• Report : Facebook Helped the FBI Exploit Vulnerability in a Secure Linux Distro for Child Predator Sting

A very interesting case. It all starts with a "good intention" (catching a paedophile; it could just as easily have been terrorists) but leads, on the one hand, to Facebook behaving like a state and, on the other, to weakening the security of activists, journalists and other users of highly secured systems.

    Facebook security personnel and engineers helped the FBI track down a notorious child predator by helping a third-party company develop an exploit in a security-focused version of the Linux operating system, Tails, per a Wednesday report by Vice. But they did so quietly and without notifying the developers of Tails afterwards of the major security flaw, potentially violating security industry norms while handing over a surveillance backdoor to federal agents.

Facebook had tasked a dedicated employee with unmasking Hernandez, developed an automated system to flag recently created accounts that messaged minors, and made catching Hernandez a priority for its security teams, according to Vice. They also paid a third-party contractor “six figures” to help develop a zero-day exploit in Tails: a bug in its video player that enabled them to retrieve the real I.P. address of a person viewing a clip. Three sources told Vice that an intermediary passed the tool on to the FBI, which then obtained a search warrant to have one of the victims send a modified video file to Hernandez (a tactic the agency has used before).

    There’s no clear evidence as to whether the FBI knew the exploit was developed in part by Facebook, leading one to wonder how forthcoming it was planning to be about its involvement. There are also obvious ethical issues with developing exploits in another company’s product, especially Tails, which was designed with the security of users including reporters, whistleblowers, stalking victims, and political activists in mind.

    Facebook also never notified the Tails team of the flaw—breaking with a long industry tradition of disclosure in which the relevant developers are notified of vulnerabilities in advance of them becoming public so they have a chance at implementing a fix. Sources told Vice that since an upcoming Tails update was slated to strip the vulnerable code, Facebook didn’t bother to do so, though the social media company had no reason to believe Tails developers had ever discovered the bug.

    Some of the current and former Facebook employees aware of the decision to help the FBI were critical, with one telling Vice that the “precedent of a private company buying a zero-day to go after a criminal” was “fucked up” and “sketchy as hell.” Others told the site it was a decision made of last resort that doesn’t set a precedent, with one saying it was the “right thing” to do and other companies would not be willing to “[spend] the amount of time and resources to try to limit damage caused by one evil guy.”

    #Facebook #Cybersécurité #FBI

  • How a Bad App—Not the Russians—Plunged Iowa Into Chaos - The Atlantic

    You may be wondering if the Iowa caucus chaos is a hit job by election-meddling Russians. The morning after caucus-goers filed into high-school gyms across Iowa, the state’s Democratic Party is still unable to produce results. The app it developed for precisely this purpose seems to have crashed. The party was questioned before by experts about the wisdom of using a secretive app that would be deployed at a crucial juncture, but the concerns were brushed away. Troy Price, the state party’s chairman, claimed that if anything went wrong with the app, staffers would be ready “with a backup and a backup to that backup and a backup to the backup to the backup.” And yet, more than 12 hours after the end of the caucus, they are unable to produce results. Last night, some precinct officials even waited on hold for an hour to report the results—and got hung up on.

    If the Russians were responsible for this confusion and disarray, that might be a relatively easy problem to fix. This is worse.

    It appears that the Iowa Democrats nixed the plan to have precincts call in their results, and instead hired a for-profit tech firm, aptly named Shadow, to tally the caucus results. (As if the name weren’t enough to fuel conspiracies, the firm is run by an alum of Hillary Clinton’s presidential campaign.) The party paid Shadow $60,000 to develop an app that would tally the results, but gave the company only two months to do it. Worried about Russian hacking, the party addressed security in all the wrong ways: It did not open up the app to outside testing or challenge by independent security experts.

    This method is sometimes dubbed “security through obscurity,” and while there are instances for which it might be appropriate, it is a fragile method, especially unsuited to anything public on the internet that might invite an attack. For example, putting a spare key in a secret place in your backyard isn’t a terrible practice, because the odds are low that someone will be highly motivated to break into any given house and manage to look exactly in the right place (well, unless you put it under the mat). But when there are more significant incentives and the system is open to challenge by anyone in the world, as with anything on the internet, someone will likely find a way to get the keys, as the Motion Picture Association of America found out when its supposedly obscure digital keys, meant to prevent copyright infringement, quickly leaked. Shadow’s app was going to be used widely on caucus day, and independent security experts warned that this method wasn’t going to work. The company didn’t listen.

    But why bother hacking the system? Anything developed this rapidly that has not been properly stress-tested—and is being used in the wild by thousands of people at the same time—is likely to crash the first time it is deployed.

    There never should have been an app. There are officials responsible for precinct results, but there are also representatives of campaigns on the ground in every precinct. Even without a more substantial reform of the complex and demanding caucus process, a simple adversarial confirmation system (a process used by many countries) would have worked well.

    America already knows how to do election integrity. The National Academy of Sciences released a lengthy report about it last year, complete with evidence-based recommendations for every step of the electoral process. I wrote a summary of that report, but the full thing is available online. It tells us why optical paper-scan systems offer us the best mix of convenience and security, and advises us how to keep a proper paper trail. Experts and civil-society organizations have been advocating for these changes for years. It would take just a bit of money and political will to fix much of this, and fairly quickly. Instead, we’ve kicked off a 2020 election season that promises to be fraught in any number of ways. Several campaigns have reported that the same app is due to be used in Nevada in just three weeks.

