Police vs Privacy: US Supreme Court Looks at Cell Phone Tracking

Where do we go? Who do we talk to? What do we read about? Our mobile phones are troves of personal, private information, and the US Supreme Court weighed Wednesday how easily police should be able to get it.

In a case seen as a landmark for privacy protection in the digital age, the court heard arguments over whether police have the right to obtain the location data of a person's phone from providers without a search warrant.

During the hearing, most of the high court's nine justices appeared deeply concerned about how phone companies can track a person's movements via their device and hand that information, sometimes going back years, to police when asked.

Civil libertarians say that information is protected by the US Constitution.

But law enforcement officials say the location data transmitted from a phone to a cell tower has been essentially made public and handed over to a third party, giving up any claim the owner might have to privacy.

The specific case involves Timothy Carpenter, who was tracked down and convicted of theft in 2011 after the police obtained some 12,898 cell tower location points for Carpenter's device over four months from phone companies.

Justice Sonia Sotomayor appeared to agree with the pro-privacy advocates.

The cell phone "is an appendage now for some people," she noted.

"Right now we're only talking about the cell site records, but as I understand it, a cell phone can be pinged in your bedroom. It can be pinged at your doctor's office. It can ping you in the most intimate details of your life -- presumably at some point even in a dressing room as you're undressing."

Constitutional Test Case

The US Constitution's Fourth Amendment guarantees the privacy of citizens from "unreasonable searches and seizures," and says police must obtain warrants based on "probable cause" if they want to search a suspect's "persons, houses, papers, and effects."

Parties on both sides of the case agree that the law did not anticipate an era in which everyone relies on a cell phone and technology providers can amass data on a person via those phones.

Nathan Wessler, an attorney with the American Civil Liberties Union representing Carpenter, said the police collection of the phone location data constituted a "search" that required a warrant.

"The concern here is with the privacy invasion, which is quite severe over the long term, over these more than four months of data," he told the court.

But the government argues that the location data is not like tapping a phone conversation, which is illegal without a warrant.

"We're dealing here with routing information. We're not dealing with the contents of communications," argued Michael Dreeben, deputy solicitor general for the Department of Justice.

He argued that giving up the information is a voluntary act by the cell phone user, and so it is not protected.

"There is an element here of voluntariness in deciding to contract with a cell company, just like there's an element of voluntariness in getting a landline phone and making a call," Dreeben told the court.

Implications for Private Data

The case has much broader implications than cell phone location data, experts say.

Today, a huge amount of information from people's lives is held by "third parties": personal files stored in the internet cloud, information from home electronics collected by the makers of those appliances, and communications sent via cell phones and the internet.

"The advance of technology means that information you used to store in your desk drawer is now stored somewhere with third parties," said Greg Nojeim of the Center for Democracy & Technology.

To get information in a drawer, he noted, police would have to ask the court for a warrant.

The Supreme Court will likely make a decision on the case before the end of its current term in June 2018.

How to Keep Your Credit Card Transactions Safe Online in 2017

In the past five years, 30 percent of all cardholders – credit, debit, even prepaid – have experienced some form of fraud, and at least 17 percent have experienced multiple fraud attempts. However, there’s also good news. Armed with an understanding of how credit card fraud happens and how to guard against it, you can significantly reduce your exposure to risk.

The Shift to EMV Chips

You may have noticed in recent years that most credit and debit cards come embedded with small chips. A card chip, known as a Europay Mastercard Visa (EMV) chip, uses the global EMV standard to authenticate and secure transactions made by credit, debit and prepaid cards. This technology is more secure than traditional magnetic stripe cards, which store data that is unchanging and easily copied by a card skimmer. Once a fraudster has “skimmed” your magnetic stripe data, they have all the information they need to use your card as they see fit. Chip cards, by contrast, generate unique security codes for each new transaction. This means thieves can’t use your card for new transactions even if they manage to copy your data.

Unfortunately, card skimming is only one kind of risk. Chipped cards do nothing to protect against card-not-present transactions, such as those processed online. These cards also come with other potential security risks; each card still has a magnetic stripe backup, and this stripe data can be rewritten to effectively undo the protections afforded by the security chip. Data breaches are still a major concern as well, as chip technology offers no protection against the theft of stored information. Additionally, EMV cards can still be skimmed and their data sent remotely to a secondary device, allowing criminals to use the card as they wish for a short period of time.

Tread Carefully With P2P Transactions

Whether it’s Venmo, PayPal, Square Cash or another service entirely, a peer-to-peer (P2P) transaction platform allows you to quickly and conveniently send and receive cash from virtually any device. Unfortunately, P2P services also expose your credit card information to a greater risk. To limit your risk, only conduct transactions with people you know and trust. Additionally, carefully read the platform’s security policies before using it to ensure that the process is protected appropriately.

