Saturday, January 31, 2015

New computer vulnerabilities for y'all to be aware of. Airgap is no longer king!

D-Link and TP-Link DSL routers have a big fat hole in them.

A vulnerability found in a DSL router model from D-Link allows remote hackers to change its DNS (Domain Name System) settings and hijack users' traffic. The issue might also affect other devices because it is located in a popular firmware used by different manufacturers, according to a security researcher.

More fun: disconnecting your computers from the internet is no longer a guarantee of computer privacy.

Hacked has a piece about Georgia Institute of Technology researchers keylogging from a distance using the electromagnetic radiation of CPUs. They can reportedly do this from up to 6 meters away. In this video, using two Ubuntu laptops, they demonstrate that keystrokes are easily interpreted with the software they have developed.

This has been done before.

The main idea behind the research is to use radio frequencies in order to transmit the secret data from the computer to the mobile phone. Mobile phones usually come equipped with FM radio receivers and it is already known that software can intentionally create radio emissions from a video display unit. Yes, from the computer screen. Still, this is the first time that a mobile phone is considered in an attack model as the intended receiver of maliciously crafted radio signals emitted from the screen of the isolated computer. AirHopper demonstrates how textual and binary data can be exfiltrated from a physically isolated computer to mobile phones at a distance of 1-7 meters, with effective bandwidth of 13-60 Bps (Bytes per second). Enough to steal a secret password.

Thus, none of your data is secure. At all.

The government's response is interesting.

Tuesday, the federal government continued its offensive against default consumer encryption enabled by Apple and Google and anonymity tools like Tor, saying that greater privacy and security has created a "zone of lawlessness" that law enforcement is having trouble cracking.

Leslie Caldwell, an assistant attorney general at the Justice Department, said that the department is "very concerned" by Google's and Apple's decision to automatically encrypt all data on Android and iOS devices. Her comments aren't entirely surprising, considering that FBI Director James Comey previously said that the agency would push Congress to make automatic encryption illegal, and President Obama has also expressed concern with the development.

The problem that privacy and security advocates have pointed out is that the US government doesn't really seem to understand what it's asking for. Caldwell was being interviewed as a part of the annual State of the Net Conference in Washington, DC. One minute, she was vilifying encryption; the next, she was sending a message to the country's citizens and companies that they need to be "more conscious of cybersecurity."

"They need to be assuming they are vulnerable, assuming their data can be taken," she said.

The government of the United States, as well as the government of Canada, and those of Europe and so forth, are very happy with the current state of affairs. They can read pretty much anything they like on YOUR computers.

Bear it in mind, my friends. And vote accordingly.

2 comments:

Occam said...

At this point Phantom, I don't think how you vote matters -

- unless you are wise (seasoned) enough to understand that party-brokerage politics have led us to the surveillance state.

ALL governments are paranoid and want to know what we really think about their criminal activity and the way their patronage clients have disproportionate rights, privilege and legislative influence than we do. This is the natural reaction of thieves and liars to their patsies waking up and turning on them.

When voters awaken to the fact that +50% of their productive life force is confiscated from them under threat of death or imprisonment to support a lush sinecure populated by electorate-loathing pathocrats/kleptocrats, perhaps they will then make the connection that the party system is the core of this power structure which revitalizes the kleptocratic system with each new cycle.

When they start putting their own independent candidates in the ring and voting them into power - when government consists of 100% un-connected citizens unbeholden to any party cronies or special interests, only their constituents - when statesmanship replaces "politics", when they understand that responsible government transcends party politics - THEN we can talk about voting having an impact on public policy which respects the population instead of plundering and spying on them. - not before.

Anonymous said...

This stuff's been going on for a while.

http://en.wikipedia.org/wiki/Tempest_%28codename%29

http://en.wikipedia.org/wiki/Van_Eck_phreaking

And this is all sourced from the non-spook world, going back 30+ years.

I remember wondering, years ago, whether the lower voltages and power consumption of LCD flatscreen monitors, as compared with the old glass-tube monitors that aren't in such common use any more, might reduce the vulnerabilities inherent in such systems. I guess not.