Verizon 'Visible' Wireless Accounts Hacked, Exploited To Buy New iPhones

from the whoops-a-daisy dept

Wireless subscribers of Verizon's Visible prepaid service received a rude awakening after hackers compromised their account, then ordered expensive new iPhones on their dime. Last week a company statement indicated that "threat actors were able to access username/passwords from outside sources," then utilize that access to login to Visible customer accounts. Hacked users say the attackers then utilized that access to order expensive kit, and, initially, getting Visible to do anything about it was a challenge:

The company seemed to initially claim this was an instance of "credential stuffing," or hackers obtaining login information obtained from other hacks or breaches of other services, then testing those logins in as many services as they can find. But experts doubted that claim, noting that the company had been complaining about issues with its chat services before acknowledging the hack. More specifically, Visible support reps were telling users that ambiguous "technical issues" had left it incapable of making any changes to customer accounts.

There are also questions about when the company knew about the hacks, with it initially trying to claim last week that the hack and subsequent iPhone orders were an ordinary system error:

Although Visible made a public statement yesterday, the company first acknowledged the issue on Twitter on October 8. At the time, Visible provided a vague reason: order confirmation emails erroneously sent out by the company.

"We're sorry for any confusion this may have caused! There was an error where this email was sent to members, please disregard it," the company told a customer.

Again, this is where just a basic, internet-era privacy law requiring greater transparency (and perhaps a little more accountability for industries and executives that not only keep failing to secure user data, but clearly aren't great about being honest with their users) would come in kind of handy. Instead we keep just looking at the problem and shrugging because purportedly drafting competent privacy laws with any competency is deemed impossible, letting the repercussions pile up.

Filed Under: breach, data breach, hack, prepaid service, visible
Companies: verizon

Company That Handles Billions Of Text Messages Quietly Admits It Was Hacked Years Ago

from the whoops-a-daisy dept

We've noted for a long time that the wireless industry is prone to being fairly lax on security and consumer privacy. One example is the recent rabbit hole of a scandal related to the industry's treatment of user location data, which carriers have long sold to a wide array of middlemen without much thought as to how this data could be (and routinely is) abused. Another example is the industry's refusal to address the longstanding flaws in Signaling System 7 (SS7, or Common Channel Signaling System 7 in the US), a series of protocols hackers can exploit to track user location, dodge encryption, and even record private conversations.

Now this week, a wireless industry middleman that handles billions of texts every year has acknowledged its security isn't much to write home about either. A company by the name of Syniverse revealed that it was the target of a major attack in a September SEC filing, first noted by Motherboard. The filing reveals that an "individual or organization" gained unauthorized access to the company's databases "on several occasions." That in turn provided the intruder repeated access to the company's Electronic Data Transfer (EDT) environment compromising 235 of its corporate telecom clients.

The scope of the potentially revealed data is, well, massive:

"Syniverse repeatedly declined to answer specific questions from Motherboard about the scale of the breach and what specific data was affected, but according to a person who works at a telephone carrier, whoever hacked Syniverse could have had access to metadata such as length and cost, caller and receiver's numbers, the location of the parties in the call, as well as the content of SMS text messages."

Amazingly enough the hack began in 2016 but was only discovered this year. How much data was accessed? Why did it take so long? Was it a Chinese or Russian sponsored attack? Why was there absolutely no transparency about the breach until now? Why aren't Syniverse or any wireless carriers being clear about what happened? Have government officials been compromised? Have those officials been notified by anybody? Good questions!:

"The information flowing through Syniverse’s systems is espionage gold," Sen. Ron Wyden told Motherboard in an emailed statement. "That this breach went undiscovered for five years raises serious questions about Syniverse’s cybersecurity practices. The FCC needs to get to the bottom of what happened, determine whether Syniverse's cybersecurity practices were negligent, identify whether Syniverse's competitors have experienced similar breaches, and then set mandatory cybersecurity standards for this industry."

