Category Archives: Cyber Security

Software Industry Greed is Driving the Assault on our Privacy & Security

The motivation to release software, without proper testing, in order to generate a quick buck is as much of a threat to our security and privacy as the activities of hackers and alphabet agencies. It is time that software companies started to pay the price for the sorry mess that their greed is helping to create.

Once upon a time these matters could be considered in isolation but with the “Internet of Things” connecting millions more devices every day we are headed for a world that will have 28 billion IoT devices by 2020.

Consumer concern will not halt the rollout. A staggeringly high number of consumers hold serious concerns about the possibility of their information getting stolen from everyday devices – their smart home, their tablet, their laptop. One would think therefore that this concern would pressure software manufacturers to be more rigorous in their pre-GA testing activities. Not so.

Why? Because so much of this IoT stuff is embedded and consumer awareness is mainly limited to the high profile exposures. Consumers are not hesitating to purchase connected devices because consumers do not know that the devices are connected.

Samsung’s SmartThings smart home platform is a leaky colander of loosely connected hack prone software. IoT security hardening is not just about the particular application but also about building security into the network connections that link applications and that link devices.

And then there is the “Data”. The amount of this stuff that is generated by IoT is intractably large. As few as 10,000 households can generate 215 million discrete data points every day. This creates more entry points for hackers and leaves sensitive information vulnerable.

The number and variety of privacy attack vectors becomes unmanageable very quickly. From the CIA hacking your Samsung TV, uBeacons doing their bit (uXDT & Audio Beacons – Introduce your Paranoia to your Imagination), hackers controlling your car, it’s a worryingly real threat to the personal security and privacy of every one of us.

If the CIA’s Directorate of Digital Innovation (DDI), who are tasked with delivering cyber-espionage tools and intelligence gathering capabilities, cannot even secure their own USB drives then what chance do the rest of us have.

Unfortunately the answer is that we have no chance.

ENDS 

“Bypassing” Encryption is the same as “Breaking” Encryption

According to the Vault 7 WikiLeaks data the CIA made phone malware that can read your private chats without breaking encryption.

Anyone with half a clue always knew that the best way to subvert encryption was to bypass encryption as we at TMG Corporate Services have always done. From our blog post Am I Being Surveilled? on 29th March 2016:

Still – the point is made I think – visual intercepts are economically viable even for local LE – it’s just an ultra low light wifi enabled pin-hole snake camera in the right spot. One above the driver and passenger seat belt brackets in a private vehicle is a good location (easy access to and plenty of space behind the plastic covering the B pillar to store the bits).

Five uninterrupted minutes and both are installed. Just wait for the target to take a Sunday drive and game on. Most people rest the handset on their lap while typing stationary in traffic or better still upright and in front or on top of the wheel when driving – using one hand – which gives a nice unobstructed keystroke by keystroke view of their typing activities.

Most successful hacks are low tech

Today I have seen a bunch of publications and experts trying to assure people that this is nothing to worry about. The purity of encryption is in tact. It is an academic point.

If you are in the business of handling sensitive data then don’t use your cell phone to transmit it. It’s that simple.

* In the hours since the documents were made available by WikiLeaks, a misconception was developed, making people believe the CIA “cracked” the encryption used by popular secure messaging software including Signal and WhatsApp.

WikiLeaks asserted that: “These techniques permit the CIA to bypass the encryption of WhatsApp, Signal, Telegram, Wiebo, Confide and Cloakman by hacking the “smart” phones that they run on and collecting audio and message traffic before encryption is applied.”

This statement by WikiLeaks made most people think that the encryption used by end-to-end encrypted messaging clients such as Signal and WhatsApp has been broken. No, it hasn’t. Instead, the CIA has tools to gain access to entire phones, which would of course “bypass” encrypted messaging apps because it fails all other security systems virtually on the phone, granting total remote access to the agency.

The WikiLeaks documents do not show any attack particular against Signal or WhatsApp, but rather the agency hijacks the entire phone and listens in before the applications encrypt and transmit information.

It’s like you are sitting in a train next to the target and reading his 2-way text conversation on his phone or laptop while he’s still typing, this doesn’t mean that the security of the app the target is using has any issue.

In that case, it also doesn’t matter if the messages were encrypted in transit if you are already watching everything that happens on the device before any security measure comes into play.

