
Google sued by Arizona for tracking users’ locations in spite of settings

Arizona has filed suit against Google over tracking users’ locations even after they’ve turned tracking off, claiming that the advertising-fueled tech titan has a “complex web of settings and purported ‘consents’” that enable it to furtively milk us for sweet, sweet ad dollars.

On Wednesday, State Attorney General Mark Brnovich said in a release that opting out of location tracking is a fool’s errand, given how sneaky Google is at playing bloodhound:

While Google users are led to believe they can opt-out of location tracking, the company exploits other avenues to invade personal privacy. It’s nearly impossible to stop Google from tracking your movements without your knowledge or consent.

The AG said that Google’s location tracking is unfair, deceptive, and also against the law: in this case, the Arizona Consumer Fraud Act.

The AG’s Office kicked off its consumer fraud investigation in August 2018, after the Associated Press ran an article titled “Google tracks your movements, like it or not”. The article was based on AP’s own findings, confirmed by computer-science researchers at Princeton University, that Google’s ability to track users’ location histories went far deeper than many of us realized.

This is how location tracking is supposed to work: Android users can turn it off with a slider button in the Location section under Settings.

Once Location History is turned off, Google is supposed to stop storing a timeline and a precise record of a user’s movements when they take their Android device (or iPhone running Google services and apps) with them.

Checking this in Maps can be done by visiting Google’s Account Settings > My Account Activity > Other Account Activity > click ‘Visit Timeline’ under Location History. This should show a history of a user’s movements while using their device.

To test it all, Princeton postdoctoral researcher Gunes Acar carried an Android phone with Location History off and then shared the data with AP.

His research showed that he was tracked:

  • On two train trips to New York;
  • On visits to The High Line park, Chelsea Market, Hell’s Kitchen, Central Park and Harlem; and
  • To his home address.

Acar found that turning off Location History doesn’t stop certain Google apps – maps, weather, searches, web and app activity, for example – from storing a timestamped location when you open them.

Arizona contends that Google has “lulled [users] into a false sense of security” by leading us to believe that we’ve actually had the ability to keep it from tracking our location history.

Google told users that ‘with Location History off, the places you go are no longer stored.’ But as the AP article revealed, this statement was blatantly false – even with Location History off, Google surreptitiously collects location information through other settings such as Web & App Activity and uses that information to sell ads.

The lawsuit describes how Google gets at users’ location data through numerous settings and products, and singles out two of the sneakiest: Location History and Web & App Activity.

Check out pp. 14-15 of the lawsuit for a table of settings that Arizona describes as …

… [a] complex web of settings and purported ‘consents’… that misleads users into handing over their location data to Google.

Google’s location-snarfing settings: excerpt of the “complex web of settings and purported ‘consents’” that Arizona says Google uses to mislead users into handing over their location data. IMAGE: Arizona v. Google complaint

Arizona’s suit notes that up until early to mid-2018, Google’s disclosures regarding Web & App Activity misled users into believing that the setting had nothing to do with tracking user location. The company didn’t let users know that it was collecting their location data through Web & App Activity, which was on by default.

In August 2018, following the AP’s report, Google “clarified” the fact that it was tracking people’s locations even after they disabled the Location History setting. Not that it changed the practice, mind you – rather, it just fixed a page that incorrectly said that turning off the setting would stop the tracking.

What the Help page originally said:

… with Location History off, the places you go are no longer stored.

The “clarified” version:

This setting does not affect other location services on your device [and] … some location data may be saved as part of your activity on other services, like Search and Maps.

Arizona AG Brnovich told The Washington Post that Google has made it near impossible to completely disable tracking by forcing users to dig into granular Android system settings.

When consumers try to opt out of Google’s collection of location data, the company is continuing to find misleading ways to obtain information and use it for profit.

Arizona wants the court to force Google to hand over the profits it earned in Arizona through ads that monetized the data, as well as potential fines of up to $10,000 per violation.

Google sent out a statement saying that it’s looking forward to “setting the record straight”:

The Attorney General and the contingency fee lawyers filing this lawsuit appear to have mischaracterized our services. We have always built privacy features into our products and provided robust controls for location data.


Inside a ransomware gang’s attack toolbox

If you’re a Naked Security Podcast listener, you’ll have heard Sophos’s own Peter Mackenzie telling some fairly wild ransomware stories.

Peter works in the Managed Threat Response (MTR) part of our business – in his own words, if your network’s on fire, he’s one of the people who will rush in to try to fix it.

As you can imagine, plenty of his deployments come in the aftermath of ransomware attacks.

A few years ago ransomware criminals typically used what’s called the “spray-and-pray” approach – or what might more appropriately be called “spray-and-prey”, given the entirely predatory nature of these attacks.

A ransomware gang might have emailed a malicious attachment to ten million people, relying on ten thousand of them opening it up and getting scrambled, and then banking (figuratively and literally) on three thousand or so of the victims being stuck with little alternative but to pay up $350 each, for a total criminal pay-check of $1,000,000.

Make no mistake, those early ransomware criminals, such as the crooks behind malware such as CryptoLocker, Locky and Teslacrypt, extorted millions of dollars, and their crimes were no less odious or destructive overall than what we see today.

But today’s ransomware criminals tend to pick entire organisations as victims.

The crooks break into networks one at a time, learn the structure of the network, work out the most effective attack technique for each one, and then scramble hundreds or thousands of computers across an entire organisation in one go.

In cases like this, where an entire business may find its business operations frozen because all its computers are out of action at the same time, ransom demands aren’t just $300 or even $30,000 – they may be $3,000,000, or even more.

As you can imagine, this means that the ransomware part of today’s file-scrambling attacks – the malware program at the heart of the scrambling process – is now just one piece in a much bigger toolbox of tricks that a typical ransomware gang will have up their sleeves.

Last week, for example, we wrote about an attack by the Ragnar Locker crew in which they wrapped a 49KB ransomware executable – a file created specifically for one victim, with the ransom note hard-coded into the program itself – inside a Windows virtual machine that served as a sort of run-time cocoon for the malware.

The crooks deployed a pirated copy of the VirtualBox virtual machine (VM) software to every computer on the victim’s network, plus a VM file containing a pirated copy of Windows XP, just to have a “walled garden” for their ransomware to sit inside while it did its cryptographic scrambling.

But that’s far from everything that today’s crooks bring along for a typical attack, as SophosLabs was able to document recently when it stumbled upon a cache of tools belonging to a ransomware gang known as Netwalker.

The Netwalker gang’s toolkit, from the SophosLabs report. The columns are laid out to fit the MITRE ATT&CK matrix.

Above, taken from the SophosLabs report, is a chart showing the range of tools used by these crooks during a typical attack.

From left to right, the columns reveal the various activities that the crooks work on as the attack unfolds:

  • Initial process. The crooks need to get a foothold into the network first, and this gang likes to use a combination of phishing emails and unpatched vulnerabilities. Note that the phishing emails in an attack of this sort almost never contain the ransomware itself – that part of the attack is revealed for the first time much later on, when the crooks have the final onslaught planned out.
  • Execution. Ransomware crooks typically use popular, legitimate tools – the sort that many sysadmins themselves use all the time, and may be used to seeing in their system logs – to distribute and execute their malware.
  • Privilege escalation. If the crooks can acquire administrative powers without cracking or stealing any sysadmins’ passwords, they will. Here you see the favourite exploits of this crew. Even though patches have been out for these holes for anywhere from two months to five years, the crooks don’t have a lot to lose by trying freely available exploits that are known to work on unpatched computers, before moving on to more complex attacks.
  • Defence evasion. Once the crooks have given themselves equivalent power to an official sysadmin, they can start to “adjust” the security posture of the network as a whole. Sometimes they will do this using the official tools for the job, but they also typically keep a stash of unofficial “tweaking tools” that can uninstall or turn off security software to make later parts of the attack easier and less likely to trigger alarms.
  • Credential access. Many popular and freely available open source tools exist to snoop around in memory in the hope of finding passwords or authentication tokens that give crooks ever-more privileged access to the system. These tools are popular with penetration testers – indeed, some of them are pitched as security tools, though they’re essentially malware when run by anyone unofficial.
  • Discovery. Crooks love a network map as much as your own IT department, and typically use a variety of tools to find out not only how many endpoints and servers an organisation has, but also to learn which services are hosted on what servers (even if they’re in the cloud). In modern malware attacks, crooks go out of their way to find any online backup servers you have. They then make every effort to wipe out your backups first to make it more likely that you will be forced to pay up. Ransomware attackers also often take the trouble to identify servers that host company-critical databases. If they can shut down your database applications just before they launch their encryption attack, then the database files will not be locked and their ransomware will scramble them along with everything else.
  • Lateral movement. Attackers love RDP (remote desktop protocol), which is built into Windows, and will abuse it wherever it’s left open, accessible and insecure. (The tool called NLBrute you see in the Discovery column is an automated password guesser for RDP.) But where RDP is not available, the crooks will often bring along popular and legitimate remote-control tools – perhaps even ones you already use in your network and thus that will not look out of place – to help them “administer” your network with ease.
  • Impact. Notice that only three of the boxes in this whole chart are actually ransomware programs. All the other boxes amount to what you might call the supporting cast or the construction tools for the final attack.

Data exfiltration

Perhaps the most important thing to take from this whole chart is the bottom-most box at the far right, labelled Data exfiltration.

When ransomware first became a serious problem about seven years ago, the idea of scrambling your files in place was a way for the crooks to “steal” your files – in the criminal sense of permanently depriving you of them – without having to upload them all first.

The average computer and the typical network just didn’t have the bandwidth to make that possible, and the average crook didn’t have enough storage to keep hold of it all.

But cloud storage has changed all that, and ransomware crooks are now commonly stealing some or all of your data first, before unleashing their ransomware.

They’re then using this stolen data to increase the pressure of their blackmail demands by threatening to leak or sell your data if you don’t pay up, thus giving them criminal leverage even if you have a reliable and efficient backup process for recovering your files.

What to do?

Here, we’re going to refer you to our April 2020 article entitled 5 common mistakes that lead to ransomware.

In quick form, our five tips are:

  1. Protect your system portals. Don’t leave RDP and other tools open where they aren’t supposed to be. The crooks will find your unprotected access points.
  2. Pick proper passwords. Don’t make it easy for crooks and their password guessing tools. Use 2FA wherever you can.
  3. Peruse your system logs. As the chart above shows, the crooks often use a lot of sysadmin tools that would probably show up as unusual in your logs if you were to look.
  4. Pay attention to warnings. Exploits that ran but failed could be reconnaissance for a future attack rather than an attack in their own right. (See 3.)
  5. Patch early, patch often. The Netwalker crooks wouldn’t bother with a CVE-2015-1701 exploit from five years ago if it never worked. Don’t be the network where it does!
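Tips 1 and 3 together suggest a concrete check. The script below is an added example (not code from the SophosLabs report or from Sophos) that runs over a handful of constructed Windows Security-log records and flags the kind of RDP password-guessing burst an automated tool such as NLBrute leaves behind: many failed logons (event ID 4625) of the RemoteInteractive logon type (10) from one source address in a short window, usually cycling through account names, followed, in the worst case, by a successful RDP logon (event 4624) from the same address. The event IDs and logon type are Windows’ own; the threshold, the window and the sample records are assumptions made for the example.

```python
"""
Flag RDP password-guessing bursts in Windows Security log records.

Added example, not code from the SophosLabs report or from Sophos. The
records are constructed for the example. Windows logs event ID 4625 for
a failed logon and 4624 for a successful one; logon type 10
(RemoteInteractive) means the attempt came in over RDP. An automated
guesser such as NLBrute leaves many 4625/type-10 records from one
address in a short time, usually cycling through account names.
"""
from collections import defaultdict
from datetime import datetime, timedelta

FAILED_LOGON = 4625
SUCCESS_LOGON = 4624
RDP_LOGON_TYPE = 10

# Constructed sample: (timestamp, event id, logon type, account, source ip)
SAMPLE_EVENTS = [
    ("2020-05-27 02:14:01", 4625, 10, "administrator", "203.0.113.7"),
    ("2020-05-27 02:14:02", 4625, 10, "admin", "203.0.113.7"),
    ("2020-05-27 02:14:03", 4625, 10, "backup", "203.0.113.7"),
    ("2020-05-27 02:14:04", 4625, 10, "administrator", "203.0.113.7"),
    ("2020-05-27 02:14:05", 4625, 10, "test", "203.0.113.7"),
    ("2020-05-27 02:14:05", 4625, 3, "svc_sql", "203.0.113.7"),  # network logon, not RDP
    ("2020-05-27 02:14:06", 4625, 10, "sysadmin", "203.0.113.7"),
    ("2020-05-27 02:14:07", 4625, 10, "backup", "203.0.113.7"),
    ("2020-05-27 02:14:20", 4624, 10, "backup", "203.0.113.7"),  # guessed it
    ("2020-05-27 09:00:00", 4625, 10, "jsmith", "10.0.0.5"),      # one typo, benign
    ("2020-05-27 09:00:30", 4624, 10, "jsmith", "10.0.0.5"),
]


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def find_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Return one alert per source IP whose RDP logon failures reach
    `threshold` inside any `window`. Threshold and window are tuning
    assumptions for the example; set them from your own baseline."""
    failures = defaultdict(list)   # ip -> [(time, account)]
    successes = defaultdict(list)  # ip -> [time]
    for stamp, event_id, logon_type, account, ip in events:
        if logon_type != RDP_LOGON_TYPE:
            continue  # only RDP logons matter here
        if event_id == FAILED_LOGON:
            failures[ip].append((_ts(stamp), account))
        elif event_id == SUCCESS_LOGON:
            successes[ip].append(_ts(stamp))

    alerts = []
    for ip, fails in failures.items():
        fails.sort()
        best = None  # (count, start index, end index) of the densest window
        start = 0
        for end in range(len(fails)):
            # slide the window start forward until it fits inside `window`
            while fails[end][0] - fails[start][0] > window:
                start += 1
            count = end - start + 1
            if count >= threshold and (best is None or count > best[0]):
                best = (count, start, end)
        if best is None:
            continue
        count, start, end = best
        first, last = fails[start][0], fails[end][0]
        accounts = {acct for _, acct in fails[start:end + 1]}
        alerts.append({
            "source_ip": ip,
            "failures": count,
            "distinct_accounts": len(accounts),
            "first": first,
            "last": last,
            # a later RDP success from the same address suggests a guessed password
            "success_after_burst": any(t >= first for t in successes.get(ip, [])),
        })
    return alerts


if __name__ == "__main__":
    for alert in find_rdp_bruteforce(SAMPLE_EVENTS):
        print(alert)
```

On a real system the tuples would come from an export of the Security log (the event ID, LogonType, TargetUserName and IpAddress fields), and the “success after burst” flag is the one to act on first: it means the guesser probably found a working password, which is exactly the foothold the Lateral movement column above describes.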

Of course, don’t forget the obvious – make sure you are using anti-ransomware protection. Sophos Intercept X and XG Firewall are designed to work hand in hand to combat ransomware and its effects. Individuals can protect themselves with Sophos Home.



Pablo Escobar’s brother sues Apple for $2.6b over FaceTime flaw

Roberto Escobar’s company has reportedly filed a $2.6 billion lawsuit against Apple for purportedly having lame-o security – security so bad, he claims, that his address got leaked through FaceTime and led to subsequent assassination attempts.

According to TNW and TMZ, former accountant and co-founder of the Medellín drug cartel Roberto Escobar, brother to the now deceased drug kingpin Pablo Escobar, is claiming that his iPhone X nearly killed him.

According to the lawsuit, Escobar bought an iPhone X back in April 2018. One year after the purchase, Roberto claims he got a life-threatening letter from someone named Diego who claimed to have found Roberto’s address through FaceTime.

Escobar claims he purchased the X after he had a phone call with an Apple support employee who assured him that the device was “the most secure on the market” and “will never be” vulnerable to any exploits in the future.

Having a secure phone was of utmost importance to Roberto, given that he’d already faced assassination attempts. In December 1993, he was blinded in one eye after receiving a letter bomb that also injured two prison guards.

Escobar claims that in spite of Apple’s assurances about the security of the X, he received strange FaceTime calls. In fact, in January 2019, Apple scrambled to fix an eavesdropping FaceTime bug that enabled snoopers to see their targets’ video feeds, to hear what they were saying, and even to hear what other people in the room were saying.

Escobar claims that the bug led to his receiving a life-threatening letter in January 2019. He says he was forced to go into hiding.

Is this for real?

Apple hadn’t returned inquiries from news outlets as of Thursday evening. Escobar Inc. did, though. As TNW reports, the firm is taking this lawsuit quite seriously. From its report:

Olof Gustafsson, Escobar Inc’s CEO, told us that the “court has already accepted [their] lawsuit” and Apple must respond within 30 days of this notice. If it doesn’t, Escobar Inc. will “win [by] default.”

When I asked what they expected to happen, Gustafsson told me that “Apple is aware of its many faults, and this [wouldn’t] be the first time they… pay for it.” According to him, Escobar Inc. “will not surrender [their] case until [they] win.”

Causes of action

According to TNW, there are three causes of action behind the suit:

  • Breach of Contract. Escobar says Apple didn’t “provide a phone free of exploits.” He wants $100 million for that one.
  • Negligence/Negligence Misrepresentation. The suit claims that Apple “breached its duty of care” and “failed to notify” Escobar when the FaceTime exploit was found. For that, he wants $500 million.
  • Negligent Infliction of Emotional Distress. Besides the above, this cause of action covers “humiliation, embarrassment, mental and emotional distress and anguish”. For this, he would like $2 billion.

That’s quite a lot of moolah. What are Escobar’s chances of getting it?

That’s hard to say. Some think that the suit is too ludicrous to even come close to becoming an actual trial. After all, when’s the last time that marketing assurances on a support call were pulled in as rock-solid evidence of a contract? … If ever?

As far as the $2.6 billion figure goes, well, that’s not the biggest sum we’ve ever seen bandied about in a case against a tech giant. For one, the Federal Trade Commission (FTC) fined Facebook nearly twice that – $5 billion – for fumbling our data in July 2019.

Is this just a publicity stunt to sell gold-plated iPhones, which Escobar explains is his “way of fighting Apple”? If so, it wouldn’t be the first time that Escobar has gone after Apple. Earlier this year, he launched a $349 “unbreakable”, foldable gold smartphone, or what the Daily Mail described as a “rebranded Samsung Galaxy Fold covered in gold tinfoil.”

At the same time, he announced that his lawyers were preparing a $30 billion class-action lawsuit against Apple – a company he dubbed a bunch of scammers selling overpriced junk. From Digital Trends:

They are scammers, and now we are preparing the class-action lawsuit. They are cheating the people and selling worthless phones to consumers, overpriced. My lawyers have been ready for long time, but before I sue them and give money back to the people which they deserve, I wanted to show them that my product is much better.

We want Apple to give some of their illegal profits back to the people. I will make sure of it. I have spent almost $1 million just on lawyers to begin this lawsuit.

Information security is always intriguing, but this? This is popcorn-worthy.



Android ‘StrandHogg 2.0’ flaw lets malware assume identity of any app

Researchers have publicised a critical security flaw in Android which could be used by attackers to “assume the identity” of legitimate apps in order to carry out on-device phishing attacks.

Discovered by Norwegian company Promon, the bug is called ‘StrandHogg 2.0’, the name denoting that this is an “evil twin” follow-up to a similar flaw of the same name made public by the company last year.

Strandhogg is, apparently, the old Norse word for the Viking tactic of sailing up to coastal towns and plundering them, which isn’t a bad description of what the bug might be capable of if it were used in a real attack.

Promon doesn’t delve into the inner workings of the flaw in huge detail, but malware exploiting it would be able to overlay a malicious version of any app over the real one, capturing logins as an oblivious user types them in.

Users tap on the icon of the correct app and think they are logging into their email, say, when in fact they are really logging into an interface controlled by an attacker.

Attackers need to know which apps they are targeting in advance but can phish multiple apps in one attack without the need for rooting, admin privileges or special permissions, Promon said.

Promon claims the code used in the attack would be obfuscated enough that it could slip past Google Play’s security layers as well as on-device security apps, making it hard to detect.

Because this attack is so hard to spot, and can steal almost anything on a device (GPS data, images, logins, SMS messages and emails, phone logs, etc.) there’s a chance it might be interesting to nation state hackers as well as criminals out for profit.

Promon predicts that attackers will look to utilise both StrandHogg and StrandHogg 2.0 together because both vulnerabilities are uniquely positioned to attack devices in different ways.

Who is affected?

Anyone running Android 8.0, 8.1 or 9 – the only Android version not affected by StrandHogg 2.0 is version 10, currently installed on only a small proportion of smartphones.

Reported to Google last December, the flaw, now identified as CVE-2020-0096, was patched by the company in the May 2020 Android security update.

It’s not clear how effective mitigations might be, which puts a premium on patching this flaw. Unfortunately, the only smartphones that have definitely received the fix so far are Google’s own Pixel devices.

If your Android smartphone is made by a third party, patches for Android 8 and 9 could turn up any time from now to several months down the line (potentially vulnerable versions before 8 and 9 no longer receive patches at all).

Users can check their update status via Settings > About phone and looking for the month mentioned in the patch level (May 2020 being the latest). From version 10, the same information is found under Settings > Security.
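If you look after more than a handful of devices, the same check can be scripted from the properties a phone reports over ADB. The script below is an added example (not code from Promon or Google). It reads the text that `adb shell getprop` prints, picks out the release and the security patch level, and classifies the device against this flaw. It assumes that the fix ships in the 2020-05-01 patch level (the first of the two levels in the May 2020 Android Security Bulletin), that 8.0, 8.1 and 9 are the affected releases and 10 is unaffected, as the article says, and that releases before 8 get no patch at all; the property dumps are constructed, not captured from real phones.

```python
"""
Triage an Android device for the StrandHogg 2.0 fix (CVE-2020-0096)
from the output of `adb shell getprop`.

Added example, not code from Promon or Google. Assumptions: the fix is
in the 2020-05-01 security patch level (the first level in the May 2020
bulletin); Android 8.0, 8.1 and 9 are affected and 10 is not, as the
article says; releases before 8 no longer receive patches. The property
dumps below are constructed, not captured from real phones.
"""
import re
from datetime import date

FIXED_PATCH_LEVEL = date(2020, 5, 1)  # assumption, see above
PROP_RE = re.compile(r"^\[([^\]]+)\]: \[([^\]]*)\]$")

# Constructed `getprop` excerpts
SAMPLE_UNPATCHED_9 = """\
[ro.build.version.release]: [9]
[ro.build.version.sdk]: [28]
[ro.build.version.security_patch]: [2020-03-05]
"""
SAMPLE_PATCHED_9 = """\
[ro.build.version.release]: [9]
[ro.build.version.security_patch]: [2020-05-05]
"""
SAMPLE_ANDROID_10 = """\
[ro.build.version.release]: [10]
[ro.build.version.security_patch]: [2020-02-05]
"""
SAMPLE_ANDROID_7 = """\
[ro.build.version.release]: [7.1.2]
[ro.build.version.security_patch]: [2019-10-05]
"""


def parse_getprop(dump):
    """Turn '[key]: [value]' lines from `adb shell getprop` into a dict."""
    props = {}
    for line in dump.splitlines():
        m = PROP_RE.match(line.strip())
        if m:
            props[m.group(1)] = m.group(2)
    return props


def strandhogg2_status(props):
    """Classify as patched / vulnerable / not affected / unsupported / unknown."""
    release = props.get("ro.build.version.release", "")
    patch = props.get("ro.build.version.security_patch", "")
    try:
        major = int(release.split(".")[0])
    except ValueError:
        return "unknown: cannot read ro.build.version.release"
    if major >= 10:
        return "not affected: Android 10 or later"
    if major < 8:
        return ("unsupported: Android %s no longer receives patches, "
                "treat as potentially vulnerable" % release)
    try:
        level = date.fromisoformat(patch)
    except ValueError:
        return "unknown: cannot read ro.build.version.security_patch"
    if level >= FIXED_PATCH_LEVEL:
        return "patched: Android %s at security patch level %s" % (release, patch)
    return ("vulnerable: Android %s at security patch level %s, "
            "needs %s or later" % (release, patch, FIXED_PATCH_LEVEL))


if __name__ == "__main__":
    for name, dump in [("unpatched 9", SAMPLE_UNPATCHED_9),
                       ("patched 9", SAMPLE_PATCHED_9),
                       ("Android 10", SAMPLE_ANDROID_10),
                       ("Android 7", SAMPLE_ANDROID_7)]:
        print(name, "->", strandhogg2_status(parse_getprop(dump)))
```

Feed it a real dump with `adb shell getprop > props.txt` and `parse_getprop(open("props.txt").read())`. One caveat: the patch level is the vendor’s own declaration, so a maker that backports the fix without bumping the level shows up as vulnerable here, and a bumped level is only as trustworthy as the vendor that set it.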

More likely, the last patch will be anything from two to six months ago. The good news is that, unlike StrandHogg 1.0, there’s no evidence hackers have ever discovered or exploited this weakness.

The risk posed by this right now is probably low. What its existence emphasises is the urgency of improving the patching of Android devices, including the tricky and still-to-be-solved issue of what happens when non-Google devices stop receiving updates after two years.

Currently, there is no answer: such devices simply stay unpatched, a flawed approach whose long-term risks grow larger with every passing Android version.