Between this and the SS7 flaw alone you have to inherently assume that most global wireless communications has been significantly compromised for a long while in some fashion. And like most hacks, the scale of this will only get worse as time goes by. Security and privacy at massive international scale isn't easy, but these kinds of repeated scandals don't have to happen. They're made immeasurably worse by our lack of even a basic internet-era privacy law, intentionally underfunded and understaffed U.S. privacy regulators, and our failure to hold companies accountable in any meaningful way for repeated and massive screw ups. Mostly because doing any of these things might put a dent in quarterly revenues.

Filed Under: data breach, hack, privacy, security, ss7, text messages
Companies: syniverse

T-Mobile Confirms Major Hack, Social Security Numbers And Drivers License Data Exposed

from the here-we-go-again dept

Earlier this week reports emerged that T-Mobile was investigating a massive hack of the company's internal systems, resulting in hackers gaining access to a massive trove of consumer information they were selling access to in underground forums. Initial estimates were that the personal details of 100 million customers had been accessed (aka all T-Mobile customers). After maintaining radio silence as it investigated the hack, T-Mobile has since released a statement detailing the scale of the intrusion. In short, it was smaller than initial claims, but still massive and terrible:

"Our preliminary analysis is that approximately 7.8 million current T-Mobile postpaid customer accounts’ information appears to be contained in the stolen files, as well as just over 40 million records of former or prospective customers who had previously applied for credit with T-Mobile. Importantly, no phone numbers, account numbers, PINs, passwords, or financial information were compromised in any of these files of customers or prospective customers."

While T-Mobile notes that none of the PINS used by former or prospective postpaid (billed regularly month to month) customers were accessed, T-Mobile does note that 850,000 active T-Mobile prepaid customers had their names, phone numbers and account PINs exposed. Many others had their social security numbers, drivers license/ID information, and other data exposed:

"Some of the data accessed did include customers’ first and last names, date of birth, SSN, and driver’s license/ID information for a subset of current and former postpay customers and prospective T-Mobile customers."

While it's understood why T-Mobile would collect some of this data during a credit check, it's not clear exactly why it needed to keep this data after the credit check is complete. This, again, is the kind of stuff you could tackle with a basic US privacy law with meaningful penalties for companies that keep getting hacked. For T-Mobile customers I think this is maybe the fifth or sixth time the company has been hacked since 2018. You have to think clear, basic, and consistently enforced federal guidelines and penalties would incentivize companies to not over-collect data and properly secure their systems.

Instead we stand around, shrug, complain that it's impossible or too hard to have competent governance on this subject, and nothing changes. And when consumers then get hacked (again), the best they get are platitudes like "free credit reporting," which prove utterly useless given they've received "free credit reporting" the last 75 times their data wasn't properly secured.

It's not clear how many of these kinds of repeated scandals we need to see before the federal government crafts some basic, competent guard rails, but it's abundantly clear that, thanks to a broad cross-industry coalition of lobbyists with near-unlimited budgets, it's not going to be anytime soon.

Filed Under: data breach, drivers licenses, hack, social security numbers
Companies: t-mobile

MAGA-Friendly Twitter Clone, GETTR, Coughs Up 90,000 User Email Addresses To Hackers

from the gettr-(un)done dept

GETTR, the Twitter clone created by former Trump advisor Jason Miller, seems to have rolled out just as smoothly as every other attempt to replace the social media service that's still inexplicably popular with people who claim to hate it for moderating their speech.

It's yet another "free speech" platform that claims it upholds the lofty ideals of allowing those banned from other, more functional sites to speak their minds… just as long as said mind speech does not include any of the following:

Without limitation, we may, but do not commit to, do so to address content that comes to our attention that we believe is offensive, obscene, lewd, lascivious, filthy, pornographic, violent, harassing, threatening, abusive, illegal, or otherwise objectionable or inappropriate, or to enforce the rights of third parties or these Terms or any applicable Additional Terms.

Just like Gab, Parler, and whatever the fuck the thing is that the MyPillow guy is doing, GETTR is finding out it has a host of moderation problems that can't easily be dealt with, especially when you've promised to not "censor" your users' speech.

