Future Tense
The Citizen's Guide to the Future

July 29 2015 2:46 PM

Netizen Report: Emails Suggest Lebanon Used Angry Birds to Infect Devices With Malware

The Netizen Report offers an international snapshot of challenges, victories, and emerging trends in Internet rights around the world. It originally appears each week on Global Voices Advocacy. Juan Arellano, Ellery Roberts Biddle, Hae-in Lim, Katitza Rodriguez, and Sarah Myers West contributed to this report.

GVA logo

Emails leaked after Hacking Team’s systems were hacked in early July—and now searchable on WikiLeaks—indicate that Lebanon’s Interior Security Forces, General Security office, and Cybercrime Bureau all pursued contracts with the Milan-based surveillance-software maker. Emails suggest that Security Forces personnel were able to successfully infect target devices with the help of Hacking Team staff and that they created a technical “backdoor” in the devices (a virtual channel through which authorities can monitor a user’s activities) by exploiting a security flaw in Angry Birds.

These revelations confirm what various bloggers and political activists had suspected after they were summoned for questioning by the Cybercrime Bureau. Beirut-based technology journalist Habib Battah described the bureau’s approach in June:

In some cases, bloggers have claimed that police agents tricked them into giving up information by sending malware to their computers, a practice [Major Suzan Hajj Hobeiche, head of the Cybercrime Bureau] seemed to endorse by claiming “ethical hacking” used by law enforcement is sometimes needed to protect the greater good. Yet, increasingly that greater good seems to be defined by the interests of the wealthy and well-connected. …

Peru and Pakistan erode citizen privacy with new surveillance tactics
A recent executive decree from Peru’s government compels all telecommunications companies and Internet service providers to store traffic data for three years. Assuming that the decree holds, telcos will be forced to provide police with individual user data from these logs upon their request. Issued one day before Peru’s independence day, the decree explicitly states that the police should have access to geolocation data without a warrant or court order and that this data is not protected under the Peruvian Constitution. Peruvian lawyer Miguel Morachimo told the Electronic Frontier Foundation: “Any policy like that is controversial in itself, but the fact that it was directly approved by the Executive Branch without prior debate and in the middle of national holiday season is especially undemocratic.”

The decree has significant potential for abuse of its new powers. It ignores the fact that most cellphones today constantly transmit detailed location data about every individual to their carriers and that all this location data is housed in one place—with the telecommunications service provider. This will leave Peruvian police with access to more precise, more comprehensive, and more pervasive data than would ever have been possible under previous policies.

Pakistan too is planning to expand its surveillance capabilities, which could include monitoring broadband Internet traffic, phone records, and cellular data transmissions, according to a report by Privacy International. The Verge notes that because Pakistan already has stringent registration requirements, such as a national biometric ID program and SIM card registration by fingerprint, these bulk surveillance plans may be particularly invasive.

U.K. High Court strikes down discrete data retention practices
In slightly better news from the world of digital surveillance, a U.K. High Court ruled against data retention laws that allowed the government to order telecommunications companies to retain their users’ metadata for one year. The reason: The laws failed to require authorities to obtain judicial approval prior. The court also took issue with the lack of “clear and precise rules” for the collection of data in the Data Retention and Investigatory Powers Act 2014 (sections 1 and 2). The Home Office says it will appeal the decision.

Malaysia blocks news website in face of public finance investigation
Malaysia blocked news website the Sarawak Report and suspended two local papers after they published investigative reports on the suspicious transfer of $700 million from a government-managed investment fund into the personal bank account of Malaysian Prime Minister Najib Razak. While there is evidence that the government has censored the Internet in the past, this marks the first time it has publicly acknowledged doing so. Although the Malaysian Communications and Multimedia Commission claims that the block was carried out legally under the Communications and Multimedia Act of 1998, the law does not sanction censorship of online websites.

Is YouTube headed for Russia’s Internet blacklist?
Russian media and Internet watchdog Roscomnadzor issued an official warning to YouTube July 22 that the site may be added to the country’s Internet blacklist for copyright violations. The warning comes after the Moscow city court ruled that copyright was violated when two Russian TV shows were uploaded to YouTube. Though YouTube took down the videos, others were subsequently uploaded; Roscomnadzor reported seeing 137 copies on the site as of July 20.

Transparency reports: When it comes to takedowns, copyright is king
The online marketplace Etsy shut down more than 168,000 accounts over the year 2014, according to its first transparency report. It shut down 3,993 shops for violations of Etsy’s intellectual property policy and disabled 176,137 listings in response to DMCA takedown requests. However, the majority of the shutdowns were for non-IP related issues, such as spam and the sale of items prohibited on the site.

New Research

Video Advertisement

July 28 2015 10:18 PM

Jack Dorsey Wants to Reinvent Twitter

Less than a month after taking the tiller as interim CEO, Twitter co-founder Jack Dorsey is charting a new course.  

