TOWR TECH & SECURITY

TOWR Security Brief: 11 August 2016

Kit Perez

08 August 2016

The privacy/tech world is constantly changing, and it’s important that you stay informed because any one of those changes may affect how you need to conduct yourself on the internet. Our briefs are designed to give you a short overview of the pertinent news items over the last week, and let you know what you need to do about them.

In this week’s brief:

  • Websites can track you through your mobile device’s battery level.
  • John Robb is doing a Reddit AMA (Ask Me Anything) on open source insurgency.
  • It’s safe to assume that all laser printers put tracking dots in documents they print, but there’s a for-sure list.
  • A new low of creepiness: Even sex toys are spying on you.
  • Tor has released a social contract, explaining what their goals and promises are.
  • FBI Chief Comey says “We have never had absolute privacy,” and he’s determined to take what little we have left.
  • A hacker used a fake boarding pass app to get into first class lounges at various airports. TSA doesn’t care so…
  • There’s a way to soundproof a room or closet in your house cheaply…use your imagination for why that’s useful.
  • Almost every single VW car sold since 1995 is at risk for an unlocking hack.

Websites can track you via the battery level of your device.


In 2015, a battery status API was introduced in HTML5 that concerned security researchers because it seemed to allow websites to track a user based on how much juice their battery had. It turns out, that’s exactly what it does.

The API was released with the aim of helping websites know when to display a ‘low-power-mode’ version of the site or web-app and then disable unnecessary features that drain the most battery…“Suppose a user loaded their church website in their version of Firefox, and then opened up the website for a satanic cult using a Chrome browser in private browsing mode piped through a secure VPN. Ordinarily, the two connections should be very difficult to associate with one another, but an advert that was loaded on both pages at once would be able to tell that the two devices were almost certainly the same, with the certainty increasing the longer they stayed connected.”

Obviously they’re using a fairly hyperbolic example, but you can extrapolate how it applies to you and the sites you visit. What can be done about it? Right now, nothing. Researchers hope that users will be able to disable that battery tracking, but right now there’s no option to do so. So the best practice in this case is simple, and falls back to the standard: If you don’t want your website traffic tracked, don’t visit sensitive websites on a mobile device. Period. Use TAILS, Tor, Qubes, etc., on a computer not connected to your home or work internet, for starters.

“…it is probably safest to assume that all modern color laser printers do include some form of tracking information that associates documents with the printer’s serial number..”

Now, let’s say you DO use those best practices. You visit a website where you don’t want to be tracked, and while you’re sitting at the library on a public computer, you decide to print out some information from that site. Guess what? There is a VERY good chance that you’re still not out of danger because the printer probably embedded its serial number and tracking information on the document you printed, which means it puts your identity on that document. Don’t see the connection? Let’s take a closer look.

The document you printed on that color laser printer has the printer’s serial number on it, for the specific purpose of forensic tracking. This means that if you (or someone else) get caught with said document, they can find the exact printer it came from, which means they can find the exact computer used to print it, and the date/time of the print event. They cross-reference that with your mobile device location at the time. If that’s not enough…did you have to use your library card number to log into the computer? Now they know exactly who printed it.

This goes for any document, not just website info. Let’s say you made a list of all the lawmakers in a specific state who voted for a specific piece of legislation and got all of their home addresses to provide to an anonymous (or not anonymous) blogger. Maybe you printed out blueprints for a 3D gun and don’t want to advertise that. Maybe…fill in the blanks. Anything you print on that color laser printer will link directly to you.

How do you get around that? Several ways.

  • Get a library card in a different name. I’ll leave it to you to figure out how.
  • Instead of using the library computers, use a laptop that never connects to your home or work internet and is never online in the same place as your phone or tablet. Which means…
  • Don’t take your phone with you when you do this, obviously, and use public transportation to get there. Set a routine with your phone, and have someone continue that routine for you. Your phone goes one way as expected for that day and time, and you go the other. Bonus points if your car, with your phone, hits a license plate reader as expected for that day and time as well.

These types of actions require planning and adherence to certain practices. Take the time to learn the practices…and then actually practice them. Make them second nature.

While we wouldn’t normally discuss this kind of topic, it needs to be mentioned because it illustrates exactly how far the greater surveillance net will go to track literally every single detail of your life.

There is a sex toy that tracks you in ways that redefine creepy. It sends data back to the manufacturer when it’s used, and how it’s used. We won’t get into the details, but suffice it to say that even if you’re not into that kind of thing, you should read the article.

