Privacy, Security Archive

New bill looks to save smartphone encryption from state bans

Rep. Ted Lieu (D-CA) and Rep. Blake Farenthold (R-TX) are introducing a bill today to effectively override bad state-level encryption bills. The ENCRYPT Act of 2016, or by its longer name, the Ensuring National Constitutional Rights of Your Private Telecommunications Act, would preempt state and local government encryption laws. The two men said today they are "deeply concerned" that varying bills surrounding encryption would endanger the country as well as the competitiveness of American companies. The argument is that it wouldn't be easy or even feasible to tailor phone encryption capabilities for specific states.

We're going to need a lot of these laws - all over the world.

Dutch government says no to backdoors, slides $540k to OpenSSL

The Dutch government has formally opposed the introduction of backdoors in encryption products.

A government position paper, published by the Ministry of Security and Justice on Monday and signed by the security and business ministers, concludes that "the government believes that it is currently not appropriate to adopt restrictive legal measures against the development, availability and use of encryption within the Netherlands."

The conclusion comes at the end of a five-page run-through of the arguments for greater encryption and the counter-arguments for allowing the authorities access to the information.

The word "currently" worries me, but this is good news.

Backdoors embedded in Juniper Firewalls

On Thursday, tech giant Juniper Networks revealed in a startling announcement that it had found "unauthorized" code embedded in an operating system running on some of its firewalls.

The code, which appears to have been in multiple versions of the company's ScreenOS software going back to at least August 2012, would have allowed attackers to take complete control of Juniper NetScreen firewalls running the affected software. It also would allow attackers, if they had ample resources and skills, to separately decrypt encrypted traffic running through the Virtual Private Network, or VPN, on the firewalls.

The security community is particularly alarmed because at least one of the backdoors appears to be the work of a sophisticated nation-state attacker.

Merry Christmas, everybody.

Superfish 2.0: now Dell is breaking HTTPS

From the good women and men over at the EFF:

Earlier this year it was revealed that Lenovo was shipping computers preloaded with software called Superfish, which installed its own HTTPS root certificate on affected computers. That in and of itself wouldn't be so bad, except Superfish's certificates all used the same private key. That meant all the affected computers were vulnerable to a "man in the middle" attack in which an attacker could use that private key to eavesdrop on users' encrypted connections to websites, and even impersonate other websites.

Now it appears that Dell has done the same thing, shipping laptops pre-installed with an HTTPS root certificate issued by Dell, known as eDellRoot. The certificate could allow malicious software or an attacker to impersonate Google, your bank, or any other website. It could also allow an attacker to install malicious code that has a valid signature, bypassing Windows security controls. The security team for the Chrome browser appears to have already revoked the certificate. People can test if their computer is affected by the bogus certificate by following this link.

Did you buy a Dell computer during your Black Friday shopping thing over there in the US? Might want to look it over before handing it to your loved one.

Alternatively, just buy a Mac and don't deal with this nonsense.
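As an added illustration of the check the EFF item points to (this is not the EFF's, Dell's or OSNews' own code), the PowerShell below walks the Windows root stores and flags two things: a root certificate whose subject matches the eDellRoot name from the article, and, more generally, any trusted root whose private key is present on the machine. That second condition is the common thread of the Superfish and eDellRoot cases, where the same private key was shipped to every affected computer. The subject match on the string "eDellRoot" is an assumption based on the name given in the article; the store paths and certificate properties are standard Windows PowerShell.

```powershell
# Added example: scan the machine-wide and per-user trusted root stores for
# (a) the eDellRoot certificate named in the article, matched by subject, and
# (b) any trusted root that has a private key on this endpoint, which is the
# general symptom of the Superfish / eDellRoot class of problem.
$stores = 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root'

$findings = foreach ($store in $stores) {
    Get-ChildItem -Path $store | ForEach-Object {
        $reasons = @()
        # Assumption: the shipped certificate carries "eDellRoot" in its subject.
        if ($_.Subject -match 'eDellRoot') {
            $reasons += 'subject matches eDellRoot'
        }
        # A trusted root should never have its private key on an end-user machine;
        # anyone holding that key can mint certificates the machine will trust.
        if ($_.HasPrivateKey) {
            $reasons += 'private key present on this machine'
        }
        if ($reasons.Count -gt 0) {
            [PSCustomObject]@{
                Store      = $store
                Subject    = $_.Subject
                Thumbprint = $_.Thumbprint
                NotAfter   = $_.NotAfter
                Reason     = ($reasons -join '; ')
            }
        }
    }
}

if ($findings) {
    $findings | Format-Table -AutoSize
} else {
    Write-Output 'No eDellRoot subject and no trusted root with a local private key found.'
}
```

Run it in an elevated PowerShell session so the LocalMachine store is fully readable. A hit on the private-key condition is not automatically malicious (a developer or corporate CA installed locally will trip it too), but every such entry deserves a look, because a trusted root with a resident private key is exactly the condition that lets a third party impersonate any HTTPS site or sign code the system will accept.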

Email from a married, female Ashley Madison user

Ever since I wrote on Thursday about the Ashley Madison hack and resulting reactions and consequences, I've heard from dozens of people who used the site. They offer a remarkably wide range of reasons for having done so. I'm posting below one email I received that I find particularly illuminating, which I very lightly edited to correct a few obvious typographical errors.

It gets even worse than this email. There are gay men and women in countries where being gay is punishable by death, who were using this site to meet other gay men and women, in secret. This hack will out them, possibly leading to their death.

This hack and spreading of private information is just as bad as any other, similar hack. Despicable as it is, cheating is not a crime, and even if it were, do we really want to live in a world with mob justice? And yes, the parent company in this particular case isn't exactly of clear conscience, but that's no reason to throw its users under the bus - or have them murdered by barbaric, mediaeval governments.

I know a lot of people like the world to be black and white, because it's simple, easy to understand, and doesn't strain the brain. Sadly for them, that's not how the world works.

Thunderstrike 2: Mac firmware worm details

This is the annotated transcript of our DefCon 23/BlackHat 2015 talk, which presented the full details of Thunderstrike 2, the first firmware worm for Apple's Macs that can spread via both software and Thunderbolt hardware accessories and writes itself to the boot flash on the system's motherboard. The original slides are available.

While I think it's unlikely this worm will pose any real threat in the real world, I find it amazing that we're living in a world where this is possible in the first place.

Online dating website for cheaters gets hacked

Ashley Madison, an online dating website that specifically targets people looking to have an affair, has been hacked by a group that calls itself Impact Team. A cache of data has been released by the Impact Team, including user profiles, company financial records, and "other proprietary information." The company's CEO, Noel Biderman, confirmed to KrebsOnSecurity that they had been hacked, but did not speak about the extent of the breach.

I'm really surprised by the number of comments online stating that this is not a problem, because they're just "cheaters" anyway, so they don't deserve privacy, right?

Cheating on your "loved" one is despicable, low, and disgusting (and an immediate, unequivocal relationship/friendship termination in my book), but one, it's not illegal, and two, even if it were, mob justice is not the way to go. This hack and possible release of personal information is just as bad as any other hack.

Hacking Team Android App Could Bypass Google Play Code Review

"Security researchers at Trend Micro's Trend Labs have uncovered a trick in a sample of a fake news application for Android created by the network exploitation tool provider Hacking Team that may have allowed the company's customers to sneak spyware through the Google Play store's code review. While the application in question may have only been downloaded fewer than 50 times from Google Play, the technique may have been used in other Android apps developed for Hacking Team customers--and may now be copied by others trying to get malware onto Android devices." OSNews readers would never have fallen for this ruse, since the name of the app was BeNews. Once we noticed there was nothing about BeOS in it, we discerned its nefarious intent.

Hacking Team hacked, attackers claim 400GB in dumped data

On Sunday, while most of Twitter was watching the Women's World Cup - an amazing game from start to finish - one of the world's most notorious security firms was being hacked.

Specializing in surveillance technology, Hacking Team is now learning how it feels to have their internal matters exposed to the world, and privacy advocates are enjoying a bit of schadenfreude at their expense.

Hacking Team is an Italian company that sells intrusion and surveillance tools to governments and law enforcement agencies.

Feels poetic.

‘Cyber is just pounding me from every direction’

Texas representative John Carter, chairman of the subcommittee on Homeland Security appropriations, and who sits on various other defense-related subcommittees, is hearing about cyber a lot these days. As he put it, "cyber is just pounding me from every direction." That's just the first few seconds of the very entertaining video, where Carter tries to find the right words to express his concern over new encryption standards from Apple and others.

You may laugh about this, but... These are the people running the most powerful military in the world.

The CIA campaign to steal Apple’s secrets

Researchers working with the Central Intelligence Agency have conducted a multi-year, sustained effort to break the security of Apple's iPhones and iPads, according to top-secret documents obtained by The Intercept.

The security researchers presented their latest tactics and achievements at a secret annual gathering, called the "Jamboree," where attendees discussed strategies for exploiting security flaws in household and commercial electronics. The conferences have spanned nearly a decade, with the first CIA-sponsored meeting taking place a year before the first iPhone was released.

Outrage something something not surprised exclamation point.

The great SIM heist

American and British spies hacked into the internal computer network of the largest manufacturer of SIM cards in the world, stealing encryption keys used to protect the privacy of cellphone communications across the globe, according to top-secret documents provided to The Intercept by National Security Agency whistleblower Edward Snowden.

The hack was perpetrated by a joint unit consisting of operatives from the NSA and its British counterpart Government Communications Headquarters, or GCHQ. The breach, detailed in a secret 2010 GCHQ document, gave the surveillance agencies the potential to secretly monitor a large portion of the world’s cellular communications, including both voice and data.

The company targeted by the intelligence agencies, Gemalto, is a multinational firm incorporated in the Netherlands that makes the chips used in mobile phones and next-generation credit cards. Among its clients are AT&T, T-Mobile, Verizon, Sprint and some 450 wireless network providers around the world. The company operates in 85 countries and has more than 40 manufacturing facilities. One of its three global headquarters is in Austin, Texas and it has a large factory in Pennsylvania.

The Americans and British hacking into a Dutch company's private network to steal information so they can spy on pretty much everyone. And we call them our "allies". This is way, way worse than whatever the North Koreans supposedly did to Sony.

In a just world, the people responsible for this act of aggression would be dragged to The Hague to face justice. Alas - we do not live in a just world. My own Dutch government will sweep this under the rug after some fake posturing for the electorate, and that's that.

Russian researchers expose breakthrough in US spying program

The U.S. National Security Agency has figured out how to hide spying software deep within hard drives made by Western Digital, Seagate, Toshiba and other top manufacturers, giving the agency the means to eavesdrop on the majority of the world's computers, according to cyber researchers and former operatives.

That long-sought and closely guarded ability was part of a cluster of spying programs discovered by Kaspersky Lab, the Moscow-based security software maker that has exposed a series of Western cyberespionage operations.

Google reveals third unpatched 90-day Windows vulnerability

Microsoft has heavily criticized Google and its 90-day security disclosure policy after the firm publicly revealed two zero-day vulnerabilities in Microsoft's Windows 8.1 operating system one after another, just days before Microsoft planned to issue a patch to kill the bugs. But, seemingly, Google doesn't give a damn.

Once again, Google has publicly disclosed a new serious vulnerability in Windows 7 and Windows 8.1 before Microsoft has been able to produce a patch, leaving users of both the operating systems exposed to hackers until next month, when the company plans to deliver a fix.

First, this article makes the usual mistake of calling these vulnerabilities "zero day". They are not zero day. They are 90 day. A huge difference that changes the entire context of the story. Microsoft gets 90 days - three months - to address these issues. I do not see why Google has to account for Microsoft's inflexible security policies which leave users in the lurch.

Second, note that Google also disclosed two OS X vulnerabilities alongside the Windows one. Nobody seems to be talking about those.

Third, Google, how about addressing your own security problems?

How Verizon and Turn defeat browser privacy protections

Verizon advertising partner Turn has been caught using Verizon Wireless's UIDH tracking header to resurrect deleted tracking cookies and share them with dozens of major websites and ad networks, forming a vast web of non-consensual online tracking. Explosive research from Stanford security expert Jonathan Mayer shows that, as we warned in November, Verizon's UIDH header is being used as an undeletable perma-cookie that makes it impossible for customers to meaningfully control their online privacy.

A virtually unchecked and unbound company with near-monopoly status in many US areas doing something scummy? I am so surprised.

Flaw discovered that could let anyone listen to your cell calls

German researchers have discovered security flaws that could let hackers, spies and criminals listen to private phone calls and intercept text messages on a potentially massive scale - even when cellular networks are using the most advanced encryption now available.

The flaws, to be reported at a hacker conference in Hamburg this month, are the latest evidence of widespread insecurity on SS7, the global network that allows the world's cellular carriers to route calls, texts and other services to each other. Experts say it's increasingly clear that SS7, first designed in the 1980s, is riddled with serious vulnerabilities that undermine the privacy of the world’s billions of cellular customers.

Home Network Insecurity

Is your home wireless network secure? On a drive about town, I noticed that about one fifth of home routers are completely open and perhaps half are under-secured.

Used to be, this was because home users didn't know how to configure their routers. But now, Comcast is turning home networks into public hotspots unless customers -- few of whom even know about this -- specifically opt out. This article discusses the problems with this.

U.S. courts may hold you responsible if someone uses your wireless network -- without your knowledge or permission -- to illegally download music, movies, or software. People have even been raided by SWAT teams and convicted for downloading child pornography.

Is Comcast's project a bold move towards free wi-fi everywhere? Or is it a security outrage?

Meanwhile, here's a simple tutorial on how to secure your home wireless network.