Category: Security

EU watchdogs want privacy assurances from Trump

European Union data privacy watchdogs are demanding assurances that a move by US President Donald (Prince of Orange) Trump to crack down on illegal immigration will not undermine a transatlantic pact protecting the privacy of Europeans’ data.

Trump wrote an executive order on January 25 aiming to toughen enforcement of US immigration law. It ordered US agencies to “exclude persons who are not United States citizens or lawful permanent residents from the protections of the Privacy Act regarding personally identifiable information.”

This basically killed off any agreement that the EU had on safe harbour data transfers. It means that if there is a US company running a cloud operation in the EU it has to turn over any data on anyone.

The EU’s data protection authorities said they would write to U.S. authorities “pointing out concerns and asking for clarifications on the possible impact of the Executive Order” on that framework, known as the Privacy Shield, as well as on another agreement protecting law enforcement data shared between the United States and the EU.

The EU-US Privacy Shield is used by almost 2,000 companies including Google, Facebook and Microsoft to store data about EU citizens on US servers and makes possible about $260 billion of trade in digital services.

It replaced a previous system thrown out by the top EU court on the grounds it allowed US spies unfettered access to data stored on US servers.

The European Commission press office has played down concerns over any threat to the privacy of Europeans’ data, saying the US Privacy Act had never protected Europeans’ data and so any changes to it would not affect EU-US data transfer agreements.

But the European court might see things differently.

Simple Javascript hack breaks most chip protection

Five researchers from the Vrije University in the Netherlands have put together an attack that can be carried out via JavaScript code and break ASLR protection on at least 22 microprocessor architectures.

This includes hardware from Intel, AMD, ARM, Allwinner, Nvidia and all the other names in the industry.

Dubbed ASLRCache, or AnC, the attack focuses on the memory management unit (MMU), a lesser known component of many CPU architectures which improves performance for cache management operations.

The researchers worked out that this component shares some of its cache with untrusted applications, including browsers.

All it took was a bit of malicious JavaScript that specifically targeted this shared memory space and attempted to read its content.

Basically the AnC attack can break ASLR and allow the attacker to read portions of the computer’s memory. From there it is possible to launch more complex exploits and escalate access to the entire OS.

Russian hackers seek to game Euro elections

After their success in helping get Donald (Prince of Orange) Trump elected in the US, Tsar Putin has set his Russian hackers gaming the EU elections, a US DoJ bloke has warned.

A former Justice Department official who served in the Obama administration said European countries must be willing to respond forcefully to efforts by Russia or others to use cyber-attacks to meddle in their elections.

While the US was aware that attacks were taking place, it didn’t manage to stop Putin getting a bloke who owes him and his chums money elected.

Former Assistant Attorney General John Carlin, who ran the national security division at the Justice Department and oversaw the pursuit of cyber criminals, said the United States did not do enough to deter the hacking and leaking of Democratic Party emails during the 2016 presidential campaign.

“What we did was too late. We weren’t bringing deterrence at all to the table.”

Carlin warned that countries with upcoming elections should be prepared to offer forceful and timely responses to cyber-attacks.

“Pre-election, it’s vital that not just the United States but partners like Germany, like France make it clear what the red line is, that there’s going to be strong deterrence and that in terms of deterrence, our policy has got to be we are going to take action until the action stops,” Carlin said.

Elections are set this year in European countries including France, Germany and the Netherlands.

Digital “Geneva Convention” is Smith’s dream

Software king of the world Microsoft has called for a digital Geneva Convention which would see tech companies remaining neutral if any country goes to war in cyberspace.

Microsoft president Brad Smith is alarmed at the rising tide of nationalism and said tech companies must declare themselves neutral when nations go up against nations in cyberspace.

Talking to the RSA computer security conference, Smith said cyberspace is the new battlefield and Tech must be committed to “100% defence and zero percent offense.”

Smith called for a “digital Geneva Convention,” like the one created in the aftermath of World War II which set ground rules for conduct during wartime, defining basic rights for civilians caught up in armed conflicts.

The speech was echoed in a blog post on Microsoft’s site that went up yesterday.

The world’s governments need to pledge that “they will not engage in cyberattacks that target civilian infrastructure, whether it’s the electric grid or the political system,” Smith said.

The digital Geneva Convention would establish protocols, norms and international processes for how tech companies would deal with cyber aggression and attacks by nations aimed at civilian targets, which appears to effectively mean anything but military servers.

Smith listed a string of increasingly threatening cross-border cyber incidents, beginning with the North Korean attack on Sony Pictures Entertainment in 2014 to thefts of intellectual property by China in 2015, ending with last year’s Russian involvement in the U.S. presidential election.

