Category Archives: Security

Kids-Secrets

Shhh… The “Secret” App – Parents Should Beware How Kids Are Keeping & Sharing Secrets Through Anonymous Posts that Aren’t Really Anonymous

This is one app all parents should be aware of. The Secrets app is the cyberspace where kids make their confessions and share their best kept secrets and the nightmare is, their supposedly anonymous postings were highly vulnerable after all.

HealthcareHacks

Shhh… The Why’s, How’s and What’s of Hacks into Health Insurance Companies Like Anthem and Premera

It should come as no surprise that health insurance companies store lots, lots more sensitive and personal information about their clients than banks and credit card companies and it certainly doesn’t help when they were not taking cybersecurity seriously, as the recent hacks on Anthem and Premera (article below) have highlighted.

And what’s going to happen to these clients following the (Anthem and Premera) hacks? Watch the video clips below.

The disturbing truth behind the Premera, Anthem attacks

March 24, 2015 | By Dan Bowman

As details continue to emerge following the recent hack attacks on payers Anthem and Premera–in which information for close to 90 million consumers combined may have been put at risk–perhaps the most disturbing revelation of all is that, in both instances, neither entity appears to truly take security seriously.

Premera, for instance, knew three weeks prior to the initial penetration of its systems in May 2014 that network security issues loomed large. A report sent by the U.S. Office of Personnel Management’s Office of Inspector General detailed several vulnerabilities, including a lack of timely patch implementations and insecure server configurations.

The findings were so bad, they prompted OPM to warn Premera, “failiure to promptly install important updates increases the risk that vulnerabilities will not be remediated and sensitive data could be breached.” In addition, OPM told the Mountlake Terrace, Washington-based insurer that failure to remove outdated software would increase the risk of a successful malicious attack on its information systems.

“Promptly” to Premera apparently meant eight months down the road. And one month after its self-imposed Dec. 31, 2014, deadline to resolve its issues, guess what the payer found?

Just imagine how much damage could have been spared had Premera acted with more haste.

In Anthem’s case, negligence continues to persist. The nation’s second-largest payer has refused to allow a federal watchdog agency to perform vulnerability scans and compliance tests on its systems in the wake of its massive hack attack. It also prevented auditors from adequately testing whether it appropriately secured its computer information systems during a 2013 audit, citing corporate policy prohibiting external entities from connecting to the Anthem network.

Corporate policy is all well and good, but it’s not going to mean squat to a consumer two years from now when Anthem’s complimentary credit monitoring wears off and the hackers begin wading through the treasure trove of stolen information. As one of those consumers, it would be nice to hear Anthem take the advice Shaun Greene, chief operating officer of Salt Lake City-based Arches Health Plan, who told my colleague Brian Eastwood last month that payers should hire third parties to conduct HIPAA risk assessments.

“That way, you avoid internal posturing and receive objective feedback,” Greene said.

Following last summer’s massive Community Health Systems breach–and on the heels of other high-profile cybersecurity attacks–it appeared earlier this year that the healthcare industry was finally starting to truly prioritize information protection.

That’s not to say that the majority of the industry doesn’t take such matters seriously. But it’s disappointing to see that some of its biggest players seem to feel differently. – Dan (@Dan_Bowman and @FierceHealthIT)

MacBookAir-USB-c

Shhh… The USB-C Makes those new MacBooks More Vulnerable

You may want to think twice about the new MacBook.

Apple may have ideas about its newly introduced USB-C but widely reported vulnerabilities of USB devices amplify big troubles ahead, as the following article explains.

MacBookAir-USB-c2

The NSA Is Going to Love These USB-C Charging Cables

Mario Aguilar
3/17/15 12:35pm

Thanks to Apple’s new MacBook and Google’s new Chromebook Pixel, USB-C has arrived. A single flavor of cable for all your charging and connectivity needs? Hell yes. But that convenience doesn’t come without a cost; our computers will be more vulnerable than ever to malware attacks, from hackers and surveillance agencies alike.

The trouble with USB-C stems from the fact that the USB standard isn’t very secure. Last year, researchers wrote a piece of malware called BadUSB which attaches to your computer using USB devices like phone chargers or thumb drives. Once connected, the malware basically takes over a computer imperceptibly. The scariest part is that the malware is written directly to the USB controller chip’s firmware, which means that it’s virtually undetectable and so far, unfixable.

Before USB-C, there was a way to keep yourself somewhat safe. As long as you kept tabs on your cables, and never stuck random USB sticks into your computer, you could theoretically keep it clean. But as The Verge points out, the BadUSB vulnerability still hasn’t been fixed in USB-C, and now the insecure port is the slot where you connect your power supply. Heck, it’s shaping up to be the slot where you connect everything. You have no choice but to use it every day. Think about how often you’ve borrowed a stranger’s power cable to get charged up. Asking for a charge from a stranger is like having unprotected sex with someone you picked up at the club.

What the Verge fails to mention however, is that it’s potentially much worse than that. If everyone is using the same power charger, it’s not just renegade hackers posing as creative professionals in coffee shops that you need to worry about. With USB-C, the surveillance establishment suddenly has a huge incentive to figure out how to sneak a compromised cable into your power hole.

It might seem alarmist and paranoid to suggest that the NSA would try to sneak a backdoor into charging cables through manufacturers, except that the agency has been busted trying exactly this kind of scheme. Last year, it was revealed that the NSA paid security firm RSA $10 million to leave a backdoor in their encryption unpatched. There’s no telling if or when or how the NSA might try to accomplish something similar with USB-C cables, but it stands to reason they would try.

We live in a world where we plug in with abandon, and USB-C’s flexibility is designed to make plugging in easier than ever. Imagine never needing to guess whether or not your aunt’s house will have a charger for your phone. USB-C could become so common that this isn’t even a question. Of course she has one! With that ubiquity and convenience comes a risk that the tech could become exploited—not just by criminals, but also by the government’s data siphoning machine.

Apple-Location-Maps2

Shhh… Apple Still Wants to Find You Even When Location Services are Switched Off

Interesting live demonstration – see video clip below, where the publisher Chris Gagné said:

Apple’s help text says “You can also turn Location Services off altogether by deselecting Enable Location Services in the Privacy pane of Security & Privacy preferences. However, here’s a video showing that although Location Services are turned off, Apple’s com.apple.geod (their location services daemon) is still active and attempting to communicate with gsp-ssl.ls.apple.com. It’s blocked from doing so by Little Snitch, whose Network Monitor is showing all of these attempts. This is on Mac Os 10.10.2.

Hacked

Shhh… Anatomy of a Hack – What Should You Do After You’re Hacked?

Ever wonder what happens when one’s hacked?

Here’s an insightful chilling account of how one victim attempted to trace the hacker who invaded into his onlife life and Bitcoin wallet.

