Security And Privacy In A Brave New Work From Home World

from the security-from-home dept

We have moved to a radically remote posture, leaving a lot of empty real-estate in corporate offices and abandoning the final protections of the digital perimeter. For years, we’ve heard that the perimeter is dead and there are no borders in cyberspace. We have even had promises of a new and better style of working without being bound to a physical office and the tyranny and waste of the commute. However, much like the promise of less travel in a digital age or even the total paperless office these work-life aspirations never had a chance to materialize before COVID-19 forced us to disperse and connect over the Internet. This has massive implications on corporate culture and productivity. More immediately, the surge in use of remote work capabilities has consequences from a security and privacy perspective that cannot be ignored.

For some, working from home isn’t new. This is especially true for those in sales and field marketing across many industries or for knowledge workers, such as federal government employees that are familiar with their telecommuting contract. The day after the “stay home” order is given, the rest of the company suddenly find themselves doing the math on how to stay productive, whether they are the 20% of largely general and administrative or management staff who are always in the office for a young tech startup or the 80% of all employees at a big blue chip company. Some already have a laptop that they bring with them everywhere and are used to bringing home, but for others it’s time to spark up the family computer or get a hastily issued company laptop and try to get it running without an IT technician parked at their elbow to help. Others will grab a tablet or a smartphone, once relegated to mostly personal use, and repurpose it to attend to professional needs. Any way you look at it, the enterprise footprint just grew and radically changed in a 24 hour period.

From a security perspective, the basics are critical. This is true whether a company is a mature security shop or not—risk management is the lodestar. It starts with a risk analysis and dialog. You’ll need to first create a master list of security essentials and rank them in order of sensitivity, likelihood and impact. The reality is that you can do anything, but you can’t do everything; and ultimately this is a triage game.

High on the list are concerns about misinformation, weaponized information and social engineering. While companies can’t control machines that they don’t own, they have to try to get the most secure endpoints they can and ensure identity integrity. This means emphasizing what channels are appropriate or not for employees and their families for information: news networks, websites and the like. But COVID-19 is our new common watering hole, and malicious actors are manufacturing phishing attacks, devilish spear-phishing campaigns, rogue applications and more. Regular, short, routine communications to remind people of the basics, to gain a pulse on the organization and to provide clear policies are essential.

Also at the highest level of concern is securing the connection to the network and back into the environment. This requires VPN connections, strong authentication and endpoint prevention and detection controls. In the back office generally and in the security operations center specifically, baselines from which anomalies are normally noted for focus will be in flux; everything will look like an anomaly for a while in the brave new remote world.

Which brings us to the most difficult of topics: privacy.

Did employees bring notes and data home before the office closure? Are they creating IP and data protected by privacy laws and regulations as they continue to do business? Who is in the immediate environment physically? These are some of the critical questions. In some cases you may never know the answers to these questions or you may not have a right to know the answers but must appreciate others’ living situations and assume some worst case scenarios.

There are still more questions. Should cameras be on for conference calls when employees might be embarrassed of their personal space being seen by colleagues? Should they use headsets when a life partner might work for another company or even a competitor or perhaps a roommate might simply overhear sensitive information? Do we encourage them to care for a child when they are crying or do workers feel the need to hide their families? While many companies have previously developed “work from home” policies now we are beginning to understand what is really needed for remote, working employees. Now is the time to take a fresh look at privacy in your work from home policy.

Finally, we must understand the adversary is moving into a new normal as well. They may not be able to immediately exploit all weaknesses or even any given weakness. They too will pursue the lowest hanging fruit while investing in some longer term R&D to develop new attacks specifically for the home environment. Threat actors may be purchasing tools from cybercriminals, mining existing botnets to see what IP is on those already-compromised machines or targeting home automation, printers and routers after triangulating IP addresses and digital locations for targets. In the weeks ahead, targeting new dimensions of technical diversity and innovating to develop new attack vectors will be the name of the game for the bad guys.

The future is very much a moving target for security and privacy professionals. Here is where the ongoing maintenance on an ongoing basis is critical: watching vulnerabilities in the new battery of enterprise applications for remote productivity, moving to the next order of vulnerabilities and so on. This might involve extending IT support and patching advice to home users on how to secure their home network, how to configure Amazon or Alexa devices or new tools and services for secure note-taking, collaboration, use of newly available standard operating environment systems and so on. In short, the game of security and privacy will be about rates of adaptation between asymmetric opponents.

The brave new work from home world would be best if it was short lived, but the genie won’t go back in the bottle. While the economy will adapt and move on at some point, it’s too early to tell what percentage of current remote workers will continue to work from home permanently in a post COVID-19 world or if we will return to the tyranny of the commute. Regardless, the lasting effect of innovation on both attack and defense will persist. As has been said, never waste a good crisis: let’s hope that IT, corporate culture, security and privacy all benefit from the current situation to make a more productive and humane cyber world when we return to a more normal epidemiological world.

Sam Curry is Chief Product and Security Officer at Cybereason.
Ari Schwartz was Special Assistant to President Obama for Cybersecurity and Is Managing Director for Cybersecurity Services at Venable.