On top of that, GETTR -- like the other platforms listed above -- seems to have been cobbled together somewhat incompetently and rolled out hastily, opening itself up to an unhealthy blend of toxic content, trolling (both expert and inexpert), and security stress testing from those interested in this new collection of user data.

GETTR, whose surprising surge of early users appears to be mostly a mirage created by the importation and deployment of Twitter data, is no exception to the Far Right Twitter Clone™ rule. Toxic content abounds, as do multiple trolling efforts that only add to the mess. And it appears that while GETTR claims it wants to protect speech, it doesn't care nearly as much about protecting speakers.

Hackers were able to scrape the email addresses and other data of more than 90,000 GETTR users.

On Tuesday, a user of a notorious hacking forum posted a database that they claimed was a scrape of all users of GETTR, the new social media platform launched last week by Trump’s former spokesman Jason Miller, who pitched it as an alternative to "cancel culture." The data seen by Motherboard includes email addresses, usernames, status, and location.

New platforms are often a bit leaky, usually thanks to the inexperience of those creating them. This is all part of the learning curve. But GETTR had some advance notice its uncensored ecosystem had some security problems, given that it was successfully breached on opening day.

On July 4, the day of the site' official launch, a hacker broke into and defaced some of the site's most prominent users, including its founder Jason Miller, former CIA director Mike Pompeo, former Trump advisor Steve Bannon, and pro-Trump congresswoman Marjorie Taylor Greene, as first reported by Insider.

Less than three days later, the platform was coaxed into coughing up user data. Not exactly a sign things are improving. The site's CEO says otherwise, claiming this scraping was related to the first breach, which allowed a hacker to deface several prominent accounts. Jason Miller claims the security hole has been closed and that GETTR "takes cybersecurity seriously."

Maybe so, but we'll see what happens. Alt-right Twitter also-rans Gab and Parler both gave up plenty of user data -- some of it proving instrumental in federal prosecutions -- and those sites had plenty of time to harden themselves against attackers. A quick patch of a service that seems to rely heavily on someone else's API to give the appearance the platform is heavily used is still a very tempting target, both for malicious hackers and those whose efforts are just another form of trolling. When your social media alternative is more performative than functional, little things like securing user data tend to be afterthoughts.

Filed Under: emails, hack, jason miller, scraping, security
Companies: gettr

Journalism Forces Wireless Industry To Belatedly Fix Text Message Flaw That Let Hackers Access Your Data For $16

from the don't-try-too-hard dept

It's not sure why journalists keep having to do the wireless industry's job, yet here we are.

Sometime around mid-march, Motherboard reporter Joseph Cox wrote a story explaining how he managed to pay a hacker $16 to gain access to most of his online accounts. How? The hacker exploited a flaw in the way text messages are routed around the internet, paying a third party (with pretty clearly flimsy standards for determining trust) to reroute all of his text messages, including SMS two factor authentication. From there, it was relatively trivial to break into several of the journalist's accounts, including Bumble, Whatsapp, and Postmates.

It's a flaw the industry has apparently known about for some time, but they only decided to take action after the story made the rounds. This week, all major wireless carriers indicated they'd be taking significant steps to the way text messages are routed to take aim at the flaw:

"The Number Registry has announced that wireless carriers will no longer be supporting SMS or MMS text enabling on their respective wireless numbers," the March 25 announcement from Aerialink, reads. The announcement adds that the change is "industry-wide" and "affects all SMS providers in the mobile ecosystem."

"Be aware that Verizon, T-Mobile and AT&T have reclaimed overwritten text-enabled wireless numbers industry-wide. As a result, any Verizon, T-Mobile or AT&T wireless numbers which had been text-enabled as BYON no longer route messaging traffic through the Aerialink Gateway," the announcement adds, referring to Bring Your Own Number."