    Who needs the Russians?

    #Zeynep_Tufekci #Iowa_Caucus #App_inutile #Cybersécurité

  • Sonos Makes It Clear : You No Longer Own The Things You Buy - VICE

    $300 smart hubs that are suddenly bricked when the manufacturer is sold. Video game consoles that mysteriously lose features after you bring them home. Books or films you purchase that you suddenly and inexplicably lose the ability to access. Printers that don’t print without an ink subscription.

    In the modern internet era, it’s increasingly clear that consumers no longer actually own the things we buy. Instead, we’re shelling out big bucks for products that can easily lose features or worse—stop working entirely on the whim of a corporation.

    The latest example comes courtesy of Sonos, which this week informed customers in an email that it would no longer be supporting certain speaker systems. In the email, the company says that certain “legacy” systems will stop receiving security and software updates starting in May.

    “Legacy products were introduced between 2005 and 2011 and, given the age of the technology, do not have enough memory or processing power to sustain future innovation,” the company’s email claims. Users that have shelled out hundreds or thousands of dollars for smart speakers that still work didn’t take the news particularly well.

    Nathan Proctor, the head of USPIRG’s Right to Repair Campaign, told Motherboard that Sonos’ decision to leave consumers between a rock and a hard place is emblematic of a tech industry in which sustainability, security, and consumer rights are often distant afterthoughts.

    “This is an epidemic problem,” Proctor said, noting that having millions of unsupported and unpatched devices connected to the internet poses significant security risks for an internet of things sector already widely criticized for being a privacy and security dumpster fire.

Proctor said forced obsolescence not only incentivizes the public to discard perfectly good hardware; products now also effectively have expiration dates that consumers aren’t clearly informed of at the time of purchase.

    #Obsolescence_programmée #Internet_des_objets #Cybersécurité

  • Zeynep Tufekci : Get a red team to ensure AI is ethical | Verdict

    In cybersecurity, red team professionals are tasked with finding vulnerabilities before they become a problem. In artificial intelligence, flaws such as bias often become apparent only once they are deployed.

    One way to catch these AI flaws early is for organisations to apply the red team concept when developing new systems, according to techno-sociologist and academic Zeynep Tufekci.

“Get a red team, get people in the room, wherever you’re working, who think about what could go wrong,” she said, speaking at Hitachi Vantara’s Next conference in Las Vegas, US, last week. “Because thinking about what could go wrong before it does is the best way to make sure it doesn’t go wrong.”

Referencing Hitachi CEO and president Toshiaki Higashihara’s description of digitalisation as having “lights and shadows”, Tufekci warned of the risks associated with letting the shadowy side go unchecked.

    AI shadows

    One of these “shadows” is when complex AI systems become black boxes, making it difficult even for the AI’s creators to explain how it made its decision.

    Tufekci also cited the example of YouTube’s recommendation algorithm pushing people towards extremism. For example, a teenager could innocently search ‘is there a male feminism’ and then be nudged towards misogynistic videos because such controversial videos have received more engagement.

    And while data can be used for good, it can also be used by authoritarian governments to repress its citizens, or by election consultancies to manipulate our votes.

    Then there are the many instances of human bias finding their way into algorithms. These include AI in recruitment reflecting the sexism of human employers or facial recognition not working for people with darker skin.

    “If the data can be used to fire you, or to figure out protesters or to use for social control, or not hire people prone to depression, people are going to be like: ‘we do not want this’,” said Tufekci, who is an associate professor at the UNC School of Information and Library Science.

    “What would be much better is to say, what are the guidelines?”
    Using a red team to enforce AI ethics guidelines

    Some guidelines already exist. In April 2018, the European Union’s High-Level Expert Group on AI presented seven key requirements for trustworthy AI.

    These requirements include human oversight, accountability and technical robustness and safety. But what Tufekci suggests is having a team of people dedicated to ensuring AI ethics are adhered to.

    “You need people in the room, who are going to say there’s light and there are shadows in this technology, and how do we figure out to bring more light into the shadowy side, so that we’re not blindsided, so that we’re not just sort of shocked by the ethical challenges when they hit us,” she explained.

    “So we think about it ahead of time.”

    However, technology companies often push back against regulation, usually warning that too much will stifle innovation.

    “Very often when a technology is this new, and this powerful, and this promising, the people who keep talking about what could go wrong – which is what I do a lot – are seen as these spoilsport people,” said Tufekci.

    “And I’m kind of like no – it’s because we want it to be better.”

    #Intelligence_artificielle #Zeynep_Tufekci #Cybersécurité #Biais #Big_data

  • Websites have been quietly hacking iPhones for years, says Google - MIT Technology Review

    Websites delivered iOS malware to thousands of visitors in the biggest iPhone hack ever. There’s no telling who was infected—or who was behind it.
    by Patrick Howell O'Neill
    Aug 30, 2019
    Malware could steal passwords, encrypted messages and contacts
    It’s not clear who was behind the hacking campaign or who was targeted
    If you have updated your iPhone you are protected
    The largest ever known attack against iPhone users lasted at least two years and hit potentially thousands of people, according to research published by Google. 

