Category: Security

Tech companies ask Trump to backtrack on encryption

orangeUS internet companies including Facebook and Amazon have penned a letter to president elect Donald “Prince of Orange” asking him to be a little more accommodating to their policy priorities – particularly strong encryption.

Trump took an anti-encryption stance during the election, demanding tech companies provide spooks with back-doors. While some tech-companies are visibly upset about Trumps election, it appears that Facebook and Amazon hope they can get him to change his mind with a nice letter.

The letter sent by the Internet Association, a trade group whose 40 members also include Alphabet’s Google, Uber and Twitter, represents an early effort to repair the relationship between the technology sector.

Michael Beckerman, president of the Internet Association said that the internet industry looks forward to engaging in an open and productive dialogue.

Some of the policy goals stated in the letter may align with Trump’s priorities, including easing regulation on the sharing economy, lowering taxes on profits made from intellectual property and applying pressure on Europe to not erect too many barriers that restrict U.S. internet companies from growing in that market.

The association seeks immigration reform to support more high-skilled workers staying in the United States. Trump made tougher immigration policies a central theme of his campaign, but he has shied away from arguing against more H-1B visas for skilled workers. In March, he said he was “softening the position because we need to have talented people in this country.”

Trump has also urged a boycott of Apple products over the company’s refusal to help the Federal Bureau of Investigation unlock an iPhone associated with last year’s San Bernardino, California, shootings, threatened antitrust action against Amazon, and demanded Apple manufacture its products in the United States.

In a statement, Beckerman said the internet industry looked forward to working closely with Trump and lawmakers in Congress to “cement the internet’s role as a driver of economic and social progress for future generations.”

Boffins work out how your fingers can grass you up

Fingers crossedA team of insecurity experts has worked out that that it is possible to hack a smartphone by listening into the way a user’s fingers move across the keypad.

If you listen carefully to a phone, usually with specialist gear, you can hear the way your fingers move across a phone’s touchscreen. This is because the wifi signals transmitted by a mobile phone change when the touchscreen is activated, causing interruptions that an attacker can intercept, analyse, and reverse engineer to accurately guess what the user has typed on his phone or in password input fields.

Dubbed WindTalker, the attack sounds like the user is suffering from a bad case of beans.  Fortunately it is less smelly and can only be done when the attacker controls a rogue wifi access point to collect WiFi signal disturbances.

This control is needed because the attacker must also know when to collect WiFi signals from the victim, to work out the exact moment when the target enters a PIN or password.

The attacker uses access over the WiFi access point to sniff the user’s traffic and detect when he’s accessing pages with authentication forms.

The attack uses radio signals called Channel State Information(CSI) which is part of the WiFi protocol, and it provides general information about the status of the WiFi signal.

When the user’s finger moves across the smartphone his hand alters CSI properties for the phone’s outgoing WiFi signals, which the attacker can collect and log on the rogue access point.

According to Bleeping computer  the attack as a 68 per cent accuracy.

Microsoft fixes huge Windows 10 bug

bugSoftware King of the World, Microsoft has fixed a rather juicy security flaw in its Windows 10 operating system, which it found only last week.

The security flaw itself allowed for attackers to take advantage of privilege settings which would allow them to potentially install and run applications. Apparently Russian hackers were already taking advantage of the situation. Vole said the security update resolves vulnerabilities in Microsoft Windows.

“The most severe of the vulnerabilities could allow elevation of privilege if an attacker logs on to an affected system and runs a specially crafted application that could exploit the vulnerabilities and take control of an affected system. This security update is rated Important for all supported releases of Windows. The security update addresses the vulnerabilities by correcting how the Windows kernel-mode driver handles objects in memory.”

The security update should have already installed in the background on most Windows 10 devices. If not, an update can be force by opening up Settings, Update & security, and clicking on ‘Check for updates’.

China brings in tough new cyber security law

ChinaThe glorious People’s Republic of China has bought in new tough new cybersecurity regulations on companies operating behind the bamboo curtain.

The proposed Cybersecurity Law features with data localisation, surveillance, and real-name requirements. It will require instant messaging services and other internet companies to require users to register with their real names and personal information, and to censor content that is “prohibited”.  Real name policies restrict anonymity and can encourage self-censorship for online communication.

