Yearly Archives: 2015


NO2ID Press Release – IMMEDIATE 4th November 2015 The new draft surveillance bill is like an iceberg, with a vast bulk of technical change obscured beneath the surface, according to civil liberties organisation NO2ID [1]. Theresa May presented the Investigatory Powers Bill [2] to parliament today as a measure “consolidating and updating our investigatory powers, strengthening the safeguards”. But it amounts to a dramatic alteration in the powers already available not just to the intelligence services, but to police, tax inspectors, and officials and regulators in almost every department of state [3]. It replaces several pieces of complex and technical legislation. Guy Herbert, General Secretary for NO2ID, said: “I would have more sympathy for the Home Secretary if she did not resort to glib hypotheticals about kidnapped children. This is not a proposed bill that is easy to understand or straightforward in effect.” “The much trumpeted change in oversight focuses […]

NO2ID on IP Bill: Government expects parliament to swallow an ...


An article on the Techdirt website about the ease with which a Smart Kettle can be hacked has highlighted the dire state of device security for the ‘Internet of Things’. The iKettle by allows users to remotely turn it on from anywhere using a Smartphone App.  However, researchers have pointed out that the Kettle is relatively easy to hack especially if the user has not configured the kettle properly.  The company that produces the iKettle has said its associated Android and iOS APPs would be upgraded to eliminate the security vulnerabilities.  However, there is still the wider problem of ‘Internet of Things’ devices opening up vulnerabilities in people’s home networks, especially where device security is an afterthought. The advice the researchers give is to not put ‘Internet of Things’ devices on your network unless you are absolutely sure they are secure.

Easily Hacked Kettle Highlights the Lack of ‘Internet of Things’ ...


Nikolaj Nielsen reports in the EU Observer that France is proposing that all travelling EU nationals should be required to give their fingerprints and possibly also have their faces scanned as part of the Smart Borders programme. Smart Borders was proposed in 2013 by the EU Commission to allow management of the external borders of the Schengen Member States.  Biometric scanning of visiting non-EU nationals was also included in the scheme.  It has been on hold for a while due to cost concerns; however, an updated plan for the scheme is expected before the end of the year. In a document submitted by the French delegation it is claimed that an expanded Smart Borders scheme is required to address terrorist threats and gives examples such as the Charlie Hebdo attack in Paris and the recent attack on an Amsterdam to Paris train to justify their proposal.  Further justifications include dealing […]

France Wants all Travelling EU Nationals Fingerprinted



A team at WP Engine have conducted an interesting analysis of some 10 million passwords that had been collected from various sources such as leaks and dumps of passwords. Virtually none of the passwords were still in use, so the researchers considered that it was ethical to use the dataset in their research. The analysis highlights that people tend to choose passwords based on defined patterns and what comes into their mind when asked for a password. So it is not surprising that among the 50 most used passwords, the most common text-based password is the word password itself. However, the use of patterns does often make guessing passwords very easy, especially for password cracking software such as HashCat, which can make up to 300,000 guesses at a password per second. Other patterns identified were people adding their year of birth to their name to create a password and an […]

What 10 million passwords reveal about the people who choose ...



The creepy extent to which folk at GCHQ have been monitoring and spying on all web users has been revealed in leaked documents on operation ‘Karma Police’. The documents published by The Intercept demonstrate that the UK government’s listening service GCHQ was building a “web browsing profile for every visible user on the internet”. James Baker, NO2ID Campaigns Manager, said: “Sensitive meta data can be used to build up a profile of the websites you visit. If you’ve ever sought marriage guidance, googled medical conditions or viewed pornography then chances are this programme will have used that information to build up a profile about you. “This is out of control surveillance which demonstrates that, more than ever, we need independent judicial oversight of government surveillance powers.” These surveillance powers are a typical example of a database state, which is the term we use to describe the tendency of governments to […]

GCHQ surveillance powers – less ‘Karma Police’ and more ’Creep’



The BBC news website reports that more than 11 million passwords stolen in the Ashley Madison website hack have been decoded by a password cracking group. Initially, it was thought that the hacked passwords were unbreakable because hashing with bcrypt had been employed, which effectively scrambles the password. However, an amateur password cracking group called Cynosure Prime has discovered that the site had at some point changed the way passwords were stored, which reduced the strength of the bcrypt protection. As a result the group have been able to crack 11 million passwords scrambled since the changes were made. Exactly why Ashley Madison changed the way passwords were stored is not known, but it is speculated that it was done to make accessing the site easier. In a previous Newsblog post it has been highlighted that it is often the case that the reputational and financial impact on companies from […]

Flaws found in Ashley Madison password protection


Last month we learnt that government officials were planning a digital ‘vault’. Entirely unlike the National Identity Register, the ‘vault’ would store people’s addresses, phone numbers, tax details, where they are registered to vote, driving records and benefit claims, as well as information about their mortgages, pensions and bank accounts. The scheme would be voluntary, although probably in about the same way as agreeing to a credit check is voluntary, e.g. not if you ever want a financial service again. An on-line poll hosted by the Telegraph says that 82% of people wouldn’t sign up to such a service. Of course we all know on-line polls are not really that representative of public opinion, but it isn’t surprising that people might have some issue with all their financial details being stored in a single place. Even those in the ‘nothing to hide’ camp who don’t grasp the dangers of surveillance will have […]

Telegraph poll – 82% of people wouldn’t sign up ...


