Privacy, Security Archive

Twelve million phones, one dataset, zero privacy

Every minute of every day, everywhere on the planet, dozens of companies — largely unregulated, little scrutinized — are logging the movements of tens of millions of people with mobile phones and storing the information in gigantic data files. The Times Privacy Project obtained one such file, by far the largest and most sensitive ever to be reviewed by journalists. It holds more than 50 billion location pings from the phones of more than 12 million Americans as they moved through several major cities, including Washington, New York, San Francisco and Los Angeles. Each piece of information in this file represents the precise location of a single smartphone over a period of several months in 2016 and 2017. The data was provided to Times Opinion by sources who asked to remain anonymous because they were not authorized to share it and could face severe penalties for doing so. The sources of the information said they had grown alarmed about how it might be abused and urgently wanted to inform the public and lawmakers. We all know this is happening, yet there’s very little we can do about it – save for living far away in the woods, disconnected from everything. There’s cameras everywhere, anything with any sort of wireless connection – from smartphone to dumbphone – is tracked at the carrier level, and even our lightbulbs are ‘smart’ these days. Yet, despite knowing this is happening, it’s still eye-opening to see it in such detail as discovered by The New York Times.

64 bits ought to be enough for anybody!

How quickly can we use brute force to guess a 64-bit number? The short answer is, it all depends on what resources are available. So we’re going to examine this problem starting with the most naive approach and then expand to other techniques involving parallelization. We’ll discuss parallelization at the CPU level with SIMD instructions, then via multiple cores, GPUs, and cloud computing. Along the way we’ll touch on a variety of topics about microprocessors and some interesting discoveries, e.g., adding more cores isn’t always an improvement, and not all cloud vCPUs are equivalent.

SMS replacement is exposing users to text, call interception thanks to sloppy telecos

A standard used by phone carriers around the world can leave users open to all sorts of attacks, like text message and call interception, spoofed phone numbers, and leaking their coarse location, new research reveals. The Rich Communication Services (RCS) standard is essentially the replacement for SMS. The news shows how even as carriers move onto more modern protocols for communication, phone network security continues to be an exposed area with multiple avenues for attack in some implementations of RCS. Off to a great start for a technology nobody is waiting for. WhatsApp and WeChat have replaced SMS, and unencrypted, vulnerable nonsense like RCS is not going to change a single thing about that.

1Password takes 200 million in venture capital

I wanted to be the first one to tell you: I’m incredibly proud to announce that we’ve partnered with Accel to help 1Password continue the amazing growth and success we’ve seen over the past 14 years. Accel will be investing USD$200 million for a minority stake in 1Password. Along with the investment – their largest initial investment in their 35-year history – Accel brings the experience and expertise we need to grow further and faster. I use 1Password, and I’m deeply skeptical of venture capital investments like these. 1Password has been profitable since its founding, so this investment is not a make-or-break kind of thing, which makes me worried about the future. Password managers require a lot of trust from their users, and trust is not something I give to venture capitalists.

Attorney general Bill Barr will ask Zuckerberg to halt plans for end-to-end encryption across Facebook’s apps

Attorney General Bill Barr, along with officials from the United Kingdom and Australia, is set to publish an open letter to Facebook CEO Mark Zuckerberg asking the company to delay plans for end-to-end encryption across its messaging services until it can guarantee the added privacy does not reduce public safety. A draft of the letter, dated Oct. 4, is set to be released alongside the announcement of a new data-sharing agreement between law enforcement in the US and the UK; it was obtained by BuzzFeed News ahead of its publication. The forces are closing in on end-to-end encryption, and with the bizarre constitutional crises both the US and the UK are experiencing, I would be even more worried about this than I’d be under normal circumstances.

A glut of iOS 0-days pushes their price below cost of those for Android

For the first time ever, the security exploit broker Zerodium is paying a higher price for zero-day attacks that target Android than it pays for comparable attacks targeting iOS. The company provided a message to Ars, stating that while Google and Samsung have worked hard to significantly improve the security of Android. During the last few months, we have observed an increase in the number of iOS exploits, mostly Safari and iMessage chains, being developed and sold by researchers from all around the world. The zero-day market is so flooded by iOS exploits that we’ve recently started refusing some  them. On the other hand, Android security is improving with every new release of the OS thanks to the security teams of Google and Samsung, so it became very hard and time consuming to develop full chains of exploits for Android and it’s even harder to develop zero click exploits not requiring any user interaction. In accordance with these new technical challenges related to Android security and our observations of market trends, we believe that time has come to allocate the highest bounties to Android exploits until Apple re-improves the security of iOS and strengthens its weakest parts which are iMessage and Safari (Webkit and sandbox). The security of an operating system is only as strong as its weakest links, and if Apple is slacking a bit on things like iMessage and Safari, while Google and Samsung work to strengthen Android’s weakest links, this is only a logical outcome.

