Australia is Spending Millions on Cyber-Security

In this day and age, cyber-security is a huge issue for countries and companies alike, and everyone wants to upgrade and protect their systems. The latest to join this barrage of countries is Australia, which recently announced a new strategy in cyber-security.

Prime Minister Malcolm Turnbull launched the new strategy in Sydney. With a budget of $178 million, the scheme will look to bolster the country’s defensive and offensive capabilities. That’s right: while he didn’t confirm if the country had used its offensive capabilities against other countries, Turnbull did acknowledge it had hacking capabilities by saying that it “adds to [Australia’s] credibility as it promotes norms of good behaviour on the international stage and, importantly, familiarity with offensive measures enhances [its] defensive capabilities as well.”

The funding will create new centers for cyber-security and give 5,000 companies the means to test their security. By supporting the country and the companies based within it, the new funding will look to support an already growing cyber economy, something which the scheme’s document claims is “growing twice as fast as the rest of the global economy”.

With GCHQ stating that a recent investment into cyber-security didn’t go as well as planned and a recent survey showing that executives think cyber-security is an IT problem, any investment to protect people from malicious hackers online should be welcome.

Opera Browser Introduces Free Integrated VPN

Norwegian internet browser Opera now includes a free, unlimited VPN natively, meaning that its users “don’t have to download VPN extensions or pay for VPN subscriptions to access blocked websites and to shield your browsing when on public Wi-Fi,” according to the official announcement.

Opera’s blog post reads:

According to Global Web Index*, more than half a billion people (24% of the world’s internet population) have tried or are currently using VPN services. According to the research, the primary reasons for people to use a VPN are:

  • To access better entertainment content (38%)
  • To keep anonymity while browsing (30%)
  • To access restricted networks and sites in my country (28%)
  • To access restricted sites at work (27%)
  • To communicate with friends/family abroad (24%)
  • To access restricted news websites in my country (22%)

According to the research, young people are leading the way when it comes to VPN usage, with almost one third of people between 16-34 having used a VPN.

The in-browser VPN is only available as part of the most recent developer version, but is set to arrive in the release version following successful testing and refinement.

Opera’s in-browser VPN follows its native ad-blocker, released as part of its last developer version last month, in an effort to centralise its users’ needs in one package.

Opera 38 developer version can be downloaded here.

Android Security Report Published by Google

Compared to Apple and their almost uncrackable iOS, security on Android has always seemed poor. Despite the constant security patches, it seems like Google’s mobile OS is fraught with security flaws with new flaws like Stagefright appearing and reappearing with troubling frequency. Google don’t agree with this image, however, and their second annual Android security report seems to back up their stance that Android is, in fact, quite secure.

The majority of the issues identified with their security came from apps not loaded through the Google Play Store. Between 2014 and 2015, attempts to load malware through the Play Store dropped drastically with only 0.15 percent of users being infected with rogue code from the app platform. When you compare this to the 0.5 percent of all Android users that have been hit with malicious code, it shows an increase in attempts to attack Android devices without going through the Play Store.

Lead engineer of Android Security, Adrian Ludwig, released a few snippets of data to illustrate the lengths Google go to in order to keep Android secure.

  • Google checks six billion installed apps daily for malware (Potentially Harmful Apps in Google’s parlance).
  • A total of 400 million devices per day are scanned for network-based and on-device threats.

Android’s security is only set to improve too, with the monthly security updates able to respond to new threats quickly after they emerge. Google are also pushing for device manufacturers to keep up to date with the monthly updates that are automatically rolled out to their Nexus devices.

The full 2015 security report is 48 pages long and can be found on Google’s website.

Congressman Wants Longstanding Mobile Security Flaw Investigated

When it comes to our technology, we like to think there might be a hint of privacy in its use. Signaling System 7 is a set of protocols used to help route data, messages, and even phone calls through mobile networks, but the problem is that such a widely used system is actually flawed. This flaw led to Ted Lieu, a congressman for the state of California, calling for an investigation into the longstanding mobile security flaw after it was demonstrated to him by a group of hackers based in Germany.

The mobile security flaw was demonstrated on 60 Minutes by German security researcher Karsten Nohl, with it initially being revealed all the way back in 2014. Nohl managed to use the exploit knowing nothing more than the congressman’s phone number. With just their number, Nohl stated that they could track people’s locations, read their texts and even hear what was said in their phone calls.