It's a welcome move, but it's also part of a trend where journalists making a pittance somehow routinely have to prompt an industry that makes billions of dollars a year to properly secure their networks. It's not much different from the steady parade of SIM swapping attacks that plagued the industry for years, only resulting in substantive action by the sector after reporters began documenting how common it was (and big name cryptocurrency investors had millions of dollars stolen). It was another example of how two factor authentication over text messages isn't genuinely secure.

Or the SS7 flaw, which the industry has known about for years but didn't take seriously until journalists began documenting how the flaw lets all manner of malicious private and government actors spy on wireless users without them knowing. US consumers pay some of the highest prices in the developed world for mobile data. At that price point, it doesn't matter how clever these attacks are. Telecom giants should be getting out ahead of security flaws before they become widespread problems, not belatedly acting only after news outlets showcase their apathy and incompetence.

Filed Under: data, hack, privacy, sms, two factor authentication

Internet-Connected Chastity Cages Hit By Bitcoin Ransom Hack

from the the-future-is-not-what-we-were-promised dept

If you hadn't noticed yet, the internet of things is a security and privacy shit show. Millions of poorly secured internet-connected devices are now being sold annually, introducing massive new attack vectors and vulnerabilities into home and business networks nationwide. Thanks to IOT companies and evangelists that prioritize gee-whizzery and profits over privacy and security, your refrigerator can now leak your gmail credentials, your kids' Barbie doll can now be used as a surveillance tool, and your "smart" tea kettle can now open your wireless network to attack.

So of course this kind of security and privacy apathy has extended to more creative uses of internet-connected devices. Case in point: last October, security researchers found that the makers of an IOT chastity cage -- a device used to prevent men from being able to have sex -- (this Amazon link has the details) had left an API exposed, giving hackers the ability to take remote control of the devices. And guess what: that's exactly what wound up happening. One victim and device user say he was contacted by a hacker who stated he wouldn't be able to free his genitals from the device unless he ponied up a bitcoin ransom.

Luckily his genitals weren't in the device at the time, though it's not clear other users were as lucky:

"A victim who asked to be identified only as Robert said that he received a message from a hacker demanding a payment of 0.02 Bitcoin (around $750 today) to unlock the device. He realized his cage was definitely "locked," and he "could not gain access to it." "Fortunately I didn’t have this locked on myself while this happened," Robert said in an online chat."

Given the often nonexistent security on internet of things devices, such problems aren't particularly uncommon in devices like not-so-smart thermostats. It's also a major problem in many hospitals where big medical conglomerates haven't been willing to pony up the money necessary to keep lifesaving technology private and secure. That said, "I had to pay some kid in the Ukraine $750 so I could access my own genitals" is a new wrinkle many hadn't seen coming.

It's just yet another reminder that you shouldn't connect everything to the internet just because you can. And you shouldn't endeavor to engage in such innovation unless you're willing to spend the money and take the time to ensure you're adhering to basic security and privacy standards. Whether a heart monitor or a sex toy, most companies still aren't after ten years of headlines like this. And despite some promising headway being made in policy, our response to the security dumpster fire that is the IOT remains a pretty hot, discordant mess.

Filed Under: bitcoin, chastity cage, hack, iot, ransomware, security

DOJ, US Court System Latest To Announce They're Victims Of The Massive Solarwinds Hack

from the COVID-but-for-networked-systems dept

The hits just keep on coming for US federal agencies affected by the massive Solarwinds hack. State-sponsored hackers -- presumably Russian -- leveraged Solarwinds' massive customer base and compromised update server to infect systems around the world. Here in the United States, a possible 18,000 Solarwinds customers are affected… as are their users and customers, which brings the possible number of infected back up into the millions.

The DHS's cyber wing, CISA, issued a warning about the hack, noting that the only solution was to air gap affected systems and delete the compromised Orion software. Hours later, the entity warning other federal agencies about the hack announced it too had been hacked, making the whole thing a bit Monty Python-esque.

The list of federal agencies affected by this advanced persistent threat continues to grow. The Department of Commerce was one of the first to discover a breach. This was followed by announcements of suspected breaches at the US Postal Service and the Department of Agriculture. The Defense Department has also noted it's affected, although it has yet to deliver any specifics about the multitude of agencies it oversees.

