Archive for July, 2014

A lot of concern about the NSA’s seemingly omnipresent surveillance over the last year has focused on the agency’s efforts to install back doors in software and hardware. Those efforts are greatly aided, however, if the agency can piggyback on embedded software already on a system that can be exploited.

Two researchers have uncovered such built-in vulnerabilities in a large number of smartphones that would allow government spies and sophisticated hackers to install malicious code and take control of the device.

The attacks would require proximity to the phones, using a rogue base station or femtocell, and a high level of skill to pull off. But it took Mathew Solnik and Marc Blanchou, two research consultants with Accuvant Labs, just a few months to discover the vulnerabilities and exploit them.

The vulnerabilities lie within a device management tool carriers and manufacturers embed in handsets and tablets to remotely configure them. Though some design their own tool, most use a tool developed by a specific third-party vendor—which the researchers will not identify until they present their findings next week at the Black Hat security conference in Las Vegas. The tool is used in some form in more than 2 billion phones worldwide, they say, including Android and BlackBerry devices and a small number of Apple iPhones used by Sprint customers. They haven’t looked at Windows Mobile devices yet.

The researchers say there’s no sign that anyone has exploited the vulnerabilities in the wild, and the company that makes the tool has issued a fix that solves the problem. But it’s now up to carriers to distribute it to users in a firmware update.

Carriers use the management tool to send over-the-air firmware upgrades, to remotely configure handsets for roaming or voice-over WiFi and to lock the devices to specific service providers. But each carrier and manufacturer has its own custom implementation of the client, and there are many that provide the carrier with an array of additional features.

To give carriers the ability to do these things, the management tool operates at the highest level of privilege on devices, which means an attacker who accesses and exploits the tool has the same abilities as the carriers.

The management tools are implemented using a core standard, developed by the Open Mobile Alliance, called OMA device management. From these guidelines, each carrier can choose a base set of features or request additional ones. Skolnik says they found that some phones have features for remotely wiping the device or conducting a factory reset, altering operating system settings and even remotely changing the PIN for the screen lock.

Read more

When Target lost data on some 110 million customers, it recommended them to credit bureau Experian for “identity theft protection,” offering to cover the cost for a year.

Think you’re in better hands? Think again.

Sometime before the Target (TGT) hack, Experian had its own data leak — via a subsidiary. That data leak got plugged before Target sent victims to Experian. But it shows that even those entrusted with our most sensitive data don’t know how to protect it.

Experian unknowingly sold the personal data of millions of Americans — including Social Security numbers — to a fraudster in Vietnam. That guy then sold the personal information to identity thieves around the globe.

It wasn’t until U.S. Secret Service agents alerted Experian that the company stopped.

Hieu Minh Ngo, now 25, was caught and admitted to posing as a private investigator in Singapore to get exclusive access to data via Court Ventures, an Experian subsidiary. Ngo then sold access to fellow criminals.

Read more

Phone texts don’t die: they hide

The computer forensics expert who recovered the text messages that brought down parliamentary Speaker Peter Slipper has warned that any messages or files you think you have deleted from your smartphone are still there if someone really wants to find them.

The national head of the IT forensics practice at corporate advisory firm PPB Advisory, Rod McKemmish, was brought in by the legal team of Mr Slipper’s former staffer James Ashby, as some of the messages he had received from the former speaker had been deleted.

He was able to use an automated forensic process to bring the messages back from the dead.

“The delete button on the phone should really be called the ‘hide’ button, because the data is still there, you just can’t see it,” Mr McKemmish said. “In the forensic process we can bring it all back.”

While most politicians and business people are unlikely to be communicating about the sort of topics that brought down Mr Slipper, many might rethink the privacy of their communications.

With soaring levels of smartphone penetration in Australia, it is fair to assume that a significant amount of sensitive discussions take place via SMS.

Mr McKemmish said his skills were increasingly being called upon to investigate corporate cases, where firms were concerned about confidential information residing on the phones of staff leaving. Most phones have a “factory reset feature”, which is supposed to revert the phone to the state when it was first used, but it’s insufficient.

IBRS technology analyst James Turner said businesses needed to be more alert to the permanent nature of digital communication, as more important conversations were handled by SMS and email.

“This can be share price-impacting information, because deals can be made via an SMS that are worth a lot of money,” he said. “The audit trail is all important when it comes to being able to report that due process has been followed, so i f people are using electronic communications, then they must expect that there is a record.”

Not all communication via SMS or email is related to big deals of course. Much could be slotted into the files marked “harmless banter” or “office gossiping”. Common stuff, but not necessarily words that people want to be accessible once the messages have been deleted.

Unfortunately for regular texters,cA computer forensics expert and adjunct professor at Queensland University of Technology, Bradley Schatz, says smartphones were designed to hold on to data as a guard against accidental loss.

