Tag Archives: Hacking

Software Industry Greed is Driving the Assault on our Privacy & Security

The motivation to release software, without proper testing, in order to generate a quick buck is as much of a threat to our security and privacy as the activities of hackers and alphabet agencies. It is time that software companies started to pay the price for the sorry mess that their greed is helping to create.

Once upon a time these matters could be considered in isolation but with the “Internet of Things” connecting millions more devices every day we are headed for a world that will have 28 billion IoT devices by 2020.

Consumer concern will not halt the rollout. A staggeringly high number of consumers hold serious concerns about the possibility of their information getting stolen from everyday devices – their smart home, their tablet, their laptop. One would think therefore that this concern would pressure software manufacturers to be more rigorous in their pre-GA testing activities. Not so.

Why? Because so much of this IoT stuff is embedded and consumer awareness is mainly limited to the high profile exposures. Consumers are not hesitating to purchase connected devices because consumers do not know that the devices are connected.

Samsung’s SmartThings smart home platform is a leaky colander of loosely connected hack prone software. IoT security hardening is not just about the particular application but also about building security into the network connections that link applications and that link devices.

And then there is the “Data”. The amount of this stuff that is generated by IoT is intractably large. As few as 10,000 households can generate 215 million discrete data points every day. This creates more entry points for hackers and leaves sensitive information vulnerable.

The number and variety of privacy attack vectors becomes unmanageable very quickly. From the CIA hacking your Samsung TV, uBeacons doing their bit (uXDT & Audio Beacons – Introduce your Paranoia to your Imagination), hackers controlling your car, it’s a worryingly real threat to the personal security and privacy of every one of us.

If the CIA’s Directorate of Digital Innovation (DDI), who are tasked with delivering cyber-espionage tools and intelligence gathering capabilities, cannot even secure their own USB drives then what chance do the rest of us have.

Unfortunately the answer is that we have no chance.

ENDS 

Mass Surveillance & The Oxford Comma Analogy

Acknowledgments, Contributions & References: This blog post was written in collaboration with and using contributions from Mr. Dean Webb (find Dean’s profile on PeerLyst). The clever and insightful bits are all Dean, the space fillers and punctuation are mine – except the “Oxford Comma” analogy, which even though it is lifted from @Grammarly on Twitter, is mine – and I like it (a lot). Enjoy.

Who Do We Like, Who Do We Dislike (Today)

Wearable tech is on its way, for surveillance during times when one is away from the vidscreen. But we need this stuff in order to protect against Eurasia. We have always been at war with Eurasia. We will always be at war with Eurasia until 20 January, at noon. Then we will always have been at war with Eastasia. And then we will need all this stuff to protect against Eastasia.

On a more serious note, anonymity has been dead for quite some time. As an example, about 10 years ago Dean Webb was running a web forum for students involved in an academic competition.

He and other teachers had volunteered to be admins for the board. They had a student that began to harass others on the board and post some highly inappropriate material. They banned his account, and he would connect again with another account.

So, Dean took down the IP addresses he’d used for his accounts and did a quick lookup on their ownership. They were at a certain university, so he contacted that university with the information and the times of access and they were able to determine which student was involved.

He was told to stop posting, or face discipline at the university. That got him to stop.

Simple Methods, Complex Implications

The point is, that IP address and timestamp for most people is going to be what gets them in the end. They don’t know what a VPN is from a hole in the ground, let alone what a TOR node is.

At best, most of them will use a browser in anonymous / incognito mode, without realising that cookies are still retained and updated, credit card transactions remain on the record, and ISPs will still retain IP address information with timestamps.

It could be argued that a Layer 2 hijacking of someone else’s line is the way to go anonymously, but that involves a physical alteration of someone’s gear, and that means physical evidence, which is very difficult to erase completely.

Even if anonymity is not completely dead (mostly dead, perhaps?), it is certainly outside the reach of most people because they lack general IT knowledge about the basics of the Internet.

