Privacy, Security Archive

A quick look at the Ikea IoT lighting platform

Ikea recently launched their Trådfri smart lighting platform in the US. The idea of Ikea plus internet security together at last seems like a pretty terrible one, but having taken a look it's surprisingly competent. Hardware-wise, the device is pretty minimal - it seems to be based on the Cypress WICED IoT platform, with 100MBit ethernet and a Silicon Labs Zigbee chipset. It's running the Express Logic ThreadX RTOS, has no running services on any TCP ports and appears to listen on two single UDP ports. As IoT devices go, it's pleasingly minimal.

It's always nice to be pleasantly surprised when it comes to non-IT companies and IT security.

Cryptographers show collision in SHA-1 algorithm

From the EFF:

On February 23rd, a joint team from the CWI Amsterdam and Google announced that they had generated the first ever collision in the SHA-1 cryptographic hashing algorithm. SHA-1 has long been considered theoretically insecure by cryptanalysts due to weaknesses in the algorithm design, but this marks the first time researchers were actually able to demonstrate a real-world example of the insecurity. In addition to being a powerful Proof of Concept (POC), the computing power that went into generating the proof was notable.

So what's the big deal?

Unfortunately, the migration away from SHA-1 has not been universal. Some programs, such as the version control system Git, have SHA-1 hard-baked into its code. This makes it difficult for projects which rely on Git to ditch the algorithm altogether. The encrypted e-mail system PGP also relies on it in certain places.

Fearful of hacking, Dutch will count ballots by hand

Let's talk about elections! Except not the American ones, but the Dutch elections, coming up in March.

Concerned about the role hackers and false news might have played in the United States election, the Dutch government announced on Wednesday that all ballots in next month's elections would be counted by hand.

We haven't been using electronic voting ever since it was demonstrated the machines were quite easily hackable, but everything higher up in the stack was still electronic - such as counting the paper ballot and tallying up the results from the individual voting districts. The upcoming election will now be entirely done by hand - voting, counting, and tallying, making it that much harder for foreign powers to meddle in our elections.

This switch to full manual voting is taken two days after Sijmen Ruwhof posted a detailed article explaining just how easy it would be to hack our voting process.

Journalists from Dutch TV station RTL contacted me last week and wanted to know whether the Dutch elections could be hacked. They had been tipped off that the current Dutch electoral software used weak cryptography in certain parts of its system (SHA1).

I was stunned and couldn't believe what I had just heard. Are we still relying on computers for our voting process?

Turns out the "security" of the counting machines and software, as well as the practices of everything around it, is absolutely terrible. The article is an endless stream of facepalms - and really shines a light on just how lacklustre the whole electronic part of the process was, and hence provides an interesting look behind the scenes of an election.

Disable your antivirus software (except Microsoft’s)

I was just reading some Tweets and an associated Hackernews thread and it reminded me that, now that I've left Mozilla for a while, it's safe for me to say: antivirus software vendors are terrible; don't buy antivirus software, and uininstall it if you already have it (except, on Windows, for Microsoft's).

I've been saying the same thing here on OSNews for a decade now: antivirus software makers are terrible companies. Don't buy their crappy software only to let it infect your machine like a virus that slowly hollows out and kills your computer.

Stick to Windows' built-in Microsoft tool.

FBI and CIA now agree that Russia hacked to help Trump win

FBI director James Comey has signed on to a previously reported CIA assessment that Russian President Vladimir Putin directly intervened in the US presidential election in aid of Donald Trump, according to an internal CIA memo obtained by the Associated Press and Washington Post. The report has also been endorsed by the Office of the Director of National Intelligence, giving it the unanimous support of US intelligence agencies.

While the hack focused on the DNC and not the actual voting machines (I think Trump would've won even without the DNC hack), this is exactly the reason why The Netherlands ditched electronic voting machines roughly 15 years ago, and went back to the traditional paper ballot and red pencil. In today's world, any democracy worth its salt should ditch electronic voting.