Filed Under: cybersecurity, privacy, security, work from home

Cybersecurity Firm Hired By Voatz To Audit Its System Finds Voatz Is Full Of Vulnerabilities

from the bringing-new-attack-vectors-to-previously-excluded-voters dept

Mobile voting app Voatz is still a mess. Two years ago, West Virginia decided to give the app a spin to allow some voters to vote from home during the midterm elections. Nobody in the security world thought this was a good idea. The only people who did feel this was a safe, secure way to collect votes were state legislators and Voatz itself. Some early poking and prodding by security researchers immediately found problems with Voatz's handling of votes, including out-of-date SSH and unproven facial recognition tech that was supposed to verify voters by matching their selfies to their government IDs.

Two-and-a-half years later, not much has improved. Voatz is still courting state governments, trying to talk them into using its app to allow the housebound and those overseas to vote in their elections. An MIT study of the software found multiple issues, including flaws that would allow attackers to intercept votes -- and alter or trash them -- without anyone on either end realizing they'd been hacked.

Voatz responded badly, insulting the researchers and claiming its server-side software would miraculously prevent the described attack from happening. When the researchers pointed out Voatz was wrong about its own software, it published a blog post attacking the researchers as "publicity hounds" seeking to disrupt the election process.

Another month has passed and it's more bad news for Voatz. Voatz and Tusk Philanthropies hired cybersecurity firm Trail of Bits to perform a security audit of its software. Guess what? It's still a mess.

Our security review resulted in seventy-nine (79) findings: forty-eight (48) technical and thirty-one (31) in the threat model. A third of the findings are high severity, another third medium severity, and the remainder a combination of low, undetermined, and informational severity.

More specifically, it's pretty much everything about the entire system:

Voatz’s code, both in the backend and mobile clients, is written intelligibly and with a clear understanding of software engineering principles. The code is free of almost all the common security foibles like cryptographically insecure random number generation, HTTP GET information leakage, and improper web request sanitization. However, it is clear that the Voatz codebase is the product of years of fast-paced development. It lacks test coverage and documentation. Logical checks for specific elections are hard-coded into both the backend and clients. Infrastructure is provisioned manually, without the aid of infrastructure-as-code tools. The code contains vestigial features that are slated to be deleted but have not yet been (TOB-VOATZ-009). Validation and cryptographic code are duplicated and reimplemented across the codebase, often erroneously (TOB-VOATZ-014). Mobile clients neglect to use recent security features of Android and iOS (TOB-VOATZ-034 and TOB-VOATZ-042). Sensitive API credentials are stored in the git repositories (TOB-VOATZ-001). Many of its cryptographic protocols are nonstandard (TOB-VOATZ-012).

This is software that's been used by governments to collect more than 80,000 votes in more than 50 elections. This is the software Sen. Ron Wyden has called "snake oil." When Voatz actually attempts to fix something, it sometimes makes it worse. From Motherboard's report on the Trail of Bits audit:

In at least one instance, a fix that Voatz put in place to address a vulnerability resulted in a new bug. In this instance, Trail of Bits initially identified an issue where an attacker with knowledge of the target's phone number could hijack the target's Voatz account during re-registration process, locking the target out of the account and giving the attacker access. Voatz fixed this issue, but the fix it put in place introduced a new issue that "can allow an attacker to bypass SMS verification during pre- and re-registration." Voatz said this issue was fixed, but Trail of Bits could not independently confirm because it did not have access to the updated, supposedly fixed code.

Voatz continues to seek shelter in the comforting embrace of denial, even when faced with findings from researchers it hired to audit its software. The company's CEO, Nimit Sawheny, told Motherboard that while he didn't dispute any of the technical details, Voatz is still safe to use because the deficiencies highlighted were "theoretical" and that he had not seen any proof yet that Voatz has been hacked.

Even theoretical holes can do real damage, once attackers figure out how to exploit the flaw. Just because Voatz hasn't been hacked yet doesn't mean it won't be. And it won't get more hack-proof if the company continues to downplay researchers' findings or -- in the case of the MIT study -- publicly attack people who are doing everything they can to ensure elections aren't disrupted (or hijacked) by malicious parties.

Worse, even as Trail of Bits was confirming the findings of the MIT report, the company's CEO continued to claim MIT's findings were mere "opinion" and that this report was filled with errors. This led to the following statement from the MIT team:

"It is profoundly troubling to hear that Voatz was aware that the vulnerabilities found in our research were still active at the same time they were misrepresenting and downplaying our findings to the Department of Homeland Security, state elections officials, and the public," the authors of the MIT report told Motherboard in a statement.

Bringing voting options to people who previously had no choice but to sit out elections is important. But that doesn't mean the American public should be forced to settle for half-assed solutions just because something better isn't available at the moment. No parent wants to hear their child is ugly and full of security flaws, but Voatz's insistence on attacking researchers and their findings does not make the company seem any more trustworthy or capable of providing a secure mobile voting option.

Filed Under: blockchain, cybersecurity, electronic voting, mobile voting, security
Companies: voatz

Ring Says It Helps Cops Fight Crime But The Data Shows It's No Better At This Than Any Other Security Camera

from the and-its-competitors-aren't-dragged-down-by-law-enforcement-baggage dept

The number of law enforcement agencies Ring partners with continues to grow -- up to nearly 900 by the latest count. Ring pitches its devices to homeowners as a better way to keep their homes secure. And maybe it is. But the pitches it makes to law enforcement agencies are something else.

