Pete Recommends – Weekly highlights on cyber security issues January 19 2019

Subject: The Federal Government Offers a Case Study in Bad Email Tracking
Source: EFF via beSpacific
https://www.bespacific.com/the-federal-government-offers-a-case-study-in-bad-email-tracking/

EFF: “The U.S. government sends a lot of emails. Like any large, modern organization, it wants to “optimize” for “user engagement” using “analytics” and “big data.” In practice, that means tracking the people it communicates with—secretly, thoroughly, and often, insecurely. Granicus is a third-party contractor that builds communication tools to help governments engage constituents online. The company offers services for social media, websites, and email, and it boasts of serving over 4,000 federal, state, and local agencies, from the city of Oakland to the U.S. Veterans Administration to HealthCare.gov. In 2016, the company merged with GovDelivery, another government-services provider. It appears that parts of the federal government have been working with GovDelivery, now Granicus, since at least 2012. Last October, we took a closer look at some of the emails sent with Granicus’s platform, specifically those from the whitehouse.gov mailing list, which used the GovDelivery email service until very recently. The White House changed its email management platform shortly after we began our investigation for this article. However, several other agencies and many state and city governments still use Granicus as their mailing list distributors.

beSpacific Subjects: Civil Liberties, Cybercrime, Cybersecurity, E-Government, E-Mail, E-Records, Privacy
EFF Topics: Privacy, Encrypting the Web

EFF Deeplinks Blog: https://www.eff.org/deeplinks/
Related article: https://www.eff.org/deeplinks/2019/01/stop-tracking-my-emails

Ed. Note — I found the EFF article to be insightful /pmw1

RSS feed for EFF: https://www.eff.org/rss/updates.xml
RSS feeds mentioned that are NOT from EFF:

Non-EFF feeds you might like:

Lawrence Lessig’s blog
Legal Tags
Ed Felten Freedom to Tinker
The Shifted Librarian
Slashdot: Your Rights Online
Sabrina Pacifici’s beSpacific
Edward Hasbrouck’s The Practical Nomad


Subject: Limiting the potential abuse of smartphone sensors
Source: GCN
https://gcn.com/articles/2019/01/11/smartphone-sensor-risk.aspx

Smartphones are jam-packed with a variety of sensors that provide real-time data collection about everything from a device’s movement to its environment. Consider the collection of sensors in the iPhone Xs, for example.

  • Face ID (facial recognition): Scans the user’s face as part of the authentication process.
  • Barometer: Measures the device’s altitude based on ambient pressure.
  • Motion sensors (gyroscope, accelerometer and digital compass): Measure the device’s motion, including rotation, acceleration and direction.
  • Proximity sensor: Measures the distance of an object (like a user’s ear during a phone call) from the touchscreen.
  • Ambient light sensor: Measures the light level in the device’s environment for adjusting screen brightness.
  • Two cameras: Enable photo/video capture and streaming video.
  • Four microphones: Enable phone calls, Siri usage, audio memos and more.
  • GPS: Calculates the device’s location.
  • NFC: Enables Apple Pay (contactless payment) and more.
  • 3D Touch (pressure-sensitive display): Enables different options based on varying degrees of touchscreen force.

To combat the abuse of smartphone sensors, both iOS and Android have implemented permission models. In theory, it’s up to the user to explicitly approve access to certain sensors by an app or mobile website. In practice, however, permissions often obfuscate — maliciously or unintentionally — the requested access. Other issues related to permissions include:

Various RSS feeds:

https://gcn.com/rss-feeds/rss-list.aspx

Related Articles


Subject: California police use genealogy websites to arrest suspect in 1990s rapes
Source: Reuters via Yahoo
https://news.yahoo.com/california-police-genealogy-websites-arrest-suspect-1990s-rapes-004317884.html

LOS ANGELES (Reuters) – A California man has been arrested in connection to rapes committed in the 1990s after his DNA was linked to the crime scenes through commercial genealogy websites, which initially turned up the both the suspect and his twin, police said on Friday….

Konther was identified as a suspect by sheriff’s detectives using techniques similar to those used in recent years to help solve a number of older crimes. Last year, a 73-year-old former police officer was arrested over the ‘Golden State Killer’ string of murders and rapes across California in the 1970s and 1980s.

