Categories
Links

Turkey coup plotters’ use of ‘amateur’ app helped unveil their network

The Guardian:

A senior Turkish official said Turkish intelligence cracked the app earlier this year and was able to use it to trace tens of thousands of members of a religious movement the government blames for last month’s failed coup.

Members of the group stopped using the app several months ago after realising it had been compromised, but it still made it easier to swiftly purge tens of thousands of teachers, police, soldiers and justice officials in the wake of the coup.

Starting in May 2015, Turkey’s intelligence agency was able to identify close to 40,000 undercover Gülenist operatives, including 600 ranking military personnel, by mapping connections between ByLock users, the Turkish official said.

However, the Turkish official said that while ByLock helped the intelligence agency identify Gülen’s wider network, it was not used for planning the coup itself. Once Gülen network members realised ByLock had been compromised they stopped using it, the official said.

But intelligence services and policing agencies are still ‘Going Dark’…


Canada’s National Security Consultation: Digital Anonymity & Subscriber Identification Revisited… Yet Again – Technology, Thoughts & Trinkets

Over at Technology, Thoughts, and Trinkets I’ve written that:

Last month, Public Safety Canada followed through on commitments to review and consult on Canada’s national security framework. The process reviews powers that were passed into law following the passage of Bill C-51, Canada’s recent controversial anti-terrorism overhaul, as well as invites a broader debate about Canada’s security apparatus. While many consultation processes have explored expansions of Canada’s national security framework, the current consultation constitutes the first modern day attempt to explore Canada’s national security excesses and deficiencies. Unfortunately, the framing of the consultation demonstrates minimal direct regard for privacy and civil liberties because it is primarily preoccupied with defending the existing security framework while introducing a range of additional intrusive powers. Such powers include some that have been soundly rejected by the Canadian public as drawing the wrong balance between digital privacy and law enforcement objectives, and heavily criticized by legal experts as well as by all of Canada’s federal and provincial privacy commissioners.

The government has framed the discussion in two constituent documents, a National Security Green Paper and an accompanying Background Document. The government’s framings of the issues are highly deficient. Specifically, the consultation documents make little attempt to explain the privacy and civil liberties implications that can result from the contemplated powers. And while the government is open to suggestions on privacy and civil liberties-enhancing measures, few such proposals are explored in the document itself. Moreover, key commitments, such as the need to impose judicial control over Canada’s foreign intelligence agency (CSE) and regulate the agency’s expansive metadata surveillance activities, are neither presented nor discussed (although the government has mentioned independently that it still hopes to introduce such reforms). The consultation documents also fail to provide detailed suggestions for improving government accountability and transparency surrounding state agencies’ use of already-existent surveillance and investigative tools.

In light of these deficiencies, we will be discussing a number of the consultation document’s problematic elements in a series of posts, beginning with the government’s reincarnation of a highly controversial telecommunication subscriber identification power.

I wrote the first of what will be many analyses of the Canadian government’s national security consultation with a good friend and colleague, Tamir Israel.

The subscriber identification powers we write about are not really intended for national security but will, instead, be adopted more broadly by law enforcement so they can access the data indiscriminately. Past legislative efforts have rejected equivalent powers: it remains to be seen if the proposal will (once more) be successfully rejected, or whether this parliament will actually establish some process or law that lets government agencies get access to subscriber identification information absent a warrant.


First-time homebuyer? You could have less borrowing power under new mortgage rules

The CBC:

But Tal says the one place the rule changes will be felt is the Toronto condo market, where sale prices are below $1 million a property and deals often involve first-time buyers with down payments of less than 20 per cent.

“That’s exactly where the target is,” Tal said.

Shaun Hildebrand, senior vice-president of real estate market research firm Urban Nation, agrees with Tal.

“If there is a beneficiary to these policies, it will be the condo market, whether it’s on the for-sale side where buyers are forced into lower price points or on the rental side, as well, as fewer first-time buyers are getting into the marketplace,” Hildebrand said.

While I tend to agree that moving people towards a long-term rental market is important and not an inherently bad thing (in fact, that culture is prevalent in other housing markets), it does demand affordable rental properties. So: will the slowdown in the condo market actually reduce costs of condos due to competition, and lead to a lower rental rate for them on the basis that landlords will not have to recoup the same investment, or will rents remain where they are (and rise) so that wealthy landlords can extract further rents from their tenants?


How hard is it to hack the average DVR? Sadly, not hard at all

Ars Technica:

Johannes B. Ullrich, a researcher and chief technology officer for the SANS Internet Storm Center, wanted to know just how vulnerable these devices are to remote takeover, so he connected an older DVR to a cable modem Internet connection. What he saw next—a barrage of telnet connection attempts so dizzying it crashed his device—was depressing.

“The sad part is, that I didn’t have to wait long,” he wrote in a blog post published Monday. “The IP address is hit by telnet attempts pretty much every minute. Instead of having to wait for a long time to see an attack, my problem was that the DVR was often overwhelmed by the attacks, and the telnet server stopped responding. I had to reboot it every few minutes.”

The Internet of Things should, at this point, mostly be renamed the Internet of Threats.

