Category Archives: Security

Human Rights Defenders Using WhatsApp

Facebook’s “secure” messaging app has been found vulnerable to compromise by a simple call.

…malicious code,…transmitted even if users did not answer their phones, and the calls often disappeared from call logs

The discovery was made by security researchers helping protect human rights defenders from targeted attacks by private firms. These private firms sell their skills to the highest bidders, like mercenaries, and that funding tends to come from the very targets of human-rights complaints.

And before we go too deeply into questions like “don’t these 0-click vulnerabilities exist on other platforms too?”, let me suggest we ask why human rights defenders are using Facebook at all.

We can’t prove a teapot doesn’t exist in space, but we can say with certainty that atheist lawyers are less safe when using an app delivered by a church with a track record of denying the science of safety.

XKCD
“Unfortunately, NASA regulations state that Bertrand Russell-related payloads can only be launched within launch vehicles which do not launch themselves”

CIA Launches “Onion” Site

Headlines are popping up all over that the CIA has created an “Onion” site. If you are like me, you immediately think of things like this:

And on that note, the first story on the CIA Onion site might be something like “CIA Prototypes Real-life Wolverine Missile-claws”.

Then it would give examples of how a remote-controlled projectile can penetrate small armored spaces to murder anyone inside, with blades that launch without harming bystanders outside the boundary.

Oh, wait, that’s a real news disclosure.

The new missile, which has never been acknowledged publicly before today, is called the R9X and is a variant of the Hellfire missile. But unlike a traditional Hellfire, the R9X is designed with six long blades that only emerge from the missile seconds before impact. The R9X, nicknamed the “flying Ginsu” by insiders, doesn’t contain a warhead. The goal, according to anonymous U.S. officials speaking with the Journal, is to reduce unnecessary casualties and hopefully only kill the person who was targeted in the first place.

Saying “Ginsu” in that story reveals something about the age of those involved. I’d expect “vita-mix” if this were a younger research team.

Anyway, saying the CIA has an “Onion” news site is not really a good way to describe what is happening. It doesn’t disambiguate from or give some kind of shout out to “The Onion” news site, which we all know and love for its past reporting on the CIA.

Thankfully Wired posted a clearer (albeit yelling) headline with “CIA SETS UP SHOP ON TOR”:

…people around the world can browse the agency’s website anonymously…the US government can benefit from using the anonymity service…

Ohhhh, it’s a Torrent option for connecting to CIA information. And that raises the question: why not use a headline like “CIA Offers Reader Privacy with New Information Service”?

Privacy is the real story here, and probably should go right in the headline. Not mine, though, as I’m trying to draw attention to The Onion.

The Facebook Trust Disaster Was Easily Predicted

Five years ago in 2014, the future of Facebook trust was in the balance. What happened?

‘When I joined Facebook in 2016, my mom was so proud of me, and I could walk around with my Facebook backpack all over the world and people would stop and say, ‘It’s so cool that you worked for Facebook.’ That’s not the case anymore,’ a former product manager says. ‘It made it hard to go home for Thanksgiving.’

First of all, Thanksgiving is literally a holiday created by Abraham Lincoln after the defeat of pro-slavery forces that had been aiming to break apart the United States. It’s supposed to be the easiest time to get back together with family, even for those unwilling to give up human slavery.

Second, 2016? Let’s talk about warnings as early as 2011, which are easy to find even in the public forums…and maybe the better question is what didn’t happen? Facebook didn’t hire a qualified CSO during these years, and didn’t have executive leadership committed to respect for human rights (e.g. privacy) let alone ethics.

Third, recent studies by the Eller College of Management, University of Arizona cited that only 14% of Facebook users deleted their account after Cambridge University researchers violated privacy. More importantly, the studies found that user behavior changed measurably and “sensitive words” were removed as users started self-censoring and encoding their meanings in a manner similar to slaves in American history.

The Oscillation Range of Human Languages

Being caught as a non-native speaker can have serious implications, like death. That probably is why a BBC article about overcoming the exact cause of accents is going to be of more than just casual interest.

Recent studies show that native speakers develop expertise with a specific oscillation range:

Every human language oscillates at a different range of frequencies, with British English fluctuating considerably between 2,000 to 12,000 Hz and French much less so between 15 to 250 Hz and 1,000 to 2,000 Hz. If French can be described as flat, English is very wavy. Russian fluctuates between an incredible 125 to 12,000 Hz. This means that some languages, like English and Russian, can go much higher and lower in pitch than say French.

