Tag Archives: Spying

Security News for the Week Ending March 26, 2021

China Bans Military and Government from using Teslas – Due to ‘Spying’

The WSJ is reporting that the Chinese government has restricted the use of Tesla vehicles near or in sensitive installations like military and government facilities. The theory is that the cameras on Teslas could be used for spying. Tesla, of course, denies that they are spies, but consider this. What is to stop hackers or state intelligence agencies from hacking ANY self driving car and stealing the data? I am sure that Musk would say that his security is great, but is it perfect? This is not a Tesla problem, this is a ’20 cameras on 4 wheels with an Internet connection’ problem, and in this case I would say the Chinese are correct. The problem is that with more and more self driving cars, do you ban all cars from sensitive places? What if someone convinces the owner to sell their data after driving around a sensitive facility? If someone offered you $50,000 to rent your car for a week, no questions asked, would you take it? Oh, yeah, it might come back with less data than it went out with. Credit: ZDNet

Facebook Fails to Derail $15 billion Privacy Lawsuit

Facebook is being accused of violating wiretap laws because of the way the Facebook “Like” icons work to track even people who do not have Facebook accounts, never mind ones who do have an account but are not logged in. Of course, Facebook monetizes this data in a variety of ways. Facebook told the Supreme Court that if they allowed the California federal court decision to let the case proceed (which is different than saying the plaintiffs will win), that would have detrimental consequences. While $15 billion is a lot of money, remember that Facebook made $30 billion in PROFIT just last year, and allowing the case to proceed does not mean anyone will win or say what the penalty might be. Surely if Facebook loses it will be detrimental – to them, but that has never been a reason to stop a lawsuit from moving forward. Credit: Security Week

Amazon Contractors Have to Sign a Biometric Consent Form or Lose Their Job

Amazon continues to ratchet down on their contract drivers (and probably their own too). They are installing AI based cameras in their delivery vehicles that watch both the road and the drivers. If a driver yawns, they see that. If the driver looks at his or her phone, they see that too. Not wearing your seatbelt? Problem. Too many negatives and they are history. Or, they can quit now. Oh, yeah, they can keep the data forever. Credit: Vice

Hackers Demand $50 Million Ransom from Acer – Threaten to Leak Data

In what is probably the largest ransom demand ever (at least that we know of), hackers encrypted systems at Acer on March 14th and demanded a $50 million ransom. The hackers posted on the dark web that negotiations had broken down. Acer, apparently, offered $10 million, but Acer is not confirming anything. The documents leaked so far are less sensitive financial info, so we don’t really know what else they have. The compromise may have started with the Microsoft Exchange Server hack. The main risk factor here, likely, is the disclosure of whatever the hackers stole. Stay tuned. Credit: Hackread

After NSA Head Says NSA Missed SolarWinds Because it Can’t Spy in US, Administration Says It Does Not Plan to Increase US Surveillance

An administration official, earlier this month, said that the administration, worried about the political blowback of the NSA spying on Americans, was not CURRENTLY seeking additional laws to allow the NSA (or others) to do additional spying on Americans. Instead, they want to focus on tighter partnerships with the private sector and allow them to provide the data to the feds. This would give the feds a cover story that they are just using data that has already been collected. This is my de-spinning of what they said. Credit: Security Week

Another Public Private Partnership Between Police and Hackers

A few days ago I wrote about a public-private partnership between the Russian spy folks and Russian hackers that was uncovered when the Feds indicted two hackers and two Russian spies.  In that case, the hackers gave the Russians the data that they wanted and kept and used the rest for themselves.

Now there are reports of a similar but different arrangement with the Metropolitan Police in London.  These reports are unsubstantiated as of right now.

The anonymous person who used to work for the intelligence community (or so they say), said it worked this way.

Scotland Yard worked with the Indian police who hired hackers to hack the emails of political dissidents.  The hacked passwords were supposedly then returned to Scotland Yard so that they could then read the emails of environmental campaigners and journalists.  It is not clear how the hackers benefited from this other than for being paid for their work.  How the public-private partnership between the Indian hackers and Indian police worked may come out in the future – or may not.

Some of the passwords were verified by their owners as being their passwords, which certainly adds some legitimacy to the conversation.

The person who reported the crime said that the police had been rummaging through journalists’ and activists’ emails for several years.

The complaint was referred to the Independent Police Complaints Commission (IPCC) and they are reported to be investigating.  The IPCC is already investigating a complaint that the intelligence unit shredded large numbers of documents in 2014 in spite of an order to preserve the documents for review by the court.  The complainant said that documents had been shredded on a far greater scale than the IPCC seems to be aware of.

Lawyers who received the letter in question said it contained 10 userids and passwords and they were able to confirm that five were the correct password for those users and one more was almost identical.

