Privacy, Security Archive

Revealed: leak uncovers global abuse of cyber-surveillance weapon

Human rights activists, journalists and lawyers across the world have been targeted by authoritarian governments using hacking software sold by the Israeli surveillance company NSO Group, according to an investigation into a massive data leak. The investigation by the Guardian and 16 other media organisations suggests widespread and continuing abuse of NSO’s hacking spyware, Pegasus, which the company insists is only intended for use against criminals and terrorists. Pegasus is a malware that infects iPhones and Android devices to enable operators of the tool to extract messages, photos and emails, record calls and secretly activate microphones. Is anyone really surprised? Smartphones are the ideal tools for authoritarian regimes – cameras, microphones, GPS, and other sensors in one neat little package, always on the person, ready to be exploited. Of course criminal regimes are going to abuse them, and of course no smartphone is safe.

Public key cryptography: OpenSSH private keys

When you create standard RSA keys with ssh-keygen you end up with a private key in PEM format, and a public key in OpenSSH format. Both have been described in detail in my post Public key cryptography: RSA keys. In 2014, OpenSSH introduced a custom format for private keys that is apparently similar to PEM but is internally completely different. This format is used by default when you create ed25519 keys and it is expected to be the default format for all keys in the future, so it is worth having a look. An in-depth analysis of what’s inside the OpenSSH private key format and how it is different from the standard PEM format.

The long hack: how China exploited a US tech supplier

Remember that story from two years ago, about how China had supposedly infiltrated the supply chain of Supermicro? The story was denied by American intelligence agencies and the CEOs of Apple and Amazon, but today, Bloomberg posted a follow-up piece with more sources, both anonymous and named, that the story was, in fact, real, and probably a lot bigger, too. The article lists several attacks that have taken place, all using hardware from Supermicro. Each of these distinct attacks had two things in common: China and Super Micro Computer Inc., a computer hardware maker in San Jose, California. They shared one other trait; U.S. spymasters discovered the manipulations but kept them largely secret as they tried to counter each one and learn more about China’s capabilities. Bloomberg is clearly sticking by and expanding its story, so this means it’s their and their sources’ word against that of giant corporations and American intelligence agencies, and we all know giant corporations and American intelligence agencies never lie. Right?

SerenityOS: writing a full chain exploit

I recently came across SerenityOS when it was featured in hxp CTF and then on LiveOverflow’s YouTube channel. SerenityOS is an open source operating system written from scratch by Andreas Kling and now has a strong and active community behind it. If you’d like to learn a bit more about it then the recent CppCast episode is a good place to start, as well as all of the fantastic videos by Andreas Kling. Two of the recent videos were about writing exploits for a typed array bug in javascript, and a kernel bug in munmap. The videos were great to watch and got me thinking that it would be fun to try and find a couple of bugs that could be chained together to create a full chain exploit such as exploiting a browser bug to exploit a kernel bug to get root access. You don’t get articles like this very often – exploiting a small hobby operating system? Sure, why not.

A look at GSM

There are well documented security flaws in GSM, and publicly available tools to exploit them. At the same time, it has become considerably cheaper and easier to analyze GSM traffic over the past few years. Open source tools such as gr-gsm have matured, and the community has developed methods for capturing the GSM spectrum without the need for expensive SDR radios. With less than $100 and a weekend it’s possible to capture and analyze GSM traffic. With some extra effort it’s possible to decrypt your own traffic, and depending on how your mobile provider has set up their network it may even be possible for somebody else to illegally decrypt traffic they don’t own. GSM is terrifying.

WhatsApp delays privacy changes following backlash

The WhatsApp messaging service announced on Friday that it would delay changes to new business features after people around the world criticized the new policy. The Facebook-owned company said it is “going to do a lot more to clear up misinformation around how privacy and security works on WhatsApp.” Privacy rights activists heavily criticized the WhatsApp changes, saying it was the latest step showing Facebook’s poor handling of user data. The real issue was a far larger than expected exodus of users to services like Signal and Telegram. I doubt Facebook will actually make any meaningful changes – instead, we’ll see a different tone or wording.

Steam’s login method is kinda interesting

How do you send a password over the internet? You acquire a SSL certificate and let TLS do the job of securely transporting the password from client to server. Of course it’s not as cut-and-dry as I’m making it out to be, but the gist of it holds true and stood the test of time. This hasn’t always been this way though, and one incredibly popular storefront on the world wide web prefers to add a little extra to this day. I’ll be discussing Steam’s unique method of logging in their users, and go down a deep rabbit hole of fascinating implementation details. Not exactly my cup of tea, but if there’s one thing I’ve learned over the years here at OSNews, it’s that the most obscure stuff can generate a lot of interest. So, here you go.

Apple’s privacy labels reveals Whatsapp and Facebook Messenger’s hunger for user data

When Apple unveiled major privacy upgrades at the WWDC 2020 for its iOS14, a battle royale broke out between the tech giant and Facebook. The social media giant claimed user data was critical to its ability to serve relevant ads and that Apple’s policies would stymie small business. As the world now grapples with Facebook’s privacy changes that require users to compulsorily share their Whatsapp data with the social media platform, Apple’s privacy labels update all but confirms what we always knew. That, data collected by Whatsapp and Facebook Messenger is far in excess of what its competitors do. Apple’s privacy labels are a great idea, and despite Google being a data-hungry company, I wouldn’t be surprised if they make their way to Android soon, too. I love how they make the contrast between various applications so incredibly stark and clear. Good move by Apple.