Hacked-AnatomyOfAHack

Anatomy of a Hack

In the early morning hours of October 21st, 2014, Partap Davis lost $3,000. He had gone to sleep just after 2AM in his Albuquerque, New Mexico, home after a late night playing World of Tanks. While he slept, an attacker undid every online security protection he set up. By the time he woke up, most of his online life had been compromised: two email accounts, his phone, his Twitter, his two-factor authenticator, and most importantly, his bitcoin wallets.

Davis was careful when it came to digital security. He chose strong passwords and didn’t click on bogus links. He used two-factor authentication with Gmail, so when he logged in from a new computer, he had to type in six digits that were texted to his phone, just to make sure it was him. He had made some money with the rise of bitcoin and held onto the bitcoin in three protected wallets, managed by Coinbase, Bitstamp, and BTC-E. He also used two-factor with the Coinbase and BTC-E accounts. Any time he wanted to access them, he had to verify the login with Authy, a two-factor authenticator app on his phone.

Other than the bitcoin, Davis wasn’t that different from the average web user. He makes his living coding, splitting time between building video education software and a patchwork of other jobs. On the weekends, he snowboards, exploring the slopes around Los Alamos. This is his 10th year in Albuquerque; last year, he turned 40.

After the hack, Davis spent weeks tracking down exactly how it had happened, piecing together a picture from access logs and reluctant customer service reps. Along the way, he reached out to The Verge, and we added a few more pieces to the puzzle. We still don’t know everything — in particular, we don’t know who did it — but we know enough to say how they did it, and the points of failure sketch out a map of the most glaring vulnerabilities of our digital lives.

Mail.com

It started with Davis’ email. When he was first setting up an email account, Davis found that Partap@gmail.com was taken, so he chose a Mail.com address instead, setting up Partap@mail.com to forward to a less memorably named Gmail address.

Some time after 2AM on October 21st, that link was broken. Someone broke into Davis’ mail.com account and stopped the forwarding. Suddenly there was a new phone number attached to the account — a burner Android device registered in Florida. There was a new backup email too, swagger@mailinator.com, which is still the closest thing we have to the attacker’s name.

For simplicity’s sake, we’ll call her Eve.

How did Eve get in? We can’t say for sure, but it’s likely that she used a script to target a weakness in Mail.com’s password reset page. We know such a script existed. For months, users on the site Hackforum had been selling access to a script that reset specific account passwords on Mail.com. It was an old exploit by the time Davis was targeted, and the going rate was $5 per account. It’s unclear how the exploit worked and whether it has been closed in the months since, but it did exactly what Eve needed. Without any authentication, she was able to reset Davis’ password to a string of characters that only she knew.

AT&T

Eve’s next step was to take over Partap’s phone number. She didn’t have his AT&T password, but she just pretended to have forgotten it, and ATT.com sent along a secure link to partap@mail.com to reset it. Once inside the account, she talked a customer service rep into forwarding his calls to her Long Beach number. Strictly speaking, there are supposed to be more safeguards required to set up call forwarding, and it’s supposed to take more than a working email address to push it through. But faced with an angry client, customer service reps will often give way, putting user satisfaction over the colder virtues of security.

Once forwarding was set up, all of Davis’ voice calls belonged to Eve. Davis still got texts and emails, but every call was routed straight to the attacker. Davis didn’t realize what had happened until two days later, when his boss complained that Davis wasn’t picking up the phone.


Google and Authy

Next, Eve set her sights on Davis’ Google account. Experts will tell you that two-factor authentication is the best protection against attacks. A hacker might get your password or a mugger might steal your phone, but it’s hard to manage both at once. As long as the phone is a physical object, that system works. But people replace their phones all the time, and they expect to be able to replace the services, too. Accounts have to be reset 24 hours a day, and two-factor services end up looking like just one more account to crack.

Davis hadn’t set up Google’s Authenticator app, the more secure option, but he had two-factor authentication enabled — Google texted him a confirmation code every time he logged in from a new computer. Call forwarding didn’t pass along Davis’ texts, but Eve had a back door: thanks to Google’s accessibility functions, she could ask for the confirmation code to be read out loud over the phone.

Authy should have been harder to break. It’s an app, like Authenticator, and it never left Davis’ phone. But Eve simply reset the app on her phone using a mail.com address and a new confirmation code, again sent by a voice call. A few minutes after 3AM, the Authy account moved under Eve’s control.

It was the same trick that had fooled Google: as long as she had Davis’ email and phone, two-factor couldn’t tell the difference between them. At this point, Eve had more control over Davis’s online life than he did. Aside from texting, all digital roads now led to Eve.

Coinbase

At 3:19AM, Eve reset Davis’s Coinbase account, using Authy and his Mail.com address. At 3:55AM, she transferred the full balance (worth roughly $3,600 at the time) to a burner account she controlled. From there, she made three withdrawals — one 30 minutes after the account was opened, then another 20 minutes later, and another five minutes after that. After that, the money disappeared into a nest of dummy accounts, designed to cover her tracks. Less than 90 minutes after his Mail.com account was first compromised, Davis’ money was gone for good.

Authy might have known something was up. The service keeps an eye out for fishy behavior, and while they’re cagey about what they monitor, it seems likely that an account reset to an out-of-state number in the middle of the night would have raised at least a few red flags. But the number wasn’t from a known fraud center like Russia or Ukraine, even if Eve might have been. It would have seemed even more suspicious when Eve logged into Coinbase from the Canadian IP. Could they have stopped her then? Modern security systems like Google’s ReCAPTCHA often work this way, adding together small indicators until there’s enough evidence to freeze an account — but Coinbase and Authy each only saw half the picture, and neither had enough to justify freezing Partap’s account.


BTC-E and Bitstamp

When Davis woke up, the first thing he noticed was that his Gmail had mysteriously logged out. The password had changed, and he couldn’t log back in. Once he was back in the account, he saw how deep the damage went. There were reset emails from each account, sketching out a map of the damage. When he finally got into his Coinbase account, he found it empty. Eve had made off with 10 bitcoin, worth more than $3,000 at the time. It took hours on the phone with customer service reps and a faxed copy of his driver’s license before he could convince them he was the real Partap Davis.

What about the two other wallets? There was $2,500 worth of bitcoin in them, with no advertised protections that the Coinbase wallet didn’t have. But when Davis checked, both accounts were still intact. BTC-e had put a 48-hour hold on the account after a password change, giving him time to prove his identity and recover the account. Bitstamp had an even simpler protection: when Eve emailed to reset Davis’s authentication token, they had asked for an image of his driver’s license. Despite all Eve’s access, it was one thing she didn’t have. Davis’ last $2,500 worth of bitcoin was safe.


Twitter

It’s been two months now since the attack, and Davis has settled back into his life. The last trace of the intrusion is Davis’ Twitter account, which stayed hacked for weeks after the other accounts. @Partap is a short handle, which makes it valuable, so Eve held onto it, putting in a new picture and erasing any trace of Davis. A few days after the attack, she posted a screenshot of a hacked Xfinity account, tagging another handle. The account didn’t belong to Davis, but it belonged to someone. She had moved onto the next target, and was using @partap as a disposable accessory to her next theft, like a stolen getaway car.

