TOWR Security Brief: 08 August 2016

Kit Perez

08 August 2016

Welcome to the first installment of TOWR Security Briefs. The privacy/tech world is constantly changing, and it’s important that you stay informed because any one of those changes may affect how you need to conduct yourself on the internet. Our briefs are designed to give you a short overview of the pertinent news items over the last week, and let you know what you need to do about them.

In this week’s brief:

  • So-called “secure” messaging app Telegram was caught with a big data leak problem.
  • As we’ve mentioned, just using Tor isn’t enough. A federal judge has let slip some interesting info.
  • Android users aren’t safe either: Almost 900 MILLION users are affected by a new security hole found.
  • If that’s not enough, now your monitor can be hacked too.
  • All Delta flights got grounded this morning because of an IT problem. But sure, our infrastructure is safe.

Telegram claims to be a secure messaging app, but there are a lot of issues—enough to pass on it completely.

Photograph by Shutterstock

So-called secure messaging app Telegram ran into (another) snag last week, as it was discovered that the app leaks anything that’s pasted into it.

In the OS X version, text that was copied-and-pasted into the app was also written to the file /var/log/system.log, better known as the syslog, creating a sort of ad-hoc and unnoticed backup of any private conversations or notes.

The app’s founder replied on Twitter that “any app can read your clipboard,” but Telegram quickly released a patch to fix the leak. Even so, there are far better apps to use if you’re looking for secure communications (at least, as secure as you can get using digital means).

“With all of Telegram’s problems thus far, it’s safe to say there are much better apps out there.”

The Tor browser took a hit lately as well. Recently, Ovie Carroll, who is with the Cybercrime Laboratory of the Department of Justice, advised a roomful of about 100 federal judges to use Tor because of data leaks and security problems on the ‘regular’ internet. Before you nod sagely and point to your own Tor install, take note of the second half of this story. A federal judge in Tacoma, WA who was present at that event had this to say:

I was surprised to hear him urge the federal judges present, a hundred or so of them, that they should use the Tor network to protect their personal information on their computers, like work or home computers, against data breaches and the like.

I did not respond to that. I almost felt like saying, “That’s not a good way to protect stuff, because the FBI can go through that like eggshells.”

What would make him say that? Here’s where it gets shady. That particular federal judge is the same one who “suppressed the FBI’s evidence in a recent child abuse case – evidence that was acquired even though the defendants allegedly used Tor to “protect” themselves from being tracked down.” Part of the reason that there was a controversy about that evidence at all was because the FBI didn’t want to reveal their Network Investigative Technique (NIT) that was used, which would have exposed their method of getting around Tor’s anonymity to begin with.

Naked Security asks some pointed yet valid questions:

Did the FBI hack the child abuse website and implant its NIT in a fake video on that very site, and thereby reveal a list of IP numbers that could be used to establish probable cause for a bunch of search warrants?

Or did it exploit a general security hole in Tor itself, and therefore perhaps pick up accidental visitors during the investigation?

Those of you who are still claiming “but I’m not doing anything illegal” would do very well to remember this story, and the questions it raises. If you think the government is above such conduct, think again.

Over 900 million Android users are affected by the latest security hole in Qualcomm chips.

You do have a burner phone or five, right?

A new set of vulnerabilities affecting Android phones was revealed at this year’s DEFCON. Named Quadrooter, the vulnerabilities are in the microchip at the heart of the Android device, and would give unfettered, complete access to a target’s phone.

An attacker can exploit these vulnerabilities using a malicious app. Such an app would require no special permissions to take advantage of these vulnerabilities, alleviating any suspicion users may have when installing.

So far the phones affected include:

  • BlackBerry Priv
  • Blackphone 1 and Blackphone 2
  • Google Nexus 5X, Nexus 6 and Nexus 6P
  • HTC One, HTC M9 and HTC 10
  • LG G4, LG G5, and LG V10
  • New Moto X by Motorola
  • OnePlus One, OnePlus 2 and OnePlus 3
  • Samsung Galaxy S7 and Samsung S7 Edge
  • Sony Xperia Z Ultra

Check Point, the group responsible for discovering Quadrooter, has released a free scanner app to help Android users know if their personal devices are at risk.

This is a monitor. This kind of monitor does not get hacked. Be like this monitor.

No, really.

As if finding out that your phone has a new security hole in it isn’t bad enough, your monitor can also be hacked. In fact, this particular vulnerability also targets almost one billion devices.

[I]f a hacker can get you to visit a malicious website or click on a phishing link, they can then target the monitor’s embedded computer, specifically its firmware…the computer that controls the menu to change brightness and other simple settings on the monitor. The hacker can then put an implant there programmed to wait…for commands sent over by a blinking pixel, which could be included in any video or a website. Essentially, that pixel is uploading code to the monitor. At that point, the hacker can mess with your monitor…

[T]his could be used to both spy on you, but also show you stuff that’s actually not there. A scenario where that could be dangerous is if hackers mess with the monitor displaying controls for a power plant, perhaps faking an emergency. The researchers warn that this is an issue that could potentially affect one billion monitors, given that the most common brands all have processors that are vulnerable…

And one more item for those blissfully ignorant souls that think a massive power outage wouldn’t reduce American society to a bunch of feral animals… This morning Delta Air Lines experienced a fire in their data center, resulting in a loss of power that took down all flight operations and bookings. All flights were grounded for several hours. If there’s anything that can drive a group of people to feral behavior, it’s a FUBAR situation at the airport. Remember this story from Southwest a few weeks ago?

This is the second severe IT-induced travel disruption in recent weeks. On July 20, Southwest Airlines lost a router in its Dallas data center, which resulted in 2,300 flight cancellations. Southwest’s CEO Gary Kelly described that event as a “once-in-thousand-year flood.”

Think about the ripple effect from these incidents. These aren’t just people going on vacation or going to see Grandma (and even cancelling or grounding their flights causes financial hardship, issues with work, etc.). These are business professionals, packages, documents, you name it. A disruption in U.S. air travel affects industries all over the world.

We included this story in this week’s brief to get you thinking. What if you were the one stranded someplace other than home due to a natural disaster or power grid attack? How would you get home? Could you get home? Do you have a plan in place for that scenario? Does your family know what to do if they’re in that situation? These types of scenarios are exactly why we train and prepare.

That’s it for this week. Feel free to discuss these stories in the comments!
