# Infosec

Another list of recent news items about computer security, privacy, and surveillance.

Among the approved targets of the NSA surveillance site – code-named TITANPOINTE – were the International Monetary Fund, the World Bank, the Bank of Japan, the European Union, the United Nations, and at least 38 different countries, including U.S. allies such as Italy, Japan, Brazil, France, Germany, Greece, Mexico, and Cyprus.
theintercept.com/2016/11/16/the-nsas-spy-hub-in-new-york-hidden-in-plain-sight/

Malware on a compromised computer can remotely reconfigure the audio hardware so that the headphone output jack is re-tasked as a microphone input; any headphones plugged in then work as a microphone, turning them into an eavesdropping device.
www.engadget.com/2016/11/23/hijacked-headphones-could-be-used-to-listen-in-on-your-life/

These Are The 48 Organizations That Now Have Access To Every Brit’s Browsing History.
www.zerohedge.com/news/2016-11-26/these-are-48-organizations-now-have-access-every-brits-browsing-history

Law enforcement agencies are dramatically increasing their use of Opal card public transport data to track the movements of people in New South Wales, with approvals for data more than doubling this year. Police can be handed the information of “collateral cardholders”, or people who are not suspects, when their person of interest’s identity is unknown.
www.theguardian.com/world/2016/dec/02/steep-rise-police-requests-opal-data-nsw-public-transport

“If you have nothing to hide, what do you really have, aside from the panoptic attention of a state, which itself keeps secrets?” – William Gibson
www.nytimes.com/2016/12/06/opinion/the-future-of-privacy.html

To spy on a telephone, all that was required was that the aircraft be cruising at an altitude above 10,000 feet. Secret ground stations could intercept the signal as it transited through a satellite. The simple fact that the telephone was switched on was enough to give away its position.
theintercept.com/2016/12/07/american-and-british-spy-agencies-targeted-in-flight-mobile-phone-use/

Federal Government departments that are not currently permitted to access the metadata of Australians have attempted to work around the restrictions established in last year’s Data Retention Bill by asking the Australian Federal Police to run the searches for them.
www.abc.net.au/news/2016-10-04/government-departments-obtain-metadata-via-afp/7898648

Amazon won’t say if Echo has been wiretapped. Echo is an always-on device, which, when activated, can return search queries, as well as read audiobooks and report sports, traffic, and weather. It can even control smart home devices. The company is said to have sold three million Amazon Echo speakers. The FBI neither confirmed nor denied whether it tapped the Echo.
www.zdnet.com/article/alexa-have-you-been-wiretapped-by-the-fbi/

If you are referred for a secondary inspection at the U.S. border, your right to privacy is essentially moot. Either a CBP officer or an Immigration and Customs Enforcement (ICE) special agent will likely question you and may inspect your possessions. This can mean anything from a quick look through your bags to copying and detaining your electronic devices; it is up to the agent and his or her supervisor, not due process.
motherboard.vice.com/en_us/article/qkvmvq/you-have-no-right-to-electronic-privacy-when-you-cross-the-us-border

When it comes to breaking into phones, it’s tougher to access devices that aren’t as popular as iPhones or Samsungs, according to investigators. Most forensics technology developers don’t waste their time trying to find design flaws in off-brand phones.
www.csmonitor.com/World/Passcode/2017/0202/Hunting-for-evidence-Secret-Service-unlocks-phone-data-with-force-or-finesse

“Bulk collection kills people,” says Bill Binney, a former NSA analyst. “You collect everything, dump it on the analyst, and they can’t see the threat coming, can’t stop it”.
theintercept.com/2017/02/10/former-cia-analyst-sues-defense-department-to-vindicate-nsa-whistleblowers/

A US-born NASA scientist, Sidd Bikkannavar, was detained at the border until he unlocked his phone. Bikkannavar did not want to hand over the device, because it was given to him by JPL and is technically NASA property. “I told him I’m not really allowed to give the passcode; I have to protect access. But he insisted they had the authority to search it.”
www.theverge.com/2017/2/12/14583124/nasa-sidd-bikkannavar-detained-cbp-phone-search-trump-travel-ban

Once border agents have your password, we have to wonder what they do with it. Where do they keep it, how secure is it, and how long can they hang on to it? The answer to the last question is: probably indefinitely.
www.engadget.com/2017/03/03/the-border-patrol-can-take-your-password-now-what/

Australia’s attorney general, George Brandis, appears to have granted the country’s domestic spy agency access to journalists’ metadata in a small number of cases, the agency’s head has revealed.
www.theguardian.com/australia-news/2017/feb/28/asio-spy-agency-access-to-journalists-phone-web-records-metadata

GCHQ, the UK signals intelligence agency, conducts bulk interception by tapping undersea fibre optic cables landing in the UK. The US and UK governments have a long-standing arrangement to share intelligence, particularly signals intelligence, with each other, as well as with Australia, Canada and New Zealand (the “Five Eyes” alliance).
medium.com/privacy-international/how-bulk-interception-works-d645440ff6bd

While it’s not true that all Internet traffic flows through the US, the addition of a few listening posts at key Internet exchanges in Europe (London, Paris) and some in Asia (Hong Kong, Tokyo) ensures that the NSA and its Five Eyes partners can ingest and analyse the majority of international Internet traffic.
arstechnica.co.uk/information-technology/2017/03/internet-surveillance-map-nsa-gchq/

Australia is collecting more metadata per capita and issuing more warrants to intercept communications than the U.S., UK and Canada.
www.huffingtonpost.com.au/2016/10/02/australia-collects-more-metadata-intercepts-more-calls-than-u-s_a_21479871/

Certain generations are more amenable to government snooping than others. Among millennials (ages 18-34), 20 percent would rather the government see the contents of their phone than their significant other, compared to only 8 percent of adults aged 35 and older.
blog.radware.com/security/2017/04/millennial-government-privacy-harris-poll/

The NSA harvests data from major Internet companies like Facebook, Google and Apple without a warrant, because it is ostensibly “targeting” only foreigners. But the surveillance program sweeps up a large number of Americans’ communications as well.
theintercept.com/2017/04/21/in-secret-court-hearing-lawyer-objected-to-fbi-sifting-through-nsa-data-like-it-was-google/

An investigator with the Australian Federal Police sought and acquired the call records of a journalist without a warrant. No disciplinary action has been taken against the investigator behind the breach, with Commissioner Colvin saying he did not believe there was any “ill will or bad intent”.
www.abc.net.au/news/2017-04-28/afp-officer-accessed-journalists-call-records-in-metadata-breach/8480804

UK law enforcement agencies may soon be able to remotely disable or restrict a mobile phone if it is suspected of being used for, or connected to, drug dealing, and in some cases regardless of whether a crime has actually been committed.
motherboard.vice.com/en_us/article/3dxzb9/uk-cops-can-now-remotely-disable-phones-even-if-no-crime-has-been-committed

Since we cannot trust the government to behave responsibly, nor can we trust them with our information, the only thing we can do is change our behaviour. This is the antithesis of freedom. Nobody should feel that they cannot do something completely legal because the wrong person could gain access to their data.
leanpub.com/queerprivacy

“The laws of mathematics are very commendable, but the only law that applies in Australia is the law of Australia” – Australian Prime Minister Malcolm Turnbull announces war on encryption.
www.sbs.com.au/news/article/2017/07/14/australia-may-force-tech-companies-crack-encrypted-messages

Theresa May says there should be no “means of communication” which “we cannot read” — and no doubt many in her party will agree with her, politically. But if they understood the technology, they would be shocked to their boots. It’s impossible to overstate how bonkers the idea of sabotaging cryptography is to people who understand information security.
boingboing.net/2017/06/04/theresa-may-king-canute.html

The lovely catch 22 of living in the age of mass surveillance is that the NSA isn’t even sure when it’s illegally spying on you. To determine whether its activities are illegal, the NSA would have to conduct additional, also illegal surveillance. And so Americans are being illegally spied on, but no one knows how often this happens, why it happens, or how it happens.
motherboard.vice.com/en_us/article/wjqj5m/the-nsa-says-it-has-to-spy-on-you-to-find-out-if-its-spying-on-you

The Australian State of Queensland wants the power to force citizens to unlock their devices during a declared terrorist emergency. The bill also seeks to silence citizens who’ve had their phone searched. Part of the justification is that people might have taken photos or videos of a terrorist incident, which they then post to social media, and these might help identify an attacker. Refusal to unlock and hand over phones and/or laptops would be punishable by up to a year in prison.
www.theregister.co.uk/2017/06/26/queensland_police_want_access_to_unlocked_phones_laptops/

When made aware of online surveillance by the government, noteworthy percentages of respondents were less likely to speak or write about certain things online, less likely to share personally created content, less likely to engage with social media, and more cautious in their internet speech or search. In other words, there was a clear chilling effect.
www.slate.com/articles/technology/future_tense/2017/07/women_young_people_experience_the_chilling_effects_of_surveillance_at_higher.html

The NSA uses the term “traffic shaping” to describe any technical means that deliberately reroutes Internet traffic to a location that is better suited, operationally, to surveillance. Since it is hard to intercept Yemen’s international communications from inside Yemen itself, the agency might try to “shape” the traffic so that it passes through communications cables located on friendlier territory.
www.schneier.com/blog/archives/2017/07/more_on_the_nsa_2.html
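The excerpt defines traffic shaping only as “any technical means” of rerouting traffic somewhere more convenient to intercept, without saying which means. The script below is an added example, not code from the Schneier post or from the NSA document it discusses, and it assumes one such means: Internet routers forward on the longest matching prefix, so a network that gets its neighbours to accept a more-specific announcement for part of a target’s address block pulls that part of the traffic onto its own path. The prefixes, paths, AS numbers and the single ROA are constructed for the example (203.0.113.0/24 is RFC 5737 documentation space); the `origin_valid` check is a simplified ROA-style validation, the control a transit network would apply to refuse the injected route.

```python
"""Added example: rerouting traffic by announcing a more-specific route, and
the ROA-style origin check that rejects the injection. All prefixes, next hops,
AS numbers and the ROA below are constructed for this example."""
import ipaddress


class RoutingTable:
    """Minimal forwarding table with longest-prefix-match lookup."""

    def __init__(self):
        self.routes = []  # (network, next_hop, origin_as)

    def announce(self, prefix, next_hop, origin_as):
        self.routes.append((ipaddress.ip_network(prefix), next_hop, origin_as))

    def lookup(self, addr):
        ip = ipaddress.ip_address(addr)
        matches = [r for r in self.routes if ip in r[0]]
        if not matches:
            return None
        # The most specific prefix wins, no matter who announced it.
        return max(matches, key=lambda r: r[0].prefixlen)[1]


# Route Origin Authorisations: (covered prefix, maxLength, authorised origin AS).
# A real operator publishes these through the RPKI; this one entry is assumed.
ROAS = [(ipaddress.ip_network("203.0.113.0/24"), 24, 64500)]


def origin_valid(prefix, origin_as, roas=ROAS):
    """An announcement is valid if a ROA covers it for the same origin AS and
    the announced prefix is no more specific than that ROA's maxLength."""
    net = ipaddress.ip_network(prefix)
    return any(
        net.subnet_of(covered) and net.prefixlen <= max_len and origin_as == asn
        for covered, max_len, asn in roas
    )


def legitimate_table():
    """The target country's /24, announced by its own network (AS64500, assumed)."""
    table = RoutingTable()
    table.announce("203.0.113.0/24", "direct-cable-to-target", 64500)
    return table


def shape(table, validate=False):
    """A neighbouring network (AS64501, assumed) injects a /25 covering half of
    the block. Without validation the injection is accepted and traffic for that
    half now takes the interceptor's path; with validation it is dropped."""
    prefix, hop, asn = "203.0.113.128/25", "cable-via-friendly-territory", 64501
    if validate and not origin_valid(prefix, asn):
        return False
    table.announce(prefix, hop, asn)
    return True


if __name__ == "__main__":
    t = legitimate_table()
    print("before:", t.lookup("203.0.113.200"))       # direct-cable-to-target
    shape(t)
    print("after: ", t.lookup("203.0.113.200"))       # cable-via-friendly-territory
    print("other half:", t.lookup("203.0.113.10"))    # direct-cable-to-target
    v = legitimate_table()
    print("accepted with ROA validation?", shape(v, validate=True))  # False
```

The point of the `maxLength` field is visible in the last call: even if the interceptor spoofed the legitimate origin AS, a /25 is more specific than the ROA allows, so a validating neighbour would still refuse it.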

It’s a huge strain on the resources of telecommunications companies to keep your metadata safe from hackers. Can we trust them to be competent? Let’s hope so. Given how many inferences about someone’s personal life can be drawn from their communications metadata, you’d hope it was being kept safe from prying eyes. Recent IT security breaches on a national scale raise pertinent questions about whether or not this is the case.
www.vice.com/en_au/article/mba7px/metadata-retention-sounds-boring-but-is-terrifying
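To make the “inferences from metadata” point concrete, here is an added example (not from the Vice article) that profiles one subscriber from nothing but call detail records: caller, callee, start time and duration, the fields a retention scheme keeps, with no call content. The records, phone numbers and the directory of known endpoints are all constructed for the example; the weekly-pattern and late-night heuristics are simple choices made here to show the kind of inference that is possible, not a published analysis method.

```python
"""Added example: what call metadata alone reveals about a person.
All numbers, records and directory entries below are constructed."""
from collections import Counter, defaultdict
from datetime import datetime

# Constructed directory of publicly listed endpoints (assumption for the example).
KNOWN_ENDPOINTS = {
    "+61-2-5550-0100": "oncology clinic",
    "+61-2-5550-0200": "crisis support line",
    "+61-2-5550-0300": "divorce lawyer",
}

# Constructed call detail records: (caller, callee, start, duration in seconds).
CDRS = [
    ("+61-4-5550-0001", "+61-2-5550-0100", "2017-07-03T09:12:00", 310),
    ("+61-4-5550-0001", "+61-2-5550-0100", "2017-07-10T09:05:00", 280),
    ("+61-4-5550-0001", "+61-2-5550-0100", "2017-07-17T09:15:00", 420),
    ("+61-4-5550-0001", "+61-2-5550-0200", "2017-07-17T23:41:00", 1500),
    ("+61-4-5550-0001", "+61-4-5550-0002", "2017-07-18T07:30:00", 60),
    ("+61-4-5550-0002", "+61-4-5550-0001", "2017-07-18T19:02:00", 900),
    ("+61-4-5550-0001", "+61-4-5550-0002", "2017-07-19T22:10:00", 1800),
    ("+61-4-5550-0002", "+61-4-5550-0001", "2017-07-21T08:15:00", 120),
    ("+61-4-5550-0001", "+61-2-5550-0300", "2017-07-20T10:00:00", 1200),
]


def profile(subscriber, cdrs, directory):
    """Summarise who a subscriber talks to, and when, from metadata only."""
    contacts = Counter()
    call_times = defaultdict(list)
    for caller, callee, start, _duration in cdrs:
        if subscriber not in (caller, callee):
            continue
        other = callee if caller == subscriber else caller
        contacts[other] += 1
        call_times[other].append(datetime.fromisoformat(start))

    weekly = []
    late_night = []
    for number, times in call_times.items():
        times.sort()
        label = directory.get(number, number)
        # Three or more calls exactly a week apart at a similar hour look like a
        # standing appointment; for a labelled endpoint that is revealing.
        if len(times) >= 3 and all(
            (b.date() - a.date()).days == 7 and abs(b.hour - a.hour) <= 1
            for a, b in zip(times, times[1:])
        ):
            weekly.append(label)
        # Calls between 22:00 and 06:00 local time.
        late_night.extend(label for t in times if t.hour >= 22 or t.hour < 6)

    return {
        "top_contact": contacts.most_common(1)[0][0],
        "labelled": {n: directory[n] for n in contacts if n in directory},
        "weekly_appointments": weekly,
        "late_night_calls": sorted(set(late_night)),
    }


if __name__ == "__main__":
    for key, value in profile("+61-4-5550-0001", CDRS, KNOWN_ENDPOINTS).items():
        print(f"{key}: {value}")
```

Nine records with no content are enough to suggest a weekly clinic appointment, a late-night call to a crisis line the same evening, a lawyer three days later, and the one unlisted number the subscriber talks to most; a retention scheme holds two years of this per subscriber.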

Women should carefully consider the privacy and security tradeoffs before deciding to use any of these applications for Android and iOS which claim to help people keep track of their monthly cycle, know when they may be fertile, or track the status of their pregnancy.
www.eff.org/wp/pregnancy-panopticon

The Queensland Police have asked the Australian Parliament to give them the right to covertly install malicious software on your home devices in order to conduct mass surveillance during times of “national emergency”.
boingboing.net/2017/07/27/spies-in-the-toilet.html

The WannaCrypt exploits used in the recent cyberattack were drawn from the exploits stolen from the National Security Agency in the United States. This attack provides yet another example of why the stockpiling of vulnerabilities by governments is such a problem. This is an emerging pattern in 2017. We have seen vulnerabilities stored by the CIA show up on WikiLeaks, and now this vulnerability stolen from the NSA has affected customers around the world. Repeatedly, exploits in the hands of governments have leaked into the public domain and caused widespread damage. An equivalent scenario with conventional weapons would be the U.S. military having some of its Tomahawk missiles stolen.
blogs.microsoft.com/on-the-issues/2017/05/14/need-urgent-collective-action-keep-people-safe-online-lessons-last-weeks-cyberattack/