A family tracking app was leaking real-time location data

A popular family tracking app was leaking the real-time locations of more than 238,000 users for weeks after the developer left a server exposed without a password.

The app, Family Locator, built by Australia-based software house React Apps, allows families to track each other in real-time, such as spouses or parents wanting to know where their children are. It also lets users set up geofenced alerts to send a notification when a family member enters or leaves a certain location, such as school or work.

But the backend MongoDB database was left unprotected and accessible by anyone who knew where to look.

Sanyam Jain, a security researcher and a member of the GDI Foundation, found the database and reported the findings to TechCrunch.

Based on a review of the database, each account record contained a user’s name, email address, profile photo and their plaintext passwords. Each account also kept a record of their own and other family members’ real-time locations precise to just a few feet. Any user who had a geofence set up also had those coordinates stored in the database, along with what the user called them — such as “home” or “work.”

None of the data was encrypted.

TechCrunch verified the contents of the database by downloading the app and signing up using a dummy email address. Within seconds, our real-time location appeared as precise coordinates in the database.

We contacted one app user at random who, albeit surprised and startled by the findings, confirmed to TechCrunch that the coordinates found under their record were accurate. The Florida-based user, who did not want to be named, said that the coordinates stored in the database were the location of their business. The user also confirmed that a family member listed in the app was their child, a student at a nearby high school.

Several other records we reviewed also included the real-time locations of parents and their children.

TechCrunch spent a week trying to contact the developer, React Apps, to no avail. The company’s website had no contact information — nor did its bare-bones privacy policy. The website had a privacy-enabled hidden WHOIS record, masking the owner’s email address. We even bought the company’s business records from the Australian Securities & Investments Commission, only to learn the company owner’s name — Sandip Mann Singh — but no contact information. We sent several messages through the company’s feedback form, but received no acknowledgement.

On Friday, we asked Microsoft, which hosted the database on its Azure cloud, to contact the developer. Hours later, the database was finally pulled offline.

It’s not known precisely how long the database was exposed for. Singh still hasn’t acknowledged the data leak.

Homeland Security warns of critical flaws in Medtronic defibrillators

Homeland Security has issued a warning for a set of critical-rated vulnerabilities in Medtronic defibrillators which put the devices at risk of manipulation.

These small implantable cardioverter-defibrillators (ICDs) are placed in a patient’s chest to deliver small electrical shocks to prevent irregular or dangerously fast heartbeats, which can prove fatal. Most modern devices come with wireless or radio-based technology to allow patients to monitor their conditions and their doctors to adjust settings without having to carry out an invasive surgery.

But the government-issued alert warned that Medtronic’s proprietary radio communications protocol, known as Conexus, wasn’t encrypted and did not require authentication, allowing a nearby attacker with radio-intercepting hardware to modify data on an affected defibrillator.

Homeland Security gave the alert a 9.3 out of 10 rating, describing it as requiring “low skill level” to exploit.

It doesn’t mean that anyone with an affected defibrillator is suddenly a walking target for hackers. These devices aren’t always transmitting over radio, as that would be too battery intensive. Medtronic said patients would be most at risk while having their implant checked at their doctor’s office. At all other times, the defibrillator will only occasionally wake up and listen for a nearby monitoring device if one is in range, narrowing the scope of an attack.

More than 20 different Medtronic defibrillators and models are affected, the alert said, including the CareLink programmer used in doctor’s offices and the MyCareLink monitor used in patient homes.

Peter Morgan, founder and principal at Clever Security, found and privately reported the bug to Medtronic in January. In an email, Morgan told TechCrunch that the bugs weren’t easy to discover, but warned of a potential risk to patients.

“It is possible with this attack to cause harm to a patient, either by erasing the firmware that is giving necessary therapy to the patient’s heart, or by directly invoking shock-related commands on the defibrillator,” he said. “Since this protocol is unauthenticated, the ICD cannot discern if communications it’s receiving are coming from a trusted Medtronic device, or an attacker.”

A successful attacker could erase or reprogram the defibrillator’s firmware, and run any command on the device.

Medtronic said in its own advisory that it’s not aware of any patient whose device has been attacked, and that the company was “developing updates” to fix the vulnerabilities, but did not say when fixes would be rolled out.

The Food and Drug Administration (FDA), which regulates medical devices, provided a list of the affected devices.

It’s the latest example of smart medical devices taking a turn for the worse, even as spending in healthcare cybersecurity is set to become a $65 billion industry by 2021.

