Tag: Privacy

Categories
Links

Secret Backdoor in Some U.S. Phones Sent Data to China, Analysts Say – NYTimes.com

From the New York Times:

International customers and users of disposable or prepaid phones are the people most affected by the software. But the scope is unclear. The Chinese company that wrote the software, Shanghai Adups Technology Company, says its code runs on more than 700 million phones, cars and other smart devices. One American phone manufacturer, BLU Products, said that 120,000 of its phones had been affected and that it had updated the software to eliminate the feature.

Kryptowire, the security firm that discovered the vulnerability, said the Adups software transmitted the full contents of text messages, contact lists, call logs, location information and other data to a Chinese server. The code comes preinstalled on phones and the surveillance is not disclosed to users, said Tom Karygiannis, a vice president of Kryptowire, which is based in Fairfax, Va. “Even if you wanted to, you wouldn’t have known about it,” he said.

The manufacturer of the American branded phones didn’t know of this exfiltration vector. Consumers had no idea of the vector. And Google apparently had no idea that this data was being exfiltrated. But trust mobile devices for moderately-confidential work…

Categories
Links

Privacy experts fear Donald Trump accessing global surveillance network

Thomas Drake, an NSA whistleblower who predated Snowden, offered an equally bleak assessment. He said: “The electronic infrastructure is fully in place – and ex post facto legalised by Congress and executive orders – and ripe for further abuse under an autocratic, power-obsessed president. History is just not kind here. Trump leans quite autocratic. The temptations to use secret NSA surveillance powers, some still not fully revealed, will present themselves to him as sirens.”

Bush and Cheney functionally authorized the NSA to undertake unlawful operations and actively sought to hinder authorizing courts from understanding what was going on. At the same time, that administration established black sites and novel detention rules for persons kidnapped by the CIA from around the world.

Obama and Biden developed legal theories that were accompanied by authorizing legislation to make the NSA’s previously unlawful activities lawful. The Obama presidency also failed to close Gitmo or convince the American public that torture should be forbidden or that criminal (as opposed to military) courts are the appropriate ways of dealing with suspected terror suspects. And thoughout the NSA deliberately misled and lied to its authorizing court, the CIA deliberately withheld documents from investigators and spied on those working for the intelligence oversight committees, and the FBI continued to conceal its own surveillance operations as best it could.

There are a lot of things to be worried about when it comes to the United States’ current trajectory. But one of the more significant items to note is that the most sophisticated and best financed surveillance and policing infrastructure in the world is going to be working at the behest of an entirely unproven, misogynistic, racist, and bigoted president.

It’s cause to be very, very nervous for the next few years.

Categories
Links Writing

Apple Logs Your iMessage Contacts — and May Share Them With Police

The Intercept:

Every time you type a number into your iPhone for a text conversation, the Messages app contacts Apple servers to determine whether to route a given message over the ubiquitous SMS system, represented in the app by those déclassé green text bubbles, or over Apple’s proprietary and more secure messaging network, represented by pleasant blue bubbles, according to the document. Apple records each query in which your phone calls home to see who’s in the iMessage system and who’s not.

This log also includes the date and time when you entered a number, along with your IP address — which could, contrary to a 2013 Apple claim that “we do not store data related to customers’ location,” identify a customer’s location. Apple is compelled to turn over such information via court orders for systems known as “pen registers” or “trap and trace devices,” orders that are not particularly onerous to obtain, requiring only that government lawyers represent they are “likely” to obtain information whose “use is relevant to an ongoing criminal investigation.” Apple confirmed to The Intercept that it only retains these logs for a period of 30 days, though court orders of this kind can typically be extended in additional 30-day periods, meaning a series of monthlong log snapshots from Apple could be strung together by police to create a longer list of whose numbers someone has been entering.

That Apple has to run a lookup to see whether to send a message securely using Messages or insecurely using SMS isn’t surprising. And the 30 day retention period is likely to help iron out bugs associated with operating a global messaging system: when things go wonky (and they do…) engineers need some kind of data to troubleshoot what’s going on.

