Privacy, Security Archive

Apple just took a shot at Facebook’s web-tracking empire

For years, Facebook's sneakiest data-collector has been the "Like" button. Any site that wants Facebook traffic needs one, which means they're just about everywhere. And in order to work right, the button needs to log you in - which is to say, it needs to know who you are. How else would Facebook know who liked the post? Even if you don't click, Facebook registers that you loaded the button, which means they get a map of every Like-enabled site you've been to, just the kind of data that advertisers will pay to target against.

Today at WWDC, Apple took a direct shot at that system and Facebook itself. Onstage, Apple's VP of software Craig Federighi described Safari's new anti-tracking features in unusually confrontational terms.

"We've all seen these like buttons and share buttons," Federighi told the crowd. "Well it turns out, these can be used to track you, whether you click on them or not. So this year, we're shutting that down."

This is one of the very rare cases where competing corporate interests actually work out in the favour of consumers. One way or another, this will be added to all browsers.

US carriers selling access to your real-time location data

Four of the largest cell giants in the US are selling your real-time location data to a company that you've probably never heard about before.

In case you missed it, a senator last week sent a letter demanding the Federal Communications Commission (FCC) investigate why Securus, a prison technology company, can track any phone "within seconds" by using data obtained from the country's largest cell giants, including AT&T, Verizon, T-Mobile, and Sprint, through an intermediary, LocationSmart.

Well, at least your messaging app is end-to-end encrypted, right?

A lot of apps sell your data

Your devices are tracking you all the time. You just don’t know it yet.

When you consent to sharing your data with many popular apps, you’re also allowing app developers to collect your data and sell it to third parties through trackers that supply advertisers with detailed information about where you live, work, and shop.

In November 2017, Yale Privacy Lab detected trackers in over 75% of the 300 Android apps it analyzed. A March 2018 study of 160,000 free Android apps found that more than 55% of trackers tried to extract user location, while 30% accessed the device’s contact list. And a 2015 analysis of 110 popular free mobile apps revealed that 47% of iOS apps shared geo-coordinates and other location data with third parties, and personally identifiable information, like names of users (provided by 18% of iOS apps), was also provided.

These are particularly nasty trackers, since it's generally more difficult to block them.

Tech giants hit by NSA spying slam encryption backdoors

A coalition of Silicon Valley tech giants has doubled down on its criticism of encryption backdoors following a proposal that would give law enforcement access to locked and encrypted devices.

The group, which focuses on efforts to reform government surveillance, said in a statement that it continues to advocate for strong encryption, and decried attempts to undermine the technology.

The coalition consists of, among others, Google, Microsoft, and Apple.

Zuckerberg: Cambridge Analytica leak a “breach of trust”

After days of silence, Facebook CEO Mark Zuckerberg has responded to the controversy over the 2014 leak of private Facebook user data to a firm that went on to do political consulting work for the Donald Trump campaign in 2016.

Cambridge Analytica got the data by paying a psychology professor, Aleksandr Kogan, to create a Facebook personality quiz that harvested data not only about its own users but also about users' friends. Kogan amassed data from around 50 million users and turned it over to Cambridge.

Zuckerberg says that when Facebook learned about this transfer in 2015, it got Kogan and Cambridge to certify that they had deleted the data. But media reports this weekend suggested that Cambridge had lied and retained the data throughout the 2016 presidential campaign.

This whole thing should make everyone think twice about how - and if - they should keep using Facebook. I've personally always been incredibly careful about what data I put on Facebook and I've rarely - if ever - used any Facebook 'apps', but in the end, you don't even need to feed Facebook any data for them to figure out who you are and what you're interested in. It's actually remarkably easy to extrapolate a whole lot about you from simple things like the times you're online, or which sites with Facebook social trackers you visit, and so on.

I trust Google with such forms of data, but not Facebook. If it wasn't for my friends, I'd delete my Facebook account in a heartbeat. My hope is that this story - which has certainly permeated beyond tech media into the mainstream media - will push more and more of the people around me to consider leaving Facebook.

Xerox Alto zero-day

We've been archiving a bunch of old Xerox Alto disk packs from the 1970s. A few of them turned out to be password-protected, so I needed to figure out how to get around the password protection. I've developed a way to disable password protection, as well as a program to find the password instantly.

Xerox has failed to respond to this severe security hole in their computer, and every day they refuse to patch this vulnerability is a day their customers run a massive risk. Irresponsible.

CCleaner downloads infected with malware

Talos recently observed a case where the download servers used by software vendor to distribute a legitimate software package were leveraged to deliver malware to unsuspecting victims. For a period of time, the legitimate signed version of CCleaner 5.33 being distributed by Avast also contained a multi-stage malware payload that rode on top of the installation of CCleaner. CCleaner boasted over 2 billion total downloads by November of 2016 with a growth rate of 5 million additional users per week. Given the potential damage that could be caused by a network of infected computers even a tiny fraction of this size we decided to move quickly. On September 13, 2017 Cisco Talos immediately notified Avast of our findings so that they could initiate appropriate response activities. The following sections will discuss the specific details regarding this attack.