The famous Twitter timeline, in which tweets from everyone you follow are displayed in reverse chronological order, is no longer getting the job done, Dorsey said on an earnings call with investors Tuesday evening. And tweaks intended to help the company reach a broader user base, like instant timelines and a new home page for casual visitors, have failed. As a result, Twitter’s growth has been “unacceptable,” said Dorsey, who could be seen wearing a gray hoodie and a generous beard as he live-streamed the earnings call on Periscope.

Those tweaks, it’s worth noting, were implemented by his well-liked but cautious predecessor, Dick Costolo, before he was pushed out last month.

What’s needed, Dorsey said, is a broader overhaul of the Twitter product to make it more accessible to the majority of Internet users who don’t regularly log in. He called for a “questioning of our fundamentals,” including the reverse-chronological timeline, in order to “balance recency with relevance.”

For those who don’t speak social media, that’s code for “we need to get more like Facebook.” Whereas Twitter’s timeline ranks tweets by recency, Facebook’s News Feed ranks posts by relevance, as determined by complex algorithms that adapt to each user’s behavior and preferences. Twitter has been experimenting with similar software, which it now uses to show you a series of older tweets when you log in, under the heading “While You Were Away.” Expect to see more of that in the future, as Dorsey sang the feature’s praises multiple times on Tuesday’s call. “I’m definitely seeing a lot more value at the top of my stream,” he said.

Another forthcoming feature, code-named “Project Lightning,” will employ human editors to collect top tweets about trending news topics and live events as they unfold. Dorsey endorsed that as well, adding that he expects to release it this fall. But he suggested “While You Were Away” and Project Lightning are only the first steps toward an eventual shift away from reverse chronology. “There’s a lot more to do there,” Dorsey said.

From a business perspective, the Dorsey-led earnings call amounted to a blast of #realtalk from a company that under Costolo was at pains to reassure investors it was on the right path. Dorsey repeatedly said he was “not happy” with the company’s direction. Anthony Noto, the company’s buttoned-down chief financial officer, matched his boss’s grim tone. He warned investors that the user growth they’ve been clamoring for likely won’t come “for a considerable amount of time.”

An inability to grow beyond its core of loyal users has dogged Twitter since it went public in November 2013. Investors expecting the next Facebook have been disappointed quarter after quarter as user growth has flattened. This is despite consistently strong revenue growth, as Twitter has built a thriving mobile advertising business in just the past two years. Revenue was strong yet again in the most recent quarter. It topped $500 million, up 61 percent from the same quarter in 2014.

Costolo had sought to shift investors’ expectations for the company, arguing that Twitter could reach more people than Facebook even without persuading them to log in regularly. As I’ve explained, Costolo saw Twitter’s future as that of a media platform rather than a social network, with syndicated tweets gaining wide audiences beyond Twitter itself. It was a realistic vision, but evidently not a bold enough one for shareholders.

Dorsey, in contrast, hinted that Twitter will return to its earlier mission of becoming a daily destination for the majority of people on the Internet—like Facebook. Twitter should be, he said, “the first thing everyone in the world checks before they start their day.”

And whereas Costolo had essentially admitted defeat in Twitter’s bid to get more people tweeting, Dorsey argued it isn’t enough for people to consume tweets passively. In addition to being a window to the world, he said, Twitter should be “the most powerful microphone in the world.”

Key to all of these goals will be convincing people that they need another social network in their lives. To that end, Twitter is reportedly planning its first major marketing campaign.

Who will lead the company down this new path has been the subject of much speculation, particularly after reports that Square—where Dorsey is founder and CEO—is about to go public. Asked whether he is a candidate to take on the top post at Twitter on a permanent basis, Dorsey said he had “no update to provide.” But he sounded like a man gunning for the job.   

Previously in Slate:

July 28 2015 3:28 PM

The Real Reason Elon Musk Is Worried About Killer Robots

If you believe Elon Musk, you should be very, very afraid of killer robots, but maybe not for the reason you think. In an open letter published Tuesday by the Future of Life Institute, Musk, Stephen Hawking, and thousands of co-signatories call for a “ban on offensive autonomous weapons beyond meaningful human control.” This is the kind of phrase that summons up images of Arnold Schwarzenegger in the Terminator films, but that’s not what Musk and his collaborators seem to have in mind.

Nevertheless, it’s this familiar image of dystopian robopocalypse that opens all too many stories about the letter. The Washington Post, New York Times, and Huffington Post—to name but three examples—all illustrate their articles on the topic with Terminator stills. Though the articles’ authors don’t come out and say it, the connotations are clear: The robots are coming, and they want your blood.

Far from worrying that artificially intelligent killing machines are going to wipe out humanity, however, FLI has a more immediately relevant concern: research priorities. Musk has famously described artificial intelligence as an “existential threat.” But he’s also helped back research to help society “reap the benefits” of artificial intelligence “while avoiding potential pitfalls.”

