Privacy, Security Archive

During preparation for a workshop at DEF CON in August on locating privacy leaks in network traffic, we discovered a number of applications on both iOS and Android that were broadcasting precise location data back to the applications' developers - in some cases in unencrypted formats. Research released late Friday by Sudo Security's Guardian mobile firewall team provided some confirmation to our findings - and demonstrated that many apps are sharing location data with firms that market location data information without the users' knowledge.

The US, UK, and three other governments have called on tech companies to build backdoors into their encrypted products, so that law enforcement will always be able to obtain access. If companies don't, the governments say they "may pursue technological, enforcement, legislative, or other measures" in order to get into locked devices and services.

Their statement came out of a meeting last week between nations in the Five Eyes pact, an intelligence sharing agreement between the US, UK, Canada, Australia, and New Zealand. The nations issued a statement covering a range of technology-related issues they face, but it was their remarks on encryption that stood out the most.

Some x86 CPUs have hidden backdoors that let you seize root by sending a command to an undocumented RISC core that manages the main CPU, security researcher Christopher Domas told the Black Hat conference here Thursday (Aug. 9).

The command - ".byte 0x0f, 0x3f" in Linux - "isn't supposed to exist, doesn't have a name, and gives you root right away," Domas said, adding that he calls it "God Mode."

The backdoor completely breaks the protection-ring model of operating-system security, in which the OS kernel runs in ring 0, device drivers run in rings 1 and 2, and user applications and interfaces ("userland") run in ring 3, furthest from the kernel and with the least privileges. To put it simply, Domas' God Mode takes you from the outermost to the innermost ring in four bytes.

In a press briefing just two weeks ago, Deputy Attorney General Rod Rosenstein announced that the grand jury assembled by Special Counsel Robert Mueller had returned an indictment against 12 officers of Russia's Main Intelligence Directorate of the Russian General Staff (better known as Glavnoye razvedyvatel'noye upravleniye, or GRU). The indictment was for conducting "active cyber operations with the intent of interfering in the 2016 presidential election."

The allegations are backed up by data collected from service provider logs, Bitcoin transaction tracing, and additional forensics. The DOJ also relied on information collected by US (and likely foreign) intelligence and law enforcement agencies. Reading between the lines, the indictment reveals that the Mueller team and other US investigators likely gained access to things like Twitter direct messages and hosting company business records and logs, and they obtained or directly monitored email messages associated with the GRU (and possibly WikiLeaks). It also appears that the investigation ultimately had some level of access to internal activities of two GRU offices.

Yet, after a summit meeting with Russia's President Vladimir Putin just days following the indictment, Trump publicly expressed doubt that Russia was involved. The president has said that Putin strongly denied any interference in the election - even as the United States' own director of national Iintelligence, Dan Coats, reiterated the conclusion that Russia was responsible for the attacks. With such rhetoric, Trump has continued to send mixed messages about the findings of his own intelligence and law enforcement teams, while seeming to put more stock in Putin's insistence that the Russian government had nothing to do with any of this.

After digging into this latest indictment, the evidence suggests Trump may not have made a very good call on this matter. But his blaming of the victims of the attacks for failing to have good enough security, while misguided, does strike on a certain truth: the Clinton campaign, the DNC, and DCC were poorly prepared for this sort of attack, failed to learn lessons from history, and ignored advice from some very knowledgeable third parties they enlisted for help.

The growing concern over online data and user privacy has been focused on tech giants like Facebook and devices like smartphones. But people's data is also increasingly being vacuumed right out of their living rooms via their televisions, sometimes without their knowledge.

In recent years, data companies have harnessed new technology to immediately identify what people are watching on internet-connected TVs, then using that information to send targeted advertisements to other devices in their homes. Marketers, forever hungry to get their products in front of the people most likely to buy them, have eagerly embraced such practices. But the companies watching what people watch have also faced scrutiny from regulators and privacy advocates over how transparent they are being with users.

Third-party app developers can read the emails of millions of Gmail users, a report from The Wall Street Journal highlighted today. Gmail’s access settings allows data companies and app developers to see people’s emails and view private details, including recipient addresses, time stamps, and entire messages. And while those apps do need to receive user consent, the consent form isn’t exactly clear that it would allow humans - and not just computers - to read your emails.

