Monday 5 August 2013

Moto X is Always Listening, What Could Possibly Go Wrong?

Yesterday, Motorola announced the Moto X, the company's first from-scratch Android phone since being acquired by Google. Among its many features is close integration with Google Now's Glass-esque voice commands. That's nothing to worry about—right?
In her hands-on with the device, PC Mag's Chloe Albanesius described the feature thusly: "Once activated, you can talk to your Moto X from up to 15 feet away, asking it to call certain people, look up things online, or get directions. Say 'OK Google Now' to wake it up and command away."
Chloe also pointed out that, unfortunately, there's no way to change your command phrase—so just about anyone could walk up and give your phone a command. Like most voice recognition software, the Moto X can be trained to your voice, making it at least less likely that someone could give your phone a command for you.
That's not what really worries me, though. I've already heard stories about pranksters shouting commands at Google Glass wearers and the devices responding. What bugs me is that this is a phone—a connected network device—that is always waiting for commands. It is, in short, always listening.
What's the Problem?
Most phones or headsets don't have physical switches for microphones, meaning that they could theoretically be activated without your knowledge. This is an issue that the government is already worried about. The difference, to my mind, is that the Moto X's mic is already running all the time. Someone aiming to exploit it doesn't need to figure out how to turn the mic on, just how to get access to the information it gathers.
In the era of NSA PRISM and Xkeyscore surveillance, that's pretty worrisome.
Now before you assume Google wouldn't do something really stupid, remember that Google Glass originally read any QR code that it happened to photograph and would execute it without first informing the user. The issue was caught by Lookout and Google quickly and quietly issued a fix, but it shows that the company doesn't always get it right the first time around.
Of course, Google Glass is an experiment made by Google and in the hands of a select few while the Moto X will be in wide release and made by the venerable phone manufacturer Motorola. Hopefully, the bone-headedness will be kept to a minimum.
But even if there isn't an obvious flaw out of the box, the opportunity to take advantage of an "always listening" feature is sure to attract some attention among security researchers. Perhaps we'll be seeing this at Black Hat 2014.

Snowden Effect: Germany Ends Cold War Spying Pact with US, Britain

Germany canceled a Cold War-era surveillance pact with the United States and Britain on Friday in response to revelations by National Security Agency leaker Edward Snowden about those countries' alleged electronic eavesdropping operations.
The move appeared largely symbolic, designed to show that the German government was taking action to stop unwarranted surveillance directed against its citizens without actually jeopardizing relations with Washington and London.
With weeks to go before national elections, opposition parties had seized on Snowden's claim that Germany was complicit in the NSA's intelligence-gathering operations. . . .
"The cancellation of the administrative agreements, which we have pushed for in recent weeks, is a necessary and proper consequence of the recent debate about protecting personal privacy," Germany's Foreign Minister Guido Westerwelle said in a statement.
The British Foreign Office brushed off the significance of the German move. "It's a loose end from a previous era which is right to tie up," the Foreign Office said in a statement, noting that the agreement had not been used since 1990. . . .
A German official, speaking on condition of anonymity, also said the cancellation would have few practical consequences.
He said the agreement had not been invoked since the end of the Cold War and would have no impact on current intelligence cooperation between Germany and its NATO allies. . . .
Germany is currently in talks with France to cancel its part of the agreement as well.

Customs Department of India’s Indira Gandhi International Airport Hacked

A Pakistani hacker called “H4$N4!N H4XOR” has breached and defaced the official website of the customs department of India’s Indira Gandhi International Airport (igiacustoms.gov.in).
On the defacement page, the hacker claims that he will target the website again if its administrators don’t secure it properly.
Currently, the website is still defaced. A mirror of the defacement is available on zone-h.org.
It’s worth noting that only the site’s main page has been impacted. The rest of the pages appear to be working properly.
According to HackRead, the Indira Gandhi International Airport website is only one of the over 800 websites stored on a server breached by the hacker. The site of the Tamilnadu State Agricultural Marketing Board is also among the defaced websites.
The attack by “H4$N4!N H4XOR” comes in response to the defacement of an Islamic site, bayan-e-quran.com, by an Indian hacker.