He says there are a number of factors that will govern how long a message exists on a phone after it has supposedly been deleted, but a basic guide is that it will remain somewhere on the phone until all available space for new data has been exhausted.

“The memory inside many of these small-scale digital devices is called flash memory, which is the same kind of memory that you would find in a USB key,” Schatz said.

Read More

A federal judge has declared that one of the District’s principal gun control laws is unconstitutional and ordered that its enforcement be halted.

The ruling by Judge Frederick J. Scullin Jr., made public Saturday, orders the city to end its prohibition against carrying a pistol in public.

It was not clear what immediate effect the order would have.

The order was addressed to the District of Columbia and Police Chief Cathy Lanier, as well as their employees and officers and others “who receive actual notice” of the ruling. But it could not be determined Sunday who had received notice. Also unclear was whether the city would appeal and what effect that would have on the enforcement ban.

Legal sources said Saturday night that in general all parties to a case must be duly informed of a ruling and given the opportunity to appeal before it takes effect.

Alan Gura, the lawyer who represents the group challenging the ban, said Sunday that he believes the ruling to be in effect immediately. “The decision is in effect, unless and until the court stays its decision,” he said. “This is now a decision that the city is required to follow — the idea that the city can prohibit absolutely the exercise of a constitutional right for all people at all times, that was struck down. That’s just not going to fly.”

Citing studies of the number of registered gun owners who commit crimes, Gura said that he believes allowing citizens to carry handguns on the street for the purpose of self-defense will lead to a decrease in crimes.

Read More

NEW YORK (Reuters) - A mobile app from a law enforcement technology firm could soon allow emergency responders from different agencies to communicate seamlessly with each other in a crisis for the first time, sharing files and conducting impromptu conference calls.

BlueLine Grid’s applications target what has long been one of the most vexing challenges facing U.S. law enforcement and emergency responders. Communications breakdowns hampered responses to the Sept. 11, 2001 attack in New York and disasters including 2012′s Superstorm Sandy.

“It tells you who is near you, who can help you and allows you to communicate effectively with them,” said David Riker, chief executive officer of privately held BlueLine Grid.

Because the app relies on wireless connectivity it could fail during a disaster, so it is intended to supplement and not replace traditional emergency communications, Riker said.

The app works on devices running on Google Inc’s Android and Apple Inc’s iOS operating system.

BlueLine Grid is a law enforcement technology firm co-founded by New York Police Commissioner Bill Bratton in 2013, who since cut ties to the company to avoid conflicts of interest before returning to the NYPD in January.

The app would be the first to connect individual responders working in the field, using common standards shared in Android and iOS to enable communications between police, fire and other agencies in different jurisdictions, Riker said.

BlueLine Grid uses similar technology to Skype which is known as over-the-top (OTT) voice and messaging, meaning the services run on top of the wireless network, to solve the problem of interoperability.

Experts say that developing better communications systems is one of the key challenges in ongoing efforts to improve security preparedness.

“We have so much law enforcement in the U.S. – more than 700,000 agencies – and each of them has their own method of collecting and sharing information,” said Jim Bueermann, president of the non-profit Police Foundation.

“Finding a platform that is web-based works on mobile platforms and is easy to use is, I think, the holy grail of information sharing,” said Bueermann, a former chief of the Redlands, California police department, which is testing an inter-agency data sharing social media app called CopBook.

Earlier this month, John D. Cohen, the former head of intelligence for the Department of Homeland Security, joined BlueLine Grid’s corporate board.

View Source

Android app market pirates busted by FBI

Trouble with law enforcement started back in 2012 for the three alternative Android app markets.

Back in August 2012, websites called snappzmarket​.com, appbucket​.net and applanet​.net went off the air in a takedown that the Federal Bureau of Investigation (FBI) refers to as “the first time website domains involving mobile device app marketplaces [were] seized.”

Fast forward nearly two years, and things just got a lot worse for several of the alleged operators of those sites.

According to the FBI, Messrs Taylor, Walton, Sharp, Blocker, Buckley and Lee have recently been charged with criminal offences relating to Android app piracy.

We’re not talking about a couple of dodgy apps on your phone here.

The allegations claim that the accused served up more than 5,000,000 copies of other people’s Android apps, without bothering to ask permission first, and without bothering to pay up the fees that the apps’ authors would have collected by selling their apps on legitimate markets.

(The FBI doesn’t identify those legitimate markets, but it’s reasonable to assume that the Google Play Store is one.)

Four others connected with the piracy operation, Messrs Peterson, Dye, Narbone and Pace, were charged earlier in 2014 and pleaded guilty.

The piracy allegations relate to the period from August 2010 to the shutdown in August 2012, which means more than 5,000,000 downloads in just two years.

