WIRED

How the Iranian Government Shut Off the Internet

Amid widespread demonstrations over rising gasoline prices, Iranians began experiencing internet slowdowns over the last few days that became a near-total internet and mobile data blackout on Saturday. The government is apparently seeking to silence protestors and quell unrest. So how does a country like Iran switch off internet to a population of more than 80 million? It’s not an easy thing to do.

Though some countries, namely China, architected their internet infrastructure from the start with government control in mind, most don’t have a central set of levers they can pull to influence country-wide access to content or connectivity. But regimes around the world, including those in Russia and Iran, have increasingly been retrofitting traditional private and decentralized networks with cooperation agreements, technical implants, or a combination to give officials more influence. In countries like Ethiopia, Venezuela, and Iraq, along with disputed regions like Kashmir, government-led social media blocking and more extensive outages have become the norm.

“This is the most wide-scale internet shutdown that we’ve seen in Iran,” says Adrian Shahbaz, research director at the pro-democracy group Freedom House, which tracks internet censorship and restriction worldwide. “It’s surprising to see the Iranian authorities block all internet connections rather than only international internet connections, because the latter is a tactic that they’ve used in the past. It could mean they are more fearful of their own people and worry that they cannot control the information space amidst these economic protests.”

The process to block an entire country’s internet connectivity depends on the set-up. Places like Ethiopia that have relatively limited internet proliferation typically have just one government-controlled internet service provider, perhaps alongside some smaller private ISPs. But all usually gain access from a single undersea cable or international network node, creating “upstream” choke points that officials can use to essentially block a country’s connectivity at its source.

Full article

Naked Security

Facebook fixes iPhone camera bug

Facebook was quick to reassure iPhone users this week that it wasn’t secretly spying on them via its app, after someone found the software keeping the phone’s rear camera active in the background.

Facebook user Joshua Maddux discovered the problem on Saturday 9 November when looking at another user’s profile picture on the iPhone version of the Facebook app.

Full article

Cybersecurity Insiders

Ransomware news trending on Google

Pemex, a Mexican oil and petroleum company, has stated that it became a victim of a ransomware attack last week and that hackers were demanding USD 5 million as a ransom to restore access to files.

Going deep into the details, the bad guys somehow infiltrated the networks of the Mexican Petroleum company and decided to shut down the computer systems by introducing the file-encrypting malware. The disruption was so severe that many payment transactions were also halted and the employees were asked to keep a distance from the digital systems till a recovery was possible.

However, a fresh statement issued by Pemex early today says that only 5% of its computers and storage and distribution facilities were interrupted by the cyberattack as the company’s servers were hit by either DoppelPaymer or Ryuk Ransomware.

Full article

Naked Security

Mozilla says ISPs are lying to Congress about encrypted DNS

Mozilla on Friday posted a letter urging Congress to take the broadband industry’s lobbying against encrypted DNS within Firefox and Chrome with a grain of salt – they’re dropping “factual inaccuracies” about “a plan that doesn’t exist,” it says.

Both of the entities behind those browsers – Mozilla and Google – have been moving to embrace the privacy technology, which is called DNS over HTTPS (DoH). Also backed by Cloudflare, DoH is poised to make it a lot tougher for ISPs to conduct web surveillance; to hoover up web browsing activity and, say, sell it to third parties without people’s consent; or to modify DNS queries so they can do things like inject self-promoting ads into browsers when people connect to public Wi-Fi hotspots.

Those are just some of the ISP sins that Mozilla listed in its letter, which urged the chairs and ranking members of three House of Representatives committees to examine the privacy and security practices of ISPs, particularly with regard to the domain name services (DNS) ISPs provide to US consumers.

DoH isn’t a panacea – you can check out Paul Ducklin’s explanation of the issues it raises in the Naked Security podcast below – but it promises to at least seriously gum up tracking and monetization of data.

In September, Mozilla announced that it would turn on DoH by default for users of the Firefox browser’s desktop version in the US. Within days, Google issued a me-too, officially announcing its own DoH experiment in Chrome.

Full article

Cybersecurity Insiders

How to prevent Pegasus malware from attacking your WhatsApp number

Last week, WhatsApp users worldwide were surprised by the news that Facebook is planning to sue an Israel-based agency named NSO Group for snooping over 1400 users through Pegasus spyware and the WhatsApp application.

Going by the details, the social media giant confirmed that a survey conducted by one of its associate companies has discovered that NSO Group tried to exploit the video calling feature on WhatsApp by sending malware named Pegasus Spyware to the phones of users of the said photo and video sharing application.

However, the company facing the allegation says that its technology is not designed or licensed to be used in espionage-related activities and is solely used for white hat purposes by government agencies.

WhatsApp issued a news update yesterday on the issue and said that users of its online messaging service can keep their smartphones safe from hackers by using the latest version of WhatsApp on their device and keeping their mobile operating system up to date to receive the latest security protections.

Full article

ZDNet

We must stop smiling our way towards a surveillance state

In the last few years facial recognition has been gradually introduced across a range of different technologies.

Some of these are relatively modest and useful; thanks to facial recognition software you can open your smartphone just by looking at it, and log into your PC without a password. You can even use your face to get cash out of an ATM, and increasingly it’s becoming a standard part of your journey through the airport now.

