Month: March 2014

WASHINGTON — American officials have long considered Huawei, the Chinese telecommunications giant, a security threat, blocking it from business deals in the United States for fear that the company would create “back doors” in its equipment that could allow the Chinese military or Beijing-backed hackers to steal corporate and government secrets.

But even as the United States made a public case about the dangers of buying from Huawei, classified documents show that the National Security Agency was creating its own back doors — directly into Huawei’s networks.

The agency pried its way into the servers in Huawei’s sealed headquarters in Shenzhen, China’s industrial heart, according to N.S.A. documents provided by the former contractor Edward J. Snowden. It obtained information about the workings of the giant routers and complex digital switches that Huawei boasts connect a third of the world’s population, and monitored communications of the company’s top executives.

One of the goals of the operation, code-named “Shotgiant,” was to find any links between Huawei and the People’s Liberation Army, one 2010 document made clear. But the plans went further: to exploit Huawei’s technology so that when the company sold equipment to other countries — including both allies and nations that avoid buying American products — the N.S.A. could roam through their computer and telephone networks to conduct surveillance and, if ordered by the president, offensive cyberoperations.


Ren Zhengfei, founder of Huawei, is seen as a Chinese version of Steve Jobs. Credit Dmitry Lovetsky/Associated Press
“Many of our targets communicate over Huawei-produced products,” the N.S.A. document said. “We want to make sure that we know how to exploit these products,” it added, to “gain access to networks of interest” around the world.

The documents were disclosed by The New York Times and Der Spiegel, and are also part of a book by Der Spiegel, “The N.S.A. Complex.” The documents, as well as interviews with intelligence officials, offer new insights into the United States’ escalating digital cold war with Beijing. While President Obama and China’s president, Xi Jinping, have begun talks about limiting the cyber conflict, it appears to be intensifying.

The N.S.A., for example, is tracking more than 20 Chinese hacking groups — more than half of them Chinese Army and Navy units — as they break into the networks of the United States government, companies including Google, and drone and nuclear-weapon part makers, according to a half-dozen current and former American officials.

If anything, they said, the pace has increased since the revelation last year that some of the most aggressive Chinese hacking originated at a People’s Liberation Army facility, Unit 61398, in Shanghai.

The Obama administration distinguishes between the hacking and corporate theft that the Chinese conduct against American companies to buttress their own state-run businesses, and the intelligence operations that the United States conducts against Chinese and other targets.

American officials have repeatedly said that the N.S.A. breaks into foreign networks only for legitimate national security purposes.

A White House spokeswoman, Caitlin M. Hayden, said: “We do not give intelligence we collect to U.S. companies to enhance their international competitiveness or increase their bottom line. Many countries cannot say the same.”

But that does not mean the American government does not conduct its own form of corporate espionage with a different set of goals. Those concerning Huawei were described in the 2010 document.

“If we can determine the company’s plans and intentions,” an analyst wrote, “we hope that this will lead us back to the plans and intentions of the PRC,” referring to the People’s Republic of China. The N.S.A. saw an additional opportunity: As Huawei invested in new technology and laid undersea cables to connect its $40 billion-a-year networking empire, the agency was interested in tunneling into key Chinese customers, including “high priority targets — Iran, Afghanistan, Pakistan, Kenya, Cuba.”

WhatsApp: security alarm over chat histories

A Dutch blogger's claim: "an app can steal your conversations."

During the WhatsApp outage in mid-February, the app lost millions of users, who turned to its competitors.

WhatsApp conversation histories are at risk, and any app built for the purpose can steal them.
In short, the security and privacy policy of the chat giant, recently acquired by Facebook for $19 billion, have come under fire, thanks to a Dutch hacker who showed on his blog how it is possible to break in and download other people's conversations. WhatsApp has called the accusations "exaggerated".
According to Bas Bosschert, possible intrusions from outside stem from carelessness on WhatsApp's part. The first is the developers' choice to save the message history on the phone's shared storage, where other apps can find it. The second concerns permission handling in Android: permissions are routinely requested from a user installing an app in order to access, for example, contacts or photos, and in this case to access the phone's storage. And by now users grant permissions blindly, without even checking.
ONE KEY FOR EVERYONE'S ENCRYPTION. In addition, according to Bosschert, the other vulnerability lies in the mechanism WhatsApp uses to protect the message database cryptographically, that is, to make it unreadable: it uses the same key for every user.
An attacker could therefore find that key once and read the locally saved database, then repeat the same process for every user of the service.
Put simply, any app installed on the phone could ask for permission to read the storage that holds the entire message history, and the user could grant it without a second thought, with no notification of what they are actually allowing.
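The two points above, a database in storage that any app holding the storage permission can read, and encryption under one key that is identical on every installation, combine into the attack described. The program below is an added example, not WhatsApp's or Bosschert's code, and it simulates both a victim and an attacker phone in one process. The cipher is a toy keystream (FNV-1a in counter mode) constructed for the demonstration; it stands in for the real cipher and must not be used for real data. The message text, the device secrets and the "static key" value are constructed. The Android facts it relies on are that external (shared) storage is readable by any app with the storage permission, while an app's private storage is not readable by other apps.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define KEY_LEN 16

/* FNV-1a hash, used here only to build a deterministic toy keystream. */
static uint32_t fnv1a(const unsigned char *p, size_t n, uint32_t h)
{
    for (size_t i = 0; i < n; i++) {
        h ^= p[i];
        h *= 16777619u;
    }
    return h;
}

/* Toy stream cipher: XOR the input with a keystream derived from (key, block counter).
 * Encryption and decryption are the same operation. Demo only, not a real cipher. */
static void xor_crypt(const unsigned char key[KEY_LEN],
                      const unsigned char *in, unsigned char *out, size_t n)
{
    for (size_t off = 0; off < n; off += 4) {
        uint32_t ctr = (uint32_t)(off / 4);
        uint32_t ks = fnv1a(key, KEY_LEN, 2166136261u ^ ctr);
        ks = fnv1a((const unsigned char *)&ctr, sizeof ctr, ks);
        for (size_t j = 0; j < 4 && off + j < n; j++)
            out[off + j] = in[off + j] ^ (unsigned char)(ks >> (8 * j));
    }
}

/* Constructed: the flaw described above, one key baked into every installation.
 * Anyone who extracts it from one copy of the app has it for all users. */
static const unsigned char STATIC_KEY[KEY_LEN] = "static-key-demo";

/* Alternative: a key derived from a secret kept in the app's private storage,
 * which other apps on the same phone cannot read. */
static void derive_device_key(const char *device_secret, unsigned char out[KEY_LEN])
{
    uint32_t h = 2166136261u;
    for (int i = 0; i < KEY_LEN / 4; i++) {
        h = fnv1a((const unsigned char *)device_secret, strlen(device_secret),
                  h ^ (uint32_t)i);
        memcpy(out + 4 * i, &h, 4);
    }
}

/* Constructed sample data. */
static const char VICTIM_MESSAGES[] = "alice: meet at 9\nbob: ok\n";  /* the chat history */
static const char VICTIM_SECRET[]   = "victim-device-secret";         /* victim's app-private secret */
static const char ATTACKER_SECRET[] = "attacker-device-secret";       /* attacker's app-private secret */

/* Returns 1 if a malicious app, holding only the key material obtainable on the
 * attacker's own phone plus a copy of the victim's shared-storage file, recovers
 * the victim's messages; 0 otherwise. */
int attacker_reads_victim_db(int static_key_used)
{
    unsigned char victim_key[KEY_LEN], attacker_key[KEY_LEN];
    unsigned char db[sizeof VICTIM_MESSAGES], recovered[sizeof VICTIM_MESSAGES];

    if (static_key_used) {
        memcpy(victim_key, STATIC_KEY, KEY_LEN);
        memcpy(attacker_key, STATIC_KEY, KEY_LEN);   /* extracted once from any install */
    } else {
        derive_device_key(VICTIM_SECRET, victim_key);
        derive_device_key(ATTACKER_SECRET, attacker_key);  /* all the attacker can reach */
    }

    /* The victim's app writes the encrypted database to shared storage. */
    xor_crypt(victim_key, (const unsigned char *)VICTIM_MESSAGES, db, sizeof db);
    /* The malicious app, with the storage permission, copies the file and decrypts it. */
    xor_crypt(attacker_key, db, recovered, sizeof db);

    return memcmp(recovered, VICTIM_MESSAGES, sizeof VICTIM_MESSAGES) == 0;
}

int main(void)
{
    printf("static key on every install: attacker reads history = %d\n",
           attacker_reads_victim_db(1));
    printf("per-device key in private storage: attacker reads history = %d\n",
           attacker_reads_victim_db(0));
    return 0;
}
```

The point of the second case is not that the cipher got stronger but that the key is no longer something a third-party app can obtain; the file in shared storage is still copied, it just decrypts to garbage.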
THE "PROOF" ON HIS BLOG. To back up his claim, Bosschert built a small game that demonstrated how the chat history gets downloaded, and posted the experiment on his blog.
"These reports have not accurately depicted the picture and are overstated," a WhatsApp spokesperson commented, specifying that the messaging app on Google Play, the store for devices running Android, "has been updated to further protect users from malicious applications."
A PETITION TO PROTECT PRIVACY. Harsh criticism of its privacy-protection policies, in a more general sense, had arrived only a few days earlier from two American non-profit associations, which asked the US communications authority to block Facebook's $19 billion acquisition of WhatsApp, at least until it is clear how the social network intends to use the data of the messaging service's 450 million users.
RIVAL CHATS ARE GROWING. Meanwhile, rival chat services are booming, especially those that promise anonymity. Such as Telegram, which offers encrypted and "timed" messages: during the WhatsApp outage on 22 February it gained almost 5 million users in a few hours.

Saturday, 15 March 2014

Blackphone: Privacy for Lazy People

The Blackphone is indeed black.

There are lots of lists out there of things you should do to protect your privacy: Use an ad blocker. Use encryption. Use a VPN. Turn off the Wi-Fi and Bluetooth on your smartphone… Those who want privacy but don’t want to run through that checklist regularly are the target buyers for a new smartphone that will come with these types of privacy and security features built in. Called Blackphone, it has encrypted messaging from Silent Circle, encrypted data storage from SpiderOak, anti-tracking services from Disconnect, and anti-Wi-Fi-sniffing from Kismet (to prevent your phone being used by retailers to track your movements). Those who want easy smartphone privacy will need to be willing to slap down $629 for it, the price tag on the phone that’s expected to be released in April.

Jeans-wearing executives from Silent Circle, Disconnect, and SpiderOak met up with reporters at a hotel suite near the RSA Conference this week to show the phone off. Blackphone comes out of a partnership between Washington, D.C.-based Silent Circle and Spanish smartphone company GeeksPhone. The cost includes three years of encrypted calling and messaging (along with one year of Silent Circle for three privacy-loving family members and friends) and 5 GB of encrypted storage — both services that usually come with monthly fees from Silent Circle and SpiderOak, respectively. The importance of encrypted chatting is top of mind today for anyone who’s seen the Guardian’s story about a British spy agency intercepting Yahoo video chats, including intimate images of otherwise innocent sexy-time chatters.

Ethan Oberman of SpiderOak, Mike Janke of Silent Circle, and Casey Oppenheim of Disconnect


“Facebook didn’t buy a messaging app when they acquired WhatsApp; they bought 400 million eyeballs,” said Silent Circle CEO Mike Janke. The technology ecosystem right now is all about “packaging data and selling it to advertisers. We want to be the bee in the bonnet of the phone industry, selling privacy to consumers instead.”

Verizon and AT&T, for example, collect information about their customers’ Web browsing and location, which they “aggregate and anonymize” to sell to marketers and others interested. The Blackphone would disrupt that by, for example, letting smartphone Web surfers route their browsing through a VPN, or virtual private network. The VPN encrypts the traffic between the phone and the VPN provider, so the carrier sees only an encrypted tunnel rather than the sites visited, and cannot mine that traffic for the user’s interests.

The phone runs “PrivatOS,” an Android-based operating system. In the U.S., it’ll work with every carrier but Verizon. Abroad, Dutch telecommunications company KPN has already committed to buy 500,000 Blackphones to sell exclusively in Germany, Belgium and the Netherlands, says Janke, generating a couple hundred million dollars in revenue for the new company.

“I’m glad they think they can make money selling privacy,” said ACLU technologist Chris Soghoian speaking at a security conference in San Francisco Thursday. “The proof is in the pudding. My biggest concern is ongoing updates for Android. The Blackphone may be secure today but it needs regular updates to make sure it stays secure.”

There’s also the possibility that someone using the phone would download malware or a malicious app from Google Play, though the phone will scan apps and let users decide how much information they want to share with each.

“It’s not an NSA-proof phone,” says Janke. “If you’re on the top 100 terrorists list, you’re pwned.”

Uh-oh, this computer virus can spread via Wi-Fi

Researchers at England’s University of Liverpool have created Chameleon, a virus that can proliferate via Wi-Fi as efficiently as the common cold infects humans.

 February 27, 2014 12:54 PM PST


British researchers have created a computer virus that they say is the first to spread like a real airborne contagion.

Chameleon can spread through densely populated areas like the common cold, the University of Liverpool researchers claim, by hopping from network to network via access points, spreading rapidly among homes and businesses. As if that weren’t bad enough, the virus can avoid detection and identify weak wireless access points — those that are least protected by encryption and passwords.

“Wi-Fi connections are increasingly a target for computer hackers because of well-documented security vulnerabilities, which make it difficult to detect and defend against a virus,” said Alan Marshall, a professor of network security at the school. “It was assumed, however, that it wasn’t possible to develop a virus that could attack Wi-Fi networks; but we demonstrated that this is possible and that it can spread quickly. We are now able to use the data generated from this study to develop a new technique to identify when an attack is likely.”

The team simulated an attack on Belfast and London in a laboratory setting, and found that Chameleon behaved like an airborne virus, traveling across Wi-Fi networks via access points. It was able to remain hidden because current antivirus programs look for viruses on the Internet and on computers, whereas Chameleon stayed on the Wi-Fi network itself, moving past protected access points to find those that weren’t password-protected, such as public Wi-Fi access points at airports and coffee shops.

“When Chameleon attacked an AP it didn’t affect how it worked, but was able to collect and report the credentials of all other Wi-Fi users who connected to it,” Marshall said. “The virus then sought out other Wi-Fi APs that it could connect to and infect.”

The good news is that the virus was effectively blocked by properly secured networks: access points with encryption and a password enabled, which can be set up pretty easily. Protecting yourself while using public Wi-Fi is a little trickier, but it can be done.
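The "secure networks" the study says stopped Chameleon are access points that are not open, in other words ones that require a passphrase and encrypt the link. As an added example (not from the study or the article), here is a minimal hostapd.conf for a Linux-based access point, showing the open configuration the virus hunted for beside the protected one. The interface name, SSID and passphrase are placeholders; hostapd treats only lines beginning with # as comments, so no comment is placed after a value.

```ini
# Common settings (placeholders: adjust interface, SSID and channel).
interface=wlan0
driver=nl80211
ssid=HomeNet
hw_mode=g
channel=6

# WEAK: with no wpa= line at all, hostapd brings the network up with no
# encryption and no password. This is the kind of access point the study
# describes Chameleon moving into and harvesting credentials from.
# (Leave these lines commented out; they are shown for contrast.)
#wpa=0

# CORRECTED: WPA2 with a pre-shared key and AES-CCMP only. Clients must
# know the passphrase to associate, and the link is encrypted.
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_passphrase=replace-with-a-long-random-passphrase
```

The passphrase must be 8 to 63 characters; the security of WPA2-PSK against an attacker who captures the handshake is only as good as that passphrase, so use a long random one rather than a dictionary word.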

The University of Liverpool’s research appears in the EURASIP Journal on Information Security.

(Source: CNET Australia)

Mac and iOS users, here’s how to install that major security fix

Get the update for a security hole that allows third parties to intercept and modify activity on iOS and OS X Mavericks devices. This is an update you can’t afford to ignore.

Sharon Vaknin

 February 28, 2014 10:46 AM PST


Grab your iOS and OS X devices — this is a security update you can’t afford to ignore.

According to a study by Chitika released yesterday, only 25.9% of users have updated their operating system with a bug fix that prevents third parties from intercepting and fiddling with activity on an iOS device.

More specifically, without the update, the system’s SSL/TLS implementation (Secure Transport) skips verification of the server’s signature during the handshake, the so-called “goto fail” bug (CVE-2014-1266). Connections that should be authenticated and encrypted are therefore left wide open to anyone on the network path who impersonates the server.

The same security hole is also present in systems running OS X Mavericks.
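The defect behind this update was a single duplicated line, `goto fail;`, in the Secure Transport function that verifies the server’s signature over its ephemeral key exchange (SSLVerifySignedServerKeyExchange). The program below is an added example, not Apple’s code: the hashing and signature-check steps are constructed stand-ins that return fixed results, and only the control flow is reproduced. It shows why a forged server key exchange is accepted by the vulnerable shape and rejected once the stray line is removed.

```c
#include <stdio.h>

#define ERR_BAD_SIGNATURE (-1)   /* constructed error code, not Apple's */

/* Constructed stand-ins for hashing the ServerKeyExchange parameters. */
static int hash_update(void) { return 0; }   /* always succeeds */
static int hash_final(void)  { return 0; }   /* always succeeds */

/* Constructed stand-in for checking the server's signature over the hash;
 * sig_valid models whether the signature actually verifies. */
static int check_signature(int sig_valid)
{
    return sig_valid ? 0 : ERR_BAD_SIGNATURE;
}

/* Vulnerable shape: the second "goto fail;" is not under the if, so it runs
 * unconditionally. hash_final() and check_signature() are never reached, and
 * err still holds the 0 returned by the successful hash_update(), so the
 * function reports success without ever looking at the signature. */
int verify_server_key_exchange_vulnerable(int sig_valid)
{
    int err;

    if ((err = hash_update()) != 0)
        goto fail;
        goto fail;                       /* the duplicated line */
    if ((err = hash_final()) != 0)
        goto fail;
    if ((err = check_signature(sig_valid)) != 0)
        goto fail;

fail:
    return err;
}

/* Fixed shape: the stray goto is gone, so a bad signature is reported. */
int verify_server_key_exchange_fixed(int sig_valid)
{
    int err;

    if ((err = hash_update()) != 0)
        goto fail;
    if ((err = hash_final()) != 0)
        goto fail;
    if ((err = check_signature(sig_valid)) != 0)
        goto fail;

fail:
    return err;
}

int main(void)
{
    /* A forged ServerKeyExchange (sig_valid = 0), as a man-in-the-middle
     * would send, is accepted by the vulnerable version and rejected by the fix. */
    printf("vulnerable, forged signature: err=%d (0 means accepted)\n",
           verify_server_key_exchange_vulnerable(0));
    printf("fixed,      forged signature: err=%d\n",
           verify_server_key_exchange_fixed(0));
    printf("fixed,      valid signature:  err=%d\n",
           verify_server_key_exchange_fixed(1));
    return 0;
}
```

Two practical lessons follow from the shape: braces around every conditional body make an accidental duplicate line harmless, and a compiler warning for unreachable code (for example clang’s -Wunreachable-code) would have flagged the dead statements after the unconditional jump.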

iOS devices (all iPhone, iPad, and iPod Touch devices)
By now, a pop-up notification should have appeared on your phone, alerting you to update the system. But, if you ignored it, or never received it, here’s how to find it:

Go to Settings > General > Software Update. Those running iOS 7 will see the 7.0.6 update, while those running iOS 6 on older devices (including the iPhone 3GS and the 4th-gen iPod Touch) will see the iOS 6.1.6 update. Tap “Install Now” to get the update.

Once you’ve updated, the Software Update screen will indicate that “Your software is up to date.”

Mac OS X Mavericks
iOS wasn’t the only system affected by this security hole. Apple also released an OS X Mavericks system update Tuesday that patches the same hole that allows “an attacker” to “capture or modify data” transferred with Safari, Mail, iCloud and other Apple-created applications, according to Apple.

On Mavericks, system updates are conducted through the Mac App Store, but you won’t find the system update by launching it. Instead, open the Mac menu (the Apple logo), and click “Software Update.”

The Mac App Store will launch, and you’ll see the system update listed along with other app updates. Install the system update on its own, or click “Update All” to install all listed updates, including apps.

Tor Is Developing an Anonymous Instant Messaging Service


Now that we know the NSA is even spying on instant messaging services, the denizens of the deep web need a new way to chat anonymously. Of course, Tor comes to the rescue.

The same folks behind the Tor Browser Bundle that lets you surf the web anonymously are putting the finishing touches on an instant messaging client with similar features. The aptly named Tor Instant Messaging Bundle (TIMB) will simply funnel all of your chat data through the Tor network, which routes traffic through a chain of volunteer-run relays to hide the identities of its users. The client itself will be built on top of Instantbird, an open source instant messaging client. They also considered using Pidgin and libpurple, the instant messaging library used by Pidgin and Adium, but decided against it for security and simplicity’s sake.

The Tor Project recently published the roadmap for TIMB and said it expects to have experimental builds available by March 31, 2014. If you need to do some anonymous chatting before then, you might take TorChat for a spin. This instant messaging client also uses the Tor network to provide anonymous and encrypted chat services but isn’t actually built by the Tor Project.

Not to be the Debbie Downer about all this—it’s exciting news!—but you should remember that even Tor isn’t necessarily safe from the prying eyes of the U.S. government. The NSA’s been trying to hack into the Tor network for years, and the FBI was recently caught seizing data from TorMail, an anonymous email service, and trying to use that data to catch hackers.

Inevitably, however, a reliable, anonymous instant messaging service will be a terrific resource not just for hackers but for everyone. So sit tight. It’ll be ready soon. [Tor via Ars Technica]
