TIME Security

Report: Feds Using Airplanes to Target Criminal Suspects’ Cell-Phone Data

Cessna taxiing
Wellsie82—Moment Open/Getty Images

Devices on planes said to simulate cell towers and trick phones into reporting data

The Justice Department is using equipment on board aircraft that simulates cell towers to collect data from criminal suspects’ cell phones, according to a report Thursday.

Citing “people familiar with the operations,” the Wall Street Journal reports that a program operating under the U.S. Marshals Service is said to use small aircraft flying from five different airports around the country. Devices aboard those planes called “dirtboxes” essentially trick the suspects’ cellphones into thinking they’re connecting to legitimate cell towers from big wireless carriers like Verizon or AT&T, allowing the feds to scoop up personal data and location information about those targeted.

However, the report details that those devices could be gathering data from “tens of thousands” of Americans in a single flight, meaning nonsuspects are likely to be included in the data roundup. The new report could shed some light on earlier reports of mysterious “phony” cell towers that security researchers have found around the country.

Read more at the Wall Street Journal

TIME Security

Chinese Hackers Breached National Weather Websites

The breach wasn't acknowledged until after several probes

Officials announced Wednesday that Chinese hackers had gained access to federal weather data as early as September.

The hack occurred in late September, but was not acknowledged by the National Oceanic and Atmospheric Administration until Oct. 20, the Washington Post reports. As a result of the hack, some national weather websites were unavailable for as many as two days, including the National Ice Center website. And those sites being offline impacted some long-term forecasts.

NOAA also lagged in its response to the breach. The Post reports that the administration “did not say its systems were compromised” when the problem was first acknowledged on Oct. 20. When NOAA admitted Wednesday that there had been a cyber security breach, they did not say who was responsible either. That information came from Rep. Frank Wolf (R-Va.), who disclosed that the attack had come from China. Wolf blasted the agency saying, “They had an obligation to tell the truth. They covered it up.”

Read more at the Washington Post.

TIME Security

U.S. Postal Service Says Data on Up to 800,000 Workers Hacked

The U.S. Postal Service (USPS) logo is seen on the shirt of a letter carrier.
Bloomberg/Getty Images

Some customer information may have been compromised as well

The U.S. Postal Service (USPS) revealed Monday that data on its employees may have been compromised in a “cyber intrusion incident.”

USPS said it recently learned of a data breach affecting the names, dates of birth, Social Security numbers, addresses, employment dates and emergency contact information of up to 800,000 employees.

Post office customers who contacted the Postal Service Customer Care Center via telephone or e-mail between Jan. 1 and Aug. 16 may have had their names, addresses, telephone numbers or e-mail addresses compromised, the USPS said, but added there’s no evidence to suggest customers’ credit card information was stolen or hacked.

“The intrusion is limited in scope and all operations of the Postal Service are functioning normally,” said USPS media relations manager David Partenheimer in a statement. “We began investigating this incident as soon as we learned of it, and we are cooperating with the investigation, which is ongoing. The investigation is being led by the Federal Bureau of Investigation and joined by other federal and postal investigatory agencies.”

Employees possibly affected by the data breach have been notified, and will receive credit monitoring services for one year at no charge, USPS said.

The mail service did not identify suspects in the investigation, but Partenheimer told the Washington Post that the intruder may be “a sophisticated actor that appears not to be interested in identity theft or credit card fraud.”

TIME Security

Apple Says It’s Blocking Malware-Infected iPhone Apps

Apple Inc.'s iPhone 6 and iPhone 6 Plus Go On Sale
An Apple Inc. iPhone 6 stands on display at the company's Causeway Bay store during the sales launch of the iPhone 6 and iPhone 6 Plus in Hong Kong, China, on Friday, Sept. 19, 2014. Bloomberg—Bloomberg via Getty Images

Apple moved quickly to combat a massive iPhone hack from a Chinese app store

Apple said Thursday that it’s blocking apps infected with malicious software in an effort to protect iPhone users in China from being hacked.

Over 450 apps available on third-party Chinese app store Maiyadi have been infected with Wirelurker malware, which steals data from iPhones and iPads by lying in wait on computers running Apple’s Mac OS X operating system.

Apple moved quickly to block the affected apps. “We are aware of malicious software available from a download site aimed at users in China, and we’ve blocked the identified apps to prevent them from launching,” Apple said in a written statement Thursday, the Wall Street Journal reports.

Palo Alto Networks, the security company that first reported the breach, said that hundreds of thousands of iPhone users may have been affected.

You can learn more about how to protect yourself from the Wirelurker malware here.

