Category: security

Snooper’s Charter – UK Passes Surveillance Law

This was always likely to happen given recent events, the ridiculous snooper’s charter which was originally tabled in 2012 by the then home secretary Theresa May has been approved and passed.

12-01-2009-anonsymoussurfingsoftware-anonymous_democracy-dictators

Over the years it’s been blocked and repealed with good cause, civil liberties groups have described it as the most extreme surveillance legislation ever passed in a democratic nation.   It’s a huge blow to personal privacy with the government basically having access to pretty  much everything we do online.

Here’s some stand out points:

Internet provider’s Forced to Log Web History for 12 Months

This is a great one, your ISP will be forced to record every single web site you visit for 12 months.  So just imagine this, Government departments will be able to generate a list of every single web site you have visited for the last year.   Sounds a bit Orwellian,  a bit intrusive?  We thinks so!  Further imagine sitting down for an interview or an application with some Government official sitting across the desk from you with that list in hand.

Decrypt Data on Demand

The government will have the power to force any company or individual to decrypt data on demand.  Obviously no one really has any idea how this will work or how it can be implemented, but this just means it can be made up to suit the situation.  Is your VPN a protection, who knows if the law demands you hand over the key perhaps not.

Intelligence Agencies can Hack into Our Devices and Computers

Great eh!  Not only do they get a list of every porn site you may have inadvertently clicked on over the last 12 months, but the Government can legitimately hack into your phone, TV or internet enabled toaster to pry just a little bit further.  The use of the word ‘devices’ means they have pretty much ‘carte blanche’ to break into every electronic device in your possession and create sinister, snoopy lists and databases.

government-snoop-information

There are many other provisions, and in the spirit of oppressive regimes everywhere lots  of them are kept suitably vague and unclear.  This is important because it allows the security agencies to do pretty much anything and claim it is covered under the legislation.  Places like Iran, Turkey and China have been doing this for decades.

Is privacy a basic human right?  Many people think so, yet this legislation completely erodes that concept.   It’s been criticized from all quarters – privacy groups, United Nations representatives, lots of IT companies and even the parliamentary committee that was tasked with looking through the bill.

Nothing seemed to matter and the UK has now established a legal right to spy on it’s citizens like some second rate, despotic regime.

The Big Business Hackers

When you imagine a team of highly skilled hackers attempting to make money, most people will probably think of some criminal exercise of exploitation, cyber crime or extortion.   You certainly wouldn’t think of the stock market or investment firms profiting directly from this sort of enterprise – yet it seems this is exactly what is happening.

Hacking is going mainstream and it looks likely that there will be a lot more profit going legitimate than through the standard ransom or blackmailing routes.   Others will perhaps argue that these new methods are pretty much the same as the criminals use.

The story arises from the tactics of a company called MedSec a cyber security firm which has recently started up.  They investigated a range of hospitals and medical hardware for potential security issues and identified one medical devices company to be at particular risk – St Jude Medical Incorporated, more specifically the pacemakers and defibrillators they make.

At this point MedSec faced a classic, traditional ‘hackers dilemma’ – you find a serious vulnerability – what do you do?   For the ethical hacker it often represented a difficult choice particularly if a little digital trespassing was involved.  Many individuals have found themselves behind bars after attempting to inform a company or organisation about a vulnerability in their software or network, while some have been praised and rewarded.   The MedSec guys though have a plan to inform and profit at the same time, although the ethics seem fairly dubious to many.

They approached an investment firm run by Carson Block called Muddy Waters Capital LLC with their money making initiative.   The idea was unusual, MedSec team would prepare all the evidence demonstrating the problems with the medical devices, however before making this public the investment company would take out a short position on the parent company of St Jude Medical.    Basically they would both make money if the share price fell in response to the negative news.

Sounds like insider dealing? Perhaps, although it is assumed legal advice was taken before this unusual tactic  – here’s a MedSec representative justifying their tactics.

Convinced? Nope me neither, I suspect they may be in trouble for using this tactic. Where will it end ? The false concern about patients using these medical devices to try and justify their money making scheme was particularly hard to believe. Currently the tactic seems to have paid off though with the share price falling significantly and presumably making the ‘short’ position profitable.

Do You Trust Your TV? It Could be Spying on You.