Lieu is coming hard at those who might have known about this issue, saying that any government employee that knew about the SS7 problem should be fired because “this affects so much of daily life to your personal phone”. With everyone using their mobile phones people don’t protect them, often being lulled into a false sense of security and risking their personal lives and data on a daily basis.

Apple Claims ‘Most Effective Security Organization in the World’

In a recent press conference with some of Apple’s engineers, the company stated that they had the ‘most effective security organization in the world’. It wasn’t just an idle statement either, with them revealing a number of the security features that are packed into their iPhone both on the hardware and software levels.

The conference itself was a highly technical affair, with the attending engineers going to great lengths to detail the security protocols they have in place. More than just being a podium for Apple to grandstand, this conference was a show of clear defiance against the revived effort by the US government to unlock the iPhones of criminals, with the company restating the point that making the popular smartphone less secure for them would risk compromising the privacy and security of its customers.

Unlike Android and the numerous companies developing Android devices, Apple control all aspects of their phone’s development which allows them to bake security into every level of their device, from hardware to firmware to software. The features employed in order to make the device so secure include a number of both industry-standard and Apple-specific features, which, when employed together secure the device at all levels, making it impossible to even flash the device with a hacked version of iOS or similar super-low-level attacks. They also believe that the chance of a bug occurring at a low enough level to cause a major compromise is small.

Getting users to ensure their phones run the latest version of iOS is another important step to keep devices secure, as each new iteration of the mobile operating system includes new security improvements and bugfixes. Some of the ways that Apple have employed to increase the adoption rate of the newest versions of their software include shrinking the size of the operating system from 4.6GB in iOS 8 to just 1.3GB in iOS 9 and also offering “while you were sleeping” update options, both of which seem to be effectual, with iOS 9 having an adoption rate of 80% so far.

It is plain to see how important Apple believe that security and encryption are to our future by the effort they put into ensuring their devices are secure. Their struggle to convince governments that slackening of security and precedents to force companies to unlock devices would have long-term damage is likely far from over, but we can be assured that Apple (and many other tech firms) will continue to struggle against these demands and ensure a safer and more secure digital future.

Police In Canada Used BlackBerry’s Key To Read Encrypted BBM Messages

When it comes to mobile phones, BlackBerry pride themselves on their security, with many companies taking up the device as their go-to model thanks to its support and security features. It now appears that those security features may not have been so secure after all, with the Royal Canadian Mounted Police (RCMP) gaining the ability to read encrypted BBM messages.

When it comes to encryption, companies are having to be careful, with the likes of Apple going to Congress to discuss just how much they can be expected to help and support law enforcement without oversight or detailed rulings on how and when they can access private data. In this case, the RCMP gained access to BlackBerry’s BBM (BlackBerry Messenger) services by using the encryption that came with your everyday BlackBerry, meaning the only ones that were safe from this interception are those connected to enterprise servers.

If you weren’t connected to an enterprise server, your BlackBerry would have used a peer-to-peer key that is loaded into your phone when it’s built, something that the RCMP managed to gain access to and in turn granted them access to people’s encrypted BBM messages and conversations.

As part of an operation, titled Project Clemenza, the RCMP intercepted and decrypted roughly one million messages, as reported by Vice News in a joint investigation with Motherboard, who in turn revealed that the RCMP actually had a server in Ottawa that acted like a mobile phone by simulating “a mobile device that receives a message intended for [the rightful recipient]”.

With BlackBerry looking to step away from mobile devices and into security consulting, this news couldn’t come at any worse of a time given that if the server is still operational (key and all) then without a large update to its phones, the RCMP could still be reading people’s messages to this day even after the operation ended in 2012.

Homeland Security & Trend Micro Recommend Uninstalling QuickTime Now

When it comes to software that you may not have heard of, or even used, recently, QuickTime comes to mind. Once a popular piece of video software, it seems to have faded away from both our and Apple’s minds. This has led Trend Micro and the Department of Homeland Security to recommend that if you have QuickTime installed on your Windows PC, you uninstall it for your own safety.

The warnings from both Trend Micro and the Department of Homeland Security come as Trend Micro discovered two new critical vulnerabilities within the software that could be used by remote attackers to gain control of your system. While there aren’t any active attacks targeting this problem, both groups are recommending you uninstall the software from your Windows system as Apple will no longer release security updates for QuickTime on Windows.

