Category: Security

French Windows privacy slammed

The French government is furious that Windows 10 appears to collect rather too much user data.

France’s National Data Protection Commission (CNIL) has ordered Microsoft to comply with the French Data Protection Act within three months and “stop collecting excessive data and tracking browsing by users without their consent.”

In addition to this, the chair of CNIL has notified Microsoft that it needs to take “satisfactory measures to ensure the security and confidentiality of user data”. The notice comes after numerous complaints about Windows 10, and a series of investigations by French authorities which revealed a number of failings on Microsoft’s part.

Microsoft is accused of not only gathering excessive data about users, but also irrelevant data. The CNIL points to Windows 10’s telemetry service which gathers information about the apps users have installed and how long each is used for. The complaint is that “these data are not necessary for the operation of the service”.

The company is also criticised for its lack of sufficient security — such as the four-digit PIN used to protect payment information which does not have a limit on the number of guesses that can be made. The CNIL’s list of complaints does not end there. It also took exception to the activation of an advertising ID for tailored advertising without user consent, the lack of cookie blocking options, and the fact that data is being transferred out of Europe to the US.
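The unbounded PIN guessing the CNIL objects to is worth seeing next to the control that fixes it. The following is an added example, not Microsoft's code: a four-digit PIN has only 10,000 possible values, so the verifier below caps consecutive failures and locks the account for a period before any further comparison is made. The attempt limit, lockout length and the injectable clock are assumptions for the demonstration.

```python
# Added example (not from the article or Microsoft): PIN verification with a
# retry cap. Without a cap a 4-digit PIN is exhausted in at most 10,000 tries.
import hmac
import time

MAX_ATTEMPTS = 5        # assumed policy value
LOCKOUT_SECONDS = 300   # assumed policy value


class PinVerifier:
    def __init__(self, pin: str, clock=time.monotonic):
        self._pin = pin.encode()
        self._clock = clock          # injectable so tests can advance time
        self.failures = 0
        self.locked_until = 0.0

    def is_locked(self) -> bool:
        return self._clock() < self.locked_until

    def verify(self, attempt: str) -> bool:
        """Return True only for the right PIN while the account is not locked."""
        if self.is_locked():
            return False             # refuse before comparing anything
        # compare_digest runs in time independent of where the digits differ,
        # so a wrong guess does not leak how many leading digits were right
        if hmac.compare_digest(self._pin, attempt.encode()):
            self.failures = 0
            return True
        self.failures += 1
        if self.failures >= MAX_ATTEMPTS:
            self.locked_until = self._clock() + LOCKOUT_SECONDS
            self.failures = 0
        return False


def remaining_attempts(v: PinVerifier) -> int:
    """How many more wrong guesses before this verifier locks."""
    return 0 if v.is_locked() else MAX_ATTEMPTS - v.failures


if __name__ == "__main__":
    v = PinVerifier("4821")           # constructed sample PIN
    for guess in ("0000", "1111", "2222", "3333", "4444"):
        print(guess, v.verify(guess), "remaining:", remaining_attempts(v))
    print("locked:", v.is_locked(), "correct PIN accepted:", v.verify("4821"))
```

With the cap in place an attacker who controls the device still gets only five guesses per five minutes, which turns a minutes-long exhaustive search into one that takes days and is trivially noticeable in logs.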

In a statement, the CNIL said:

Given the above, the Chair of the CNIL has decided to issue a formal notice to Microsoft Corporation to comply with the Act within three months. These proceedings only commit the French data protection authority. The other data protection authorities belonging to the WP29 Contact group are continuing their investigations within their respective national procedures.

The purpose of the notice is not to prohibit any advertising on the company’s services but, rather, to enable users to make their choice freely, having been properly informed of their rights.

It has been decided to make the formal notice public due to, among other reasons, the seriousness of the breaches and the number of individuals concerned (more than ten million Windows users on French territory).

Vole is probably not too concerned. It fully expects the cheese munching surrender monkeys to back down when the three-month deadline is up, but if France’s objection is heard by the Germans, who are a lot more earnest about privacy, then it might have a fight on its hands.

Kickass torrent “mastermind” arrested

US coppers claim to have arrested the “mastermind” of KickassTorrents (KAT) which is one of the largest BitTorrent distribution sites.

When we looked this morning the site was still up, so we are not sure if the alleged mastermind status of Artem Vaulin, 30, of Ukraine, was incorrect or if the site is being run by his minions.

Vaulin has been charged with one count of conspiracy to commit criminal copyright infringement, one count of conspiracy to commit money laundering, and two counts of criminal copyright infringement.

Vaulin was arrested in Poland and the DOJ will shortly seek his extradition to the United States.

Assistant Attorney General Caldwell said that Vaulin was charged with running today’s most visited illegal file-sharing website, responsible for unlawfully distributing well over $1 billion of copyrighted materials.

“In an effort to evade law enforcement, Vaulin allegedly relied on servers located in countries around the world and moved his domains due to repeated seizures and civil lawsuits. His arrest in Poland, however, demonstrates again that cybercriminals can run, but they cannot hide from justice.”

What appears to have miffed Hollywood was that Vaulin did actually have a method of dealing with DMCA violations. Hollywood studios would send their complaint and demand that the content be removed from the site, and they would get a note back which said the following:

Greetings,
Your request has been reviewed, but cannot be processed due to one (or
more) of the following reasons:
1) The Claim wasn’t written in English language;
2) You provided no evidence showing that you are the copyright holder
or that you are acting on behalf of the copyright holder;
3) You provided no evidence showing that the content is legally
copyrighted;
4) There were more then [sic] 30 torrents mentioned in the Claim email;
5) Your content is hosted on a different website.
Please, make sure to fulfill all the conditions mentioned above before
sending a claim.
You can find more detailed information regarding the DMCA email
layout via the following article – https://kat.cr/dmca/
Respectfully,
KAT team

Keeping mum

It has been estimated that the site’s annual advertising revenue was more than $16 million per year as of 2016, although those figures are nearly always presented to the media hyped beyond belief. In this case they are based on the fact that an undercover IRS agent purchased an ad on KAT in March 2016 at the rate of $300 per day.

The KAT representative provided details for a Latvian bank but warned the American buyer to “make sure that you don’t mention KAT anywhere.”

HSI and IRS looked into the historical hosting records of KAT and found that for about 3.5 years, ending in January 2016, the operation was hosted out of Chicago, Illinois, which explains why the case is now being prosecuted out of the Northern District of Illinois. The site also used a Canadian hosting service—the two American agencies also used MLAT to get an image of the Canadian server.

More interesting was that the fruity cargo cult Apple, which normally does not turn over data on terrorists, provided a copy of Vaulin’s e-mail account (tirm@me.com), which included other incriminating information that establishes probable cause of a criminal conspiracy. So it looks like Apple’s privacy morals stop when it comes to crimes against its chums in Hollywood.

Turkey tries to stuff Wikileaks as it does something useful

Turkey’s Internet watchdog has blocked access to the WikiLeaks website in Turkey, it said, after the whistleblower organisation released nearly 300,000 emails from the ruling AK Party.

The Telecommunications Communications Board said on Wednesday that an “administrative measure” had been taken against the website – the term it commonly uses when blocking access to sites.

All emails are attributed to “akparti.org.tr”, the primary domain of the main political force in the country, and cover a period from 2010 up until July 6, 2016, just a week before the failed military coup.

The Turkish supporters of President Erdogan are believed to have tried to break the Wikileaks site with a huge DoS attack to prevent the information getting out. So far Wikileaks thinks it has managed to beat the attack off.

The government of Turkey is continuing its massive crackdown following a failed coup attempt during which more than 200 people lost their lives as factions of the armed forces attempted to seize control of several key places in the cities of Ankara and Istanbul. Over 1,400 were injured over the course of armed clashes.

In the wake of the failed takeover, thousands have been detained or lost their posts across the judiciary, military, interior ministry and civil service sectors. This includes teachers and university professors because Turks under Erdogan don’t need no education.

Wikileaks has not been doing that much lately other than trying to increase the profile of its leader Julian Assange, who is still sitting in a London embassy because he refuses to answer questions from Swedish authorities about an alleged sex offence. Because of its “Assange orientation” Wikileaks has been basically subverted and eclipsed by leaks from Edward Snowden.

It is not clear what material Wikileaks has its paws on. However other leaks about Erdogan’s government have shown widescale corruption at the highest levels. Erdogan has done his best to block such information being released.


Microsoft blocks Linux installations

Software king of the world Microsoft has blocked a flaw in Windows RT which allowed users to install non-Redmond-approved operating systems on Windows RT tablets.

Microsoft has closed a backdoor left open in Windows RT even though the OS is pretty much dead in the water as Vole can’t be bothered with it any more.

This vulnerability in ARM-powered, locked-down Windows devices was left by Redmond programmers during the development process. Exploiting this flaw, a hacker could boot operating systems of his or her choice, including Android or GNU/Linux.

In fact the use of Linux on the tablets was pretty popular as Vole is killing support for Surface RT tablets in 2017 and Windows RT 8.1 in 2018. This means that if the tablet is going to be any use, users will have to run something different on them.

A spokesVole described the backdoor as a security vulnerability and fixed it accordingly. If you are planning to install some other operating system on your Windows RT tablet, avoid the latest update. Of course chances are you are too late.


AI computers will try to hack each other

Seven AI computers will have a crack at hacking each other in Las Vegas early next month.

The seven will take part in DARPA’s Cyber Grand Challenge finals and try to defend themselves and point out flaws without any human control. The object is to show that machines can beat even the best human hackers.

Mike Walker, programme manager for the CGC, said that it was proof that eventually the entire security life cycle could be automated.

On average, flaws in software go unnoticed for around 312 days — which hackers can often exploit. And then once those flaws are noticed by a human, they need to be understood, patched, and then released out to the broader community.

The CGC hopes this problem could be fixed within minutes, or even seconds, automatically.

Seven teams of finalists were given a DARPA-constructed computer. Their task was to program it to be able to recognise and understand previously undisclosed software, find its flaws, and fix them. And once the challenge starts, they won’t be able to jump on a keyboard and do anything more.

“The machines have to comprehend the language of the software, author the logic for that software, write their own network clients, and arrive at the path of the new vulnerabilities entirely on their own.”

While they are scanning their own systems for problems, the machines can also scan the other teams’ systems for issues, but they can’t actually hack them.

Walker likened it to calling your shot in a game of pool, without actually hitting the ball.

Instead, they will send a message of sorts to the DARPA referee, who will then go ahead and see if that exploit is correct, or if what was pointed out could crash the other machine.

The first place team will take home $2 million so it is worth a crack.

Sega Saturn DRM cracked

It has taken more than 23 years, but hackers have finally broken the tough DRM which surrounded the Sega Saturn and might have saved the console from extinction.

Engineer James Laird-Wah wanted to get through the DRM to harness the Saturn’s chiptune capabilities. The Saturn was looking doomed because there was a shortage of replacement parts coupled with an increasingly common fault with the drive.

Normally you could run the games from a modern USB stick, but the Saturn came with some spooky DRM which made it darn difficult.

Laird-Wah bypassed the drive altogether and hacked into the Video CD slot so it can take games stored on a USB stick and run them directly through the Saturn’s CD Block.

Laird-Wah said that he has got the Saturn to the point where it can boot and run games. He has also put in some audio support so it also has sound.

Right now he is the only one in the world who can write Saturn files to a USB stick. But he is not resting on his laurels. Laird-Wah wants to go back to his original plan which was using the Saturn’s chiptune to load samples and store your songs on the USB.

He has not issued any time-table for the release of his hack. But if enough people adopt it, it will go some way to preserving the Saturn and its games library.


Millions of Xiaomi phones have bugs

Millions of Xiaomi phones are vulnerable to a “flaw” that could allow an attacker to remotely install malware.

Although the flaw in the analytics package in Xiaomi’s custom-built Android-based operating system has been fixed, it could be a while before users install the patch.

Security researchers at IBM, who found the flaw, discovered a number of apps in the package that were vulnerable to a remote code execution flaw through a so-called “man-in-the-middle” attack, allowing an attacker to run arbitrary code at the system level.

Xiaomi is advising users to update their devices as soon as possible. The flaws rely on a lack of encryption and code-checking and verification. The risk is that if the phone is already hacked the update could theoretically be modified in transit, although the hackers would have to be rather quick.
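The “lack of encryption and code-checking” above is the whole problem: a component that fetches code over plaintext and installs whatever arrives cannot tell a genuine update from one swapped in transit. The following is an added example, not Xiaomi’s or IBM’s code, of the checks an updater should run before installing anything: a signed manifest, a package hash that must match the manifest, and a version floor that rejects replayed older updates. For a self-contained demo it uses HMAC-SHA256 with a key the device is assumed to hold; a production updater would use an asymmetric signature (such as Ed25519) so the device stores only a public key, but the three checks have the same shape. The sample package bytes and manifest are constructed for the example.

```python
# Added example (not from the article, Xiaomi or IBM): verify an update before
# installing it. Assumption: the device holds UPDATE_KEY; a real updater would
# verify an asymmetric signature with a public key instead.
import hashlib
import hmac
import json

UPDATE_KEY = b"demo-key-not-for-production"   # assumed, constructed for the demo


def canonical(manifest: dict) -> bytes:
    """Stable serialisation so signer and verifier hash identical bytes."""
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def sign_manifest(manifest: dict, key: bytes) -> str:
    # Stand-in for the vendor's signing step (asymmetric in reality).
    return hmac.new(key, canonical(manifest), hashlib.sha256).hexdigest()


def verify_update(manifest: dict, signature: str, package: bytes,
                  key: bytes, installed_version: int) -> str:
    """Return 'ok' or the reason the update must be rejected."""
    if not hmac.compare_digest(sign_manifest(manifest, key), signature):
        return "bad-signature"          # manifest forged or altered in transit
    if hashlib.sha256(package).hexdigest() != manifest["sha256"]:
        return "hash-mismatch"          # package body swapped in transit
    if manifest["version"] <= installed_version:
        return "downgrade"              # replay of an old, validly signed update
    return "ok"


# Constructed sample update: a package, its manifest and the vendor signature.
GOOD_PACKAGE = b"analytics-package-v2 (constructed demo bytes)"
MANIFEST = {
    "name": "analytics",
    "version": 2,
    "sha256": hashlib.sha256(GOOD_PACKAGE).hexdigest(),
}
SIGNATURE = sign_manifest(MANIFEST, UPDATE_KEY)


def demo() -> dict:
    """Run the verifier against the genuine update and three tampered variants."""
    tampered_package = GOOD_PACKAGE + b"+injected"
    forged_manifest = dict(MANIFEST, sha256=hashlib.sha256(tampered_package).hexdigest())
    return {
        "genuine": verify_update(MANIFEST, SIGNATURE, GOOD_PACKAGE, UPDATE_KEY, 1),
        "swapped_package": verify_update(MANIFEST, SIGNATURE, tampered_package, UPDATE_KEY, 1),
        "forged_manifest": verify_update(forged_manifest, SIGNATURE, tampered_package, UPDATE_KEY, 1),
        "replayed_old": verify_update(MANIFEST, SIGNATURE, GOOD_PACKAGE, UPDATE_KEY, 2),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

The order of checks matters: the signature is verified first so that nothing else (hash, version, the package itself) is trusted until the manifest has been authenticated. Note that a hash alone, fetched over the same plaintext channel as the package, adds nothing, since whoever rewrites the package can rewrite the hash; the signature (or a hash pinned inside already-trusted code) is what closes that gap.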

Companies are getting into more trouble for software that they supply with their hardware. Lenovo faced a scandal when some of its bloatware arrived with a particularly nasty security flaw. It did fix it and bundled off a patch, but the case highlighted the risks for suppliers in providing such software to users.

Guccifer lied about Clinton hack

One of the issues that made the case of Hillary Clinton’s private mail server so bad was that its security was so weak a Romanian hacker known as Guccifer turned it over during 2013.

Guccifer, AKA Marcel Lehel Lazar, bragged to Fox News and NBC News in May 2016 about his alleged hacking, so gaining his 15 minutes of fame. The news agencies were so desperate to run some Clinton dirt they overlooked the small fact that Lazar offered no proof at all.

He was a little more accurate when he was extradited to the US and questioned by the Untouchables. In fact, he just told them he was telling porkies. FBI Director James Comey testified under oath before Congress on Thursday that Guccifer never hacked into Clinton’s servers and in fact admitted that he lied.

That was not to say Lazar had not hacked some famous people in the past. Lazar is now in custody in Alexandria, Virginia, awaiting trial for hacking charges. He’s most famous for hacking former President George W. Bush and releasing Bush’s paintings.

But at the time the tech press and the security pundits thought the claims were pants, but they were widely ignored.

This was because the Republicans either believed, or were attempting to make the world believe, that Clinton’s server was so insecure that it allowed state secrets to fall into the hands of hackers. In fact there has been no proof that foreign governments even knew the server existed.

As far as the security was concerned, sophisticated hacking attempts against the server were made and they failed.

“Sky’s the limit” as it starts UK censorship of the Internet

David “I love bacon” Cameron’s dream of a censored internet in the UK is going ahead, despite his exit from Downing Street.

Cameron felt that the UK would be a happy place if the great unwashed were not allowed to watch internet porn, making it available only to those who splash out on a VPN. The move was also supposed to protect children who, rather than seeing porn on their PCs, would be free to be abandoned by their parents in pubs.

Murdoch’s Sky is enabling adult content filtering by default for all new customers. This means that if you want to see porn you have to specifically ask the nice woman who signs you up for the service “yes I want to see donkey porn”.

Murdoch, who is not normally a fan of censorship, claims that Sky wants to “help families protect their children from inappropriate content” even if the service is not being flogged to families or is going to a family whose parents take their responsibilities seriously.

The government has proposed that all money-making porn sites that operate in the UK need to have an age verification system in place, and in many ways Sky’s scheme is just an extension of the idea.

Sky’s approach, however, is the reverse of similar systems used by other ISPs. Rather than asking customers if they want to enable the content filter, the question is flipped on its head so they are asked if they want to disable the option.

Announcing the filtering, Sky’s brand director for communications products, Lyssa McGowan, said: “From today, Sky Broadband Shield will be automatically switched on the moment a new customer activates their Sky Broadband. At the end of last year, we said that we wanted to do even more to help families protect their children from inappropriate content. The first time someone tries to access a filtered website, the account holder will be invited to amend the settings or turn it off altogether. It ensures a safer internet experience for millions of homes, while still giving account holders the flexibility to choose the settings most appropriate for their households.”

What though is being missed is that the decision to enable the filter by default was taken because only 5-10 per cent of customers made use of the option when it was off by default. This would suggest that 90-95 per cent of Sky customers did not want censorship. Imposing it would surely cost the outfit business.


Coppers breach cyber security for fun and profit

More than 800 coppers have breached the rules regarding the police database either for a laugh or to make a bit of dosh, according to a watchdog’s report.

Big Brother Watch said that UK police staff inappropriately accessed personal information between June 2011 and December 2015.

The report, which is based on Freedom of Information requests sent to all UK police forces, raises questions about the police’s ability to protect civilian data. In one case a Metropolitan Police officer found the name of a victim so funny that he attempted to take a photo of the driving licence and send it to his friend over Snapchat. In another case a Greater Manchester Police officer tipped someone off that they would be arrested, and one from North Yorkshire Police conducted a check on a vehicle on his phone whilst off-duty. A South Wales Police copper was dismissed after photographing and distributing restricted documents “for personal gain,” the report said.

The worry is if the coppers are doing these sorts of things now what are they going to get up to when they can see people’s internet records, which will become possible under the UK’s Investigatory Powers Bill.

Given that some of the information was leaked to organised crime groups, it is possible to see a bent cop supplying such types with blackmail information.

The coppers seem a bit lax when it comes to disciplining officers involved in such cases. The majority of incidents, 1,283, ended up with no disciplinary action taking place, while 297 ended in a resignation or dismissal, 258 resulted in a written or verbal warning, and 70 led to a criminal conviction or caution.