There are many recent examples of risk to draw from. The BBC goes with an ancient history one to highlight why being identified by accent is so dangerous, and why some work so hard to understand how to jump more easily into different ranges:

Speech has been used to segregate people for millennia. When the Tribe of Gilead defeated the Ephraimites in The Bible, they used accent as a means of identifying surviving Ephraimites trying to flee.

Anyone who claimed not to be a survivor was asked to say the Hebrew word “Shibboleth”, which means stream. People from Gilead pronounced it with a “sh” sound, whereas Ephraimites could not say “sh”, so anyone who said “Sibboleth” was killed on the spot: 42,000 people failed the test, according to the Old Testament.

Of course accent is just the beginning. Cultural meaning is another problem entirely. Take being happy, for example:

  • Chinese “Xingfu” – Sustainability and meaningfulness through sufficiency
  • Greek “Meraki” – Focused attention that achieves devoted precision to creative tasks
  • Japanese “Wabi Sabi” – Appreciation of the imperfection and complexity of reality
  • Brazilian “Saudade” – The longing for a happiness that once was or could be
  • Finnish “Kalsarikaanit” – Staying home wearing only your underwear and drinking

Kalsarikaanit

DHS Binding Operational Directive 19-02

The US government has just reduced the official critical vulnerability remediation timeline from 30 days after a report has been issued to 15 days after detection, according to the freshly published DHS BOD 19-02.

This announcement is significant not least of all because I no longer have to explain why a 30-day response timeline for critical vulnerabilities exists on the Internet. “It’s an outlier because government” only goes so far. Wonderful to see the change, even though it’s still far from the 24-hour turnaround expected in the commercial space.

Legal Brief on Airstrikes That Destroyed Hamas Cyber Operations

Lawfare has posted a short analysis of why airstrikes to destroy a “cyber operations” facility are nothing new or special. To be precise, the analysis offers the reader two options:

Either the news is “descriptively true, but it is uninteresting” or “interesting if true, but it is not true”.

Spoiler alert…the author argues it’s the former, and therefore uninteresting.

It’s an excellent read, and the sentence that really stood out to me was characterizing a targeted facility as “civilian members of organized armed groups who have a continuous combat function”.

Escape from Tehran: Big Data Edition

A new query tool has been posted online that purportedly searches all the flight booking services to find deals for travel. The name of the tool is “Escape” and the URL is even more interesting: greatescape.co

For some reason the first thing that comes to mind for me is a series of US evacuation/escape stories from history. Whether it be Tehran (commercial jet), Saigon (helicopter) or even the March 24, 1944 plan to escape a Nazi camp (as “immortalized” by Steve McQueen’s famous motorcycle freedom leap over the walls), the marketing takes me here:

Real Americans Hate Nazi Walls

I wonder whether movie posters for “Great Escape” are what the site creators were thinking about when they named their product…

Marketing for the film, released to theaters on Independence Day, 1963. Based on the book by Paul Brickhill, it tells the true story of Allied prisoners who broke out of a Nazi detention camp. 76 of 250 prisoners escaped; 50 of the escaped prisoners were murdered by Nazi prison guards. 18 of those Nazis later were convicted of war crimes.

Let’s take Tehran as a simple example. We run a one-way escape flight query for tomorrow (unfortunately we can’t select January 27, 1980) and here is our map:

March 31, 2019 Escape from Tehran

Yes, I ran a bunch of queries for historic escapes by Americans using modern routes. This is probably why I’m not popular at some parties. Someone says “hey I found a vacation tool that maximizes my spend so I can consume more…” and I say “could it represent the shortest exit for Embassy staff rushed to leave a deteriorating political situation based on forged visa options?”

To be fair, some parties don’t mind these topics. I can see my next drinking session with security operations teams discussing and ultimately adding this tool to a list of things to consider when assessing travel risks and disaster response. It’s not just that people we care about are landing in some usually stable city for a meeting, it’s “who can deliver me a list of escapes for the next three days correlated with increasing probability of disaster?”

On second thought, what if the creators of the tool really are making a political statement about the current administration? The default configuration of the tool does seem to be finding inexpensive paths out of America. Have you planned your great escape?

Great Escape from…

This Day in History: Nazis Invade Czechoslovakia

Radio Praha remembers this dark day in history with a post including some poetry. It begins…

Eighty years ago today, on March 15 1939, Hitler gave Czechoslovak President Emil Hácha a stark choice: accept becoming a protectorate or face destruction.

