Thursday, 5 December 2013

The NSA Is Stalking You Through Your Cellphone

It turns out the National Security Agency's data collection program isn't just about call metadata. The program is also scooping up location data from smartphones.
The bulk phone records collection was one of the first revelations that came out of the internal NSA documents stolen by Edward Snowden. The massive program appeared to focus on call metadata, such as the time the call was made, the duration of the call, and the number called. The latest revelations from these documents show that the agency gathered "nearly five billion records a day on the whereabouts of cellphones around the world," the Washington Post reported yesterday.
The records are part of a vast database—27 terabytes in size, according to one figure obtained by the Post—and contain location data for "hundreds of millions of devices," the Post said. Analysts can pick a cellphone from anywhere in the world and go through the database to find all the places associated with that particular device. We've already seen how the NSA's astonishing XKEYSCORE system has overcome some of the issues associated with storing, retrieving, and investigating huge amounts of intercepted data.
Where is the Data Coming From?
The NSA is getting "location data from around the world by tapping into the cables that connect mobile networks globally," a senior collection manager told the Post. These networks serve U.S. cellphones as well as foreign ones, and since the NSA doesn't know beforehand which pieces of data it will need, it hoovers up all of them.
Location data is not as anonymous as we would like to think. With its treasure trove of data, the NSA can recreate a detailed itinerary of where the individual carrying the phone has ever been, or track their current travels, regardless of whether they are going to a friend's house, seeing a doctor, going to a meeting, or entering a house of worship. By retracing the movements, analysts can "expose hidden relationships among the people using them," the Washington Post said.
The NSA could also glean information from instances when location information is not available. "If everyone attending a sensitive meeting turns off their cell phones first, the NSA can look for that, and other suspicious patterns," tweeted ACLU Principal Technologist and Senior Policy Analyst Christopher Soghoian.
It's not clear if the NSA is receiving the data directly from the carriers or if they are circumventing the carriers in this case. Carriers have access to several shared databases, giving them access to data about individuals who aren't their customers, so an intelligence agency "can get 'one-stop shopping' to an expansive range of subscriber data just by compromising a few carriers," Matt Blaze, an associate professor of computer and information science at the University of Pennsylvania, told the Post.
Privacy Concerns
People concerned about privacy can encrypt their emails and text messages (though the NSA may be able to crack it), take care with the data they share online, and use anonymizers and other tools to obscure their activities. But phones transmit their location just by virtue of being powered on. Even if you have your phone's GPS turned off, every time you make a call or receive a call, the phone connects to a cell tower and sends your location information.
Even keeping your phone turned off until you make a call won't keep you hidden. The Post also noted that analysts paid special attention to disposable cellular phones and phones that were turned on for brief periods of time to make a call. For example, it is possible to "see when a new telephone connects to a cell tower soon after another nearby device is used for the last time," according to the Post.
"The paths that we travel every day can reveal an extraordinary amount about our political, professional, and intimate relationships," said Catherine Crump, staff attorney with the ACLU Speech, Privacy & Technology Project. "The dragnet surveillance of hundreds of millions of cell phones flouts our international obligation to respect the privacy of foreigners and Americans alike."
The Law
The latest disclosures come just as Congress is divided on how it will handle the NSA's broad powers. Senior officials have defended the program as being necessary. There are multiple bills circulating Congress about NSA's authority, but they disagree on the fundamental questions of what the NSA can and cannot do.
"It is staggering that a location-tracking program on this scale could be implemented without any public debate, particularly given the substantial number of Americans having their movements recorded by the government," Crump told SecurityWatch. "The government should be targeting its surveillance at those suspected of wrongdoing, not assembling massive associational databases that by their very nature record the movements of a huge number of innocent people."

Is That Facebook Friend a Scammer or Someone You Actually Know?

