All posts in “Cybersecurity”

Apple and Facebook could be asked by Australia to build tools to get around encryption

Like the FBI, Australia has been finding ways to get past encryption, with big tech companies famously not making it easy for authorities.

In response, Australia’s government unveiled draft plans on Tuesday to make companies help intelligence and law enforcement agencies with access to encrypted messages and devices — but without building a backdoor.

In a new bill, the government argued encrypted messaging services and devices are being increasingly used by criminals to carry out activities like terrorism and drug trafficking. 

“95 percent of the Australian Security Intelligence Organisation’s (ASIO) most dangerous counter-terrorism targets actively use encrypted messages to conceal their communications,” the government said.

The proposed laws target companies which provide any communications services in Australia, ranging from device manufacturers, messaging services like WhatsApp, to mobile carriers.

How the government plans to get access 

The Assistance and Access Bill gives Australian law enforcement and intelligence agencies three new powers.

These powers allow authorities to ask providers to cooperate, or to try to compel them, by giving access to devices or services or removing security protections, where the provider is able to do so. Authorities will need a warrant or authorisation to use these powers.

The first, dubbed a Technical Assistance Request (TAR), allows agencies to ask providers for help, where they can voluntarily choose to assist or not.

If the provider has the ability to provide assistance, but chooses not to, they can be issued with a Technical Assistance Notice (TAN). This is a compulsory order, meaning that providers need to assist or be fined up to A$10 million (USD$7.2 million), or A$50,000 (USD$36,000) for an individual. 

The third power is the Technical Capability Notice (TCN). This means tech giants like Facebook and Apple could be asked to build tools which would allow law enforcement access to encrypted communications.

The TCN is issued by the Attorney-General, and providers have 28 days to explain whether the proposal is feasible or not.

Despite this, the government repeatedly stated it won’t make providers build a backdoor to their products, stating it has “no interest in undermining systems” designed to protect users.

“The new powers will have no effect to the extent that requirements would reasonably make electronic services, devices or software vulnerable to interference by malicious actors,” the bill reads.

If issued with a request or notice, a provider is also legally required to keep those details secret, so as not to jeopardise an investigation.

The bill also introduces a revised “computer access warrant,” which allows ASIO to covertly access information on a computer.

Leveling the playing field

Matthew Warren, a cybersecurity professor at Deakin University, said it was an attempt by the government to “try and level the playing field” with tech companies.

“What it highlights is the government realises they’re in a situation where they can’t intercept data,” he told Mashable. 

“The government is realising from a law enforcement/intelligence perspective, is that even if they can get access to data, they can’t actually use that data in a meaningful situation.”

Authorities could use these powers against tech companies like Facebook which have a presence in Australia — Facebook received more than 1,400 government requests in 2017. But Warren questions whether the government could do the same to a provider with no presence in the country.

“A lot of those messaging apps, those app developers won’t give backdoor access to Australian government because they’re based in China. Why would they give access?” he said.

Australian Greens Senator Jordon Steele-John said the proposed law “undermines the very principle of end-to-end-encryption,” and that it constitutes overreach by the government.

“Installing malware on people’s devices to read encrypted data is not a solution to catching criminals but it is weakening the defences of every single device that receives encrypted messages, therefore making it easier for criminals who want to steal data,” he said in a statement.

The Australian government has opened the bill to public feedback. Submit any comments by Sept. 10. We expect there’ll be a few.


Dozens of Vegas slots went offline simultaneously during a hacker convention

Doesn’t look good.

Image: Screenshot/Matt Anderson

The casino is “pretty certain” it wasn’t hacked. 

The annual DEF CON hacking convention returned once again to Las Vegas this weekend, and with it came the typical good-natured mischief that’s bound to happen when thousands of cybersecurity professionals congregate in one spot. Early Saturday morning at the Linq casino, however, looked to be something else entirely.  

It was around 1:00 or 2:00 a.m. and DEF CON attendee Matt Anderson was hanging out at the Linq — a casino just across the street from Caesars Palace, the convention’s host — when it happened: Dozens of slot machines went down, all at once. 

“I talked to a pit boss about it who was kind of panicking,” Anderson told us. “No one else knew what was happening, but ALL slots were dead/errored out.”

Video he shot and sent to Mashable shows practically every single machine in sight either offline completely or showing some form of error message. The silence on the casino floor is eerie. 


And he wasn’t the only one who noticed. One person, whose Twitter bio lists her as being an anthropology major at Arizona State, tweeted about the experience. 

A Linq spokesperson told us the casino is investigating the incident, and while the cause isn’t yet known, he said they view the outage’s timing, coinciding with one of the world’s largest hacker conventions happening literally across the street, as “purely coincidental.”

“We were monitoring what happened when the Linq slots machines went down,” spokesperson Rich Broom explained Sunday afternoon over the phone. “No evidence whatsoever that there was a hack or [it was] cybersecurity related.”

And yet, even Broom admitted that the situation was — shall we say — atypical. 

“Machines periodically, although not very often, do go down,” he said. When we asked exactly how many machines went down at the Linq Saturday morning, Broom was unable to tell us. 

We’re guessing the number, whatever it is, is substantially higher than what’s typical. Although, if another outage just so happens to coincidentally coincide with next year’s DEF CON, we may have to revise that statement. 


Hacker convention in Vegas is full of tin-foil hats. Literally.

