Researchers publish secret details of cops' phone-surveillance malware


Kaspersky Labs (Russia) and Citizen Lab (University of Toronto) have independently published details of phone-hacking tools sold to police departments worldwide by the Italian firm Hacking Team (here's Kaspersky's report and Citizen Lab's). The tools can be used to attack Android, Ios, Windows Mobile and Blackberry devices, with the most sophisticated attacks reserved for Android and Ios.

The spyware can covertly record sound, images and keystrokes, capture screenshots, and access the phones' storage and GPS. The tools are designed to detect attempts to search for them and to delete themselves without a trace if they sense that they are under attack.

Hacking Team insists that its tools are only sold to "democratic" police forces, but Citizen Lab's report suggests that the tool was used by the Saudi government to target dissidents.

The means of infection is device-specific. If police have physical access, it's simple. Android devices can be attacked by infecting a PC with a virus that installs the police malware when the device is connected to it. This attack also works on jailbroken Iphones.

Read the rest

Anti-forensic mobile OS gets your phone to lie for you

In Android Anti-forensics: Modifying CyanogenMod Karl-Johan Karlsson and William Bradley Glisson present a version of the Cyanogenmod alternate operating system for Android devices, modified so that it generates plausible false data to foil forensic analysis by law enforcement. The idea is to create a mobile phone that "lies" for you so that adversaries who coerce you into letting them take a copy of its data can't find out where you've been, who you've been talking to, or what you've been talking about.

I'm interested in this project but wonder about how to make it practical for daily use. Presently, it maintains a hidden set of true data, and a trick set of false data intended to be fetched by forensic tools. Presumably, this only works until the forensic tools are modified to spot the real data. But you can conceptually imagine a phone that maintains a normal address book and SMS history, etc -- all the things that are useful to have in daily use -- but that, on a certain signal (say, when an alternate unlock code is entered, or after a certain number of failed unlock attempts) scrubs all that and replaces it with plausible deniability data.

Obviously, this kind of thing doesn't work against state-level actors who can subpoena (or coerce) your location data and call history from your carrier, but those people don't need to seize your phone in the first place.

Read the rest

US appeals court rules a warrant is required for cell phone location tracking

logo25

Big news in the fight for security and privacy in the US: the 11th Circuit Court of Appeals this week ruled that a warrant is required for cell phone location tracking.

Read the rest

Criminal website selling thousands of credit cards hijacked from PF Chang's diners


In an echo of the massive breach of credit-card numbers from Target, credit-card numbers from thousands of PF Chang's customers who used their cards at the restaurant between March and May 2014 are being sold on the criminal underground. Rescator, the criminal selling the PF Chang's customers' card, has branded his product "Ronald Reagan", and offers cards at different prices based on whether they're regular, gold or platinum cards.

Read the rest

Encrypt like a boss with the Email Self-Defense Guide


Libby writes, "Today the Free Software Foundation is releasing Email Self-Defense, a guide to personal email encryption to help everyone, including beginners, make the NSA's job a little harder. We're releasing it as part of Reset the Net, a global day of action to push back against the surveillance-industrial complex. The guide will get you encrypting your emails in under 30 minutes, and takes you all the way through sending and receiving your first encrypted email."

Email Self-Defense - a guide to fighting surveillance with GnuPG (Thanks, Libby!)

Hackers in Iran set up fake news websites in cyberattack on US

"An elaborate, three-year cyberespionage campaign against United States military contractors, members of Congress, diplomats, lobbyists and Washington-based journalists has been linked to hackers in Iran." The NYT's Nicole Perlroth has more from a report released this week by the Dallas computer security firm iSight Partners.

Massive theft of medical data in LA sparks new security moves

la-me-ln-county-data-encryption-20140527-001In Los Angeles, the theft of computers from a county contractor's office that contained personal data for over 342,000 patients has led to a call for tighter security.

Read the rest

US gov may block Chinese nationals from Defcon hacker event

A map of China is seen through a magnifying glass on a computer screen showing binary digits in Singapore in this January 2, 2014 photo illustration. Picture taken January 2, 2014. REUTERS/Edgar Su

The US government may use visa restrictions to ban hackers from China from participating in the 2014 Defcon hacker conference in Las Vegas. The move is part of a larger effort by the US to combat Chinese internet espionage.

