Category Archives: Privacy

Hackers Fool iPhone FaceID for $150

It usually doesn’t take very long.  Whether it is fooling the fingerprint reader or jailbreaking an iPhone, it often comes within hours of a new device or software release.  Maybe, in this case, it says that Apple did good because it took a week to break Face ID.

On the other hand, it only took about $150 to do it.

Wired spent thousands trying to create 3D masks and were unable to fool it, but some hackers in Vietnam did it on a budget.

In Apple’s defense, they did have to spend about 5 minutes videoing the subject to get good data, but if you are going after a politician or a celebrity, getting 5 minutes of HiDef video will not be a problem.

The first thing they did is take the video and make a 3D printed frame for the attack.

Next they added a silicone nose.

Finally, they 2D printed (like on a piece of paper) the user’s eyes and attached them to the mask.

In the demo, when they uncovered the mask, the iPhone X unlocked.

So much for security on your $1,000 phone.

Probably, for the average person, the level of security FaceID provides is adequate.

But remember, the iPhone X is a status symbol, not a phone.  The people who are going to buy them are business executives on expense accounts and politicians using other people’s money.  Those are great targets for the bad guys and worth, for sure, spending $150 to compromise their phone.

In fairness to Apple, the researchers have not revealed enough details to enable people to recreate this.

In fairness to the researchers, they have presented previous hacks of Lenovo and Toshiba facial recognition at Black Hat.

So, depending on your level of concern regarding the security of your phone, a good old password is likely best.  Make it reasonably long and avoid the glitz.

For the billionaires who buy an iPhone X, you might want to reconsider your proclivity for convenience over security and steer clear of FaceID.

Your call.

Information for this post came from Wired.


Between Snowden and Shadow Broker, NSA has a Problem

The NSA hasn’t had a great few years.  And it isn’t getting any better.

First it was Snowden and dumping documents on seemingly a weekly basis.  There were two schools of thought regarding Snowden.  Some said he was a hero for disclosing illegal government actions.  Others said that he was a traitor for disclosing national security secrets.  The leaks seem to have stopped at this point.  For now!

There are a couple of important distinctions about Snowden.  First, we know who he is and where he is.  Second, he disclosed documentation.  Directions.  Information.

The second major breach is the Shadow Brokers.  Where Snowden leaked documents, Shadow Brokers leaked tools.  Going back to those distinctions, we do not know WHO the Shadow Brokers are or WHERE they are.  These tools are now available on the open market and while some of the flaws these tools exploited have been patched, it doesn’t mean that people have applied those patches.  Remember the WannaCry infection that cost Fedex $300 million and Merck $600 million – so far?  Yup.  One of those tools that was released.  And for which there were patches issued but not applied.  And that was only ONE of the tools.

The New York Times ran a great article on the issue yesterday (see link below) that talks about how these breaches have affected the NSA (and the CIA with its own leaks).

The problem is that with so many employees and contractors, and the ease with which someone can sneak out a gigabyte of data on a device the size of your finger tip, it is a hard problem.

So they have been conducting witch hunts.  Given that they don’t know who or how many bad guys there are, they really don’t have much of a choice, but that certainly doesn’t improve morale.

One of the guys the Times interviewed for the article was a former TAO operative.  TAO is the NSA’s most elite group of hackers.  He said that Shadow Broker had details that even most of his fellow NSA employees didn’t have, so exactly how big is this leak anyway?  And is the leaker still there?  Is the leaker an insider?  Or have the Ruskies totally penetrated the NSA?

And, of course, the NSA has to start over finding new bugs in systems since the vendors have, in many cases, patched the bugs that the NSA tools used.  Then we have that NSA developer in Vietnam who took homework and ultimately fed it to the Ruskies – not on purpose, but the effect is the same.

It just hasn’t been a good couple of years for the NSA or the intelligence community.  On the other hand, as we hear more about the hacking of the elections last year, the Russians seem to be doing pretty well.

One last thought before I wrap this up.

The government, many years ago, decided that OFFENSIVE security was much more important than DEFENSIVE security.  This is why the NSA hoards security vulnerabilities instead of telling the vendors to fix them.  Maybe that is an idea that needs to change.  It certainly does not seem to be working out very well for American citizens and businesses.

Until that happens, you are pretty much on your own.  Just sayin’.

Information for this post came from a great article in the New York Times.


Trouble in Paradise

A couple of weeks ago I wrote about yet another breach at a law firm.  This time the firm was Appleby, a law firm based in Bermuda and home to the rich and famous – especially those that are looking for tax shelters and the like.  Most of these tax shelters are legal but the optics of using them are terrible.  Many of the rich and famous don’t want the NOT rich and famous to know what they are doing.