This is not the first time the FLI has broached the issues surrounding A.I. through an open letter. In a previous missive, issued in January, the institute had proposed that researchers should work to “maximize the societal benefit of A.I.” by ensuring that intelligent systems “do what we want them to do.” While the attached statement of research priorities touched on autonomous weapons, it did so only in passing, offering little indication as to whether and how considerations of them should proceed.

A careful reading of the FLI’s latest open letter on autonomous warfare reveals that its authors aim to correct this oversight. “If any major military power pushes ahead with A.I. weapon development, a global arms race is virtually inevitable,” they write. Here, the danger isn’t so much that the technology will become more and more powerful but that more and more research energy will be directed toward military A.I. As it does, there will be fewer resources available to those hoping to design A.I. that preserves and sustains life.

The letter also suggests that as autonomous weapons become easier to produce, they will inevitably fall into the “hands of terrorists, dictators wishing to better control their populace, warlords wishing to perpetrate ethnic cleansing, etc.” While this is a serious and real concern, it is a far cry the hyperbolic fantasies suggested by comparisons to the Terminator films. FLI isn’t worried that A.I. will set out to kill humans. It’s concerned that humans will use A.I. to more efficiently kill one another.

Far from warning of an impending robopacalypse, then, FLI and the letter’s many co-signatories are encouraging us to rethink the way we approach A.I. today. The letter compares its proposed moratorium on autonomous weapons development to bans on chemical and biological warfare. Refraining from research into these areas doesn’t mean A.I. is on the verge of destroying all life—just that we don’t feel such research contributes to the experience of living. As Cecilia Tilli, who signed the January FLI artificial-intelligence letter, wrote in Slate, “being mindful doesn’t mean that experts believe danger lurks behind the next advance in artificial intelligence.”

It’s unfortunate that the FLI’s letter has contributed to fears about A.I. Adam Elkus has argued that such excessive concerns only make it harder for most of us to educate ourselves about what’s really going on. If we’re really going to follow the advice of Musk, Hawking, and their co-signatories, we should focus more clearly on A.I.’s “great potential to benefit humanity” and work to ensure that it can do so.

July 28 2015 2:45 PM

White House Finally Responds to Snowden Pardon Petition

Whistleblower Edward Snowden left the United States more than two years ago, and since then a petition has been circulating on WhiteHouse.gov demanding that he be pardoned. After conspicuous silence—the petition has 167,954 signatures, and all entries on the site with 100,000 or more are guaranteed a response—the administration finally posted an answer on Tuesday. It isn’t positive.

Where the petition calls for Snowden to be “issued a a full, free, and absolute pardon,” the White House response from Lisa Monaco, the president’s advisor on homeland security and counterterrorism, says, “He should come home to the United States, and be judged by a jury of his peers.”

Monaco writes:

Instead of constructively addressing these issues, Mr. Snowden’s dangerous decision to steal and disclose classified information had severe consequences for the security of our country and the people who work day in and day out to protect it.
If he felt his actions were consistent with civil disobedience, then he should do what those who have taken issue with their own government do: Challenge it, speak out, engage in a constructive act of protest, and -- importantly -- accept the consequences of his actions.

The Intercept points out that the petition response does not cite any specific examples of “severe consequences” caused by the disclosures. Additionally, Snowden himself did not publicly disclose anything classified, since news outlets like the Guardian and the New York Times were the entities that actually released documents and information. (Update July 28: Just to clarify, this is a popular interpretation among Snowden supporters like the Intercept, though many others view it as a stretch.)

The White House also said on Tuesday in a seperate blog post that it had “caught up” with responding to “every petition in our We the People backlog — 20 in all.”

In the case of Snowden, Monaco writes, “The balance between our security and the civil liberties that our ideals and our Constitution require deserves robust debate and those who are willing to engage in it here at home.” So, yeah, that blanket pardon seems like a no right now.
 

July 28 2015 9:30 AM

Court Rules That You Can’t Expect Privacy If You Butt Dial Someone

If people want to spy on your calls they can tap your phone, but they don't even have to if you inadvertently dial them yourself. And if you're in the process of committing a crime, you probably shouldn't let your smartphone call 911. Now a Cincinnati federal appeals court has ruled that if you accidentally butt dial someone you don't have a reasonable expectation of privacy.

Last week, Judge Danny Boggs compared a butt dial (which he calls a pocket-dial) to leaving a window uncovered such that a neighbor or anyone else can peer in. He was deciding an appeal in a case in which an executive on the Cincinnati/Northern Kentucky International Airport board, James Huff, called the CEO's assistant, Carol Spaw, finished the call, put his phone in his pocket, and then unintentionally called her back. During that second call, Huff started talking to another executive about replacing the airport's CEO.* Spaw said hello a few times and tried to get their attention, but they were talking about her boss, so when that didn't work she started recording the 91-minute call and taking detailed notes. Gotta do it.