That works out at close to five Android users every minute who couldn’t resist the chance to avoid paying the typically modest price of a popular paid Android app by going “off market.”

Piracy and malware

The charges relate only to crimes involving intellectual property, such as copyright, so there’s no suggestion that the accused were running a malware dissemination racket at the same time.

So we’re not going to trot out the usual line that you should be careful of pirated apps in case you get infected.

We’ll ask you to avoid pirated apps because you jolly well know that you ought to be paying for them, or choosing legal free alternatives instead.

And, having said that, we are going to trot out the “be careful” line, after all.

For all that there are many reputable apps to be had in many reputable non-Google app markets, you should assume that anyone who cares little enough about an app’s creator to rip him off probably doesn’t care terribly much about you, either.

Read More

A new, extremely persistent type of online tracking is shadowing visitors to thousands of top websites, from WhiteHouse.gov to YouPorn.com.

First documented in a forthcoming paper by researchers at Princeton University and KU Leuven University in Belgium, this type of tracking, called canvas fingerprinting, works by instructing the visitor’s Web browser to draw a hidden image. Because each computer draws the image slightly differently, the images can be used to assign each user’s device a number that uniquely identifies it.

Like other tracking tools, canvas fingerprints are used to build profiles of users based on the websites they visit 2014 profiles that shape which ads, news articles, or other types of content are displayed to them.

But fingerprints are unusually hard to block: They can’t be prevented by using standard Web browser privacy settings or using anti-tracking tools such as AdBlock Plus.

The researchers found canvas fingerprinting computer code, primarily written by a company called AddThis, on 5 percent of the top 100,000 websites. Most of the code was on websites that use AddThis’ social media sharing tools. Other fingerprinters include the German digital marketer Ligatus and the Canadian dating site Plentyoffish. (A list of all the websites on which researchers found the code is HERE).

Rich Harris, chief executive of AddThis, said that the company began testing canvas fingerprinting earlier this year as a possible way to replace “cookies,” the traditional way that users are tracked, via text files installed on their computers.

“We’re looking for a cookie alternative,” Harris said in an interview.

Harris said the company considered the privacy implications of canvas fingerprinting before launching the test, but decided “this is well within the rules and regulations and laws and policies that we have.”

He added that the company has only used the data collected from canvas fingerprints for internal research and development. The company won’t use the data for ad targeting or personalization if users install the AddThis opt-out cookie on their computers, he said.

Arvind Narayanan, the computer science professor who led the Princeton research team, countered that forcing users to take AddThis at its word about how their data will be used, is “not the best privacy assurance.”

Device fingerprints rely on the fact that every computer is slightly different: Each contains different fonts, different software, different clock settings and other distinctive features. Computers automatically broadcast some of their attributes when they connect to another computer over the Internet.

Tracking companies have long sought to use those differences to uniquely identify devices for online advertising purposes, particularly as Web users are increasingly using ad-blocking software and deleting cookies.

Read More

(CNN) – Some residents of Oakland, California, fear their community is creating a monster.

The city calls it the Domain Awareness Center, but opponents call it a “spy machine” and a potential “tool of injustice.”

Known as “the DAC,” it’s a proposed central surveillance facility where authorities can monitor the Port of Oakland and the city’s airport to protect against potential terrorism.

But the broader issue of centralized data surveillance poses serious privacy questions for millions of people in cities around the globe.

In March, more than 100 worried Oakland residents waited past midnight to complain about it during a City Council meeting. Standing at the mic, Maya Shweiky, a self-described public school teacher and Muslim, warned lawmakers their proposal would be used to “discriminate against minorities and perpetuate racial, religious and political profiling.”

While the council voted on the proposal, rowdy protesters began chanting, “No! No! No! No!”

Council members have proposed expanding the DAC to add live, 24/7 data streams from closed circuit traffic cameras, police license plate readers, gunshot detectors and other sources from all over the entire city of Oakland.

The danger, say opponents, is putting all these data resources into one place.

“If you need to go to four different locations to track someone’s movements across town, you’re not going to do it unless you have a good reason,” said Linda Lye of the American Civil Liberties Union of Northern California. “But when you can do it with the press of a button because it’s all at your fingertips, you’ll end up doing it based on your idle curiosity.” That, Lye said, creates a situation ripe for abuse.

Oakland represents just one battleground in a fiery debate about how cities should be using so-called “Big Data,” especially aggregated video and other types of surveillance.

City closed-circuit TV cameras performed famously when they helped identify suspected terrorists in London in 2005 and in Boston last year.

Community surveillance 2.0

But the issue has progressed far beyond the power of a few hundred video cameras and streetlight posts. Community surveillance 2.0 is now all about huge data mash-ups and incredible software that quickly sorts through mountains of information. Bottom line: A relatively small number of people have easy access to data that can track your whereabouts.

