Online Privacy and Security

Learn to Protect your Privacy and Information Online

What's New

Police Requests To Access Your Smart Speaker Are Up 72% Since 2016 2020-08-25

Please get these "smart devices" out of your house.

Amazon said it had received more than 3,000 requests for smart speaker user data from police earlier this year, according to a new article from Wired. Even more stunning, Amazon complied with the police's requests on more than 2,000 occasions, forking over recordings and data that give law enforcement an ear into someone's household.


Class Action against the Company that Knows it All 2020-07-31

"Class action lawsuits have been filed against Plaid, a financial technology and identity verification company"

Their service “provides an easy way for you to connect your bank account and other financial accounts to software applications [...]” While it is still unclear how many payment applications have embedded Plaid (hence the lawsuit), a few of the known integrations include Venmo, Coinbase, Gemini, Square Cash, Stripe, and Gusto.

Imagine there is a company that knows every dollar you deposit or withdraw, every dollar you charge or pay to your credit card, and every dollar you put away for retirement, within hours after you make the transaction. Imagine this includes every book or movie ticket or meal you purchase, every bill you pay to a doctor or hospital, and every payment you make (or miss) on your mortgage, student loan or credit card bill. Imagine this company maintains a file on you containing all of this information going back five years.

[...] Plaid potentially has access to “the following types of identifiers, commercial information, and other personal information” that they collect “in general”:

  • Account information, including financial institution name, account name, account type, account ownership, branch number, IBAN, BIC, and account and routing number;
  • Information about an account balance, including current and available balance;
  • Information about credit accounts, including due dates, balances owed, payment amounts and dates, transaction history, credit limit, repayment status, and interest rate;
  • Information about loan accounts, including due dates, repayment status, balances, payment amounts and dates, interest rate, guarantor, loan type, payment plan, and terms;
  • Information about investment accounts, including transaction information, type of asset, identifying details about the asset, quantity, price, fees, and cost basis;
  • Identifiers and information about the account owner(s), including name, email address, phone number, date of birth, and address information;
  • Information about account transactions, including amount, date, payee, type, quantity, price, location, involved securities, and a description of the transaction; and
  • Professional information, including information about your employer, in limited cases where you’ve connected your payroll accounts.


College Recruitment Database Leak : Close to 1 Million Students Affected 2020-07-23

One more reason to choose homeschooling/unschooling : College recruitment database leaking nearly 1 million students’ GPAs, SAT scores, IDs, and other personal data :

Institutions just don't care about your privacy.

We recently discovered an unsecured Amazon S3 (Simple Storage Service) bucket, or database, containing nearly 1 million records of sensitive high school student academic information.

Included in this unsecured bucket are GPA scores, ACT, SAT, and PSAT scores, unofficial transcripts, student IDs, and students’ and parents’ names, email addresses, home addresses, phone numbers and more. [...]

Through an Amazon representative, CaptainU claimed that the sensitive educational data was “meant to be openly available.” But it seems that CaptainU never mentioned this fact to the students or their parents.

Rick Garcia, whose daughter had at one point been a member of CaptainU — and whose personal files are still contained in the database — informed us that he never knew or intended for his daughter’s information to be publicly available, but to just share that on the platform for other coaches to see. “We did not agree to publish all of her educational information to the public,” he said. “We thought we were just giving her GPA.”


The Twitter Hack 2020-07-20

Krebs on Security talks about the recent Twitter hack :

Can we be surprised? It's, yet again, a lesson about the perils of centralized services. Instead of Twitter, try Mastodon. To follow Twitter feeds, look into Nitter.


Surveillance Firm Used Fake Apps to Scrape Social Media 2020-07-10

Be careful with OAuth logins :

"They were shitty little apps that took advantage of some of the data that we had but the catch was that they had a ton of OAuth providers," one of the former employees said. OAuth providers are methods for signing into apps or websites via another service, such as Facebook's "Facebook Connect," Twitter's "Sign In With Twitter," or Google's "Google Sign-In." These providers mean a user doesn't have to create a new account for each site or app they want to use, and can instead log in via their already established social media identity.

But once users logged into the innocent looking apps via a social network OAuth provider, Banjo saved the login credentials, according to two former employees and an expert analysis of the apps performed by Kasra Rahjerdi, who has been an Android developer since the original Android project was launched. Banjo then scraped social media content, those two former employees added. The app also contained nonstandard code written by Pink Unicorn Labs: "The biggest red flag for me is that all the code related to grabbing Facebook friends, photos, location history, etc. is directly from their own codebase," Rahjerdi said.


DuckDuckGo... I'm Disappointed in You... 2020-07-03

Apparently, DuckDuckGo was not as trustworthy as was commonly thought/hoped :


Apps/Websites Copying your Clipboard Data 2020-07-03

Apparently, many websites/apps (LinkedIn, Reddit, etc.) are copying your clipboard data :

LinkedIn is copying the contents of my clipboard every keystroke. iOS 14 allows users to see each paste notification. I’m on an iPad Pro and it’s copying from the clipboard of my MacBook Pro. TikTok just got called out for this exact reason.


Immunity Passports To Be Rolled Out 2020-06-18

Mass-Tracking COVI-PASS Immunity Passports To Be Rolled Out In 15 Countries :

A British cybersecurity company, in partnership with several tech firms, is rolling out the COVI-PASS in 15 countries across the world; a “digital health passport” that will contain your COVID-19 test history and other “relevant health information.” According to the company website, the passport’s objective is “to safely return to work” and resume “social interactions” by providing authorities with “up-to-date and authenticated health information.” [...]

More practically, VST now has a direct partnership with the UK government and has secured contracts to deploy its technology in 15 countries, including Italy, Portugal, France, India, the US, Canada, Sweden, Spain, South Africa, Mexico, United Arab Emirates and the Netherlands.

In May, VST signed a deal with international digital health technology firm and owner of COVI-PASS, Circle Pass Enterprises (CPE), to integrate VST’s VCode into the biometric RFID-enabled “passports”, which can be accessed via mobile phone or a key fob that will flash colored lights to denote if an individual has tested negative, positive, or is to be denied entry to public locations. [...]

The Innovation for Uptake, Scale and Equity in Immunisation (INFUSE) project was launched in Davos, Switzerland in 2016. The program was developed by an organization funded by the Bill & Melinda Gates Foundation called GAVI (The Vaccine Alliance), which has been calling for a digital health ID for children along with partners in the broader ID2020 initiative like the Rockefeller Foundation and Microsoft.


Google Doesn't Honor Incognito Mode : Sued for 5 Billion USD 2020-06-18

From cnet (web archive) :

Google faces $5 billion lawsuit for tracking people in incognito mode [...]

"Google tracks and collects consumer browsing history and other web activity data no matter what safeguards consumers undertake to protect their data privacy," reads the complaint. The search giant surreptitiously collects data through Google Analytics, Google Ad Manager, website plug-ins and other applications, including mobile apps, according to the complaint.

Some options to de-google yourself : Privacy Cookbook - Chapter 1 – Google, Google, GTF!


The Perils of KYC-ing on Cryptocurrency Exchanges 2020-06-03

Canadian cryptocurrency exchange's private data on customers stolen : "Hackers Plan to Use Stolen Cryptocurrency Exchange Data for SIM Swapping"

KYC ("know your client") rules are dangerous for users, especially for cryptocurrency users. The private information that clients voluntarily hand over to these websites (under compulsion from the State) makes users vulnerable to : identity theft, SIM swapping (getting control of other accounts (websites, banks, etc.)), and potentially physical attacks (once a thief knows who you are, where you live and how much cryptocurrency you have...).

This time, apparently, rather than a hack, it seems an employee stole the info.

Coinsquare, the impacted exchange, says a former employee stole the data.

Hackers who obtained personal data on users of Canadian cryptocurrency exchange Coinsquare say they plan to use the information to perform so-called SIM swapping attacks, according to one of the hackers.

The news shows hackers' continued interest in trying to leverage security issues with telecom-based forms of authentication. In a SIM swapping attack, a hacker takes control of a target's phone number, which then gives them the ability to request password resets for some websites or a victim's two-factor authentication code. Often, SIM swappers will use these techniques to steal cryptocurrency. The breach also signals the continued risk of insider access, with Coinsquare telling Motherboard a former employee was responsible for stealing the data.


Celebs' Confidential Info Leaked : Their Law Firm Hacked 2020-05-18

The best way to keep a secret is to not tell anyone. Even deep-pocketed law firms can't protect their clients' secrets :

Grubman Shire Meiselas & Sacks, a large media and entertainment law firm, appears to have been the victim of a cyberattack that resulted in the theft of an enormous batch of private information on dozens of celebrities, according to a data security researcher.

The trove of data allegedly stolen from the New York-based firm by hackers — a total of 756 gigabytes — includes contracts, nondisclosure agreements, phone numbers and email addresses, and “personal correspondence,” according to an image of the hackers’ post provided to Variety by Emsisoft, a cybersecurity software and consulting company specializing in ransomware.

The documents purportedly include information about multiple music and entertainment figures, including: Lady Gaga, Madonna, Nicki Minaj, Bruce Springsteen, Mary J. Blige, Ella Mai, Christina Aguilera, Mariah Carey, Cam Newton, Bette Midler, Jessica Simpson, Priyanka Chopra, Idina Menzel, HBO’s “Last Week Tonight With John Oliver,” and Run DMC. Facebook also is on the hackers’ hit list.


US : Web Browsing History without a Warrant 2020-05-18

What else is new? ... "We don't need no stinkin' warrants, yur honor" :

The US Senate has voted to give law enforcement agencies access to web browsing data without a warrant, dramatically expanding the government’s surveillance powers in the midst of the COVID-19 pandemic.

The power grab was led by Senate majority leader Mitch McConnell as part of a reauthorization of the Patriot Act, which gives federal agencies broad domestic surveillance powers. Sens. Ron Wyden (D-OR) and Steve Daines (R-MT) attempted to remove the expanded powers from the bill with a bipartisan amendment.

But in a shock upset, the privacy-preserving amendment fell short by a single vote after several senators who would have voted “Yes” failed to show up to the session, including Bernie Sanders. Nine Democratic senators also voted “No,” causing the amendment to fall short of the 60-vote threshold it needed to pass.

Can't wait for the lawmakers or the government to respect/protect our basic human rights. Again, let's all remember that "cypherpunks write code".


US Senate Intelligence Chairman : FBI Gets his Cellphone and iCloud Data 2020-05-14

Cellphones and iCloud accounts are not safe. Now you know why :

FBI Seizes Senate Intel Chairman's Cellphone As Probe Into Suspicious Virus-Linked 'Insider Trading' Heats Up

The seizure represents a significant escalation in the investigation into whether Burr violated a law preventing members of Congress from trading on insider information they have gleaned from their official work.

To obtain a search warrant, federal agents and prosecutors must persuade a judge they have probable cause to believe a crime has been committed. The law enforcement official said the Justice Department is examining Burr’s communications with his broker.

Such a warrant being served on a sitting U.S. senator would require approval from the highest ranks of the Justice Department and is a step that would not be taken lightly. Kerri Kupec, a Justice Department spokeswoman, declined to comment.

A second law enforcement official said FBI agents served a warrant in recent days on Apple to obtain information from Burr’s iCloud account and said agents used data obtained from the California-based company as part of the evidence used to obtain the warrant for the senator’s phone.


Bluetooth Can Be Hacked : Complete Device Hijack Possible 2017-09-12

Bluetooth should always be turned off. Now you know why :

If you are using a Bluetooth enabled device, be it a smartphone, laptop, smart TV or any other IoT device, you are at risk of malware attacks that can be carried out remotely to take over your device even without requiring any interaction from your side. [...]

Using these vulnerabilities, security researchers at IoT security firm Armis have devised an attack, dubbed BlueBorne, which could allow attackers to completely take over Bluetooth-enabled devices, spread malware, or even establish a "man-in-the-middle" connection to gain access to devices' critical data and networks without requiring any victim interaction.


New Police Powers : Your Smart Fridge Will Now Rat on You 2017-09-08

In Australia :

A bill which gives Queensland police the potential ability to remotely turn citizens’ smart devices into surveillance tools has passed the state’s parliament.

The tough new laws designed to boost the response capabilities of police during a terrorist emergency give authorities the ability to use existing gadgets for surveillance, including remotely installing software to use devices such as smart fridges or AI-powered home speakers as listening devices.

Yeah, a "terrorist emergency". The "new normal". France has been in a "state of emergency" for months now. People are constantly told they have to get used to terrorism. I guess that means we also have to "get used" to "special" police powers...


A Really Dumb Idea 2017-09-08

Following the news about Equifax getting hacked, one social commentator summed up the situation pretty well :

"In retrospect it seems like a really dumb idea to give three random companies access to the entire financial records of every American."

Well said!


Equifax Hacked : 143 Million Social Security Numbers 2017-09-08

Equifax, one of the biggest credit-reporting companies, has been hacked, making millions of people vulnerable to identity theft. But there's a silver lining : Equifax insiders were able to dump a lot of their shares before making the hack public (wow, that was close!!! /sarc) :

Credit-reporting company Equifax shocked investors, and more than a third of America, when it announced on Thursday afternoon that hackers had breached its data systems, compromising the personal information of approximately 143 million U.S. consumers. The information accessed "primarily includes names, Social Security numbers, birth dates, addresses and, in some instances, driver’s license numbers." In other words, pretty much everything that should have been hidden behind an n-number of firewalls, is now available to the dark net's highest bidder. [...]

The credit-reporting service said late Thursday in a statement that it discovered the intrusion on July 29. Regulatory filings show that three days later, Chief Financial Officer John Gamble sold shares worth $946,374 and Joseph Loughran, president of U.S. information solutions, exercised options to dispose of stock worth $584,099. Rodolfo Ploder, president of workforce solutions, sold $250,458 of stock on Aug. 2. None of the filings lists the transactions as being part of 10b5-1 pre-scheduled trading plans.


Hacking Smart Devices With Ultrasounds : Siri, Alexa & Other Voice Assistants 2017-09-08

Hacking smart devices with ultrasounds :

Dubbed DolphinAttack, the attack technique works by feeding the AI assistants commands in ultrasonic frequencies, which are too high for humans to hear but are perfectly audible to the microphones on your smart devices.

With this technique, cyber criminals can "silently" whisper commands into your smartphones to hijack Siri and Alexa, and could force them to open malicious websites and even your door if you have a smart lock connected.


More NSA Hacking Tools Leaked : Taking Control of Windows Computers 2017-09-08

More NSA hacking tools leaked by ShadowBrokers, for Windows (who still uses Windows???) :

The Snowden documents suggested the agency used the tool alongside other pieces of malware, including CAPTIVATEDAUDIENCE, GUMFISH, FOGGYBOTTOM, GROK, and SALVAGERABBIT, to infect millions of computers around the world.

  • CAPTIVATEDAUDIENCE is for recording conversations via the infected computer's microphone.
  • GUMFISH is for covertly taking control of a computer’s webcam and snapping photographs.
  • FOGGYBOTTOM is for exfiltrating Internet data like browsing histories, login details and passwords.
  • GROK is a keylogger Trojan for capturing keystrokes.
  • SALVAGERABBIT is for accessing data on removable flash drives that connect to the infected computer.

See also Schneier's blog about this.


Apache Struts2 (Java) : Take Over Servers With a Browser 2017-09-06

Apache Struts2 is used by many huge organisations, including Lockheed Martin, Vodafone, Virgin Atlantic, and the IRS. Now we learn that all that is required to hack Apache Struts is a web browser :

"On top of that, [the vulnerability] is incredibly easy for an attacker to exploit this weakness: all you need is a web browser," Man Yue Mo, an LGTM security researcher said.

All an attacker needs to do is submit malicious XML code in a particular format to trigger the vulnerability on the targeted server.

Successful exploitation of the vulnerability could allow an attacker to take full control of the affected server, eventually letting the attacker infiltrate into other systems on the same network.

It's fascinating to see that some people still use Java in 2017!


Peak Spying : CIA Spying on the FBI, NSA, DHS 2017-08-24

This is delicious :

Today, August 24th 2017, WikiLeaks publishes secret documents from the ExpressLane project of the CIA. These documents show one of the cyber operations the CIA conducts against liaison services -- which includes among many others the National Security Agency (NSA), the Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI).


VPN : Be Careful Which Provider You Choose 2017-08-08

"Hotspot Shield VPN Accused of Spying On Its Users' Web Traffic" :

The 14-page-long complaint filed Monday morning by the Centre for Democracy and Technology (CDT), a US non-profit advocacy group for digital rights, accused Hotspot Shield of allegedly tracking, intercepting and collecting its customers' data.

Developed by Anchorfree GmbH, Hotspot Shield is a VPN service available for free on Google Play Store and Apple Mac App Store with an estimated 500 million users around the world.


Web Developer Chrome Extension : Hijacked 2017-08-04

Always be careful about which browser extensions you install. In this case, a Chrome extension for web developers was hijacked :

Now just yesterday, another popular Chrome extension, 'Web Developer', was hijacked by some unknown attackers, who updated the software to directly inject advertisements into the web browsers of its over 1 million users.


Sweden Leaks Personal Details of Nearly All Citizens, Including Police And Military 2017-07-20

Well, ... What more can I say... :

Sweden’s Transport Agency moved all of its data to “the cloud”, apparently unaware that there is no cloud, only somebody else’s computer. In doing so, it exposed and leaked every conceivable top secret database: fighter pilots, SEAL team operators, police suspects, people under witness relocation. Names, photos, and home addresses: the list is just getting started. The responsible director has been found guilty in criminal court of the whole affair, and sentenced to the harshest sentence ever seen in Swedish government: she was docked half a month’s paycheck.

And they want to go cashless over there... Well... Ok...


Ethereum Parity Multi-Sig Wallet Hacked : 30 Million USD 2017-07-20

A third hack in 20 days for the ethereum network. This time, it's related to the Parity Wallet :

An unknown hacker has used a vulnerability in an Ethereum wallet client to steal over 153,000 Ether, worth over $30 million dollars.

The hack was possible due to a flaw in the Parity Ethereum client. The vulnerability allowed the hacker to exfiltrate funds from multi-sig wallets created with Parity clients 1.5 and later. Parity 1.5 was released on January 19, 2017.


Cisco WebEx Extensions : Remotely Hackable 2017-07-18

Always make sure you really need to install a browser extension before doing so. It increases your attack surface. Here we learn that Cisco WebEx browser extensions can lead to being remotely hacked :

A highly critical vulnerability has been discovered in the Cisco Systems’ WebEx browser extension for Chrome and Firefox, for the second time in this year, which could allow attackers to remotely execute malicious code on a victim's computer. [...]

To exploit the vulnerability, all an attacker needs to do is trick victims into visiting a web page containing specially crafted malicious code through a browser with the affected extension installed.


Australia Wants to Weaken Encryption 2017-07-17

The Australian PM wants tech companies to help weaken encryption to help law enforcement. And, believe it or not, he actually said this :

"The laws of mathematics are very commendable but the only law that applies in Australia is the law of Australia."

Wow... Just... wow...


Verizon : Customers' Data Exposed On Unprotected AWS Server 2017-07-15

No comment ... :

Verizon, the major telecommunications provider, has suffered a data security breach with over 14 million US customers' personal details exposed on the Internet after NICE Systems, a third-party vendor, mistakenly left the sensitive users’ details open on a server.


Smartphones : Broadcom Wi-Fi Chip Can Be Hacked Remotely 2017-07-13

Some Android smartphones and iPhones can be hacked remotely because of their Broadcom Wi-Fi Chip :

Google has released its latest monthly security update for Android devices, including a serious bug in some Broadcom Wi-Fi chipsets that affects millions of Android devices, as well as some iPhone models.


Security Firm CEO : Identity Stolen, Declared Bankrupt 2017-07-13

Sweden is rapidly going cashless. They might want to rethink that strategy :

The 59-year-old CEO of Swedish security firm Securitas was declared bankrupt this week after hackers stole his identity, took out a loan in his name, then filed for bankruptcy. As Bloomberg noted, “the sub-optimal branding implications were hard to miss.”


Internet Search History : Subpoenaed 2017-07-12

It's probably good to keep in mind that your Google search history can be subpoenaed, as this research scientist found out :

The first rule of insider trading is never to buy calls on the target (although these days the acquiror will also do) days if not hours ahead of a merger announcement. The second rule, as Chinese research scientist Fei Yan just found out, is to never google "how sec detect unusual trade" before (while and after) trading on inside information.

[...] the SEC simply subpoenaed Yan's search history.


Warning : RedHat/CentOS Netfilter CIA Attack 2017-07-01

WikiLeaks :

Today, June 29th 2017, WikiLeaks publishes documents from the OutlawCountry project of the CIA that targets computers running the Linux operating system. OutlawCountry allows for the redirection of all outbound network traffic on the target computer to CIA controlled machines for ex- and infiltration purposes. The malware consists of a kernel module that creates a hidden netfilter table on a Linux target; with knowledge of the table name, an operator can create rules that take precedence over existing netfilter/iptables rules and are concealed from a user or even system administrator.

The installation and persistence method of the malware is not described in detail in the document; an operator will have to rely on the available CIA exploits and backdoors to inject the kernel module into a target operating system. OutlawCountry v1.0 contains one kernel module for 64-bit CentOS/RHEL 6.x; this module will only work with default kernels. Also, OutlawCountry v1.0 only supports adding covert DNAT rules to the PREROUTING chain.
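A defender's check for the behaviour described above, added here as an example (it is not part of the WikiLeaks release or of the original post): it compares the ip_tables table names the kernel has registered, read from /proc/net/ip_tables_names, against the tables a stock kernel provides and flags any other name. It assumes a covert table still registers with netfilter normally and therefore appears in that file; a module that also hides itself from procfs would need other means of detection. The sample file contents and the table name zz_covert_example are constructed placeholders.

```shell
#!/bin/sh
# Added example: flag ip_tables tables that a stock kernel does not register.
# Assumption (not stated on the page): a covert table created by a kernel
# module is still listed in /proc/net/ip_tables_names. iptables itself has
# no "list all tables" command, so administrators rarely look there.

# Tables registered by the standard iptable_* modules.
KNOWN_TABLES="filter nat mangle raw security"

# unexpected_tables FILE
# Reads one table name per line from FILE and prints every name that is not
# in KNOWN_TABLES. Returns 0 if nothing unexpected was found, 1 otherwise.
unexpected_tables() {
    _file="$1"
    _found=0
    while IFS= read -r _name || [ -n "$_name" ]; do
        if [ -z "$_name" ]; then
            continue
        fi
        case " $KNOWN_TABLES " in
            *" $_name "*) ;;                 # a stock table, fine
            *) echo "$_name"; _found=1 ;;    # not something the kernel ships
        esac
    done < "$_file"
    return "$_found"
}

# Self-contained demonstration on constructed data: a clean list and one
# with a made-up covert table name (placeholder, not a real artifact).
demo() {
    _tmp=$(mktemp) || return 2
    printf 'filter\nnat\nmangle\nraw\nsecurity\n' > "$_tmp"
    if unexpected_tables "$_tmp"; then
        echo "clean sample: no unexpected tables"
    fi
    printf 'filter\nnat\nzz_covert_example\n' > "$_tmp"
    if ! unexpected_tables "$_tmp"; then
        echo "tampered sample: unexpected table(s) listed above"
    fi
    rm -f "$_tmp"
}
demo

# On a live host, run it against the real file (needs ip_tables loaded).
if [ -r /proc/net/ip_tables_names ]; then
    if unexpected_tables /proc/net/ip_tables_names; then
        echo "host: no unexpected ip_tables tables"
    else
        echo "host: inspect the table(s) above with: iptables -t <name> -S"
    fi
fi
```

On a host that has moved to nftables the file may be empty or absent, in which case the check says nothing either way.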


Critical Flaw in Systemd 2017-06-30

Critical flaw in Systemd, the successor to "init", used in many linux distributions.

A critical vulnerability has been discovered in Systemd [...] that could allow remote attackers to potentially trigger a buffer overflow to execute malicious code on the targeted machines via a DNS response.

This affects all linux distributions that use Systemd, notably :

This vulnerability has been present since Systemd version 223, introduced in June 2015, and is present all the way up to and including Systemd version 233, launched in March this year. Of course, systemd-resolved must be running on your system for it to be vulnerable. The bug is present in Ubuntu versions 17.04 and 16.10; Debian versions Stretch (aka Debian 9), Buster (aka 10) and Sid (aka Unstable); and various other Linux distributions that use Systemd.

But this is hardly a surprise. Systemd should never have been introduced in linux.

Luckily, there are options to stay away from Systemd. Remove it or use one of the distributions that stay away from it, notably devuan, a fork from debian for that very purpose.


Warning : Update OpenVPN Quickly 2017-06-27

A critical remote code execution bug in OpenVPN :

The vulnerability could allow a remote authenticated attacker to craft and send a certificate that either crashes the OpenVPN service or triggers a double free that potentially leads to remote code execution within the server.


CIA Breaching Airgaps on Windows 2017-06-22

CIA using thumbdrives (usb keys) to infect airgapped Windows systems :

Brutal Kangaroo is a tool suite for Microsoft Windows that targets closed networks by air gap jumping using thumbdrives. Brutal Kangaroo components create a custom covert network within the target closed network and provide functionality for executing surveys, directory listings, and arbitrary executables.


Update : Linux Shared Environments Vulnerable to Stack Clash 2017-06-20

If you use a unix-based server (linux, freebsd, etc), you should update as soon as possible to protect against the Stack Clash vulnerability :

Attackers can locally exploit the privilege escalation vulnerability to gain root access over Linux, Solaris and BSD machines. This is bad news for Unix-based servers, and even more so for multi-tenant environments. [...]

Stack Clash completely bypasses stack guard-pages. [...] the Linux kernel added stack guard page to mitigate this class of attack. The guard-page acts as a divider between the stack and the heap. However, Qualys researchers were able to bypass the guard pages entirely because the applications were not built with sufficient stack protection checks in their code.

“Unfortunately, a stack guard-page of a few kilobytes is insufficient. [...] The size of the stack guard-page should be increased to 1MB at a minimum as a short term workaround until updates can be applied.”

More details.


Records Of 198 Million US Voters Exposed 2017-06-20

If one wants to protect one's personal information, one should avoid giving it away or making it public... Here's another example why : "Records Of 198 Million US Voters "Accidentally" Exposed By RNC Contractor"

Deep Root Analytics left a database containing 24 terabytes of data, including information about 198 million potential voters, or virtually the entire eligible population. The data included sensitive, but publicly available, information like voters’ addresses and phone numbers.

But more interesting than any personal information involved in the leak was the insight into Deep Root’s "big data" modeling tactics. The data included probabilities for individual voters’ positions on dozens of political issues, as well as estimates of how they voted in past elections.


Warning : KMail’s ‘Send Later’ and PGP 2017-06-16

For those using KMail with PGP: make sure to update your software before using the 'Send Later' feature. There's a bug and those emails will be sent unencrypted. An update to KMail version 17.04.2 fixes that bug.

I recently discovered the security vulnerability CVE-2017-9604 in the KDE Project’s KMail email client. This vulnerability led KMail to not encrypt email messages scheduled to be sent with a delay, even when KMail gave every indication that the email contents would be encrypted using OpenPGP. [...]

KMail versions between 4.11 and 17.04.1 are vulnerable. KMail version 17.04.2, released on 2017-06-08, contains a fix for the problem. You should update KMail before sending any private messages with OpenPGP, to ensure your messages will remain private. Different Linux distributions will push out this update on their own schedules.


Trusted Third Parties Are Security Holes 2017-06-10

Don't forget that the best way to keep a secret is to not tell anybody. In the same way, the best way not to be deceived or betrayed is to not "trust" anybody. As the brilliant polymath Nick Szabo reminds us, "trusted third parties are a security hole" :

Commercial security is a matter of solving the practical problems of business relationships such as privacy, integrity, protecting property, or detecting breach of contract. A security hole is any weakness that increases the risk of violating these goals. In this real world view of security, a problem does not disappear because a designer assumes it away. The invocation or assumption in a security protocol design of a "trusted third party" (TTP) or a "trusted computing base" (TCB) controlled by a third party constitutes the introduction of a security hole into that design. The security hole will then need to be plugged by other means.

We have yet again a great illustration of this principle today with this piece of news :

Chinese authorities have announced the arrest of around 22 distributors working as Apple distributors as part of a $7 million operation, who stole customers’ personal information from an internal Apple database and illegally sold it to Chinese black market vendors.

Do whatever you can to minimize the need to "trust" anyone or anything in your security setups.


Privacy-Busting Printers 2017-06-09

Please keep in mind that many printers embed secret codes to squeal on you when you print :

The watermarks, shown in the image above—an enhancement of the scanned document The Intercept published yesterday—were from a Xerox Docucolor printer. Many printers use this or similar schemes, printing faint yellow dots in a grid pattern on printed documents as a form of steganography, encoding metadata about the document into its hard-copy output. Researchers working with the Electronic Frontier Foundation have reverse-engineered the grid pattern employed by this class of printer; using the tool, Ars (and others, including security researcher Robert Graham) determined that the document passed to The Intercept was printed on May 9, 2017 at 6:20am from a printer with the serial number 535218 or 29535218.


More Trouble For Intel's Active Management Technology (AMT) 2017-06-09

It's called "Platinum" and it's one more reason to fear Intel's AMT :

But this low-level operation is what makes AMT attractive for hackers: the network traffic that AMT uses is handled entirely within AMT itself. That traffic never gets passed up to the operating system's own IP stack and, as such, is invisible to the operating system's own firewall or other network monitoring software. [...]

In this way, PLATINUM's malware can move files between machines on the network while being largely undetectable to those machines.

Both the PLATINUM malware and the AMT security flaw require AMT to be enabled in the first place; if it's not turned on at all, there's no remote access. Microsoft's write-up of the malware expressed uncertainty about this part; it's possible that the PLATINUM malware itself enabled AMT—if the malware has Administrator privileges, it can enable many AMT features from within Windows—or that AMT was already enabled and the malware managed to steal the credentials.


IP Cameras : Hard-Coded Passwords! 2017-06-08

Wow, that was dumb on an epic scale : this manufacturer (Foscam) hard-coded passwords into its IP cameras. You can't just change the default credentials; they're hard-coded. What were they thinking?

Vulnerabilities found in two models of IP cameras from China-based manufacturer Foscam allow attackers to take over the camera, view video feeds, and, in some cases, even gain access to other devices connected to a local network. [...]

In addition to the Foscam and Opticam brands, F-Secure also said the vulnerabilities were likely to exist in 14 other brands that use Foscam internals, including Chacon, 7links, Netis, Turbox, Thomson, Novodio, Nexxt, Ambientcam, Technaxx, Qcam, Ivue, Ebode and Sab.

But it gets better! More vulnerabilities :

The flaws discovered in the IP cameras include:

  • Insecure default credentials
  • Hard-coded credentials
  • Hidden and undocumented Telnet functionality
  • Remote Command Injections
  • Incorrect permissions assigned to programming scripts
  • Firewall leaking details about the validity of credentials
  • Persistent cross-site scripting
  • Stack-based Buffer overflow attack

Can this be just incompetence? I fear it may be more than that. Trade accordingly.


Bitcoin on a Malware-Infested Computer 2017-06-07

It's good to keep in mind that malware on your computer can change a Bitcoin address that you copy-paste. Malware can continuously check for Bitcoin addresses in your clipboard. This poor guy lost quite a few coins to that hack :

ask_for_pgp

scammed / hacked: I copy-pasted a BTC address into Electrum and confirmed the bitcoin transaction. The clipboard replaced my intended bitcoin address with a different one. A few minutes later I discussed with a friend whether he already saw it in his wallet. He didn't. It was sent to the wrong address.

I checked all browser windows, private messages, chat histories. I do not know this address that grabbed the 13 BTC.

nkorslund

Wait, so there are viruses that auto-detect BTC addresses in the clipboard?

Well that's actually pretty clever.

filenotfounderror

Yes, they've been around a long time.
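
As an added illustration (not part of the original thread, and not Electrum's code): the Base58Check checksum that a wallet validates on a pasted address is equally valid on the address a clipboard hijacker substitutes, so the only check that catches the swap is comparing what landed in the send field against the address the recipient actually gave you. The two addresses below are constructed from dummy 20-byte hashes.

```python
import hashlib
import hmac

# Base58 alphabet used by Bitcoin (no 0, O, I, l).
B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def _double_sha256(data: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def b58encode(data: bytes) -> str:
    """Base58-encode bytes; each leading zero byte becomes a leading '1'."""
    n = int.from_bytes(data, "big")
    digits = ""
    while n:
        n, rem = divmod(n, 58)
        digits = B58_ALPHABET[rem] + digits
    pad = len(data) - len(data.lstrip(b"\x00"))
    return "1" * pad + digits


def b58decode(text: str) -> bytes:
    """Inverse of b58encode; raises ValueError on characters outside the alphabet."""
    n = 0
    for ch in text:
        idx = B58_ALPHABET.find(ch)
        if idx < 0:
            raise ValueError(f"not a Base58 character: {ch!r}")
        n = n * 58 + idx
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    pad = len(text) - len(text.lstrip("1"))
    return b"\x00" * pad + body


def p2pkh_address(hash160: bytes, version: int = 0x00) -> str:
    """Legacy (P2PKH) address: Base58(version || 20-byte hash || first 4 bytes of double-SHA256)."""
    payload = bytes([version]) + hash160
    return b58encode(payload + _double_sha256(payload)[:4])


def checksum_ok(address: str) -> bool:
    """True when the address decodes to 25 bytes whose trailing 4 bytes match the checksum.
    This is all a wallet can verify about an address on its own."""
    try:
        raw = b58decode(address)
    except ValueError:
        return False
    if len(raw) != 25:
        return False
    return raw[-4:] == _double_sha256(raw[:-4])[:4]


def check_pasted_address(intended: str, pasted: str) -> str:
    """The check to make before confirming a payment: 'intended' is the address the
    recipient sent you out of band, 'pasted' is what is now in the send field.
    Returns 'ok', 'mismatch' or 'invalid'."""
    if not checksum_ok(pasted):
        return "invalid"
    # Constant-time comparison; a plain == would also do, this just avoids a timing side channel.
    if hmac.compare_digest(intended.encode(), pasted.encode()):
        return "ok"
    return "mismatch"


if __name__ == "__main__":
    # Constructed sample: the recipient's real address and one a clipboard hijacker swapped in.
    intended = p2pkh_address(bytes.fromhex("11" * 20))
    swapped = p2pkh_address(bytes.fromhex("22" * 20))
    print(intended, checksum_ok(intended))          # True
    print(swapped, checksum_ok(swapped))            # True: the checksum does not help
    print(check_pasted_address(intended, swapped))  # mismatch
```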


U.S. : No Right to Self-Defense Anymore 2017-06-07

The U.S. Supreme Court has decided that it's ok for police to barge into someone's house, without a warrant and without announcing themselves, and start shooting :

As the U.S. Supreme Court’s ruling in County of Los Angeles vs. Mendez makes clear, Americans can no longer rely on the courts to mete out justice.

Continuing its disturbing trend of siding with police in cases of excessive use of force, a unanimous Court declared that police should not be held liable for recklessly firing 15 times into a shack where a homeless couple—Angel and Jennifer Mendez—was sleeping.

Understandably, the Mendezes were startled by the intruders, so much so that Angel was holding his BB gun, which he used to shoot rats, in defense. Despite the fact that police barged into the Mendez’s backyard shack without a search warrant and without announcing their presence and fired 15 shots at the couple, who suffered significant injuries (Angel Mendez suffered numerous gunshot wounds, one of which required the amputation of his right leg below the knee, and his wife Jennifer was shot in the back), the Court once again gave the police a “get out of jail free” card.

Trade accordingly.


Hacking Pacemakers ... 2017-06-06

Two huge problems : 1. flaws in pacemakers could give hackers power of life and death over a patient, and 2. personal data written on pacemakers (names, social security numbers, etc.) is not encrypted :

In a recent study, researchers from security firm White Scope analysed seven pacemaker products from four different vendors and discovered that they use more than 300 third-party libraries, 174 of which are known to have over 8,600 vulnerabilities that hackers could exploit in pacemaker programmers. [...]

What's even more frightening? Researchers discovered that the pacemaker devices do not authenticate these programmers, which means anyone who gets their hands on an external monitoring device could potentially harm or kill heart patients with an implanted pacemaker. [...]

So, any working tool sold on eBay has the potential to harm patients with the implant. Yikes! [...]

What's more? In some cases, researchers discovered unencrypted patients' data stored on the pacemaker programmers, including names, phone numbers, medical information and Social Security numbers (SSNs), leaving them wide open for hackers to steal.

Another issue discovered in the pacemaker systems is the lack of the most basic authentication process: login name and password, allowing physicians to authenticate a programmer or cardiac implant device without even having to enter a password.


Why You Should Learn To Fix Your Own Computer 2017-06-05

Apparently, the FBI has been cultivating informants in Best Buy's tech support. I'd be surprised if that wasn't the case in other companies and in other countries as well.

A federal prosecution of a doctor in California revealed that the FBI has been working for several years to cultivate informants in Best Buy’s national repair facility in Brooks, Kentucky, including reportedly paying eight Geek Squad employees as informants. [...]

At no point did the FBI get warrants based on probable cause before Geek Squad informants conducted these searches. Nor are these cases the result of Best Buy employees happening across potential illegal content on a device and alerting authorities.


Hadoop : Over 5,000 Terabytes of Data Exposed 2017-06-04

Nearly 4,500 servers with the Hadoop Distributed File System (HDFS) — the primary distributed storage used by Hadoop applications — were found exposing more than 5,000 Terabytes (5.12 Petabytes) of data, according to an analysis conducted using Shodan search engine. [...]

Here are the instructions on how to run Hadoop in "secure mode".
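
As an added example (not from the original post or the Hadoop project), here is the audit a practitioner would run on a cluster's `core-site.xml` and `hdfs-site.xml` before exposing it: it parses Hadoop's property XML and reports every setting that is still at its non-secure-mode value, taking Hadoop's documented defaults into account for properties that are simply absent (which is how most of the exposed clusters above would have looked). The two pairs of config files are constructed; the property names and defaults are Hadoop's own, so check them against your version's `*-default.xml`.

```python
import xml.etree.ElementTree as ET

# Properties that decide whether Hadoop runs in "secure mode":
# name -> (value secure mode needs, value Hadoop assumes when the property is absent).
SECURE_MODE_SETTINGS = {
    # "simple" authentication trusts whatever username the client asserts
    "hadoop.security.authentication": ("kerberos", "simple"),
    # service-level ACLs are not enforced at all unless this is true
    "hadoop.security.authorization": ("true", "false"),
    # RPC quality of protection: authentication only, integrity, or privacy (encryption)
    "hadoop.rpc.protection": ("privacy", "authentication"),
    # POSIX-style permission checks on the HDFS namespace
    "dfs.permissions.enabled": ("true", "true"),
    # DataNodes require a NameNode-issued block access token before serving data
    "dfs.block.access.token.enable": ("true", "false"),
    # encrypt the block data stream between client and DataNode
    "dfs.encrypt.data.transfer": ("true", "false"),
}


def parse_hadoop_config(xml_text: str) -> dict:
    """Return {name: value} from a Hadoop *-site.xml document (<property><name/><value/>)."""
    root = ET.fromstring(xml_text)
    props = {}
    for prop in root.iter("property"):
        name = prop.findtext("name")
        if name is not None:
            props[name.strip()] = (prop.findtext("value") or "").strip()
    return props


def audit_secure_mode(*configs: dict) -> list:
    """Merge the given property maps (later files override earlier ones) and report every
    setting whose effective value is not the secure-mode value, as
    (name, effective_value, required_value). An empty list means the cluster passes."""
    effective = {}
    for cfg in configs:
        effective.update(cfg)
    findings = []
    for name, (required, default) in SECURE_MODE_SETTINGS.items():
        actual = effective.get(name, default).lower()
        if actual != required:
            findings.append((name, actual, required))
    return findings


def audit_files(core_site_xml: str, hdfs_site_xml: str) -> list:
    return audit_secure_mode(parse_hadoop_config(core_site_xml),
                             parse_hadoop_config(hdfs_site_xml))


# Constructed example of what an Internet-exposed cluster typically ships with:
# no authentication property at all (so Hadoop falls back to "simple") and
# permission checks switched off for convenience.
EXPOSED_CORE_SITE = """<configuration>
  <property><name>fs.defaultFS</name><value>hdfs://namenode:8020</value></property>
</configuration>"""
EXPOSED_HDFS_SITE = """<configuration>
  <property><name>dfs.permissions.enabled</name><value>false</value></property>
</configuration>"""

# Constructed example of the same two files after enabling secure mode.
SECURE_CORE_SITE = """<configuration>
  <property><name>fs.defaultFS</name><value>hdfs://namenode:8020</value></property>
  <property><name>hadoop.security.authentication</name><value>kerberos</value></property>
  <property><name>hadoop.security.authorization</name><value>true</value></property>
  <property><name>hadoop.rpc.protection</name><value>privacy</value></property>
</configuration>"""
SECURE_HDFS_SITE = """<configuration>
  <property><name>dfs.permissions.enabled</name><value>true</value></property>
  <property><name>dfs.block.access.token.enable</name><value>true</value></property>
  <property><name>dfs.encrypt.data.transfer</name><value>true</value></property>
</configuration>"""

if __name__ == "__main__":
    for name, actual, required in audit_files(EXPOSED_CORE_SITE, EXPOSED_HDFS_SITE):
        print(f"{name}: is '{actual}', secure mode needs '{required}'")
    print("secured cluster findings:", audit_files(SECURE_CORE_SITE, SECURE_HDFS_SITE))  # []
```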


On The Importance of Using Firefox (not Chrome) 2017-06-03

Google is now moving (even more) to strangle the voices of people they don't approve of. First there was YouTube's new policy on pulling ads from "controversial" videos, and now this new "tool" that Google intends to implement in Chrome. Google will try to block ads they don't approve of (eventually pretty much all ads that are not Google ads?). They will also try to block other ad-blockers that are not Google's own ad-blocking tool. You'd have to either watch the ad or "pay". To "pay", you would have to be logged in somehow (so the system can charge you), which means they get to watch what you do online and track you. And if you disable your own ad-blocker, they can track you (with cookies and fingerprinting technologies). Either way, they get to track what you do online. World, meet your new Overlord, "Google", presenting you your "new internet", AOL 2.0, the "Google-Net".

The Google ad-blocker will block all advertising on sites that have a certain number of "unacceptable ads," according to The Wall Street Journal. [...]

Chrome is the most popular Web browser, with more than 50 percent of the market. The Chrome ad-blocker is likely to be turned on by default. Any decisions by Google about what ads are "acceptable" will have a huge effect on the online advertising space.

And about Youtube's new ad policy :

YouTubers used to say the best thing about the platform was that they could say whatever they wanted, and no one could say no. They weren’t held back due to their bosses or editors or advertising pressure. Now the other shoe has dropped. That all may still be true, but there is now advertising pressure. You suddenly won’t get advertisers anymore if you fall into the wrong category.

That writer also has a few solutions that all businesses should keep in mind when dealing with potential censors :

For starters, if you've got a gaming channel on YouTube, you should be supplementing revenue with a streaming site. Either a full partnership on Hitbox so you can get subscribers, or that new affiliate program on Twitch which lets you get bits. Or, um, just take donations on whatever streaming service.

Consider Patreon and figure out what you can do to incentivize people to support you on that platform. Network a bit and get a paid brand deal where you directly sponsor a game/product. This usually goes “if you can get X amount of views in Y amount of videos that feature our product, we'll give you a lump sum.” Unlike ads which are volatile, with direct sponsorship/brand deals you know exactly how much money you're getting. Provided you can get the requisite number of views.

You can merchandise through a service like Teespring, Zazzle or RedBubble. Get that funny meme printed on a coffee mug. Partner with that extremely gifted fan who is wasting their talent drawing stuff for you for some damn reason and split the money on t-shirt sales. Get in the game, here!


OneLogin Password Manager : Hacked. Change All Your Passwords 2017-06-02

For those still using a password manager... please don't :

OneLogin, the cloud-based password management and identity management software company, has admitted that the company has suffered a data breach. [...]

The stolen data also includes "the ability to decrypt encrypted data."


A Bitcoin Beginner’s Guide to Surviving the BIP 148 UASF 2017-06-01

You may have heard about BIP 148 (bitcoin improvement proposal 148), which will kick in on August 1st. The gist of the situation is that some well-meaning "bitcoiners" are trying to force a more rapid adoption of SegWit (SegWit, or "segregated witness", would be a great technological leap forward for Bitcoin). There are other ways of forcing SegWit adoption, but they require more time and some don't want to wait. I sympathize but would have preferred the slow approach. BIP 148 will lead to short-term disruption of the Bitcoin network, and we should know how to prepare. Aaron van Wirdum wrote a great article on the topic. Here's his summary :

So, to Recap ...

  1. Control your private keys.

  2. To be on the safe side, avoid any transactions on and shortly after August 1st. (How “shortly after” depends on what happens.)

  3. If there are still two chains when the dust settles, split your coins into different wallets.

Writing a Diary? : Better Not Travel ... 2017-05-28

An Australian woman carried a diary with her on her way to the US. She ended up in federal prison because customs officers thought she wanted to immigrate illegally, based on what she wrote in her diary. Keep your thoughts to yourself or encrypt everything. We're not living in free countries anymore.

“In the end they were convinced I wanted to immigrate illegally because my diary had notes like ‘going away drinks’ and ‘last day at work’, things I got in order before expecting to be away for three months.” [...]

“A few more hours later, myself and a Japanese woman were handcuffed and transported to the detention centre, which was a federal prison,” Ms Hill said.

The customs officers didn't even have the decency to tell her boyfriend what had happened. They just let him wait at the airport :

Her boyfriend Ross was left waiting at baggage claim. “I never made it there,” she said. “The customs officer told me with a smirk that he had been waiting there all day for me. And then I ... Yeah, I had no way to contact him.” She said she believed it was her mother who contacted him after someone from the Australian consulate called her.

Planning a trip to the U.S.? Well, you should probably know that U.S. Customs and Border Protection thinks that she was treated with respect ... so if you experience the same thing, don't expect any sympathy from them :

“U.S. Customs and Border Protection acted with respect, integrity, professionalism and according to current federal law when Molly Joan Hill, an Australian citizen presented herself for CBP inspection at Honolulu International Airport May 15,” a spokesperson said.

Trade accordingly.


DNA Genetic Tests : Be Careful 2017-05-27

DNA genetic tests are extremely risky from a privacy-protection perspective.

Do you want to give a company a "license" to your DNA?

Sending a swab of saliva in the post to discover your genetic background sounds simple, but Ancestry.com has come under fire for its terms and conditions, which grant the company a “perpetual” license to keep and use your DNA – however it likes.

How about being denied insurance because the insurance company can secretly figure out your odds of getting sick?

The clause is included in the company’s terms and conditions, which also outlines how the information could later result in a customer being denied insurance due to diseases in their DNA – should you fail to opt out of one of its 'informed consent' options. [...]

How about cloning?

Concerns have previously been raised about DNA being used in experimental research, such as cloning.

How about hackers? Having your DNA become public? Financial and identity fraud?

The company has promised to safeguard DNA in its informed consent document, but does note that “there is a potential risk that data about you could become public as the result of a security breach.”[...]

“In the future, there may be an incentive for hackers to target genetic databases in order to acquire data than can be used in financial or identity fraud,” Phillips notes.

Speaking to Global News in 2016, Ann Cavoukian of the Privacy and Big Data Institute at Ryerson University said “you have to assume that you’re going to lose control over that information.”


Android Phones : Vulnerable to Full Device Takeover Attack 2017-05-26

Wow... well that's a big one... And it can't be easily remedied. This attack abuses simple app permissions to (amongst other things) capture keystrokes.

Cloak and Dagger attack allows hackers to silently take full control of your device and steal private data, including keystrokes, chats, device PIN, online account passwords, OTP passcode, and contacts.

The attack doesn't exploit any vulnerability in the Android ecosystem; instead, it abuses a pair of legitimate app permissions that are widely used in popular applications to access certain features on an Android device.

Researchers at the Georgia Institute of Technology, who discovered this attack, successfully performed it on 20 people, and none of them were able to detect any malicious activity. [...]

University researchers have already disclosed this new attack vector to Google but noted that since the issue resides in the way Android OS has been designed, involving two of its standard features that behave as intended, the problem could be difficult to resolve.


Must Update : Some Media Players Are Vulnerable to Malicious Subtitle Files 2017-05-25

If you use "media players" (VLC, Kodi (XBMC), Popcorn Time, Stremio, SmartTVs, etc), you really should update as soon as possible :

Security firm Check Point Software Technologies publicly disclosed a new threat vector today in media player subtitles that could have potentially exposed millions of users to security risks. Simply by running a media file that downloads embedded malicious subtitles, Check Point alleges that end-user systems could have been taken over by attackers.

Check Point responsibly disclosed the vulnerability to the impacted media players including VLC, Kodi (XBMC), Popcorn Time and Stremio, and updated players are now available. VLC in particular is a widely used open-source media player that has over 170 million downloads on Windows alone. Media players are also widely used in smart TV platforms and other streaming media devices, with the total number of impacted devices estimated to be 200 million by Check Point.

For more details, you can also read this article.


Must Update : ImageMagick Library 2017-05-24

If your server uses ImageMagick (the popular open-source image processing library), you should upgrade as soon as possible :

The exploit abuses a security vulnerability in the ImageMagick library, which Evans dubbed "Yahoobleed #1" (YB1) because the flaw caused the service to bleed contents stored in server memory.

After Yahoo became aware of the issue, Evans reported the vulnerability to the ImageMagick team, who released ImageMagick version 7.0.5-1 two months ago with a fix for the issue.


DocuSign (a digital signature service) : Hacked 2017-05-20

For those using DocuSign : it's been hacked but, luckily, only email addresses were accessed (apparently). For details, you can see this article :

Digital signature service DocuSign said Monday that an unnamed third-party had got access to email addresses of its users after hacking into its systems.

The hackers gained temporary access to a peripheral sub-system for communicating service-related announcements to users through email, the company said. It confirmed after what it described as a complete forensic analysis that only email addresses were accessed, and not other details such as names, physical addresses, passwords, social security numbers, credit card data or other information.


HaaS : Hacking as a Service? 2017-05-18

The ShadowBrokers will now offer access to hacking tools through a subscription ...

A group of hackers that previously leaked alleged U.S. National Security Agency exploits claims to have even more attack tools in its possession and plans to release them in a new subscription-based service.

The group also has intelligence gathered by the NSA on foreign banks and ballistic missile programs, it said.

The Shadow Brokers was responsible for leaking EternalBlue, the Windows SMB exploit that was used by attackers in recent days to infect hundreds of thousands of computers around the world with the WannaCry ransomware program.


Android Apps Colluding to Steal Users' Info 2017-05-18

Many small apps getting together to steal your info...

The biggest security risks can come from some of the least capable apps. [...]

Something seemingly innocuous, like a torch app, could for instance leak a user’s geolocation data or contacts. [...]

“Of the apps we studied, we found thousands of pairs of apps that could potentially leak sensitive phone or personal information and allow unauthorized apps to gain access to privileged data,” said fellow co-author Professor Daphne Yao.


Chrome on Windows : Careful, It Might Leak Your Windows Password 2017-05-17

Chrome can leak your Windows password (applicable to all Windows versions, including Windows 10) :

Researcher Bosko Stankovic of DefenseCode has found that just by visiting a website containing a malicious SCF file could allow victims to unknowingly share their computer's login credentials with hackers via Chrome and the SMB protocol.

This article also offers a few steps you can take to lessen the problem :

Simply, block outbound SMB connections (TCP ports 139 and 445) from the local network to the WAN via firewalls, so that local computers can not query remote SMB servers.

Stankovic also advises users to consider disabling automatic downloads in Google Chrome by going to Settings → Show advanced settings → and then checking the "Ask where to save each file before downloading" option.
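
As an added example (not from the article or from DefenseCode), this is the check that goes with the firewall advice above: once outbound TCP 139/445 from the LAN to the WAN is blocked and logged, a script like this run over the firewall's log shows which internal hosts attempted an SMB connection to an outside address, which is exactly the behaviour the SCF trick relies on. The log lines are constructed in the netfilter LOG key=value style; the parser only needs the SRC, DST, PROTO and DPT fields, and "local" is defined as the RFC 1918 ranges.

```python
import ipaddress
import re

# Address space that counts as "the local network" for this check (RFC 1918).
LOCAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
SMB_PORTS = {139, 445}

# KEY=VALUE tokens as written by the netfilter LOG target (SRC=, DST=, PROTO=, DPT=, ...).
TOKEN_RE = re.compile(r"\b([A-Z]+)=(\S+)")


def parse_netfilter_line(line: str) -> dict:
    """Extract the KEY=VALUE fields from one firewall log line."""
    return dict(TOKEN_RE.findall(line))


def is_local(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in LOCAL_NETS)


def find_smb_egress(lines) -> list:
    """Return (src, dst, dport) for every TCP attempt from a local address to a non-local
    address on an SMB port: the traffic the egress rule is meant to stop."""
    hits = []
    for line in lines:
        fields = parse_netfilter_line(line)
        if fields.get("PROTO") != "TCP" or "SRC" not in fields or "DST" not in fields:
            continue
        try:
            dport = int(fields.get("DPT", "0"))
        except ValueError:
            continue
        if dport in SMB_PORTS and is_local(fields["SRC"]) and not is_local(fields["DST"]):
            hits.append((fields["SRC"], fields["DST"], dport))
    return hits


# Constructed log lines (no real system); 203.0.113.x / 198.51.100.x stand in for Internet hosts.
SAMPLE_LOG = [
    # workstation reaching a file server on the LAN: normal
    "May 17 09:12:01 gw kernel: FW: IN=eth1 OUT=eth1 SRC=192.168.1.23 DST=192.168.1.5 "
    "PROTO=TCP SPT=50122 DPT=445 SYN",
    # the same workstation trying port 445 on an outside host right after a download: the SCF pattern
    "May 17 09:12:04 gw kernel: FW: IN=eth1 OUT=eth0 SRC=192.168.1.23 DST=203.0.113.7 "
    "PROTO=TCP SPT=50130 DPT=445 SYN",
    # NetBIOS session attempt to an outside host from another subnet
    "May 17 09:12:05 gw kernel: FW: IN=eth1 OUT=eth0 SRC=10.0.0.9 DST=198.51.100.20 "
    "PROTO=TCP SPT=50131 DPT=139 SYN",
    # ordinary HTTPS: ignored
    "May 17 09:12:06 gw kernel: FW: IN=eth1 OUT=eth0 SRC=192.168.1.23 DST=203.0.113.7 "
    "PROTO=TCP SPT=50132 DPT=443 SYN",
    # UDP to 445 is not the SMB-over-TCP case the rule is about: ignored
    "May 17 09:12:07 gw kernel: FW: IN=eth1 OUT=eth0 SRC=192.168.1.23 DST=203.0.113.7 "
    "PROTO=UDP SPT=50133 DPT=445",
]

if __name__ == "__main__":
    for src, dst, port in find_smb_egress(SAMPLE_LOG):
        print(f"outbound SMB attempt: {src} -> {dst}:{port}")
```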


NSA's Leaked Tools Used in Worst-Ever Worldwide Ransomware Attacks 2017-05-12

Hackers are now using leaked NSA tools in worldwide ransomware attacks. Tens of thousands of "users" are affected, including UK hospitals. Terrible attacks. This article even states :

A ransomware virus is spreading aggressively around the globe, with over 75,000 computers in 99 countries having been targeted, according to the latest data. The virus infects computer files and then demands bitcoins to unblock them.

The NSA must be very proud to have created those weapons and left worldwide Windows users unprotected for all that time...

Hospitals across the UK have been hit by what appears to be a major, nationwide cyber-attack, resulting in the loss of phone lines and computers, with many hospitals going "dark" and some diverting all but emergency patients elsewhere. At some hospitals patients are being told not to come to A&E with all non-urgent operations cancelled, the BBC reports.

According to experts tracking and analyzing the worm and its spread, this could be one of the worst-ever recorded attacks of its kind. The security researcher who tweets and blogs as MalwareTech told The Intercept “I’ve never seen anything like this with ransomware," and "the last worm of this degree I can remember is Conficker.” Conficker was a notorious Windows worm first spotted in 2008; it went on to infect over nine million computers in nearly 200 countries. As The Intercept details,

Today’s WannaCry attack appears to use an NSA exploit codenamed ETERNALBLUE, a software weapon that would have allowed the spy agency’s hackers to break into any of millions of Windows computers by exploiting a flaw in how certain versions of Windows implemented a network protocol commonly used to share files and to print. Even though Microsoft fixed the ETERNALBLUE vulnerability in a March software update, the safety provided there relied on computer users keeping their systems current with the most recent updates. Clearly, as has always been the case, many people (including in governments) are not installing updates. Before, there would have been some solace in knowing that only enemies of the NSA would have to fear having ETERNALBLUE used against them – but from the moment the agency lost control of its own exploit last summer, there’s been no such assurance.

Today shows exactly what’s at stake when government hackers can’t keep their virtual weapons locked up.


HP Notebooks : Watch Out for that Keylogger 2017-05-12

A keylogger in an audio driver, how about that? Welcome to the wonderful world of HP Notebooks. For more details :

Any process that is running in the current user session, and is therefore able to monitor debug messages, can capture keystrokes made by the user. Processes are thus able to record sensitive data such as passwords without performing suspicious activities that may trigger AV vendor heuristics. Furthermore, any process running on the system by any user is able to access all keystrokes made by the user via file-system access. It is not known if log data is submitted to Conexant at any time, or why all key presses are logged anyway.


Wikileaks : More CIA Malware Against Windows 2017-05-12

For those still interested in running Windows : Wikileaks released information about two Windows malware frameworks, courtesy of the CIA.

"AfterMidnight" allows operators to dynamically load and execute malware payloads on a target machine. The main controller disguises itself as a self-persisting Windows Service DLL and provides secure execution of "Gremlins" via an HTTPS-based Listening Post (LP) system called "Octopus". Once installed on a target machine AM will call back to a configured LP on a configurable schedule, checking to see if there is a new plan for it to execute. If there is, it downloads and stores all needed components before loading all new gremlins in memory. "Gremlins" are small AM payloads that are meant to run hidden on the target and either subvert the functionality of targeted software, survey the target (including data exfiltration) or provide internal services for other gremlins. The special payload "AlphaGremlin" even has a custom script language which allows operators to schedule custom tasks to be executed on the target machine.

"Assassin" is a similar kind of malware; it is an automated implant that provides a simple collection platform on remote computers running the Microsoft Windows operating system. Once the tool is installed on the target, the implant is run within a Windows service process. "Assassin" (just like "AfterMidnight") will then periodically beacon to its configured listening post(s) to request tasking and deliver results. Communication occurs over one or more transport protocols as configured before or during deployment. The "Assassin" C2 (Command and Control) and LP (Listening Post) subsystems are referred to collectively as "The Gibson" and allow operators to perform specific tasks on an infected target.


Good News! : Update on the Jailed Aussie Story (in the US) 2017-05-11

Being refused entry to Canada and thus overstaying his US visa by 90 minutes cost him 2 weeks in jail... The good news is that he's now free.


Update : Windows Remote Control Bug : Yeah, It's Bad 2017-05-09

A follow-up to yesterday's teaser about the latest Windows Remote Control critical flaw. It's pretty bad. As they say, "with friends like that, who needs enemies?" :

Microsoft's own antivirus software made Windows 7, 8.1, RT and 10 computers, as well as Windows Server 2016 more vulnerable.

The reported RCE vulnerability, according to the duo, could work against default installations with "wormable" ability – capability to replicate itself on an infected computer and then spread to other PCs automatically.

But the best part is that a proof-of-concept exploit code is small enough to be "tweeted" :

Natalie Silvanovich also published a proof-of-concept (PoC) exploit code that fits in a single tweet.


Windows : Another Remote Control Bug? 2017-05-08

Apparently, Google researchers have found a "crazy bad" remote control bug in Windows. They won't tell us for now in the interest of giving Microsoft the chance to fix it.

Google Project Zero's security researchers have discovered another critical remote code execution (RCE) vulnerability in Microsoft’s Windows operating system, claiming that it is something truly bad.

It seems pretty juicy though, if we can trust the "trailer" :

Tavis Ormandy announced during the weekend that he and another Project Zero researcher Natalie Silvanovich discovered "the worst Windows remote code [execution vulnerability] in recent memory. This is crazy bad. Report on the way."


More Android Bugs, Affecting Even Recent Versions 2017-05-05

Please remember never to rely on a smartphone for anything secure :

Google has released its monthly security patches for Android this week, addressing 17 critical vulnerabilities, 6 of which affect the Android Mediaserver component and could be used to execute malicious code remotely. [...]

Interestingly, this vulnerability could be triggered while you sleep, as it’s not even necessary for you to open the file because as soon as your device receives the media file, the file system will cause Mediaserver to process it. [...]

The vulnerability was discovered in early January and affects Android versions 4.4.4 KitKat through 7.1.2 Nougat.

And it's also good to keep in mind that tech giant Google won't protect you (with security updates) for more than 3 years, even when you buy their own special devices :

It's also worth noting that Google revealed last week that the Nexus 6 and Nexus 9, which were released in November 2014, would no longer be "guaranteed" to receive security updates after October 2017.


Silently Tracking Smartphone Users With Ultrasonic Signals 2017-05-05

We should always make sure we don't give microphone permissions to apps that don't actually require them :

Your smartphone may have some apps that are continuously listening inaudible (sic), high-frequency ultrasonic sounds from your surroundings and they know where you go, what you like and dislike — all without your knowledge.

Ultrasonic Cross-Device Tracking is a new technology that some marketers and advertising companies are currently using to track users across multiple devices [...].


Links to Google Docs : Be Careful 2017-05-04

Be careful with those links to Google Docs :

If you get a Google Doc link in your inbox today, scrutinize it carefully before you click—even if it looks like it comes from someone you trust. A nasty phishing scam that impersonates a Google Docs request has swept the internet today, including a decent chunk of media companies. You’ve heard “think before you click” a million times, but it really could save you from a whole lot of hassle.


Man Facing Jail After Overstaying US Visa by 90 Minutes 2017-05-03

We've all heard about how little privacy we're allowed when entering the US. Now we see it goes beyond just searching and seizing digital devices. For this young man, a simple overstay of an hour and a half WHILE TRYING TO LEAVE the US will result in months of detention. He just wants to leave!

An Australian man has been arrested by US immigration officials for reportedly overstaying his visit to the country by 90 minutes after being denied entry into Canada. [...]

Following his arrest, Reid was imprisoned at Buffalo Federal Detention Center where he could be held for six months before being brought before a judge.

He was dumb to cut it that close with his visa, but it's clear there was no intent to overstay since he was trying to leave! But I can sort of understand he would be arrested for technically "breaking the law". What is completely outrageous is the six month detention period before he can see a judge. At the most, it should have taken no more than a few hours to get him before a judge who could see this was insane and send him back on his merry way to Australia.

Do yourself a favor and avoid the US as much as you can.


Intel Server Chipset PCs : Remote Management Can Be Hacked 2017-05-02

Intel server chipsets? Be careful not to get hacked :

A critical remote code execution (RCE) vulnerability has been discovered in the remote management features on computers shipped with Intel processors for nearly a decade, which could allow attackers to take control of the computers remotely.

The RCE flaw (CVE-2017-5689) resides in Intel's Management Engine (ME) technologies such as Active Management Technology (AMT), Small Business Technology (SBT), and Intel Standard Manageability (ISM), according to an advisory published Monday by Intel.

How many rented servers in data centers are affected by this vulnerability?

The only good news is that this vulnerability applies to something which is opt-in :

Fortunately, none of these Management Engine features come enabled by default, and system administrators must first enable the services on their local network. So, basically if you are using a computer with ME features enabled, you are at risk.


Bitcoin Mining : Backdoor on Bitmain Hardware 2017-04-26

If you use Bitmain's mining hardware, you might be interested to know that Bitmain installed a backdoor on it, a sort of kill-switch. Bitcoin researchers have identified that backdoor and suggested a fairly simple solution. For more details, you might want to read this page :

Antbleed is a backdoor introduced by Bitmain into the firmware of their bitcoin mining hardware Antminer.

The firmware checks in with a central service randomly every 1 to 11 minutes. Each check-in transmits the Antminer serial number, MAC address and IP address. Bitmain can use this check-in data to cross check against customer sales and delivery records making it personally identifiable. The remote service can then return "false" which will stop the miner from mining.

You can also learn more about this by reading Peter Todd's comments on this reddit page :

So Sergio and Slush both noticed that there's a remote code execution vulnerability in this backdoor. The backdoor has NO authentication, so any MITM attacker or DNS attacker can trigger it.

With remote code execution you can reflash the firmware on those miners, and once you do that you can permanently brick them. In fact, it's almost certain that you could permanently destroy the HW - I used to work as an electronics designer, and I did that by accident w/ bad firmware quite a few times.

So tl;dr: we have a backdoor that could permanently kill ~70% of the Bitcoin hashing power, and it can be triggered by anyone with MITM capability or the ability to change DNS records.


Nvidia on a Windows PC? : Careful! 2017-04-26

If you have "Nvidia's Geforce Experience software" installed on a Windows PC, listen up :

Geforce Experience has previously come under fire over privacy concerns, in-app advertising, mandatory social media logins, and a litany of other questionable practices. This time though, the implications are more serious.

As it happens, Geforce Experience introduces a massive vulnerability over its tens-of-millions of installed devices by running a badly secured node.js server on startup, renamed “NVIDIA Web Helper.exe.”

The server can be used to gain full access to the Windows API and bypass whitelisting, or deploy malware disguised as signed code [...]


Used a Payment Card at a Holiday Inn Lately? 2017-04-25

If you stayed at a Holiday Inn recently and used a payment card, you might want to watch your bank statements...

InterContinental Hotels Group (IHG) is notifying its customers that credit card numbers and other sensitive information may have been stolen after it found malware on payment card systems at 1,174 franchise hotels in the United States.

It's the second data breach that U.K.-based IHG, which owns Holiday Inn and Crowne Plaza, has disclosed this year. The multinational hotel conglomerate confirmed a credit card breach in February which affected 12 of its hotels and restaurants.

And more information about the hack in this article :

The infections were spotted on September 29, 2016 but the infections weren't cleared up until March 2017, and some hotels might still have a problem.


Linksys Routers Flaws : Routers Can Be Hijacked 2017-04-24

The flaws range from low to high severity and directly impact over 7,000 routers that have their web-based administrative interfaces exposed to the Internet. Countless more are vulnerable to attacks launched over local area networks from compromised computers, phones or other devices. http://www.csoonline.com/article/3191254/security/flaws-let-attackers-hijack-multiple-linksys-router-models.html


Bose Headphones : No Privacy? 2017-04-23

According to a recently launched lawsuit, Bose is monitoring its customers and selling the data ... :

If the accusations in a new lawsuit are true, premium headphone maker Bose could be using its Bose Connect mobile app to monitor what you listen to and then sell that data to third parties.


Leaked NSA Hacking Tools Already Being Used in the Wild 2017-04-22

Well, that didn't take long. The recently leaked hacking tools from our NSA overlords are already being used in the wild :

The NSA's Equation Group hacking tools, leaked last Friday by the Shadow Brokers, have now been used to infect thousands of Windows machines worldwide, we're told. [...]

"The polite term for what's happening is a bloodbath. The impolite version is dumpster fire clown shoes shit show," Tentler said. "I'm hopeful this is the wakeup moment for people over patching Windows machines." [...]

Amazon's AWS and Microsoft's Azure showed up on the top 100 most-infected domains as you'd expect as large hosts of customer virtual machines. Then there are systems at big names such as Ricoh in India, various universities, and machines on Comcast connections.


Microsoft Edge : Flaw Exposes User Identities 2017-04-21

For the poor folks stuck using Edge, please keep this in mind :

An independent researcher claims to have uncovered a security flaw in Microsoft Edge.

The issue enables any website to identify someone by their username from another website, according to Ariel Zelivansky. More specifically the bod alleges that Edge exposes the URL of any JavaScript Fetch response, in contradiction to the specification. This is a problem because it's possible to identify netizens by crafting a fetch() request in a webpage that will redirect to a URL containing the visitor's username e.g. requesting https://facebook.com/me will pull in https://facebook.com/username.


Magento Online Shop Owners : Be Careful! 2017-04-20

There's a security flaw in the Magento software which could allow attackers to execute code on your server. But Magento doesn't seem in a hurry to fix it.

An unpatched vulnerability in the Magento e-commerce platform could allow hackers to upload and execute malicious code on web servers that host online shops. [...]

The DefenseCode researchers claim that they've reported these issues to the Magento developers back in November, but received no information regarding patching plans since then.

Researchers have also found that hackers were hiding customers' payment information in product images (which could thus be seen by anybody). This allowed the hackers to gather information for a longer period of time without being detected.

The file in which the stolen payment card details were stored was actually a legitimate image depicting one of the products sold on the website.

The stolen data was appended at the end, after the image data, keeping the original image intact and viewable in a browser. This method is known as steganography and is even harder to detect than some other ways of hiding data.

"To obtain the stolen numbers, the attacker would not even have to maintain access to the site," Sucuri researcher Ben Martin said in a blog post. "The image was publicly accessible. All the attacker would need to do is download the image from the website just like any other and view its source code."


Wow! A Tricked URL You Think You Can Trust : But You Better Not! 2017-04-19

You think you did everything right? Before logging in to your account, you checked for the "https", you checked for the security green lock, you even checked every letter of the URL. You can still be tricked! There's a flaw in some versions of major browsers that allows hackers to use unicode URLs in a way that you can't easily detect.

Many Unicode characters, which represent alphabets like Greek, Cyrillic, and Armenian in internationalised domain names, look the same as Latin letters to the casual eye but are treated differently by computers with the completely different web address.

Try these two websites to test your setup : One, Two

The article also explains how you can protect yourself. In summary : you can change a setting in your browser or you can click for more details on the certificate associated with the URL link (to make sure it does belong to who you think it does).
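The distinction the article draws between what the eye sees and what the computer resolves can be checked programmatically before a link is followed or while reviewing proxy logs. The script below is an added example, not code from the article or from any browser vendor: it decodes any `xn--` (punycode) labels to the form a browser would display, classifies each character's script from its Unicode name, and flags a name either when one label mixes Latin with another script or when swapping a small, constructed table of known Cyrillic and Greek lookalikes turns the whole name into a plain ASCII name that differs from the real one. The lookalike table is deliberately partial; a production tool would load the full Unicode confusables data.

```python
import unicodedata
from string import ascii_letters, digits

# Constructed, partial table of Cyrillic and Greek letters that render like Latin
# letters in common fonts. This is an assumption for the example, not the full
# Unicode confusables.txt data set.
LOOKALIKES = {
    "\u0430": "a", "\u0441": "c", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0445": "x", "\u0443": "y", "\u0455": "s", "\u0456": "i", "\u0458": "j",
    "\u04bb": "h", "\u0501": "d", "\u051b": "q", "\u051d": "w", "\u04cf": "l",
    "\u03bf": "o", "\u03b1": "a", "\u03bd": "v", "\u03c1": "p", "\u03c5": "u",
}


def script_of(ch: str) -> str:
    """Rough script classification taken from the first word of the Unicode name."""
    if ch in ascii_letters:
        return "LATIN"
    if ch in digits or ch == "-":
        return "COMMON"  # legal in every label; ignored when checking for mixing
    return unicodedata.name(ch, "UNKNOWN").split()[0]


def to_unicode(host: str) -> str:
    """Decode xn-- labels so the name reads the way a browser would render it."""
    labels = []
    for label in host.lower().split("."):
        if label.startswith("xn--"):
            # Raw punycode decode; no IDNA mapping is applied here on purpose so
            # that characters outside the old IDNA2003 tables still decode.
            label = label[4:].encode("ascii").decode("punycode")
        labels.append(label)
    return ".".join(labels)


def analyze_hostname(host: str) -> dict:
    """Report scripts used, mixed-script labels and the ASCII name this one imitates."""
    uni = to_unicode(host)
    mixed_labels = []
    scripts = set()
    for label in uni.split("."):
        label_scripts = {script_of(c) for c in label} - {"COMMON"}
        scripts |= label_scripts
        # Latin plus anything else inside one label is the classic homograph shape.
        if "LATIN" in label_scripts and len(label_scripts) > 1:
            mixed_labels.append(label)
    skeleton = "".join(LOOKALIKES.get(c, c) for c in uni)
    non_latin = scripts - {"LATIN"}
    # Whole-script confusable: every non-Latin letter has a Latin twin, so the
    # name collapses to a pure-ASCII name that is not the one actually typed.
    lookalike = skeleton if non_latin and skeleton.isascii() and skeleton != uni else None
    return {
        "input": host,
        "unicode": uni,
        "scripts": sorted(scripts),
        "mixed_script_labels": mixed_labels,
        "lookalike": lookalike,
        "suspicious": bool(mixed_labels) or lookalike is not None,
    }


if __name__ == "__main__":
    # Constructed samples: the first two use Cyrillic letters in place of Latin ones.
    for name in ("\u0430\u0440\u0440l\u0435.com", "\u0441\u043e\u0441\u043e.com", "example.com"):
        report = analyze_hostname(name)
        print(report["input"], "->", report["unicode"], "| suspicious:", report["suspicious"],
              "| looks like:", report["lookalike"])
```

A genuine all-Cyrillic domain will also be reported as a whole-script confusable, so treat the output as a prompt for review rather than a verdict. For the browser-side setting the article alludes to, Firefox exposes `network.IDN_show_punycode` in about:config, which makes the address bar show the `xn--` form instead of the decoded letters.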


Using Smartphone Motion Sensors to Steal Your Passwords 2017-04-18

Most smartphones include many types of motion sensors. An app can use some of them even without asking for permission. When you type a PIN or password, you move the phone around slightly and that information can be used to guess your passwords, according to a recently released report from Newcastle University. The more often you type your password, the more likely motion sensor data will allow an accurate guess.

Try not to use your smartphone for anything serious (i.e. money!)


More VM Vulnerabilities 2017-04-17

Researchers have discovered a way to extract information from other VMs running on the same CPU. Cloud computing can be tempting but it can also be risky (depending on your threat model).

The results sound scarily impressive: a Black Hat Asia session detailing their work promised to peer into a host's cache and stream video from VM to VM.


NSA Spying on SWIFT 2017-04-16

Hackers have released proof that the NSA has been spying on the global financial network (SWIFT) for quite a while. Those hacks rely on Windows vulnerabilities. Now that those vulnerabilities have been made public, many more criminal groups are sure to try to use those techniques as well.

Hacking group Shadow Brokers has released a data dump allegedly stolen from the NSA that details the agency’s ability to hack international banks, as well as the SWIFT network, via Windows PCs and servers used in global financial transfers. [...]

It’s now feared that one of the world’s most secure methods of making payment orders has been irrevocably compromised with the NSA’s sophisticated arsenal of hacking tools now freely available online.

Apparently, those vulnerabilities are a really big deal, one might say "yuuuuuge" :

According to security researcher and hacker Matthew Hickey, co-founder of Hacker House, the significance of what’s now publicly available, including “zero day” attacks on previously undisclosed vulnerabilities, cannot be overstated: “I don’t think I have ever seen so much exploits and 0day [exploits] released at one time in my entire life,” he told The Intercept via Twitter DM, “and I have been involved in computer hacking and security for 20 years.” Affected computers will remain vulnerable until Microsoft releases patches for the zero-day vulnerabilities and, more crucially, until their owners then apply those patches.

For more information, you can also read this article.


Spotting a Hacked ATM 2017-04-15

Would you be able to spot an ATM that has been modified to "skim" your card info?

Once you understand how easy and common it is for thieves to attach “skimming” devices to ATMs and other machines that accept debit and credit cards, it’s difficult not to closely inspect and even tug on the machines before using them. Several readers who are in the habit of doing just that recently shared images of skimmers they discovered after gently pulling on various parts of a cash machine they were about to use.

Read the rest of that article here.


The Trick to Getting People to Care about Computer Security? 2017-04-14

Bitcoins are not like your other online accounts. If someone gets access to your online bank account and steals money from you, you have a shot at convincing the bank to give you your money back. If you lose your bitcoins? Well, unless a miracle happens, those bitcoins are gone.

Bitcoin is slowly, but surely, training a whole new group of people how to do information security properly.


Why Bitcoin? For Stability. 2017-04-14

Bitcoin has become so popular that transaction fees are going up. Some see this as a problem. But as Andreas Antonopoulos (author of the book "Mastering Bitcoin") said, you need to have scale before you can have scaling problems.

Some think that unless Bitcoin changes quickly to adapt, it will become extinct. That's a bit like saying "nobody goes there anymore, it's too crowded".

There are many proposals going around but they are all stuck for now because Bitcoin requires consensus before any change can take root. That's a feature, not a bug.

Some competing projects want to change the software completely and keep calling it Bitcoin. Luckily, those projects are obviously going nowhere fast.

Bitcoin Core developers have a scaling proposal called "SegWit". It's largely accepted by the Bitcoin community except by the majority of miners who block it. Right now, most of the mining is controlled or influenced by one man (who is probably simply a straw man for other groups). But even though that's less than ideal (to say the least), the current situation shows that it's not as much of a problem as we feared. It will be dealt with eventually, all in good time, when it is safe to do so or if it ever becomes more of a problem.

Others have proposed forcing the upgrade to SegWit (that proposal is called BIP 148 UASF). It would be a 'user-activated soft-fork', meaning it would come online because Bitcoin users overwhelmingly demand it. However, this proposal also carries risk.

Bitcoin works right now. It's stable and secure. The transaction fees are higher than they were, but that's about it. We can thank the level-headed Bitcoin developers for this level of stability. Here's a recent post by Gregory Maxwell, Bitcoin Core developer. I'm quoting it here in its entirety because I feel that every word is important (but I do put some text in "bold") :

I do not support the BIP 148 UASF
Gregory Maxwell greg at xiph.org
Fri Apr 14 07:56:31 UTC 2017

I do not support the BIP148 UASF for some of the same reasons that I do support segwit: Bitcoin is valuable in part because it has high security and stability, segwit was carefully designed to support and amplify that engineering integrity that people can count on now and into the future.

I do not feel the approach proposed in BIP148 really measures up to the standard set by segwit itself, or the existing best practices in protocol development in this community.

The primary flaw in BIP148 is that by forcing the activation of the existing (non-UASF segwit) nodes it almost guarantees at a minor level of disruption.

Segwit was carefully engineered so that older unmodified miners could continue operating completely without interruption after segwit activates.

Older nodes will not include segwit spends, and so their blocks will not be invalid even if they do not have segwit support. They can upgrade to it on their own schedule. The only risk non-participating miners take after segwit activation is that if someone else mines an invalid block they would extend it, a risk many miners already frequently take with spy-mining.

I do not think it is a horrible proposal: it is better engineered than many things that many altcoins do, but just not up to our normal standards. I respect the motivations of the authors of BIP 148. If your goal is the fastest possible segwit activation then it is very useful to exploit the >80% of existing nodes that already support the original version of segwit.

But the fastest support should not be our goal, as a community-- there is always some reckless altcoin or centralized system that can support something faster than we can-- trying to match that would only erode our distinguishing value in being well engineered and stable.

"First do no harm." We should use the least disruptive mechanisms available, and the BIP148 proposal does not meet that test. To hear some people-- non-developers on reddit and such-- a few even see the forced orphaning of 148 as a virtue, that it's punitive for misbehaving miners. I could not disagree with that perspective any more strongly.

Of course, I do not oppose the general concept of a UASF but generally a soft-fork (of any kind) does not need to risk disruption of mining, just as segwit's activation does not. UASF are the original kind of soft-fork and were the only kind of fork practiced by Satoshi. P2SH was activated based on a date, and all prior ones were based on times or heights. We introduced miner based activation as part of a process of making Bitcoin more stable in the common case where the ecosystem is all in harmony. It's kind of weird to see UASF portrayed as something new.

It's important the users not be at the mercy of any one part of the ecosystem to the extent that we can avoid it-- be it developers, exchanges, chat forums, or mining hardware makers. Ultimately the rules of Bitcoin work because they're enforced by the users collectively-- that is what makes Bitcoin Bitcoin, it's what makes it something people can count on: the rules aren't easy to just change.

There have been some other UASF proposals that avoid the forced disruption-- by just defining a new witness bit and allowing non-upgraded-to-uasf miners and nodes to continue as non-upgraded, I think they are vastly superior. They would be slower to deploy, but I do not think that is a flaw.

We should have patience. Bitcoin is a system that should last for all ages and power mankind for a long time-- ten years from now a couple years of dispute will seem like nothing. But the reputation we earn for stability and integrity, for being a system of money people can count on will mean everything.

If these discussions come up, they'll come up in the form of reminding people that Bitcoin isn't easily changed at a whim, even when the whims are obviously good, and how that protects it from being managed like all the competing systems of money that the world used to use were managed. :)

So have patience, don't take short cuts. Segwit is a good improvement and we should respect it by knowing that it's good enough to wait for, and for however its activated to be done the best way we know how.


Microsoft Word : Careful with those Word Files 2017-04-13

Another day, another Microsoft hack. Be careful with those Word files :

Security researchers are warning of a new in-the-wild attack that silently installs malware on fully-patched computers by exploiting a serious — and yet unpatched — zero-day vulnerability in all current versions of Microsoft Office.

The Microsoft Office zero-day attack, uncovered by researchers from security firms McAfee and FireEye, starts simply with an email that attaches a malicious Word file containing a booby-trapped OLE2link object.


IT Suppliers = Security Hole 2017-04-13

Even if you do everything right, are you sure all your IT suppliers are doing everything right? There's the problem with giving IT suppliers access to your network or access to your data. Now we learn Chinese hackers are going after IT suppliers (and I'm sure it's not just the Chinese) :

Companies that choose to outsource their IT operations should be careful. Suspected Chinese hackers have been hitting businesses by breaching their third-party IT service providers.

Major IT suppliers that specialize in cloud storage, help desk, and application management have become a top target for the hacking group known as APT10, security providers BAE Systems and PwC said in a joint report.

That's one of the problems with "cloud" computing. Seen from the security angle, the saying "the cloud is just someone else's computer" is especially true.

But it's not just IT suppliers. Do you remember the Target hack back in 2014? The hackers actually used one of Target's HVAC (heating, ventilation and air conditioning) contractor's credentials! Target had given a HVAC contractor access to their network... How many people have access to your data?

Last week, Target told reporters at The Wall Street Journal and Reuters that the initial intrusion into its systems was traced back to network credentials that were stolen from a third party vendor.

Sources close to the investigation said the attackers first broke into the retailer’s network on Nov. 15, 2013 using network credentials stolen from Fazio Mechanical Services, a Sharpsburg, Penn.-based provider of refrigeration and HVAC systems.


Chinese Bitcoin Exchanges Forced to Require ID 2017-04-12

It seems the Chinese government has decided to force Bitcoin exchanges in China to require ID verification from their users. Governments are trying to make it more difficult to bridge the divide between the "fiat world" (dollars, euros, etc) and the Bitcoin world. However, the more governments crack down on the Bitcoin<->Fiat bridge, the more people will simply decide to avoid fiat altogether. If you earn Bitcoin and spend in Bitcoin, you don't need these exchanges (except for "trading", if you want to speculate).

Popular exchange OKCoin has announced more stringent anti-money laundering (AML) procedures for its customers worldwide. The new measures are part of several stricter new identification conditions at China-based exchanges, mandated by the national government.


Closed Source Software? : Police Hacked Over 3 Million Encrypted Emails 2017-04-12

Criminals relying on the closed source software on their Blackberry phones got a brutal wake-up call. Dutch police hacked over 3 million encrypted emails (7 terabytes of data). The software on those Blackberries had been modified to use PGP, but it was done in such a way that the keys were left vulnerable (not PGP's fault):

They found the Blackberries were modified so they could only communicate with other Ennetcom modified phones, leading to a probe into the company’s operations. This yielded a very important detail about the encrypted emails: they all passed through Ennetcom’s network, which employed the Blackberry Enterprise Server middleware, as well as the BIS network. These services generate the initial encryption key when adding devices to their Enterprise Mobility Management system, effectively providing a mirror of the integrated Blackberrys’ local, secure PGP keystores.

PGP encryption is like Bitcoin : who has the "keys"? Your keys, your encryption. Not your keys, not your encryption.


What the CIA Thinks of You 2017-04-11

With the leaks about Vault7, we learned what the CIA thinks of us privacy and security-desiring folks :

Comodo's user base, paranoid bastards that they are, has apparently caught wind of this and lots of them haven't upgraded to 6.X. Kind of a shame, cuz [sic] this is a hole you could drive a very large wheeled freight carrying vehicle through. However, if you're lucky enough to be going against a target running 6.X, have fun!

With all the power they have, you'd think they would remember the phrase "With great power comes great responsibility". You'd think they would want to help their citizens be better protected against hackers by warning Comodo about that vulnerability. But they prefer to just laugh at their own citizens.


Privacy : More Users Protecting Themselves by Using Tor 2017-04-11

Now that Trump has essentially allowed ISPs (internet service providers) to sell their customers' private data (browsing habits), users have started taking things into their own hands and are trying to protect themselves by using Tor :

Ever since congressional action started a few weeks ago to roll back privacy regulations governing ISPs, Gerchow says has seen a dramatic increase in the use of Tor for accessing his company's services, meaning security analysts have to check out whether the encrypted, anonymized traffic coming through Tor is from a legitimate user. [...]

Tor sessions used to crop up once a week or so, but now they roll in as often as 15 times a day, [...]

Gerchow says that so far every Tor login session Sumo Logic has come across proved to be a legitimate user who has taken to using the browser on their own initiative to prevent ISPs from selling browsing history to marketers so they can direct ads at them. “People are just trying to protect themselves,” he says.


Better Update in the Coming Weeks 2017-04-10

It's always best to update your system as often as possible but it will be especially important in the coming weeks. A hacker group has made public the password to decrypt files related to some of the NSA's hacking tools. Those will probably get picked up by hackers in the coming days. Hopefully, you're running open source software (you are, aren't you?) and will get security updates soon.

Since then, the Shadow Broker group, whose origin and identity still remains a mystery, disappeared from the radar only to emerge today, when in an article posted on Medium, the group wrote an op-ed, much of it in broken English, in which it slammed Donald Trump's betrayal of his core "base", and the recent attack on Syria, urging Trump to revert to his original promises and not be swept away by globalist and MIC interests, but far more importantly, released the password which grants access to what Edward Snowden moments ago called the NSA's "Top Secret arsenal of digital weapons."


Bitcoin as Digital Gold 2017-04-09

There's a battle going on as to what Bitcoin really is. Is it just a new payment system or is it something much more radical : a secure and decentralized new asset class. Proponents of the latter theory believe that Bitcoin is actually like a kind of Digital Gold. Bitcoin is just software so it can morph at any time given enough user acceptance so the future will tell what Bitcoin will become. But at this stage, Bitcoin really does seem to be more like Digital Gold. An uncensorable, permission-less, decentralized currency. The US Federal Reserve (the US Central Bank, unlovingly referred to as the "Fed") can debase the US Dollar as much as it likes, but it can't debase Bitcoin. If governments can't just "print money", what will that mean for the way our society is currently organized and controlled? We live in interesting times.

Here's the best summary I've read so far about the distinction between Bitcoin as payment system vs Bitcoin as Digital Gold.

THIS is the true foundation of Bitcoin’s value. There are thousands of ways to create decentralized and anonymous payment layers on top of Bitcoin’s security model. When you stop to consider what will truly make Bitcoin king of Crypto, never forget that VISA has fast, cheap payments with a market cap of $207 Billion, Gold is expensive, slow and inconvenient with a market cap of over $7 Trillion. Security and decentralization are far more valuable to the market than fast, cheap payments.


Thanks Scottrade! : Bank Data Left Un-Encrypted in the Cloud 2017-04-07

A researcher was searching for random phrases on amazon cloud services and found this :

... a MSSQL database containing sensitive information on at least 20,000 customers that was inadvertently left exposed to the public.

I might forget a human mistake for accidentally exposing that info. But no encryption? :

The exposed database had no encryption and included 48,000 lessee credit profile rows and 11,000 guarantor rows, Vickery explained. Each row contained information such as Social Security Numbers, names, addresses, phone numbers, and other information that one would expect a bank to possess.

In addition, Vickery says the database also contained internal information, such as plain text passwords and employee credentials used for API access to third-party credit report websites.

But it's not the first time it happens to that group :

In 2015, Scottrade Inc. – another wholly owned subsidiary of Scottrade Financial Services, Inc. – alerted 4.6 million customers about a data breach impacting their personal information. Scottrade Inc. learned about the data breach after being contacted by the FBI.


Privacy? Not For Windows 10 Serfs 2017-04-07

Microsoft has upgraded its privacy-related efforts!!! Yay! Now they've compiled the list of "basic" info they'll collect on you. But it's pretty long, you know : after pressing "page-down" one hundred times (really) on that list, I still wasn't done so I gave up. But, please take some time from your busy day and go master that list. After all, whether you read it or not, Microsoft will have gotten your "consent" ...

Of course, that's just the Basic setting (you know, the setting for us "tinfoil" privacy-desiring freaks). For all the other Microsoft Kool-Aid drinkers, there's the "Full" setting! Oh, I like the sound of that!!! Gotta have me some full stuff. Get me that full one, baby!

This is some seriously messed-up stuff...


Better Turn Off that WiFi : Poisoned Wifi Signals 2017-04-07

Just being in the range of malicious wifi signals is enough to get hacked now. Android phones and un-patched iPhones are vulnerable :

Vulnerabilities in the Broadcom system-on-a-chip that provides wifi for many Android devices mean that simply lighting up a malicious wifi access point can allow an attacker to compromise every vulnerable device in range, without the users having to take any action -- they don't have to try to connect to the malicious network.

iPhones are also vulnerable to the attack, but Apple issued a patch for them on Monday.

We have to at least turn off the wifi, but even that may not be enough :

At the moment, it's not clear if there are effective workarounds available for vulnerable devices. Turning off Wi-Fi is one possibility, but as revealed in recent research into an unrelated Wi-Fi-related weakness involving Android phones, devices often relay Wi-Fi frames even when Wi-Fi is turned off. This post will be updated if word of a better workaround emerges.

I guess we at least also have to make sure "location" settings don't include wifi :

The researchers said the probes advertising that hardware-connected MAC addresses can be made even when Wi-Fi is turned off, for instance, when Wi-Fi-based location settings are enabled.


More Critical Flaws in the Cloud : Xen Hypervisor Flaws 2017-04-07

One more example that virtual machines can't be considered safe for applications where security is important :

A critical vulnerability in the widely used Xen hypervisor allows attackers to break out of a guest operating system running inside a virtual machine and access the host system's entire memory.

But, at this point, it may not matter much. We already know that security on any Intel computer is pretty much a pipe dream : Intel x86s hide another CPU that can take over your machine (you can't audit it)

It can't really be avoided at this point : we have to "airgap", at the very least. Or... go back to paper? :

In the wake of the US surveillance scandal revealed by the US whistleblower Edward Snowden, Russia is planning to adopt a foolproof means of avoiding global electronic snooping: by reverting to paper.

The Federal Guard Service (FSO), a powerful body tasked with protecting Russia's highest-ranking officials, has recently put in an order for 20 Triumph Adler typewriters, the Izvestiya newspaper reported.


Canadian Police Using Cellphone Trackers : Who Else Does? 2017-04-06

Seen in the news today : the RCMP (Canadian police) also uses stingrays. The fact that this is news is really news to me... But it makes you wonder how many other people are using those cellphone trackers.

But on Wednesday, after shrouding their own use of the technology in secrecy for years, the RCMP took the unprecedented step of speaking publicly about the devices — also known as Stingrays or Mobile Device Identifiers (MDIs) — to address public concern amidst mounting questions about their use.

But, not to worry, I'm sure the police always follow the law, right? Oh, wait :

Adam conceded that until two months ago the RCMP itself failed to get express approval to use MDIs from Innovation, Science and Economic Development Canada (ISED, formerly Industry Canada), the government body responsible for regulating technology that might interfere with wireless communications.

But it probably requires a warrant, right? Oh, wait :

Otherwise, he said police have almost always sought a warrant, though he noted a few exceptions.

But the best part must be their dedication to absolute transparency about the whole thing :

"We're not averse to reporting, to a degree, on the number of times this technology is used, but there is as of yet no requirement to do so," Adam said.


More Smart TV Bugs 2017-04-05

That Smart TVs are not great for privacy is pretty much common knowledge by now but still, there it is : Samsung Smart TVs are full of critical bugs.

Almost every Samsung Smart TV set sold in the past two years is vulnerable to hackers, according to independent Israeli security researcher Amihai Neiderman.

Samsung relied on its own "Tizen" operating system for those TVs and not many researchers had really bothered to look for flaws until now.

"I decided to start and research Tizen because it seems that nobody was doing it," Neiderman said.

The thing is, Samsung is reportedly planning to use Tizen in even more upcoming products. It seems Samsung is planning on keeping this Humble Writer quite busy in the years to come!


Buying Bitcoins in Preparation for Ransomware? 2017-04-04

If faced with ransomware, should you pay the ransom? Tough question. Many do pay up, for example :

Cyber attackers held an Austrian hotel network for ransom. The criminals demanded $1,800 in Bitcoin to unlock the network while preventing guests from checking in and out of the hotel and locking them out of their guest rooms. The hotel paid up.

Apparently, this has become more common thanks to Bitcoin :

“It wasn’t until the advent of Bitcoin in our society that ransomware was able to take off,” Young said. “Because now, as an attacker, I can anonymously monetize my target.”

But should you pay up? The NoMoreRansom.org Project says no. But if you do decide to pay up, it might be useful to have some bitcoins on hand :

If you think there's a chance that your company will be hit and that you might have to pay a ransom, it might make sense to set up your Bitcoin account ahead of time and go through the exchange's authentication system, and maybe even buy some Bitcoins to keep in reserve.

This is particularly important for companies that don't have an emergency procurement process, said Barak.

"In some enterprises, if they get hit by ransomware and want to buy Bitcoin, it can take a while to go through procurement," he said. "In some organizations, that can take days, maybe even more."

There are many more options for buying Bitcoin than those recommended in that article. However, https://Localbitcoins.com, Bitcoin ATMs and https://bitsquare.io can all be pretty good choices, depending on where you're located.


The Risks of Biometric Security 2017-04-03

Once again, we see that biometric security doesn't work. This time it's Samsung's turn to show us.

But how some people can feel comfortable having their finger, eye or face be their password, I'll never understand. I really don't like the idea that the only thing standing between a thief and my money is a part of my body... Call me crazy. But even if you put those concerns aside, you still have other problems :

  • How can you "change" your biometrics (like you would a password) if they get compromised?
  • How can you be sure that no third party will ever get their hands on that data and use it to track you in other ways?
  • Legal protections against self-incrimination may not extend to biometrics : the legal system may not treat a part of your body as deserving the same protection as a piece of information that exists only in your head.

More quotes on the topic :

When biometric security is implemented properly, it adds another layer of security. My fingerprint failed at my kids’ daycare, and the computer did not ask me for “something I knew” or “something I have” to allow me entry, it locked me out with no other alternative. Luckily, at daycare, someone is always there when I need to log into the computer and pick up my kids. - Digicert.com

Without explicit safeguards, your personal biometric data are destined for a government database. - Scientific American

However, there are two important reasons why biometrics won't work, and why the old-fashioned password is still a better option: a person's biometrics can't be kept secret and they can't be revoked. - UsaToday.com

As Ars has reported before, under the Fifth Amendment, defendants cannot generally be compelled to provide self-incriminating testimony (“what you know”). But giving a fingerprint (“what you are”) for the purposes of identification or matching to an unknown fingerprint found at a crime scene has been allowed. It wasn’t until relatively recently, after all, that fingerprints could be used to unlock a smartphone. The crux of the legal theory here is that a compelled fingerprint isn’t testimonial, it’s simply a compelled production—like being forced to hand over a key to a safe. - ArsTechnica.com


April Fools : Russia's New Voicemail 2017-04-01

Russia decided to have some fun for April Fools : new voicemail options for Russian embassies :

"You have reached the Russian embassy, your call is very important to us. To arrange a call from a Russian diplomat to your political opponent, press 1. To use the services of Russian hackers press 2. To request election interference, press 3 and wait until the next election campaign. Please note that all calls are recorded for quality improvement and training purposes."


One More Spying Agency 2017-03-31

Yay! Moooaar spying! Ever heard of the NGA (National Geospatial-Intelligence Agency)?

The NGA is to pictures what the NSA is to voices. Its principal function is to analyze the billions of images and miles of video captured by drones in the Middle East and spy satellites circling the globe. But because it has largely kept its ultra-high-resolution cameras pointed away from the United States, according to a variety of studies, the agency has never been involved in domestic spy scandals like its two far more famous siblings, the CIA and the NSA. However, there’s reason to believe that this will change under President Donald Trump.


LastPass : More Vulnerabilities 2017-03-30

I understand that it's tempting to have a password manager manage all your passwords but... please don't. It makes for such a big target. Here's more info on the latest LastPass vulnerabilities :

For the second time in two weeks developers of the popular LastPass password manager are working to fix a serious vulnerability that could allow malicious websites to steal user passwords or infect computers with malware.


Symantec SSL Certificates Vulnerable 2017-03-29

Apparently, API flaws are to blame :

If you purchased a Symantec certificate (or a cert from any of their associated subsidiaries and partners) through a third party, from at least as far back as early 2013 until recently; their third party certificate generation, management, and retrieval API allowed those certificates... including in some cases private keys generated by third parties... to be retrieved without proper authentication, or in some cases any authentication at all.


Bitcoin : Under Attack But Many Rise Up to Defend It. 2017-03-28

Bitcoin is under sustained attack from the "Bitcoin Unlimited" project but, luckily, many are rising up to defend Bitcoin. Yesterday, Francis Pouliot of the Bitcoin Embassy (Canada) published a very clear statement against controversial Bitcoin hard forks, also proposing how to go about hard forks in the future, if one is ever needed. Many important players in the Canadian Bitcoin space also signed the statement.


Gift Cards : Are You Sure You Still Have Money Left on Your Card? 2017-03-25

Hackers are testing gift card account numbers by the millions looking for balances and then draining them... :

Hackers are using a bot, dubbed GiftGhostBot, to test a list of potential gift card account numbers at a rate of 1.7 million gift card numbers per hour. It is believed that once they correctly identify gift card numbers, they are draining balances for resale on the dark web. On one retail customer site, there have been peaks of over 4 million requests per hour, nearly 10 times their normal level of traffic.
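As an added example (not from the original post or the article it quotes), here is detection logic a site operator could run over balance-check access logs : it flags a minute when lookup volume reaches the article's roughly 10x-normal level, when one source checks an implausible number of cards, or when almost every lookup fails, which is what guessing card numbers looks like from the server side. The endpoint path, thresholds, log format and sample log lines are all assumptions constructed for the example.

```python
"""Detect gift-card balance enumeration in web access logs (added example)."""
from collections import Counter, defaultdict
from datetime import datetime

BALANCE_PATH = "/giftcard/balance"  # hypothetical balance-check endpoint
BASELINE_PER_MINUTE = 20            # assumed normal lookups per minute
SPIKE_FACTOR = 10                   # the article reports peaks ~10x normal traffic
MIN_LOOKUPS_PER_SOURCE = 50         # a real shopper never checks 50 cards a minute
MAX_FAILURE_RATIO = 0.9             # guessed numbers mostly hit non-existent cards


def parse_line(line):
    """Parse a constructed 'ISO-timestamp ip path status' line."""
    ts, ip, path, status = line.split()
    minute = datetime.fromisoformat(ts).strftime("%Y-%m-%dT%H:%M")
    return minute, ip, path, int(status)


def detect_enumeration(lines):
    """Return [(minute, [reasons])] for minutes that look like card enumeration."""
    per_minute = Counter()               # minute -> lookups
    per_source = defaultdict(Counter)    # minute -> ip -> lookups
    failures = Counter()                 # minute -> lookups that found no card
    for line in lines:
        minute, ip, path, status = parse_line(line)
        if path != BALANCE_PATH:
            continue
        per_minute[minute] += 1
        per_source[minute][ip] += 1
        if status == 404:                # assumed: 404 means "no such card"
            failures[minute] += 1
    findings = []
    for minute, total in sorted(per_minute.items()):
        reasons = []
        if total >= SPIKE_FACTOR * BASELINE_PER_MINUTE:
            reasons.append(f"volume {total} >= {SPIKE_FACTOR}x baseline")
        noisy = sorted(ip for ip, n in per_source[minute].items()
                       if n >= MIN_LOOKUPS_PER_SOURCE)
        if noisy:
            reasons.append(f"sources with >= {MIN_LOOKUPS_PER_SOURCE} lookups: {noisy}")
        if failures[minute] / total >= MAX_FAILURE_RATIO:
            reasons.append(f"failure ratio {failures[minute] / total:.2f}")
        if reasons:
            findings.append((minute, reasons))
    return findings


def constructed_log():
    """Build a constructed log: one quiet minute, then one enumeration burst."""
    lines = []
    for i in range(15):   # ordinary shoppers, one valid card each
        lines.append(f"2017-03-24T10:00:{i:02d} 203.0.113.{i + 1} {BALANCE_PATH} 200")
    for i in range(240):  # burst: three sources guessing numbers, almost all miss
        ip = f"198.51.100.{i % 3 + 1}"
        status = 200 if i % 40 == 0 else 404
        lines.append(f"2017-03-24T10:01:{i % 60:02d} {ip} {BALANCE_PATH} {status}")
    lines.append("2017-03-24T10:01:30 203.0.113.77 /checkout 200")  # unrelated traffic
    return lines


if __name__ == "__main__":
    for minute, reasons in detect_enumeration(constructed_log()):
        print(minute, "->", "; ".join(reasons))
```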


"Double Agent" : Hijacking All Windows Versions, for 15 Years? 2017-03-24

Another Windows critical vulnerability. This one allows attackers to gain full control of your computer. Apparently, this flaw can't be patched. Is that a "bug" or ... a feature for Microsoft's enablers?

"DoubleAgent gives the attacker the ability to inject any DLL into any process. The code injection occurs extremely early during the victim’s process boot, giving the attacker full control over the process and no way for the process to protect itself."

[...] What's worse? DoubleAgent exploits a 15-year-old undocumented legitimate feature of Windows called "Application Verifier," which cannot be patched.


Wikileaks : CIA Bugs "Factory Fresh" Macs and iPhones 2017-03-23

Today, Wikileaks released a fresh batch of documents concerning the CIA. Apparently, for years, the CIA has been bugging “factory fresh” Macs and iPhones through suppliers.

These documents explain the techniques used by the CIA to gain 'persistence' on Apple Mac devices, including Macs and iPhones, and demonstrate their use of EFI/UEFI and firmware malware.


U.S. : You Forgot Your Decryption Password? Unlimited Jail Time for You! 2017-03-22

Well, that escalated quickly... No more Fifth Amendment in the US. You can now be held in contempt of court and jailed forever if you refuse to decrypt your laptop. Welcome to 21st century America. Trade accordingly. For all non-Americans : it might also be a good time to revise your travel plans...

And the link to the actual ruling for those with a strong stomach.


A Judge Orders Google : Tell Us Who Searched for this Name 2017-03-21

Google has been ordered to release personal information about anyone who searched for a certain name :

The warrant, signed by Hennepin County Senior Judge Gary Larson, demands Google disclose any and all information on any person who searched the victim’s name from December 1st, 2016, to January 7th, 2017. According to the warrant:

“The user/subscriber information [is] to include, but not limited to: name(s), address(es), telephone number(s), date(s) of birth, social security numbers, email addresses, payment information, account information, IP addresses, and MAC addresses of the person(s) who requested/completed the search.”


Telnet into a Cisco Network Switch and Become Root 2017-03-21

The recent Wikileaks revelations about the CIA have allowed us to learn about a critical vulnerability in Cisco Network Switches. Telnet is all you need to exploit that 0-Day.

This exploitation could allow the attacker to remotely execute malicious code and obtain full control of the affected device or cause a reload of the affected device.


Intel's SGX Is Vulnerable 2017-03-16

Researchers have demonstrated that Intel's SGX is simply not secure. But... we already knew that SGX isn't great.

Using SGX to Conceal Cache Attacks [...] Our attack is the first malware running on real SGX hardware, abusing SGX protection features to conceal itself. https://www.schneier.com/blog/archives/2017/03/using_intels_sg.html


WhatsApp and Telegram Hacked 2017-03-16

Have you been using the WhatsApp or Telegram browser apps? Did you click on any pictures? You might want to make sure you weren't hacked.


Competing Bitcoin Project's Vulnerability 2017-03-15

Unless you follow Bitcoin news closely, you have probably never heard of the "Bitcoin Unlimited" project. It's a competing project to the main Bitcoin project : "Bitcoin Core". While Bitcoin Core's code is well reviewed and carefully screened for vulnerabilities, Bitcoin Unlimited doesn't seem to think that's really necessary... They paid the price yesterday when half the Bitcoin Unlimited nodes went down following an attack. As Peter Todd of the Bitcoin Core project tweets :

Looks like this remote crash DoS has been in Bitcoin Unlimited for almost a year, and probably longer

Luckily, so far the vast majority of the Bitcoin ecosystem understands and values the work done by the Bitcoin Core development team so there's no immediate threat from Bitcoin Unlimited's attempts at taking over the Bitcoin project.


Pre-Installed Malware Found On Smartphones 2017-03-10

One might be tempted to think that the best way to get a secure smartphone is to buy one brand-new. And yet, one might be wrong. The supply chain is long and you can't control every single person who touched your phone before you bought it. Here we learn about pre-installed malware on 36 high-end smartphones.


Secure Messaging App 'Confide' Found Vulnerable 2017-03-09

Another example of the risks of trusting privacy-protecting "apps". Many critical flaws were identified by researchers in the messaging app 'Confide'.


Factory Robots : Hackable? 2017-03-08

The next level of security risks seems just around the corner :

Researchers at IOActive Labs released a report Wednesday warning that consumer, industrial and service robots in use today have serious security vulnerabilities making them easy targets for hackers or accidental breaches.


Wikileaks Releases "The Goods" on the CIA 2017-03-07

This is "yuuuuge". We always suspected it but now the "Vault 7" leaks from Wikileaks (released today) show that the CIA can hack pretty much everything including Android, iPhones, Samsung Smart TVs, etc. Even privacy-protecting apps such as Telegram, Signal and WhatsApp are simply bypassed : the information is gathered BEFORE encryption is applied, so even if the app does its job, it's already too late. A fascinating read.


Keeping Zimbabwe Afloat with Off the Books Cash Transactions 2017-03-07

It's interesting to note that "peer-to-peer", off-the-books cash transactions are keeping Zimbabwe afloat; you know, "cash" transactions, the same "cash" that governments want to get rid of with their "war on cash".

But governments are right about this. How can they allow cash and still impose their negative interest rates and bank bail-ins? /sarcasm


How Old is the Kernel in your Router? 2017-03-07

How often do you update the firmware on your router? And even if you really keep up to date, how old is the kernel in the "latest" firmware image available for your router? Here's an article detailing some of the risks of older kernels : "The working dead: The security risks of outdated Linux kernels" (Like a plague of the undead, there are devices everywhere powered by versions of the Linux kernel that should have been long since retired)


Oh, the Irony : Even Spammers Have Trouble Keeping their Information Private 2017-03-06

Spammer's Entire Operation Exposed : Database of 1.4 Billion Records leaked from World’s Biggest Spam Networks


Hacked Gmail and Yahoo Accounts on Sale ... 2017-03-06

Once again : you might want to make sure you change your passwords once in a while and also never reuse them. Hacker Selling Over 1 Million Decrypted Gmail and Yahoo Passwords On Dark Web


Data Breaches Soared 40% in 2016 (US) 2017-03-03

For 2016, the main cause of data breaches was still hacking/skimming/phishing attacks, including CEO spear-phishing attacks. Here's a personal account of a data breach (well-known blogger) : http://wolfstreet.com/2017/03/03/none-of-my-data-is-safe-but-i-did-something-that-helps-credit-freeze/


US ISPs Will Be Allowed to Sell your Private Data 2017-03-02

Unless you take steps to protect your privacy online, your ISP knows pretty much everything you do online. Now, they'll be allowed to use that information to make money. Warm and fuzzy feeling ensues. http://thehackernews.com/2017/03/fcc-ajit-pai-net-neutrality.html


Another Yahoo Hack... 32 Million Accounts 2017-03-01

Yet another Yahoo hack. This one for 32 million accounts. Is this even news anymore? Yahoo can't seem to get a break. https://www.cnet.com/news/yahoo-says-forged-cookie-attack-accessed-about-32m-accounts/


Password Managers = Unsafe 2017-02-28

"Password managers" or "how to put all your password eggs in one basket". What could possibly go wrong? : http://thehackernews.com/2017/02/password-manager-apps.html


"Smart Toys" for your Kids? : Think Again... 2017-02-27

This has been in the news quite a bit lately. "Smart" devices getting hacked. But the problem is not only the hacking. Many smart device manufacturers just don't care about their customers' privacy. Many don't even try to protect it. "[...] Spiral Toys used an open Amazon-hosted service that required no authorization to store the recordings, user profile pictures, children's names, and their relations to parents, relatives, and friends." http://thehackernews.com/2017/02/iot-teddy-bear.html


SHA1 Collisions 2017-02-24

We've known about the risks of using the SHA1 cryptographic hash function since at least 2005, but it's now official : SHA1 is dead. That has grave consequences for internet security, notably for Git and for SVN. https://arstechnica.com/security/2017/02/at-deaths-door-for-years-widely-used-sha1-function-is-now-dead/ You can also look at this website : https://shattered.io/


Cloudflare : a Man-in-the-Middle Who Leaks 2017-02-23

Cloudflare is a content delivery network. It basically sits between you and the website you want to access. Now we learn it was leaking private information, including encryption keys, chat logs, cookies, and passwords... http://gizmodo.com/cloudbleed-is-a-problem-but-it-gets-worse-1792721147 This is as good a time as any to change one's passwords. https://www.lifehacker.com.au/2017/02/cloudflare-cloudbleed-bug-exposes-sensitive-data-who-is-affected/


The Risks of Allowing Javascript in your Browser 2017-02-16

Another Javascript exploit which could lead to your system being hijacked : http://thehackernews.com/2017/02/bypass-aslr-browser-javascript.html

One-on-One Answers

Answers to your questions by video/audio chat; US$15 per 15 minutes, via bitcoin (Mainnet, Lightning or Liquid). Schedule a call : info@privacyliteracy.com