Airlines Don’t Encrypt Your Passenger Data for E-Tickets - ThreatWire

Apple fixes its FaceTime bug and finds more issues in the process, airlines are found not to be encrypting your passenger data, and detailed, accurate GPS data was being sold off! All that coming up now on ThreatWire. #threatwire #hak5

-----☆-----☆-----☆-----☆-----☆-----☆-----☆-----☆-----☆-----☆

Our Site → https://www.hak5.org

Shop → https://www.hakshop.com

Subscribe → https://www.youtube.com/user/Hak5Darren?sub_confirmation=1

Support → https://www.patreon.com/threatwire

Contact Us → http://www.twitter.com/hak5

Threat Wire RSS → https://shannonmorse.podbean.com/feed/

Threat Wire iTunes → https://itunes.apple.com/us/podcast/threat-wire/id1197048999

Host: Shannon Morse → https://www.twitter.com/snubs

Host: Darren Kitchen → https://www.twitter.com/hak5darren

Host: Mubix → http://www.twitter.com/mubix

-----☆-----☆-----☆-----☆-----☆-----☆-----☆-----☆-----☆-----☆

Links:

Apple Facetime Update:

https://arstechnica.com/information-technology/2019/02/apple-pushes-fix-for-facepalm-possibly-its-creepiest-vulnerability-ever/

https://support.apple.com/en-us/HT209520

https://support.apple.com/en-us/HT209521

https://www.zdnet.com/article/ios-12-1-4-fixes-iphone-facetime-spying-bug/

https://www.businessinsider.com/apple-security-audit-on-group-facetime-bug-discovers-second-flaw-2019-2

https://twitter.com/benhawkes/status/1093581737924259840

https://techcrunch.com/2019/02/06/iphone-session-replay-screenshots/

https://techcrunch.com/2019/02/07/apple-glassbox-apps/

Airline Systems:

https://www.wandera.com/mobile-security/airline-check-in-risk/

https://threatpost.com/flaw-in-multiple-airline-systems-exposes-passenger-data/141596/

https://www.cyberscoop.com/airlines-ticketing-email-hackers-wandera-southwest/

Cell Carriers:

https://motherboard.vice.com/en_us/article/j575dg/what-a-gps-data-is-and-why-wireless-carriers-most-definitely-shouldnt-be-selling-it

https://motherboard.vice.com/en_us/article/a3b3dg/big-telecom-sold-customer-gps-data-911-calls

https://motherboard.vice.com/en_us/article/43z3dn/hundreds-bounty-hunters-att-tmobile-sprint-customer-location-data-years

Photo credit:

https://upload.wikimedia.org/wikipedia/commons/d/d5/N731SW_Southwest.jpg

Best Gaming TVs, New 49 Inch Dell U4919DW Monitor, Pocketalk Translator vs. Google Translate!!! - TekThing 215

Best Gaming TVs! Google Translate Alternative??? Meet Pocketalk! New 49 Inch Dell U4919DW Monitor, VPN Blocks My Bank?

☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆

00:47 CamelCamelCamel’s $45,000 Drive Disaster

It was a rough week for CamelCamelCamel.com, the ever so awesome Amazon price tracking service. In the words o' TekThing viewer Don, “Well here's a good reason to back up that data: $29k for data recovery.” More deets (like what happened) in the show, and we hope they’re back online this week! Go back up your data!

https://camelcamelcamel.com/

03:37 Dell UltraSharp 49 Inch Curved Monitor: U4919DW

Patrick’s run a 35” Dell ultrawide monitor on his desk for years. Has he finally found a monitor that’s too wide??? What makes this a better monitor for office apps and Creative Suite than other massive panels? Watch the review to find out!

https://www.dell.com/en-us/shop/dell-ultrasharp-49-curved-monitor-u4919dw/apd/210-arnw/monitors-monitor-accessories

10:33 Pocketalk Translator

A verbal language translator, the size of a bar of soap, that works with 74 languages over WiFi or mobile data on its own SIM card? Meet Pocketalk. Can you really have a conversation with it? Is it better than Google Translate? Watch the video to find out! https://www.pocketalk.net/

24:15 Will My Bank Work Over A VPN???