I (Graham) was met with the following comment when I posted a tweet some time before Xmas 2016 about Identity Theft:

“despite the hysteria the theft of most peoples personal information is / will be inconsequential”

The use of the word “inconsequential” by the commenter on my post reminded me of the hilarious Doctor Evil therapy session monologue in the Austin Powers movie when Doctor Evil stated, when asked about his life, that “the details of my life are quite inconsequential”. But 60 seconds of monologue later it was quite clear that they were far from “inconsequential” – it is a matter of perspective as to what is and what is not. That is the problem. And that is the potential worry.

Threat Awareness & Counter Measures

The vast majority of people and their browsing habits are innocuous. The point though that the comment misses and which is the point that Dean makes in his comments about the average John Q. Citizen’s awareness of the threats and the countermeasures available is that the public in general has moved their private communications on to a platform where they do not understand the implications of the ability of externals to eavesdrop or to store and reference data at a future point.

There was a blog post I (Graham) made some time ago about the risk of “profiling” and of “false positives” and the threat that they posed especially with respect to miscarriages of justice. (See “The Sword of Islam” story below)

The point is not whether “the theft of most peoples personal information is / will be inconsequential” or the storage of most peoples browsing history or contacts with other parties is / will be inconsequential or not – the point is that it can be made to look very different to what was actually happening originally.

Like a misquoted partial comment in a newspaper article – actions taken out of context can look very different.

The Oxford Comma Analogy

Recently I posted a tweet about the Oxford comma and it does indirectly inform the point that I am trying to make here:

Excerpt begins from Grammarly

“Unless you’re writing for a particular publication or drafting an essay for school, whether or not you use the Oxford comma is generally up to you. However, omitting it can sometimes cause some strange misunderstandings.

“I love my parents, Lady Gaga and Humpty Dumpty.”

Without the Oxford comma, the sentence above could be interpreted as stating that you love your parents, and your parents are Lady Gaga and Humpty Dumpty. Here’s the same sentence with the Oxford comma:

“I love my parents, Lady Gaga, and Humpty Dumpty.”

Those who oppose the Oxford comma argue that rephrasing an already unclear sentence can solve the same problems that using the Oxford comma does. For example:

“I love my parents, Lady Gaga and Humpty Dumpty.”

could be rewritten as:

“I love Lady Gaga, Humpty Dumpty and my parents.”

Excerpt Ends

The analogy serves to demonstrate one of the main concerns of mass surveillance and mass retention of user data. People are now being profiled and tracked and their behaviours stored and analysed and they do not know why or by whom or for what purpose – they barely understand how to use a browser.

In the wrong hands that potentially makes them cannon fodder. Accuse me of being alarmist and dramatic – fair enough – so did everyone four years ago when I wrote about mass immigration as a weapon, the rise of radical Islam and the dangers of the USA supporting a sectarian Shi’a government in Baghdad, the marginalisation of Sunnis and the Ba’ath party, the randomness of the Arab Spring, the threat of Libya turning into a terrorist haven and so on.

The point is people ignore these developments at their peril but you may as well be talking to a concrete block. You can make all the compelling philosophical points that you like to someone but if they do not have the capacity to understand them then you are wasting your time.

And most of our politicians fall into that category.

Mass Profiling, Mass Surveillance Will Be Inconsequential Until It Isn’t

Dean once met a man named Saifal Islam. He has a devil of a time getting on an airplane because a terror group has the same name – “Sword of Islam”.

He is constantly explaining that the man (him) isn’t the group (them) and that he’s had his name longer than they’ve had theirs. That, yes, the group (them) should be banned from getting on airplanes, but that, no, the man (him) should be allowed on the plane.

Hell of a false positive, and that’s not the only one. Mismatches on felon voting lists, warrants served to the wrong address for no-knock police invasions, people told that they can’t renew driver’s licenses because they’re dead, the list goes on.

Be happy in the knowledge though that your data is apparently “inconsequential” and this privacy debate and the growing intrusion on your personal life is all “hysterical” alarmism.

You can use that statement when you are in the dock defending your very own hysterical “false positive” – no charge.

The next post will be “KarmaWare & Thieves of Thoughts” again in collaboration with Mr. Dean Webb.

ENDS

The Irish PM, Cabinet Ministers & Head of Police Force use Gmail for Official Business

The leader of the country whose government presides over the data protection compliance of a host of global social media sites uses Gmail for government business.