The EU may be looking into breaking end-to-end encrypted chats

The EU is often at the forefront of consumer protection when it comes to privacy laws like the GDPR. But now it looks like the Council of the European Union might undermine all of this with a move to cancel secure end-to-end encryption as we know it, the ORF (Austrian Broadcasting Corporation) reports. The ORF obtained an internal draft in which the Council argues that the motion is meant as a counteract against terrorism, pointing to last week’s Vienna shooting. However, it’s becoming increasingly clear that the terror attack could’ve been prevented without further surveillance powers if it wasn’t for egregious mistakes in the Austrian counterterrorism office. It seems like the attack is used as a pretense to gain public support. Throwing babies out with the bathwater under nebulous claims of “but terrorism!” isn’t just an American thing. For now, this is just a proposal by one cog in the EU government machine and it’s unlikely to go anywhere (for now!), but wheels are definitely in motion, and just like our friends in the US, we have to remain vigilant for politicians abusing terrorist attacks to erode our rights and freedoms.

Online voting vendor Voatz urges Supreme Court to limit security research

The Supreme Court is considering whether to adopt a broad reading of the Computer Fraud and Abuse Act that critics say could criminalize some types of independent security research and create legal uncertainty for many security researchers. Voatz, an online voting vendor whose software was used by West Virginia for overseas military voters in the 2018 election, argues that this wouldn’t be a problem. “Necessary research and testing can be performed by authorized parties,” Voatz writes in an amicus brief to the Supreme Court. “Voatz’s own security experience provides a helpful illustration of the benefits of authorized security research, and also shows how unauthorized research and public dissemination of unvalidated or theoretical security vulnerabilities can actually cause harmful effects.” As it happens, we covered a recent conflict between Voatz and an independent security researcher in last Thursday’s deep dive on online voting. And others involved in that altercation did not see it the way Voatz did. This reminds me of TurboTax in the United States, who lobbies aggressively to keep filing taxes as difficult as possible as to protect its business.

Hospital devices exposed to hacking with unsupported operating systems

As reported on CNET today: A huge proportion of internet-connected imaging devices at hospitals run outdated operating systems, according to research released Tuesday by Palo Alto Networks, a cybersecurity firm. The company found that 83% of these devices run on outdated software that can’t be updated even when it contains known vulnerabilities that hackers can exploit. This is such a serious issue, but most people are oblivious to the problem of critical legacy systems that cannot be upgraded. Most critics just make uninformed statements like “upgrade” to a modern OS, but it’s usually a cocktail of ageing hardware and legacy software requirements that will stop upgrades from happening.

How the CIA used Crypto AG encryption devices to spy on countries for decades

For more than half a century, governments all over the world trusted a single company to keep the communications of their spies, soldiers and diplomats secret. The company, Crypto AG, got its first break with a contract to build code-making machines for U.S. troops during World War II. Flush with cash, it became a dominant maker of encryption devices for decades, navigating waves of technology from mechanical gears to electronic circuits and, finally, silicon chips and software. But what none of its customers ever knew was that Crypto AG was secretly owned by the CIA in a highly classified partnership with West German intelligence. These spy agencies rigged the company’s devices so they could easily break the codes that countries used to send encrypted messages. The article is behind a paywall, sadly, but I figured it’s important enough to link to.

Wacom drawing tablets track the name of every application that you open

I suspect that Wacom doesn’t really think that it’s acceptable to record the name of every application I open on my personal laptop. I suspect that this is why their privacy policy doesn’t really admit that this is what they do. I imagine that if pressed they would argue that the name of every application I open on my personal laptop falls into one of their broad buckets like “aggregate data” or “technical session information”, although it’s not immediately obvious to me which bucket. Does Wacom have any competitors? Can you even vote with your wallet, or is this yet another market that isn’t really a market at all?

Britain knows it’s selling out its national security to Huawei

The real reason for Britain’s nonexclusion of Huawei was kept under wraps by its government: fear of retaliation. After Brexit, London sees itself as dependent on Beijing’s goodwill. In an interview with the Global Times on Jan. 20, the Chinese ambassador to Britain made it clear that an exclusion of Huawei would severely damage economic and political relations. And for Johnson, the threats from Beijing—a government with expansive control over its national economy—were more credible than those of U.S. President Donald Trump’s administration. Of course, fear isn’t much of an appealing public justification, especially for someone such as Johnson, who wants to project the image of a fearless leader. That’s why the government has come up with an extensive technical justification for the decision—an explanation that’s full of contradictions. Wait, you mean to tell me that going alone instead of being part of the biggest trade and power block after the US opens you up to manipulation and spying by and subservience to the likes of China and Russia? This should make it clear to the US and the EU that the UK should not be trusted with intelligence data.

