August 16, 2018

Australians who won’t unlock their phones could face 10 years in jail

By Danny Bradbury

The Australian government wants to force companies to help it get at suspected criminals’ data. If they can’t, it would jail people for up to a decade for refusing to unlock their phones.

The country’s Assistance and Access Bill, introduced this week for public consultation, strengthens the penalties for people who refuse to unlock their phones for the police. Under Australia’s existing Crimes Act, judges could jail a person for two years for not handing over their data. The proposed Bill extends that to up to ten years, arguing that the existing penalty wasn’t strong enough.

The Bill takes a multi-pronged approach to accessing a suspect’s data by co-opting third parties to help the authorities. New rules apply to “communication service providers”, which is a definition with a broad scope. It covers not only telcos, but also device vendors and application publishers, as long as they have “a nexus to Australia”.

These companies would be subject to two kinds of government order that would compel them to help retrieve a suspect’s information.

The first of these is a ‘technical assistance notice’ that requires telcos to hand over any decryption keys they hold. This notice would help the government in end-to-end encryption cases where the target lets a service provider hold their own encryption keys.

But what if the suspect stores the keys themselves? In that case, the government would pull out the big guns with a second kind of order called a technical capability notice. It forces communications providers to build new capabilities that would help the government access a target’s information where possible.

Read more at https://nakedsecurity.sophos.com/2018/08/16/australians-who-wont-unlock-their-phones-could-face-10-years-in-jail/

Sacramento admits to tracking welfare recipients’ license plates

By Lisa Vaas

As the American Civil Liberties Union (ACLU) found out in 2015 through the Freedom of Information Act, the US Drug Enforcement Administration (DEA) has for years been building a massive national license plate reader (LPR) database that it shares with federal and local authorities, with no clarity on whether courts are overseeing its use.

That blasé approach to mass surveillance of drivers is holding steady, as evidenced by recent revelations about California using an LPR database to track down welfare cheats.

It’s doing so in a manner that’s against the law. As the Electronic Frontier Foundation (EFF) noted when it revealed the surveillance two weeks ago, “California law is crystal clear” on this: any entity – including government agencies such as those that administer welfare programs – that accesses data collected by automated license plate readers (ALPRs) must implement a privacy and usage policy that ensures that use of this sensitive information “is consistent with respect for individuals’ privacy and civil liberties.”

ALPRs snap photos of all license plates from street poles and police cars as vehicles drive by. To legally get at those images, the Sacramento County Department of Human Assistance (DHA) should have had a policy that includes periodic audits. Also, each time that LPR data was looked up, a purpose should have been recorded.

But for the two years preceding the EFF’s California Public Records Act request, the DHA didn’t tick off those two basic legal requirements – or if they did, it didn’t show up in the logs seen by the EFF.

In fact, between June 2016 and July 2018, 22 employees working on welfare fraud searched ALPR data more than 1,000 times – all without privacy policies posted online or written anywhere, as required by law. Some employees only dipped a toe into the database, running a single search, while others ran more than 100 searches. One employee ran 214 searches over the course of 20 months, the EFF found.

Read more at https://nakedsecurity.sophos.com/2018/08/16/sacramento-admits-to-tracking-welfare-recipients-license-plates/

Silk Road founder Ross Ulbricht is dictating tweets from prison

By Lisa Vaas

Ross Ulbricht is forbidden from going online, but that hasn’t stopped him from tweeting.

Ulbricht – formerly known as Dread Pirate Roberts, founder of the Silk Road Dark Web online market – was convicted in 2015 on money laundering, conspiracy, drug and hacking-related charges.

He was sentenced to double life sentences without parole, plus another 40 years – but that hasn’t kept him quiet: his family opened a Twitter account for him in June, and they’ve been posting his tweets ever since.

After he was convicted, Ulbricht’s mother, Lyn Ulbricht, launched the “Free Ross Ulbricht” campaign, which accuses the government of framing her son as part of the “failed War on Drugs.” The campaign portrays his case as a milestone in the government’s crackdown on internet freedom.

The campaign reads:

This is a sentence that shocks the conscience. The website Silk Road was an e-commerce platform similar to eBay, where individual users chose what to list for sale. Both legal and illegal items were sold, most commonly small amounts of cannabis.

Ross is condemned to die in prison, not for dealing drugs himself but for a website where others did. This is far harsher than the punishment for many murderers, pedophiles, rapists and other violent people.