Don't use registry cleaners. They serve no purpose.

Why you shouldn’t unlock your phone with your face

If you value the security of your data - your email, social media accounts, family photos, the history of every place you've ever been with your phone - then I recommend against using biometric identification.

Instead, use a passcode to unlock your phone.

Can't argue with that - especially in place where law enforcement often takes a... Liberal approach to detainees.

European MEPs seek ban on backdooring encryption

The European parliament's Committee on Civil Liberties, Justice and Home Affairs (LIBE) has put forward a proposal that would amend the EU's charter of fundamental rights to extend privacy rights to the digital realm and prevent governments of EU Member States from backdooring end-to-end encrypted services.

"This Regulation aims at ensuring an effective and equal protection of end-users when using functionally equivalent services, so as to ensure the protection of confidentiality, irrespective of the technological medium chosen," they write in the draft eprivacy proposal. "The protection of confidentiality of communications is also an essential condition for the respect of other related fundamental rights and freedoms, such as the protection of freedom of thought, conscience and religion, and freedom of expression and information."

On encryption the committee amends an earlier text, proposed by the EU's executive body, the European Commission, to state: "hen encryption of electronic communications data is used, decryption, reverse engineering or monitoring of such communications shall be prohibited. Member States shall not impose any obligations on electronic communications service providers that would result in the weakening of the security and encryption of their networks and services."

It's only a committee proposal for now that will need approval from the European Parliament, but at least it's something. It also happens to fly in the face of European leaders, who are talking of weakening encryption or banning it outright.

This proposal would obviously be the right thing to do, but with so many leaders around the world exploiting the wholly irrational fear of terrorism (you're much more likely to die sitting on the couch than at the hands of terrorists here in Europe) among the media-primed public and people falling for that nonsense hook, line, and sinker (see Brexit, Trump, and extreme right parties in The Netherlands and France), this proposal will most likely not make it.

Malware uses Intel CPU feature to steal data

Microsoft's security team has come across a malware family that uses Intel's Active Management Technology (AMT) Serial-over-LAN (SOL) interface as a file transfer tool.

Because of the way the Intel AMT SOL technology works, SOL traffic bypasses the local computer's networking stack, so local firewalls or security products won't be able to detect or block the malware while it's exfiltrating data from infected hosts.

A quick look at the Ikea IoT lighting platform

Ikea recently launched their Trådfri smart lighting platform in the US. The idea of Ikea plus internet security together at last seems like a pretty terrible one, but having taken a look it's surprisingly competent. Hardware-wise, the device is pretty minimal - it seems to be based on the Cypress WICED IoT platform, with 100MBit ethernet and a Silicon Labs Zigbee chipset. It's running the Express Logic ThreadX RTOS, has no running services on any TCP ports and appears to listen on two single UDP ports. As IoT devices go, it's pleasingly minimal.

It's always nice to be pleasantly surprised when it comes to non-IT companies and IT security.

Cryptographers show collision in SHA-1 algorithm

From the EFF:

On February 23rd, a joint team from the CWI Amsterdam and Google announced that they had generated the first ever collision in the SHA-1 cryptographic hashing algorithm. SHA-1 has long been considered theoretically insecure by cryptanalysts due to weaknesses in the algorithm design, but this marks the first time researchers were actually able to demonstrate a real-world example of the insecurity. In addition to being a powerful Proof of Concept (POC), the computing power that went into generating the proof was notable.

So what's the big deal?

Unfortunately, the migration away from SHA-1 has not been universal. Some programs, such as the version control system Git, have SHA-1 hard-baked into its code. This makes it difficult for projects which rely on Git to ditch the algorithm altogether. The encrypted e-mail system PGP also relies on it in certain places.

Fearful of hacking, Dutch will count ballots by hand

Let's talk about elections! Except not the American ones, but the Dutch elections, coming up in March.

Concerned about the role hackers and false news might have played in the United States election, the Dutch government announced on Wednesday that all ballots in next month's elections would be counted by hand.

We haven't been using electronic voting ever since it was demonstrated the machines were quite easily hackable, but everything higher up in the stack was still electronic - such as counting the paper ballot and tallying up the results from the individual voting districts. The upcoming election will now be entirely done by hand - voting, counting, and tallying, making it that much harder for foreign powers to meddle in our elections.

This switch to full manual voting is taken two days after Sijmen Ruwhof posted a detailed article explaining just how easy it would be to hack our voting process.

Journalists from Dutch TV station RTL contacted me last week and wanted to know whether the Dutch elections could be hacked. They had been tipped off that the current Dutch electoral software used weak cryptography in certain parts of its system (SHA1).

I was stunned and couldn't believe what I had just heard. Are we still relying on computers for our voting process?

Turns out the "security" of the counting machines and software, as well as the practices of everything around it, is absolutely terrible. The article is an endless stream of facepalms - and really shines a light on just how lacklustre the whole electronic part of the process was, and hence provides an interesting look behind the scenes of an election.