Let’s just think about that for a second. The guy uses a service who in a 2013 filing, while defending a data-mining lawsuit, said that people have “no legitimate expectation of privacy in information” voluntarily turned over to third parties.

Ireland sits next door to the most surveilled society on the planet who last week passed into law the most intrusive surveillance laws ever enacted in a democracy. This is what the British have publicly declared they are willing to do to their own citizens and foreign residents and they even had the audacity to spin “that the protection of privacy is at the heart of this legislation“.

What do you think they might have in their more covert bag of tricks for use on foreign governments?

One wonders why the Irish so close to the British geographically are as so far removed from realising the national security implications of having a kindergarten knowledge level with respect to mass surveillance, industrial espionage and cyber security.

The whole sorry mess and the puerile responses from the PM’s spokespersons made to queries regarding the Irish prime minister’s use of the service were widely covered in the last two weeks by The Irish Daily Mail and The Irish Mail on Sunday in articles by  Senior Reporter Seán Dunne.

How much of Ireland’s bargaining strategy with respect to the Brexit negotiations will the British authorities possess foreknowledge of when a teeny-bopper hacker who took a few hacking 101 classes at the local tech could access the comms of the Irish politicians centrally involved in the discussion.

This blog has made it’s view of Ireland as a Privacy Advocate and the abilities of the Office of the Data Protection Commission in Ireland well known.

The office of the Data Protection Commissioner in Ireland was established under the 1988 Data Protection Act. The Data Protection Amendment Act, 2003, updated the legislation, implementing the provisions of EU Directive 95/46.

The Acts set out the general principle that individuals should be in a position to control how data relating to them is used. The Data Protection Commissioner is allegedly responsible for upholding the rights of individuals as set out in the Acts, and enforcing the obligations upon data controllers.

The Commissioner is appointed by Government and is allegedly “independent” in the exercise of his or her functions but has fallen foul several times to allegations that they are inherently political in their motives and policy.

The DPC have been censured by The High Court in Ireland regarding their a decision to refuse to investigate a data privacy complaint by Austrian law student Max Schrems against Facebook and his attempt to expose the cosy attitude to abuses of Safe Harbour.

Digital Rights Ireland have also claimed in a 2016 lawsuit that the Irish State has not properly implemented EU legislation on data protection. They claim “Ireland’s data protection authority doesn’t meet the criteria set down by the EU case law for true independence,” it added “As the Irish government has refused to acknowledge this to date, we are turning to the courts to uphold Irish and EU citizens’ fundamental rights.”

The group also claims Ireland has not properly implemented EU legislation that requires data protection authorities to be genuinely independent from the government.

DRI had previously taken a case to the Court of Justice of the European Union that led to an EU data-retention directive, then the basis for Irish law, being thrown out in 2014.

Facebook love the Irish Data Protection Commission as do all the other social media giants who not only get a free run enjoying multi-billion dollar tax breaks while the people of Ireland pay for their free ride with swingeing austerity.

Last week I received an email from Twitter and when I clicked the link I read:

“Twitter’s global operations and data transfer – Our services are a window to the world. They are primarily designed to help people share information around the world instantly. To bring you these services, we operate globally. Twitter, Inc., based in the United States, and Twitter International Company, based in Ireland, (collectively, “we”) provide the services, as explained in the Twitter Terms of Service and Privacy Policy. We have offices, partners, and service providers around the world that help to deliver the services. Your information, which we receive when you use the services, may be transferred to and stored in the United States, Ireland, and other countries where we operate, including through our offices, partners, and service providers. In some of these countries, the privacy and data protection laws and rules on when data may be accessed may differ from those in the country where you live. For a list of the locations where we have offices, please see our company information here.”

The section above that I have highlighted and italicised prompted me to tweet:

I followed this tweet up with an emailed request for clarification – which much like my many failed attempts to acquire the elusive “Blue Tick” was met with a stony silence. Which is code I think for “Please go away Mr. Penrose you are a massive pain in the neck”.

I also sent an email to the lovely Ms. Dixon, Irish Data Protection Commissioner requesting a comment. Do I need to tell you what I received? Well – just in case you own an irony bypass – I received nothing.

