October 1, 2019
Cloudflare adds VPN features to 1.1.1.1 privacy app
By John E Dunn
As promised in April, Cloudflare has finally launched Warp, a consumer mobile privacy app that looks a lot like a VPN without actually being one.
That sounds confusing so let’s start by describing the service itself, which can be accessed via a free Android and iOS app called Warp, and a $4.99 per month subscription app called Warp+.
The first, Warp, is a development of the 1.1.1.1 service and mobile apps launched in 2018 as an alternative DNS resolver that headlined on the theme of privacy – i.e. we don’t log the sites you visit.
More recently, the 1.1.1.1 app added support for the emerging encrypted DNS standards, DNS-over-HTTPS (DoH) and DNS-over-TLS (DoT), which hide the domains people visit from ISPs and anyone else listening in (Mozilla recently integrated this service into Firefox).
Now 1.1.1.1 has become ‘1.1.1.1 with Warp’ by adding the ability to encrypt all traffic from the mobile device and not just DNS queries, hence the similarity to a full VPN.
What does the Warp+ subscription add to this? Despite being limited to one device, the user gets unlimited bandwidth and 30% better performance thanks, Cloudflare says, to Warp+ traffic being routed over its global network in an optimized way.
Note that if you signed up for the Warp waiting list via the 1.1.1.1 app, you also get the chance to try Warp+ free of charge with an initial 10GB of data.
If Warp isn’t a VPN, what is it?
Traditional VPNs route a user’s network traffic to a trusted, internet-connected server, via an encrypted ‘tunnel’. The security benefit of a VPN is that it lets a user send traffic via a provider they trust (the VPN company) while hiding it from others they don’t trust (ISPs, Wi-Fi snoopers and bad actors, which can’t).
Read more at https://nakedsecurity.sophos.com/2019/10/01/cloudflare-adds-vpn-features-to-1-1-1-1-privacy-app/
Hacking 2020 voting systems is a ‘piece of cake’
By Lisa Vaas
It’s still child’s play to pick apart election systems that will be used in the 2020 US presidential election, as ethical hackers did, once again, over the course of two and a half days at the Voting Village corner of the DefCon 27 security conference in August.
The results are sobering. This is the third year they’ve been at it, and security is still abysmal.
On Thursday, Voting Village organizers went to Capitol Hill to release their findings, in an event attended by election security funding boosters Sen. Ron Wyden and Rep. Jackie Speier.
In a nutshell: in August, hackers easily compromised every single one of the more than 100 machines to which they were given access, many with what they called “trivial attacks” that required “no sophistication or special knowledge on the part of the attacker.” They didn’t get their hands on every flavor of voting system in use in the country, but every one of the machines they compromised is currently certified for use in at least one voting jurisdiction, including direct-recording electronic (DRE) voting machines, electronic poll books, Ballot Marking Devices (BMDs), optical scanners and hybrid systems.
From the Voting Village press release:
In too many cases physical ports remain unprotected, passwords remain unset or left in default configurations and security features of the underlying commercial hardware are left unused or even disabled.
Same old, same old
During the three years that Voting Village has tested voting system security, there’s been no shortage of warnings about the potential for tampering with any election systems connected to the internet or to any network. The state of election non-security is serious enough that the Defense Advanced Research Projects Agency (DARPA) is working on it: it’s hoping to create an electronic voting system that it hopes will prevent tampering with voting machines at the polls.
Read more at https://nakedsecurity.sophos.com/2019/10/01/hacking-2020-voting-systems-is-a-piece-of-cake/
China’s 500-megapixel camera is capable of mega-facial-recognition
By Danny Bradbury
Stop bragging about how many megapixels your snazzy new prosumer DSLR camera has – China has beaten you to it. Researchers there have just announced a 500mp camera. Rather than taking stunning vacation photos, though, one of the most likely uses for this wide-angle, beer crate-sized device is for identifying people dozens of meters away using facial recognition.
Fudan University worked with the Changchun Institute of Optics, Fine Mechanics and Physics of Chinese Academy of Sciences to develop the camera, which takes both pictures and video in unparalleled detail. ABC’s story suggests that this is five times the resolution of the human eye, but scientific imaging specialist Roger Clark says that the human eye has an effective resolution of around 576mp.
Whichever figure you believe, 500 megapixels (or 0.5 billion pixels) is more than enough to pick out faces in a stadium or on a street corner with the camera’s built-in facial recognition techniques.
This should have your privacy alarm bells ringing, but that’s just one part of the story. There’s also the possibility of a link with China’s emerging social credit system (SCS). Designed for a full national rollout in China next year, it assigns points for activities deemed socially acceptable, like donating blood and doing volunteer work, while subtracting them for negative actions like jaywalking or not showing up for restaurant reservations.
Apparently, in some local prototypes, telcos show you a message when calling someone on the social credit system’s blacklist telling you that the person you’re calling is dishonest. We didn’t think that we’d find ourselves living in Black Mirror’s excellent Nosedive episode for a while yet, but oh well, here we are.
Read more at https://nakedsecurity.sophos.com/2019/10/01/chinas-500mp-camera-will-identify-you-at-a-distance/
Darknet hosting provider in underground NATO bunker busted
By Lisa Vaas
A large piece of the dark web’s spine has been broken: German investigators announced on Friday that they’ve excavated the CyberBunker.
The so-called bulletproof hosting provider, located five floors underground in a heavily fortified, Cold War-era, former NATO bunker in Germany is a data center with around 2,000 servers, dedicated to shielding illegal activity from the eyes of law enforcement.
Thirteen suspects connected to CyberBunker – seven arrested and the rest still at large – are being investigated in connection to the websites hosted by the data center, which involved arms trafficking, trafficking in child abuse imagery and drugs, selling fake documents, marketing stolen data, conducting large-scale cyber-attacks, or, as described by a spokesman for the Rhineland-Palatinate State Office of Criminal Investigation (LKA):
Anything you can imagine on the Darknet.
Prosecutor Jürgen Brauer and regional criminal police chief Johannes Kunz said in a press conference on Friday that the countrywide, nearly five-year, complex investigation is the first time that German police have managed to break the operations of a bulletproof hosting provider.
The accused include 12 men and one woman, aged between 20 and 59. Police have arrested seven men and have issued warrants for the rest of the men and the one woman. Four of the suspects are Dutch, one is Bulgarian and two are German. As well, 18 search warrants have been issued.
Wall Street Market crumbles
So far, investigators have determined that the darknet marketplaces and forums hosted by CyberBunker servers included, for one, the Wall Street Market (WSM): the second-largest marketplace of its kind in the world. An e-commerce site, it was something like an eBay for drugs, police said. They say it handled 250,000 transactions for a total of more than 41 million euros (USD $44.66m, £36.28m).
Read more at https://nakedsecurity.sophos.com/2019/10/01/darknet-hosting-provider-busted-in-underground-nato-bunker/