Xiaomi phones are pre-backdoored; your apps can be silently overwritten

Thijs Broenink audited the AnalyticsCore.apk app that ships pre-installed on all Xiaomi phones (Xiaomi has their own Android fork with a different set of preinstalled apps) and discovered that the app, which seemingly serves no useful purpose, allows the manufacturer to silently install other code on your phone, with unlimited privileges and access. Read the rest

In a leaked "weaponized information" catalog, Indian cyberarms dealer offers blackest-ever SEO

In 2014, an Indian company called Aglaya brought a 20-page brochure to ISS World (AKA the Wiretappers' Ball -- the annual trade fair where governments shop for surveillance technology): the brochure laid out the company's offerings, which ranged from mobile malware for iOS and Android to a unique "Weaponized Information" selection that combined denial-of-service with disinformation to "discredit a target" online. Read the rest

The DoJ is using a boring procedure to secure the right to unleash malware on the internet

The upcoming Rule 41 modifications to US Criminal Justice procedure underway at the Department of Justice will let the FBI hack computers in secret, with impunity, using dangerous tools that are off-limits to independent scrutiny -- all without Congressional approval and all at a moment at which America needs its law-enforcement community to be strengthening the nation's computers, not hoarding and weaponizing defects that put us all at risk. Read the rest

Leaked catalog from UK surveillance arms-dealer full of gadgets sold to US cops

Cobham PLC is a surveillance vendor who sells to some of the world's most egregious human rights abusing governments; in 2014, they provided a catalog of cyberweapons and spy tools to Florida Department of Law Enforcement, from whom it leaked. Read the rest

Watch: leaked demo of malware offered to spying governments

Someone captured and leaked a live presentation by an RCS sales tech, demonstrating his company's cyber-weapon for spying on dissidents, criminals, and whomever else the customer wanted to infect. Read the rest

1 billion computer monitors vulnerable to undetectable firmware attacks

A team led by Ang Cui -- the guy who showed how he could take over your LAN by sending a print-job to your printer -- has presented research at Defcon, showing that malware on your computer can poison your monitor's firmware, creating nearly undetectable malware implants that can trick users by displaying fake information, and spy on the information being sent to the screen. Read the rest

EFF and partners reveal Kazakh government phished journalists, opposition politicians

At Defcon, researchers from the Electronic Frontier Foundation, First Look Media and Amnesty International revealed their findings on a major phishing attack through which the government of Kazakhstan was able to hack opposition journalists and arrange for an opposition politician's extradition from exile in Italy to Kazakhstan. Read the rest

Russian bill mandates backdoors in all communications apps

A pending "anti-terrorism" bill in the Duma would require all apps to contain backdoors to allow the secret police to spy on the country's messaging, in order to prevent teenagers from being "brainwashed" to "murder police officers." Read the rest

United Arab Emirates hacked UK journalist

A new research report from Citizen Lab painstakingly traces the origins of a series of sophisticated hacking attacks launched at Rori Donaghy, a UK journalist for Middle East Eye who founded the Emirates Center for Human Rights, which reports critically on the autocratic regime that runs the UAE, and 27 other targets. Read the rest

The UK government's voice-over-IP standard is designed to be backdoored

GCHQ, the UK's spy agency, designed a security protocol for voice-calling called MIKEY-SAKKE and announced that they'll only certify VoIP systems as secure if they use MIKEY-SAKKE, and it's being marketed as "government-grade security." Read the rest

If the FBI can force decryption backdoors, why not backdoors to turn on your phone's camera?

Eddy Cue, Apple's head of services, has warned that if the FBI wins its case and can force Apple to produce custom software to help break into locked phones, there's nothing in principle that would stop it from seeking similar orders for custom firmware to remotely spy on users through their phones' cameras and microphones. Read the rest

Racial justice organizers to FBI vs Apple judge: crypto matters to #blacklivesmatter

Phenomena like the Harlem Cryptoparty demonstrate the connection between racial justice and cryptography -- civil rights organizers remember that the FBI spied on and blackmailed Martin Luther King, sending him vile notes encouraging him to kill himself. Read the rest

DoD wants $660M to respond to Freedom of Information request on "Hotplugs"

The Department of Defense sent Muckrock a demand for $660 million as a requirement for fulfilling a Freedom of Information Act request for records about the Hotplug, a gadget that allows you to transport computers without shutting them down -- used by law enforcement to move suspect computers to forensic facilities without shutting them down and potentially parking drives in an encrypted state. Read the rest

Wanting it badly isn't enough: backdoors and weakened crypto threaten the net

As you know, Apple just said no to the FBI's request for a backdoor in the iPhone, bringing more public attention to the already hot discussion on encryption, civil liberties, and whether “those in authority” should have the ability to see private content and communications -- what's referred to as “exceptional access.”[1]

Juniper blinks: firewall will nuke the NSA's favorite random number generator

In the month since network security giant Juniper Networks was forced to admit that its products had NSA-linked backdoors, the company's tried a lot of different strategies: minimizing assurances, apologies, firmware updates -- everything, that is, except for removing the Dual_EC random number generator that is widely understood to have been compromised by the NSA. Read the rest

Juniper's products are still insecure; more evidence that the company was complicit

It's been a month since Juniper admitted that its firewalls had back-doors in them, possibly inserted by (or to aid) US intelligence agencies. In the month since, Juniper has failed to comprehensively seal those doors, and more suspicious information has come to light. Read the rest

If you think self-driving cars have a Trolley Problem, you're asking the wrong questions

In my latest Guardian column, The problem with self-driving cars: who controls the code?, I take issue with the "Trolley Problem" as applied to autonomous vehicles, which asks, if your car has to choose between a maneuver that kills you and one that kills other people, which one should it be programmed to do? Read the rest