 

TIME Security

Home Depot Hackers Exposed 53 Million Email Addresses

A shopper walks past a large Home Depot logo inside a store in New York on May 16, 2006 Bloomberg/Getty Images

They also stole information from 56 million credit cards

The Home Depot hack was even worse than authorities originally thought, according to a new report. Along with compromising 56 million credit-card accounts, the hackers also exposed 53 million customer email addresses.

Two months ago, the hackers accessed the retailer’s system through usernames and passwords they stole from a refrigeration contractor’s electronic billing account. Target and other companies have been infiltrated in a similar fashion. Authorities who investigated the Home Depot incident revealed the full scope of the hack to the Wall Street Journal on Thursday.

The Home Depot hackers took aim at 7,500 of the company’s self-checkout lanes. The software hid itself for five months, collecting data and transmitting it to an outside system.

[WSJ]

TIME legal

Why the Constitution Can Protect Passwords But Not Fingerprint Scans

Password Fingerprints Fifth Amendment
A portable fingerprint scanner is displayed at the Biometrics Conference and Exhibition at the Queen Elizabeth II Conference Centre. Peter Macdiarmid—Getty Images

Fingerprint scans are more secure, except when it comes to the Fifth Amendment

Cellphone fingerprint passcodes weren’t on James Madison’s mind when he authored the Fifth Amendment, a constitutional protection with roots in preventing torture by barring self-incriminating testimonials in court cases.

Yet those tiny skin ridges we all share were at the heart of a Virginia court case last week in which a judge ruled that police, who suspected there was incriminating evidence on a suspect’s smartphone, could legally force the man to unlock his device with its fingerprint scanner. While the Fifth Amendment protects defendants from revealing their numeric passcodes, which would be considered a self-incriminating testimonial, biometrics like fingerprint scans fall outside the law’s scope.

“If you are being forced to divulge something that you know, that’s not okay,” said Marcia Hofmann, an attorney and special counsel to digital rights group Electronic Frontier Foundation. “If the government is able through other means to collect evidence that just exists, then they certainly can do that without stepping on the toes of the constitutional protection.”

“The important thing is,” Hofmann said, “is it something you know, or something you have?”

The Virginia ruling was perhaps the most clear-cut decision among similar cases whose outcomes have varied significantly by circumstance. In United States v. Fricosu (2012), a court ruled that because it was “a foregone conclusion” that the defendant’s password-locked data was incriminating, the Fifth Amendment didn’t apply. In United States v. John Doe (2011), the defendant, who had a hard drive protected by encryption, at first didn’t receive Fifth Amendment protection, but that decision was reversed by an appellate court that ruled that if Doe provided his decryption password, then it would “lead the Government to evidence that would incriminate him.” Last week’s Virginia ruling is a fresh example of what can happen when a 225-year-old law is applied to a field as rapidly changing as digital security.

“I think the courts are struggling with this, because a fingerprint in and of itself is not testimony,” said Hayes Hunt, a criminal defense and government investigations lawyer at Cozen O’Connor. “The concern is, once we put a password on something or on ourselves, we have a certain privacy interest.”

Judges across the country will only have to make more decisions about biometrics, as their use by everyday consumers is on the rise. Today, our data is protected by everything from iris scans at airports to heartbeat measurements and ear-print smartphone locks. “This whole area is in such a state of flux,” said Jody Goodman, a counsel at Crowell & Moring. “It seems like every week there are new things happening.”

Apple in particular is one of the most widely-recognized consumer technology companies that have adopted biometrics, though it wasn’t the first. Its latest flagship iPhones and iPads come with Touch ID, which lets users unlock their devices or make payments by scanning their thumbprints instead of inputting a numeric passcode. But while Apple and other companies with fingerprint scanners on their devices say the feature provides more protection from data theft, the Virginia ruling means that data protected only by an old-school passcode is afforded stronger legal protection under the Fifth Amendment.

The solution for those seeking more legal cover for their data, though, is surprisingly simple. If a defendant’s data is protected by both a thumbprint and a passcode, he or she could invoke the Fifth for the thumbprint, thereby blocking access to the data — at least according to the precedent set by the Virginia case. But for now, iPhones at least lack this option, probably because it’s not being demanded by consumers.

“I think Apple will respond to what the market demands,” said Goodman. “Most people don’t want to be bothered [by additional security]. That’s why the fingerprint technology was created in the first place.”

