Privacy, Government, Surveillance, and You.


Fighteer Lost in Space from The Time Vortex (Time Abyss) Relationship Status: TV Tropes ruined my love life
#4251: Sep 20th 2019 at 9:06:58 PM

(Ars Technica) Facebook suspends tens of thousands of apps in ongoing privacy investigation.

Apps improperly obtained user data, installed malware, and committed other offenses.

[...]

Facebook—the social media company that has been under intense public criticism for not adequately safeguarding the personal information of its 2 billion users—has suspended tens of thousands of apps for a variety of violations, including improperly sharing private data.

[...]

The tens of thousands of apps were associated with about 400 developers. While some of the apps were suspended, in a few cases others were banned completely. Offenses that led to banning included inappropriately sharing data obtained from the Facebook platform, making data available without protecting users' identities, or clear violations of the social network's terms of service.

Facebook is also suing and/or pressing charges against some developers. I'm impressed that Facebook is finally doing this, even if it is in response to increased public scrutiny for their laxity in enforcing privacy rules.

"It's Occam's Shuriken! If the answer is elusive, never rule out ninjas!"
Fighteer
#4252: Oct 1st 2019 at 9:26:17 AM

(Ars Technica) Why big ISPs aren’t happy about Google’s plans for encrypted DNS

DNS, or Domain Name Service, is a network of servers that translates the name of a site (google.com) into an IP address (172.217.10.142), so that an electronic device can communicate with it. It is one of the core technologies underlying the Internet.

Summarizing, Google will soon be deploying to Chrome a feature (already present in Firefox, but nobody cares) that encrypts DNS queries when that feature is available: specifically, when the DNS server supports HTTPS connections. Internet Service Providers are suing to prevent this, on two grounds:

  • Google is engaging in anti-competitive practices by pushing its own DNS servers with this new tech.
    • Google denies this, saying that the technology gives no preference to any particular DNS server as long as it supports encryption.
  • The new tech will block ISPs' ability to snoop on their users' DNS queries.
    • This is true, and at the heart of the issue.

ISPs can snoop on DNS queries for a variety of reasons, some good and some bad. For example:

  • Detect malware on users' machines via DNS lookup patterns.
  • Apply content filtering for children's protection (safe search, etc.).
  • Direct users to network sign-on pages (mainly used for public WiFi networks).
  • Collect marketing information for targeted advertising.
  • Scan for copyright infringement.
  • In the EU, ISPs comply with anti-pornography laws by DNS snooping.

ISPs would still be able to tell what IP addresses you visit even with secure DNS, but this would be much cruder given that many different websites could reside on a particular IP address.

Not discussed in the article is the use of VPNs, which also encrypt DNS queries after establishing the initial secure connection. One wonders how this would impact the lawsuit, since it can be demonstrated that users already possess the ability to evade DNS snooping.

This feels like a lawsuit that is destined to fail on straightforward privacy grounds, but governments have been getting increasingly intrusive into their citizens' online activity and may not agree.

Edited by Fighteer on Oct 1st 2019 at 2:27:55 PM

DeMarquis Since: Feb, 2010
#4253: Oct 1st 2019 at 9:31:39 AM

Awesome! A small but worthy victory.

Fighteer
#4254: Oct 4th 2019 at 3:47:08 AM

(Ars Technica): Attackers exploit 0day vulnerability that gives full control of Android phones

The vulnerability, which is being actively exploited, allows full control of at least 18 different phone models if the user installs an untrusted app or in combination with a Chrome rendering exploit.

The overall incidence of the exploit is fairly low, but users of the indicated devices should be cautious until regular security updates go out later this month.

The vulnerability was discovered by an Israeli company named NSO Group, which is in the business of finding and selling exploits to government entities. It originated in a version of the Linux kernel that was patched but did not get a CVE, and thus was incorporated into versions 3.18, 4.4, and 4.9 of the Android kernel.

Ominae Since: Jul, 2010
#4255: Oct 11th 2019 at 1:18:51 AM

https://www.theguardian.com/world/2019/oct/11/japanese-assault-suspect-tracked-down-pop-star-via-eye-reflection-in-selfie

https://www.bbc.com/news/world-asia-50000234

TMPD arrested a stalker after he tracked her down through the reflection in her eyes in a selfie she had posted.

It's now raising issues about whether HD quality improvements on phones, for posting pictures online, are worth it.

Fighteer
#4256: Oct 11th 2019 at 3:28:05 AM

That's a technology that can't be put back in the box. We just need to have sensible conversations about it.

DeMarquis
#4257: Oct 12th 2019 at 4:58:57 PM

While the capabilities of HD software are impressive, the truth is you shouldn't post selfies of yourself in places you frequent regularly where the public can see them, esp. if you are a celeb.

M84 Oh, bother. from Our little blue planet Since: Jun, 2010 Relationship Status: Chocolate!
#4258: Oct 12th 2019 at 6:51:33 PM

Nvm

Edited by M84 on Oct 12th 2019 at 9:52:50 PM

Disgusted, but not surprised
Fighteer
#4259: Oct 21st 2019 at 6:42:15 PM

Ars Technica: Hackers steal secret crypto keys for NordVPN. Here’s what we know so far.

In a nutshell, 19 months ago, hackers broke into a server leased by NordVPN in a Finland-based datacenter, gained root access, and stole a number of encryption keys that could allow them to spoof the DNS of NordVPN or perform man-in-the-middle attacks on encrypted sessions, although not actually read the transmitted data itself. The compromise was not caused by the company's own software, but rather by a remote management system installed by the datacenter's administrators, whose contract has since been terminated. The keys that were stolen all expired in 2018, so would not be useful going forward.

NordVPN did not inform anyone about the incident until asked by reporters, so the breach was not disclosed to the public for nearly 19 months. According to the company, no user information, passwords, or similar data was stolen, although they did not say what, if anything, else was done with the server during the time it was compromised.

Hackers could potentially have used the information to spoof VPN sessions on public Internet nodes, such as open WiFi hotspots, and/or intercept users' data streams in order to store the data offline for later cracking attempts. Doing the latter would require somewhat sophisticated methodology, and would be limited to sessions for that specific server, but it's still a risk.

While this is not a critical breach, it does identify some flaws in NordVPN's management and potentially reduces consumer confidence in the whole field of private VPN companies.

Ominae
#4260: Oct 21st 2019 at 7:16:50 PM

[up][up][up]

That I much agree with.

If that guy wasn't a stalker, I'd say that he makes a pretty good OSINT investigator.

DeMarquis
#4261: Oct 22nd 2019 at 4:49:19 PM

Recently I've begun using Proton VPN, which is free. So far, I am favorably impressed. It's a lot faster than TOR, for one thing.

RainehDaze Figure of Hourai from Scotland (Ten years in the joint) Relationship Status: Serial head-patter
#4262: Oct 22nd 2019 at 4:57:28 PM

[up][up][up] Yeah, but to actually do anything on a large scale with the key obtained is extremely difficult for what you can gain. I've seen so many responses that immediately jump to "and that means that they could fake a server anywhere that you would connect to!", completely ignoring that the TLS key allows you to decrypt received traffic, not change the entire way that NordVPN is structured to obtain that traffic in the first place. If network backbones were compromised like that, VPN traffic would be nothing.

The takeaway is that any VPN service's greatest weakness is the servers. If they aren't a first party provider, which is unlikely, then if the server owner leaves a remote exploit... that's a problem.

The bigger issue is not coming out about this. Though given that this is the company that actually got its privacy practices fully audited, I don't think they're being misleading when they said that they did a full audit to check something like this couldn't happen again.

I'm not going to seek out a refund... it'd probably just wind up going to another service that hasn't been openly hacked yet and is probably more likely to be. That's a fun irony.

Edited by RainehDaze on Oct 22nd 2019 at 12:59:21 PM

Fighteer
#4264: Nov 5th 2019 at 5:56:30 PM

Ars Technica: Researchers hack Siri, Alexa, and Google Home by shining lasers at them

This exploit, which has only occurred in research environments as far as we know, relies on the technology behind the microphones found in most modern voice-command electronic devices. Called MEMS, or micro-electro-mechanical systems, the components of these microphones have been discovered to respond to light as if it were sound, allowing remote voice commands using devices as simple as a pocket laser pointer. In experiments, telephoto lenses could allow this to be done from hundreds of feet away, through multiple windows and from one building to another.

The attack worked on every device tested, from Siri (on phones) to Alexa and Google Assistant. While the internal security of such devices can mitigate harm to some extent, most accept at least a subset of commands without authentication, and the ones that require a 4-digit PIN can often be brute-forced. Several manufacturers responded to the article by saying they are looking into the issue.

Caveats: The attack requires direct line of sight to a vulnerable device (specifically, the microphone), and it requires special software to manipulate the laser device to produce the desired signals, not things a casual attacker would be able to accomplish.

DeMarquis
#4265: Nov 5th 2019 at 6:39:44 PM

"The attack exploits a vulnerability in microphones that use micro-electro-mechanical systems, or MEMS. The microscopic MEMS components of these microphones unintentionally respond to light as if it were sound. While the researchers tested only Siri, Alexa, Google Assistant, Facebook Portal, and a small number of tablets and phones, the researchers believe all devices that use MEMS microphones are susceptible to Light Commands attacks."

Fascinating. I can see this being useful in a spy thriller.

Fighteer
#4266: Nov 12th 2019 at 12:32:35 PM

Ars Technica: Google has access to detailed health records on tens of millions of Americans

Based on reporting by the Wall Street Journal, Google partnered with healthcare company Ascension in a massive data sharing operation, in which Google received access to the complete profiles and medical records of tens of millions of Americans. Neither company notified patients of this, although HIPAA does not require them to do so.

The ostensible objective is for Google to develop AI-based machine learning algorithms to sort through the medical data to better treat patients, as well as to improve revenue from patients. One example given is ordering additional medical tests.

The privacy implications are staggering, and really begin to stress our ideas of how our data should be managed by large corporations.

Edited by Fighteer on Nov 12th 2019 at 3:35:24 PM

DeMarquis
#4267: Nov 12th 2019 at 5:05:24 PM

Lately I've been reading the book "Mindf*ck" (that's literally the title, * and all) by the Cambridge Analytica whistleblower. Can recommend it. The things they did with Facebook data are mind-blowing. They literally found a way to develop personality profiles for everyone.

Fighteer
#4268: Nov 13th 2019 at 6:27:02 PM

Ars Technica: Breach affecting 1 million was caught only after hacker maxed out target’s storage

The Utah-based IT provider InfoTrax Systems is being sued by the FTC over a series of data breaches starting in May 2014 that resulted in the theft of personal information for about a million consumers and full payment information for thousands more. The breach went undetected until the original hacker's archive files filled up a hard drive.

The company is accused of failing to detect the breaches, failing to test or validate the security of its network, failure to delete personal data it no longer needed, and so on.

Fighteer
#4269: Dec 11th 2019 at 7:15:17 AM

Ars Technica: Intel’s SGX coughs up crypto keys when scientists tweak CPU voltage

This is one of those super-technical exploits that gets people dizzy when you try to explain it to them, but as simply as I can put it, researchers found a way to crack Intel's Software Guard Extensions, a "secure vault" for cryptographic data that is supposed to keep privileged information secret even if a computer is compromised by an attack that grants elevated privileges. The crack involves manipulating the CPU voltage to cause errors to occur. It does not require physical access to a computer.

Intel has released a fix for the problem, tracked as CVE-2019-11157.

Fighteer
#4270: Dec 12th 2019 at 9:15:37 AM

From Bob Sullivan, a consumer privacy advocate: Ring camera hacking stories abound — and there’s one billion more cameras to go.

Ring is a home security product that allows you to put wireless cameras up around your home with motion activation, allowing remote monitoring. It also has microphones and speakers for two-way audio conversations.

Well, it seems that if your account is compromised, someone in possession of your login information can take over the cameras, looking inside your home and even talking to whoever may be there... such as your children.

In a related article from Vice.com, hacker chatrooms already abound with lists of stolen Ring logins.

Advice to consumers who want to use these kinds of products includes only putting them outside your home, disabling the audio, and adding two-factor authentication so a stolen password won't compromise your security. Still, it's ironic that a purported security product is making us less safe.

Edited by Fighteer on Dec 12th 2019 at 12:30:49 PM

DeMarquis
#4271: Dec 30th 2019 at 1:49:22 PM

The Big Change Coming to Just About Every Website on New Year’s Day:

"Starting New Year's Day, you may notice a small but momentous change to the websites you visit: a button or link, probably at the bottom of the page, reading "Do Not Sell My Personal Information."

The change is one of many going into effect Jan. 1, 2020, thanks to a sweeping new data privacy law known as the California Consumer Privacy Act."

This is a huge victory for privacy advocates across the US.

Fighteer
#4273: Jan 13th 2020 at 4:11:57 PM

Ars Technica: Exploit that gives remote access affects ~200 million cable modems

Yes, this probably includes yours, and it's a big deal. The attack is called Cable Haunt, and that link goes to a website detailing it and providing scripts to test your cable modem, as well as lists of modems known to be affected. The article specifically refers to European ISPs, so I don't know if any other regions are affected. I can't tell from the language.

In a nutshell:

  • The hack allows attackers to execute arbitrary code on cable modems, using an endpoint associated with the spectrum analyzer. It exploits a buffer overflow vulnerability in that system.
  • A compromised modem may have its firmware remotely updated, its DNS settings changed, and/or be made part of a botnet. It can spy on all unencrypted network traffic.
  • A malicious website or ad can trigger the exploit, which bypasses the cross-origin resource sharing (CORS) protection of your browser because it uses websockets, which aren't covered by this protection.
    • This specific exploit doesn't work on Firefox for technical reasons, but there is an alternate way to do it.
  • It is virtually impossible for an end-user to detect when their modem has been compromised in this manner.

The fix for the issue is to have your ISP patch the modem's firmware, as it is generally under their control. The Cable Haunt website lists providers who have reported fixing their modems or not being vulnerable to the exploit.

Edit: My cable modem's firmware is vulnerable to the exploit. I'm sending my ISP an email.

Edited by Fighteer on Jan 13th 2020 at 11:00:26 AM

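The post above says the exploit reaches the modem from a web page because browsers do not apply cross-origin protection to WebSockets. That is true of the browser side, but the browser still sends the page's Origin header on the handshake, so a device can refuse sockets from pages it does not serve. The following is an added example, not Cable Haunt's code or any modem vendor's firmware: the server side of the RFC 6455 WebSocket handshake with an Origin allowlist, fed two constructed requests, one from the device's own admin page and one from an arbitrary site. The admin-UI origins, the /spectrum path and the host address are assumptions.

```python
import base64
import hashlib

# Added example, not Cable Haunt's or any modem vendor's code: the server
# side of a WebSocket handshake (RFC 6455) with an Origin allowlist.
# The admin-UI origins, host address and /spectrum path are assumptions.
WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"  # fixed by RFC 6455
ALLOWED_ORIGINS = {"http://192.168.100.1", "https://192.168.100.1"}


def accept_key(client_key):
    """Sec-WebSocket-Accept = base64(SHA-1(client key + GUID))."""
    digest = hashlib.sha1((client_key + WS_GUID).encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")


def parse_request(raw):
    """Split the request line from the headers; header names are lower-cased."""
    head = raw.partition(b"\r\n\r\n")[0].decode("latin-1")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def handshake_response(raw):
    """Answer a client's Upgrade request, or refuse it."""
    request_line, h = parse_request(raw)
    bad = b"HTTP/1.1 400 Bad Request\r\nConnection: close\r\n\r\n"
    if not request_line.startswith("GET ") or h.get("upgrade", "").lower() != "websocket":
        return bad
    if h.get("sec-websocket-version") != "13" or "sec-websocket-key" not in h:
        return bad
    # The browser never applies CORS to a WebSocket, but it does send the
    # page's Origin, and the server can read it. A LAN device that skips
    # this check accepts a socket opened by any page or ad the user loads.
    if h.get("origin") not in ALLOWED_ORIGINS:
        return b"HTTP/1.1 403 Forbidden\r\nConnection: close\r\n\r\n"
    return (
        "HTTP/1.1 101 Switching Protocols\r\n"
        "Upgrade: websocket\r\n"
        "Connection: Upgrade\r\n"
        f"Sec-WebSocket-Accept: {accept_key(h['sec-websocket-key'])}\r\n\r\n"
    ).encode("ascii")


def make_request(origin, key="dGhlIHNhbXBsZSBub25jZQ=="):
    """Constructed client handshake; the default key is the one in RFC 6455's example."""
    return (
        "GET /spectrum HTTP/1.1\r\n"
        "Host: 192.168.100.1:8080\r\n"
        "Upgrade: websocket\r\n"
        "Connection: Upgrade\r\n"
        f"Sec-WebSocket-Key: {key}\r\n"
        "Sec-WebSocket-Version: 13\r\n"
        f"Origin: {origin}\r\n\r\n"
    ).encode("ascii")


if __name__ == "__main__":
    print(handshake_response(make_request("http://192.168.100.1")).decode())
    print(handshake_response(make_request("https://evil.example")).decode())
```

The Origin check only stops requests launched by a browser on the user's behalf, which is the path the post describes; a non-browser client on the LAN can put anything in that header, so this is a mitigation, not a substitute for fixing the buffer overflow in the endpoint itself.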
Fighteer
#4274: Jan 14th 2020 at 6:58:11 AM

Update: My ISP replied on Twitter that they are researching the issue. Thank goodness. I advise everyone who uses a cable modem to check their model and firmware against the list provided by the Cable Haunt website and inquire with their ISP about their response if it's potentially vulnerable.

SeptimusHeap from Switzerland (Edited uphill both ways) Relationship Status: Mu
#4275: Jan 14th 2020 at 9:32:56 AM

I think that website has folder issues...

"For a successful technology, reality must take precedence over public relations, for Nature cannot be fooled." - Richard Feynman
