Google Has Eyes on You…

You know that little feature on your smartphone where you can turn off location history? Yeah, well, turns out that’s not the only way Google can track you. According to researchers at Princeton University, there are plenty of other ways that Google can keep its eyes on you, even if you’ve turned location services off for maps. It’s true that if you even open Google Maps, Google stores a snapshot of where you are. But checking out the daily weather also zooms in on your location. And you probably had no idea that just googling some weird things like “chocolate chip cookies” or “kids science kits” will pinpoint your location as well…within a square foot. Apparently, someone is really, really interested in your top-secret cookie recipes.

As far as we can tell, as long as you turn off location services on every single app, you should be fine. But let’s face it, that’s probably not practical or convenient for most of us. And besides, the cool new things that location services provide are adding so much to make our smartphones more personal and, well, smart. And the conundrum continues…

For more details on how to turn off Google location services, click here.

Aussie Teen Hacks Apple’s Servers

If you know anything about Apple, you know that the world’s first trillion dollar company prides itself on being virtually un-hackable. Well, last week there was a little hiccup for the normally tight security in Cupertino. More accurately, the embarrassing hack came from Down Under, and at the hands of a 16-year-old high school student, no less. Insert Tim Cook facepalm here. After a tip from Apple, Australian authorities raided the house of the kid hacker and found, among other tools, a hard drive labeled “Hacky Hack Hack.” Yeah, pretty sure that’s the one they were looking for. Needless to say, the teen is due in juvenile court next week and Apple is due for a serious review of its security protocols. Oh, and don’t worry about the teen hacker. We’re pretty sure he’ll get a killer job offer either from his nemesis or another tech giant.

Water Heater Hacks

When we talk about cybersecurity doomsday scenarios, bad guys breaking into the brain of the electrical grid (think Luke Skywalker targeting the reactor core of the Death Star) is usually near the top of the list. In reality, researchers have painted a much less sophisticated scenario for taking down the grid. Experts have estimated that hackers using botnets to commandeer just 1% of smart devices connected to the grid — water heaters, air conditioners, refrigerators, etc. — could cause cascading outages and potentially crash the grid. This study once again highlights for us the importance of thinking long and hard about IoT security as we continue to work to secure the bigger picture of utilities and infrastructure.

Hacking at the PGA

Well, it turns out, Phil Mickelson wasn’t the only one hopelessly hacking away at the PGA (Professional Golfers’ Association) Championship. Last week, the PGA released the news that hackers had seized some of its digital assets, including marketing materials to be used for the 100th PGA Championship over the weekend. When they powered up their computers on Tuesday morning, Team PGA was welcomed with a ransom message demanding bitcoin and stating “your network has been penetrated. All files…have been encrypted with a strong algorithm. Any attempt to break the encryption could cause the loss of all of the work.” Ouch. Regardless, the PGA refused the ransom and went ahead with the championship, sans some marketing assets. And it seemed to go off without a hitch. Well, at least it did for winner Brooks Koepka and come-from-behind thrill maker Tiger Woods. Not so much for ole’ Lefty.

Cyber Holes in the Electrical Grid

We know that nothing is entirely safe from malicious hackers, but few things are as delicate and important as the electrical grid. A recent test by researchers at Cybereason revealed just how fast industrial control systems (ICS) can be compromised. The company set up a fake power transmission substation, known as a honeypot, and then lured would-be hackers. It only took two days before a hacker broke in, took control of the fake desktop environment and installed tools to control the system. While no legitimate systems were compromised, the exercise highlights the potential vulnerabilities of ICS and the importance of increased security measures. It’s a reminder for us that the types of cyber attacks that took out Ukraine’s power grid could be used by hackers accessing critical infrastructure anywhere.

Pacemakers Infected With Malware!

Imagine a world political leader taking the stage at a major UN event. The lights come up and everyone quiets down as the speaker prepares to address the crowd. Then, just as he begins, he clutches his chest, doubling over and then falling to the ground, as his artificial pacemaker delivers a fatal shock to his system. While this scenario sounds like a page off a Michael Crichton novel, experts revealed that would-be attackers could do exactly this. Researchers at the security firm WhiteScope have exposed critical flaws in one of the leading pacemakers that could allow a terrorist to take control and either prevent or deliver electrical impulses to the device. Threatening to do a live demonstration on an animal, the researchers claim that they could kill a subject by commandeering the device via an iPhone. Time for a wake-up call, pacemaker makers.

The Billion Dollar Heist

Last week, a bit of sweet justice was dished out when three members of one of the world’s most notorious cybercrime organizations were indicted and charged with 26 felony counts. These guys, all from Ukraine, were accused of bilking over a billion dollars from banks across the world over the last five years. They also stole millions of credit cards and resold them on the Dark Web.

The suspects are believed to be members of FIN7, a group that used malware and elaborate phishing campaigns to gain access to numerous US-based banks and retailers including Chipotle, Jason’s Deli, Red Robin, Chili’s and Sonic Drive-In. In this case, we can thank the Russians, as it was experts at cybersecurity juggernaut Kaspersky Lab that first uncovered FIN7.

You Said What on Reddit?

If you’ve never heard of Reddit, just ask your teen about it. It’s basically an online news aggregator and discussion platform. Oh, and it gets over 600 million visits every month. So yeah, it’s kind of a big deal that last week, a hacker (likely a ticked-off user) managed to hack into its systems by intercepting SMS messages meant for employees. While the jilted Redditor wasn’t able to gain access to Reddit’s systems, they were able to get their hands on some user data, including email addresses and private messages. Reddit has fixed the problem and is asking users to move to token-based two-factor authentication, where an app on your mobile phone generates a unique one-time passcode. Stay safe and Reddit on!

Your Device is Now Paired…And Hacked

Over the past year, several kinda big hacks have reminded us that Bluetooth technology isn’t exactly hacker-proof. At all. Last week, yet another Bluetooth hacking technique was uncovered. The new Bluetooth device vulnerability was found in some big brands including Apple, Intel and Qualcomm, and the tech wizards are still testing Google, Android and Linux. Apparently, the bad guys can gain access to a Bluetooth device during the pairing process via a man-in-the-middle attack. From there, the attacker can inject malware to steal data or mine for crypto. Even though the Bluetooth SIG suggests that there is no indication that the vulnerability has been exploited, Apple and Intel have already released patches for this security vulnerability.

Remote Access on Voting Machines???

This is a big one. The idea of installing modems and any sort of remote-access software into voting machines is about the worst idea since, well, ever. But that’s precisely what the nation’s top voting machine vendor did for nearly a decade. That’s right. Over a period of six years, Election Systems & Software manufactured and sold electronic voting machines loaded with pcAnywhere software. Where are we, Moscow?

Things could get hot for ES&S, seeing as they outright denied that machines were ever sold with remote-access software. That story changed in a letter the company sent to Sen. Ron Wyden in April. Oops! ES&S has defended the fact that the software was installed on a “small number of machines” as standard practice at the time. But considering that over 60% of the ballots cast were on ES&S machines, the entire fiasco calls into question the legitimacy of the elections between 2000 and 2006.