Well if you have a new Samsung TV then perhaps you should think twice before answering that question.  Their new generation of Smart TVs have a voice activation feature that allows you to switch on and off, change channels and stuff like that, but it’s possible that this comes at a significant cost.

 

An eagle eyed EFF activist called Parker Higgins, took the time to read the privacy policy of these TVs and discovered a rather alarming paragraph which stated –

Please be aware that if your spoken words include personal or other sensitive information, that information will be among the data captured and transmitted to a third party through your use of Voice Recognition.

So let’s just have a think about this, if you enable the voice recognition function on your shiny new Samsung Smart TV, the bloody thing will not only listen to all your conversations it will also transmit them to a myriad of  third party companies.  Your TV would actually be sitting in the corner of your room spying on you!

Now putting aside my personal dislike of all voice enabled devices, I mean why is talking to an inanimate device preferable to pushing a button, this is a seriously worrying threat to people’s privacy.  For a start you’d have to be permanently on your guard, who knows where your conversations are going to – just some spotty Samsung technical geek  or more likely a selection of marketing companies?   Secondly, it’s not only spying on you the owner of the TV but anyone who happens to be in the room – have they given their permission ?  Should anyone entering your living room be given a disclaimer and need to sign a consent form !!

Samsung have now modified the wording in their policy insisting that the TV doesn’t in fact listen to ordinary conversations.  This is however rather difficult to believe after the initial policy wording,  I mean you’d never put that down in writing if it wasn’t in some way true.  There is obviously little thought being put into the design of these devices, as far as privacy goes – relying on stuffing a few sentences deep in the TVs documentation (which it probably thought nobody would read).

There are other aspects to the technology which makes it even more unlikely that conversations can’t be monitored by the device.  For start the TV is capable apparently of recognising complex requests like –

‘recommend a good Sci-Fi Movie’ or ‘open BBC iPlayer

I mean a TV would have to listen to pretty much everything to pick up and filter requests like that, this is beyond someone like me shouting OFF  in his stupid accent.

What is more that the TV doesn’t have a single microphone, you can’t just huddle in the corner away from the TV whispering – there’s another in the damn remote control.   Cunning move, the TV remote in my house for example it is the singlest most difficult to find device by far.  It routinely turns up in all sorts of obscure locations and I’m sure my children are on some sort of retainer to hide it every time they’ve finished watching.

Well I for one, will not be purchasing one of these things, however unfortunately it will also involve me upgrading my general level of paranoia.  I foresee a future of creeping around electronic stores or checking the backs of friends TV sets when I enter their house  (and of course enquiring about the location of the remote).

Does anyone really need this rubbish !!

Lessons from the Internet of Things – Do you Trust Your Fridge?

The ‘Internet of Things‘ is one of the most discussed topics on technical forums at the moment. The idea that you can enable all sorts of devices with a network card and a bit of memory to attach it online obviously has many benefits. It reminds me of the excitement of the ‘Trojan Room Coffee Machine which was a live video stream of a coffee machine hooked up in Cambridge University, via MPLS and an Acorn Archimedes (remember them!) in 1993. Sure it was just a coffee machine, certainly the picture rarely changed – it was either full, empty or half empty – but the realisation that you could check on it in real time without leaving your chair was kind of exciting at the time. The web cam was switched off in 2001, but many of us can still recall checking that the geeks in Cambridge had enough coffee.

isyourfridge-spamming

Nowadays of course, our devices are increasingly network aware, printers were of course, the logical first piece of equipment to stick online, it saved having them hooked up to computers and people could use them remotely. However it didn’t take long for hackers to target the first network enabled printers to infiltrate networks, distribute malware or just muck about by sending huge print jobs to them.

A story has broken this week in the security press which adds a strange twist with the first reported Spam attack by a fridge. The report released by the security firm, Proofpoint claims that a fridge took part in sending 750,000 email messages in a wide bot enabled Spam attack. It’s actually a little late as there have been similar reports as early as 2013 of this new vocation of our kitchen appliances, however it’s still rather disturbing.