In investigating the 1990s rapes, which were committed in Orange County, investigators working with the Federal Bureau of Investigation compared DNA samples collected at two crime scenes to that found on the websites used by consumers to trace their ancestry, Braun said.


Subject: .gov security falters during U.S. shutdown
Source: Netcraft
https://news.netcraft.com/archives/2019/01/10/gov-security-falters-during-u-s-shutdown.html

Dozens of U.S. government websites have been rendered either insecure or inaccessible during the ongoing U.S. federal shutdown. These sites include sensitive government payment portals and remote access services, affecting the likes of NASA, the U.S. Department of Justice, and the Court of Appeals.

The DigiCert certificate used by this U.S. Court of Appeals website expired on 5 January 2019 and has not yet been renewed. The site provides links to a document filing system and PACER (Public Access to Court Electronic Records).

With around 400,000 federal employees currently furloughed, more than 80 TLS certificates used by .gov websites have so far expired without being renewed. To compound the situation, some of these abandoned websites can no longer be accessed due to strict security measures that were implemented long before the shutdown started.

One such example is https://ows2.usdoj.gov, a U.S. Department of Justice website which uses a certificate that expired in the week leading up the shutdown. The certificate has been signed by a trusted certificate authority, GoDaddy, but it has not been renewed since it expired on 17 December 2018.

site RSS feed:
https://news.netcraft.com/feed


Subject: Astronaut sparks panic after accidentally dialing 911 from space sending NASA security teams into a frenzy
Source: The Sun (not the celestial body)
https://www.thesun.co.uk/news/8116475/astronaut-calls-911-space-nasa-security/

AN astronaut has told how he accidentally rang 911 from space – sending security teams at NASA’s Houston base into a frenzy.

André Kuipers missed out a number when making a call through HQ back on Earth – and ended up connecting to US emergency services.

The astronomical blunder sparked panic at the Johnson Space Centre in Texas and a security team was scrambled to the room where the call was put through.

He had been orbiting Earth in the International Space Station when he tried to make the call.

The 60-year-old spaceman explained how he had pressed 9 to make an outside call.

He then tried to phone internationally by pressing 011 – but mistakenly left out the zero….The astronaut – who completed two space missions totaling 203 days – also told how it is surprisingly easy to communicate with earth while on board the ISS.

He said that calls worked 70 per cent of the time – but that huge time delays were a struggle.

Kuipers recalled: “Sometimes people would hang up because they thought I did not say anything, so later on I started to talk as soon as I had dialled the last number”.

RSS site feed:
https://www.thesun.co.uk/feed

RSS Tech feed:
https://www.thesun.co.uk/tech/rss


Subject: Hot new trading site leaked oodles of user data, including login tokens
Source: Ars Technica
https://arstechnica.com/information-technology/2019/01/hot-new-trading-site-leaked-oodles-of-user-data-including-login-tokens/

The past few days have showered plenty of favorable attention on a new trading platform called DX.Exchange, with glowing profiles by Bloomberg News and CNBC. The only problem is that the site, which allows people to trade currencies and digitized versions of Apple, Tesla, and other stocks, has been leaking oodles of account login credentials and personal user information.

A few days ago, an online trader who heard about DX.Exchange decided to check out the site to see if it might be something he wanted to use. Besides assessing the robustness of the site’s features, he also wanted to make sure it had good security hygiene. After all, the site collects a fair amount of sensitive financial and legal information about its users, and this prospective customer wanted to make sure those details wouldn’t fall into the wrong hands. So he created a dummy account and began to poke around. To get better visibility, he turned on the developer tools inside the Chrome browser.

Super easy to criminalize – Almost immediately, the trader identified a major problem. When his browser sent DX.Exchange a request, it included an extremely long string of characters, called an authentication token, which is supposed to be a secret the site requires when a user accesses her account. For some unexplained reason, DX.Exchange was sending responses that, while valid, included all kinds of extraneous data. When the trader sifted through the mess, he found that the responses DX.Exchange was sending to his browser contained a wealth of sensitive data, including other users’ authentication tokens and password-reset links.

