Sonos finally blasted in complaint to UK privacy watchdog – let's hope they do something with it

Sonos stands accused of seeking to obtain “excessive” amounts of personal data without valid consent in a complaint filed with the UK’s data watchdog.

The complaint, lodged by tech lawyer George Gardiner in a personal capacity, challenges the Sonos privacy policy’s compliance with the General Data Protection Regulation and the UK’s implementation of that law.

It argues that Sonos had not obtained valid consent from users who were asked to agree to a new privacy policy and had failed to meet privacy-by-design requirements.

The company changed its terms in summer 2017 to allow it to collect more data from its users – ostensibly because it was launching voice services. Sonos said that anyone who didn’t accept the fresh Ts&Cs would no longer be able to download future software updates.

Sonos denied at the time that this was effectively bricking the system, but whichever way you cut it, the move would deprecate the kit of users that didn’t accept the terms. The app controlling the system would also eventually become non-functional.

Gardiner pointed out, however, that security risks and an interest in properly maintaining an expensive system meant there was little practical alternative other than to update the software.

This resulted in a mandatory acceptance of the terms of the privacy policy, rendering any semblance of consent void.

“I have no option but to consent to its privacy policy otherwise I will have over £3,000 worth of useless devices,” he said in a complaint sent to the ICO and shared with The Register.

Users setting up accounts are told: “By clicking on ‘Submit’ you agree to Sonos’ Terms and Conditions and Privacy Policy.” This all-or-nothing approach is contrary to data protection law, he argued.

Sonos collects personal data in the form of name, email address, IP addresses and “information provided by cookies or similar technology”.

The system also collects data on room names assigned by users, the controller device, the operating system of the device a person uses and content source.

Sonos said that collecting and processing this data – a slurp that users cannot opt out of – is necessary for the “ongoing functionality and performance of the product and its ability to interact with various services”.

But Gardiner questioned whether it was really necessary for Sonos to collect this much data, noting that his system worked without it prior to August 2017. He added that he does not own a product that requires voice recognition.

Source: Turn me up some: Smart speaker outfit Sonos blasted in complaint to UK privacy watchdog • The Register

I am in the exact same position – suddenly I had to accept an invasive change of privacy policy and earlier in March I also had to log in with a Sonos account in order to get the kit working (it wouldn’t update without logging in and the app only showed the login and update page). This is not what I signed up for when I bought the (expensive!) products.

Two out of three hotels accidentally leak guests’ personal data to third parties

Two out of three hotel websites inadvertently leak guests’ booking details and personal data to third-party sites, including advertisers and analytics companies, according to research released by Symantec Corp on Wednesday.

The study, which looked at more than 1,500 hotel websites in 54 countries that ranged from two-star to five-star properties, comes several months after Marriott International disclosed one of the worst data breaches in history.

Symantec said Marriott was not included in the study.

Compromised personal information includes full names, email addresses, credit card details and passport numbers of guests that could be used by cybercriminals who are increasingly interested in the movements of influential business professionals and government employees, Symantec said.

“While it’s no secret that advertisers are tracking users’ browsing habits, in this case, the information shared could allow these third-party services to log into a reservation, view personal details and even cancel the booking altogether,” said Candid Wueest, the primary researcher on the study.

The research showed compromises usually occur when a hotel site sends confirmation emails with a link that has direct booking information. The reference code attached to the link could be shared with more than 30 different service providers, including social networks, search engines and advertising and analytics services.
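The mechanism described above is worth seeing concretely: a booking reference that travels in the confirmation link's query string leaves the page in two ways, as the Referer header on every third-party request the page makes, and inside the URLs of scripts that copy the page address into their own beacons. The following script is an added example written for this page; it is not Symantec's tooling and the hostnames, the link and the request list are constructed. It flags which third-party hosts receive the reference and which channel carries it, then re-runs the check under three Referrer-Policy values to show what a header fix does and does not stop.

```python
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qs, unquote, urlparse

# Constructed example (hypothetical hostnames): a hotel confirmation link that
# carries the booking reference in its query string, plus the requests the
# confirmation page makes while loading.
FIRST_PARTY = "booking.example-hotel.com"
CONFIRMATION_LINK = "https://booking.example-hotel.com/reservation?ref=HX7K2Q9&lang=en"

SAMPLE_REQUESTS: List[Dict] = [
    {"url": "https://booking.example-hotel.com/static/app.js",
     "headers": {"Referer": CONFIRMATION_LINK}},
    # an analytics script copied location.href into its own beacon URL
    {"url": "https://collect.example-analytics.net/hit?dl=https%3A%2F%2Fbooking.example-hotel.com"
            "%2Freservation%3Fref%3DHX7K2Q9&t=pageview",
     "headers": {"Referer": CONFIRMATION_LINK}},
    {"url": "https://pixel.example-ads.com/p.gif?cb=1234",
     "headers": {"Referer": CONFIRMATION_LINK}},
    {"url": "https://widgets.example-social.com/like.js",
     "headers": {"Referer": CONFIRMATION_LINK}},
]


def booking_reference(link: str) -> str:
    """Extract the sensitive token (here the 'ref' parameter) from the link."""
    return parse_qs(urlparse(link).query)["ref"][0]


def is_first_party(host: Optional[str]) -> bool:
    return host is not None and (host == FIRST_PARTY or host.endswith("." + FIRST_PARTY))


def find_leaks(link: str, requests: List[Dict]) -> List[Tuple[str, Tuple[str, ...]]]:
    """Return (third_party_host, channels) for every request that carries the
    booking reference, either in its own URL or in its Referer header."""
    secret = booking_reference(link)
    leaks = []
    for req in requests:
        host = urlparse(req["url"]).hostname
        if is_first_party(host):
            continue
        channels = []
        if secret in unquote(req["url"]):       # decoded, so %3D-encoded copies count
            channels.append("url")
        referer = req["headers"].get("Referer")
        if referer and secret in unquote(referer):
            channels.append("referer")
        if channels:
            leaks.append((host, tuple(channels)))
    return leaks


def effective_referer(policy: str, page_url: str, target_url: str) -> Optional[str]:
    """What a browser sends as Referer for a request from page_url to target_url
    under the given Referrer-Policy (three common values modelled)."""
    page, target = urlparse(page_url), urlparse(target_url)
    same_origin = (page.scheme, page.netloc) == (target.scheme, target.netloc)
    downgrade = page.scheme == "https" and target.scheme == "http"
    origin_only = f"{page.scheme}://{page.netloc}/"
    if policy == "no-referrer":
        return None
    if policy == "no-referrer-when-downgrade":          # older browser default
        return None if downgrade else page_url
    if policy == "strict-origin-when-cross-origin":     # current browser default
        if downgrade:
            return None
        return page_url if same_origin else origin_only
    raise ValueError(f"unsupported policy: {policy}")


def leaks_under_policy(policy: str, link: str = CONFIRMATION_LINK,
                       requests: List[Dict] = SAMPLE_REQUESTS):
    """Re-run the leak check with the Referer header the policy would produce.
    Request URLs are left alone: a policy cannot undo a script that already
    copied the page address into its own query string."""
    rewritten = []
    for req in requests:
        ref = effective_referer(policy, link, req["url"])
        rewritten.append({"url": req["url"], "headers": {"Referer": ref} if ref else {}})
    return find_leaks(link, rewritten)


if __name__ == "__main__":
    for host, channels in find_leaks(CONFIRMATION_LINK, SAMPLE_REQUESTS):
        print(f"{host}: reference leaked via {', '.join(channels)}")
    for policy in ("no-referrer-when-downgrade", "strict-origin-when-cross-origin", "no-referrer"):
        print(policy, "->", leaks_under_policy(policy))
```

Under the old browser default every third party on the page sees the reference; a strict Referrer-Policy removes the header channel but the analytics beacon still carries it, because the script read the address from the DOM. The durable fix is the one the check cannot simulate: keep the reference out of the URL altogether (an opaque, short-lived token exchanged server-side, or a POST after login).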

Source: Two out of three hotels accidentally leak guests’ personal data: Symantec – Reuters

Increase Your Privacy in Windows 10 With ‘O&O ShutUp10’

You might not even know what options you can tweak (or turn off) in your operating system, which is where the cleverly named O&O ShutUp10 application comes into play. It’s a simple application that makes it incredibly easy to tweak various aspects of Windows 10 that are normally buried or otherwise inaccessible to regular people. More importantly, the app comes with some helpful warnings so you don’t accidentally disable something you shouldn’t (like automatic updates).

To get started, all you have to do is download the app and run it. That’s it. There’s no installation to speak of, which already makes me thrilled. When the app loads, it’ll look like this:

Screenshot: David Murphy (O&O ShutUp10)

You’ll see a bunch of different options you can turn on and off—some might already be enabled—as well as a handy “recommend” column that gives you a little more advice as to whether you should really mess with that setting or not. What I love about O&O ShutUp10, though, is that you can get even more information about what each setting means by simply hovering your mouse over each line and clicking, like so:

Screenshot: David Murphy

While you probably shouldn’t just go through and enable everything that’s recommended en masse, I would use that little green checkmark as a guide while you explore the app. Enable any related setting and you’re probably fine. Once you start getting into the yellow “limited” category, however, it gets a bit dicier. You might not want to, for example, disable all apps from accessing your microphone or camera—or maybe you do. Just remember you toggled that setting the next time you’re about to hop on a video conference.

Source: Increase Your Privacy in Windows 10 With ‘O&O ShutUp10’

Assange Charges Finally Reveal Why Chelsea Manning Is Sitting in Jail

Charges announced by the Justice Department on Thursday against WikiLeaks founder Julian Assange provide fresh insight into why federal prosecutors sought to question whistleblower Chelsea Manning last month before a federal grand jury in the Eastern District of Virginia.

Manning, convicted in 2013 of leaking classified U.S. government documents to WikiLeaks, was jailed in early March as a recalcitrant witness after refusing to answer the grand jury’s questions. After her arrest, she was held in solitary confinement in a Virginia jail for nearly a month before being moved into its general population—all in an attempt to coerce her into answering questions about conversations she allegedly had with Assange at the time of her illegal disclosures, according to court filings.

Though Manning confessed to leaking more than 725,000 classified documents to WikiLeaks following her deployment to Iraq in 2009—including battlefield reports and five Guantanamo Bay detainee profiles—she was charged with leaking portions of only a couple hundred documents, including dozens of diplomatic cables that have since been declassified.

British authorities on Thursday removed Assange from the Ecuadorian embassy in London, his home for nearly seven years, following Ecuador’s decision to rescind his asylum. The U.S. government has requested that he be extradited to the United States to face a federal charge of conspiracy to commit computer crimes.

Source: Assange Charges Finally Reveal Why Chelsea Manning Is Sitting in Jail

EU Tells Internet Archive That Much Of Its Site Is ‘Terrorist Content’, shows how it will censor the internet with no recourse

We’ve been trying to explain for the past few months just how absolutely insane the new EU Terrorist Content Regulation will be for the internet. Among many other bad provisions, the big one is that it would require content removal within one hour as long as any “competent authority” within the EU sends a notice of content being designated as “terrorist” content. The law is set for a vote in the EU Parliament just next week.

And as if they were attempting to show just how absolutely insane the law would be for the internet, multiple European agencies (we can debate if they’re “competent”) decided to send over 500 totally bogus takedown demands to the Internet Archive last week, claiming it was hosting terrorist propaganda content.

In the past week, the Internet Archive has received a series of email notices from Europol’s European Union Internet Referral Unit (EU IRU) falsely identifying hundreds of URLs on archive.org as “terrorist propaganda”. At least one of these mistaken URLs was also identified as terrorist content in a separate take down notice from the French government’s L’Office Central de Lutte contre la Criminalité liée aux Technologies de l’Information et de la Communication (OCLCTIC).

And just in case you think that maybe the requests are somehow legit, they are so obviously bogus that anyone with a browser would know they are bogus. Included in the list of takedown demands are a bunch of the Archive’s “collection pages”, including the entire Project Gutenberg page of public domain texts, its collection of over 15 million freely downloadable texts, the famed Prelinger Archive of public domain films and the Archive’s massive Grateful Dead collection. Oh yeah, also a page of CSPAN recordings. So much terrorist content!

And, as the Archive explains, there’s simply no way that (1) the site could have complied with the Terrorist Content Regulation had it been law last week when they received the notices, or (2) they should have blocked all that obviously non-terrorist content.

The Internet Archive has a few staff members that process takedown notices from law enforcement who operate in the Pacific time zone. Most of the falsely identified URLs mentioned here (including the report from the French government) were sent to us in the middle of the night – between midnight and 3am Pacific – and all of the reports were sent outside of the business hours of the Internet Archive.

The one-hour requirement essentially means that we would need to take reported URLs down automatically and do our best to review them after the fact.

It would be bad enough if the mistaken URLs in these examples were for a set of relatively obscure items on our site, but the EU IRU’s lists include some of the most visited pages on archive.org and materials that obviously have high scholarly and research value.

Those are the requests from Europol, who unfortunately likely qualify as a “competent” authority under the law. The Archive also points out the request from both Europol and the French computer crimes unit targeting a page providing commentary on the Quran as being terrorist content. The French agency told the Archive it needed to take down that content within 24 hours or the Archive may get blocked in France.

Source: EU Tells Internet Archive That Much Of Its Site Is ‘Terrorist Content’ | Techdirt

Serious flaws found in WPA3’s Wi-Fi handshake

Because WPA2 is more than 14 years old, the Wi-Fi Alliance recently announced the new and more secure WPA3 protocol. One of the main advantages of WPA3 is that, thanks to its underlying Dragonfly handshake, it’s near impossible to crack the password of a network. Unfortunately, we found that even with WPA3, an attacker within range of a victim can still recover the password of the network. This allows the adversary to steal sensitive information such as credit cards, passwords, emails, and so on, when the victim uses no extra layer of protection such as HTTPS. Fortunately, we expect that our work and coordination with the Wi-Fi Alliance will allow vendors to mitigate our attacks before WPA3 becomes widespread.

The Dragonfly handshake, which forms the core of WPA3, is also used on certain Wi-Fi networks that require a username and password for access control. That is, Dragonfly is also used in the EAP-pwd protocol. Unfortunately, our attacks against WPA3 also work against EAP-pwd, meaning an adversary can even recover a user’s password when EAP-pwd is used. We also discovered serious bugs in most products that implement EAP-pwd. These allow an adversary to impersonate any user, and thereby access the Wi-Fi network, without knowing the user’s password. Although we believe that EAP-pwd is used fairly infrequently, this still poses serious risks for many users, and illustrates the risks of incorrectly implementing Dragonfly.

The technical details behind our attacks against WPA3 can be found in our detailed research paper titled Dragonblood: A Security Analysis of WPA3’s SAE Handshake. The details of our EAP-pwd attacks are explained on this website.

[…]

The discovered flaws can be abused to recover the password of the Wi-Fi network, launch resource consumption attacks, and force devices into using weaker security groups. All attacks are against home networks (i.e. WPA3-Personal), where one password is shared among all users. Summarized, we found the following vulnerabilities in WPA3:

  • CERT ID #VU871675: Downgrade attack against WPA3-Transition mode leading to dictionary attacks.
  • CERT ID #VU871675: Security group downgrade attack against WPA3’s Dragonfly handshake.
  • CVE-2019-9494: Timing-based side-channel attack against WPA3’s Dragonfly handshake.
  • CVE-2019-9494: Cache-based side-channel attack against WPA3’s Dragonfly handshake.
  • CERT ID #VU871675: Resource consumption attack (i.e. denial of service) against WPA3’s Dragonfly handshake.

[…]

We have made scripts to test for certain vulnerabilities:

  • Dragonslayer: implements attacks against EAP-pwd (to be released shortly).
  • Dragondrain: this tool can be used to test to what extent an Access Point is vulnerable to denial-of-service attacks against WPA3’s SAE handshake.
  • Dragontime: this is an experimental tool to perform timing attacks against the SAE handshake if MODP group 22, 23, or 24 is used. Note that most WPA3 implementations by default do not enable these groups.
  • Dragonforce: this is an experimental tool which takes the information recovered from our timing or cache-based attacks, and performs a password partitioning attack. This is similar to a dictionary attack.
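The timing attack and the password partitioning that Dragontime and Dragonforce perform are easier to follow with a toy. The script below is an added example written for this page, not code from the Dragonblood project: it models the MODP ("FFC") variant of Dragonfly's hunting-and-pecking loop with a tiny prime (P = 23, a stand-in, not a real MODP group) so that candidate values are rejected often enough to see the effect. In the real attack Dragontime measures how long the access point takes to answer SAE Commit frames sent from spoofed MAC addresses; here the loop's iteration count stands in for that measurement, since the time is proportional to it. The attacker then simulates the same loop for every dictionary word and keeps only the words whose counts match every observation, which is what the partitioning attack does. A second derivation always runs the full number of rounds, the same fixed-iteration shape that the standard already prescribes for the elliptic-curve groups, and shows the count no longer depends on the password. The password, dictionary and MAC addresses are constructed.

```python
import hashlib
import hmac
from typing import Dict, Iterable, List, Set, Tuple

# Toy parameters. Real SAE MODP groups use primes of at least 1024 bits; this
# small prime exists only so that the loop visibly fails and retries.
P = 23                       # toy prime modulus (an assumption, not a real group)
Q = 11                       # toy prime-order subgroup, P - 1 = 2 * Q
BITS = P.bit_length()        # KDF output length tracks len(p), as in SAE
MAX_ITER = 40                # 802.11 fixes the ECC loop at 40 rounds


def _kdf_bits(seed: bytes, label: bytes, nbits: int) -> int:
    """Simplified stand-in for KDF-n: hash the seed and keep the top nbits bits."""
    digest = hashlib.sha256(seed + label).digest()
    return int.from_bytes(digest, "big") >> (256 - nbits)


def _candidate(password: bytes, key: bytes, counter: int) -> int:
    """One hunting-and-pecking round: 0 if rejected, else the password element."""
    pwd_seed = hmac.new(key, password + bytes([counter]), hashlib.sha256).digest()
    pwd_value = _kdf_bits(pwd_seed, b"SAE Hunting and Pecking", BITS)
    if pwd_value < P:
        pe = pow(pwd_value, (P - 1) // Q, P)    # map into the order-Q subgroup
        if pe > 1:
            return pe
    return 0


def hunting_and_pecking(password: bytes, mac_a: bytes, mac_b: bytes) -> Tuple[int, int]:
    """Leaky derivation: stops at the first usable candidate, so the number of
    rounds (and therefore the running time) depends on password and MACs.
    Returns (password_element, rounds_executed)."""
    key = max(mac_a, mac_b) + min(mac_a, mac_b)
    for counter in range(1, MAX_ITER + 1):
        pe = _candidate(password, key, counter)
        if pe:
            return pe, counter
    raise ValueError("no password element found within MAX_ITER rounds")


def hunting_and_pecking_fixed(password: bytes, mac_a: bytes, mac_b: bytes) -> Tuple[int, int]:
    """Same result, but every call runs MAX_ITER rounds and keeps the first hit,
    so the round count no longer leaks. (A real fix also needs the selection
    itself to be constant-time; the Python 'if' here is only illustrative.)"""
    key = max(mac_a, mac_b) + min(mac_a, mac_b)
    found = 0
    for counter in range(1, MAX_ITER + 1):
        pe = _candidate(password, key, counter)
        if pe and not found:
            found = pe
    if not found:
        raise ValueError("no password element found within MAX_ITER rounds")
    return found, MAX_ITER


def observe_round_counts(ap_password: bytes, ap_mac: bytes,
                         spoofed_macs: Iterable[bytes]) -> Dict[bytes, int]:
    """Stand-in for Dragontime: one 'timing' measurement per spoofed client MAC."""
    return {mac: hunting_and_pecking(ap_password, ap_mac, mac)[1] for mac in spoofed_macs}


def partition_dictionary(candidates: Iterable[bytes], ap_mac: bytes,
                         observations: Dict[bytes, int]) -> Set[bytes]:
    """Stand-in for Dragonforce: keep every candidate password whose simulated
    round count agrees with all observed measurements."""
    survivors = set()
    for pw in candidates:
        for mac, count in observations.items():
            try:
                simulated = hunting_and_pecking(pw, ap_mac, mac)[1]
            except ValueError:
                simulated = None
            if simulated != count:
                break
        else:
            survivors.add(pw)
    return survivors


# Constructed scenario: one AP, the real passphrase hidden in a 50-word list,
# and 40 spoofed client MACs giving 40 independent measurements.
AP_MAC = bytes.fromhex("020000000001")
REAL_PASSWORD = b"correct horse battery staple"
DICTIONARY: List[bytes] = [REAL_PASSWORD] + [b"password%d" % i for i in range(49)]
SPOOFED_MACS = [bytes.fromhex("02aabbcc%04x" % i) for i in range(40)]


def recover_password() -> Set[bytes]:
    observations = observe_round_counts(REAL_PASSWORD, AP_MAC, SPOOFED_MACS)
    return partition_dictionary(DICTIONARY, AP_MAC, observations)


if __name__ == "__main__":
    leaky = {hunting_and_pecking(pw, AP_MAC, SPOOFED_MACS[0])[1] for pw in DICTIONARY}
    fixed = {hunting_and_pecking_fixed(pw, AP_MAC, SPOOFED_MACS[0])[1] for pw in DICTIONARY}
    print("round counts seen across the dictionary, leaky:", sorted(leaky), "fixed:", sorted(fixed))
    print("candidates left after partitioning:", recover_password())
```

Each spoofed MAC gives a fresh measurement, so the attacker needs no repeated handshakes with the victim, only the ability to send Commit frames to the AP; that is why the tool is effective against WPA3-Personal even though the handshake itself resists offline dictionary attacks. The fixed-round variant removes the leak this script models, but as the text notes the practical advice is simpler still: do not enable MODP groups 22, 23 and 24 at all.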

Source: Dragonblood: Analysing WPA3’s Dragonfly Handshake