Ring drives this particularly questionable engagement by insinuating people who've received free or cheap cameras will become part of a surveillance network overseen by cops, who will be able to solve tons of crimes and receive tons of footage from compliant recipients without a warrant.

None of this appears to be happening. While homes with Ring cameras are arguably more secure, the same could be said for any consumer camera -- most of which aren't handed to homeowners by law enforcement. A recent report by Cyrus Farivar for NBC News shows there's not much crime being solved by the vast network of Ring cameras and the company's hundreds of law enforcement partners. (via Jeffrey Nonken in the Techdirt chat window)

Thirteen of the 40 jurisdictions reached, including Winter Park, said they had made zero arrests as a result of Ring footage. Thirteen were able to confirm arrests made after reviewing Ring footage, while two offered estimates. The rest, including large cities like Phoenix, Miami, and Kansas City, Missouri, said that they don’t know how many arrests had been made as a result of their relationship with Ring — and therefore could not evaluate its effectiveness — even though they had been working with the company for well over a year.

The extensive agreements with Ring -- ones that allow the company to write press releases and veto law enforcement statements it doesn't like -- apparently don't require any sort of data gathering or reporting that would tie Ring cameras to arrests. The report says none of the 40 departments contacted collect data that might indicate whether or not the increased installation of cameras has reduced crime or resulted in more arrests.

Ring cameras may be everywhere, but their contribution to combating crime is apparently no greater than its competitors. Any other camera company could boast it's contributed just as much as Ring has, all without blurring the line between public and private by aggressively courting law enforcement agencies. The list of criminals taken down by Ring footage reads like a small town paper's police blotter:

Of the arrests that police connected to Ring, most were for low-level non-violent property crimes, according to interviews and police records reviewed by NBC. These arrests detailed the theft of a $13 book, the theft of a Nintendo Switch video game console (and several items, including two coffee mugs, purchased from the Home Shopping Network valued at $175. In Parker County, Texas, two people were arrested for allegedly stealing a dachshund named Rufus Junior, valued at $200.

These are the success stories. And that's from agencies that actually have success stories to relate. Most don't have anything to talk about or are only reporting a very small number of arrests in relation to their cities' overall property crime rate.

But it has opened a dialog of sorts between citizens and law enforcement. Some people view their cameras and the law enforcement portal as a "may I speak to the manager" connection.

Ring makes it so frictionless to share footage with police that some residents submit videos of anything they find displeasing, even when there is no indication that a crime has been committed, Lt. Santos, of Winter Park, said.

“We’ve gotten videos of racoons in the yard, with people saying, ‘Hey, can you deal with these racoons?’” he said. “That’s the type of people we’re dealing with. They’re constantly sending us video clips.”

Ring continues to insist its hundreds of law enforcement partnerships makes citizens safer. But outside of a handful of arrests related to small property crimes, there's nothing in the data that suggests the thousands of cameras and hundreds of partnerships has actually increased public safety.

Filed Under: doorbells, law enforcement, overhype, policy, ring, security
Companies: amazon, ring

Surprise! MIT Study Claims Voatz E-Voting Technology Is A Security Dumpster Fire

from the we've-kinda-been-over-this dept

You'd be pretty hard pressed to find a single respected cybersecurity expert that thinks voting via smartphone is a good idea. There's just too many potential attack vectors as your voting data floats from your personal device, across the internet, and into the final tally repository. Despite this there's an endless chorus of political leaders, cities, and states who continue to insist they know better. From West Virginia to Washington State, the quest for great inclusivity in voting access often results in people ignoring these warnings in the belief that they're helping.

The West Virginia effort has been handed over to internet voting vendor Voatz, whose smartphone voting system had already been criticized for being risky and insecure. Last November, Senator Ron Wyden wrote to the Pentagon to raise concerns about Voatz’s security and to ask for a full audit of the app.

Criticism of the company grew much louder this week after MIT researchers released a paper (pdf) showing how Voatz's technology has some fairly basic problems that would let an attacker intercept votes as they’re transmitted from mobile phones to the voting company’s server -- without anybody being the wiser:

"We find that Voatz has vulnerabilities that allow different kinds of adversaries to alter, stop, or expose a user’s vote, including a sidechannel attack in which a completely passive network adversary can potentially recover a user’s secret ballot. We additionally find that Voatz has a number of privacy issues stemming from their use of third party services for crucial app functionality. Our findings serve as a concrete illustration of the common wisdom against Internet voting, and of the importance of transparency to the legitimacy of elections."

While Voatz has repeatedly complained that its blockchain technology should have protected this from happening, the researchers found said implementation wasn't actually implemented in the way the company claimed, providing no additional security protection to the vote transmissions. On top of those issues, computer science professor Alex Halderman found other issues with the certificate pinning and servers Voatz implemented:

The New York Times, which first reported the research, notes that a copy of the findings had already been submitted to the Department of Homeland Security and the various election officials who've signed off on the platform. Like many e-voting companies, Voatz claims transparency isn't really necessary because it utilizes an array of anonymous experts to audit the company's systems. But the findings of those audits have yet to be made public, even to the officials using the systems. See the problem yet?