Who was behind the attack? Davis has spent weeks looking for her now — whole afternoons wasted on the phone with customer service reps — but he hasn’t gotten any closer. According to account login records, Eve’s computer was piping in from a block of IP addresses in Canada, but she may have used Tor or a VPN service to cover her tracks. Her phone number belonged to an Android device in Long Beach, California, but that phone was most likely a burner. There are only a few tracks to follow, and each one peters out fast. Wherever she is, Eve got away with it.

Why did she choose Partap Davis? She knew about the wallets upfront, we can assume. Why else would she have spent so much time digging through the accounts? She started at the mail.com account too, so we can guess that somehow, Eve came across a list of bitcoin users with Davis’ email address on it. A number of leaked Coinbase customer lists are floating around the internet, although I couldn’t find Davis’ name on any of them. Or maybe his identity came from an equipment manufacturer or a bitcoin retailer. Leaks are commonplace these days, and most go unreported.

Davis is more careful with bitcoin these days, and he’s given up on the mail.com address — but otherwise, not much about his life has changed. Coinbase has given refunds before, but this time they declined, saying the company’s security wasn’t at fault. He filed a report with the FBI, but the bureau doesn’t seem interested in a single bitcoin theft. What else is there to do? He can’t stop using a phone or give up the power to reset an account. There were just so many accounts, so many ways to get in. In the security world, they call this the attack surface. The bigger the surface, the harder it is to defend.

Most importantly, resetting a password is still easy, as Eve discovered over and over again. When a service finally stopped her, it wasn’t an elaborate algorithm or a fancy biometric. Instead, one service was willing to make customers wait 48 hours before authorizing a new password. On a technical level, it’s a simple fix, but a costly one. Companies are continuously balancing the small risk of compromise against the broad benefits of convenience. A few people may lose control of their account, but millions of others are able to keep using the service without a hitch. In the fight between security and convenience, security is simply outgunned.

3/5 11:10am ET: Updated to clarify Bitstamp security protocols.

MicrosoftHELLO-Hepburn2

Shhh… Windows 10 – “Windows Hello” Biometric Authentication Technology has Potential Serious Security Loopholes

Something is fundamentally wrong…

The new Windows 10, reportedly to be released this summer, comes with Windows Hello, which will log in users with biometric authentication, ie. the technology will unlock the devices by using the users’ face, fingerprint or iris which Microsoft label as “more personal and more secure” with security and privacy accounted for.

Well, let’s see how this would last. Recall Apple’s fingerprint reading technology on its previous iPhones was hacked within 24 hours.

And speaking of facial recognition, I know someone whose six year old son managed to fool a Samsung smartphone because of the resemblance to his mother. All it took for him was to stare at her mom’s phone while she was asleep and… Bingo!

So here’s my question: what about identical twins?

Good luck, Windows 10.

Microsoft-PhoneSupport-Scam2

Shhh… Live Recording: Microsoft Phone Support Scam at Work

If there’s any one lesson on computer/phone scams you need to remember: Microsoft, or Apple for that matter, will not initiate a call to offer a remote computer scan to fix a “problem”.

So here’s an actual incident when the scammers called and met their match – it was a computer security researcher on the line, who recorded the entire conversation (his two audio files below).

At one point, after allowing the scammer to gain some limited control of his computer screen, he informed the caller that she was busted, who in turn threatened to hack him (second audio file).

Enjoy witnessing scammers at work and here’s the article for a brief background.

Oh by the way, the caller’s number was 949-000-7676.

Airport-SecurityChecks

Shhh… What Can You Do If Airport Checkpoints Demand for Your Smartphone Password?

Ever wonder if this could happen to you? A Canadian man was charged for not revealing the password of his smartphone when requested by airport’s border officials.

I wrote in an earlier column about how spies cope with airport security checkpoints but what can you do if you anticipate this (see article below) could happen to you at the airport?

I reckon at the very least, reset the password to your phone before you reached the checkpoint. If your phone has an external SD card, transfer all your files to the card before you remove and replace it with a spare and ideally empty SD card – hide the files-loaded SD card deep inside your hand-carry bag. And bingo if you have a spare or expired SIM card…

You have then done the best you could to preserve your privacy. Good luck.

Quebec resident Alain Philippon to fight charge for not giving up phone password at airport

Whether border officials can force you to provide password hasn’t been tested in Canadian courts

By Jack Julian, CBC News Posted: Mar 04, 2015 9:32 PM AT Last Updated: Mar 05, 2015 2:05 PM AT

A Quebec man charged with obstructing border officials by refusing to give up his smartphone password says he will fight the charge.

The case has raised a new legal question in Canada, a law professor says.

Alain Philippon, 38, of Ste-Anne-des-Plaines, Que., refused to divulge his cellphone password to Canada Border Services Agency during a customs search Monday night at Halifax Stanfield International Airport.

Philippon had arrived in Halifax on a flight from Puerto Plata in the Dominican Republic. He’s been charged under section 153.1 (b) of the Customs Act for hindering or preventing border officers from performing their role under the act.

According to the CBSA, the minimum fine for the offence is $1,000, with a maximum fine of $25,000 and the possibility of a year in jail.

Philippon did not want to be interviewed but said he intends to fight the charge since he considers the information on his phone to be “personal.”

The CBSA wouldn’t say why Philippon was selected for a smartphone search.

In an email, a border services spokesperson wrote, “Officers are trained in examination, investigative and questioning techniques. To divulge our approach may render our techniques ineffective. Officers are trained to look for indicators of deception and use a risk management approach in determining which goods may warrant a closer look.”​

Rob Currie, director of the Law and Technology Institute at the Schulich School of Law at Dalhousie University, said that under Canadian law, travellers crossing the Canadian border have a reduced expectation of privacy.

He said border officials have wide-ranging powers to search travellers and their belongings.

“Under the Customs Act, customs officers are allowed to inspect things that you have, that you’re bringing into the country,” he told CBC News. “The term used in the act is ‘goods,’ but that certainly extends to your cellphone, to your tablet, to your computer, pretty much anything you have.”

Philippon has been released on bail, and will return to court in Dartmouth on May 12 for election and plea.


Not tested yet in court

Currie said the issue of whether a traveller must reveal a password to an electronic device at the border hasn’t been tested by a court.

“This is a question that has not been litigated in Canada, whether they can actually demand you to hand over your password to allow them to unlock the device,” he said. “[It’s] one thing for them to inspect it, another thing for them to compel you to help them.”

Currie said the obstruction case hinges on that distinction.

“[It’s] a very interesting one to watch.”

Blurred-pics

Shhh… Fujitsu Can Detect Faces in Blurred Security Videos

Above photo credit: http://background-kid.com/blurred-people-background.html

Great, now there’s a new technology to get true clear pictures out of blurred CCTV images just when we learned last week that there are gadgets to hide one’s identity from the prying eyes of facial recognition programs like the FBI’s US$1 billion futuristic facial recognition program – the Next Generation Identification (NGI) System.

