Category: Security

HTML 5 is just as rubbish as Flash

flash_superhero_running-t2Rather than saving the world from the security nightmare which is Flash, HTML 5 might be drawing us into a bigger load of hurt, according to the latest security report.

Since Steve Jobs blamed Flash for breaking his perfect operating system, the world has been a little hard on Flash. It has been gradually downgrading it and replacing it with HTML 5.

However according to GeoEdge, an ad scanning vendor, Flash has been wrongly accused as the root cause of today’s malvertising campaigns, and switching to HTML5 ads won’t safeguard users from attacks.

The problems are in the platforms and advertising standards themselves and not Flash.

For many years, Adobe has been slow to patch vulnerablities but things changed recently after browser vendors threatened to have the plugin disabled for most of their users. But this has come too late.

But according to GeoEdge Malvertisers don’t care if ad is Flash or HTML5 they rely on standards used to build the advertising network’s infrastructure, regardless if they deliver static or video ads.

Video ads, the primary root of malvertising use the VAST and VPAID advertising standards. If the ad is Flash or HTML5, there are critical points in this ad delivery path where ad creators can alter the ad via JavaScript injections.

These same critical points are also there so advertisers or ad networks can feed JavaScript code that fingerprints and tracks users.

 

Apple’s open OS is a security nightmare

Safe-with-Open-Door_Silver-Trading-Company_iStock_000016460757_ExtraSmallSome security experts who inspected Apple’s new version of iOS were surprised; it appears that the security geniuses at Jobs’ Mob had forgotten to encrypt the operating system.

Suddenly crucial pieces of the code destined to power millions of iPhones and iPads were laid bare for all to see making it a doddle to find security weaknesses in Apple’s flagship software.

The Tame Apple Press insists that is all deliberate and the secretive company may have adopted a bold new strategy intended to encourage more people to report bugs in its software.  However, the smart money is on the fact that this is a cock-up.

Apple has so far said it would strengthen security and privacy features and yet here it is showing an unencrypted version of the Kernel which controls how programs can use a device’s hardware and enforces security.

The Tame Apple press insists that does not mean that the security of iOS 10 is compromised. Butit makes finding flaws easier and reduces the complexity of reverse engineering considerably.

However on the plus side opening the iOS for anyone to examine could weaken the trade in holes  market by making it harder for certain groups to hoard knowledge of vulnerabilities and make the iOS more stable.

However for that to happen it would require such a psychological change in Apple that it is nearly impossible to consider. For a start, Apple would have to admit that there is a flaw and fix it straight away. Apple’s current policy when notified if there is a flaw is to ignore it until enough people complain and then issue a patch a few months later.

Apple does not offer “bug bounty” cash payments to people that disclose flaws they have found in its products, for example. So if you reverse engineer or find a hole in the iOS you would never take it to Apple, you would flog it to the government, or one of those dodgy security outfits which help them.

 

Human Rights groups furious about new US warrant law

police-stateThe Electronic Frontier Foundation and the Tor Project are rallying human rights groups to fight against law changes that would allow coppers and spooks vast new surveillance authorities and undermine anonymity online.

Currently Rule 41 only authorises federal magistrate judges to issue warrants to conduct searches in the judicial district where the magistrate is located. The new Rule 41 would for the first time authorize magistrates to issue warrants when “technological means,” like Tor or virtual private networks (VPNs), are obscuring the location of a computer. The rule would authorise warrants to remotely access, search, seize, or copy data on computers, wherever in the world they are located.

The EFF and more than 40 partner organisations are holding a day of action for a new campaign—noglobalwarrants.org—to warn citizens about the dangers of Rule 41 and push U.S. lawmakers to oppose it.

The process for updating these rules was intended to deal exclusively with procedural issues. But this year a US judicial committee approved changes in the rule that will expand judicial authority to grant warrants for government hacking.

The organizations are collecting petition signatures at noglobalwarrants.org and website operators can go there to download widgets that express their opposition to Rule 41.

In May, Senator Ron Wyden (D-Ore.) filed a bill to block Rule 41, writing at the time: “When the public realises what is at stake, I think there is going to be a massive outcry: Americans will look at Congress and say, ‘What were you thinking?’”

Russian into Putin backdoors into messaging

putin-buzz1While the US ums and ahs about installing security backdoors into nation’s messaging software, the Russian government under Tsar Putin has no difficulty worrying about it.

A new bill in the Russian Duma, the country’s lower legislative house, proposes to make cryptographic backdoors mandatory in all messaging apps in the country so the Federal Security Service—the successor to the KGB—can obtain special access to all communications within the country.

Apps like WhatsApp, Viber, and Telegram, all of which offer varying levels of encrypted security for messages, are specifically targeted in the “anti-terrorism” bill. Fines for offending companies could be about $15,000.

