
Major Qualcomm chip security flaws expose 900M Android users


Qualcomm makes chips for the majority of the world’s phones, holding a 65 percent share of the market. Most of the major recent Android devices are expected to be affected by the flaw, including:

  • BlackBerry Priv
  • Blackphone 1 and Blackphone 2
  • Google Nexus 5X, Nexus 6, and Nexus 6P
  • HTC One, HTC M9, and HTC 10
  • LG G4, LG G5, and LG V10
  • New Moto X by Motorola
  • OnePlus One, OnePlus 2, and OnePlus 3
  • Samsung Galaxy S7 and Samsung S7 Edge
  • Sony Xperia Z Ultra

Three of the four holes have already been patched, with a solution for the fourth on the way. However, most users are at the mercy of their handset manufacturers if they want these patches applied. Owners of Google’s Nexus devices have already had patches pushed to their phones, but other manufacturers have historically been less interested in patching flaws found in their devices after release.

In many cases these updates will never be released, leaving people permanently vulnerable to this very, very, very serious vulnerability. But hey: at least it only affects around 12-13% of the world’s population. Maybe phone manufacturers and cellular carriers will actually promptly act to protect their users when closer to 20-35% of the world population is affected by the next Android vulnerability…


So Hey You Should Stop Using Texts for Two-Factor Authentication

One of the problems with contemporary computer systems is that they rely on login and password information, and both of these kinds of information are routinely either disclosed through data breaches or are configured by users such that it is relatively easy to guess the login and password combination. Two-factor authentication is designed to alleviate these problems by issuing a second code to a user, which they input in order to access the service. This ‘other factor’ is meant to prevent unauthorized third-parties from accessing protected systems (e.g. email, social media accounts).

However, many of these second-factor codes are delivered over text messages. The problem is that there is a litany of ways that texts can be either intercepted or diverted and, thus, reduce the efficacy of the two-factor system. Some companies have moved away, partially, from SMS-based second factors but others such as Twitter have not. The aim of the article is to suggest that it’s important for users to themselves migrate from text-based second factors to a more secure method.

This is entirely accurate…when individuals are being targeted. But when an attacker is unwilling to invest much time or effort — such as running password lists or otherwise just ‘testing’ accounts without seriously attacking them — then even text-based two-factor authentication can suffice. While I agree that ideally individuals will move to a second factor that isn’t SMS-based, there is a significant degree of friction in getting individuals to download new applications, and ‘token-based’ modes of authentication can be challenging to deploy because they get lost/damaged/forgotten/etc. In effect: while the call from the author is good, I have to ask whether this ‘solution’ is the one that we should be spending years shuffling users towards or if we should instead wait for a superior alternative.


I Ran the C.I.A. Now I’m Endorsing Hillary Clinton.


During a 33-year career at the Central Intelligence Agency, I served presidents of both parties — three Republicans and three Democrats. I was at President George W. Bush’s side when we were attacked on Sept. 11; as deputy director of the agency, I was with President Obama when we killed Osama bin Laden in 2011.

I am neither a registered Democrat nor a registered Republican. In my 40 years of voting, I have pulled the lever for candidates of both parties. As a government official, I have always been silent about my preference for president.

No longer. On Nov. 8, I will vote for Hillary Clinton. Between now and then, I will do everything I can to ensure that she is elected as our 45th president.

The securocrats are increasingly throwing their hats in the Clinton camp. And I suspect that Trump will use this to fire up his own base by discounting those same securocrats as Democratic patsies, despite many Democrats having railed against the heads of the CIA, NSA, and other agencies over the years following 9/11.


Dear activists, please stop telling everyone Telegram is secure


Telegram was not wrong in promoting its security features back in 2013 – end-to-end encryption in mobile chat apps was rare back then. Since then, however, other chat apps have caught up and in many cases surpassed its security features. This isn’t to say Telegram doesn’t have its merits – neither WhatsApp nor Signal has support for channels (public groups) or bots, and Telegram does have a handy, Snapchat-like, self-destruct feature for conversations. But to recommend Telegram, without reservation, to protesters and activists is simply irresponsible. Dear activists: please stop telling people Telegram is more secure – either stick with WhatsApp or direct people to Telegram’s “Secret Chat” feature.

A good, and quick, piece written to explain the deficiencies of Telegram as opposed to its competing – and more secure and equally usable – chat applications.


Meet Moxie Marlinspike, the Anarchist Bringing Encryption to All of Us


In March, Brazilian police briefly jailed a Facebook exec after WhatsApp failed to comply with a surveillance order in a drug investigation. The same month, The New York Times revealed that WhatsApp had received a wiretap order from the US Justice Department. The company couldn’t have complied in either case, even if it wanted to. Marlinspike’s crypto is designed to scramble communications in such a way that no one but the people on either end of the conversation can decrypt them (see sidebar). “Moxie has brought us a world-class, state-of-the-art, end-to-end encryption system,” WhatsApp cofounder Brian Acton says. “I want to emphasize: world-class.”

