Cyber Saturday—Phone Location Spying, Kaspersky’s FBI Tip, ‘El Chapo’ Compromised

Last week’s column admonished IBM’s The Weather Company for being unclear about the way The Weather Channel app, its weather forecasting service, uses people’s location data. The infraction seems meager in comparison to the abuses that plague location aggregator services–and their downstream clients–which source data from mobile carriers.

These aggregators, barnacles of the telecom industry, depend on cellular giants, like AT&T, Verizon, Sprint, and T-Mobile, for their livelihood. They sell data access to other companies, which sell it to others still. Phone holders have no choice but to opt in. People’s devices beacon out to cell towers at all times, triangulating their positions, simply by virtue of being on the grid. There is no hiding; everyone’s back bears a target.

For a small fee, anyone with the right connections can hire an unscrupulous marksman to find a person’s phone through a chain of relationships that extends back to these aggregators. Joseph Cox, a reporter at Vice Motherboard, knew a guy who knew a guy, as they say. In an investigation published this week, Cox exposed the underground market for pinpointing handsets. He paid a bounty hunter $300 to geolocate a phone within a few hundred meters, providing nothing more than its phone number.

Cox’s investigation delivers a near-fatal blow to a market segment that has been on life support since the New York Times exposed one particularly egregious offender last year. After that report revealed how a network of data misuse enabled a tool from a company called Securus to track just about anyone’s phone in the country, mobile carriers began unwinding their relationships with aggregators. At the time, Verizon said it would end its relationships, save for a few exceptions, including for fraud prevention and call routing purposes. AT&T similarly said it would limit its relationships to areas such as credit risk assessment and roadside assistance. Sprint and T-Mobile said they were reviewing and canceling contracts with aggregators too.

In light of the latest breach of conduct uncovered by Motherboard, even these reduced relationships face the chopping block. AT&T said it will end all relationships with aggregators by March–even in cases where these ties might have benefited people. (Your car breaks down.) Sprint said it terminated its relationship with Zumigo, the aggregator that provided data to another company, Microbilt, in the Motherboard example, which then sold it on to others, like bail bondsmen and bounty hunters. A Sprint spokesperson declined to reveal whether the company would end all relationships, following AT&T’s lead. Verizon and T-Mobile did not respond to Fortune’s requests for comment.

Cox’s exposé serves as a reminder that phones are the world’s ablest spies. As telecom companies either reject or clamp down on aggregators, the potential for location-tracking abuses diminishes–but does not disappear entirely. Risk shifts upstream to the carriers themselves.

Let’s hope for greater oversight at the top.

Robert Hackett

@rhhackett

robert.hackett@fortune.com

Welcome to the Cyber Saturday edition of Data Sheet, Fortune’s daily tech newsletter. Fortune reporter Robert Hackett here. You may reach Robert Hackett via Twitter, Cryptocat, Jabber (see OTR fingerprint on my about.me), PGP encrypted email (see public key on my Keybase.io), Wickr, Signal, or however you (securely) prefer. Feedback welcome.

THREATS

In the tip jar. The U.S. government supposedly found the suspect for a massive theft of classified intelligence and hacking tools thanks to a tip from Kaspersky Lab, a Russian antivirus software-maker. Kaspersky researchers are said to have alerted U.S. authorities to the breach’s suspected culprit after receiving mysterious Twitter messages from a person they identified as Harold T. Martin III, a National Security Agency contractor who stands accused of stealing the spy materials. This new information, reported by Politico, seems to complicate the government’s position that Kaspersky represents a national security threat.

I’m going to Disneyland. A Massachusetts court has sentenced a local man to 10 years in prison for unleashing distributed denial of service attacks on children’s hospitals in the U.S. The accused, Martin Gottesfeld, 34, plans to file an appeal, his wife told ZDNet. An interesting tidbit from the story: Before his arrest, “Gottesfeld tried to flee to Cuba in a rented boat, but the trip didn’t go as planned. He was rescued from the Gulf of Mexico by a Disney ship that answered his SOS call and brought back to the US.” So close.

Keys to the kingdom. Much of the strongest evidence federal investigators have presented in court against Joaquín Guzmán Loera, the Mexican drug lord known as El Chapo, consists of voice recordings obtained by subverting the cartel’s supposedly secure communications system. An undercover agent for the Federal Bureau of Investigation recruited the system’s designer, a Colombian IT worker named Christian Rodriguez, to help the agency infiltrate the network, reports the New York Times. NSO Group, a controversial Israeli spyware shop, apparently played a part in the kingpin’s takedown, per Ynetnews, the English-language website of Yedioth Ahronoth, a popular Israeli newspaper.

Death note. Several cybersecurity firms have published investigations into the so-called Ryuk ransomware campaign that recently ground several national newspaper operations to a halt. The companies believe the culprits were Russian-speaking cybercriminals, rather than agents of North Korea, an idea that had been floated. From McAfee: “The most likely hypothesis in the Ryuk case is that of a cybercrime operation developed from a tool kit offered by a Russian-speaking actor.” CrowdStrike agreed.

The perimeter defense model in action.


ACCESS GRANTED

Try next door. A man and his mother endure frequent home intrusions by unwelcome visitors in this harrowing Gizmodo story. To blame: faulty mapping of IP addresses to physical locations in a particular database operated by a company called MaxMind. To represent the geographic center of the family’s hometown, the business used erroneously precise coordinates, sourced from a U.S. intelligence agency, which were pinned on the pair’s home.

The visitors started coming in 2013. The first one who came and refused to leave until he was let inside was a private investigator named Roderick. He was looking for an abducted girl, and he was convinced she was in the house.

John S. and his mother Ann live in the house, which is in Pretoria, the administrative capital of South Africa and next to Johannesburg. They had not abducted anyone, so they called the police and asked for an officer to come over. Roderick and the officer went through the home room by room, looking into cupboards and under beds for the missing girl. Roderick claimed to have used a “professional” tracking device “that could not be wrong,” but the girl wasn’t there.

ONE MORE THING

Let me see ya grill. An archaeologist discovered traces of lapis lazuli, a semiprecious ultramarine stone, in the mouth of a medieval German nun. This once-highly prized blue pigment, which originated in Afghani mines and traveled along the Silk Road trade route, was used to decorate illuminated manuscripts a millennium ago. The discovery suggests that women played a historically more important role as scribes than previously thought. “Religious women were not only literate but also prolific producers and consumers of books,” write the authors of a research paper documenting the find.