James emailed from Dallas, Texas, “If I run everything through a VPN will I still be able to log into my bank, email etc. or will they automatically think I am unauthorized?” That’s an absolute maybe! Find out more in the video.

28:02 Gaming TV Recommendation

Thomas emailed ask@tekthing.com, “I am planning on downsizing my life and moving into a tiny home or an RV for full-time living. I am a big gamer, but because of the size limitations of an RV or a tiny home I don't want a TV and then a monitor as well. I know that you can get TV tuners for your computer, but monitors are way more expensive than a TV. I want to get a 50+ inch TV, would love 60Hz+, and would need enough inputs for my computer, Roku, PS4, PS3 at the very least, so 4, but 6 HDMI inputs would be nice.” Our picks are in the video, and check out the excellent “The 7 Best 4k Gaming TVs - Winter 2019” at RTINGS.com!

https://www.rtings.com/tv/reviews/best/by-usage/video-gaming

Thanks Hak5!!!

A big Thank You to Hak5 for the studio space! Check out the security and privacy podcasts at hak5.org, the pentesting gear in the shop, and don’t forget: Cloud C2: makes remote pentesting easy!

https://shop.hak5.org/

https://C2.Hak5.org

31:46 Do Something Analog!

Like Terry, who preserved a fragile stained-glass church window, adding LED backlighting to make it glow. Nicely done!

☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆

Thank You Patrons! Without your support via patreon.com/tekthing, we wouldn't be able to make the show for you every week!

https://www.patreon.com/tekthing

EMAIL US! ➳ ask@tekthing.com

SUPPORT:

Amazon Associates ➳ https://amzn.to/2pHgf8T

Subscribe ➳ https://www.youtube.com/tekthing

Website ➳ http://www.tekthing.com

RSS ➳ http://feeds.feedburner.com/tekthing

Patreon ➳ https://www.patreon.com/tekthing

Help us with translations! ➳ http://www.youtube.com/timedtext_cs_panel?c=UC6sWaC11f4mxnizvOroOvkQ&tab=2

THANKS!

HakShop ➳ https://hakshop.myshopify.com/

Dale Chase Music ➳ http://www.dalechase.com/

SOCIAL IT UP!

Twitter ➳ https://twitter.com/tekthing

Facebook ➳ https://www.facebook.com/TekThing

Reddit ➳ https://www.reddit.com/r/tekthingers

HOSTS:

Shannon Morse ➳ https://www.twitter.com/snubs / https://www.youtube.com/shannonmorse

Patrick Norton ➳ https://www.twitter.com/patricknorton

☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆

5G Network Security Flaw Discovered! FaceTime Disabled - ThreatWire

5G Security Flaw

A flaw was recently discovered in the new 5G protocol that could allow a third party to use IMSI-catcher-like devices to snoop on data carried over this new protocol. Four researchers at SINTEF Digital (Norway), ETH Zurich (Switzerland), and Technische Universität Berlin (Germany) discovered the vulnerability, which affects not only 5G but the 3G and 4G protocols as well. It affects the Authentication and Key Agreement protocol (AKA for short), the procedure between your phone and a cellular network that lets them communicate securely. AKA is supposed to negotiate and establish the keys between the phone and the carrier that encrypt the link. 5G-AKA is supposed to thwart IMSI catchers, but the vulnerability opens up a potential entry point for a newer generation of such devices to spy.

Data about a user's activity, such as the number of texts or calls sent and received, could be used by an attacker to profile a victim. And if you take your phone out of range of a newer IMSI catcher? Well, the moment you come back within its vicinity, it can pick up where it stopped and continue tracking. This could be used to track political figures or officials in targeted attacks, not only to count their calls, but also to track their physical location as they move between fake base stations.