When regulation is in the hands of amateurs and when policy is set on subjects by people with no qualifications in the matter and when both of them are in the pay of those they are inspecting then what hope do we have really? Again recognising that some do not recognise rhetorical questions, the answer is that we have none.

END

Overwatch – The Five Eyes Espionage Alliance

The “Five Eyes” (FVEY‍) is an intel‍ alliance that unifies elements of the national alphabet agencies of theunited Kingdom, the United States, Australia, canada and New Zealand and their intel gathering infrastructures.

The AA’s in each member country and the terms of their information exchange mandate is encapsulated in the multilateral‍ agreement called the “UKUSA Agreement”.

The origins of the FVEY can be traced to the closing months of World War II when the Atlantic Charter was issued by the Allies to lay out their “goals” for a post-war world.

Signals Intelligence (SIGINT)

The espionagealliance‍ was conceived in order to deliver trans- jurisdictionalcoordination‍ andcooperation‍ for signals intelligence (SIGINT‍) but has expanded into many other areas especially in the last 20 years and most aggressively since the beginning of the vaguely defined parameters of the ” War‍ on Terror‍ “.

Not just a reactive program it is specifically proactive. The FVEY can count in many thousands theirdeployment of various rootkit‍ hacks, backdoors‍ , trojans‍ , worms‍ , spyware‍ , malware‍ , keystroke logging, PGP private key reversal and voice comms undermining projects. It has an eye watering arsenal of BH tactics‍ at its disposal. Take a peak at a tiny subset of them here .

GEMALTO & Public Scrutiny

But probably their most effective hack was undermining the integrity of sim card encryption after the highly successful (for them) Gemalto hack.

No citizen based protests or national laws or international regulations or Privacy advocates or leaks or “net neutrality” activists or whistleblowers will ever affect the activities of the Five Eyes.

It is and will remain the most pervasive, extensive, expansive and secretive (independent and to the large part unregulated) espionage alliance in history.

The ECHELON Program

During the course of the Cold War, the ECHELONsurveillance‍ system was initially developed by the FVEY to monitor the communications of the USSR‍ and European countries on the wrong side of the Iron Curtain.

The FVEY has been accused of monitor trillions of privatecommunications‍ worldwide.

In the late 1990s, the existence of ECHELON was disclosed and triggered a major debate in brusselsand to a lesser extent in Congress. As part of efforts in the ongoing, vaguely defined, War on Terror since 2001, the FVEY further expanded their surveillance‍ capabilities.

Internet Backbone

The bulk of the current focus is placed on monitoring digital comms across the internet backbones and much if not all of the cables delivering the service have FVEY listeners at the receiving stations and national termination points and not just in the member countries.

The current face-off between the US and china in South East asia – aside from the sabre rattling over the Paracel & Spratly issue and Chinese territorial claims in the South China Sea – is who will get to deliver and therefore control the internet backbone to Cambodia, terminating in Sihanoukville.

That cable will service the needs of the region (Laos, Myanmar, Thailand, Vietnam, Cambodia, and unofficially parts of China, Malaysia, Indonesia and Singapore)

Snowden (Again)

NSAwhistleblower / traitor (depending on your viewpoint) edward snowden described the Five Eyes as asupranational‍ intelligence organisation that doesn’t answer to the known laws of its own countries”.

Snowden’s leaks revealed that the alliance were spying on one another’s citizens and sharing the collected information with each other in order to circumvent restrictive domesticregulations‍ on surveillance of sovereign nations’ citizens in “peace time”.

Again the definition of “peace time” and its current status is in the eye of the beholder so to speak.

The Main Surveillance Programs

The main surveillance programs jointly operated by the Five Eyes are:

  • PRISM‍ – Operated by the NSA‍ together with the GCHQ‍ and the ASD
  • XKEYSCORE‍ – Operated by the NSA with contributions from the ASD and the GCSB
  • Tempora‍ – Operated by the GCHQ with contributions from the NSA
  • MUSCULAR‍ – Operated by the GCHQ and the NSA
  • STATEROOM‍ – Operated by the ASD, CIA‍ , csec‍ , GCHQ, and NSA

END

Privacy‍ , National Security

uXDT & Audio Beacons – Introduce your Paranoia to your Imagination

Ultrasonic‍ cross-device tracking‍ (uXDT‍) apparently represents an apocalyptic threat to privacy‍ . The techis being embedded in many apps but despite its significant intrusive abilities it is not complying – in most cases it would seem – with explicit consumer optin‍ / optout‍ choices.