The options seem pretty clear-cut: uninstall some software or risk being exposed to a threat that will never get fixed. While QuickTime on Macs is unaffected, Windows users should look to use some of the alternative options available to them if they want to watch media content on their PC.

For information on how to uninstall QuickTime, you can visit Apple’s support page here.

Apple & FBI Heading Back to Congress to Debate Encryption

When Apple and the FBI first appeared in front of Congress, the debate was whether Apple could be ordered to unlock an iPhone, and if so, should they then create a method where they could easily access future devices for law enforcement? While the case revolving around the San Bernardino phone is over, with the FBI gaining access with help from an external group, the debate is still far from over, with both the FBI and Apple looking to appear before a congressional committee to debate encryption yet again.

The debate over encryption will see several people join the committee as witnesses, including Bruce Sewell (General Counsel, Apple Inc), Amy Hess (Executive Assistant Director for Science and Technology, FBI) and Amit Yoran (President, RSA Security). Other witnesses include Ron Hickman representing the National Sheriffs Association and two police officers, Captain Charles Cohen and Chief Thomas Galati (Indiana state police and New York City Police respectively). With two university representatives, Daniel Weitzner (MIT) and Matthew Blaze (University of Pennsylvania), appearing as well, it would appear that Congress wants to hear the debate from research, implementation and law enforcement points of view in an attempt to fully understand the debate that is raging on in countries all over the world about privacy vs protection.

With countries all over looking to this court case as an example of how technology has advanced while the law remains unclear, the congressional hearing could have a big impact on companies throughout America. The hearing will take place on April 19th and will be streamed on their site for ease of access.

Obama to Appoint Execs From Uber, Mastercard & Microsoft to Cybersecurity Panel

Cybersecurity is a big issue this year, with people becoming more and more aware of the steps that both governments and companies are making to gain access to or stop others accessing their data. After its recent attempt to get Apple to help bypass the security features on an iPhone, the FBI rather embarrassingly revealed that government systems had been accessed by an unknown party since 2011. In a move to help combat cybersecurity issues, President Obama intends to appoint executives from several major technology companies to a new cybersecurity panel to help act on these matters.

As part of a $19 billion proposal, the Commission on Enhancing National Cybersecurity will be made up of people who are described by President Obama as being “dedicated individuals [who will] bring a wealth of experience and talent to this important role, and I look forward to receiving the Commission’s recommendations.”

Among the names appear the likes of General Keith Alexander, director of the NSA from 2005 till 2014; Uber’s Chief Security Officer Joe Sullivan; the CEO of MasterCard, Ajay Banga; and corporate vice president of Microsoft Research, Peter Lee. With these being just a few of the names listed, the list seems to be focused on gathering the support of those who have experience within the industry, and while the released statement may be an announcement of his intent, any of the members on the list could provide valuable insight into cybersecurity.

Amazon Recommends Users Change Their Passwords

Who doesn’t have an Amazon account? If you do, it may be worth changing your password, as Amazon recommends users take the precaution after it discovered that some of their Amazon accounts could be found online.

Amazon discovered the leaked passwords were contained within a password list online, and while not exclusive to Amazon services, it has recommended that users change their passwords, even more so if they use the same password on several sites. If your account’s email address was found to be on any of the lists, then Amazon has taken the precaution to force a password reset on your account.

While many recommend against it, it’s common practice for people to use the same password and email combinations on several sites, thus increasing the chance that if one account is hacked, others will be compromised alongside.

While it’s recommended by some that we get rid of passwords altogether, alternative methods like biometric scanners for your fingerprints have been seen as easily bypassed and companies are even looking at using videos or selfies to access your accounts, a technique that has been met with mixed views. Would you prefer to access your account with a selfie or video of yourself or do you believe that the password still has a while to go if used correctly?

UPDATE: We were asked to remove the image, so one of our own, Robert Ainsworth, provided us with a copy of the email he received.

Security Flaw Allowed The FBI To Create The iPhone Cracking Software

Apple vs the FBI looked like it would never end, originally starting with the FBI requesting (and then a federal judge ordering) Apple’s support in unlocking and gaining access to an iPhone in a court case. Apple looked to defend itself and ultimately the FBI recalled its actions when it received support from an outside party. It has now been revealed how the tool used by the FBI gained access to the iPhone through the use of a security flaw.