Categories
Links Writing

Brace yourselves—source code powering potent IoT DDoSes just went public

Brace yourselves—source code powering potent IoT DDoSes just went public:

Both Mirai and Bashlight exploit the same IoT vulnerabilities, mostly or almost exclusively involving weakness involving the telnet remote connection protocol in devices running a form of embedded Linux known as BusyBox. But unlike Bashlight, the newer Mirai botnet software encrypts traffic passing between the infected devices and the command and control servers that feed them instructions. That makes it much harder for researchers to monitor the malicious network. There’s also evidence that Mirai is able to seize control of Bashlight-infected devices and possibly even patch them so they can never be infected again by a rival botnet. About 80,000 of the 963,000 Bashlight devices now belong to Mirai operators, Drew said.

Next time you see a vendor sell you something that can be connected to the Internet, be sure to ask:

  • How long will you be providing support for this product?
  • How will you be pushing security updates to this product?
  • What mitigation strategies have you implemented to ensure that a third-party doesn’t take control of this product?
  • What will you do to help me when this device is compromised because of a vulnerability in this product?

I can almost guarantee that whoever is selling the product will either look at you slackjawed or try to use buzzwords to indicate the product is secure. But they will almost certainly be unable to genuinely answer the questions because vendors are not securing their devices. It’s their failures which have created the current generation of threats that the global Internet is just now starting to grapple with.


Moto Z Play review: the best battery life of any smartphone today

But the Moto Z Play rarely feels like you’re doing much settling. Even when you add together the negatives like an average camera, Verizon’s annoying bloatware, and Lenovo’s poor track record with software updates, the Moto Z Play’s affordable price, zippy performance, and unbelievable battery life still add up to something very compelling. And yes, unlike the Z and Z Force, there’s even a headphone jack built in. Forget the Z’s before it; this is the practical Moto Z that most people should get. It’s available exclusively from Verizon Wireless for a limited time for $408, but starting in October you can get it unlocked on GSM carriers (and free of carrier bloat) for $450.

The Verge notes that if you buy a Moto Z you’re unlikely to get “software updates”. That doesn’t just mean you won’t get bells and whistles and neat new features as Google releases new versions of their operating system. It also means that Lenovo will not send you security updates. So you’ll have a long-lasting smartphone that is vulnerable to trivial attacks that could extract sensitive personal information or otherwise compromise your device.

But other than that, I’m sure it’s a great phone to recommend.


More than 400 malicious apps infiltrate Google Play

Ars Technica:

One malicious app infected with the so-called DressCode malware had been downloaded from 100,000 to 500,000 times before it was removed from the Google-hosted marketplace, Trend Micro researchers said in a post. Known as Mod GTA 5 for Minecraft PE, it was disguised as a benign game, but included in the code was a component that established a persistent connection with an attacker controlled server. The server then had the ability to bypass so-called network address translation protections that shield individual devices inside a network. Trend Micro has found 3,000 such apps in all, 400 of which were available through Play.

“This malware allows threat actors to infiltrate a user’s network environment,” Thursday’s report stated. “If an infected device connects to an enterprise network, the attacker can either bypass the NAT device to attack the internal server or download sensitive data using the infected device as a springboard.”

BYOD: a great cost-saving policy. Until it leads to an attacker compromising your network and potentially exfiltrating business-vital resources.


This is where your smartphone battery begins

This is a brilliant (if saddening) long-form investigation into how the cobalt in contemporary electronics is mined in the Congo and the impacts such mining has on the local residents. It’s worth the (long) read.


Why doctors are rebelling against Ontario’s crumbling healthcare system

Toronto Life:

The fact that doctors bill more than $11 billion annually makes them something like a corporation—their revenues are roughly the same as Air Canada’s or Canadian Tire’s. When companies of that size have to deal with revenue freezes or shortfalls, they respond by finding efficiencies, eliminating duplication and waste, lowering wages or prices, squeezing suppliers for discounts. They take a hard look at how they run their business, and they usually become better companies as a result. Doctors refuse to do this work. Hoskins is determined to force them.

I’m uncertain that the author has ever travelled on Air Canada. Unless, of course, they think that the ‘efficiencies’ Air Canada has achieved by laying off thousands of people, worsening service quality, and regularly failing to meet its agreements with customers have made Air Canada a “better company” as a result.


Organizational Doxing and Disinformation – Schneier on Security

From Bruce Schneier:

Major newspapers do their best to verify the authenticity of leaked documents they receive from sources. They only publish the ones they know are authentic. The newspapers consult experts, and pay attention to forensics. They have tense conversations with governments, trying to get them to verify secret documents they’re not actually allowed to admit even exist. This is only possible because the news outlets have ongoing relationships with the governments, and they care that they get it right. There are lots of instances where neither of these two things are true, and lots of ways to leak documents without any independent verification at all.

No one is talking about this, but everyone needs to be alert to the possibility. Sooner or later, the hackers who steal an organization’s data are going to make changes in them before they release them. If these forgeries aren’t questioned, the situations of those being hacked could be made worse, or erroneous conclusions could be drawn from the documents. When someone says that a document they have been accused of writing is forged, their arguments at least should be heard.

As someone who routinely receives, and consults on, leaked documents I can emphatically say this is a serious issue. And that journalists are generally very cautious these days about publishing based on mysteriously sourced documents.