At best it is an underhand advertising trick, at worst it stands to become one of the alphabet agencies handiest IoT mass surveillance piggybacking collection methods for device ownership cross referencing and tracking.

What the debate regarding uXDT and audio beacons does indicate though is that as IOTdevices expand exponentially they are accompanied by many little known and little understood elements that potentially expose consumers to threats ranging from low level adware‍ to full scale identitytheft and in the processinadvertently or intentionally expand the toolset available for mass surveillance‍ .

The concept of cross device tracking has been pitched as every marketers wet dream. In basic terms using audio beacons it can cross reference your habits across multiple devices to tell advertisers – amongst other things – what and where you are watching TV and more importantly use that to refine advertising.

“Audio Beacons” – As Used by SilverPush

The issue with creepy emerging‍ tech is well demonstrated by Silverpush which researchers from University College london last month again alleged could expose millions of devices to malicioushacking‍ . Signal360 and Audible Magic who have attracted investment from several VC leading lights and interest from a host of major companies are also engaged in rolling out uXDT services.

Even after silverpush withdrew the previous version of their software after an FTC warning to developers in March 2016 their current website still has very vague descriptions of their service offerings which fall squarely in the “creepy” category of marketing speak.

One of their TV products for marketeers is the unfortunately and unbelievably named PRISM‍ – whose NSA‍ surveillance program namesake was the subject of the snowden‍ revelations.

Chaps – I would have the marketing guys take another look at that choice of branding if I were you.

Using Inaudible Sounds To Link Device Ownership

In a Techcrunch article in 2014 SilverPush‘s original approach was explained by their CEO Hitesh Chawla. The company he said used “ultrasonic inaudible sounds.” If you are browsing and engage with a SilverPush advertiser then as they drop their cookie‍ they also ping one of those “inaudible” sounds.

You didn’t hear it but the app did and so did any app that used the SilverPush product suite. It passively listened for these sounds in the background. When an “audio beacon” was detected it was then able to establish that a desktop, laptop, phone, tablet or any other IoT device in range with the app installed belonged to the same person.

Who Uses / Used It

Sound.ly based in korea and Shopkick are other examples of a couple of startups embedding the tech in their stack. Before the FTC warning there were twelve app developers whose apps were available fordownload in the google play store who had the tech embedded in their product suites or apps.

The FTC was explicit about what it could mean for those developers “If your application enabled thirdparties to monitortelevision-viewing habits of U.S. consumers‍ and your statements or user interfacestated or implied otherwise, this could constitute a violation of the Federal Trade Commission Act,” the FTC’s letter to developers warned.

At that point several products and apps were voluntarily withdrawn.

Researching The “Threat”

There are now several research groups who have declared that they are planning to explore the uXDTecosystem‍, dig into the inner workings of popular uXDT frameworks‍, and perform an in-depth technicalanalysis‍ of the underlying technology, exposing both implementation & design vulnerabilities, and criticalsecurity‍ & Privacy shortcomings.

I look forward to reading their findings.

END

State Surveillance in Ireland Part 1: “Buddy” Warrant System & Lack of Oversight

Under the law in Ireland several agencies are completely within their rights to place you under covertsurveillance with only the permission of what is referred to in the legislation as a “Superior Officer”.

In lay man’s terms that means that some guy or gal who is a colleague or a friend of the guy or gal looking to place you under surveillance is allowed to grant the surveillance request.

And what one wonders are the qualifications of these “Superior Officers” to assess the intersection of the human and Privacy rights of Irish citizens versus random and highly intrusive surveillance requests.

The answer is that we do not know because no one will respond to questions on the issue requested via the The Freedom of Information Act 1997 (FOI) as amended by the Freedom of Information (Amendment) Act 2003 which supposedly obliges government departments and a range of other publicbodies to publish information on their activities.

