Categories
Links

1 million Google accounts compromised by Android malware called Gooligan

From Ars Technica:

Researchers say they’ve uncovered a family of Android-based malware that has compromised more than 1 million Google accounts, hundreds of them associated with enterprise users.

Gooligan, as researchers from security firm Check Point Software Technologies have dubbed the malware, has been found in at least 86 apps available in third-party marketplaces. Once installed, it uses a process known as rooting to gain highly privileged system access to devices running version 4 (Ice Cream Sandwich, Jelly Bean, and KitKat) and version 5 (Lollipop) of Google’s Android operating system. Together, the vulnerable versions account for about 74 percent of users.

Update: In a separate blog post also published Wednesday morning, Android security engineer Adrian Ludwig said he and other Google officials have worked closely with Check Point over the past few weeks to investigate Gooligan and to protect users against the threat it poses. He said there’s no evidence data was accessed from compromised accounts or that individual users were targeted. He also said Google has been using a service called Verify Apps to scan individual handsets for signs of Gooligan and other Ghost Push apps. When detected, device owners receive a warning and installations are halted.

“We’ve taken many actions to protect our users and improve the security of the Android ecosystem overall,” Ludwig wrote. “These include: revoking affected users’ Google Account tokens, providing them with clear instructions to sign back in securely, removing apps related to this issue from affected devices, deploying enduring Verify Apps improvements to protect users from these apps in the future and collaborating with ISPs to eliminate this malware altogether.”

While Google is taking this threat seriously – which is a good thing! – there is still the problem that handsets shipping without the Google Play Store will remain vulnerable to this and other kinds of malware unless those other app stores also warn their users. Even Google’s warning system is, really, chewing gum over a broader security issue: a huge majority of Android phones have an outdated version of Android installed and will likely never see operating system or security updates. These vulnerabilities will continue, unabated, until Google can actually force updates onto its partners. And history says that’s not likely to happen anytime soon.

Intelligence experts urge Obama to end Edward Snowden’s ‘untenable exile’

Intelligence experts urge Obama to end Edward Snowden’s ‘untenable exile’:

Fifteen former staff members of the Church committee, the 1970s congressional investigation into illegal activity by the CIA and other intelligence agencies, have written jointly to Obama calling on him to end Snowden’s “untenable exile in Russia, which benefits nobody”. Over eight pages of tightly worded argument, they remind the president of the positive debate that Snowden’s disclosures sparked – prompting one of the few examples of truly bipartisan legislative change in recent years.

They also remind Obama of the long record of leniency that has been shown by his own and previous administrations towards those who have broken secrecy laws. They even recall how their own Church committee revealed that six US presidents, from Franklin Roosevelt to Richard Nixon, were guilty of abusing secret powers.

“There is no question that Snowden broke the law. But previous cases in which others violated the same law suggest leniency. And most importantly, Snowden’s actions were not for personal benefit, but were intended to spur reform. And they did so,” the signatories write.

While anything is possible, I have pretty strong doubts that a pardon is coming from Obama. His White House has aggressively expanded the prosecution of whistleblowers and I’ve never, once, gotten the feeling that Obama was genuinely receptive to Snowden’s actions.

In many ways, several years of US foreign policy have been disrupted — and continue, to this date, to be disrupted — by Snowden’s actions. Given that this has an impact on Obama’s daily briefings and the capabilities of US foreign diplomats, I can’t imagine that Obama is likely to pardon Snowden. In fact, I suspect that Obama would argue that if Snowden had just revealed domestic surveillance activities then a pardon might be forthcoming: it’s the revelation of foreign activities that presumably prompts an executive body to assert that harm had in fact occurred, based on its ability to directly influence world affairs.

How a Grad Student Found Spyware That Could Control Anybody’s iPhone from Anywhere in the World

This is probably the best journalistic account of how current and past members of the Citizen Lab, in tandem with Lookout (a security company), identified the most significant vulnerability to ever target Apple devices.

How a Facial Recognition Mismatch Can Ruin Your Life

Via The Intercept:

“As an analytical scientist, whenever someone gives me absolute certainty, my red flag goes up,” said Jason Latham, who worked as a biochemist prior to becoming a forensic scientist and certified video examiner. “When I came from analytical sciences to forensic sciences, I was like some of these guys are not scientists. They are voodoo witchcraft.”

Forensic reports generally provide few details about the methods they use to arrive at points of similarity. But in Talley’s case, the FBI examiner’s report displayed a high degree of certainty. George Reis, a facial examiner who has testified more than 50 times for state, federal, and military courts throughout the country on forensic visual comparisons, pointed out that the report on Talley’s case was vague. “It is generally considered best practice to be specific in reports and to point out features of similarity, as well as differences, in any comparison illustration or chart,” Reis noted. “In the Talley case no such markings exist. The video frames that were used in the FBI illustration were of poor quality and limited value.”

Facial recognition: sorta fun if you’re using it for commercial stuff like tagging your friends, but really dangerous if it’s part of what is used to convict persons for crimes they’re alleged to have committed.

Looking For My Mother At The Bottom Of A Pot

Looking For My Mother At The Bottom Of A Pot is a beautiful personal essay on being away from family during major events. It’s worth every second it will take to read.

Finnish Residents Briefly Left in Cold After DDoS Attack

Per Motherboard:

Simo Rounela, CEO of Valtia, a Finnish company that manages the buildings, told Motherboard that the attack hit a DNS service; that is, servers that translate human-readable internet domain names into computer IP addresses.

Shortly after, Valtia received a number of alerts from one of their building’s automation systems, made by a company called Fidelix.