Fujitsu, the Japanese multinational information technology equipment and services company, recently said it has invented a new, first of its kind image-processing technology that can detect people from low-resolution imagery and track people in security camera footage, even when the images are heavily blurred to protect privacy. See full story below.

Sad to say, this is probably the easiest, effective and most feasible solution:

FaceMask

Fujitsu tech can track heavily blurred people in security videos

By Tim Hornyak
IDG News Service | March 6, 2015

Fujitsu has developed image-processing technology that can be used to track people in security camera footage, even when the images are heavily blurred to protect their privacy.

Fujitsu Laboratories said its technology is the first of its kind that can detect people from low-resolution imagery in which faces are indistinguishable.

Detecting the movements of people could be useful for retail design, reducing pedestrian congestion in crowded urban areas or improving evacuation routes for emergencies, it said.

Fujitsu used computer-vision algorithms to analyze the imagery and identify the rough shapes, such as heads and torsos, that remain even if the image is heavily pixelated. The system can pick out multiple people in a frame, even if they overlap.

Using multiple camera sources, it can then determine if two given targets are the same person by focusing on the distinctive colors of a person’s clothing.

An indoor test of the system was able to track the paths of 80 percent of test subjects, according to the company. Further details of the trial were not immediately available.

“The technology could be used by a business owner when planning the layout of their next restaurant/shop,” a Fujitsu spokesman said via email. “It would also be used by the operators of a large sporting event during times of heavy foot traffic.”

People-tracking know-how has raised privacy concerns in Japan. Last year, the National Institute of Information and Communications Technology (NICT) was forced to delay and scale down a large, long-term face-recognition study it was planning to carry out at Osaka Station, one of the country’s busiest rail hubs.

The Fujitsu research is being presented to a conference of the Information Processing Society of Japan being held at Tohoku University in northern Japan. The company hopes to improve the accuracy of the system with an aim to commercializing it in the year ending March 31, 2016.

Fujitsu has also been developing retail-oriented technology such as sensors that follow a person’s gaze as he or she looks over merchandise as well as LED lights that can beam product information for smartphones.

ProtonMail

Shhh… ProtonMail: Email Privacy and Encryption

Sending an email message is like sending a postcard. That’s the message Hillary Clinton probably now wish she heard earlier.

Andy Yen, a scientist at CERN – the European Organization for Nuclear Research – co-founded ProtonMail, an encrypted email startup based in Geneva, Switzerland. As he explained in this TEDTalk, it is easy to make encryption easy for all to use and keep all email private.

But curiously, it seems so much like PGP.

Obama-China

Shhh… How Come Obama Suddenly Understood & Explained to China Why Backdoors into Encryption is Really Bad?

“Those kinds of restrictive practices I think would ironically hurt the Chinese economy over the long term because I don’t think there is any US or European firm, any international firm, that could credibly get away with that wholesale turning over of data, personal data, over to a government.”

That’s a quote from Obama reported in The Guardian (see article below).

Oh great, so Obama actually understood the consequences of government gaining backdoors into encryption? He should give the same advice to his NSA director Mike Rogers who somehow struggled when asked about the issue recently.

Building backdoors into encryption isn’t only bad for China, Mr President

Trevor Timm
@trevortimm
Wednesday 4 March 2015 16.15 GMT

Want to know why forcing tech companies to build backdoors into encryption is a terrible idea? Look no further than President Obama’s stark criticism of China’s plan to do exactly that on Tuesday. If only he would tell the FBI and NSA the same thing.

In a stunningly short-sighted move, the FBI – and more recently the NSA – have been pushing for a new US law that would force tech companies like Apple and Google to hand over the encryption keys or build backdoors into their products and tools so the government would always have access to our communications. It was only a matter of time before other governments jumped on the bandwagon, and China wasted no time in demanding the same from tech companies a few weeks ago.

As President Obama himself described to Reuters, China has proposed an expansive new “anti-terrorism” bill that “would essentially force all foreign companies, including US companies, to turn over to the Chinese government mechanisms where they can snoop and keep track of all the users of those services.”

Obama continued: “Those kinds of restrictive practices I think would ironically hurt the Chinese economy over the long term because I don’t think there is any US or European firm, any international firm, that could credibly get away with that wholesale turning over of data, personal data, over to a government.”

Bravo! Of course these are the exact arguments for why it would be a disaster for US government to force tech companies to do the same. (Somehow Obama left that part out.)

As Yahoo’s top security executive Alex Stamos told NSA director Mike Rogers in a public confrontation last week, building backdoors into encryption is like “drilling a hole into a windshield.” Even if it’s technically possible to produce the flaw – and we, for some reason, trust the US government never to abuse it – other countries will inevitably demand access for themselves. Companies will no longer be in a position to say no, and even if they did, intelligence services would find the backdoor unilaterally – or just steal the keys outright.

For an example on how this works, look no further than last week’s Snowden revelation that the UK’s intelligence service and the NSA stole the encryption keys for millions of Sim cards used by many of the world’s most popular cell phone providers. It’s happened many times before too. Ss security expert Bruce Schneier has documented with numerous examples, “Back-door access built for the good guys is routinely used by the bad guys.”

Stamos repeatedly (and commendably) pushed the NSA director for an answer on what happens when China or Russia also demand backdoors from tech companies, but Rogers didn’t have an answer prepared at all. He just kept repeating “I think we can work through this”. As Stamos insinuated, maybe Rogers should ask his own staff why we actually can’t work through this, because virtually every technologist agrees backdoors just cannot be secure in practice.

(If you want to further understand the details behind the encryption vs. backdoor debate and how what the NSA director is asking for is quite literally impossible, read this excellent piece by surveillance expert Julian Sanchez.)

It’s downright bizarre that the US government has been warning of the grave cybersecurity risks the country faces while, at the very same time, arguing that we should pass a law that would weaken cybersecurity and put every single citizen at more risk of having their private information stolen by criminals, foreign governments, and our own.

Forcing backdoors will also be disastrous for the US economy as it would be for China’s. US tech companies – which already have suffered billions of dollars of losses overseas because of consumer distrust over their relationships with the NSA – would lose all credibility with users around the world if the FBI and NSA succeed with their plan.

The White House is supposedly coming out with an official policy on encryption sometime this month, according to the New York Times – but the President can save himself a lot of time and just apply his comments about China to the US government. If he knows backdoors in encryption are bad for cybersecurity, privacy, and the economy, why is there even a debate?

PrivacyGlasses-AVG3

Shhh… How to Make Yourself Invisible to Facial Recognition with the New “Privacy Glasses”?

Forget Google Glass, there’s something more fun and useful (picture above) but first, consider this picture below.

FacialRecog-FBI4

It may sounds like the Hollywood movie Matrix but let’s face it, everyone would sooner or later have their photos captured in the public space.