For Marlinspike, a failed wiretap can mean a small victory. A few days after Snowden’s first leaks, Marlinspike posted an essay to his blog titled “We Should All Have Something to Hide,” emphasizing that privacy allows people to experiment with lawbreaking as a precursor for social progress. “Imagine if there were an alternate dystopian reality where law enforcement was 100 percent effective, such that any potential offenders knew they would be immediately identified, apprehended, and jailed,” he wrote. “How could people have decided that marijuana should be legal, if nobody had ever used it? How could states decide that same-sex marriage should be permitted?”

We live in a world where mass surveillance is a matter of fact, not a fear linked with dystopic science fiction novels. Moxie’s work doesn’t blind the watchers, but it has let massive portions of the world shield the content of their communications – if not the fact that they are communicating in the first place – from third parties seeking to access those communications. Now unauthorized parties such as government agencies are increasingly being forced to target specific devices, instead of the communications networks writ large, which may have the effect of shifting state surveillance from that which is mass to that which is targeted. Such a consequence would be a major victory for all persons, regardless of whether they live in a democratic state or not.


Policy – Privacy Paranoia: Is Your Smartphone Spying On You?


Privacy alarmism is one act in a bigger spectacle. In alarmists’ minds, something could go terribly wrong, and although it never has nor is it likely to happen, we should change the world and impose a new political and bureaucratic order to prepare for it. Privacy concerns in general are fertile breeders of this pattern, and have already inflicted on us useless and expensive laws like HIPAA and FERPA. Now, privacy alarmism has set its sights on the biggest prize: the shrinking of Big Data.

While I’m glad that the author has apparently never suffered an issue linked to a privacy infringement, the same cannot be said for an enormous percentage of the world’s population. Mass intrusion, with and without consent, into communications privacy is a prominent issue internationally because of how private and public bodies alike exploit the information that is collected.

We are functionally experimenting on the entire population when collecting and applying math to enormous datasets: to say that there has been no harm, ever, to date is possible. But doing so depends on ignoring the lived reality of many of the persons impacted by big data and digital technology.


Hackers Hijack a Big Rig Truck’s Accelerator and Brakes


When WIRED reached out to trucking industry body the National Motor Freight Traffic Association about the Michigan research, the NMFTA’s chief technology officer Urban Jonson said the group is taking the researchers’ work seriously, and even funding future research from the same team. And Jonson acknowledged that the possibility of the nightmare scenario they present, of a remote attack on heavy vehicles, is real. “A lot of these systems were designed to be isolated,” says Jonson. “As automobile manufacturers are increasingly connecting vehicles with telematics systems, some of these issues need to be addressed.”

That the Association’s reaction is to work with researchers instead of trying to sue them is a very good sign.


How foreign governments spy using PowerPoint and Twitter


Right now, there are probably many journalists, human rights organizations and democracy activists walking around oblivious to the invisible tracking that is going on behind their backs. It’s time to wake up to the silent epidemic of targeted digital attacks on civil society and do something about it.

The protections built into our technologies are flimsy and routinely subverted. The merits of the ‘first to market’ ethos that predominates in technical innovation must be contrasted with, and weighed against, the mortal risk these same technologies pose to some users.


How Not To Get Hacked When Renting An Airbnb Apartment


The problem is that, thanks to the rise of home-sharing services such as Airbnb and HomeAway, thousands of people are letting strangers into their houses and apartments, and, potentially, into their networks and routers.

That’s why, Galloway argues, we need to be careful when connecting to Wi-Fi networks in Airbnbs, and just treat them like we treat airport or Starbucks connections.

“When you’re traveling and you’re on an unfamiliar network, you should behave like it and not behave like when you’re at home,” Galloway says. “You don’t use the Airbnb toothbrush, and you should probably think twice before just jumping on their network and putting your bank credentials in there.”

If you’re a renter, Galloway says the first thing to do to stay safe is to use a virtual private network, or VPN, that will encrypt and protect all your connections. (There are a lot of easy-to-use options out there, such as Freedome or TunnelBear.) Another, slightly more complex precaution is to hardcode DNS settings into their devices, switching to Google Public DNS, for example.

I don’t disagree with this advice but admit it’s only something I consider when travelling for work (in part because I do so few ‘risky’ things when vacationing and decide to mostly rely on apps which I hope – though often cannot know – are transmitting credentials over SSL). But more broadly I think that what is being argued for is out of touch with how people are generally taught to understand computing and out of touch with how most Airbnb hosts operate: guests rarely meet their host and it’s unclear how often hosts themselves ever really look in on their properties. So maybe before we insist that people be wary of landlords and Airbnb hosts we should be considering what the baseline requirements for offering such services should be.


Android’s full-disk encryption just got much weaker—here’s why

But researchers from two-factor authentication service Duo Security told Ars that an estimated 37 percent of all the Android phones that use the Duo app remain susceptible to the attack because they have yet to receive the patches. The lack of updates is the result of restrictions imposed by manufacturers or carriers that prevent end users from installing updates released by Google.

Yikes.

Beyond hacks, Beniamini said the design makes it possible for phone manufacturers to assist law enforcement agencies in unlocking an encrypted device. Since the key is available to TrustZone, the hardware makers can simply create and sign a TrustZone image that extracts what are known as the keymaster keys. Those keys can then be flashed to the target device.

And double yikes: do we now need to get phone manufacturers to release transparency reports that indicate whether they’ve compromised devices after receiving requests to do so from law enforcement agencies?