Categories
Links

Why DDoS attacks matter for journalists

Two reasons that journalists should be concerned about DDoS attacks:

First, while the use of common household devices to execute the attacks against Krebs and Dyn was novel, the hackers got control of those devices using one of the oldest and easiest methods out there: bad passwords, a vulnerability most journalists share.

The second reason journalists should attend to these attacks is that strategic use of both DDoS attacks (for example, recent attacks on Newsweek and the BBC) and DNS manipulation are common tools for censorship. This is in part because they are cheap, easy (the software credited with Friday’s attack was posted openly just a few weeks ago), and highly effective in preventing some or all internet users from accessing the content they target.

We’re at the edge of a particularly bad security chasm we’re just about to fall into (if we haven’t already!). The question is whether we can actually avoid the fall or whether the best we can do right now is lessen the hurt on the way down.


How one rent-a-botnet army of cameras, DVRs caused Internet chaos

Ars Technica:

But even in the midst of the Dyn attack, some of the Mirai-infected devices were being used to attack another target—the infrastructure of a gaming company, according to Allison Nixon, the director of security research at security company Flashpoint. That idea matches up with what others who had some insight into the attack have told Ars confidentially—that it was also pointed at Sony’s PlayStation Network, which uses Dyn as a name service provider.

For now, it’s not clear that the attacks on Dyn and the PlayStation Network were connected. And with a criminal investigation underway, a Dyn spokesperson declined to confirm or deny that Sony was also a target. “We are continuing to work closely with the law enforcement community to determine the root cause of the events that occurred during the DDoS attacks last Friday,” Adam Coughlin, Dyn’s director of corporate communications, told Ars. “Since this is an ongoing investigation, we cannot speculate on these events.”

Regardless of the reasons behind it, the attack on Dyn further demonstrates the potential disruptive power of the millions of poorly protected IoT devices. These items can be easily turned into a platform for attacking anything from individual websites to core parts of the Internet’s infrastructure. And Mirai has demonstrated that it doesn’t take “zero-day” bugs to make it happen; attackers only need poorly implemented security on devices that can’t be easily fixed.

This is definitely one of the best writeups of the DDoS attacks launched against Dyn last week, which led to the downtime of major Internet properties. If you want to understand some of the security-related issues associated with the Internet of Things, as well as the challenges of attributing attacks to different attack infrastructures and intents, this is worth your time.


Android phones rooted by “most serious” Linux escalation bug ever

Ars Technica:

Just as Dirty Cow has allowed untrusted users or attackers with only limited access to a Linux server to dramatically elevate their control, the flaw can allow shady app developers to evade Android defenses that cordon off apps from other apps and from core OS functions. The reliability of Dirty Cow exploits and the ubiquity of the underlying flaw makes it an ideal malicious root trigger, especially against newer devices running the most recent versions of Android.

“I would be surprised if someone hasn’t already done that this past weekend,” Manouchehri said.

Another week, another extremely serious Android vulnerability that will remain unpatched for the majority of consumers until they throw out their current Android phone and purchase another one (though even that new one might lack the patches!). I wonder what serious vulnerability will come through next week?


Alibaba’s Jack Ma Urges China to Use Data to Combat Crime

Bloomberg reporting on Alibaba’s Jack Ma:

In his speech, Ma stuck mainly to the issue of crime prevention. In Alibaba’s hometown of Hangzhou alone, the number of surveillance cameras may already surpass that of New York’s, Ma said. Humans can’t handle the sheer amount of data amassed, which is where artificial intelligence comes in, he added.

“The future legal and security system cannot be separated from the internet and big data,” Ma said.

In North America, we’re trialling automated bail systems, where the amount set and the likelihood of receiving bail are predicated on big data algorithms. While it’s important to look abroad and see what foreign countries are doing, we mustn’t forget what is being done here in the process.


Imagine if Donald Trump Controlled the NSA

Wired:

And exactly what could a President Trump do with the NSA? First, Hennessey says, there’s the question of what he could undo: He could, for instance, rescind the executive actions of President Obama aimed at reforming the NSA after Snowden’s revelations. Presidential Policy Directive 28, for example, issued in 2014, was designed to ensure that the NSA’s signals intelligence branch wouldn’t use its powers to promote American business interests or suppress political dissent abroad, and that it would minimize its invasion of the privacy of not just Americans but also non-Americans whenever possible. Trump could also defang or coopt the executive branch’s Privacy and Civil Liberties Oversight Board, which opposed and helped to end the NSA’s mass collection of Americans’ cell phone records last year.