So imagine what happens to a law firm (or any firm) that caters to those people and is hacked and threatened with disclosure.  They likely have some unhappy soon-to-be-ex-clients.

Well, at least some of the 13 million plus hacked documents are now public and they paint an unflattering picture.  Likely legal, but very unflattering.

The hack is being called the Paradise Papers.  In sheer size, it is the number two breach, only surpassed by the Panama Papers hack in 2016, which revealed 2.6 terabytes of data.  The Paradise Papers hack revealed 1.4 terabytes of data.

Among what was disclosed is:

  • Millions of Pounds from the Queen of England’s private estate has been invested in a Cayman Islands fund which makes questionable investments.
  • Extensive offshore dealings by Donald Trump’s cabinet members, advisors and donors, including substantial payments from a firm co-owned by Vladimir Putin’s son-in-law to the shipping group of US commerce secretary Wilbur Ross.
  • How Twitter and Facebook received hundreds of millions of dollars in investment that can be traced back to Russia.
  • The tax avoiding Cayman Islands Trust managed by the Canadian Prime Minister Justin Trudeau’s chief moneyman.
  • A previously unknown $450m offshore trust that has sheltered the wealth of Lord Ashcroft.
  • Aggressive tax avoidance by companies like Nike and Apple.

And on and on.

As I said, I assume that most of this is legal, but as people like President Trump and Prime Minister Theresa May have been talking about closing tax loopholes, the optics of this could not happen at a worse time.

According to reports, this does not appear to be state sponsored; just a hacker out to do a little “social justice”.

The message is that any business that stores sensitive information (and apparently the information stolen goes back 70 years) probably ought to look at how it is protecting that information and improve that security – unless it wants to be the next P papers – Pentagon Papers, Panama Papers, Paradise Papers ……..

I assume that there will be a large exodus of clients from this firm.

Information for this post came from The Guardian.


The Spy Among Us

Multiple sources are reporting a feature of iPhone apps that is a major privacy concern.  This is not new and it also is an issue on Android phones, but, for some reason, everyone seems to be highlighting the problem with iPhones.  PERHAPS that is because it is being exploited in the wild on iPhones – I don’t know.

The short version goes like this –

IF you EVER allow an app to access your phone’s cameras, you have lost control of it.  That app can access your camera – both front facing and rear facing – whenever it wants to.  It does not have to ask you to access the camera.

You are trusting that app not to abuse that trust.

Actually, it kind of depends on whether YOU installed the app or someone else installed it – with or without your knowledge.  For example, here are 5 spying apps that people intentionally install.  It may be a parent or a spouse, but it is likely not you who installed the app.  Sometimes parents want to track what their kids are doing.  Sometimes a spouse wants to spy on their significant other.

The app could upload the photos to the net and/or it could process the images – say to examine your facial images as you look at the screen.

One part of the problem is that there is no indication that the camera, front or back, is on.  As a side note, while there is a light on many PCs indicating the camera is running, that is a bit of software and the camera COULD be turned on without the light being on.

Apple (and Google) could change the camera rules and require the user to approve camera access every single time the camera wants to turn on – but that would be inconvenient.

One of my contacts at the FBI forwarded an alert about this today, so I suspect that this is being actively exploited.

The FBI gave a couple of suggestions –

  1. Only install apps from the official app store, not anyplace else.
  2. Don’t click on links in emails

In reality, the only recommendation that the FBI made that will actually work is this next one:

3. Place a piece of tape over the front and rear camera.

Ponder this thought –

The camera sits on your table in front of you;  it is in your bedroom, potentially capturing whatever you do there; it is in your bathroom. You get the idea.

Just in case you were not paranoid enough before.

Information for this post came from The Hacker News and The Register.


Who Owns Your Financial Data Anyway?

Consumers have been wrestling for years now about access to their personal data.  There are many non-bank financial products such as Mint and WalletGyde that help consumers manage their money, but it has always been a fight between the banks and these companies (of which there are at least hundreds, maybe more).  As a group, these companies are called FinTechs.

In Europe, the government said that consumers owned their data and even forced a standard on banks for sharing data with FinTechs that consumers wanted to share with.

In the U.S. there is no standard and up until now no requirement that banks allow you to be able to grant access to your own data.  This has led to FinTech companies having to ask you to trust them with your banking userid and password and those same companies having to scrape your data right off the screen.  About a year ago I got a message from Chase warning me that if I shared my password with a FinTech company (or anyone else), the bank was disavowing any responsibility for what happened.

This week that all changed.

The Consumer Financial Protection Bureau issued a long-awaited ruling on the subject.  Their answer:

CONSUMERS SHOULD HAVE ACCESS TO FINANCIAL DATA THAT IS TIMELY, ACCURATE AND SECURE ON WHATEVER TRUSTED THIRD-PARTY TOOL THEY CHOOSE TO USE.