China is forcing tourists to install text-stealing malware at its border

Foreigners crossing certain Chinese borders into the Xinjiang region, where authorities are conducting a massive campaign of surveillance and oppression against the local Muslim population, are being forced to install a piece of malware on their phones that gives all of their text messages as well as other pieces of data to the authorities, a collaboration by Motherboard, Süddeutsche Zeitung, the Guardian, the New York Times, and the German public broadcaster NDR has found. The Android malware, which is installed by a border guard when they physically seize the phone, also scans the tourist or traveller’s device for a specific set of files, according to multiple expert analyses of the software. The files authorities are looking for include Islamic extremist content, but also innocuous Islamic material, academic books on Islam by leading researchers, and even music from a Japanese metal band. China is basically performing ethnic cleansing on a massive scale, and it’s using technology to aid in its goal o eradicating an entire population group. It’s chilling, and every single technology company active in China – or worse yet, aiding the regime – should be held accountable.

Samsung TVs should be regularly virus-checked, the company says

Samsung has advised owners of its latest TVs to run regular virus scans. A how-to video on the Samsung Support USA Twitter account demonstrates the more than a dozen remote-control button presses required to access the sub-menu needed to activate the check. It suggested users should carry out the process “every few weeks” to “prevent malicious software attacks”. What.

WhatsApp voice calls used to inject Israeli spyware on phones

A vulnerability in the messaging app WhatsApp has allowed attackers to inject commercial Israeli spyware on to phones, the company and a spyware technology dealer said. WhatsApp, which is used by 1.5bn people worldwide, discovered in early May that attackers were able to install surveillance software on to both iPhones and Android phones by ringing up targets using the app’s phone call function. The malicious code, developed by the secretive Israeli company NSO Group, could be transmitted even if users did not answer their phones, and the calls often disappeared from call logs, said the spyware dealer, who was recently briefed on the WhatsApp hack. I never answer phone calls from telephone numbers I am not familiar with, let alone when the incoming callers his their number blocked. Apparently, though, not even protects you from attacks such as these.

Bloomberg says ‘hidden backdoors’ were found in Huawei equipment, Vodafone denies report

A new report by Bloomberg claims that telecom giant Vodafone had found potential hidden backdoor vulnerabilities in Huawei equipment, but the claims have been refuted the carrier. The Bloomberg report makes claims that Vodafone Italy confirmed that they had found vulnerabilities as far back as 2009 in Huawei telecoms and internet equipment. Obviously Vodafone has a massive interest in denying these stories, and I find it suspicious that stories like this are almost always waved away with a we forgot to turn off/remove a diagnostic thing, oopsie!, but for us mere mortals it’s just impossible to get a good reading on this. I mean, it’s not as if we have much of a choice but to assume our carriers know what they’re doing. …wait.

Assessing unikernel security

Unikernels are small, specialized, single-address-space machine images constructedby treating component applications and drivers like libraries and compiling them, along with a kernel and a thin OS layer, into a single binary blob. Proponents of unikernels claim that their smaller codebase and lack of excess services make them more efficient and secure than full-OS virtual machines and containers. We surveyed two major unikernels, Rumprun and IncludeOS, and found that this was decidedly not the case: unikernels, which in many ways resemble embedded systems, appear to have a similarly minimal level of security. Features like ASLR, W^X, stack canaries, heap integrity checks and more are either completely absent or seriously flawed. If an application running on such a system contains a memory corruption vulnerability, it is often possible for attackers to gain code execution, even in cases where the application’s source and binary are unknown. Furthermore, because the application and the kernel run together as a single process, an attacker who compromises a unikernel can immediately exploit functionality that would require privilege escalation on a regular OS, e.g. arbitrary packet I/O. We demonstrate such attacks on both Rumprun and IncludeOS unikernels, and recommend measures to mitigate them. This is a 100+ page article – book? – that isn’t for the faint of heart.

Gmail making email more secure with MTA-STS standard

We’re excited to announce that Gmail will become the first major email provider to follow the new SMTP MTA Strict Transport Security (MTA-STS) RFC 8461 and SMTP TLS Reporting RFC 8460 internet standards. Those new email security standards are the result of three years of collaboration within IETF, with contributions from Google and other large email providers. Google hopes other email services will also adopt these new security standards.

Remembering Heartbleed

Colm MacCárthaigh, who was Principal Engineer for Amazon Web Services Elastic Load Balancer five years ago, posted an interesting recollection of his experience the day the Heartbleed bug went public. OpenSSL was in use widely across AWS, and the team there basically dropped everything to hot patch millions of deployments, then over the next hours and days took many other steps to mitigate the damage. It’s a fascinating story if you’re familiar with information security, or even just minimally familiar with the infrastructure that keeps the internet going.