“We suddenly find ourselves living in a world where nothing seems off limits to nation-state attacks,” Smith said.

Technology companies, not armies, are the first responders when cyber-attacks occur, he noted. But they cannot, and must not, respond in kind, or aid governments in going on the offensive, Smith said.

Smith wants an autonomous organisation, something like the International Atomic Energy Agency that polices nuclear non-proliferation.

“Even in a world of growing nationalism, when it comes to cybersecurity the global tech sector needs to operate as a neutral Digital Switzerland,” Smith said.

“We will not aid in attacking customers anywhere. We need to retain the world’s trust.”

This would mean that tech companies should refuse to aid governments, even the government of the country they are based in, in attacking other nations. That could mean not building backdoors into programs sold in other countries and not taking part in work to create cyberweapons.

Big Content Blames Canada

Big content pressure groups the MPAA and RIAA have waded into Canada, claiming that it is a “safe haven” for copyright infringers and pirate sites.

They moaned that the Canadian “notice and notice” system is ineffective at deterring pirates and that the broader legal copyright regime fails to deter piracy.

The International Intellectual Property Alliance (IIPA) has released its latest 301 ‘watch list’ submission to the US Government which is based on the numbers of complaints Big Content has against nation states.

Canada is discussed in detail with the recommendation to put it on the 2017 Special 301 ‘watch list.’

One of the main criticisms is that, despite having been called out repeatedly in the past, the country still offers a home to many pirate sites.

“For a number of years, extending well into the current decade, Canada had a well-deserved reputation as a safe haven for some of the most massive and flagrant Internet sites dedicated to the online theft of copyright material,” IIPA writes.

It all seems rather unfair given that the Canadians shut down the popular torrent site KickassTorrents, which was partly hosted there. The IIPA is worried about the emergence of stand-alone BitTorrent applications that allow users to stream content directly through an attractive and user-friendly interface. Basically, they are moaning about Popcorn Time.

The IIPA reports that several websites offering modified game console gear have also moved there to escape liability under US law.

The group specifically highlights R4cardmontreal.com, gamersection.ca and r4dscanada.com among the offenders, and notes that “This trend breathes new life into Canada’s problematic ‘safe haven’ reputation.”

Big Content claims Canada’s legal regime fails to deal with online piracy in a proper manner. This is also true for the “notice and notice” legislation that was adopted two years ago, which requires ISPs to forward copyright infringement notices to pirating subscribers.

But the main issue appears to be that there is no evidence that any of the anti-piracy crackdowns have worked. Big Content thinks that this is because there are no punishments involved for frequent offenders. Despite the failure of any measures to stop online piracy, Big Content wants to see crucifixions.

“…simply notifying ISP subscribers that their infringing activity has been detected is ineffective in deterring illegal activity, because receiving the notices lacks any meaningful consequences under the Canadian system,” IIPA writes.

It admits that “the ‘notice-and-takedown’ remedy that most other modern copyright laws provide does not work but it does provide some incentives for cooperation, incentives that Canada’s laws simply lack,” Big Content muttered.

US rocket man held, phone searched by airport security

A NASA rocket scientist was detained by US Customs and Border Patrol and pressured to turn over his phone and access PIN.

The move poses some serious security problems because US Customs and Border Patrol lacked the security clearance to examine Sidd Bikkannavar’s phone, and since he works for NASA’s Jet Propulsion Laboratory (JPL) this is a big deal.

Bikkannavar says his phone was issued by NASA and may have contained sensitive material that wasn’t supposed to be shared. Then there is the small matter that Bikkannavar is a US citizen and should not have been forced to give over his phone under the US constitution.

A CBP officer escorted Bikkannavar to a back room and told him to wait for additional instructions. About 40 minutes later an officer took him to an interview room and explained, more or less, that since he was entering the country they needed to search his possessions to make sure he wasn’t bringing in anything dangerous.

The officer also presented Bikkannavar with a document titled “Inspection of Electronic Devices” and explained that CBP had authority to search his phone. Bikkannavar did not want to hand over the device, because it was given to him by JPL and is technically NASA property. He even showed the officer the JPL barcode on the back of the phone. CBP asked for the phone and the access PIN despite Bikkannavar’s protests.

The officer insisted that he had a right to search the phone and did not allow him to leave until he handed over his PIN. This is also odd, as courts have ruled that travellers are not legally required to unlock their devices, although agents can detain them for significant periods of time if they do not.