The security flaw, one that was previously unknown to Apple, allowed the creation of a tool to crack the four-digit PIN, getting around the protection against 10 failed attempts to gain access to the phone. The group that provided the tool to the government was a group of “grey hat” hackers who actively seek out flaws in software to then sell on to groups such as the government.

The exposed flaw affects both the iPhone 5 and iOS 9 iPhones, and may not work on newer versions of both iPhones and the iOS operating system. FBI director James B. Comey has said that they may or may not disclose the security flaw to Apple, but with the latest leak revealing where they need to focus, Apple may now fix the problem before others are able to exploit it.

US Congress Bill Plans to Make Effective Encryption Illegal

In the wake of the FBI’s feud with Apple over bypassing the encryption of San Bernardino shooting suspect Syed Rizwan Farook’s iPhone, the US Congress is proposing a new bill that aims to outlaw effective encryption, what is termed “technical assistance”, requiring any company or entity to build in backdoors to its security systems for law enforcement to exploit.

In a draft of the proposed bill, written by a committee led by Senators Dianne Feinstein (D-California) and Richard Burr (R-North Carolina) and leaked by politics news outlet The Hill, businesses are required to release “information or data” if served with a court order – meaning that they are legally obligated to have access to that data in the first place – or provide law enforcement agencies with “technical assistance as is necessary to obtain such information in an intelligible format or to achieve the purpose of the court order.”

While talk suggests that the leaked draft of the bill is close to its final iteration, its final draft could still change, especially since it does not have the support of President Obama. It is not yet known if this version of the bill has been submitted to Congress.

“While the bill claims that it in no way is designed to force companies to redesign their products, this is a subtle hypocrisy,” Jonathan Zdziarski, a computer forensics and encryption expert, wrote in a blog post. “The reality is that there is no possible way to comply with it without intentionally backdooring the encryption in every product that may be used in the United States.”

“This bill would not only be surrendering America’s cybersecurity but also its tech economy, as foreign competitors would continue to offer—and bad guys would still be able to easily use!–more secure products and services,” Kevin Bankston, Director of the New America Foundation’s Open Technology Institute, told Vice Motherboard. “The fact that this lose-lose proposal is coming from the leaders of our Senate’s intelligence committee, when former heads of the NSA, DHS, the CIA and more are all saying that we are more secure with strong encryption than without it, would be embarrassing if it weren’t so frightening.”

WordPress Enables Free HTTPS Connections to Custom Domains

WordPress is a free, open source content management system, typically used for blogs and quick makeshift websites. While it’s nice to have your own content, you want to make sure that it’s safe and secure, something which the “Let’s Encrypt” project hopes to improve upon, a project that WordPress have now joined.

The Let’s Encrypt Project announced on March 9th that it would soon take on a new name as it transitioned to its new home at the Electronic Frontier Foundation (EFF), a group specialising in the law, security and technology.

WordPress has now announced that it has joined the program, offering the green lock symbol everyone loves to see when travelling through the internet, with any custom domains (those that don’t have .wordpress.com in their address) now gaining the benefits of the free SSL certificate issued by the program automatically, with little to no effort on their owners’ behalf. You can find the steps to give your website access to HTTPS certificates here, giving everyone the benefit of free and reinforced security for their websites.

Not only is it free, but you get a more secure connection for minimal effort, something that has been hard to do for websites up until now. What is not to like about this program, especially for those with WordPress blogs?

iOS Lock Screen Bypass Vulnerability Fixed By Apple

Apple has reportedly fixed a security flaw in the iOS operating system that would allow attackers to be able to bypass passcode lock screens on iPhone 6S and 6S Plus that are running version 9.3.1 of iOS. The bypass would have allowed malicious parties to be able to access the address book and photos of a targeted device, which could expose a lot of private data.

German security firm, Evolution Security, were responsible for discovering the bypass, which takes advantage of the integration of Siri with apps such as Twitter or Facebook, as well as the new 3D Touch feature that is included only in the iPhone 6S and 6S Plus. Even while the device is locked, an attacker would be able to request information on @ tags from Twitter, Facebook, and Yahoo. From there, the 3D touch’s hard push feature can be used to bring up the context menu for a string such as an email address. This menu provides the ability to add the data to a contact in the phone’s address book and from there, by accessing the choice to change user pictures, the photo gallery can be launched.