But this also doesn’t mean that this makes the issue lighter, as noted by NSA whistleblower Edward Snowden, “This incorrectly implies CIA hacked these apps/encryption. But the docs show iOS/Android are what got hacked—a much bigger problem.”

* From The Hacker News

ENDS

Is Moxie Still An Anarchist, Are Farcebook Deliberately Hobbling WhatsApp & Does SIGNAL Leak?

Recently I wrote in a blog post “When The Privacy Advocate Becomes An Apologist For The Opponent” about the main stream media sponsored spat that had @Moxie from @WhisperSystems siding with @WhatsApp and @Facebook in a face off against @Guardian and their contributor @tobiasboelter (Security and Crypto at UC Berkeley) in a “man in the middle” versus “design” versus “vulnerability” versus “backdoor” versus “privacy” versus “convenience” versus “user experience” tit for tat.

1. Is Moxie Still An Anarchist?

I said of Moxie Marlinspike that:

“When the advocates become apologists for the mainstream then they longer deserve to be called advocates in the purest sense of the word. And Moxie does consider himself “pure”. He is not. In July 2016 Wired wrote “Meet Moxie Marlinspike, the Anarchist Bringing Encryption to All of Us” but being an “anarchist” and an ally of Zuckerberg are incompatible ideological stances.”

The blog post drew some comment on Peerlyst and elsewhere that took the debate in a number of different directions that I think are worthy of note. My personal belief is that WhatsApp is a more inferior app than most people will accept and that Moxie’s stance also leads me to doubt the once unassailable position of Signal as a trustworthy option.

Peter Stone on Peerlyst commented that:

“Your assertion that Moxie‍ fundamentally is no longer an anarchist when he sides with Zuck holds. And you’re right it matters that they made this design choice, and yes it can be a threat if you have Governments in your threat model. I cannot argue with you at all. My only point, and thanks for the mention, was that it wasn’t, as such, a backdoor.”

Conclusion: Moxie is not an anarchist

2. Are Farcebook Deliberately Hobbling WhatsApp?

This comment led me to ask:

“I agree with you Peter and my post is only expressing my view from the lens of being one of those “crypto geeks” that you and Dave Howe were discussing on the original thread. I accept all of the points that you both make about barriers to entry / usage and cost factors for “average” users in adopting escalating levels of security. But would you agree with the statement that:

“WhatsApp have made a design choice that can be exploited as a backdoor – the rest is semantics”?

Any takers?”

Boelter in his articles laments the fact that Farcebook, after being notified of the weakness in the “design-choices” that they had made for WhatsApp, still refused to take action.

This to me betrays an unwillingness to properly secure the platform for whatever reason and while I accept that a legitimate interim position between releases of a product is to state “it is good enough – for now – but lets see if we can make it even better” that does not seem to be what the Farcebook approach is to ongoing WhatsApp app hardening.

I really liked what Dave Howe had to say in reply to my original comment:

“I can agree totally on the first part of that. WhatsApp have made a design choice that can be exploited as a backdoor.

In fact, I would go further; WhatsApp have made a series of poor design choices which impact severely the security of the solution.

The first is that mail will be retransmitted without an option to block if a new device is added.

The second is that a new device can be added and, by default, this will be silently accepted by the system, and

The third is that the account holder has no reliable way to know a new device was added unless WhatsApp notify them – which of course for a TLA “listening tap” will not happen.

However, “the rest is semantics” I disagree with.

The impact of these poor choices is severe, but the solution is still better than it was before the protocol was added, and more importantly, now WhatsApp is aware of the mistake, it is in a position to fix it.

The detail is therefore important, and while a lot of crypto purists would class anything not a provable success as an abject failure, a more pragmatic security enthusiast will take any improvement as an improvement, and work to build on that platform.

Similarly, to a purist, a system is broken if, given a compute cube the size of the moon, you could break a message on average every thousand years or so – while a pragmatist would say “it’s good enough – for now – but lets see if we can make it even better”

We need to push them to get better. If nothing else, this “backdoor” publicity put this in the public eye (only for Brexit and Trump to push it back under cover of course).

