Category Archives: Privacy

Ohio Man Indicted For Spying on People for 13 Years

NOTE: THE CONTENTS OF THIS POST MAY NOT BE SUITABLE FOR YOUNGER READERS.

A 28-year-old Ohio man has been indicted for creating and installing malware on hundreds of Apple Mac and Microsoft Windows computers.

The man, Phillip Durachinsky, used the software to spy on people.  This includes recording what the camera and microphone pick up in the same room as the computer.

In addition to capturing audio and video, the software that he created also stole passwords, which he used to access third-party sites.  He also used the software to steal tax, medical and banking records, as well as photos and private communications.

The 16-count federal indictment includes the production of child pornography, so it doesn’t take much to figure out that if your kid had a Macbook in the bedroom and it was infected, this guy may have captured video of your kids doing whatever and, apparently, while naked – something that doesn’t seem completely unexpected in a bedroom, but which you and your kids certainly do not expect.  People expect to be safe and secure in their bedroom.

The software alerted him when the user used certain search terms, such as pornography.  People who watch porn might be doing certain things while naked, hence the charge of producing child porn. Kind of boggles the mind.

As an indication of how deranged this guy is, he is alleged to have kept regular, detailed notes.

Durachinsky, who is 28 now, has been spying on people for the last 13 years, according to the feds, so he must have created this software when he was around 14 or 15.  If it weren’t so warped, the skill would be pretty impressive.

What has not been revealed yet is the total number of computers infected or the number of people affected.  It is also not clear how much video exists and if the video has been published or if he was keeping it for himself.  Given that he was charged with PRODUCING child porn and not with DISTRIBUTING child porn, you might conclude that he was not selling or giving away the video that he captured.

The researcher who found the software, called Fruitfly, discovered it on at least 400 Macs, so it looks like the software was not widespread.

A simple way to protect yourself, at least in part, is to join the ranks of Facebook founder Mark Zuckerberg and former FBI Director James Comey and cover your laptop camera with a piece of opaque tape.  Many companies make small devices that you can slide back and forth or remove that are a little more elegant than black electrical tape.

For parents, have kids close the lid on their laptops when they are not using them and, of course, do not use your laptop when you are sans clothing.

It is a sad thing that you have to worry about such things.

Information for this post came from CNN.


FBI Says Tech Industry Should Follow Financial Services in Saving Messages

FBI Director Christopher Wray suggested that the tech industry follow the model of the financial services industry.  Some of the big banks have created a messaging app with delete capability, so, to keep the regulators happy, they agreed to save a copy of each message for 7 years.

Let’s apply that to the tech industry.

WhatsApp currently serves up 55 billion messages plus 4.5 billion photos plus 1 billion videos a day.

iMessage serves up 40 billion messages a day.

Let’s assume a message, with overhead, is 1,000 bytes, a photo is 3 megabytes and a video is 20 megabytes AND let’s ignore every other secure messaging platform.  The math is:

(95 billion x 1 kB + 4.5 billion x 3 MB + 1 billion x 20 MB) x 365 x 7

That equals 33,595,000 billion bytes per day or

12,262,175,000 billion bytes per year or

85,835,225,000 billion bytes in 7 years.

That would be 85,000,000,000,000,000,000 characters, if I did the math right.  Let’s ignore compression for the moment since videos and photos don’t compress and they are the bulk of the disk space.

Assuming a 5 TB disk drive, that would only require 17,167,045 disk drives to hold the data.

Double that if you would like just one backup copy.

That assumes zero growth during that time; as we know, growth is in the double digits per year.

That is a lot of disk drives for someone to buy.  And maintain.  And pay for the electricity and people to keep them running.  Roughly the size and cost of the NSA’s Utah data center, which, estimates say, cost about $4 billion to build and probably a hundred million dollars a year to run.

Scale IS a problem here.  A big problem.

Let’s say you scale that back and say that you only keep messages for a year.  Now you only need two and a half million disk drives, assuming zero growth.

If we assume that people don’t keep all their messages, someone else is going to have to and that will be VERY expensive.  Even if you build a back door into phones, if people delete their messages, that back door doesn’t help you.

I’m not saying there is no answer, but there is no simple or inexpensive or privacy protecting way.

And, of course, if you force Apple to build a back door into iMessage, some dude in Pakistan will build his own app that doesn’t have a backdoor.  Now you have to police every phone on the planet for a long list of apps that changes daily.  Again, possible, but not cheap or inexpensive.

NOTE: These numbers are only for examples.  They could be off by a factor of 10 in either direction – or more.

Information for this post came from The Washington Post.

 


DHS Issues New Rules For Searching Electronic Devices

In 2015 some 380 million international travelers arrived in the U.S. and only 8,503 of those travelers had their electronic devices searched – only .002 percent.  That is a pretty small number.

In 2016 there were 390 million international arrivals and CBP examined the devices of 19,033 of them – a little more than double the number from the prior year.  Still it is a very small number.

In the first half of FY 2017 14,993 travelers had their devices searched.   Assuming the second half of the year matches the first half, just about 30,000 travelers will have their devices searched.  That will be about 350% of the 2015 numbers.

Of course there is no way to extrapolate what that means for 2018, but if the trend continues, it will likely increase.

One of the complaints that people have expressed is that there are no obvious rules governing whether a device can be searched.  With all kinds of personal and sometimes embarrassing content on people’s phones and computers, DHS has decided to publish some general guidelines.  Far from rules, but better than what was known before.

The Supremes have ruled in the past that Customs does not need either a warrant or reasonable cause to search your devices.  If you are a U.S. citizen you can’t be denied entry into the country if you refuse to unlock your device, but if you are NOT a citizen, they could send you back to where you came from.

In both cases they can detain you for a while – no definite time, which may encourage you to cooperate.

And, they can also search your device when you leave the country, but I suspect that is much less frequent.

The right to their arbitrary searches is rooted in the Constitution and was based on the concept of looking through your luggage for contraband.  Extending that to your phone seems like a bit of a stretch, but the Supremes have weighed in and said it is OK.

Under the new rules, agents can search information stored ON the device, using the software on the device.  This, in theory, says that they can’t read your GMail by opening your Mail app since that is not stored on your phone – or maybe it is.  The way they have decided to deal with that is either CBP agents will ask you to put the phone in Airplane mode or if they don’t trust you to do that, they will do it for you.

Unless they have reasonable suspicion – whatever that means.  Then they can use advanced search techniques – which I assume means that they can use forensic tools.

They can ask you for your passcode and detain a device that is encrypted (and, I assume, that you won’t decrypt).

The document also says that agents should take care not to make changes to the device.  I assume that the first thing someone would say if CBP claims they found something incriminating is that it was planted.  Advanced searches should be done in the presence of a supervisor, if available.  Searches should also be done in the presence of the device owner unless there are reasons not to allow this.

If the device owner says that information on the devices is protected by attorney-client privilege, the agent is supposed to ask for clarification as to what specific files or folders contain that information.  Prior to searching  those folders, the agent has to contact the CBP assistant chief counsel, who will coordinate with the U.S. Attorney’s Office on how to proceed.  While they will still search that information, they will segregate it so that it might, possibly, be better protected.

At the completion of the CBP review, any copies of information will be destroyed unless they need to be preserved in accordance with a litigation hold.

All of this process needs to be documented on specific CBP forms.  That alone will probably discourage agents from poking around.  Filling out government forms is no fun.

Business confidential and trade secret information needs to be protected as well.

All of that information can still be shared with other agencies as long as they have processes in place to protect it – undefined processes.

If they ask for your passcode and you give it to them, they may keep those passcodes in case they need them later.  Another reason not to reuse passwords.

If the device owner will not unlock the device, CBP can try to break into it.

Officers may detain devices and/or information on them for a reasonable period, usually 5 days, but that can be extended for a week at a time with approval, if needed.

If CBP keeps your device, they need to give you a receipt.

If CBP needs to get assistance from another agency for breaking into the device or evaluating the information on it, they need to get a supervisor’s approval and they need to tell the owner unless the purpose for sharing is counter-terrorism related.

So what should you do?

That kind of depends on your level of paranoia and what is stored on your device.

In general, try to avoid taking sensitive or embarrassing information across the border.  For many companies, that means issuing burner phones and burner laptops (this is actually a more common practice than you might think).  Upload encrypted data to the cloud before crossing the border in any direction and wipe and overwrite the files off the local device.

If CBP retains the device or takes it out of your sight, depending on your level of paranoia and the sensitivity of your mission, assume the device is compromised or bugged and treat it accordingly.

Mostly, it depends on your view of what is on the device and how much you trust or distrust the government.

Given the government’s inability to keep much of anything confidential, I would not assume that the government should be counted on to protect anything that they observe or copy.  This is not because they are evil, but because they are part of a large bureaucracy.  Large scale operations have some benefits, but privacy is not one of them.

Overall, it is a good, small step forward that they have documented these rules, but there are a lot of loopholes in them.

Remember that this is coming from someone who is way more paranoid than the average bear, so take that into consideration.

Information for this post came from CBP and CNN.


Congress Votes to Kick The Can Down The Road on Spying

Section 702 of the Foreign Intelligence Surveillance Act allows the intelligence community to collect intelligence on non-Americans outside the United States without a warrant.  As the intelligence community hoovers up huge quantities of data (they just built a new facility in Utah so that they could bring enough storage online to hold all the data), it is inevitable that they will collect information on Americans, absent a warrant, absent probable cause.  They say there are controls in place to protect Americans, but those controls do not, some say, match the requirements of the Fourth Amendment to the U.S. Constitution.

The Congress, in 2008, had the wisdom to require that Section 702 be renewed every few years.  The result of that is to force a debate and make Congress-critters go on record voting for or against whatever the revised 702 requires.  The last vote to renew Section 702 was in 2012 and it is set to expire on December 31, 2017, about 7 days from now.

In Congress there are several different factions right now:

  • One group wants to renew Section 702 as is and make it permanent.
  • Another group wants to require the FBI to get a court order before viewing information on Americans – information that they hope to use in criminal cases.
  • Others want the FBI to go to the Foreign Intelligence Surveillance Court to weigh in on the legality of queries on Americans, pretty much a rubber stamp approval.
  • Finally others want to scrap it entirely.

So Congress does what it does best and renewed Section 702 for another 28 days and went on vacation.

Congress is on vacation until January 8th and, with absolutely no agreement on what to do and only 10 days between when Congress returns and the expiration, do not be surprised if Congress kicks the can down the road again and extends it another 30 days.

Unlike some bills in Congress, this is not an Elephants vs. Donkeys issue;  this is a privacy rights vs. national security issue.

The House Freedom Caucus Chairman told the media that no long term extension would get through Congress at this time.

Republican Sen. Rand Paul and Democratic Sen. Ron Wyden want to bring the fight to the floor.

My personal opinion is that Congress is unlikely to let Section 702 expire.  I just don’t think that is going to happen.  But what form of restrictions are going to be put in place – that is a much harder question to answer.

 

Information for this post came from the Washington Post.

 

 


Researchers Find Directv Security Hole No One is Patching

Researchers tried to do this the right way with no luck so now they are seeing if bad publicity will get the job done.

AT&T Directv creates a private wireless network to transfer video, audio and the user interface between its wireless slave boxes hanging off the back of your TVs and the DVR that they talk to.

According to researchers, the bug is trivial to exploit and will go undetected.

The wireless video bridge, as it is called, is running a web server and when the researcher decided to check it out, he discovered that the web server does not require you to log in to it.  After all, all that should be talking to it is a Genie slave unit.

Worse yet, the web server does not do any kind of input validation, so if you want to send it bogus data, you can own the box as ROOT, Linux’s super admin userid.

The good news is that this wireless bridge is not connected to the Internet, but if someone was able to compromise a PC on the network, then it would be trivial to use it to compromise the Directv box.

The first attack that the researchers considered is a Mirai-botnet-like attack where a couple of thousand AT&T Directv boxes are used to attack the Internet and take down Google or Microsoft or whomever.  Definitely possible.

The researchers notified AT&T 6 months ago and AT&T has gone completely dark, so they are announcing the  bug.  Maybe the fear of being on the front page of every newspaper in the country – after all, now millions of hackers are aware of how to break in – might get them off the dime.

From a user perspective, there are only a couple of things that you can do and #1 is to completely isolate your AT&T devices from the rest of your network.

Information for this post came from The Register.

 


MOM – He’s WATCHING me!

In case you thought you were being paranoid, you were not.  Have you ever gone to a web site, wandered around but never clicked on anything and then closed the browser only to see an ad for whatever you were looking at show up on some other web site?

There is a reason for that and no, you are not imagining it.

Some web sites track every single keystroke and mouse click that you make, capture it and store it.  They can tell if you hover over an image (even if you don’t click on it) and how long you do that.

Hundreds of sites including Microsoft, Adobe and Godaddy capture every keystroke and mouse movement.  In many cases, that even includes passwords.  A study of 50,000 popular web sites found 482 of them did this.

Of course, without telling you.

These are called session replay scripts and can be used for many purposes, from figuring out which parts of their web sites are more trafficked to capturing data to send you spam and ads.

Scripts from FullStory, Hotjar, Yandex, and Smartlook were the most intrusive because they recorded all input, including Social Security numbers and dates of birth.

Here is a demo of the replay technology:

The research, conducted by Princeton’s Center for Information Technology Policy, only tested 50,000 web sites.  No one knows if the percentage (about 1 percent) would stay the same if the sample size increased.  Assuming that the percentage stays flat, that means of the one billion web sites, ten million are capturing your info, whether you want them to or not.

I guess the good news is that it is only one percent and not 70 percent.  But since these tools can capture credit card numbers and passwords and since the web site owners share the data with third parties, it makes me wonder how safe things are.

If you use two factor authentication to log on, that significantly negates the risk from some third party having your password, but since only a tiny percentage of folks do use two factor authentication, that won’t help most people.

Some web sites do “mask” sensitive data, but since they don’t even tell us that they are doing this, they certainly aren’t telling us if they are masking data or not.
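What masking means from the site owner's side, as an added example (not code from this post or from any of the vendors named above): a recorder that masks only password-type inputs still stores the Social Security number and date-of-birth fields, while a default-deny recorder keeps only fields explicitly marked safe. The field list, its values and the `replaySafe` flag are constructed for illustration.

```javascript
// Added example. All field names and values below are constructed.
const MASK = "[masked]";

// Constructed sample of what a recorder sees on one form.
// `replaySafe` is a hypothetical opt-in flag set by the site owner.
const SAMPLE_FIELDS = [
  { name: "email", type: "email", value: "pat@example.com" },
  { name: "password", type: "password", value: "constructed-pass" },
  { name: "ssn", type: "text", value: "000-12-3456" },
  { name: "dob", type: "text", value: "01/02/1990" },
  { name: "search", type: "search", value: "blue widgets", replaySafe: true },
];

// Weak policy: mask only inputs the browser already treats as secret.
function recordPasswordOnly(fields) {
  return fields.map((f) => ({
    name: f.name,
    value: f.type === "password" ? MASK : f.value,
  }));
}

// Default-deny policy: store a value only when the field is explicitly
// marked safe; everything else is masked before it leaves the page.
function recordAllowlist(fields) {
  return fields.map((f) => ({
    name: f.name,
    value: f.replaySafe === true ? f.value : MASK,
  }));
}

// Names of fields whose raw value would be stored by the recorder.
function storedInClear(recorded) {
  return recorded.filter((r) => r.value !== MASK).map((r) => r.name);
}

console.log("password-only mask stores:", storedInClear(recordPasswordOnly(SAMPLE_FIELDS)));
console.log("allowlist stores:", storedInClear(recordAllowlist(SAMPLE_FIELDS)));
```

The password-only policy leaves four of the five fields in the recording; the allowlist leaves only the search box.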

Bottom line – assume everything that you are typing or clicking may be captured and shared with a third party.  AND, likely, AGGREGATED.

There are tools that can help you protect yourself but they complicate the world and slow things down.  Still, they may be worthwhile in some cases.

Depends on YOUR level of paranoia.

Information for this post came from Ars Technica.

 