The researchers responsibly disclosed their findings to 3GPP (the 3rd Generation Partnership Project) and GSMA, and the parties are taking steps to remedy the situation before the end of 2019.

FaceTime Vulnerability

Last week, 9to5Mac surfaced a major bug, detailing how iPhone users could use FaceTime group chats to snoop on the audio from other phones without their owners' knowledge. All someone would have to do is call another user using FaceTime, and they would immediately hear the audio from the receiver's phone before the receiver accepted or rejected the call. The ringer rings as normal, so the receiver would know someone was calling, but they wouldn’t be able to tell that the caller could hear their audio before they actually picked up.

Many iPhone users took to social media expressing their concerns at the ease of this vulnerability. Put simply: you’d first have to start a FaceTime video call to an iPhone contact, then, while it’s dialing, swipe up from the bottom and tap Add Person. Adding your own phone number on the Add Person screen would start a group FaceTime call with yourself and the contact, with the contact's audio coming through.

To make matters worse, this flaw could also be used to snoop on the video feed of the user. For that to happen, all the receiving user would have to do is press the power button while on the lock screen, which would also send their video to the caller. According to BuzzFeedNews, pressing volume down did the same. While the underlying cause wasn’t specified, security researchers suspect a logic error in the group FaceTime code could be the problem.

After this news broke, it was discovered that a 14-year-old boy had found this flaw over a week prior to the news article, while playing Fortnite with his friends. The boy stumbled upon the bug on January 19, while trying to initiate a group FaceTime call. His mother reported this problem to Apple through a series of posts and emails, but to no avail. It appears Apple knew, or should have known, about the problem for a week before actually getting around to fixing it. While they did respond to one of her reports on January 23, it was not clear to the mother that they were fixing it.

Apple disabled the group FaceTime feature on January 29, and it has since been listed as temporarily unavailable on their system status page. Before Apple disabled the feature altogether, the best option was simply to disable FaceTime in the iOS settings.

Apple is now experiencing legal concerns related to this bug. They have been sued by a Houston-based lawyer, who claims someone eavesdropped on a conversation. New York Attorney General Letitia James has also initiated a formal investigation into the bug.

A software patch will be made available to users this week in iOS 12.1.4. To update, go to the Settings app, then General, then Software Update.

Facebook Loves Your Data

Facebook isn’t out of the security headlines yet… no surprise. Facebook uses an Apple program called the Developer Enterprise Program to create and manage apps that aren’t found in the Apple App Store but are still available for download. Companies usually use this program to create internal apps for their own employees. Facebook used the Developer Enterprise Program to create and distribute an application to the masses that allowed it to obtain user data while paying each user $20 a month. Since Apple has pretty strict privacy rules for its App Store, this was a loophole Facebook was able to take advantage of to track users' data. The “Facebook Research” app used a root certificate to collect data on users. This could be browsing history, time spent on apps or sites, purchases made, private messages, location data, and network data, just to name a few. Since Facebook Research also routed traffic through Facebook's own VPN, it also gave Facebook the ability to view anything that would normally be kept private by a VPN service.

Since this was in violation of Apple’s guidelines, Apple revoked Facebook’s enterprise certificates, which also broke some of Facebook’s internal team apps. Beta versions of apps like Instagram, Messenger, and the Facebook app also stopped working, since those were all part of the enterprise program. After some time, Apple restored Facebook’s access to the Enterprise Program. Your copies of the social media apps, if downloaded from the App Store, are not affected.

Similar news followed from Google. Google’s Screenwise Meter app was also distributed through the same program, which allowed Google to analyze and monitor user data. Google removed its application from download and made a statement regarding the iOS app saying that it was a mistake.

