Windows 10’s Privacy Policy: the New Normal?

from the no-i-do-not-want-to-send-a-crash-report dept.

An anonymous reader writes:

The launch of Windows 10 brought a lot of users kicking and screaming to the “connected desktop.” Its benefits come with tradeoffs: “the online service providers can track which devices are making which requests, which devices are near which Wi-Fi networks, and feasibly might be able to track how devices move around. The service providers will all claim that the data is anonymized, and that no persistent tracking is performed… but it almost certainly could be.” There are non-trivial privacy concerns, particularly for default settings. 
According to Peter Bright, for better or worse this is the new normal for mainstream operating systems. We’re going to have to either get used to it, or get used to fighting with settings to turn it all off. “The days of mainstream operating systems that don’t integrate cloud services, that don’t exploit machine learning and big data, that don’t let developers know which features are used and what problems occur, are behind us, and they’re not coming back. This may cost us some amount of privacy, but we’ll tend to get something in return: software that can do more things and that works better.”

Posted by Soulskill 2 days ago

 

Justice Department: Default Encryption Has Created a ‘Zone of Lawlessness’

ORIGINAL ARTICLE

from the what-would-you-call-this-zone-that’s-allegedly-associated-with-danger? dept.
Jason Koebler writes:
Leslie Caldwell, an assistant attorney general at the Justice Department, said Tuesday that the department is “very concerned” by the Google’s and Apple’s decision to automatically encrypt all data on Android and iOS devices.

“We understand the value of encryption and the importance of security,” she said. “But we’re very concerned they not lead to the creation of what I would call a ‘zone of lawlessness,’ where there’s evidence that we could have lawful access through a court order that we’re prohibited from getting because of a company’s technological choices.

Posted by Soulskill 2 days ago

FBI Seeks To Legally Hack You If You’re Connected To TOR Or a VPN

Law would allow law enforcement to search electronic data if target computer location has been hidden through Tor or VPN

2015/01/img_2530.jpg
Original Article

by NICOLE KARDELL | FEE | JANUARY 20, 2015

The FBI wants to search through your electronic life. You may think it’s a given that the government is in the business of collecting everyone’s personal data — Big Brother run amok in defiance of the Constitution. But under the limits of the Fourth Amendment, nothing it finds can be used to prosecute its targets. Now the FBI is taking steps to carry out broad searches and data collection under the color of authority, making all of us more vulnerable to “fishing expeditions.”

The investigative arm of the Department of Justice is attempting to short-circuit the legal checks of the Fourth Amendment by requesting a change in the Federal Rules of Criminal Procedure. These procedural rules dictate how law enforcement agencies must conduct criminal prosecutions, from investigation to trial. Any deviations from the rules can have serious consequences, including dismissal of a case. The specific rule the FBI is targeting outlines the terms for obtaining a search warrant.

It’s called Federal Rule 41(b), and the requested change would allow law enforcement to obtain a warrant to search electronic data without providing any specific details as long as the target computer location has been hidden through a technical tool like Tor or a virtual private network. It would also allow nonspecific search warrants where computers have been intentionally damaged (such as through botnets, but also through common malware and viruses) and are in five or more separate federal judicial districts. Furthermore, the provision would allow investigators to seize electronically stored information regardless of whether that information is stored inside or outside the court’s jurisdiction.

The change may sound like a technical tweak, but it is a big leap from current procedure. As it stands, Rule 41(b) only allows (with few exceptions) a court to issue a warrant for people or property within that court’s district. The federal rules impose this location limitation — along with requirements that the agent specifically identify the person and place to be searched, find probable cause, and meet other limiting factors — to reduce the impact an investigation could have on people’s right to privacy. Now the FBI is asking for the authority to hack into and search devices without identifying any of the essential whos, whats, wheres, or whys — giving the FBI the authority to search your computer, tablet, or smartphone even if you are in no way suspected of a crime.