When the phone was returned Bikkannavar immediately turned it off because he knew he had to take it straight to the IT department at JPL. Once he arrived in Los Angeles, he went to NASA and told his superiors what had happened. The cybersecurity team at JPL was not happy about the breach. After all, if Russia or China wanted US rocket plans all it would have to do is compromise US Customs and Border Patrol, which is not that difficult.

Republicans are destroying their emails

US republicans are trying to avoid their embarrassing emails being found by hackers or foreign powers by using an app that destroys them after they have been read.

The app in question is an encrypted, self-destructing messaging app called Confide and apparently it has been downloaded by “numerous senior GOP operatives and several members of the Trump administration”.

One operative told Axios that the app “provides some cover” for people in the party. He ties it to last year’s hack of the Democratic National Committee, which led to huge and damaging information dumps of DNC emails leading up to the 2016 election.

Confide makes it difficult to screenshot messages, because only a few words are shown at a time. That suggests that it’s useful not just for reducing paper trails, but for stopping insiders from leaking individual messages.

But the difficulty here is that it is probably illegal. As the Hillary Clinton scandal showed, messages have to be stored and monitored by government officials.

Encrypted message apps like Signal, Telegram, and WhatsApp apparently spiked in popularity after Trump’s election, and the Clinton campaign reportedly adopted Signal after the DNC hack was discovered.

Ironically the republicans say they want to clamp down on encryption and other similar security options so that they can spy on “terrorists.”

Eastern European hacker tried to blackmail Beckham’s spinners

An Eastern European hacker was having a crack at blackmailing the former UK footballer David Beckham’s spinners by using his hacked emails.

The sister company of a public relations firm that represents former England captain David Beckham has confirmed it was subject to a blackmail attempt over hacked emails between the footballer and his PR adviser Simon Oliveira.

A spokesman for Beckham, 41, confirmed that the private emails were hacked and doctored. BBC reports that the hacker is believed to be from eastern Europe or one of the former Soviet republics.

The hacker is believed to have approached Portugal-based Doyen Sports, the sister company of Doyen Global, the sports and entertainment agency co-founded by Oliveira. Doyen Sports refused to pay up and told the coppers.

The hacker is believed to have passed the hacked emails to European Investigative Collaborations, a network of journalists, who have spent months going through the material before finally distributing it to several European websites last week.

Beckham is believed to be claiming that the story is based on outdated material taken out of context.

Most of the material we have seen is about expenses and about how Beckham is managed by his spinners.

Microsoft does not have to share foreign email but Google does

A US judge has decided that while Microsoft does not have to share email stored on its foreign servers with police and spies, Google will still have to.

A US judge has ordered Google to comply with search warrants seeking customer emails stored outside the United States.

US Magistrate Judge Thomas Rueter ruled that transferring emails from a foreign server so FBI agents could review them locally as part of a domestic fraud probe did not qualify as a seizure.

The judge said this was because there was “no meaningful interference” with the account holder’s “possessory interest” in the data sought.

“Though the retrieval of the electronic data by Google from its multiple data centres abroad has the potential for an invasion of privacy, the actual infringement of privacy occurs at the time of disclosure in the United States,” Rueter wrote.

Google said that the magistrate had departed from precedent, and it will appeal the decision.

The ruling came less than seven months after the 2nd US Circuit Court of Appeals in New York said Microsoft Vole could not be forced to turn over emails stored on a server in Dublin, Ireland that U.S. investigators sought in a narcotics case.

The case was watched closely by the EU which was spoiling for a reason to shut the US out of the European cloud business.


Android bug bounties getting huge

Google wrote more than $3 million in cheques last year in bug bounties as security experts cashed in on Android flaws.

The 2016 payouts mean Google’s total payments under its bug bounty schemes have increased dramatically: in 2015 it paid researchers $2 million.

Last year was the first full year Android was covered by Google’s bug bounty, which earned researchers nearly a cool million for finding and reporting issues to the Android security team. That figure is significantly more than the $200,000 it paid in 2015 after launching the Android rewards programme in June.

Google’s acknowledgements to individuals who’ve helped improve Android security have grown in recent years as it has expanded efforts to secure the operating system.

The Android bug bounty appeared when Google started its monthly Android security bulletins, which aim to encourage handset makers to deliver patches regularly to devices and allow end-users to see what date their phones are patched to.

Another million was given to researchers who reported bugs in the longer-running Chrome vulnerability rewards program.

The company says its three rewards programmes attracted over 350 researchers from 59 countries, while it issued over 1,000 individual rewards with the biggest single reward being $100,000.