    The malware could ransack the entire iPhone to steal passwords, encrypted messages, location, contacts, and other extremely sensitive information. The data was then sent to a command and control server which the hackers used to run the operation. The scope, execution, and persistence of the unprecedented hacking campaign points to a potential nation-backed operation but the identity of both the hackers and their targets is still unknown. 

    “The data taken is the ‘juicy’ data," says Jonathan Levin, a researcher who has written books on Apple’s operating system. “Take all the passwords from the keychain, location data, chats/contacts/etc, and build a shadow network of connections of all your victims. Surely by six degrees of separation you’ll find interesting targets there.”


    Apple patched the bugs quickly in February 2019 so everyone who has updated their iPhone since then is protected. Rebooting the iPhone wiped the malware but the data had already been taken. Exactly who was infected remains an open question. iPhone users themselves likely wouldn’t know because the malware runs in the background with no visual indicator and no way for an iOS user to view the processes running on the device. 

    In January 2019, Google’s Threat Analysis Group (TAG), the tech giant’s counterespionage specialists, first found hacked websites that were delivering malware to thousands of visitors per week. The tactic is known as a watering-hole attack: attackers lace carefully selected websites with malware and wait for expected visitors to arrive to be infected. Just visiting the site was enough to download the malware.

    Google’s discovery included, over a period of years, five so-called “exploit chains” with 14 vulnerabilities including at least one active zero-day vulnerability, the term used to describe an exploitable bug undiscovered by a company like Apple. When one exploit chain was rendered useless by an Apple patch, the hacker quickly implemented the next one.

    TAG passed the intelligence to Apple, who issued iOS patch 12.1.4 on February 7 with a fix, as well as to others within Google. Google’s Project Zero, the company’s security analysis team, has spent the last seven months dissecting these bugs.

    “There was no target discrimination; simply visiting the hacked site was enough for the exploit server to attack your device, and if it was successful, install a monitoring implant. We estimate that these sites receive thousands of visitors per week,” Google’s Ian Beer wrote.

    It’s not clear who was infected. Google’s Project Zero did not release key information including which websites were infected. It seems likely that neither Apple nor Google would have a full accounting of victims but there could be other clues, including which populations typically visit the infected website. 

    So, who is behind it? There is an entire offensive hacking industry that creates and sells hacking tools to governments and companies around the world. NSO Group is the most famous but their tools have reportedly been tightly targeted. But Levin thinks the signs point to a nation state being behind this attack, as the model used is not something a typical hacker or small company could afford to run. 

    The revelation instantly made waves throughout the cybersecurity industry. "This is the first time evidence has been found of such exploits being used massively, indiscriminately as ‘net fishing’ against whatever unsuspecting individuals end up visiting the infected websites," says Levin.

    One of the most notable victims of iPhone malware ever is Ahmed Mansoor. Mansoor, a world-renowned human rights activist imprisoned for criticizing the United Arab Emirates government, is nicknamed “the million dollar dissident” because of the high cost of the malware used to hack his iPhone and spy on him.

Until now, the implication of the high prices had been that deploying these weapons is rare and tightly targeted. Exploiting Apple’s iOS operating system, the software that powers both the iPhone and iPad, is a complex and expensive process. “iOS exploitation requires sidestepping and bypassing Apple’s formidable defenses, in multiple layers,” says Levin. Google’s discovery throws some of those assumptions in the air.

    It will also upend perceptions of the security of iPhones. High-risk individuals including journalists, lawyers, activists, and more use iPhones in the hope that the devices will provide a real defense against hackers who, in some cases, can be a genuine life or death threat.

    “Real users make risk decisions based on the public perception of the security of these devices,” Beer wrote. “The reality remains that security protections will never eliminate the risk of attack if you’re being targeted."

    #Cybersécurité #iPhone

  • GitHub sued for aiding hacking in Capital One breach | ZDNet

    Capital One and GitHub have been sued this week as part of a class-action lawsuit filed in California on allegations of failing to secure or prevent a security breach during which the personal details of more than 106 million users were stolen by a hacker.

    While Capital One is named in the lawsuit because it was its data that the hacker stole, GitHub was also included because the hacker posted details about the hack on the code-sharing site.
    Lawsuit claims GitHub failed to detect stolen data

    The lawsuit claims that “decisions by GitHub’s management [...] allowed the hacked data to be posted, displayed, used, and/or otherwise available.” According to the lawsuit, details about the Capital One hack were available from April 21, 2019, to mid-July before they were taken down.

    “GitHub knew or should have known that obviously hacked data had been posted to GitHub.com,” the lawsuit claims.

The lawsuit said GitHub had an obligation under California law and industry standards to keep off or remove the Social Security numbers and personal information from its site. The plaintiffs believe that because Social Security numbers have a fixed format, GitHub should have been able to identify and remove this data, but it chose not to and allowed the stolen information to remain available on its platform for three months, until a bug hunter spotted the stolen data and notified Capital One.

    The lawsuit alleges that by allowing the hacker to store information on its servers, GitHub violated the federal Wiretap Act.

    However, spokespersons from both Capital One and GitHub have told ZDNet that the data uploaded on GitHub by the hacker did not contain any personal information.

