This Week in Security: Strava-stalking, The Undead Spyware Company, and Facebook Gets Into Cybersecurity Policy

Lack of Finesse Over Fitness Tracking

Last weekend, Strava Labs released their global heat map of collected fitness tracking app data, much to the chagrin of the Internet. Strava has been collecting this data since 2015, and the map is built from over 1 billion activities recorded since September 2017 on fitness devices such as Fitbits. Taken on its own, it is an impressive exercise in big data measurement and statistics.

However, within this massive haystack of information were some very sensitive needles. Strava sanitized the data to prevent individuals' personal data from being leaked, but the location data itself was not scrubbed, so interesting geolocational patterns could still be discovered. This triggered a huge response from many online analysts, including Nathan Ruser, who was quick to point out that the heat map gave away the potential locations of secret military bases and the patrol routes of their personnel.

Not only are military personnel at risk; the map provides enough detail to identify and track the jogging or bike paths of individuals in a given locale. Data like this could easily allow a persistent individual to track people based on their daily habits.

Many are wondering how this data was collected. As it turns out, as in many of these cases, the data your device collects is sent to a third party as well as to the device manufacturer. Strava receives this third-party information and aggregates it as your devices sync back to the Internet. Luckily, for most of these devices, this sharing can be disabled through the corresponding mobile application or the device's configuration settings.

As more and more devices become connected to the Internet, information such as this will become more readily available to more people. Although this information can be genuinely useful for the benefit of others and of the environment, it is likely to lead to potentially life-threatening situations for some individuals. Strava has kept the data on its site since publishing the heat map, allowing people to continue to dive into the details and pull out interesting facts and statistics.

For those of you who are concerned about this kind of data falling into the wrong hands, consider policies restricting these kinds of devices, and double check device settings and EULA agreements to ensure your data is not being leaked to inappropriate parties.

Hacking Team Back from The Dead Again

This week it appears that the notorious Italian spyware development group, Hacking Team, has made another resurgence. This time the group allegedly appears to be operating in conjunction with the Saudi Arabian government in order to continue obtaining sensitive information on groups the Saudi Arabian regime feels threatened by.

In recent documents uncovered by VICE, it appears that Hacking Team has been purchased by two shadowy figures connected to the Saudi Arabian government and has continued its antics of developing sophisticated malware capable of spying on individuals across multiple devices.

In the current cyber renaissance of the Middle East, it appears that Saudi Arabia is following in the footsteps of its nearby neighbor, the United Arab Emirates (UAE), and slowly stocking up on offensive cyber capabilities. These new capabilities are suspected of being tested and deployed in the Iran-Saudi Arabia proxy wars currently unfolding in Yemen, Syria, and Qatar.

Previously, Hacking Team had sold its spykits to governments around the world that are considered oppressive, including Saudi Arabia, so the jump from customer to investor and partner is not too surprising to anyone who has been following the drama unfold.

In the newest reports, it appears that the Saudi Arabian government used a shell company by the name of Tablem Limited to purchase a 20% stake in Hacking Team. Recent events such as the Arab Spring, the formation of Saudi Arabia's new cybersecurity authority, and the jailing of prominent critics of the royal family, and even members of the royal family itself, all point to Hacking Team and the government of Saudi Arabia working on a revival of the spyware company to develop new software that further fuels these activities.

Individuals looking to improve their privacy should always keep up to date with the latest security patches; run protective software such as antivirus, password managers, and privacy-respecting messengers; and be on the lookout for phishing attacks, even old-school phishing methods from 1997 with no file attachments.

Facebook Hires Head of Cybersecurity Policy

In what marks a potential watershed moment in social media and cybersecurity awareness, Facebook has announced that it has hired former White House policy director Nathaniel Gleicher as its own director of cybersecurity policy. This shift marks a huge step forward in acknowledging how much pressure social media content, particularly content that triggers cybersecurity concerns, can exert on users.

The newly minted job is designed to help counter recent information attacks that target social media users by spreading disinformation, not unlike the psychological warfare tactics used during wartime.

This comes after the much debated Russian influence on the 2016 Presidential election, in which Facebook discovered that over 3000 ads were purchased by Russia's Influence Agency, potentially targeting over 150,000,000 Americans. These ads were so influential that many of them actually led to physical demonstrations organized by people who saw them.

Using fake social media content to trigger real-world events has long been a suspected strategy of many nation-state organizations. A possible earlier example of a targeted social media hoax was the fake Columbian Chemicals plant explosion in 2014, in which several coordinated social media posts and bot accounts faked a chemical explosion in Louisiana. A second phase of the hoax was accompanied by text messages sent to people in the same area code as the chemical plant, stating that toxic fumes from the explosion were present in the air and that they should stay indoors.

As expected, this activity went viral and resulted in panic in the area before people were told it was a fake incident. However, unlike typical trolling, the people who spread the disinformation did so in a completely covert and coordinated fashion, even using sophisticated spoofed news sites, doctored videos, and mass SMS messaging to lend credibility to the would-be terrorist attack. Some believe that this operation was a precursor to the fake news and social media manipulation campaign of the 2016 presidential election.

The world is at a heightened state of awareness. Along with the realization that foreign national entities are submitting fake news articles, there has been a plethora of other close calls resulting in widespread panic, such as the recent Hawaiian missile crisis.

At times like this, it is better to remain calm, remember Vasili Alexandrovich Arkhipov, and double check the facts before acting on something you read on the Internet. Today's Internet is fast becoming another Wild West, in which rules and order are being broken down and tested by individuals and groups trying to profit from exploiting and manipulating the masses. As long as there are profits involved and goals to be had, this will unfortunately remain a factor, and it is a good thing that corporations such as Facebook are looking into options to prevent it.