Russian Senator Yelena Mizulina argued that the new bill needed to become law because, because the kids of today are brainwashed in closed groups on the internet to murder police officers. Of course that is not as bad as having police officers murdering journalists who write bad things about Tsar Putin but Mizulina also wants to look at “pre-filtering” messages. We are not sure how she will do that, we guess that if a person sends a message it will be looked at by a government official (or an AI bot) before it is sent.

 

While government authorities around the world argue in favor of special access backdoors, a vast consensus of technologists argue such backdoors will undermine cybersecurity and create an internet more dangerous and volatile than ever before.

Top three net companies sued over Paris deaths

parisThe dad of one of the 130 people killed in the Paris shootings is suing Google, Facebook and Twitter claiming that they knowingly helped the terrorists.

Reynaldo Gonzalez’s daughter, Nohemi, was among the 130 killed when religious extremists attacked Paris last year.  He claims that Twitter, Facebook and Google for facilitating the spread of “extremist propaganda” after alleging the trio “knowingly permitted” ISIS to recruit, raise money and spread its message across each of the respective platforms.

The court documents say that for years, the companies have knowingly permitted the terrorist group ISIS to use their social networks as a tool for spreading extremist propaganda, raising funds and attracting new recruits.

“This material support has been instrumental to the rise of ISIS, and has enabled it to carry out numerous terrorist attacks, including the 13 November 2015 attacks in Paris, where more than 125 were killed, including Nohemi Gonzalez.”

Without Twitter, Facebook and Google-owned YouTube, religious extremists would not have the infrastructure to get their message to the masses, he claimed.

While we are sympathetic for his loss, the court does appear a bit unfair. Each company goes to great lengths to police its ranks and remove offending content. It is a game of “wack-a-rat”, which companies often lose because of it being the internet. The danger is that he might actually win which would leave internet companies open to massive lawsuits every time there is a terrorist act.

Blaming the Internet for the sins of humanity is not the best way to move forward on anything.  The big three are developing AI in an attempt to clamp down on extremist posts.  If they pull it off then there will be fewer extremist sites and posts. It is taking a while to get the tech right.

Texas wants to charge systems admins with hacking

US court in texas

US court in texas

Systems administrators in Texas could suddenly find themselves locked up if case law accepts a recent decision by 12 Texas jurors.

Sys Admin Michael Thomas, 37 was found guilty under the Computer Fraud and Abuse Act, a verdict with a maximum sentence of 10 years in prison and up to $250,000 in restitution.  What the court heard though was that Thomas had deleted files before leaving his job at the auto dealership software firm ClickMotive in 2011.

According to Wired the prosecution presented evidence that Thomas intentionally harmed ClickMotive by combing through executives’ email, tampering with the network’s error-alert system, and changing authentication settings that disabled the company’s VPN for remote employees. He also deleted 615 backup files and some pages of an internal wiki.

However Thomas’ lawyer Tor Ekeland has pointed out, that was Thomas’s job. He added that Thomas wasn’t charged with the usual CFAA violation of “unauthorized access” or “exceeding authorized access,” but rather “unauthorised damages.” Ekeland said that the law is “dangerous for anyone working in the IT industry. If you get in a dispute with your employer, and you delete something even in the routine course of your work, you can be charged with a felony.”

ClickMotive, which was later acquired by the larger auto dealership software firm DealerTrack, claims that those changes caused $140,000 in damages as they struggled to determine the extent of Thomas’s tampering.

The prosecutor claimed that Thomas wanted to harm ClickMotive as revenge after two of his fellow IT staffers were laid off. However as his defense pointed out seems to have at least stopped far short of maximizing the amount of damage he could do.

Thomas went into the company’s offices the weekend before he quit—just days after those layoffs—to help defend the company against a denial-of-service attack on its website and to repair a cascading power outage problem.

Those 615 backup files he deleted were all replicated elsewhere on the network. There was not a single communication produced at trial, a single written document that showed he wasn’t authorized to do what he did, claimed Ekeland.

All it took was your boss to say ‘that wasn’t authorized,’ you violated an unwritten policy, and bang, you’re hit with a felony.”

The Electronic Frontier Foundation attorney Nate Cardozo points to the prosecution as a dangerous use of the law, and one that should have been settled with a civil lawsuit.

Thomas’s defence team says they plan to ask the judge in the trial to overrule the jury under a Rule 29 motion, and if that fails, to seek an appeal.

 

Obama ditches Blackberry

obama-funny-face-grr-growl-640x397President Barack Obama fought to keep his BlackBerry when he took office, now he is ditching it for an Android.

The President was given a BlackBerry 8830 World Edition with extra crypto—for unclassified calls and e-mail. He liked his Blackberry so much he continued to carry it even though the technology was getting rather elderly and the company has been going down the gurgler.