    “The file posted on GitHub in this incident did not contain any Social Security numbers, bank account information, or any other reportedly stolen personal information,” a GitHub spokesperson told us. “We received a request from Capital One to remove content containing information about the methods used to steal the data, which we took down promptly after receiving their request.”
    Lawsuit claims GitHub actively encouraged hacking

    The lawsuit also makes a bold claim that “GitHub actively encourages (at least) friendly hacking.” It then links to a GitHub repository named “Awesome Hacking.”

    Plaintiffs might have a hard time proving that GitHub promoted hacking as this repository is not associated with GitHub staff or management, but owned by a user who registered on the platform and claims to live in India.

    There are thousands of similar GitHub repositories hosting hacking, pen-testing, cyber-security, and reverse engineering resources and tutorials — all of which are not illegal.

    Furthermore, other sites like Pastebin or AnonFile are also abused in a similar way that GitHub was during the Capital One breach, with hackers uploading stolen information on their respective servers, or hosting hacking tutorials.

    The lawsuit seems to gloss over the fact that users are responsible for abiding by a platform’s rules and terms of service, and not the platform itself.

All in all, the chances of GitHub being found guilty are slim, as this is just another classic case of “guns don’t kill people; people kill people.” Otherwise, Apple might be similarly held accountable when someone uses an iPhone to commit a crime.

    But while Microsoft might have a case to convince the court to drop GitHub out of the lawsuit, Capital One does not, and will have to defend its cyber-security lapses in court.

    The lawsuit pointed out that Capital One had suffered previous security breaches before in November 2014, July 2017, and September 2017.

    The class-action lawsuit complaint is available here. Newsweek and Business Insider first reported the lawsuit.

    The hacker responsible for the Capital One breach, Paige Thompson, was arrested earlier this week. She is believed to have hacked multiple other companies, besides Capital One. The list includes Unicredit, Vodafone, Ford, Michigan State University, and the Ohio Department of Transportation.

    #Git_hub #Hacking #Cybersécurité #Plateformes

• Baltimore paralysed by a computer virus partly created by the NSA

The problem is that, three weeks later, the matter is still not resolved. The city’s servers and e-mail remain hopelessly blocked. “Limited service”, read the signs at the entrances to municipal buildings. The city’s teams, the FBI, the US intelligence services and the West Coast IT firms have all thrown themselves at it: impossible to rid the city’s ten thousand computers of this virus, a piece of ransomware. And for good reason: according to the New York Times, one of the components of this virulent program was created by the American secret services, the National Security Agency (NSA), which exploited a flaw in Microsoft’s Windows software. The trouble is that in 2017 the NSA had this cyber weapon stolen from it, and it has since become almost impossible to control.

So, much ado about nothing? No, because of the NSA’s murky role. According to the New York Times, the agency developed a tool, EternalBlue, after spending more than a year looking for a flaw in Microsoft’s software.

The trouble is that the tool was stolen by a group calling itself the Shadow Brokers, without anyone knowing whether it is a foreign power or American hackers. The North Koreans were the first to use it, in 2017, in an attack dubbed Wannacry, which paralysed the British health system and hit the German railways. Then it was Russia’s turn to use it to attack Ukraine: operation code name NotPetya. The offensive reached companies such as the courier FedEx and the pharmaceutical company Merck, which reportedly lost 400 million and 670 million dollars respectively.

Since then, EternalBlue has been used over and over, notably by China and Iran. And in the United States, against vulnerable organisations such as the city of Baltimore, but also San Antonio (Texas) and Allentown (Pennsylvania). In some respects the affair is considered more serious than the giant leak of information by former IT contractor Edward Snowden in 2013.

The debate over the NSA’s responsibility is opening up again: the agency reportedly informed Microsoft of the flaw only after its tool had been stolen. Too late. Despite a patch, hundreds of thousands of computers that have not applied the update remain unprotected. One of its former directors, Admiral Michael Rogers, tried to exonerate his former agency by explaining that if a terrorist filled a Toyota pickup with explosives, nobody would blame Toyota. “The tool the NSA developed was not designed to do what it did,” he argued.

Tom Burt, Microsoft’s head of customer trust, says he is “in total disagreement” with this soothing remark: “These programs are developed and kept secret by governments for the precise purpose of using them as weapons or espionage tools. They are, in themselves, dangerous. When someone takes them, they don’t turn them into a bomb: they’re already a bomb,” he protested in the New York Times.

    #Virus #NSA #Baltimore #Cybersécurité

  • The Terrifying Potential of the 5G Network | The New Yorker

    Two words explain the difference between our current wireless networks and 5G: speed and latency. 5G—if you believe the hype—is expected to be up to a hundred times faster. (A two-hour movie could be downloaded in less than four seconds.) That speed will reduce, and possibly eliminate, the delay—the latency—between instructing a computer to perform a command and its execution. This, again, if you believe the hype, will lead to a whole new Internet of Things, where everything from toasters to dog collars to dialysis pumps to running shoes will be connected. Remote robotic surgery will be routine, the military will develop hypersonic weapons, and autonomous vehicles will cruise safely along smart highways. The claims are extravagant, and the stakes are high. One estimate projects that 5G will pump twelve trillion dollars into the global economy by 2035, and add twenty-two million new jobs in the United States alone. This 5G world, we are told, will usher in a fourth industrial revolution.