Many of us, will perhaps question the need for kitchen appliances to have access to the internet. I for one can happily live without my fridge tweeting me that I’m out of milk, in fact being nagged by my fridge doesn’t appeal at all!! Manufacturers will point to the fact that internet access will provide a host of other benefits like fault finding and notifying manufacturer of potential problems. Again, the old school method of the fridge simply stopping working seems more than adequate. Imagine getting a call from a Samsung customer representative who has just been notified that your fridge light is not working by your erm fridge. It’s an internet horror story and the benefits negligible at best and in reality pretty much pointless.

Enabling these devices means there’s another headache you are responsible for, you’ll need to configure your fridge to connect, ensure it’s got a strong password and it’s behaving itself online.  How do you connect to your fridge, could you compromise other logins, should you use a VPN to connect?  Coming down in the morning and finding your fridge cornered by the FBI might seem far fetched but it’s not as ridiculous as it might seem.   Using these devices in botnets to attack other machines, send out spam or as proxies to attack other machines is perfectly feasible and it’s actually happening now.

Network security on these enabled devices is normally an after thought, it’s often much easier to hack into a network enabled device than a laptop or computer.   For example how many people would log onto their fridge after purchase to change the default password – but if you’ve bought  a fancy internet enabled smart fridge it’s something you really should do.   Already hackers have demonstrated how to to steal your google login from a Samsung fridge, at this years DefCon conference.  The fridge ran a flawed implementation of  SSL which failed to check false certificates making it vulnerable to MiTM attacks.

This ‘internet of things’ basically sounds like a huge pain, introducing fairly pointless benefits at the cost of loads of hassle and vulnerabilities.  Of course for things like printers and using my Smart TV to access online entertainment then it makes sense.  However I for one will not be upgrading my fridge anytime soon.

Surprising New Palestine Charity Donors

If you follow the security and hacker world, you’ll know that there is a constant tit-for-tat battle going on across countries, religions and ideologies.  One group will deface a certain web site usually with badly spelt propaganda and  ‘1337 speak’, then a few days later another group will retaliate with an attack on a different web site.  There’s lots of threats and tough talk, and it sometimes seems like there are literally thousands of these groups all over the world fighting their own cyber way.
computercrime

The reality is that it’s been happening for so long it doesn’t really make much impact any more, unless it’s a really big commercial name.  There’s another problem with this attack method, especially due to the minimal impact – it usually takes much more effort than it’s worth.  Of course there are literally thousands of ways to hack a web site – vulnerabilities on the code, the host, bruteforce passwords or pinch user credentials – the list is virtually endless.

However it does take time, and can take an awful lot of effort which is why it often looks like a complete waste of time.  You spend days finding out a web sites vulnerabilities and hack into it, replace it with your leet message – then take a couple of screenshots.  What happens then?  The owner changes all the password, closes the vulnerability and restores the original from backup and it’s all back to normal.  Unless you dash out and advertise the hack, then it’s likely not that many have even noticed and those who do have seen it all before anyway.   Of course if it’s a bank or a big commercial site then there is much more of an impact and of course commercial implications – but those sites are likely to take much more effort and resources to hack into anyway.

Which is why I think this was a rather innovative angle by a group of  pro-palestinian (or perhaps just anti-Israeli) hackers called AnonGhost (not impressed with that name!).  They’re involved in an cyber offensive against the Israeli’s, which sounds a bit more impressive than the reality, and have been for several years in line with other Muslim extremist groups like ISIS.  It all get’s very messy here as you have a ‘free speech’ hacker group like Anonymous, working towards the same target alongside ISIS sympathising hacking groups such as AnonGhost.  Obviously supporting any ISIS related group is kind of a backwards step toward promoting free speech and liberty.

Anyway the point is that instead of just stealing a few user details and posting up a bit of tedious cyber graffiti which is overwritten half an hour later, they did something different.   They stole lots of credit card details from an Israeli based site and posted some of them online, the rest they used to make donations to a Palestinian children’s charity.

anonghostdonate

Well that’s the story at least, there is a little bit of evidence to support it but not enough to be completely sure. The irony of course relies on these being stolen Israeli credit cards. Though whether the payments were completed by the charity site – fundrazr, is also perhaps difficult to believe -especially after the facts were posted all over the web.

As usual, the attackers probably didn’t hide their tracks very well and unless they used some very secure VPNs, like these, have probably now got loads of their details listed on databases compiled by various security agencies like GCHQ and the NSA.  However as a stunt,  it was at least a little bit innovative.