Privacy, Security Archive

How the CIA used Crypto AG encryption devices to spy on countries for decades

For more than half a century, governments all over the world trusted a single company to keep the communications of their spies, soldiers and diplomats secret. The company, Crypto AG, got its first break with a contract to build code-making machines for U.S. troops during World War II. Flush with cash, it became a dominant maker of encryption devices for decades, navigating waves of technology from mechanical gears to electronic circuits and, finally, silicon chips and software. But what none of its customers ever knew was that Crypto AG was secretly owned by the CIA in a highly classified partnership with West German intelligence. These spy agencies rigged the company’s devices so they could easily break the codes that countries used to send encrypted messages. The article is behind a paywall, sadly, but I figured it’s important enough to link to.

Wacom drawing tablets track the name of every application that you open

I suspect that Wacom doesn’t really think that it’s acceptable to record the name of every application I open on my personal laptop. I suspect that this is why their privacy policy doesn’t really admit that this is what that they do. I imagine that if pressed they would argue that the name of every application I open on my personal laptop falls into one of their broad buckets like “aggregate data” or “technical session information”, although it’s not immediately obvious to me which bucket. Does Wacom have any competitors? Can you even vote with your wallet, or is this yet another market that isn’t really a market at all?

Britain knows it’s selling out its national security to Huawei

The real reason for Britain’s nonexclusion of Huawei was kept under wraps by its government: fear of retaliation. After Brexit, London sees itself as dependent on Beijing’s goodwill. In an interview with the Global Times on Jan. 20, the Chinese ambassador to Britain made it clear that an exclusion of Huawei would severely damage economic and political relations. And for Johnson, the threats from Beijing—a government with expansive control over its national economy—were more credible than those of U.S. President Donald Trump’s administration. Of course, fear isn’t much of an appealing public justification, especially for someone such as Johnson, who wants to project the image of a fearless leader. That’s why the government has come up with an extensive technical justification for the decision—an explanation that’s full of contradictions. Wait, you mean to tell me that going alone instead of being part of the biggest trade and power block after the US opens you up to manipulation and spying by and subservience to the likes of China and Russia? This should make it clear to the US and the EU that the UK should not be trusted with intelligence data.

Google releases open-source 2FA security key platform called OpenSK

Two-factor security is a basic requirement these days if you want to take your digital responsibilities seriously, but some hardware lacks the sort of public documentation that some privacy advocates feel is truly necessary to provide ideal security. Open source enthusiasts will be glad to hear that Google has just announced the release of OpenSK, an open-source implementation for security keys, supporting both FIDO U2F and FIDO2. I’ve always loved the idea of carrying a small piece of hardware to serve as an authentication device, but I’ve never done any serious research into the concept. Of course, and such system would need to be 100% open source, so maybe OpenSK is a contender.

Avast sells user data collected by its antivirus software

An antivirus program used by hundreds of millions of people around the world is selling highly sensitive web browsing data to many of the world’s biggest companies, a joint investigation by Motherboard and PCMag has found. Our report relies on leaked user data, contracts, and other company documents that show the sale of this data is both highly sensitive and is in many cases supposed to remain confidential between the company selling the data and the clients purchasing it. The documents, from a subsidiary of the antivirus giant Avast called Jumpshot, shine new light on the secretive sale and supply chain of peoples’ internet browsing histories. They show that the Avast antivirus program installed on a person’s computer collects data, and that Jumpshot repackages it into various different products that are then sold to many of the largest companies in the world. Some past, present, and potential clients include Google, Yelp, Microsoft, McKinsey, Pepsi, Sephora, Home Depot, Condé Nast, Intuit, and many others. Some clients paid millions of dollars for products that include a so-called “All Clicks Feed,” which can track user behavior, clicks, and movement across websites in highly precise detail. Is anybody really surprised by this? Antivirus companies have been scammers for a long time now, spreading fear and anxiety amongst primarily less knowledgeable users, tricking and scamming them into paying exorbitant amounts of money for tools that are not needed, do not work, slow computers down, and in many cases, actively harm operating systems. Of course, with these programs running with unparalleled access to many Windows machines, we all knew antivirus companies would resort to selling user data to make an extra buck, sinking even deeper. You don’t need anything more than what your operating system provides, whether you use Windows, Linux, macOS, Android, or iOS.

Microsoft Office update switches Chrome search engine to Bing

Microsoft is planning to use the Office 365 installer to forcibly switch Chrome users over to the company’s Bing search engine. Microsoft’s Office 365 ProPlus installer, used by businesses, will include a new Chrome extension next month that switches the default search engine to Bing. New installations of Office 365 ProPlus and updated installs will include the extension, as long as the default search engine in Chrome is not set to Bing. Microsoft is clearly marketing this to IT admins as enabling its Microsoft Search functionality in Chrome, but it also looks like a stealthy way of pushing people over to using Bing. If Bing is already set as the default search engine in Chrome, then the extension never gets installed. Microsoft is planning to roll this out in the US, UK, Australia, Canada, France, Germany, and India next month. Windows is an advertising platform. Get out while you can.