In an appearance on Late Night with Jimmy Fallon, Barack Obama said he now carries a secure “smartphone” that is so locked down that he compared it to an infant’s toy phone. The phone in question was not an iPhone of course but a “hardened” Samsung Galaxy S4.

The S4 is currently the only device supported under DISA’s DOD Mobility Classified Capability-Secret (DMCC-S) program. In 2014, a number of Samsung devices were the first to win approval from the National Security Agency under its National Information Assurance Partnership (NIAP) Commercial Solutions for Classified (CSfC) program—largely because of Samsung’s KNOX security technology. And the S4, layered with services managed by DISA, is the first commercial phone to get approval to connect to the Secret classified DOD SIPRNet network.

The DMCC-S handset sacrifices some of the Galaxy’s functionality for security purposes. While it uses biometric authentication, there’s no user-accessible camera. The Android applications on the DMCC-S Galaxy are restricted to a selection from DISA’s Mobile Application Store (MAS).

Obama’s device has even further security restrictions. Obama told Fallon that he cannot place phone calls on it—the phone is likely restricted to secure VoIP functionality, with outside calls controlled from a secure switchboard.

 

 

Blighty brings in a new spying law

 snooperWhile people are a bit distracted about Europe, David “bacon sandwich” Cameron brought in a new spying law which will make it possible for the rich elite to keep the great unwashed from revolting.

The new surveillance law gives security agencies extensive monitoring capabilities in the digital age. Lawmakers voted 444-69 in favour of the Investigatory Powers Bill, which interior minister Theresa May said would help “keep us safe in an uncertain world”.

The bill will now go to the House of Lords upper house of parliament where it is expected to be rubber stamped. After all the Lords don’t want the riff-raff revolting, they are already revolting enough.

Several lawmakers, including the opposition Scottish National Party, voted against the bill, saying that the protections for privacy were not strong enough.

May insisted that the bill had been scrutinised using her extra best and strongest scrute.  A new privacy clause would require agencies to consider less intrusive means to achieve the same ends and special protections for lawmakers, lawyers and journalists.

“It provides far greater transparency, overhauled safeguards and adds protections for privacy and introduces a new and world-leading oversight regime,” May claimed.

Facebook denies spying rap

what-we-learned-about-facebook-ceo-mark-zucke-L-gl5gYRSocial notworking site Facebook has denied that its app is listening in on users.

For those who came in late, The Independent reported that a communications professor from USF noticed Facebook serving ads with topics similar to stuff she had discussed near her phone.

The story spread rapidly on Facebook, which is pretty much proof that the outfit is not controlling news flow as this is exactly the sort of story you would expect it to censor.

A SpokesFacebook said: “Facebook does not use microphone audio to inform advertising or News Feed stories in any way. Businesses are able to serve relevant ads based on people’s interests and other demographic information, but not through audio collection.”

One of Facebook’s problems is that its terms of service are incomprehensible to someone without a law degree. Facebook does list a permission to use the microphone on iOS and Android, it’s only activated when a user tries to identify something like music or a TV show.

This story came out because most people are not sure what the permissions mean and think that anything listed might be in use all the time.

You can stop Facebook getting access to your microphone by disabling it.   However, remember that the amount of technology and bandwidth required to listen into your life to send you adverts is high. Facebook can get that data just by monitoring what you type on Facebook, which no one seems bothered about.

Apple sits on huge outage

alice_humpty-dumpty_2_detThe fruity cargo cult Apple suffered a huge international outage that inconvenienced all its users and is refusing to offer any explanation.

The outage started at 4pm on Thursday and took down its App Store, iCloud and the Photos application.  It took the best part of a day to fix and all was sorted out by Friday afternoon.

First fixed was the App Store functionality and the last were the iCloud and the Photos application had remained unavailable to some users.

However, Apple, while saying that the services were up has refused to comment about the nature of the outage. Any media inquiries are referred to a web page that shows that all the services are working.

It is as if Apple is trying to pretend that nothing happened and that if no one talks about it, Apple can claim it never did. The Tame Apple Press has done its best to gloss over the outage. While there were reports that the outage happened, most of the tried to mitigate the outage by providing Apple with free advertising. When each failed service was mentioned it was given epithets “the popular” or the “successful” as if this would help. Then, other than reporting the service was up, the press seemed happy to walk away as it was told leaving no one in Apple accountable for the mess.

They might be missing a great story. What if Apple’s network was taken out by the same well organised team of racoons which bought the US particle accelerator to its knees?  The Apple attack could be part of a well-organised racoon campaign by to raise the standards of the world by hacking into establishments that oppose evolutionary culture and the use of biological rubbish bins.  We will never know because Apple is not telling us the truth.