There was no choice, really, as Hácha was tortured and literally manipulated by Nazi “doctors” into signing away his country’s existence. An eye-witness (M. Coulondre, French Ambassador in Berlin, in the French Yellow Book) reported a heart attack followed by injections until the suicidal papers were signed.

President Hácha was in such a state of exhaustion that he more than once needed medical attention from the doctors, who, by the way, had been there ready for service since the beginning of the interview. […] At 4:30 in the morning, Dr. Hacha, in a state of total collapse, and kept going only by means of injections, resigned himself with death in his soul to give his signature.

Two very notable points are made in the Radio Praha post, which a reader hopefully will not miss so I’ll call them out here.

1) Chamberlain was fighting an uphill political battle in Britain to oppose Hitler’s insanity. Although in retrospect many obviously want to say Chamberlain should have been more aggressive towards Nazi Germany, at the time he had to carefully navigate through many in Britain who wanted to embrace fascism.

Six months after the Munich deal was struck, Chamberlain explained the invasion of Czechoslovakia as his “I told you so” moment that allowed him to declare war, instead of an oops moment he regretted. It’s a very subtle and important distinction in the texts.

“It has been suggested that this occupation of Czecho-Slovakia was the direct consequence of the visit which I paid to Germany last autumn. It is said that, as this was the personal policy of the prime minister, the blame for the fate of Czecho-Slovakia must rest upon his shoulders.

“I may remind you that, when it was first announced that I was going, not a voice was raised in criticism. Everyone applauded that effort. It was only later, when it appeared that the results of the final settlement fell short of the expectations of some who did not fully appreciate the facts, it was only then that the attack began, and even then it was not the visit, it was the terms of settlement that were disapproved.”

Had Britain been more aggressively opposed to Hitler earlier there’s a good chance Hitler would have been assassinated by the Nazi military itself, but that’s tough speculation. We know General Beck said his coup plans were cooled when he thought foreign nations wouldn’t support it.

More certain is the fact Chamberlain was trying to keep pro-Hitler factions at bay in his own country. He would likely have lost control of Britain by moving faster or more decisively against Germany. Chamberlain’s cautious approach ultimately meant handing control of his party to Churchill, who earlier had more aggressively opposed fascism.

While handing control to Churchill meant Chamberlain himself took a step away from leading, his party neither lost control (as Churchill famously proved) nor did Chamberlain allow Britain to side with the Nazis as so many in Britain had hoped. That’s the political complexity and proper context for the “I may remind you” quote above.

2) A popular commentator in Prague used a form of poetry to navigate the dark veil of censorship by the Nazis.

Allow me to mention a non-military fact. Somewhere from afar a black crow flew over Prague. It circled above the National Museum building above the headlights and listening devices of the German army and headed down Wenceslas Square to Můstek. Perhaps the crow was surprised by the noise it had heard and the picture it saw below.

Radio Praha points out that his attempts to avoid Nazi censorship weren’t enough, however, as “eventually they lost patience with František Kocourek. He was arrested by the Gestapo and would later die like so many others in Auschwitz-Birkenau.”

Kalashnikov Kamikaze Drone

In 1951 the US boasted of having “pin point accuracy” in a radio-controlled bomb called ASM-A-1 or the “Tarzon” (TAllboy, Range and aZimuth ONly).

In reality, while the accuracy could be within 500 feet of the target (e.g. bridges in Korea), the complexity of the design made it unstable and costly to maintain. In addition, the accuracy depended on daytime low-altitude flights, which greatly deflated the chances of a hit (at least two Tarzons exploded inside the plane delivering them).

Fast forward, and not to be outdone, the Kalashnikov company has just announced a radio-controlled bomb called KUB-UAV.

MOD (Masters of Data) Podcast: The Big Security Topics of 2019

#bugbounty #privacymatters #govermentshutdown

Many thanks to all those who invited me in to crash the MODcast about “Big Security Topics of 2019”.

Special shout-out to George who kept calling me David.

The conversation has been blowing up my social channels, so I thought I might as well add some reference here as well.

“People have the right to know what others are doing with their data”

Government Shutdowns, Bug Bounties, and Ethics – what do these have in common? Our first live panel of security experts in 2019.

Click on the image or link above to have a listen, or the embedded player below. Feedback welcome.