TIME Security

How to Avoid the ‘Biggest’ iPhone Malware App Attack Yet

Apple's iPhone 6 and 6 Plus Go On Sale
Customers look at the new iPhone 6 at an Apple Store on September 19, 2014 in Palo Alto, California. Justin Sullivan—Getty Images

New malware called Wirelurker may have affected hundreds of thousands of users

Hackers are targeting Apple mobile and desktop users with malicious software in order to damage or steal information, a Silicon Valley security company said Wednesday. The malware has been targeting the iPhone iOS systems for the past six months.

Palo Alto Networks, the company that discovered the attack, nicknamed the hacking campaign “Wirelurker” and called it “the biggest in scale we have ever seen” against Apple mobile and desktop users. Wirelurker has infected over 450 apps that are sold through a third-party iPhone application store in China called the Maiyadi App Store. The infected apps have been downloaded over 356,104 times in the last six months, Palo Alto Networks said, and “may have impacted hundreds of thousands of users.”

Why it might not be the end of the world. Wirelurker originates on apps downloaded through the third-party Maiyadi app store. You have to “jailbreak” your phone in order to allow it access to third-party app stores. Here’s the rub: Most Apple users simply download apps from the official App Store. So if you’re just doing your thing and downloading apps through Apple, you’ve greatly reduced your exposure to Wirelurker and other malware in general.

Why it actually might be the end of the world. Wirelurker is sophisticated, and once it infects a phone, it can travel to uninfected phones through desktop computers. When someone connects an infected iPhone to a computer running OS X via a USB cord, Wirelurker installs itself on the Mac. Then it listens for a USB connection to another iOS device and immediately infects that new device. So even if you’re not using apps from third-party stores, you can still catch Wirelurker that way.

Moreover, it’s not unusual for iPhone users to jailbreak their phones to use third-party app stores. For people who want access to a greater array of apps that might be unavailable through Apple, jailbreaking is an enticing alternative — but you’d know if you have a jailbroken phone.

What Wirelurker actually does. Palo Alto Networks says the “creator’s ultimate goal is not yet clear,” but the New York Times reports that the malware can be used to steal a victim’s address book, read iMessage messages and regularly connect with attackers’ command and control server, which could potentially let them control infected iPhones from afar.

What you can do to avoid it. First, avoid using third-party app stores, download sites or other untrusted sources to download applications or games. That’s where Wirelurker originates.

Second, don’t connect your phone to an untrusted computer, like one at your school or library. If you’re connecting your iPhone to a Mac to either charge it or share data, and that Mac has been exposed to Wirelurker, you could risk infecting your phone. Stick to known computers only — if you need to charge your phone, plug it into an outlet instead.

TIME apps

These Are the Least Secure Messaging Apps

Images Of Tencent Applications As Second Quarter Earnings Are Released
The icons for Tencent Holdings Ltd.'s messaging applications WeChat, left, and QQ are displayed on an Apple Inc. iPhone 5s. Bloomberg via Getty Images

New report says Skype, Facebook Chat and even "off the record" Gchat aren't actually that secure

So-called “secure messaging” systems, including popular apps like Skype and Facebook Chat, don’t actually live up to their supposed safety, according to a report released Tuesday by a digital rights group.

The Electronic Frontier Foundation’s Secure Messaging Scorecard judged the security of over 30 e-mail, social media, voice and video calling apps across seven categories, including whether the provider can read your messages and whether your previous communications are secure if your passkeys are stolen.

Some of the most popular chat platforms, including Facebook Chat, Snapchat, WhatsApp, BBM, AIM and even “off the record” Google Chat, lack the encryption necessary to protect communications from the app’s makers, though they do encrypt messages during transit, the EFF’s scorecard says.

The most secure mainstream chat apps are Apple’s iMessage and FaceTime, which are encrypted so that neither outsiders nor Apple can access your conversations. Still, both lack security functions to verify your contacts’ identities, and they also don’t release their code for independent review.

Of the 38 systems evaluated in the scorecard, only six managed to fulfill all seven categories: ChatSecure, CryptoCat, Signal/Redphone, Silent Phone, Silent Text and TextSecure, all lesser-known apps purpose-built for the security-minded.

Aside from Mxit, a messaging app popular in South Africa, the other app that failed all seven of the security indicators is QQ, a hit Chinese messaging app with nearly 1 billion users.

The EFF’s full scorecard can be viewed here.

TIME Security

Report Links China to Cyberattacks on Hong Kong Protesters

Hong Kong Cyber Attack China
A pro-democracy protester uses a phone to record people waving lights next to the central government offices in Hong Kong as activists marked one month since authorities used tear gas in an attempt to disperse them on October 28, 2014. Alex Ogle—AFP/Getty Images

A new report supports the theory that the Chinese government is sponsoring the attacks

Digital footprints from previous cyberthreats believed to have emanated from China have been linked to recent attacks on pro-democracy websites in Hong Kong, according to a new report.