Importantly, Apple is not logging communications. Nor is it recording if you communicate with someone who is assigned a particular phone number. All that is retained is the lookup itself. So if you ever type in a wrong number that lookup is recorded, regardless of whether you communicate with whomever holds the number.

More troubling is the fact that Apple does not disclose this information when an individual formally requests copies of all their personal information that Apple retains about them. These lookups arguably constitute personal information, and information like IP addresses etc certainly constitute this information under Canadian law.

Apple, along with other tech companies, ought to release their lawful access guides so that users know and understand what information is accessible to authorities and under what terms. It isn’t enough to just disclose how often such requests are received and complied with: customers should be able to evaluate the terms under which Apple asserts it will, or will not, disclose that information in the first place.

Categories
Links Writing

Feds Walk Into A Building. Demand Everyone’s Fingerprints To Open Phones

Forbes:

Legal experts were shocked at the government’s request. “They want the ability to get a warrant on the assumption that they will learn more after they have a warrant,” said Marina Medvin of Medvin Law. “Essentially, they are seeking to have the ability to convince people to comply by providing their fingerprints to law enforcement under the color of law – because of the fact that they already have a warrant. They want to leverage this warrant to induce compliance by people they decide are suspects later on. This would be an unbelievably audacious abuse of power if it were permitted.”

Jennifer Lynch, senior staff attorney at the Electronic Frontier Foundation (EFF), added: “It’s not enough for a government to just say we have a warrant to search this house and therefore this person should unlock their phone. The government needs to say specifically what information they expect to find on the phone, how that relates to criminal activity and I would argue they need to set up a way to access only the information that is relevant to the investigation.

It’s insane that the US government is getting chained warrants that authorize expansive searches without clarifying what is being sought or the specific rationales for such searches. Such actions represent an absolute violation of due process.

But, at the same time, the government’s actions (again) indicate the relative weaknesses of the ‘going dark’ arguments. While iPhones and other devices are secured to prevent all actors from illegitimately accessing them, fingerprint-enabled devices can let government agencies bypass security protections with relative ease. This doesn’t mean that fingerprint scanners are bad – most people’s threat models aren’t police, but criminals, snoopy friends and family, etc – but instead that authorities can routinely bypass, rather than need to break, cryptographically-secured communications.

Categories
Links

Judge Orders Yahoo to Explain How It Recovered ‘Deleted’ Emails in Drugs Case

Motherboard:

After receiving requests from UK police and the FBI in September 2009 and April 2010, Yahoo created several “snapshots” of the email account, preserving its contents at the time—and revealing the messages. But the defense alleges there should have been nothing for law enforcement to find.

Yahoo’s explanation is that the recovered emails were copies created by the email service’s “auto-save” feature, which saves data in case of a loss of connectivity, for example. The company has filed several declarations from a number of its staff, but the defense said some of those contradicted each other, and it wants more information.

The question of when, and for whom, data has been deleted or made inaccessible is often based on power and knowledge. And end-users tend to lack both.

Categories
Links

National security review tries to tackle needs of law enforcement in digital world | Toronto Star

The Toronto Star:

Lawful access is “a real thorny issue,” said University of Ottawa law professor Craig Forcese, a national security law expert, in an interview with the Star.

“For years I’ve been saying we’ve got to deal with it, and you can’t deal with it without investing people in a discussion, because the best-organized civil liberties organizations in Canada right now are privacy groups,” said Forcese.

“And if you go ahead unilaterally and start tabling stuff in Parliament, you’re going to have a replay of the disaster of the last decade in Parliament where nothing ever got passed, except the cyberbullying bill which didn’t address all the issues.”

Parliament did a lot over the last decade. Including passing lawful access legislation following more than 10 years of public debate that included numerous public consultations (i.e. not just with civil liberties organizations).

That civil liberties groups – which by definition argue hard against infringements of constitutional rights – did their jobs is to be congratulated not smeared.

Categories
Links

Location Privacy: The Purview of the Rich and Indigent

Krebs on Security:

In Texas, the EFF highlights how state and local law enforcement agencies have free access to ALPR equipment and license plate data maintained by a private company called Vigilant Solutions. In exchange, police cruisers are retrofitted with credit-card machines so that law enforcement officers can take payments for delinquent fines and other charges on the spot — with a 25 percent processing fee tacked on that goes straight to Vigilant. In essence, the driver is paying Vigilant to provide the local cops with the technology used to identify and detain the driver.

