Privacy, Security Archive

Impact assessment shows privacy risks of Microsoft Office

The government of The Netherlands recently commissioned the Privacy Company to perform a data protection impact assessment regarding the government's use of Microsoft Office products, and the results of this assessment are alarming.

The SLM Rijk conducts negotiations with Microsoft for approximately 300.000 digital work stations of the national government. The Enterprise version of the Office software is deployed by different governmental organisations, such as ministries, the judiciary, the police and the taxing authority.

The results of this Data Protection Impact Assessment (DPIA) are alarming. Microsoft collects and stores personal data about the behaviour of individual employees on a large scale, without any public documentation. The DPIA report (in English) as published by the Ministry is available here.

This shouldn't surprise anyone, but it's good to see governments taking these matters seriously, and forcing technology companies to change their policies.

New evidence of hacked Supermicro hardware at US carrier

A major U.S. telecommunications company discovered manipulated hardware from Super Micro Computer Inc. in its network and removed it in August, fresh evidence of tampering in China of critical technology components bound for the U.S., according to a security expert working for the telecom company.

The security expert, Yossi Appleboum, provided documents, analysis and other evidence of the discovery following the publication of an investigative report in Bloomberg Businessweek that detailed how China’s intelligence services had ordered subcontractors to plant malicious chips in Supermicro server motherboards over a two-year period ending in 2015.

Fresh fuel for the fire.

How China used a tiny chip to infiltrate US companies

But that's just what U.S. investigators found: The chips had been inserted during the manufacturing process, two officials say, by operatives from a unit of the People's Liberation Army. In Supermicro, China's spies appear to have found a perfect conduit for what U.S. officials now describe as the most significant supply chain attack known to have been carried out against American companies.

One official says investigators found that it eventually affected almost 30 companies, including a major bank, government contractors, and the world's most valuable company, Apple Inc. Apple was an important Supermicro customer and had planned to order more than 30,000 of its servers in two years for a new global network of data centers. Three senior insiders at Apple say that in the summer of 2015, it, too, found malicious chips on Supermicro motherboards. Apple severed ties with Supermicro the following year, for what it described as unrelated reasons.

Both Apple and Amazon aggressively deny the reports, but such was to be expected - these companies aren't going to openly admit their products and data could be vulnerable to sophisticated Chinese hacking attempts. In addition, especially Apple is beholden to remaining in the Chinese government's good graces, and won't openly admit they're being targeted by them - like no other company in the world, Apple is dependent on China, because no other country has the manpower, labour laws, and welcoming totalitarian government required to build the massive amount of devices Apple orders from China.

None of this should surprise anyone, and further illustrates that any company - especially major ones - claiming their products are secure and privacy-focused have really no way of guaranteeing as such. Whether it be domestic carriers snooping in on internet traffic or the Chinese government adding small microchips to hardware, nothing is secure or private.

Lenovo: Companies working in China install local backdoors

Does Lenovo put backdoors in if the Chinese government asks?

"If they want backdoors globally? We don't provide them. If they want a backdoor in China, let's just say that every multinational in China does the same thing.

"We comply with local laws. If the local laws say we don't put in backdoors, we don't put in backdoors. And we don't just comply with the laws, we follow the ethics and the spirit of the laws."

This shouldn't surprise anyone, really. At this point, it's pretty safe to assume that any major technology company selling products in China are putting backdoors into their products sold in China. Microsoft, Apple, phone makers - China is simply too powerful and important to ignore.

Dozens of iOS, Android apps secretly share location data

During preparation for a workshop at DEF CON in August on locating privacy leaks in network traffic, we discovered a number of applications on both iOS and Android that were broadcasting precise location data back to the applications' developers - in some cases in unencrypted formats. Research released late Friday by Sudo Security's Guardian mobile firewall team provided some confirmation to our findings - and demonstrated that many apps are sharing location data with firms that market location data information without the users' knowledge.