This is a win for consumers who now will be able to have a more timely and secure method of sharing their data with third parties and it is a win for the FinTechs who have been fighting for this.  For the banks, it is not good news, but probably expected.  Banks are fighting for their survival.  Until say ten years ago, they were the king of the financial hill.  Now, they are just one player of many and when it comes to data aggregation, the banks aren’t really much of a player at all.  This is one more nail in that coffin.

Up until now the data sharing between banks and FinTechs has been a matter of one-off agreements between two parties such as:

  • Chase and Intuit have created a data interchange agreement
  • Wells and Xero have an agreement
  • Capital One and Xero have an agreement
  • And likely others that we have not heard about

The principles that the CFPB created include –

  1. Access – users can obtain information from a service provider and grant access to a third party
  2. Data Scope and Usability – The available data should include transaction and fee information and any other aspect of a consumer’s usage.
  3. Control and informed consent – Consumers can control their data sharing and revoke it whenever they want to
  4. Authorizing payments – Accessing data is different from authorizing payments to be made, but consumers may grant third parties both of these permissions.
  5. Security – The data has to be secure.  This seems to give the CFPB a camel’s nose under the tent to make sure that the FinTechs protect consumers’ data.
  6. Access Transparency –  Consumers need to be able to easily understand what permissions they have granted to whom with relevant parameters (like how often the third party can access their data).
  7. Accuracy –  Consumers can expect the shared data to be accurate and have reasonable means to dispute and resolve inaccuracies.
  8. Ability to dispute and resolve unauthorized access – Consumers have reasonable and practical ways to dispute and resolve issues related to unauthorized access and payments.
  9. Efficient and accurate accountability mechanisms –  Commercial participants (i.e. the FinTechs) are accountable for the risks, harms and costs they introduce to consumers.

So this swings both ways and the CFPB has already whacked FinTechs from time to time (Search for CFPB Dwolla consent decree, for example).  All in all, though, I would say that this is great news for consumers, good news for FinTechs and not so good news for banks.

Now it is up to the banks and the FinTechs to work out the details.  It is likely to get a bit messy before it gets cleaned up.  MAYBE, the banks will agree to a data interchange standard, which would be great, but I haven’t seen anything public on that subject.

Information for this post came from American Banker, here, here and here and the CFPB.


Is Treasury Breaking the Law – The Jury Is Still Out

According to reports – and denied by the government – the US Department of the Treasury is either creatively stretching the definition of certain laws or outright breaking them.  It is likely that we will hear more about this over time.

The story goes like this.  There is a part of Treasury called FINCEN or Financial Crimes Enforcement Network, which, under law, receives reports of suspicious activity from banks and other financial institutions.  The purpose of these reports is to detect money laundering and other financial crimes.  This is all well within the law and FINCEN has been doing this for years.

There is another part of Treasury called the Office of Intelligence and Analysis or OIA.  This is a foreign intelligence group tasked with gathering intelligence on foreigners.

But, under certain circumstances and with certain privacy protections, OIA can access FINCEN’s data.

But what happens if Treasury placed OIA employees inside FINCEN and those employees searched for information on U.S. citizens, possibly in violation of the law?

Treasury first issued a one sentence denial and later issued a longer two sentence denial, while at the same time saying that OIA and FINCEN do share important information and operate within the bounds of the law.

The Treasury Inspector General has launched a review and said that they had no further comment.

On the other side of the argument, a number of Treasury employees have said, off the record, that “this is domestic spying”.

Sources said that the spying had been going on under President Obama, but has continued under President Trump.

And sources also say that officials from CIA and Defense Intelligence Agency have come to work at OIA for as little as a week, at which time they got access to information on U.S. citizens that they could not get legally without this arrangement.

To turn this completely into a soap opera, apparently last year Treasury’s Office of Terrorism and Financial Intelligence proposed transferring much of FINCEN’s work to OIA, along with the budget and staff.  That certainly could upset FINCEN “whistle blowers”.  They said that OIA, part of the intelligence community, could not collect information on U.S. citizens unless it complied with Executive Order 12333 issued by President Reagan and reissued by President Bush, which sets rules on collecting intel on U.S. citizens, among other rules.  The EO requires certain privacy rules, approved by the Attorney General, and those rules did not exist at the time.   When FINCEN asked to review those guidelines, they were, they said, removed from the conversation.  These guidelines, apparently, have still not been approved by AG Sessions.

Some FINCEN employees have complained to Congress, but Congress doesn’t seem to have done much about it.  Possibly in light of some publicity, they may decide it should have a higher priority.

At this point it appears to be the stuff that prime time soap operas are made of and it is completely unclear what the truth is.

Information for this post came from Buzzfeed.