Consider for example, the FBI’s US$1 billion futuristic facial recognition program – the Next Generation Identification (NGI) System – was already up and running with the aim to capture photographs of every Americans and everyone on US soils.

FacialRecog-GovtDB

The pictures above is an example of what the US government had collected of one individual – she filed a Freedom of Information Act request to see what was collected and the Department of Homeland Security subsequently released the data collected under the Global Entry Program.

But apart from immigration checkpoints, and potentially other files from other government departments (local and global), we are also subjected to the millions of CCTV cameras in public areas and the facial recognition programs scanning through the captured images (and also those on the internet and social networks).

So it’s good to know there may be a potential solution – though it’s still early days and it may not apply to cameras at immigration checkpoints.

PrivacyGlasses-AVG4

The (computer) antivirus software company AVG is working on a “privacy glasses” project. These glasses (above) are designed to obfuscate your identity and prevent any facial recognition software from figuring out who you are, either by matching you with the pictures in their database or creating a new file of you for future use.

Find out more from this article below.

PrivacyGlasses-AVG5
PrivacyGlasses-AVG6

Mega-cloud

Shhh… US Pressures Forced PayPal to Punish Mega (& MegaChat) for Encrypted Communications & Keeping Our Privacy

This is bizarre (see article below) but a good sign that what Mega offers in encrypted communications is the real deal and the authorities are certainly not impressed, thus the pressures on credit card companies to force Paypal to block out Mega, as they did previously with WikiLeaks.

BUT don’t forget Kim Dotcom’s newly launched end-to-end encrypted voice calling service “MegaChat” comes in both free and paid versions – see my earlier piece on how to register for MegaChat.

Under U.S. Pressure, PayPal Nukes Mega For Encrypting Files

By Andy
on February 27, 2015

After coming under intense pressure PayPal has closed the account of cloud-storage service Mega. According to the company, SOPA proponent Senator Patrick Leahy personally pressured Visa and Mastercard who in turn called on PayPal to terminate the account. Bizarrely, Mega’s encryption is being cited as a key problem.

During September 2014, the Digital Citizens Alliance and Netnames teamed up to publish a brand new report. Titled ‘Behind The Cyberlocker Door: A Report How Shadowy Cyberlockers Use Credit Card Companies to Make Millions,’ it offered insight into the finances of some of the world’s most popular cyberlocker sites.

The report had its issues, however. While many of the sites covered might at best be considered dubious, the inclusion of Mega.co.nz – the most scrutinized file-hosting startup in history – was a real head scratcher. Mega conforms with all relevant laws and responds quickly whenever content owners need something removed. By any standard the company lives up to the requirements of the DMCA.

“We consider the report grossly untrue and highly defamatory of Mega,” Mega CEO Graham Gaylard told TF at the time. But now, just five months on, Mega’s inclusion in the report has come back to bite the company in a big way.

Speaking via email with TorrentFreak this morning, Gaylard highlighted the company’s latest battle, one which has seen the company become unable to process payments from customers. It’s all connected with the NetNames report and has even seen the direct involvement of a U.S. politician.

According to Mega, following the publication of the report last September, SOPA and PIPA proponent Senator Patrick Leahy (Vermont, Chair Senate Judiciary Committee) put Visa and MasterCard under pressure to stop providing payment services to the ‘rogue’ companies listed in the NetNames report.

Following Leahy’s intervention, Visa and MasterCard then pressured PayPal to cease providing payment processing services to MEGA. As a result, Mega is no longer able to process payments.

“It is very disappointing to say the least. PayPal has been under huge pressure,” Gaylard told TF.

The company did not go without a fight, however.

“MEGA provided extensive statistics and other evidence showing that MEGA’s business is legitimate and legally compliant. After discussions that appeared to satisfy PayPal’s queries, MEGA authorised PayPal to share that material with Visa and MasterCard. Eventually PayPal made a non-negotiable decision to immediately terminate services to MEGA,” the company explains.

paypalWhat makes the situation more unusual is that PayPal reportedly apologized to Mega for its withdrawal while acknowledging that company’s business is indeed legitimate.

However, PayPal also advised that Mega’s unique selling point – it’s end-to-end-encryption – was a key concern for the processor.

“MEGA has demonstrated that it is as compliant with its legal obligations as USA cloud storage services operated by Google, Microsoft, Apple, Dropbox, Box, Spideroak etc, but PayPal has advised that MEGA’s ‘unique encryption model’ presents an insurmountable difficulty,” Mega explains.

As of now, Mega is unable to process payments but is working on finding a replacement. In the meantime the company is waiving all storage limits and will not suspend any accounts for non-payment. All accounts have had their subscriptions extended by two months, free of charge.

Mega indicates that it will ride out the storm and will not bow to pressure nor compromise the privacy of its users.

“MEGA supplies cloud storage services to more than 15 million registered customers in more than 200 countries. MEGA will not compromise its end-to-end user controlled encryption model and is proud to not be part of the USA business network that discriminates against legitimate international businesses,” the company concludes.

US-China

Shhh… NSA Demands on Crypto Backdoors Led to US-China Spat on Backdoors & Encryption

Photo (above) credit: US-China Perception Monitor.

GlennGreenward-Tweets

The tweet from Glenn Greenwald above sums up the prevailing stance between the US and China (see video clip below) on backdoors and encryption matters – please see also article below.

It’s not like the NSA has not been warned and China may just be the first of many to come.

The United States Is Angry That China Wants Crypto Backdoors, Too

Written by
Lorenzo Franceschi-Bicchierai
February 27, 2015 // 03:44 PM EST

When the US demands technology companies install backdoors for law enforcement, it’s okay. But when China demands the same, it’s a whole different story.

The Chinese government is about to pass a new counter terrorism law that would require tech companies operating in the country to turn over encryption keys and include specially crafted code in their software and hardware so that chinese authorities can defeat security measures at will.

Technologists and cryptographers have long warned that you can’t design a secure system that will enable law enforcement—and only law enforcement—to bypass the encryption. The nature of a backdoor door is that it is also a vulnerability, and if discovered, hackers or foreign governments might be able to exploit it, too.

Yet, over the past few months, several US government officials, including the FBI director James Comey, outgoing US Attorney General Eric Holder, and NSA Director Mike Rogers, have all suggested that companies such as Apple and Google should give law enforcement agencies special access to their users’ encrypted data—while somehow offering strong encryption for their users at the same time.


“If the US forces tech companies to install backdoors in encryption, then tech companies will have no choice but to go along with China when they demand the same power.”

Their fear is that cops and feds will “go dark,” an FBI term for a potential scenario where encryption makes it impossible to intercept criminals’ communications.

But in light of China’s new proposals, some think the US’ own position is a little ironic.

“You can’t have it both ways,” Trevor Timm, the co-founder and the executive director of the Freedom of the Press Foundation, told Motherboard. “If the US forces tech companies to install backdoors in encryption, then tech companies will have no choice but to go along with China when they demand the same power.”

He’s not the only one to think the US government might end up regretting its stance.