According to the Washington Post, the vulnerability was patched by Apple on Tuesday without users needing to install a software update. Considering the high level of security on the iPhone that led to Apple’s protracted battle with the FBI, it is surprising that so much user data can be exposed by a flaw in the lock screen, which is often the first and last line of defense for the security of the data on the device.

39 Android Flaws Fixed in Major Security Patch

Google’s latest patch for their Android operating system is one of the biggest security patches ever released for the OS. This monthly security update covers 39 vulnerabilities that had been found, of which 15 were of the highest rating, critical, which means they could be used to lead to total compromise of a device. This patch is part of the latest firmware image for Android devices, rolled out to Nexus devices starting on Monday, with the update to be added to the Android Open Source Project during the next 24 hours.

One of the vulnerabilities that were included in this patch is one that Google was alerted to just two weeks ago, which has already been employed by a publicly available rooting application. With the tracking tag of CVE-2015-1805, this flaw was originally in the Linux kernel until April 2014, but until recently it wasn’t known that Android was also affected.

As many as nine critical remote code execution flaws were patched in Android’s media codec, media server, and Stagefright library. Of these, five were rated as high impact, including one privilege escalation vulnerability and four information disclosure issues. Critical flaws were also patched in the Android kernel, the Dynamic Host Configuration Protocol client, Qualcomm Performance module and the Qualcomm RF modules.

Aside from CVE-2015-1805’s use in a rooting application, there is no known exploitation of the other vulnerabilities fixed in this patch according to a security advisory from Google. As a result of the large number of high-impact and critical flaws fixed in this patch, it is highly recommended that any updates to Android 6 offered by manufacturers are installed before attacks that make use of them are released into the wild.

WhatsApp Turns on Encryption for All Platforms

In a move that is sure to rile the FBI, following the law enforcement agency’s feud with Apple over its refusal to unlock the iPhone of a suspect in the San Bernardino shooting, instant messaging app WhatsApp has added end-to-end encryption to every iteration of its software on every platform, providing added security to an additional one billion users.

“Building secure products actually makes for a safer world, (though) many people in law enforcement may not agree with that,” WhatsApp co-founder Brian Acton told WIRED.

“We’re somewhat lucky here in the United States, where we hope that the checks and balances hold out for many years to come and decades to come. But in a lot of countries you don’t have these checks and balances,” added Jan Koum, the second co-founder of the company. “The argument can be made: Maybe you want to trust the government, but you shouldn’t because you don’t know where things are going to go in the future.”

Mark Zuckerberg, Chief Executive of WhatsApp’s parent company Facebook, was a vocal supporter of Apple during its court struggle against the FBI. “We’re sympathetic with Apple,” Zuckerberg said during a technology conference in February. “I don’t think requiring back doors into encryption is either going to be an effective way to increase security or is really the right thing to do.”

TSA Spent $47,000 on a Random Lane Picker

Governments and companies often contract out work to help create apps and software to make systems. The problem is that the apps and software come at a price, and it would now seem that the TSA spent quite a bit on a random lane picker.

It’s being reported that the TSA spent $47,400 on a piece of software that would help TSA staff pick lanes to separate and ease up congestion at airport terminals.

The information comes as part of a freedom of information request revealed by Kevin Burke, revealing a contract with IBM totaling $336,413.59. Included in this documentation was a document relating to “randomizer software”.

The deal could have included more than just the software, with the iPads and tablets used for the software possibly also included in the deal. People are hoping this is the case, with the software being considered entry-level programming. The app itself was a random number generator, assigning people to the right or left lane (1 or 2) at airport security.

It’s got to be embarrassing that such a simple piece of software would come at such a high cost, all while governments are being scrutinized for their spending, higher taxes and budget cuts. The app is no longer in use, with the process of being randomly allocated lanes also being removed from their processes.

Executives Feel Like Cyber-Security is Just an IT Problem

Cyber-security is a big issue, with people and companies finding out the hard way that their security is exposed when it turns up online for sale or they receive phone calls advertising features with details they never hand out. With big companies like TalkTalk and even the government being victims of hacks, people are acting more and more with security at the forefront of their minds. This may soon change, though, as a survey of executives found they felt like cyber-security is just an “IT problem”.

The survey questioned 1,530 C-level executives, that is, anyone whose job title contains “chief” or another word beginning with C. This illusion of responsibility, one which often ends up landing with executives, comes as companies spent 25% more on information security in 2015 compared to 2014.

