Just a few years ago, I was able to overhear a conversation between a hacker and an interested person. This would-be client asked the hacker whether he would be able to hack into the Blackberry he had obtained via court order from a business partner gone bad. I was pondering the consequences of this happening, both legally and ethically. Obviously, the boundaries of morality are fuzzy these days, with everyone and their uncle spying on anyone else if they can, and no one having a bad conscience in… Read more People Hire Hackers To Get The Job Done – Business Insider →
Heise and Aftenposten both report on IMSI catchers that have been detected in Norway's government quarter. Now, given that anybody with a few thousand Euro in their hands can build such an IMSI catcher (which is capable of catching much more than just an IMSI, the unique mobile identification number of a cellphone, but can actually serve as a listening device to conversations and tape streams of voice data), it is not neglect that we are seeing here. In fact, it is an inability to see attacks while they are happening… Read more Surveillance in Oslo Government Quarter shows inadequate mindset to issues →
Net-Security.org have an interesting article. Typically, with announcements on topics that touch national security, the CEOs in the US are very selective in their wording. So it makes sense to look closely at the wording to find out what they omit or which interpretation they leave open – and most probably that analysis points closer to the truth. You might remember that Jonathan Zdziarski has published an analysis that claims Apple has built, extended and maintained backdoors in their iOS operating system. With iOS 8, Apple won’t be able to unlock… Read more Cook says, Apple won’t be able to unlock phones for the police anymore →
The roadmap looks too good to be true, but the developers seem to be serious. They have taken the approach through the first months, delivered on their promises and now are trying out how far they can venture. Mailpile Beta is now open for the general public. These are the goals they have set for themselves: Basics: It should be safe, easy and convenient to read, write, search and organize your e-mail. People should be able to communicate privately. For e-mail that means: Delivery: Messages are delivered intact and in… Read more Mailpile: A bold approach for email privacy →
Matthew Green has a Few Thoughts on Cryptographic Engineering: What’s the matter with PGP?. Most of the thoughts are pretty good. Some are a bit questionable, especially the necessary trust in the Google, Yahoo and Whatsapp/Facebook apps. Many of the voiced concerns are very valid, though, and the blog posting is worth a read.
Trojan maker FinFisher was hacked (heise security news forums) One of the commenters on the Heise article gives some juicy bits on the leaked data from FinFisher: “Unfortunately, a large part of the 40G is encrypted. There is a folder (www/FinFisher/) that appears to contain customer-specific solutions. All the files in there are encrypted with GPG. I hardly think the private keys for them will turn up. On the other hand, some files also use “only” the Zip-internal encryption. In particular the 30GB archive www/FinFisher/Engineers7117/FinSpy/Images/FinSpy-PC+Mobile-2012-07-12 -Final.zip, which contains a .tib, that is an Acronis TrueImage disk image. There are also two encrypted Zips with apparently stolen private photos. Who knows a good Zip password brute-forcer? Also interesting: in the database, apparently all customer passwords are unencrypted (but mostly random ones). Support once gave out the password “F1nF1sher4You” 🙂 Likewise, in one file “finfisher!@§$%” is used as, I think, something like a salt. The random number generator “realRand” is seeded with the time of day. By the way, they store every IP that tries to log in or out.” That FinFisher has been exposed, even with source code put up on GitHub, is bad enough. That potentially private photos are within the data file adds insult to injury. You can draw all kinds of conclusions from this leak (read this for more info) including a lot… Read more Trojan maker FinFisher was hacked →
Next Blackhat promises to be interesting: Hackers can break Tor Network Anonimity with USD 3000 | Security Affairs. As Pierluigi Paganini, a renowned expert in Information Security, says: — I confess you to be very excited to see the presentation of the two experts, as they had anticipated, with a limited budget, it is possible to track users on Tor network, so let’s imagine the capabilities of a persistent attacker with much more computational capability and with a “couple gigabit links”. — Indeed, that would be some news for the information security… Read more Hackers can break Tor Network Anonimity with USD 3000 | Security Affairs →
It is not so easy to find one's way in the post-Snowden times. A myriad of thoughts, some well thought through, some less so, are surfacing, giving the user mostly security theater (© Bruce Schneier, I would say) and some half-cooked good ideas. Now here is something that is still in-between, but could develop into something useful, if done right. If a service provider is lavabitten to hand over their data, it is very hard to say “nay”! Therefore, all the approaches that leave mail bits and pieces freely accessible… Read more Email and its discontents – leap.se offers safety on user- and provider level →