Meanwhile, the Obama administration was aware of the hack before the elections took place, but didn't want to be seen interfering with the election process, because they thought Clinton would win. Yes.

500 million Yahoo accounts compromised

We have confirmed that a copy of certain user account information was stolen from the company’s network in late 2014 by what we believe is a state-sponsored actor. The account information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (the vast majority with bcrypt) and, in some cases, encrypted or unencrypted security questions and answers. The ongoing investigation suggests that stolen information did not include unprotected passwords, payment card data, or bank account information; payment card data and bank account information are not stored in the system that the investigation has found to be affected. Based on the ongoing investigation, Yahoo believes that information associated with at least 500 million user accounts was stolen and the investigation has found no evidence that the state-sponsored actor is currently in Yahoo’s network. Yahoo is working closely with law enforcement on this matter.

That's a big hack.

Linux Flaw Allows Attackers to Hijack Web Connections

Researchers discovered that a Transmission Control Protocol (TCP) specification implemented in Linux creates a vulnerability that can be exploited to terminate connections and conduct data injection attacks.

The flaw, tracked as CVE-2016-5696, is related to a feature described in RFC 5961, which should make it more difficult to launch off-path TCP spoofing attacks. The specification was formulated in 2010, but it has not been fully implemented in Windows, Mac OS X, and FreeBSD-based operating systems. However, the feature has been implemented in the Linux kernel since version 3.6, released in 2012.

A team of researchers from the University of California, Riverside and the U.S. Army Research Laboratory identified an attack method that allows a blind, off-path attacker to intercept TCP-based connections between two hosts on the Internet.

Researchers noted that data cannot be injected into HTTPS communications, but the connection can still be terminated using this method. One attack scenario described by the experts involves targeting Tor by disrupting connections between certain relays so that users are forced to use attacker-controlled exit relays.

How can journalists and activists (and regular folks) reduce their susceptibility to surveillance?

The recent news of a savvy UAE-based activist thwarting an attempt to compromise his iPhone raises the important issue of state-based surveillance actors and their private sector contractors having sophisticated and effective ways of intercepting communication and using their targets' own devices against them. One problem with modern mobile computing technology is that it's been built around expansive and convenient features, with security and privacy as an afterthought. On the same day I learned about the iPhone exploit, I happened to listen to a re-run of a 2014 Planet Money podcast in which an NPR journalist volunteered to fall victim to his unencrypted internet traffic being captured and analyzed by experts, and what they were able to learn about him, and specifically about the sources and topics of a story he was working on, was alarming.

As the podcast mentions, mobile OS vendors and online services are getting a lot better at encrypting traffic and obscuring metadata, and one of the primary reasons for this was Edward Snowden's revelations about the ubiquity and sophistication of the NSA's surveillance, and by extension, the dangers of surveillance from other state agencies, black hat hackers, and legions of scammers. The Snowden revelations hit Silicon Valley right in the pocketbook, so that did impel a vast new rollout of encryption and bug fixing, but there's still a long way to go.

As a way of both highlighting and trying to fix some of the inherent vulnerabilities of smartphones in particular, Ed Snowden teamed up with famed hardware hacker Bunny Huang have been working on a hardware tool, specifically, a mobile phone case, that monitors the radio signals from a device and reports to the user what's really being transmitted. They explain their project in a fascinating article at PubPub.

Mobile phones provide a wide attack surface, since their multitude of apps are sharing data with the network at all times, and even if the core data is encrypted, a lot can be gleaned from metadata and snippets of unencrypted data that leak through. Journalists and activists generally know this, and often use Airplane Mode when they're worried their location may be tracked. Problem is, when agencies are using spearphishing attacks to remotely jailbreak iPhones and install tracking software, and there are even fears that OS vendors themselves might be cooperating with authorities, Snowden and Huang set out to allow users to monitor their devices in a way that doesn't implicitly trust the device's user interface, which may be hiding the fact that it's transmitting data when it says it's not. The article goes into great detail about the options they considered, and the specific design they've worked down to, and it looks terrific.

