August 14, 2018

Police body cameras open to attack

By Danny Bradbury

Police officers in the US often wear body cameras to protect themselves and reduce complaints from the public. Now, though, a security researcher has revealed that these cameras could put evidence – and even police officers themselves – at risk.

Josh Mitchell, a consultant at security firm Nuix, analysed cameras from five vendors who sell them to US law enforcement agencies. Presenting at the DEF CON conference last week, he highlighted vulnerabilities in several popular brands that could place an attacker in control of a body camera and tamper with its video.

Attackers could access cameras in several ways, Mitchell said. Many of them include Wi-Fi radios that broadcast identifying information about the device in the clear, so an attacker with a high-powered directional antenna can pick up, from a distance, each device’s make, model and unique ID. An attacker could use this information to track a police officer’s location and find out more about the device that they are using. They might even be able to tell when several police officers are coordinating a raid, he said.

Mitchell’s research found that some devices also include their own Wi-Fi access points but don’t secure them properly. An intruder could connect to one of these devices, view its files and even download them, he warned. In many cases, the cameras relied on default login credentials that an attacker could easily look up or guess.
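To make the two findings above concrete, here is an added example (written for this digest, not Mitchell’s tooling) of what a passive sniffer can read from a single 802.11 beacon frame without any key: the BSSID and its vendor prefix (OUI), the SSID, any vendor-specific information element, and the capability bit that says whether the access point accepts unencrypted associations. The frame, the vendor table and the camera name are all constructed for the example; real OUI lookups use the IEEE registry.

```python
import struct

# Hypothetical OUI (first three bytes of a MAC) to vendor table, invented for the
# example. A real fingerprinting tool would load the IEEE registry instead.
OUI_VENDORS = {
    "02:11:22": "ExampleCam (hypothetical body-camera vendor)",
}


def build_beacon(bssid: bytes, ssid: bytes, privacy: bool, vendor_ie: bytes = b"") -> bytes:
    """Construct a minimal 802.11 beacon frame (no FCS) so the parser can run offline."""
    header = (
        b"\x80\x00"      # frame control: type=management, subtype=beacon
        + b"\x00\x00"    # duration
        + b"\xff" * 6    # addr1: broadcast destination
        + bssid          # addr2: transmitter
        + bssid          # addr3: BSSID
        + b"\x00\x00"    # sequence control
    )
    cap = 0x0001 | (0x0010 if privacy else 0)  # bit 0 = ESS, bit 4 = Privacy (encryption on)
    fixed = struct.pack("<QHH", 0, 100, cap)   # timestamp, beacon interval, capability info
    ies = bytes([0, len(ssid)]) + ssid         # tag 0: SSID
    ies += bytes([1, 4]) + b"\x82\x84\x8b\x96" # tag 1: supported rates
    if vendor_ie:
        ies += bytes([221, len(vendor_ie)]) + vendor_ie  # tag 221: vendor specific
    return header + fixed + ies


def parse_beacon(frame: bytes) -> dict:
    """Pull the identifying fields that are transmitted in cleartext in every beacon."""
    if len(frame) < 36 or frame[0] != 0x80:
        raise ValueError("not a beacon frame")
    bssid = ":".join(f"{b:02x}" for b in frame[16:22])
    cap = struct.unpack_from("<H", frame, 34)[0]
    ies: dict[int, list[bytes]] = {}
    off = 36  # tagged parameters start after the 24-byte header and 12 bytes of fixed fields
    while off + 2 <= len(frame):
        tag, length = frame[off], frame[off + 1]
        value = frame[off + 2 : off + 2 + length]
        if len(value) != length:
            raise ValueError("truncated information element")
        ies.setdefault(tag, []).append(value)
        off += 2 + length
    return {
        "bssid": bssid,
        "vendor": OUI_VENDORS.get(bssid[:8], "unknown"),
        "ssid": ies.get(0, [b""])[0].decode("utf-8", "replace"),
        "open_network": not (cap & 0x0010),
        "vendor_ies": [v.hex() for v in ies.get(221, [])],
    }


def findings(frame: bytes) -> list[str]:
    """Turn the parsed fields into the kinds of leakage described in the research."""
    info = parse_beacon(frame)
    out = []
    if info["vendor"] != "unknown":
        out.append(f"vendor identified from BSSID OUI: {info['vendor']}")
    if any(ch.isdigit() for ch in info["ssid"]):  # crude heuristic for a serial in the SSID
        out.append(f"SSID carries a device-specific identifier: {info['ssid']!r}")
    if info["open_network"]:
        out.append("privacy bit clear: access point accepts unencrypted associations")
    return out


# Constructed frame for a hypothetical camera that advertises its serial in the SSID
# and runs an open access point.
SAMPLE = build_beacon(
    bytes.fromhex("021122aabbcc"),
    b"BODYCAM-SN000123",
    privacy=False,
    vendor_ie=bytes.fromhex("021122") + b"\x01model=XC-1",
)

if __name__ == "__main__":
    for line in findings(SAMPLE):
        print(line)
```

Nothing here needs the attacker to associate with the camera: beacons are sent several times a second to anyone in radio range, which is why a directional antenna turns the leak into a tracking tool. Mitigations on the device side are to stop beaconing when not needed, keep serial numbers out of the SSID, and set the privacy bit by requiring WPA2 rather than an open network.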

Read more at https://nakedsecurity.sophos.com/2018/08/14/police-body-cameras-open-to-attack/

11-year-old hacker changes election results

By Lisa Vaas

At the DefCon Voting Village in Las Vegas last year, participants proved it was child’s play to hack voting machines: As Wired reported, within two minutes, democracy-tech researcher Carsten Schürmann used a novel vulnerability to get remote access to a WinVote machine.

This year, it was literally child’s play: the DefCon village this past weekend invited 50 kids between the ages of 8 and 16 to compromise replicas of states’ websites in the so-called “DEFCON Voting Machine Hacking Village.”

11-year-old Emmett Brewer is too young to vote, but it turned out that he’s not too young to learn how to change election results on a replica of Florida’s state website… in under 10 minutes, mind you, as the Voting Village announced on Friday.

The kids were given rudimentary instruction in performing SQL injection attacks, in which text typed into a web form is pasted straight into a database query and ends up executed as part of it: one of the web attacks that refuses to die.
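For readers who have never seen the attack up close, here is an added example (Python with sqlite3, written for this digest and not code from the Voting Village or the replica sites) that puts a vulnerable vote-update beside its parameterised form. The results table and the two payloads are constructed; the first payload widens a WHERE clause with a tautology so every candidate gains a vote, the second stacks a second UPDATE onto a rename so one candidate’s tally is zeroed.

```python
import sqlite3


def seed() -> sqlite3.Connection:
    """In-memory results table, constructed for the example."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE results (candidate TEXT PRIMARY KEY, votes INTEGER NOT NULL)")
    conn.executemany("INSERT INTO results VALUES (?, ?)", [("Alice", 100), ("Bob", 90)])
    return conn


def tallies(conn: sqlite3.Connection) -> dict:
    return dict(conn.execute("SELECT candidate, votes FROM results ORDER BY candidate"))


# --- vulnerable: user input is spliced into the SQL text ----------------------
def add_vote_vulnerable(conn: sqlite3.Connection, candidate: str) -> None:
    conn.execute(f"UPDATE results SET votes = votes + 1 WHERE candidate = '{candidate}'")


def rename_vulnerable(conn: sqlite3.Connection, old: str, new: str) -> None:
    # executescript runs stacked statements, so a ';' in the input executes extra SQL
    conn.executescript(f"UPDATE results SET candidate = '{new}' WHERE candidate = '{old}'")


# --- hardened: the same queries with bound parameters ------------------------
def add_vote_safe(conn: sqlite3.Connection, candidate: str) -> int:
    cur = conn.execute("UPDATE results SET votes = votes + 1 WHERE candidate = ?", (candidate,))
    return cur.rowcount  # number of rows actually changed


def rename_safe(conn: sqlite3.Connection, old: str, new: str) -> int:
    cur = conn.execute("UPDATE results SET candidate = ? WHERE candidate = ?", (new, old))
    return cur.rowcount


# Two classic payloads, constructed for the example.
TAUTOLOGY = "Bob' OR '1'='1"
STACKED = "Bob'; UPDATE results SET votes = 0 WHERE candidate = 'Alice'; --"


def demo() -> tuple:
    """Run both payloads against the vulnerable and the hardened functions."""
    vuln = seed()
    add_vote_vulnerable(vuln, TAUTOLOGY)        # WHERE ... = 'Bob' OR '1'='1': every row +1
    rename_vulnerable(vuln, STACKED, "Robert")  # Bob renamed AND Alice's votes set to 0

    safe = seed()
    n_votes = add_vote_safe(safe, TAUTOLOGY)    # the whole payload is one literal: 0 rows
    n_renamed = rename_safe(safe, STACKED, "Robert")
    return tallies(vuln), tallies(safe), n_votes, n_renamed


if __name__ == "__main__":
    vulnerable_result, safe_result, n_votes, n_renamed = demo()
    print("vulnerable:", vulnerable_result)
    print("hardened:  ", safe_result, "rows changed:", n_votes, n_renamed)
```

The hardened versions never build SQL from strings: the driver sends the query text and the values separately, so a quote or semicolon in the input is just data. The same discipline applies to the candidate and party names the children were invited to tamper with.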

The organizers are still analyzing the results of the project, but they said that they invited the kids to tamper with vote tallies, candidate names, and party names.

Mission accomplished: Nico Sell, the co-founder of the non-profit r00tz Asylum – an organization that teaches kids reverse engineering, soldering, cryptography, and responsible bug disclosure and which helped to organize the event – told PBS News Hour that more than 30 children managed to change state site replicas in under 30 minutes.

Read more at https://nakedsecurity.sophos.com/2018/08/14/11-year-old-hacker-changes-election-results/

Facebook news feed changes – it’s a hoax!

By Lisa Vaas

Remember Certs? It was a candy mint. It was a breath mint. It was two! Two! Two mints in one!

The Facebook hoax du jour is like that: it’s a hoax about Facebook limiting your news feed to 26 people! It’s a hoax about users being able to copy and paste their way into a Whole New News Feed! It’s Two! Two! Two hoaxes in one!

Here are the hoax mongers’ instructions on how to dupe Facebook’s cursed (fictional) friend-limiting algorithm.

It WORKS!! I have a whole new news feed. I’m seeing posts from people I haven’t seen in years.

Here’s how to bypass the system FB now has in place that limits posts on your news feed.

Their new algorithm chooses the same few people – about 25 – who will read your posts. Therefore, I ask you all a favor so I can see your news feed and you can see mine.

Hold your finger down anywhere in this post and “copy” will pop up. Click “copy”. Then go to your page, start a new post and put your finger anywhere in the blank field. “Paste” will pop up and click paste.

This will bypass the system.

The 26-friends-only algorithm hoax dates back to the beginning of the year, coming as it did on the heels of a real Facebook announcement from 11 January about a major overhaul in how Facebook’s newsfeed works.

The change wasn’t about squeezing out your friends, though. In fact, Facebook had the opposite in mind: squeezing businesses out of your news feed. The point was to get more personal content from friends and family into our news feeds, as opposed to corporate posts, be they from corporations, businesses or media.

Read more at https://nakedsecurity.sophos.com/2018/08/14/facebook-news-feed-changes-its-a-hoax/

How a cryptocurrency-destroying bug almost didn’t get reported

By Danny Bradbury

A researcher recently revealed how he found a bug that could have brought the fourth largest cryptocurrency to its knees – and how he struggled to report it.

Cory Fields, who works as a developer at MIT Media Lab’s Digital Currency Initiative, found the bug in Bitcoin Cash, which is an alternative cryptocurrency to Bitcoin based on software called Bitcoin ABC. A group of activists in the Bitcoin community introduced the software after becoming unhappy with the direction that the developers of the original Bitcoin software (known as Bitcoin Core) were taking.

When people began using Bitcoin ABC, they created a hard fork of the Bitcoin blockchain: because the new software accepts blocks that the original rules reject, the two sets of nodes stopped agreeing on which chain is valid. The result is a separate blockchain – a new ledger of transactions that split off from the original Bitcoin blockchain and is incompatible with it. It’s akin to one community in a town leaving and setting up their own town with its own rules.

Since then, the Bitcoin Cash blockchain has existed as an alternative to the original, and various members of its community have proclaimed it as the ‘real’ Bitcoin. At the time of writing, it had the fourth biggest market capitalization of any cryptocurrency at almost $10bn.

Fields, who is a Bitcoin Core developer, discovered a bug in Bitcoin Cash that could have allowed attackers to create their own involuntary split in the Bitcoin Cash blockchain. According to his Medium post, someone in the Bitcoin Cash developer community updated the rules in the software that verifies Bitcoin Cash transactions before including them on the blockchain.
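To see why a single divergent validation rule is enough to split a chain involuntarily, here is an added toy simulation written for this digest; it is not Bitcoin ABC code, and the rule it changes (a hypothetical per-transaction flag that one version forgets to check) is invented, since the page does not describe the actual bug. Two nodes start from the same chain; an attacker broadcasts a block containing one transaction that the buggy rule set accepts and the correct one rejects, and from then on each node extends a different tip.

```python
import hashlib
from dataclasses import dataclass
from typing import Callable


@dataclass(frozen=True)
class Tx:
    txid: str
    flag: bool  # hypothetical attribute the two rule sets disagree about


@dataclass(frozen=True)
class Block:
    prev: str
    txs: tuple  # tuple of Tx

    def hash(self) -> str:
        payload = self.prev + "|" + ",".join(t.txid for t in self.txs)
        return hashlib.sha256(payload.encode()).hexdigest()[:16]


def rule_strict(tx: Tx) -> bool:
    return tx.flag  # the intended consensus rule: the flag must be set


def rule_relaxed(tx: Tx) -> bool:
    return True     # a buggy rewrite that no longer checks the flag


class Node:
    """A validating node that only appends blocks extending its own tip."""

    def __init__(self, name: str, rule: Callable[[Tx], bool]):
        self.name = name
        self.rule = rule
        self.chain = ["genesis"]

    def tip(self) -> str:
        return self.chain[-1]

    def accept(self, block: Block) -> bool:
        if block.prev != self.tip():
            return False
        if not all(self.rule(tx) for tx in block.txs):
            return False
        self.chain.append(block.hash())
        return True


def simulate() -> dict:
    strict = Node("strict", rule_strict)
    relaxed = Node("relaxed", rule_relaxed)
    nodes = (strict, relaxed)

    b1 = Block("genesis", (Tx("a1", True),))
    agreed = [n.accept(b1) for n in nodes]  # before the attack both nodes agree

    # Attacker's block: one transaction the relaxed rule accepts and the strict rule rejects.
    poison = Block(b1.hash(), (Tx("a2", True), Tx("bad", False)))
    poison_accepted = {n.name: n.accept(poison) for n in nodes}

    # An honest miner on the strict rules keeps building on b1; the relaxed node,
    # whose tip is now the poison block, rejects it as not extending its chain.
    honest = Block(b1.hash(), (Tx("a3", True),))
    honest_accepted = {n.name: n.accept(honest) for n in nodes}

    return {
        "agreed_before": all(agreed),
        "poison_accepted": poison_accepted,
        "honest_accepted": honest_accepted,
        "tips": {n.name: n.tip() for n in nodes},
        "split": strict.tip() != relaxed.tip(),
    }


if __name__ == "__main__":
    for key, value in simulate().items():
        print(f"{key}: {value}")
```

The simulation deliberately ignores hash power and reorganisation: real nodes follow the most-work chain among the blocks they consider valid, but that does not reconnect two node populations whose validity rules differ, which is exactly what makes such a bug a chain-splitting one rather than a temporary fork.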

Read more at https://nakedsecurity.sophos.com/2018/08/13/how-a-cryptocurrency-destroying-bug-almost-didnt-get-reported/

Siri is listening to you, but she’s NOT spying, says Apple

By Lisa Vaas

Are our iPhones eavesdropping on us? How else would Siri hear us say “Hey, Siri” other than if she were constantly listening?

That’s what Congress wondered, and it wanted Apple to explain. It also wanted to know about how much location data iPhones are storing and handing over about us.

So the US House of Representatives Energy and Commerce Committee sent a letter to Apple CEO Tim Cook on the matter of Apple having recently cracked down on developers whose apps share location data in violation of its policies.

The letter posed a slew of questions about how Apple has represented all this third-party access to consumer data, about its collection and use of audio recording data, and about location data that comes from iPhones.

On Tuesday, Apple responded.

Much of the response letter translates into “We Are Not Google! We Are Not Facebook!” As in, Apple’s business model is different from those of other data-hoovering Silicon Valley companies that rely on selling consumer information to advertisers:

The customer is not our product, and our business model does not depend on collecting vast amounts of personally identifiable information to enrich targeted profiles marketed to advertising.

Timothy Powderly, Apple’s director of federal government affairs, emphasized in the letter that Apple minimizes collection of data and anonymizes what it does collect:

We believe privacy is a fundamental human right and purposely design our products and services to minimize our collection of customer data. When we do collect data, we’re transparent about it and work to disassociate it from the user.

And no, Siri is not eavesdropping. The letter went into specifics about how iPhones can respond to voice commands without actually eavesdropping. It has to do with locally stored, short buffers that only wake up Siri if there’s a high probability that what it hears is the “Hey, Siri” cue.

Read more at https://nakedsecurity.sophos.com/2018/08/13/siri-is-listening-to-you-but-shes-not-spying-says-apple/

Feds indict 12 for allegedly buying iPhones on other people’s dimes

By Lisa Vaas

The Feds have indicted a dozen people for allegedly using hacked cell phone accounts to “upgrade” to nice, shiny new iPhones and other pricey gadgets, waltzing into stores to pay the small upgrade fees, sticking victims with the rest of the costs, selling the loot for full purchase price, and pocketing the profit.

The US Department of Justice (DOJ) announced the indictments on Thursday.

Geoffrey S. Berman, the US Attorney for the Southern District of New York, and Angel M. Melendez, a special agent with the New York office of the Immigration and Customs Enforcement’s (ICE’s) Homeland Security Investigations (HSI), said they’ve got seven suspects – six were arrested in southern New York, and one in Ohio – while another five are still on the loose.

They stand accused of improperly accessing more than 3,300 customers’ cellphone accounts and defrauding those accounts of the cost of more than 1,200 cellphones, causing losses of more than $1 million.

Berman said that the fraud ring pulled off the heists, which were carried out nationwide, by first allegedly buying their victims’ account details off the dark web, then allegedly hacking into their accounts.

Melendez said that the fraud network was operating out of New York – most particularly in the Bronx, which is where they sold many of the iPhones, iPads, tablets and watches they bilked people out of. It was also operating out of the Dominican Republic; from other, unspecified places; and on the dark web, he said.

According to the indictment, defendants allegedly traveled to 30 states to get the phones, then often brought them back to the Bronx to sell through fencing operations. The cellphone carriers absorbed the financial losses, but the victims suffered the theft of their identities and/or had their accounts accessed without authorization.

Read more at https://nakedsecurity.sophos.com/2018/08/13/feds-indict-12-for-allegedly-buying-iphones-on-other-peoples-dimes/

In-flight satellite comms vulnerable to remote attack, researcher finds

By John E Dunn

IOActive’s researcher Ruben Santamarta is the sort of person anyone interested in computer security would probably enjoy sitting next to on a long flight.

Take the journey he made last November between Madrid and Copenhagen on Norwegian during which (naturally) he decided to use Wireshark to study the aircraft’s in-flight Wi-Fi.

As well as finding that Telnet, FTP and web were available for certain IPs, it turned out that an interface page for a Hughes aircraft satellite communication (SATCOM) router could also be accessed without authentication.

This is the system used by Norwegian that connects a plane to the ground to provide internet connectivity. (Icelandair and Southwest are customers too.)

In a Black Hat show paper last week, Last call for SATCOM Security, Santamarta and his colleagues published details of how this simple discovery put them on the trail of a string of larger security flaws that build on IOActive SATCOM vulnerability research dating back to 2014.

Read more at https://nakedsecurity.sophos.com/2018/08/13/in-flight-satellite-comms-vulnerable-to-remote-attack-researcher-finds/

ACS

Advanced Computer Services of Central Florida

Centrally located in Winter Haven, we serve residential and business clients in and around Polk County.

9 Camellia Drive
Winter Haven, FL 33880
863-229-4244

Our Promise to You

Plain language, no tech-talk

We will never try to over-sell you a product you don't need.


Advanced Computer Services of Central Florida is your local, hometown computer service and repair company that can do more than just fix your PC.  We offer highly skilled professionals who can be counted on to give you sound advice on upgrades, software and hardware, commercial & residential networks, hardwire or secure wireless.

No trip charges within Polk County

No after-hours or weekend fees

$45.00/hr Residential

$65.00/hr Commercial - free system evaluation