By the end of call, Huff had met up with his wife, Bertha Huff, and he summarized what he had discussed with the other executive for her—just in case Spaw didn't quite catch it the first time. After the incident, Spaw distributed the recording and her notes to other members of the airport board. The Huffs are the plaintiffs in the lawsuit.

There are a lot of strange things about this butt dial, which occurred in October 2013. As Bloomberg points out, it's unusual not to check your phone for more than an hour, and as Gawker notes, it seems like even when Huff did finally identify the butt dial he didn't actually terminate the call for two minutes. Of course, the difference between leaving your curtains open and calling someone by accident is intent. You open your curtains by choice, or should be able to clearly see that they're open, as opposed to being oblivious to a butt dial. But Boggs wrote, "James Huff lacked a reasonable expectation of privacy in his statements only to the extent that a third-party gained access to those statements through a pocket-dial call that he placed." (Emphasis preserved.)

Boggs notes that there are ways to prevent butt dials, like adding a numeric code or other lock screen. He wrote:

In sum, a person who knowingly operates a device that is capable of inadvertently exposing his conversations to third-party listeners and fails to take simple precautions to prevent such exposure does not have a reasonable expectation of privacy with respect to statements that are exposed to an outsider by the inadvertent operation of that device.

The discussion goes on to say that Bertha Huff did have a reasonable expectation of privacy, because she was speaking with her husband in their hotel room and should be able to expect that he hasn't butt-dialed someone, just like she should be able to expect that he wasn't intentionally recording their conversation. Boggs wrote:

If Bertha waived her reasonable expectation of privacy from pocket-dials by speaking to a person who she knew to carry a pocket-dial-capable device, she would also waive her reasonable expectation of privacy from recordings and transmissions by speaking with anyone carrying a recording-capable or transmission-capable device, i.e., any modern cellphone.

The case will go back to district court to determine whether Spaw is liable for recording Bertha Huff. If you're not already locking your phone for security reasons (you should be), maybe it's time to do it. Your butt can get you in a lot of trouble if you're not careful.

*Correction, July 29: This post originally misidentified a speaker involved in a lawsuit about privacy expectations during cellphone pocket dials. Assistant to the CEO of Cincinnati/Northern Kentucky International Airport Carol Spaw was not talking to an executive during a phone call. Board member James Huff was.

July 27 2015 4:56 PM

Google Finally Admits Defeat on Google Plus

Google is finally going to stop trying to make Plus happen.

The company announced in a blog post Monday that it will no longer force people to use a Google Plus account to log in to other, more popular Google services. That includes YouTube, whose users have been howling for years about the Google Plus requirement. Soon they’ll be able to log in with a plain old Google account.

From Google’s blog post:

When we launched Google Plus, we set out to help people discover, share and connect across Google like they do in real life. While we got certain things right, we made a few choices that, in hindsight, we’ve needed to rethink. So over the next few months, we’re going to be making some important changes.

Those changes include moving Google Plus’s location-sharing features into Google Hangouts and its (surprisingly excellent) photo-storage features into the new Google Photos app. Google also promises to make it easier for non–Google Plus users to delete the Google Plus profiles they never wanted in the first place.

Google is framing the changes as an example of its eagerness to listen and respond to the needs of its users:

People have told us that accessing all of their Google stuff with one account makes life a whole lot easier. But we’ve also heard that it doesn’t make sense for your Google+ profile to be your identity in all the other Google products you use.

That’s a bit rich, however. Google’s users, by and large, never wanted Google Plus in the first place, and they certainly never appreciated being dragooned into it in order to use other Google services that they did want.

So in reality, this is an admission of defeat. Google marshaled all the resources and monopoly power it could muster to build Google Plus into a viable Facebook rival, user backlash be damned. It didn’t work, and the best we can say of Google is that it’s finally acknowledging what has long been obvious to everyone else involved.

This is yet another opportunity for the tech press to declare Google Plus “dead,” but death is a very slow process when it comes to such a large product. Google prefers to call it “a more focused Google Plus experience.” By that it means that the social network will shift emphasis to what might be its only genuine constituency: interest-based communities who use the platform to share news and comments about niche topics like photography, electric cars, and outer space. Google Plus’s new “Collections” feature will let people group their posts by topic and follow topics rather than just other users. Think of it as a sort of male-dominated mini-Pinterest.

That obviously isn’t what Google had in mind when it set out build a Facebook killer. And, given Google’s track record of unceremoniously shuttering niche products, it may not be enough to save the social network in the long run. Still, it’s better than what Google Plus might have eventually become if the company had kept shoving it down users’ throats: a Google killer.