Someday US officials will look back and realize how much global damage they’ve enabled with their silly requests for key escrow.

— Matthew Green (@matthew_d_green) February 27, 2015

Matthew Green, a cryptography professor at Johns Hopkins University, tweeted that someday US officials will “realize how much damage they’ve enabled” with their “silly requests” for backdoors.

Matthew Green, a cryptography professor at Johns Hopkins University, tweeted that someday US officials will “realize how much damage they’ve enabled” with their “silly requests” for backdoors.

Ironically, the US government sent a letter to China expressing concern about its new law. “The Administration is aggressively working to have China walk back from these troubling regulations,” US Trade Representative Michael Froman said in a statement.

A White House spokesperson did not respond to a request for comment from Motherboard.

“It’s stunningly shortsighted for the FBI and NSA not to realize this,” Timm added. “By demanding backdoors, these US government agencies are putting everyone’s cybersecurity at risk.”

In an oft-cited examples of “if you build it, they will come,” hackers exploited a system designed to let police tap phones to spy on more than a hundred Greek cellphones, including that of the prime minister.

At the time, Steven Bellovin, a computer science professor at Columbia University, wrote that this incident shows how “built-in wiretap facilities and the like are really dangerous, and are easily abused.”

That hasn’t stopped other from asking though. Several countries, including India, Kuwait and UAE, requested BlackBerry to include a backdoor in its devices so that authorities could access encrypted communications. And a leaked document in 2013 revealed that BlackBerry’s lawful interception system in India was “ready for use.”

Wanted-Evgeniy Bogachev

How to Cope With File-Encrypting Ransomware Risks (After US Offer $3mn Award for GameOver Zeus creator Evgeniy Bogachev)?

It could be game over for Russian hacker Evgeniy Bogachev as the US State Department and FBI have issued a “Wanted” poster with a US$3 million reward for information leading to his arrest, the highest price the US authorities had ever placed on a head in a cyber case.

Wanted-Evgeniy Bogachev2

Bogachev, apparently still in Russia, was charged by the US for running a computer attack called GameOver Zeus that has allegedly amassed in excess of US$100 million from online bank accounts of businesses and consumers in the US and around the world.

However, despite the taking down of the GameOver botnet and the demise of CryptoLocker, it’s not all over as new variants of file-encrypting ransomware still exist. The following screen is what you don’t want to see on your computer monitor.

CryptoDefense

Check out this nice article about how to protect yourself from ransomware with the Sophos Virus Removal Tool.

I have an easier, effective and unorthodox solution, which I have mentioned in public lectures and previous columns.: changing your cyber lifestyle by having “naked” computers, i.e. not storing a single file in the computer hard disks, apart from the operating system and software program files.

In essence, I store all my files on an external encrypted hard disk and use either the 1 laptop or 2 laptops approach – with the former you alternate between online and offline depending on when you connect the external disk to the laptop and with the latter, you attach the external disk to a laptop that is offline (you can go one step further with the Snowden approach by using an “air gapped” computer, as he has recommended to Glenn Greenwald) and work online only with the other computer. The latter would come handy when on the road (even with the extra weight) as there are always risks with public (which one should always avoid) and hotel internet connections, spying walls, etc.

NSA-Rogers

Shhh… NSA Want Framework to Access Encrypted Communications

NSA Director Admiral Michael Rogers said at a cyber security conference in Washington DC Monday this week that the government needs to develop a “framework” so that the NSA and law enforcement agencies could read encrypted data when they need and he was immediately challenged by top security experts from the tech industry, most notably Yahoo’s chief information security officer Alex Stamos (see transcript).

SIM-Gemalto3

Shhh… Security Experts Not Convinced By Gemalto’s Swift “Thorough” Investigations into NSA-GCHQ SIM Card Hacks

Gemalto, the world’s largest SIM cards manufacturer that The Intercept reported last week to be hacked by the NSA and GCHQ, putting at risk some two billion SIM cards used in cellphones across the world, has somehow and somewhat concluded its findings after a “thorough” internal investigations in just six days, with assurance that its encryption keys are safe and admitted that the French-Dutch company believes the US and British spy agencies were behind a “particularly sophisticated intrusion” of its internal computer networks, back four-five years ago.

In The Intercept follow-up report (please see further below):

“Gemalto learned about this five-year-old hack by GCHQ when the The Intercept called them up for a comment last week. That doesn’t sound like they’re on top of things, and it certainly suggests they don’t have the in-house capability to detect and thwart sophisticated state-sponsored attacks,” says Christopher Soghoian, the chief technologist at the American Civil Liberties Union.

Or consider this (below – Source: https://www.youtube.com/watch?v=z0amvXr8BUk )

SIM-Gemalto2

So, time to decide for yourself if you’re convinced and also think of solutions like encrypted communications – and do check out the video clips below:

Gemalto Doesn’t Know What It Doesn’t Know
By Jeremy Scahill
@jeremyscahill

Gemalto, the French-Dutch digital security giant, confirmed that it believes American and British spies were behind a “particularly sophisticated intrusion” of its internal computer networks, as reported by The Intercept last week.

This morning, the company tried to downplay the significance of NSA and GCHQ efforts against its mobile phone encryption keys — and, in the process, made erroneous statements about cellphone technology and sweeping claims about its own security that experts describe as highly questionable.

Gemalto, which is the largest manufacturer of SIM cards in the world, launched an internal investigation after The Intercept six days ago revealed that the NSA and its British counterpart GCHQ hacked the company and cyberstalked its employees. In the secret documents, provided by NSA whistleblower Edward Snowden, the intelligence agencies described a successful effort to obtain secret encryption keys used to protect hundreds of millions of mobile devices across the globe.

The company was eager to address the claims that its systems and encryption keys had been massively compromised. At one point in stock trading after publication of the report, Gemalto suffered a half billion dollar hit to its market capitalization. The stock only partially recovered in the following days.

After the brief investigation, Gemalto now says that the NSA and GCHQ operations in 2010-2011 would not allow the intelligence agencies to spy on 3G and 4G networks, and that theft would have been rare after 2010, when it deployed a “secure transfer system.” The company also said the spy agency hacks only affected “the outer parts of our networks — our office networks — which are in contact with the outside world.”

Security experts and cryptography specialists immediately challenged Gemalto’s claim to have done a “thorough” investigation into the state-sponsored attack in just six days, saying the company was greatly underestimating the abilities of the NSA and GCHQ to penetrate its systems without leaving detectable traces.

“Gemalto learned about this five-year-old hack by GCHQ when the The Intercept called them up for a comment last week. That doesn’t sound like they’re on top of things, and it certainly suggests they don’t have the in-house capability to detect and thwart sophisticated state-sponsored attacks,” says Christopher Soghoian, the chief technologist at the American Civil Liberties Union. He adds that Gemalto remains “a high-profile target for intelligence agencies.”

Matthew Green, a cryptography specialist at the Johns Hopkins Information Security Institute, said, “This is an investigation that seems mainly designed to produce positive statements. It is not an investigation at all.”