For its part, Voatz's response has been to double down on its previous positions while insulting the researchers that disclosed the problem, insisting that server-side protections would thwart the theoretical attack (cybersecurity experts were quick to disagree). The company issued a blog post in which it accused the researchers (MIT's Michael Specter, James Koppel and Daniel Weitzner) of being publicity hounds and attempting to "deliberately disrupt the election process":

"It is clear that from the theoretical nature of the researchers’ approach, the lack of practical evidence backing their claims, their deliberate attempt to remain anonymous prior to publication, and their priority being to find media attention, that the researchers’ true aim is to deliberately disrupt the election process, to sow doubt in the security of our election infrastructure, and to spread fear and confusion."

When every single respected infosec researcher and journalist is telling you e-voting can't be adequately secured and your solution to that problem is flawed and will only make that problem worse, insulting and ignoring researchers isn't a great look. Compounded by the GOP's refusal to pass any election security bills of note, and you can start to see how we're just begging for problems on what could potentially someday be a catastrophic scale.

Filed Under: blockchain, e-voting, mobile voting, research, security
Companies: voatz

China's To Blame For The Equifax Hack. But It Shouldn't Let Equifax, Or US Regulators, Off The Hook.

from the plenty-of-blame-to-go-around dept

The Department of Justice this morning formally announced that it has identified the Chinese government as the culprit behind the historic Equifax hack. If you've forgotten, the 2017 hack involved hackers making off with the personal financial data of more than 147 million Americans. Those victims were then forced to stumble through an embarrassing FTC settlement that promised them all manner of financial compensation that mysteriously evaporated once they went to collect it.

According to the FTC's press release and the indictment (pdf), the four Chinese government employees responsible for the hack were all members of the People’s Liberation Army's 54th Research Institute, an extension of the Chinese military. The four exploited a vulnerability in the Apache Struts Web Framework software used by Equifax’s online dispute portal to first gain access to Equifax's systems, then ran more than 9,000 queries before managing to offload both consumer financial data and "proprietary Equifax info" (mostly related to databases) to a Dutch server.

In a statement, Equifax was happy to see the onus shifted entirely onto the backs of the Chinese:

"Cybercrime is one of the greatest threats facing our nation today, and it is an ongoing battle that every company will continue to face as attackers grow more sophisticated. Combating this challenge from well-financed nation-state actors that operate outside the rule of law is increasingly difficult. Fighting this cyberwar will require the type of open cooperation and partnership between government, law enforcement and private business that we have experienced firsthand."

That rhetoric was mirrored in the DOJ's announcement and Bill Barr's speech, which repeatedly framed the entire Equifax saga as largely a victory for U.S. national security:

"The size and scope of this investigation — affecting nearly half of the U.S. population, demonstrates the importance of the FBI’s mission and our enduring partnerships with the Justice Department and the U.S. Attorney’s Office. This is not the end of our investigation; to all who seek to disrupt the safety, security and confidence of the global citizenry in this digitally connected world, this is a day of reckoning."

Except there are a few things both Equifax and Bill Barr forget to mention. One, the vulnerability that allowed the hackers to gain access to this data was known about by Equifax months before the attack and the company did nothing about it. Two, that this data wouldn't be available to steal if companies like Equifax hadn't made an industry out of collecting this sort of data -- without consumer consent and with no way for consumers to opt out -- in the process creating such a delicious target. A target they then failed to adequately secure and protect.

So yes, while it's certainly great we've identified the hackers (who'll never see the inside of a jail cell), this entire mess could have been avoided.

A few lawmakers, like Senator Mark Warner, were quick to applaud the investigation while highlighting how it shouldn't distract from Equifax's failures:

"The indictment does not detract from the myriad of vulnerabilities and process deficiencies that we saw in Equifax’s systems and response to the hack,” Senator Mark Warner said in a statement provided to Motherboard. “A company in the business of collecting and retaining massive amounts of Americans’ sensitive personal information must act with the utmost care – and face any consequences that arise from that failure."

Another thing neither Equifax or Bill Barr likely want to highlight is that the penalty for Equifax -- and the FTC settlement for consumers -- was little more than a cruel joke. While the $575 million FTC settlement was bandied about for being a "record" deal, like most hack/breaches, the final penalty was a far cry from the money made from collecting and selling access to this data for decades. And the consumer "compensation" aspect of the deal involved both useless "free" credit reporting software and $125 cash payouts that mysteriously disappeared when victims went to collect them, adding insult to injury.

A lack of any meaningful US privacy law for the internet era means there's repeatedly no real punishment for companies that fail to secure the vast troves of data they're now collecting on your every waking moment. Nor is there any real compensation for consumers who may not have wanted this data collected, stored, and sold to every nitwit with a nickel. There are so many points of failure here -- from corporations that treat privacy and security as an afterthought to captured regulators too feckless to do anything about it -- that focusing too extensively on national security risks us learning absolutely nothing from the experience.

Filed Under: china, cybersecurity, data breach, doj, security, william barr
Companies: equifax

Criminal Charges Finally Dropped Against Security Researchers Who Broke Into An Iowa Courthouse

from the all's-well-that-ends-unceremoniously dept

Security research isn't a criminal activity, no matter how many companies might wish otherwise when their bad security practices are exposed. But a couple of researchers working for Coalfire Security found themselves arrested and charged after performing a physical penetration test of an Iowa courthouse. Testing the physical security boundaries of the courthouse didn't go exactly as planned once the local sheriff showed up.

