Privacy, Security Archive

Ahmed Mansoor is an internationally recognized human rights defender, based in the United Arab Emirates (UAE), and recipient of the Martin Ennals Award (sometimes referred to as a “Nobel Prize for human rights”). On August 10 and 11, 2016, Mansoor received SMS text messages on his iPhone promising “new secrets” about detainees tortured in UAE jails if he clicked on an included link. Instead of clicking, Mansoor sent the messages to Citizen Lab researchers. We recognized the links as belonging to an exploit infrastructure connected to NSO Group, an Israel-based “cyber war” company that sells Pegasus, a government-exclusive “lawful intercept” spyware product. NSO Group is reportedly owned by an American venture capital firm, Francisco Partners Management.

The ensuing investigation, a collaboration between researchers from Citizen Lab and from Lookout Security, determined that the links led to a chain of zero-day exploits (“zero-days”) that would have remotely jailbroken Mansoor’s stock iPhone 6 and installed sophisticated spyware. We are calling this exploit chain Trident. Once infected, Mansoor’s phone would have become a digital spy in his pocket, capable of employing his iPhone’s camera and microphone to snoop on activity in the vicinity of the device, recording his WhatsApp and Viber calls, logging messages sent in mobile chat apps, and tracking his movements.

Symantec and Norton are among the most popular security tools, but the U.S. Department of Homeland Security warns of critical flaws that could pose great risks.

A slew of corporate, government and personal computers are protected by Symantec, but are they really protected? Homeland Security believes there's reason to worry, and has issued a warning this week.

"Symantec and Norton branded antivirus products contain multiple vulnerabilities. Some of these products are in widespread use throughout government and industry," notes the alert. "Exploitation of these vulnerabilities could allow a remote attacker to take control of an affected system."

Let me be clear - Pokemon Go and Niantic can now:

• Read all your email
• Send email as you
• Access all your Google drive documents (including deleting them)
• Look at your search history and your Maps navigation history
• Access any private photos you may store in Google Photos
• And a whole lot more

What's more, given the use of email as an authentication mechanism (think "Forgot password" links) they now have a pretty good chance of gaining access to your accounts on other sites too.

The attack, which was targeted at US users, hit websites including the New York Times, the BBC, AOL and the NFL over the weekend. Combined, the targeted sites have traffic in the billions of visitors.

The malware was delivered through multiple ad networks, and used a number of vulnerabilities, including a recently-patched flaw in Microsoft's former Flash competitor Silverlight, which was discontinued in 2013.

Rep. Ted Lieu (D-CA) and Rep. Blake Farenthold (R-TX) are introducing a bill today to effectively override bad state-level encryption bills. The ENCRYPT Act of 2016, or by its longer name, the Ensuring National Constitutional Rights of Your Private Telecommunications Act, would preempt state and local government encryption laws. The two men said today they are "deeply concerned" that varying bills surrounding encryption would endanger the country as well as the competitiveness of American companies. The argument is that it wouldn't be easy or even feasible to tailor phone encryption capabilities for specific states.

On Thursday, tech giant Juniper Networks revealed in a startling announcement that it had found "unauthorized" code embedded in an operating system running on some of its firewalls.

The code, which appears to have been in multiple versions of the company's ScreenOS software going back to at least August 2012, would have allowed attackers to take complete control of Juniper NetScreen firewalls running the affected software. It also would allow attackers, if they had ample resources and skills, to separately decrypt encrypted traffic running through the Virtual Private Network, or VPN, on the firewalls.

The security community is particularly alarmed because at least one of the backdoors appears to be the work of a sophisticated nation-state attacker.

Earlier this year it was revealed that Lenovo was shipping computers preloaded with software called Superfish, which installed its own HTTPS root certificate on affected computers. That in and of itself wouldn't be so bad, except Superfish's certificates all used the same private key. That meant all the affected computers were vulnerable to a "man in the middle" attack in which an attacker could use that private key to eavesdrop on users' encrypted connections to websites, and even impersonate other websites.

Now it appears that Dell has done the same thing, shipping laptops pre-installed with an HTTPS root certificate issued by Dell, known as eDellRoot. The certificate could allow malicious software or an attacker to impersonate Google, your bank, or any other website. It could also allow an attacker to install malicious code that has a valid signature, bypassing Windows security controls. The security team for the Chrome browser appears to have already revoked the certificate. People can test if their computer is affected by the bogus certificate by following this link.

This is the annotated transcript of our DefCon 23/BlackHat 2015 talk, which presented the full details of Thunderstrike 2, the first firmware worm for Apple's Macs that can spread via both software or Thunderbolt hardware accessories and writes itself to the boot flash on the system's motherboard. The original slides are available.

Ashley Madison, an online dating website that specifically targets people looking to have an affair, has been hacked by a group that calls itself Impact Team. A cache of data has been released by the Impact Team, including user profiles, company financial records, and "other proprietary information." The company's CEO, Noel Bilderman, confirmed with KrebsOnSecurity that they had been hacked, but did not speak about the extent of the breach.

On Sunday, while most of Twitter was watching the Women's World Cup - an amazing game from start to finish - one of the world's most notorious security firms was being hacked.

Specializing in surveillance technology, Hacking Team is now learning how it feels to have their internal matters exposed to the world, and privacy advocates are enjoying a bit of schadenfreude at their expense.

Hacking Team is an Italian company that sells intrusion and surveillance tools to governments and law enforcement agencies.

The annual Pwn2Own hacking competition wrapped up its 2015 event in Vancouver with another banner year, paying $442,000 for 21 critical bugs in all four major browsers, as well as Windows, Adobe Flash, and Adobe Reader.

Researchers working with the Central Intelligence Agency have conducted a multi-year, sustained effort to break the security of Apple's iPhones and iPads, according to top-secret documents obtained by The Intercept.

The security researchers presented their latest tactics and achievements at a secret annual gathering, called the "Jamboree," where attendees discussed strategies for exploiting security flaws in household and commercial electronics. The conferences have spanned nearly a decade, with the first CIA-sponsored meeting taking place a year before the first iPhone was released.