Showing posts with label Joshua Kopstein for Motherboard. Show all posts

Sunday, 4 December 2016

Enter 'The Glass Room,' Where Privacy Goes To Die

The line of people moving down Mulberry Street in Manhattan’s SoHo district on Tuesday night could’ve easily been confused for a product launch. It was pouring rain, and the mostly-young crowd was slowly shuffling past designer handbag stores and into a shiny, brightly-lit storefront reminiscent of Apple’s trademark retail destinations.

Unbeknownst to them or anyone casually passing by on the street, their smartphones were being tracked. An array of cylindrical Yagi antennas pointed outward from the storefront’s windowed entrance, recording the positions and unique MAC addresses of every WiFi-enabled device that wandered by—a setup reminiscent of the “Stingray” fake cell tower devices secretly used by police to track cellphones en masse. Inside, a huge screen displayed a map of those devices as their owners sauntered about the space, consuming hors d’oeuvres and cocktails with cheeky cyber-themed names like “The Firewall.”

The “store” isn’t actually a store, of course. This was the opening party for The Glass Room, a pop-up digital privacy space that’s free and open to the public through December 14, courtesy of Mozilla, makers of the Firefox browser, and the Tactical Technology Collective, a Berlin-based activist group known for interventions in online security and digital rights.


One of the featured exhibits at The Glass Room. Image: Joshua Kopstein

The “products” that sit on pedestals inside the Glass Room aren’t for sale, and range from playful art installations to demonstrations of actual surveillance tools used by law enforcement and private corporations. Near the front is a multi-volume hardcover encyclopedia of LinkedIn passwords leaked in a 2012 data dump, printed by artist Aram Bartholl. On a large table behind the books is a glass bubble enclosing a scale model of Mark Zuckerberg’s infamously-secluded home (he bought the 4 surrounding houses to ensure his privacy) as well as a reconstruction of the main offices of Palantir, the shadowy US government data mining contractor started by noted Donald Trump supporter and alleged vampiric billionaire Peter Thiel.

Further back beyond a small set of stairs are more white pedestals displaying actual surveillance products, like Snapshot, a DNA phenotyping service offered by a company called Parabon NanoLabs, which reconstructs “mugshot” facial profiles from DNA samples. (Not long ago, the same capability was first demonstrated as a speculative art project by artist Heather Dewey-Hagborg.)


The Data Detox exhibit at the Glass Room. Image: Joshua Kopstein

Another display attempts to recreate a real surveillance system called Texas Virtual BorderWatch, which until 2012 used a network of 200 connected cameras to allow real-time crowdsourced policing of the US-Mexican border. There’s also Humanyze, a wearable tracking device that lets companies collect “people analytics” about employees’ movements and activities while on the clock, to optimize for productivity—something the device’s creators unnervingly claim “will become the norm of future workplaces.”

Mark Surman, the executive director of Mozilla’s non-profit arm, hopes the installations will help provoke an awakening in regular people who never thought they had skin in the privacy and security game.

“Really, this is a moment where we need to get everybody as citizens thinking about the health of the internet,” he said during a press preview event just prior to the space’s opening.

With the imminent arrival of an administration that has openly expressed contempt towards privacy, the free press, civil rights, and the rule of law, Surman’s concern seems like a huge understatement. The list of surveillance powers President-elect Donald Trump will inherit on January 20th—which privacy advocates have long fought against—is frighteningly long, and still growing: On Thursday, Congress failed to block a procedural rule change that gives the FBI the legal authority to hack millions of computers around the globe under a single warrant.

As Surman and I chatted about the closely-intertwined dangers presented by large-scale data collection, unaccountable machine learning algorithms, and the pathetically-insecure Internet of Things, it was hard not to be overwhelmed by the sense that we’re completely and utterly fucked. But seeing the mobilization of security-focused activist groups in the aftermath of the election, along with high-profile interventions like the Glass Room, there seems to be evidence that many people are finally done hitting the snooze button on stepping up their privacy game.

For what it’s worth, the Edward Snowden-approved encrypted messaging app Signal has seen a significant jump in popularity in the weeks since the election. And in New York and elsewhere, digital security trainings that teach threat-modeling and privacy tools are starting to spring up with a renewed sense of urgency, as activists and marginalized communities brace themselves for at least four years of a Trump presidency.

The Glass Room will also be hosting workshops on digital security and surveillance, as well as handing out “digital detox” kits—a kind of privacy 10-step program designed to reduce your data footprint.

“My mantra right now is we have to take this set of issues and bring it into the mainstream, because the stakes are going up,” Surman told me. “None of this is unsolvable, we just have to try and take it seriously.”


Sunday, 13 November 2016

Signal Downloads Spiked After Election Results

If you use the popular encrypted messaging app Signal, you may have noticed an influx of friends downloading the app following the conclusion of the 2016 US presidential election.

Signal received some significant buzz on November 9th, as the world awoke to find out Donald Trump was president-elect. In the 48 hours after the final results were announced, my phone had buzzed with no less than two dozen notifications informing me that friends and acquaintances—many of whom I’d long lost contact with—had finally installed the end-to-end encryption app, which has been praised by security experts and famously endorsed by NSA whistleblower Edward Snowden.

“Signal's growth has really accelerated over the past week, and it isn't showing any sign of slowing down,” Moxie Marlinspike, the pseudonymous creator of Signal’s encryption protocol, told Motherboard in an encrypted chat.

On Twitter and the App Store, Signal began trending in the US as cybersecurity experts recommended people download the app as part of their preparation for the difficult days ahead. Open Whisper Systems, the non-profit behind the app’s open-source development, didn’t mention any specific plans to respond to the turn of events in the US. But its creators note that Signal—which was adopted by Hillary Clinton’s campaign staffers after a series of damaging data breaches—was specifically designed to protect people in these kinds of situations.

“People are really starting to take privacy truly seriously, perhaps for the first time since the Snowden revelations,” Signal designer Tyler Reinhard told me after Signal downloads spiked earlier this week.

For privacy advocates, it’s a silver lining to a highly contentious election year. Given that Trump has explicitly promised to jail his political opponents, prosecute journalists, and punish women for having abortions, there will likely be no shortage of people newly-emboldened to take steps to protect their communications and data.

The crypto wars will likely continue as well, and there’s no guarantee Signal will be shielded from the fray. A significant portion of Signal’s development is currently paid for by a grant from the Open Technology Fund, an initiative that also funds the Tor anonymity software and is backed by the US government entity the Broadcasting Board of Governors. On the surface, that seems like it could be bad for Open Whisper Systems, given that Trump has openly expressed hostility towards strong encryption—specifically, by railing against Apple when it refused to help the FBI build a backdoor into the iPhone.

“That’s not really something we’re wringing our hands over,” said Reinhard, the Open Whisper Systems designer, adding that having an open-source community of developers bringing usability to Signal is more precious than government funding.

As for how encryption technology might develop under a Trump administration, Reinhard is optimistic.

“People really underestimate or under-index how crazy things were during the Bush administration,” he says. “That was a really dystopian time, but if you look at it in retrospect, that’s also where so many new ideas in technology came from.”

Update: This article has been updated with comment from Tyler Reinhard.




Monday, 31 October 2016

How to Get Zcash, Bitcoin’s Anonymous Baby Cousin

Image: Zcash

Cryptocurrencies are a dime a dozen these days, and it seems like a week doesn’t go by without news of digital thefts, crashes, and cataclysmic conflicts in the world of decentralized digital money.

Nevertheless, a newly-launched cryptocurrency created by expert cryptographers holds the distinction of being the only one explicitly designed to provide bitcoin’s biggest missing feature: anonymity.

Zcash, which went live on Friday with version 1.0 “Sprout,” is essentially an experimental fork of bitcoin that attempts to address an inherent contradiction of the supposedly “untraceable” cryptocurrency. Rather than publish the full details of all transactions on a distributed public ledger called the blockchain, Zcash can mask the sender, recipient, and amount of all transactions using what’s known in mathematics as a zero-knowledge proof.

Basically, a zero-knowledge proof is a way to mathematically prove a statement is true without revealing any of the information you’d normally need to prove it. Suffice it to say, this sorcery allows Zcash transactions to be validated without actually exposing any of their details. Zcash founder and CEO Zooko Wilcox-O’Hearn has been working on the concept for at least as long as bitcoin’s mysterious pseudonymous creator, Satoshi Nakamoto, and has enlisted cryptographers from Johns Hopkins University who originally drew up plans for a bitcoin anonymity upgrade called ZeroCoin.

As Zcash’s creators put it: “If bitcoin is like http for money, Zcash is https,” referring to the now-ubiquitous secure protocol that protects a website’s visitors from eavesdropping.


Zcash also notably addresses another of the biggest pitfalls of bitcoin and its ilk: that big corporations with tons of dedicated computers are pretty much the only ones with any shot at mining the cryptocurrency.

As time goes on, the “difficulty” of mining cryptocurrencies like bitcoin—which involves computers solving millions of complex math problems, to generate what’s called a “proof-of-work”—increases dramatically, making it virtually impossible to mine coins unless you own a storehouse in China filled with thousands of specially-designed CPUs. But because Zcash mining is mostly dependent on a computer’s RAM, it’s feasible to mine using regular old CPUs and GPUs, dramatically lowering the barrier to entry.

That means right now you can download the Zcash client (for best results, on a beefy PC), follow these instructions to configure your wallets and such, and get started mining.

For now, the Zcash client will unfortunately only run on 64-bit systems running Linux, and its interface is entirely command line-based. If you’re not the technical type, you can still buy Zcash (ZEC) with fiat currencies the usual way on various online cryptocurrency exchanges. You can also sign up for a service that mines ZEC for you on a dedicated machine in the cloud.

As with all cryptocurrencies, safety is not guaranteed. Zcash is experimental, and still has a number of outstanding security issues. But if you’re willing to accept the risk and want to spend some CPU cycles digging for Zcash coins, it’s always possible they’ll be worth something someday.




Sunday, 23 October 2016

Twitter Account Shows Mirai Botnets Using Your Security Camera In Cyber Turf War

In the wake of a major cyber attack that blocked access to popular websites along the East Coast on Friday, security researchers have created a Twitter account that posts live updates of ongoing distributed denial-of-service (DDoS) attacks being launched by massive armies of smart devices compromised by malware known as Mirai.

The account, called Mirai Attacks, includes updates showing the IP addresses being targeted by the zombie botnets bearing the malware’s digital signature, which currently include over half a million infected Internet of Things devices like security cameras and smart TVs. The compromised devices were partly blamed for a large attack on Friday that targeted key infrastructure supporting the internet’s Domain Name System (DNS), resulting in outages for popular sites including Twitter, Reddit, and Etsy.

Image: Mirai Attacks

The Twitter account uses data compiled by researchers known as MalwareTech and 2sec4u, who have been mapping the spread of the malware ever since it was found responsible for a record-breaking DDoS attack against the website of cybersecurity reporter Brian Krebs. Following that attack, a hacker named Anna-senpai released the malware source code for free through a criminal hacking forum, presumably to cover their tracks as the attacks began making headlines. The malware is designed to scan for security cameras and other internet-connected “smart” devices that are still using their default passwords.

It’s still unclear who is behind the attacks, and several distinct Mirai botnets have emerged since the malware’s release. According to the researchers, the botnets have even been observed attacking one another, in some kind of bizarre cyber-dystopian turf war.

In any case, it’s probably a good idea to change the passwords on all your Internet of Things devices—or preferably keep them offline altogether.




Find Out If One of Your Devices Helped Break the Internet

Security experts have been warning for years that the growing number of unsecured Internet of Things devices would bring a wave of unprecedented and catastrophic cyber attacks. Just last month, a hacker publicly released malware code used in a record-breaking attack that hijacked 1.5 million internet-connected security cameras, refrigerators, and other so-called “smart” devices that were using default usernames and passwords.

On Friday, the shit finally hit the fan.

A massive distributed denial of service (DDoS) attack took down the core internet infrastructure supporting many popular websites, aided in part by a massive army of infected devices, or botnet, known as Mirai. The attack affected Domain Name System (DNS) servers hosted by the management company Dyn, making websites like Github, Twitter, and Reddit inaccessible throughout the day. Astonishingly, other companies responsible for monitoring internet infrastructure reported that the attack only utilized around 10 percent of the Mirai botnet, which currently recruits over half a million infected devices.

The attack is a reckoning of sorts for companies selling hordes of poorly-secured IoT products. But it should also be a major wake-up call to the thousands of people putting internet-connected fridges, light bulbs, thermostats, and other appliances in their homes.

In other words: If you’ve bought into the Internet of Things, now is the time to make sure your “smart” device isn’t being hijacked by hackers to take down the internet.

Thankfully, it’s pretty easy to check on this using online tools like Bullguard’s IoT Scanner. The scanner will detect any devices on your home network that are publicly exposed and potentially accessible to hackers using the vulnerability scanning service Shodan, which is kind of like Google for finding unprotected computers and webcams.

If the scan identifies any devices exposing themselves on your network, it’s time to take action: Access the device through whatever app or admin panel the vendor specifies and immediately change its login and password. IoT devices are notorious for keeping their factory default usernames and passwords, and the Mirai malware specifically uses a list of those defaults to scan for unprotected devices to recruit into its zombie army. So taking this simple step can go a long way.

This will protect your devices from basic attacks like Mirai, which target default passwords. But keep in mind it won’t do any good if a hacker can exploit an unpatched security vulnerability, which, given the poor track record of IoT devices, seems fairly inevitable.

For extra security, it’s also a good idea to log in to your router and “whitelist” all the devices you use to access your network by entering their unique Media Access Control (MAC) address. This way, you’ll have much better assurance that strange machines won’t be accessing devices on your network.

But given the laughably-poor state of security on most consumer IoT products, the best way to prevent your devices from DDoS’ing a gaming server in South Korea is to not connect them in the first place.

You don’t really need your dog to videochat you at work, do you?




Sunday, 2 October 2016

‘Shadow Brokers’ Whine That Nobody Is Buying Their Hacked NSA Files

The hacking group responsible for stealing a large cache of National Security Agency hacking tools is very upset that no one seems to be bidding on their pilfered files.

Early Saturday morning, the person or group which calls itself “TheShadowBrokers” authored another bizarre rant, expressing their annoyance at the seeming lack of interest in ponying up bitcoins to release the full set of stolen files.

“Peoples is having interest in free files ... But people is no interest in #EQGRP_Auction,” the mysterious hacker group complained in a ranting post on Medium, which seems to be purposely written in Borat-style broken English. “TheShadowBrokers is thinking this is information communication problem.”

The message also blindly lashes out at hackers, foreign intelligence services, and basically anyone else who hasn’t bid on the files.

“TheShadowBrokers … is thinking peoples is having more balls, is taking bigger risks for to make advantage over adversaries,” the group adds. “Equation Group is pwning you everyday, because you are giant fucking pussies.”

“So Shadow Brokers are implicitly criticising me for not buying their zero days, or what?” Mustafa Al-Bassam, October 1, 2016

TheShadowBrokers originally made headlines after posting a sample of the cache, which contained exploit code matching the names and functionality of several previously-revealed NSA hacking tools. The contents and organization of the files led experts to conclude that they were accidentally left behind on a compromised server once used as a staging area by an NSA-linked hacking entity called Equation Group.

That theory was reinforced last week, when Reuters reported that “four people with direct knowledge” of an FBI investigation into the leak had stated that the files were found by Russian hackers after NSA operatives “mistakenly” abandoned them on a remote server. There is still no conclusive evidence that TheShadowBrokers is associated with Russian intelligence services, however.

Motherboard reached out to the hackers and will post an update if we receive a response. However, the group stated in their Medium post that they would only agree to interviews if offered money.

Of course, it’s not exactly surprising that no one is rushing to bid on the group’s stolen files. While the tools are likely legit, the high profile of the leak makes it insanely risky, and the suspected age of the exploit code makes it unclear whether the hacks are even still effective.

At the time of this writing, TheShadowBrokers have only received bids for a total of 1.76 bitcoins—or about $1,082—far below the group’s asking price of $1 million.




Tor Users Might Soon Have a Way to Avoid Those Annoying CAPTCHAs

If you’ve ever used the Tor anonymity software to browse the web, there’s a good chance you’re very familiar with CAPTCHAs, the prove-you’re-a-human puzzles that have you select images containing street signs, storefronts, or bodies of water before accessing a site.

Tor users have to solve these puzzles constantly, and privacy advocates have complained that it dramatically degrades the experience of people who want to browse the web anonymously. CloudFlare, a content delivery network that has widely implemented CAPTCHAs, has staunchly defended its use against Tor-associated IP addresses, saying the tests are necessary to defend sites against bots and spammers since a large amount of malicious traffic originates from the Tor network.

But a new repository on CloudFlare’s Github page shows that the company is developing an alternative method for anonymous users to access sites without having to repeatedly solve annoying CAPTCHA puzzles—something privacy advocates will likely see as a step in the right direction.

“While CAPTCHAs in themselves are supposed to be easily solvable for humans, Tor users are dealt a disproportionate amount of these challenges due to the regularity of Tor exit nodes being dealt with poor IP reputations,” the authors of the new specification write. “This problem has been likened to an act of censorship against Tor users as these users are the most targeted by this protection mechanism.”

To solve this, the authors propose a Tor browser plugin that would store “unlinkable” authentication tokens, which Tor users would provide to prove they’re not spammy bots without having to repeatedly solve CAPTCHAs or risk identifying themselves. As Brave developer Yan Zhu points out, the spec is based around the concept of “blind signatures,” originally proposed in 1983 by cryptographer David Chaum.

“In essence, the protocol allows a user to solve a single CAPTCHA and in return learn a specified number of tokens that are blindly signed that can be used for redemption instead of witnessing CAPTCHA challenges in the future,” the CloudFlare authors write. “By issuing a number of tokens per CAPTCHA solution that is suitable for ordinary browsing but too low for attacks, we maintain similar protective guarantees to those of CloudFlare's current system. We also leave the door open to an elevated threat response that does not offer to accept bypass tokens.”
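The issue-and-redeem flow the CloudFlare authors describe, as an added example that is not code from the repository or the article: the client solves one CAPTCHA, receives a small batch of blindly signed tokens, and later redeems each one once, while the issuer cannot connect a redeemed token back to the CAPTCHA solve. It uses Chaum’s RSA blind signature with a constructed toy key; the class and function names are this example’s own.

```python
"""Unlinkable CAPTCHA-bypass tokens via Chaum RSA blind signatures.

Added example, not CloudFlare's code: textbook RSA blind signatures
(Chaum, 1983) over a constructed toy key; all names are this example's own.
"""
import hashlib
import math
import secrets

# Constructed toy key: p = 2^61-1, q = 2^89-1 (both prime), ~150-bit modulus.
_P, _Q, _E = (1 << 61) - 1, (1 << 89) - 1, 65537
_N = _P * _Q
_D = pow(_E, -1, (_P - 1) * (_Q - 1))
PUBKEY, PRIVKEY = (_N, _E), (_N, _D)


def _token_digest(nonce: bytes, n: int) -> int:
    """Full-domain-style hash of the token nonce into Z_n."""
    return int.from_bytes(hashlib.sha256(b"bypass-token:" + nonce).digest(), "big") % n


class TokenClient:
    """Browser-plugin side: blinds fresh nonces, later unblinds the signatures."""

    def __init__(self, pubkey):
        self.n, self.e = pubkey
        self._pending = []   # (nonce, blinding factor) awaiting signatures
        self.tokens = []     # (nonce, signature) ready to redeem

    def blind_requests(self, count: int):
        """One blinded value per future token; the issuer only sees H(t) * r^e mod n."""
        blinded = []
        for _ in range(count):
            nonce = secrets.token_bytes(32)
            r = secrets.randbelow(self.n - 2) + 2
            while math.gcd(r, self.n) != 1:
                r = secrets.randbelow(self.n - 2) + 2
            blinded.append(_token_digest(nonce, self.n) * pow(r, self.e, self.n) % self.n)
            self._pending.append((nonce, r))
        return blinded

    def unblind(self, blind_sigs):
        """s = s' * r^-1 mod n, checked against the public key before storing."""
        for (nonce, r), s_blind in zip(self._pending, blind_sigs):
            sig = s_blind * pow(r, -1, self.n) % self.n
            if pow(sig, self.e, self.n) != _token_digest(nonce, self.n):
                raise ValueError("issuer returned an invalid blind signature")
            self.tokens.append((nonce, sig))
        self._pending = []


class TokenIssuer:
    """Edge side: signs blinded values after one CAPTCHA solve; accepts each token once."""

    def __init__(self, privkey, pubkey, tokens_per_solve: int = 30):
        self.n, self.d = privkey
        self.e = pubkey[1]
        self.tokens_per_solve = tokens_per_solve  # enough to browse, too few to attack
        self.accept_bypass = True                  # False models the elevated threat response
        self._spent = set()
        self.issued_log = []                       # everything the issuer could ever record

    def issue(self, captcha_solved: bool, blinded):
        if not captcha_solved or len(blinded) > self.tokens_per_solve:
            raise PermissionError("no CAPTCHA solution, or too many tokens requested")
        blind_sigs = [pow(b, self.d, self.n) for b in blinded]
        self.issued_log.extend(zip(blinded, blind_sigs))
        return blind_sigs

    def redeem(self, token) -> bool:
        """Valid signature on an unseen nonce lets the request through."""
        nonce, sig = token
        if not self.accept_bypass or nonce in self._spent:
            return False
        if pow(sig, self.e, self.n) != _token_digest(nonce, self.n):
            return False
        self._spent.add(nonce)
        return True


def run_protocol(tokens: int = 10) -> dict:
    """Full exchange; returns the checks a reviewer would want to see."""
    client, issuer = TokenClient(PUBKEY), TokenIssuer(PRIVKEY, PUBKEY)
    client.unblind(issuer.issue(True, client.blind_requests(tokens)))
    # Nothing the issuer logged at issue time reappears at redemption time.
    seen = {v for pair in issuer.issued_log for v in pair}
    unlinkable = all(sig not in seen and _token_digest(t, _N) not in seen
                     for t, sig in client.tokens)
    token = client.tokens.pop()
    forged = (secrets.token_bytes(32), token[1])   # genuine signature, wrong nonce
    first, again, bogus = issuer.redeem(token), issuer.redeem(token), issuer.redeem(forged)
    issuer.accept_bypass = False                   # elevated threat response
    return {"issued": tokens, "unlinkable": unlinkable, "first_redeem": first,
            "double_spend": again, "forged": bogus,
            "under_elevated_threat": issuer.redeem(client.tokens.pop())}
```

The per-solve cap and the `accept_bypass` switch are the two knobs the spec’s authors describe: the first limits how many requests one CAPTCHA solve can buy, the second lets the edge stop honouring tokens entirely under attack.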

Cloudflare CEO Matthew Prince confirmed to Motherboard that the company is working on the feature, but declined to comment at this early stage. “We’ll have a lot to say about this when it’s ready,” Prince told Motherboard in an email.

While it’s obviously a work in progress, the feature, if implemented correctly, could make the web a lot more usable for Tor users around the world. If nothing else, it seems to be a step in the right direction toward some sort of compromise between improving the experience of anonymous users and defending websites from spammers and hackers.


Monday, 26 September 2016

Neural Networks Are Alarmingly Good at Identifying Blurred Faces

In a world of ubiquitous smart-phone cameras, drones, and Google Street View cars, there’s probably never been a more important time to start protecting the identities of people unwittingly captured in photos and videos.

But while websites like YouTube have started offering tools to obscure faces and other objects appearing in digital media, researchers have found that those protections can be defeated at an alarming rate thanks to recent advances in artificial intelligence.

In a paper released earlier this month, researchers at UT Austin and Cornell University demonstrate that faces and objects obscured by blurring, pixelation, and a recently-proposed privacy system called P3 can be successfully identified by a neural network trained on image datasets—in some cases at a more consistent rate than humans.

“We argue that humans may no longer be the ‘gold standard’ for extracting information from visual data,” the researchers write. “Recent advances in machine learning based on artificial neural networks have led to dramatic improvements in the state of the art for automated image recognition. Trained machine learning models now outperform humans on tasks such as object recognition and determining the geographic location of an image.”

For the experiment, the researchers trained the neural network on four different datasets to focus on defeating three types of image obfuscation: Pixelation (also called “mosaicing”), blurring (the Gaussian blur you’ve probably seen applied to faces and signs in Google Street View), and a new method called Privacy Preserving Photo Sharing, or P3, which splits images into a “public” and “private” version, with the latter having sensitive elements removed.

After being trained on a dataset of 530 individuals, the researchers’ neural net was able to recognize pixelated images at a rate of 57 percent, increasing to as high as 72 percent when the system was fed the top five guesses. The neural net could also identify blurred images at over 50 percent accuracy after being trained on 40 black-and-white photos blurred by YouTube, and 40 percent accuracy when tested against images obscured by P3.

“The key reason why our attacks work is that we do not need to specify the relevant features in advance,” the researchers explain. “We do not even need to understand what exactly is leaked by a partially encrypted or obfuscated image. Instead, neural networks automatically discover the relevant features and learn to exploit the correlations between hidden and visible information.”

In the future, the authors say that people designing privacy systems will need to step up their game to consider not just how to obscure sensitive parts of a photo or video, but how to prevent visible data from being used by neural networks to reconstruct or infer the missing information.

“Unfortunately, we show that obfuscated images contain enough information correlated with the obfuscated content to enable accurate reconstruction of the latter,” the authors conclude. “Modern image recognition methods based on deep learning are especially powerful in this setting because the adversary does not need to specify the relevant features of obfuscated images in advance or even understand how exactly the remaining information is correlated with the hidden information.”




Sunday, 25 September 2016

Changing Passwords After a Breach Is Still Way Too Hard

Yahoo’s announcement earlier this week that 500 million user accounts were compromised inspired another prolonged sigh, at a time when data breaches are so commonplace they sometimes seem like background noise.

According to the company, a “state-sponsored actor” was responsible for the breach, which exposed “names, email addresses, telephone numbers, dates of birth, hashed passwords (the vast majority with bcrypt) and, in some cases, encrypted or unencrypted security questions and answers.” The notification also came a month after a hacker known as “Peace” posted to a cybercrime forum claiming to have data from 200 million Yahoo accounts for sale.

Security experts have repeatedly offered sound advice after such breaches: Never reuse passwords and start using a password manager, which generates unique passwords for each login and stores them in one encrypted file protected by a single, strong “master” password. But one thing that remains unnecessarily frustrating about this setup is the crucial post-breach task of identifying and changing a potentially compromised password.

If, like me, you’re someone who uses a password manager (and you really, really should look into it if you’re not) you’ve probably noticed just how annoying it is to do this. Since all of your passwords are stored in one encrypted file, a data breach anywhere requires you to not only go to the affected site and change your password, but also update your password file with the new password for that login.

Specifically, that means you have to:

  • Get notified when a breach occurs
  • Go to the site and initiate a password reset
  • Open your password manager and generate a new random password for that site
  • Copy the new password into the site’s password reset form
  • Save the new login information in your password manager

This is all worth it in the end, because it means you can easily login to any site or app with one or two clicks without having to remember any of the actual usernames or passwords (usually through a browser extension that automatically fills them in).

But every time I introduce people to password managers (I help train local activists and community organizers in computer security in my spare time), this vigilant process of constantly generating new, unique passwords is always the biggest hurdle to convincing them to adopt the password manager lifestyle.

A big part of it is the fact that no password manager has a really effective system for notifying and responding to data breaches. 1Password’s Watchtower, which was initially created to handle the infamous Heartbleed vulnerability in 2014, is supposed to notify you when a site you have saved in your password vault is at risk. But in my 2 years of using it I’ve never gotten a single notification, despite being affected by plenty of breaches.

Even if you are notified, updating your password using a password manager is still a pretty clunky experience. Most password managers have browser extensions that auto-detect when you’re entering login information into a form, and offer to save it to a new or existing entry in your password manager’s vault.

But the password reset forms on most sites are formatted differently than their login screens, and as a result you often end up with multiple password entries for the same site or app. Then, the next time you go to auto-fill your login information, the password manager will often wind up entering your old password instead of the new one—unless you manually go into your password vault and modify or delete the duplicate entries. Even more irritating, sites like Google have separate screens for entering a username and password, making password managers’ auto-fill process unnecessarily arduous.

To be totally clear, none of this should convince you not to use a password manager. The inconvenience of having to do occasional maintenance in the aftermath of a breach is far preferable to putting yourself at risk by using the same password everywhere.

But in a world where data breaches happen practically every week, websites and developers should work together on making the password-changing process as painless as humanly possible for people who use password managers. Sites could adhere to a password manager-friendly template for their login and password reset screens, so that password manager apps could more easily point compromised users to those forms and securely record the new password inside their password file.

The integration wouldn’t be easy or cheap, but users have a lot to gain from using password managers—and they deserve better.



from Changing Passwords After a Breach Is Still Way Too Hard

Friday, 23 September 2016

iOS 10 Has a 'Severe' Security Flaw, Says iPhone-Cracking Company

Apple has introduced a “severe” flaw in its newly-released iOS 10 operating system that leaves backup data vulnerable to password-cracking tools, according to researchers at a smartphone forensics company that specializes in unlocking iPhones.

In a blog post published Friday by Elcomsoft, a Russian company that makes software to help law enforcement agencies access data from mobile devices, researcher Oleg Afonin showed that changes in the way local backup files are protected in iOS 10 have left backups dramatically more susceptible to password-cracking attempts than those produced by previous versions of Apple’s operating system.

Specifically, the company found that iOS 10 backups saved locally to a computer via iTunes allow password-cracking tools to try different password combinations at a rate of 6,000,000 attempts per second, more than 40 times faster than with backups created by iOS 9. Elcomsoft says this is due to Apple implementing a weaker password verification method than the one protecting backup data in previous versions. That means that cops and tech-savvy criminals could much more quickly and easily gain access to data from locally-stored iOS 10 backups than those produced by older versions.

Being a company known for breaking into iPhones, Elcomsoft unsurprisingly did not disclose the vulnerability to Apple before publishing its blog. But CEO Vladimir Katalov told Motherboard that his company responded to Apple’s security team after it requested more information about the bug through the company’s online support system early Friday morning.

“Apple is definitely aware they have implemented [the flaw] themselves :)” Katalov told Motherboard in an email.

An Apple spokesperson confirmed that the company is working on a fix.

“We're aware of an issue that affects the encryption strength for backups of devices on iOS 10 when backing up to iTunes on the Mac or PC. We are addressing this issue in an upcoming security update,” the spokesperson said in a statement. “This does not affect iCloud backups. We recommend users ensure their Mac or PC are protected with strong passwords and can only be accessed by authorized users. Additional security is also available with FileVault whole disk encryption.”

The flaw could be a huge boon for law enforcement, spies, and sophisticated criminals who are able to gain possession of a victim’s iOS backup file. While iOS devices themselves are known for having fairly solid security backed by a hardware module called the Secure Enclave, one of the remaining avenues of attack is to trigger a device to backup either to iCloud or a local computer, where data enjoys far less protection.

Normally, local backups are protected by a user’s password. But in iOS 10, Apple has implemented a weaker hashing algorithm—a function used to verify and store passwords in an unrecognizable format. This allows police and hackers to more easily “brute force” the backup file’s password by having a piece of forensics software guess millions of different passwords per second until it finds one that matches the stored hash.

Using an Intel i5 processor, Elcomsoft says it was able to guess passwords on iOS 10 backups 2,500 times faster than using the same hardware against an iOS 9 backup. That same processor was still 40 times faster than using a top-of-the-line graphics processor to brute force passwords on backups created by iOS 9. (Elcomsoft doesn’t support GPU-based password cracking yet on iOS 10, but it should increase the speed even more once it becomes available.)

When compounded with lists of commonly-used passwords, Elcomsoft says the amount of time it takes to crack an iOS 10 backup’s password can be reduced even further. Once an attacker has unlocked the backup, they can gain complete access to the device’s data in its saved state—including the keychain, a file that’s normally impossible to retrieve from the physical device which stores all the user’s logins and passwords.

For its part, Apple at least seems interested in issuing a fix. But given the various pieces of software involved, it remains unclear how long it would take to roll out.

“The fix itself is probably not so easy, because that hash might be used for some other purposes we are not aware of,” Katalov told Motherboard in an email. “So I guess that not just iOS update is needed, but also iTunes update as well, and probably some changes to the backup format.”

UPDATE: Sept. 23, 5:50 p.m. ET: This story has been updated to include Apple's statement. Also, a previous version of this article mentioned rainbow tables as a method for determining a backup file's password; however, rainbow tables would in fact not be usable in this case.



from iOS 10 Has a 'Severe' Security Flaw, Says iPhone-Cracking Company

Monday, 12 September 2016

Federal Judge: Hacking Someone's Computer Is Definitely a 'Search'

Courts across the country can't seem to agree on whether the FBI's recent hacking activities ran afoul of the law—and the confusion has led to some fairly alarming theories about law enforcement's ability to remotely compromise computers.

In numerous cases spawned from the FBI takeover of a darkweb site that hosted child abuse images, courts have been split on the legality of an FBI campaign that used a single warrant to hack thousands of computers accessing the site from unknown locations, using malware called a Network Investigative Technique, or NIT. Some have gone even further, arguing that hacking a computer doesn't constitute a “search,” and therefore doesn't require a warrant at all.

But a federal judge in Texas ruled this week that actually, yes, sending malware to someone's computer to secretly retrieve information from it—as the FBI did with the NIT—is a “search” under the Fourth Amendment.

“[T]he NIT placed code on Mr. Torres' computer without his permission, causing it to transmit his IP address and other identifying data to the government,” Judge David Alan Ezra wrote Friday, in a ruling for one of the NIT cases, in San Antonio, Texas. “That Mr. Torres did not have a reasonable expectation of privacy in his IP address is of no import. This was unquestionably a “search” for Fourth Amendment purposes.”

As obvious as that sounds, not everyone agrees. Previously, another judge in Virginia stunningly ruled that a warrant for hacking isn't required at all, because a defendant infected with government malware “has no reasonable expectation of privacy in his computer.”

That judgment was a leap from several other rulings, in which judges claimed that users of the Tor anonymity network, where the illegal site was hidden, have no expectation of privacy in their IP address—even though hiding your IP is the entire point of using Tor. The argument—which the Department of Justice apparently agrees with—holds that this is because Tor users technically “reveal” their true IP address to another computer when they first enter the Tor network, through an entry point called a “guard node.” (That computer cannot determine what sites the user visits, however.)

But while the FBI's use of malware was definitely a search, Judge Ezra of Texas nevertheless denied the defendant's motion to suppress evidence obtained by the NIT.

That's because it can't be proven that the FBI “willfully” violated Rule 41(b), a procedural rule that's meant to stop judges from authorizing searches outside of their districts. The FBI is now controversially seeking to expand that rule, which would grant them the power to hack computers anywhere—not just within the jurisdictions where the hacking was authorized.

Instead, Judge Ezra wrote that the NIT warrant “has brought to light the need for Congressional clarification regarding a magistrate's authority to issue a warrant in the internet age, where the location of criminal activity is obscured through the use of sophisticated systems of servers designed to mask a user's identity.”



from Federal Judge: Hacking Someone's Computer Is Definitely a 'Search'

Sunday, 28 August 2016

Hackers Can Now Unlock Phones With a VR Headset and Facebook Photos

Image: Xu et al

Fingerprint readers and iris scanners are just a few of the biometric security mechanisms that manufacturers have been putting in smartphones, tablets, and laptops lately. But while slick and futuristic, these new and unique methods for securing mobile devices inevitably have new and unique vulnerabilities.

Take face authentication, for example. To ensure a stranger can't access someone's phone just by holding a picture of the owner's face in front of its camera, devices that offer face-unlock features have recently implemented ways of detecting motion and “liveness” in a face—essentially, looking for facial movement patterns like blinking in order to tell a “live” face from a flat picture or video.

But in a paper presented earlier this month at the USENIX Security Symposium in Austin, TX, a group of researchers was able to circumvent that safeguard using a virtual reality model of a person's head recreated from a handful of photos taken from social media.

The researchers show it's possible to defeat modern face authentication systems by creating a virtual model derived from high-resolution photos of the device's owner. Essentially, they were able to convince the device it was looking at a live face by attaching it to a VR headset and loading the 3D head model, whose movements are realistically motion-tracked by the device's accelerometers and gyroscopes. The researchers could then further manipulate the 3D head model within the headset to make realistic facial movements like smiling or raising an eyebrow, which face authentication systems often prompt a user to do.

All five of the face authentication systems tested were successfully spoofed with 3D models built from high-resolution photos. Lower resolution photos from social media were also able to spoof all but one of the systems, though each had a somewhat lower success rate than their hi-res versions.

“We argue that such VR-based spoofing attacks constitute a fundamentally new class of attacks that point to serious weaknesses in camera-based authentication systems: Unless they incorporate other sources of verifiable data, systems relying on color image data and camera motion are prone to attacks via virtual realism,” the researchers write, suggesting that a robust face authentication system would need to incorporate some kind of non-public imagery of the user, like a skin heat map.

"Given the widespread nature of high-resolution personal online photos, today’s adversaries have a goldmine of information at their disposal for synthetically creating fake face data."



from Hackers Can Now Unlock Phones With a VR Headset and Facebook Photos

After DNC Hack, Staffers Told to Use 'Snowden-Approved' App, Signal

Security and privacy advocates have long, and adamantly, recommended the end-to-end encrypted messaging app, Signal, as a go-to solution for secure mobile communications. Lately, the app seems to have broken into the mainstream, even making a recent appearance on Mr. Robot, USA Network's surprisingly tech-savvy series about hacker revolutionaries taking down a globe-dominating, evil megacorp.

But Signal hasn't only been the weapon of choice for scrappy hacktivists and privacy wonks.

In the tumultuous aftermath of the Democratic National Committee hack—the digital intrusion that led to the resignation of its controversial chairwoman, Debbie Wasserman Schultz—Vanity Fair reports that DNC staffers were specifically instructed to exclusively use the “Snowden-approved” app when saying anything about Republican presidential nominee, Donald Trump.

The directive reportedly came down during a meeting at the DNC's campaign headquarters, in the weeks after the organization first learned it had been compromised by an unknown intruder, now represented by a person or group who calls themselves “Guccifer 2.0.”

After leaked DNC emails were published to WikiLeaks, it was revealed that the organization had plans to diminish Democratic presidential candidate Bernie Sanders, in favor of his more institutionally-entrenched opponent, Hillary Clinton.

Two weeks after the breach went public, a memo was sent out to DNC staffers with instructions on how to download and use the app. Paranoia among employees has likely increased since then, as security experts and US spy agencies have insisted that Russia is the source of the hack, leading many to fear foreign meddling in the upcoming presidential election.

Russian plot or no, the DNC's use of encryption tools like Signal will come as relief to experts who have been pushing for better security hygiene among top-ranking political officials and others handling sensitive information.

Created in part with funding from the Open Technology Fund, Signal allows for end-to-end encrypted calls and text messages. All of its code is available online, and, unlike email, it is surprisingly resistant to forensic analysis and data breaches—though, like any tool, it's certainly not hack-proof.

Correction: The article originally stated that Signal was created with funding from US Department of State, and has been updated to reflect that funding came from the Open Technology Fund, a program of Radio Free Asia, which receives US government funding.



from After DNC Hack, Staffers Told to Use 'Snowden-Approved' App, Signal