THERE ARE PLENTY of guides available on how to protect your data, how to secure yourself online, and how to stop digital snoops from tracking you across the web and then profiting from that intrusion. (Sorry, “monetization”.) You should do these things. But if a cascading series of revelations this past week has taught us anything, it's that all of those steps amount to triage. The things you can control add up to very little next to the things you can’t.

It’s an obvious point, especially if you follow the privacy headlines. But a recent example of location-tracking gone wrong—in fairness, it rarely goes right—that unfolded over the last week or so underscores the severity of what you’re up against.

On May 10, a New York Times report detailed a service, called Securus, that allegedly allowed a former sheriff to track people’s location, practically in real time, without a court order. Securus technically requires legal documentation that authorizes use of its services. But US senator Ron Wyden (D–Oregon) says Securus told his office that the company “never checks the legitimacy of those uploaded documents” and that it does not feel obligated to do so. It offers a rubber stamp, then, to letting people know where virtually anyone in the US is standing at any given moment.

On the heels of that report, ZDNet detailed how all four major US carriers sell location data to companies you’ve never heard of, without your explicit permission. In this specific case, Securus bought its access from a location aggregator called LocationSmart, which in turn bought it from the telecoms. All of these corporate relationships are arguably legal.

"We don’t really have federal laws that are focused on that backend sale of personal data," says Alan Butler, senior counsel at the Electronic Privacy Information Center. "A lot of this is just the Wild, Wild West, honestly. That’s why the companies do whatever they want."


'If they’re going to have this data and a claim to use it, then they absolutely have a responsibility to make sure it’s locked up tighter than Fort Knox.'




That includes phones, smartwatches and other devices that can transmit, store and receive data.

The Defense Department on Tuesday issued a sweeping electronics policy banning personal and government-issued mobile devices from secure spaces within the Pentagon.

The new rules bar all military personnel, government employees, contractors and visitors from bringing internet-connected devices into areas of the Pentagon where classified information is processed, handled or discussed, according to a memo first reported by The Associated Press.

The ban applies to cellphones, laptops, tablets, smartwatches and any other device that can transmit, store or record data and run on “a self-contained power source.”

Before entering secure spaces, people will be required to shut off mobile devices and leave them in storage containers outside the area, Deputy Defense Secretary Patrick Shanahan wrote in the memo. The rules don’t apply to electronics with minimal storage and transmission capabilities, like key fobs or fitness trackers without cameras and microphones that don’t connect to the internet.

The undersecretary of Defense for intelligence and Defense chief information officer can grant exceptions for certain government-issued devices, but personal electronics are universally banned. Exceptions for cellular-enabled medical devices may be given on a case-by-case basis.

The Pentagon began reconsidering its mobile device policy after the fitness-tracking app Strava compiled user location data in a global heat map and inadvertently revealed the locations of multiple overseas military bases. The data dump also publicized the identities and locations of international aid workers, intelligence operatives and military personnel, raising security concerns among government officials.

The new rules are less extreme than the facilitywide cellphone ban Defense Secretary James Mattis reportedly considered after the Strava incident.

Agency officials have 180 days to fully implement the policy.


A sophisticated and targeted mobile espionage campaign has been found targeting North Korean defectors. Mounted by a relatively new APT actor known as Sun Team, the offensive used Google Play and Facebook as attack vectors. Overall, it shows how quickly the mobile threat landscape is evolving as APTs shift tactics to focus on this segment.

The RedDawn campaign, as it has been dubbed by the researchers that observed it, planted three “unreleased” beta apps in Google Play that target Korean-speaking users. They masquerade as something useful. One is called Food Ingredients Info, and the other two claim to be security-related (Fast AppLock and AppLockFree).

“We are witnessing an evolution of the traditional kill chain, where the platform is truly becoming agnostic,” Raj Samani, chief scientist at McAfee, said in an email interview. “Mobile malware is over 14 years old, and the evolution of mobile threats into mobile APTs is a testament of the fact of how critical mobile devices have become to us in our digital life.”

In reality, the food app and Fast AppLock secretly steal sensitive data like contacts, messages, call recordings and photos, and they’re also capable of receiving commands and additional executable (.dex) files from a C2 server. AppLockFree, on the other hand, appears to be part of a reconnaissance effort, setting the foundation for a future wave of attacks.


“We believe this group behind this campaign is just getting started,” said Samani.

As for how the malicious apps made it into the official store in the first place, he explained that the apps were meant to be an innocuous-looking initial foundation for the attack.


The FBI has disrupted a network of half a million routers compromised by the group of Russian hackers believed to have penetrated the Democratic National Committee and the Hillary Clinton campaign during the 2016 elections, according to reports.

The hacker group, known as "Fancy Bear," has been using a malware program called "VPN Filter" to compromise home and small office routers made by Linksys, MikroTik, Netgear and TP-Link, as well as QNAP network-attached storage devices.

VPN Filter is "particularly concerning" because components of the malware can be used for the theft of website credentials and to target industrial system protocols, such as those used in manufacturing and utility settings, Cisco Talos Threat Researcher William Largent explained in a Wednesday post.

"The malware has a destructive capability that can render an infected device unusable," he said, "which can be triggered on individual victim machines or en masse, and has the potential of cutting off Internet access for hundreds of thousands of victims worldwide."

Neutralizing Malware

The FBI on Tuesday obtained a court order from a federal magistrate judge in Pittsburgh to seize control of the Internet domain used by the Russian hackers to manage the malware, The Daily Beast reported.