Privacy, Security Archive

Flaw discovered that could let anyone listen to your cell calls

German researchers have discovered security flaws that could let hackers, spies and criminals listen to private phone calls and intercept text messages on a potentially massive scale - even when cellular networks are using the most advanced encryption now available.

The flaws, to be reported at a hacker conference in Hamburg this month, are the latest evidence of widespread insecurity on SS7, the global network that allows the world's cellular carriers to route calls, texts and other services to each other. Experts say it's increasingly clear that SS7, first designed in the 1980s, is riddled with serious vulnerabilities that undermine the privacy of the world’s billions of cellular customers.

Home Network Insecurity

Is your home wireless network secure? On a drive about town, I noticed that about one fifth of home routers are completely open and perhaps half are under-secured.

Used to be, this was because home users didn't know how to configure their routers. But now, Comcast is turning home networks into public hotspots unless customers -- few of whom even know about this -- specifically opt out. This article discusses the problems with this.

U.S. courts may hold you responsible if someone uses your wireless network -- without your knowledge or permission -- to illegally download music, movies, or software. People have even been raided by SWAT teams and convicted for downloading child pornography.

Is Comcast's project a bold move towards free wi-fi everywhere? Or is it a security outrage?

Meanwhile, here's a simple tutorial on how to secure your home wireless network.

DenyHost adds support for PF firewall

One common method attackers use when attempting to compromise a server is brute forcing login credentials. Given enough time, automated tools can guess a person's username and password, granting the attacker access to an unprotected server. To counter these sorts of attacks, where passwords are guessed by trial and error, several tools have been created. Utilities such as Fail2Ban and DenyHost monitor login attempts and automatically block the computers performing these types of attacks.

Last week the DenyHost project added a feature which allows the utility to block attacks by using the PF firewall. PF is typically used on the OpenBSD and FreeBSD operating systems to block or forward network traffic. The project's website reports:

DenyHost 2.9 adds one new feature, the ability to work with the PF packet filter, popular on BSD systems such as FreeBSD, OpenBSD, NetBSD, PC-BSD and TrueOS. The DenyHost daemon will now work with existing PF tables in real time, allowing administrators to block incoming secure shell connections at the firewall level. Examples of how to set up the appropriate PF rules and enable DenyHost to work with PF are available in the DenyHost configuration file (denyhosts.conf).

GCHQ: Silicon Valley is Terrorist “Command and Control” Network

The new head of GCHQ, Robert Hannigan, has spoken out strongly against American Internet companies. The BBC reports: "His concerns appear to be twofold. Firstly the fact that militant organisations such as Islamic State (IS) are using Twitter, Facebook and WhatsApp to promote themselves and the increasing sophistication that extremists are showing in their use of such platforms. And secondly he is not happy about pledges from Microsoft, Google, Apple and Yahoo to make encryption a default option to protect users from government snooping."

Serious OS X Yosemite Vulnerability Discovered

Emil Kvarnhammar, a hacker at Swedish security firm Truesec, calls the vulnerability "rootpipe" and has explained how he found it and how you can protect against it. It's a so-called privilege escalation vulnerability, which means that even without a password an attacker could gain the highest level of access on a machine, known as root access. From there, the attacker has full control of the system. It affects the newest OS X release, version 10.10, known as Yosemite. Apple hasn't fixed the flaw yet, he says, so Truesec won't provide details yet of how it works.

What is the Shellshock Bash bug and why does it matter?

By now you may have heard about a new bug found in the Bash shell. And unless you're a programmer or security expert, you're probably wondering if you should really worry. The short answer is: Don't panic, but you should definitely learn more about it, because you may be in contact with vulnerable devices.

This bug, baptized "Shellshock" by security researchers, affects the Unix command shell "Bash," which happens to be one of the most common applications in those systems. That includes any machine running Mac OS X or Linux.

A very simple and straightforward explanation of this major new security issue. The OSNews servers were updated yesterday.

After Apple, Google also makes encryption default in Android L

Two good pieces of news today. Both Apple and Google have announced that the most recent versions of their mobile operating systems will encrypt user data by default. Google:

The next generation of Google's Android operating system, due for release next month, will encrypt data by default for the first time, the company said Thursday, raising yet another barrier to police gaining access to the troves of personal data typically kept on smartphones.

Android has offered optional encryption on some devices since 2011, but security experts say few users have known how to turn on the feature. Now Google is designing the activation procedures for new Android devices so that encryption happens automatically; only somebody who enters a device's password will be able to see the pictures, videos and communications stored on those smartphones.

And Apple:

Rather than comply with binding court orders, Apple has reworked its latest encryption in a way that prevents the company - or anyone but the device's owner - from gaining access to the vast troves of user data typically stored on smartphones or tablet computers.

The key is the encryption that Apple mobile devices automatically put in place when a user selects a passcode, making it difficult for anyone who lacks that passcode to access the information within, including photos, e-mails and recordings.