Previously in Slate:

July 27 2015 2:06 PM

These Researchers Just Hacked an Air-Gapped Computer Using a Simple Cellphone

This post originally appeared in Wired.

Wired logo

The most sensitive work environments, like nuclear power plants, demand the strictest security. Usually this is achieved by air-gapping computers from the Internet and preventing workers from inserting USB sticks into computers. When the work is classified or involves sensitive trade secrets, companies often also institute strict rules against bringing smartphones into the workspace, as these could easily be turned into unwitting listening devices.

But researchers in Israel have devised a new method for stealing data that bypasses all of these protections—using the GSM network, electromagnetic waves and a basic low-end mobile phone. The researchers are calling the finding a “breakthrough” in extracting data from air-gapped systems and say it serves as a warning to defense companies and others that they need to immediately “change their security guidelines and prohibit employees and visitors from bringing devices capable of intercepting RF signals,” says Yuval Elovici, director of the Cyber Security Research Center at Ben-Gurion University of the Negev, where the research was done.

The attack requires both the targeted computer and the mobile phone to have malware installed on them, but once this is done the attack exploits the natural capabilities of each device to exfiltrate data. Computers, for example, naturally emit electromagnetic radiation during their normal operation, and cellphones by their nature are “agile receivers” of such signals. These two factors combined create an “invitation for attackers seeking to exfiltrate data over a covert channel,” the researchers write in a paper about their findings.

The research builds on a previous attack the academics devised last year using a smartphone to wirelessly extract data from air-gapped computers. But that attack involved radio signals generated by a computer’s video card that get picked up by the FM radio receiver in a smartphone.

The new attack uses a different method for transmitting the data and infiltrates environments where even smartphones are restricted. It works with simple feature phones that often are allowed into sensitive environments where smartphones are not, because they have only voice and text-messaging capabilities and presumably can’t be turned into listening devices by spies. Intel’s manufacturing employees, for example, can only use “basic corporate-owned cell phones with voice and text messaging features” that have no camera, video, or Wi-Fi capability, according to a company white paper citing best practices for its factories. But the new research shows that even these basic Intel phones could present a risk to the company.

“[U]nlike some other recent work in this field, [this attack] exploits components that are virtually guaranteed to be present on any desktop/server computer and cellular phone,” they note in their paper.

Though the attack permits only a small amount of data to be extracted to a nearby phone, it’s enough to allow exfiltration of passwords or even encryption keys in a minute or two, depending on the length of the password. But an attacker wouldn’t actually need proximity or a phone to siphon data. The researchers found they could also extract much more data from greater distances using a dedicated receiver positioned up to 30 meters away. This means someone with the right hardware could wirelessly exfiltrate data through walls from a parking lot or another building.

Although someone could mitigate the first attack by simply preventing all mobile phones from being brought into a sensitive work environment, to combat an attack using a dedicated receiver 30 meters away would require installing insulated walls or partitions.

The research was conducted by lead researcher Mordechai Guri, along with Assaf Kachlon, Ofer Hasson, Gabi Kedma, Yisroel Mirsky, and Elovici. Guri will present their findings next month at the Usenix Security Symposium in Washington, DC. A paper describing their work has been published on the Usenix site, though it’s currently only available to subscribers. A video demonstrating the attack has also been published online.

Data leaks via electromagnetic emissions are not a new phenomenon. So-called TEMPEST attacks were discussed in an NSA article in 1972. And about 15 years ago, two researchers published papers demonstrating how EMR emissions from a desktop computer could be manipulated through specific commands and software installed on the machine.

The Israeli researchers built on this previous knowledge to develop malware they call GSMem, which exploits this condition by forcing the computer’s memory bus to act as an antenna and transmit data wirelessly to a phone over cellular frequencies. The malware has a tiny footprint and consumes just 4 kilobytes of memory when operating, making it difficult to detect. It also consists of just a series of simple CPU instructions that don’t need to interact with the API, which helps it to hide from security scanners designed to monitor for malicious API activity.

The attack works in combination with a root kit they devised, called the ReceiverHandler, that gets embedded in the baseband firmware of the mobile phone. The GSMem malware could be installed on the computer through physical access or through interdiction methods—that is, in the supply chain while it is enroute from the vendor to the buyer. The root kit could get installed through social engineering, a malicious app or through physical access to the targeted phone.

The Nitty Gritty

When data moves between the CPU and RAM of a computer, radio waves get emitted as a matter of course. Normally the amplitude of these waves wouldn’t be sufficient to transmit messages to a phone, but the researchers found that by generating a continuous stream of data over the multi-channel memory buses on a computer, they could increase the amplitude and use the generated waves to carry binary messages to a receiver.

Multi-channel memory configurations allow data to be simultaneously transferred via two, three, or four data buses. When all these channels are used, the radio emissions from that data exchange can increase by 0.1 to 0.15 dB.

