In the interest of keeping our clients informed about relevant security and privacy issues in the world today, Secure Group wants to share with you some of the top related stories in the past few weeks. We plan to continue this roundup on a monthly basis, and wherever possible, follow up on these stories throughout the month.
In order to stay as current as possible, we’ll start in reverse chronological order.
- EFF’s Street Level Surveillance Project
- EFF and Coalition aim to improve “Do Not Track” browser function via policy
- CISA to return to the senate floor this week
- Massive Android Exploit Discovered
- Poitras, Snowden Documentary Film-maker (CitizenFour), sues US Government for access to Airport Detainment and Search records
- “Kill-Switch” legislation enacted in California
August 3rd - The EFF (Electronic Frontier Foundation), an organization that fights for “your rights in the digital world”, has announced a new initiative called the Street Level Surveillance Project. They have created a Web portal designed to provide comprehensive information on police spying tools such as license plate readers, biometric collection devices, and IMSI catchers (popularly dubbed “Stingrays”).
Many people have expressed concerns regarding the violations of privacy revealed by Snowden, with regard to the NSA and other high-level espionage and law enforcement agencies. EFF is hoping to bring the matter home by providing information on the possible excesses in gathering private data at the local law enforcement level. Several stories of interest have already been posted, including their recent successful efforts to gain access to Automated License Plate Reader data gathered by the Los Angeles Police and Sheriff’s offices.
These information repositories put a great deal of information into public hands, and we commend the EFF on their efforts on our behalf. A possible suggestion to improve their site would be a map with daily reported sightings of police surveillance systems, such as IMSI catchers, and a way to quickly report these to the organization.
August 3rd - Most of the popular modern browsers today incorporate a “Do Not Track” feature. Chrome uses a mode called “Incognito”, Firefox calls it Private Browsing, and Internet Explorer calls it InPrivate Browsing. EFF, privacy company Disconnect, and a coalition of internet companies have announced a “new policy standard that, coupled with privacy software, will better protect users from sites that try to secretly follow and record their Internet activity, and incentivize advertisers and data collection companies to respect a user’s choice not to be tracked online.”
The policy can be reviewed here:
August 3rd - Privacy activists breathed a sigh of relief earlier this summer (June 1st) when elements of the Patriot Act, including the controversial Section 215, which provided the NSA with their basis for gathering the phone records of millions of Americans, failed to be renewed. However, there are always new threats to privacy on the horizon, including the latest attempt to reform cybersecurity policy, CISA (Cybersecurity Information Sharing Act). This bill is set to return to the Senate floor this week.
CISA provides tech companies, data brokers, and any other private organization that performs web-based collection (mining) of user information with the ability to volunteer this information to “appropriate Federal entities” upon request, which then have the power to share it further with the rest of the government branches.
The worst part of this bill is that the latitude given to these tech companies is not accompanied by any sort of transparency. In fact, it exempts these tech companies from the Freedom of Information Act, and state and local sunshine laws, ostensibly protecting these companies from having to divulge that they are sharing this private information with the government.
This bill is being heavily lobbied for by private interests, notably the National Cable & Telecommunications Association, the BSA (Software Alliance), and the Financial Services Roundtable. This is because the bill, in making it easier to share information with the government, also legitimizes their efforts to gather more and more private data, and makes it easier to do so without legal repercussions.
In related news...
The latter organization (the FSR) has in fact begun a public campaign to promote the CISA bill, called “Stop Cyber Threats”. This ad campaign shares infographics with some useful information - how many Americans are affected by cyber crime, how many are increasingly concerned, and how widespread the problem is perceived to be.
Where it fails the public, however, is in explaining exactly how the provisions will help prevent cyber threats. One large infographic is provided, outlining “Myths” vs “Facts”. It implies that the bill allows organizations to be “Good Samaritans” and gives them the power to volunteer information only about cyber threats, not private information, but it does not mention any legislation preventing over-sharing, only guidelines. More importantly, they make claims about adequate protections within the legislation without providing the wording of the legislation in question. In responding to so-called “Myths”, they provide precious little substance to their “Facts”. In fact, at the time of its creation, it is doubtful the FSR even fully knew what was in the bill, as the bill was marked up and modified by the Senate Intelligence Committee in complete secrecy this week. Only afterward was the public allowed to see many of the provisions passed under its name.