India ranks second in Facebook's $1M bug bounty

Facebook says it paid more than US$1 million to researchers who report bugs on its website, with India ranked second in terms of the number of bug bounty recipients.
The Asian economy was second on the list of countries with the fastest growing number of recipients of Facebook's Bug Bounty program, the social network said in a statement on its website on Friday. The social network had started the program a little more than two years ago to reward security researchers who report issues and encourage people to help keep the site more secure.
"The countries with the fastest growing number of recipients are, in order, the U.S., India, Turkey, Israel, Canada, Germany, Pakistan, Egypt, Brazil, Sweden, and Russia," Collin Greene, security engineer at Facebook, said in the statement, adding that 329 people had been awarded a bounty so far.
Overall, the bug hunters spread across 51 countries, with 20 percent of the bounty paid so far awarded to U.S.-based recipients.
The social network said the program had been more successful than it anticipated, and paid out more than US$1 million in bounties and collaborated with researchers from all around the world to stamp out bugs in their products and infrastructure. "Our Bug Bounty program allows us to harness the talent and perspective of people from all kinds of backgrounds, from all around the world," Greene added.
Industry watchers previously told ZDNet Asia rewarding security researchers to spot website bugs and loopholes could minimize post-breach consequences, but noted that site operators planning such activities could run into privacy and regulatory hurdles.

Android Jelly Bean runs on 40.5 percent of smartphones and tablets

Over 40 percent of Android smartphones and tablets are running on a variant of the latest Jelly Bean version of the operating system, according to statistics from the Google Developer forum.
The statistics showed Jelly Bean has overtaken 2.3 Gingerbread to become the most commonly used variant for the first time. The older Gingerbread version is listed as still running on a hefty 33.1 percent of all Android devices, marking a minor one percent decrease on the 34.1 percent figure recorded in July.
Despite the positive move, the Google mobile OS is still struggling to deal with fragmentation, with 6.5 percent running on Android 4.2 and the latest 4.3 version's share being too low to record. Older versions like Android 4.0.x Ice Cream Sandwich still hold a significant proportion of the Android ecosystem, with the developer stats listing it as running on 23.3 percent of all Android tablets and smartphones.
Such fragmentation is hardly surprising, as data last week revealed there are almost 12,000 unique devices running a variation of Android in the market.
For years now, security researchers have listed fragmentation within the Android ecosystem as a key concern, warning that it makes it next to impossible to fully secure the platform. This is because the fragmentation and low use of newer versions make it overly costly and time-consuming to release security patches or updates for newly discovered threats.
Such warnings have proven right with numerous vendors listing Android as the most targeted mobile operating system. This phenomenon was showcased earlier in July when Bluebox Security reported finding an Android Master Key vulnerability in 99 percent of all Android devices.
The Master Key bug reportedly affects all smartphones and tablets not running on the latest version of Android. According to security vendor Doctor Web, it is already being actively exploited by cyber criminals.