The FDA rolled out non-binding recommendations in 2016 advising medical device makers to practice better cybersecurity to prevent these kinds of flaws from occurring in the first place, and to “build in cybersecurity controls when they design and develop the device to assure proper device performance in the face of cyber threats.”

Yet this latest government alert marks the second time in two years Medtronic has been forced to respond to security flaws in its medical devices. In October, the company finally shuttered an internet-based software update system that put its pacemaker monitoring devices at risk.

Streaming site Kanopy exposed viewing habits of users, researcher says

On-demand video streaming site Kanopy has fixed a leaking server that exposed the detailed viewing habits of its users.

Security researcher Justin Paine discovered the leaking Elasticsearch database last week and warned Kanopy of the exposure. The server was secured two days later on March 18, a spokesperson told TechCrunch. “We are currently investigating the scope and cause as well as reviewing all of our security protocols.”

Kanopy is like Netflix but for classic movies and documentaries. The company partners with libraries and universities across the U.S. by allowing library card holders to access films for free.

In a blog post, Paine said the server contained between 25 million and 40 million daily logs, which he said could have identified all the videos searched for and watched from a user’s IP address.

“Depending on the videos being watched — that potentially could be embarrassing information,” he wrote.

The logs also contained geographical information, timestamps, and device types, he said. He noted that there was no other personally identifiable information — such as usernames and email addresses — attached to the logs. 

According to a report last year, Kanopy has more than 30,000 movies on its platform.

UK’s Police Federation hit by ransomware

The U.K.’s Police Federation has confirmed it’s been hit by a cyberattack.

The union-like organization, representing 119,000 police officers across the 43 forces in England and Wales, described the event as ransomware in a statement shared on Twitter.

The ransomware attack hit computers at the federation’s Surrey headquarters on March 9, but was only revealed Thursday. Several databases and email systems were encrypted, the organization said, leading to some disruption to its services. Its backup data had also been deleted.

“There is no evidence at this stage that any data was extracted from our systems but this cannot be discounted,” the organization said in a tweet.

None of the other 43 branches across the U.K. were affected, the statement said.

The National Crime Agency is investigating the attack, which the Police Federation said was “not targeted specifically” at the police organization but likely part of a wider campaign.

The organization reported the incident to the U.K.’s data protection regulator on March 11, within the required three days under European law.

A spokesperson for the Police Federation did not comment beyond the organization’s statements, and referred comment to the National Crime Agency, which did not immediately respond to questions.

The news comes two days after Norwegian aluminum manufacturer Norsk Hydro was hit by a strain of LockerGoga, a new kind of ransomware that first emerged earlier this year. The manufacturing giant said Thursday most of its operations have been restored.

Microsoft warns Windows 7 users of looming end to security updates

Microsoft has rolled out a patch that will warn Windows 7 users that security updates will soon come to an end.

The patch rolled out Wednesday warning users of the impending deadline, January 14, 2020, when the software giant will no longer roll out fixes for security flaws and vulnerabilities. The deadline comes some ten years after Windows 7 first debuted in 2009, more than half a decade before Microsoft’s most recent operating system Windows 10 was introduced.

Microsoft’s move to stop issuing security updates is part of the company’s ongoing effort to push users to its latest software, which has a stronger security foundation and improved mitigations against attacks.

Starting April 18, users on Windows 7 will begin receiving warnings about the approaching cut-off.

Windows 7 still commands some 40 percent of the desktop market, according to Net Applications. With exactly 300 days before the deadline, the clock is ticking on consumer security support.

Enterprise customers have the option to pay for extended security updates until 2023.

For years, Microsoft allowed Windows 7 users to upgrade to Windows 10 for free to try to encourage growth and upgrades. With those incentives gone, many only have the lack of security updates to look ahead to, which will put business data and systems at risk of cyberattack.

It’s almost unheard of for Microsoft to patch end-of-life software. In 2017, Microsoft released rare security patches for Windows XP — retired three years earlier — to prevent the spread of WannaCry, a ransomware strain that piggybacked off leaked hacking tools developed by the National Security Agency.

The ransomware outbreak knocked schools, businesses and hospitals offline.

Windows 7’s successor, Windows 8, will continue to receive updates until January 10, 2023.

Aluminum manufacturing giant Norsk Hydro shut down by ransomware

Norsk Hydro, one of the largest global aluminum manufacturers, has confirmed its operations have been disrupted by a ransomware attack.