Received a friend request on Facebook? Make sure it's really your friend before accepting.
Fake profiles abound on Facebook. Cyber-scammers grab photos from other profiles and create fake identities, and then spam people with friend requests. Ars Technica reports on a new twist, where scammers create a fake profile with the name of a real friend and send a request. So even if users are careful about accepting requests from strangers, they may not think twice about accepting these friend requests because the name is familiar. Depending on how many other people the scammer had already duped, the user may even see a lot of mutual friends.
According to Ars Technica, attackers cloned accounts for several reporters and producers at a Baltimore television station and targeted friends, co-workers, and viewers with fake friend requests. "The attack gave the scammer access to a huge audience's Facebook news feeds," Ars reported.
Value of Being a Friend
Facebook makes a lot of personal information about the user available through "friend" and "like" connections. This makes becoming a Facebook friend even more attractive for scammers looking for personal data to mount social engineering attacks. Once that fake profile is added as a friend, the scammer behind it has access to everything you post and your personal information. It doesn't matter if you restrict your privacy settings so that outsiders can't see your information if the scammer is already inside your "friends" list.
Study after study has shown Facebook users accept friend requests from people they don't know. Men are more likely to accept friend requests from accounts with a profile photo of an attractive woman, for example. It's clear that regardless of who the request is from, users should vet every request.
If you need to have a work-related account, you should keep it separate from your personal account. Make sure only people you actually know have access to the personal persona, and that no personal information is available on your work-related profile.
Vet Those Requests
When you get a request from someone you know, it may be worth taking the time to check whether that person is already on your friends list, and if so, find out whether they really created a new account. It's a little tricky to ask a person to verify their identity without giving out potentially sensitive information.
If your friend starts posting spam links, assume the person has been hacked or it's a fake profile. Notify Facebook immediately using the Report/Block setting under the gears icon on the top right corner of the screen. It's difficult for Facebook to figure out which accounts are fake and which are real, so it relies heavily on user reports to weed them out.
It's definitely a tricky line to walk, figuring out who to trust online. So even if you are a hundred percent sure you know who has access to your profile, keep certain types of personal information off social networks, such as information that can be used as your password hint or security questions (your mother's maiden name, for example). Who you share data with may not be entirely under your control, but what you share is still up to you.

Oh look, a hacked package delivery drone

We read that Amazon–the online retail giant, not the huge river–is developing a drone-based delivery service. They’re calling it PrimeAir. Hopefully it won’t become known as Prime Target, but some folks are already stepping up to take a shot. In my corner of the world, there are plenty of shotgun-toting and slightly suspicious denizens of security who might (when they aren’t pimping their bunker) get all giddy at the prospect of taking out a drone or two with some buckshot.
In a similarly situated community in Colorado some folks are itching to pass an ordinance allowing (legal) drone hunting (as opposed to the use of drones for hunting, which Colorado is thinking of banning). Amazon, presumably lax in their viewing of the flocks of drone-based sci-fi movies (which I think you can access through Amazon, ironically enough), has set to work on a proof-of-concept flock of their own, this time delivering the latest tech hotness to a yard near you.
Only it’s not quite ready for prime time. And while taking to the skies with their own micro fleet to improve customer service seems strangely laudable, some folks (even those who don’t tote shotguns) have their doubts.
First objection that leaps to mind? Airlines have worked for years to avoid sucking ducks, geese, and other airborne terrorists into their expensive jet engines (followed by the ensuing mayhem and even water skiing lessons for one memorable passenger jet back east). The folks who rule the skies can be expected to want to know more about Amazon’s plans, a lot more. While geese and other feathered things disdain centralized control schemes (and control tower communications), ordering delivery drones out of the flight path for JFK seems like it would be very important.
Second, the prospect of hobby store aficionados picking up all the parts to impersonate the delivery drones and causing mayhem seems totally obvious, possibly resulting in a nightmare for more than a few folks. (I think you can even pick up fake Amazon stickers for a few bucks online.)
Need a drone-takeover proof of concept? One hacker has already released details of how this might work (we wouldn’t be good antivirus researchers if we neglected to mention the same hacker was once convicted of releasing a worm that affected tens of thousands of social media profiles).
Jamming control or positioning signals seems obvious to the slightly more tech-ambitious who may seek to hack the platforms, and maybe even pick up a donor drone in the process for future hacking endeavors. (Hey, let’s send a package to the neighbors and then claim we didn’t get it, and so on, and so forth).
And while the micro drone engineers are finding a way to tote more capacity for longer distances (in case you ordered size 12 boots instead of size 6 slippers), gluing on a hacking platform as extra payload is another plausible exploit. Sending the “enhanced” drone back across the town on its return trip to the warehouse could harvest digital credentials, a boon for less-than-ethical hackers. To victims it might look like Amazon just hacked your WiFi and then did bad things.
Amazon itself would need to be highly scrupulous in the coding of these things. Remember the “accidental” harvesting of data by Google Street View camera cars?
And if the idea of delivery drones still seems promising, where are the FedEx drones? After all, FedEx, UPS and other familiar names have been toting packages for a living for a long time now, usually in boxy trucks that make particularly bad aircraft, but carry lots of weight down tiny bumpy roads, crowded streets and a host of other nasty environments. For decades, boxes got high speed delivery from hub to hub over the air every day, but last mile delivery is still a bit murky (or snowy) – sometimes literally.
Still, it’s good to see Amazon ambitiously plodding forward, and hey, new tech is always worth exploring, (and subsequently debugging). And whether or not the FAA will come to terms with the potential liabilities of unleashing a swarm of civilian drones in the future, it seems likely that some flavor of drone will be flying in an area near you sooner than you might be comfortable with. Though if you’re in a tiny town in Colorado, there’s still time to perfect your aim at airborne targets.
(Disclaimer: We are not advocating the shooting of drones. Shooting at airborne man-made objects other than clay pigeons is likely to remain highly illegal in every jurisdiction in America.)
How do you feel about drone-based deliveries? Invasion of privacy or personal airspace? Blight on the landscape? See any potential problems? Leave a comment and let us know what you think.

