Showing posts with label Surveillance. Show all posts

2016-07-23

Edward Snowden designs phone case to show when data is being monitored

Snowden and co-designer Andrew ‘Bunnie’ Huang’s ‘introspection engine’ knows when a cellular, Wi-Fi or Bluetooth connection is being used to share data

American whistleblower Edward Snowden delivers a speech during the Roskilde Festival in Denmark last month.

Edward Snowden has helped design a mobile phone case called the “introspection engine” that, he claims, will show when a smartphone is transmitting information that could be monitored.

Presenting via video link to an event at the MIT Media Lab in Cambridge, Massachusetts, Snowden and co-designer Andrew “Bunnie” Huang showed how the device taps directly into the phone’s different radio transmitters, so that its owner knows when a cellular, Wi-Fi or Bluetooth connection is being used to send or receive data.

Initial mockups of the introspection engine show a small monochrome display built into the casing that indicates whether the phone is “dark” or transmitting. The case can also supply an iPhone with extra battery power and cover the rear-facing camera.

It could be developed to act as a sort of “kill switch” that cuts the phone’s power supply when it detects a radio transmitting data after its owner has attempted to turn the radios off.

The device is an academic project and nowhere near ready for the mass market, but it could still influence how consumers view the “tracking devices”, otherwise known as smartphones, that they rely on every day.

“If you have a phone in your pocket that’s turned on, a long-lived record of your movements has been created,” Snowden said. “As a result of the way the cell network functions your device is constantly shouting into the air by means of radio signals a unique identity that validates you to the phone company. And this unique identity is not only saved by that phone company, but it can also be observed as it travels over the air by independent, even more dangerous third parties.”

Most smartphones disable Wi-Fi, Bluetooth and cellular transmission when in airplane mode, but Snowden and Huang say that can’t be trusted.

“Malware packages, peddled by hackers at a price accessible by private individuals, can activate radios without any indication from the user interface,” they write in their paper on the device. “Trusting a phone that has been hacked to go into airplane mode is like trusting a drunk person to judge if they are sober enough to drive.”
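The check the introspection engine performs, written here as an added software example rather than the project’s own hardware design: it compares what the phone claims (airplane mode on or off) with what an independent observer sees on each radio, and flags any transmission while the phone claims to be dark. The sample readings, the two-second grace window for radios to wind down after the switch, and the function names are assumptions of this demo, not taken from the paper.

```python
# Added example (not the introspection engine's own firmware): a software model of the
# "trust but verify" policy the device implements. It compares what the phone CLAIMS
# (airplane mode on/off) with what independently observed radio activity SHOWS, and
# flags any transmission that happens while the phone claims to be dark.
# The readings below are constructed for this demo.
from dataclasses import dataclass, field

GRACE_SECONDS = 2.0   # assumed: radios may take a moment to quiesce after airplane mode is set


@dataclass
class Sample:
    t: float                                     # seconds since start
    airplane_mode: bool                          # what the phone's UI claims
    active: dict = field(default_factory=dict)   # radio name -> transmit activity observed


def covert_transmissions(samples, grace=GRACE_SECONDS):
    """Return (t, radio) pairs where a radio was observed transmitting while the phone
    claimed airplane mode, ignoring a short grace window right after the switch."""
    alerts = []
    dark_since = None          # time at which airplane mode was last switched on
    for s in samples:
        if not s.airplane_mode:
            dark_since = None  # radios are legitimately allowed to transmit
            continue
        if dark_since is None:
            dark_since = s.t
        if s.t - dark_since < grace:
            continue           # radios still winding down; not yet suspicious
        for radio, transmitting in s.active.items():
            if transmitting:
                alerts.append((s.t, radio))
    return alerts


def kill_switch_decision(samples, grace=GRACE_SECONDS):
    """The 'kill switch' policy from the article: cut power if any radio transmits
    after the owner asked for dark. Returns 'cut_power' or 'ok'."""
    return "cut_power" if covert_transmissions(samples, grace) else "ok"


# Constructed readings: owner enables airplane mode at t=10; Wi-Fi takes a second to
# stop (legitimate), but the cellular radio lights up again at t=30 (covert).
SAMPLES = [
    Sample(0.0, False, {"cellular": True, "wifi": True, "bluetooth": False}),
    Sample(10.0, True, {"cellular": False, "wifi": True, "bluetooth": False}),
    Sample(11.0, True, {"cellular": False, "wifi": False, "bluetooth": False}),
    Sample(30.0, True, {"cellular": True, "wifi": False, "bluetooth": False}),
    Sample(31.0, True, {"cellular": False, "wifi": False, "bluetooth": False}),
]

if __name__ == "__main__":
    for t, radio in covert_transmissions(SAMPLES):
        print(f"t={t:.0f}s: {radio} transmitted while the phone claimed airplane mode")
    print("decision:", kill_switch_decision(SAMPLES))
```

The grace window is the caveat: malware that transmits in the first couple of seconds after airplane mode is set would slip through, so in a real build it should be as short as the hardware allows, and the decision should be made by the case’s own microcontroller, never by software running on the phone it is supposed to be checking.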

The project is an extension of Snowden’s work to inform the public about the surveillance capabilities available to governments around the world. In June 2013 he revealed information about mass surveillance programs from the National Security Agency, where he was a contractor, and he has since become the closest thing digital security has to Neil DeGrasse Tyson or Bill Nye: a recognizable name that can explain these issues in a way the average person can understand.

In addition to educating people about security risks, he now wants to help citizens defend themselves – if the introspection engine ever becomes a reality.

Snowden and Huang say there’s no guarantee the device will ever be more than a mockup. “Over the coming year, we hope to prototype and verify the introspection engine’s abilities,” they write. “As the project is run largely through volunteer efforts on a shoestring budget, it will proceed at a pace reflecting the practical limitations of donated time.” If they do receive the proper funding, they could release the device in partnership with the Freedom of the Press Foundation media advocacy group.

Snowden said the introspection engine was designed to help protect journalists. “One good journalist in the right place at the right time can change history. One good journalist can move the needle in the context of an election. One well-placed journalist can influence the outcome of a war,” he said.

“This makes them a target, and increasingly the tools of their trade [are] being used against them. Our technology is beginning to betray us not just as individuals but as classes of workers, particularly those who are putting a lot on the line in the public interest.”

Sunday Times war correspondent Marie Colvin was reportedly killed in Syria after government forces were able to trace her position, according to a new lawsuit.

Snowden and Huang are concentrating on working with Apple’s iPhone, but also said the device could be modified to work on other smartphones. It’s not immediately clear how Apple will respond to the introspection engine; while it has worked to give consumers security features meant to thwart even sophisticated attackers, the company might not be fond of a device that can separate an iPhone from all networks. Apple has not responded to a request for comment.

Still, the connection to Snowden and the rush of attention following MIT Media Lab’s event might inspire others to work on devices similar to the introspection engine. Even if the tool never becomes more than an interesting subject discussed at an academic conference, it could lead to consumers having more control over what exactly their iPhone is sharing from their pockets.


Source: The Guardian UK

Police recreate murder victim’s finger so they can unlock his iPhone

It could be the crucial clue to solving a murder mystery.

A lab in Michigan has managed to recreate a dead man’s finger

A dead man’s finger has been 3D-printed at a Michigan lab in order to unlock his iPhone.

Police hope that the technology will help catch the killer, who remains at large, reports Fusion.net.

A set of fingerprints the police took from the victim during an unrelated arrest were taken to the lab in Michigan State University where they were used as blueprints.


Anil Jain and his team at the lab are still perfecting the fingers

Computer science professor Anil Jain, who specialises in biometric identifiers like fingerprint scanners, created a 3D printed replica of all ten fingers.

Anil told Fusion that the police are not sure which finger the victim used to unlock his phone.

He said: ‘We think it’s going to be the thumb or index finger, that’s what most people use, but we have all ten.’

iPhones read fingerprints with a capacitive sensor: the tiny differences in capacitance between the ridges and valleys of conductive, living skin form the image. Dry or non-conductive material does not register.


Police hope one of the fingers will allow them to access the victim’s iPhone

But after a person dies the skin dries out and its tissue deteriorates, so the conductivity the sensor depends on is lost.

To overcome this, Anil had to coat the 3D-printed fingers in a thin layer of conductive metallic particles.

The fingers now need to be tested and refined before they are handed back to the police for use.

It is still not foolproof: an iPhone falls back to demanding its passcode if it has not been unlocked for 48 hours or has been restarted, in which case the replica fingers will not get the police in.

Their investigation continues.

2016-07-22

KickAssTorrents down: US authorities seize domain name in move that could kill world’s biggest torrent site

The suspected founder of the site has been arrested and it could never go back online

Protesters demonstrate in Stockholm over the conviction of four men involved with The Pirate Bay filesharing site

The world’s biggest torrent site has been taken offline and could never go back up.

US authorities have seized the KickAssTorrents domain name in an operation that also saw them arrest a man who is alleged to have run the file-sharing site.

The website was by many measures the biggest file-sharing website in the world. But it now appears that it could never return, since the US government now owns all of the domains that it operates under.

KickAssTorrents has regularly moved to different domains registered around the world, as authorities have cut off access to specific addresses. Those have included kickasstorrents.com, kat.ph, kickass.to, kickass.so and kat.cr, all of which have been run from places around the world.

Access to the site had already been blocked by courts in the United Kingdom, Ireland, Italy, Denmark, Belgium and Malaysia.

But now that the site itself has been taken down, rather than merely blocked, the VPNs, mirrors and other workarounds that defeated the earlier court orders no longer help.

The site’s net worth has been estimated at $54 million, according to the US government, which is based on the millions of dollars of advertising money that is generated through the website.

2016-07-19

Investigatory Powers Bill: Theresa May-led legislation could be killed by ruling from European Court, privacy campaigners claim

The case was originally brought by a member of Ms May's own cabinet

During her speech at the 2011 Conservative Party conference, Theresa May announced plans to clamp down on illegal immigrants hiding behind the human rights act

A European Court of Justice ruling could deal a “serious blow” to Theresa May’s most prized piece of legislation, campaigners have said.

The new Prime Minister’s time in her previous job as Home Secretary was arguably defined by her oversight of the Investigatory Powers Bill – which hands over vastly more spying powers to police and other agencies, and forces internet companies to store information about users’ entire browsing history. But that bill could have been dealt a serious blow by a case brought by a member of her own cabinet.

The European Court of Justice heard a case challenging the government’s powers to retain data on its own citizens, in which it was argued that such bulk retention is unlawful. Although the court’s advocate general concluded that retention of this kind can be lawful in principle, provided it is confined to tackling serious crime and surrounded by strict safeguards, his opinion could still cause huge problems for Theresa May’s spying powers.

The case had originally been brought by a group including David Davis, the Conservative MP who has campaigned on privacy issues. But he withdrew from the case in the last week, soon after he re-joined the cabinet.

Campaign group Privacy International said that the opinion is a “serious blow” to the bill, and that the full judgement from the court is likely to cause further problems.

“The bulk powers - what we would call mass surveillance powers - embedded throughout the IPBill go far beyond tackling serious crime,” said Privacy International’s general counsel, Caroline Wilson Palow. “They would give a range of public bodies, not just the Police and intelligence agencies, the power to access the personal data of innocent people, often without any form of warrant.

“The Advocate General's opinion supports our calls for much stricter safeguards and oversight to protect us from serious violations of our privacy - including that all access to our data, including communications data, must be authorised by an independent authority such as a judge.”

The group said that the opinion should serve as “a wake up call for lawmakers that the IPBill's powers and safeguards need to be overhauled."

Green Party peers agreed that the opinion should lead lawmakers to rewrite major parts of the bill.

“Today’s European Court of Justice ruling - that bulk data collection is only lawful if it is used to tackle serious crime - makes it clearer than ever that the Investigatory Powers Bill currently passing through the House of Lords is simply not fit for purpose,” said Baroness Jones of Moulsecoomb, who represents the Green Party in the House of Lords.

“The Bill poses serious risks to our civil liberties, sanctioning unprecedented surveillance of citizens’ communications and failing to put in place sufficient safeguards against the misuse of powers granted to the security services."

2016-07-18

Google My Activity shows everything that company knows about its users – and there’s a lot

The new site collects every website you’ve been on, everything you’ve searched and many of the things you’ve done with your phone

There's a lot to see

Google has launched a new site that shows absolutely everything it knows about its users. And there’s an awful lot of it.

The new My Activity page collects all of the data that Google has generated by watching its customers as they move around the web. And depending on your settings that could include a comprehensive list of the websites you’ve visited and the things you’ve done with your phone.

Google has long allowed its users to see the kinds of information generated as they use the company’s products, including letting people listen to recordings it has stored of their own voice searches. But the new page collects them together in a more accessible – and potentially more terrifying – way than ever before.

The page shows a full catalogue of pages visited, things searched and other activity, grouped by time. It also lets people look at the same timeline through filters – looking at specific dates, which go all the way into the past, and specific products like Google search, YouTube or Android.

When users open up the page for the first time, pop-ups make the case for why it has been launched and why Google collects quite so much data. You can use the site to “rediscover the things you’ve searched for, visited and watched on Google services” and help “delete specific items or entire topics”.

The information is what drives Google’s advertising: by tracking people around the internet it can tailor the ads they see. The same site lets people opt out of that tracking entirely, or delete specific items they would rather were not used for advertising.

Users aren’t automatically opted into the interest-based advertising tools, despite the heavy promotion of the feature. Instead the site asks people to turn it on, arguing that it makes advertising more useful and lets them mute specific ads they don’t want to see.

Theresa May could launch huge attack on privacy and internet surveillance protections as prime minister, campaigners warn

The new Prime Minister was labelled the villain of the year by the internet industry, and has come to stand for many of the most invasive parts of the modern surveillance state

Britain's Home Secretary Theresa May passes a police officer as she arrives in Downing Street

Theresa May might have some fans but her time in the Home Office will also be remembered less favourably – by the privacy campaigners and internet industry that named her “villain of the year”.

Ms May’s time in the Home Office has been marked by conflicts with the biggest technology and internet companies over laws that would see them forced to break their own security to help surveillance. That has come despite an apparent commitment to liberal ideals in her campaign speeches, leaving many campaigners worried that she might actually pursue more aggressive policies despite her public statements.

"Theresa May has been a draconian Home Secretary, introducing the wrong policies at the wrong times for the wrong reasons,” said Harmit Kambo, campaigns director at Privacy International. “Instead of responding to public alarm about the Edward Snowden disclosures by rolling back state surveillance powers, she has instead ratcheted it up with the Investigatory Powers Bill, the most intrusive surveillance legislation of any democratic country.”

The Investigatory Powers Bill – which in its earlier form was stopped by the Liberal Democrats – looked to hand huge new surveillance powers to bodies including the police and spies. It seems to force companies to weaken their own security technology to let those authorities in, and compels internet companies to store huge amounts of data on their customers’ browsing histories, which can be accessed at any time by the Government.

Ms May’s pushing of that bill put her in a bitter and unprecedentedly public dispute with many of the biggest technology companies – including Apple, Facebook and Google – over whether the law should be passed. Campaigners argued that it was a law that allowed more intrusive surveillance than anywhere else in the world.

Her commitment to strengthening surveillance and rolling back privacy could be further strengthened by the fact that Brexit could allow the UK to opt out of many of the European laws that safeguard people’s privacy, campaigners have warned.

The first test of Ms May’s approach to surveillance will come when European courts decide on a dispute between the Government and two MPs, David Davis and Tom Watson, who argue that the DRIPA legislation that is used to spy on Britons is unlawful. The court is expected to give a preliminary judgement later this month, though it will not in itself be binding.

Campaigners say that it will be important to watch how Ms May responds to the judgement, which could compel the Government to change some of its surveillance practices. Though the UK has voted to leave the EU, it is bound to accept its judgements until it actually does so and the degree to which the new Prime Minister accepts them could define her time in power.

In the longer term, how Ms May chooses to deal with the various parts of European law that will be scrappable could define her approach to privacy. EU rules have been a restraining factor on Ms May’s Home Office, serving as a framework that protects against certain data protection abuses and forces companies to look after information in particular ways.

“If [Theresa May] goes for a full-on exit from European law, we’re going to have some really fundamental challenges,” said Jim Killock, the executive director of the Open Rights Group. “What happens to data protection law? Do we have the same standards, or ones that are similar or weaker?”

The same questions can be asked of electronic privacy regulations, net neutrality, safe harbour rules and copyright. “Nearly everything we do that’s digital is European law at the moment”, notes Mr Killock, and all of them can be re-written once Britain leaves the EU.

In the wake of all of those decisions, we could encounter problems because there will be a rush towards getting rid of regulations rather than preserving or re-writing them. The UK parliament has shown little interest in deciding on laws governing digital rights and privacy, potentially meaning that those decisions will be made by civil servants instead.

Much of the surveillance and anti-terror policy that Ms May has been criticised for began under the Labour government that preceded her. And the Home Office has gradually moved towards an approach of assuming that the best amount of surveillance is also the most, and that it is best limited by legislation that decides how exactly it can be used rather than how much data can be stored.

That will mean that the new Home Secretary is likely to keep much of the same surveillance policy, whoever is chosen to take on Ms May’s now vacant job.

Campaigners have also pointed to reasons for believing that Ms May’s new and public commitment to liberal policies could signal a switch towards being more open about privacy.

“While in opposition she opposed the introduction of ID cards,” said Mr Kambo. “As Home Secretary she has reformed police stop and search powers and has strongly supported equal marriage. She has also recently indicated that she will not pursue earlier plans to pull out of the European Convention of Human Rights, admittedly only because the majority of Parliament opposes withdrawal, not because she does.”

2016-06-17

Are YOU on the FBI's SECRET facial scanning database?

AN ALARMING number of citizens are included in the most advanced facial recognition service run by the US' top law enforcement agency, a new report has claimed.

Facial scanning is more widespread than thought as law enforcement agencies step up their activity

New fears have been raised about the scale of the US government's cyber surveillance after figures revealed just how huge its operations really are.

An investigation has found that a staggering 411 million photos can be searched through the FBI's facial recognition systems, more photos than there are people in the United States.

The terrifying scale of the FBI's operations comes courtesy of a Government Accountability Office report requested by the Senate subcommittee on privacy and technology.

Facial recognition scans could be tracking you


Facial recognition scans could be being used by the government to keep tabs on you

The report raised some particularly worrying issues about how the FBI audits its own use of facial recognition technology, or even how accurate its systems are, according to one top politician.

173 million of the pictures apparently come from the driving licences of US citizens, the report says.

US Senator Al Franken, the senior Democrat on the subcommittee that requested the report, said it "raises some very serious concerns, and reveals that the FBI’s use of facial recognition technology is far greater than had previously been understood."


The FBI is using extensive facial scanning services, the report found

The FBI began using its system in April 2015, and since then its agents have carried out more than 36,000 scans, the report says.

When presented with an image of an individual, the database can provide investigators with as many as 50 matching faces it suggests may be a fit.

Along with facial images, the agency's database also holds other biometric data such as fingerprints and iris scans, all of which can be used to identify an individual.

However such information is often not given with the individual's consent, being taken either as part of police questioning or even when an individual enters the US at an airport.

Fears have been growing about the US government's facial tracking capabilities for several years following the numerous disclosures by famous whistleblower Edward Snowden.

This includes the fact that the National Security Agency (NSA) intercepts “millions of images per day”, around 55,000 of which are “facial recognition quality”, according to a secret 2011 document.

But facial recognition technology is also becoming increasingly popular among consumers as they search for a more personal way to secure their devices.


Edward Snowden's disclosures revealed the NSA's collection of facial images

Apple confirmed earlier this week that its new iOS 10 mobile software will use facial recognition tools to scan a user's pictures and identify particular people.

This will allow its Apple Photos app to collect together images of a group of friends or family members and create personalised photo albums.

Windows 10 also offers a facial recognition unlock function using its Windows Hello program, which scans a user's face to open up their device.


Source: Express UK

2016-06-13

Hackers are using this nasty text message trick to break into people's accounts

The attacker can sometimes even spoof their identity - so the text looks like it comes from Google, or Facebook


Two-factor authentication is a godsend for securing your accounts.

It requires a second proof of who you are - typically a code sent to your phone - before you can log in, so that someone who has only your password still cannot get into your account.

However, hackers and hijackers are managing to find ways around it.

Earlier this week, Alex MacCaw, co-founder of the data API company Clearbit, shared a screenshot of a text message attempting to trick its way past two-factor authentication (2FA) on a Google account.

Here's how it works:

The attacker sends the target a text message, pretending to be the very company the target has an account with.

They say they have detected “suspicious” activity on the account and that a verification code is being sent, which the target should text back to avoid having their account locked. The attacker then tries to log in with the target's password, and it is the real service that sends the genuine 2FA code to the target's phone.

The victim, worried they are being hacked and not wanting to lose access to their data, replies with the code, believing they have thwarted the attempted hack.

But in doing so, they hand the attacker the one thing still standing between them and the account.

The hacker enters the victim's password, followed by this ill-gotten 2FA code, and they're in.

The attacker can sometimes even spoof their identity - so the text looks like it comes from Google, or Facebook, or Apple, rather than an unknown number.

Of course, the attacker still needs the victim's password for this to work. But there are a number of ways they could get hold of it. Often they look at data dumps from old hacks for emails/usernames and passwords which they then try on other sites, because so many people reuse passwords across multiple accounts and platforms.

Huge databases of tens of millions of email addresses and passwords have been floating around in the last few weeks - notably from LinkedIn and MySpace. So if you reuse passwords, your login details may be being shared online right now without you realising.

The text message that Alex MacCaw shared on Twitter is above.

To stay safe, use a strong, unique password for every account you have - managing them all with a password manager if necessary - and don't text your Two-factor authentication codes to anyone, even if they appear legitimate.


Source: Business Insider UK  &  Independent UK

2016-06-12

Details of 33 million Twitter accounts hacked and posted online

Twitter security officials said they are 'confident the information was not obtained from a hack of Twitter’s servers'

Security experts said the most common password affected by the breach was '123456'

Twitter has been forced to lock around 33 million accounts after their security details were posted online for sale.

The account details were reportedly collected by Russian hackers and posted for sale on the ‘dark web’, the part of the internet reachable only through special anonymising software.

The hack was made public by security firm LeakedSource.

According to Michael Coates, Twitter’s trust and information security officer, the social networking site is “confident the information was not obtained from a hack of Twitter’s servers.”

Rather, the usernames and passwords were taken from users’ other accounts, such as their email, LinkedIn or MySpace logins, and reused against Twitter.

“Regardless of origin, we’re acting swiftly to protect your Twitter account,” Mr Coates said.

Twitter quickly responded to the breach by cross-checking the details of 32,888,300 records with its user database. It immediately locked any Twitter accounts it believed were vulnerable.

The social networking service guaranteed: “If your Twitter information was impacted by any of the recent issues – because of password disclosures from other companies or the leak on the ‘dark web’– then you have already received an email that your account password must be reset.”

“Your account won’t be accessible until you do so, to ensure that unauthorized individuals don’t have access.”

LeakedSource explained the breach was caused by computers infected with malware that “sent every saved username and password from browsers like Chrome and Firefox back to the hackers from all websites including Twitter”.

The security website observed the most common password affected by the breach was ‘123456’, followed by ‘123456789’ – ‘qwerty’ and ‘password’ were third and fourth respectively.

It also showed that Russian users were the worst affected.

Speaking to Ars Technica, security researcher Troy Hunt said: “I'm highly sceptical that there's a trove of 32 million accounts with legitimate credentials for Twitter.

“The likelihood of that many records being obtained independently of a data breach and them being usable against active Twitter accounts is extremely low.”

Just this week, Facebook founder Mark Zuckerberg had his Twitter and Pinterest accounts hacked after hackers used a password obtained from a LinkedIn breach in 2012.

Twitter warned that to prevent your account from being hacked, users should “use a strong password that you don’t reuse on other websites.”
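An added example, not Twitter’s or LeakedSource’s code, of the two things described in the 2FA article above (attackers replaying reused passwords from old data dumps) and in this one (Twitter cross-checking the 32.9 million leaked records against its own user database, and LeakedSource ranking the most common passwords): given a dump of email:password rows, it finds which of a service’s own accounts the dump still unlocks, so they can be locked and reset, and ranks the passwords in the dump. The dump, the user records, the PBKDF2 parameters and all function names are constructed for this demo.

```python
# Added example, not Twitter's or LeakedSource's code: given a credential dump of the kind
# described in the articles (email:password pairs harvested from other breaches or by
# malware), find which of OUR accounts it still unlocks so they can be locked and reset,
# and rank the passwords it contains. The dump and the user database are constructed.
import hashlib
import hmac
import os
from collections import Counter

PBKDF2_ROUNDS = 100_000   # assumed parameter; the point is a salted, slow hash per user


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def make_user(password: str) -> dict:
    """Create a stored record the way a service would: random salt, slow hash."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": hash_password(password, salt)}


def parse_dump(lines):
    """Yield (email, password) from 'email:password' lines, skipping malformed and duplicate rows."""
    seen = set()
    for line in lines:
        line = line.strip()
        if ":" not in line:
            continue
        email, password = line.split(":", 1)
        email = email.lower()
        if not password or (email, password) in seen:
            continue
        seen.add((email, password))
        yield email, password


def accounts_to_lock(dump_lines, users):
    """Return the set of our accounts whose CURRENT password equals one in the dump.
    Only the record for the matching email is checked, so the cost is one slow hash per
    dump row that names one of our users, not one per user."""
    hits = set()
    for email, password in parse_dump(dump_lines):
        user = users.get(email)
        if user is None:
            continue                      # not our customer; nothing to check
        candidate = hash_password(password, user["salt"])
        if hmac.compare_digest(candidate, user["hash"]):
            hits.add(email)
    return hits


def most_common_passwords(dump_lines, n=3):
    """Rank passwords by frequency across the dump, as LeakedSource did for the Twitter set."""
    return Counter(p for _, p in parse_dump(dump_lines)).most_common(n)


# Constructed dump: alice reused her leaked password, bob has since changed his,
# carol is not our user, dave reused his. One duplicate row and one garbage row.
DUMP = [
    "alice@example.com:123456",
    "bob@example.com:hunter2",
    "carol@example.org:123456",
    "dave@example.com:qwerty",
    "alice@example.com:123456",
    "garbage line without separator",
]
USERS = {
    "alice@example.com": make_user("123456"),
    "bob@example.com": make_user("correct horse battery staple"),
    "dave@example.com": make_user("qwerty"),
}

if __name__ == "__main__":
    print("lock and reset:", sorted(accounts_to_lock(DUMP, USERS)))
    print("top passwords:", most_common_passwords(DUMP))
```

Two points a practitioner should take from it: the stored hashes are salted and slow, so the check costs one hash per dump row that names one of your users rather than one per user, and the comparison uses hmac.compare_digest so that timing does not leak which candidates were close.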


Source: Independent UK

2016-06-11

Why is everyone covering up their laptop cameras?

Stickers and slides serve to ease concerns that spooks could be watching our every move, as even the FBI director says he puts tape on his camera

The crowdfunded product Eyebloc failed to reach its $5,000 funding target despite appealing to a legitimate concern about surveillance. Maybe duct tape is quite good enough?

For the past half decade, the technology industry has been racing to build better cameras into the hardware we use every day.

Yet the surveillance age has inspired an odd cottage industry battling against this trend: a glut of cheap stickers and branded plastic slides designed to cover up the front-facing cameras on phones, laptops and even televisions.

For years, security researchers have shown that hackers can hijack the cameras to spy on whomever is on the other end. To put that in perspective, think of all the things your devices have seen you do.

Such warnings have finally caught on. Last month, the FBI director, James Comey, told an audience: “I put a piece of tape over the camera because I saw somebody smarter than I am had a piece of tape over their camera.”

The corporate swag company Idea Stage Promotions describes its Webcam Cover 1.0 as “the HOTTEST PROMOTIONAL ITEM on the market today”. The cable channel USA Networks sent journalists a “Mr Robot” webcam cover for the popular hacker thriller’s upcoming season.

Covering cameras isn’t new for those who know that the internet is always watching. Eva Galperin, a policy analyst for the Electronic Frontier Foundation, says that since she bought her first laptop with a built-in camera on the screen, a MacBook Pro, in 2007, she’s been covering them up.

EFF started printing its own webcam stickers in 2013, as well as selling and handing out camera stickers that read: “These removable stickers are an unhackable anti-surveillance technology.”

“People purchase these regularly,” a spokesman said.

The fear over web cameras has penetrated deep into popular culture. The trailer for Oliver Stone’s forthcoming biopic Snowden, on the US spy contractor, features a clip of actor Joseph Gordon-Levitt, who plays the title character, looking nervously at his laptop camera during an intimate moment with his girlfriend.

So are we all being paranoid? Well, it’s not science fiction. Researchers in 2013 showed how they could activate a Macbook’s camera without triggering the green “this-thing-is-on” light. One couple claimed a hacker posted a video of them having sex after hacking their smart TV. And federal court records shows that the FBI does know how to use laptop cameras to spy on users as well.

So, naturally, where there’s fear, there is money to be made.

The DC-based CamPatch describes itself as “the Mercedes Bens [sic] of putting tape over your webcam”. Its founders started the company in 2013 after hearing a briefing from Pentagon cybersecurity experts on how webcams were a new “attack vector”, said Krystie Caraballo, CamPatch’s general manager.

Caraballo wouldn’t disclose financials other than to say the company has had “six-figure revenues for the last several years” and that it has distributed more than 250,000 patches. The company advertises bulk pricing “as low as $2.79”.

Yet not everyone is on the camera-covering bandwagon. Brian Pascal, a privacy expert who has worked for Stanford and Palantir Technologies, says a cost-benefit analysis led him to conclude he’d rather have a usable camera, which he can use to record his son. But he acknowledged such stickers are a way for people to signal that they too worry about Big Brother.

“Security actions without threat modelling are just performative,” said Pascal.

Others just haven’t gotten around to it yet.

“Because I’m an idiot,” replied Matthew Green, an encryption expert at Johns Hopkins University when asked why he doesn’t cover his cameras. “I have no excuse for not taking this seriously ... but at the end of the day, I figure that seeing me naked would be punishment enough.”

Of course, webcam paranoia is likely to be only the first of many awakenings as consumers bring more devices into their lives that can be turned into unwitting spies. Amazon.com has had enormous success with its Echo smart speaker that, by default, is always listening for its owners’ commands. Google plans to release a similar product this year called Google Home.

In a hearing on Capitol Hill in February, the US director of national intelligence, James Clapper, acknowledged how the so-called “internet of things” could be used “for identification, surveillance, monitoring, location tracking, and targeting for recruitment, or to gain access to networks or user credentials”.


Source: The Guardian UK

2016-05-29

Google's upcoming Allo messaging app is 'dangerous', Edward Snowden claims

Snowden said Google's decision to disable end-to-end encryption by default makes it 'unsafe'

The new chat app will be released this summer

Using Google’s upcoming messaging app is “dangerous”, according to Edward Snowden.

In a tweet, the whistleblower advised against using Allo, the search giant’s latest app, saying: "Google's decision to disable end-to-end encryption by default in its new Allo chat app is dangerous, and m it for now."

His warning came after Google’s security expert Thai Duong blogged about the app’s security features.

Allo, branded as a “smart messaging app”, offers extra features when compared to other services like WhatsApp and Facebook Messenger.

Its 'smart reply' feature scans messages and suggests replies, and integrates Google’s other services like Google Search and Maps, all in a single app.

Allo also offers two privacy settings: normal and incognito.

Although messages are encrypted in both modes, the normal setting allows artificial intelligence run by Google to read messages, analyse them and provide suggestions. Only the incognito mode uses end-to-end encryption, which ensures that the messages can only be read by the people on either end of the conversation.

However, the default setting is normal, and to have further encryption a user has to manually change the privacy settings to incognito.

Thai Duong, a security expert at Google, blogged about his “personal opinion” of the new application “as someone from outside the team who consulted on security for Allo.” He edited the post after it was uploaded.

Duong wrote in an update: “I erased a paragraph from this post because it's not cool to publicly discuss or to speculate the intent or future plans for the features of my employer's products, even if it's just my personal opinion.”

This statement does not clarify what has been deleted from the blogpost.

However, Snowden explained in his tweet that the security expert was “discussing how #Allo is unsafe by default," and commented: "[The] lesson - bosses read blogs."

TechCrunch reported the deleted part of Duong’s post read: “The burning question now is: if incognito mode with end-to-end encryption and disappearing messages is so useful, why isn’t it the default in Allo?”

It is not clear whether Google told Duong to delete the paragraph from his blogpost or not.


Source: Independent UK

2016-05-27

Charging your mobile phone by plugging it into a computer could be enough to get you HACKED

If you thought plugging your phone into a computer to charge it up was fairly safe, you thought wrong

When your phone starts complaining that its battery is running low, you probably wouldn't think twice about plugging it into a computer to charge it up.

But security experts claim that this simple act could be enough to get you hacked.

According to researchers at Kaspersky Lab, plugging your iPhone or Android smartphone into a computer results in a whole load of data being exchanged between the two devices.

This could include the phone's name, the manufacturer, the device type, the serial number, firmware information, the operating system information, the file system and the electronic chip ID.

The amount of data sent varies depending on the device and the host, but each smartphone transfers the same basic set of information - like device name, manufacturer and serial number.


While this information may seem fairly innocuous, it is enough for a hacker to break into a smartphone and take control, according to Kaspersky.

Using a regular PC and a standard micro USB cable, the researchers were able to silently install a "root application" on a test smartphone, amounting to a total compromise of the device.

This is not the first time theft of data from a mobile connected to a computer has been observed.

This technique was used in 2013 as part of the cyberespionage campaign Red October. The Hacking Team group also made use of a computer connection to load a mobile device with malware.


In both of these cases, the hackers found a way to exploit the supposedly safe data exchange between the smartphone and the PC it was connected to.

By checking the identification data received from the connected device, the hackers were able to discover what device model the victim was using and then use this information to tailor their attack.

This would not have been as easy to achieve if smartphones did not automatically exchange data with a PC upon connecting to the USB port.

"The security risks here are obvious: if you’re a regular user you can be tracked through your device IDs; your phone could be silently packed with anything from adware to ransomware," warns Alexey Komarov, researcher at Kaspersky Lab.


"And you don't even have to be highly-skilled in order to perform such attacks, all the information you need can easily be found on the Internet."

If you're worried about getting hacked in this way, Kaspersky Lab says there are several ways to protect yourself:

  • Use only trusted USB charging points and computers to charge your device
  • Protect your mobile phone with a password, or with another method such as fingerprint recognition, and don’t unlock it while charging
  • Use encryption technologies and secure containers (protected areas on mobile devices used to isolate sensitive information) to protect the data
  • Install some kind of antivirus software that is capable of detecting malware even if a "charging" vulnerability is used
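The "basic set of information" the article says every phone hands over (device name, manufacturer, serial number, firmware revision) travels in the standard USB device descriptor and its string descriptors, which the phone returns during enumeration, before any unlock prompt. The parser below is an added example written for this page, not Kaspersky Lab's code; the vendor and product IDs, strings and serial are constructed placeholders, not any real manufacturer's values.

```python
"""Parse the USB device descriptor a phone hands to any host it is plugged into.

Added example: the layout follows the USB 2.0 specification (section 9.6.1);
the sample device bytes and strings below are constructed placeholders.
"""
import struct

# 18-byte device descriptor, every multi-byte field little-endian.
DEVICE_DESCRIPTOR_FMT = "<BBHBBBBHHHBBBB"
DEVICE_DESCRIPTOR_LEN = struct.calcsize(DEVICE_DESCRIPTOR_FMT)  # 18


def bcd_to_str(value):
    """USB 'bcdXXX' fields are binary-coded decimal: 0x0210 -> '2.10'."""
    return f"{value >> 8:x}.{value & 0xFF:02x}"


def parse_device_descriptor(raw):
    """Return the identifying fields of a DEVICE descriptor as a dict."""
    if len(raw) < DEVICE_DESCRIPTOR_LEN:
        raise ValueError("descriptor too short")
    (b_length, b_type, bcd_usb, _dev_class, _dev_subclass, _dev_proto,
     _max_packet0, id_vendor, id_product, bcd_device,
     i_manufacturer, i_product, i_serial, num_configs) = struct.unpack(
        DEVICE_DESCRIPTOR_FMT, raw[:DEVICE_DESCRIPTOR_LEN])
    if b_length != DEVICE_DESCRIPTOR_LEN or b_type != 0x01:
        raise ValueError("not a DEVICE descriptor")
    return {
        "usb_version": bcd_to_str(bcd_usb),
        "vendor_id": id_vendor,
        "product_id": id_product,
        "device_release": bcd_to_str(bcd_device),   # firmware/hardware revision
        "string_indexes": {"manufacturer": i_manufacturer,
                           "product": i_product, "serial": i_serial},
        "num_configurations": num_configs,
    }


def parse_string_descriptor(raw):
    """STRING descriptors (type 0x03) carry UTF-16LE text after a 2-byte header."""
    length, b_type = raw[0], raw[1]
    if b_type != 0x03 or length > len(raw):
        raise ValueError("not a STRING descriptor")
    return raw[2:length].decode("utf-16-le")


def make_string_descriptor(text):
    """Build a STRING descriptor; used here only to construct sample input."""
    payload = text.encode("utf-16-le")
    return bytes([2 + len(payload), 0x03]) + payload


def identify(device_raw, string_table):
    """Everything the host learns from enumeration alone: IDs plus the three strings."""
    info = parse_device_descriptor(device_raw)
    indexes = info.pop("string_indexes")
    for name, i in indexes.items():
        # Index 0 means "no string provided" for that field.
        info[name] = parse_string_descriptor(string_table[i]) if i else ""
    return info


# Constructed sample device (placeholder IDs, not a real vendor/product pair).
SAMPLE_DEVICE = bytes([
    0x12, 0x01,        # bLength = 18, bDescriptorType = DEVICE
    0x00, 0x02,        # bcdUSB = 0x0200
    0x00, 0x00, 0x00,  # class/subclass/protocol: defined per interface
    0x40,              # bMaxPacketSize0 = 64
    0x34, 0x12,        # idVendor = 0x1234 (placeholder)
    0x78, 0x56,        # idProduct = 0x5678 (placeholder)
    0x10, 0x01,        # bcdDevice = 0x0110, i.e. release 1.10
    0x01, 0x02, 0x03,  # iManufacturer, iProduct, iSerialNumber
    0x01,              # bNumConfigurations
])
SAMPLE_STRINGS = {
    1: make_string_descriptor("Example Phone Co"),
    2: make_string_descriptor("ExamplePhone 7"),
    3: make_string_descriptor("SN-CONSTRUCTED-0001"),
}

if __name__ == "__main__":
    for key, value in identify(SAMPLE_DEVICE, SAMPLE_STRINGS).items():
        print(f"{key:>18}: {value}")
```

The point for a defender is that these fields are exchanged by every host the cable touches, trusted or not, so the identifiers alone cannot be kept private; what the list above protects is the richer access (file system, app installation) that sits behind the lock screen, which is why "don't unlock it while charging" is the item that matters most on an untrusted charger.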

2016-05-26

US nuclear weapons are still controlled by floppy disks, report finds

The US Government Accountability Office found that the defense department was still using 1970s-era computer systems
Pentagon still uses Floppy Disks

The Pentagon plans to update its computer systems by the end of 2017

The Pentagon coordinates the US' nuclear weapons – using a floppy disk, as it turns out.

A new report by the US Government Accountability Office (GAO) has found that the country’s department of defence is still using 1970s-era computer systems that require the original eight-inch floppy disks.

Floppy disks became obsolete by the late 1990s as CDs started to be widely used.


The report said: “Agencies reported using several systems that have components that are, in some cases, at least 50 years old.

“Department of Defense uses eight-inch floppy disks in a legacy system that coordinates the operational functions of the nation’s nuclear forces.

“Department of the Treasury uses assembly language code – a computer language initially used in the 1950s and typically tied to the hardware for which it was developed.”

As part of its investigation, the GAO said that the US government spent more than $80 billion a year on information technology.

It said that the Pentagon used the floppy disks within its “strategic automated command and control system” that coordinates the operational functions of the US’ nuclear forces such as intercontinental ballistic missiles, nuclear bombers and tanker support aircraft.

The department plans to update the system by the end of 2017.

Jennifer Lawrence photo hacker Ryan Collins pleads guilty

A man has pleaded guilty to the hacking of emails and online accounts belonging to Hollywood stars and stealing private assets, including nude photos and video clips.

Ryan Collins used a ‘phishing’ scam to gain access to celebrity accounts

Ryan Collins, 36, had been accused of illegally accessing over 100 Google and Apple accounts, many of which belonged to famous women, between November 2012 and September 2014.

Prosecutors revealed that Collins used a ‘phishing’ scam to get his victims to enter their personal information.

He was then, in some cases, able to access all the files his victims had saved online. Some of these included naked videos and pictures.

Federal prosecutors said that they found no evidence to suggest that Collins distributed any of the explicit images obtained through his scheme.

2016-05-24

Uber has the ability to access one surprising piece of information from your mobile phone

Taxi app admits to having capability to pull data straight from the smartphone of many of its customers

The taxi app Uber has admitted to having the ability to detect the battery level on its users' phones.

However, it denied using this information to charge customers the more expensive "surge" price just as their mobiles are about to run out of juice.

Keith Chen, head of research at the firm, told NPR Uber had access to a "tremendous amount of data" about its customers.


It can work out the battery life on people's phones, although Chen said this was used to work out when to switch into low power mode and save the last bit of battery.

"When your phone is down to 5% battery and that little icon on the iPhone turns red, people start saying I’d better get home or I don’t know how I’m going to get home otherwise," he said.

"We absolutely don't use that to push you a higher surge price."

2016-05-22

60 per cent of Androids exposed by new attack on mediaserver

Yet again, the fix would be proper vetting of code in Google Play and other app stores

Duo Security researcher Kyle Lady says attackers can compromise more than half of enterprise Android phones by chaining two operating system and chip vulnerabilities.

The flaws affect scores of phones on the market from the most popular Lollipop version 5 Android system, second-placed KitKat version 4.4, and the barely-used modern Marshmallow version 6.

Some 60 percent of enterprise Android phones are affected based on tests of half a million phones.

Affected users can apply a January patch if one is available, although Android handsets other than Nexus units are locked into custom vendor ROMs and as such must hope manufacturers will distribute Google's security updates.

About 27 per cent of those devices were Android relics and so old they could not be owned using the attacks.

"If an attacker can get a user to run a malicious app on an affected Android device, the attacker can gain complete control over the entire device by exploiting this QSEE vulnerability," Lady says.

"This attack requires exploiting some vulnerability in mediaserver, and we’re assuming that the attacker has one, given how frequently critical or high severity bugs in mediaserver are found and patched.

"While the likelihood of getting malicious code onto a device is very low, all it takes is one success to get attack code in the Play Store."

Users need to download an attacker's app to be compromised, a gaffe which could be considered game-over regardless of any vulnerabilities in Android.

Malware developers are constantly finding success in uploading malicious applications to the Google Play Store, slipping undetected past Mountain View's security checks.

From there it exploits functions like accessibility, screen overlay, and root rights. The Marshmallow platform is much more hardened than Lollipop and significantly more so than Kitkat.

Now Lady (@kylelady) says a Qualcomm Secure Execution Environment (QSEE) vulnerability (CVE-2015-6639) that colleague Gal Beniamini (@laginimaineb) reported earlier this month affects scores of enterprise Android phones.

Lady says the attacks are not of the heightened risk level of the seemingly-immortal Stagefright vulnerability which can compromise Android phones with little more than a phone number.

About one in 200 phones contain an unwanted or malicious application in what could be an indication of the potential effectiveness of Beniamini's attack.

2016-05-21

Your money or your files: the growing threat of ransomware

Ransomware – whereby phishers lock data-access and blackmail the owners into paying for the key – is the new internet plague coming from the US. But since the criminals’ transactions are untraceable, what is the remedy? Seung Lee reports

Some cyber-security experts call the ransomware attacks an epidemic

The first wave of emotions, victims say, is a combination of panic and powerlessness. They click and reclick on files on their desktops – agendas for a weekend Christian camp, payroll data for hundreds of teachers or medical information for veterans – to no avail. Someone, or something, has converted the files to foreign MP3 files or an encrypted RSA format. And, next to these unopenable files, the victims get a ransom note in a text file or HTML file: “Help_Decrypt_Your_Files".

“All your files are protected by a strong encryption with RSA-4096 [military-grade encryption],” reads one note shared by a victim. “So there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW!, and restore your data the easy way. If you have really valuable data, you better not waste your time.”

In February, the Hollywood Presbyterian Medical Center in Los Angeles made national news after it was the victim of ransomware, a virus that blocks owners from accessing their files. For weeks, the hospital had to shuttle its patients to nearby facilities. But hackers aren’t going after only big targets: in the past few months, school districts in South Carolina and Minnesota, hospitals in Kentucky and Georgia, and a church in Oregon have been paralysed for days, and many experts believe there are far more ransomware attacks that have gone unreported.

Institutions have resorted to using handwritten forms as they try to retrieve data that is locked by military-grade encryption. In many cases, the victims cough up hundreds or thousands of pounds in untraceable, open-source crypto-currency for the key that will allow them access to their own information.

Some cyber-security experts call the attacks an epidemic. Both the US and Canadian governments issued a rare joint alert in March warning businesses of ransomware. In 2015, affected Americans paid about $325m (£225m) due to ransomware attacks; in 2016, cyber-security analysts estimate, it will be much higher. “Ransomware is dangerous because anyone can [use] it and target anyone,” says James Scott, a senior fellow at the Institute of Critical Infrastructure Technology.

While the culprits come from all over the world, ransomware attacks are mainly co-ordinated by highly organised mercenary hackers based in Russia and other Eastern European countries, prompting some to hark back to Cold War-era concerns. “This is World War III,” says Clint Crigger, a cyber-security manager for SVA Consulting, though he insists he is not an alarmist.

Firewalls or antivirus programs do a terrible job detecting ransomware, but those are not the cause of the epidemic. Instead, many experts say, it lies with people’s carelessness in clicking on phishing emails and infected advertisements. Two-thirds of ransomware cases stem from phishing emails, according to cyber-security research company Lavasoft.

Rookie hackers, known as script kiddies, can easily scrape together a fake email from a senior hospital doctor or school superintendent laced with ransomware viruses using social engineering. A common method is mass-collecting email addresses from the company’s domain name, identifying the top executives of the company using LinkedIn or Facebook, creating a fake email address under one of those executives’ names and sending a ransomware-laced email to a lower-level employee with a subject line reading “invoice” or something else that looks as if it demands attention.

Another variant is sending a phishing email under the name of your postman. One ransomware attack at a Georgia Veterans Affairs hospital began with an employee clicking on a fake US Postal Service email, paralysing the hospital for three days.

David Eppelsheimer, the pastor of the Community of Christ Church in Hillsboro, Oregon, can speak from experience. He found all his PowerPoint files mysteriously converted to the MP3 format on 18 February, and got a curt ransom note asking for 1.3 bitcoins (about £400). “I felt helpless, and it felt surreal,” he says.

After two days of frantically trying to obtain Bitcoins in shady-looking online markets, Eppelsheimer paid the hackers about £400 to obtain the encryption key to open the files. He said it took several weeks to retrieve and open hundreds of his personal files, one by one.

Several cyber-security experts say that paying ransom should be considered only in the worst-case scenarios, when one has no back-ups or lines of defence in place – much like Eppelsheimer. Paying ransom allows the hackers to carry on their ransomware activities. “If you pay the ransom, what you are saying is, you have been caught with your pants around your ankles,” Crigger says.

Charles Hucks feels like he had no choice. As the executive director of technology at the Horry County School District in South Carolina, he became a victim of ransomware. For a few weeks earlier this year, his county’s networks were frozen, bringing the daily routines of 42,000 students and thousands more staff and teachers to a halt. Despite having ready back-ups and a full-time information technology staff working 20 hours daily to get the data back, Hucks and the school district still had to pay 22 bitcoins (£6,900) to the hackers for the key as a “business decision.”

But experts say institutions and people aren’t helpless against ransomware. The best thing to do is to back up data frequently, on a cloud storage platform, with cold storage or on an external hard drive. Scott also advocates training employees about “cyber hygiene,” comparing not clicking on malvertisements to washing one’s hands before working in a restaurant or hospital. “Loose clicks sinks ships,” Crigger says.

If a company or server is breached, the recommended procedure is to cut off all servers from public access to prevent the virus from spreading and then have IT professionals comb every folder and network for infections. Scott says institutions need to be vigilant about ransomware viruses acting as diversions as the hackers launch an attack elsewhere in the network, perhaps downloading a company’s personal data to sell on the black market. One way to detect it, Scott says, is to monitor for abnormal spikes in downloads and other activities in unaffected networks during attacks.
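The symptoms the article describes are observable on the endpoint and on the network: documents mass-renamed to a foreign extension (MP3 in Eppelsheimer's case), a ransom note such as Help_Decrypt_Your_Files dropped beside them, and, per Scott's advice, an abnormal spike in outbound transfer from a network that is supposedly unaffected. The script below is an added example written for this page, not any vendor's product; the endpoint-agent log lines and the per-minute egress counts are constructed sample data, and the thresholds are placeholders to tune against a real baseline.

```python
"""Three ransomware indicators over constructed sample telemetry (added example).

The log format "<ISO time> <host> <RENAME|CREATE> <detail>" is invented for this
example; the egress series is a made-up per-minute byte count for one server.
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample endpoint log: five documents re-extensioned within seconds,
# then a ransom note, on ws-office1; one ordinary rename on ws-office2.
SAMPLE_LOG = """\
2016-02-18T09:00:01 ws-office1 RENAME /home/user/docs/agenda.docx -> /home/user/docs/agenda.docx.mp3
2016-02-18T09:00:02 ws-office1 RENAME /home/user/docs/payroll.xlsx -> /home/user/docs/payroll.xlsx.mp3
2016-02-18T09:00:02 ws-office1 RENAME /home/user/docs/sermon.pptx -> /home/user/docs/sermon.pptx.mp3
2016-02-18T09:00:03 ws-office1 RENAME /home/user/docs/budget.xlsx -> /home/user/docs/budget.xlsx.mp3
2016-02-18T09:00:03 ws-office1 RENAME /home/user/docs/notes.txt -> /home/user/docs/notes.txt.mp3
2016-02-18T09:00:04 ws-office1 CREATE /home/user/docs/Help_Decrypt_Your_Files.html
2016-02-18T09:05:10 ws-office2 RENAME /home/user/draft.docx -> /home/user/final.docx
"""

EVENT_RE = re.compile(r"^(\S+) (\S+) (RENAME|CREATE) (.+)$")
RENAME_RE = re.compile(r"^(.+?) -> (.+)$")
# Note name quoted in the article; real detections would carry a list of known note names.
NOTE_RE = re.compile(r"help_decrypt_your_files", re.IGNORECASE)


def parse_log(text):
    """Yield (timestamp, host, kind, detail) tuples; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m.group(1)), m.group(2),
                           m.group(3), m.group(4)))
    return events


def _ext(path):
    name = path.rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def mass_rename_hosts(events, window=timedelta(seconds=60), threshold=5):
    """Hosts on which at least `threshold` files changed extension inside one window."""
    per_host = defaultdict(list)
    for ts, host, kind, detail in events:
        m = RENAME_RE.match(detail) if kind == "RENAME" else None
        if m and _ext(m.group(1)) != _ext(m.group(2)):
            per_host[host].append(ts)
    flagged = set()
    for host, times in per_host.items():
        times.sort()
        start = 0
        for end in range(len(times)):          # sliding window over sorted times
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(host)
                break
    return flagged


def ransom_note_hosts(events):
    """Hosts where a file matching a known ransom-note name was created."""
    return {host for _, host, kind, detail in events
            if kind == "CREATE" and NOTE_RE.search(detail)}


def egress_spike_minutes(bytes_per_minute, baseline=10, factor=5):
    """Minutes whose outbound volume exceeds `factor` x the median of the previous
    `baseline` minutes; Scott's 'abnormal spike on an unaffected network' check."""
    spikes = []
    for i in range(baseline, len(bytes_per_minute)):
        med = statistics.median(bytes_per_minute[i - baseline:i])
        if med > 0 and bytes_per_minute[i] > factor * med:
            spikes.append(i)
    return spikes


# Constructed egress series: ~1.2 MB/min steady state, one 90 MB minute at index 12.
SAMPLE_EGRESS = [1_200_000] * 10 + [1_100_000, 1_300_000, 90_000_000, 1_250_000]

if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    print("mass rename:", mass_rename_hosts(events))
    print("ransom note:", ransom_note_hosts(events))
    print("egress spikes at minutes:", egress_spike_minutes(SAMPLE_EGRESS))
```

Each indicator is weak alone (a user converting a folder of audio, or a legitimate backup window, can trip one of them); the value is in correlating them, and in running the egress check on the segments that are not locked up, since that is where the article's diversion scenario plays out.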

But even some cyber-security experts seem to have a fatalistic view. Ransomware viruses are constantly evolving, with some able to self-mutate around anti-virus programs and security controls.

Without a massive overhaul in cyber-security infrastructure and an understanding of cyber hygiene, institutions such as small hospitals will remain easy targets. But Scott worries that even more critical and outdated systems that control dams or nuclear silos built during the Cold War with minimal upgrades can be similarly hacked.

For victims such as Eppelsheimer, it can be hard to deal with a faceless attack that can seem very personal. “My outlook is: love my neighbour, even if he steals from me,” Eppelsheimer says. “But I was angry [when it happened]. It felt like a faceless, nameless evil from the other side of the world descended on me and my church.”


Source: Newsweek & Independent UK

2016-05-17

Face recognition app taking Russia by storm may bring end to public anonymity

FindFace compares photos to profile pictures on social network Vkontakte and works out identities with 70% reliability

If the founders of a new face recognition app get their way, anonymity in public could soon be a thing of the past. FindFace, launched two months ago and currently taking Russia by storm, allows users to photograph people in a crowd and work out their identities, with 70% reliability.

It works by comparing photographs to profile pictures on Vkontakte, a social network popular in Russia and the former Soviet Union, with more than 200 million accounts. In future, the designers imagine a world where people walking past you on the street could find your social network profile by sneaking a photograph of you, and shops, advertisers and the police could pick your face out of crowds and track you down via social networks.

In the short time since the launch, FindFace has amassed 500,000 users and processed nearly 3m searches, according to its founders, 26-year-old Artem Kukharenko, and 29-year-old Alexander Kabakov.

Kukharenko is a lanky, quietly spoken computer nerd who has come up with the algorithm that makes FindFace such an impressive piece of technology, while Kabakov is the garrulous money and marketing man, who does all of the talking when the pair meet the Guardian.

Unlike other face recognition technology, their algorithm allows quick searches in big data sets. “Three million searches in a database of nearly 1bn photographs: that’s hundreds of trillions of comparisons, and all on four normal servers. With this algorithm, you can search through a billion photographs in less than a second from a normal computer,” said Kabakov, during an interview at the company’s modest central Moscow office. The app will give you the most likely match to the face that is uploaded, as well as 10 people it thinks look similar.

Kabakov says the app could revolutionise dating: “If you see someone you like, you can photograph them, find their identity, and then send them a friend request.” The interaction doesn’t always have to involve the rather creepy opening gambit of clandestine street photography, he added: “It also looks for similar people. So you could just upload a photo of a movie star you like, or your ex, and then find 10 girls who look similar to her and send them messages.”

Some have sounded the alarm about the potentially disturbing implications. Already the app has been used by a St Petersburg photographer to snap and identify people on the city’s metro, as well as by online vigilantes to uncover the social media profiles of female porn actors and harass them.

The technology can work with any photographic database, though it currently cannot use Facebook, because even the public photographs are stored in a way that is harder to access than Vkontakte, the app’s creators say.

But the FindFace app is really just a shop window for the technology, the founders said. There is a paid function for those who want to make more than 30 searches a month, but this is more to regulate the servers from overload rather than to make money. They believe the real money-spinner from their face-recognition technology will come from law enforcement and retail.

Kukharenko and Kabakov have recently returned from the US, and Kabakov was due to travel to Macau and present the technology to a casino chain. The pair claim they have been contacted by police in Russian regions, who told them they started loading suspect or witness photographs into FindFace and came up with results. “It’s nuts: there were cases that had seen no movement for years, and now they are being solved,” said Kabakov.

The startup is in the final stages of signing a contract with Moscow city government to work with the city’s network of 150,000 CCTV cameras. If a crime is committed, the mugshots of anyone in the area can be fed into the system and matched with photographs of wanted lists, court records, and even social networks.

It does not take a wild imagination to come up with sinister applications in this field too; for example authoritarian regimes able to tag and identify participants in street protests. Kabakov and Kukharenko said they had not received an approach from Russia’s FSB security service, but “if the FSB were to get in touch, of course we’d listen to any offers they had”.

The pair also have big plans for the retail sector. Kabakov imagines a world where cameras fix you looking at, say, a stereo in a shop, the retailer finds your identity, and then targets you with marketing for stereos in the subsequent days.

Again, it sounds a little disturbing. But Kabakov said, as a philosophy graduate, he believes we cannot stop technological progress so must work with it and make sure it stays open and transparent.

“In today’s world we are surrounded by gadgets. Our phones, televisions, fridges, everything around us is sending real-time information about us. Already we have full data on people’s movements, their interests and so on. A person should understand that in the modern world he is under the spotlight of technology. You just have to live with that.”


Source: The Guardian UK

2016-05-11

GCHQ says you should change your passwords LESS often, as one in three Brits admits to snooping on their partner's social media

Forcing people to change their passwords regularly is ineffectual, according to the UK spy agency

In a piece of advice that seemingly contradicts everything else we've ever heard, GCHQ has recommended you should change your password LESS often.

According to the spy agency's cybersecurity arm, forcing people to change their passwords regularly is ineffectual, because they are likely to choose a new password that is very similar to the old one.

They are also more likely to write the new password down, for fear of forgetting it. This increases the risk of the password falling into the wrong hands.

"Attackers can exploit this weakness," said the Communications-Electronics Security Group (CESG). "The new password may have been used elsewhere, and attackers can exploit this too."

Instead of forcing a changed password at regular intervals, it recommends organisations provide users with information on when their account was last activated.

GCHQ says sticking to the same password for a long time - unless it's something like ABC123 - is a good idea.
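Two checks that follow directly from the CESG reasoning, written as an added example for this page (not GCHQ or CESG code): the first rejects a "new" password that is a near copy of the old one, which is what forced rotation tends to produce, and the second builds the last-activity notice CESG recommends instead of a forced change. The sign-in records are constructed sample data, and the distance threshold and the set of trailing characters are assumptions to tune.

```python
"""Checks behind the CESG advice on password rotation (added example)."""
from datetime import datetime


def levenshtein(a, b):
    """Edit distance; a small value means the new password is a near copy of the old."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


# Characters people bump when "changing" a password (assumed set; tune to taste).
TRAILING = "0123456789!@#$%^&*._-"


def is_trivial_rotation(old, new, max_distance=2):
    """True when the rotated password differs from the old one by a character or
    two, or only in a trailing counter/symbol (Summer2016! -> Summer2017!).
    Both values are in hand only at the moment of change, because the user types
    the old password to authorise the new one; nothing extra is stored."""
    o, n = old.lower(), new.lower()
    if levenshtein(o, n) <= max_distance:
        return True
    o_stem, n_stem = o.rstrip(TRAILING), n.rstrip(TRAILING)
    return bool(o_stem) and o_stem == n_stem


def last_activity_notice(logins, now):
    """Sign-in banner text so the user can spot access they did not make.

    `logins` is a list of (datetime, source) for earlier successful sign-ins.
    """
    if not logins:
        return "This is the first sign-in for this account."
    when, source = max(logins, key=lambda entry: entry[0])
    age = now - when
    return f"Last sign-in: {when:%Y-%m-%d %H:%M} UTC from {source} ({age.days} days ago)."


if __name__ == "__main__":
    print(is_trivial_rotation("Summer2016!", "Summer2017!"))   # the rotation CESG warns about
    print(is_trivial_rotation("Summer2016!", "correct horse battery"))
    # Constructed sign-in history for one account.
    history = [(datetime(2016, 5, 1, 9, 0), "office network")]
    print(last_activity_notice(history, datetime(2016, 5, 11, 12, 0)))
```

The similarity check only catches the failure mode the article describes; the notice is the cheaper control, since a user who sees a sign-in they do not recognise has a concrete reason to change the password, which is the one case where rotation helps.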

The news comes as a new study into online privacy reveals that one in three Brits secretly know their partner's passwords.

The survey by money-saving website VoucherCodesPro has revealed the UK's attitude to trusting loved ones with our passwords.

It discovered that almost three quarters of us have looked through social media messages on someone else's account without their permission.

The team responsible for the study polled 2,211 UK adults between 18 and 45 who have been in their current relationship for at least two years.

Initially respondents were asked if their partner let them access their social media channels when they wanted to; 51% of respondents stated they did. Respondents were then asked if their partner had let them know their password for social media channels; 21% stated they had.



Following straight on from this, all respondents were then asked if they knew their partner’s password without them being aware of this, with 34% stating they did.

Researchers asked these participants how they found out their partner's password: 59% stated they ‘guessed’ it, 37% said they ‘keyboard watched’ and the remaining 4% asked their partner's friends.

As to what those sneaky snoopers got up to once they'd accessed their partner's accounts - the researchers provided a list:

  • Looked through social media messages – 74%
  • Looked through the photo gallery – 59%
  • Looked through emails – 54%
  • Looked through browser history – 46%
  • Looked through bank statements – 39%

George Charles, spokesperson for www.VoucherCodesPro.co.uk, made the following comments regarding the study:

“Being open with your partner is incredibly important and snooping at their social media channels or any private documentation just isn’t the way to achieve a healthy relationship," he said.

"Knowing your partner’s password without their knowledge will only lead to trouble. It suggests you are looking for something and if you look hard enough, you will always find something to convince you that your fear is real.”


Source: Mirror UK

Fraudsters bribing insurance company staff for YOUR information


Fraudsters are bribing insurance company staff for information about their customers, the City of London Police has found.

Some scammers follow staff into pubs, cafes and car parks to corner them and coerce them into divulging data.

Stolen information is used to make false insurance claims and can also be used to apply for loans and bank accounts.

Detective Chief Inspector Oliver Little, of the National Fraud Intelligence Bureau, said that insurance staff who are tempted to give out or sell sensitive information could face criminal charges.