    A totally connected world will also be especially susceptible to cyberattacks. Even before the introduction of 5G networks, hackers have breached the control center of a municipal dam system, stopped an Internet-connected car as it travelled down an interstate, and sabotaged home appliances. Ransomware, malware, crypto-jacking, identity theft, and data breaches have become so common that more Americans are afraid of cybercrime than they are of becoming a victim of violent crime. Adding more devices to the online universe is destined to create more opportunities for disruption. “5G is not just for refrigerators,” Spalding said. “It’s farm implements, it’s airplanes, it’s all kinds of different things that can actually kill people or that allow someone to reach into the network and direct those things to do what they want them to do. It’s a completely different threat that we’ve never experienced before.”

    Spalding’s solution, he told me, was to build the 5G network from scratch, incorporating cyber defenses into its design.

    There are very good reasons to keep a company that appears to be beholden to a government with a documented history of industrial cyber espionage, international data theft, and domestic spying out of global digital networks. But banning Huawei hardware will not secure those networks. Even in the absence of Huawei equipment, systems still may rely on software developed in China, and software can be reprogrammed remotely by malicious actors. And every device connected to the fifth-generation Internet will likely remain susceptible to hacking. According to James Baker, the former F.B.I. general counsel who runs the national-security program at the R Street Institute, “There’s a concern that those devices that are connected to the 5G network are not going to be very secure from a cyber perspective. That presents a huge vulnerability for the system, because those devices can be turned into bots, for example, and you can have a massive botnet that can be used to attack different parts of the network.”

    This past January, Tom Wheeler, who was the F.C.C. chairman during the Obama Administration, published an Op-Ed in the New York Times titled “If 5G Is So Important, Why Isn’t It Secure?” The Trump Administration had walked away from security efforts begun during Wheeler’s tenure at the F.C.C.; most notably, in recent negotiations over international standards, the U.S. eliminated a requirement that the technical specifications of 5G include cyber defense. “For the first time in history,” Wheeler wrote, “cybersecurity was being required as a forethought in the design of a new network standard—until the Trump F.C.C. repealed it.” The agency also rejected the notion that companies building and running American digital networks were responsible for overseeing their security. This might have been expected, but the current F.C.C. does not consider cybersecurity to be a part of its domain, either. “I certainly did when we were in office,” Wheeler told me. “But the Republicans who were on the commission at that point in time, and are still there, one being the chairman, opposed those activities as being overly regulatory.”

    Opening up new spectrum is crucial to achieving the super-fast speeds promised by 5G. Most American carriers are planning to migrate their services to a higher part of the spectrum, where the bands are big and broad and allow for colossal rivers of data to flow through them. (Some carriers are also working with lower-spectrum frequencies, where the speeds will not be as fast but likely more reliable.) Until recently, these high-frequency bands, which are called millimetre waves, were not available for Internet transmission, but advances in antenna technology have made it possible, at least in theory. In practice, millimetre waves are finicky: they can only travel short distances—about a thousand feet—and are impeded by walls, foliage, human bodies, and, apparently, rain.

    To accommodate these limitations, 5G cellular relays will have to be installed inside buildings and on every city block, at least. Cell relays mounted on thirteen million utility poles, for example, will deliver 5G speeds to just over half of the American population, and cost around four hundred billion dollars to install. Rural communities will be out of luck—too many trees, too few people—despite the F.C.C.’s recently announced Rural Digital Opportunity Fund.

    Deploying millions of wireless relays so close to one another and, therefore, to our bodies has elicited its own concerns. Two years ago, a hundred and eighty scientists and doctors from thirty-six countries appealed to the European Union for a moratorium on 5G adoption until the effects of the expected increase in low-level radiation were studied. In February, Senator Richard Blumenthal, a Democrat from Connecticut, took both the F.C.C. and F.D.A. to task for pushing ahead with 5G without assessing its health risks. “We’re kind of flying blind here,” he concluded. A system built on millions of cell relays, antennas, and sensors also offers previously unthinkable surveillance potential. Telecom companies already sell location data to marketers, and law enforcement has used similar data to track protesters. 5G will catalogue exactly where someone has come from, where they are going, and what they are doing. “To give one made-up example,” Steve Bellovin, a computer-science professor at Columbia University, told the Wall Street Journal, “might a pollution sensor detect cigarette smoke or vaping, while a Bluetooth receiver picks up the identities of nearby phones? Insurance companies might be interested.” Paired with facial recognition and artificial intelligence, the data streams and location capabilities of 5G will make anonymity a historical artifact.

    #Surveillance #Santé #5G #Cybersécurité

  • Battle stations on Twitter!
    The official account of the EMA, the Etat-Major des Armées (the armed forces general staff, not En Marche, nope), has launched its annual #DEFNET operation.
    This is the 6th edition of this "annual joint-forces exercise" for training "in cyber crisis management".
    Thinking it was a bug, I made fun of it, imagining the panic among the conspiracy theorists two days before Act 18 of the Gilets Jaunes:

    The French speak to the French...
    I repeat: the French speak to the French...

    But many thanks to the person who led me to discover what is, at the same time, a major communication exercise:

    #DEFNET 2018: stronger together.
    310 military personnel from 7 nations, 250 students, more than 50 reservists and industrial partners brought together.


