Samsung Galaxy back-door allows for over-the-air filesystem access


Developers from the Replicant project (a free Android offshoot) have documented a serious software back-door in Samsung's Android phones, which "provides remote access to the data stored on the device." They believe it is "likely" that the backdoor could provide "over-the-air remote control" to "access the phone's file system."

At issue is Samsung's proprietary IPC protocol, used in its modems. This protocol implements a set of commands called "RFS commands." The Replicant team says that it can't find "any particular legitimacy nor relevant use-case" for adding these commands, but adds that "it is possible that these were added for legitimate purposes, without the intent of doing harm by providing a back-door. Nevertheless, the result is the same and it allows the modem to access the phone's storage."

The Replicant site includes proof-of-concept sourcecode for a program that will access the file-system over the modem. Replicant has created a replacement for the relevant Samsung software that does not allow for back-door access.

Read the rest

How the NSA plans to automatically infect "millions" of computers with spyware




A new Snowden leak, detailed in a long, fascinating piece in The Intercept, explains the NSA's TURBINE initiative, intended to automate malicious software infections. These infections -- called "implants" in spy jargon -- have historically been carried out on a narrow, surgical scale, targeted at people of demonstrated value to spies, due to the expense and difficulty of arranging the attacks.

But TURBINE, which was carried out with other "Five Eyes" spy agencies as part of the NSA's $67.6M "Owning the Net" plan, is intended to automate the infection process, allowing for "millions" of infections at once.

The article mentions an internal NSA message-board posting called "I hunt sys admins," sheds some light on the surveillance practices at the NSA. In the post, an NSA operative explains that he targets systems administrators at companies, especially telecoms companies, as a "means to an end" -- that is, infiltrating the companies' networks. As Glenn Greenwald and Ryan Gallagher point out, this admission shows that malware attacks are not targeted solely or even particularly at people suspected of terrorism or other crimes -- rather, they are aimed at the people who maintain the infrastructure of critical networks and systems to allow the NSA to control those systems.

The malware that TURBINE implants can compromise systems in a variety of ways, including hijacking computer cameras and microphones, harvesting Web-browsing history and email traffic, logging passwords and other keystrokes, etc.

Read the rest

Security as a public health discipline, not an engineering one

In my latest Guardian column, If GCHQ wants to improve national security it must fix our technology, I argue that computer security isn't really an engineering issue, it's a public health issue. As with public health, it's more important to be sure that our pathogens are disclosed, understood and disclosed than it is to keep them secret so we can use them against our enemies.

Read the rest

Break up the NSA and save American spooks from themselves

On CNN, Bruce Schneier lays out the current organizational structure of the NSA, dividing its activities in to three categories: spying on specific people; spying on everyone; and breaking the Internet to make spying easier. He then proposes a new structure for the American intelligence apparat: move spying on specific people to a totally separate US Cyber Command under the DoD ("attacking enemy networks is an offensive military operation, and should be part of an offensive military unit"); move spying on Americans to the FBI and create safeguards to be sure this is done in accord with the law and the Constitution; and terminate the NSA's program of undermining security.

Instead, put the NSA in charge of improving the security of Internet users -- including American residents, businesses and government agencies -- so that the nation is resilient. As Schneier writes: "We need the NSA's expertise to secure our social networks, business systems, computers, phones and critical infrastructure. Just recall the recent incidents of hacked accounts -- from Target to Kickstarter. What once seemed occasional now seems routine. Any NSA work to secure our networks and infrastructure can be done openly -- no secrecy required."

Read the rest

Bletchley Park's new management chucks out long-term volunteers

Here's more bad news from historic computing site Bletchley Park, where a new, slick museum is being put together with enormous corporate and state funding. Last month, it was the fact that McAfee had apparently banned any mention of Edward Snowden in a cybersecurity exhibit.

Now there's this heartrending BBC report on how volunteers who've given decades of service to Bletchley have been summarily dismissed because they don't fit in with the new plan. The museum of Churchill memoribilia that shared the Bletchley site has been evicted.

For people like me who've donated over the years, fundraised for it, and joined the Friends of Bletchley, this is really distressing news. I've always dreamt of Bletchley getting enough funding to do the site and its collection justice, but if it comes at the expense of decency and integrity, they may as well have left it as Churchill did -- abandoned and forgotten.

Update: Bletchley Trust has clarified to me that while this volunteer was dismissed from guiding tours because he refused to conduct the tour to the new spec, he still volunteers with the Trust in its educational department.

BBC News Bletchley Park s bitter dispute over its future (via /.)

How to configure Chrome to stop websites from bugging you with your computer's microphone and camera


Under Chrome's security model, a website that gets your permission to access your mic and camera once keeps it forever, regardless of which page is loaded -- so you might authorize an app running on one page of Github to use your mic, and thereafter, every Github page you visit can listen in on you automatically, without you getting any indication that this is going on. Google maintains that this is the right way for Chrome to behave -- that it complies with the relevant W3C standard.

Google has created a fix for this, but have not pushed it to Chrome users. If you want to protect your camera and mic from sneaky or unintended remote operation and you use Chrome, you'll need to take some extraordinary measures, which are laid out in this Lifehacker post. The simplest thing is to disable camera/mic access in Chrome altogether, but that sucks if there are some instances in which you'd like to have them switched on.

