NSA, on US soil, systematically searches Americans' cross-border communications without warrants

In the New York Times today, Charlie Savage has another new, important story on the National Security Agency's surveillance programs. He reports:

Lavabit, email service Snowden reportedly used, abruptly shuts down

Remember when word circulated that Edward Snowden was using Lavabit, an email service that purports to provide better privacy and security for users than popular web-based free services like Gmail? Lavabit's owner has shut down the service, and posted a message on the lavabit.com home page today about wanting to avoid "being complicit in crimes against the American people."

According to the statement, it appears he rejected a US court order to cooperate with the government in spying on users.

The email service offered various security features to a claimed user base of 350,000, and is the first such firm to have publicly and transparently closed down, rather than cooperate with state surveillance programs. The email address Snowden (or someone sending emails on his behalf) is reported to have used to send invites to a press conference at Moscow's Sheremetyevo Airport in mid-July was a Lavabit account.

Below, the full message from Lavabit's founder and operator Ladar Levison:

Some copiers randomly change the numbers on documents

In "Xerox scanners/photocopiers randomly alter numbers in scanned documents", computer scientist David Kriesel shows that the Xerox WorkCentre 7535 changes the numbers in its scans. The copier's firmware compresses scans with JBIG2 pattern matching: it cuts the page into small symbols (individual letters and digits), stores one reference copy of each, and replaces any later symbol that looks "similar enough" with a pointer to the stored copy. When that similarity test lumps a 6 together with an 8, the scan silently comes out with the wrong digit, and nothing in the output marks the substitution. The bug also occurs in the Xerox WorkCentre 7556 and possibly other machines, and as Kriesel points out, this could mean that engineering diagrams, invoices, prescriptions, architectural drawings and other documents whose numeric values are potentially a matter of life-and-death (or at least financial stability) are being silently edited by machines we count on to produce faithful copies.
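To make the failure mode concrete, here is a toy symbol-dictionary codec in the style of JBIG2 pattern matching, added as an example for this page (it is not Kriesel's code and not Xerox firmware; the 5x7 glyph bitmaps and the similarity threshold are constructed for illustration). With a lossless threshold the digits survive; with a lossy one the encoder decides a 6 is "close enough" to the 8 it already stored, and the decoder can only stamp out what is in the dictionary:

```python
# Toy symbol-dictionary codec in the style of JBIG2 pattern matching.
# Added example for this page; not Kriesel's code and not Xerox firmware.
# The glyph bitmaps and the similarity threshold are constructed for illustration.
from typing import Dict, List, Tuple

Bitmap = Tuple[str, ...]  # rows of '.' (white) and '#' (black)

# Constructed 5x7 digit glyphs: '6' and '8' differ in only two pixels.
GLYPHS: Dict[str, List[str]] = {
    "8": [".###.", "#...#", "#...#", ".###.", "#...#", "#...#", ".###."],
    "6": [".###.", "#....", "#....", ".###.", "#...#", "#...#", ".###."],
    "0": [".###.", "#...#", "#...#", "#...#", "#...#", "#...#", ".###."],
}


def hamming(a: Bitmap, b: Bitmap) -> int:
    """Pixels that differ between two equally sized bitmaps."""
    return sum(x != y for ra, rb in zip(a, b) for x, y in zip(ra, rb))


def encode(symbols: List[Bitmap], threshold: int) -> Tuple[List[Bitmap], List[int]]:
    """Pattern-matching encoder.

    Each symbol cut from the page is compared with the dictionary built so far;
    if an entry is within `threshold` pixels it is reused (only its index is
    stored) instead of adding a new entry.  threshold=0 is lossless; anything
    larger can merge distinct characters into one stored glyph.
    """
    dictionary: List[Bitmap] = []
    indices: List[int] = []
    for sym in symbols:
        for i, entry in enumerate(dictionary):
            if hamming(sym, entry) <= threshold:
                indices.append(i)
                break
        else:
            dictionary.append(sym)
            indices.append(len(dictionary) - 1)
    return dictionary, indices


def decode(dictionary: List[Bitmap], indices: List[int]) -> List[Bitmap]:
    """The decoder can only stamp out dictionary entries; merged glyphs are gone."""
    return [dictionary[i] for i in indices]


def recognize(bm: Bitmap) -> str:
    """Read a decoded bitmap back as a digit (exact match against GLYPHS)."""
    for label, rows in GLYPHS.items():
        if tuple(rows) == bm:
            return label
    return "?"


def scan_text(text: str, threshold: int) -> str:
    """Simulate scanning a string of digits through the codec."""
    symbols = [tuple(GLYPHS[ch]) for ch in text]
    dictionary, indices = encode(symbols, threshold)
    return "".join(recognize(bm) for bm in decode(dictionary, indices))


if __name__ == "__main__":
    print(scan_text("8608", threshold=0))  # lossless: 8608
    print(scan_text("8608", threshold=2))  # lossy: 8808, the 6 became an 8
```

Which digit wins depends only on which one the encoder saw first, so the same page can come out with a 6 turned into an 8 or an 8 turned into a 6; the output carries no marker that a substitution happened, which is why the result looks like a faithful copy.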

Ethical questions for security experts

Alex Stamos's Defcon 21 presentation The White Hat's Dilemma is a compelling and fascinating look at the ethical issues associated with information security work in the era of mass surveillance, cyberwar, and high-tech extortion and crime.

Attacking the popular Kwikset lock: open in 15 seconds with a screwdriver and a paper clip

Kwikset makes an incredibly popular line of reprogrammable locks that can be easily re-keyed, meaning that landlords don't have to physically change the locks when their tenants move out. Kwikset boasts that their locks are extremely secure, but Marc Weber Tobias and Toby Bluzmanis will present six Kwikset vulnerabilities at DEFCON; their demo includes an attack that opens the lock "in 15 seconds with a screwdriver and a paper clip." Tobias and Bluzmanis have spoken to Kwikset technicians about this, and in recorded conversations, the Kwikset employees insisted that the product was secure, something that can't be taken seriously if you've seen Bluzmanis and Tobias work on them.

Anonymous Web-host shut down, owner arrested; Tor users compromised by Javascript exploit

Freedom Hosting, an Ireland-based host known for providing hosting for Tor "hidden services" (services reached over the Tor anonymizing/encrypted network), has shut down after its owner, Eric Eoin Marques, was arrested over allegations that he had facilitated the spread of child pornography. Users of Tor hidden services report that their copies of "Tor Browser" (a modified, locked-down version of Firefox that uses Tor by default) were served malicious JavaScript that de-anonymized them: it exploited a Firefox bug to make the browser report identifying details about the machine to a server outside the Tor network, and many speculate that the code originated with the FBI. Tor Browser formerly came with JavaScript disabled by default, but it was switched back on recently to make the browser more generally useful. Some are predicting an imminent Bitcoin crash precipitated by the shutdown.

Petition to Congress: don't put people in jail for violating terms of service!

A large group of "security researchers, academics, and lawyers" have signed onto a letter to Congress demanding that lawmakers enact "Aaron's Law," which would reform the antiquated and terrible Computer Fraud and Abuse Act, which US prosecutors claim makes violating online terms of service into a felony punishable by imprisonment. This is the law that was used to persecute Aaron Swartz, who was accused of violating terms of service by automatically downloading academic articles, rather than accessing them one at a time. The federal prosecutor threatened Aaron with 35 years in prison.

My workflow in the WSJ

I'm profiled in today's Wall Street Journal, where they asked me about the tools I use to be productive, safe and happy on the road and at home.

iPhones and other Apple devices can be compromised with a malicious fake charger

Billy Lau and Yeongjin Jang from the Georgia Institute of Technology have presented a demo at Black Hat of a way of stealthily compromising iPhones and other iOS devices with a gimmicked charger. The target needs to be unlocked while plugged in, either because it has no passcode to begin with or because the user unlocks it after connecting, but apart from that the charger can compromise any iOS device.

FBI pays for malware so it can spy on us with our phones and computers

The Wall Street Journal covers the FBI's use of malware to take over people's computers and phones, including one package that is used to turn the microphone in Android devices into a remote listening device. The story is alarming, but misses the two most significant points:

1. That this undermines the security of all of us, not just the people whom the FBI spies upon. The fact that the FBI and other law enforcement organizations have created a market for bugs that can be turned into spyware means that people who find bugs are less likely to present them to the manufacturers for patching. That means that when those bugs are independently identified by criminals, we're all at risk of having our devices subverted.

2. The same companies that sell malware to the FBI also sell it to dictatorships around the world. The FBI legitimizes the development of spyware that is used by despots to decide whom to arrest, whom to disappear, and whom to murder.

Private-Public Surveillance Partnership: how the private sector has become an arm of the NSA

A law that required you to give a list of all your friendships to the NSA would die in a hail of political outrage. A law that allows the NSA to make Facebook tell it who all your friends are somehow doesn't create a similar problem. Bruce Schneier's "The Public-Private Surveillance Partnership" makes an important point about the way that corporations have become an arm of the surveillance state.

NSA capo heckled at Black Hat conference

Noted perjurer and NSA Director Keith Alexander appeared onstage at the Black Hat security conference today, where he was heckled by audience members, notably a 30-year-old security consultant named Jon McCoy, who shouted things like "Freedom!" and "Bullshit!" and then got into some more substantive points.

How ad networks could be used to create a million-strong botnet

Jeremiah Grossman and Matt Johansen's Black Hat presentation "Million Browser Botnet" demonstrated a real-world attack in which ad networks were tricked into serving JavaScript that caused every browser displaying the ad to open numerous spurious connections to a target site. The ad networks do little checking of the JavaScript they serve (and even very good checking might not catch code that looks like ordinary analytics), so if the ad runs on a popular site, the resulting botnet could be vast and, because every node is an ordinary user's browser, very hard to distinguish from legitimate traffic. They also demonstrated how captured browsers could be put to work cracking hashes, sending spam, and brute-forcing passwords.
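What the targeted site sees is a crowd of ordinary clients that each suddenly burst requests, all arriving while the same ad page is open in the victims' browsers. Here is a detector over web-server log lines for that pattern, added as an example for this page (not Grossman and Johansen's code; the combined-format log lines are constructed, and the assumption that the ad creative's URL shows up as the shared Referer is mine, since a real campaign can hide it):

```python
# Added example: spotting ad-delivered browser "bots" in a web server log.
# Not Grossman and Johansen's code. The log lines are constructed; the signal
# assumed here is many clients each bursting requests and all carrying the same
# third-party Referer (the ad creative's page), which a real campaign may hide.
import re
from collections import Counter, defaultdict
from datetime import datetime
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

AD_REFERER = "http://ads.example-network.test/creative/4711"  # constructed


def _line(ip: str, second: int, path: str, referer: str) -> str:
    return (f'{ip} - - [10/Aug/2013:14:02:{second:02d} +0000] '
            f'"GET {path} HTTP/1.1" 200 512 "{referer}" "Mozilla/5.0"')


def build_sample_log() -> List[str]:
    """Constructed sample: one ordinary visitor plus three ad-driven browsers."""
    lines = [_line("203.0.113.5", 1, "/", "-"),
             _line("203.0.113.5", 9, "/about", "http://target.test/")]
    for i, ip in enumerate(["198.51.100.10", "198.51.100.11", "198.51.100.12"]):
        for k in range(8):  # 8 hits in 8 seconds from each victim browser
            lines.append(_line(ip, k, f"/?r={i}{k}", AD_REFERER))
    return lines


SAMPLE_LOG = build_sample_log()


def parse(line: str) -> Optional[dict]:
    """Parse one combined-format line; None for anything that does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return rec


def burst_size(times: Iterable[datetime], window_s: float) -> int:
    """Most requests from one client inside any sliding window of window_s seconds."""
    ordered = sorted(times)
    best = j = 0
    for i in range(len(ordered)):
        while (ordered[i] - ordered[j]).total_seconds() > window_s:
            j += 1
        best = max(best, i - j + 1)
    return best


def detect(lines: Iterable[str], window_s: float = 10, threshold: int = 6) -> Tuple[Set[str], Counter]:
    """Flag clients whose burst reaches `threshold` and tally the Referers they share."""
    by_ip: Dict[str, List[datetime]] = defaultdict(list)
    referers: Dict[str, Counter] = defaultdict(Counter)
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        by_ip[rec["ip"]].append(rec["ts"])
        referers[rec["ip"]][rec["referer"]] += 1
    flagged = {ip for ip, ts in by_ip.items() if burst_size(ts, window_s) >= threshold}
    shared: Counter = Counter()
    for ip in flagged:
        shared.update(referers[ip])
    return flagged, shared


if __name__ == "__main__":
    bots, refs = detect(SAMPLE_LOG)
    print(sorted(bots))         # the three ad-driven clients
    print(refs.most_common(1))  # the ad creative they all have open
```

Per-client rate limiting alone is weak here because each victim browser looks like a modest user; the useful signal is the count of distinct clients that cross the burst threshold together and what they have in common (Referer, User-Agent, path pattern), which is what the shared tally exposes.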

Whisper-thin gas-pump credit-card skimmers

A pair of crooks in Oklahoma made more than $400,000 with a whisper-thin gas-pump credit-card skimmer that they installed in Wal-Mart gas stations, using rental cars while they were doing the installation. Kevin Konstantinov and Elvin Alisuretove allegedly harvested their skimmers every two months or so, creating bogus credit cards with the data and then withdrawing cash at ATMs or sharing it with crooks in Russia and the former USSR. Brian Krebs details the technology, as well as a series of next-gen gas-pump skimmers that use tiny, unobtrusive Bluetooth bugs to harvest credit-card data.

At VW's request, English court censors Usenix Security presentation on keyless entry systems for luxury cars

Flavio Garcia, a security researcher from the University of Birmingham, has been ordered by an English court not to deliver an important paper at the Usenix Security conference. Garcia, along with colleagues from a Dutch university, had authored a paper showing the security failings of the keyless entry systems used by a variety of luxury cars. Volkswagen asked an English court for an injunction censoring the work, which demonstrated their incompetence and the risk they'd exposed their customers to, and Mr Justice Birss agreed.

Pwning a house

Badly configured home automation systems are easy to locate using Google, and once you discover them, you can seize control of a stranger's entire home: "lights, hot tubs, fans, televisions, water pumps, garage doors, cameras, and other devices." The manufacturers blame their customers for not following security advice, but even "enthusiast" customers who think they've locked down their networks are sometimes in for a nasty surprise.

Insteon chief information officer Mike Nunes says the systems that I’m seeing online are from a product discontinued in the last year. He blamed user error for the appearance in search results, saying the older product was not originally intended for remote access, and to set this up required some savvy on the users’ part. The devices had come with an instruction manual telling users how to put the devices online which strongly advised them to add a username and password to the system. (But, really, who reads instruction manuals closely?)

“This would require the user to have chosen to publish a link (IP address) to the Internet AND for them to have not set a username and password,” says Nunes. I told Nunes that requiring a username/password by default is good security-by-design to protect people from making a mistake like this. “It did not require it by default, but it supported it and encouraged it,” he replied.

In Thomas Hatley’s case, he created a website that acted as the gateway for a number of services for his home. There is a password on his website, but you can circumvent that by going straight to the Insteon port, which was not password protected.

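Two things go wrong in the Insteon story: credentials were "supported and encouraged" but not required, and the front-end password could be bypassed by talking straight to the device port. The following is an added example, not Insteon's code (the class names, the HTTP Basic header format and the default-password list are assumptions made for illustration), showing the optional-credentials default next to a fail-closed version that refuses to run without real credentials and checks them on the device itself:

```python
# Added example: the optional-credentials default beside a fail-closed one.
# Not Insteon's code; the class names, header format and password list are
# assumptions made for illustration. Auth is checked by the device handler
# itself, so a front-end password cannot be bypassed by talking to the port.
import base64
import hmac
from typing import Mapping, Optional

# Constructed list of factory/default passwords a device should refuse to keep.
DEFAULT_PASSWORDS = {"", "admin", "password", "1234", "insteon"}


def basic_header(username: str, password: str) -> str:
    """Build an HTTP Basic Authorization header value (helper for callers)."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return f"Basic {token}"


def _check_basic(header: Optional[str], username: str, password: str) -> bool:
    """Verify a Basic header; fail closed on anything missing or malformed."""
    if not header or not header.startswith("Basic "):
        return False
    try:
        raw = base64.b64decode(header[len("Basic "):], validate=True).decode()
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return False
    user, _, pw = raw.partition(":")
    # compare_digest keeps the comparison constant-time for equal-length inputs.
    user_ok = hmac.compare_digest(user.encode(), username.encode())
    pw_ok = hmac.compare_digest(pw.encode(), password.encode())
    return user_ok and pw_ok


class WeakDeviceAuth:
    """Credentials 'supported and encouraged' but not required.

    With nothing configured every request is accepted, so a device whose port
    is reachable from the Internet is open to anyone who finds it.
    """

    def __init__(self, username: Optional[str] = None, password: Optional[str] = None):
        self.username, self.password = username, password

    def authorize(self, headers: Mapping[str, str]) -> bool:
        if self.username is None:
            return True  # the hole: no credentials means no check at all
        return _check_basic(headers.get("Authorization"), self.username, self.password or "")


class HardenedDeviceAuth:
    """Secure by default: cannot be instantiated without usable credentials."""

    def __init__(self, username: str, password: str):
        if not username or password in DEFAULT_PASSWORDS:
            raise ValueError("set a username and a non-default password before enabling remote access")
        self.username, self.password = username, password

    def authorize(self, headers: Mapping[str, str]) -> bool:
        return _check_basic(headers.get("Authorization"), self.username, self.password)


if __name__ == "__main__":
    print(WeakDeviceAuth().authorize({}))  # True: an unconfigured device is wide open
    dev = HardenedDeviceAuth("owner", "correct horse battery")
    print(dev.authorize({}))               # False: no header, no access
    print(dev.authorize({"Authorization": basic_header("owner", "correct horse battery")}))  # True
```

The hardened class is what "security by design" means in Nunes' exchange above: the insecure state is unreachable rather than merely discouraged, and because the check lives in the device handler, a separate web front end with its own password adds defence in depth instead of being the only gate.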

PIN-punching $200 robot can brute force every Android numeric screen-password in 19 hours

Justin Engler and Paul Vines will demo a robot called the Robotic Reconfigurable Button Basher (R2B2) at Defcon; it can work its way through every numeric screen-lock Android password in 19 hours. They built it for less than $200, including the 3D-printed parts. It doesn't work on screen patterns (they're working on that) nor on iOS devices (which impose progressively longer lockouts between unsuccessful attempts). They're also whomping up new versions that simulate screen taps with electrodes, which will run much faster, and versions that can work against hotel-room safes, ATMs, and other PIN-pad devices. It's a good argument for a longer PIN (six-digit PINs take 80 days to crack) and for using robust, random PINs (26% of users use one of 20 PINs).
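The 19-hour and 80-day figures follow from the lockout schedule rather than from raw robot speed, and the "26% use one of 20 PINs" statistic changes the expected time far more than the worst case. The model below is an added example, not Engler and Vines' code; the Android schedule of a 30-second lockout after every 5 failures and the 0.8 seconds of robot time per attempt are assumptions chosen to reproduce the talk's headline numbers:

```python
# Added example: modelling a PIN-punching robot's time budget against a
# lockout schedule. Not Engler and Vines' code. Assumed parameters: 5 failed
# attempts trigger a 30 s lockout; one press-and-check costs 0.8 s of robot time.
from typing import Iterable


def attempt_seconds(n: int, seconds_per_attempt: float = 0.8,
                    lockout_every: int = 5, lockout_seconds: float = 30.0) -> float:
    """Wall-clock time until the n-th guess is entered.

    Guesses 1..n-1 failed, and every `lockout_every` failures cost
    `lockout_seconds` of waiting before the robot may continue.
    """
    lockouts = (n - 1) // lockout_every
    return n * seconds_per_attempt + lockouts * lockout_seconds


def worst_case_seconds(pin_length: int, **kw) -> float:
    """Time to exhaust the whole keyspace of `pin_length` decimal digits."""
    return attempt_seconds(10 ** pin_length, **kw)


def _mean_time(positions: Iterable[int], **kw) -> float:
    positions = list(positions)
    return sum(attempt_seconds(p, **kw) for p in positions) / len(positions)


def expected_seconds_uniform(pin_length: int, **kw) -> float:
    """PIN chosen uniformly at random; the guessing order does not matter."""
    return _mean_time(range(1, 10 ** pin_length + 1), **kw)


def expected_seconds_dictionary_first(pin_length: int, top_k: int = 20,
                                      top_share: float = 0.26, **kw) -> float:
    """Attacker tries the `top_k` most common PINs first.

    A `top_share` fraction of users picked one of them (the page's 26%-of-20
    figure); within each group the PIN is assumed uniformly distributed.
    """
    n = 10 ** pin_length
    head = _mean_time(range(1, top_k + 1), **kw)
    tail = _mean_time(range(top_k + 1, n + 1), **kw)
    return top_share * head + (1 - top_share) * tail


if __name__ == "__main__":
    print(f"4-digit worst case: {worst_case_seconds(4) / 3600:.1f} h")
    print(f"6-digit worst case: {worst_case_seconds(6) / 86400:.1f} days")
    print(f"4-digit expected, uniform PIN:        {expected_seconds_uniform(4) / 3600:.1f} h")
    print(f"4-digit expected, top-20 tried first: {expected_seconds_dictionary_first(4) / 3600:.1f} h")
```

Under these assumptions the 4-digit worst case is about 18.9 hours and the 6-digit worst case about 79 days, matching the talk; the lockout dominates (the 30-second waits account for roughly 88% of the time), which is exactly why iOS's escalating lockouts defeat the robot. Trying the twenty most common PINs first cuts the expected time against the population from about 9.4 hours to about 7 hours, and for the 26% of users on that list the crack is a matter of seconds, which is the argument for a random PIN.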
