Archive | IT security

For you to be anonymous, we must know who you are…

The British Internet provider O2 disputed the previous story that they don’t permit people to access tools that give them anonymity protection, like this VPN service. “You only need to show photo ID in one of our stores”, they said, via a link provided. So in order to be an anonymous and protected press source, you need to show a photo ID. You couldn’t make it up if you tried.

Falkvinge @ PNO » British ISP: Of course you can be a protected anonymous press source, you just need to show us photo ID first »


The German »Staatstrojaner« mission creep

A new law allowing the German police to hack into mobile phones for even minor crimes is expected to be passed by the German parliament this week [update: the law has now been passed]. Currently, the use of a “Staatstrojaner” – government trojan – is only permitted in order to prevent future terrorist attacks. Under the new law, the authorities will be allowed to implant surveillance malware to help secure convictions for over 70 types of crime. These include serious ones such as genocide, treason and murder, but also less serious crimes such as money counterfeiting, vehicle theft, computer fraud, rigged sports betting and tax evasion. Two kinds of trojans will be available. The first allows the authorities to eavesdrop on calls made with the mobile phone, whether using standard telephony or VoIP, while the second gives access to all information held on the device.

Glyn Moody on PNO: Police use of trojans to hack into mobile phones will become routine under new German law »


US: Republican Party voter database found on a publicly accessible server

Sensitive personal details relating to almost 200 million US citizens have been accidentally exposed by a marketing firm contracted by the Republican National Committee.

The 1.1 terabytes of data includes birthdates, home addresses, telephone numbers and political views of nearly 62% of the entire US population.

The data was available on a publicly accessible Amazon cloud server.

BBC: Personal details of nearly 200 million US citizens exposed »

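The exposure above came down to storage that anyone on the internet could read. As an added example, not code from the page, the BBC report, or the contractor involved, here is a small Python audit that flags the two ways an S3 bucket becomes world-readable: an ACL grant to the global AllUsers or AuthenticatedUsers groups, and a bucket policy statement that allows actions to Principal "*". The ACL and policy documents are shaped like the responses of the S3 GetBucketAcl and GetBucketPolicy APIs; the bucket name and all sample data are constructed for the example.

```python
from __future__ import annotations

import json

# Grantee URIs that mean "everyone on the internet" and "anyone with an AWS account".
PUBLIC_GROUP_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def as_list(value) -> list:
    """IAM policy fields may hold a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def principal_is_anyone(principal) -> bool:
    """True for Principal "*" or {"AWS": "*"} (the wildcard may sit inside a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in as_list(principal.get("AWS"))
    return False


def public_acl_grants(acl: dict) -> list[str]:
    """One finding per ACL grant to a global group (document shaped like GetBucketAcl output)."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUP_URIS:
            group = grantee["URI"].rsplit("/", 1)[-1]
            findings.append(f"ACL grants {grant.get('Permission')} to {group}")
    return findings


def public_policy_statements(policy: dict) -> list[str]:
    """One finding per Allow statement whose Principal is the wildcard."""
    findings = []
    for st in as_list(policy.get("Statement")):
        if st.get("Effect") != "Allow" or not principal_is_anyone(st.get("Principal")):
            continue
        actions = ", ".join(as_list(st.get("Action")))
        sid = st.get("Sid", "<no Sid>")
        # A Condition block may narrow the audience (source VPC, IP range); it still needs a human look.
        note = " (has a Condition block; check whether it really narrows the audience)" if "Condition" in st else ""
        findings.append(f"policy statement {sid} allows {actions} to anyone{note}")
    return findings


def audit_bucket(name: str, acl: dict, policy_json: str | None) -> list[str]:
    """Combine ACL and policy findings; policy_json is the raw policy document, or None if the bucket has none."""
    findings = public_acl_grants(acl)
    if policy_json:
        findings += public_policy_statements(json.loads(policy_json))
    return [f"{name}: {f}" for f in findings]


# Constructed sample data for this example (hypothetical bucket, not from any real account).
EXPOSED_ACL = {
    "Owner": {"ID": "owner-canonical-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"},
    ],
}
EXPOSED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-voter-data/*",
    }],
})
PRIVATE_ACL = {
    "Owner": {"ID": "owner-canonical-id"},
    "Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"}, "Permission": "FULL_CONTROL"}],
}

if __name__ == "__main__":
    for line in audit_bucket("example-voter-data", EXPOSED_ACL, EXPOSED_POLICY):
        print(line)
    print("private bucket findings:", audit_bucket("example-private", PRIVATE_ACL, None))
```

Against a live account the same functions take the dictionaries returned by boto3's `get_bucket_acl(Bucket=...)` and the `Policy` string from `get_bucket_policy(Bucket=...)` (which raises `NoSuchBucketPolicy` when there is none). A check like this is a detective control; the preventive one is the account-level S3 Block Public Access setting, which rejects public ACLs and policies before they take effect.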

Vault7: How the CIA could hack your router

On Thursday, WikiLeaks published a detailed set of descriptions and documentation for the CIA’s router-hacking toolkit. It’s the latest drip in the months-long trickle of secret CIA files it has called Vault7, and it hints at how the agency leverages vulnerabilities in common routers sold by companies including D-Link and Linksys. The techniques range from hacking network passwords to rewriting device firmware to remotely monitor the traffic that flows across a target’s network. After reading up on them, you may find yourself itching to update your own long-neglected access point.

Wired: Wikileaks reveals how the CIA could hack your router »


Facebook to use your face/webcam to tailor ads based on emotions?

A newly discovered patent application shows Facebook has come up with plans to potentially spy on its users through their phone or laptop cameras—even when they’re not turned on. This could allow it to send tailored advertisements to its nearly two billion members. The application, filed in 2014, says Facebook has thought of using “imaging components,” like a camera, to read the emotions of its users and send them catered content, like videos, photos, and ads.

The Daily Dot: Facebook patent application describes spying on users through their webcams »


Bruce Schneier on NSA and WannaCry

People inside the NSA are quick to discount these studies, saying that the data don’t reflect their reality. They claim that there are entire classes of vulnerabilities the NSA uses that are not known in the research world, making rediscovery less likely. This may be true, but the evidence we have from the Shadow Brokers is that the vulnerabilities that the NSA keeps secret aren’t consistently different from those that researchers discover. And given the alarming ease with which both the NSA and CIA are having their attack tools stolen, rediscovery isn’t limited to independent security research.

Bruce Schneier in Foreign Affairs: Why the NSA Makes Us More Vulnerable to Cyberattacks »


Social media vetting now in effect for US visas

“The U.S. is buttressing its paperwork walls with new requirements for social media disclosures as part of revised visa applications.” (…)

“The new questionnaire will ask for social media handles dating back over the last five years and biographical information dating back 15 years.” (…)

“Quoting an unnamed State Department official, Reuters reported that the additional information would only be requested when the department determines that ‘such information is required to confirm identity or conduct more rigorous national security vetting’.”

Techcrunch: US approves social media background checks for visa applicants »

Reuters: Trump administration approves tougher visa vetting, including social media checks »


When subtitles attack

Check Point researchers revealed a new attack vector which threatens millions of users worldwide – attack by subtitles. By crafting malicious subtitle files, which are then downloaded by a victim’s media player, attackers can take complete control over any type of device via vulnerabilities found in many popular streaming platforms, including VLC, Kodi (XBMC), Popcorn-Time and strem.io. We estimate there are approximately 200 million video players and streamers that currently run the vulnerable software, making this one of the most widespread, easily accessed and zero-resistance vulnerabilities reported in recent years.

Check Point: Hacked in Translation – from Subtitles to Complete Takeover »

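The attack works because a player treats a downloaded subtitle file as trusted input and hands it to a parser that was never hardened against hostile data. As an added example, not code from the page, from Check Point, or from any of the players named, here is a strict SRT parser in Python that bounds every field (file size, cue count, rows per cue, text length, timestamp shape), refuses undecodable bytes and NUL characters, and strips all markup except plain italic/bold/underline tags, so that a crafted file is rejected instead of reaching a renderer. The limits and the sample inputs are constructed for the example.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Hard limits for a subtitle file that arrives from an untrusted source.
# These values are assumptions chosen for this example, not numbers from any player.
MAX_FILE_BYTES = 2 * 1024 * 1024
MAX_CUES = 10_000
MAX_ROWS_PER_CUE = 4
MAX_TEXT_BYTES = 2_048

TIMESTAMP = re.compile(r"^(\d{2}):(\d{2}):(\d{2}),(\d{3})$")
TIMING_LINE = re.compile(r"^(\S+)\s+-->\s+(\S+)(?:\s.*)?$")
ANY_TAG = re.compile(r"<[^>]*>")
ALLOWED_TAG = re.compile(r"</?(?:i|b|u)>", re.IGNORECASE)


class SubtitleError(ValueError):
    """Raised for any input the strict parser refuses."""


@dataclass(frozen=True)
class Cue:
    index: int
    start_ms: int
    end_ms: int
    text: str


def parse_timestamp(s: str) -> int:
    """HH:MM:SS,mmm -> milliseconds; anything not exactly that shape is rejected."""
    m = TIMESTAMP.match(s)
    if not m:
        raise SubtitleError(f"bad timestamp {s!r}")
    h, mi, se, ms = (int(x) for x in m.groups())
    if mi > 59 or se > 59:
        raise SubtitleError(f"timestamp out of range {s!r}")
    return ((h * 60 + mi) * 60 + se) * 1000 + ms


def sanitize_text(s: str) -> str:
    """Drop control characters and every piece of markup except bare <i>, <b>, <u> tags."""
    s = "".join(ch for ch in s if ch == "\n" or (ord(ch) >= 32 and ch != "\x7f"))
    return ANY_TAG.sub(lambda m: m.group(0) if ALLOWED_TAG.fullmatch(m.group(0)) else "", s)


def parse_srt(data: bytes) -> list[Cue]:
    """Parse SRT bytes with every field bounded; any violation raises SubtitleError."""
    if len(data) > MAX_FILE_BYTES:
        raise SubtitleError("file too large")
    try:
        text = data.decode("utf-8")  # strict decode: undecodable bytes are an error, not passed through
    except UnicodeDecodeError as e:
        raise SubtitleError("not valid UTF-8") from e
    text = text.lstrip("\ufeff")
    if "\x00" in text:
        raise SubtitleError("NUL byte in subtitle")
    cues: list[Cue] = []
    for block in re.split(r"\r?\n\s*\r?\n", text.strip()):
        if len(cues) >= MAX_CUES:
            raise SubtitleError("too many cues")
        lines = block.splitlines()
        if len(lines) < 2 or not lines[0].strip().isdigit():
            raise SubtitleError(f"malformed cue header {lines[:1]!r}")
        m = TIMING_LINE.match(lines[1].strip())
        if not m:
            raise SubtitleError(f"bad timing line {lines[1]!r}")
        start, end = parse_timestamp(m.group(1)), parse_timestamp(m.group(2))
        if end < start:
            raise SubtitleError("cue ends before it starts")
        rows = lines[2:]
        if len(rows) > MAX_ROWS_PER_CUE:
            raise SubtitleError("too many text rows in one cue")
        body = sanitize_text("\n".join(rows))
        if len(body.encode("utf-8")) > MAX_TEXT_BYTES:
            raise SubtitleError("cue text too long")
        cues.append(Cue(int(lines[0].strip()), start, end, body))
    return cues


def is_safe(data: bytes) -> bool:
    """True if the file parses under the limits above, False if it would be rejected."""
    try:
        parse_srt(data)
        return True
    except SubtitleError:
        return False


# Constructed sample inputs for this example (not real subtitle files from any incident).
GOOD_SRT = (b"1\n00:00:01,000 --> 00:00:04,000\nHello, <i>world</i>.\n\n"
            b"2\n00:00:05,000 --> 00:00:06,500\nSecond line\nwith two rows\n")
OVERSIZED_SRT = b"1\n00:00:01,000 --> 00:00:04,000\n" + b"A" * 5000 + b"\n"
REVERSED_SRT = b"1\n00:00:04,000 --> 00:00:01,000\nnegative duration\n"

if __name__ == "__main__":
    for cue in parse_srt(GOOD_SRT):
        print(cue)
    print("oversized accepted:", is_safe(OVERSIZED_SRT))
    print("reversed accepted:", is_safe(REVERSED_SRT))
```

The point is the posture rather than the format: a file fetched from a subtitle repository deserves the same treatment as any other untrusted network input, so the parser fails closed on anything outside a narrow grammar, and the sanitised text is the only thing that reaches the rendering code.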

WannaCry: NSA knew about the dangers

It appears the NSA finally engaged in the Vulnerabilities Equities Process — not when it discovered the vulnerability, but rather when it became apparent the agency wouldn’t be able to prevent it from being released to the public. (…)

Officials called it “fishing with dynamite.” The exploit gave the NSA access to so much on compromised computers, the agency obviously couldn’t bear the thought of voluntarily giving up such a useful hacking tool. But when it was first deployed, some inside the agency felt the vulnerability might be too powerful to be left undisclosed.

Techdirt: NSA Was Concerned About Power Of Windows Exploit Long Before It Was Leaked »


WannaCry: NSA is unforgivable and beyond irresponsible

It’s clear that in weaponizing a vulnerability instead of responsibly disclosing it (so hospitals and transportation infrastructure can be protected), the NSA made a critical error in judgment that put millions of people at risk. However, one would think that after learning 10 months ago that their entire cyberweapon arsenal had been stolen and was now out “in the wild”, the NSA would have immediately taken action and responsibly disclosed the vulnerabilities so systems around the world could be patched.

Unfortunately, there is no indication that they did so. If we read carefully the statement from Microsoft today, it appears the NSA deliberately withheld the information that would have allowed critical civilian infrastructure like hospitals to be protected. In our view, this is unforgivable and beyond irresponsible.

Proton Mail blog: Important lessons from the first NSA-powered ransomware cyberattack »
