jarrodwhaley.com

I make films. I'm also a nerd.

Posts Tagged ‘security’:

Gemalto Denies Sim Cards Were Hacked by NSA

Samuel Gibbs, The Guardian:

The firm allegedly hacked by the NSA and GCHQ has stated that it cannot find any evidence that the US and UK security services breached it and stole the encryption keys of billions of Sim cards.

Good news if true. I can’t help but be a little skeptical, however. Snowden’s revelations have proven time and again to be borne out by the facts. What’s more, don’t we think Gemalto would have a huge incentive to lie and say they were never actually breached?

Lenovo Installs Spyware on Consumer PCs

As reported by Rick Osgood of Hackaday:

The software actually installs a self-signed root HTTPS certificate. Then, the software uses its own certificates for every single HTTPS session the user opens. If you visit your online banking portal for example, you won’t actually get the certificate from your bank. Instead, you’ll receive a certificate signed by Superfish. Your PC will trust it, because it already has the root certificate installed. This is essentially a man in the middle attack performed by software installed by Lenovo. Superfish uses this ability to do things to your encrypted connection including collecting data, and injecting ads.

Well, if compromising the security of our personal financial transactions makes good business sense for Lenovo, we’ll just have to toughen up and deal with it, won’t we?

They claim that server-side interactions have been disabled since January, which disables Superfish. They have no plans to pre-load Superfish on any new systems.

Oh, good. False alarm. So they’ve stopped doing this. I totally trust them not to be full of “it.”
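The mechanism the Hackaday quote describes is only invisible to the operating system's own verification: once the Superfish root sits in the trust store, the OS accepts the substituted certificate just as readily as the bank's real one. What still catches it is an application-level expectation about who should have issued the certificate for a given site. The following is an added example, not code from the original post or from Lenovo/Superfish; the certificate dictionaries, the issuer names, the hostname and the DER bytes are constructed stand-ins (the nested tuple layout is the real shape returned by Python's `SSLSocket.getpeercert()`), and `EXPECTED_ISSUERS` is an assumed per-site allow-list.

```python
import hashlib
import socket
import ssl
from typing import Optional

# Constructed stand-ins for what SSLSocket.getpeercert() returns. The nested
# tuple layout (a sequence of RDNs, each a sequence of (type, value) pairs) is
# the real one; the names and values are made up for this example.
GENUINE_CERT = {
    "subject": ((("commonName", "online.bank.example"),),),
    "issuer": (
        (("countryName", "US"),),
        (("organizationName", "Example Trust"),),
        (("commonName", "Example Trust Secure Server CA"),),
    ),
}

# Same hostname, but issued by a locally installed interception root.
INTERPOSED_CERT = {
    "subject": ((("commonName", "online.bank.example"),),),
    "issuer": ((("commonName", "Superfish"),),),
}

# Issuers the application accepts for this site (an assumption for the example).
EXPECTED_ISSUERS = {"Example Trust Secure Server CA"}

# Constructed placeholder for the bank's DER-encoded certificate.
GENUINE_DER = b"constructed-der-bytes-standing-in-for-the-real-certificate"


def issuer_common_name(cert: dict) -> Optional[str]:
    """Pull the issuer CN out of the getpeercert() dict shape."""
    for rdn in cert.get("issuer", ()):
        for attr_type, value in rdn:
            if attr_type == "commonName":
                return value
    return None


def chain_looks_interposed(cert: dict, expected_issuers: set) -> bool:
    """True when the presented certificate was issued by a CA we do not expect.

    The OS already accepted the chain (otherwise the handshake would have
    failed), so this catches a root that was added to the trust store behind
    the user's back, which OS-level verification alone cannot flag.
    """
    return issuer_common_name(cert) not in expected_issuers


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 of the DER certificate, the usual form for a certificate pin."""
    return hashlib.sha256(der_cert).hexdigest()


# Pin recorded ahead of time, out of band (here derived from the placeholder).
GENUINE_PIN = fingerprint(GENUINE_DER)


def pin_matches(der_cert: bytes, pinned_sha256: str) -> bool:
    """Stricter than the issuer check: accept only the exact certificate pinned."""
    return fingerprint(der_cert) == pinned_sha256


def inspect_live(host: str, port: int = 443) -> dict:
    """Live variant for a real host (needs network; not exercised offline)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return {
                "issuer_cn": issuer_common_name(tls.getpeercert()),
                "sha256": fingerprint(tls.getpeercert(binary_form=True)),
            }


if __name__ == "__main__":
    for label, cert in (("genuine", GENUINE_CERT), ("interposed", INTERPOSED_CERT)):
        flag = "UNEXPECTED ISSUER" if chain_looks_interposed(cert, EXPECTED_ISSUERS) else "ok"
        print(f"{label}: issuer={issuer_common_name(cert)!r} -> {flag}")
```

The issuer check is coarse (a site's CA rotates intermediates, so the allow-list needs maintenance) and the pin is strict (it breaks on every certificate renewal unless rotated in step), which is why real clients usually pin a public-key hash rather than the whole certificate. Either one, though, notices the substitution that a trusted-but-unwanted root makes invisible to the OS.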

Android Flashlight App LoJacks Users

Alice Truong, Fast Company:

The Android app Brightest Flashlight has been installed between 50 million and 100 million times, averaging a 4.8 rating from more than 1 million reviews. Yet its customers might not be so happy to learn the app has been secretly recording and sharing their location and device ID information.

I’m willing to bet a non-negligible amount of money, actually, that the number of shits given among those who’ve installed this app is less than or equal to 0.01. These users will never even know that their movements are filling a creepy database, and they wouldn’t care a whit even if they did know.

Ladar Levison May Be Arrested For Shutting Lavabit Down

NBC News:

The owner of an encrypted email service used by ex-NSA contractor Edward Snowden said he has been threatened with criminal charges for refusing to comply with a secret surveillance order to turn over information about his customers.

"I could be arrested for this action," Ladar Levison told NBC News about his decision to shut down his company, Lavabit LLC, in protest over a secret court order he had received from a federal court that is overseeing the investigation into Snowden.

Let’s take a minute to applaud the size of this guy’s balls. He’s willing to go to jail in order to protect his customers’ data. Henry David Thoreau would be proud.

Email Is Inherently Insecure

The recent shutdowns of Lavabit and Silent Circle—two supposedly "secure" email providers—demonstrate perfectly the limitations of the medium. MIT Technology Review notes:

When e-mail was created 40 years ago, security or anonymity wasn’t part of the design. The routing and labeling protocols plainly state what computer sent it or forwarded it, what computer received it, and what time all this happened. “There are far too many leaks of information and metadata intrinsically in the e-mail protocols themselves,” says Mike Janke, CEO of Silent Circle, whose customers include people in companies and government agencies with secrets to protect. “It doesn’t matter what you try to do with e-mail, there are these inherent weaknesses. So we got rid of Silent Mail [the company’s e-mail service]. We deleted all of it, burned it, and threw it in the ocean with locks and chains on it. People lost all their e-mail, but the response went from ‘Why would you do this?’ to ‘Thanks for doing this.’”

Even if your email is encrypted by your provider, that provider will have to hand the key(s) to any law-enforcement agency that cares enough to ask for them. Furthermore, the email protocol itself is exceedingly transparent about who sent the mail and who received it. A lot of information about you is revealed even if you go to great lengths to encrypt your communications with the greatest crypto-nerd care.
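To make the metadata point concrete: here is an added example (not code from the original post or from any of the providers mentioned) that parses a constructed message whose body is a placeholder for PGP ciphertext and lists everything that is still readable without the key. The message, its addresses, hostnames and timestamps are all made up for the example; the parsing uses only Python's standard library `email` package.

```python
import email
from email import policy
from email.utils import parsedate_to_datetime

# Constructed sample message (not a real capture). The body is a placeholder
# for PGP-encrypted content; every header above it travels in plaintext and is
# copied into each relay's logs along the way.
RAW_MESSAGE = b"""\
Received: from mail.example.org (mail.example.org [192.0.2.10])
    by mx.example.net with ESMTPS id abc123; Tue, 13 Aug 2013 09:15:02 -0500
Received: from [198.51.100.7] (client.example.org [198.51.100.7])
    by mail.example.org with ESMTPSA id xyz789; Tue, 13 Aug 2013 09:14:40 -0500
From: Alice <alice@example.org>
To: Bob <bob@example.net>
Cc: Carol <carol@example.com>
Subject: Meeting
Date: Tue, 13 Aug 2013 09:14:39 -0500
Message-ID: <20130813091439.constructed@example.org>
User-Agent: Mutt/1.5 (constructed)
Content-Type: text/plain; charset=utf-8

-----BEGIN PGP MESSAGE-----
(placeholder for the ciphertext; unreadable without the recipient's key)
-----END PGP MESSAGE-----
"""


def parse_received(header: str) -> dict:
    """Split one Received: stamp into the relay description and its timestamp."""
    route, _, stamp = header.rpartition(";")
    return {
        "route": " ".join(route.split()),  # collapse header-folding whitespace
        "time": parsedate_to_datetime(stamp.strip()),
    }


def visible_metadata(raw: bytes) -> dict:
    """Return what an observer learns from the message without decrypting the body."""
    msg = email.message_from_bytes(raw, policy=policy.default)

    # Each relay prepends its own Received: header, so the first one is the
    # most recent hop and the last one is the sender's own mail server.
    hops = [parse_received(str(h)) for h in msg.get_all("Received", [])]

    # Sender and every recipient, in the clear regardless of body encryption.
    addresses = [
        a.addr_spec
        for name in ("From", "To", "Cc")
        if msg[name] is not None
        for a in msg[name].addresses
    ]

    body = msg.get_content()
    return {
        "addresses": addresses,
        "subject": str(msg["Subject"]),
        "sent_at": msg["Date"].datetime,
        "message_id": str(msg["Message-ID"]),
        "client": str(msg["User-Agent"]),
        "hops": hops,
        # Elapsed time between the first and last relay stamp.
        "transit_seconds": (hops[0]["time"] - hops[-1]["time"]).total_seconds() if hops else None,
        "body_encrypted": body.lstrip().startswith("-----BEGIN PGP MESSAGE-----"),
    }


if __name__ == "__main__":
    for key, value in visible_metadata(RAW_MESSAGE).items():
        print(f"{key}: {value}")
```

Note that the Subject line is a header too, so end-to-end encryption of the body leaves it exposed unless the client deliberately blanks it; the sending client's software and the sender's IP address in the innermost Received: stamp are likewise visible to every relay and to anyone who can read their logs.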

This Gmail privacy kerfuffle is ridiculous. As soon as you hand your message to a third party, you lose any reasonable expectation of privacy. It’s not only the law, it’s just common sense. Remember trying to pass a "secret" note in elementary school, only to have it unfortunately intercepted by some dickhead middleman? It’s like that.

Digital Dead Drop is a Secure Web Notepad

Inspired by the Ender’s Game books, Tyler Spilker has written a dead-simple Python-based Web app called Digital Dead Drop; it’s designed to run on a local or remote server, and provides a quick and secure method with which to jot down a few thoughts and save them on the server side. Nothing is stored locally, so there’s no problem if your phone is lost. It’s a pretty cool idea.

Cars Can Get Hacked Too

Reuters:

Charlie Miller and Chris Valasek say they will publish detailed blueprints of techniques for attacking critical systems in the Toyota Prius and Ford Escape in a 100-page white paper, following several months of research they conducted with a grant from the U.S. government.

[…]

They said they devised ways to force a Toyota Prius to brake suddenly at 80 miles an hour, jerk its steering wheel, or accelerate the engine. They also say they can disable the brakes of a Ford Escape traveling at very slow speeds, so that the car keeps moving no matter how hard the driver presses the pedal.

Put an Internet-connected computer into something, and somebody will find a way to hack it. Maybe it’s not the best idea to connect every object in the world after all.

SIM Card Vulnerability Opens Millions of Phones to Attack

Pierluigi Paganini writes, for Security Affairs:

A serious vulnerability in SIM cards used in some mobile phones has been found; exploiting the flaw, an attacker could eavesdrop on phone conversations, install malicious applications on the device, or impersonate the handset’s owner. The discovery is very concerning: the vulnerability could compromise the security of 750 million mobile phones.

You can barely look around recently without encountering yet another potentially disastrous security breach which affects millions of unsuspecting people. As Moore’s Law leads to faster and faster computation—while our encryption methods seem to advance and propagate at a slower rate—breaches and catastrophes are only going to become more and more common[1].

Nohl revealed that it is possible to exploit the vulnerability in less than two minutes using a common PC.

In the words of the great philosopher, “yikes!”


[1] Get ready for a neverending stream of calls from your mother, your father, your aunt, your cousin, that one guy you used to work with who knows you’re some kind of geek or something, your neighbor’s friend, etc.

Verizon Femtocell Exploit Allows Hackers to Hear Phone Calls

Security Affairs:

Two security researchers announced that they have succeeded in transforming Verizon mobile phones into spy tools to track Verizon’s users.

The security experts revealed to the Reuters agency that it is possible to hack Verizon mobile phones for surveillance purposes; the researchers will present the discovery at the next hacking conferences this summer, DEF CON and Black Hat.

Every single device you add to your arsenal provides an additional attack vector—particularly since your data is increasingly ubiquitous, due to syncing services. Be careful out there.

Security Hole Found In Dropbox’s Two-Factor Authentication

From a post at Security Affairs:

A few hours ago I was informed that the Q-CERT team found a critical vulnerability in DropBox that allows a hacker to bypass the two-factor authentication implemented by the popular file sharing service.

I guess two-factor authentication isn’t inherently more secure.