Ministry of Truth is Created in the UK

More like Airstrip One every day. UK Govt. Approves Net Censorship – Free Speech Dies – Liberty Nation.

The United Kingdom has become the first Western nation to move ahead with large-scale censorship of the internet, effectively creating regulation that will limit freedom on the last frontier of digital liberty. In a move that has the nation reeling, Prime Minister Boris Johnson has unveiled rules that will punish internet companies with fines, and even imprisonment, if they fail to protect users from “harmful and illegal content.”

Couched in language that suggests this is being done to protect children from pedophiles and vulnerable people from cyberbullying, the proposals will place a massive burden on small companies. Further, they will ultimately make it impossible for those not of the pervasive politically correct ideology to produce and share content.

Western Civilization was nice while it lasted. (Hat tip)

Why Aren’t You Using Signal?

Because security is important. Signal is finally bringing its secure messaging to the masses | Ars Technica.

Or are you comfortable living in a state like the old East Germany under the Ministerium für Staatssicherheit, or the Stasi?

But Deb, they make it so hard to share emojis and security is hard, and I really want a chocolate bar, and to get one all I have to do is turn over my life to Google, or F*c*book, or Apple or the NSA, or – Oh look! a squirrel! </sarcasm>

Marlinspike has always talked about making encrypted communications easy enough for anyone to use. The difference, today, is that Signal is finally reaching that mass audience it was always intended for—not just the privacy diehards, activists, and cybersecurity nerds that formed its core user base for years—thanks in part to a concerted effort to make the app more accessible and appealing to the mainstream.

So there really is no excuse.

Big Grocery Is Watching You

Everything. You. Do. Customer Tracking at Ralphs Grocery Store.

To comply with California’s new data privacy law, companies that collect information on consumers and users are forced to be more transparent about it. Sometimes the results are creepy.

Health. Insurance. Property. Bank Accounts. What you do online. Geolocation data – which is vague. (Where you go in the store or where you go in general?) There’s more.

And when people got creeped out, they said they may have to rethink how they worded the disclosure.

That’s the company’s solution. Don’t spy on people less, just change the wording so they don’t realize it.

More consumer protection laws will be required.

Bets on Whether the Swamp Will Restrain the NSA?

Still, it should be interesting to see the politicos explain why privacy is such an outmoded concept. Bipartisan Coalition Bill Introduced to Reform NSA Surveillance.

The reforms this bill wants to impose are quite extensive and here is a shortlist of the highlights:

  • It would permanently end the flawed phone surveillance program, which secretly scooped up Americans’ telephone records for years.
  • It would close loopholes and prohibit secret interpretation of the law, like those that led to unconstitutional warrantless surveillance programs.
  • It would prohibit warrantless collection of geolocation information by intelligence agencies.
  • It would respond to issues raised by the Inspector General’s office by ensuring independent attorneys, known as amici, have access to all documents, records and proceedings of Foreign Intelligence Surveillance Court, to provide more oversight and transparency.

It’s beginning to feel like we live in the Soviet Union, or East Germany, where the .gov can do pretty much what it wants, and it will destroy anyone who gets in the way.

The Future of Texting Is Broken

Whiskey. Tango. Foxtrot. The Future of Texting Is Far Too Easy to Hack: Rich Communication Services promises to be the new standard for texting. Thanks to sloppy implementation, it’s also a security mess.

Can we PLEASE get some secure communications? Aside from Signal, that is. (Look, I love Signal. I wish I could get everyone to use it, but for some reason I can’t.) And in what is essentially 2020 there is no fucking excuse to have insecure communications. We know how to do this.

But when security researchers looked under the hood, they found the way carriers and Google have implemented the protocol creates a basket of worrisome vulnerabilities.

At the Black Hat security conference in London on Tuesday, German security consultancy SRLabs demonstrated a collection of problems in how RCS is implemented by both phone carriers and Google in modern Android phones.

For the love of all things Holy. USE Signal.

Big Amazon Is Watching You

Massive surveillance of everything is in the hands of Amazon. What could go wrong? Amazon’s Ring Home Surveillance Network Raises Big Privacy Concerns.

According to Motherboard, police officers can request homeowners’ surveillance footage through Ring. In a statement, Ring said that law enforcement requests must be tied to an active investigation, and though the owner’s consent is required, a warrant isn’t necessary.

Edward Snowden’s privacy concerns are starting to sound less and less like paranoia.

And the terms of service will change over time. You know, that legally binding statement you agreed to when you opened the package. The fine print that no one ever reads, and changes regularly anyway.

Google Has Patient Data – Wants to Squeeze More Money

What a shock. Google has access to detailed health records on tens of millions of Americans.

Google quietly partnered last year with Ascension—the country’s second-largest health system—and has since gained access to detailed medical records on tens of millions of Americans, according to a November 11 report by The Wall Street Journal.

The endeavor, code-named “Project Nightingale,” has enabled at least 150 Google employees to see patient health information, which includes diagnoses, laboratory test results, hospitalization records, and other data, according to internal documents and the newspaper’s sources. In all, the data amounts to complete medical records, WSJ notes, and contains patient names and birth dates.

So much for protections for privacy.

2019 Hacks and Other Cyber-insanity

I usually see this kind of “the year in review” stuff in December. The scariest hacks and vulnerabilities of 2019.

It’s a surprisingly long list. It includes things like a hard-coded password left in a car telemetry app that could make cars vulnerable, F*c*book storing millions of passwords in plaintext on one of their servers, personnel data stolen from the LAPD, Louisiana school districts and Texas cities hit with ransomware, and SIMjacker, which could target any phone with a 2G or newer SIM card. Then there were the hacks that cost a lot, like the $95 million hack that hit Demant, a Danish company.

Two months to go.

It Isn’t Just Amazon and Google Spying on You

As if that wasn’t enough. Alexa and Google Home abused to eavesdrop and phish passwords.

By now, the privacy threats posed by Amazon Alexa and Google Home are common knowledge. Workers for both companies routinely listen to audio of users—recordings of which can be kept forever—and the sounds the devices capture can be used in criminal trials.

Now, there’s a new concern: malicious apps developed by third parties and hosted by Amazon or Google.

Privacy is such a 20th Century concept.

Welcome to the Panopticon

Netflix. Roku. Smart-TVs. They are all spying on you. Facebook and Google have ad trackers on your streaming TV, studies find.

Modern TV, coming to you over the Internet instead of through cable or over the air, has a modern problem: all of your Internet-connected streaming devices are watching you back and feeding your data to advertisers. Two independent sets of researchers this week released papers that measure the extent of the surveillance your TV is conducting on you. They also sort out who exactly is benefiting from the massive amounts of consumer data that is taken with or without consumer knowledge.

They just can’t stand the idea that you have any privacy. Or that you think thoughts they don’t approve of, but that’s another story.

GPS Trackers for Kids Making Data PUBLIC

This is BEYOND stupid. Buggy GPS Trackers Expose Children’s Real-Time Location.

It seems that corporations haven’t learned a damn thing about security, and people are so excited about convenience they don’t seem to care that it comes at the cost of privacy and/or security.

So when you bought the GPS tracker to keep tabs on your kid, did you think it would make their every move public? Did you think you would be outfitting them with a microphone that anyone on the planet could listen to? Did you think you’d get a “really good” system for next to no money?

The security flaws were found in GPS location trackers manufactured by Shenzhen i365 Tech, with over 600,000 users from countries all over the world and resold under multiple brands on various e-commerce platforms like Amazon or eBay.

The details are at the link, but in short… There is a default password for EVERY tracker, which is “123456”, and the user ID is the serial number. While you can define a more stupid “security model,” it would be hard to come up with one in 2019.

Back in 2017, the European Consumer Organisation (BEUC) also issued a public service announcement warning that most children’s GPS-tracking smartwatches are stuffed to the brim with various security flaws exposing their location or allowing potential attackers to take control of the devices.

Various “children’s tablets” that could be hacked and used for phishing. Trackers. Smart watches. Do you really want to bet your kid’s safety on cheap technology from a company you never heard of, sold by an “Amazon Affiliate” – which is about the equivalent of buying something from a flea market?

Bluetooth? I’ll Keep My 3.5mm Headphone Jack, Thanks

This isn’t the first exploit to hit Bluetooth, and it probably won’t be the last. New Attack exploiting serious Bluetooth weakness can intercept sensitive data.

Address book syncing between a car and phone, keystrokes from a keyboard: it isn’t a particular product that is vulnerable, it is the ENTIRE Bluetooth architecture.

KNOB doesn’t require an attacker to have any previously shared secret material or to observe the pairing process of the targeted devices. The exploit is invisible to Bluetooth apps and the operating system they run on, making the attack almost impossible to detect without highly specialized equipment. KNOB also exploits a weakness in the Bluetooth standard itself. That means, in all likelihood, that the vulnerability affects just about every device that’s compliant with the specification. The researchers have simulated the attack on 14 different Bluetooth chips—including those from Broadcom, Apple, and Qualcomm—and found all of them to be vulnerable.

Architectural level problems are the hardest to fix, though several companies have implemented fixes to “mitigate” the issue.

“Why Schools?” – That’s The Wrong Question

Why aren’t schools doing anything to prepare? (And they’re not.) That would be a better question. Why School Systems? The Rise of Ransomware in Public Schools.

And if you ask the wrong question, any answer that you get won’t result in any useful insights.

Due to their wealth of data and limited budget for cybersecurity staff and training, schools have drawn the eye of hackers. Experts recommend backing up data and investing in cybersecurity training and preparedness.

My personal recommendation is that schools cut back on that “wealth of data” until such time as they have a wealth of “cybersecurity training and preparedness” in place, and deployed to protect it. And even then, they should ask if they really need to have that information online, because while ransomware has been in the news, there have been instances where all the data needed to steal identities was taken out of school systems. That’s a lifetime of having to worry about identity theft for people who are not old enough to drink. (Thanks Public Schools Idiots Everywhere who think you know how much you need to spend on security.) All because some administrator somewhere, with next to no knowledge of the risks, decided that he couldn’t be bothered to look up a kid’s address the 2 times during the year when he needed that information. And how often do school administrators need SSN? Really? They couldn’t get by 99.999% of the time with an in-house student ID number?

But back to the schools.

“The principal reason is that it’s a relatively easy target to aim for,” he said, explaining that school systems typically suffer from a fairly limited IT staff, older equipment and less-than-optimal cybersecurity expertise.

Then repeat after me. If that statement (limited expertise, limited staff, etc.) applies to your organization, then purge every last bit of data that is not needed, and some that is needed. And it isn’t needed just because you’ve “always collected it.” Schools do NOT need SSN. Not online they don’t. They don’t need every piece of information for stealing identities in a place where it can be stolen by the lowest-knowledge hacker on the planet. How big is your school? You can’t file a couple of thousand pages of info? (Like home address, and SSN for the one time in 4 years when you MIGHT need it?) Stop pretending that having “everything at your fingertips” is a requirement. It isn’t.

Another instance where people asked the wrong question. What diet leads so many people in this area to live past 100? (Hint: It isn’t diet.)

Why Does Everything Have to be WiFi Enabled?

In this case Canon cameras. Even DSLR cameras are vulnerable to ransomware.

More to the point, why aren’t WiFi enabled interfaces secure?

The hackers (white hat) showed that if a camera had WiFi turned on, and that camera was in range of their WiFi access point, they could encrypt the photos on the camera’s memory card.

Canon issued an advisory telling folks to avoid unsecured WiFi, turn off network functions and install a new security patch.

The issue affects most of Canon’s camera lineup, from the EOS 70D to the mirrorless EOS R. It might not be limited to Canon, either, as Check Point told The Verge that other manufacturers, which use the same PTP protocol, could also be vulnerable. [My emphasis.]

PTP, or Picture Transfer Protocol, is an unauthenticated interface used by a lot of cameras and software.

Could manufacturers of everything please check to see if they have

  1. any non-secure interfaces
  2. hard-coded passwords or other backdoors

and get rid of them immediately? Probably not.

Apple Only Cares About Your Privacy When They Get Bad Press

So they’re just like every other tech giant. And they did get bad press. Apple suspends Siri response grading in response to privacy concerns.

In response to concerns raised by a Guardian story last week over how recordings of Siri queries are used for quality control, Apple is suspending the program worldwide. Apple says it will review the process that it uses, called grading, to determine whether Siri is hearing queries correctly, or being invoked by mistake.

In addition, it will be issuing a software update in the future that will let Siri users choose whether they participate in the grading process or not.

This is similar to the mess Google is in.

Privacy is such a 19th Century concept.

Locking the Barn Door After the Horses Escaped

Personally I like “Putting a guard on the picket lines, after the horses have been stolen.” But few people know that saying. LAPD Police Officers’ Personal Information Stolen in Data Breach.

So after the breach…

“Out of an abundance of caution we’re applying extra layers of security around our personnel system and enhancing defenses,” Ross told NBCLA Monday.

Which would have been fine if they’d done that BEFORE the data breach took place. Shouldn’t all their sensitive data have “enhanced defenses?”

The breach itself…

A suspected hacker claimed he or she had stolen the personal information of about 2,500 LAPD officers, trainees, and recruits, along with approximately 17,500 police officer applicants, in what may be a large breach of data held by the city of Los Angeles’ Personnel Department.

Maybe cities should consider NOT putting everything online.

What Happens When a Software Company Ignores a Disclosed Vulnerability?

Even worse, they argued that a security backdoor was “critical for their seamless user experience.” In other words, we want it to be easy, not secure. Zoom fixes webcam flaw for Macs, but security concerns linger.

When a security researcher finds a problem, you get 90 days. They ignored the issue for 10 days, then they were able to confirm it. They held the first meeting on day 72, and came up with a “solution” that didn’t fix anything. Or in other words, Epic Fail.

You can find discussions of the technology all over the place, but I’m more interested in the insanity of the corporate schmucks. (You can find one such link at the bottom of this post.)

“Initially, we did not see the web server or video-on posture as significant risks to our customers and, in fact, felt that these were essential to our seamless join process,” Zoom CISO Richard Farley, said in a blog post. “But in hearing the outcry from some of our users and the security community in the past 24 hours, we have decided to make the updates to our service.”

That statement is the key. Here’s what the CISO was really saying, when you strip out the corporate double-speak.

We didn’t see the value in fixing the problem pointed out by the security community because we don’t give a rat’s ass about our clients’ security and privacy, and this fix would tarnish our image (or something), but when it was clear it was turning into a PR disaster we decided that maybe we aren’t as smart as we think we are, and will promise to value security in the future. Cross our hearts…

So what happens when a SW company ignores the security of their customers? They get handed their hats. (Schneier on Security has details on the technology, if you want more info.)

Stupid Criminals and WiFi Auto-login

It’s good to see that the American educational system is still just like it always was. Wi-Fi Auto-Login Helped Identify Hate Crime Vandalism Suspects.

The plan was to write “Class of 2018” everywhere, but it didn’t end there. They painted racist, homophobic and antisemitic graffiti all over the place.

They knew there were security cameras, so they covered their faces.

What the suspects did not realize, however, is that their smartphones automatically connected to the school Wi-Fi once they were in the area. Which, of course, would only be possible if they have an account or attend the school. Since each student has their own unique ID, their login times were recorded on the server and could be cross-referenced with the surveillance video.
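The cross-referencing the article describes is ordinary incident-response log correlation: take the time window from the camera footage, pull every successful Wi-Fi authentication inside it, and narrow by the access point nearest the camera. The script below is an added example (not from the original post or the article); the log lines are constructed, and the simplified RADIUS-style format is an assumption, so the regex would need adjusting for a real controller’s export.

```python
"""Correlate Wi-Fi authentication events with an incident time window.

Added example for illustration. The log format is a constructed,
simplified RADIUS-style accounting line; real controllers use their own
formats, so adapt LINE_RE accordingly.
"""
import re
from datetime import datetime, timedelta

# Constructed sample log: timestamp, event, user ID, client MAC, access point.
SAMPLE_LOG = """\
2018-06-02T22:40:12 AUTH-OK user=s102233 mac=aa:bb:cc:dd:ee:01 ap=gym-north
2018-06-02T23:05:47 AUTH-OK user=s104871 mac=aa:bb:cc:dd:ee:02 ap=main-entrance
2018-06-02T23:06:03 AUTH-FAIL user=s104871 mac=aa:bb:cc:dd:ee:03 ap=main-entrance
2018-06-02T23:07:19 AUTH-OK user=s103390 mac=aa:bb:cc:dd:ee:04 ap=main-entrance
this line is garbage and must not crash the parser
2018-06-03T07:55:02 AUTH-OK user=s101005 mac=aa:bb:cc:dd:ee:05 ap=library
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>AUTH-OK|AUTH-FAIL) user=(?P<user>\S+) "
    r"mac=(?P<mac>[0-9a-f:]{17}) ap=(?P<ap>\S+)$"
)


def _as_dt(value):
    """Accept either a datetime or an ISO-8601 string for the window bounds."""
    return value if isinstance(value, datetime) else datetime.fromisoformat(value)


def parse_log(text):
    """Yield one dict per well-formed line; malformed lines are skipped, not fatal."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["ts"] = datetime.fromisoformat(rec["ts"])
            yield rec


def logins_in_window(text, start, end, slack_minutes=5):
    """Return {user_id: [timestamps]} of successful authentications inside the
    incident window. The window is widened by `slack_minutes` on each side to
    allow for clock drift between the camera system and the Wi-Fi controller.
    Failed authentications are excluded: they prove nothing about presence."""
    slack = timedelta(minutes=slack_minutes)
    lo, hi = _as_dt(start) - slack, _as_dt(end) + slack
    hits = {}
    for rec in parse_log(text):
        if rec["event"] == "AUTH-OK" and lo <= rec["ts"] <= hi:
            hits.setdefault(rec["user"], []).append(rec["ts"])
    return hits


def users_at_ap(text, start, end, ap):
    """Narrow the candidate set to the access point nearest the camera."""
    lo, hi = _as_dt(start), _as_dt(end)
    return sorted(
        rec["user"]
        for rec in parse_log(text)
        if rec["event"] == "AUTH-OK" and rec["ap"] == ap and lo <= rec["ts"] <= hi
    )


if __name__ == "__main__":
    window = ("2018-06-02T23:00:00", "2018-06-02T23:10:00")
    print(logins_in_window(SAMPLE_LOG, *window))
    print(users_at_ap(SAMPLE_LOG, *window, ap="main-entrance"))
```

Two points worth keeping in mind when doing this for real: authentication logs place a device, not a person, on the network (the MAC column is what ties the event to a specific handset), and the slack around the window matters because camera DVRs and RADIUS servers are rarely synchronized to the second.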

To be completely surrounded by technology, to use that technology every day of your life, and to be so completely ignorant of how that technology works… I guess they figure it is like magic, they go to school and get connected to WiFi, and don’t bother to think what that means. Or when they go to their favorite coffee shop, fast food restaurant, or anywhere else that they use the free WiFi. Privacy? What’s that? Stupidity they seem to have a handle on.

Google: “Like a horror movie villain that just won’t die”

When they first got busted on this, they said, just delete the emails. Google Keeps Gmail Purchase History.

At the time, Google claimed it tracks the info so that Google Assistant can track packages or reorder items, adding that users could simply delete everything by tapping into a purchase and removing the Gmail. However, it only worked if each purchase was deleted individually, which could take hours or even days depending on a person’s purchase history.

Still, Haselton decided to delete everything in his Gmail inbox — more than a decade of information. And it didn’t work.

Even after deleting all those emails, Google still had a record of his purchases.

“Like a horror movie villain that just won’t die,” he wrote, adding that he can “still see receipts for things I bought years ago. Prescriptions, food deliveries, books I bought on Amazon, music I purchased from iTunes, a subscription to Xbox Live I bought from Microsoft — it’s all there. Google continues to show me purchases I’ve made recently, too. I can’t delete anything and I can’t turn it off.”

I still have a Gmail account connected to this blog, though I may dump it as well. But Google is mostly out of my life. It should be out of yours as well.

Your Not-so-smart Home – 2 Billion Records Exposed

Billion with a B. If you think your smart home is making you safe, you might be kidding yourself. Confirmed: 2 Billion Records Exposed In Massive Smart Home Device Breach.

Orvibo is a Chinese company that makes “smart home” hubs, and outlets, and a bunch of other things. It turns out they have an awful lot of data about their customers, and they made it all public.

The list of data included in the breach is extensive according to the vpnMentor report and includes:

  • Email addresses
  • Passwords
  • Account reset codes
  • Precise geolocation
  • IP address
  • Username
  • UserID
  • Family name
  • Family ID
  • Smart device
  • Device that accessed account
  • Scheduling information

The kinds of things that this lets bad guys do… Access your security camera. Unlock your smart lock. Lock you out of your account.
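Two failures in this post share a root cause in how account credentials are issued and stored: the GPS trackers above shipped with one password (“123456”) for every unit and a user ID equal to the printed serial number, and the Orvibo database held passwords and reset codes in a form an attacker could use directly. The following is an added example (not Orvibo’s or i365 Tech’s code; the function names and record layout are assumptions for illustration) of the backend behaviour that would have blunted both: a unique random initial password per device, passwords stored only as salted PBKDF2 hashes, and reset codes that are stored hashed, expire in minutes and burn on first use.

```python
"""Credential handling for an IoT account backend (added example).

Goals: no shared default password, no password derived from the serial,
no plaintext password in the table, and no reset code in the table that an
attacker could redeem if the table leaks.
"""
import hashlib
import hmac
import secrets
import time

PBKDF2_ITERATIONS = 600_000          # OWASP order of magnitude for PBKDF2-HMAC-SHA256
RESET_CODE_TTL = 15 * 60             # seconds a reset code stays valid
KNOWN_DEFAULTS = {"123456", "password", "admin"}   # constructed shortlist


def _hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def _hash_code(code):
    # Reset codes are high-entropy random tokens, so a plain SHA-256 suffices;
    # the point is that the table never contains the redeemable code itself.
    return hashlib.sha256(code.encode()).hexdigest()


def is_weak_initial(serial, password):
    """The tracker anti-pattern: a shared default, or a password equal to the
    serial/user ID that is printed on the device and visible to anyone."""
    return password in KNOWN_DEFAULTS or password == serial


def provision_device(serial):
    """Factory provisioning: a unique random initial password per unit, stored
    only as salt + hash, and flagged for rotation on first login.
    Returns (record, initial_password); the password goes on the unit's label."""
    initial = secrets.token_urlsafe(12)
    salt = secrets.token_bytes(16)
    record = {
        "serial": serial,
        "salt": salt,
        "pw_hash": _hash_password(initial, salt),
        "must_rotate": True,
        "reset_hash": None,
        "reset_expires": 0.0,
    }
    return record, initial


def verify_password(record, password):
    candidate = _hash_password(password, record["salt"])
    return hmac.compare_digest(candidate, record["pw_hash"])


def set_password(record, new_password):
    if is_weak_initial(record["serial"], new_password):
        raise ValueError("rejected: default or serial-derived password")
    record["salt"] = secrets.token_bytes(16)          # fresh salt on every change
    record["pw_hash"] = _hash_password(new_password, record["salt"])
    record["must_rotate"] = False


def issue_reset_code(record, now=None):
    """Return the one-time code to send out of band; only its hash is stored."""
    code = secrets.token_urlsafe(16)
    record["reset_hash"] = _hash_code(code)
    record["reset_expires"] = (time.time() if now is None else now) + RESET_CODE_TTL
    return code


def redeem_reset_code(record, code, new_password, now=None):
    """Single-use and time-limited. A leaked table exposes only the hash of a
    code that dies within minutes, so it cannot be used to take over accounts."""
    now = time.time() if now is None else now
    if record["reset_hash"] is None or now > record["reset_expires"]:
        return False
    if not hmac.compare_digest(_hash_code(code), record["reset_hash"]):
        return False
    record["reset_hash"] = None                       # burn before changing anything
    record["reset_expires"] = 0.0
    set_password(record, new_password)
    return True
```

The `now` parameter exists so expiry can be tested deterministically; in production it is left at its default. Note that none of this helps if the backend then logs precise geolocation and family membership and exposes the database to the internet, which is the other half of the Orvibo story.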

OK, this is a story about data being made public, but why are they logging all of this data? Even if they don’t make it public, this is a lot of data to entrust to a company that doesn’t seem to have your security on its radar.