Use a Dedicated Card for Digital Transactions

There are clear benefits to using a single credit card for all your needs: it allows you to manage your spending easily and even rack up reward points. However, you can improve your security by using a separate card only for digital transactions. While it won’t prevent theft, it will limit your exposure by ensuring that only one account is potentially put at risk.

Don’t Get Hooked by Phishing Scams

Phishing is a very simple type of scam, but it’s also extremely effective. A phishing attempt comes in the form of an email, text message or social media communication that purports to be from a trusted source, often a reputable company or financial institution. The message will include a request for login credentials, personal information or other sensitive data that criminals can use for fraudulent purposes, or it will attempt to infect your device with malware. To prevent falling victim to phishing, never enter personal information after following a link you’ve received in an email or message. If you believe the request may be legitimate, contact the company or person directly to verify before providing any information.

Practice Good Security Habits

It may be convenient to store your credit card data and other information in online shopping accounts that you frequent, but it’s also a major security risk. Instead, opt out of any data storage, and enter your information manually for each transaction. Clear your browser’s cache after making a transaction to ensure that none of your data is stored, and be sure to only shop over a secure https:// connection. Treat all public computers and Wi-Fi hotspots as compromised, even if they appear to be safe.

Maintain Vigilance

The unfortunate reality is that you can never completely prevent fraud, but you can identify it quickly and limit the damage. To that end, make a habit of reviewing your credit card and bank statements frequently for any suspicious activity. It’s also important to check your credit score and credit report for any errors or signs of fraud. Many credit cards now provide free access to your credit score, and you can check your credit report three times per year by alternately requesting a report from each of the three major reporting bureaus: Experian, TransUnion and Equifax.

Stay Safe With Text Alerts

In addition to obtaining your credit reports, you can stay on top of your finances by using text alerts. Most banking apps provide the option to set various alerts, whether it’s a text message for every transaction over a specified dollar amount or a daily text summary of your current balance. Set these alerts and use them to keep an eye out for any signs of unusual activity. If you notice something that doesn’t add up, report it as quickly as you can.

Credit card fraud is a serious and rapidly growing problem, with losses estimated to reach $10 billion by 2020 in the United States alone. The introduction of EMV chips has helped to curb certain types of fraud, but it’s done nothing to prevent fraud online. With this knowledge and these tips, however, you can do what it takes to keep yourself and your finances protected.

Android Malware Steals Data from Social Media Apps

A newly discovered backdoor that has managed to infect over one thousand Android devices was designed to steal sensitive data from popular social media applications, Google reveals.

Dubbed Tizi, the malware comes with rooting capabilities and has already been used in a series of targeted attacks against victims in African countries such as Kenya, Nigeria, and Tanzania. Discovered by the Google Play Protect team in September 2017, the backdoor appears to have been in use since October 2015.

A fully featured backdoor, Tizi installs spyware that allows it to steal sensitive data from the targeted applications, Google says. The malware family attempts to exploit old vulnerabilities to gain root access on the infected Android devices, and its developer also uses a website and social media to lure users into installing more apps from Google Play and third-party websites.

To date, Google has identified over 1,300 devices affected by the malware. According to the company, newer Tizi variants include rooting capabilities that attempt to exploit a series of local vulnerabilities, including CVE-2012-4220, CVE-2013-2596, CVE-2013-2597, CVE-2013-2595, CVE-2013-2094, CVE-2013-6282, CVE-2014-3153, CVE-2015-3636, and CVE-2015-1805.

Since most of these vulnerabilities target older chipsets, devices, and Android versions, users running a security patch level of April 2016 or later are far less exposed to Tizi's capabilities. If none of the exploits work, the Tizi apps attempting to gain root fall back to performing the action through the high level of permissions they request from the user.

Once it has gained root on the compromised device, the threat can proceed to stealing sensitive data from popular social media apps such as Facebook, Twitter, WhatsApp, Viber, Skype, LinkedIn, and Telegram.

After infection, the malware usually contacts its command and control (C&C) by sending an SMS with the device's GPS coordinates to a specific number. Subsequent communication with the C&C, however, is performed over HTTPS, but some versions of the malware also use the MQTT messaging protocol to connect to a custom server.

“The backdoor contains various capabilities common to commercial spyware, such as recording calls from WhatsApp, Viber, and Skype; sending and receiving SMS messages; and accessing calendar events, call log, contacts, photos, Wi-Fi encryption keys, and a list of all installed apps,” Google says.

On top of that, however, the malware can also record ambient audio and take pictures without displaying the image on the device's screen.