The DHS, Department of Energy, and the National Nuclear Security Administration have also been breached. The latest news adds a couple more federal agencies/operations to the list.

The DOJ says it's been breached, but appears to believe the damage is minimal. That doesn't seem to jibe with the details of the statement, which says an email system used by damn near everyone was the target.

On Dec. 24, 2020, the Department of Justice’s Office of the Chief Information Officer (OCIO) learned of previously unknown malicious activity linked to the global SolarWinds incident that has affected multiple federal agencies and technology contractors, among others. This activity involved access to the Department’s Microsoft O365 email environment.

After learning of the malicious activity, the OCIO eliminated the identified method by which the actor was accessing the O365 email environment. At this point, the number of potentially accessed O365 mailboxes appears limited to around 3-percent and we have no indication that any classified systems were impacted.

There's a lot of sensitive information floating around the DOJ, given the large number of federal investigations and prosecutions it oversees. The breach could be even more severe than this indicates, given this breach announcement, which affects an adjacent branch of the government.

The AO [Administrative Office of the US Courts] is working with the Department of Homeland Security on a security audit relating to vulnerabilities in the Judiciary’s Case Management/Electronic Case Files system (CM/ECF) that greatly risk compromising highly sensitive non-public documents stored on CM/ECF, particularly sealed filings. An apparent compromise of the confidentiality of the CM/ECF system due to these discovered vulnerabilities currently is under investigation. Due to the nature of the attacks, the review of this matter and its impact is ongoing.

Hackers may have obtained access to sealed dockets and documents, including warrants, affidavits, and other investigative/prosecutorial filings that haven't been made public. Not only would this include investigative techniques, information on informants, and other sensitive information tied to ongoing investigations and prosecutions, it also affects a multitude of private individuals and companies who have been allowed to litigate under seal to protect personal/confidential info that could cause serious damage to litigants if made public.

Sure, there's a presumption of openness in the court system, but there's still a lot of stuff filed under seal, at least temporarily. Publication of sealed documents could conceivably cause damage to people, places, and things… even if the government tends to overstate the damage when asking judges for secrecy.

For the time being, the US Courts system will require all sensitive filings to be done in paper form or via "secure electronic devices." These will be stored in a standalone system that's completely walled off from the CM/ECF system that's accessible via PACER. This new process won't affect every sealed document, though -- just the ones the courts consider to be "highly-sensitive."

[M]ost documents similar to and including presentence reports, pretrial release reports, pleadings related to cooperation in most criminal cases, Social Security records, administrative immigration records, and sealed filings in many civil cases likely would not be sufficiently sensitive to require HSD [highly sensitive court documents] treatment and could continue to be sealed in CM/ECF as necessary.

Given the interconnectedness of the internet of government things, a breach in one location can easily result in cross-pollination. Just because an agency hasn't discovered a breach yet doesn't mean a malicious hacker hasn't established a foothold in the system. The end of this long international nightmare is still well over the horizon. The popularity of Solarwinds' products made it too tempting of a target to pass up.

Filed Under: breach, doj, hack, us courts
Companies: solarwinds

DOJ And Florida Officials Announce Arrests Relating To Twitter Hack

from the that-didn't-take-long dept

This seemed fairly inevitable, after it became quite clear that the Twitter hack from a few weeks ago was done by teen hackers who didn't seem to do much to cover their tracks, but officials in Florida announced the arrest of a Florida teenager for participating in the hack, followed by the DOJ announcing two others as well -- a 19 year old in the UK and a 22 year old in Florida.

As for why the first announced was separate and done by Florida officials, it appears that it involved a 17-year-old, and apparently it was easier to charge him as an adult under state laws, rather than under federal law, as with the other two.

Hillsborough State Attorney Andrew Warren filed 30 felony charges against the teen this week for “scamming people across America” in connection with the Twitter hack that happened on July 15. The charges he’s facing include one count of organized fraud, 17 counts of communications fraud, one count of fraudulent use of personal information with over $100,000 or 30 or more victims, 10 counts of fraudulent use of personal information and one count of access to computer or electronic device without authority.