Apple releases security patch after iPhone zero day exploit used on UAE political dissident

Ahmed Mansoor is an internationally recognized human rights defender, based in the United Arab Emirates (UAE), and recipient of the Martin Ennals Award (sometimes referred to as a “Nobel Prize for human rights”). On August 10 and 11, 2016, Mansoor received SMS text messages on his iPhone promising “new secrets” about detainees tortured in UAE jails if he clicked on an included link. Instead of clicking, Mansoor sent the messages to Citizen Lab researchers. We recognized the links as belonging to an exploit infrastructure connected to NSO Group, an Israel-based “cyber war” company that sells Pegasus, a government-exclusive “lawful intercept” spyware product. NSO Group is reportedly owned by an American venture capital firm, Francisco Partners Management.

The ensuing investigation, a collaboration between researchers from Citizen Lab and from Lookout Security, determined that the links led to a chain of zero-day exploits (“zero-days”) that would have remotely jailbroken Mansoor’s stock iPhone 6 and installed sophisticated spyware. We are calling this exploit chain Trident. Once infected, Mansoor’s phone would have become a digital spy in his pocket, capable of employing his iPhone’s camera and microphone to snoop on activity in the vicinity of the device, recording his WhatsApp and Viber calls, logging messages sent in mobile chat apps, and tracking his movements.

Getting started with Tails, the encrypted operating system

A step-by-step guide on how to download, install, and start using Tails, the world's most secure platform.

Tails, an encrypted and anonymous OS that bundles widely used open source privacy tools on a tiny device, is one of the most secure operating systems in the world. The Linux distribution rose to popularity when it was revealed Edward Snowden relied on Tails to secure his identity while sharing NSA secrets with journalists Glenn Greenwald and Laura Poitras. In the past half decade, Tails has been embraced as an essential security suite by journalists, hackers, and IT workers.

“Antivirus products could let hackers hijack computers”

Symantec and Norton are among the most popular security tools, but the U.S. Department of Homeland Security warns of critical flaws that could pose great risks.

A slew of corporate, government and personal computers are protected by Symantec, but are they really protected? Homeland Security believes there's reason to worry, and has issued a warning this week.

"Symantec and Norton branded antivirus products contain multiple vulnerabilities. Some of these products are in widespread use throughout government and industry," notes the alert. "Exploitation of these vulnerabilities could allow a remote attacker to take control of an affected system."

My deep dislike and mistrust for antivirus peddlers and their shady business practices are known around these parts, so none of this obviously surprises me in the slightest. These are companies fooling otherwise fantastic websites like Ars Technica into publishing FUD articles about OS X/iOS/Android/Linux/BeOS/MULTICS eating all your documents and murdering your firstborn unlessyoubuytheirproductswhichareototallynotresourcehogsandreallyarentuselesspiecesofjunk, so I'm not surprised their products are insecure.

Since I'm anything but oblivious to the irony of posting this story (in fact, it's one of the prime reasons to post this), be sure to read the source note from the U.S. Department of Homeland Security to make up your own mind.

Pokemon Go is a huge security risk on iOS

Let me be clear - Pokemon Go and Niantic can now:

  • Read all your email
  • Send email as you
  • Access all your Google drive documents (including deleting them)
  • Look at your search history and your Maps navigation history
  • Access any private photos you may store in Google Photos
  • And a whole lot more

What's more, given the use of email as an authentication mechanism (think "Forgot password" links) they now have a pretty good chance of gaining access to your accounts on other sites too.

This only applies to iOS, so Android users seem to have nothing to worry about. The fault lies with Niantic, so let's hope they fix it soon.

WhatsApp is now fully encrypted, end-to-end, on all platforms

Over the past year, we've been progressively rolling out Signal Protocol support for all WhatsApp communication across all WhatsApp clients. This includes chats, group chats, attachments, voice notes, and voice calls across Android, iPhone, Windows Phone, Nokia S40, Nokia S60, Blackberry, and BB10.

