January 17, 2018

Twitter rejects claims that it snoops on your private messages

By Lisa Vaas

Twitter has pushed back after the release of undercover videos in which Twitter employees – primarily senior network security engineer Clay Haynes – are depicted as saying that they “view everything” users post on their servers, including private messages and sexual photos, and that employees are more than happy to participate in a Department of Justice investigation into Donald Trump.

The videos were posted by Project Veritas, an independent media outlet known for doctored clips it promotes as exposés on mostly liberal organizations.

The videos look like they were recorded via hidden camera while Haynes shared drinks with members of Project Veritas. The outlet claims to have met with him multiple times.

In one video, Haynes said Twitter is…

More than happy to help the Department of Justice in their little investigation [by providing them with] every single tweet that [Trump] has posted, even the ones he’s deleted. Any direct messages, any mentions.

In another meeting, Haynes says that Twitter has the ability to disclose…

Every single message, every single tweet, whatever you log into, what profile pictures you upload.

That second meeting was attended by Project Veritas founder and Donald Trump ally James O’Keefe, disguised in a wig and glasses. According to the New York Times, Trump has been supporting O’Keefe’s work for years, having donated $10,000 from his foundation to O’Keefe’s group.

During the meeting – a video of which O’Keefe posted on Twitter – O’Keefe suggests that Haynes peek into direct messages in the accounts of both Donald Trump Senior and Junior. Haynes responds by emphasizing that such access is only permissible as part of the “subpoena process.”

It’s within the context of the subpoena process that Haynes says that Twitter can look at “every single message, every single tweet, whatever you log into, what profile pictures you upload.”

Read more at https://nakedsecurity.sophos.com/2018/01/17/twitter-rejects-claims-that-it-snoops-on-your-private-messages/

Firefox locks down its future with HTTPS ‘secure contexts’

By John E Dunn

Mozilla’s embrace of HTTPS, the secure form of HTTP, has ratcheted up a notch with the news that Firefox developers must start using a web security design called ‘secure contexts’ “effective immediately.”

This isn’t a surprise – Mozilla mandated that security-sensitive geolocation be added as a secure context last March – but the signal is still significant.

Announced Mozilla:

All the building blocks are now in place to quicken the adoption of HTTPS and secure contexts, and follow through on our intent to deprecate non-secure HTTP.

Everyone involved in standards development is strongly encouraged to advocate requiring secure contexts for all new features on behalf of Mozilla.

The odd thing is that while secure contexts (also called ‘secure origins’) matter a lot to end user security, almost nobody beyond web devs has ever heard of the mechanism or pondered why it might be a big deal.

This could be about to change thanks to the publicity generated by the much better-known campaign by Google and others to migrate websites from insecure HTTP connections to encrypted HTTPS.

The principle of secure contexts is an incredibly simple one – that certain powerful web capabilities and APIs (whose risks users are often barely aware of) should be forced to work over HTTPS.

These mostly hidden functions currently include:

  • Geolocation
  • Bluetooth
  • HTTP/2
  • Web notifications API
  • Webcam and microphone access
  • Google’s Brotli web compression algorithm
  • Google’s Accelerated Mobile Pages (AMP)
  • Encrypted Media Extensions (EME)
  • The Payment Request API
  • Service Workers used for background sync and notification

(Another three – the AppCache API, Device motion/orientation, and Fullscreen – will follow in time.)
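The “secure context” decision described above comes down to one question the browser asks before exposing a powerful API: is the document’s origin potentially trustworthy? The following is an added example, not Mozilla’s or Firefox’s code, of that check as the W3C Secure Contexts specification frames it (https/wss schemes, file: URLs and loopback hosts pass; plain http:// and ws:// do not), plus a small gate that models how an engine withholds the listed features from an insecure page. The feature names in the set and the sample URLs are constructed for the demonstration.

```javascript
// Added example: simplified "potentially trustworthy origin" check from the
// W3C Secure Contexts spec, plus a gate modelling how a browser withholds
// secure-context-only features. Illustrative code, not Firefox's implementation.

// Schemes the spec treats as secure on the wire.
const SECURE_SCHEMES = new Set(["https:", "wss:"]);

// Node's URL parser keeps square brackets around IPv6 hosts; strip them.
function normalizeHost(hostname) {
  return hostname.replace(/^\[(.*)\]$/, "$1").toLowerCase();
}

// Loopback hosts count as trustworthy even over plain http:// because the
// traffic never leaves the machine (127.0.0.0/8, ::1, localhost, *.localhost).
function isLoopbackHost(host) {
  if (host === "::1") return true;
  if (/^127\.\d{1,3}\.\d{1,3}\.\d{1,3}$/.test(host)) return true;
  return host === "localhost" || host.endsWith(".localhost");
}

// True when the URL's origin is potentially trustworthy: https/wss, file:,
// or a loopback host. Anything else (http://, ws://, ftp://) is not,
// regardless of port or path. Unparsable input is never trusted.
function isPotentiallyTrustworthyUrl(urlString) {
  let url;
  try {
    url = new URL(urlString);
  } catch (e) {
    return false;
  }
  if (SECURE_SCHEMES.has(url.protocol)) return true;
  if (url.protocol === "file:") return true;
  return isLoopbackHost(normalizeHost(url.hostname));
}

// Constructed feature names standing in for the APIs the article lists as
// secure-context-only. A real engine hides these from insecure documents.
const SECURE_CONTEXT_ONLY = new Set([
  "geolocation",
  "bluetooth",
  "notifications",
  "camera",
  "microphone",
  "service-worker",
  "payment-request",
]);

// Models the engine's decision: gated features are available only when the
// document's origin is potentially trustworthy; ungated ones always are.
function featureAllowed(feature, documentUrl) {
  if (!SECURE_CONTEXT_ONLY.has(feature)) return true;
  return isPotentiallyTrustworthyUrl(documentUrl);
}

// Constructed sample document URLs for the demonstration.
const SAMPLE_URLS = [
  "https://example.test/app",
  "http://example.test/app",
  "http://localhost:8080/dev",
  "http://127.0.0.1/",
  "http://[::1]/",
  "wss://chat.example.test/",
  "ws://chat.example.test/",
  "file:///home/user/page.html",
  "not a url",
];

// Returns a map of sample URL -> whether geolocation would be exposed.
function geolocationReport() {
  const out = {};
  for (const u of SAMPLE_URLS) out[u] = featureAllowed("geolocation", u);
  return out;
}

for (const [u, ok] of Object.entries(geolocationReport())) {
  console.log(`${ok ? "ALLOW" : "BLOCK"} geolocation for ${u}`);
}
```

The practical consequence for a site owner is visible in the report: the same page served over http://example.test loses geolocation, while the identical code on https:// or on a developer’s localhost keeps it, which is why a move to HTTPS is the only way to keep these features once a browser enforces secure contexts.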

Read more at https://nakedsecurity.sophos.com/2018/01/17/firefox-locks-down-its-future-with-https-secure-contexts/

Man charged with selling billions of breached records on LeakedSource

By Lisa Vaas

A year ago, LeakedSource – a site that sold access to credentials stolen in data breaches – suddenly blinked out of sight, reportedly after the FBI raided it and seized its servers.

On Monday, the Royal Canadian Mounted Police (RCMP) announced that a man who was allegedly the site’s sole operator appeared in a Toronto court that day.

27-year-old Jordan Evan Bloom, of Thornhill, Ontario, was arrested on 22 December 2016 and charged on Monday with selling people’s data for a “small fee,” according to the RCMP. Those small fees must have added up: Bloom allegedly raked in approximately $247,000 from administering the site, which allegedly trafficked approximately three billion stolen personal identity records.

LeakedSource sold subscriptions to any and all comers. That allowed breach-as-a-service customers to browse through troves of data breach files. Buyers could also easily search for a victim’s name, username and email address so as to access other information, including their cleartext passwords.

The investigation into LeakedSource – an investigation Canadian authorities dubbed Project “Adoration” – began in 2016. That’s when the RCMP learned that LeakedSource was being hosted on Quebec servers. The Dutch National Police and the FBI helped out with the investigation.

LeakedSource was initially set up in 2015 and shut down in early 2017 – a lifespan during which it collected and sold those three billion personal identity records and their associated passwords from a string of major breaches. According to the International Business Times, the breaches included those at LinkedIn, MySpace, DropBox and AdultFriendFinder.

Bloom is facing charges of trafficking in ID information, unauthorized computer use, mischief to data, and possession of property obtained by crime.

Reuters talked to Toronto cybersecurity lawyer Imran Ahmad, who said that the charges against Bloom carry maximum sentences of between five and 10 years in prison.

Read more at https://nakedsecurity.sophos.com/2018/01/17/man-charged-with-selling-billions-of-breached-records-on-leakedsource/

It’s raining fake missiles: Japan follows Hawaii with mistaken alert

By Paul Ducklin

No sooner had we written up that fake missile alert in Hawaii than another fake missile alert was sent out, this time in Japan.

Japan’s national broadcaster, NHK, published an apology:

NHK is apologizing after issuing a false alert that said North Korea had probably launched a missile and warned people in Japan to take cover.

The false message was sent in Japanese shortly before 7 PM local time on Tuesday. It went out through the public broadcaster’s Japanese apps and website.

A few minutes later, NHK corrected the wrong information. There are no reports of problems caused by the mistake. NHK says a switching error is to blame.

The incident comes just days after officials in the US state of Hawaii issued a false missile alarm and caused panic.

In the Hawaii incident at the weekend, a public servant who was supposed to perform a routine test of the state’s missile warning system apparently selected the “send real alert” option instead.

Despite the dreadful implications of a real alert, and the unlikelihood of a real alert compared to the regularity of a test alert, there was apparently no additional oversight needed – no supervisor approval or peer review requiring confirmation from a second person.

However, there was a precaution in place in Hawaii to prevent the inadvertent cancellation of warnings.

Read more at https://nakedsecurity.sophos.com/2018/01/16/its-raining-fake-missiles-japan-follows-hawaii-with-mistaken-alert/

FBI expert calls Apple ‘jerks’ as encryption tension simmers

By John E Dunn

Apple has been called many things in its time but never, as far as anyone can remember, “jerks” by an FBI employee speaking at a public conference.

The man who made these remarks – senior FBI forensic expert Stephen R. Flatley – reportedly followed this up by describing the company as “pretty good at evil genius stuff.”

We don’t have the full context of these remarks – was Flatley perhaps being humorous? – but the seriousness of the conflict that prompted the barbs is not in doubt.

It began on the day in September 2014 when Apple launched iOS 8, after which the company said it could no longer access data on an encrypted iOS device – even if asked to by a government agency handing it a warrant.

The technical backdoor that had always been there as a last resort for investigators was sealed. As the company explained this new world:

Unlike our competitors, Apple cannot bypass your passcode and therefore cannot access this data. So it’s not technically feasible for us to respond to government warrants for the extraction of this data from devices in their possession running iOS 8.

As far as the FBI was concerned, shutting out investigators was an obstructive decision by Apple, while from Apple’s point of view, it had no choice. It was following the logic of encryption, which is that a security design in which a backdoor exists will end up being equivalent to no security at all.

Flatley also complained that Apple keeps ratcheting up iOS security, recently changing password iterations from 10,000 to 10m. This meant:

Password attempts speed went from 45 passwords a second to one every 18 seconds. […] At what point is it just trying to one up things and at what point is it to thwart law enforcement?

Not coincidentally, Flatley’s boss and FBI director Christopher Wray used the same event last week to argue that encryption backdoors would not compromise wider security, a viewpoint that many in the security industry have vigorously disagreed with for years.

According to Wray, encryption prevented the FBI from accessing 7,775 mobile devices in 2017, though he did not say how many of these were Apple’s.

Read more at https://nakedsecurity.sophos.com/2018/01/16/fbi-expert-calls-apple-jerks-as-encryption-tension-simmers/

Man charged over fatal “Call of Duty” SWATting

By Lisa Vaas

Tyler Barriss, the 25-year-old Los Angeles man who was arrested last month for his involvement in a SWATting incident, has now been charged.

He was charged with involuntary manslaughter in placing a SWATting call that resulted in a fatal police shooting of 28-year-old Andrew Finch in Wichita, Kansas on 28 December.

SWATting, which takes its name from elite law enforcement units called SWAT (Special Weapons and Tactics) teams, is the practice of making a false report to emergency services about shootings, bomb threats, hostage taking, or other alleged violent crime in the hopes that law enforcement will respond to a targeted address with deadly force.

In a police briefing the day following the fatal shooting, Wichita Deputy Police Chief Troy Livingston said that the result of the Wichita SWATting has been a “nightmare” for everyone involved: police, the community and Finch’s family.

After his arrest, Barriss didn’t admit to placing the call that led to Finch’s death. He did, however, express remorse in an interview from Sedgwick County jail that he gave to a local TV station.

From the recording:

As far as serving any amount of time, I’ll just take responsibility and serve whatever time, or whatever it is that they throw at me… I’m willing to do it. That’s just how I feel about it.

Barriss said that whatever punishment results from his role in the death of Andrew Finch, it doesn’t matter: it won’t change what happened.

Whether you hang me from a tree, or you give me 5, 10, 15 years… I don’t think it will ever justify what happened.

In the emergency call recording, a man said he’d shot his father in the head. The caller also said he was holding his mother and a sibling at gunpoint in a closet. He said he’d poured gasoline all over the house and that he was thinking of lighting the house on fire.

Police surrounded Finch’s Wichita home, prepared to deal with a hostage situation. When Finch answered the door, he followed police instructions to put up his hands and move slowly. But at some point, authorities said, Finch appeared to be moving his hand toward his waistband as if he was going to pull out a gun.

Read more at https://nakedsecurity.sophos.com/2018/01/16/man-charged-over-fatal-call-of-duty-swatting/

ACS

Advanced Computer Services of Central Florida

Centrally located in Winter Haven, we serve residential and business clients in and around Polk County.

9 Camellia Drive
Winter Haven, FL 33880
863-229-4244

Our Promise to You

Plain language, no tech-talk

We will never try to over-sell you a product you don't need.

Advanced Computer Services of Central Florida is your local, hometown computer service and repair company that can do more than just fix your PC. We offer highly skilled professionals who can be counted on to give you sound advice on upgrades, software and hardware, commercial & residential networks, hardwire or secure wireless.

No trip charges within Polk County

No after-hours or weekend fees

$45.00/hr Residential

$65.00/hr Commercial - free system evaluation