Hillsborough County Jail records show Clark was booked into jail shortly after 6:30 a.m. Friday.

Warren’s office says the scheme to defraud “stole the identities of prominent people” and “posted messages in their names directing victims to send Bitcoin” to accounts that were associated with the Tampa teen. According to the state attorney, the scheme reaped more than $100,000 in Bitcoin in just one day.

Once again, it's looking like we got incredibly lucky -- that it was just some young hackers mostly messing around, rather than anyone with serious ill-intent and the ability to plan something bigger. It now appears that Twitter's internal security controls were kind of a mess. Over 1,000 employees had access to the control panel that would allow people to make the changes that enabled the hack -- and even that some staffers and contractors somehow made it a game to abuse their powers to spy on users.

Once again, it seems that Twitter needs to fix up a lot of things on the security side, including figuring out how to do end-to-end encryption for direct messages.

Filed Under: doj, fbi, florida, hack, twitter hack

DOJ Indicts Cyprus National Who Apparently Hacked Ripoff Report And Deleted Negative Reviews

from the managing-everyone's-reputation-but-your-own dept

We've covered incidents involving Ripoff Report for several years here at Techdirt. In most of the cases that we've covered, Ripoff Report has been the target of bogus DMCA takedowns and libel lawsuits from entities who would do pretty much anything to see negative reviews disappear.

Ripoff Report has plenty of critics. The company refuses to take any review down, even if the reviewer is the one asking for it to be removed. People have accused Ripoff Report of engaging in extortionate behavior by encouraging third parties to flood complaining companies (and individuals) with negative reviews. And the site's hardline stance of review removal (it simply never happens) hasn't earned it much sympathy in other countries where Section 230 immunity and other free speech-friendly laws aren't in effect.

But the latest news involving Ripoff Report is some of the weirdest. And it comes from an unusual source: the Department of Justice. A Cyprus national with links to a California reputation management company has been extradited to the US to face criminal charges related to the malicious hacking of Ripoff Report.

The indictment alleges that on Oct. 30, 2016, [Joshua] Epifaniou obtained unauthorized access to the database of Ripoff Report (ROR), a company located in Phoenix, Arizona, through a brute force attack. A brute force attack is a trial-and-error method used to obtain information, such as a user password or personal identification number. Epifaniou allegedly used the attack to successfully override ROR’s login and password protection to access its database through an existing account for a ROR employee. On Nov. 18, 2016, Epifaniou emailed ROR’s CEO using an email address, threatening to publicly disseminate stolen ROR data unless the company paid him $90,000 within 48 hours. According to the indictment, Epifaniou emailed again the following day with a hyperlink to a video recording demonstrating Epifaniou’s unauthorized access to the ROR CEO’s account.  

This would be on top of Epifaniou's other alleged extortion schemes. He also illicitly harvested personal information from a number of other sites, including those belonging to an online game publisher, an employment service, and a sports news site run by Turner Broadcasting. Epifaniou and his conspirators emailed users of these sites, threatening them with exposing sensitive data unless a ransom was paid.

Trying to extort Ripoff Report's site owner wasn't the only thing Epifaniou did. He also leveraged his illicit access to the review site to benefit California-based SEO Company's customers, ensuring a healthy payout for himself in the process. From the indictment [PDF]:

On or about November 8, 2016, SEO Company negotiated a "reputation management service agreement," charging the client an initial $4000 for removal of a complaint from ROR.

On or about November 9, 2016, EPIFANIOU and his co-conspirator via an instant messaging service discussed their plan to remove data from the ROR website for a fee but pretend to SEO Company's clients that it was accomplished through court orders rather than computer hacking.

[...]

On or about February 13, 2017, SEO Company negotiated a "reputation management service agreement" with another client, charging an initial $4,000 for removal of a complaint from ROR.

