Earlier this month, we began what we hope will become a regularly updated newsletter rounding up relevant news articles about security and privacy concerns in the world today, in order to inform our customers and anyone interested in these issues.
We plan to continue this roundup on a monthly to semi-monthly basis and, wherever possible, follow up on these stories throughout the month. The following stories are from the past few weeks and are again arranged in reverse chronological order, to keep you as up to date as possible.
- “Certifi-gate” vulnerability being exploited - briefly makes appearance on Google Play - August 25th
- Number of compromised users in May’s IRS Get Transcript breach may exceed 330k - August 17th
- 60 Minutes Australia reveals “new” mobile phone vulnerabilities - August 16th
- CSIS alleged to be spying illegally on peaceful protesters - August 12th
According to a report by Check Point, the “Certifi-gate” vulnerability mentioned in our article last week is now being exploited by malicious parties, and briefly managed to make an appearance in a ‘legitimate’ app on the Google Play Store.
Certifi-gate is a vulnerability in remote-support (remote administration) plug-ins that were not properly secured. Examples of the apps in question include certain versions of the TeamViewer, Mobile Support, and CommuniTake Remote Care apps. The manufacturer certificates used to sign such apps grant them complete access to the Android OS and the device hardware. To make matters worse, these apps are (or were) routinely pre-installed on Samsung, LG and HTC handsets.
The exploit was found on a very small number of devices, but this could be a herald of things to come. A tool called “Recordable Activator” from UK-based Invisibility Ltd was advertised as an “EASY Screen Recorder” that did not require root access to the device. Once installed from the Google Play store, however, a vulnerable version of the TeamViewer plug-in was installed from another source. According to the Check Point blog, “Because the plug-in is signed by various device manufacturers, it’s considered trusted by Android, and is granted system-level permissions. From this point ‘Recordable Activator’ exploits the authentication vulnerability and connects with the plug-in to record the device screen.”
This issue is hard for either Google or the manufacturers to resolve on their own, because the vulnerability that allows the plug-in to be installed without the user’s knowledge can’t be easily fixed - the permissions for remote access are burned into the ROM of the device itself. In some cases, as Bobrov said at Black Hat, the tool is pre-installed and unreachable by the customer. “To get rid of it, you need an upgrade of the Android OS,” he explained. Even worse, according to Bobrov, “it’s not just the bug itself, it's the architecture. The vendors themselves signed this tool with their certificate, and there is no way to patch this problem currently. If someone a year from now can trick you into installing a vulnerable version, they’ll still be able to take control.”
As Bobrov stated, upgrading your OS is one way to reduce your risk, since an adversary would then have to convince you to install a vulnerable version of the plug-in. In our opinion, a far better solution is a secured OS in which permissions are tightly controlled and cannot be changed from the device itself. The relative ease with which Invisibility Ltd snuck its vulnerability-laden app into the Play Store is cause for concern: there may already be several similarly compromised apps hidden in Google Play.
You can limit the communication received from the company, and you can limit the company’s ability to share your data, but Spotify can still gather the data in the first place, as long as you use their service.
Mr. Ek, the CEO of Spotify, has apologized for the confusion surrounding the policy, stating that the changes should have been communicated better, in order to provide users a better understanding of what the data would be used for. However, he has not promised to significantly change it.
Mass gathering of user data is quickly becoming the new normal, and if Spotify’s privacy “blunder” does not result in significant blowback or financial cost (i.e., everyone moving to Apple Music, or something of that nature), we can likely expect to see similar privacy policies from other services and applications.
Considering ongoing efforts to revive zombie bills like CISA, the gathering of private data remains a strong concern. The more privacy we give away, even if we do not authorize sharing of that information, the more likely it is to reach unwanted eyes and ears. Unless Spotify changes its policies, those deciding to leave the service may have the right idea.
Last May, the IRS reported a data breach that targeted its Get Transcript online portal. By circumventing Get Transcript's authentication protections, which were based on antiquated knowledge-based authentication methods, hackers are believed to have gained access to taxpayer information, including Social Security numbers.
The original estimate of the damage from the reported breach was 114 thousand compromised taxpayers. It is now estimated that the number could be much higher. The new estimate, 334 thousand compromised users, is just shy of three times the original. Senior Security Analyst for Tripwire, Ken Westin, states that in cases like this it is very difficult to determine scope. The breach was not a compromised database, from which a determinable number of records was stolen; rather, the data was “harvested from legitimate website forms, making it more difficult to identify which requests were fraudulent and which were legitimate." In addition to its original estimate of 114 thousand affected taxpayers, the IRS also cited another 110 thousand failed attempts.
The IRS will be mailing letters in the coming days to taxpayers whose data might have been compromised. Because of the above noted difficulty in determining scope, and whether the suspected access was indeed fraudulent, the notices will advise taxpayers to disregard the notice if in fact they were the ones seeking their files.
In addition, they will be alerting other taxpayers that although identity thieves failed in efforts to access their records via Get Transcript, their information might still be at risk.
