Privacy, Security Archive

Email from a married, female Ashley Madison user

Thom Holwerda 2015-08-25 Privacy, Security 13 Comments

Ever since I wrote on Thursday about the Ashley Madison hack and resulting reactions and consequences, I've heard from dozens of people who used the site. They offer a remarkably wide range of reasons for having done so. I'm posting below one email I received that I find particularly illuminating, which I very lightly edited to correct a few obvious typographical errors.

It gets even worse than this email. There are gay men and women in countries where being gay is punishable by death, who were using this site to meet other gay men and women, in secret. This hack will out them, possibly leading to their death.

This hack and spreading of private information is just as bad as any other, similar hacks. Despicable as it is, cheating is not a crime, and even if it were, do we really want to live in a world with mob justice? And yes, the parent company in this particular case isn't exactly of clear conscience, but that's no reason to throw its users under the bus - or have them murdered by barbaric, mediaeval governments.

I know a lot of people like the world to be black and white, because it's simple, easy to understand, and doesn't strain the brain. Sadly for them, that's not how the world works.

Thunderstrike 2: Mac firmware worm details

Thom Holwerda 2015-08-11 Privacy, Security 5 Comments

This is the annotated transcript of our DefCon 23/BlackHat 2015 talk, which presented the full details of Thunderstrike 2, the first firmware worm for Apple's Macs that can spread via both software or Thunderbolt hardware accessories and writes itself to the boot flash on the system's motherboard. The original slides are available.

While I think it's unlikely this worm will pose any real threat in the real world, I find it amazing that we're living in a world where this is possible in the first place.

Online dating website for cheaters gets hacked

Thom Holwerda 2015-07-20 Privacy, Security 36 Comments

Ashley Madison, an online dating website that specifically targets people looking to have an affair, has been hacked by a group that calls itself Impact Team. A cache of data has been released by the Impact Team, including user profiles, company financial records, and "other proprietary information." The company's CEO, Noel Bilderman, confirmed with KrebsOnSecurity that they had been hacked, but did not speak about the extent of the breach.

I'm really surprised by the amount of comments online stating that this is not a problem, because they're just "cheaters" anyway, so they don't deserve privacy, right?

Cheating on your "loved" one is despicable, low, and disgusting (and an immediate, unequivocal relationship/friendship termination in my book), but one, it's not illegal, and two, even if it were, mob justice is not the way to go. This hack and possible release of personal information is just as bad as any other hack.

Hacking Team Android App Could Bypass Google Play Code Review

David Adams 2015-07-17 Privacy, Security No Comments

"Security researchers at Trend Micro's Trend Labs have uncovered a trick in a sample of a fake news application for Android created by the network exploitation tool provider Hacking Team that may have allowed the company's customers to sneak spyware through the Google Play store's code review. While the application in question may have only been downloaded fewer than 50 times from Google Play, the technique may have been used in other Android apps developed for Hacking Team customers--and may now be copied by others trying to get malware onto Android devices." OSNews readers would have never fallen for this ruse, since the name of the app was BeNews. Once we noticed there was nothing about BeOS in these, we discern its nefarious intent.

Apple Adds Two Factor Authentication to OS X and iOS

David Adams 2015-07-09 Privacy, Security 15 Comments

Apple wants to make OS X El Capitan and iOS 9 less susceptible to attackers, so it's introducing a new two-factor authentication system to both operating systems. The new authentication system will be available in the public betas for both operating systems.

Hacking Team hacked, attackers claim 400GB in dumped data

Thom Holwerda 2015-07-06 Privacy, Security 20 Comments

On Sunday, while most of Twitter was watching the Women's World Cup - an amazing game from start to finish - one of the world's most notorious security firms was being hacked.

Specializing in surveillance technology, Hacking Team is now learning how it feels to have their internal matters exposed to the world, and privacy advocates are enjoying a bit of schadenfreude at their expense.

Hacking Team is an Italian company that sells intrusion and surveillance tools to governments and law enforcement agencies.

Feels poetic.

‘Cyber is just pounding me from every direction’

Thom Holwerda 2015-03-27 Privacy, Security 37 Comments

Texas representative John Carter, chairman of the subcommittee on Homeland Security appropriations, and who sits on various other defense-related subcommittees, is hearing about cyber a lot these days. As he put it, "cyber is just pounding me from every direction." That's just the first few seconds of the very entertaining video, where Carter tries to find the right words to express his concern over new encryption standards from Apple and others.