Twelve million phones, one dataset, zero privacy

Every minute of every day, everywhere on the planet, dozens of companies — largely unregulated, little scrutinized — are logging the movements of tens of millions of people with mobile phones and storing the information in gigantic data files. The Times Privacy Project obtained one such file, by far the largest and most sensitive ever to be reviewed by journalists. It holds more than 50 billion location pings from the phones of more than 12 million Americans as they moved through several major cities, including Washington, New York, San Francisco and Los Angeles. Each piece of information in this file represents the precise location of a single smartphone over a period of several months in 2016 and 2017. The data was provided to Times Opinion by sources who asked to remain anonymous because they were not authorized to share it and could face severe penalties for doing so. The sources of the information said they had grown alarmed about how it might be abused and urgently wanted to inform the public and lawmakers. We all know this is happening, yet there’s very little we can do about it – save for living far away in the woods, disconnected from everything. There’s cameras everywhere, anything with any sort of wireless connection – from smartphone to dumbphone – is tracked at the carrier level, and even our lightbulbs are ‘smart’ these days. Yet, despite knowing this is happening, it’s still eye-opening to see it in such detail as discovered by The New York Times.

64 bits ought to be enough for anybody!

How quickly can we use brute force to guess a 64-bit number? The short answer is, it all depends on what resources are available. So we’re going to examine this problem starting with the most naive approach and then expand to other techniques involving parallelization. We’ll discuss parallelization at the CPU level with SIMD instructions, then via multiple cores, GPUs, and cloud computing. Along the way we’ll touch on a variety of topics about microprocessors and some interesting discoveries, e.g., adding more cores isn’t always an improvement, and not all cloud vCPUs are equivalent.

SMS replacement is exposing users to text, call interception thanks to sloppy telecos

A standard used by phone carriers around the world can leave users open to all sorts of attacks, like text message and call interception, spoofed phone numbers, and leaking their coarse location, new research reveals. The Rich Communication Services (RCS) standard is essentially the replacement for SMS. The news shows how even as carriers move onto more modern protocols for communication, phone network security continues to be an exposed area with multiple avenues for attack in some implementations of RCS. Off to a great start for a technology nobody is waiting for. WhatsApp and WeChat have replaced SMS, and unencrypted, vulnerable nonsense like RCS is not going to change a single thing about that.

1Password takes 200 million in venture capital

I wanted to be the first one to tell you: I’m incredibly proud to announce that we’ve partnered with Accel to help 1Password continue the amazing growth and success we’ve seen over the past 14 years. Accel will be investing USD$200 million for a minority stake in 1Password. Along with the investment – their largest initial investment in their 35-year history – Accel brings the experience and expertise we need to grow further and faster. I use 1Password, and I’m deeply skeptical of venture capital investments like these. 1Password has been profitable since its founding, so this investment is not a make-or-break kind of thing, which makes me worried about the future. Password managers require a lot of trust from their users, and trust is not something I give to venture capitalists.

Attorney general Bill Barr will ask Zuckerberg to halt plans for end-to-end encryption across Facebook’s apps

Attorney General Bill Barr, along with officials from the United Kingdom and Australia, is set to publish an open letter to Facebook CEO Mark Zuckerberg asking the company to delay plans for end-to-end encryption across its messaging services until it can guarantee the added privacy does not reduce public safety. A draft of the letter, dated Oct. 4, is set to be released alongside the announcement of a new data-sharing agreement between law enforcement in the US and the UK; it was obtained by BuzzFeed News ahead of its publication. The forces are closing in on end-to-end encryption, and with the bizarre constitutional crises both the US and the UK are experiencing, I would be even more worried about this than I’d be under normal circumstances.

A glut of iOS 0-days pushes their price below cost of those for Android

For the first time ever, the security exploit broker Zerodium is paying a higher price for zero-day attacks that target Android than it pays for comparable attacks targeting iOS. The company provided a message to Ars, stating that while Google and Samsung have worked hard to significantly improve the security of Android. During the last few months, we have observed an increase in the number of iOS exploits, mostly Safari and iMessage chains, being developed and sold by researchers from all around the world. The zero-day market is so flooded by iOS exploits that we’ve recently started refusing some  them. On the other hand, Android security is improving with every new release of the OS thanks to the security teams of Google and Samsung, so it became very hard and time consuming to develop full chains of exploits for Android and it’s even harder to develop zero click exploits not requiring any user interaction. In accordance with these new technical challenges related to Android security and our observations of market trends, we believe that time has come to allocate the highest bounties to Android exploits until Apple re-improves the security of iOS and strengthens its weakest parts which are iMessage and Safari (Webkit and sandbox). The security of an operating system is only as strong as its weakest links, and if Apple is slacking a bit on things like iMessage and Safari, while Google and Samsung work to strengthen Android’s weakest links, this is only a logical outcome.