The two employees, Justin Wynn and Gary De Mecurio, showed Dallas County Sheriff Chad Leonard their credentials and the contract supposedly permitting them to perform a B&E but it didn't matter to Sheriff Leonard.

It did matter to Iowa Court officials, who said the test had been authorized... but perhaps not exactly on those terms. And it mattered to their employer, which wrote an angry letter demanding to know why Coalfire's employees were still locked up even after things had been (mostly) cleared up by courthouse officials.

The sheriff refused to budge, claiming it was his sacred duty to protect taxpayer-funded courthouses from out-of-town interlopers (or words to that effect). Coalfire's CEO, Tom McAndrew, was less than enthused with the sheriff's self-assessment. He said Sheriff Leonard was actually hurting taxpayers more than helping them by locking up people trying to increase courthouse security and prevent unauthorized access to sensitive records and documents.

Nearly three months later, prosecutors have finally backed down. Apparently, enough pressure can result in the prosecutorial discretion we hear so much about when prosecutors and politicians claim broadly-worded laws won't result in a bunch of collateral damage.

Originally charged with third-degree felonies, the charges were reduced to misdemeanor trespassing after the story began gaining traction outside of Iowa. Those charges have now been dropped as well.

Dallas County Attorney Charles Sinnard and Coalfire officials released a joint statement Thursday in which they said they agreed to drop the charges when it became clear the Coalfire employees and the responding law enforcement had the community's safety in mind.

"Ultimately, the long-term interests of justice and protection of the public are not best served by continued prosecution of the trespass charges," they wrote in a statement provided by Sinnard. "Those interests are best served by all the parties working together to ensure that there is clear communication on the actions to be taken to secure the sensitive information maintained by the judicial branch, without endangering the life or property of the citizens of Iowa, law enforcement or the persons carrying out the testing."

This is great but it seems like something that could have been cleared up three months ago and without putting felony arrests on the researchers' permanent records. The testing could have been handled a bit better by everyone involved but it's pretty tough to stress-test physical security measures without utilizing methods targets won't necessarily expect to be used. Breaking into courthouses is certainly unexpected. But once judicial reps made it clear the court system had engaged the service to test security, the researchers should have been released by the sheriff and all charges dropped. Instead, this got dragged out for another three months, providing more evidence there's nothing all that secure about a career in security research.

Filed Under: breaking and entering, chad leonard, charges, courthouse, dallas county, iowa, security, security research
Companies: coalfire security

Should Your Antivirus Software Be Spying On You?

from the there-is-no-privacy dept

Back in August, Wladimir Palant, the creator behind Adblock Plus, wrote a blog post detailing how Avast Online Security and Avast Secure Browser were collecting and selling the browsing data of the Czech company's 400 million users. In response, both Opera and Mozilla pulled Avast extensions from their respective add on markets, forcing Avast CEO Ondrej Vlcek to go on a PR tour last month to downplay the issue.

Vicek's going to have another busy week. A joint investigation by both Motherboard and PC Magazine (you should read both) obtained documents highlighting how the company collects the browsing data of its 450 million active antivirus customers, then, with the help of a third party outfit named Jumpshot, sells access to that data to a laundry list of companies:

"The data obtained by Motherboard and PCMag includes Google searches, lookups of locations and GPS coordinates on Google Maps, people visiting companies' LinkedIn pages, particular YouTube videos, and people visiting porn websites."

Throughout the scandal, Avast, like so many other companies trafficking in your daily habits, insisted that this collection wasn't that big a deal because this collected data was "anonymized." But there's an endless list of studies showcasing how anonymized data isn't really anonymous, and user data of this type can easily be identifiable with just a small number of additional data points. "Anonymization" is treated as some silver bullet magical get out of jail free card in countless privacy policy conversations, and it really shouldn't be.

PC Mag, for example. highlights how it would take Amazon seconds to identify you from the data they buy from Avast based on the timing of purchases at Amazon. For example a single chunk of anonymized data like this on your clicking habits:

"Device ID: abc123x Date: 2019/12/01 Hour Minute Second: 12:03:05 Domain: Amazon.com Product: Apple iPad Pro 10.5 - 2017 Model - 256GB, Rose Gold Behavior: Add to Cart"

...can pretty easily be used to identify you and build a not-so anonymous profile:

"At first glance, the click looks harmless. You can't pin it to an exact user. That is, unless you're Amazon.com, which could easily figure out which Amazon user bought an iPad Pro at 12:03:05 on Dec. 1, 2019. Suddenly, device ID: 123abcx is a known user. And whatever else Jumpshot has on 123abcx's activity—from other e-commerce purchases to Google searches—is no longer anonymous."

Given we long ago prioritized profits over user security, this certainly isn't new behavior. The telecom sector has been engaged in the same behavior for years, often either outright lying or denying that detailed data collection was happening. It was also reflected by the wireless industry's cellular location data scandals, which highlighted how your wireless carrier collects your every waking movement and then sells access to that data to pretty much any nitwit with a nickel. Nobody cared how that data could or would be abused, ensuring that it repeatedly was -- by everyone from stalkers to law enforcement.

While telecom, app makers, and a laundry list of other companies have been doing this sort of thing for years, you'd think we'd hold security software to a higher standard. Apparently not.