In its statement, Gemalto asserted:

“While the intrusions described above were serious, sophisticated attacks, nothing was detected in other parts of our network. No breaches were found in the infrastructure running our SIM activity or in other parts of the secure network which manage our other products such as banking cards, ID cards or electronic passports. Each of these networks is isolated from one another and they are not connected to external networks.

It is extremely difficult to remotely attack a large number of SIM cards on an individual basis. This fact, combined with the complex architecture of our networks explains why the intelligence services instead, chose to target the data as it was transmitted between suppliers and mobile operators as explained in the documents.”

But security and encryption experts told The Intercept that Gemalto’s statements about its investigation contained a significant error about cellphone technology. The company also made sweeping, overly-optimistic statements about the security and stability of Gemalto’s networks, and dramatically underplayed the significance of the NSA-GCHQ targeting of the company and its employees. “Their ‘investigation’ seem to have consisted of asking their security team which attacks they detected over the past few years. That isn’t much of an investigation, and it certainly won’t reveal successful nation-state attacks,” says the ACLU’s Soghoian.

Security expert Ronald Prins, co-founder of the Dutch firm Fox IT, told The Intercept, “A true forensic investigation in such a complex environment is not possible in this time frame.”

“A damage assessment is more what this looks like,” he added.

In a written presentation of its findings, Gemalto claims that “in the case of an eventual key theft, the intelligence services would only be able to spy on communications on second generation 2G mobile networks. 3G and 4G networks are not vulnerable.” Gemalto also referred to its own “custom algorithms” and other, unspecified additional security mechanisms on top of the 3G and 4G standards.

Green, the Johns Hopkins cryptography specialist, said Gemalto’s claims are flatly incorrect.

“No encryption mechanism stands up to key theft,” Green says, “which means Gemalto is either convinced that the additional keys could not also have been stolen or they’re saying that their mechanisms have some proprietary ‘secret sauce’ and that GCHQ, backed by the resources of NSA, could not have reverse engineered them. That’s a deeply worrying statement.”

“I think you could make that statement against some gang of Internet hackers,” Green adds. “But you don’t get to make it against nation state adversaries. It simply doesn’t have a place in the conversation. They are saying that NSA/GCHQ could not have breached those technologies due to ‘additional encryption’ mechanisms that they don’t specify, and yet here we have evidence that GCHQ and NSA were actively compromising encryption keys.”

In a press conference today in Paris, Gemalto’s CEO, Olivier Piou, said his company will not take legal action against the NSA and GCHQ. “It’s difficult to prove our conclusions legally, so we’re not going to take legal action,” he said. “The history of going after a state shows it is costly, lengthy and rather arbitrary.”

There has been significant commercial pressure and political attention placed on Gemalto since The Intercept’s report. Wireless network providers on multiple continents demanded answers and some, like Deutsche Telekom, took immediate action to change their encryption algorithms on Gemalto-supplied SIM cards. The Australian Privacy Commissioner has launched an investigation and several members of the European Union parliament and Dutch parliament have asked individual governments to launch investigations. German opposition lawmakers say they are initiating a probe into the hack as well.

On Wednesday, Gerard Schouw, a member of the Dutch parliament, submitted formal questions about the Gemalto hack and the findings of the company’s internal investigation to the interior minister. “Will the Minister address this matter with the Ambassadors of the United States and the United Kingdom? If not, why is the Minister not prepared to do so? If so, when will the Minister do this?” Schouw asked. “How does the Minister assess the claim by Gemalto that the attack could only lead to wiretapping 2G-network connections, and that 3G and 4G-type networks are not susceptible to this kind of hacks?”

China Mobile, which uses Gemalto SIM cards, has more wireless network customers than any company in the world. This week it announced it was investigating the breach and the Chinese government said it was “concerned” about the Gemalto hack. “We are opposed to any country attempting to use information technology products to conduct cyber surveillance,” Foreign Ministry spokesman Hong Lei said. “This not only harms the interests of consumers but also undermines users’ confidence.” He did not mention that China itself engages in widespread, state-sponsored hacking.

While Gemalto is clearly trying to calm its investors and customers, security experts say the company’s statements appear intended to reassure the public about the company’s security rather than to demonstrate that it is taking the breach seriously.

The documents published by The Intercept relate to hacks done in 2010 and 2011. The idea that spy agencies are no longer targeting the company — and its competitors — with more sophisticated intrusions, according to Soghoian, is ridiculous. “Gemalto is as much of an interesting target in 2015 as they were in 2010. Gemalto’s security team may want to keep looking, not just for GCHQ and NSA, but also, for the Chinese, Russians and Israelis too,” he said.

Green, the Johns Hopkins cryptographer, says this hack should be “a wake-up call that manufacturers are considered valuable targets by intelligence agencies. There’s a lot of effort in here to minimize and deny the impact of some old attacks, but who cares about old attacks? What I would like to see is some indication that they’re taking this seriously going forward, that they’re hardening their systems and closing any loopholes — because loopholes clearly existed. That would make me enormously more confident than this response.”

Green says that the Gemalto hack evidences a disturbing trend that is on the rise: the targeting of innocent employees of tech firms and the companies themselves. (The same tactic was used by GCHQ in its attack on Belgian telecommunications company Belgacom.)

“Once upon a time we might have believed that corporations like this were not considered valid targets for intelligence agencies, that GCHQ would not go after system administrators and corporations in allied nations. All of those assumptions are out the window, so now we’re in this new environment, where everyone is a valid target,” he says. “In computer security, we talk about ‘threat models,’ which is a way to determine who your adversary is, and what their capabilities are. This news means everyone has to change their threat model.”

Additional reporting by Ryan Gallagher. Josh Begley contributed to this report.

Out of Africa

Shhh… Out of Africa: Spies & Leaked Intelligence from the New “El Dorado of Espionage”

Here is an interesting story from The Guardian, based on a leaked cache of secret intelligence documents and cables.

Africa is new ‘El Dorado of espionage’, leaked intelligence files reveal

Continent emerges as the focus of international spying, with South Africa becoming a regional powerhouse and communications hub

Seumas Milne and Ewen MacAskill
Tuesday 24 February 2015 18.01 GMT

Africa emerges as the 21st century theatre of espionage, with South Africa as its gateway, in the cache of secret intelligence documents and cables seen by the Guardian. “Africa is now the El Dorado of espionage,” said one serving foreign intelligence officer.

The continent has increasingly become the focus of international spying as the battle for its resources has intensified, China’s economic role has grown dramatically, and the US and other western states have rapidly expanded their military presence and operations in a new international struggle for Africa.

With South Africa a regional powerhouse and communications hub, Pretoria has become a centre of the continent’s new Great Game, intelligence officials say, and a target of global espionage. The leaked documents obtained by al-Jazeera and shared with the Guardian contain the names of 78 foreign spies working in Pretoria, along with their photographs, addresses and mobile phone numbers – as well as 65 foreign intelligence agents identified by the South Africans as working undercover. Among the countries sending spies are the US, India, Britain and Senegal.