More fundamentally, Hennessey and other former NSA staffers worry that Trump could redefine the priorities of the NSA’s foreign intelligence mission. He could, for instance, refocus American spying efforts to take the agency’s eyes off Russia and instead target that country’s adversaries, like Georgia, Ukraine, or even the European Union. Given Trump’s murky financial ties to Russia, it’s still not clear how he would approach its authoritarian government if he were to take power. “Trump has indicated he has unusual views about Vladimir Putin as an individual and Russian activity around the world that’s very problematic for the security interests of the US,” Hennessey says. “We shouldn’t underestimate the importance of the intelligence community’s high level priorities and the ability of the president to shift them.”

Despite what people believe, the NSA is significantly restrained in some of its activities as compared to its compatriots. As an example, there is still no evidence that the NSA conducts economic espionage for the purpose of enhancing specific American businesses’ interests. The United States does conduct economic espionage for trade and global threat assessments, but not to share the collected information with domestic businesses. A Trump presidency could change that and, in the process, truly blend best-of-class government surveillance with nationalist economic policies. While that might sound appealing to Americans, it could also initiate a full-scale trade war, and one in which the people of the world would likely come out far poorer.


More Thoughts on the Yahoo Scan

Marcy Wheeler:

To sum up: ex-Yahoo employees want this story to be about the technical recklessness of the request and Yahoo’s bureaucratic implementation of it. Government lawyers and spooks are happy to explain this was a traditional FISA order, but want to downplay the intrusiveness and recklessness of this by claiming it just involved adapting an existing scan. And intelligence committee members mistakenly believed this scan happened under Section 702, and wanted to make it a 702 renewal fight issue, but since appear to have learned differently.

This is the definitive summary of what Yahoo! (likely) did when it monitored all of its customers’ emails for the US government. Well worth the read for its content and, also, to see what goes into a critical media evaluation of an unfolding intelligence-related series of news stories.


Apple Logs Your iMessage Contacts — and May Share Them With Police

The Intercept:

Every time you type a number into your iPhone for a text conversation, the Messages app contacts Apple servers to determine whether to route a given message over the ubiquitous SMS system, represented in the app by those déclassé green text bubbles, or over Apple’s proprietary and more secure messaging network, represented by pleasant blue bubbles, according to the document. Apple records each query in which your phone calls home to see who’s in the iMessage system and who’s not.

This log also includes the date and time when you entered a number, along with your IP address — which could, contrary to a 2013 Apple claim that “we do not store data related to customers’ location,” identify a customer’s location. Apple is compelled to turn over such information via court orders for systems known as “pen registers” or “trap and trace devices,” orders that are not particularly onerous to obtain, requiring only that government lawyers represent they are “likely” to obtain information whose “use is relevant to an ongoing criminal investigation.” Apple confirmed to The Intercept that it only retains these logs for a period of 30 days, though court orders of this kind can typically be extended in additional 30-day periods, meaning a series of monthlong log snapshots from Apple could be strung together by police to create a longer list of whose numbers someone has been entering.

That Apple has to run a lookup to see whether to send a message securely using Messages or insecurely using SMS isn’t surprising. And the 30-day retention period is likely there to help iron out bugs associated with operating a global messaging system: when things go wonky (and they do…) engineers need some kind of data to troubleshoot what’s going on.

Importantly, Apple is not logging communications. Nor is it recording if you communicate with someone who is assigned a particular phone number. All that is retained is the lookup itself. So if you ever type in a wrong number that lookup is recorded, regardless of whether you communicate with whomever holds the number.

More troubling is the fact that Apple does not disclose this information when an individual formally requests copies of all the personal information that Apple retains about them. These lookups arguably constitute personal information, and data such as IP addresses certainly constitute personal information under Canadian law.