The Oslo, Norway-based company said in a brief statement that the attack, which began early Tuesday, has impacted “most business areas,” forcing the aluminum maker to switch to manual operations.

“Hydro is working to contain and neutralize the attack, but does not yet know the full extent of the situation,” the company said in a statement posted to Facebook. It’s understood that the ransomware disabled a key part of the company’s smelting operations.

Employees were told to “not connect any devices” to the company’s network. Norsk Hydro’s website was also down at the time of writing.

Photo caption: A sheet of paper with information concerning a cyberattack (left) and one reading “Hydro is under a cyber attack, don’t plug your computer on the network unless we say so” are pictured on a window of the headquarters of the Norwegian aluminium group Norsk Hydro in Oslo, Norway on March 19, 2019. (Photo: Terje Pedersen/NTB Scanpix/AFP/Getty Images)

The company manufactures aluminum products, producing close to half a million tons each year, and is also a significant provider of hydroelectric power in the Nordic country.

Reuters said operations in Qatar and Brazil were also under manual operation, but the company said in a public disclosure with the Norwegian stock exchange there was “no indication” of impact on primary plants outside Norway.

“It is too early to assess the full impact of the situation. It is too early to assess the impact on customers,” said the aluminum maker.

Norway’s National Security Authority did not immediately respond to an email with questions, but told Reuters that the infection is likely LockerGoga, a new kind of digitally signed ransomware that went undetected until recently. The ransomware locks files and demands a ransom payment for a decryption key.

Security expert Kevin Beaumont said earlier this month that the malware was also used last month to target Altran, a Paris, France-based consulting firm. Beaumont said the malware doesn’t require a network connection or a command and control server like other ransomware strains. A sample of the ransomware shared with malware analysis site VirusTotal shows only a handful of anti-malware products can detect and neutralize the LockerGoga malware.

Norsk Hydro spokesperson Stian Hasle did not immediately comment.

Sprint customers say a glitch exposed other people’s account information

Several Sprint customers have said they are seeing other customers’ personal information in their online accounts.

One reader emailed TechCrunch with several screenshots describing the issue, warning that they could see other Sprint customers’ names and phone numbers. The reader said they informed the phone giant of the issue, and a Sprint representative said they had “several calls pertaining to the same issue.”

In all, the reader saw 22 numbers in a two-hour period, they said.

Several other customers complained of the same data-exposing bug. It’s unclear how widespread the issue is or for how long the account information leak persisted.

Another customer told TechCrunch how the Sprint account pages were initially throwing errors. The customer said they scrolled down their account page and saw several numbers that were not theirs. “I was able to click each one individually and see every phone call they made, the text messages they used, and the standard info, including caller ID name they have set,” the customer told TechCrunch.

Of the customers we’ve spoken to, some are pre-paid and others are contract.

We’ve reached out to Sprint for more but did not hear back. We’ll update when more comes in.

A huge trove of medical records and prescriptions found exposed

A health tech company was leaking thousands of doctor’s notes, medical records, and prescriptions daily after a security lapse left a server without a password.

The little-known software company, California-based Meditab, bills itself as one of the leading electronic medical records software makers for hospitals, doctor’s offices, and pharmacies. The company, among other things, processes electronic faxes for healthcare providers, still a primary method for sharing patient files to other providers and pharmacies.

But that fax server wasn’t properly secured, according to the security company that discovered the data.

SpiderSilk, a Dubai-based cybersecurity firm, told TechCrunch of the exposed server. The exposed fax server was running an Elasticsearch database that had accumulated over six million records since its creation in March 2018.

Because the server had no password, anyone could read the transmitted faxes in real-time — including their contents.

According to a brief review of the data, the faxes contained a host of personally identifiable information and health information, including medical records, doctor’s notes, prescription amounts and quantities, as well as illness information, such as blood test results. The faxes also included names, addresses, dates of birth, and in some cases Social Security numbers and health insurance information and payment data.

The faxes also included personal data and health information on children. None of the data was encrypted.

Two leaked documents found on the fax server, redacted. (Image: TechCrunch)

The server was hosted on a subdomain of MedPharm Services, a Puerto Rico-based affiliate of Meditab, both founded by Kalpesh Patel. MedPharm was spun out as a separate company in San Juan to take advantage of tax breaks for those who set up businesses on the island.

TechCrunch verified the records by contacting several patients who confirmed their details from the faxes.