Xiaomi fixes privacy leak on Redmi 1s

A recent article in Taiwan and a related report by F-Secure raised privacy concerns by stating that Xiaomi devices are sending phone numbers to Xiaomi's servers. These concerns refer to the MIUI Cloud Messaging service described above. As we believe it is our top priority to protect user data and privacy, we have decided to make MIUI Cloud Messaging an opt-in service and no longer automatically activate users. We have scheduled an OTA system update for today (Aug 10th) to implement this change. After the upgrade, new users or users who factory reset their devices can enable the service by visiting "Settings > Mi Cloud > Cloud Messaging" from their home screen or "Settings > Cloud Messaging" inside the Messaging app - these are also the places where users can turn off Cloud Messaging.

We apologize for any concern caused to our users and Mi fans. We would also like to thank the media and users who have been sending us feedback and suggestions, allowing us to improve and provide better Internet services.

Fast response, but it's exactly this kind of shitty behaviour that especially a Chinese company simply cannot afford out here in the west. If Microsoft, Apple, or Google does something like this, they'll have armies of defenders and a huge PR department to solve it. Upcoming Chinese companies are generally much, much leaner and do not have that at all.

In any case, you're generally much better off with a custom ROM anyway, and this is just yet another reason.

Ars reviews the Blackphone

Ars Technica reviews the BlackPhone, a device which claims to be much more secure than other smartphones.

After configuring the various pieces of Blackphone's privacy armor, it was time to check it for leaks. I connected my loaner phone to a Wi-Fi access point that was set up to perform a packet capture of my traffic, and we started to walk through the features. I also launched a few Wi-Fi attacks on the phone in an attempt to gather data from it.

For my last trick, I unleashed a malicious wireless access point on Blackphone, first passively listening and then actively trying to get it to connect. While I did capture the MAC address of the phone’s Wi-Fi interface passively, I was unable to get it to fall for a spoofed network or even give up the names of its trusted networks.

So, we've verified it: Blackphone is pretty damn secure.

A very disappointing test of the essential claim to fame of this smartphone. All Ars has done is confirm it does not leak data - something you can easily achieve on any phone. This review does not spend a single word on the baseband operating system of the device, which is a crucial part of any smartphone that we know little about. There's no indication whatsoever that the baseband operating system used by the NVIDIA chipset inside the Blackphone is in any way more secure than that of others.

Unless we have a truly open baseband processor, the idea of a secure phone for heroes like Edward Snowden will always be a pipe dream. I certainly commend Blackphone's effort, but there's a hell of a lot more work to be done.

‘Chinese Android smartphone shipped with spyware’

A Chinese no-name Galaxy S4 knock-off allegedly comes pre-loaded with spyware:

For the first time ever, the experts at the German security vendor have discovered a smartphone that comes with extensive spyware straight from the factory. The malware is disguised as the Google Play Store and is part of the pre-installed Android apps. The spyware runs in the background and cannot be detected by users. Unbeknownst to the user, the smartphone sends personal data to a server located in China and is able to covertly install additional applications.

The news comes from a security firm, so take it with a grain of salt, but still - this is exactly the kind of stuff legitimate Chinese manufacturers really do not want.

OpenBSD forks, prunes, fixes OpenSSL

Members of the OpenBSD project, already known for the OpenBSD operating system and related projects such as OpenSSH, OpenBGPD, OpenNTPD, OpenSMTPD, are creating a fork of the OpenSSL project, likely to be called LibreSSL. (OpenSSL and OpenBSD are completely separate projects with different people working on them.)

Apparently, the focus is not so much on taking OpenSSL into a completely different direction, but more on a massive code cleanup and long-overdue maintenance.

NSA said to exploit Heartbleed bug for intelligence for years

The U.S. National Security Agency knew for at least two years about a flaw in the way that many websites send sensitive information, now dubbed the Heartbleed bug, and regularly used it to gather critical intelligence, two people familiar with the matter said.

The NSA's decision to keep the bug secret in pursuit of national security interests threatens to renew the rancorous debate over the role of the government’s top computer experts.

I'm so surprised.

Update: NSA denies.

On that supposed backdoor in Samsung devices

First it was a huge backdoor, then it turned out not to be a big deal. Whatever is the case with this issue with Samsung phones - it only serves to highlight what I wrote about several months ago:

It's kind of a sobering thought that mobile communications, the cornerstone of the modern world in both developed and developing regions, pivots around software that is of dubious quality, poorly understood, entirely proprietary, and wholly insecure by design.

Whether or not this is actually a huge security issue, I don't care - it just further highlights the dire need for a properly and truly open baseband firmware.

On hacking microSD cards

Remember when I wrote about how your mobile phone runs two operating systems, one of which is a black box we know and understand little about, ripe for vulnerabilities? As many rightfully pointed out in the comments - it's not just mobile phones that have tiny processors for specific tasks embedded in them. As it turns out, memory cards have microprocessors too - and yes, they can be cracked for remote code execution too.

Today at the Chaos Computer Congress (30C3), xobs and I disclosed a finding that some SD cards contain vulnerabilities that allow arbitrary code execution - on the memory card itself. On the dark side, code execution on the memory card enables a class of MITM (man-in-the-middle) attacks, where the card seems to be behaving one way, but in fact it does something else. On the light side, it also enables the possibility for hardware enthusiasts to gain access to a very cheap and ubiquitous source of microcontrollers.

There's so much computing power hidden in the dark.