I have to wonder if there is some sort of instruction preventing them from doing so – I know they can insist on that in the UK now, but I wasn’t aware this was true in the US yet (See my blog post Silencing the Canary & The Key Powers & Reach of The IPA)

Solution is obvious though – increase user choice, and make it so they can turn that *off* if they want to, not off by default.

New device added? Have confirmation of new devices as an option.

Until confirmed, new messages will *not* be encoded to the new key, so you can email the old keyset asking if they really have added a new device.

Options can have “auto accept” “ask” and “deny” with the default set to “ask”.

Unacknowledged messages? Have that only resend if the new device is confirmed, and not until; that takes care of that problem too.

If users then choose to disable the “annoying popup” then that’s their choice, not something imposed on them by Farcebook.”

Aside from the poor “design choices” that are covered in “When The Privacy Advocate Becomes An Apologist For The Opponent” and above by Dave here are a few more “design choices” WhatsApp chose not to include from the SIGNAL protocol:

Ability To Password Protect The WhatsApp App

WhatsApp does not have any password system built into the app. WhatsApp say there are many apps in the Google Play store that provide that functionality so just tag on a third party app to make it even weaker

screen-shot-2017-02-01-at-20-41-45

“Disappearing Messages” Option in WhatsApp 

There is no “disappearing messages” option in WhatsApp.

Conclusion: Yes Farcebook are deliberately hobbling WhatsApp IMHO. Their reasons? I do not know but I do not accept “user experience” as a justification.

3. Does SIGNAL Leak? 

Would anyone care to comment on this statement regarding the signal app and “leakage”:

“Note that Open Whisper Systems, the makers of Signal, use other companies’ infrastructure to send its users alerts when they receive a new message. It uses Google on Android, and Apple on iPhone. That means information about who is receiving messages and when they were received may leak to these companies.”

Found at on a post on ELECTRONIC FRONTIER FOUNDATION Surveillance Self-Defense.

Conclusion: I don’t know

ENDS

The Irish PM, Cabinet Ministers & Head of Police Force use Gmail for Official Business

The leader of the country whose government presides over the data protection compliance of a host of global social media sites uses Gmail for government business.

Let’s just think about that for a second. The guy uses a service who in a 2013 filing, while defending a data-mining lawsuit, said that people have “no legitimate expectation of privacy in information” voluntarily turned over to third parties.

Ireland sits next door to the most surveilled society on the planet who last week passed into law the most intrusive surveillance laws ever enacted in a democracy. This is what the British have publicly declared they are willing to do to their own citizens and foreign residents and they even had the audacity to spin “that the protection of privacy is at the heart of this legislation“.

What do you think they might have in their more covert bag of tricks for use on foreign governments?

One wonders why the Irish so close to the British geographically are as so far removed from realising the national security implications of having a kindergarten knowledge level with respect to mass surveillance, industrial espionage and cyber security.

The whole sorry mess and the puerile responses from the PM’s spokespersons made to queries regarding the Irish prime minister’s use of the service were widely covered in the last two weeks by The Irish Daily Mail and The Irish Mail on Sunday in articles by  Senior Reporter Seán Dunne.

How much of Ireland’s bargaining strategy with respect to the Brexit negotiations will the British authorities possess foreknowledge of when a teeny-bopper hacker who took a few hacking 101 classes at the local tech could access the comms of the Irish politicians centrally involved in the discussion.

This blog has made it’s view of Ireland as a Privacy Advocate and the abilities of the Office of the Data Protection Commission in Ireland well known.

The office of the Data Protection Commissioner in Ireland was established under the 1988 Data Protection Act. The Data Protection Amendment Act, 2003, updated the legislation, implementing the provisions of EU Directive 95/46.

The Acts set out the general principle that individuals should be in a position to control how data relating to them is used. The Data Protection Commissioner is allegedly responsible for upholding the rights of individuals as set out in the Acts, and enforcing the obligations upon data controllers.

The Commissioner is appointed by Government and is allegedly “independent” in the exercise of his or her functions but has fallen foul several times to allegations that they are inherently political in their motives and policy.

The DPC have been censured by The High Court in Ireland regarding their a decision to refuse to investigate a data privacy complaint by Austrian law student Max Schrems against Facebook and his attempt to expose the cosy attitude to abuses of Safe Harbour.