July 27th - A flaw potentially affecting hundreds of millions of (nearly all) Android users was detected last week by Joshua Drake, a security researcher with Zimperium. The flaw is particularly dangerous because it requires no action from the user - simply receiving a text with multimedia content (such as a video or photo) is enough. Some apps, such as Google Hangouts, increase the exposure to this exploit by automatically processing a video and placing it in the gallery upon receipt. This means no action whatsoever is required from the user, not even viewing the message. Processing the video triggers the exploit, providing the adversary with access to most of your phone’s apps and data, and potentially the ability to open your mic and camera and use your phone for remote surveillance. Standard text message users are highly at risk too, but for the exploit to be triggered, the message must be viewed. However, since the user does not have to open the video or photo, this still poses a great danger.
This exploit has a fix, and it has been provided to Google in the form of a patch. However, coordinating to ensure that all affected devices are patched is troublesome because of device and OS fragmentation and an open system (many different device types, manufacturers, carriers and OS versions). Ensuring the patch is delivered on Google stock OS phones such as Nexus and HTC is fairly simple, but many devices’ patch policies are governed by carriers and brands. In other words, if T-Mobile or Virgin use a proprietary build of Android on their devices, the carrier has to provide the patch. Samsung or other vendors who similarly provide a custom build and apps would need to do the same. Communication of the issue is under way, with many carriers and companies confirming the patch will be delivered, but it will be a while before all affected devices are patched.
Note: Secure Group’s Secure Phone is not affected by the issue, due to proprietary OS features preventing automated installation of malware. Installation can only be triggered from our Secure Administration System. No escalation of privilege can occur from the device itself. In addition, device encryption from moment of registration would prevent data theft - any data stolen would be encrypted.
Update: Several major manufacturers, including Samsung, LG, and HTC, have confirmed that patches or fixes are forthcoming for this issue, and carriers such as Sprint have confirmed release of the patch. However, there is some debate as to the effectiveness of said patch. More on this later in the week.
Poitras, Snowden Documentary Film-maker (CitizenFour), sues US Government for access to Airport Detainment and Search records
July 13th - Laura Poitras, the acclaimed (Pulitzer and Academy Award winning) film-maker of CITIZENFOUR, has been subjected to searches and hours-long screenings at border crossings, both in the US and overseas, on over 50 occasions in the past six years. With the help of the EFF, she is suing the government for access to all records pertaining to these searches and detainments.
“I’m filing this lawsuit because the government uses the U.S. border to bypass the rule of law,” said Poitras. “This simply should not be tolerated in a democracy. I am also filing this suit in support of the countless other less high-profile people who have also been subjected to years of Kafkaesque harassment at the borders. We have a right to know how this system works and why we are targeted.”
July 1st - California law, Senate Bill 962, now ensures that all phones sold in the state must have a “kill-switch” anti-theft deterrent enabled during the initial device setup of a new smartphone.
A “kill-switch” means that the smartphone must have a solution providing the device owner with the ability to disable the device’s “essential features” - phone calls, text messaging, browsing, etc. The kill-switch should also prevent access to workarounds via mobile applications.
Law enforcement officials have been urging this change for years, and California is the second state (Minnesota was first) to see it implemented - but the first to state that the kill-switch must be set as a default option, an important distinction.
“The Federal Communications Commission reports that mobile phone theft constitutes 30-40% of all robberies across the United States, a crime that cost US citizens $30 billion in 2012.”
Secure Group fully endorses this solution, and hopes it one day goes further, ensuring that device encryption is similarly included in legislation. Google attempted to enforce encryption by default in their latest Lollipop OS version, but was thwarted by challenges from the many vendors using variations of their OS (the default setting would have slowed adoption). Legislation enforcing device encryption would equally deter device theft, and would protect users from privacy concerns as well.