JP Morgan warns 465,000 cardholders of data leak after hackers breach defenses

Personal information for up to 465,000 customers of JP Morgan, Chase & Co. may be at risk after hackers breached its network in July, the bank has admitted – and has issued warnings to state officials and cardholders across America.
The breach affects prepaid cards, specifically the bank’s Ucards, according to Reuters. Hackers breached the bank’s servers and accessed data, possibly including unencrypted information.
Speaking to Reuters, bank spokesman Michael Fusco said that the company was investigating which accounts were affected, and said that the bank is notifying those at risk. Users of Ucard – commonly used to distribute tax refunds and government benefits – will be notified via email.
“Seems to me that the last few years have established that no-one is too big, too powerful, or too well-secured to suffer an attack or leakage,” says ESET Senior Research Fellow David Harley.
“Security companies like RSA and defence-oriented companies like the big aerospace enterprises (not to mention certain government agencies) put a lot of resource into security and still get breached. It could be argued that some kinds of attack –especially those with an element of social engineering, targeted phishing and so on – are more likely to be successful in large organizations.”
Ucard users account for around 2% of the bank’s customers, Fusco said, and refused to rule out the possibility that personal information was stolen in the attack. Such information is usually stored in encrypted form, but the bank admitted that hackers may have briefly had access to computer logs containing information in plain text, according to Opp Trends.
The IB Times reported that the bank said “only a small amount of information” had been accessed – and said that customers’ social security numbers and birth dates were not at risk. The bank admitted, according to IB Times, that such information was briefly available in plain text in computer log files.
So far, there has been no evidence of the information being used fraudulently, JP Morgan said, but the bank is continuing to investigate. JP Morgan declined to explain how the breach occurred.
Fusco said, “In the months since the breach was discovered the bank has been investigating to find out exactly which accounts were involved and what pieces of information could have been taken.”
JP Morgan officials notified state agencies in Louisiana of the breach, as up to 8,000 residents may have been among those affected, according to local news service
The breach may have affected Louisiana residents issued cards for tax refunds, for child support benefits, and unemployment benefits, and affects those who registered cards between July and September this year, according to Commissioner Kirsty Nichols.
“We will be working with law enforcement officials as this investigation continues,” Nichols said, speaking to The Advocate. “We will hold JPMorgan Chase responsible to make certain that the rights and personal privacy of these Louisiana citizens is protected.”
ESET’s Harley says that raising awareness among employees is the best defense against such attacks (although he points out that JP Morgan is yet to reveal details of this particular incident). Harley says the current attack is evidence that large organizations can face problems due to their sheer scale.
“Thoroughgoing training, education, policy enforcement and so on raises awareness of psychological manipulation and the kind of apparently innocuous information sharing that can be built into a data aggregation attack,” Harley says, “But the bigger the organization, the more difficult and expensive it is to ensure that everyone gets the full benefit of those measures.”
“In a small organization, people are likelier to know each other well enough to recognize a message that doesn’t ring quite true, though that doesn’t mean they’ll always deal with the situation appropriately. In a big company, it’s far from uncommon for an individual to be contacted by someone they may never have met or even heard of, and it’s harder to pick up on those personal and procedural cues and clues that might alert them to something off-key.”
“At the same time, large organizations are required to conform to some transparency about what they do and who works there – maybe some organizations more than others… – which makes it easier for a determined attacker to gather intelligence that will help with the attack.”