Apple, along with other tech companies, ought to release their lawful access guides so that users know and understand what information is accessible to authorities and under what terms. It isn’t enough to just disclose how often such requests are received and complied with: customers should be able to evaluate the terms under which Apple asserts it will, or will not, disclose that information in the first place.


Yahoo May Have Exposed Rogers Customer Emails to US Spies

Motherboard:

“Any program that scans all the mail that Yahoo has access to would have scanned this email,” Gillmor wrote me in a message.

“If Yahoo chose to segment their scanning by limiting it only to mails that have ‘@yahoo.com’ email addresses [and omitted those sent from @rogers.com], of course, then they would have chosen to exclude this email from the scan,” Gillmor continued. “It’s not clear to me whether any such constraint was in place, though.”

“I’d imagine that, yes, the program would have applied to Rogers customer emails, unless Yahoo elected to specifically exclude them,” wrote Marczak in an email.

Yahoo declined to comment on whether the alleged system filtered out emails from Rogers customers.

Tobi Cohen, a spokesperson for the Office of the Privacy Commissioner, confirmed that Rogers consulted the office in the wake of the Yahoo hack. But as far as the possibility that Rogers customer emails had been siphoned into a surveillance dragnet goes, “Given we don’t have detailed information about the matter, we are not in a position to comment,” Cohen wrote.

When asked if Rogers was aware of the allegations against Yahoo or if the company is concerned that a backdoor could have affected its customers, spokesperson Garas referred me to Yahoo’s statement and wrote that “as such, we believe this matter is closed.”

Great to know that Rogers thinks it shouldn’t (or, worse, doesn’t have to) explain how one of its contracted service providers may have grossly violated the privacy of Rogers’ customers.


Ottawa’s new mortgage rules will drive up rents in Toronto: study

The Globe & Mail:

Recent reforms to mortgage-insurance regulations announced last week by federal Finance Minister Bill Morneau will likely only add fuel to Toronto’s overheated rental market, Mr. Hildebrand said.

He estimates that the typical buyer will need to earn $86,000 a year to afford a condo under stricter mortgage qualification rules that kick in on Monday, a 17 per cent increase from $73,000 under the existing laws. That will push some prospective buyers into the rental market instead.

New regulations effective Nov. 30 will prohibit mortgages on investment properties from being covered by government-backed insurance, which could make financial institutions less willing to lend to condo investors.

Combined, the changes are likely to drive up demand for rental units while shrinking the supply of new rental investors, Mr. Hildebrand said. “It sort of seems to be the wrong time to be doing this,” he said. “Even before the changes come into effect, we’re seeing the lowest level of supply in the rental market that we’ve seen in years.”

Now people can be priced out of renting, in addition to owning. A real victory for all city-bound Torontonians.


Feds Walk Into A Building. Demand Everyone’s Fingerprints To Open Phones

Forbes:

Legal experts were shocked at the government’s request. “They want the ability to get a warrant on the assumption that they will learn more after they have a warrant,” said Marina Medvin of Medvin Law. “Essentially, they are seeking to have the ability to convince people to comply by providing their fingerprints to law enforcement under the color of law – because of the fact that they already have a warrant. They want to leverage this warrant to induce compliance by people they decide are suspects later on. This would be an unbelievably audacious abuse of power if it were permitted.”

Jennifer Lynch, senior staff attorney at the Electronic Frontier Foundation (EFF), added: “It’s not enough for a government to just say we have a warrant to search this house and therefore this person should unlock their phone. The government needs to say specifically what information they expect to find on the phone, how that relates to criminal activity and I would argue they need to set up a way to access only the information that is relevant to the investigation.

It’s insane that the US government is getting chained warrants that authorize expansive searches without clarifying what is being sought or the specific rationales for such searches. Such actions represent an absolute violation of due process.

But, at the same time, the government’s actions (again) indicate the relative weaknesses of the ‘going dark’ arguments. While iPhones and other devices are secured to prevent all actors from illegitimately accessing them, fingerprint-enabled devices can let government agencies bypass security protections with relative ease. This doesn’t mean that fingerprint scanners are bad – most people’s threat models aren’t police, but criminals, snoopy friends and family, etc. – but rather that authorities can routinely bypass, instead of needing to break, cryptographically secured communications.