    See also:

    #sécurité #cybersecurite #armée

  • « The Thai parliament unanimously passed a new #cybersécurité law on Thursday 28 February 2019. Government agencies run by the military junta now hold very broad powers to access data on computer networks or to seize any type of digital device in the event of a "cyber threat". Civil liberties advocates describe this regulation as "digital martial law". »


    #Thaïlande #sécurité_et_liberté

  • 40% of malicious URLs were found on good domains - Help Net Security

    40 percent of malicious URLs were found on good domains. Legitimate websites are frequently compromised to host malicious content. To protect users, cybersecurity solutions need URL-level visibility or, when that is unavailable, domain-level metrics that accurately represent the danger.

    Home user devices are more than twice as likely to get infected as business devices. Sixty-eight percent of infections are seen on consumer endpoints, versus 32 percent on business endpoints.

    Phishing attacks increased 36 percent, with the number of phishing sites growing 220 percent over the course of 2018. Phishing sites now use SSL certificates and HTTPS to trick internet users into believing they are secure, legitimate pages. Seventy-seven percent of phishing attacks impersonated financial institutions, and were much more likely to use HTTPS than other types of targets. In fact, for some of the targeted financial institutions, over 80 percent of the phishing pages used HTTPS. Google was found to be the most impersonated brand in phishing overall.

    After 12 months of security awareness training, end users are 70 percent less likely to fall for a phishing attempt. Webroot found that organizations that combine phishing simulation campaigns with regular training saw a 70 percent drop in phishing link click-through.

    Nearly a third of malware tries to install itself in %appdata% folders. Although malware can hide almost anywhere, Webroot found several common locations, including %appdata% (29.4 percent), %temp% (24.5 percent), and %cache% (17.5 percent), among others. These locations are prime for hiding malware because these paths are in every user directory with full user permissions to install there. These folders also are hidden by default on Windows Vista and up.

    Devices that use Windows 10 are at least twice as secure as those running Windows 7. Webroot has seen a relatively steady decline in malware on Windows 10 machines for both consumer and business.

    “We wax poetic about innovation in the cybersecurity field, but you only have to take one look at the stats in this year’s report to know that the true innovators are the cybercriminals. They continue to find new ways to combine attack methods or compromise new and existing vectors for maximum results. My call to businesses today is to be aware, assess your risk, create a layered approach that protects multiple threat vectors and, above all, train your users to be an asset—not a weak link—in your cybersecurity program,” said Hal Lonas, CTO, Webroot.

    Despite the decrease in cryptocurrency prices, cryptomining and cryptojacking are on the rise. The number of cryptojacking URLs Webroot saw each month from September through December 2018 was more than double the monthly count in the first half of the year. These techniques can be more lucrative than ransomware attacks, since they don’t require waiting for the user to pay the ransom, and they have a smaller footprint. As for web-based cryptojacking, Coinhive still dominates with more than 80 percent market share, though some new copycat cryptojacking scripts are gaining in popularity.

    While ransomware was less of a problem in 2018, it became more targeted. We expect major commodity ransomware to decline further in 2019; however, new ransomware families will emerge as malware authors turn to more targeted attacks, and companies will still fall victim to ransomware. Many ransomware attacks in 2018 used the Remote Desktop Protocol (RDP) as an attack vector, leveraging tools such as Shodan to scan for systems with inadequate RDP settings. These unsecured RDP connections may be used to gain access to a given system and browse all its data as well as shared drives, providing criminals enough intel to decide whether to deploy ransomware or some other type of malware.

    #Cybersécurité #Phishing #Malware

  • How Libertarian theology and Trump are destroying the Internet — and America – Alternet.org

    With speeds up to 100 times faster than current 4G cellular data, 5G will make possible everything from driverless cars to cell-connected long-distance drones to precision remote surgery. The amount of data flowing through our cellular systems will explode, along with places it can be used and the uses to which it can be applied.

    Remote applications that are currently too difficult to wire for high-speed internet or won’t work well at 4G speeds will easily become remotely controlled, spreading the internet revolution to every device in the home, office, and even remote workplaces.

    Along with all this data will, inevitably, come hackers, both criminal and state-sponsored. The amount of data that it now takes a third of a year to harvest with 4G can be scooped up in a single day using 5G.

    Given that the U.S. government invented the internet (yes, Al Gore did co-author the legislation) and has a huge stake in its security, doesn’t it make sense that our government should provide, at least in framework and standards, for its security?

    But, no. Trump and Pence want to do to the FCC what they’ve done to the EPA, the Department of the Interior, the FDA, and to oversight of our banking systems.

    According to Trump and his billionaire libertarian owners, the safety and security of America is not the proper role of government. Not our air, our water, our public lands, or even our internet.

    “Just turn it all over to the billionaires,” they say. “What could possibly go wrong?”

    FCC Chairman Ajit Pai, the former Verizon lawyer, even went so far as to say that “the market, not government, is best positioned to drive innovation and leadership” with regard to internet security.

    Meanwhile, the President’s National Security Telecommunications Advisory Committee—after looking at how 5G will blow open data operations across the country—wrote just three months ago that “the cybersecurity threat now poses an existential threat to the future of the nation.”

    #Cybersécurité #Libertariens #Idéologie_californienne #5G #Normalisation

  • Stéphane Bortzmeyer's book « Cyberstructure : L’Internet, un espace politique » wins the Cybersecurity book prize awarded by the FIC 2019 forum.

    This week the Forum International de la Cybersécurité (#FIC2019) is being held in Lille. The forum brings together more than 8,600 participants from 80 countries for three days of debates and talks, sometimes political and military, sometimes technical (https://www.forum-fic.com/accueil.htm).

