This is the Shared Security Weekly Blaze for February 5, 2018 sponsored by Security Perspectives – Your Source for Tailored Security Awareness Training and Assessment Solutions. This episode was hosted by Tom Eston.
This is your Shared Security Weekly Blaze for February 5th 2018…with your host…Tom Eston
In this week’s episode: the ICE license plate tracking database, the first jackpotting attacks on US ATMs, and the Strava global heatmap controversy.
Hi everyone, I’m Tom Eston, co-host of the Shared Security podcast. Welcome to the Shared Security Weekly Blaze, where we update you on the top 3 security and privacy topics from the week. These weekly podcasts are published every Monday and are 15 minutes or less, quickly giving you “news that you can use”.
Our number three story of the week is about ICE, the Immigration and Customs Enforcement agency, and how it now has the ability to track billions of license plate records across the US using ALPR (Automated License Plate Recognition) technology. A company called Vigilant Systems has been putting together a database of license plate records submitted by repo agencies, local law enforcement and traffic cameras, as well as data from roving ALPR vehicles (similar to the Google Street View cars you may have seen roaming around your neighborhood). Vigilant Systems is partnering with ICE so that ICE can use this data in deportation and immigration control cases. Several civil liberties groups, such as the ACLU, have stated concerns that this database could be used to locate and track anyone in real time for more than just immigration issues. Even if you’re not connected to a criminal investigation, your license plate record and driving habits could be in this database. The other controversy is that Vigilant Systems entered into a private contract with ICE, a government agency, so there was no congressional oversight and no accountability for a massive surveillance system like this in government hands.
What can you do if you’re concerned about ALPR technology and being tracked? From a legal perspective, several weeks ago the state of California introduced bill S.B. 712, which would allow drivers to cover their license plate while legally parked in order to avoid roving ALPR scans, but the bill was rejected by the California Senate just this week. No other states, to my knowledge, are proposing similar legislation. From a product perspective, there are ALPR “blockers” in the form of IR filters and special reflective coatings that can be applied to license plates in an attempt to block ALPR scans. There are many different types of products out there that are just a Google search away. Friendly disclaimer: you should research the legality of using such ALPR anti-tracking devices in your state and/or country before purchasing or using any of these products.
Our number two story this week is about the “jackpotting” attacks that are targeting ATMs in the United States. Jackpotting allows malware installed on an ATM to shoot out money just like a Las Vegas slot machine. For some strange reason I’m reminded of the movie “Vegas Vacation”, in the scene where Clark Griswold jackpots his family bank account at the ATM. This attack, on the other hand, is no laughing matter.
In order to perform the attack, someone needs to physically access the ATM and install the malware via a USB port or through another interface, such as the cash dispensing or front loading slot, and eventually get the malware to infect the underlying operating system of the ATM. Brian Krebs from krebsonsecurity.com noted that most attackers, quote, “typically use an endoscope — a slender, flexible instrument traditionally used in medicine to give physicians a look inside the human body — to locate the internal portion of the cash machine where they can attach a cord that allows them to sync their laptop with the ATM’s computer.” End quote. Now, these attacks seem to require a risky amount of time to physically access the ATM, and in some cases attackers have used social engineering techniques, such as dressing like an ATM technician, to con their way to the ATM. It’s important to note that these attacks have focused on smaller ATMs typically located in pharmacies, gas stations and other small locations, not your local large bank ATMs. The Secret Service as well as ATM manufacturers have sent out alerts notifying owners of these attacks and how to harden and secure their ATMs from physical attack. In the meantime, if you happen to see an ATM jackpotting with money flying out…be sure to alert the authorities.
The number one story this week is the controversy over the Strava worldwide heatmap release that inadvertently disclosed the locations, daily routines and possible supply routes of known and unknown US military bases and CIA outposts. Because of this, the US military is now reviewing its policies and guidelines on fitness trackers and other wireless devices being used by military personnel. This heatmap, which shows jogging and running routes, has been available since last November, but last week on Twitter people started to dig into the details of the map and began to see some interesting patterns. If you’re not familiar with Strava, it is an app that allows you to sync your runs and workouts, including GPS (geolocation) information, from popular fitness trackers like Fitbits, Apple Watches, Garmin and many others. Runners and other sports enthusiasts frequently opt in to share their running routes with people as a way to stay motivated and to build a community around their workout habits. While the intention of sharing your workout information among friends is good, and users of these apps do have some control over the privacy of the information being shared, the bigger problem is that privacy controls within apps like Strava get complicated really quickly. For example, while one privacy setting may prevent a certain group of people from seeing your information, other settings, like sharing data to a leaderboard for top times on a frequently run route, may inadvertently give someone enough information to figure out who you are. Case in point, the Washington Post recently reported on the Strava heatmap and said, quote:
“On one of the Strava sites, it is possible to click on a frequently used jogging route and see who runs the route and at what times. One Strava user demonstrated how to use the map and Google to identify by name a U.S. Army major and his running route at a base in Afghanistan.”
To Strava’s credit, they do have extensive privacy settings which can be enabled so you can limit the amount of private information others can see about you and your activities. You can even turn off sharing of any data altogether. However, you need to opt out of the default settings. The default Strava privacy settings share all your location and other personal data with other users of Strava. To make matters more confusing, to opt out of the “heatmap” of all Strava users you need to change this privacy setting on the Strava website; there is no ability to do this within the mobile app. This highlights a major problem: privacy settings, and how you control your data on third-party apps like Strava, are confusing to the users of these apps. In fact, I would go as far as to say that it’s “confusing by design” in order for you to share as much information about yourself as possible. Keep in mind that companies like Strava and other “social sharing” apps make money off of the information you share. It’s only to their benefit that you share as much information as possible so they can make a profit. Something to think about next time you allow apps like these to use your location and other personal data.
That’s all for this week’s show. Be sure to follow the Shared Security Podcast on all the regular social media channels like Facebook, Twitter and Instagram. You can also subscribe and listen to our podcast on iTunes, Android, Google Play, Stitcher and on your Amazon Echo device via TuneIn. We also love to hear feedback from our listeners! Let us know how you like this new weekly format by either commenting on our social media feeds or sending us an email at email@example.com. Thanks for listening, and see you next week for another episode of the Shared Security Weekly Blaze.