As of today, the integration is fully complete. Users running the most recent versions of WhatsApp on any platform now get full end to end encryption for every message they send and every WhatsApp call they make when communicating with each other. This includes all the benefits of the Signal Protocol - a modern, open source, forward secure, strong encryption protocol for asynchronous messaging systems, designed to make end-to-end encrypted messaging as seamless as possible.

WhatsApp is the most popular messaging protocol in the world (in my own country it's effectively at 100% market share), so to see it do end-to-end encryption is a huge deal.

New York Times, BBC, others hit by ‘ransomware’ malvertising

The attack, which was targeted at US users, hit websites including the New York Times, the BBC, AOL and the NFL over the weekend. Combined, the targeted sites have traffic in the billions of visitors.

The malware was delivered through multiple ad networks, and used a number of vulnerabilities, including a recently-patched flaw in Microsoft's former Flash competitor Silverlight, which was discontinued in 2013.

That's why we have adblockers.

New bill looks to save smartphone encryption from state bans

Rep. Ted Lieu (D-CA) and Rep. Blake Farenthold (R-TX) are introducing a bill today to effectively override bad state-level encryption bills. The ENCRYPT Act of 2016, or by its longer name, the Ensuring National Constitutional Rights of Your Private Telecommunications Act, would preempt state and local government encryption laws. The two men said today they are "deeply concerned" that varying bills surrounding encryption would endanger the country as well as the competitiveness of American companies. The argument is that it wouldn't be easy or even feasible to tailor phone encryption capabilities for specific states.

We're going to need a lot of these laws - all over the world.

Dutch government says no to backdoors, slides $540k to OpenSSL

The Dutch government has formally opposed the introduction of backdoors in encryption products.

A government position paper, published by the Ministry of Security and Justice on Monday and signed by the security and business ministers, concludes that "the government believes that it is currently not appropriate to adopt restrictive legal measures against the development, availability and use of encryption within the Netherlands."

The conclusion comes at the end of a five-page run-through of the arguments for greater encryption and the counter-arguments for allowing the authorities access to the information.

The word "currently" worries me, but this is good news.

Backdoors embedded in Juniper Firewalls

On Thursday, tech giant Juniper Networks revealed in a startling announcement that it had found "unauthorized" code embedded in an operating system running on some of its firewalls.

The code, which appears to have been in multiple versions of the company's ScreenOS software going back to at least August 2012, would have allowed attackers to take complete control of Juniper NetScreen firewalls running the affected software. It also would allow attackers, if they had ample resources and skills, to separately decrypt encrypted traffic running through the Virtual Private Network, or VPN, on the firewalls.

The security community is particularly alarmed because at least one of the backdoors appears to be the work of a sophisticated nation-state attacker.

Merry Christmas, everybody.

Superfish 2.0: now Dell is breaking HTTPS

From the good women and men over at the EFF:

Earlier this year it was revealed that Lenovo was shipping computers preloaded with software called Superfish, which installed its own HTTPS root certificate on affected computers. That in and of itself wouldn't be so bad, except Superfish's certificates all used the same private key. That meant all the affected computers were vulnerable to a "man in the middle" attack in which an attacker could use that private key to eavesdrop on users' encrypted connections to websites, and even impersonate other websites.

Now it appears that Dell has done the same thing, shipping laptops pre-installed with an HTTPS root certificate issued by Dell, known as eDellRoot. The certificate could allow malicious software or an attacker to impersonate Google, your bank, or any other website. It could also allow an attacker to install malicious code that has a valid signature, bypassing Windows security controls. The security team for the Chrome browser appears to have already revoked the certificate. People can test if their computer is affected by the bogus certificate by following this link.

Did you buy a Dell computer during your Black Friday shopping thing over there in the US? Might want to look it over before handing it your loved one.

Alternatively, just buy a Mac and don't deal with this nonsense.