Update: After this article was written, Avast's CEO came out with a statement stating that the company would be shutting down its data collection and sale efforts, and terminating its relationship with Jumpstart. Again, something that would have never happened if a journalist hadn't discovered it:

"As CEO of Avast, I feel personally responsible and I would like to apologize to all concerned. Protecting people is Avast’s top priority and must be embedded in everything we do in our business and in our products. Anything to the contrary is unacceptable. For these reasons, I – together with our board of directors – have decided to terminate the Jumpshot data collection and wind down Jumpshot’s operations, with immediate effect.

That's of course the right way to respond to such a scandal. That said, since there's no real privacy rules for the internet era and no real penalties for companies that routinely lie about this sort of thing, there's really not much (aside from journalists and bad PR) stopping Avast from reconstituting this program in a more modest form at a later date under a different name. And for every CEO like Palant, there's probably 10 executives who couldn't give any less of a shit about user privacy, and see it as their god-given right to hoover up your data and sell it to every nitwit with a nickel.

Filed Under: antivirus, browser data, data, ondrej vlceck, security, spyware
Companies: avast

Dear Reuters: This Is NOT How You Report On Dishonest, Disingenuous Talking Points From US Officials Regarding Encryption

from the come-on-guys dept

Attorney General William Barr and his DOJ and FBI have really ramped up their bullshit campaign against the public being able to use encryption. President Trump himself weighed in himself with some ignorant statements, suggesting that Apple owes him some sort of quid pro quo, because his policies may have helped them on trade:

We are helping Apple all of the time on TRADE and so many other issues, and yet they refuse to unlock phones used by killers, drug dealers and other violent criminal elements. They will have to step up to the plate and help our great Country, NOW!

This is dumb and wrong for many, many reasons. First of all, no matter what the US government has done on an unrelated issue, that doesn't mean that Apple should do something on a totally different issue. Second, the issue is not Apple "refusing to unlock phones used by killers, drug dealers and other violent criminal elements." It's Apple offering encryption that protects all of us. It is not possible for Apple to "unlock" the phones of criminals without doing so for everyone else as well, putting everyone's information at tremendous risk. And, for very little benefit, seeing as there are multiple private companies who have figure out how to crack iPhone encryption and which the DOJ and other law enforcement agencies are already using.

Indeed, outside of the President and the DOJ, other parts of the federal government have come down against having Apple break encryption, including the intelligence community and the Defense Department who recently told Congress how important general purpose consumer encryption is in protecting national security.

But, because only the other side of the debate seems to get any attention, and because Trump toady's feel the need to kiss up to the President, now we have Treasury Secretary Steve Mnuchin, also repeating nonsense about Apple and encryption:

“I understand the president’s view, and it is absolutely critical for our technology companies to cooperate with law enforcement,” Mnuchin told CNBC in an interview.

Mnuchin later told reporters at the White House that he had not discussed the issue with Apple and did not know the specifics at hand. “I know Apple has cooperated in the past on law enforcement issues, and I expect they would continue ... to cooperate.”

Damn straight he doesn't "understand the specifics at hand." Still, political grifters spewing nonsense is nothing new. What frustrates me is how Reuters framed this story. Its headline blared: "Mnuchin urges Apple, other technology companies to work with U.S. law enforcement"

That's really bad framing, because it suggests to basically everyone (totally incorrectly) that the issue here is that Apple and other tech companies are somehow not "working with U.S. law enforcement." Except they are. Where possible and where reasonable and allowed by law. The issue at play when it comes to encryption literally has absolutely nothing to do with whether or not tech companies should or should not "work with" law enforcement, but rather whether they should put all of our security at risk, in order to make it marginally easier in a few limited cases for law enforcement to get into phones it probably already has access to through other means.

When framed that way, it's obviously dumb. But anyone reading Reuters' coverage of the issue won't get that. They'll think that Apple is somehow taking some sort of stand against US law enforcement. This is what Trump, Barr, and apparently Mnuchin, would like people to think, but it's not true, and it's fundamentally bad journalism for Reuters to frame it that way.

Filed Under: doj, donald trump, encryption, going dark, law enforcement, security, steve mnuchin, william barr
Companies: apple, reuters

Ring Throws A Moist Towelette On Its Dumpster Fire With A Couple Of Minimal Security Tweaks

from the [yelling-over-the-roaring-flame]-WE-CARE-DEEPLY-ABOUT-OUR-USERS dept

Things have gotten worse and worse for Amazon's Ring over the past several months. Once just the pusher of a snitch app that allowed city residents to engage in racial profiling from the comfort of their homes, Ring is now synonymous with poor security practices and questionable "partnerships" with hundreds of law enforcement agencies around the nation.

Ring owners recently discovered how easily their cameras could be hijacked by assholes with no moral compass and too much time on their hands. Using credentials harvested from security breaches, online forum members took control of people's cameras to entertain a podcast audience who listened along as hijackers verbally abused Ring owners and their children.

Ring is now being sued for selling such an easily-compromised product. Ring's response to the original reports of hijackings was to blame customers for not taking their own security more seriously. Ring does recommend two-factor authentication but that's about all it does. It does not inform users when login attempts are made from unrecognized IP addresses or devices, and does not put the system on lockdown after a certain number of failed attempts are made.