China is forcing tourists to install text-stealing malware at its border

Foreigners crossing certain Chinese borders into the Xinjiang region, where authorities are conducting a massive campaign of surveillance and oppression against the local Muslim population, are being forced to install a piece of malware on their phones that gives all of their text messages as well as other pieces of data to the authorities, a collaboration by Motherboard, Süddeutsche Zeitung, the Guardian, the New York Times, and the German public broadcaster NDR has found. The Android malware, which is installed by a border guard when they physically seize the phone, also scans the tourist or traveller’s device for a specific set of files, according to multiple expert analyses of the software. The files authorities are looking for include Islamic extremist content, but also innocuous Islamic material, academic books on Islam by leading researchers, and even music from a Japanese metal band. China is basically performing ethnic cleansing on a massive scale, and it’s using technology to aid in its goal o eradicating an entire population group. It’s chilling, and every single technology company active in China – or worse yet, aiding the regime – should be held accountable.

Samsung TVs should be regularly virus-checked, the company says

Samsung has advised owners of its latest TVs to run regular virus scans. A how-to video on the Samsung Support USA Twitter account demonstrates the more than a dozen remote-control button presses required to access the sub-menu needed to activate the check. It suggested users should carry out the process “every few weeks” to “prevent malicious software attacks”. What.

WhatsApp voice calls used to inject Israeli spyware on phones

A vulnerability in the messaging app WhatsApp has allowed attackers to inject commercial Israeli spyware on to phones, the company and a spyware technology dealer said. WhatsApp, which is used by 1.5bn people worldwide, discovered in early May that attackers were able to install surveillance software on to both iPhones and Android phones by ringing up targets using the app’s phone call function. The malicious code, developed by the secretive Israeli company NSO Group, could be transmitted even if users did not answer their phones, and the calls often disappeared from call logs, said the spyware dealer, who was recently briefed on the WhatsApp hack. I never answer phone calls from telephone numbers I am not familiar with, let alone when the incoming callers his their number blocked. Apparently, though, not even protects you from attacks such as these.

Bloomberg says ‘hidden backdoors’ were found in Huawei equipment, Vodafone denies report

A new report by Bloomberg claims that telecom giant Vodafone had found potential hidden backdoor vulnerabilities in Huawei equipment, but the claims have been refuted the carrier. The Bloomberg report makes claims that Vodafone Italy confirmed that they had found vulnerabilities as far back as 2009 in Huawei telecoms and internet equipment. Obviously Vodafone has a massive interest in denying these stories, and I find it suspicious that stories like this are almost always waved away with a we forgot to turn off/remove a diagnostic thing, oopsie!, but for us mere mortals it’s just impossible to get a good reading on this. I mean, it’s not as if we have much of a choice but to assume our carriers know what they’re doing. …wait.

Assessing unikernel security

Unikernels are small, specialized, single-address-space machine images constructedby treating component applications and drivers like libraries and compiling them, along with a kernel and a thin OS layer, into a single binary blob. Proponents of unikernels claim that their smaller codebase and lack of excess services make them more efficient and secure than full-OS virtual machines and containers. We surveyed two major unikernels, Rumprun and IncludeOS, and found that this was decidedly not the case: unikernels, which in many ways resemble embedded systems, appear to have a similarly minimal level of security. Features like ASLR, W^X, stack canaries, heap integrity checks and more are either completely absent or seriously flawed. If an application running on such a system contains a memory corruption vulnerability, it is often possible for attackers to gain code execution, even in cases where the application’s source and binary are unknown. Furthermore, because the application and the kernel run together as a single process, an attacker who compromises a unikernel can immediately exploit functionality that would require privilege escalation on a regular OS, e.g. arbitrary packet I/O. We demonstrate such attacks on both Rumprun and IncludeOS unikernels, and recommend measures to mitigate them. This is a 100+ page article – book? – that isn’t for the faint of heart.

Gmail making email more secure with MTA-STS standard

We’re excited to announce that Gmail will become the first major email provider to follow the new SMTP MTA Strict Transport Security (MTA-STS) RFC 8461 and SMTP TLS Reporting RFC 8460 internet standards. Those new email security standards are the result of three years of collaboration within IETF, with contributions from Google and other large email providers. Google hopes other email services will also adopt these new security standards.

Remembering Heartbleed

Colm MacCárthaigh, who was Principal Engineer for Amazon Web Services Elastic Load Balancer five years ago, posted an interesting recollection of his experience the day the Heartbleed bug went public. OpenSSL was in use widely across AWS, and the team there basically dropped everything to hot patch millions of deployments, then over the next hours and days took many other steps to mitigate the damage. It’s a fascinating story if you’re familiar with information security, or even just minimally familiar with the infrastructure that keeps the internet going.

Tencent and Xiaomi may be censoring a GitHub page for airing worker grievances

A trending and vastly expanding GitHub database where Chinese developers have been airing their workplace grievances may be at risk of censorship. A number of internet users in China are reporting seeing their access to the database cut off when using browsers offered by companies like Tencent, Alibaba, Xiaomi, and Qihoo 360, as first spotted by Abacus. There’s no indication yet that these censorship efforts may have originated from government orders. And as a reminder: western technology companies, most prominently Apple, is working very closely with the Chinese government, giving them access to user data of Chinese users to aid the China’s totalitarian surveillance state.