You may laugh about this, but... These are the people running the most powerful military of the world.

Guest post by Alfman 2015-03-23 Privacy, Security 7 Comments

The annual Pwn2Own hacking competition wrapped up its 2015 event in Vancouver with another banner year, paying $442,000 for 21 critical bugs in all four major browsers, as well as Windows, Adobe Flash, and Adobe Reader.

The CIA campaign to steal Apple’s secrets

Thom Holwerda 2015-03-10 Privacy, Security 19 Comments

Researchers working with the Central Intelligence Agency have conducted a multi-year, sustained effort to break the security of Apple's iPhones and iPads, according to top-secret documents obtained by The Intercept.

The security researchers presented their latest tactics and achievements at a secret annual gathering, called the "Jamboree," where attendees discussed strategies for exploiting security flaws in household and commercial electronics. The conferences have spanned nearly a decade, with the first CIA-sponsored meeting taking place a year before the first iPhone was released.

Outrage something something not surprised exclamation point.

The great SIM heist

Thom Holwerda 2015-02-19 Privacy, Security 65 Comments

American and British spies hacked into the internal computer network of the largest manufacturer of SIM cards in the world, stealing encryption keys used to protect the privacy of cellphone communications across the globe, according to top-secret documents provided to The Intercept by National Security Agency whistleblower Edward Snowden.

The hack was perpetrated by a joint unit consisting of operatives from the NSA and its British counterpart Government Communications Headquarters, or GCHQ. The breach, detailed in a secret 2010 GCHQ document, gave the surveillance agencies the potential to secretly monitor a large portion of the world’s cellular communications, including both voice and data.

The company targeted by the intelligence agencies, Gemalto, is a multinational firm incorporated in the Netherlands that makes the chips used in mobile phones and next-generation credit cards. Among its clients are AT&T, T-Mobile, Verizon, Sprint and some 450 wireless network providers around the world. The company operates in 85 countries and has more than 40 manufacturing facilities. One of its three global headquarters is in Austin, Texas and it has a large factory in Pennsylvania.

The Americans and British hacking into a Dutch company's private network to steal information so they can spy on pretty much everyone. And we call them our "allies". This is way, way worse than whatever the North-Koreans supposedly did to Sony.

In a just world, the people responsible for this act of aggression would be dragged to The Hague to face justice. Alas - we do not live in a just world. My own Dutch government will sweep this under the rug after some fake posturing for the electorate, and that's that.

Submitted by zhengiszen 2015-02-18 Privacy, Security 47 Comments

The U.S. National Security Agency has figured out how to hide spying software deep within hard drives made by Western Digital, Seagate, Toshiba and other top manufacturers, giving the agency the means to eavesdrop on the majority of the world's computers, according to cyber researchers and former operatives.

That long-sought and closely guarded ability was part of a cluster of spying programs discovered by Kaspersky Lab, the Moscow-based security software maker that has exposed a series of Western cyberespionage operations.

Submitted by Alfman 2015-01-19 Privacy, Security 46 Comments

Microsoft has heavily criticized Google and its 90-days security disclosure policy after the firm publicly revealed two zero-day vulnerabilities in Microsoft's Windows 8.1 operating system one after one just days before Microsoft planned to issue a patch to kill the bugs. But, seemingly Google don't give a damn thought.

Once again, Google has publicly disclosed a new serious vulnerability in Windows 7 and Windows 8.1 before Microsoft has been able to produce a patch, leaving users of both the operating systems exposed to hackers until next month, when the company plans to deliver a fix.

First, this article makes the usual mistake of calling these vulnerabilities "zero day". They are not zero day. They are 90 day. A huge difference that changes the entire context of the story. Microsoft gets 90 days - three months - to address these issues. I do not see why Google has to account for Microsoft's inflexible security policies which leave users in the lurch.

Second, note that Google also disclosed two OS X vulnerabilities alongside the Windows one. Nobody seems to be talking about those.

Third, Google, how about addressing your own security problems.

How Verizon and Turn defeat browser privacy protections

Thom Holwerda 2015-01-15 Privacy, Security 19 Comments

Verizon advertising partner Turn has been caught using Verizon Wireless's UIDH tracking header to resurrect deleted tracking cookies and share them with dozens of major websites and ad networks, forming a vast web of non-consensual online tracking. Explosive research from Stanford security expert Jonathan Mayer shows that, as we warned in November, Verizon's UIDH header is being used as an undeletable perma-cookie that makes it impossible for customers to meaningfully control their online privacy.