Disable your antivirus software (except Microsoft’s)

I was just reading some Tweets and an associated Hackernews thread and it reminded me that, now that I've left Mozilla for a while, it's safe for me to say: antivirus software vendors are terrible; don't buy antivirus software, and uininstall it if you already have it (except, on Windows, for Microsoft's).

I've been saying the same thing here on OSNews for a decade now: antivirus software makers are terrible companies. Don't buy their crappy software only to let it infect your machine like a virus that slowly hollows out and kills your computer.

Stick to Windows' built-in Microsoft tool.

FBI and CIA now agree that Russia hacked to help Trump win

FBI director James Comey has signed on to a previously reported CIA assessment that Russian President Vladimir Putin directly intervened in the US presidential election in aid of Donald Trump, according to an internal CIA memo obtained by the Associated Press and Washington Post. The report has also been endorsed by the Office of the Director of National Intelligence, giving it the unanimous support of US intelligence agencies.

While the hack focused on the DNC and not the actual voting machines (I think Trump would've won even without the DNC hack), this is exactly the reason why The Netherlands ditched electronic voting machines roughly 15 years ago, and went back to the traditional paper ballot and red pencil. In today's world, any democracy worth its salt should ditch electronic voting.

Meanwhile, the Obama administration was aware of the hack before the elections took place, but didn't want to be seen interfering with the election process, because they thought Clinton would win. Yes.

500 million Yahoo accounts compromised

We have confirmed that a copy of certain user account information was stolen from the company’s network in late 2014 by what we believe is a state-sponsored actor. The account information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (the vast majority with bcrypt) and, in some cases, encrypted or unencrypted security questions and answers. The ongoing investigation suggests that stolen information did not include unprotected passwords, payment card data, or bank account information; payment card data and bank account information are not stored in the system that the investigation has found to be affected. Based on the ongoing investigation, Yahoo believes that information associated with at least 500 million user accounts was stolen and the investigation has found no evidence that the state-sponsored actor is currently in Yahoo’s network. Yahoo is working closely with law enforcement on this matter.

That's a big hack.

Linux Flaw Allows Attackers to Hijack Web Connections

Researchers discovered that a Transmission Control Protocol (TCP) specification implemented in Linux creates a vulnerability that can be exploited to terminate connections and conduct data injection attacks.

The flaw, tracked as CVE-2016-5696, is related to a feature described in RFC 5961, which should make it more difficult to launch off-path TCP spoofing attacks. The specification was formulated in 2010, but it has not been fully implemented in Windows, Mac OS X, and FreeBSD-based operating systems. However, the feature has been implemented in the Linux kernel since version 3.6, released in 2012.

A team of researchers from the University of California, Riverside and the U.S. Army Research Laboratory identified an attack method that allows a blind, off-path attacker to intercept TCP-based connections between two hosts on the Internet.

Researchers noted that data cannot be injected into HTTPS communications, but the connection can still be terminated using this method. One attack scenario described by the experts involves targeting Tor by disrupting connections between certain relays so that users are forced to use attacker-controlled exit relays.

How can journalists and activists (and regular folks) reduce their susceptibility to surveillance?

The recent news of a savvy UAE-based activist thwarting an attempt to compromise his iPhone raises the important issue of state-based surveillance actors and their private sector contractors having sophisticated and effective ways of intercepting communication and using their targets' own devices against them. One problem with modern mobile computing technology is that it's been built around expansive and convenient features, with security and privacy as an afterthought. On the same day I learned about the iPhone exploit, I happened to listen to a re-run of a 2014 Planet Money podcast in which an NPR journalist volunteered to fall victim to his unencrypted internet traffic being captured and analyzed by experts, and what they were able to learn about him, and specifically about the sources and topics of a story he was working on, was alarming.

As the podcast mentions, mobile OS vendors and online services are getting a lot better at encrypting traffic and obscuring metadata, and one of the primary reasons for this was Edward Snowden's revelations about the ubiquity and sophistication of the NSA's surveillance, and by extension, the dangers of surveillance from other state agencies, black hat hackers, and legions of scammers. The Snowden revelations hit Silicon Valley right in the pocketbook, so that did impel a vast new rollout of encryption and bug fixing, but there's still a long way to go.

As a way of both highlighting and trying to fix some of the inherent vulnerabilities of smartphones in particular, Ed Snowden teamed up with famed hardware hacker Bunny Huang have been working on a hardware tool, specifically, a mobile phone case, that monitors the radio signals from a device and reports to the user what's really being transmitted. They explain their project in a fascinating article at PubPub.

Mobile phones provide a wide attack surface, since their multitude of apps are sharing data with the network at all times, and even if the core data is encrypted, a lot can be gleaned from metadata and snippets of unencrypted data that leak through. Journalists and activists generally know this, and often use Airplane Mode when they're worried their location may be tracked. Problem is, when agencies are using spearphishing attacks to remotely jailbreak iPhones and install tracking software, and there are even fears that OS vendors themselves might be cooperating with authorities, Snowden and Huang set out to allow users to monitor their devices in a way that doesn't implicitly trust the device's user interface, which may be hiding the fact that it's transmitting data when it says it's not. The article goes into great detail about the options they considered, and the specific design they've worked down to, and it looks terrific.