Tencent and Xiaomi may be censoring a GitHub page for airing worker grievances

A trending and vastly expanding GitHub database where Chinese developers have been airing their workplace grievances may be at risk of censorship. A number of internet users in China are reporting seeing their access to the database cut off when using browsers offered by companies like Tencent, Alibaba, Xiaomi, and Qihoo 360, as first spotted by Abacus. There’s no indication yet that these censorship efforts may have originated from government orders. And as a reminder: western technology companies, most prominently Apple, is working very closely with the Chinese government, giving them access to user data of Chinese users to aid the China’s totalitarian surveillance state.

Nokia firmware blunder sent some user data to China

HMD Global, the Finnish company that sublicensed the Nokia smartphone brand from Microsoft, is under investigation in Finland for collecting and sending some phone owners’ information to a server located in China. In a statement to Finnish newspaper Helsingin Sanomat, the company blamed the data collection on a coding mistake during which an “activation package” was accidentally included in some phones’ firmware. HMD Global said that only a single batch of Nokia 7 Plus devices were impacted and included this package. Why does stuff like this keep happening? It seems like such a simple thing to not preinstall dodgy stuff on factory-set smartphones.

Facebook stored hundreds of millions of user passwords in plain text for years

Hundreds of millions of Facebook users had their account passwords stored in plain text and searchable by thousands of Facebook employees — in some cases going back to 2012, KrebsOnSecurity has learned. Facebook says an ongoing investigation has so far found no indication that employees have abused access to this data. Facebook is a criminal enterprise that needs to be broken up into its constituent parts sooner rather than later.

The Best Operating Systems for Anonymity

David Balaban says, “There are plenty of operating systems aimed at achieving online anonymity. But how many of them are really good?” He highlights five candidates: Tails OS, Whonix, Kodachi, Qubes, and Subgraph. He concludes that Kodachi is the best OS to preserve anonymity. Have any OSNews readers evaluated any of these OSes? Do you agree with his conclusion?

Huawei chairman accuses American critics of hypocrisy over NSA hacks

Huawei’s rotating chairman Guo Ping has gone on the offensive this week at Mobile World Congress, following continued pressure on US allies to drop the Chinese telecoms giant over national security fears. In a strident on-stage speech and a Financial Times editorial, Guo is escalating Huawei’s side of the story by explicitly calling out the NSA, which Edward Snowden has shown to have hacked Huawei in the past, while presenting his company as a more secure option for the rest of the world. “If the NSA wants to modify routers or switches in order to eavesdrop, a Chinese company will be unlikely to co-operate,” Guo says in the FT, citing a leaked NSA document that said the agency wanted “to make sure that we know how to exploit these products.” Guo argues that his company “hampers US efforts to spy on whomever it wants,” reiterating its position that “Huawei has not and will never plant backdoors.” This war of words and boycotts will continue for a long time to come, but Guo makes an interesting point here by highlighting the fact the NSA hacked Huawei devices and email accounts of Huawai executives. I personally do not believe that devices made in China for other brands – Apple, Google, whatever – are any safer from tampering than devices from a Chinese brand. These all get made in the same factories, and I can hardly fault the Chinese government for doing what all our western governments have been doing for decades as well. It’s not a pretty game, and in an ideal world none of it would be necessary, but we should not let blind nationalism get in the way of making sound decisions.

PureBoot, the high security boot process

The boot process, in computer hardware, forms the foundation for the security of the rest of the system. Security, in this context, means a “defense in depth” approach, where each layer not only provides an additional barrier to attack, but also builds on the strength of the previous one. Attackers do know that if they can compromise the boot process, they can hide malicious software that will not be detected by the rest of the system. Unfortunately, most of the existing approaches to protect the boot process also conveniently (conveniently for the vendor, of course) remove your control over your own system. How? By using software signing keys that only let you run the boot software that the vendor approves on your hardware. Your only practical choices, under these systems, are either to run OSes that get approval from the vendor, or to disable boot security altogether. In Purism, we believe that you deserve security without sacrificing control or convenience: today we are happy to announce PureBoot, our collection of software and security measures designed for you to protect the boot process, while still holding all the keys. Good initiative.

Thunderbolt enables severe security threats

Security researchers at the Network and Distributed Systems Security Symposium in San Diego are announcing the results of some fascinating research they’ve been working on. They “built a fake network card that is capable of interacting with the operating system in the same way as a real one” and discovered that Such ports offer very privileged, low-level, direct memory access (DMA), which gives peripherals much more privilege than regular USB devices. If no defences are used on the host, an attacker has unrestricted memory access, and can completely take control of a target computer: they can steal passwords, banking logins, encryption keys, browser sessions and private files, and they can also inject malicious software that can run anywhere in the system. Vendors have been gradually improving firmware and taking other steps to mitigate these vulnerabilities, but the same features that make Thunderbolt so useful also make them a much more serious attack vector than USB ever was. You may want to consider ways to disable your Thunderbolt drivers unless you can be sure that you can prevent physical access to your machine.