“Remote connection was not working, so went on-site for more inspections,” Rounela explained. The automated system controlling the heating, ventilation and hot water for the homes kept rebooting every 5 minutes. Eventually, it just didn’t boot-up anymore, he said.

We generally don’t understand the full impacts of connecting things to the Internet; it’s a hugely complex system that we can’t easily ‘fault test’ without breaking a lot of different services and systems. The result is that an attack on one aspect of the Internet – such as the DNS infrastructure – can have unexpected impacts around the world. It’s this potential for untold, and cross-national, impacts linked to cyber attacks that makes many of them so risky and dangerous to the general public.

RCMP is overstating Canada’s ‘surveillance lag’ | Toronto Star

From a piece that I wrote with Tamir Israel for the Toronto Star:

The RCMP has been lobbying the government behind the scenes for increased surveillance powers on the faulty premise that their investigative powers are lagging behind those of foreign police services.

The centrepiece of the RCMP’s pitch is captured in an infographic that purports to show foreign governments are legislating powers that are more responsive to investigative challenges posed by the digital world. On the basis of this comparison, the RCMP appears to have convinced the federal government to transform a process intended to curb the excesses of Bill C-51 into one dominated by proposals for additional surveillance powers.

The RCMP’s lobbying effort misleadingly leaves an impression that Canadian law enforcement efforts are being confounded by digital activities.

An op-ed that I published earlier this week with a colleague of mine, Tamir Israel, which calls out the RCMP for deliberately misleading the public with regard to government agencies’ existing surveillance powers and capabilities.

Hackers and Law Enforcement Could Hijack Wi-Fi Connections to Track Cellphones

From The Intercept:

But if the operator is O’Hanlon and not Verizon — that identity is compromised. “The IMSI is revealed during this interchange, during the early stages of the conversation. It’s not encrypted,” he says.

This type of activity is called passive monitoring, because it doesn’t require a specific active attack or malware. It only works in some cases, however.

O’Hanlon also developed a couple active attacks that would get the job done, one involving masquerading as the operator’s endpoint where the Wi-Fi call is being directed, and another using a man-in-the-middle attack to intercept it.

Apple is the only company that has taken steps to mitigate the privacy and security risk, he says — they added additional security protocols when he brought up the issue over the summer. It was addressed in iOS 10, though there are still ways to get around the protections. But the problem is less with the companies and more with the way the connections were set up in the first place.

Yet another time that Apple has dedicated engineering resources to better protect their customers whereas their major competitor has declined to do so. And this wasn’t even an Apple or Google problem, per se, but a protocol level issue.

Pleading the Case: How the RCMP Fails to Justify Calls for New Investigatory Powers

The powers that the government is proposing in its national security consultation — that all communications made by all Canadians be retained regardless of guilt, that all communications be accessible to state agencies on the basis that any Canadian could potentially commit a crime, that security of communications infrastructure should be secondary to government access to communications — are deeply disproportionate to the challenges government agencies are facing. The cases chosen by authorities to be selectively revealed to journalists do not reveal a crisis of policing but that authorities continue to face the ever-present challenges of how to prioritize cases, how to assign resources, and how to pursue investigations to conclusion. Authorities have never had a perfect view into the private lives of citizens and that is likely to continue to be the case, but they presently have a far better view into the lives of most citizens, using existing powers, than ever before in history.

The powers discussed in its consultation, and that the RCMP has implicitly argued for by revealing these cases, presume that all communications in Canada ought to be accessible to government agencies upon their demand. Implementing the powers outlined in the national security consultation would require private businesses to assume significant costs in order to intercept and retain any Canadian’s communications. And such powers would threaten the security of all Canadians — by introducing backdoors into Canada’s communications ecosystem — in order to potentially collect evidence pursuant to a small number of cases, while simultaneously exposing all Canadians to the prospect of criminals or foreign governments exploiting the backdoors the RCMP is implicitly calling for.

While the government routinely frames lawful interception, mandated decryption, and other investigatory powers as principally a ‘privacy-vs-security’ debate, the debate can be framed as one of ‘security-or-less-security’. Do Canadians want to endanger their daily communications and become less secure in their routine activities so that the RCMP and our security services can better intercept data they cannot read, or retain information they cannot process? Or do Canadians want the strongest security possible so that their businesses, personal relationships, religious observances, and other aspects of their daily life are kept safe from third parties who want to capture and exploit their sensitive and oftentimes confidential information? Do we want to be more safe from cybercriminals, or more likely to be victimized by them by providing powers to government agencies?

Secret Backdoor in Some U.S. Phones Sent Data to China, Analysts Say – NYTimes.com

From the New York Times:

International customers and users of disposable or prepaid phones are the people most affected by the software. But the scope is unclear. The Chinese company that wrote the software, Shanghai Adups Technology Company, says its code runs on more than 700 million phones, cars and other smart devices. One American phone manufacturer, BLU Products, said that 120,000 of its phones had been affected and that it had updated the software to eliminate the feature.

Kryptowire, the security firm that discovered the vulnerability, said the Adups software transmitted the full contents of text messages, contact lists, call logs, location information and other data to a Chinese server. The code comes preinstalled on phones and the surveillance is not disclosed to users, said Tom Karygiannis, a vice president of Kryptowire, which is based in Fairfax, Va. “Even if you wanted to, you wouldn’t have known about it,” he said.

The manufacturer of the American-branded phones didn’t know of this exfiltration vector. Consumers had no idea of the vector. And Google apparently had no idea that this data was being exfiltrated. But trust mobile devices for moderately-confidential work…