Read the rest

Schneier: NSA's offense leaves Americans undefended

Writing in the Atlantic, Bruce Schneier explains the NSA's insane program of creating, discovering and hoarding vulnerabilities in computer systems in order to weaponize them. These vulnerabilities allow the NSA to attack its enemies (everyone), but let other states, hackers, and crooks attack Americans. The NSA claims it is "securing" cyberspace, but its dominant tactic requires that everyone be made less secure so that the NSA can attack them if they feel the need.

Read the rest

100 creeps busted in massive voyeurware sweep


More than 100 people around the world have been arrested in a coordinated sweep of RATers (people who deploy "remote access trojans" that let them spy on people through their computers cameras and mics, as well as capturing their keystrokes and files). The accused are said to have used the Blackshades trojan, which sold for $40 from bshades.eu, mostly for sexual exploitation of victims (though some were also accused of committing financial fraud).

A US District Court in Manhattan handed down indictments for Alex Yücel and Brendan Johnston, who are said to have operated bshades.eu. Yücel, a Swedish national, was arrested in Moldova and is awaiting extradition to the USA. Johnstone is alleged to have been employed by Yücel to market and support Blackshades.

Read the rest

Photo of NSA technicians sabotaging Cisco router prior to export


One of the Snowden documents published by Glenn Greenwald with the release of his new book is a photo showing an actual NSA Tailored Access Operations team sabotaging a Cisco router before it is exported, a practice reported earlier this week in a story Greenwald wrote for the Guardian.

The great irony is that this kind of sabotage is exactly the sort of thing that the USA has repeatedly accuse Chinese authorities of doing to Huawei routers, something for which we have no evidence. Unlike the photographic evidence we have here of the NSA doing this to a Cisco router.

Read the rest

Movie plot threat semifinalists announced

Bruce Schneier has announced the semifinalists in his seventh annual Movie-Plot Threat Contest, wherein contestants dream up implausible reasons to justify extreme surveillance and other lawless policing techniques like torture and indefinite detention. My favorite: Homeopathic Factoring, "The NSA, through the White House's Office of Faith Based and Community Initiatives formed a partnership with Zicam Digital to explore and exploit homeopathic techniques for advanced cryptanalysis."

Read the rest

Estonia's online voting system is horrifically insecure and can't be trusted

Jason Kitcat writes, "I'm currently in Tallinn, Estonia as part of a team of independent security and elections researchers sharing our findings that the Estonian online e-voting system has serious flaws. We monitored the e-voting system in live use as accredited observers during municipal elections in October 2013. Then, using the source code the Estonian National Election Committee publishes, a replica of the system was built at the University of Michigan."

Read the rest

16 year old Canadian arrested for over 30 "swattings"


A 16-year-old Canadian male has been arrested for calling in over 30 "swattings," bomb threats and other hoax calls to emergency services in North America. The young man is alleged to be the operator of @ProbablyOnion on Twitter, which had previously advertised swattings (sending SWAT teams to your enemies' homes by reporting phony hostage-takings there, advising police that someone matching your victim's description is on the scene, armed and out of control) as a service, and had bragged of swatting computer crime journalism Brian Krebs twice. Krebs had previously caught a kid who swatted him, and outed him to his father -- this may have made him a target for other swatters.

Read the rest

Forged certificates common in HTTPS sessions

In Analyzing Forged SSL Certificates in the Wild [PDF] a paper authored by researchers at CMU and Facebook, we learn that "a small but significant percentage" of HTTPS connections are made using forged certificates generated by adware and malware. Disturbingly, some of this malware may be working by attacking anti-virus software and stealing its keys, and the authors also speculate that anti-virus authors may be giving their keys out to governments in order to allow police to carry out man-in-the-middle attacks.

The researchers used a technique to detect forged-cert connections that has post-Heartbleed applications, since it would allow sites to discover whether their visitors are being man-in-the-middled through keys stolen before Heartbleed was widely known. This all points to a larger problem with HTTPS, which has been under increased scrutiny since Heartbleed, but whose defects were well understood within the security community for a long time. I co-wrote this editorial for Nature with Ben Laurie in 2012 describing a system called "Certificate Transparency" that makes it easier to audit and remediate problems with SSL certificates, which Google is now adding to Chrome.

Read the rest