Digital Rights Ireland have also claimed in a 2016 lawsuit that the Irish State has not properly implemented EU legislation on data protection. They claim “Ireland’s data protection authority doesn’t meet the criteria set down by the EU case law for true independence,” it added “As the Irish government has refused to acknowledge this to date, we are turning to the courts to uphold Irish and EU citizens’ fundamental rights.”

The group also claims Ireland has not properly implemented EU legislation that requires data protection authorities to be genuinely independent from the government.

DRI had previously taken a case to the Court of Justice of the European Union that led to an EU data-retention directive, then the basis for Irish law, being thrown out in 2014.

Facebook love the Irish Data Protection Commission as do all the other social media giants who not only get a free run enjoying multi-billion dollar tax breaks while the people of Ireland pay for their free ride with swingeing austerity.

Last week I received an email from Twitter and when I clicked the link I read:

“Twitter’s global operations and data transfer – Our services are a window to the world. They are primarily designed to help people share information around the world instantly. To bring you these services, we operate globally. Twitter, Inc., based in the United States, and Twitter International Company, based in Ireland, (collectively, “we”) provide the services, as explained in the Twitter Terms of Service and Privacy Policy. We have offices, partners, and service providers around the world that help to deliver the services. Your information, which we receive when you use the services, may be transferred to and stored in the United States, Ireland, and other countries where we operate, including through our offices, partners, and service providers. In some of these countries, the privacy and data protection laws and rules on when data may be accessed may differ from those in the country where you live. For a list of the locations where we have offices, please see our company information here.”

The section above that I have highlighted and italicised prompted me to tweet:

I followed this tweet up with an emailed request for clarification – which much like my many failed attempts to acquire the elusive “Blue Tick” was met with a stony silence. Which is code I think for “Please go away Mr. Penrose you are a massive pain in the neck”.

I also sent an email to the lovely Ms. Dixon, Irish Data Protection Commissioner requesting a comment. Do I need to tell you what I received? Well – just in case you own an irony bypass – I received nothing.

When regulation is in the hands of amateurs and when policy is set on subjects by people with no qualifications in the matter and when both of them are in the pay of those they are inspecting then what hope do we have really? Again recognising that some do not recognise rhetorical questions, the answer is that we have none.

END

Official Government Response to “Repeal the new Surveillance Laws (Investigatory Powers Act)” Petition

Dear Graham Penrose,

The Government has responded to the petition you signed – “Repeal the new Surveillance laws (Investigatory Powers Act)”.

Government responded:

The Investigatory Powers Act dramatically increases transparency around the use of investigatory powers. It protects both privacy and security and underwent unprecedented scrutiny before becoming law.

The Government is clear that, at a time of heightened security threat, it is essential our law enforcement, security and intelligence services have the powers they need to keep people safe.

The Investigatory Powers Act transforms the law relating to the use and oversight of Investigatory powers. It strengthens safeguards and introduces world-leading oversight arrangements.

The Act does three key things. First, it brings together powers already available to law enforcement and the security and intelligence agencies to obtain communications and data about communications. It makes these powers – and the safeguards that apply to them – clear and understandable.

Second, it radically overhauls the way these powers are authorised and overseen. It introduces a ‘double-lock’ for the most intrusive powers, including interception and all of the bulk capabilities, so warrants require the approval of a Judicial Commissioner. And it creates a powerful new Investigatory Powers Commissioner to oversee how these powers are used.

Third, it ensures powers are fit for the digital age. The Act makes a single new provision for the retention of internet connection records in order for law enforcement to identify the communications service to which a device has connected. This will restore capabilities that have been lost as a result of changes in the way people communicate.

Public scrutiny

The Bill was subject to unprecedented scrutiny prior to and during its passage.

The Bill responded to three independent reports: by David Anderson QC, the Independent Reviewer of Terrorism Legislation; by the Royal United Services Institute’s Independent Surveillance Review Panel; and by the Intelligence and Security Committee of Parliament. All three of those authoritative independent reports agreed a new law was needed.

The Government responded to the recommendations of those reports in the form of a draft Bill, published in November 2015. That draft Bill was submitted for pre-legislative scrutiny by a Joint Committee of both Houses of Parliament. The Intelligence and Security Committee and the House of Commons Science and Technology Committee conducted parallel scrutiny. Between them, those Committees received over 1,500 pages of written submissions and heard oral evidence from the Government, industry, civil liberties groups and many others. The recommendations made by those Committees informed changes to the Bill and the publication of further supporting material.