-----☆-----☆-----☆-----☆-----☆-----☆-----☆-----☆-----☆-----☆

Links:

https://www.zdnet.com/article/new-security-flaw-impacts-5g-4g-and-3g-telephony-protocols/

https://eprint.iacr.org/2018/1175.pdf

https://www.cnet.com/news/security-flaw-allows-for-spying-over-5g-researchers-find/

https://9to5mac.com/2019/01/28/facetime-bug-hear-audio/

https://www.buzzfeednews.com/article/nicolenguyen/facetime-bug-iphone

https://www.cnet.com/news/apples-facetime-bug-was-discovered-by-a-teen-playing-fortnite/

https://twitter.com/MGT7500/status/1087171594756083713

https://twitter.com/MGT7500/status/1090079031666438144

https://twitter.com/BEASTMODE/status/1090298850764644352

https://www.cyberscoop.com/facetime-bug-group-chat-disabled-apple-ios-macos/

https://www.apple.com/support/systemstatus/

https://www.zdnet.com/article/iphone-facetime-bug-now-apple-sued-over-eavesdrop-on-lawyers-client-phone-call/

https://www.cnet.com/news/apple-facetime-bug-prompts-investigation-from-ny-attorney-general/

https://www.zdnet.com/article/ios-12-1-4-is-coming-to-fix-the-worst-iphone-and-ipad-bug-to-date/

https://www.cnet.com/news/facebook-shuts-down-ios-research-app-it-used-to-access-user-data/

https://www.cnet.com/news/apple-restores-facebooks-ability-to-run-internal-apps/

https://www.cnet.com/news/googles-data-gathering-app-may-have-also-violated-apples-policies/

https://threatpost.com/google-pulls-data-chugging-app-from-ios-devices/141358/

Photo credit:

https://pixabay.com/p-387026/?no_redirect

ICYMI: The Snubs Report is Going Strong!

I was in Kyoto for just a few days, so I made the most of it with these must-see tourism sites! Here are my top 6 places to see in Kyoto!

Twitter: http://www.twitter.com/snubs

Site: http://www.snubsie.com

YouTube: http://www.youtube.com/ShannonMorse

I've been hosting online video shows since 2008, and recently learned how to edit!

I've been working on The Snubs Report every week as an after-hours hobby platform. This show is giving me the ability to fine-tune my own vlogging and learn more editing skills. Since I've started The Snubs Report, I've gotten better at editing video and photos with Adobe Premiere, Lightroom, and Photoshop. I'm also learning a lot about analytics and what kind of videos you want to see.

So, what do you want to see me talk about on The Snubs Report? Anything in particular? Let me know via my social networks, or comment below!

Cheers!

Busy, Busy, Busy!

This past month has been extremely busy! Luckily, though, I'm loving each and every minute of it. I recently got the open position as the new producer of Before You Buy on TWiT.TV and I'm up in Petaluma part time managing that new role. This is an exciting opportunity to work with a new group of core tech enthusiasts and grow my own career as a journalist and entertainer. When I'm up at the TWiT headquarters, I'll be wrangling gadgets for the show, guest hosting when asked, reviewing products every week, and producing the show. It sounds like a lot, but it's very fun and manageable with my organization skills.

A few folks have asked me if I was leaving Hak5 when I started producing BYB, and I'm still hosting the show just like normal. Now, I'm hosting/producing Hak5, HakTip, Before You Buy, Bite Club Show, and (soon!) Threat Wire. So even though I'm starting new endeavors, I'm still sticking to my roots with Hak5 and learning as much as I can about the world of security. We have plenty to look forward to in the next year, and I'm actually excited to go to work during the week. :)

Hak5 1108 - Proxies - Part 1

http://revision3.com/hak5/all-about-proxies

This time on Hak5, we begin a special series on proxies. Caching, filtering, security or anonymity -- whatever your reasons may be, Darren and I are exploring the ins and outs of this great technology from the ground up. All that and more!