March 10, 2017
UNM4SK3D: CIA, Headphones, and Consumer Reports
March 10, 2017
True or false? That's the question being asked by millions of Americans after Wikileaks released a series of 8,761 documents titled 'Vault 7,' which detail the CIA's cyber spying techniques and capabilities. Big news. Some people are questioning the validity, others are questioning their personal privacy.
The documents, which are being called 'Zero Year' by Wikileaks, are apparently the first of many they plan to release. This is especially significant because the documents contain details of the CIA's global hacking program, its malware, and zero-day exploits for a number of devices. Two of the most important documents show the CIA's iOS and Android exploits, complete with clever code names like 'Winterspy' and 'Elderpiggy.' Looks like those agents are a fan of Game of Thrones and the Muppets. But cell phones aren't the only devices mentioned in Vault 7. According to Wikileaks, the vulnerabilities they exploit cover everything from web browsers to smart TVs, which can be turned into 'spying devices.'
You may be having Edward Snowden deja vu, and we are too. The former NSA contractor recently tweeted that the documents 'look authentic,' although the CIA has neither denied nor confirmed whether the documents are real. On the one hand, much of what was described in the documents was aimed at older devices that have known security flaws, with the documents dated between 2013 and 2016. Nor did any of them appear to be classified above the level of “secret/noforn,” which is a relatively low-level of classification. On the other hand, security experts warn the leak is 'a big deal' because it assists other countries that were trying to catch up to the United States, Russia, China and Israel in electronic spying.
"Names, email addresses and external IP addresses have been redacted in the released pages (70,875 redactions in total) until further analysis is complete." And while Wikileaks is being mysterious for the time being, who knows when or if further information could be leaked. For now, all they're saying is that the documents came from an "isolated, high-security network situated inside the CIA's Center for Cyber Intelligence in Langley, Virgina." This could mean intelligence agencies need to reassess the practice of sharing secrets widely inside their walls.
This extraordinary collection, which amounts to more than several hundred million lines of code, gives its possessor the entire hacking capacity of the CIA -Wikileaks
Take a closer look at the can of worms opened by Snowden. Read: 'Encryption Software and Combating Cyber Crime.'
#vulnerabilityYour smart TV and even some of your children's toys can record you. Now, your headphones can too. This attack vector is utilized in different forms across different devices. The most recently patched headphone vulnerability noted in the March 2017 Android Security Bulletin from Google focuses specifically on a critical vulnerability in Nexus 9. If you're a Nexus 9 owner, you can breathe a sigh of relief. But prior to the patch, researchers were able to exploit the vulnerability to leak stack canaries, derandomize ASLR, conduct a factory reset, and even access HBOOT, allowing for communication with internal System-on-Chips (SoCs). For those of you who are less technical, just know that none of that is good news.Feeling betrayed by your headphones? Unfortunately, this isn't the first time they've been used as spying devices. In November 2016, a group of Israeli security researchers at Ben Gurion University created a proof-of-concept code that converts typical headphones into microphones and then uses them to record all your conversations in the room. Dubbed "Speake(a)r," the malicious code is able to hijack a computer to record audio even when its' microphone is disabled or completely disconnected from the computer. It works by utilizing the existing headphones to capture vibrations in the air, converting them to electromagnetic signals, altering the internal functions of audio jacks, and then flips input jacks (used by microphones) to output jacks (used for speakers and headphones). This allows a hacker to record audio, though at a lower quality, from devices with disabled or no microphone. Maybe it's time to break out the antique record player.
The Speake(a)r attack works on practically any computer running Windows or MacOS, and most laptops, as well, leaving most computers vulnerable to such attacks -Mordechai Guri, Ben Gurion University lead security researcherIf you're an Android user looking to protect your privacy, read: 'Top 10 Android Tools for Security Auditing and Hacking.'
#privacyIf you thought product reviews were only for middle-aged women with shopping addictions, think again. Consumer publication Consumer Reports will soon begin considering cyber security and privacy safeguards when scoring products.The group, which issues scores that rank the products it reviews, said they collaborated with several outside organizations to develop methods for studying how easily a product can be hacked and how well customer data is secured. You may not be aware, but the products they review include items such as smart TVs, routers, security cameras, thermostats, and software products such as apps and web browsers, so the feedback is actually useful. "We think it’s unfair and unrealistic to expect consumers to constantly play defense when the products and services they use aren’t engineered with basic privacy and security protections built in... That’s why we’re now launching the first phase of a collaborative effort to create a new standard that safeguards consumers’ security and privacy—and we hope the industry will use that standard when building and designing digital products."The hope is that the standard will ultimately be used to help Consumer Reports develop specific and repeatable testing procedures. Then, this information will be utilized to better evaluate products and give consumers the ability to compare products against each other on the basis of factors like privacy protection. Among the criteria this standard will look at are whether consumers are required to choose unique usernames and passwords during setup, if companies delete consumer data from their servers upon request, and if companies are transparent about how personal consumer information is shared with other companies.
65% of people said in the Consumer Voices survey that they were either slightly or not at all confident that manufacturers were looking after their personal data properly -Consumer ReportsTenable surveyed 700 security practitioners from nine different countries across seven industry verticals. The report assesses the overall confidence levels of information security professionals in detecting and mitigating organizational cyber risk. Read: 'Global Cybersecurity Confidence Declines.'