All you have to do is cross the FBI’s virtual path. For instance, the proposed amendment would mean that agents could use tactics like creating online “watering holes” to attract their targets. Anyone who clicked on law enforcement’s false-front website would download the government malware and expose their electronic device to an agent’s search (and also expose the device to follow-on hackers). One obvious target for this strategy is any forum that attracts government skeptics and dissenters — FEE.org, for example. Such tactics could inadvertently impact thousands of people who aren’t investigation targets.

This sort of sweeping authority is in obvious conflict with the Constitution. The Fourth Amendment makes it clear that the government cannot legally search your house or your personal effects, including your electronic devices, without (1) probable cause of a suspected crime (2) defined in a legal document (generally, a search warrant issued by a judge) (3) that specifically identifies what is to be searched and what is to be seized.

The FBI is not the first government agency to find itself challenged by the plain language of the Fourth Amendment. Past overreach has required judges and Congress to clarify what constitutes a legal search and seizure in particular contexts. In the 1960s, when electronic eavesdropping (via wiretaps and bugs) came about, Congress established the Omnibus Crime Control and Safe Streets Act of 1968 (the Wiretap Act). The law addressed concerns about these new surreptitious and invasive investigative tactics and provided several strictures on legal searches via wiretap or bug. Since covert investigative tools can be hard to detect, it was important to institute more rigorous standards to keep agents in line.

The same concerns that Congress addressed in the 1960s are present today, but they take on far greater significance. With our growing reliance on electronic devices to communicate with others, to transact business, to shop, travel, date, and store the details of our private lives, these devices are becoming our most important personal effects. The ability of government actors to enter our digital space and search our electronic data is a major privacy concern that must be checked by Fourth Amendment standards. As the Supreme Court recently pronounced in Riley v. California, the search of a modern electronic device such as a smartphone or computer is more intrusive to privacy than even “the most exhaustive search of a house.”

What seems most troubling, though, is that the FBI is attempting to override the Fourth Amendment, along with the body of law developed over the years to reign in surveillance powers, through a relatively obscure forum. Instead of seeking congressional authority or judicial clarification, it has sought a major power grab through a procedural rule tweak — a tweak that would do away with jurisdictional limitations and specificity requirements, among other important checks on law enforcement. The request seems objectively — and constitutionally — offensive.

Transforming USB sticks into undetectable malicious devices

Original Article

IMG_2322.JPG

Two researchers Brandon Wilson and Adam Caudill released their attack code to reprogram USB sticks and use them as an undetectable hacking instrument.
Recently, two independent researchers, Brandon Wilson and Adam Caudill, have released the code which can reprogram, benign USB devices turning them in malicious components.

The experts published the code on the Github raising the question related to the real level of security of USB devices, the BadUSB research was approached in detail during the Black Hat conference when security experts demonstrated the risks related to an undetectable menace carried via USB.

Security experts explained that USB devices can be used to compromise personal computers in a potential new type of attacks that could not be detected with all actual security protections.

Karsten Nohl, chief scientist with Berlin’s SR Labs, discovered that bad actors could exploit this new class of attacks loading malicious software low-cost computer chips that control the functions of USB devices.

The researchers from SR Labs, which presented the attack scheme during the Black Hat conference this summer, point a series of flaws in the software used to run a tiny electronic components, these components are usually designed without protections against tampering with their code.

Hackers can uncover such flaws and exploit them creating serious problems to the targeted architecture.

“You cannot tell where the virus came from. It is almost like a magic trick,” said Nohl.

Nohl explained that his team has written malicious code and deployed it into USBcontrol chips used in thumb drives and smartphones, at this point it is sufficient that victims connect the USB device to a computer to trigger the execution of malicious software.

Nohl and Lell’s BadUSB demonstrations during Black Hat illustrated how their code could overwrite USB firmware and turn a USB device into anything. A flash drive plugged into a PC, could for example, emulate a keyboard and issue commands that steal data from the machine, spoof a computer’s network interface and redirect traffic by altering DNS settings, or could load malware from a hidden partition on the drive.