Is anyone still surprised by this? Apple was recently also forced to remove one of the most popular apps in the Mac App Store because it turned out to be spyware. The one redeeming feature of closed application stores is that they're safer - if that advantage turns out to be a lot less solid than proponents of walled gardens proclaim, why do we keep insisting on maintaining them?

US, others ask companies to build backdoors into encryption

The US, UK, and three other governments have called on tech companies to build backdoors into their encrypted products, so that law enforcement will always be able to obtain access. If companies don't, the governments say they "may pursue technological, enforcement, legislative, or other measures" in order to get into locked devices and services.

Their statement came out of a meeting last week between nations in the Five Eyes pact, an intelligence sharing agreement between the US, UK, Canada, Australia, and New Zealand. The nations issued a statement covering a range of technology-related issues they face, but it was their remarks on encryption that stood out the most.

Break encryption, or we'll break you.

Yahoo, bucking industry, scans emails for advertising

The U.S. tech industry has largely declared it is off limits to scan emails for information to sell to advertisers. Yahoo still sees the practice as a potential gold mine.

Yahoo's owner, the Oath unit of Verizon Communications Inc., has been pitching a service to advertisers that analyzes more than 200 million Yahoo Mail inboxes and the rich user data they contain, searching for clues about what products those users might buy, said people who have attended Oath's presentations as well as current and former employees of the company.

The biggest news in this story is not that Verizon is a scummy company - but that 200 million people still use Yahoo's email service.

Hacker finds hidden ‘god mode’ on old x86 CPUs

Some x86 CPUs have hidden backdoors that let you seize root by sending a command to an undocumented RISC core that manages the main CPU, security researcher Christopher Domas told the Black Hat conference here Thursday (Aug. 9).

The command - ".byte 0x0f, 0x3f" in Linux - "isn't supposed to exist, doesn't have a name, and gives you root right away," Domas said, adding that he calls it "God Mode."

The backdoor completely breaks the protection-ring model of operating-system security, in which the OS kernel runs in ring 0, device drivers run in rings 1 and 2, and user applications and interfaces ("userland") run in ring 3, furthest from the kernel and with the least privileges. To put it simply, Domas' God Mode takes you from the outermost to the innermost ring in four bytes.

That's one hell of a bug.

How they did it: GRU hackers vs. US elections

In a press briefing just two weeks ago, Deputy Attorney General Rod Rosenstein announced that the grand jury assembled by Special Counsel Robert Mueller had returned an indictment against 12 officers of Russia's Main Intelligence Directorate of the Russian General Staff (better known as Glavnoye razvedyvatel'noye upravleniye, or GRU). The indictment was for conducting "active cyber operations with the intent of interfering in the 2016 presidential election."

The allegations are backed up by data collected from service provider logs, Bitcoin transaction tracing, and additional forensics. The DOJ also relied on information collected by US (and likely foreign) intelligence and law enforcement agencies. Reading between the lines, the indictment reveals that the Mueller team and other US investigators likely gained access to things like Twitter direct messages and hosting company business records and logs, and they obtained or directly monitored email messages associated with the GRU (and possibly WikiLeaks). It also appears that the investigation ultimately had some level of access to internal activities of two GRU offices.

Yet, after a summit meeting with Russia's President Vladimir Putin just days following the indictment, Trump publicly expressed doubt that Russia was involved. The president has said that Putin strongly denied any interference in the election - even as the United States' own director of national Iintelligence, Dan Coats, reiterated the conclusion that Russia was responsible for the attacks. With such rhetoric, Trump has continued to send mixed messages about the findings of his own intelligence and law enforcement teams, while seeming to put more stock in Putin's insistence that the Russian government had nothing to do with any of this.

After digging into this latest indictment, the evidence suggests Trump may not have made a very good call on this matter. But his blaming of the victims of the attacks for failing to have good enough security, while misguided, does strike on a certain truth: the Clinton campaign, the DNC, and DCC were poorly prepared for this sort of attack, failed to learn lessons from history, and ignored advice from some very knowledgeable third parties they enlisted for help.

