Researchers Find ‘Anonymized’ Data Is Even Less Anonymous Than We Thought

Dasha Metropolitansky and Kian Attari, two students at the Harvard John A. Paulson School of Engineering and Applied Sciences, recently built a tool, for a class paper they’ve yet to publish, that combs through vast troves of consumer datasets exposed in breaches.

“The program takes in a list of personally identifiable information, such as a list of emails or usernames, and searches across the leaks for all the credential data it can find for each person,” Attari said in a press release.

They told Motherboard their tool analyzed thousands of datasets from data scandals ranging from the 2015 hack of Experian to the hacks and breaches that have plagued services from MyHeritage to porn websites. Despite many of these datasets containing “anonymized” data, the students say that identifying actual users wasn’t all that difficult.

“An individual leak is like a puzzle piece,” Harvard researcher Dasha Metropolitansky told Motherboard. “On its own, it isn’t particularly powerful, but when multiple leaks are brought together, they form a surprisingly clear picture of our identities. People may move on from these leaks, but hackers have long memories.”

For example, while one company might only store usernames, passwords, email addresses, and other basic account information, another company may have stored information on your browsing or location data. Independently they may not identify you, but collectively they reveal numerous intimate details even your closest friends and family may not know.

“We showed that an ‘anonymized’ dataset from one place can easily be linked to a non-anonymized dataset from somewhere else via a column that appears in both datasets,” Metropolitansky said. “So we shouldn’t assume that our personal information is safe just because a company claims to limit how much they collect and store.”

The students told Motherboard they were “astonished” by the sheer volume of total data now available online and on the dark web. Metropolitansky and Attari said that even with privacy scandals now a weekly occurrence, the public is dramatically underestimating the impact on privacy and security these leaks, hacks, and breaches have in total.

Previous studies have shown that even within independent individual anonymized datasets, identifying users isn’t all that difficult.

In one 2019 UK study, researchers were able to develop a machine learning model capable of correctly identifying 99.98 percent of Americans in any anonymized dataset using just 15 characteristics. A different MIT study of anonymized credit card data found that users could be identified 90 percent of the time using just four relatively vague points of information.

Another German study looking at anonymized user vehicle data found that 15 minutes’ worth of data from brake pedal use could let them identify the right driver, out of 15 options, roughly 90 percent of the time. Another 2017 Stanford and Princeton study showed that deanonymizing user social networking data was also relatively simple.
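The linkage risk Metropolitansky describes (a column shared between an “anonymized” release and a non-anonymized dataset) and the uniqueness results from the studies above can both be checked before a dataset is published. The following is an added example, not the students’ tool: a small k-anonymity audit over constructed records that reports which columns are shared with another dataset and which combinations of quasi-identifiers leave individuals in a group of one.

```python
"""Pre-release audit for an 'anonymized' dataset (added example, constructed data).

Two questions a data owner should answer before publishing:
  1. Which columns also appear in other datasets?  Any shared column is a join key.
  2. For each subset of quasi-identifiers, how many people share the same values?
     A group of size 1 is a record that can be singled out and linked.
"""
from collections import Counter
from itertools import combinations

# Constructed release: names and emails were stripped, but quasi-identifiers remain.
RELEASE = [
    {"zip": "02138", "birth_year": 1991, "gender": "F"},
    {"zip": "02138", "birth_year": 1991, "gender": "M"},
    {"zip": "02138", "birth_year": 1985, "gender": "F"},
    {"zip": "02139", "birth_year": 1985, "gender": "F"},
    {"zip": "02139", "birth_year": 1985, "gender": "M"},
    {"zip": "02139", "birth_year": 1991, "gender": "M"},
]
QUASI_IDS = ("zip", "birth_year", "gender")

# Constructed column list of some other (non-anonymized) dataset held elsewhere.
OTHER_DATASET_COLUMNS = ["email", "zip", "birth_year", "last_login"]


def shared_columns(release_cols, other_cols):
    """Columns present in both datasets: each one is a candidate linkage key."""
    return sorted(set(release_cols) & set(other_cols))


def equivalence_classes(rows, cols):
    """Map each combination of values for `cols` to the number of rows sharing it."""
    return Counter(tuple(row[c] for c in cols) for row in rows)


def min_k(rows, cols):
    """The k in k-anonymity: size of the smallest group for this column subset."""
    return min(equivalence_classes(rows, cols).values())


def singleton_fraction(rows, cols):
    """Share of records that are unique on `cols`; this is the quantity the
    re-identification studies report (e.g. 99.98% unique on 15 attributes)."""
    classes = equivalence_classes(rows, cols)
    singles = sum(1 for n in classes.values() if n == 1)
    return singles / len(rows)


def audit(rows, quasi_ids, k_required=2):
    """Every subset of quasi-identifiers whose smallest group is below k_required."""
    failing = []
    for size in range(1, len(quasi_ids) + 1):
        for subset in combinations(quasi_ids, size):
            k = min_k(rows, subset)
            if k < k_required:
                failing.append((subset, k))
    return failing


if __name__ == "__main__":
    print("shared join keys:", shared_columns(RELEASE[0].keys(), OTHER_DATASET_COLUMNS))
    for cols in (("zip",), ("zip", "birth_year"), QUASI_IDS):
        print(cols, "min k =", min_k(RELEASE, cols),
              "unique =", f"{singleton_fraction(RELEASE, cols):.0%}")
    for subset, k in audit(RELEASE, QUASI_IDS):
        print("FAILS k-anonymity:", subset, "k =", k)
```

On the constructed rows every single column looks safe (three people per value), yet every pair of columns already isolates someone and all three together make every record unique.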

Individually these data breaches are problematic—cumulatively they’re a bit of a nightmare.

Metropolitansky and Attari also found that despite repeated warnings, the public still isn’t using unique passwords or password managers. Of the 96,000 passwords contained in one of the program’s output datasets, just 26,000 were unique.

The problem is compounded by the fact that the United States still doesn’t have even a basic privacy law for the internet era, thanks in part to relentless lobbying from a cross-industry coalition of corporations eager to keep this profitable status quo intact. As a result, penalties for data breaches and lax security are often too pathetic to drive meaningful change.

Harvard’s researchers told Motherboard there are several restrictions a meaningful U.S. privacy law could implement to potentially mitigate the harm, including restricting data access to unauthorized employees, maintaining better records on data collection and retention, and decentralizing data storage (not keeping corporate and consumer data on the same server).

Until then, we’re left relying on the promises of corporations who’ve repeatedly proven their privacy promises aren’t worth all that much.

Source: Researchers Find ‘Anonymized’ Data Is Even Less Anonymous Than We Thought – VICE

Firefox now shows what telemetry data it’s collecting about you (if any)

There is now a special page in the Firefox browser where users can see what telemetry data Mozilla is collecting from their browser.

Accessible by typing about:telemetry in the browser’s URL address bar, this new section is a recent addition to Firefox.

The page shows deeply technical information about browser settings, installed add-ons, OS/hardware information, browser session details, and running processes.

The information is what you’d expect a software vendor to collect about users in order to fix bugs and keep a statistical track of its userbase.

A Firefox engineer told ZDNet the page was primarily created for selfish reasons, in order to help engineers debug Firefox test installs. However, it was allowed to ship to the stable branch also as a PR move, to put users’ minds at ease about what type of data the browser maker collects from its users.

The move is in tune with what Mozilla has been doing over the past two years, pushing for increased privacy controls in its browser and opening up about its practices, in stark contrast with what other browser makers have been doing in the past decade.

Source: Firefox now shows what telemetry data it’s collecting about you | ZDNet

CIA Employee Accused Of Leaking Vault 7 cyber security tooling To WikiLeaks in 2017 Goes On Trial

The trial of a former Central Intelligence Agency software engineer who allegedly leaked thousands of pages of documents to WikiLeaks was set to begin Monday in federal court in New York. The leak has been described as one of the largest in the CIA’s history.

Joshua Schulte has pleaded not guilty to 11 criminal counts, including illegal transmission of unlawfully possessed national defense information and theft of government property.

WikiLeaks started publishing the documents, which it called “Vault 7,” in March 2017. Many of the documents are highly technical, and appear to describe agency practices for hacking a number of different targets.

As NPR’s Camila Domonoske and Greg Myre reported at the time, the documents are said to be internal guides to creating and using many kinds of hacking tools, “from turning smart TVs into bugs to designing customized USB drives to extract information from computers.”

Schulte’s lawyers did not respond to NPR’s requests for comment about the case.

In court filings ahead of the trial, they have expressed frustration at the pace with which they are required to review materials surfaced during the discovery process.

Some of the charges against Schulte stem from the Espionage Act, and defense lawyers say they are unconstitutionally overbroad and vague. They also said the law was intended to be used to prosecute those who transmit government secrets to foreign governments, and that it shouldn’t apply to leaking to WikiLeaks. The judge rejected those arguments.

“As alleged, Schulte utterly betrayed this nation and downright violated his victims,” William F. Sweeney Jr., the assistant director-in-charge of the FBI’s New York Field Office, said in a statement when the charges were announced. “As an employee of the CIA, Schulte took an oath to protect this country, but he blatantly endangered it by the transmission of Classified Information.”

Prosecutors have said that when Schulte was working at the CIA, he developed classified cyber tools, including tools to covertly gather data from computers.

The leak allegedly happened during a time of rising tension between Schulte and his CIA colleagues.

In the summer of 2015, according to prosecutors, Schulte started having “significant problems” in his group that stemmed from a feud with one of his colleagues. The feud deepened after the colleague reportedly complained about Schulte to management. Prosecutors say Schulte accused the employee of making a death threat against him and eventually filed a protective order against that person. They were reassigned to different teams.

Because of his reassignment, Schulte’s access to previous projects was revoked. But prosecutors say he reinstated his own administrative privileges. Management at the Center for Cyber Intelligence discovered it, and they attempted to revoke privileges and change passwords. But they missed credentials for one computer network, according to prosecutors, and in April 2016, Schulte allegedly stole vast quantities of information from the network and passed the data along to WikiLeaks.

The judge has granted measures to protect the anonymity of certain witnesses from the CIA who are expected to testify. During those sessions, the courtroom will be closed to press, except for two pool reporters who have agreed not to disclose the physical characteristics of these witnesses. Other reporters in an adjoining courtroom will be able to see a video feed that won’t show images of the witnesses.

Federal prosecutors originally indicted Schulte in 2017 on charges of receiving and possessing child pornography. They said they discovered more than 10,000 images and videos of child pornography encrypted on Schulte’s personal computer.

One of the prosecutors, Matthew Laroche, said at a hearing in 2017 that Schulte is “someone who’s shown himself to condone sexually dangerous behavior and has shown a proclivity to collect thousands of images of child pornography.”

In July 2019, the court severed the child pornography-related charges from the rest of the case, meaning that those accusations will be addressed at a separate trial.

Source: Ex-CIA Employee Accused Of Leaking Documents To WikiLeaks Goes On Trial : NPR

Twitter Helps Spread Disinformation During Iowa Caucuses

The Washington Post’s Tony Romm reported on Monday night that Twitter has decided it will allow certain right-wing accounts to spread disinformation about the Iowa Democratic Caucuses, including tweets that suggest the results are being “rigged.”

Trump campaign manager Brad Parscale tweeted on Monday, “Quality control = rigged?,” citing a second Trump campaign official who had used the hashtag #RiggedElection.

There is no evidence of vote tampering in Iowa and the Trump campaign’s claims are entirely baseless. (Technical issues with an app used by election officials have caused delays in tallying the results.)

Twitter’s decision would seem to provide political fraudsters with a clear message: deceiving voters into believing U.S. election results have been falsified is an acceptable use of Twitter’s platform.

Twitter did not respond to Gizmodo’s request for comment.

Earlier in the day, Charlie Kirk, the leader of a college-focused conservative group called Turning Point USA, tweeted that Iowa election officials were involved in “voter fraud” citing a debunked report by the right-wing activist group Judicial Watch.

The Judicial Watch report falsely claimed that the number of registered voters in Iowa exceeded the number of voting-age residents in each county. Judicial Watch’s fake figures were quickly shot down by Iowa’s Republican secretary of state, Paul D. Pate.

“It’s unfortunate this organization continues to put out inaccurate data regarding voter registration, and it’s especially disconcerting they chose the day of the Iowa Caucus to do this,” Pate said in a statement.

Pate continued: “My office has told this organization, and others who have made similar claims, that their data regarding Iowa is deeply flawed and their false claims erode voter confidence in elections. They should stop this misinformation campaign immediately and quit trying to disenfranchise Iowa voters.”

The Iowa secretary of state’s office pointed to “actual data” from the U.S. Census Bureau to say Judicial Watch’s claims about Iowa’s population are “greatly underestimated.”

Nevertheless, the tweet by Kirk invoking the debunked claim had over 42,500 retweets at press time.

Twitter spokesman Brandon Borrman told the Washington Post that the company would take no action against users working to sow mistrust in the official election results, which were not expected until Tuesday.

“The tweet is not in violation of our election integrity policy as it does not suppress voter turnout or mislead people about when, where, or how to vote,” Borrman told the Post, regarding tweets by prominent conservatives claiming the Democratic caucuses were “rigged.”

Twitter’s claim that such tweets do not “suppress voter turnout” is unlikely to go unchallenged by federal lawmakers who view this particular form of deception as an attempt to discourage participation in a “rigged” election.

The underlying message being propagated by the Trump campaign, Judicial Watch, and Turning Point USA seems an obvious one: Your vote doesn’t count, so why bother?

Source: Twitter Helps Spread Disinformation During Iowa Caucuses


Twitter had a flaw allowing the discovery of phone numbers attached to accounts en masse. And it’s been used in the wild multiple times.

Twitter has admitted a flaw in its backend systems was exploited to discover the cellphone numbers of potentially millions of twits en masse, which could lead to their de-anonymization.

In an advisory on Monday, the social network noted it “became aware that someone was using a large network of fake accounts to exploit our API and match usernames to phone numbers” on December 24.

That is the same day that security researcher Ibrahim Balic revealed he had managed to match 17 million phone numbers to Twitter accounts by uploading a list of two billion automatically generated phone numbers to Twitter’s contact upload feature and matching them to usernames.

The feature is supposed to be used by tweeters seeking their friends on Twitter, by uploading their phone’s address book. But Twitter seemingly did not fully limit requests to its API, deciding that preventing sequential numbers from being uploaded was sufficiently secure.

It wasn’t, and Twitter now says that, as well as Balic’s probing, it “observed a particularly high volume of requests coming from individual IP addresses located within Iran, Israel, and Malaysia,” adding that “it is possible that some of these IP addresses may have ties to state-sponsored actors.”

Being able to connect a specific phone number to a Twitter account is potentially enormously valuable to a hacker, fraudster, or spy: not only can you link the identity attached to that number to the identity attached to the username, potentially fully de-anonymizing someone, you now know which high-value numbers to hijack, via SIM swap attacks, for example, to gain control of accounts secured by SMS or voice-call two-factor authentication.

In other words, this Twitter security hole was a giant intelligence-gathering opportunity.

Twitter says that it initially only saw one person “using a large network of fake accounts to exploit our API and match usernames to phone numbers,” and suspended the accounts. But it soon realized the problem was more widespread: “During our investigation, we discovered additional accounts that we believe may have been exploiting this same API endpoint beyond its intended use case.”

For what it’s worth Twitter apologized for its self-imposed security cock-up: “We’re very sorry this happened. We recognize and appreciate the trust you place in us, and are committed to earning that trust every day.”

It’s worth noting that users who did not add their phone number to their Twitter account, or did not allow it to be discovered via the API, were not affected. Which points to a painfully obvious lesson: don’t trust any company with more personal information than they need to have.
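The article describes why a “no sequential numbers” rule on contact uploads was not enough and what the abuse looked like on the server side: a large network of fake accounts and a very high request volume from individual IP addresses. As an added example (not Twitter’s code; thresholds, log format and IPs are constructed assumptions), the following shows that rule failing against a non-consecutive batch, alongside the per-account and per-IP volume checks that do catch the pattern.

```python
"""Detecting contact-upload enumeration in server logs (added example, constructed data)."""
from collections import defaultdict
import random

# Assumed thresholds: a real address book is at most a few thousand entries,
# and one NAT address rarely fronts many distinct accounts syncing contacts.
MAX_PLAUSIBLE_CONTACTS = 20_000   # total contacts one account may upload
MAX_ACCOUNTS_PER_IP = 10          # distinct accounts uploading from one IP
MAX_REQUESTS_PER_IP = 100         # upload requests from one IP in the window

# Constructed upload log: (epoch_seconds, account_id, client_ip, contacts_in_batch).
# Two ordinary users, then 40 throwaway accounts behind one address hammering the API.
UPLOAD_LOG = [
    (1577145600, "alice", "203.0.113.5", 212),
    (1577145660, "bob", "198.51.100.9", 87),
] + [
    (1577145600 + i * 5, f"fake{i % 40:03d}", "192.0.2.77", 10_000)
    for i in range(400)
]


def has_sequential_run(numbers, run_len=20):
    """Check of the shape the article says Twitter relied on: reject a batch that
    contains a run of run_len consecutive numbers. Anything else passes."""
    ordered = sorted(set(numbers))
    run = 1
    for a, b in zip(ordered, ordered[1:]):
        run = run + 1 if b - a == 1 else 1
        if run >= run_len:
            return True
    return False


def constructed_nonsequential_batch(size=500, seed=0):
    """Constructed batch of non-consecutive values; it sails past the check above."""
    return random.Random(seed).sample(range(10**9, 2 * 10**9), size)


def per_account_totals(log):
    """Total contacts uploaded per account across the whole window."""
    totals = defaultdict(int)
    for _, account, _, batch in log:
        totals[account] += batch
    return totals


def flag_accounts(log, limit=MAX_PLAUSIBLE_CONTACTS):
    """Accounts whose cumulative upload volume exceeds any plausible address book."""
    return sorted(a for a, n in per_account_totals(log).items() if n > limit)


def flag_ips(log, max_accounts=MAX_ACCOUNTS_PER_IP, max_requests=MAX_REQUESTS_PER_IP):
    """IPs fronting an implausible number of uploading accounts or requests."""
    accounts, requests = defaultdict(set), defaultdict(int)
    for _, account, ip, _ in log:
        accounts[ip].add(account)
        requests[ip] += 1
    return {
        ip: {"accounts": len(accounts[ip]), "requests": requests[ip]}
        for ip in accounts
        if len(accounts[ip]) > max_accounts or requests[ip] > max_requests
    }


if __name__ == "__main__":
    print("sequential check catches generated batch:",
          has_sequential_run(constructed_nonsequential_batch()))
    print("accounts over volume limit:", len(flag_accounts(UPLOAD_LOG)))
    print("suspicious IPs:", flag_ips(UPLOAD_LOG))
```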

Source: Twitter says a certain someone tried to discover the phone numbers used by potentially millions of twits • The Register

F-35: a $400 Billion Stealth Fighter That Can’t Climb, accelerate, shoot straight or be resupplied using the mandatory software

Here’s something the public didn’t know until today: If one of the U.S. military’s new F-35 stealth fighters has to climb at a steep angle in order to dodge an enemy attack, design flaws mean the plane might suddenly tumble out of control and crash.

Also, some versions of the F-35 can’t accelerate to supersonic speed without melting their own tails or shedding the expensive coating that helps to give the planes their radar-evading qualities.

The Pentagon’s $400-billion F-35 Joint Strike Fighter program, one of the biggest and most expensive weapons programs in history, has come under fire, so to speak, over more than a decade for delays, rising costs, design problems and technical glitches.

But startling reports by trade publication Defense News on Wednesday revealed flaws that previously only builder Lockheed Martin, the military, and the plane’s foreign buyers knew about.

[…]

The test reports Defense News obtained also reveal a second, previously little-known category 1 deficiency in the F-35B and F-35C aircraft. If during a steep climb the fighters exceed a 20-degree “angle of attack”—the angle created by the wing and the oncoming air—they could become unstable and potentially uncontrollable.

To prevent a possible crash, pilots must avoid steeply climbing and other hard maneuvers. “Fleet pilots agreed it is very difficult to max perform the aircraft” in those circumstances, Defense News quoted the documents as saying.

Source: America Is Stuck With a $400 Billion Stealth Fighter That Can’t Fight

Add a gun that can’t shoot straight to the problems that dog Lockheed Martin Corp.’s $428 billion F-35 program, including more than 800 software flaws.

The 25mm gun on Air Force models of the Joint Strike Fighter has “unacceptable” accuracy in hitting ground targets and is mounted in housing that’s cracking, the Pentagon’s test office said in its latest assessment of the costliest U.S. weapons system.

The annual assessment by Robert Behler, the Defense Department’s director of operational test and evaluation, doesn’t disclose any major new failings in the plane’s flying capabilities. But it flags a long list of issues that his office said should be resolved — including 13 described as Category 1 “must-fix” items that affect safety or combat capability — before the F-35’s upcoming $22 billion Block 4 phase.

The number of software deficiencies totaled 873 as of November, according to the report obtained by Bloomberg News in advance of its release as soon as Friday. That’s down from 917 in September 2018, when the jet entered the intense combat testing required before full production, including 15 Category 1 items. What was to be a year of testing has now been extended another year until at least October.

“Although the program office is working to fix deficiencies, new discoveries are still being made, resulting in only a minor decrease in the overall number” and leaving “many significant” ones to address, the assessment said.

Cybersecurity ‘Vulnerabilities’

In addition, the test office said cybersecurity “vulnerabilities” that it identified in previous reports haven’t been resolved. The report also cites issues with reliability, aircraft availability and maintenance systems.

The assessment doesn’t deal with findings that are emerging in the current round of combat testing, which will include 64 exercises in a high-fidelity simulator designed to replicate the most challenging Russian, Chinese, North Korean and Iranian air defenses.

Despite the incomplete testing and unresolved flaws, Congress continues to accelerate F-35 purchases, adding 11 to the Pentagon’s request in 2016 and in 2017, 20 in fiscal 2018, 15 last year and 20 this year. The F-35 continues to attract new international customers such as Poland and Singapore. Japan is the biggest foreign customer, followed by Australia and the U.K.

[…]

Brett Ashworth, a spokesman for Bethesda, Maryland-based Lockheed, said that “although we have not seen the report, the F-35 continues to mature and is the most lethal, survivable and connected fighter in the world.” He said “reliability continues to improve, with the global fleet averaging greater than 65% mission capable rates and operational units consistently performing near 75%.”

Still, the testing office said “no significant portion” of the U.S.’s F-35 fleet “was able to achieve and sustain” a September 2019 goal mandated by then-Defense Secretary Jim Mattis: that the aircraft be capable 80% of the time needed to perform at least one type of combat mission. That target is known as the “Mission Capable” rate.

“However, individual units were able to achieve the 80% target for short periods during deployed operations,” the report said. All the aircraft models lagged “by a large margin” behind the more demanding goal of “Full Mission Capability.”

The Air Force’s F-35 model had the best rate at being fully mission capable, while the Navy’s fleet “suffered from a particularly poor” rate, the test office said. The Marine Corps version was “roughly midway” between the other two.

[…]

The Air Force model’s gun is mounted inside the plane, and the test office “considers the accuracy, as installed, unacceptable” due to “misalignments” in the gun’s mount that didn’t meet specifications.

The mounts are also cracking, forcing the Air Force to restrict the gun’s use.

Source: F-35’s Gun That Can’t Shoot Straight Adds to Its Roster of Flaws – Bloomberg

The F-35’s problematic Autonomic Information Logistics System, or ALIS, will be replaced by a new system starting later this year, which it is hoped will be more user-friendly, more secure, and less prone to error. It’s also to be re-branded as ODIN, for Operational Data Integrated Network.

ODIN “incorporates a new integrated data environment,” according to the F-35 Joint Program Office, which put out a release about the change Jan. 21, just a few days after Pentagon acquisition and sustainment czar Ellen Lord told reporters about it outside a Capitol Hill hearing. The system will be “a significant step forward to improve the F-35 fleet’s sustainment and readiness performance,” the JPO said. ODIN is intended to reduce operator and administrator workload, increase F-35 mission readiness rates, and “allow software designers to rapidly develop and deploy updates in response” to operator needs.

The first “ODIN-enabled” hardware will be delivered to the various F-35 fleets late in 2020, with full operational capability planned by December, 2022, the JPO said, “pending coordination with user deployment schedules.” Some ALIS systems being used on aircraft carriers or with deployed units at that time may not get ODIN until they return.

ALIS is the vast information-gathering system that tracks F-35 data in-flight, relaying to maintainers on the ground the performance of various systems in near-real time. It’s meant to predict part failures and otherwise keep maintainers abreast of the health of each individual F-35. By amassing these data centrally for the worldwide F-35 fleet, prime contractor Lockheed Martin expected to better manage spare parts production, detect trends in performance glitches and the longevity of parts, and determine optimum schedules for servicing various elements of the F-35 engine and airframe. However, the system was afflicted by false alarms—leading to unnecessary maintenance actions—laborious data entry requirements and clumsy interfaces. The system also took a long time to boot up and be updated, and tablets used by maintainers were perpetually behind the commercial state of the art.

[…]

The Government Accountability Office published a number of reports faulting ALIS for adding unnecessary man-hours and complexity to the F-35 enterprise, saying in a November, 2019 report that USAF maintainers in just one unit reported “more than 45,000 hours per year performing additional tasks and manual workarounds because ALIS was not functioning” the way it was supposed to.

In early versions, ALIS also proved vulnerable to hacking and data theft, another reason for the overhaul of the system, to meet new cyber security needs.

Source: F-35 Program Dumps ALIS for ODIN – Air Force Mag