The pilfered information could be used to file fake tax returns in 2016, and the IRS urges taxpayers to protect themselves by taking up the free credit monitoring the agency is offering to those whose information is believed to have been inappropriately accessed. Personal identification numbers are also being issued to potential victims, which can be used to verify their next tax return.
The Get Transcript system is offline, and the IRS has offered no timeline for its return. It states that the system will be made available again once security has been strengthened.
Criminals and Private Industry now exploiting older, well-known "secret" vulnerabilities
With new vulnerabilities reported for Android phones eating up headlines early in the month, attention on mobile security and privacy has skyrocketed. Now, 60 Minutes has offered its own discovery, stating that privacy on your smartphone was compromised long before the Stagefright and “Certifi-gate” vulnerabilities, and continues to be compromised even on devices patched for these issues. The issue at hand is not Android specific, either. Apple and Windows phones are equally at risk, because the issue stems not from an OS or manufacturer vulnerability, but from an underlying signalling protocol used by telecom companies worldwide.
While 60 Minutes may be explaining exactly how this is being done, and breaking the news that at least one company is confirmed to be offering commercial access to SS7 for location tracking, and that fake cell towers are becoming common in Australia, the vulnerability of baseband communication has been a well-known ‘secret’ for years. Berlin hackers from SR Labs reported the vulnerability of SS7 in 2008, and just last year another hacker, Tobias Engel, demonstrated what could be done with such a hack.
Secure Group has been alerting its users to the dangers of IMSI catchers for several years now, and this latest report confirms many of the threats previously deemed as ‘potential’. Make no mistake - the reported prevalence of IMSI catchers (fake cell towers) in Australia is not an isolated situation. Organized crime, individual criminals, and even terrorists have had knowledge of this vulnerability for years, and are now almost certainly making use of it at a global scale.
As discussed in the 60 Minutes report above, national governments have known about this baseband communication vulnerability for years, and have likely blocked (and continue to block) attempts to fix it because of its usefulness in tracking and surveillance. They also continue to try to block the tech industry’s move towards full device encryption, and to date are succeeding to some extent. Until this changes, it is up to private citizens to protect themselves, and one way to do this is with a Secure Phone.
Secure Group wagers that in today’s world, baseband communication is not necessary in order to communicate, and is too vulnerable to be safe. Data-only communication is easy to encrypt, not vulnerable to interception by IMSI catchers, and cheaper too. Until governments and security agencies stop putting private citizens at risk by blocking improvements to international carrier systems, your best privacy solution may be to avoid SS7 vulnerabilities altogether.
As reported by CBC News, the BC Civil Liberties Association (BCCLA) filed a complaint last year alleging that CSIS "broke the law by gathering information on the peaceful and democratic activities of Canadians." This complaint resulted in a hearing by a federal committee on Wednesday, August 12th.
According to BCCLA executive director Josh Paterson, CSIS documents reveal that the agency was watching people and groups opposed to pipeline expansion, and reported on, among other things, meetings held in a church basement in Kelowna, and at an All Native Basketball Tournament. A strong part of the outrage over this spying is that the information is allegedly being shared not only with the government and other law enforcement agencies, but also with the National Energy Board and oil and pipeline companies.
A Victoria retiree, Terry Dance-Bennick, was among those testifying at the hearing. She claims she was spied on while canvassing for the Dogwood Initiative, a group that opposes the Northern Gateway pipeline project.
"A guy at the distance was photographing us with a big long telephoto lens," Dance-Bennick told CBC News. "It's scaring people from exercising their constitutional rights to freedom of speech and freedom of assembly."
Update - August 28th
According to a warning by the Union of BC Indian Chiefs, the RCMP are planning a mass arrest of indigenous protesters camped out at Unist’ot’en Camp in protest of the Enbridge Northern Gateway and Chevron Pacific Trail pipelines.
Over 100 concerned groups and individuals have issued a letter expressing solidarity with the Unist’ot’en. The letter, which was addressed to the RCMP, federal government and BC provincial government, also denounced the government’s plan to “interfere in the rights of the Unist’ot’en to occupy, manage or maintain their lands.”
Those expressing support include the BC Assembly of First Nations, Blue Mountain Métis Nation, Idle No More, Canadian Union of Public Employees, Council of Canadians, Greenpeace Canada, Elizabeth May, David Suzuki, Naomi Klein, and Maude Barlow.
Expressing fears that Bill C-51 is being used to justify arrests of peaceful Canadian protesters, Barlow, the national chairperson of the Council of Canadians, stated that "Through the draconian Bill C51, the federal government is attempting to brand people defending the land and water as ‘security threats.’ The Unist’ot’en are heroes, while the real threat is this government destroying the planet and economy."
Related or not?
With the strong native support for anti-pipeline activities, is there a link to the decision that could see 36% of native communities lose their funding for 'failing to disclose their finances'? It is a bit of a stretch, to be sure, but the timing of this report, shortly after the Union of BC Indian Chiefs issued warnings of possible mass arrests of indigenous protesters, is a little suspect. 98% of native bands complied with the ruling, making their finances public last year. This year, 210 bands have not complied. Might the bands be protesting Harper's government in a new way? Does Ottawa's desire to force native bands to "fall in line" go beyond financial reporting?