Read the rest

HOPE X call for participation now open

Emmanuel Goldstein from 2600 Magazine writes, "The call for participation at HOPE X in New York City is now open. There is room for over 100 talks and panels, dozens of workshops, and all kinds of creative artwork with hacker overtones. This is expected to be one of the largest conferences dealing with hacking, whistleblowing, social change, surveillance, and new technology ever presented in the United States. There will be no government agency recruiters, no commercial exploitation, and no shortage of controversy. The doors are now open for imaginative ideas at this very crucial point in hacker (and human) history. HOPE X takes place July 18-20, 2014 at the Hotel Pennsylvania in New York City." Cory 1

Teach your rooted Android phones to lie to apps about whether it's rooted

There's a funny paradox in rooting your Android phone. Once you take total control over your phone, some apps refuse to run, because they're trying to do something that treats you as untrusted. Now there's a utility called Rootcloak that lets you tell your rooted phone to lie to apps about whether it is rooted. It's both long overdue and a neat demonstration of what it means to be root on a computer. Cory 10

Your refrigerator probably hasn't joined a botnet


A mediagenic press-release from Proofpoint, a security firm, announced that its researchers had discovered a 100,000-device-strong botnet made up of hacked "Internet of Things" appliances, such as refrigerators. The story's very interesting, but also wildly implausible as Ars Technica's Dan Goodin explains.

The report is light on technical details, and the details that the company supplied to Goodin later just don't add up. Nevertheless, the idea of embedded systems being recruited to botnets isn't inherently implausible, and some of the attacks that Ang Cui has demonstrated scare the heck out of me.

For more speculation, see my story The Brave Little Toaster, from MIT's TRSF.

Read the rest

Details about the malware used to attack Target's point-of-sale machines


The news that Target stores lost 110 million customers' credit card details in a hacker intrusion has illustrated just how grave a risk malicious software presents to the average person and the businesses they patronize. Brian Krebs has good, early details on the software that the hackers used on infected point-of-sale terminals at Target, and some good investigative guesses about who planted it there and how they operated it.

Krebs suggests that a Russian hacker called "Antikiller" may be implicated in the Target hack, and that Antikiller is, in any event, the author of the malware used against the point-of-sale systems.

Read the rest

HEADWATER: NSA program for sabotaging Huawei routers over the Internet


Bruce Schneier leads a discussion of HEADWATER, the NSA's tool for compromising Huawei routers over the Internet and turning them into snoops. It's one of the entries from the notorious TAO catalog:

Read the rest

Victorian Transport Department calls cops on 16 year old for reporting bug that exposed customers' personal data

Last month, around Christmas, a sixteen-year-old Australian named Joshua Rogers living in Victoria told the Transport Department that its Metlink website was exposing the sensitive details of over 600,000 transit users, including "full names, addresses, home and mobile phone numbers, email addresses, dates of birth, and a nine-digit extract of credit card numbers."

He waited two weeks, but after he had not heard from Metlink -- and as the data exposure was ongoing -- he went to the national newspaper The Age, who called the Transport Department for comment. Whereupon the Transport Department called the police, who arrested the teenager.

It may be that the mistake that exposed all this sensitive data was an "honest" one -- after all, there's no experimental methodology for verifying security apart from telling people what you're doing and asking them to poke holes in it. Security is a process, not a product.

But that means that anyone who keeps sensitive public information on hand has a duty to take bug reports about vulnerabilities seriously, and to act on them quickly. Killing (or arresting) the messenger is absolutely unforgivable, not merely because of the injustice to this one person, but because it creates a chilling effect on all future bug-reporters, and not just for your service, but for all of them.

The Transport Department hasn't only unjustly punished an innocent person; it hasn't only weakened its own security; it hasn't only failed in its duty to its customers -- it has struck a blow against the very idea of security itself, and harmed us all.

Read the rest

Senior execs are the biggest risk to IT security

Stroz Friedberg, a risk-management consultancy, commissioned a survey [PDF] of information handling practices in businesses that concluded that senior managers are the greatest risk to information security within companies.

Read the rest

Hackers vs the NSA in 1986

Emmanuel Goldstein from 2600 Magazine sez, "It shouldn't be that surprising, but Volume Three of The Hacker Digest contains all kinds of news items and articles concerning the National Security Agency, its attempts to control encryption, and the threat of surveillance. This was the hacker world of 1986."

Read the rest

NSA has a 50-page catalog of exploits for software, hardware, and firmware

A Snowden leak accompanying today's story on the NSA's Tailored Access Operations group (TAO) details the NSA's toolbox of exploits, developed by an NSA group called ANT (Advanced or Access Network Technology).

ANT's catalog runs to 50 pages, and lists electronic break-in tools, wiretaps, and other spook toys. For example, the catalog offers FEEDTROUGH, an exploit kit for Juniper Networks' firewalls; gimmicked monitor cables that leak video-signals; BIOS-based malware that compromises the computer even before the operating system is loaded; and compromised firmware for hard drives from Western Digital, Seagate, Maxtor and Samsung.

Many of the exploited products are made by American companies, and hundreds of millions of everyday people are at risk from the unpatched vulnerabilities that the NSA has discovered in their products.

Read the rest