The GSMem malware exploits this process by causing data to be exchanged across all channels to generate sufficient amplitude. But it does so only when it wants to transmit a binary 1. For a binary 0, it allows the computer to emit at its regular strength. The fluctuations in the transmission allow the receiver in the phone to distinguish when a 0 or a 1 is being transmitted.

“A ‘0’ is determined when the amplitude of the signal is that of the bus’s average casual emission,” the researchers write in their paper. “Anything significantly higher than this is interpreted as a binary ‘1’.”

The receiver recognizes the transmission and converts the signals into binary 1s and 0s and ultimately into human-readable data, such as a password or encryption key. It stores the information so that it can later be transmitted via mobile-data or SMS or via Wi-Fi if the attack involves a smartphone.

The receiver knows when a message is being sent because the transmissions are broken down into frames of sequential data, each composed of 12 bits, that include a header containing the sequence “1010.” As soon as the receiver sees the header, it takes note of the amplitude at which the message is being sent, makes some adjustments to sync with that amplitude, then proceeds to translate the emitted data into binary. They say the most difficult part of the research was designing the receiver malware to decode the cellular signals.

For their test, the researchers used a nine-year-old Motorola C123 phone with Calypso baseband chip made by Texas Instruments, which supports 2G network communication, but has no GPRS, Wi-Fi, or mobile data capabilities. They were able to transmit data to the phone at a rate of 1 to 2 bits per second, which was sufficient to transmit 256-bit encryption keys from a workstation.

They tested the attack on three work stations with different Microsoft Windows, Linux, and Ubuntu configurations. The experiments all took place in a space with other active desktop computers running nearby to simulate a realistic work environment in which there might be a lot of electromagnetic noise that the receiver has to contend with to find the signals it needs to decode.

Although the aim of their test was to see if a basic phone could be used to siphon data, a smartphone would presumably produce better results, since such phones have better radio frequency reception. They plan to test smartphones in future research.

But even better than a smartphone would be a dedicated receiver, which the researchers did test. They were able to achieve a transmission rate of 100 to 1,000 bits per second using a dedicated hardware and receiver from up to 30 meters away, instead of a proximity phone. They used GNU-Radio software, a software-defined radio kit, and an Ettus Research Universal Software Radio Peripheral B210.

Although there are limits to the amount of data any of these attacks can siphon, even small bits of data can be useful. In addition to passwords, an attacker could use the technique to siphon the GPS coordinates of sensitive equipment to determine its location—for example, a computer being used to operate a covert nuclear program in a hidden facility. Or it could be used to siphon the RSA private key that the owner of the computer uses to encrypt communications.

“This is not a scenario where you can leak out megabytes of documents, but today sensitive data is usually locked down by smaller amounts of data,” says Dudu Mimran, CTO of the Cyber Security Research Center. “So if you can get the RSA private key, you’re breaking a lot of things.”

See also:

July 24 2015 5:17 PM

Anonymous Claims Responsibility for Census Bureau Hack

The hacking collective Anonymous says it is responsible for a breach of the United States Census Bureau's nonconfidential networks. The group tweeted about the attack on Wednesday and began posting links to troves of data and documents it had obtained.

The data includes usernames and work phone numbers/email addresses for the bureau's 4,200 employees, plus some names and job titles, information about who works in which department, and lists of internal IP addresses. As the Register points out, most of this information was already available online.

The bureau told the Register and Business Insider in a statement:

The US Census Bureau is investigating an IT security incident relating to unauthorized access to non-confidential information on an external system that is not part of the Census Bureau internal network. Access to the external system has been restricted while our IT forensics team investigates.
Security and data stewardship are integral to the Census Bureau mission. We will remain vigilant in continuing to take every necessary precaution to protect all information.

Anonymous says that the hack is in protest of Obama administration trade negotiations related to the Trans-Pacific Partnership, or TPP, and Transatlantic Trade and Investment Partnership, or TTIP. In a story about the negotiations published Friday, the Economist explained:

Gauging the exact benefits of the TPP is tricky, not least because the trade talks are still confidential. Critics have bemoaned the lack of disclosure but conducting negotiations in the open would have been a sure way to undermine them. Governments will have several months to review the final deal before deciding whether to give their assent.

Though the breach isn't as severe as the OPM hack disclosed last month, it evokes familiar feelings and potentially exposes the Census Bureau to more intense and refined phishing attempts. Monzy Merza, a security specialist at the data analysis firm Splunk, said in an email statement, "My real concern is that [the OPM hack] desensitized the public and government officials to smaller but still damaging breaches like the attack on the Census Bureau. ... Organizations need to understand who is accessing their networks, from where, and for how long."

Maybe in August we can try going a whole month without a government hack.

