Photo Credit: Alan Chen

Top Security and Privacy News: Scrambled Bits Vol. 30

Millions Wiretapped, Wrestling Fans Exposed, Turkey Intimidates, and More.

Madison
Published in The Salty Hash
5 min read · Jul 11, 2017

This is the Scrambled Bits weekly newsletter, a quick summary of the week’s most interesting news at the intersection of security, privacy, encryption, technology, and law.

Gadgets and Gizmos

Beyond Fingerprints: 3D Facial Recognition

Biometrics have a problem: they can’t change. Using a fingerprint as a password means that if a fingerprint is stolen, the password can’t be changed. This problem isn’t constrained to just fingerprints.

Rumors suggest that Apple’s next iPhone won’t have a fingerprint scanner, but will instead authenticate a user via 3D facial recognition, so a sculpted head might become the new way to steal a password.

Beyond Fingerprints: Border Iris Scanners

On the US/Mexican border, fingerprints are falling short. Due to self-harm, alterations caused by manual labor, and the comparatively small number of possible variations, law enforcement is moving on to more sophisticated technology.

Consequently, sheriff’s departments along the border are installing iris scanners, which work by taking high-resolution images of a person’s iris with a special infrared camera. The image is then used to construct a unique iris template, which is a combination of over 240 unique characteristics of the iris. This significantly increases the precision of identification. These scanners will become ubiquitous in sheriff’s stations over the next few months.

Meet KARL

Meet KARL — Kernel Address Randomized Link — a new feature of OpenBSD. KARL creates a unique kernel binary every time a machine reboots.

The new binary is constructed by relinking kernel object files in random order. This is different from Address Space Layout Randomization (ASLR), which shifts where a binary is loaded, because KARL produces binaries whose internal structure is itself random. This will make it even harder for attackers to reliably carry out buffer overflow exploits and other attacks that depend on a predictable memory layout.
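The difference between the two approaches is easy to see in a small simulation. The following Python is an added illustration, not OpenBSD code: it models a kernel as a handful of made-up object files with made-up sizes and function names, “boots” it repeatedly under an ASLR-style scheme (fixed link order, random load base) and a KARL-style scheme (random link order, fixed base), and records the distance between two functions across boots. Under ASLR that distance never changes, so leaking one address reveals every other; under KARL it varies from boot to boot. The last check also shows the limit of the model: functions inside the same object file keep their relative positions, since only whole object files are reordered.

```python
import random

# Constructed toy kernel: object file -> (size in bytes, functions it defines).
# Names and sizes are invented for the simulation, not OpenBSD's real objects.
OBJECTS = {
    "init.o":    (0x1000, ["main", "init_main"]),
    "sched.o":   (0x1800, ["sched_yield", "mi_switch"]),
    "vm.o":      (0x2400, ["uvm_fault", "uvm_map"]),
    "net.o":     (0x3000, ["ip_input", "tcp_input"]),
    "syscall.o": (0x0c00, ["syscall", "sys_write"]),
}

KERNEL_BASE = 0xFFFFFFFF80000000  # arbitrary base used by the simulation


def link(order, base):
    """Lay the object files out contiguously from `base` and return a symbol
    table {function: address}. Functions sit at fixed offsets inside their
    own object file; only the order of the object files moves."""
    symbols = {}
    addr = base
    for obj in order:
        size, funcs = OBJECTS[obj]
        step = size // len(funcs)
        for i, fn in enumerate(funcs):
            symbols[fn] = addr + i * step
        addr += size
    return symbols


def aslr_boot(rng):
    """ASLR-style boot: identical link order every time, random load base."""
    order = sorted(OBJECTS)
    base = KERNEL_BASE + rng.randrange(0, 0x1000) * 0x1000
    return link(order, base)


def karl_boot(rng):
    """KARL-style boot: object files relinked in a random order. The base is
    kept fixed here so that only the effect of relinking is visible."""
    order = list(OBJECTS)
    rng.shuffle(order)
    return link(order, KERNEL_BASE)


def offset_between(symbols, a, b):
    """Distance from function a to function b in one linked kernel."""
    return symbols[b] - symbols[a]


def observed_offsets(boot, a, b, boots=50, seed=1):
    """Set of distinct (b - a) distances seen across `boots` simulated reboots.
    A single-element set means the layout is predictable from one leak."""
    rng = random.Random(seed)
    return {offset_between(boot(rng), a, b) for _ in range(boots)}


if __name__ == "__main__":
    for name, boot in (("ASLR", aslr_boot), ("KARL", karl_boot)):
        deltas = observed_offsets(boot, "syscall", "ip_input")
        print(f"{name}: {len(deltas)} distinct syscall->ip_input distances over 50 boots")
    same_obj = observed_offsets(karl_boot, "syscall", "sys_write")
    print(f"KARL, same object file: {len(same_obj)} distinct distance(s)")
```

Run it and the ASLR line reports a single distance while the KARL line reports many; the final line reports one, because `syscall` and `sys_write` live in the same object file and KARL does not reorder within an object.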

Privacy

One Wiretap, Millions Of Conversations, Zero Convictions

US authorities intercepted 3.3 million phone conversations with a single wiretap order at a cost to taxpayers of $335,000. The wiretap order stood for several months and resulted in a dozen arrests. But despite the incredible scope of the tap, none of the arrests went to trial, and the tap led to zero convictions. The sheer volume of conversations intercepted suggests that this was an unsuccessful fishing expedition and that other investigative methods should have been used instead.

States Refuse to Dox Residents to Feds

Despite zero evidence of voter fraud, the President’s Election Commission requested voter data from all states. The request asks for public voter information and data such as birth dates, party affiliation, and the last four digits of voters’ social security numbers. So far, 44 states have refused the request.

Google Home Calls the Police

We’re not sure how to feel about this one: the always-on, always-listening Google Home was recently in the right place at the right time when it overheard a domestic dispute. A man pulled a gun on his girlfriend and asked if she had called the sheriff. Google Home heard this as a command and obliged. A SWAT team showed up soon thereafter.

Government

Turks Tamp Tech Training

Turkish police raided a digital security training led by German and Swedish instructors. Human rights activists from a variety of organizations, including Amnesty International, were arrested for attending and are now being held without access to lawyers or communications.

Digital security classes teach basic principles of modern technology. The Turkish government, without any legal basis, chose to arrest and intimidate students simply for learning digital defense.

UPDATE: Kaspersky Opens Up

Last week we noted that Kaspersky was under investigation by the FBI and under attack by Senators worried about Kaspersky’s Russian ties. This week, Kaspersky agreed to allow the U.S. Government to review its source code. Meanwhile, Russia is asking the same thing of U.S. companies like Cisco, IBM, and Symantec. Some of these companies are complying.

UPDATE: Over a Dozen Nuclear Facilities Breached

Last week we reported on a breach of a U.S. nuclear power plant. This week we learned more details. At least a dozen power plants were breached, including the Wolf Creek nuclear facility in Kansas. Fingers are once again being pointed at Russia, with little supporting evidence in public. Russia is the bogeyman du jour for good reason, but cyber attribution is hard, and bad assumptions are the root of many errors.

Notable Vulnerabilities and Breaches

  • Vault 7: Stealing SSH — Wikileaks published two more exploits stolen from the CIA: BothanSpy and Gyrfalcon. These exploits work on Windows and Linux, respectively, and steal SSH credentials from active SSH sessions.
  • Australia’s Medicare Machine — Australia’s Medicare system appears to be seriously compromised, and sensitive information of nearly all Australian citizens is available for sale on the dark web. For US $22 per identity, given the name and date of birth of a target, the vendor will sell full Medicare details, which can then be used to buy goods, lease or buy property, or to defraud the government of Medicare rebates.
  • WWE Leaked Personal Data of 3M Wrestling Fans — World Wrestling Entertainment (WWE) exposed personally identifiable information belonging to over three million fans. WWE stored names, addresses, email accounts, earnings, ethnicity, children’s age ranges, and birthdates as plain text in a database on a publicly accessible server. Is it even a data breach if you just put the data out there? This breach is just one in a series that stem from misconfiguration and poor security practices.
  • Ad Abuse — A malicious ad network was recently uncovered that has been operating undetected for over a year. The malvertising network, called AdGholas, infected as many as a million computers per day.
  • CopyCat Malware Infects 14 Million Android Smartphones — The malware has primarily spread through Asia, but some 280,000 U.S. phones are also compromised. The malware makes money on ads and also steals the information of infected users. The malware was distributed on third-party app stores (not Google’s store) in bundles with otherwise popular apps.

Bottom of the News

  • Will the Real Petya Please Stand Up? — The master key to Petya ransomware — the original one, not the impersonator now called NotPetya — was released on Wednesday by the author.
  • Wildcard Winners — Let’s Encrypt will begin offering wildcard certificates in 2018, making it even easier for developers to use HTTPS everywhere. No more excuses.
  • Samba Spreading WannaCrypt — Just as Microsoft is trying to kill off SMBv1, the ancient protocol exploited in several recent malware outbreaks including WannaCry and NotPetya, Google is adding support into Android. Bad idea. Bad Google. Bad.
  • NCIA’s Misspent IT Overhaul — The agency that operates and defends NATO’s IT and telecommunications networks, the NATO Communications and Information Agency (NCIA), is about to spend $3.4 billion on modernization. But of that $3.4 billion, only $79.5 million will be spent on cyber security upgrades. Oops.

If you liked this, please click the 💚 below. If you’re reading this in an email, please go to the article on the web first. Liking the article will help other people see it on Medium. You might also be interested in last week’s summary compliments of IronCore Labs.

Subscribe to our email digest to avoid missing another update.
