The NSA has used the Internet data collected from its myriad sources to track porn consumption among individuals in order to discredit "radicalizers," according to the latest documents leaked by whistleblower Edward Snowden. According to the Huffington Post, an NSA program was designed to specifically target the "personal vulnerabilities" of specific targets, including the "viewing of sexually explicit material online" and "using sexually explicit persuasive language when communicating with inexperienced young girls."
The government notes that such activities are standard intelligence procedure to shame or even turn potential targets:
Stewart Baker, a one-time general counsel for the NSA and a top Homeland Security official in the Bush administration, said that the idea of using potentially embarrassing information to undermine targets is a sound one. "If people are engaged in trying to recruit folks to kill Americans and we can discredit them, we ought to," said Baker. "On the whole, it's fairer and maybe more humane" than bombing a target, he said, describing the tactic as "dropping the truth on them."
Others, however, note that many of the targets were simply activists not involved in terrorist plots, and groups like the ACLU worry that the broad collection of American citizen browsing habits allows for the potential for the broader abuse of such tactics against peaceful activists.
Security research firm Renesys has authored an interesting blog post noting how it is seeing a significant uptick in the number of large-scale man-in-the-middle attacks. What's more, the firm insists, these attacks are quietly gobbling up a larger and larger share of overall Internet traffic without most people bothering to notice.
On the heels of companies like Google rushing to encrypt server-to-server links after the ever-blooming NSA scandal, Techdirt directs our attention to a new report card over at the EFF that grades the Internet's largest companies on their use of encryption.
Just four companies (Dropbox, Google, SpiderOak and Sonic.net) get a perfect score on all criteria measured, including encrypting server-to-server links, HTTPS support, HTTPS strict (HSTS) support, forward secrecy support, and STARTTLS support.
You'll of course note the dismal ranking of AT&T, Verizon and Comcast who handle traffic for all of these companies -- and then some.
A UK blogger calling himself DoctorBeat claims to have discovered that certain connected LG Smart TVs are quietly tracking users' viewing habits, then transmitting that data back to LG over the user's broadband connection without encryption. A setting on the TV that supposedly allows the user to turn this function off does nothing. "This information appears to be sent back unencrypted and in the clear to LG every time you change channel, even if you have gone to the trouble of changing the setting above to switch collection of viewing information off." It's worth adding that a researcher recently found that the security on connected TVs tends to be virtually nonexistent.
Google engineers, after recently having some not so nice words for the NSA, announced they'd managed to encrypt the traffic running between their data centers in response to NSA snooping. Now, in a post on its website, Yahoo has announced it too will be encrypting all traffic running between its data centers by January 8. Yahoo also says it will offer users the option to encrypt all data between themselves and Yahoo by the end of March. The move leaves Microsoft as a bit of a straggler, the company having acknowledged before an EU parliamentary committee last week that its server-to-server data isn't encrypted.
AT&T's Digital Life home automation and security platform has launched in six additional markets. According to an AT&T press release, the service will go live on Friday in Bridgeport, Colorado Springs, Memphis, Mobile, New Haven and Pensacola, bringing the market total to 58. $30 a month and a $150 installation fee nets you the basic security setup that provides 24/7 home monitoring, while another $10 a month and an additional $100 installation fee provides up to three carbon monoxide and glass-break sensors. A flurry of additional home automation features can be purchased for $10 each, ranging from sensors that can tell if you've got a water leak, to remotely manageable thermostats.
We've discussed how both Lavabit and Silent Circle closed down their secure e-mail services, claiming that government pressure to hand over encryption keys for all users made operating those services untenable. Both companies were recently joined by Cryptoseal, which shuttered its VPN service after claiming government demands to hand over encryption keys were both unreasonable and unconstitutional.
On the heels of growing outrage from last week that the NSA has been spying on numerous world leaders (which isn't much of a revelation since it's clear now the NSA is spying on effectively everything, everywhere). Media reports had previously claimed Obama was briefed on the spying on foreign leaders in 2010 but allowed it to continue.
A new report by security researcher Prvsec claims that a vulnerability in the Verizon Wireless website exposed private SMS details for tens of millions of Verizon Wireless subscribers. According to Prvsec's findings, attackers with a subscriber-level login to the company's website could rather easily see who other Verizon users were texting and when, simply by plugging in that user's phone number. Prvsec shared the details of the vulnerability with Verizon Wireless privately in August, and the problem appears to have been fixed by Verizon Wireless last month.
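The flaw as described is a lookup keyed on a client-supplied phone number with no server-side check that the number belongs to the logged-in subscriber. The following is an added illustration of that bug class beside its fix, not Verizon's code; the Session and Account structures and the SMS rows are constructed for the example.

```python
"""Missing ownership check on an SMS-history lookup, and the fixed handler.

Added example, not Verizon's code. All account and SMS data below is
constructed for the demonstration.
"""
from dataclasses import dataclass, field


@dataclass
class Session:
    account_id: str  # the subscriber who authenticated


@dataclass
class Account:
    account_id: str
    lines: set = field(default_factory=set)  # phone numbers on this account


# Constructed sample data: two subscribers, one line each, a few SMS rows.
ACCOUNTS = {
    "acct-1": Account("acct-1", {"+15550000001"}),
    "acct-2": Account("acct-2", {"+15550000002"}),
}
SMS_LOG = {
    "+15550000001": [("2013-10-02T09:15", "+15550009999")],
    "+15550000002": [("2013-10-02T10:40", "+15550008888"),
                     ("2013-10-02T11:05", "+15550007777")],
}


class Forbidden(Exception):
    pass


def sms_history_vulnerable(session: Session, number: str):
    """Any logged-in subscriber can read any number's history: the handler
    trusts the client-supplied number and never ties it to the session."""
    return SMS_LOG.get(number, [])


def sms_history_fixed(session: Session, number: str):
    """Server-side ownership check: the number must be on the caller's own
    account. Unknown numbers and other customers' numbers get the same
    Forbidden response, so the endpoint also does not confirm which exist."""
    account = ACCOUNTS.get(session.account_id)
    if account is None or number not in account.lines:
        raise Forbidden("number is not on the authenticated account")
    return SMS_LOG.get(number, [])
```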
AT&T has announced that the company will expand its Digital Life home automation and security services to another seven markets. According to the AT&T statement, AT&T users in Birmingham, Las Vegas, Louisville, Nashville, Raleigh, Richmond and Tucson can now sign up for the option.
A report by Reuters notes that NSA boss Keith Alexander and his civilian deputy John Inglis will be stepping down in the spring, though the NSA notes this has "nothing to do with" the Edward Snowden leaks that have embroiled the agency in scandal for much of the last year. While there are more than a few news outlets suggesting Alexander's departure might still be because of the leaks or could trigger a shift in the way the agency does business, Techdirt points out that Alexander's retirement has been in the cards for some time, and that any substantive sea change in the NSA's modus operandi remains unlikely.
A backdoor has been found in the firmware for a number of later-model D-Link routers, allowing an intruder to bypass user authentication. The backdoor was first found by Craig Heffner, a vulnerability researcher with Tactical Network Solutions, who was tinkering with version 1.13 of the firmware for the D-Link DIR-100 revA router.
You'll recall that back in August Lavabit, the secure e-mail provider used by NSA whistleblower Edward Snowden, announced it was shutting down operations while ambiguously blaming Uncle Sam. At the time, Lavabit founder Ladar Levison stated his choice was either to be "complicit in crimes against the American people or walk away from nearly ten years of hard work by shutting down Lavabit." He obviously chose the latter, but offered no hard details.
Earlier this month a Federal Appeals court ruled that Google could be held liable for its 2011 scandal in which Street View vehicles collected snippets of data from unsecured hotspots when passing by. The court's ruling was rather odd in that, to conclude Google violated the Wiretap Act, the court had to first declare that Wi-Fi isn't a radio communication (it is) and that unsecured open hotspots aren't readily accessible to the general public (they are).
Last month a widespread malware attack on the Tor network used a Firefox exploit to send the personal data of Tor users to an IP address in Reston, Virginia. While it was already believed that this IP address belonged to an FBI subcontractor working on the FBI's "computer and internet protocol address verifier" (CIPAV) spyware initiative, a new Wired report confirms that the FBI has acknowledged in court that it controlled the servers behind that attack on the Tor network.
On the heels of last week's bombshell that the NSA has effectively bested most common types of encryption, the New York Times has a follow-up report that adds some interesting details. According to the Times report, the NSA has specifically compromised the Dual EC DRBG standard -- with the help of Canada.
A report in Der Spiegel claims that the NSA has the ability to "tap" most Apple and Android devices, and to access the secure and encrypted BlackBerry mail system. None of that is particularly surprising given full context and the recent revelations regarding encryption, though the BlackBerry reveal does suddenly pose a significant PR problem for the already-struggling Canadian company. BlackBerry insists it did not provide the NSA with any backdoors to the service:
This could mark a huge setback for the company, which has always claimed that its mail system is uncrackable. In response to questions from SPIEGEL, BlackBerry officials stated, "It is not for us to comment on media reports regarding alleged government surveillance of telecommunications traffic." The company said it had not programmed a "'back door' pipeline to our platform."
Der Spiegel does point out that the hacking of these devices remotely has "not been a mass phenomenon" but instead was "targeted, in some cases in an individually tailored manner and without the knowledge of the smart phone companies." Update: The magazine has released some additional details regarding just how the NSA "taps" smartphones.
The latest Edward Snowden bombshell comes courtesy of the New York Times, which in a report this week notes that the NSA has managed to defeat most of the most common encryption schemes available using a wide variety of tactics. According to the documents received by the Times, the NSA has spent decades using supercomputers, "technical trickery," backdoors, court orders and behind-the-scenes persuasion to undermine major encryption tools.
Recent news contributors: Bill Neilson