July 24 2015 3:36 PM

How the Secretive Market for Zero-Day Exploits Works

Wired logo

The underground market for zero-day exploit sales has long been a hidden dark alley to anyone but the hackers and sellers who call it home. But the recent hack of the Italian spyware maker Hacking Team, and the subsequent dump of 400 gigabytes of its internal emails, has shone a bright light on the nature of exploit sales, how they’re negotiated, and how they’ve been kept in check by security protections.

At least three zero-day exploits have been uncovered so far among the trove of data leaked by the attacker who breached Hacking Team. Hacking Team buys zero-day exploits in order to install its spyware, known as RCS, on targeted systems. It provides both the exploits and RCS to government intelligence and law enforcement agencies around the world, and has come under attack for selling to repressive regimes, who’ve used them to target political activists and dissidents. But more interesting than the fact that the company possessed zero days—this was already known—is the correspondence around how Hacking Team acquired these valuable tools, prized equally by criminal hackers and government intelligence agencies.

Security researcher Vlad Tsyrklevich culled through the leaked documents and says they provide one of the first extensive public case studies of the zero-day market. The emails expose a wealth of information about the going-rate for exploits, the terms-of-sale, and the parties negotiating deals with Hacking Team and other buyers.

One so-called Starlight-Muhlen exploit Hacking Team sought, for example, was going for $100,000. Exclusive iOS exploits could cost as much as half a million, according to one of Hacking Team’s sellers. It’s long been known that zero-days can sell for anywhere between $5,000 to half a million or more, but seeing the price negotiations in writing provides new insight into the fluid value of zero-days. Payments by Hacking Team were generally made in two- and three-month installments that instantly dissolved if a vulnerability the exploit targeted got discovered and patched by the software maker, eliminating its value.

The documents also help support assumptions about the effectiveness of some security controls. Hacking Team’s persistent request for exploits that could break out of sandboxes, for example, and its frustration over failed exploits, support assumptions that sandboxes are worth the effort to include them in software.

A sandbox is a security feature that’s meant to contain malware and keep it from breaking out of a browser and affecting a computer’s operating system and other applications. Sandbox vulnerabilities are highly prized because they’re hard to find and allow an attacker to escalate control of a system.

“[H]aving to buy Windows local privilege escalation [exploits] to get around Windows sandboxes is good for defenders,” Tsyrklevich told WIRED. “It’s good to know that [the security measure is] not completely trivial.”

The leaked emails are notable for another reason, however: they also show that Hacking Team struggled to find vendors willing to sell to it, since some suppliers would only sell straight to governments and refused to do business with the firm. Though Hacking Team began seeking zero days in 2009 and contacted a number of sellers over the years, it appears to have failed to secure zero days until 2013.

Furthermore, over the course of the six years that Hacking Team was in the market to purchase zero days, it appears to have only acquired about five, based on what Tsyrklevich was able to uncover in his analysis. This included three Flash zero-days, one Windows local privilege escalation/sandbox escape exploit, and one exploit for Adobe Reader.

“That’s fewer than what I think many people would have expected of them,” he told WIRED.

The emails show that in 2014, Hacking Team attended the SyScan conference in Singapore for the specific purpose of recruiting exploit developers to work directly for them and bypass the problem of reluctant sellers. They also thought it would help them avoid paying middlemen resellers who they felt were inflating prices. The strategy worked. Hacking Team met a Malaysian researcher named Eugene Ching, who decided to quit his job with D-crypt’s Xerodaylab and go solo as an exploit developer under the business name Qavar Security.

Hacking Team signed a one-year contract with Ching for the bargain price of just $60,000. He later got a $20,000 bonus for one exploit he produced, but it was a valuable exploit that Tsyrklevich notes could have sold for $80,000 alone. They also got him to agree to a three-year non-compete, non-solicitation clause. All of which suggests Ching didn’t have a clue about the market rates for zero days. Ching’s talents weren’t exclusive to Hacking Team, however. He apparently also had a second job with the Singapore Army testing and fixing zero-day exploits the military purchased,according to one email.

Others who didn’t have a problem selling to Hacking Team included the French firm VUPEN security, as well as the Singapore-based firm Coseinc, the US-based firms Netragard and Vulnerabilities Brokerage International and individual exploit developers like Vitaliy Toropov and Rosario Valotta.

Tsyrklevich notes that despite increasing publicity over the last few years about Hacking Team’s nefarious customers, the company suffered little blowback from exploit sellers. “In fact, by raising their profile these reports served to actually bring Hacking Team direct business,” he notes. A year after the research group at CitizenLab published a report that HackingTeam’s spy tool had been used against political activists in the United Arab Emirates, Hacking Team took on a number of new suppliers.

Among them was Vitaliy Toropov, a 33-year-old Russian exploit writer based in Moscow, who approached the company in 2013 offering a portfolio with three Flash zero-days, two Safari zero-days, and one for Microsoft’s popular Silverlight browser plug-in, which Netflix and others use for online video streaming.

