February 5, 2019
Home DNA kit company says it’s working with the FBI
By Lisa Vaas
FamilyTreeDNA – one of the larger makers of at-home genealogy test kits – has disclosed that it’s quietly been giving the FBI access to its database of 1 million DNA profiles to help solve violent crime.
Investigators’ use of public genealogy databases is nothing new: law enforcement agencies have been using them for years. But the power of online genealogy databases to help track down and identify people became clear in April 2018, when police arrested Joseph James DeAngelo on suspicion of being the Golden State Killer: the man allegedly responsible for more than 50 rapes, 12 murders and more than 120 burglaries across the state of California during the 70s and 80s.
What’s new about FamilyTreeDNA’s cooperation with the FBI – as reported by BuzzFeed News on Thursday – is that it’s the first time that a private genealogy company has publicly admitted to voluntarily letting a law enforcement agency access its database.
A spokesperson for FamilyTreeDNA told BuzzFeed that the company hasn’t signed a contract with the FBI. But it has agreed to use its private lab to test DNA samples at the bureau’s request, and to upload the profiles to its database, on a case-by-case basis. It’s been doing so since this past autumn, according to BuzzFeed.
The spokesperson said that working with the FBI is “a very new development” that started with one case last year and “morphed.” At this point, she said, the company has cooperated with the FBI on fewer than 10 cases.
Read more at https://nakedsecurity.sophos.com/2019/02/05/home-dna-kit-company-says-its-working-with-the-fbi/
Half of IoT devices let down by vulnerable apps
By John E Dunn
Testing Internet of Things (IoT) devices for security weaknesses can often resemble a large fist punching a wet paper bag. Researchers report a litany of firmware vulnerabilities, insecure wireless communications, and consumer complacency about the risks of connecting smart devices to a home network.
With so much bad press, might things be improving?
Not as fast as they should be, according to a test by researchers from Brazil’s Federal University of Pernambuco and the University of Michigan, who took a closer look at 32 smartphone apps used to configure and control the 96 top-selling Wi-Fi and Bluetooth-enabled devices sold on Amazon.
There’s a lot for IoT makers to secure, including the apps themselves, their connection to cloud proxies (typically used during initial setup), and the subsequent wireless connection and authentication to and from the IoT device.
It’s also a lot of equipment to test, which is why the researchers in this study started by inferring potential weaknesses using heuristic analysis of the apps themselves.
Disappointingly, 31% of the apps (corresponding to 37 devices out of 96) had no encryption at all, while another 19% had hard-coded encryption keys that an attacker might be able to reverse engineer even if they’d been obfuscated.
Read more at https://nakedsecurity.sophos.com/2019/02/05/half-of-iot-devices-let-down-by-vulnerable-apps/
Crypto exchange in limbo after founder dies with password
By Danny Bradbury
Customers of Canadian cryptocurrency exchange QuadrigaCX are missing over $250 million CAD in fiat and virtual currency (a total of around $190m in US dollars) after its founder died without telling anyone the password for his storage wallet.
QuadrigaCX enabled users to trade between fiat currency and cryptocurrencies including Bitcoin, Bitcoin Cash, Litecoin and Ethereum.
Gerry Cotten, the 30-year-old founder of the Vancouver-based exchange, passed away in India on 9 December 2018 due to complications from Crohn’s disease. In an affidavit to the Supreme Court of Nova Scotia, his partner Jennifer Robertson explained that cryptocurrencies had been stored in a cold wallet under his sole control.
In cryptocurrency trading, a wallet is a repository for cryptocurrency addresses that contain assets, along with private keys to access them. There are two kinds of wallet: hot, and cold.
A hot wallet is a software program connected to a blockchain, enabling it to make cryptocurrency transactions. A hot wallet can be vulnerable to hacking via software compromise.
A cold wallet stores address and private key details off the blockchain. It can take several forms. A paper wallet stores the details in writing, while a hardware wallet stores addresses and keys in a device. A cold storage wallet could even be a simple text file containing the appropriate addresses and keys. It can still be physically stolen, but because it isn’t connected to a blockchain it isn’t vulnerable to online compromise.
Read more at https://nakedsecurity.sophos.com/2019/02/05/cryptocurrency-exchange-in-limbo-after-founder-dies-with-password/
Kids’ GPS watches are still a security ‘train wreck’
By Lisa Vaas
A year after Norwegian researchers found that child-tracking, GPS-connected smartwatches had major security flaws – flaws that would have let strangers eavesdrop on a child, talk to them behind their parent’s back, use the watch’s camera to take their picture, stalk them, or lie about their whereabouts – not much has changed.
When Pen Test Partners decided to check up on how one of the four models the Norwegian researchers looked at had shaped up over the course of 14 months, things turned out to be status quo: the security of TechSixtyFour’s Gator watch and thousands of other watches was still a train wreck.
Pen Test Partners’ TL;DR:
Guess what: a train wreck. Anyone could access the entire database, including real time child location, name, parents’ details etc. Not just Gator watches either – the same back end covered multiple brands and tens of thousands of watches.
Following the Norwegian Consumer Council’s (NCC’s) 2017 report about these Internet-of-Things (IoT) wrist wraps, bad press broke out like so much prepubescent acne. At least one UK retailer, John Lewis, responded by yanking the Gator 2.
In November 2018, TechSixtyFour founder Colleen Wong said on the company’s blog that it had responded to the NCC’s report with a complete, one-month-long system overhaul. It also hired a vulnerability assessment firm to review its systems on an ongoing, monthly basis.
Read more at https://nakedsecurity.sophos.com/2019/02/05/kids-gps-watches-are-still-a-security-train-wreck/
Security weaknesses in 5G, 4G and 3G could expose users’ locations
By John E Dunn
Fifth generation (5G) wireless test networks are barely in the ground and already researchers say they’ve uncovered new weaknesses in the protocol meant to secure it.
5G security is built around 5G AKA (Authentication and Key Agreement), an enhanced version of the AKA protocol already used by 3G and 4G networks.
A big issue this was supposed to address was the ease with which surveillance of 3G and 4G devices can be carried out using fake base stations known as IMSI catchers (International Mobile Subscriber Identity catchers, sometimes called ‘StingRays’).
Disappointingly, according to a research paper, New Privacy Threat on 3G, 4G, and Upcoming 5G AKA Protocols, made public late last year, 5G AKA might not solve this thanks to deeper issues with the AKA protocol on which it is based.
As the name suggests, IMSI catchers work by tricking devices into connecting to them instead of the real base station, exploiting the fact that under GSM (the Global System for Mobile Communication mobile phone standard), devices prioritize closer and stronger signals.
Luring a smartphone to connect to a fake base gives attackers the power to identify the device’s owner, track their physical location, and potentially execute a downgrade attack by asking it to remove security such as encryption.
Read more at https://nakedsecurity.sophos.com/2019/02/04/security-weaknesses-in-5g-4g-and-3g-could-expose-users-locations/