The survey, conducted on companies that were deemed “vulnerable”, resulted in 91 percent of the executives saying that they couldn’t interpret a cybersecurity report, with 40 percent of those responding admitting that they didn’t even feel responsible for cyber-security.

These figures are certainly more than a little scary, with company executives feeling like they aren’t responsible on every level for protecting your information or even being aware of the threats and dangers that they encounter. In a day and age where you are more likely to be attacked via the internet and your computer systems than on a street, it is the responsibility of everyone, especially those in power, to make sure that they uphold their legal responsibilities, even if that comes at the cost of a week’s crash course in cyber-security.

The FBI Are Already Helping Others Unlock iPhones

In the recent Apple vs the FBI case, the concern was raised about what would happen if the FBI managed to get Apple to unlock the device. People were worried that this one high-profile phone could open the floodgates to requests to unlock the hundreds of iPhones that are in police custody. Initially, we were told that this wouldn’t be the case but as events unfolded this clarification seemed to fade away and we were left with the answer we had expected from the start, an answer that seems to be confirmed by the FBI already helping others unlock iPhones.

In a letter to local authorities, the FBI promise that “we are in this together” and that they would help local authorities unlock iPhones and even iPods where they can legally. In fact, they already have: in a case for Arkansas prosecutors, the FBI have already agreed to unlock both an iPhone and an iPod.

It doesn’t stop there: according to the Washington Post, the FBI are looking at whether it would be possible to share the tool with local law enforcement. With the firm that helped the FBI create the tool charging only a one-time flat fee, the FBI could offer the tool as long as it retains its classified status, an issue which has already hampered and raised issues with devices such as the Stingray.

The full letter can be found below courtesy of Buzzfeed:

Since recovering an iPhone from one of the San Bernardino shooters on December 3, 2015, the FBI sought methods to gain access to the data stored on it. As the FBI continued to conduct its own research, and as a result of the worldwide publicity and attention generated by the litigation with Apple, others outside the U.S. government continued to contact the U.S. government offering avenues of possible research. In mid-March, an outside party demonstrated to the FBI a possible method for unlocking the iPhone. That method for unlocking that specific iPhone proved successful.

We know that the absence of lawful, critical investigative tools due to the “Going Dark” problem is a substantial state and local law enforcement challenge that you face daily. As has been our longstanding policy, the FBI will of course consider any tool that might be helpful to our partners. Please know that we will continue to do everything we can to help you consistent with our legal and policy constraints. You have our commitment that we will maintain an open dialogue with you. We are in this together.

Kerry Sleeper
Assistant Director
Office of Partner Engagement
FBI

Egypt Blocks Facebook’s Internet Service After Being Denied The Ability To Spy On Users

Facebook have been keen on allowing countries access to Free Basics, their low-cost internet system designed to give people the ability to create a Facebook account and access a limited number of sites at no cost. Free internet sounds great, doesn’t it? Some countries don’t believe so, with India already banning the platform and the system being suspended within Egypt, over what now seems to be because the government was denied the ability to spy on users.

The Free Basics platform in Egypt was suspended officially on December 30th, 2015, with sources now stating the reason for the suspension was that Facebook wouldn’t allow the government to circumvent the system’s security, thereby allowing surveillance to be conducted on users of the platform. Etisalat, the mobile carrier that provided the service when it started in October 2015, hasn’t responded to requests for comment, Facebook has declined to comment, and the Egyptian government has declined to say what kind of surveillance or changes it wanted made to the service.

Officially the line given is that the service was considered “harmful to companies and their competitors”, a tale that, while believable, may as well be an April Fools’ joke to cover what can only be considered a request to invade and monitor everyone’s internet access. With limited access already and concerns about net neutrality for the scheme, if it was found to provide monitoring and tracking, the “free” basics program would almost certainly see countries drop the system.

Suspect In The UK Told To Decrypt His Devices For The US

Apple vs the FBI may be over, but that doesn’t mean the question about decryption and the law is over. In the most recent case to catch our ears, a suspect from the UK is being asked to decrypt his devices for the US authorities.

Lauri Love is a British computer scientist who is a suspect in the breach of US government networks, which is claimed to have caused “millions of dollars in damage”. After being initially arrested in 2013, and then released, Love was re-arrested back in 2015 and is facing extradition to the US for the suspected crime. While he has not been charged with any crimes, Love has been asked as part of a Section 49 RIPA notice (doesn’t sound that bad, does it?) to decrypt his devices by providing the authorities with the passwords and keys required to unlock them.

