Abode is adding HomeKit support to its Smart Security kit, a DIY home security system featuring a gateway, motion sensor, and more.
Security
Security Friday! – TMO Daily Observations 2020-02-07
Andrew Orr joins host Kelly Guimont to discuss the latest security headlines and some tips for avoiding malware and viruses on your Mac.
WhatsApp Security Flaw Found on Desktop Version
A flaw found in the desktop version of WhatsApp lets third-parties access your file system on macOS and Windows.
Huawei Equipment Backdoor Found in HiSilicon Chips
Hardware researcher Vladislav Yarmak found a backdoor in HiSilicon-based Huawei equipment used in video recorders and security cameras.
To be clear, this security vulnerability is said to be present in the software HiSilicon provides with its system-on-chips to customers. These components, backdoor and all, are then used by an untold number of manufacturers in network-connected recorders and cameras.
It’s not a major threat, or anything people need to fret about; it’s just another indicator of Huawei’s piss-poor approach to security.
AKA do not let Huawei build your 5G infrastructure.
Anonymized Data May Be Less Anonymous Than You Thought
Students at Harvard built a tool to analyze datasets from data breaches. They could identify individuals in data that the companies had described as anonymized.
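The page does not say how the Harvard tool works, so the following is an added illustration of the generic linkage attack behind most re-identification results, not the tool's code: rows stripped of names are joined to an identified dataset (a breach dump, say) on shared quasi-identifiers such as ZIP code, birth year and gender. Column names and all records are constructed for the example.

```javascript
// Added example; not from the original page or the Harvard tool it describes.
// Demonstrates re-identification by linkage on quasi-identifiers.
const QUASI_IDENTIFIERS = ["zip", "birthYear", "gender"]; // assumed column names

// Constructed sample data; these are not real people.
// A "de-identified" dataset: direct identifiers removed, sensitive column kept.
const ANONYMIZED_RECORDS = [
  { zip: "02138", birthYear: 1985, gender: "F", diagnosis: "asthma" },
  { zip: "02138", birthYear: 1985, gender: "M", diagnosis: "flu" },
  { zip: "02139", birthYear: 1990, gender: "M", diagnosis: "diabetes" },
  { zip: "02139", birthYear: 1990, gender: "M", diagnosis: "flu" },
];
// An identified dataset, e.g. account records from a breach.
const BREACH_RECORDS = [
  { name: "A. Example", zip: "02138", birthYear: 1985, gender: "F" },
  { name: "B. Example", zip: "02138", birthYear: 1985, gender: "M" },
  { name: "C. Example", zip: "02139", birthYear: 1990, gender: "M" },
  { name: "D. Example", zip: "02139", birthYear: 1990, gender: "M" },
];

// Join key built from the chosen quasi-identifier columns.
function quasiKey(row, keys) {
  return keys.map((k) => String(row[k])).join("|");
}

// Group rows into equivalence classes that share the same quasi-identifier values.
function groupByKey(rows, keys) {
  const groups = new Map();
  for (const row of rows) {
    const k = quasiKey(row, keys);
    if (!groups.has(k)) groups.set(k, []);
    groups.get(k).push(row);
  }
  return groups;
}

// k-anonymity of a dataset: size of its smallest equivalence class.
// k = 1 means at least one row is unique on the quasi-identifiers.
function kAnonymity(rows, keys = QUASI_IDENTIFIERS) {
  if (rows.length === 0) return 0;
  let k = Infinity;
  for (const group of groupByKey(rows, keys).values()) k = Math.min(k, group.length);
  return k;
}

// Linkage attack: a quasi-identifier combination that is unique in both
// datasets ties a named person to the sensitive attribute.
function reidentify(anonRows, namedRows, keys = QUASI_IDENTIFIERS) {
  const anonGroups = groupByKey(anonRows, keys);
  const namedGroups = groupByKey(namedRows, keys);
  const hits = [];
  for (const [k, anonGroup] of anonGroups) {
    const namedGroup = namedGroups.get(k);
    if (anonGroup.length === 1 && namedGroup && namedGroup.length === 1) {
      hits.push({ name: namedGroup[0].name, ...anonGroup[0] });
    }
  }
  return hits;
}

// Stand-alone run: show the attack, then show that coarsening the
// quasi-identifiers (dropping gender here) raises k and defeats it.
console.log("k =", kAnonymity(ANONYMIZED_RECORDS), "hits:", reidentify(ANONYMIZED_RECORDS, BREACH_RECORDS));
console.log("k =", kAnonymity(ANONYMIZED_RECORDS, ["zip", "birthYear"]),
  "hits:", reidentify(ANONYMIZED_RECORDS, BREACH_RECORDS, ["zip", "birthYear"]));
```

With all three quasi-identifiers the two 02138 rows are unique and link straight to names; the two 02139 rows share identical values and survive. Dropping gender from the join gives every class at least two members, which is the kind of generalization a release would need before calling itself anonymized.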
‘Sudo’ Flaw Found and Patched in macOS Terminal
A flaw in the sudo command, which macOS users reach through Terminal, let non-privileged users and programs run commands as root.
Lindsey Graham’s Draft Bill Punishes Companies Using End-to-End Encryption
Senator Lindsey Graham is drafting a bill [PDF] that could penalize companies using end-to-end encryption.
Although the measure doesn’t directly mention encryption, it would require that companies work with law enforcement to identify, remove, report and preserve evidence related to child exploitation — which critics said would be impossible to do for services such as WhatsApp that are encrypted from end-to-end.
If technology companies don’t certify that they are following the best practices set by the 15-member commission, they would lose the legal immunity they currently enjoy under Section 230 relating to child exploitation and abuse laws. That would open the door to lawsuits for “reckless” violations of those laws, a lower standard than contained in current statutes.
Of all the dumb things this administration has done, attacking encryption is a doozy. It’s not clear how much this would impact Apple, since the company does in fact scan for child abuse images. But iMessage and a few other services are end-to-end encrypted.
WebKit Team Proposes a Way to Secure SMS Two-Factor Authentication
Apple’s WebKit team has a proposal to standardize and secure SMS two-factor authentication codes with URLs.
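As an added example, not code from the page or from WebKit, here is the client-side check that such a format makes possible. The WebKit team's published proposal puts the site's host and the code on the last line of the SMS as `@host #code`; a browser or autofill feature then offers the code only to a page whose origin host matches, so a code sent for example.com is never handed to a look-alike phishing page. The sample messages and page URLs below are constructed.

```javascript
// Added example; not from the original page or the WebKit proposal's own code.
// Parses an SMS in the proposed origin-bound format ("@<host> #<code>" on the
// last line) and releases the code only to a page on the matching host.
const LAST_LINE_RE = /^@([^\s#]+)\s+#(\S+)$/;

// Returns { host, code } if the message's last non-empty line carries an
// origin-bound code, otherwise null (legacy SMS codes are not recognised).
function parseOriginBoundCode(smsText) {
  const lines = smsText.split(/\r?\n/).map((l) => l.trim()).filter((l) => l.length > 0);
  if (lines.length === 0) return null;
  const m = LAST_LINE_RE.exec(lines[lines.length - 1]);
  if (!m) return null;
  return { host: m[1].toLowerCase(), code: m[2] };
}

// Autofill decision: the code is offered only when the page's hostname equals
// the host named in the SMS. Port and path do not matter; the host does.
function codeForOrigin(smsText, pageUrl) {
  const parsed = parseOriginBoundCode(smsText);
  if (!parsed) return null;
  let host;
  try {
    host = new URL(pageUrl).hostname.toLowerCase();
  } catch (_) {
    return null; // malformed page URL: never release a code
  }
  return host === parsed.host ? parsed.code : null;
}

// Constructed sample messages for a stand-alone run.
const BOUND_SMS = "747723 is your ExampleApp code.\n\n@example.com #747723";
const LEGACY_SMS = "Your ExampleApp code is 747723";

console.log(codeForOrigin(BOUND_SMS, "https://example.com/login"));  // matching host
console.log(codeForOrigin(BOUND_SMS, "https://examp1e.com/login"));  // look-alike host
console.log(codeForOrigin(LEGACY_SMS, "https://example.com/login")); // no binding
```

The useful property is in the second call: the same SMS yields nothing on a look-alike host, which is exactly the real-time phishing case that plain SMS codes cannot defend against. A legacy message with no `@host` line still has to be typed by hand, as today.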
Changing Apple Hiring, More Phone Hack Info – TMO Daily Observations 2020-01-27
Charlotte Henry and John Martellaro join host Kelly Guimont to discuss Apple’s new hiring page and the new info about Jeff Bezos’ iPhone.
SE2 Rumor Redux, Security Friday – TMO Daily Observations 2020-01-24
John Martellaro and Andrew Orr join host Kelly Guimont to discuss the SE2 rumors coming back (again), and this week’s Security Friday.
Google Finds Intelligent Tracking Prevention Flaws in Safari
Google’s Project Zero security team found multiple Intelligent Tracking Prevention flaws in Safari that let users be tracked anyway.
iPhone Cracking Lab, Two Quick Tips – TMO Daily Observations 2020-01-22
Andrew Orr and John Martellaro join host Kelly Guimont to discuss the tech lab built by SDNY, and Andrew’s Apple Card and AirPods tips.
A $10 Million New York Lab Tries to Brute Force iOS Devices
Inside a lab in New York worth US$10 million, specialists are trying to brute force their way into iPhones and iPads.
What’s going on in the isolation room is important, if silent, forensic work. All of the phones are hooked up to two powerful computers that generate random numbers in an attempt to guess the passcode that locked each device. At night, technicians can enlist other computers in the office, harnessing their unused processing power to create a local supercomputer network.
Apple and the FBI – TMO Daily Observations 2020-01-21
Bryan Chaffin and Andrew Orr join host Kelly Guimont to discuss Apple’s decision not to encrypt backups, and what data Apple can share.
Apple Cancels iCloud Encryption Plan Due to FBI
Apple had plans to introduce end-to-end encryption for iCloud backups, but canceled it two years ago after the FBI complained.
Forsaking Safari, Security Friday Debut – TMO Daily Observations 2020-01-17
Charlotte Henry and Andrew Orr join host Kelly Guimont to discuss Charlotte’s move (back) to Google Chrome, and the first Security Friday!
Hackers Dump 70,000 Tinder Photos of Women
Over 70,000 Tinder photos of women have been dumped in an online forum for cybercrime.
Contextual clues, including particular phone models like the iPhone X seen in the photographs, as well as limited metadata, suggest that many of the (mostly) selfies were taken in recent years. Some of the photos, in fact, contain timestamps dated as recent as October 2019.
Tinder also noted that all of the photos are public and can be viewed by others through regular use of the app; although, obviously, the app is not designed to help a single person amass such a massive quantity of images. The app can also only be used to view the profiles of other users within 100 miles.
Emphasis mine.
Scotland Police to Use ‘Cyber Kiosks’ to Extract Smartphone Data
Starting January 20, 2020, Police Scotland will use devices called cyber kiosks to analyze the contents of smartphones during investigations.
Police Scotland will only examine a digital device where there is a legal basis and where it is necessary, justified and proportionate to the incident or crime under investigation.
Cyber kiosks used by Police Scotland will not be enabled to store data from digital devices. Once an examination is complete, all device data is securely deleted from the cyber kiosk.
Google’s iPhone Security App Keeps You in its Ecosystem
Google updated its Smart Lock app on iOS to let iPhones be used for two-factor authentication. But it will only work inside Chrome. Now your only choices for Google two-factor authentication are this Smart Lock app, or a phone number (an insecure method). You can also use a physical security key but not an app like Authy.
After installing the update, users are asked to select a Google account to set up their phone’s built-in security key. According to a Google cryptographer, the feature makes use of Apple’s Secure Enclave hardware, which securely stores Touch ID, Face ID, and other cryptographic data on iOS devices.
Update. So I made a mistake and you can use an app like Authy, but you first have to surrender your phone number to Google. Which I’m obviously loath to do, so I use a disposable number.
Cellebrite’s Acquisition Adds Computer Forensics to its Portfolio
Cellebrite, a company specializing in hacking smartphones for law enforcement, has acquired BlackBag Technologies, a company specializing in hacking computers for law enforcement. This will let Cellebrite offer law enforcement an “all-in-one” forensic solution to cover smartphones, laptops, desktops, and cloud data.
It also means offering a broad array of field acquisition capabilities including consent-based evidence collection along with an integrated solution set that provides access, insight and evidence management to facilitate and control large-scale deployments and orchestrate the entire digital intelligence operation.
Cellebrite offers all of these capabilities to law enforcement, but the FBI still wants Apple to create a backdoored version of iOS.
Reality Converter App, Online Scam Avoidance – TMO Daily Observations 2020-01-14
Bryan Chaffin and Andrew Orr join host Kelly Guimont to discuss Battery Case Replacements, the AR Converter app, and avoiding online scams.
How to Avoid Online Scams With This Guide
Emily Long put together a guide on how to avoid online scams, like not clicking links in emails, not sharing passwords, and more.
The basic rule for surviving internet scams is simple: If it sounds too good to be true, it probably is. A little common sense goes a long way to realizing that you aren’t going to suddenly win the Spanish National Lottery when you didn’t even know you had a ticket.
A useful guide.
‘Cable Haunt’ Flaw Leaves Millions of Modems Vulnerable
A flaw in cable modems called “Cable Haunt” puts hundreds of millions of devices at risk from hackers. Because ISPs control modem firmware, the fix has to come as an ISP-distributed update.
Trade In Values, Cryptocurrency Attacks – TMO Daily Observations 2020-01-10
Charlotte Henry and Bryan Chaffin join host Kelly Guimont to discuss trade-in values dropping in Apple Stores, and a new malware attack.