There is also an element of data localisation, which would force “critical information infrastructure operators” to store data within China’s borders.

According to Human Rights Watch, an advocacy organisation that is opposing the legislation, the law does not include a clear definition of infrastructure operators, and many businesses could be lumped into the definition.

Sophie Richardson, Human Rights Watch’s China director said the new law will effectively put China’s Internet companies, and hundreds of millions of Internet users, under greater state control.

Many of the regulations are not new, most were informally carried out or specified in low-level law. However, implementing the measures on a broader level will lead to stricter enforcement.

Companies are required to report “network security incidents” to the government and inform consumers of breaches, but the law also states that companies must provide “technical support” to government agencies during investigations. “Technical support” is not clearly defined, but might mean providing encryption backdoors or other surveillance assistance to the government.

The Cybersecurity Law also criminalises several categories of content, including that which encourages “overthrowing the socialist system,” “fabricating or spreading false information to disturb economic order,” or “inciting separatism or damage national unity.”

India tries to restore hacked embassy websites

15-days-yoga-meditation-and-trekking-retreat-in-the-indian-himalayasIndian officials are trying to restore the websites of seven Indian embassies in Europe and Africa that were hacked.

The websites saw their data put online, much to the country’s embarrassment.  The websites of Indian embassies in Italy, Switzerland, South Africa, Libya, Malawi, Mali and Romania were hacked by a crew who dubbed themselves Kaputsky and Kasimierz L.

External Affairs Ministry spokesman Vikas Swarup told reporters that it was “aware of the problem” and was trying to fix it.

Attempts were being made to track the IP addresses of the hackers, who posted online the names, email addresses, phone numbers and passport numbers of some embassy staff members.

This is the latest series of high-profile Indian websites to be hacked this year. Last month, Pakistan-based hackers targeted more than 7,000 Indian websites after India launched a series of attacks on terror camps in Pakistan. Also in October, the security of around 3.2 million debit cards in India was breached when hackers inserted malware through an ATM network.

FBI wasted two years chasing “satire” cult

The_Untouchables_Desilu_Playhouse_1959The untouchables are getting rather a bad rap of late. Not only have they been seen as trying to get Donald Trump elected they also have spent two years investigating a made-up anti-Goth cult.

According to Muck Rock,  the FBI spent two years chasing down leaders of “God Hates Goths” church before realising the whole thing was made up.

In December 2005, the FBI opened a file on as religious extremist group the “Church of the Hammer.” Named after the infamous treaty on witchcraft and allegedly founded by a protégée of Westboro Baptists’ Fred Phelps, the group called for violent retribution on those in defiance of God’s will.

The Bureau’s main source on the case was a goth who had engaged with members of the Church via their Yahoo Group “GodHatesGoths.” For some reason the FBI thought that the Church enough of a threat to move beyond mere fact-finding into full-on investigation. To be fair, agents feared that if they didn’t act soon, they might have another Waco on their hands.

But agents soon found that none of the people asked about the many incidents the Church was supposedly involved knew anything about it.  Then after a couple of years the FBI visited GodHatesGoths.com and found a disclaimer – in small print, mind – that the site and and the Church were satire.

Amercians have a bit problem with satire in that they do not have a clue what it is.  For years people, have been putting up unfunny made up news and calling it “satire.”  Usually “the joke” is obvious but it took two years after the FBI opened an investigation into the Church of the Hammer, it got the gag.

Microsoft defends Viking chess champion from Russian hackers

vikingNorwegian Magnus Carlsen, the world chess champion has asked the Software King of the World, Microsoft, to protect him from Russian hackers.

Carlsen is worried that he will become plagued by cyber-attacks before the match with the Russian grandmaster Sergey Karjakin.

Carlsen uses technology and computing power to prepare the match and he is afraid that Russian hackers would attempt to break into his computers to access information that could help Crimean-born Karjarin to win the match.

Beating Calsen would be a bit of propaganda coup for Tsar Putin. Karjakin represents Russia now but comes from Ukraine and supports Putin’s annexation of the region. It is therefore useful to Putin to create an image that a religious belief in all he stands for grants you victory. After all it is what he has been doing for his chum Trump in the US.

Vole has promised to protect Carlsen’s data and will secure communications to make sure that nothing is lost or compromised. Carlsen’s advisers will also be protected, as Russian hackers could also launch attacks against them to get data about the match.

