Categories
Links

Judge Orders Yahoo to Explain How It Recovered ‘Deleted’ Emails in Drugs Case

Motherboard:

After receiving requests from UK police and the FBI in September 2009 and April 2010, Yahoo created several “snapshots” of the email account, preserving its contents at the time—and revealing the messages. But the defense alleges there should have been nothing for law enforcement to find.

Yahoo’s explanation is that the recovered emails were copies created by the email service’s “auto-save” feature, which saves data in case of a loss of connectivity, for example. The company has filed several declarations from a number of its staff, but the defense said some of those contradicted each other, and it wants more information.

The question of when, and for whom, data has been deleted or made inaccessible is often based on power and knowledge. And end-users tend to lack both.


Yahoo is expected to confirm a massive data breach, impacting hundreds of millions of users

Recode:

But there’s nothing smooth about this hack, said sources, which became known in August when an infamous cybercriminal named “Peace” claimed on a website that he was selling credentials of 200 million Yahoo users from 2012 on the dark web for just over $1,800. The data allegedly included user names, easily decrypted passwords and personal information like birth dates and other email addresses.

It will be curious (and worrying) to see whether this was a one-off breach or persistent. And, if persistent, whether the data also includes information from users of services like Tumblr.


iMessage apps offer more layers of encryption, but do you need one?

Macworld:

Adding encryption you control inside an iMessage transmission can provide more assurances that your messages remain unreadable to others, but there are a whole lot of provisos you need to consider before accepting this as a higher level of security.

It’s nice to see reviewers of applications present the concerns, first, before what might be nice about new ‘security’ apps. Namely that crypto is hard to do, not all crypto is the same, and there are basic questions concerning the reliability of the companies providing the security assurance.

More broadly, that applications can route double-encrypted messages through Apple Messages will not necessarily enhance security but, instead, mean that communications are only as secure as the application applying the second layer of security. Apple is a great big target that everyone wants to penetrate and so Apple hires terrific technical and legal staff to keep government and others at bay. Can we expect that app developers selling encryption apps for a dollar or two will possess an equivalent commitment and competency?


Two critical bugs and more malicious apps make for a bad week for Android

Ars Technica:

It was a bad week for millions of Android phone users. Two critical vulnerabilities were disclosed but remain unpatched in a large percentage of devices, while, separately, malicious apps were downloaded as many as 2.5 million times from Google’s official Play Marketplace.

The vulnerabilities, which are similar in severity to the Stagefright family of bugs disclosed last year, have been fixed in updates Google began distributing Tuesday. A large percentage of Android phones, however, aren’t eligible to receive the fixes. Even those that do qualify don’t receive them immediately (the September updates are currently not available as over-the-air downloads for either of the Nexus 5X devices in my household). That gives attackers crude blueprints for exploiting vulnerabilities that remain unpatched on millions of devices.

The bag of hurt continues unabated.


For some safety experts, Uber’s self-driving taxi test isn’t something to hail

Washington Post:

Even so, the effort is raising concern from safety experts who say the technology has major limitations that can be very dangerous. Self-driving cars have trouble seeing in bad weather. Sudden downpours, snow and especially puddles make it difficult for autonomous vehicles to detect lines on pavement and thereby stay in one lane.

Walker Smith added that self-driving cars have sometimes confused bridges for other obstacles. “People need to understand both the potential and the limitations of these systems, and inviting them inside is part of that education,” he said.

The vehicles also have difficulty understanding human gestures — for example, a crosswalk guard in front of a local elementary school may not be understood, said Mary Cummings, director of Duke University’s Humans and Autonomy Lab, at a Senate hearing in March. She recommended that the vehicles not be allowed to operate near schools.

Then there’s the human factor: Researchers have shown that people like to test and prank robots. Today, a GPS jammer, which some people keep in their trunks to block police from tracking them, will easily throw off a self-driving car’s ability to sense where it is, Cummings said.

Current self-driving cars often cannot see which lane they’re in, if it’s raining. They don’t understand what a bridge is versus other road-terrain. They don’t understand what a cross-walk guard is. And they are reliant on a notoriously brittle location technology.

What can go wrong with testing them in urban centres then, exactly?


Russian Hackers Now Targeting U.S. Think Tanks That Specialize in Russia

Russian Hackers Now Targeting U.S. Think Tanks That Specialize in Russia:

“Any respectable think tank has been hacked,” Lewis told Defense One on Monday. “The Russians just don’t get the idea of independent institutions, so they are looking for secret instructions from Obama. Another benefit is they can go to their bosses and show what they took to prove their worth as spies.”