Yes, users should use strong passwords (and not reuse passwords), but blaming customers for engaging in behavior most customers will engage in is unproductive. Instead of making two-factor authentication a requirement before deployment, Ring has just repeatedly pointed to its prior statements about its "encouragement" of 2FA -- an "encouragement" that is mostly comprised of defensive statements issued in response to another negative news cycle.

Since it can't keep blaming its millions of customers for its own failings, Ring is taking a very, very small step in the direction of actually taking its customers' security seriously. [Please hold your tepid applause until the end of the announcement.]

Ring has announced that it is adding a new privacy dashboard to its mobile apps that will let Ring owners manage their connected devices, third-party services, and whether local police partnered with Ring can make requests to access video from the Ring cameras on the account. The company says that other privacy and security settings will be added to the dashboard in the future. This new Control Center will be available in the iOS and Android versions of the Ring app later this month.

It's barely enough to make any one feel whelmed, much less overly so. There are two small additions that put this ahead of what Ring offered prior to the newsworthy camera hijackings. First, the app will allow users to see who's logged in at any given time and logout unrecognized IP addresses or locations from within the app.

The second addition finally puts some (baby) teeth into Ring's 2FA recommendation:

[R]ing is continuing to inform its customers of the importance of two-factor authentication on their accounts and will be making it an “opt-out” thing for new account setups, as opposed to the opt-in setup it currently is.

Swell. So that's kind of… fixed. I guess. Now Ring just needs to work on all the other problematic things about itself, like the fact that it's still not going to notify users when new IP addresses, devices, or locations attempt to access their cameras. And it's not going to stop using cop shops as Ring marketing street teams. And for all of its insistence footage is never handed over to cops without the proper paperwork, it still deals from the bottom of the deck by claiming end users own all their footage even as it's handing this footage to law enforcement without the end user's permission or involvement.

Ring has a lot to fix if it's ever going to make its way out of the PR pit it's dug for itself. This is something, but it's just barely something. It's not enough. And it says Ring still isn't serious about protecting its customers -- not from law enforcement and not from malicious idiots who've found a new IoT toy to play with.

Filed Under: cybersecurity, dashboard, doorbells, police, ring doorbell, security
Companies: amazon, ring

Disappointing: Apple The Latest To Abuse DMCA 1201 To Try To Stifle Competition, Security Research, Jailbreaking And More

from the come-on-guys dept

Back in August, Apple kicked off an already questionable lawsuit against Corellium, makers of virtualization software that would let users create and interact with "virtual" iOS devices. It is a useful tool for a variety of reasons, including (importantly) for security researchers trying to hunt down bugs on a virtual iPhone. Over the last few months, security researchers in particular have been raising the alarm about this lawsuit. Then, just before the New Year, Apple made things much, much worse, with its amended complaint, that takes Section 1201 of the DMCA to new and even more ridiculous heights.

As Corellium's CEO Amanda Gorton noted in an open letter, this appeared to be Apple using copyright law to completely shutdown the idea of jailbreaking:

Apple’s latest filing against Corellium should give all security researchers, app developers, and jailbreakers reason to be concerned. The filing asserts that because Corellium “allows users to jailbreak” and “gave one or more Persons access… to develop software that can be used to jailbreak,” Corellium is “engaging in trafficking” in violation of the DMCA. In other words, Apple is asserting that anyone who provides a tool that allows other people to jailbreak, and anyone who assists in creating such a tool, is violating the DMCA. Apple underscores this position by calling the unc0ver jailbreak tool “unlawful” and stating that it is “designed to circumvent [the] same technological measures” as Corellium.

Apple is using this case as a trial balloon in a new angle to crack down on jailbreaking. Apple has made it clear that it does not intend to limit this attack to Corellium: it is seeking to set a precedent to eliminate public jailbreaks.

We are deeply disappointed by Apple’s persistent demonization of jailbreaking. Across the industry, developers and researchers rely on jailbreaks to test the security of both their own apps and third-party apps – testing which cannot be done without a jailbroken device. For example, a recent analysis of the ToTok app revealed that an Apple-approved chat app was being used as a spying tool by the government of the United Arab Emirates, and according to the researchers behind this analysis, this work would not have been possible without a jailbreak.

You really should read the Apple filing directly. It is not subtle in what it is seeking to argue. It claims that any virtualization of its software is copyright infringement, and that any attempt to jailbreak its software violates Section 1201 of the DMCA, which is the anti-circumvention or "digital locks" part of the DMCA. We've long found 1201 to be incredibly problematic in general, and believe it should be dumped entirely as it has served to regularly prevent perfectly legal uses that might create competition. Here, however, Apple is taking the argument much, much further, and suggesting that because some security researchers might use the product for bad reasons, that alone proves that Corellium's offering is not done in good faith.

A key argument is that because security researchers using Corellium don't always report bugs directly to Apple, that proves Corellium is a bad actor. This is a huge stretch and would be a very dangerous interpretation of the law.

Although Corellium paints itself as providing a research tool for those trying to discover security vulnerabilities and other flaws in Apple’s software, Corellium’s true goal is profiting off its blatant infringement. Far from assisting in fixing vulnerabilities, Corellium encourages its users to sell any discovered information on the open market to the highest bidder. Indeed, Corellium’s largest customer admits that it has never reported any bugs to Apple.