Governments preparing Stuxnet 2.0 malware for nuclear strike

Cooling towers at a nuclear power station
The Israeli and Saudi Arabian governments are working to create a new, even more destructive variant of the notorious Stuxnet malware, according to local Iranian news outlet Farsnews.
Farsnews reported that an unnamed source with links inside the Saudi Arabian secret service confirmed the news, warning the two nations plan to use it to further disrupt Iran's nuclear power program.
"Saudi spy chief Prince Bandar bin Sultan bin Abdulaziz Al Saud and director of Israel's Mossad intelligence agency Tamir Bardo sent their representatives to a meeting in Vienna on 24 November to increase the two sides' co-operation in intelligence and sabotage operations against Iran's nuclear program," claimed the unnamed source.
"One of the proposals raised in the meeting was the production of a malware worse than the Stuxnet (a comprehensive US-Israeli program designed to disrupt Iran's nuclear technology) to spy on and destroy the software structure of Iran's nuclear program."
The original Stuxnet malware was uncovered targeting Iranian nuclear systems in 2010, and is believed to have been a joint project between the US and Israeli governments. The malware is considered a game changer in the security community for its ability to physically sabotage systems in power plants.
It is currently unclear if the Farsnews report is accurate, though director of security strategy at FireEye Jason Steer said it is certainly plausible.

"Given that this has already happened with Stuxnet, it is certainly more than plausible to believe that Stuxnet 2.0 is also possible. One would be naive to assume it wouldn't happen again. With the change in relationship between Iran and the US, it is highly likely that Israel and Saudi Arabia united to try and negate the threat of nuclear bombs on their front door,” he said.
The original Stuxnet worm hijacked control of Siemens industrial control systems, then forced them to alter key processes to damage machinery. The malware has since managed to spread outside of Iran and has affected several other power plants, some close to Europe.
Steer told V3 that, given how successful the original Stuxnet was at spreading, the fallout of a more advanced variant could be devastating for power plants, but will be of little concern to most regular businesses.
“Stuxnet was pretty powerful at disrupting the SCADA environment it was introduced to and has since jumped and gone into the wild – where it has even appeared on the International Space Station and Russian power stations, that we are aware of. So we should expect Stuxnet 2.0 to have an impact of a similar nature,” he said.
“Most businesses don't run SCADA [supervisory control and data acquisition] systems so unless you run a refinery, oil pipeline or something similar, then they will be safe from these types of industrial-style attacks. Most businesses should be more worried about the cybercrime attacks that wash up via email and on web pages their employees surf to every day that will enable remote access capabilities to their network, like Zeus and Houdini, that are exfiltrating data out of their business.”
Security tycoon Eugene Kaspersky confirmed in November that at least one Russian nuclear plant has been very badly infected by Stuxnet. Security experts have since said it is only a matter of time before a Stuxnet infection is discovered in the UK.
Attacks on critical infrastructure areas, such as power, are a growing problem facing governments and businesses. Numerous other cyber attacks have been uncovered hitting companies involved in critical infrastructure areas, and many of these attacks are currently believed to stem from China.

