Why intelligence services need access to your phone

How many of you recall the terrorist attack in San Bernardino back in December 2015? An Islamist terrorist couple went into a California health sector office’s Christmas party and opened fire, killing 14 and wounding 22.

The two were later killed in a hail of police gunfire, but that is where the controversy over the incident really started. In an attempt to find out the motivation behind the attack, US law enforcement tried to get into Syed Rizwan Farook’s cellphone only to find they could not as it was password protected. Authorities approached the phone’s manufacturer, Apple, for help only to be rebuffed.

The company said variously that it could not unlock the device or that by doing so it would set a dangerous precedent and undermine their users’ confidence in Apple’s ability to ensure privacy. In the end, the FBI allegedly paid a hacker to get into the phone and allow the Bureau to continue their investigation anyway.

Image: Police tape in front of the Inland Regional Center in San Bernardino, California

The issue has not gone away

At the time this debate was heated with strong positions on both sides. Those in favour of meeting the government’s request who thought Apple should comply said that terrorists – especially dead ones – have no expectations of privacy and that the FBI needed the phone’s data to see who else was involved in the plot and whether others were being planned. Those against said the State has no business asking for private information and that if Apple had complied nothing would be secure ever again from Big Brother’s prying eyes (and ears).

I saw both arguments and weighed in – cautiously – on giving the police access, albeit on very strict conditions.

Well, guess what? The issue has not gone away. In early September the US intelligence community, in conjunction with their ‘5 eyes’ partners (the ‘5 eyes’ is a group of nations that includes Australia, Canada, New Zealand, the UK and the US and is the world’s premier intelligence club), apparently ‘quietly warned’ technology firms that they will “demand lawful access to all encrypted emails, text messages and voice communications” and threatened to impose compliance if such assistance is not rendered.

Wow, is that ever strong!

The community will ‘demand access’ and if denied will look into legislation to make sure they get what they want/need. Is this acceptable in a liberal democratic society (I assume police states and dictatorships have no compunction about making these threats)?

In a word, yes, with a caveat. My position has not changed since 2015 and I do think we can achieve security and privacy at the same time. Just as spies and cops cannot normally intercept communications of citizens without a court-approved warrant (SIGINT organizations like CSE do not get warrants but they also do not collect domestically) nor should they be able to demand access to encrypted domestic communications without one. If CSIS or the RCMP can make a case that an ongoing investigation into a serious threat can only go forward with access to data they cannot currently read, they can go before a Federal Court judge and make that case, much as they currently do for other intercept warrants. Who would be opposed to this? There are rules and procedures to follow and judges who deem certain cases too weak can turn them down (this does happen by the way).

There is, of course, a downside to having to get a warrant

It presupposes that you already have begun an investigation into an individual or cell and already have enough info to make your case. You are asking for part of the puzzle you don’t have yet. It does not allow for ‘fishing expeditions’ into those who have not already crossed your radar (which was what transpired in San Bernardino, no?). In other words, even a warrant does not guarantee 100% security. As a free society we have to accept that. The alternative is unfettered and uncontrolled State access to everyone’s communications and I am fairly confident no Canadian (or Australian, or Brit or…) wants that.

We as a society have to decide what the balance is between giving our security intelligence and law enforcement agencies the tools they need and safeguarding the privacy and immunity from eavesdropping we crave. I happen to think we can achieve both through the courts – what say you?

Just as critics feared, Fortnite for Android came with an epic security risk

After watching friends play Fortnite on their iPhones for months, you may have downloaded the game the second it became available for your Android phone. I get it. But doing so could have put you at risk.

As spotted by Android Central, Google has disclosed a huge vulnerability in Epic Games’ original Fortnite installer for Android, one that could have been used to make the Fortnite installer install and launch a rogue app, and even give that app access to your phone’s data without you ever knowing.

For the attack to work, it sounds like you would have already needed to have a piece of malware on your phone, ready and waiting to strike. But not a particularly sophisticated one. After you ask the Fortnite Launcher to download Fortnite, Google claims that any app with the WRITE_EXTERNAL_STORAGE permission would have been able to sneakily replace the real Fortnite app with a fake one after security checks were already complete. It’s known as a “man-in-the-disk” attack.

> Read entire article Just as critics feared, Fortnite for Android came with an epic security risk | Anti-Corruption Digest 
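The check-then-use race behind the “man-in-the-disk” swap described above, as an added simulation that is not from the article or from Epic's installer. Temporary directories stand in for shared external storage and app-private storage; the package bytes, digest and function names are constructed for illustration.

```python
import hashlib, os, shutil, tempfile

GENUINE = b"constructed-genuine-package-bytes"   # constructed sample data
ROGUE = b"constructed-replacement-bytes"         # constructed sample data
EXPECTED = hashlib.sha256(GENUINE).hexdigest()   # digest the installer trusts

def digest(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def install_from_shared(shared_path, window=lambda: None):
    """Vulnerable pattern: verify a path in shared storage, then reopen it."""
    if digest(shared_path) != EXPECTED:
        raise ValueError("digest mismatch")
    window()                      # any app that can write here may act now
    with open(shared_path, "rb") as f:
        return f.read()           # bytes that actually get installed

def install_from_private(shared_path, private_dir, window=lambda: None):
    """Hardened pattern: copy into app-private storage, verify that copy."""
    staged = os.path.join(private_dir, "staged.apk")
    shutil.copyfile(shared_path, staged)
    os.chmod(staged, 0o600)       # only the installer's own user may touch it
    window()                      # changes to shared storage no longer matter
    with open(staged, "rb") as f:
        data = f.read()           # read once, verify exactly these bytes
    if hashlib.sha256(data).hexdigest() != EXPECTED:
        raise ValueError("digest mismatch")
    return data

def run_demo():
    shared = tempfile.mkdtemp()   # stands in for external storage
    private = tempfile.mkdtemp()  # stands in for the app's private directory
    path = os.path.join(shared, "download.apk")
    def put(content):             # write the given bytes to the shared path
        with open(path, "wb") as f:
            f.write(content)
    put(GENUINE)
    vulnerable = install_from_shared(path, window=lambda: put(ROGUE))
    put(GENUINE)
    hardened = install_from_private(path, private, window=lambda: put(ROGUE))
    try:                          # shared file is already replaced before staging
        install_from_private(path, private)
        rejected = False
    except ValueError:
        rejected = True
    shutil.rmtree(shared)
    shutil.rmtree(private)
    return vulnerable, hardened, rejected
```

`run_demo()` returns the bytes each pattern would install: the shared-storage path yields the replacement even though the digest check passed, while the private-staging path yields the genuine bytes or rejects the file outright.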

Fake Fortnite for Android links found on YouTube

Already, there are several videos on YouTube with links claiming to be versions of Fortnite for Android, despite the fact the game has yet to be released on this platform.

Swati Khandelwal of The Hacker News highlights the emerging threat in her article, Epic Games Fortnite for Android–APK Downloads Leads to Malware. Taking it a step further, I grabbed some of these malicious apps and took them for a spin.

The apps are not located on the Google Play Store. Instead, people have found them by searching “How to install Fortnite on Android” or “Fortnite for Android” in Google, or stumbling across links in YouTube ads. From there, the apps can be downloaded.

> Read entire article Fake Fortnite for Android links found on YouTube | Nathan Collier | Malwarebytes

Facebook keeps tabs on Android SMS and calls

Users find Facebook has been keeping records of their calls and text messages.

Published on InfoSecurity | By Phee Waterfield

One week after the Cambridge Analytica data breach went public, Facebook is continuing to lose trust with its users as many go to delete their accounts.

However, for many users, the surprises keep coming, as they were shocked to find out Facebook had been collecting call records and SMS messages.

According to Ars Technica, a user from New Zealand, Dylan McKay was looking through data Facebook had collected, which he had downloaded from the social network site. While scanning through information the tech giant had about his contacts, McKay discovered that Facebook had about two years’ worth of phone call metadata from his Android phone, including names, phone numbers and the length of each call made or received.

Since this original flag, many users have also taken to Facebook with their own Facebook data archives.

Read entire article Facebook Keeps Tabs on Android SMS and calls | InfoSecurity

When the threats get weird, the security solutions get weirder

Next year, our phones and desktops will be ground zero for an arms race between bizarre new threats and strange new innovations in cybersecurity.

The world of security is getting super weird. And the solutions may be even weirder than the threats!
I told you last week that some of the biggest companies in technology have been caught deliberately introducing potential vulnerabilities into mobile operating systems and making no effort to inform users.

One of those was introduced into Android by Google. In that case, Android had been caught transmitting location data that didn’t require the GPS system in a phone, or even an installed SIM card. Google claimed that it never stored or used the data, and it later ended the practice.
Tracking is a real problem for mobile apps, and this problem is underappreciated in considerations around BYOD policies.

Read complete article
When the threats get weird, the security solutions get weirder | Mike Elgan | Computer World

Android Security gets a boost with Google Play Protect

In a timely move given the rash of trojanized apps showing up in the official Google Play store of late, the internet giant has debuted Google Play Protect.

The biggest piece of news is that Google said it now uses machine learning to scan more than 50 billion apps every day to hunt for risks and potentially harmful code. Automated remediation is also part of the enhancement.

Edward Cunningham, product manager for Android Security, said:

“Play Protect is built into every device with Google Play, is always updating, and automatically takes action to keep your data and device safe, so you don’t have to lift a finger.”

Google has also implemented a “Find My Device” feature, which allows users to locate, ring, lock and erase Android devices remotely—including phones, tablets and watches.

The news comes after several instances of bad apps showing up in Google Play. For instance, HummingWhale, a new variant of the HummingBad malware, was found hiding in more than 20 apps on Google Play in January; the infected apps were downloaded several million times by unsuspecting users before the Google Security team removed them.

Similarly, the FalseGuide malware was found in April to be infesting 40+ guide apps in the Google Play store; these were uploaded to the app store as early as November 2016, meaning they hid successfully for five months, accumulating an alarming 2 million infected users.

Source: InfoSecurity

Malware discovered pre-installed on Android devices

Security researchers have found malware on nearly 40 different Android devices owned by two unnamed companies. While that may sound like a fairly normal occurrence, Check Point’s researchers claim the malware was pre-installed on the devices somewhere along the supply chain.

Check Point did not name the companies involved but said one was a large telecommunications company and the other a multinational technology company.

The malware found was not installed on the device by the users but was in fact already present when the users received them. The malware was not part of the ROM firmware supplied by the vendor. Therefore, Check Point said, malicious apps were added to the devices somewhere along the production line.

In some cases the malware was installed onto the ROM itself using system privileges. Removal of the malware in these cases required a full reinstall of the device.

Among the malware discovered on the devices was the Loki malware, which can be used to display illegitimate advertisements to generate revenue. It can also steal information about the device it’s installed on. Also discovered was the Slocker mobile ransomware. This can encrypt all files on the device and demand payment in exchange for the decryption key.

Most of the rest of the pieces of malware were information stealers and ad displayers, Check Point said.

The list of infected phones reads: Galaxy Note 2, 3, 4, 5, 8 and Edge, Galaxy Tab 2 and S2, Galaxy S7 and S4, Galaxy A5, LG G4, Xiaomi Mi 4i and Redmi, ZTE x500, Oppo N3 and R7 Plus, Vivo X6 plus, Nexus 5, Nexus 5X, Asus Zenfone 2, and Lenovo S90 and A850.

“The discovery of the pre-installed malware raises some alarming issues regarding mobile security. Users could receive devices which contain backdoors or are rooted without their knowledge,” said Oren Koriat, Check Point Mobile Research Team.

Despite its worldwide popularity, Android continues to suffer from security issues. The ability to install apps on Android devices from unofficial app stores is causing a spike in malware infections. Even the official Google Play app store has been breached. On top of this, the way the Android ecosystem works means many users don’t automatically get updates to the OS, leaving their devices vulnerable to security threats.

Source: infosecurity

Wikileaks: The CIA is using popular TVs, smartphones and cars to spy on their owners

WikiLeaks has released thousands of documents that it claims show how the Central Intelligence Agency can break into smartphones, computers and other connected devices, including smart TVs.

The trove, which WikiLeaks is dubbing “Vault 7”, purports to be a massive archive of CIA material consisting of several hundred million lines of computer code that has been “circulated among former US government hackers and contractors in an unauthorized manner, one of whom has provided WikiLeaks with portions of the archive.”

“This demonstrates conflicting challenges faced by the security developer community,” said Vikram Kapoor, co-founder and CTO at Lacework, a Mountain View, Calif. based provider of cloud security solutions, via email. “On one hand, this has scary implications for individual privacy rights and shows how extensively some of the systems can be hacked. On the other hand, it demonstrates how hard it is to manage security for insider risk and cloud workloads today for organizations.”

Most centrally, the documents show ways that the agency allegedly can hack mobile phones and can bypass the encryption used by messaging services like Signal, WhatsApp and Telegram. After penetrating Android phones, the CIA can collect “audio and message traffic before encryption is applied,” WikiLeaks said.

The purported intelligence documents also include detailed information on CIA-developed malware—dubbed things like Assassin and Medusa. And, the documents point to an alleged entire unit in the CIA devoted to hacking Apple products. Further, WikiLeaks alleges that the CIA is proven here to have deliberately failed to disclose security vulnerabilities and bugs to major US software manufacturers, choosing instead to leverage them for their own ends.

On a darker front, the documents claim that the CIA maintains remote hacking programs to turn various connected devices, including smart TVs, into recording and transmitting stations, with the feeds sent back to secret CIA servers.

Other capabilities “would permit the CIA to engage in nearly undetectable assassinations,” WikiLeaks said. One document lays out actions that the CIA allegedly took to infiltrate and take over vehicle control systems in cars and trucks.

Read Wikileaks Vault 7: CIA Hacking Tools Revealed

Source: infosecurity