UK Government Changes Law Covering Digital Surveillance

Edward Snowden exposed a world which some speculated, but few publically acknowledged. A world where every piece of information we send, be it through phone or computer, is monitored and recorded among thousands of others all searching for that one thing. The public has since been in an up cry about it, asking if it was even legal due to the severe invasion of privacy it entailed in order to do the most basic monitoring without legally requesting permission from a judge. From the use of the stingrays to intercept mobile communication, to the ruling stating that the mass collection of phone data in America was illegal, the law and digital monitoring has been at heads for a while now. The UK government has a simple answer, change the law.

GCHQ is the UK government’s digital branch in charge of monitoring electronic communications. It would seem that the Computer Misuse Act, one of the biggest pieces of legislation regarding hacking and the legality of using computers to access networks, was quietly rewritten on the 3rd of March 2015. The change in the legislation would essentially make the intelligence services exempt from legal action regarding hacking because they would be exempt from the legal areas outlining what is legal hacking.

Several large companies, including internet and communication services, filed complaints back in 2014 stating that the GCHQ’s activities would be considered unlawful under the Computer Misuse Act and that there was no legal authority that could be used to make their practices in line with the law.  This is a problem, especially given that hacking is an invasion of privacy, something considered a fundamental human right.

The legislation involved is called the Serious Crime Bill 2015, and came into effect on the 3rd May 2015, only two months after it was quietly passed amongst government groups without any public consultation. So not only does GCHQ now have the ability to hack people, they are practically immune to legal action regarding this (even though they have been found to be in breach of several sections of Law), this also means however that all current cases against GCHQ would be rendered null given that they now covered under a separate law. Also given that the code has not be subject to parliamentary process such as debates or discussions the changes have effectively rendered their illegal practises legal and their control over hacking (even those who have not been found as a threat to national security or suspected in a crime) exempt from legal process in what is turning out to be the biggest threat to the rights and laws of the 21st Century.

What do you think of this? I will refrain from commenting for fear that this post will be intercepted and my communications monitored. Personally, I really dislike that they have done this.

Thank you Privacy International for providing us with this information.

Image Courtesy of Reuters.

BadUSB Security Flaw and What It Means

You might have heard the term BadUSB in the news sometime during the last couple of months, but it’s still not widely known. We first saw the presentation of the security flaw by Karsten Nohl during the Black Hat conference this year. While scary, it didn’t have the big impact they had hoped. Nohl decided to not release the code or anything specific on how it worked in the interest of safety. The intention behind that was to give the industry time to come up with a fix before the flaw would be widely abused by criminals.

When such a secret is known to exist, one that can have such severe consequences, people will investigate and reverse engineer it. And that is just what has happened. Two people took it upon themselves to find out just how easy this was to do and how much you actually can do with it. Security researchers Adam Caudil and Brandon Wilson presented their findings at the recent DerbyCon conference in Louisville, Kentucky.

So what is BadUSB actually. It is a dangerous USB security flaw that allows an attacker to turn a simple device such as a cheap of the shelve USB stick into almost anything. Mentioned functions are network controllers and keyboards among others. This wouldn’t just allow an attacker direct access to your system, but in theory your entire network including out of the house connections.

The really bad part about this, and the reason why Nohl didn’t release his findings to the public, these problems can’t be patched. This is a flaw and not an exploit and it works by using the very way USB is designed, to be a universal connection for anything. Since there had been complete silence from the industry about the issue since Nohl presented his findings, Caudil and Wilson decided to make everything publicly available via GitHUB. So the code is out there now, for everyone to study and use/abuse.

During the DerbyCon presentation the two showcased how they could turn a USB stick into an automated keyboard, sending keystrokes to the system as soon as it is connected. They could also completely hide partitions on the drive and turn the password protections into nothing more than a facade.

The first demonstration showcased the programmable keyboard, basically just rubber ducking. When the hacked USB thumb drive is put into their laptop, it launches a notepad and starts to send characters. In the demo it is Bart Simpson that reminds you to lock your computer when you leave your workstation.

In the second demonstration they showed how data can be hidden on the device. When the drive is plugged in you see the normal active partition with its files and folders. You can format the drive, look at it with forensic tools or whatever you can throw at it. It will not reveal anything more. That is until you eject the drive, and only then. A few seconds after you eject the drive it will come back with the second and completely hidden partition. Eject or unplug the drive again and it turns back to the public partition. This is a very effective way to hide and protect files.

The final demonstration showcases the mode 7 exploit for thumb drives, well it should have. They were pressed for time and the demo failed. Most people only know and use mode 3 that gives you a single normal partition. Mode 7 on the other hand provides you with a public and a secure partition which is protected by a user-set password. While the demonstration failed, we still got an explanation on how it works. You can turn this protection into nothing more than a facade by modifying a few bytes of the drives firmware. It will then allow you to unlock it with any eight characters you give it.

There is no defence against this, but it is possible to detect it. So you can sit and watch it happen or panic and unplug the drive. Windows can detect when a device disappears and comes back as something completely different. This doesn’t effect all demonstrations though, as the programmable keyboard doesn’t show up as HID device but only as composite storage device. So effectively there is no defence. Basically you’re dealing with a tiny computer that has full control over what happens on your USB port. It can lie to you, tell you whatever it wants and do whatever it wants.

The only way block this is by inventing a new USB standard, one that has at least some form security and validation built-in. We have to keep in mind that the thumb drives used are over the counter drives that cost about £6.00. Cheap enough to buy a bunch and just drop them around the city and public transportation; see what happens. Just wait, someone is sure to pick it up and take it home. Strategic drops could also make this an effective way of penetrating otherwise secure systems.

There are a few basic steps you can take to decrease the chance of something like this happening to you:

  • Don’t pick up thumb drives you find. If you want to be nice you should actually pick it up, but throw it in the nearest trashcan.
  • Only buy sticks from well-known brands and vendors. Don’t be tempted by cheap knock-off brands
  • Don’t lend out your sticks to people you don’t fully trust and don’t use foreign sticks in your systems from people you don’t trust. Preferable don’t even use them if you trust people. They might not know the drive is “bad”.
  • Keep your security software updated. While it might not be able to detect the flaw, it will at the very least be able to catch malware being installed.

[youtube width=”740″ height=”500″][/youtube]

Thank you Adrian Crenshaw providing us with these information