IT security

For you to be anonymous, we must know who you are…

The British mobile operator O2 disputed the earlier story that they don’t let customers reach tools that give them anonymity protection, like this VPN service. “You only need to show photo ID in one of our stores”, they said, pointing to a link. So in order to be an anonymous and protected press source, you first need to show a photo ID. You couldn’t make it up if you tried.

The German »Staatstrojaner« mission creep

A new law allowing the German police to hack into mobile phones for even minor crimes is expected to be passed by the German parliament this week [update: the law has now been passed]. Currently, the use of a “Staatstrojaner” – government trojan – is only permitted in order to prevent future terrorist attacks. Under the new law, the authorities will be allowed to implant surveillance malware to help secure convictions for over 70 types of crime.

US: Republican Party voter database found on a publicly accessible server

Sensitive personal details relating to almost 200 million US citizens have been accidentally exposed by a marketing firm contracted by the Republican National Committee.
The 1.1 terabytes of data includes birthdates, home addresses, telephone numbers and political views of nearly 62% of the entire US population.
The data was available on a publicly accessible Amazon cloud server.

BBC: Personal details of nearly 200 million US citizens exposed »

Vault7: How the CIA could hack your router

On Thursday, WikiLeaks published a detailed set of descriptions and documentation for the CIA’s router-hacking toolkit. It’s the latest drip in the months-long trickle of secret CIA files it calls Vault7, and it hints at how the agency leverages vulnerabilities in common routers sold by companies including D-Link and Linksys. The techniques range from hacking network passwords to rewriting device firmware to remotely monitor the traffic that flows across a target’s network.

Facebook to use your face/webcam to tailor ads based on emotions?

A newly discovered patent application shows Facebook has come up with plans to potentially spy on its users through their phone or laptop cameras—even when they’re not turned on. This could allow it to send tailored advertisements to its nearly two billion members. The application, filed in 2014, says Facebook has thought of using “imaging components,” like a camera, to read the emotions of its users and send them catered content, like videos, photos, and ads.

Bruce Schneier on NSA and WannaCry

People inside the NSA are quick to discount these studies, saying that the data don’t reflect their reality. They claim that there are entire classes of vulnerabilities the NSA uses that are not known in the research world, making rediscovery less likely. This may be true, but the evidence we have from the Shadow Brokers is that the vulnerabilities that the NSA keeps secret aren’t consistently different from those that researchers discover.

Social media vetting now in effect for US visas

“The U.S. is buttressing its paperwork walls with new requirements for social media disclosures as part of revised visa applications.” (…)
“The new questionnaire will ask for social media handles dating back over the last five years and biographical information dating back 15 years.” (…)
“Quoting an unnamed State Department official, Reuters reported that the additional information would only be requested when the department determines that ‘such information is required to confirm identity or conduct more rigorous national security vetting’.”

When subtitles attack

Check Point researchers revealed a new attack vector which threatens millions of users worldwide – attack by subtitles. By crafting malicious subtitle files, which are then downloaded by a victim’s media player, attackers can take complete control over any type of device via vulnerabilities found in many popular streaming platforms, including VLC, Kodi (XBMC), Popcorn-Time and strem.io.
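The practical lesson of the subtitle research is that a subtitle file pulled from an online repository is untrusted input and deserves the same strict parsing as any other file format. The following is an added example, written for this page and not code from Check Point, VLC, Kodi or any other player mentioned above; it does not reproduce the actual bugs the researchers found (the page does not describe them). It parses SubRip (.srt) text under a deliberately narrow grammar: hard caps on file size, cue count and line length, a strict timestamp pattern, rejection of anything that is not clean UTF-8, and an allowlist of bare formatting tags so attribute-bearing or unknown markup never reaches the renderer. The caps and the sample subtitle files are assumptions constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import List

# Hard caps: a real subtitle file is at most a few hundred kilobytes of text.
# These limits are assumptions chosen for this example, not values from any player.
MAX_FILE_BYTES = 2 * 1024 * 1024
MAX_CUES = 5000
MAX_LINES_PER_CUE = 8
MAX_LINE_CHARS = 512

_TS = r"(\d{2}):(\d{2}):(\d{2}),(\d{3})"
_TIMING_RE = re.compile(rf"^{_TS} --> {_TS}$")
_TAG_RE = re.compile(r"<(/?)([A-Za-z]+)[^<>]*>")
_ALLOWED_TAGS = {"i", "b", "u"}


class SubtitleError(ValueError):
    """Raised for anything outside the strict SRT grammar we accept."""


@dataclass
class Cue:
    index: int
    start_ms: int
    end_ms: int
    lines: List[str]


def _to_ms(h: str, m: str, s: str, ms: str) -> int:
    hh, mm, ss, mss = int(h), int(m), int(s), int(ms)
    if mm > 59 or ss > 59:
        raise SubtitleError("timestamp field out of range")
    return ((hh * 60 + mm) * 60 + ss) * 1000 + mss


def _sanitize_line(line: str) -> str:
    """Keep only bare <i>, <b>, <u> tags; drop attributes and every other tag."""
    # With all tags removed, any remaining angle bracket is markup we could not
    # parse; reject it instead of guessing what a renderer would do with it.
    if "<" in _TAG_RE.sub("", line) or ">" in _TAG_RE.sub("", line):
        raise SubtitleError("unparseable markup in cue text")

    def repl(m: re.Match) -> str:
        slash, name = m.group(1), m.group(2).lower()
        return f"<{slash}{name}>" if name in _ALLOWED_TAGS else ""

    return _TAG_RE.sub(repl, line)


def parse_srt(data: bytes) -> List[Cue]:
    """Parse an SRT file; raise SubtitleError on anything outside the grammar."""
    if len(data) > MAX_FILE_BYTES:
        raise SubtitleError("file too large")
    try:
        text = data.decode("utf-8")          # strict: invalid bytes are an error
    except UnicodeDecodeError as exc:
        raise SubtitleError("not valid UTF-8") from exc
    if any(ord(c) < 0x20 and c not in "\r\n\t" for c in text):
        raise SubtitleError("control characters in subtitle")

    cues: List[Cue] = []
    for block in re.split(r"\n\s*\n", text.replace("\r\n", "\n").strip()):
        if not block.strip():
            continue
        lines = block.split("\n")
        if len(lines) < 3:
            raise SubtitleError("cue needs index, timing and text")
        if not lines[0].strip().isdecimal():
            raise SubtitleError("cue index must be numeric")
        m = _TIMING_RE.match(lines[1].strip())
        if not m:
            raise SubtitleError("bad timing line")
        start, end = _to_ms(*m.groups()[:4]), _to_ms(*m.groups()[4:])
        if start > end:
            raise SubtitleError("cue ends before it starts")
        body = lines[2:]
        if len(body) > MAX_LINES_PER_CUE:
            raise SubtitleError("too many lines in cue")
        clean = []
        for raw in body:
            if len(raw) > MAX_LINE_CHARS:
                raise SubtitleError("cue line too long")
            clean.append(_sanitize_line(raw))
        cues.append(Cue(int(lines[0].strip()), start, end, clean))
        if len(cues) > MAX_CUES:
            raise SubtitleError("too many cues")
    return cues


def is_safe(data: bytes) -> bool:
    """True if the file parses under the strict grammar, False otherwise."""
    try:
        parse_srt(data)
        return True
    except SubtitleError:
        return False


# Constructed sample inputs (not real subtitle files).
GOOD_SRT = (
    "1\n00:00:01,000 --> 00:00:02,500\n<i>Hello</i> world\n\n"
    "2\n00:00:03,000 --> 00:00:04,000\n"
    '<font color="red" onload="x()">Second</font> line\n'
).encode()
OVERSIZED_SRT = ("1\n00:00:01,000 --> 00:00:02,000\n" + "A" * 100000 + "\n").encode()
BINARY_SRT = b"1\n00:00:01,000 --> 00:00:02,000\n\x00\x90\x90\n"
BAD_TIMING_SRT = b"1\n00:00:05,000 --> 00:00:04,000\nx\n"
```

The point is not any single check but the shape: every field is matched against an explicit grammar, every length is bounded before the data is touched, and unknown markup is discarded rather than passed through. A parser written this way fails closed on the kind of oversized or binary-laden "subtitle" that an attacker would plant in a shared repository.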

WannaCry: NSA knew about the dangers

It appears the NSA finally engaged in the Vulnerabilities Equities Process — not when it discovered the vulnerability, but rather when it became apparent the agency wouldn’t be able to prevent it from being released to the public. (…)
Officials called it “fishing with dynamite.” The exploit gave the NSA access to so much on compromised computers, the agency obviously couldn’t bear the thought of voluntarily giving up such a useful hacking tool. But when it was first deployed, some inside the agency felt the vulnerability might be too powerful to be left undisclosed.

WannaCry: NSA is unforgivable and beyond irresponsible

It’s clear that in weaponizing a vulnerability instead of responsibly disclosing it (so hospitals and transportation infrastructure can be protected), the NSA made a critical error in judgment that put millions of people at risk. However, one would think that after learning 10 months ago that their entire cyberweapon arsenal had been stolen and was now out “in the wild”, the NSA would have immediately taken action and responsibly disclosed the vulnerabilities so systems around the world could be patched.