The Metropolitan Police said that they need to keep track of thousands of activists to detect the few bad apples. They didn’t explain HOW they might do that – legally or otherwise.

Combine this with the details that WikiLeaks revealed about CIA efforts to hack into iPhones and there certainly is the appearance of widespread efforts to eavesdrop on people’s emails.

Certainly law enforcement has the authority to do a certain amount of eavesdropping, based on a set of rules laid out by law.  Those laws vary from country to country.

On the other hand, there is sometimes a bit of fuzziness as to what is legal and what is not.

It may be easier – although likely much less legal – to obtain the passwords of the people they want to monitor, such as journalists, than to get multiple warrants.  It is also likely difficult to get a warrant to monitor the emails of journalists if the journalist is just reporting the news.

For those people who wear tin foil hats (i.e. think the government is out to get them), this is just more evidence that they are right.

For people who just want to increase their level of privacy, using two factor authentication definitely helps to make it more difficult for this tactic to work – at the cost of a little more effort to log in.

For those people who want to go the extra privacy mile, using a solution that encrypts your email from end to end where you keep control of the encryption keys is a more secure solution.  This solution, while significantly improving the privacy of your email, is also significantly more complicated to use.

Email solutions that claim to be encrypted but do not require you to know or manage any encryption keys likely do not provide much additional privacy for a variety of reasons.

Bottom line is that it depends on your level of paranoia and the length that you are willing to go to in order to gain some additional privacy.

For most people, keeping the contents of their email private is, at best, a nuisance.  For other people, including journalists and investigators, privacy likely rises to a higher level.

Certainly interesting.

Information for this post came from The Guardian.

UK “Snoopers Charter” Will Require All Companies To Bake In Back Doors

Britain is following in the United States’ footsteps.  The new bill in Britain, called the Snoopers’ Charter by people who don’t like it (and called the Investigatory Powers Bill by the government), would require any company to bake in a back door to hack their users.  Most importantly, just like with U.S. Foreign Intelligence Surveillance Act (FISA) Court orders, companies would be prohibited from publicly challenging the order or even telling users that they have added a back door.

The British call it a technical capabilities notice rather than calling it a demand to secretly spy on your customers, but by either name it is still eavesdropping.  The bill as it is currently written says that anyone who receives one of these notices is under a duty not to disclose either the contents or existence of that notice.

With the exception of companies who have less than 10,000 users, all companies will be required to provide a permanent technical capability to spy on its customers.  Smaller companies will be required to build such a capability if the government asks.

The bill also allows the government to serve a warrant on a software company outside the U.K. to spy on its customers if asked to.  It would seem that their ability to enforce such a warrant is limited.  Say they want Daesh (ISIS) to build them a back door.  It is not clear exactly who they would serve it on, but it is pretty clear it would be ignored.  In fact, since the Germans, for example, have stated clearly that they do not support such a law, it could be hard to enforce in Germany.

The British government could try to stop users from downloading German or other software, but that is likely hard to do unless they disconnect from the Internet, which would likely cause bigger problems for the British economy.

The British Parliament committees who have looked at this bill have had significant concerns, and since the process of legislating in the U.K., like in the U.S., is similar to watching sausage being made (i.e. somewhat nauseating), we shall see what comes of this.

Information for this post came from Tech Crunch.

New York tracks you by your license plate – and keeps it

According to an item in USA Today, counties in New York State not only snap pictures of your license plate, but keep them in a database with date-time and location information.

The data is accessible by police throughout the state as well as the Department of Homeland Security.

If you take a bunch of pictures of your license plate at different times, you can piece together a picture of where you go, what you do and who you connect with.

I suspect that the courts will say that when you are out and about you have no reasonable expectation of privacy.  You and I might view it differently, but I doubt the courts will.

Here is the interesting part of this.  While the cameras can be used to ferret out stolen cars, wanted people and expired license plates, that group, collectively, probably represents 1/100th of 1 percent of the pictures taken.  The rest are people going about their daily business, not committing a crime and being watched.

There is no central database;  each county does their own thing and there are no statewide rules about it.

Here is a little data:

  • Monroe, Albany, Westchester and New York City keep the data for 5 years.
  • The New York State Police keeps the data for 5 years also.  They have 140 cameras.
  • Erie and Onondaga counties keep the data for 1 year.
  • Monroe county had 3.7 million snapshots as of last week.
  • Onondaga county had 5.2 million as of a couple of weeks ago.
  • Albany county, where the state capital is, had 37 million pictures.
  • Erie county said they have the capacity to store 12 million pictures and plan to add more storage.
  • Most agencies declined to say how many pictures they had.

In a sense, this is like the NSA – no rules, no watchdogs, no transparency – just trust us.

To me, that doesn’t seem like a really good plan – just saying!