To stay safe, users are advised to pay close attention to the permissions they grant to newly installed applications; to enable a secure lock screen, such as PIN, pattern, or password; to keep their devices up-to-date at all times, given that the threat exploits old, known vulnerabilities; and to ensure Google Play Protect is enabled.

Serious MacOS Vulnerability Exposes the Root User

Apple has now released a fix for the bug described here. That fix is part of Security Update 2017-001, which is available from the Mac App Store, in the Updates tab, with the label “Install this update as soon as possible.” (Somewhat confusingly, there have already been previous Security Update 2017-001 releases, for unrelated issues, for Sierra, El Capitan and Yosemite.) This update should be installed as soon as possible, and does not require a restart.

It turns out that the issue in question works with any authentication dialog in High Sierra. For example, in any pane in System Preferences, click the padlock icon to unlock it and an authentication dialog will appear. Similarly, if you try to move a file into a folder you don’t have access to, you’ll be asked to authenticate:

Enter “root” as the username, and leave the password field blank. It may work on the first try, but more likely you’ll have to try two or a few more times.

When the authentication window disappears, whatever action you were attempting will be done, without any password required.

Let’s take a step back for just a moment and consider what this means. On a Unix system, such as macOS, there is one user to rule them all. (One user to find them. One user to bring them all and in the darkness bind them. </end obligatory nerdy Lord of the Rings reference>)

That user is the “root” user. The root user is given the power to change anything on the system. There are some exceptions to that on recent versions of macOS, but even so, the root user is the single most powerful user with more control over the system than any other.

Being able to authenticate as the root user without a password is serious, but unfortunately, the problem gets worse. After this bug has been triggered, it turns out you can do anything as root on the first try, without a password.

The root user, which has no password by default, is normally disabled. While the root user is disabled, it should not be possible for anyone to log in as root. This is how macOS has worked since day one, and it has never been an issue before, but this vulnerability causes the root user to become enabled… with no password.

Unfortunately, this means that anyone will be able to log into your Mac using user “root” and no password!

Note that this does not require that the login window be set to always ask for a username and password. If you have it set to display a list of user icons instead, after triggering this vulnerability, there will be an “Other…” icon that will be present on the login screen. Clicking that will allow you to manually enter “root” with no password.

Remote access

This bug does not appear to be exploitable through some of the remote access services that can be enabled in the Sharing pane of System Preferences. Remote Login, which enables access via SSH, does not appear to be exploitable in our testing, nor does File Sharing. Even after triggering the bug and, thus, enabling the root user with no password, we were not able to connect to the vulnerable Mac through these methods.

Unfortunately, it looks like Screen Sharing, which allows you to view and remotely control the screen of your Mac, is vulnerable to this bug. In fact, it can actually be used to trigger this bug, without needing to rely on the root user already having been enabled!

In the screen sharing authentication window on a remote Mac, the same technique can be used. We were able to connect via screen sharing, using “root” as the username and no password, on the second attempt. At that point, the root user was enabled on the remote Mac, and we were able to log in to the root account via screen sharing without any blatant indication that we were doing so appearing on the screen shown to the logged in user on the target Mac. (An icon does appear in the menu bar on the target Mac, but it is not immediately obvious what that icon means. The average user will likely never notice the new icon.)

Unforeseen consequences

Once someone is logged into your Mac as root, they can do whatever they want, including accessing your files, installing spyware, you name it. So, in other words, if you were to leave your Mac unattended for 30 seconds, someone could backdoor it and have a very powerful way in later.

Suppose that you are Suzy, an average office worker in a cubicle farm. You step away from your desk for a moment to grab a cup of coffee. You’ll only be gone for about a minute, and don’t bother locking your screen. While you’re gone, Bob from the next cubicle comes over and “roots” your computer.

Later, you go to lunch. You’re gone for an hour, and Bob knows this because he’s familiar with your routine. He uses the root user to log into your Mac and install spyware—perhaps something to peep through the webcam, hoping to catch you in a compromising position later on when you’ve taken your MacBook Pro home with you.

Of course, all that’s even easier if you have screen sharing turned on, and he can install the spyware remotely, without ever touching your Mac.

Creeped out yet?

Fortunately, if you have your Mac’s hard drive encrypted with FileVault, this will prevent the attacker from having a persistent backdoor. In order to log in, the attacker would have to know the password that will unlock FileVault. Not even the all-powerful root user can access an encrypted FileVault drive without the password.

It’s also worth pointing out that a well-prepared attacker with access to your unlocked Mac could install spyware in less than a minute without relying on this vulnerability and without needing an admin password of any kind (depending on what the spyware does). Some spyware can be installed with normal user privileges.