Verizon and AT&T have promised to stop selling their mobile customers' location information to third-party data brokers following a security problem that leaked the real-time location of US cell phone users.

For years, Facebook's sneakiest data-collector has been the "Like" button. Any site that wants Facebook traffic needs one, which means they're just about everywhere. And in order to work right, the button needs to log you in - which is to say, it needs to know who you are. How else would Facebook know who liked the post? Even if you don't click, Facebook registers that you loaded the button, which means they get a map of every Like-enabled site you've been to, just the kind of data that advertisers will pay to target against.

Today at WWDC, Apple took a direct shot at that system and Facebook itself. Onstage, Apple's VP of software Craig Federighi described Safari's new anti-tracking features in unusually confrontational terms.

"We've all seen these like buttons and share buttons," Federighi told the crowd. "Well it turns out, these can be used to track you, whether you click on them or not. So this year, we're shutting that down."

Your devices are tracking you all the time. You just don’t know it yet.

When you consent to sharing your data with many popular apps, you’re also allowing app developers to collect your data and sell it to third parties through trackers that supply advertisers with detailed information about where you live, work, and shop.

In November 2017, Yale Privacy Lab detected trackers in over 75% of the 300 Android apps it analyzed. A March 2018 study of 160,000 free Android apps found that more than 55% of trackers tried to extract user location, while 30% accessed the device’s contact list. And a 2015 analysis of 110 popular free mobile apps revealed that 47% of iOS apps shared geo-coordinates and other location data with third parties, and personally identifiable information, like names of users (provided by 18% of iOS apps), was also provided.

A coalition of Silicon Valley tech giants has doubled down on its criticism of encryption backdoors following a proposal that would give law enforcement access to locked and encrypted devices.

The group, which focuses on efforts to reform government surveillance, said in a statement that it continues to advocate for strong encryption, and decried attempts to undermine the technology.

We've been archiving a bunch of old Xerox Alto disk packs from the 1970s. A few of them turned out to be password-protected, so I needed to figure out how to get around the password protection. I've developed a way to disable password protection, as well as a program to find the password instantly.

Talos recently observed a case where the download servers used by software vendor to distribute a legitimate software package were leveraged to deliver malware to unsuspecting victims. For a period of time, the legitimate signed version of CCleaner 5.33 being distributed by Avast also contained a multi-stage malware payload that rode on top of the installation of CCleaner. CCleaner boasted over 2 billion total downloads by November of 2016 with a growth rate of 5 million additional users per week. Given the potential damage that could be caused by a network of infected computers even a tiny fraction of this size we decided to move quickly. On September 13, 2017 Cisco Talos immediately notified Avast of our findings so that they could initiate appropriate response activities. The following sections will discuss the specific details regarding this attack.

The European parliament's Committee on Civil Liberties, Justice and Home Affairs (LIBE) has put forward a proposal that would amend the EU's charter of fundamental rights to extend privacy rights to the digital realm and prevent governments of EU Member States from backdooring end-to-end encrypted services.

"This Regulation aims at ensuring an effective and equal protection of end-users when using functionally equivalent services, so as to ensure the protection of confidentiality, irrespective of the technological medium chosen," they write in the draft eprivacy proposal. "The protection of confidentiality of communications is also an essential condition for the respect of other related fundamental rights and freedoms, such as the protection of freedom of thought, conscience and religion, and freedom of expression and information."

On encryption the committee amends an earlier text, proposed by the EU's executive body, the European Commission, to state: "hen encryption of electronic communications data is used, decryption, reverse engineering or monitoring of such communications shall be prohibited. Member States shall not impose any obligations on electronic communications service providers that would result in the weakening of the security and encryption of their networks and services."

Microsoft's security team has come across a malware family that uses Intel's Active Management Technology (AMT) Serial-over-LAN (SOL) interface as a file transfer tool.

Because of the way the Intel AMT SOL technology works, SOL traffic bypasses the local computer's networking stack, so local firewalls or security products won't be able to detect or block the malware while it's exfiltrating data from infected hosts.