Any respectable think tank is proud to have such garbage security that the intellectual property it hopes to profit from, to say nothing of political advocacy, is available to unauthorized third parties.

Right….


On Encryption and Terrorists

On Encryption and Terrorists:

I’ve come to see encryption as the natural extension a computer scientist can give a democracy. A permeation of the simple assurance that you can carry out your life freely and privately, as enshrined in the constitutions and charters of France, Lebanon as well as the United States. To take away these guarantees doesn’t work. It doesn’t produce better intelligence. It’s not why our intelligence isn’t competing in the first place. But it does help terrorist groups destroy the moral character of our politics from within, when out of fear, we forsake our principles.

If we take every car off the street, every iPhone out of people’s pockets and every single plane out of the sky, it wouldn’t do anything to stop terrorism. Terrorism isn’t about means, but about ends. It’s not about the technology but about the anger, the ignorance that holds a firm grip over the actor’s mind.

Nadim’s explanation of what encryption is used for, and his correlates between using encryption or automobiles for terror-related activities, is amongst the clearest I’ve read. It’s worth the 5-7 minutes it’ll take you to read.

Categories
Links Writing

Google rebuilt a core part of Android to kill the Stagefright vulnerability for good

Google rebuilt a core part of Android to kill the Stagefright vulnerability for good:

Android’s security team patched the initial bug within weeks, but it inspired a wave of new attacks on the way Android processes audio and video files. The first copycat bugs were reported just days after the first patch, with more serious exploits arriving months later. The most recent Android patch report, released today, patches three separate vulnerabilities in Android’s media-processing function, including one critical flaw that could be used for remote code execution.

Now, Android is rebuilding that system from the ground up. When Android 7.0 Nougat began rolling out to phones last month, it came with a rebuilt media playback system, specifically designed to protect against the Stagefright family of attacks. In a post today, Android’s security team revealed new details on exactly how Nougat security has changed and what the team learned from last year’s string of bugs.

The vulnerability is more fully and truly patched! Hurray!

A shame that few users will ever receive an update to the new version of Android, let alone the patches in the previous version (6) of Android. The best/easiest way for most users to ‘update’ an Android-based mobile phone is to throw their current phone in the trash and buy a new one…and even then, the phone they buy will likely lack recent patches. Heck, they’ll be lucky if it has the most recent operating system!

This stands directly in contrast to iOS. Apple can push out a global patch and there are remarkably high levels of uptake by end-users. Google’s method of working with handset manufacturers and carriers alike puts end-users at greater and greater risk. They’re simply making available dangerous products. They’re behaving worse than Microsoft in the Windows XP days!

Categories
Aside Links

Meet USBee, the malware that uses USB drives to covertly jump airgaps

Meet USBee, the malware that uses USB drives to covertly jump airgaps:

The software works on just about any storage device that’s compliant with the USB 2.0 specification. Some USB devices such as certain types of cameras that don’t receive a stream of bits from the infected computer, aren’t suitable. USBee transmits data at about 80 bytes per second, fast enough to pilfer a 4096-bit decryption key in less than 10 seconds. USBee offers ranges of about nine feet when data is beamed over a small thumb drive to as much as 26 feet when the USB device has a short cable, which acts as an antenna that extends the signal. USBee transmits data through electromagnetic signals, which are read by a GNU-radio-powered receiver and demodulator. As a result, an already-compromised computer can leak sensitive data even when it has no Internet or network connectivity, no speakers, and when both Wi-Fi and Bluetooth have been disabled.

While this is still of limited value because you need to infect the airgapped computer in the first place, it’ll only take a while until this exfiltration method is weaponized. Airgaps have long been seen as a key way of keeping highly sensitive data secure but researchers working inside and outside of government keep revealing all the ways in which data can be quietly extracted from such systems. Their successes should give pause to anyone who is concerned about computer security, generally, to say nothing of those interested in the security of government and corporate systems.


WhatsApp to start sharing user data with Facebook

WhatsApp to start sharing user data with Facebook:

WhatsApp says that sharing this information means Facebook can offer better friend suggestions by mapping users’ social connections across the two services, and deliver more relevant ads on the social network. Additional analytics data from WhatsApp will also be shared to track usage metrics and fight spam.

WhatsApp now provides about the best security of any chat application that is available. Sadly, the privacy aspects of the company are now being weakened as Facebook more fully integrates WhatsApp into the broader range of Facebook companies.