With his devices confiscated, something that Love is now fighting in a counter-suit in civil court, the authorities want to access the data on his devices, which include a Samsung laptop, a Fujitsu Siemens laptop, a Compaq computer tower, an SD card and a Western Digital hard drive. Alongside this, the National Crime Authority, the UK branch that has demanded the devices be decrypted, is interested in files located on the SD card and external drive that are encrypted using TrueCrypt.

What is most worrying is that if Love was to provide the keys, and this evidence is used against him in the US, then it would breach his Fifth Amendment rights within the US. The Fifth Amendment can be described as allowing someone to refuse to present evidence against themselves, meaning that you can’t be forced to prove your guilt, by unlocking a computer for example.

In his argument, Love states that “the NCA are effectively arguing that any information that cannot be read and comprehended by the police has a presumption of guilt”. It is an argument that, if extended to other circumstances, could be seen as worrying for any groups that share information and protect journalists, whistleblowers and anyone within the legal profession.

Apple Vs The FBI is Over!

The legal case of the year is over already. Apple vs the FBI, a court case that saw the question of security vs privacy raised on a national, and even global, level, is over. After cancelling a court hearing with Apple, the FBI have officially closed the court case.

It would seem that even without Apple’s assistance, the FBI claim to have managed to break into and access the data required on the iPhone in question. In their response, the FBI stated that the new hack was “sufficiently plausible” to a point where they could stop pursuing Apple’s assistance.

Currently, there is no information about who performed the hack or how many iPhones the hack works against. With so little information about the hack, it’s hard to tell if the court case could reemerge in the future with over a hundred phones in government control still locked.

In their response, the Department of Justice reminded us that they would continue to gather information from encrypted devices, saying that “It remains a priority for the government to ensure that law enforcement can obtain crucial digital information to protect national security and public safety”. There is also a small reminder that this will happen with or without help: “either with cooperation from relevant parties or through the court system”.

Petya – The Ransomware That Deletes Your Master Boot Record

Ransomware is getting nastier and nastier. Initially just an attempt to turn malicious software (malware) into something that is financially rewarding, ransomware works by encrypting your files and asking that you pay the attackers (normally in bitcoins) in order to get the keys required to decrypt the files. The latest one looks to make it even harder for you to bypass it by deleting master boot records on infected computers.

Named Petya, the new ransomware overwrites the master boot records of affected PCs, meaning that your computer, next time it’s turned on, doesn’t even know where to find the operating system, let alone load it. Trend Micro report that the ransomware seems to be hidden in emails that are advertising themselves as a job advert, with the email linking to a Dropbox folder. Within the folder is a self-extracting archive, apparently the applicant’s CV and photo, only once it is extracted the ransomware is installed.

The system is then tricked into a critical error, resulting in everyone’s favourite blue screen of death. During reboot, the false master boot record (MBR) that was put in place by Petya will encrypt the master file table, which is the record of every file on your system, its location, and where and how to get to it. By encrypting this file, the ransomware doesn’t need to go near the actual files, as any operating system will be unable to find them. Encrypting one file instead of hundreds reduces the time needed, meaning that people are often left with no choice but to pay the 0.99BTC (£296 roughly) fee that is requested.

With ransomware getting even more aggressive in its tactics, it’s all the more important to ensure you check emails when you receive them and keep your anti-virus and anti-malware software up to date.

Ever Wondered What’s In Google’s Data Centres?

Google is known for a lot of things, but the company was built on data: the storage and searching of information from all over the internet. Typically these things are locked behind closed doors, but Google wants to show it all through an eight-minute video tour showing you everything you need to see in Google’s Data Centres.

First off you need security clearance, as even for Google employees the sites are normally locked down. Next comes a small interview regarding all the different bits and systems that help ensure a 24-7 service. Stepping into the actual data centre requires more than just a pass, as you need to get through a circle door locked by an iris scanner as part of the dual authentication.

Through the entire video, you can see how large a data centre is, even though it gives you just a small glimpse of the building. In an interview with Virginia, one of the people responsible for the network, it’s revealed that a single building can support up to 75,000 machines while transmitting over a petabit of data per second.