His asking price? Between $30,000 and $45,000 for non-exclusive exploits—meaning they could be sold to other customers as well. Exclusive zero-days, he wrote, would cost three times this much, though he was willing to offer volume discounts.

Hacking Team had three days to evaluate exploits to determine if they worked as advertised. The company offered to fly Toropov to Milan to oversee testing, but he declined.

“Thanks for your hospitality, but this is too unexpected for me,” he wrote in an email, promising that his exploit code would lead to “fruitful collaboration.”

He turned out to be right about that. Although Hacking Team was disappointed in his offerings—the spy firm really wanted privilege-escalation and sandbox exploits that Toropov didn’t have—they were satisfied enough to buy Flash exploits from him. And when one of these got patched a month after purchase, he even gave them a replacement for free.

Another seller was the information security firm Netragard, despite the company’s stated policy against selling to anyone outside the US. Hacking Team got around the restriction by using a US middleman, Cicom USA, with Netragard’s approval. That is, until the relationship with Cicom deteriorated and Hacking Team asked to deal directly with Netragard. Netragard agreed to waive its US-only requirement, telling the Italian firm in March 2015 that it had recently begun to relax its customer policy. “We do understand who your customers are both afar and in the US and are comfortable working with you directly,” Netragard CEO Adriel Desautels told Hacking Team in an email. Netragard offered a fairly rich catalogue of exploits, but Desautels claimed in a recent tweet that his company “only ever provided one exploit to [Hacking Team] ever.”

Notably, Netragard abruptly announced last week that it was closing its exploit acquisition and sales business, following the public disclosure that it was doing business with a firm selling to repressive regimes. In a blog post, Netragard CEO Adriel Desautels wrote: “The HackingTeam breach proved that we could not sufficiently vet the ethics and intentions of new buyers. HackingTeam unbeknownst to us until after their breach was clearly selling their technology to questionable parties, including but not limited to parties known for human rights violations. While it is not a vendors responsibility to control what a buyer does with the acquired product, HackingTeam’s exposed customer list is unacceptable to us. The ethics of that are appalling and we want nothing to do with it.”

Another controversial supplier was VUPEN, a company whose sole business is selling exploits to governments. Its relationship with Hacking Team was apparently fraught with frustration, however. Hacking Team accused VUPEN of keeping its best exploits for other customers and only providing them with old or non-zero-day exploits. They also accused VUPEN of intentionally burning some exploits—for what purpose is unclear.

Altogether the trove of leaked data from Hacking Team underscores that the market for zero days is robust, but it only exposes one sector. Other more important ones remain opaque. “Hacking Team is a second-rate company that had to work hard to find people who weren’t going to treat it as such,” notes Tsyrklevich. More interesting would be comprehensive data on what the market looks like these days for the first-rate buyers who pose the greatest threat—well-resourced governments and intelligence agencies.

One good thing about the leak, however. The three zero-days exposed so far in Hacking Team’s possession have now been patched, and the leaked data contains a lot of additional information that security researchers can now use to investigate additional vulnerabilities that have never been disclosed and patched.

“There are some bugs described by these vendors (primarily VBI and Netragard) that people can audit for and fix,” Tsyrklevich told WIRED. “We can fix bugs that Hacking Team didn’t even buy!”

See also:

July 23 2015 7:02 PM

This New Ikea Place Mat Has a Smartphone Pouch. What Is Happening?

In the 21st century there's just an obligation to "go digital." But if you're, say, a furniture company, it might not be immediately clear how to do that. Ikea for one has been trying, but so far its efforts have seemed pretty forced. And the company's new place mat, which has a pouch sewn onto it for stowing your smartphone during a meal, is not helping things.

The mats are part of a new limited-edition tableware line coming out in September called Sittning. There are bowls, platters, wine glasses, pitchers, serving spoons, you get the idea. And then there are the place mats. (Huffington Post says that they will cost about $2 each.)

pocket1
You can’t read the notification, but you’re still distracted by it!

Photo by Joakim Kroger/Ikea

The mats have a pretty loose weave so you can see when your phone lights up. This seems like a problem, though, because you can't read what the screen says, but you can still be distracted by the light. I guess you could put your phone facedown in the pocket. Mashable, which spotted the mats, reports that they're going to be called “Logged out.Oof.

The most painful thing about this pouch is that I can see people (myself included) using it. If it's tucked away, your phone won't dig into your leg from inside your pants pocket and you won't get food on it. But to be clear, I can also see people not using the pouch. You may have already seen this happening all the time. We get by just fine stowing our phones in bags and pockets, or on surfaces that aren’t for food.

If we even need our place mats to give aesthetic and functional nods to electronics, we may officially be too obsessed. I wouldn't be surprised if a whole etiquette evolves around using the pouches, and that makes me sad.

pocket3
Spotted in the wild.

Photo by Joakim Kroger/Ikea

READ MORE STORIES