Microsoft promises encryption overhaul to tackle spying concerns

Microsoft logo at its Redmond headquarters
Microsoft has said it will boost encryption across its portfolio of services, including Office 365 and Windows Azure, in order to protect its customers from government spy agencies.
Microsoft was one of many companies to discover that its data may have been siphoned off by US and UK government agencies after documents were released by whistleblower Edward Snowden in the summer.
Executive vice president for legal affairs at Microsoft Brad Smith wrote in a blog post that these issues have made snooping a top concern at the company, since they put the threat from snooping on a par with cyber attacks by terrorists or criminals.
“We are especially alarmed by recent allegations in the press of a broader and concerted effort by some governments to circumvent online security measures – and in our view, legal processes and protections – in order to surreptitiously collect private customer data," he wrote.
“If true, these efforts threaten to seriously undermine confidence in the security and privacy of online communications. Indeed, government snooping potentially now constitutes an 'advanced persistent threat', alongside sophisticated malware and cyber attacks.”
As such, the firm has set itself the task of boosting encryption across its services by the end of 2014. Smith said this would cover all its major services, such as Office 365, SkyDrive and Windows Azure.
It will also ensure that all content moving between Microsoft and its customers, and between its data centres, is encrypted, and it will use ‘perfect forward secrecy’ to make it harder to decrypt data. Twitter recently announced it would use this too, to stop mass data siphoning from its services.
“While we have no direct evidence that customer data has been breached by unauthorised government access, we don't want to take any chances and are addressing this issue head on,” Smith said.
“Therefore, we will pursue a comprehensive engineering effort to strengthen the encryption of customer data across our networks and services.”
Microsoft said it would also make access to its encryption tools available for third-party developers building products that are hosted on Azure.
Smith also reiterated Microsoft’s intention to challenge government orders for data and to alert businesses whenever possible to requests for data that it receives.
“We’ve done this successfully in the past, and we will continue to do so in the future to preserve our ability to alert customers when governments seek to obtain their data,” he said.
Lastly, in order to counter some allegations that ‘back doors’ have been built into products in order to allow governments to easily access data, Microsoft will be opening transparency centres where customers can review the source code of its products. These will be available in Europe, the US and Asia.
“Just as we’ve called for governments to become more transparent about these issues, we believe it’s appropriate for us to be more transparent ourselves,” Smith explained.
“We’re therefore taking additional steps to increase transparency by building on our long-standing program that provides government customers with an appropriate ability to review our source code, reassure themselves of its integrity, and confirm there are no back doors.”
Other firms such as Yahoo have also encrypted information passing through their data centres, as tech giants move to reassure customers that they do not want government agencies to be able to access their data.

NSA logs five billion mobile phone records a day

The US National Security Agency (NSA) gathers data on nearly five billion phone records every day from citizens across the world, according to more documents leaked by Edward Snowden.
The Washington Post revealed that the papers Snowden provided show that the agency has the ability to track the movements of individuals, and their relationships to others through their phone data.
The NSA uses this data to gather intelligence on targets and their whereabouts in what is in essence a mass surveillance programme, the paper said.
An official at the NSA confirmed to the paper that the processes were in place and that it gathered “vast volumes” of data from the project. It does so by tapping into cables that serve mobile phone networks around the world, and in the US.
The revelations have drawn sharp criticism from some, with Catherine Crump, staff attorney with the American Civil Liberties Union’s (ACLU) Speech, Privacy and Technology Project criticising the government for its covert operations.
“It is staggering that a location-tracking program on this scale could be implemented without any public debate, particularly given the substantial number of Americans having their movements recorded by the government,” she said.
“The dragnet surveillance of hundreds of millions of cell phones flouts our international obligation to respect the privacy of foreigners and Americans alike. The government should be targeting its surveillance at those suspected of wrongdoing, not assembling massive associational databases that by their very nature record the movements of a huge number of innocent people.”
The revelations are the latest in a long line of insights into the closed world of government spying since Snowden leaked reams of documents and fled to Hong Kong, and then on to Russia.
Microsoft is one tech giant that has promised to boost encryption as a result of the PRISM scandal and other programmes that have come to light, such as the UK's Tempora. Others such as Yahoo and Twitter are also improving their security practices.