MacDirectory magazine is the premiere creative lifestyle magazine for Apple enthusiasts featuring interviews, in-depth tech reviews, Apple news, insights, latest Apple patents, apps, market analysis, entertainment and more.
Issue link: https://digital.macdirectory.com/i/1471136
Krebs on Security reports that criminals are using forged Emergency Data Requests (EDRs) to trick tech companies into handing over user data. What is an EDR, you ask? As Krebs explains: …in certain circumstances — such as a case involving imminent harm or death — an investigating authority may make what’s known as an Emergency Data Request (EDR), which largely bypasses any official review and does not require the requestor to supply any court-approved documents. According to a Bloomberg report, insiders say that Apple and Facebook both fell for these scams, providing “basic subscriber details, such as a customer’s address, phone number and IP address…” Of course, you can’t just send an EDR to a tech company from your Gmail account and expect them to answer it! The reason that these fake EDRs are working is that the bad guys have hacked police and government agencies, and are using the compromised websites to send emails from official accounts. That makes it very hard for the folks in Silicon Valley to know if a request is legitimate or not. The fallout from phony EDRs So what are the hackers doing with all of this information? People familiar with the investigation into the incidents say that criminals are using it for harassment campaigns — and we have to warn you, it’s some truly awful stuff. In a separate piece, Bloomberg says: The fraudulently obtained data has been used to target specific women and minors, and in some cases to pressure them into creating and sharing sexually explicit material and to retaliate against them if they refuse… What can be done about fake EDRs? The issue of fraudulent EDRs doesn’t have an easy solution. There are tons of police stations and government accounts around the world. They have varying degrees of security protection for their IT infrastructure. Long story short: some of them are going to get hacked, and that’s not going to change any time soon. Alex Stamos, former Chief Security Officer at Facebook, suggests that police departments take steps to prevent account compromises from happening in the first place, such as implementing two-factor authentication for their employees. But what about tech companies? How can they know if an EDR is coming from a hacked account or not? Stamos says that companies might want to require confirmation callbacks so that they can verify that the person requesting an EDR is really who they say they are. Another idea, floated by former FBI agent Matt Donahue in a Krebs on Security interview, is to create a system that assigns a trustworthiness rating to EDR requesters. It would work a bit like a “credit rating” for the police departments and governments making EDRs. Anyone using the system would also be able to see information about the individual making the request that could help them determine whether or not it was genuine. IoT attacks on the rise The Internet of Things (IoT) is under attack, according to VentureBeat. The report says that there were 900 million attacks against IoT devices in 2021. The list of attacked devices includes routers, storage devices, access points, cameras, and smart home devices.