There are several acts of law in Ireland that allow for the issue of serious and intrusive search and surveillance warrants by possibly unqualified individuals who serve in the very organisations seeking permission for the warrants.

This same “buddy” system of signing off serious warrants internally within the Gardai without recourse to external oversight was previously highlighted in the Section 29 warrants controversy surrounding an appeal a few years ago by radical Islamist Ali Charaf Damache.

After being arrested for conspiracy to murder, Damache’s house was searched by Gardaí on foot of a warrant signed by a Garda Detective Superintendent who was not only overseeing the investigation but also attended the search that he had issued the warrant for.

The supreme court ruled in that case that a search warrant could not be issued by a member of the Gardaí who was involved in the investigation of the same offence. The court held that if one of the investigating Gardaí issued the warrant then no independent decision-maker had a role in the issuing of the warrant and therefore this breached the constitutional right to the inviolability of the dwelling.

However, it was still ok to run down the road to a different Garda station and have some “Superior Officer” there sign off the warrant. In Ireland this is regarded as an improvement. In reality it is the same thing wearing a slightly different hat.

The fact that the legislation at that time in the form of the Offences Against the State Act gave the power for the issue of a search warrant to the Gardaí with no external oversight potentially rendered the processopen to wholesale abuse.

But we will never know what level of abuse took place or takes place because the government in Ireland and the agencies of the State refuse to publish statistics on the basic process let alone information on where catastrophic errors or abuses of these powers have led to miscarriages of justice, wrongful imprisonment or breaches of civil liberties.

The lack of oversight and reporting on the use of these powers within the Irish state is astonishing. Like many other things in Ireland when it comes to the people’s right to know what their government is doing – it is met with patronising, non-specific responses that repeatedly quote justification for stonewalling the non-disclosure of information or even basic statistics as being justified by “national security” concerns.

Part 2 is “State Surveillance in Ireland Part 2: Establishing Credibility & Demonstrating A culture of Silence”

The “FVEY” SIGINT Espionage Alliance

The French, Belgian, Egyptian and Yemeni authorities have all in the last 12 months failed to connect the dots on available data that might have prevented or lessened the Hebdo, Bataclan, Zaventem & Maalbeek atrocities.

Some of their foreign counterparts however are part of an exclusive alliance that shares intelligence that does in many cases provide insights that the individual portions do not.

The Five Eyes intelligence alliance is led by the USA. Often abbreviated as “FVEY” the alliance comprises Australia, Canada, New Zealand, the United Kingdom, and the United States. They are bound by the multilateral UKUSA Agreement, a treaty for joint cooperation in signals intelligence.

STASI - FIVE EYES

FVEY’s origins can be traced back to the Atlantic Charter issued by the Allies to lay out their goals for a post-war world in 1945. During the Cold War, the ECHELON surveillance system was initially developed by the FVEY to monitor the communications of the former Soviet Union and the Eastern Bloc. Later, it was alleged that it was also used to monitor billions of private communications worldwide.

ECHELON’s existence was disclosed in the late 1990’s and it triggered a major debate in the European Parliament. As part of efforts in the so called War on Terror the FVEY further expanded their surveillance capabilities, with much emphasis placed on monitoring internet communications.

Snowden describes the Five Eyes as a “supra-national intelligence organisation that doesn’t answer to the known laws of its own countries”. Documents leaked by Snowden in 2013 revealed that the FVEY have been spying on one another’s citizens and sharing the collected information with each other in order to circumvent restrictive domestic regulations on surveillance of citizens.

The leaked documents also revealed the existence of numerous surveillance programs jointly operated by the Five Eyes including:

  • PRISM – Operated by the NSA together with the GCHQ and the ASD;
  • XKeyscore – Operated by the NSA with contributions from the ASD and the GCSB;
  • Tempora – Operated by the GCHQ with contributions from the NSA;
  • MUSCULAR – Operated by the GCHQ and the NSA;
  • STATEROOM – Operated by the ASD, CIA, CSEC, GCHQ, and NSA.

Despite the disclosures no amount of outrage will affect the Five Eyes which remains the most extensive known espionage alliance in history.

END.