Category Archives: Safety

Wireless Home Security – Good Theater, Bad Security

Alarm companies like wireless alarm sensors because they cost less to install and are prettier since there are no wires.  They are also remarkably less secure.

It is useful to understand that your neighborhood junkie might not be able to pull off the attack, but any serious burglar would not have a problem.

In this particular case, a lawyer who has an interest in security was able to buy a signal jammer for $2 that disabled the SimpliSafe alarm system in his house.

While the alarm company disputed his claim with statements like “this is not practical in real life”, the lawyer stands by his claim.

To me, the attack is obvious.  The sensor only reports a door or window opening by radio; if that radio report can be jammed, the control panel never hears it and no alarm is raised.

SimpliSafe says that they will detect what they call interference and the lawyer agreed that it did, but only sometimes.  He also said that the interference never actually triggered an alarm.

People often purchase an alarm for peace of mind, but if the alarm is jammable, is the peace of mind justified?

If you really care about your personal security, demand that all of the sensors are hardwired to the control panel.  If the alarm company can’t or won’t do that, find a different company.

Of course, if the alarm is just for appearances, a wireless system will be just fine.

The second half of the problem is the communication between the alarm and the monitoring station.  Some alarms use your internet; others use a cell modem.

The Internet based alarm is easy to defeat as the wire for your internet connection is typically exposed in a plastic box outside your house for the convenience of your internet provider.  All it takes is a wirecutter to defeat it.  For cell based alarms, a cell jammer does the trick.

In general, you want two different communications paths back to the monitoring station.
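The two points above (a jammed sensor that the panel never misses, and a second path to the monitoring station) are both about supervision: the receiver has to expect periodic check-ins and treat silence as trouble. The following simulation is an added example, not code from the article or from any alarm vendor; the sensor and link intervals, tolerances and jam windows are made up for illustration and do not describe SimpliSafe's or any other product's protocol.

```python
from dataclasses import dataclass


@dataclass
class Link:
    """One supervised path (sensor radio, IP uplink, cell modem) and its check-in schedule."""
    name: str
    interval: int          # seconds between expected check-ins
    missed_limit: int      # consecutive intervals of silence tolerated before declaring trouble
    last_seen: int = 0
    in_trouble: bool = False


class Supervisor:
    """Receiver side (panel or monitoring station): remembers when each link last checked in
    and declares a supervisory loss when a link stays silent past its tolerance."""

    def __init__(self, links):
        self.links = {link.name: link for link in links}
        self.events = []

    def checkin(self, name, now):
        link = self.links[name]
        link.last_seen = now
        if link.in_trouble:
            link.in_trouble = False
            self.events.append((now, f"{name}: restored"))

    def tick(self, now):
        for link in self.links.values():
            silent = now - link.last_seen
            if not link.in_trouble and silent > link.interval * link.missed_limit:
                link.in_trouble = True
                self.events.append((now, f"{link.name}: supervisory loss ({silent}s silent)"))

    def all_down(self):
        """True when every path to this receiver is in trouble (total communication loss)."""
        return all(link.in_trouble for link in self.links.values())


def simulate(links, jam, horizon, step=10):
    """Drive a Supervisor through `horizon` seconds. Every link sends a check-in on its own
    interval; check-ins that fall inside a jam window (name -> (start, end)) never arrive,
    which is all a jammer or a wire cutter amounts to from the receiver's point of view."""
    sup = Supervisor(links)
    for now in range(0, horizon + 1, step):
        for link in links:
            if now % link.interval == 0:
                start, end = jam.get(link.name, (None, None))
                if start is not None and start <= now < end:
                    continue               # dropped by the jammer / cut wire
                sup.checkin(link.name, now)
        sup.tick(now)
    return sup


if __name__ == "__main__":
    # Scenario 1: a supervised door sensor (check-in every 60 s, three misses tolerated)
    # jammed from t=600 to t=900. The panel logs a supervisory loss at t=730.
    panel = simulate([Link("door", 60, 3)], {"door": (600, 900)}, 1200)
    print(panel.events)
    # The same jam against a panel that never supervises the sensor: nothing is ever logged.
    print(simulate([Link("door", 60, 10**9)], {"door": (600, 900)}, 1200).events)
    # Scenario 2: a monitoring station with two paths; only the IP path is cut.
    station = simulate([Link("ip", 30, 2), Link("cell", 300, 1)], {"ip": (1000, 3000)}, 2000)
    print(station.events, "all paths down:", station.all_down())
```

The unsupervised panel is the case the lawyer demonstrated: the jam is invisible because nobody is counting missed check-ins. With supervision, a jam still suppresses the open-door report, but the silence itself becomes the alarm, and a station watching two independent paths only loses contact when both are taken out.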

All of this depends on how serious you are about your alarm system protecting you.  Most consumer alarms are really designed to lull you into thinking you are secure and it works because most people don’t have the security knowledge to understand what the weaknesses are.

To watch a video of the hack, additional recommendations on being safer and more details of the attack, go to the article on the Verge.


Is The Encryption Debate Over?

Attorney General Barr said that he wants an encryption back door and if it compromises your privacy, well, we are not talking about protecting nuclear launch codes.  So we  know where he stands.

What came as a bit of a surprise is that Facebook says that they are going to build a back door into WhatsApp.  Not sure why.  Where is the pressure?  Who has the compromising pictures? Likely it is just greed.  They want to be able to operate in every country and since there are a number – a small number right now – that won’t let them operate without allowing those governments to spy on their users, the simple answer is to cave.

Here is what Facebook says they are going to do.  They are not going to, technically, insert a back door.  They might even claim this is a service to their users.

Think about this for a moment.  Right now WhatsApp cannot read your messages so they can’t target ads at you.  If they did know what you are saying, they could use or sell that data to advertisers.  That is just one possible use.

They are going to modify their app to do “content moderation”.  Content moderation is a polite word for censorship.  If China, for example, doesn’t want anyone to say anything bad about Xi, the moderation software will look for people saying bad things about him and stop it.

Since this happens on the user’s device, the encryption is not an issue: the message has already been decrypted there, with the user’s own key, before the moderation code ever looks at it.

Then, to make sure that the government will allow them to operate, they will send any banned content to a central moderation facility (AKA the government censors) to figure out who the local goon squad should come visit.

Obviously, the country can tell Facebook what they want them to look for.
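To make the mechanism concrete, here is an added example (mine, not Facebook's code and not a description of how WhatsApp is built) of why end-to-end encryption does nothing against a scanner that runs on the endpoint. The cipher is a toy SHA-256 counter-mode stream cipher so the script runs on the standard library alone, the term list is a made-up stand-in for whatever a government pushes, and the report format is invented for illustration.

```python
import hashlib
import os


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy keystream: SHA-256 in counter mode. Stands in for the messenger's real cipher so
    the example is self-contained; not for production use."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def e2e_encrypt(key: bytes, plaintext: bytes, nonce: bytes = None) -> bytes:
    nonce = nonce or os.urandom(16)
    assert len(nonce) == 16
    ks = _keystream(key, nonce, len(plaintext))
    return nonce + bytes(p ^ k for p, k in zip(plaintext, ks))


def e2e_decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct = blob[:16], blob[16:]
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


# Hypothetical term list pushed down by the vendor (constructed for this example).
POLICY = {"protest", "rally"}


def scan(text: str, policy=POLICY):
    """Client-side 'content moderation': plain word matching against the pushed policy."""
    words = {w.strip(".,!?").lower() for w in text.split()}
    return sorted(words & policy)


def relay_view(blob: bytes):
    """What the messaging server can match on: only the ciphertext, which never hits."""
    return scan(blob.decode("latin-1"))


def client_receive(key: bytes, blob: bytes, device_id: str, reports: list) -> str:
    """Recipient's app. The decrypt is legitimate (it is the user's own key); the scan that
    follows, and the report it files with the 'moderation facility', are the added hook."""
    text = e2e_decrypt(key, blob).decode("utf-8")
    hits = scan(text)
    if hits:
        reports.append({"device": device_id, "hits": hits, "excerpt": text,
                        "msg_id": hashlib.sha256(blob).hexdigest()[:16]})
    return text


def run_demo(key=b"\x01" * 32, nonce=b"\x02" * 16):
    """Send one message through the relay and into the recipient's app; return what each side saw."""
    reports = []
    blob = e2e_encrypt(key, b"Meet at the rally tomorrow", nonce)
    return relay_view(blob), client_receive(key, blob, "device-42", reports), reports


if __name__ == "__main__":
    relay_hits, delivered, reports = run_demo()
    print("relay matched:", relay_hits)      # [] : the server only ever sees ciphertext
    print("delivered:", delivered)
    print("filed reports:", reports)         # the endpoint hook saw the plaintext and reported it
```

Nothing about the cipher changed between the two views; the only difference is where the matching runs. That is the whole point of the passage: a vendor can truthfully say the encryption is intact while the policy engine sitting next to the decrypt routine reports whatever it is told to look for.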

Now say that you decide that you don’t like that and you switch to Signal.

The government could go to Signal and say “if you don’t want to be blocked you have to do content moderation.  It has nothing to do with your encryption.  Don’t say you can’t do it, because Facebook is doing it”.  At that point, privacy is pretty much done with.

It is *possible* that Signal, since it is not a commercial profit making company, might say go for it, block us.  That is not great for Signal, but, it might be better than compromising their principles.  Who knows.

Any government, no matter how repressive, now has a way to demand that software vendors give them their back door.

Facebook won’t say when this will be deployed – assuming it is not already deployed.  Why?  Because it might cause their customers to leave and that would, kind of, defeat the purpose.  I can already see the handwriting on the wall, so I am working to migrate away from WhatsApp and delete the application.

The total end game here could be to force Apple and Google to add “content moderation” to the operating system.  That is really what repressive regimes like China, and apparently the US as well, would like to happen.

Stay tuned.  It is not clear how this is going to come down, but we certainly have a roadmap.

Source: Forbes.


Security News for the Week Ending July 26, 2019

Equifax Agrees to Pay UP TO $700 Million to Settle Breach Lawsuits

First – the settlement hasn’t been agreed to by the court yet, so this is all speculation.

Of the $700 million pot, at least $300 million is set aside to pay damages to consumers.  Another $100 million plus is to pay for credit monitoring.

There are lots of details.  For the most part, unless you can prove damages and prove that those damages were caused by the Equifax breach and not some other breach, you probably will not get paid much.  You can get paid up to $250 if you file a claim, without having to provide proof.  Everything past that requires proof.  With 150 million victims and a $300 million pot, that averages to $2 a person.

BUT there is one thing you should do and that is get the free credit monitoring.    Go to EQUIFAXBREACHSETTLEMENT.COM and wait until it says that the court has approved it.  Note this is not a site owned by Equifax and given what a mess they are, this is good.  Read more details here.

The Next NSA Hacker Gets 9 Years

Harold Martin, the NSA contractor (employed by Booz, like Edward Snowden) was sentenced to 9 years for stealing 50 terabytes of data over the course of his 22 year NSA career.  The haul is something like 5 times the size of the Snowden leak.  He didn’t sell it;  he just liked data.  He had so much he had to store it in sheds in his back yard.  Many of the documents were clearly marked SECRET and TOP SECRET.

The fact that he was able to walk out with hundreds of thousands of documents over two decades doesn’t say much for NSA security, which is sad.  Source: Nextgov.

Huawei – Bad – Not Bad – Bad?!

President Trump said that Huawei is a national security threat and needs to be banned and then he said that maybe we can trade that threat for a better deal with China on trade.

Now it is coming out that Huawei helped North Korea build out their current wireless network.  The equipment was shipped into North Korea by Chinese state owned Panda International.  This has been going on since 2006 at least.  Huawei is likely continuing to provide technical support to North Korea.

This seems like a national security threat and not a bargaining chip for the President to toss in to get a trade deal that he wants, but what do I know.  Source: Fox News.

 

AG Barr Says He Wants Encryption Back Door And Why do You Need Privacy – Just Suck it Up.

Attorney General William Barr said this week that if tech companies don’t provide a back door into consumer encryption, Congress will pass a law forcing it.  And while he concedes this will allow hackers and Chinese spies to compromise US systems, he thinks it is worthwhile.

He said that they might wait for some terrorist event that kills lots of people and blame it on encryption (whether that is true or not).

He did seem to exclude “custom” encryption used by large business enterprises, whoever that might include.

Barr said that bad guys are using crypto to commit crimes that the police can’t investigate.  If that were true we would expect that crime would be going up.  If it is a really bad problem, it would be going way up.

Only problem is that the statistics say crime is going down.

You may remember that Juniper’s ScreenOS shipped with such a back door (a rigged Dual_EC random number generator, widely believed to have been put there at the NSA’s request), and it worked great until someone else found the weakness and quietly swapped in their own parameters, turning the government’s back door into somebody else’s.

This conversation is not over.  Source: The Register.

 


Phone Apps Collect User Data Even If You Deny Permissions

All smartphones are data collection machines; hopefully everyone understands that.  There are an amazing number of sensors on the device and many apps just ask for everything.  If the user grants that, then the app can harvest all that data and likely sell it, either individually or in the aggregate.

Researchers took a tiny sample of 88,000 apps out of the Android app store (because that is easier than the Apple store) and found that 1,300+ of those apps – or a bit more than one percent – figured out how to circumvent the permission rules.

Some of these apps are mainstream apps.  For example, Shutterfly reads the GPS coordinates out of the EXIF metadata embedded in your pictures (assuming the camera app stored them there), which gives it your location history without ever asking for the location permission.

Does this mean that they are hacking the phone?  No, it means that they have figured out how to finesse  the system.
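To show how little “finessing” that takes, here is an added example (mine, not the Shutterfly app’s code and not from the research paper) that builds a minimal JPEG carrying a constructed EXIF GPS block and then recovers the coordinates from it with nothing but file read access. The coordinates, tags and layout are a hand-built sample; a real camera writes many more tags, but the GPS IFD is parsed the same way.

```python
import struct

EXIF_HEADER = b"Exif\x00\x00"
TAG_GPS_INFO = 0x8825                       # IFD0 entry pointing at the GPS sub-IFD
GPS_TAGS = {0x0001: "lat_ref", 0x0002: "lat", 0x0003: "lon_ref", 0x0004: "lon"}


def _rationals(deg, minutes, seconds):
    """Degrees/minutes/seconds as the three (numerator, denominator) pairs EXIF stores."""
    return [(int(deg), 1), (int(minutes), 1), (int(round(seconds * 10000)), 10000)]


def build_exif_jpeg(lat_dms, lat_ref, lon_dms, lon_ref):
    """Constructed sample: SOI, one APP1/Exif segment with IFD0 -> GPS IFD, then EOI.
    Offsets are fixed by the layout: IFD0 at 8, GPS IFD at 26, rationals at 80 and 104."""
    tiff = bytearray(b"MM" + struct.pack(">HI", 0x2A, 8))         # big-endian TIFF header
    tiff += struct.pack(">H", 1) + struct.pack(">HHII", TAG_GPS_INFO, 4, 1, 26) + struct.pack(">I", 0)
    tiff += struct.pack(">H", 4)
    tiff += struct.pack(">HHI4s", 0x0001, 2, 2, lat_ref.encode() + b"\x00")   # ASCII, inline
    tiff += struct.pack(">HHII", 0x0002, 5, 3, 80)                            # 3 RATIONALs at 80
    tiff += struct.pack(">HHI4s", 0x0003, 2, 2, lon_ref.encode() + b"\x00")
    tiff += struct.pack(">HHII", 0x0004, 5, 3, 104)
    tiff += struct.pack(">I", 0)
    for num, den in _rationals(*lat_dms) + _rationals(*lon_dms):
        tiff += struct.pack(">II", num, den)
    app1 = EXIF_HEADER + bytes(tiff)
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"


def _entries(tiff, offset, order):
    """Yield (tag, type, count, raw 4-byte value-or-offset) for each entry of one IFD."""
    count = struct.unpack(order + "H", tiff[offset:offset + 2])[0]
    for i in range(count):
        e = offset + 2 + 12 * i
        tag, typ, n = struct.unpack(order + "HHI", tiff[e:e + 8])
        yield tag, typ, n, tiff[e + 8:e + 12]


def _gps_from_tiff(tiff):
    order = {b"II": "<", b"MM": ">"}.get(tiff[:2])
    if order is None or struct.unpack(order + "H", tiff[2:4])[0] != 0x2A:
        raise ValueError("bad TIFF header")
    ifd0 = struct.unpack(order + "I", tiff[4:8])[0]
    gps_ifd = next((struct.unpack(order + "I", raw)[0]
                    for tag, _, _, raw in _entries(tiff, ifd0, order) if tag == TAG_GPS_INFO), None)
    if gps_ifd is None:
        return None
    fields = {}
    for tag, typ, _, raw in _entries(tiff, gps_ifd, order):
        name = GPS_TAGS.get(tag)
        if name is None:
            continue
        if typ == 2:                                   # ASCII ref, short enough to sit inline
            fields[name] = raw.rstrip(b"\x00").decode("ascii")
        elif typ == 5:                                 # 3 RATIONALs (deg, min, sec) at an offset
            off = struct.unpack(order + "I", raw)[0]
            n = struct.unpack(order + "6I", tiff[off:off + 24])
            d, m, s = ((n[i] / n[i + 1]) if n[i + 1] else 0.0 for i in (0, 2, 4))
            fields[name] = d + m / 60 + s / 3600
    if not {"lat", "lat_ref", "lon", "lon_ref"}.issubset(fields):
        return None
    lat = fields["lat"] * (-1 if fields["lat_ref"] == "S" else 1)
    lon = fields["lon"] * (-1 if fields["lon_ref"] == "W" else 1)
    return round(lat, 6), round(lon, 6)


def extract_gps(jpeg):
    """Walk the JPEG marker segments up to start-of-scan, find APP1/Exif, and return
    (lat, lon) in decimal degrees, or None when the file carries no GPS IFD."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 2 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker = jpeg[pos + 1]
        if marker in (0xD9, 0xDA):                     # EOI or SOS: no more metadata segments
            break
        seg_len = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        body = jpeg[pos + 4:pos + 2 + seg_len]
        if marker == 0xE1 and body.startswith(EXIF_HEADER):
            return _gps_from_tiff(body[len(EXIF_HEADER):])
        pos += 2 + seg_len
    return None


if __name__ == "__main__":
    photo = build_exif_jpeg((37, 46, 29.8), "N", (122, 25, 9.9), "W")   # constructed coordinates
    print(extract_gps(photo))                                            # (37.774944, -122.419417)
```

Only a file read is involved, which is why the permission model never fires: the location arrived on disk courtesy of the camera app, and the scanning app just has to know where to look. Stripping EXIF before sharing, or granting photo access to an app through a picker that hands over a single sanitized copy, are the practical mitigations.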

Another thing that some apps do is look for data other apps leave unprotected on the phone and snarf that data up.  For example, older versions of Android do not protect individual apps’ data on external storage (the SD card area).  If you give an app access to external storage, it can rummage around on that storage for any data that might be there.

If another app with permission to read the phone’s IMEI number (basically the phone’s serial number) wrote it to that unprotected storage, an app that was denied that permission can simply pick it up from there and tie all of your data to you anyway.

With each new release of iOS and Android, the developers of those operating systems implement new controls in an effort to rein in developers who have figured out how to game the system.

Sometimes it is not the app developer who is being deceptive but rather the provider of one or more libraries that the developer integrated into the application.  That means that the app provider could be unwittingly helping out Chinese library developers (yup, that is happening, for reals).

This is not limited to one operating system.  As they say, if the app is free, then you are the product.

As an app developer, you need to understand what each and every library does, and if you can’t be sure, you can capture the app’s network traffic and see what is actually being sent, and to whom.

Source: The Hacker News.

 


Welcome to the Surveillance State

Let me first say that there is nothing illegal about what follows.  You may not like it, but it is not illegal.

Using a public records request, Motherboard obtained a user manual for the Palantir surveillance system called Gotham.

The system is used by law enforcement around the country (including, for example, New York, New Orleans, Chicago and Los Angeles), but northern California has got them all beat.  It is also used by a number of private companies.

Northern Cal has created something called the Northern California Regional Intelligence Center or NCRIC.  Through NCRIC, 300 cities in California, home to almost 8 million people, had access to Palantir’s data.

So what can a city ask NCRIC for?

This includes emails, phone numbers, current and previous addresses, social security number(s), business relationships, license plates, and travel history as captured by license plate cameras. The tool also maps that person’s “possible relatives” and “possible associates,” or their friends and family.

They say that everything starts with something that’s perceived as being illegal.
Examples of data that the police can request include:
  • If they have the name of a person associated with a license plate, they can find out where that vehicle has been over any period of time via license plate reader data.
  • With a name, police can get email and phone info, current and previous addresses, bank accounts, social security numbers, business relationships, family relationships, height, weight and eye color.
  • They can find out who are the family members of the evil person along with their business associates.  Once they have those names, they can get the information above for those people too.  Those people, of course, may or may not have done anything illegal.

The feds pay for NCRIC including the 80 people who work there, through a grant.

NCRIC’s contract with Palantir expires this year and Palantir will be replaced by SAS, another big data company, but NCRIC has a license to use Gotham forever.

Again, remember, nothing about this is illegal and you might be able to do most of this yourself with some work, but in the case of Palantir, all you have to do is type a name and click a few buttons.

Welcome to 1984.

And, don’t forget, none of this is limited to law enforcement.  It is limited only to those people whose credit cards or checks clear.

Source: Motherboard (there is a lot more info in the article).


A Cyber Event Interrupted US Power Grid Operations

Stories – and only stories – abound about whether the Ruskies have infiltrated the US power grid – years ago.  The government is not going to tell the truth for fear of scaring the crap out of people.

On March 5th a “cyber event” interrupted grid operations in parts of the western United States.  While in this case it did not cause blackouts, it affected utility operations in California, Utah and Wyoming.

A cyber event, according to the DOE, involves unauthorized access  to hardware, software or data.  Who?  Not clear.  What?  Not clear.  Why? Not clear.

But …. not a good sign.

The incident lasted from 7 AM to 9 PM that day.  That is a long time.

The DOE did not respond to a request for information.

The Western Electricity Coordinating Council declined to comment.

“For security reasons we cannot disclose any further information” was the only comment.

So, while this time we averted disaster, that doesn’t mean we will next time.

Was this a test?  To see how the grid responded?  To test a capability?  Kind of like pulling the fire alarm to see how long it takes for the fire department to arrive.

I suspect that, whatever happened, the feds will *TRY* to fix the problem.   But the feds do not have a great track record.

Now might be a good time to buy a generator.

Consider your own cybersecurity  program.

And your disaster recovery/business continuity program.

If you are not familiar with this song in the movie Hoodwinked, it is entertaining and relevant.  Source: Environment & Energy News.