A revised Bill was introduced in the House of Commons on 1 March, and completed its passage on 16 November, meeting the timetable for legislation set by Parliament during the passage of the Data Retention and Investigatory Powers Act 2014. Over 1,700 amendments to the Bill were tabled and debated during this time.

The Government has adopted an open and consultative approach throughout the passage of this legislation, tabling or accepting a significant number of amendments in both Houses of Parliament in order to improve transparency and strengthen privacy protections. These included enhanced protections for trade unions and journalistic and legally privileged material, and the introduction of a threshold to ensure internet connection records cannot be used to investigate minor crimes.

Privacy and Oversight

The Government has placed privacy at the heart of the Investigatory Powers Act. The Act makes clear the extent to which investigatory powers may be used and the strict safeguards that apply in order to maintain privacy.

A new overarching ‘privacy clause’ was added to make absolutely clear that the protection of privacy is at the heart of this legislation. This privacy clause ensures that in each and every case a public authority must consider whether less intrusive means could be used, and must have regard to human rights and the particular sensitivity of certain information. The powers can only be exercised when it is necessary and proportionate to do so, and the Act includes tough sanctions – including the creation of new criminal offences – for those misusing the powers.
The safeguards in this Act reflect the UK’s international reputation for protecting human rights. The unprecedented transparency and the new safeguards – including the ‘double lock’ for the most sensitive powers – set an international benchmark for how the law can protect both privacy and security.

Home Office

Click this link to view the response online:

https://petition.parliament.uk/petitions/173199?reveal_response=yes

This petition has over 100,000 signatures. The Petitions Committee will consider it for a debate. They can also gather further evidence and press the government for action.

The Committee is made up of 11 MPs, from political parties in government and in opposition. It is entirely independent of the Government. Find out more about the Committee: https://petition.parliament.uk/help#petitions-committee

Thanks,
The Petitions Team
UK Government and Parliament

The “FVEY” SIGINT Espionage Alliance

The French, Belgian, Egyptian and Yemeni authorities have all in the last 12 months failed to connect the dots on available data that might have prevented or lessened the Hebdo, Bataclan, Zaventem & Maalbeek atrocities.

Some of their foreign counterparts however are part of an exclusive alliance that shares intelligence that does in many cases provide insights that the individual portions do not.

The Five Eyes intelligence alliance is led by the USA. Often abbreviated as “FVEY” the alliance comprises Australia, Canada, New Zealand, the United Kingdom, and the United States. They are bound by the multilateral UKUSA Agreement, a treaty for joint cooperation in signals intelligence.

STASI - FIVE EYES

FVEY’s origins can be traced back to the Atlantic Charter issued by the Allies to lay out their goals for a post-war world in 1945. During the Cold War, the ECHELON surveillance system was initially developed by the FVEY to monitor the communications of the former Soviet Union and the Eastern Bloc. Later, it was alleged that it was also used to monitor billions of private communications worldwide.

ECHELON’s existence was disclosed in the late 1990’s and it triggered a major debate in the European Parliament. As part of efforts in the so called War on Terror the FVEY further expanded their surveillance capabilities, with much emphasis placed on monitoring internet communications.

Snowden describes the Five Eyes as a “supra-national intelligence organisation that doesn’t answer to the known laws of its own countries”. Documents leaked by Snowden in 2013 revealed that the FVEY have been spying on one another’s citizens and sharing the collected information with each other in order to circumvent restrictive domestic regulations on surveillance of citizens.

The leaked documents also revealed the existence of numerous surveillance programs jointly operated by the Five Eyes including:

  • PRISM – Operated by the NSA together with the GCHQ and the ASD;
  • XKeyscore – Operated by the NSA with contributions from the ASD and the GCSB;
  • Tempora – Operated by the GCHQ with contributions from the NSA;
  • MUSCULAR – Operated by the GCHQ and the NSA;
  • STATEROOM – Operated by the ASD, CIA, CSEC, GCHQ, and NSA.

Despite the disclosures no amount of outrage will affect the Five Eyes which remains the most extensive known espionage alliance in history.

END.