A detailed look at how Russia attacked the United States election process. Sadly, this being the internet, we probably won't be able to keep the discussion focused on the technical process, but can we all promise to at least try? Regardless of political affiliation, all of us should be worried about the election process of the most powerful country on earth being this easily manipulated by external forces.

New Spectre attack enables secrets to be leaked over network

When the Spectre and Meltdown attacks were disclosed earlier this year, the initial exploits required an attacker to be able to run code of their choosing on a victim system. This made browsers vulnerable, as suitably crafted JavaScript could be used to perform Spectre attacks. Cloud hosts were susceptible, too. But outside these situations, the impact seemed relatively limited.

That impact is now a little larger. Researchers from Graz University of Technology including one of the original Meltdown discoverers, Daniel Gruss, have described NetSpectre: a fully remote attack based on Spectre. With NetSpectre, an attacker can remotely read the memory of a victim system without running any code on that system.

How smart TVs track more than what’s on tonight

The growing concern over online data and user privacy has been focused on tech giants like Facebook and devices like smartphones. But people's data is also increasingly being vacuumed right out of their living rooms via their televisions, sometimes without their knowledge.

In recent years, data companies have harnessed new technology to immediately identify what people are watching on internet-connected TVs, then using that information to send targeted advertisements to other devices in their homes. Marketers, forever hungry to get their products in front of the people most likely to buy them, have eagerly embraced such practices. But the companies watching what people watch have also faced scrutiny from regulators and privacy advocates over how transparent they are being with users.

This is so deeply creepy.

“Gmail app developers have been reading your emails”

Third-party app developers can read the emails of millions of Gmail users, a report from The Wall Street Journal highlighted today. Gmail’s access settings allows data companies and app developers to see people’s emails and view private details, including recipient addresses, time stamps, and entire messages. And while those apps do need to receive user consent, the consent form isn’t exactly clear that it would allow humans - and not just computers - to read your emails.

Wait, you mean to tell me that when I granted one of those newfangled we-will-organise-your-email-for-you email clients access to my email I granted them access to my email? I am shocked, shocked I say!

Privacy and security stories tend to get easily inflated, and while it indeed sucks that actual people at said companies can read your email, you did explicitly grant them access to your email account. It's all spelled out right there in the Google account permission dialog. These companies aren't here to make your email lives easier - they're here to mine your data and sell it to third parties.

You wouldn't let a random small company install cameras in your house. Why do you treat your email any differently?

Wi-Fi Alliance introduces WPA3 security

Wi-Fi Alliance introduces Wi-Fi WPA3, the next generation of Wi-Fi security, bringing new capabilities to enhance Wi-Fi protections in personal and enterprise networks. Building on the widespread adoption of WPA2 over more than a decade, WPA3 adds new features to simplify Wi-Fi security, enable more robust authentication, and deliver increased cryptographic strength for highly sensitive data markets. As the Wi-Fi industry transitions to WPA3 security, WPA2 devices will continue to interoperate and provide recognized security.

Good news, but it will most likely require you buy a new router, since I doubt many router makers will update their devices to add WPA3 support. I have the last Apple AirPort Extreme, and with Apple exiting the router market, I doubt we'll see them adding WPA3 support.

Verizon and AT&T will stop selling your phone’s location

Verizon and AT&T have promised to stop selling their mobile customers' location information to third-party data brokers following a security problem that leaked the real-time location of US cell phone users.

Good news for Verizon and AT&T customers, but one has to wonder who's going to pay for this. They're going to have to recover the lost income somewhere, and that's probably going to be, well, you.

Apple just took a shot at Facebook’s web-tracking empire

For years, Facebook's sneakiest data-collector has been the "Like" button. Any site that wants Facebook traffic needs one, which means they're just about everywhere. And in order to work right, the button needs to log you in - which is to say, it needs to know who you are. How else would Facebook know who liked the post? Even if you don't click, Facebook registers that you loaded the button, which means they get a map of every Like-enabled site you've been to, just the kind of data that advertisers will pay to target against.

