SecureMac, Inc.

The Checklist Podcast

SecureMac presents The Checklist. Each week, Nicholas Raba, Nicholas Ptacek, and Ken Ray hit security topics for your Mac and iOS devices. From getting an old iPhone, iPad, iPod, Mac, and other Apple gear ready to sell to the first steps to take to secure new hardware, each show contains a set of easy-to-follow steps meant to keep you safe from identity thieves, hackers, malware, and other digital downfalls. Check in each Thursday for a new Checklist!

Checklist 136: The High Cost of Free Viewing

Posted on May 2, 2019

Do you love your streaming services? Many of us do — and hackers know it, too, with some starting to set their sights on capitalizing on this vast audience of potential targets. Meanwhile, someone is leaking major amounts of data on tons of people again, and this week we also get to enjoy Opposite Day, as we look at a story about Facebook that might not be all bad — maybe. Those subjects, their details, and our thoughts — that’s this week’s Checklist. Going down the list, our topics include:

  • Free Viewing, plus Bonus Malware!
  • 80 Million Households Exposed
  • Is Facebook ACTUALLY Working on User Privacy?

We know you’re just dying to get to the end and find out the answer to that last question, so let’s waste no further time as we dive right into this week’s discussion.

Free Viewing, plus Bonus Malware!

You won’t believe this one: people are using pirate video devices for nefarious purposes! We’re not just talking about people who are stealing premium content through pirate apps, though that’s no good either — we’re talking about the devices themselves, the ones that deliver the content, being crammed full of malware. Malware? In pirated content? Say it ain’t so!

This story comes to us from CNET and as a result of some in-depth research conducted by a security consulting firm and the DCA, or Digital Citizens Alliance. During their collaboration, the team looked at six different streaming devices. Let’s hit pause here for a second to explain what we’re talking about: what is a pirate streaming device?

Think of how you watch your favorite streaming services, such as Netflix and Hulu. While some people use built-in Smart TV apps or their video game consoles, many others use separate devices such as an Apple TV, a Roku, or another similar option. Of course, you still need to pay for access to the services — unless you’ve bought one of the modified options which some unscrupulous individuals offer for sale. These kits use various exploits to provide “free” access to the content that’s usually locked behind a paywall. As CNET notes, they work just like your typical device — you connect it to your home network and your TV and use the apps to access the content you want to see.

These devices pop up in various places around the web and sometimes even in thrift stores and flea markets, but they aren’t official by any means — nor are they really legal, of course. It all comes with a major catch, too, as the researchers discovered: most of the time, the devices themselves are infested with malware, and if not the hardware, then the streaming “apps” are malware payloads on their own. Some of the malware discovered by the researchers can search user networks for connected devices, such as microphones, and take them over. Others stole Wi-Fi usernames and passwords, or sat silently in the network collecting data and sending it off to foreign servers. 

The DCA and Dark Wolfe Consulting crunched the numbers and estimated that in the US alone there are probably about 12 million active users of these vulnerable devices. That’s a lot of people potentially exposed to mysterious and unsavory malware operators.

Okay: it should go without saying, but the biggest and most important takeaway from all of this is that you shouldn’t use these devices. Not only is it illegal, but it’s also dangerous to your digital safety and privacy. That being said, what if you or someone you know has already gone down this road? What should you do? Unfortunately, it can be a bit of a sticky situation to resolve.

It’s likely that if a malware-infested streaming device were connected to a network, it would take the opportunity to look for other things to infect, such as Internet of Things (IoT) devices. Right now, there is no easy way to scan such devices for malware. You can check your Mac, of course, and make sure that it comes up clean, but it may be time for a factory reset on devices you’re concerned may be affected. While it might mean losing some custom settings, you can recreate those — at least you’ll get rid of the malware in the process. To stress: merely removing the infected streaming device from your TV or network isn’t necessarily enough to be certain you’ve purged the problem. 

Now is also a good time to fall back on the same old standby advice: change your passwords and monitor your accounts, since there’s no way of knowing whether the malware intercepted sensitive information on your network or not. For Mac users, downloading and installing the Princeton network scanner we discussed recently on The Checklist is also an option. This program allows you to see when your IoT devices are “talking” to a server on the web, and it could help you identify when a device has become infected. 

But seriously: avoid all this hassle by paying for streaming services and avoiding these bootleg devices altogether. It’s just not worth the risk!

80 Million Households Exposed

Here on The Checklist, we like to feature stories with a clear call to action — something you can do to make yourself safer, to be more proactive, or to engage with digital security more fully. Unfortunately, this is not one of those stories. Coming again to us from CNET is news that a group of security researchers discovered a massive online database, available in the cloud, totally unsecured and ready for anyone to look through its contents. What were those contents? Only addresses and personal details for approximately 80 million households in the United States. For those keeping score, that’s more than half the households in the country. 