Antivirus software are not able to detect malicious firmware that controls USB devices, the code inserted with this method can be used for many purposes, including spy on communications, data tampering and log keystrokes.

But while Karsten Nohl decided to not disclose the attack code, Brandon Wilson and Adam Caudill made public their source code to solicit the IT industry to adopt necessary measures for securing USB firmware from malicious manipulation.

“The security of these devices is completely compromised.” “The security of these devices is completely compromised,” Wilson said. “You can’t trust anything you plug into your computer any longer, not even something as simple as a flash drive.”
“We’re just taking advantage of the USB protocol,” Wilson said. “This drive is a reprogrammable computer that allows you to do all sorts of things. It allows you to be any device, and up until now, most developers had hard-coded them to behave in specific ways. The firmware on a flash drive makes it behave like a flash drive.”

After Black Hat, Wilson said he bought numerous drives and tested them and were able to take advantage of existing tools used to update firmware to get their code to overwrite the firmware on the Phison device. At Derby Con, they were able to demonstrate their attack with the device pretending to be a keyboard that typed out a predetermined script once it was plugged into the host computer. They also showed another demo where they had a hidden partition on a flash drive that was not detected by the host PC.

“It’s undetectable while it’s happening,” Wilson said. “The PC has no way of determining the difference. The way a PC determines the type of device all happens through the USB and code on the other device. Our ability to control that code means you cannot trust anything a USB device tells you.”

This kind of attack is very insidious, it is necessary that the device manufacturers will improve the level of security for their devices, avoiding for example the unauthorized firmware overwriting using digitally signed code for the USB device firmware.

“The fact that we were so easily able to change the firmware is an easy fix. The manufacturers could implement code-signing, but they don’t do that at all” Wilson said. “That needs to change. And even if they do add code-signing, you still have the other aspect which is that the computer cannot trust what you’re plugging into it. To truly fix the problem, it has to be fixed on the host.” “When you have a firmware image, you want to protect it in some way. You want a checksum, or something that the drive uses to validate that something is coming across correctly,” Wilson added. “There’s nothing like that. There needs to be something. Code signing is one approach to take for now. But to really shut it down long term, the host needs to be aware that when you plug in a device you don’t trust, it has to be given an option not to trust it. Because once you plug it in, it’s done.”

Resuming, threat actors could exploit USB as an attack vector simply by reprogramming USB peripherals, so it is crucial to implement protection from such malicious reprogramming.

IMG_2323.JPG

Once reprogrammed, any USB devices could be used for various malicious purposes, including:

emulates a keyboard and issue commands on behalf of the logged-in user, for example to exfiltrate files or install malware. Such malware, in turn, can infect the controller chips of other USB devices connected to the computer.
spoofs a network card and change the computer’s DNS setting to redirect traffic.
A modified thumb drive or external hard disk can – when it detects that the computer is starting up – boot a small virus, which infects the computer’s operating system prior to boot.
Unfortunately, no effective defenses from USB attacks are possible in this moment, antivirus cannot access the firmware running on USB devices and behavioral detection very hard to implement.

Pierluigi Paganini

(Security Affairs – hacking, USB)

A Cybersecurity Threat That Could Be Lurking On Your Phone

A Cybersecurity Threat That Could Be Lurking On Your Phone

Gary Miliefsky, SnoopWall CEO, and founding member of the US Department of Homeland Security announces a privacy breach posed by smartphone flashlight apps. Miliefsky has advised two White House Administrations on Cybersecurity.

He was scheduled to join us on set for Special Report, but we had to make room for breaking news. We know you were all excited to hear this story and so we brought Gary in just for The Daily Bret. Share your thoughts with us on Twitter @BretBaier or here on the blog– after hearing this story will you delete your flashlight app?