Today at WWDC, Apple took a direct shot at that system and Facebook itself. Onstage, Apple's VP of software Craig Federighi described Safari's new anti-tracking features in unusually confrontational terms.

"We've all seen these like buttons and share buttons," Federighi told the crowd. "Well it turns out, these can be used to track you, whether you click on them or not. So this year, we're shutting that down."

This is one of the very rare cases where competing corporate interests actually work out in the favour of consumers. One way or another, this will be added to all browsers.

US carriers selling access to your real-time location data

Four of the largest cell giants in the US are selling your real-time location data to a company that you've probably never heard about before.

In case you missed it, a senator last week sent a letter demanding the Federal Communications Commission (FCC) investigate why Securus, a prison technology company, can track any phone "within seconds" by using data obtained from the country's largest cell giants, including AT&T, Verizon, T-Mobile, and Sprint, through an intermediary, LocationSmart.

Well, at least your messaging app is end-to-end encrypted, right?

A lot of apps sell your data

Your devices are tracking you all the time. You just don’t know it yet.

When you consent to sharing your data with many popular apps, you’re also allowing app developers to collect your data and sell it to third parties through trackers that supply advertisers with detailed information about where you live, work, and shop.

In November 2017, Yale Privacy Lab detected trackers in over 75% of the 300 Android apps it analyzed. A March 2018 study of 160,000 free Android apps found that more than 55% of trackers tried to extract user location, while 30% accessed the device’s contact list. And a 2015 analysis of 110 popular free mobile apps revealed that 47% of iOS apps shared geo-coordinates and other location data with third parties, and personally identifiable information, like names of users (provided by 18% of iOS apps), was also provided.

These are particularly nasty trackers, since it's generally more difficult to block them.

Tech giants hit by NSA spying slam encryption backdoors

A coalition of Silicon Valley tech giants has doubled down on its criticism of encryption backdoors following a proposal that would give law enforcement access to locked and encrypted devices.

The group, which focuses on efforts to reform government surveillance, said in a statement that it continues to advocate for strong encryption, and decried attempts to undermine the technology.

The coalition consists of, among others, Google, Microsoft, and Apple.

Zuckerberg: Cambridge Analytica leak a “breach of trust”

After days of silence, Facebook CEO Mark Zuckerberg has responded to the controversy over the 2014 leak of private Facebook user data to a firm that went on to do political consulting work for the Donald Trump campaign in 2016.

Cambridge Analytica got the data by paying a psychology professor, Aleksandr Kogan, to create a Facebook personality quiz that harvested data not only about its own users but also about users' friends. Kogan amassed data from around 50 million users and turned it over to Cambridge.

Zuckerberg says that when Facebook learned about this transfer in 2015, it got Kogan and Cambridge to certify that they had deleted the data. But media reports this weekend suggested that Cambridge had lied and retained the data throughout the 2016 presidential campaign.

This whole thing should make everyone think twice about how - and if - they should keep using Facebook. I've personally always been incredibly careful about what data I put on Facebook and I've rarely - if ever - used any Facebook 'apps', but in the end, you don't even need to feed Facebook any data for them to figure out who you are and what you're interested in. It's actually remarkably easy to extrapolate a whole lot about you from simple things like the times you're online, or which sites with Facebook social trackers you visit, and so on.

I trust Google with such forms of data, but not Facebook. If it wasn't for my friends, I'd delete my Facebook account in a heartbeat. My hope is that this story - which has certainly permeated beyond tech media into the mainstream media - will push more and more of the people around me to consider leaving Facebook.

Xerox Alto zero-day

We've been archiving a bunch of old Xerox Alto disk packs from the 1970s. A few of them turned out to be password-protected, so I needed to figure out how to get around the password protection. I've developed a way to disable password protection, as well as a program to find the password instantly.

Xerox has failed to respond to this severe security hole in their computer, and every day they refuse to patch this vulnerability is a day their customers run a massive risk. Irresponsible.