In many cities, cameras mounted on police patrol cars gather video of millions of license plates. That data that can be used to track vehicles, possibly yours. Add traffic cameras to the mix. Then include cameras at bus stops, airports and train stations. How about cameras owned by schools and private security companies?

The key to using all this information is the data-mining software that can easily and effectively rifle through it.

Cities leading the way in video data collecting include London — an early and strong adopter of widespread camera surveillance. The UK reportedly has 5.9 million CCTV cameras nationwide. For every 11 British citizens, there’s one CCTV camera, according to Salon.

Nice, France, has been expanding its surveillance center, which is projected to eventually count one camera for every 500 residents.

As Rio de Janeiro hosts the World Cup and the 2016 Olympics, the city plans to make heavy use of its IBM-designed Operations Center, which combines video and other data from 30 agencies including traffic cameras, subways and even weather satellites.

The network includes more than 550 cameras, 400 employees and 60 different layers of data streamed from citywide sensors. Mayor Pedro Junqueira says the center helps emergency teams warn residents in landslide-prone areas when to evacuate during heavy rainstorms.

Read More

CHICAGO (AP) — Illinois’ Supreme Court declared one of the nation’s toughest eavesdropping laws unconstitutional, saying Thursday that the law was so overly broad that it would technically make the recording of screaming fans at a football game a crime.

The ruling is the final defeat for the Illinois Eavesdropping Act, which had made it a felony for someone to record a conversation unless all parties involved agreed. The 1961 law violates free speech and due process protections, the court decided in unanimous decisions in two related cases focused on audio recordings.

State legislators will now have to draft new rules in a very different privacy environment than existed five decades ago.

“The burden is now on the legislature to craft a statute that actually serves the goal of protecting privacy — and that does so without infringing on the rights of citizens to keep public officials honest,” said Gabe Plotkin, a lawyer for Annabel Melongo, a defendant in one of the two cases.

Melongo spent nearly two years in jail after being charged under the statute for recording a Cook County court official over the phone who she believed wasn’t carrying out her duties properly.

The Illinois law had suffered earlier defeats, including in 2012 when the 7th U.S. Circuit Court of Appeals struck down a provision that barred anyone from video recording police officers doing their jobs in public. Thursday’s decisions — in People v. Melongo and People v. Clark — mean lawmakers in Springfield will have to ensure the statute complies with court findings.

“Instead of serving as a shield to protect individual privacy, the statute was written so broadly that it allowed the state to use it as a sword to prosecute citizens for monitoring and reporting on the conduct of public officials,” Plotkin said.

Read More

New groundbreaking fingerprint test

Scientists in Newcastle could have made one of the largest leaps forward in crime scene investigation in decades.

Experts at Arro SupraNano, which is based in the Herschel Annex of Newcastle University, has created a new test that can give detailed information about a person just from one fingerprint, in minutes.

And such is the global interest in the new technique, which could save police huge amounts of time and money, that the firm is already winning awards for its work.

“A murder case could cost between £1m and £3m, with most of that in time and legwork,” said Arro’s managing director Eamonn Cooney, who describes existing fingerprinting techniques as a “pretty hitty-missy process.”

“But with this test you can say male or female, whether they are on medication, what their lifestyle is, are they taking or distributing drugs, or if they are a terrorists. And we can tell you that within minutes of a sample reaching the lab.

“If you took 100 suspects and had each of them take the test then you could narrow it down to two or three very quickly.

“Police say it has definite applications for serious crimes – murders, sexual assaults or arson.

“And we’ve even had defence attorneys in America come and ask whether they could use it to prove their clients are innocent.”

The technology behind the new powder – which its makers claim can alone improve the clarity of fingerprints by 40% – and test was first developed by Professor Frederick Rowell at Sunderland University in 2005, with Arro SupraNano founded in 2007.

After seven years of development by the firm, which employs six people, the powder launched in January and is now being sold around the world, with the patented analytic test set to go to market in the coming months.

The company recently received the Forensics and Expert Witness E Magazine’s annual product development award.

“Fingerprinting has not changed much in many years,” said Mr Cooney. “You go to a crime scene, brush with powder, lift the print with tape, take a photo and record it on a national database. But we’ve done two new things with nano particles.

“Our powder adheres much more closely to the ridges and troughs of a fingerprint, as the particles are chemically very sticky, which is really important as for comparison you’re looking for 12 to 20 points, and prints are often smudged, but you can now see the details much more clearly and there is less background staining.

“Then we decided to take it a step further because we found there is a lot of information of the fingertip itself.

“We can test for drugs, explosives or gun residue, or other substances that police might be interested in.

Read More