The United States, along with its French and British allies, is the major military and diplomatic power on the continent. South Africa spends a disproportionate amount of time focused on Iran and jihadi groups, in spite of internal documents showing its intelligence service does not regard either as a major threat to South Africa. “The Americans get what they want,” an intelligence source said.

The targets of foreign intelligence are myriad, ranging from jihadi groups to economic or technological theft. China has emerged as one of the biggest economic players on the continent, investing heavily in infrastructure, building a strong presence in many countries, in large part motivated by its huge appetite for fuel and resources.

Chinese intelligence is identified in one secret South African cable as the suspect in a nuclear break-in. A file dating from December 2009 on South Africa’s counter-intelligence effort says that foreign agencies had been “working frantically to influence” the country’s nuclear energy expansion programme, identifying US and French intelligence as the main players. But due to the “sophistication of their covert operations”, it had not been possible to “neutralise” their activities.

However, a 2007 break-in at the Pelindaba nuclear research centre – where apartheid South Africa developed nuclear weapons in the 1970s – by four armed and “technologically sophisticated criminals” was attributed by South African intelligence to an act of state espionage. At the time officials publicly dismissed the break-in as a burglary.

Several espionage agencies were reported to have shown interest in the progress of South Africa’s Pebble Bed Modular Reactor. According to the file, thefts and break-ins at the PBMR site were suspected to have been carried out to “advance China’s rival project”. It added that China was “now one year ahead … though they started several years after PBMR launch”.

In an October 2009 report by South Africa’s intelligence service, the National Intelligence Agency (NIA), on operations in Africa, Israel is said to be “working assiduously to encircle and isolate Sudan from the outside, and to fuel insurrection inside Sudan”. Israel “has long been keen to capitalise on Africa’s mineral wealth”, the South African spying agency says, and “plans to appropriate African diamonds and process them in Israel, which is already the world’s second largest processor of diamonds”.

The document reports that members of a delegation led by then foreign minister Avigdor Lieberman had been “facilitating contracts for Israelis to train various militias” in Africa.

The NIA’s relationship with its highly active Israeli counterpart, Mossad, has been mixed: close during the apartheid era, distant in the early years of the rule of the pro-Palestinian African National Congress, and more ambiguous in recent years.

One factor in South Africa’s attraction for rival spy agencies is the porous nature of its security services. A South African intelligence document, Security Vulnerabilities in Government, dated October 2009, offers an uncompromising look at the weakness of its security, a point rammed home by the fact it is marked secret but ended up among the leaked files.

The document says: “Foreign governments and their intelligence services strive to weaken the state and undermine South Africa’s sovereignty. Continuing lack of an acceptable standard of security … increases the risk.” It lists theft of laptop computers, insufficient lock-up facilities, limited vetting of senior officials in sensitive institutions, no approved encryption on landlines or mobiles, total disregard by foreign diplomats for existing regulations, ease of access to government departments allowed to foreign diplomats, and the lack of proper screening for foreigners applying for sensitive jobs.

According to one intelligence officer with extensive experience in South Africa, the NIA is politically factionalised and “totally penetrated” by foreign agencies: “Everyone is working for someone else.” The former head of the South African secret service, Mo Shaik, a close ally of the president, Jacob Zuma, was described as a US confidant and key source of information on “the Zuma camp” in a leaked 2008 Wikileaks cable from the American embassy in Pretoria.

The cables disclose an apparent assassination plot in Ethiopia against the South African politician Nkosazana Dlamini-Zuma, days after she became the new chair of the African Union Commission in 2012, giving a flavour of the day-to-day tribulations of intelligence operations in Africa.

South Africa’s head of station in Addis Ababa was warned of the plot, but instructed not to give details to the Ethiopians. Eventually, the Ethiopians were tipped off but the bodyguards assigned to Dlamini-Zuma’s hotel to protect her left their positions to get food and water.

In a frantic series of cables to Pretoria and in meetings with Ethiopian officials, South African intelligence officials are shown struggling to protect Dlamini-Zuma’s security without creating an impression of no confidence in Ethiopian security. When South Africa hands over a list of suspects, Ethiopian intelligence blames Sudan but is unable to link the names with Khartoum.

CitizenFour-Oscars

Shhh… Snowden’s Girlfriend at the Oscars for CitizenFour

Congratulations to Laura Poitras and her team behind “CitizenFour” in winning the Oscars for Best Documentary Feature. And did you notice Snowden‘s girlfriend Lindsay Mills was on the stage (see picture above (Credit: YouTube) and video clips below)?

The film on the Snowden revelations during his hiding in Hong Kong in 2013 will be aired on HBO later today.

Barbie2

Shhh… Doll Hack? New Wi-fi Connected “Hello Barbie” Risks Inviting Pedophiles Into the Barbie World

Barbie-HelloBarbie3

The newly announced internet-connected “Hello Barbie” (see video clip below) may be every girls’ dream but every parents’ nightmare.

The first-ever conversational doll (developed by ToyTalk in partnership with Mattel) will chat with the kids, record their conversations and transmit the recorded data to servers to be analyzed… and yes, risk being hacked and abused by pedophiles.

Think about it, it has all the hacking ingredients for any tech savvy blokes: wi-fi connection, speech-recognition software, phone apps (for kids?!), two-way conversations with kids and cloud storage.

Not convinced? Consider this: these capabilities mean these Barbies can also eavesdrop and record any conversation within the four-walls. Not much difference from the internet-connected spying Samsung smart TV.

“It wouldn’t take much for a malicious individual to intercept either the wi-fi communications from the phone or tablet, or connect to the doll over Bluetooth directly. These problems aren’t difficult to solve; the manufacturer needs to check the phone application carefully to make sure it’s secure. They also need to check that any information sent by the doll to their online systems is protected,” reportedly according to Ken Munro, a security researcher at Pen Test Partners, who has previously warned about the vulnerabilities in another doll called Cayla which uses speech-recognition and Google’s translation tools.

SIMcard

Shhh… Solutions to NSA & GCHQ Hacks into SIM Cards to Eavesdrop on Mobile Phones Worldwide?

Glenn-pg97

This news originally from The Intercept, based on leaked files from Edward Snowden, shouldn’t come as a surprise as the NSA had been on a mission to Collect It All (Chapter 3) according to Glenn Greenwald’s book “No Place to Hide” (see above).

High time to seriously (re)consider encrypted communications like encrypted calls and messaging apps (despite efforts to ban encryption by Obama and Cameron)?

LenovoThinkPad2

Shhh… Pre-installed Superfish Malware Leaves Lenovo Computers Vulnerable to Man-in-the-Middle Attacks

I’m a self-confessed hardcore fan of the good old IBM Thinkpad laptops but I’ve shied away from the black box ever since the Lenovo acquisition in 2005. And this (see video clips below) is one of those reasons. My tilt these days is towards those laptops with no parts made in China