    As every year, the Forum assembles a jury of experts to award prizes to the most important books in the field. This year there were 42 works in competition and 4 prize-winning books (see below).

    Among them, the book « Cyberstructure : L’Internet, un espace politique » by Stéphane Bortzmeyer, published by C&F éditions.

    It must be said that this one has a particular appeal:

    – it is a technically very precise work; a quality that also allows it not to get lost in dense explanations, and ultimately produces a very pedagogical book. Every computer science student should have read such a work to understand the structure of the Internet and the stakes of cryptography or the blockchain, without drowning in too many details and without settling for superficial or ill-informed views;

    – Cyberstructure also bridges the technical stakes of the Internet and fundamental political questions, notably human rights. How interpretations of computer code can reduce the capacity for expression and the privacy of Internet users; and how these questions must be present in the mind of every software developer, in order to embed the defence of human rights in the code and architecture of the digital world.

    Drawing on long experience as an engineer and written by an ardent defender of freedom of expression and of the digital communication commons, Cyberstructure is a book that speaks to many audiences.

    The first readers are unanimous: a book to recommend without reservation for understanding the Internet and for acting in defence of human rights in the digital world.

    And they are many: in a month and a half, the first print run sold out. The second print run arrives on Friday, so you can order without hesitation right now, from your favourite bookseller or online on our site: https://cfeditions.com

    Results of the FIC2019 book competition

    1/ The work devoted to Louis Pouzin was classed « hors concours » (outside the competition).

    Louis Pouzin will receive a special tribute in the presence of the authors during Mrs Parly's address on the afternoon of Tuesday 22 January.

    2/ Prize winners (42 candidate works)

    « Grand public » (general public) prize: Gilles Fontaine, Dans le cyberespace, personne ne vous entend crier, éditions Jean-Claude Lattes

    « Cybersecurité » prize: Stéphane Bortzmeyer, Cyberstructure, l’internet un espace politique, C&F Éditions

    « Cyberdéfense » prize: Stéphane Taillat, Amaël Cattaruzza, Didier Danet, La Cyberdéfense, politique de l’espace numérique, éditions Armand Colin.

    « Coup de cœur du Jury » (jury's favourite): Stéphane Mallard, Disruption, préparez-vous à changer le monde, éditions Dunod.

    #Cyberstructure #Stéphane_Bortzmeyer #FIC_2019 #Cybersécurité

  • The big fashion trends of 2019 in #cybersécurité
    (article from a month ago, 5/12/18)

    « Name and shame », « spear phishing »... the cyber threats to fear in 2019

    2019 should see a multiplication of cyberattacks against network hardware (routers, modems...) and the Internet of Things, according to predictions from the Russian cybersecurity specialist Kaspersky Lab. A look at the main cyber threats to come next year.
    [Router attacks]
    Geopolitically motivated cyberattacks
    « Spear phishing », « the most effective infection »
    Asia and the Middle East, breeding grounds for new hackers
    « The barrier to entry has never been so low, with hundreds of very effective tools and exploits from documented leaks », estimates Vicente Diaz [of Kaspersky Lab]. And he continues: « And as an additional advantage, such tools make attribution (of cyberattacks) almost impossible and can easily be customised. »

  • The first (?) comic book to deal with #cybersécurité and #cyberguerre, « #Cyberfatale » is a good introduction to the world of « cyber » conflict between states.

    It is fairly well researched and contains very few silly mistakes or errors. (Plus, it's fun.)


    An interview with the authors:


  • Many people believe that, unlike WiFi, mobile telephony technologies (GSM, 3G, 4G, etc.) are secure and (I heard this in an otherwise serious meeting) « unhackable ».

    That is obviously completely false, as the #EFF reminds us, calling for awareness and serious action against these security flaws.


    #cybersécurité #SS7 #IMSI_catcher

  • The CIA’s communications suffered a catastrophic compromise

    #Espionnage and #cybersécurité: dozens of #CIA agents arrested or executed... with a simple #Google click!

    At least 30 agents « neutralised », dozens more unmasked. The CIA paid a heavy price in intelligence terms between 2009 and 2013. The American agency had « hidden » communication servers on the #Internet. The Iranian and Chinese services had found the « magic formula » to recover their addresses. Explanation

    #Etats-Unis #Iran #Chine

  • Google to shut down Google+ after the discovery of a security flaw affecting the data of at least 500,000 users
    https://abonnes.lemonde.fr/pixels/article/2018/10/08/google-va-fermer-google-apres-la-decouverte-d-une-faille-de-securite ?

    The Wall Street Journal revealed on Monday 8 October that a security flaw in the social network Google+, launched by Google in 2011 to compete with Facebook, put its users' personal data at risk. According to the American daily's article, personal information from accounts was accessible in an unintended way, through the service's programming interface (API, a set of rules and software that allowed outside services to « plug in » to Google+, for example to log in).

    This « bug » in the Google+ code stayed live for three years, between 2015 and 2018, according to the Wall Street Journal, before Google discovered the problem in March of this year during an internal audit and decided to fix it without notifying either regulators or its users.

    According to an internal memorandum seen by the Wall Street Journal, Google reportedly hesitated to make the discovery of this flaw public. It ultimately decided to fix it while keeping its existence secret, in order to avoid « being put under the spotlight along with or instead of Facebook ».