A virtually unchecked and unbound company with near-monopoly status in many US areas doing something scummy? I am so surprised.

Thunderstrike: firmware vulnerability in Apple’s EFI

Thom Holwerda 2015-01-01 Privacy, Security 20 Comments

This is an annotated version of my 31C3 talk on Thunderstrike, a significant firmware vulnerability in Apple's EFI firmware that allows untrusted code to be written to the boot ROM and can resist attempts to remove it.

Very detailed write-up on this remarkable vulnerability.

Guest post by twitterfire 2014-12-20 Privacy, Security 15 Comments

German researchers have discovered security flaws that could let hackers, spies and criminals listen to private phone calls and intercept text messages on a potentially massive scale - even when cellular networks are using the most advanced encryption now available.

The flaws, to be reported at a hacker conference in Hamburg this month, are the latest evidence of widespread insecurity on SS7, the global network that allows the world's cellular carriers to route calls, texts and other services to each other. Experts say it's increasingly clear that SS7, first designed in the 1980s, is riddled with serious vulnerabilities that undermine the privacy of the world’s billions of cellular customers.

Home Network Insecurity

Howard Fosdick 2014-11-17 Privacy, Security 27 Comments

Is your home wireless network secure? On a drive about town, I noticed that about one fifth of home routers are completely open and perhaps half are under-secured.

Used to be, this was because home users didn't know how to configure their routers. But now, Comcast is turning home networksinto public hotspots unless customers -- few of whom even know about this -- specifically opt out.This article discusses the problems with this.

U.S. courts may hold you responsible if someone uses your wireless network -- without your knowledge or permission -- to illegally download music, movies, or software. People have even been raided by SWAT teamsand convicted for downloading child pornography.

Is Comcast's project a bold move towards free wi-fi everywhere? Or is it a security outrage?

Meanwhile, here's a simple tutorial on how to secure your home wireless network.

Guest post by jessesmith 2014-11-10 Privacy, Security 5 Comments

One common method attackers use when attempting to compromise a server is brute forcing login credentials. Given enough time, automated tools can guess a person's username and password, granting the attacker access to an unprotected server. To counter these sorts of attacks, where passwords are guessed by trial and error, several tools have been created. Utilities such as Fail2Ban and DenyHost monitor login attempts and automatically block the computers performing these types of attacks.

Last week the DenyHost project added a feature which allows the utility to block attacks by using the PF firewall. PF is typically used on the OpenBSD and FreeBSD operating systems to block or forward network traffic. The project's website reports:

DenyHost 2.9 adds one new feature, the ability to work with the PF packet filter, popular on BSD systems such as FreeBSD, OpenBSD, NetBSD, PC-BSD and TrueOS. The DenyHost daemon will now work with existing PF tables in real time, allowing administrators to block incoming secure shell connections at the firewall level. Examples of how to set up the appropriate PF rules and enable DenyHost to work with PF are available in the DenyHost configuration file (denyhosts.conf).

Submitted by M.Onty 2014-11-05 Privacy, Security 13 Comments

The new head of GCHQ , Robert Hannigan, has spoken out strongly against American Internet companies. The BBC reports: "His concerns appear to be twofold. Firstly the fact that militant organisations such as Islamic State (IS) are using Twitter, Facebook and WhatsApp to promote themselves and the increasing sophistication that extremists are showing in their use of such platforms. And secondly he is not happy about pledges from Microsoft, Google, Apple and Yahoo to make encryption a default option to protect users from government snooping."

Serious OS X Yosemite Vulnerability Discovered

David Adams 2014-11-03 Privacy, Security 9 Comments

Emil Kvarnhammar, a hacker at Swedish security firm Truesec, calls the vulnerability "rootpipe" and has explained how he found it and how you can protect against it. It's a so-called privilege escalation vulnerability, which means that even without a password an attacker could gain the highest level of access on a machine, known as root access. From there, the attacker has full control of the system. It affects the newest OS X release, version 10.10, known as Yosemite. Apple hasn't fixed the flaw yet, he says, so Truesec won't provide details yet of how it works.

Osquery From Facebook

David Adams 2014-10-30 Privacy, Security 1 Comment

Facebook released an open-source tool for monitoring operating system state changes across large infrastructures, which could help engineers quickly diagnose performance and security issues.