And facial recognition is still getting smarter. Increasingly it’s not just faces that can be recognised, but emotional states too, if only with limited success right now. Soon it won’t be too hard for a camera to not only recognise who you are, but also to make a pretty good guess at how you are feeling.

But one of the biggest potential applications of facial recognition on the near horizon is, of course, for law and order. It is already being used by private companies to deter persistent shoplifters and pickpockets. In the UK and other countries police have been testing facial recognition in a number of situations, with varying results.

There’s a bigger issue here, as the UK’s Information Commissioner Elizabeth Denham notes: “How far should we, as a society, consent to police forces reducing our privacy in order to keep us safe?”

She warns that when it comes to live facial recognition “never before have we seen technologies with the potential for such widespread invasiveness,” and has called for police, government and tech companies to work together to eliminate bias in the algorithms used; particularly that associated with ethnicity.

She is not the only one to be raising questions about the use of facial recognition by police; similar questions are being asked in the US, and rightly so.

There is always a trade-off between privacy and security. Deciding where to draw the line between the two is key. But we also have to make the decision clearly and explicitly. At the moment there is a great risk that as the use of facial recognition technology by government and business spreads, the decision will be taken away from us.

In the UK we’ve already built up plenty of the infrastructure that you’d need if you were looking to build a total surveillance state.

Full article

WIRED

Security News This Week: Government Officials Hacked Via WhatsApp

This week saw the cybersecurity world taking big strides against some of the world’s most aggressive hackers. In a dramatic and potentially precedent-setting move, WhatsApp, the Facebook-owned messaging platform, sued the Israeli surveillance contractor NSO Group for allegedly targeting 1,400 of WhatsApp’s users with malicious phone calls crafted to infect devices with data-grabbing malware. Meanwhile, over in United States Congress, lawmakers are still struggling to deal with increasingly ubiquitous ransomware attacks that often target vulnerable organizations like local governments and hospitals.

Microsoft reported findings that the Russian hacking group Fancy Bear (also called APT28 or Strontium) has targeted at least 16 antidoping agencies around the world in the lead-up to the 2020 Tokyo Olympics. Russian hackers have barraged the Olympics for three years now, including a particularly stealthy and insidious digital attack on the Pyeongchang Winter Games in 2018.

Full article

ZDNet

Android bug lets hackers plant malware via NFC beaming

Last month Google patched an Android bug that can let hackers spread malware to a nearby phone via a little-known Android OS feature called NFC beaming.

NFC beaming works via an internal Android OS service known as Android Beam. This service allows an Android device to send data such as images, files, videos, or even apps, to another nearby device using NFC (Near-Field Communication) radio waves, as an alternative to WiFi or Bluetooth.

Typically, apps (APK files) sent via NFC beaming are stored on disk and a notification is shown on screen. The notification asks the device owner if he wants to allow the NFC service to install an app from an unknown source.

But, in January this year, a security researcher named Y. Shafranovich discovered that apps sent via NFC beaming on Android 8 (Oreo) or later versions would not show this prompt. Instead, the notification would allow the user to install the app with one tap, without any security warning.

Full article

Naked Security

Researchers find hole in EU-wide identity system

A flaw in a cross-border EU electronic identity system could have allowed anyone to impersonate someone else, a security consulting company has warned.

SEC Consult issued an advisory warning people of the flaw this week. It demonstrated the problem in the electronic identification, authentication and trust services (eIDAS) system by authenticating as 16th-century German writer, Johann Wolfgang von Goethe.

eIDAS came about because of a 2014 EU regulation that laid out the rules for electronic identification in Europe. The regulation, which came into effect in 2016, made it compulsory for EU countries to identify each other’s electronic IDs by the middle of last year. It covered a range of identification assets like electronic signatures and website authentication.

The problem is that there’s a flaw in the software used to manage this cross-border identification process, known as eIDAS-Node. Each country has to run a copy of this software to connect its own national identity management systems to others in the EU, creating a cross-border ID gateway. Using this gateway, citizens in the UK, say, could identify themselves to use electronic services in Germany, such as enrolling in a university or opening a bank account.

Like many federated identity systems, eIDAS uses the Security Assertion Markup Language (SAML). It’s an XML-based protocol from the nonprofit Organization for the Advancement of Structured Information Standards (OASIS). It lets users prove their identities across multiple service providers using a single login. Version 2, launched in 2005, includes support for features like encryption and the exchange of privacy information such as consent. It’s powerful but complex.

Full article

ZDNet

Microsoft: Russian hackers are targeting sporting organizations ahead of Tokyo Olympics

Microsoft said today that a group of well-known Russian government hackers has targeted at least 16 national and international sporting and anti-doping organizations ahead of next year’s Tokyo Olympics.

The attacks have taken place in the last month after the World Anti-Doping Agency (WADA) announced a possible indiscriminate ban of all Russian athletes from all sporting events, including upcoming world championships and Olympics.

Microsoft said the attacks involved spear-phishing, password spraying, exploiting internet-connected devices, and the use of both open-source and custom malware.

Responsible for the attacks is a group of Russian state-sponsored hackers that Microsoft calls Strontium, but which is more widely known as APT28 or Fancy Bear.

Full article