Anna Hodgekiss reports on the Mail Online that a sexual health clinic in London’s Soho has revealed the names of up to 780 HIV positive patients in an e-mail error. The error involved patients who had signed up to the Clinic’s Option E service when a monthly newsletter was sent out. It appears to have occurred when the newsletter was sent out using an open group circulation list rather than as a blind copy. The clinic tried to recall the message using Microsoft Outlook’s recall function and then sent another e-mail apologising for the error and asking recipients to delete the message. Comment from the Newsblog Editor: A mistake like this is easy to make on an e-mail client like Microsoft’s Outlook, where an e-mail list can easily be mistakenly copied into the wrong field and sent out as a CC (carbon copy) to all recipients, rather than as a […]

Hundreds of HIV-positive patients have their identities revealed in e-mail ...



In a very interesting article on the Slate website, Kevin Bankston highlights that despite claims by some law enforcement officials that encryption is a tool that will allow criminals to evade justice, the use of strong encryption actually helps to reduce crime. Bankston points out that although it is true that criminals will make use of encryption technology to shield their activities, the use of the technology will overall prevent millions of crimes. For example, smartphone theft is at epidemic proportions, with millions being stolen annually, which often involves robberies which are by definition violent crimes. However, strong encryption will block the criminals from using the commonly available tools to unlock a smartphone, rendering it useless to them. The article also highlights that criminals are increasingly not just interested in the phone, but also the personal and other data contained on it which can, for example, allow them to commit […]

Smartphone encryption will help cops more than it hurts them


The Electronic Frontier Foundation (EFF) has released a tool called Privacy Badger to allow web users to block tracking cookies and spying adverts which ignore the Do Not Track setting in browsers. Privacy Badger is not an ad blocker, and adverts which do not contain tracking functionality, or which respect Do Not Track settings, are not blocked. Privacy Badger also offers some protection against browser fingerprinting (see Panopticlick) by blocking third-party domains that use the technique, although it is not totally effective against what is a very sophisticated and subtle form of tracking. The plug-in is currently available for Chrome and Firefox and can be found and downloaded here.

EFF Release Privacy Badger Browser Plug-in to Stop Online Tracking


Darren Pauli reports on The Register website that security researchers have discovered that the HTC One Max phone stored user fingerprints as clear text in a “world readable” folder that could be accessed by other Apps. The Samsung Galaxy S5 was also found to have similar vulnerabilities. The revelation was made by researchers presenting at the Black Hat security conference in Las Vegas earlier this month. It was one of four situations in which biometric data on an Android phone could be accessed by hackers. In one scenario they showed how attackers could have money transfers authenticated by getting a user to scan their fingerprints on a fake login screen to unlock the device. A link to the original research paper can be found here.

HTC Phone Stored Fingerprints as Clear Text



Mark Stockley reports on the Sophos Naked Security website that the HTML5 battery status API (Application Program Interface) on mobile phones can be used to track the phone user. The technique, described in a recently released paper, relies on the fact that browsers such as Chrome, Firefox and Opera will provide information about battery status to any website that asks for it, without asking the phone user’s permission. The information given up is a series of values covering discharging and charging. However, it is very unlikely that two or more users will have the same value in a short time frame, thus effectively making it a unique identifier for the device. These battery values are usually very short-lived; however, they could last long enough to allow a tracking website to respawn deleted cookies and defeat incognito modes. Currently the only browser that offers protection against battery tracking is the Tor browser […]

How your Battery Life could be used as an Undeletable ...


Sally Adee discusses in an article in New Scientist magazine whether it is possible to permanently delete a social media profile. The article highlights the situation with the recently hacked Ashley Madison website (an adultery website), which guaranteed to remove all members’ data upon payment of a £15 fee. However, the recent hacking of the site has highlighted that, due to financial auditing requirements, credit card details and the name used to scrub the account have been retained. This obviously defeats the point of the user paying to have their records removed. Many sites such as Facebook have ambiguous policies on deleting data and on what data is actually deleted after a user deletes their account. This is compounded by the fact that deleting digital records is not necessarily as straightforward as it seems, as account information may be held in multiple data centres distributed across the world. The problem with […]

Is it Possible to Permanently Delete a Social Media Profile?


The BBC News website reports that HM Revenue and Customs (HMRC) wants to collect information from internet companies to allow it to identify companies and individuals who have not declared income from online sales. The planned powers would cover sites that carry advertising, App stores such as those for Apple and Google, booking intermediaries like Airbnb and also e-commerce sites such as eBay. The plan does raise obvious concerns about the potential for fishing expeditions by HMRC, as they plan to cross-reference this third-party information against other records they hold and information supplied by taxpayers themselves, in order to identify individuals and businesses evading tax. HMRC have issued a consultation document on the plans which can be found here. Comment from the Newsblog Editor: These proposed powers are interesting in the context of past attempts to increase HMRC surveillance powers. HMRC was to be one of the chief beneficiaries of the […]

HMRC Plans to Monitor internet Sites and Transactions for Tax ...