The tokens are formatted in an open standard known as JSON Web tokens. By plugging the leaked text strings into this site, it’s trivial to see the full names and email addresses of the DX.Exchange users they belong to. Even worse, the trader used his dummy account to confirm that anyone with possession of a token can gain unauthorized access to an affected account, as long as the user hasn’t manually logged out since the token was leaked.

Lots of Site RSS feeds:
https://arstechnica.com/rss-feeds/


Subject: Countering Russian disinformation the Baltic nations’ way
Source: GCN
https://gcn.com/articles/2019/01/09/estonia-disinformation-defense.aspx

There are already indications that Cyber Command conducted operations against Russian disinformation on social media, including warning specific Russians not to interfere with the 2018 elections. However, low-level cyberwarfare is not necessarily the best way. European countries, especially the Baltic states of Estonia, Latvia and Lithuania, have confronted Russian disinformation campaigns for decades. Their experience may offer useful lessons as the U.S. joins the battle.


Subject: Trick for turning your iPhone and AirPods into live spy mic goes viral
Source: Business Insider
https://www.businessinsider.com/apple-live-listening-feature-for-iphone-airpods-intended-for-hearing-loss-2019-1

  • A recently introduced feature for iPhones and AirPods called “Live Listen” is going viral.
  • It enables a person to use an iPhone’s microphone to listen in to conversations wirelessly through AirPods.
  • Some people are creeped out by the feature, suggesting it could be used to spy, but it was originally intended to help people with hearing aids or hearing loss to clearly hear conversations in crowded environments.

The “Live Listen” feature was introduced in an iPhone software update in September for Apple’s AirPods. It was previously available for a few models of Apple-certified hearing aids.

Here’s how it works. You turn it on, and then you point your iPhone’s microphone at the person you want to hear speaking. Then, you can hear what they have to say through your hearing aid or AirPods, carried over the air through Bluetooth….


Subject: Why the US Government Is Terrified of Hobbyist Drones
Source: Wired via beSpacific
https://www.bespacific.com/why-the-us-government-is-terrified-of-hobbyist-drones/

Wired: “If you want to understand why the government freaked out when a $400 remote-controlled quadcopter landed on the White House grounds last week, you need to look four miles away, to a small briefing room in Arlington, Virginia. There, just 10 days earlier, officials from the US military, the Department of Homeland Security, and the FAA gathered for a DHS “summit” on a danger that had been consuming them privately for years: the potential use of hobbyist drones as weapons of terror or assassination.

Other Wired articles on Drones:
https://www.wired.com/tag/drones/

Latest Security News RSS feed:
https://www.wired.com/feed/category/security/latest/rss


Subject: Dark markets have evolved to use encrypted messengers and dead-drops
Source: Boing Boing
https://boingboing.net/2019/01/14/drone-serviced-dead-drops.html

Buyers are now more likely to conduct sales negotiations through encrypted messenger technologies, and each customer is assigned their own unique contact, staffed by a bot that can answer questions on pricing and availability and broker transactions. Many of these transactions now take place through “private cryptocurrencies” that have improved anonymity functions (there is a lot of development on these technologies).

Delivery is now largely managed through single-use “dead drops” — hidden-in-plain-sight caches that are pre-seeded by sellers, who sometimes use low-cost Bluetooth beacons to identify them (these beacons can be programmed to activate only in the presence of a wifi network with a specific name: a seller provides the buyer with a codeword and a GPS coordinate; the buyer goes to the assigned place and creates a wifi network on their phone with the codeword for its name, and this activates the Bluetooth beacon that guides the buyer to their merchandise).

The logistics of these dead-drops are fascinating: there’s a hierarchy on the distribution side, with procurers who source merchandise and smuggle it into each region; sellers who divide the smuggled goods into portions sized for individual transactions, and sellers, whose “product” is just a set of locations and secret words that they give to buyers.

Topics:
dark markets / dead drops / dropgangs / drugs / infosec / physsec / security / war on drugs

Sample topic RSS feed:
https://boingboing.net/tag/dead-drops/feed

Posted in: Court Resources, Cybersecurity, E-Government, Privacy, Spyware
CLOSE
CLOSE