They even go into detail about how data and drives are removed from the system. First, the drives are wiped only to then be placed in what is essentially a wood chipper designed just for hard drives.

Take the tour in the video below and see for yourself just how big a company Google is and how many steps it takes to protect both companies’ and customers’ data. Be warned though, the video is a bit of an advert for Google’s cloud platform, so it may be a little cheesy at times.

Uber Accused of Skipping Out of Paying Bug Bounties

With all the apps and systems that are used, created and updated every day, it is often impossible for you to be absolutely certain about their security. This resulted in the creation of external help through schemes like bug bounties, unless you’re Uber, who change the scope of what bug bounties they’ll be paying.

Bug bounty schemes are simple. If you find a problem in the code or system that a company uses, you report it to the company running the scheme and if they find it was a problem, you get paid. Even Microsoft and GitHub run schemes to help narrow down and find problems with their software. The issue here is that only this week popular taxi alternative app Uber launched its own bug bounty scheme.

Sean Melia found a few issues, or rather a few admin panels/ports that were open. This fell in line with what Uber wanted under the grouping of “publicly accessible login panels” and “exposed administration ports (excluding OneLogin)”. After reporting the first issue, which was quickly accepted as a bug, Melia went about finding others, resulting in the large group he ended up reporting. The problem was that by this time Uber had updated their documentation to make these reports invalid, without informing people using the scheme. Free security support anyone?

The reason for the change? Uber’s security engineering manager, Collin Greene, has stated they changed the rules so that they stopped researchers wasting their time on minor bugs. Greene then stated that “a successful bug bounty rests on researchers trusting us to run it well, which we take very seriously”, something that may not go down so well when you are willing to change the goalposts without telling people.

Was Uber right in this case? Should they have acted differently? A problem’s a problem; even with a lesser payment, should Melia have received something given that he did the work under the old rules?

Ethical Hacker Site Has Been Caught Spreading Ransomware

Security isn’t as black and white as people think; sometimes people do the bad things for the right reasons. This is the area that ethical hackers deal with, testing websites by employing the same techniques as those who want to cause harm or profit from your information illegally. Imagine the surprise then when a site used to support these ethical hackers was caught spreading ransomware this week.

Ransomware is a particularly nasty version of malware (malicious software) that works by encrypting your data, meaning you either pay the fee they want or potentially lose access to your data forever. Recently it’s affected several hospitals and even the FBI say you should just pay.

EC-Council is responsible for administering the ethical hacker program, a system by which people can become trained and certified that their hacks are for legitimate and protective reasons, rather than malicious and illegal.

The site started spreading TeslaCrypt on Monday and seems to be targeting specific people. Only those who visit the site using Internet Explorer, and only when they are redirected from a search engine, are affected. If this didn’t cause enough trouble, the hack also seems to use people’s IP addresses to determine their geographic location, meaning it targets a narrow group of people and makes its behavior seem more erratic, and thus harder to track and fix.

The ransomware requests 1.5 bitcoins (around £442). The redirect exploit that allowed it to be installed was published by FOX News on Thursday after attempts to alert them privately yielded no responses.

Ethical hacking is a difficult business, with some companies considering you more foe than friend, but the help they provide stops issues like this (ironically) from happening.

Former CIA Director Thinks EU “Gets in the Way” of Security Services

Security is a big issue with companies and governments alike having issues raised when it comes to people’s data. With the UK soon to take part in a referendum, the EU is at the heart of debates about security, both digital and physical. It would seem that some think the EU doesn’t quite help security services.

Retired General Michael Hayden, former director of the CIA, seems to think that the EU wasn’t “a natural contributor to national security”. The EU proposed late last year a set of guidelines for its member countries to follow in cybersecurity. With specialist teams designed to help track and address issues, countries would be expected to share information and help each other learn about the new threat that can be found in the digital world.

Digital security became a big topic when Edward Snowden revealed the extent to which the US government (and other governments around the world, including the UK) monitored and tracked people’s information. Europe is currently debating what the new data sharing policy it has with the US should look like, a decision that will change how much information both Europe and America will be allowed to store, save and access.

Mr. De Backer of the Belgian Group of the Alliance of Liberals and Democrats for Europe has stated that members of the EU need to forget the “old concept of sovereignty” and understand that sharing information and pooling resources could only be beneficial to security services, something that is all too true for global systems like the internet.