Vibeke Hansen, head of the Communications department at Microsoft Norway said the element of surprise is vitally important in chess and no one expects Volish minions to go Viking on them.

“Preparing for a World Championship demands a lot of work, analysis and strategic sparring – and a lot of computing power. The last few months before a match are filled with a lot of preparation and hard work; it is crucial that no data is lost or compromised,” Hansen said.

Boffins use magnets to repair gizmos

MagnetBoffins at the engineering lab team at the University of California, San Diego have come up with a way to fix electronic gizmos by creating magnetic ink particles that self-heal when they break.

Sensors printed with this ink would magnetically attach to each other when a rip or tear occurs, automatically fixing a device at the first sign of disintegration.

Amay Bandodkar, a member of the research team said the magnetic repairing system works a bit like the human skin making it stretchable and self-healing.

“Within a few seconds it’s going to self-heal, and you can use it again,” he said.

The team first created sensors that can be incorporated with fabrics. The result is smart clothing that can repair cuts up to three millimetres long in 50 milliseconds. Now the next thing is to make the magnets do something more electronic.

To create the self-healing effect, the team used pulverized neodymium magnets typically found in fridges and hard drives and combined them into the ink. This helps the researchers avoid the traditional process of adding chemicals and heat, which could take hours to complete.

Bandodkar said that $10 worth of ink can create “hundreds of small devices” that can help reduce waste, since you won’t need to throw these wearables and gadgets out when they’re broken.

The team is currently evaluating the best ink ratios to use for different gadget-printing applications, with the goal of using them to create anything from solar panels to medical implants.

Hackers take an entire country offline

li-areaHackers have managed to take an entire country offline, which even it is a small one, is showing the power of a denial of service attack.

The Mirai botnet was tuned to attack Liberia in Africa and chucked more than 1.1Tbps at the small country,  Security researcher Kevin Beaumont, who was one of the first to notice the attacks and wrote about what he found, said that the attack was one of the largest capacity botnets ever seen.

One transit provider said the attacks were over 500Gbps in size. Beaumont said that given the volume of traffic, it “appears to be the owned by the actor which attacked Dyn”.

Liberia has a basic and spotty internet coverage, which has a single fiber internet cable off its shores providing internet to the country. Just six percent of the country has an internet connection, according to official statistics. Most residents with an internet connection used satellite technology to get online until the arrival of the ACE fibre cable in 2011 along the west African coast, which provides a capacity of up to 5.1Tbps of data and is divided up to serve the entire coast.

“The attacks are extremely worrying because they suggest a Mirai operator who has enough capacity to seriously impact systems in a nation state,” said Beaumont.

It is not clear why anyone would want to attack Liberia, some security experts think that it is being used as a testing ground for new cyberweapons.

 

UK wants to geoblock prisons

jailThe UK Ministry of Justice, is becoming rather worried at the number of illegal drone activities at prisons and is apparently working with drone manufacturers to include prison coordinates in pre-programmed no-fly zones.

A report on Prison Safety and Reform presented to Parliament said that the MoJ will ‘trial, together with industry, the inclusion of prison coordinates in no-fly zones which have the potential to be programmed into the majority of drones on the market.  Apparently it has no plans to make the information publically available so the drone flying friends of the lags don’t know if the drone they have paid out for is geoblocked.

While currently the number of attempts to deliver contraband over the walls of a prison by drone is still far outnumbered by conventional methods incidences are increasing. In England and Wales, there were two  in 2014, and 33 in 2015.

The MoJ report notes that the increase in numbers may be due to improvements in awareness and reporting of incidents, but that it also reflects the growing knowledge of the technology and availability of drones to the average buyer.

If a prison is designated by the manufacturer as a no-fly zone, the drone will be automatically repelled from flying over the coordinates for the prison area. This does mean  releasing prison GPS coordinates to the public which creates a security problem. Some manufacturers offer an opt-out function on their drones, which allows a user to override pre-programmed geo-fencing coordinates. Other No-fly zones currently include military airspace mainly used for fighter pilot or weapons training, and very few other areas as defined by the National Air Traffic Service in the UK. Prisons are considered ‘restricted space’, as are nuclear facilities, but neither have no-fly coordinates programmed by the manufacturer prior to sale.