Tor has been taking some hits lately, and so they’ve clearly defined a ‘social contract.’


As we saw in the brief from earlier this week, Tor’s been catching a lot of flak lately. They’ve released a ‘social contract,’ in which they outline what they promise to do and what their goals are. The two parts pertinent to the resistance folks using it are these:

5. We are honest about the capabilities and limits of Tor and related technologies.

We never intentionally mislead our users nor misrepresent the capabilities of the tools, nor the potential risks associated with using them. Every user should be free to make an informed decision about whether they should use a particular tool and how they should use it. We are responsible for accurately reporting the state of our software, and we work diligently to keep our community informed through our various communication channels.

6. We will never intentionally harm our users.

We take seriously the trust our users have placed in us. Not only will we always do our best to write good code, but it is imperative that we resist any pressure from adversaries who want to harm our users. We will never implement front doors or back doors into our projects. In our commitment to transparency, we are honest when we make errors, and we communicate with our users about our plans to improve.

Read those very closely, note the use of the word “intentionally” and act accordingly.

FBI Director James Comey is whining that there are 650 phones the FBI can’t get into.

Comey said in the first 10 months of the last fiscal year, FBI examiners received about 10,000 devices from various law enforcement agencies where authorities asked for help to open them. “Above 650, we could not open,” Comey said. “They’re a brick to us. Those are cases unmade, evidence unfound.”

Pay attention to the first part of that. The FBI got 10,000 requests to open phones and only 650 of them didn’t get opened. They’re mad about those 650 phones. Comey says:

We have never had absolute privacy in this country. Cars, safe deposit boxes, our apartments, our houses, even the contents of our minds—any one of us, in appropriate circumstances, can be compelled to say what we saw. We have never lived with large swaths of our life off limits, where judicial authority is ineffective. That is something we need to talk about. I don’t think the FBI should tell people what to do. I don’t think tech companies should tell people what to do. The American people need to decide.

…except, he’s wrong. Marc Rotenberg, head of the Electronic Privacy Information Center (EPIC), responded:

“I will concede Mr. Comey has a problem with his 500 phones, but he should be concerned that consumers have a problem with their 3 million phones [stolen in 2013 alone with huge amounts of personal information] that would be subject to misuse [without strong encryption].”

Rotenberg also pointed out that Comey’s assertion about absolute privacy isn’t even true. He cited lawyer-client confidentiality and the 5th Amendment as two examples of absolute privacy.

In some amusing news, a hacker used a fake boarding pass app to get into first class airline lounges in Europe.

According to WIRED, the U.S. Transportation Security Administration (TSA) and the International Air Transport Association (IATA) don’t consider this particular issue a problem that needs fixing. They said “any such boarding pass security flaw would be the airlines’ issue.”

We’ll leave it to you to decide if this is useful info, but if you find yourself stuck on a long layover and you know the TSA doesn’t care…we’re just saying, have fun.

If you were to ever have a use for making an area of your house sound-absorbent, Lifehacker has an interesting and cheap way to do it: old towels. Again, this comes under the “use your imagination” heading. We’re just sharing the info.

Perks tested thin, flat sponge, egg holder sponge, two layers of egg holder sponge, a seat cushion, and a folded towel with a spread of 17khz, 13khz, 10khz, 7khz, and 5khz frequencies. All in all, Perks found that a folded towel, either four layers thick or twelve layers thick, absorbed the most of all frequencies.

Remember when VW got caught with cars that had hackable ignitions? Apparently their keyless entry is hackable too. The best part is, it affects other makes of car as well.

One of the attacks would allow resourceful thieves to wirelessly unlock practically every vehicle the Volkswagen group has sold for the last two decades, including makes like Audi and Škoda. The second attack affects millions more vehicles, including Alfa Romeo, Citroen, Fiat, Ford, Mitsubishi, Nissan, Opel, and Peugeot….

Both attacks use a cheap, easily available piece of radio hardware to intercept signals from a victim’s key fob, then employ those signals to clone the key. The attacks, the researchers say, can be performed with a software defined radio connected to a laptop, or in a cheaper and stealthier package, an Arduino board with an attached radio receiver that can be purchased for $40. “The cost of the hardware is small, and the design is trivial,” says Garcia. “You can really build something that functions exactly like the original remote.”

That’s it for this brief. Look for the next one Monday, 15 August.