On or about February 14, 2017, EPIFANIOU and his co-conspirator via an instant messaging service discussed the status and profits of their ROR hack, and their intent to hack-additional customer complaint and review websites (including through website vulnerabilities and stolen employee login credentials).

On or about March 3, 2017, SEO Company negotiated a "reputation management service agreement" with another client, charging an initial $4,150 for removal of two complaints from ROR.

On or about March 31, 2017, SEO Company negotiated a "reputation management service agreement" with another client, charging $11,000 for removal of two complaints from ROR.

On or about April 27, 2017, EPIFANIOU and his co-conspirator via an instant messaging service discussed another method for unauthorized access to ROR's database, "in case the original exploit gets patched so we can drag this out for another at least 6-7 months."

Between October 2016 and May 2017, EPIFANIOU and his co-conspirator removed at least 100 complaints from the ROR database, charging SEO Company's clients approximately $3,000 to $5,000 for removal of each Complaint.

And that's how you remove a negative review from Ripoff Report. All you need is a willing conspirator, admin-level access to the site itself, and the willingness to put your freedom on the line to help companies patch up their reputations. It's not a great plan, but it worked right up until it didn't. And that six-month run was enough to delete 100 negative reviews and generate at least $300,000 in payments from SEO Company customers who are now linked to illicit hacking and ransom demands. Fun stuff.

Filed Under: breach, doj, extradition, hack, joshua epifaniou, reputation management, seo
Companies: ripoff report

Tradeoffs: Facebook Helping The FBI Hack Tails To Track Down A Truly Awful Child Predator Raises Many Questions

from the icky-in-many-ways dept

Last week, Lorenzo Franceschi-Bicchierai at Vice had a bombshell of a story about Facebook helping the FBI track down a horrible, horrible person by paying a cybersecurity firm to build a zero-day attack on Tails, the secure operating system setup that is recommended by many, including Ed Snowden, for people who want to keep secrets away from the prying eyes of the government.

The story should make you uncomfortable on multiple levels -- starting with the fact that the person at the center of the story, Buster Hernandez, is way up there on the list of truly terrible people, and there's simply no reason to feel bad that this person is now locked up:

The crimes Buster Hernandez committed were heinous. The FBI's indictment is a nauseating read. He messaged underage girls on Facebook and said something like “Hi, I have to ask you something. Kinda important. How many guys have you sent dirty pics to cause I have some of you?,” according to court records.

When a victim responded, he would then demand that she send sexually explicit videos and photos of herself, otherwise he would send the nude photos he already had to her friends and family (in reality, he didn’t have any nude photos). Then, and in some cases over the course of months or years, he would continue to terrorize his victims by threatening to make the photos and videos public. He would send victims long and graphic rape threats. He sent specific threats to attack and kill victims’ families, as well as shoot up or bomb their schools if they didn’t continue to send sexually explicit images and videos. In some cases, he told victims that if they killed themselves, he would post their nude photos on memorial pages for them.

And it gets worse from there. It's good that the FBI tracked him down.

But, from there, you suddenly start to run into a bunch of other uncomfortable questions regarding Facebook's involvement here. And each of those questions helps demonstrate the many tradeoffs that a company like Facebook (or lots of other internet companies) face in dealing with awful people online. And to be clear there is no "good" answer here. Every approach has some good elements (getting a horrible person away from continuing to terrorize young girls) and some not so great elements (helping the FBI hack Tails, which is used by journalists, whistleblowers, and dissidents around the globe).

The article notes that there was a vigorous debate within Facebook about this decision, but the folks in charge decided that tracking this person down outweighed the concerns on the other side:

“The only acceptable outcome to us was Buster Hernandez facing accountability for his abuse of young girls,” a Facebook spokesperson said. “This was a unique case, because he was using such sophisticated methods to hide his identity, that we took the extraordinary steps of working with security experts to help the FBI bring him to justice.”

Former employees at Facebook who are familiar with the situation told Motherboard that Hernandez's actions were so extreme that the company believed it had been backed into a corner and had to act.