“The ‘warrant redemption’ program works like this,” the EFF wrote. “The agency is given no-cost license plate readers as well as free access to LEARN-NVLS, the ALPR data system Vigilant says contains more than 2.8-billion plate scans and is growing by more than 70-million scans a month. This also includes a wide variety of analytical and predictive software tools. Also, the agency is merely licensing the technology; Vigilant can take it back at any time.”

That’s right: Even if the contract between the state and Vigilant ends, the latter gets to keep all of the license plate data collected by the agency, and potentially sell or license the information to other governments or use it for other purposes.

Another case of the private surveillance sector overcoming state institutions, and to the detriment of citizens’ rights to privacy.

Categories
Links

WhatsApp to start sharing user data with Facebook

WhatsApp to start sharing user data with Facebook:

WhatsApp says that sharing this information means Facebook can offer better friend suggestions by mapping users’ social connections across the two services, and deliver more relevant ads on the social network. Additional analytics data from WhatsApp will also be shared to track usage metrics and fight spam.

WhatsApp now provides about the best security of any chat application that is available. Sadly, the privacy aspects of the company are now being weakened as Facebook more fully integrates WhatsApp into the broader range of Facebook companies.

Categories
Links Writing

BlackBerry DTEK50 Review: Secure, reasonably priced but light on battery life

BlackBerry DTEK50 Review: Secure, reasonably priced but light on battery life:

But the software on the DTEK50 is the same as the Priv’s – hardened Android 6.0.1 (Marshmallow), FIPS 140-2 compliant full disk encryption, hardware root of trust, and BlackBerry Integrity Detection that monitors for compromises, with BlackBerry extras like the Hub (a unified inbox for all communications), calendar, contacts, password keeper, device search, launcher, and the DTEK security app for which the phone was named. Once you’ve used the BlackBerry software, most other offerings seem severely wanting. DTEK deserves special mention. It evaluates the device’s security posture, recommends changes, and allows you to see exactly what rights each app is using, and how often. You can also revoke individual privileges for an app if, for example, you see no reason why a flashlight app should have access to your contacts.

On what possible grounds can the reviewer – or the editor, who presumably assigned the title to this article – assert that the new Blackberry device is ‘secure’? We know that Blackberry’s consumer-grade options do not encrypt messaging data. We know that other implementations of Android, such as CopperheadOS, actually contribute code to the Android Open Source Project that is meant to reduce vulnerabilities.

We also know that Blackberry refuses to disclose how often they receive, and respond to, government requests for assistance. And we don’t know which countries Blackberry provides assistance to, under what specific terms, or the types of data that the company discloses. But all of this speaks to Blackberry being able to access consumers’ data…which is the definition of a service being insecure insofar as non-authorized actors can read or copy the data in question.

Before journalists or editors make assertions regarding security of mobile devices (or any other product for that matter) they should be obligated to contact experts in the field of mobile security. And preferably they’d actually contact people who actively test the security of mobile devices. Or, you know, at the very least they’d read the news and realize that the security afforded by Blackberry to its retail customers if more like propoganda than based in reality.

Categories
Links

Copperhead OS: The startup that wants to solve Android’s woeful security

Copperhead OS: The startup that wants to solve Android’s woeful security:

Linux device drivers have been the operating system’s Achilles heel since day one, and the Android platform is no exception. Android phones ship with kernels frozen to ensure driver compatibility—which usually means that a new Android device comes with a kernel that’s already a year or two old.

“It’s like if you have a printer and the last printer driver made was for Windows 95, you can never upgrade your computer to a newer version,” Soghoian explains. “Android is bigger than just Google, and when Google’s partners drag their feet it undermines the security of the entire ecosystem.”

As an Android device ages, the kernel may get backported security patches, depending on the OEM’s willingness to push updates, but the handset will miss out on the latest security advances, since upgrading the kernel would break hardware compatibility with the drivers.

There are a lot of great things about Android. Device and data security just aren’t amongst them.