Internet Insecurity Revisited


Your applications encrypt your data.  You’re protected, right?

Wrong.

There are several things you need to know about the latest round of papers made public by Wikileaks:

  • The CIA (in some cases in partnership with the UK’s MI5) developed ways to hack device operating systems. The devices include all types of computers and cell phones, networked TVs, car onboard systems — basically everything anyone uses that’s connected to the Internet. The operating systems affected are Windows, Android and Apple.
  • The hack allows the user to read data as it is entered (typed or spoken), before it is encrypted.  Everything.
  • The hack allows users to control devices and use them for spying on device owners.
  • The CIA may have LOST CONTROL of these hacks, meaning that they are out in the public domain where others can use them.

The CIA might not care about you, but are there others who might want your bank account?

The revelations have shocked experts.

Still, the amount of smartphone vulnerabilities and exploits detailed in these documents was shocking even to experts. “It certainly seems that in the CIA toolkit there were more zero-day exploits” – an exploitable vulnerability in software not known to the manufacturer – “than we’d estimated,” Jason Healey, a director at the Atlantic Council think tank, told Wired Magazine. He added: “If the CIA has this many, we would expect the NSA to have several times more.”(3)

Early reports are that the documents published by Wikileaks appear authentic.  None of the companies involved have commented on the situation. Nor do there appear to be any patches immediately in the offing.  After all, none of the players is yet admitting that they have something to patch.

Some writers see a bright side in these revelations: the decision to hack operating systems means that data encryption tools work.  That may or may not be true.  We don’t know what is still to be revealed.

Security problems aren’t under control or going away.

“Anybody who thinks that the Manning and Snowden problems were one-offs is just dead wrong,” said Joel Brenner, former head of U.S. counterintelligence at the office of the Director of National Intelligence. “Ben Franklin said three people can keep a secret if two of them are dead. If secrets are shared on systems in which thousands of people have access to them, that may really not be a secret anymore. This problem is not going away, and it’s a condition of our existence.”(4)

I’ve said that nothing on the Internet is private, but this takes that statement to an entirely new level.  Nothing you type or speak into an Internet-connected device is private.

Ben Franklin was indeed a very wise man.


Sources:

  1. Sharon Profis and Sean Hollister, “WikiLeaks and how the CIA sees your WhatsApp messages, explained,” CNet, 7 March 2017. https://www.cnet.com/how-to/wikileaks-cia-hack-phone-tv-router-vault-7-year-zero-weeping-angel/?ftag=CAD3c77551&bhid=25995825932822145966367556179766
  2. Jose Pagliery, “Wikileaks claims to reveal how CIA hacks TVs and phones all over the world,” CNN Tech, 7 March 2017. http://money.cnn.com/2017/03/07/technology/wikileaks-cia-hacking/
  3. Trevor Timm, “WikiLeaks says the CIA can use your TV to spy on you. But there’s good news,” The Guardian, 7 March 2017. https://www.theguardian.com/commentisfree/2017/mar/07/wikileaks-says-the-cia-can-use-your-tv-to-spy-on-you-but-theres-good-news
  4. Devlin Barrett, “FBI prepares for new hunt for WikiLeaks’ source,” The Washington Post, 7 March 2017.

Body cams


Ben Franklin said, “Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety.”

Police body cams can save lives and lawsuits.  There’s remarkable evidence from field trials supporting that claim:

In 2006, police officers in the United Kingdom tested body cameras and found that the technology enhanced the collection of hard-to-refute evidence and resulted in fewer cases going to trial. In 2012, a similar field test took place with the Rialto, Calif., Police Department. The 12-month experiment randomly tested body cameras on officers during their shifts. The cops used cameras from Taser International, which were water resistant, captured video in full color and had a battery life of 12 hours. The test results were startling: When the cameras were turned on, use of force by officers dropped 60 percent and complaints against the police fell nearly 90 percent. [Newcombe]

However, technology changes, and new technology raises new issues with these devices.

A new (and relatively shoddy) report from the Department of Justice confirms that some body cameras used by police have facial recognition technology as well as some ability to detect weapons on an individual.  There is no comment on the accuracy of either technology.  We know that police radar guns have a statistical measurement error, but what’s the equivalent for facial recognition?

That changes the interaction between police and civilians.

It makes perfect sense that an officer would want to know if an individual he is approaching is a known criminal or potentially dangerous.  Certainly, the officer would want to know if the civilian is armed. Heck, I’d like to know that.

If the camera can provide that information, it makes no sense that a body cam would ever be disabled on initial approach to a suspect.  In shootings where the body cam is reported to have been non-working, that becomes more suspicious.  What officer would want to go on patrol with a key piece of equipment out of service?

The body cam raises issues for civilians with permits to carry concealed weapons.  If the officer knows someone is armed, will they approach the civilian differently?  Treat the civilian more like a criminal?  Would that raise the risk of the civilian being shot?

Obviously, protestors lose their anonymity.  Any protestor — whether it’s a protest over a shooting, taxes, firing of a school teacher or flag burning — will be identifiable if in range of a body cam.  There will be an electronic record of those so identified.  How will that record be used?  There are no regulations on that today, as protest is in theory a public act.  Could you lose a job because you participated in a protest?

What controls are there on the use of body cams by private detectives and civilians, or their placement on drones?

If an officer leaves the scene of a domestic violence complaint without making an arrest or report, is there still an electronic record?  Could that record be accessed for use in any subsequent court actions?

Lots of questions with no answers as yet.


Sources


Cellphone Insecurity


Apple takes great pains to secure its phones against intrusion.  So, in theory, does Google.  It turns out that might not be such a big deal.

What do government agencies want to know from your cell phone?  Top of the list is who you are calling or texting.  Makes sense, right?

Well, it turns out that call data is being backed up on the cloud.  In Apple’s case, the iCloud.  Same difference.  A “cloud” is just a fancy name for a set of computer servers whose location is unknown to you.  These servers are used to store data from a large number of different users, and perhaps millions have access to these devices.

That includes, it seems, government agencies and some of the bad guys.  (Sometimes it can be hard to tell the difference.)

Anyway, Russian software company Elcomsoft announced this week that it can download call records from the Cloud or iCloud.  All it needs is the user name and password, and there are software programs to break passwords.  So all it really needs is the username.

So, the government doesn’t need your phone, and it doesn’t need to pay some hacker $1 million to hack the phone, to get most of the information it wants.  They don’t have to subpoena the phone company.  Anyone who wants the phone numbers of your family members or contacts doesn’t have to do that either.  They can just do it.

What’s not clear from the article is how detailed the calling information is.  Does it show your location when you place the call?  I imagine there are divorce attorneys who would love to get their hands on that.

This makes a strong case for using prepaid, “burner” phones.  Burners aren’t just for dealers anymore.


Sources:

  1. Tom Brant, “Russian Software Downloads Call Records From iCloud,” PC Magazine, 17 November 2016. http://www.pcmag.com/news/349677/russian-software-downloads-call-records-from-icloud?mailing_id=2469884&mailing=SecurityWatch&mailingID=A93358A7603BA1B0E91034E7487A3040