The amount of information in the database is immense, although it seems to track strictly household information and not statistics on individuals. Even so, the amount of data revealed inside the database was staggering, and included things such as household addresses, full names and dates of birth for household occupants, and more. Much of the information is exposed, though some attributes use some kind of code. 

How does this happen?

It could be as simple as someone simply forgetting to secure the database when they put it in the cloud — mistakes do happen. It could also be a stolen database put online by a hacker, who may not particularly care about the security of the information anyway, though this isn’t likely in this particular scenario. Someone may have simply forgotten about the database or not known about its contents during a transfer of assets between two companies. One more plausible scenario is that whoever put it online believed they could enjoy “security through obscurity” — simply that no one would be able to find it. 

So where did all this come from and who left the database unsecured in the cloud? Good question — nobody knows. Well, Microsoft knows, since they own the cloud server on which the data was discovered. In a statement to the media, Microsoft said they’d notified their “customer” and were assisting them in securing the information so that it would not be exposed again. What about notification for all the people whose data was left up in plain sight? Well, that’s trickier — and we probably wouldn’t hold our breath for that to happen, either. 

The researchers have reached out to the public for help identifying the “customer” independently since Microsoft isn’t likely to divulge that information themselves. Since most of the information in the set was on individuals over 40, it raises plenty of questions about what service would collect such specific information only on households in the US. Of course, if anyone figures it out and we hear about it, we’ll be sure to bring you an update.

It’s not clear how long the database was up or how many people might have viewed it. The silver lining to this story, if there is one, is that the direct risk of anyone using this information nefariously is low, though the elderly may be at risk of targeted scams. The best advice here is the same as it would be otherwise: stay vigilant.

Is Facebook ACTUALLY Working on User Privacy?

We’ll round out this week’s chat with our old pals over at Facebook — it’s been a minute since we focused back on them, after all. While it’s rare that we have anything good to say about Mark Zuckerberg and friends — well, we still might not — let’s get into the details of this story first. The world’s largest social network recently made a post on its developer page about some changes it says it’s embarking upon now and in the near future.

Citing their “ongoing commitments to privacy and security,” Facebook says they’ll be cutting off access to certain APIs used to interface with user data while also making changes to their policies governing how third parties can use the Facebook platform. Furthermore, Facebook pledged to “regularly evaluate” how apps receive permission from users for access.

After a glance at the list of APIs Facebook is phasing out, one thing was clear: this is a legitimate move to modify the way that public APIs can be used to receive data on Facebook users. While there isn’t a broad commonality between the APIs, many of them do pertain to various forms of user interaction and information, and so Facebook is moving to curtail the previously freewheeling era of data access. However, that doesn’t mean that Facebook itself is doing anything different with user data — just that it’s going to restrict, for now, how others can use that information. In other words, it’s not a bad thing, but it’s also partially a calculated PR move. 

So, that’s a somewhat positive step, but what else is Facebook doing? The next moves are better, as their “platform policies” update now bans apps with “minimal utility” and bars developers from requesting user information that doesn’t directly contribute to the experience of a user inside the app. In other words, you can say goodbye to the basic personality quizzes whose sole purpose was to siphon off data to sell on to a third party. Since so much of what users interact with on Facebook is considered an “app” — it’s practically anything that a user didn’t submit personally — this will have some pretty far-reaching effects. Remember that Cambridge Analytica initially gathered the vast amount of data on Facebook users it had through a personality quiz app. With these changes, that wouldn’t be possible.

Finally, the last change is one we’re comfortable calling straight-up good: Facebook is making a big change to the way user permissions work. In the past, app developers would request reams of your information whether they needed it immediately or not, so they could just grab it all at once. Now, Facebook will automatically revoke permissions an app hasn’t used in 90 days — and the site will more proactively review app permissions to remove access to data it isn’t using. To get access to that information of yours again, developers would need to go through another manual review process. 

Ultimately, these are good steps forward — but Facebook’s business model is still all about monetizing your data for its own survival. That makes their “commitments to privacy and security” a little hard to swallow. While it’s nice to see Facebook taking some potentially positive steps for the safety and privacy of user data, it’s also a little bit like bailing water out of the Titanic — you’ve got a whole lot of bigger problems to deal with than this. 

Still, this is a development worth watching as Facebook did promise more information in the coming months. What that translates into remains to be seen, but we’ll see if perhaps Facebook has finally decided to try and turn their PR on privacy around. For now, we’ll remain cautiously optimistic.