The findings of cybersecurity forensics firm FireEye suggest that there may be a “common quartermaster” behind the two attacks, further supporting a running theory that Chinese officials are breaching Hong Kong’s networks to suppress or spy on the ongoing political uprising there. Protesters in Hong Kong have been demonstrating since September, pushing for greater freedom in choosing their political representation.

FireEye analysts said they made the discovery when they matched digital certificates from a series of quiet data thefts originating in China, which FireEye reported earlier this year, to those of a conspicuous network-blocking attack that disrupted a pro-democracy Hong Kong news site in October.

Because the two types of attacks have very different agendas, the fact that they shared common certificates suggests they may be motivated by Chinese state interests, said FireEye analyst Mike Scott, one of the report’s authors.

“We understand that there has been a long series of campaigns over the past 10 to 15 years coming from China [to steal intellectual property],” said FireEye analyst Ned Moran, who co-authored the report. “We can tie that intrusion activity through technology data points to the [pro-democracy news site attack], which is attempting to suppress speech in Hong Kong. Who would benefit from both of those activities?”

Scott added that his team was able to detect the digital certificates because whoever created the malware didn’t employ high levels of security, a step attackers often skip because digital certificates function more like receipts than fingerprints, revealing only usage and not attackers’ identities.

Supporters of the pro-democracy movement, known as Occupy Central, have been the target of recent attacks that cybersecurity watchdogs believe are also the work of the Chinese government. On Sept. 17, a group of coders backing transparency in Hong Kong’s government reported that several protesters’ Android operating systems had been infected with spyware. Two weeks later, Lacoon Mobile Security found that a similar spyware was targeting protesters’ iOS systems. The firm said that because cross-platform attacks are so rare, the perpetrator is likely “a large organization or nation-state.”

FireEye analysts said that they did not discover any direct links between the attacks on protesters’ Android and iOS devices and the attacks on pro-democracy news sites, but said that the attackers may be using several methods to achieve their goal.

TIME Security

Apple Pay Competitor Defends Service After Hack Exposes Emails

220,000 Stores Start Accepting Apple Pay
A worker demonstrates Apple Pay inside a mobile kiosk sponsored by Visa and Wells Fargo to demonstrate the new Apple Pay mobile payment system on October 20, 2014 in San Francisco City. Justin Sullivan—Getty Images

"This is not a breach"

Apple Pay competitor CurrentC defended the security of its mobile payment system in a Wednesday conference call, just hours after its parent company MCX reported that hackers had obtained some users’ e-mail addresses.

MCX CEO Dekkers Davidson said the attack, which targeted the company’s email vendor, was “not a breach” of the CurrentC app itself. He also emphasized that the incident affected mostly dummy e-mails used in the yet-unreleased service’s ongoing testing phase. Davidson also revealed that some dummy zip codes were stolen and that CurrentC’s systems had withstood several repeated attacks during the past week.

Davidson added the hack hasn’t made the company hesitant to store customer information in the cloud, a plan that’s been criticized given that CurrentC’s main competitor, Apple Pay, doesn’t collect any traceable information at all.

“In terms of consumers’ information and any payment credentials, they’re not stored on a device. They’re not actually present in the physical world,” Davidson said. “And that we think is a design or implementation that makes it far more secure than the world we live in today, and far more secure than many of the alternatives that have been advanced over the last few years.”

While MCX is a joint venture by retailers in order to create a retailer-owned payment system, Davidson said that the service is “first and foremost” about customer engagement. Part of that customer engagement will include a consumer privacy dashboard so that users can elect what information, if any, they would like to share with merchants.

MCX has been under scrutiny after reports suggested that MCX members CVS and Rite Aid disabled Apple Pay because of a contractual agreement for exclusivity. However, Davidson said that the company welcomes competition, and that it is the merchants’ choice whether or not to accept other forms of mobile payment. He added that MCX member retailers are not subject to fines if they choose to adopt Apple Pay, which registered 1 million credit cards in its first three days.

Davidson added that although some MCX merchants have blocked Apple Pay, MCX is open to member retailers using both Apple Pay and CurrentC simultaneously once the latter service goes public early next year.

“We have a great deal of respect for Apple, of course, and Apple Pay,” Davidson said. “We believe and our merchants believe we require two to three strong players in the space to build the ecosystem.”