    At the time the flaw was discovered, Facebook was indeed at the heart of a vast scandal over the use by the company Cambridge Analytica of personal data captured from accounts on the social network founded by Mark Zuckerberg. That data had been used for political ends, to support Donald Trump's presidential campaign in 2016 or, the same year, the Brexit campaign in the United Kingdom. It had been collected using a Facebook feature that made it easily accessible, and the company had been sharply criticised, including by several governments and parliamentary committees in the United States and Europe.

    Had it come a few weeks later, Google would have had no choice in the matter: in Europe, the General Data Protection Regulation (GDPR) requires that the discovery of a flaw of this type be reported to privacy regulators, and also that the users affected by a data leak be informed, where applicable. The text came into force in May 2018. In the United States, large companies are only required to announce the discovery of this type of flaw if data has actually been stolen.

    #Google #Cybersécurité #Données_personnelles

  • #Cybersécurité, #Reconnaissance_faciale and #Réseaux_Sociaux:
    Social Mapper, when facial recognition becomes too accessible... even a danger

    This small program makes it possible to track people across different social networks. LinkedIn, Facebook, Twitter, Instagram... more or less every social network is on the menu. All it takes is a name and a photo. This small program can find anyone on the various platforms automatically.

    The software is open source, under a free licence, and is available on GitHub with almost no restriction on its use. It was put online by researchers from Trustwave SpiderLabs. The idea is of course to help security researchers.

    Supplement: A facial recognition tool tracks profiles on social networks

    On its official blog, #Trustwave stated: « What if this could be automated and carried out at scale with hundreds or thousands of people? »

  • #Cybersécurité: a flaw discovered in the #WhatsApp instant #messagerie app

    According to [the Israeli cybersecurity specialist] CheckPoint, would-be attackers could act on conversations in three different ways: by modifying messages posted by a person, by posting a message in a group while impersonating one of the participants, or by sending a specific message to a group member while making it look like a group message.

  • Russian agents allegedly used Bitcoin to fund the DNC hack - MIT Technology Review

    Among the many new details in today’s indictment (PDF) of 12 Russian intelligence officers for cyberattacks meant to interfere with the US presidential election in 2016, one in particular should stand out to techies: the defendants allegedly used Bitcoin to fund the operation.

    A web of dark money: According to the US Department of Justice’s indictment, the defendants “conspired to launder” more than $95,000 “through a web of transactions structured to capitalize on the perceived anonymity of cryptocurrencies such as Bitcoin.” They allegedly mined coins and acquired them “through a variety of means to obscure the origin of the funds,” which were used to finance cyberattacks against Democratic party officials, members of Hillary Clinton’s campaign, and others.

    Cat and mouse: Though the indictment says they used hundreds of different e-mail accounts with fake names to handle Bitcoin payments and cover their tracks, investigators linked messages from “several dedicated email accounts” to corresponding transactions on the Bitcoin blockchain. According to the indictment, the defendants also sometimes facilitated Bitcoin payments on the same computers they used to “conduct their hacking activity.”

    The takeaway: If you weren’t convinced that cryptocurrencies are a magnet for would-be money launderers, this should help. Beyond that, though: Bitcoin is not anonymous! Using clues from outside the internet, which the Mueller team clearly had, it’s quite possible to follow the money on the blockchain and root out individuals behind the transactions (see “Criminals thought Bitcoin was a perfect hiding place, but they thought wrong”).

    #Bitcoin #Argent_sale #Cybersécurité

  • The percentage of open source code in proprietary apps is rising - Help Net Security

    Compiled after examining the findings from the anonymized data of over 1,100 commercial codebases audited in 2017 by the Black Duck On-Demand audit services group, the report revealed that:

    96 percent of the scanned applications contain open source components, with an average 257 components per application, and that
    The average percentage of open source in the codebases of the applications scanned grew from 36% last year to 57%, suggesting that a large number of applications now contain much more open source than proprietary code.

    “Today, open source use is pervasive across every industry and is used by organizations of all sizes. The reasons are straightforward—open source lowers development costs, speeds time to market, and accelerates innovation and developer productivity,” analysts with the Synopsys Center for Open Source Research & Innovation (COSRI) have noted.

    #Logiciels_libres #Open_source #Cybersécurité

  • Huawei and ZTE Targeted While Security Ban Advances at U.S. FCC - Bloomberg

    U.S. regulators moved to extend a crackdown on China equipment makers as security risks, backing a ban on federal subsidies to buy networking gear from manufacturers such as Huawei Technologies Co. and ZTE Corp.

    The Federal Communications Commission voted 5-0 on Tuesday in favor of banning federal funds from being spent with companies determined to be a risk to U.S. national security. The ban won’t be final until a second vote by the FCC, which in a draft order noted congressional scrutiny of Huawei and ZTE as possible security threats.

    “For years, U.S. government officials have expressed concern about the national security threats posed by certain foreign communications equipment providers in the communications supply chain,” FCC Chairman Ajit Pai said. “Hidden ‘backdoors’ to our networks in routers, switches, and other network equipment can allow hostile foreign powers to inject viruses and other malware, steal Americans’ private data, spy on U.S. businesses, and more.”

    #Commerce_international #OMC #Cybersécurité #Cyberwarfare #Surveillance