Apple strongly supports good-faith security research on its platforms, and has never pursued legal action against a security researcher. Not only does Apple publicly credit researchers for reporting vulnerabilities, it has created several programs to facilitate such research activity so that potential security flaws can be identified and corrected. Apple’s programs include providing as much as $1 million per report through “bug bounty” programs in accordance with the provisions of those programs. Apple has also announced that it will provide custom versions of the iPhone to legitimate security researchers to allow them to conduct research on Apple devices and software. These efforts recognize the critical role that members of the security research community play in Apple’s efforts to ensure its devices contain the most secure software and systems available.

The purpose of this lawsuit is not to encumber good-faith security research, but to bring an end to Corellium’s unlawful commercialization of Apple’s valuable copyrighted works. Accordingly, Apple respectfully seeks an injunction, along with the other remedies described below, to stop Corellium’s acts of naked copyright infringement.

Before we get into the legal issues, just note carefully what Apple is arguing in the above three paragraphs. It is saying, in effect, that the only "good-faith security research" is that done in accordance with Apple's concept of what is good-faith research. That should worry everyone. While it is true that Apple is rather accommodating of many security researchers, allowing the company determine what qualifies as good security research practices of its own products, with significant legal liability associated with falling on the wrong side, should scare everyone. Even if Apple is a good steward of the research community, tons of other companies are not. And such a precedent would be hugely problematic.

As for the specifics of the lawsuit, Apple seems particularly perturbed that Corellium advertises its products to security researchers to hunt down bugs.

In August 2019, Corellium specifically emphasized, at the international cybersecurity Black Hat USA Conference, that the Corellium Apple Product is an exact copy of Apple’s copyrighted works, designed specifically to allow researchers and hackers to research and test their vulnerabilities, by “run[ing] real iOS – with real bugs that have real exploits.” In other words, the Corellium Apple Product is designed to find and exploit flaws in iOS. And Corellium’s Apple Product does so by, among other things, enabling its users to circumvent the technological protection measures that are designed to limit where and how Apple’s copyrighted works can be used.

Relatedly, it is clear that Apple considers the process of jailbreaking itself to violate copyright laws, which is bullshit.

On April 1, 2019, Corellium again highlighted the unlawful ends to which its product is aimed by publicly acknowledging that it had given access to its platform to the developers of code used to jailbreak iOS devices called “unc0ver,” so the developers could test the jailbreaking code “on any device running any firmware” and distribute that code to the public. Within weeks, those developers released a new version of unc0ver that allowed jailbreaking of iOS 12.6 In other words, Corellium has admitted not only that its product is designed to circumvent technological protection measures Apple puts in place to prevent access

A decade ago, Apple had also tried to make the argument that jailbreaking your iPhone was copyright infringement, and partly as a result, the Library of Congress made it clear that jailbreaking mobile devices was not infringing under 1201. Indeed, the Library of Congress triennial exemptions still contain jailbreaking phones. But... part of the issue is that the exemptions only cover you jailbreaking your own device, and not a 3rd party company offering a service or software to do it for you.

The details of the 1201 claims here are important. Kyle Wiens, over at iFixit, has a really good breakdown of many of the issues. But Apple's claims seem incredibly weak here:

The Copyright Act prohibits trafficking in products that are used to modify iOS and circumvent technological controls that protect copyrighted works. These “anti-trafficking” provisions, 17 U.S.C. &section 1201(a)(2) and (b), make it unlawful for any person to “manufacture, import, offer to the public, provide, or otherwise traffic in any technology, product, service, device, component, or part thereof” that is primarily designed, produced, or marketed for the purpose of circumventing technological measures that either effectively control access to a copyrighted work (section 1201(a)(2)), or that protect the exclusive rights of a copyright owner (section 1201(b)).

But it's not at all clear how offering a virtualization product that allows for jailbreaking is "primarily designed... for the purpose of circumventing technological measures." It's primarily designed as a tool for security researchers. As Kyle points out, if Apple gets its way, that's bad news for lots of other products as well:

Apple is arguing that no one else should be able to make tooling for performing security research on their products. What happens if other companies start making the same claims?

This isn’t academic. Last year, GM sued aftermarket parts company Dorman for “overriding the security measures used in [GM]’s vehicle control modules” in their transmission repair tool. Dorman’s aftermarket transmissions moved the firmware from an existing transmission into their aftermarket part, so that it would be recognized by the vehicle and work.

John Deere has also been aggressively locking down their products, aiming to monopolize service and prevent farmers from doing repairs themselves. They opposed a DMCA exemption for farmers on the grounds that if owners could fix their own equipment, they might use their newfound freedom to pirate Taylor Swift’s music on their tractors.

As he notes, Apple understands all of this and should know better.

Meanwhile, Matt Tait, highlights that a separate, but equally problematic part of the lawsuit is the fact that Apple seems to be suggesting that the only acceptable security research is that done under Apple's approval. That's also worrying -- not because Apple is particularly bad in how it engages with security researchers (as noted above, the opposite is true). What's worrying is the precedent this would set for others, both about the nature of security work and how the DMCA 1201 might be further abused to shut down competition, ancillary markets, security research and more. It's a head-on attack on the concept of property rights and ownership, abusing the DMCA. It's an incredibly disappointing move from Apple, a company that should know better.

Filed Under: anti-circumvention, copyright, dmca, dmca 1201, good faith security research, jailbreaking, security, security research
Companies: apple, corellium