FBI Has Developed Hacking Tools to Fight Cyber Crime for Over a Decade

FBI performs hacking activities on special cases that involve child pornography, organized crime, and counterterrorism.
U.S. law-enforcement officials are said to be expanding the use of various tools that are routinely adopted by computer hackers in order to get information on suspects, thus bringing the art of criminal wiretapping into the cyber age, as reported by the Wall Street Journal.
Naturally, the U.S. Federal Bureau of Investigation and other federal agencies have been mum on these capabilities. However, court documents and interviews with people involved in the program show new details on the tools used for hacking, which include delivering spyware to PCs and phones through email or web links. These techniques are more commonly associated with attacks carried out by criminals.
People familiar with the FBI's programs have said that the use of hacking tools under court orders has expanded over time as agents try to keep up with suspects. These suspects employ new communications technology, including certain types of online chat and encryption tools.
The use of forms of communication that bar agency-run wiretapping is termed ‘going dark’ as far as law enforcement is concerned.
The agency develops some hacking tools internally, while other tools are purchased from the private sector. The technology allows the bureau to remotely and surreptitiously activate the microphone in phones running Google’s Android software. After a successful activation, the bureau can then start recording conversations. The same applies to laptops that have microphones.
The bureau performs hacking activities on special cases that involve child pornography, organized crime, and counterterrorism. It hesitates to use the said tools when they are investigating hackers, fearing that the pursued suspect will find out about it and make it publicly known.
Incidentally, the FBI has been developing hacking tools for more than 10 years. It has rarely revealed its techniques to the public in legal cases.

Schnuck Markets: Data thieves swipe, vanish

In late March, before Schnuck Markets Inc. knew the extent of a breach that compromised as many as 2.4 million debit and credit cards, a Wal-Mart employee in Plano, Texas, saw something strange.
The employee, a loss prevention officer, noticed a woman acting oddly. She was trying to use several payment cards at the register, and she was buying gift cards. Both of those things raised red flags, so the officer took the woman aside.
Later that day, the woman was charged with credit card forgery. And sometime that same day, law enforcement authorities made a link: The 44-year-old Fort Worth, Texas, woman was attempting to shop with counterfeit cards containing data that had been stripped from a card used at a Schnucks grocery store, hundreds of miles away and probably months beforehand.
While thousands of fraudulent transactions linked to the breach were conducted all over the country, the woman's arrest is one of only a handful made so far and it was something of a fluke.
The fact is, experts say, it's not likely that many people will be called to account for their criminal connections to the breach.
The woman may have been what cyber-crime investigators consider a mule or a runner: a person who takes fake cards encoded with stolen data and attempts to see if the cards work, reporting success or failure to higher-ups.
Or she may have bought the cards on the black market, hoping to get away with fraudulently purchased loot, or in this case, gift cards.
In other words, she is small potatoes, not the person investigators are after. The people investigators really want are likely thousands of miles away, possibly in Eastern Europe, and they may never catch them.
Those thieves, experts say, have probably closed up shop and moved on, vanishing without a trace, leaving people such as the woman charged in Plano holding the proverbial bag.
Cyber-crime experts say that, given that information and given what they know from cyber-sleuth circles, the data were lifted just after cards were swiped at the point of sale. Several said the likely culprit was a Romanian cyber gang.
“The Schnucks breach was the result of random access memory malware,” explained Al Pascual, a senior analyst of security risk and fraud at Javelin Strategy & Research, a California company that advises the payment industry. “That means there's malicious software at the point of sale.
“After a card is swiped, the data goes into the register, then it goes to random access memory on the computer itself, and this malware pulls it right off the memory before it's transmitted somewhere else.”
Typically, after information is stolen, it gets sold in batches on the Internet. The thieves send the data to an IP (Internet Protocol) address where other thieves can buy the information. This used to happen on what's known as the “dark Web,” beyond the reach of online search engines, but now, experts said, a buyer can find stolen data fairly easily.
“It used to be you had to know where to go,” Pascual said. “But it's made its way into the mainstream. Now you can actually Google the information, and you'll find forums. There are even groups on Facebook.”
After buyers get their hands on the information, they often encode it into cards, often blank cards known as “white plastics” in the industry, or on gift cards that they recode with the stolen information. The data can be used to buy merchandise online in “card not present” transactions.
By the time these cards make their way down the food chain (from the hackers, through the syndicates that sell the data, to the low-level mule or buyer on the street), the IP address where the information was sent has long gone dark, and the criminals have vanished.
“They bounce information from different IP addresses, and then they burn them; they don't use them again,” explained Jim McKee of Red Sky Alliance, a network of cyber-security experts based in St. Louis. “So you have a dead end. The hackers sold all the credit card numbers, they've made their money, and they've moved on.”