Google releases open-source 2FA security key platform called OpenSK

Two-factor security is a basic requirement these days if you want to take your digital responsibilities seriously, but some hardware lacks the sort of public documentation that some privacy advocates feel is truly necessary to provide ideal security. Open source enthusiasts will be glad to hear that Google has just announced the release of OpenSK, an open-source implementation for security keys, supporting both FIDO U2F and FIDO2. I’ve always loved the idea of carrying a small piece of hardware to serve as an authentication device, but I’ve never done any serious research into the concept. Of course, any such system would need to be 100% open source, so maybe OpenSK is a contender.

Avast sells user data collected by its antivirus software

An antivirus program used by hundreds of millions of people around the world is selling highly sensitive web browsing data to many of the world’s biggest companies, a joint investigation by Motherboard and PCMag has found. Our report relies on leaked user data, contracts, and other company documents that show the sale of this data is both highly sensitive and is in many cases supposed to remain confidential between the company selling the data and the clients purchasing it. The documents, from a subsidiary of the antivirus giant Avast called Jumpshot, shine new light on the secretive sale and supply chain of peoples’ internet browsing histories. They show that the Avast antivirus program installed on a person’s computer collects data, and that Jumpshot repackages it into various different products that are then sold to many of the largest companies in the world. Some past, present, and potential clients include Google, Yelp, Microsoft, McKinsey, Pepsi, Sephora, Home Depot, Condé Nast, Intuit, and many others. Some clients paid millions of dollars for products that include a so-called “All Clicks Feed,” which can track user behavior, clicks, and movement across websites in highly precise detail. Is anybody really surprised by this? Antivirus companies have been scammers for a long time now, spreading fear and anxiety amongst primarily less knowledgeable users, tricking and scamming them into paying exorbitant amounts of money for tools that are not needed, do not work, slow computers down, and in many cases, actively harm operating systems. Of course, with these programs running with unparalleled access to many Windows machines, we all knew antivirus companies would resort to selling user data to make an extra buck, sinking even deeper. You don’t need anything more than what your operating system provides, whether you use Windows, Linux, macOS, Android, or iOS.

Microsoft Office update switches Chrome search engine to Bing

Microsoft is planning to use the Office 365 installer to forcibly switch Chrome users over to the company’s Bing search engine. Microsoft’s Office 365 ProPlus installer, used by businesses, will include a new Chrome extension next month that switches the default search engine to Bing. New installations of Office 365 ProPlus and updated installs will include the extension, as long as the default search engine in Chrome is not set to Bing. Microsoft is clearly marketing this to IT admins as enabling its Microsoft Search functionality in Chrome, but it also looks like a stealthy way of pushing people over to using Bing. If Bing is already set as the default search engine in Chrome, then the extension never gets installed. Microsoft is planning to roll this out in the US, UK, Australia, Canada, France, Germany, and India next month. Windows is an advertising platform. Get out while you can.

Twelve million phones, one dataset, zero privacy

Every minute of every day, everywhere on the planet, dozens of companies — largely unregulated, little scrutinized — are logging the movements of tens of millions of people with mobile phones and storing the information in gigantic data files. The Times Privacy Project obtained one such file, by far the largest and most sensitive ever to be reviewed by journalists. It holds more than 50 billion location pings from the phones of more than 12 million Americans as they moved through several major cities, including Washington, New York, San Francisco and Los Angeles. Each piece of information in this file represents the precise location of a single smartphone over a period of several months in 2016 and 2017. The data was provided to Times Opinion by sources who asked to remain anonymous because they were not authorized to share it and could face severe penalties for doing so. The sources of the information said they had grown alarmed about how it might be abused and urgently wanted to inform the public and lawmakers. We all know this is happening, yet there’s very little we can do about it – save for living far away in the woods, disconnected from everything. There’s cameras everywhere, anything with any sort of wireless connection – from smartphone to dumbphone – is tracked at the carrier level, and even our lightbulbs are ‘smart’ these days. Yet, despite knowing this is happening, it’s still eye-opening to see it in such detail as discovered by The New York Times.

64 bits ought to be enough for anybody!

How quickly can we use brute force to guess a 64-bit number? The short answer is, it all depends on what resources are available. So we’re going to examine this problem starting with the most naive approach and then expand to other techniques involving parallelization. We’ll discuss parallelization at the CPU level with SIMD instructions, then via multiple cores, GPUs, and cloud computing. Along the way we’ll touch on a variety of topics about microprocessors and some interesting discoveries, e.g., adding more cores isn’t always an improvement, and not all cloud vCPUs are equivalent.

SMS replacement is exposing users to text, call interception thanks to sloppy telecos

A standard used by phone carriers around the world can leave users open to all sorts of attacks, like text message and call interception, spoofed phone numbers, and leaking their coarse location, new research reveals. The Rich Communication Services (RCS) standard is essentially the replacement for SMS. The news shows how even as carriers move onto more modern protocols for communication, phone network security continues to be an exposed area with multiple avenues for attack in some implementations of RCS. Off to a great start for a technology nobody is waiting for. WhatsApp and WeChat have replaced SMS, and unencrypted, vulnerable nonsense like RCS is not going to change a single thing about that.