You might be forgiven if you were to raise an eyebrow at Ulbricht being called nonviolent, given that six separate murder-for-hire incidents were leveled against him. If he had been found guilty of any of those charges, we could safely assume he had a rather harsh way of dealing with business competitors.

But he was not. None of the murder-for-hire allegations turned up in the final charge-sheet.

At the time of his sentencing, however, family members of several people thought to have died of drugs purchased on Silk Road appeared in court. Those deaths were highly significant in what might otherwise seem like an overly harsh sentence for a “nonviolent” offender.

Read more at https://nakedsecurity.sophos.com/2018/08/16/silk-road-founder-ross-ulbricht-is-dictating-tweets-from-prison/

Bogus journals being used to publish fake science

By John E Dunn

If post-truth has an alarming ring to it, try to imagine a world full of fake science – fake science that is incredibly hard to distinguish from the real thing.

According to a DEF CON presentation written up by Motherboard that would sound like the outline for an amusing Sacha Baron Cohen satire if it wasn’t so serious, such fake science is already upon us.

It seems that thousands of scientists and companies across the world want the credibility boost from having research published, and a cottage industry of bogus publishers has sprung up to service this need – for a fee of course.

Analyzing the 175,000 articles published by “predatory journals”, journalists Svea Eckert and Till Krause and Online Privacy Foundation co-founder Chris Sumner counted hundreds of papers from academics at leading universities as well as volumes promoted by pharmaceutical and tobacco companies.

This isn’t just vanity publishing, however – after studying two major sites in the sector, they discovered tens of thousands of abstracts for fake scientific papers, including 15,000 from India and 13,000 that originated from the US.

In the last decade, these sites alone had even received 162 papers from Stanford, 153 from Yale, 96 from Columbia, and 94 from Harvard.

It’s likely that several slightly different things are going on here. Some academics might be paying sites to cite research that might not pass strict peer review in order to boost their reputations.

Read more at https://nakedsecurity.sophos.com/2018/08/16/bogus-journals-being-used-to-publish-fake-science/

Google is tracking your location, even when the setting is turned off

By John E Dunn

Shock horror – it appears Google can track the location of anyone using some of its apps on Android or iPhone even when they’ve told it not to.

That’s according to an “exclusive” from the Associated Press (AP) which describes how researchers at Princeton University have confirmed that Google’s ability to record a user’s location history goes deeper than many realise.

Officially, Android users can turn off tracking using a slider button in the Location section under Settings.

Once deactivated, Google no longer stores a timeline and a precise record of a user’s movements when they take their Android device (or iPhone running Google services and apps) with them.

Checking this in Maps can be done by visiting Google’s Account Settings > My Account Activity > Other Account Activity > click ‘Visit Timeline’ under Location History. This should show a history of a user’s movements while using their device.

But according to AP’s research, turning off Location History doesn’t stop certain Google apps (Maps and Weather for instance) from storing a timestamped location when you open them.

Confusingly, this isn’t the same as Location Data, which uses a range of techniques (cell towers but especially Wi-Fi geolocation) to track where people are, sometimes to within a few metres.

Read more at https://nakedsecurity.sophos.com/2018/08/15/google-is-tracking-your-location-even-when-the-setting-is-turned-off/

Are your Android apps listening to you?

By Matt Boddy

Here’s a thing: numerous apps on your phone have permission to access your microphone.

Some, like the Phone app itself, were on the phone when you got it, but you’ve almost certainly added others – WhatsApp, Skype and Facebook, for instance – along the way.

From the moment you gave those apps audio permission, they’ve been able to listen in whenever they want, without telling you.

In theory, you’ll never know if an app is overstepping the mark; in practice, however, there are some cool ways of checking to see when an app is listening in.

Keeping track of an app’s behavior is a handy technical skill to have, so we’re going to show you how to look at the system calls made by your Android mobile to the audio subsystem.

No more audio secrets!

By following our tutorial, you can keep track of exactly when an app is accessing the microphone.

Note. For this article, we used a test device that was wiped first and then rooted. This means we deliberately altered the security settings to give us administrative access – on Linux/Android, the admin account is called root, so getting root access is colloquially called rooting. We strongly recommend that you don’t do research of this sort on your regular phone, just in case something goes wrong. And definitely don’t try this on your work phone!

Read more at https://nakedsecurity.sophos.com/2018/08/15/are-your-android-apps-listening-to-you/
