physical access to an unlocked phone can put this type of spyware on it.
Even if someone does leave their iPhone unlocked long enough for someone to install the app, they still couldn't do it without authorization, and even then you have to know the target's iCloud credentials and have physical access to the phone if it has 2FA.
If they can do all they claim they can do on a non-jailbroken iOS device (and they have a disclaimer that all features don't work on all versions of iOS), I would be amazed.
Wow. And their customers are likely not going to know enough or care enough to realize how much privacy they've lost.
You mean that those who they've been spying on have lost?
Yeah, granting public access to s3 buckets sounds like a great effort to enhance data security
This situation, which imo is a real danger, will get 0 attention outside the tech community.
I really wish I had an answer. Maybe I should make of this or something in order to make people share it.
- Android operating system must be Android 4.0 or higher.
- iOS operating system must be iOS 7 to iOS 8.4 or iOS 9.0 to 9.1 (Oct 2015)
Just make sure your target is not using iPhone :)
Holy shit. They left an Amazon S3 bucket wide open, their admin site was wide open, and their API stream of contacts was wide open.
Their concept of security is non-existent and they think this will be the last breach?
I doubt you'd hear any competent IT director ever say they won't experience data breaches in the future.
The incompetency is mind boggling.
I'm not talking legal blame for the past mistake, just that at some point in the near future their IAM interface should be fixed. For one thing it should be easy to give permissions to view the permissions without giving keys to the kingdom. For another thing, there's a mental overhead to working with multiple AWS accounts. I get the impression that Google Cloud Platform is ahead right now (while lots of other Google properties are not, heh).
Edit: the spyware company is absolutely to blame, but the complexity of AWS permissions including permission to view the permissions seems like a footgun to me. However, leaving open the admin site is something I wouldn't expect AWS to help with.
I’ve not seen AWS censor content, although I’m sure some cases might warrant it. That has nothing to do with a company that was negligent.
I don’t find AWS’ UI or command line clunky at all. In fact I find them clearer than most Unix tools.
It is not hard to know if you have world readable buckets in S3.
They should have a non-clunky dashboard of some sort where people can get a broad level overview of their security choices.
The AWS CLI allows you to easily pull the policy data attached to any resource and you can process it however you choose.
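A check of the kind the two comments above describe (world-readable S3 buckets are easy to detect, and the CLI hands you the policy data to process as you like), written here as an added example rather than anything posted in the thread: it takes the JSON that `aws s3api get-bucket-acl` and `aws s3api get-bucket-policy` print for one bucket and reports public ACL grants and unconditioned wildcard-principal policy statements. The bucket name, owner ID and VPC endpoint ID in the samples are constructed.

```python
"""Flag world-readable S3 buckets from get-bucket-acl / get-bucket-policy JSON; samples are constructed."""
import json

# Global grantee groups: AllUsers is anyone on the internet; AuthenticatedUsers is
# anyone holding *any* AWS account, which is public for practical purposes.
PUBLIC_ACL_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

def public_acl_grants(acl):
    """Return (group, permission) for every ACL grant to a global group."""
    hits = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_ACL_GROUPS:
            hits.append((grantee["URI"].rsplit("/", 1)[-1], grant.get("Permission")))
    return hits

def _principal_is_anyone(principal):
    """True for the wildcard principal forms "*" and {"AWS": "*"} (string or list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False

def public_policy_statements(policy_response):
    """Sid of each Allow statement open to any principal with no Condition.
    get-bucket-policy wraps the policy document as a JSON *string* under "Policy"."""
    doc = json.loads(policy_response["Policy"])
    statements = doc.get("Statement", [])
    statements = [statements] if isinstance(statements, dict) else statements
    hits = []
    for st in statements:
        if st.get("Effect") != "Allow" or not _principal_is_anyone(st.get("Principal")):
            continue
        if st.get("Condition"):
            continue  # e.g. aws:SourceVpce can scope "*" down; review those by hand
        hits.append(st.get("Sid", "<no Sid>"))
    return hits

def audit(acl, policy_response):
    """Human-readable findings from both checks; an empty list means nothing public."""
    return ([f"ACL grants {perm} to {group}" for group, perm in public_acl_grants(acl)] +
            [f"policy statement '{sid}' allows any principal"
             for sid in public_policy_statements(policy_response)])

# Constructed samples in the shape the CLI prints them.
SAMPLE_ACL = {"Owner": {"ID": "EXAMPLE-OWNER-ID"}, "Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "EXAMPLE-OWNER-ID"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"},
]}
SAMPLE_PUBLIC_POLICY = {"Policy": json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]})}
SAMPLE_SCOPED_POLICY = {"Policy": json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "VpcOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*",
     "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-EXAMPLE"}}}]})}

if __name__ == "__main__":
    for finding in audit(SAMPLE_ACL, SAMPLE_PUBLIC_POLICY):
        print("PUBLIC:", finding)
```

Run it per bucket over the output of `aws s3api list-buckets`; enabling S3 Block Public Access at the account level is the setting that stops such grants from taking effect in the first place.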
That's not setting a terribly high bar ;) those take a while to learn too, people just forget that they ever went through that stage.
I'm probably the last person who will defend many of Amazon's design choices, but this is really a matter of competence. Internet engineering is hardly unique in having difficult to understand/operate professional tools. While I will feel sympathetic towards someone who hurts themselves with power tools, you blame the tool when it malfunctions, not when the operator ignores basic safety.
Bottom line: this firm is incompetent to operate the tools they chose to use. Worse, they value the private data of their victims so little that they couldn't be arsed even to perform trivial sanity checks.
I wouldn't trust an outfit like this with the time of day.
Maybe liability for private information loss could be $10k a user. So, Equifax would owe the public 1.4 trillion dollars. Of course, they wouldn't be able to pay that, so the company would be chopped up into bits and sold for scrap.
I think that would catch more attention than some mid-level manager fall guy going to jail for six months, as would likely be the case with criminal proceedings.
It wouldn't be hard for an APT type shop to breach just about any average corporation using an arsenal of private exploits, fuck with their security configuration to make it look like gross incompetence, and exfiltrate the data to some seemingly-amateur front organization that actually leaks it.
End result is you could have foreign actors knocking out their country's competition abroad, using their competitor's laws to do so. Not ideal.
Maybe some determination would have to be made to avoid that, like a judgement rendered on the corporate culture. For example, is it obviously a cesspool of incompetence just in a general sense? Great, burn the company down.
Does the company custom-design their own ARM hardware to at least have a fighting chance vs APT-type threats? Maybe they did everything they reasonably could in that case. You could also argue smaller companies did everything they could even if they don't have the resources for that, provided there's not rampant incompetence.
In this case, it was a spyware company. Seems almost fitting that they'd be unconcerned about securing data that was essentially tricked/stolen from their users.
Or maybe up to 4% of the company's revenue.
IMO all the cookie warnings we see are just misguided attempts to ignore it and continue more or less like before and should probably not save anyone in court, again if I've understood it correctly.
Few bank CEOs have survived the various "we will get some payback for 2008" fines over the years.
If you want to change corporate culture, you don't need to destroy the company, just hold a gun to the head of each CEO and see how fast they make sure everyone else dances.
This is one of the best things about Sarbanes-Oxley - the CEO actually signs off the accounts and will go to jail if the accounts are misleading. So guess what has had top priority at banks across the globe?
Let the government keep the money. They'll be more inclined to actually enforce the law. We see how aggressively they police drugs when they stand to benefit from civil asset forfeiture.
For example, if a health insurer the size of Equifax lost the equivalent amount of HIPAA related information due to negligence, you can sure bet there would be penalties. That's because HIPAA related info has legally defined protections.
As it is, calculating the damages of releasing your Equifax info is a speculative guess at best, which is why at most you got to lock access or ID fraud protection.
It's also very difficult to assess damages of copyright violations... and so the companies that had it in their interest to get this working pushed for statutory damages.
Maybe we need something like that for privacy.
It's interesting that you bring up health insurance, because that's an industry that definitely knows how to calculate the value of various pieces of personal information.
There should be some level of competence of course, leaving things wide open doesn't seem safe, lol.
We require this of our bridges, and our roads, and our buildings. I'm not sure why we don't for our personal information assets. Arguably the Equifax hack will cause far greater economic loss than, say, a hole in the middle of mission street opening up due to lack of review by a civil engineer, so I don't get it.
Is it because politicians are uneducated technically? We didn't have good fire law in America until a room full of seamstresses burned to death when the single exit was blocked off, do we need something similar for infosec? Equifax SHOULD have been that but whoever breached it didn't release yet (as far as I know) so maybe nobody is feeling the pain yet.
I don't think criminal penalties are appropriate but civil penalties for data breaches should simply have no limit, the possibility of shareholders and debtors forfeiting all value should be included.
At the same time, the problem is "professionalization".
The problem of when one needs "real software engineering" is incredibly hard to solve. It's an incredibly fuzzy line and any organization would have a strong incentive to be on the cheaper, non-professional end of the line.
Unfortunately, Hacker News seems to be the only place where security is taken seriously. Probably because we understand the severe collective risks involved to everything from banking to healthcare, whereas most people as individuals don't care if, say, their credit card number is stolen, since they aren't liable for fraud. It's hard to see the bigger picture if you aren't technical.
The question is, who's failing to make the whole WORLD care about it? Or at the very least, the politicians? I can count on shitty lobbyists at least ensuring that, like, the economy doesn't fucking burn us alive, because they lose money when that happens. Why aren't the fatcats also getting that about netsec? If the NYSE gets hacked, they stand to lose a lot of money. If someone opens the hoover dam gates through a hack, that's a lot of money lost. We can ignore the morality and privacy issues, and just speak their $$$language$$$ here, and it still doesn't make a lick of sense that politicians aren't eviscerating Equifax right now.
So, are we supposed to like, lobby sense into their heads? I mean, why? Because we're patriots? I guess?
Then again I've got motorcycle riding friends in Houston that don't wear their helmets, and I still have to force people in my backseat to buckle up sometimes, so I don't even know. Why don't people take any kind of safety seriously?
1. Do you have sensitive information?
2. Is a Password required to access that information?
3. Is that password set to "password" or something else that would be trivially easy to guess?
It's like saying it's not your fault if a hacker takes extraordinary measures to tunnel into your house from below ground. But it is your responsibility to at least shut your front door.
The party in power is cutting regulations, not adding them. The customer has to watch their own back.
It seems simple. The free market will kill incompetent companies, right? Customers see data breaches and stop doing business with them.
Sounds good in theory but realistically, customers don't have time to do the research required for a completely free market to self regulate.
Equifax, like many Fortune-N companies, has a heavily funded sales and PR team working actively against your individual research.
Should you, as an individual, apply to a company or attempt to buy a product that has been “sold” the Equifax product suite, you’re still beholden to Equifax services (or leave without the job or house).
You’re effectively stuck, unless you have the resources (time/money) to look for employers or products that stay away from Equifax.
Worse, there's pretty much no way to tell to which companies and products this applies.
This isn't some fast food restaurant poisoning its customers. None of Equifax's "customers" got screwed by their data leak, only the targets of their "product" caught the ramifications.
We haven't had a lot of politicians that have been pro-human/worker/consumer rights in a while. We got a consumer regulatory agency. But when did you see them push back against actual troublemakers.
Sounds like the usual "both parties are the same" nonsense.
I saw them push back all the time. They recovered billions for consumers.
The success of the agency is written about in many publications. Read up on it before putting it down.
One party enacted consumer protections and another party is working to rip it apart. There is a clear difference between the two.
Here's an example article highlighting the success of the agency and the Republican desire to end it http://fortune.com/2017/01/27/donald-trump-cfpb-consumer-pro...
Note to self: one flavor of Kool Aid is good, the other flavor is bad.
However, consider that it is very likely a small minority of those ~150m affected people are actually in a position to spend the time, money, and effort in actually suing and you end up in exactly the position you are now: Equifax doing fine and suffering no penalty for their actions. Class action suits aren't really a better suggestion either because they are typically settled for pennies-on-the-dollar, with the lion's share going to the lawyers anyway.
Suing might make sense where there's a small number of affected people, or where the damages per person are much higher, but when we're talking less than $1,000 damages per person it's really just not worth each individual's time or money to do so. This is _exactly_ the kind of thing regulation is good at protecting against.
If that was the only data reported to credit bureaus, that would be great.
But "reputation data" is increasingly becoming important in this sphere. Are you Facebook friends with people with a low credit score? Do you drive through a dodgy neighborhood on the way to work? Do you watch the wrong kinds of movies? Buy liquor? Stream the wrong shows?
It's all up for grabs, and with the "credit score" formulae locked up as trade secrets, there's no way to determine if your mortgage denial was because you were one day late with a cell phone bill, or because you stop at a red light next to a pawn shop enough times that your phone thinks you're a regular customer.
FICO publishes exactly what makes up your credit score, straight from the horse's mouth:
The FCRA gives you the right to know what is in your file.
In addition, the FCRA gives you the following rights (not inclusive):
- You must be told if information in your file has been used against you. Anyone who uses a credit report or another type of consumer report to deny your application for credit, insurance, or employment – or to take another adverse action against you – must tell you, and must give you the name, address, and phone number of the agency that provided the
- You have the right to dispute incomplete or inaccurate information.
- Consumer reporting agencies must correct or delete inaccurate, incomplete, or unverifiable information.
- Consumer reporting agencies may not report outdated negative information. In most cases, a consumer reporting agency may not report negative information that is more than seven years old, or bankruptcies that are more than 10 years old.
So if you get denied a mortgage, you'll know why, and it certainly won't be because you drive by a pawn shop.
"Speech should be free and unlimited!!!.... Well, unless the topic of the speech is me, then I should be able to control 100% what other people are saying about me, of course."
How you gonna sue someone for saying things about you that are true? That's not a thing (for good reason). Would you also sue a friend if you borrowed money from them and didn't pay it back and they warned others not to lend to you? Imagine how much a judge would laugh if you showed up to court saying "I didn't get a mortgage because I have a history of not paying my bills, I deserve compensation."
That's ignoring the fact that you actually consent to data sharing as a condition of obtaining credit products. And that's a reasonable condition with a business justification.
In the US it's politically infeasible to have any sort of government agency to collect this information, so it falls on the shoulders of private companies.
The data Equifax has on me is the exact opposite of "damaging." Because of data sharing I'm eligible for a broad range of credit products that I have gotten tens of thousands of dollars in value from. On top of that the information they collect about me allows me to pay a very small premium for car and home owner's insurance.
This isn't a real argument unless you can show that the one person you're actually responding to has held both these positions. This is just a forum where a bunch of people opine; it's not a political party with a documented set of beliefs.
Assault/battery is a physical violent crime that cannot be "undone" with payments.
I did just that. I was a “software architect” for a company that was completely on prem that was moving to the cloud. Before I actually started working with AWS, I actually wanted to do it correctly and wanted an overview of the services offered.
For $reasons, I left that company about a year ago before ever touching the AWS console, and based partially on my “certificate”, I got another job and was given admin access to AWS. I spent the next year actually getting practical experience.
The concept of "incompetent and unaware of it" comes to mind.
Edit: the Dunning-Kruger effect, https://en.wikipedia.org/wiki/Dunning%E2%80%93Kruger_effect
Well, I see that you also invoked Hanlon's Razor. I don't know if I want to give these guys that benefit of the doubt - I think they genuinely don't care. Mainly because if they did have those kinds of standards to begin with, I would expect them to also have the kinds of standards that would make it unlikely to be in this line of business.
Also, anyone who uses an app/service like this, and that service has the word "spy" in their company/product name deserves to have their data and identity compromised.