“In this case, there was absolutely no risk to users other than this one person for which there was much more than probable cause. We never would have made a change that affected anybody else, like an encryption backdoor,” said a former Facebook employee with knowledge of the case. “Since there were no other privacy risks, and the human impact was so large, I don’t feel like we had another choice.”

That does sound like a balancing of the risk/rewards here, but the idea that handing over a backdoor to the FBI puts no one else's privacy at risk may raise some eyebrows. The description of the zero day certainly sounds like it could be used against others:

Facebook hired a cybersecurity consulting firm to develop a hacking tool, which cost six figures. Our sources described the tool as a zero-day exploit, which refers to a vulnerability in software that is unknown to the software developers. The firm worked with a Facebook engineer and wrote a program that would attach an exploit taking advantage of a flaw in Tails’ video player to reveal the real IP address of the person viewing the video. Finally, Facebook gave it to an intermediary who handed the tool to the feds, according to three current and former employees who have knowledge of the events.

And while the Facebook spokesperson tried to play down the idea that this was setting an expectation, it's not really clear that's true:

Facebook told Motherboard that it does not specialize in developing hacking exploits and did not want to set the expectation with law enforcement that this is something it would do regularly. Facebook says that it identified the approach that would be used but did not develop the specific exploit, and only pursued the hacking option after exhausting all other options.

But this may be hard to swallow, given that this is the very same FBI that has been pushing tech companies to develop backdoors to encryption for years, and in the famous San Bernardino case, tried to use the All Writs Act to force Apple to create a type of backdoor on iOS to break into a phone.

And obviously, cooperating one time doesn't mean you need to cooperate every time, but it will at least raise questions. Especially at a time when Facebook is supposedly moving all of its messaging systems to fully encrypted. Can the setup there be fully trusted after this story?

As Bruce Schneier rightfully points out, it's fine for the FBI to figure out how to use lawful hacking to track down Hernandez. That is it's job. It's much less clear, though, that Facebook should be handing that info over to the FBI which could then use it elsewhere as well. It certainly does not appear that the FBI or Facebook revealed to the developers of Tails that their system had this vulnerability. Indeed, Tails only found out about it from the Vice story:

A spokesperson for Tails said in an email that the project’s developers “didn't know about the story of Hernandez until now and we are not aware of which vulnerability was used to deanonymize him.” The spokesperson called this "new and possibly sensitive information," and said that the exploit was never explained to the Tails development team.

So... that's a problem. The FBI, under the Vulnerabilities Equities Program, is supposed to reveal these kinds of vulnerabilities -- though it frequently does not (or hangs on to them for a long time before sharing). At the very least, this confirms lots of people's suspicions that the Trump administration's updating of the VEP process was little more than window dressing.

Senator Ron Wyden -- who is often the only one in Congress paying attention to these things -- also seemed quite concerned about how this all went down:

“Did the FBI re-use it in other cases? Did it share the vulnerability with other agencies? Did it submit the zero-day for review by the inter-agency Vulnerabilities Equity Process?” Wyden said in a statement, referring to the government process that is supposed to establish whether a zero-day vulnerability should be disclosed to the developers of the software where the vulnerability is found. “It’s clear there needs to be much more sunlight on how the government uses hacking tools, and whether the rules in place provide adequate guardrails.”

And thus, we're all left in an uncomfortable place. It's good that the FBI was able to trackdown and find Hernandez, and stop him from preying on any more victims. But, Facebook's direct involvement raises tons of uncomfortable questions, as does the FBI's decision to keep this vulnerability a secret (at the very least, it seems like Facebook maybe should have tipped off the Tails folks as well, once the FBI nabbed Hernandez). In an ideal world, the FBI would have figured out how to track down Hernandez without Facebook paying a firm to build the zero-day attack -- and then the FBI would have notified Tails' developers of the vulnerability. But, of course, that's not what happened.

Filed Under: buster hernandez, fbi, hack, tails, tracking, vep, vulnerabilities, zero day
Companies: facebook