Further, with a longer interval of unsupervised physical access to any Mac that doesn’t have FileVault turned on, an attacker can install spyware of any kind without needing an admin password.

Avoiding an attack using this vulnerability is actually fairly trivial. Just turn on FileVault, and always lock your Mac’s screen or log out when you’re away from it. While you’re at it, set a firmware password. And, to prevent remote access, turn off all services in System Preferences -> Sharing as a precaution.

Still, this is a very serious vulnerability, which Apple needs to address as quickly as possible. We contacted Apple for comment, but by the time of this writing, had not heard back.

Undoing the damage

If you, like many, have tried this out on your own Mac, you’ve opened up a potential backdoor. Fortunately, closing that door isn’t particularly hard, if you know the door is there and that it’s open.

First, open the Directory Utility application. It’s buried deep in the system where it’s hard to find, but there’s an easy way to open it. Just use Spotlight. Click the magnifying glass icon at the right side of the menu bar, or press command-space, to invoke Spotlight. Then start typing Directory Utility in the search window. Once the application is found, simply double-click it in the list to open it. (Or, even easier, press return once it’s selected in the search results.)

Once Directory Utility opens, click the lock icon in the bottom left corner of the window to unlock it. Then, pull down the Edit menu.

If you see an item reading Enable Root User, as shown in the screenshot above, you’re good. Whatever you did, the root user wasn’t enabled. Quit Directory Utility, and go about your business.

If, instead, you see an item reading Disable Root User, choose that. The root user will be disabled again, as it should be, and it will no longer be possible to log in as the root user from the login screen. Just be aware that this does nothing to protect against the vulnerability, so the root user could easily be enabled again.

Be sure to take the other measures described above to secure your system against unauthorized physical access. Namely, turn on FileVault, always lock your Mac’s screen or log out when you’re away from it, set a firmware password, and turn off all services in System Preferences -> Sharing.

Will the End of Net Neutrality Crush the Internet of Things?

The FCC announced its plans to do away with net neutrality rules. What effect will that have on IoT?

It was hardly a surprise, but this week Federal Communications Commission Chairman Ajit Pai made it all but official: He announced a plan to scrap Obama-era net neutrality rules.

Since Republicans hold a 3-2 edge at the FCC, Pai’s plan is virtually certain to pass — despite lobbying efforts and court challenges from just about every internet constituency apart from big internet service providers (ISPs). "The Restoring Internet Freedom Order," as it’s cynically called, will very likely upend the current rules classifying internet service as a public utility and prohibiting carriers from slowing or blocking certain types of traffic.

Most of the commentary so far has centered on possible blockages of fast access to consumer services such as Netflix, or higher ISP prices to ensure unfettered access to popular online content. But the looming end of net neutrality is likely to have far more pervasive effects than a jittery picture when streaming old episodes of Breaking Bad.

The IoT thrived under net neutrality

One of the biggest questions, in fact, is what effect the sunset of net neutrality provisions will have on the Internet of Things (IoT). My initial analysis suggests that the effects could be significant, but will take time to shake out.

We’ve never really lived in a world with no net neutrality rules, so ISPs and enterprises will be feeling their way around the new landscape. But there are already concerns about how the end of net neutrality could affect the IoT.

Blocking and throttling internet traffic

First of all, if carriers can block, throttle, or delay traffic at their discretion, they could very easily decide to impede IoT traffic in a variety of ways, for a variety of reasons. Unless, perhaps, users paid a premium for fast, timely delivery of their IoT data or agreed to buy IoT devices only from the carrier or its approved partners. In areas where a carrier held a monopoly on internet access, it could pretty much dictate terms.

I haven’t yet heard of any plans to do such noxious things, but it’s hard to put anything past these companies. They’re some of the most disliked companies in America, and they’re under pressure to justify their huge network investments. What do you really expect them to do … let a potential gold mine just sit there?

Effects on enterprise users and small businesses

Attempts to leverage the new rules might not have to be so blatant, though. A carrier might simply tell a company like GE that if it wants guaranteed prompt delivery of the data from its industrial IoT devices, it will have to upgrade to a higher — read, more expensive — tier of service to ensure the required service levels.

Given the high stakes, a company the size of GE might be willing to go along. But smaller businesses — especially those upstart IoT startups with the cool new ideas — might not be able to afford to pay the freight for premium net access. So, the data from their IoT devices might not be delivered for analysis in a timely fashion … or at all. For enterprise IoT users, the initial effect is likely to be higher costs to ensure access and greater uncertainty about the best ways to connect IoT devices.

The IoT, like the net as a whole, runs on the free exchange of data. That freedom might not disappear immediately upon the death of net neutrality, but this week’s FCC actions certainly make it more likely to erode over time.