When reached about the security lapse, Patel said the company was “looking into the issue to identify the problem and solution,” but deferred comment to the company’s general counsel, Angel Marrero.

“We are still reviewing our logs and records to assess the scope of any potential exposure,” said Marrero in an email.

We asked if the company planned to inform regulators and customers. Marrero said the company “will comply with any and all required notifications under current federal and state laws and regulations, as applicable.”

It’s not immediately known if anyone else discovered the exposed server, or how long the data was exposed.

Both Meditab and MedPharm claim to be compliant with HIPAA, the Health Insurance Portability and Accountability Act, which governs how healthcare providers properly manage patient data security.

Companies that expose data or violate the law can face hefty fines.

Last year was a year of “record” fines — some $25 million for several exposures and breaches, including $4.3 million in fines to the University of Texas for an inadvertent disclosure of encrypted personal health data, and a $3.5 million settlement by Fresenius following five separate breaches.

A spokesperson for the U.S. Department of Health and Human Services did not comment.

Facebook failed to block 20% of uploaded New Zealand shooter videos

Facebook said it removed 1.5 million videos from its site within the first 24 hours after a shooter livestreamed his attack on two New Zealand mosques, killing 50 people.

In a series of tweets, Facebook’s Mia Garlick said a total of 1.2 million videos were blocked at the point of upload. Videos that included “praise or support” for the attack were also removed, she said, using a mix of automated technologies — like audio detection — and human content moderators.

Facebook did not say why the 300,000 videos were not caught at upload, representing a 20 percent failure rate.

The cherry-picked “vanity” statistics only account for the total number of uploaded videos that Facebook knows about. TechCrunch found several videos posted to Facebook more than 12 hours after the attack. Some are calling on Facebook to release the engagement figures — such as how many views, shares and reactions were made before the videos were taken down — which critics say is a more accurate measure of how far the videos spread.

The attack on Friday targeted worshippers during morning prayers in Christchurch, New Zealand. Police said they apprehended the shooter about half an hour after reports of the first attack came in.

The 28-year-old suspected shooter, charged with murder, livestreamed the video to Facebook using a head-mounted camera, typically used to record sporting events in first-person. Facebook closed the attacker’s account within an hour of the attack, but the video had already been shared across Facebook, Twitter and YouTube. The shooter described himself as a self-professed fascist, according to a “manifesto” he posted shortly before the attacks. The tech companies have faced criticism for not responding to the emerging threat of violence associated with white nationalism, compared to actions taken against content in support of the so-called Islamic State group and the spread of child abuse imagery.

New Zealand prime minister Jacinda Ardern said on Sunday that social media giants like Facebook had to face “further questions” about their response to the event. Facebook second-in-command Sheryl Sandberg reportedly reached out to Ardern following the attacks.

When reached, Facebook did not comment beyond Garlick’s tweeted comments.

Beto O’Rourke could be the first hacker president

Democratic presidential candidate Beto O’Rourke has revealed he was a member of a notorious decades-old hacking group.

The former congressman was a member of the Texas-based hacker group, the Cult of the Dead Cow, known for inspiring early hacktivism in the internet age and building exploits and hacks for Microsoft Windows. The group used the internet as a platform in the 1990s to protest real-world events, often promoting human rights and denouncing censorship. Among its many releases, the Cult of the Dead Cow was best known for its Back Orifice program, a remote access and administration tool.

O’Rourke went by the handle “Psychedelic Warlord,” as revealed by Reuters, which broke the story.

But as he climbed the political ranks, first elected to the El Paso city council in 2005, he reportedly grew concerned that his membership with the group would harm his political aspirations. The group’s members kept O’Rourke’s secret safe until the ex-hacker confirmed to Reuters his association with the group.

Reuters described him as the “most prominent ex-hacker in American political history,” who on Thursday announced his candidacy for president of the United States.

If he wins the White House, he would become the first hacker president.

O’Rourke’s history sheds light on how the candidate approaches and understands the technological issues that face the U.S. today. He’s one of the few presidential candidates to run for the White House with more than a modicum of tech knowledge — and the crucial awareness of the good and the problems tech can bring at a policy level.

“I understand the democratizing power of the internet, and how transformative it was for me personally, and how it leveraged the extraordinary intelligence of these people all over the country who were sharing ideas and techniques,” O’Rourke told Reuters.

The 46-year-old has yet to address supporters about the new revelations.