That stylish paranoia.

Image: Jack Morse/mashable

What if they really are out to get you. 

If you spend enough time walking the Las Vegas casino floors, you’re sure to come across some unique sights. But scores of people sporting all shapes and sizes of literal tin-foil hats? Welcome to DEF CON.

The annual hacker convention currently underway in the Nevada desert draws a diverse crowd of professional and hobbyist security researchers from around the world. And, for the most part, they all share one defining characteristic: the desire to stick it to The Man. 

Which, well, that specific proclivity just might end up making you a target.

Enter the Tin Foil Hat Contest. Founded by a gentleman named Flirzan, the tin-foil hat building competition was first conceived four DEF CONs ago. 

“It all came out of a drunken night at the Rio,” Flirzan told us. He explained that he saw an old man strolling through the casino and had a moment of inspiration: There need to be more tin-foil hats at DEF CON.

This is the second year of the official contest, which has participants build tin-foil hats and then test them to see how well they block signals emanating out of a mannequin’s head. 

Reading your thoughts.

Image: jack morse/mashable

It’s quite eerie, but in a great way.

“What with aliens and the NSA, a hacker can’t always tell who’s listening (or who’s transmitting…),” reads the contest description. “Show us your skills by building a tin foil hat to shield your subversive thoughts.”

And so, of course, your intrepid reporter had to try it out. I dutifully grabbed my four sheets of foil and went to work.  

Thinking dangerous thoughts.

Image: mashable

I clearly still have a lot to learn when it comes to keeping Big Brother out of my brain.

When we tested my hat out for signal leakage, it managed to make it into the top 10 of high performers (number 10 to be exact, but still). However, Flirzan did confirm that his readings might not be exactly 100 percent scientific. 

Style points.

Image: Jack Morse/mashable

But, in some ways, that part of the contest is secondary. It’s really all about style — which, thankfully, the Tin Foil Hat Contest officially recognizes and encourages by having judges rate hats based on how fly they are (bribes are accepted and encouraged). 

And yes, they are fly. 

Luna Moth is free to fly and think free thoughts.

Image: Jack Morse/mashable

Don’t forget to protect your badge!

Image: Jack Morse/mashable

The entire thing is a welcome light-hearted change of pace from the frequently stress-inducing talks that tend to dominate DEF CON. It’s fun, relatively inexpensive to organize, and has a low barrier to entry. 

And, as a plus, it might just keep the NSA out of your brain. 


Android devices are stunningly vulnerable if you’re a careless power-user

The robot needs a retooling.

Image: Omar Marques/SOPA Images/LightRocket via Getty Images

Don’t chuck your Android phone across the room in fear just yet.

A report from the security firm Kryptowire, via Wired, shows that many Android phones are stunningly vulnerable thanks to Android’s open operating system. But while this report is concerning, the real-world threat it poses to actual Android phone users might not be that big of a deal.

Kryptowire analyzed 10 Android devices supported by U.S. carriers, and found that bugs in the firmware — the permanent pre-loaded software responsible for running the phones — left them open to attack by a malicious app.

“Pre-installed apps and firmware pose a risk due to vulnerabilities that can be pre-positioned on a device, rendering the device vulnerable on purchase,” an overview of the report reads.

Kryptowire conducted the study under a grant from the Department of Homeland Security. That’s notable because some of the phones it analyzed come from Chinese firm ZTE. The federal government has prohibited military employees from using ZTE and Huawei phones, and the intelligence community has also advised that they could pose a broad national security risk, if used by China to spy on U.S. citizens.

According to Kryptowire, if a ZTE ZMax phone user downloads a malicious app, the app could do everything from gain total control of the phone — sending text messages or wiping it clean — to mine it for user data. Other affected phones came from Vivo, Sony, and Sky, among others. 

The vulnerability is what Wired describes as a “byproduct” of the Android OS business strategy: it lets third-party companies like ZTE modify the code. That ability to modify, which is what makes Android an attractive OS for phone makers, is also what’s responsible for the cracks that might allow a malicious app to take over. 

While all this sounds alarming, there’s one important thing to remember: Bad actors don’t have the ability to exploit these vulnerabilities unless a phone user downloads an app. Apps that go through the Google Play store are subject to stringent review that should prevent a malicious app from even seeing the light of day.

So unless you’re already downloading apps directly from their makers, or using a non-Google verified app service, your Android phone *should* be secure. The popular game Fortnite has been in the news because it will be available directly through Epic Games’ website. 

This has raised all sorts of questions about the merits of an app developer stepping away from Google Play. Doing so allows the developer to skirt around Google’s 30 percent cut, but this Kryptowire report reinforces security concerns we were already thinking about. Downloading the street meat of apps already makes you vulnerable, we know that — Kryptowire’s revelations just make that possibility a little worse. 

Phone makers need to address the issues that Kryptowire brought to light. But fear not, Android users: Chinese hackers probably won’t be taking over your phone any time soon.


These stoner hackers want machine learning to save us from sick weed

Nothing harshes a good mellow like sick buds. Thankfully, there may one day be an app for that. 

Hidden from the hazy Friday afternoon of Las Vegas, tucked away in the basement of the Flamingo casino, a group of likeminded hackers and security researchers gathered to explore “DIY cannabis tech” at DEF CON’s Cannabis Village. One researcher in particular, Harry Moreno, told the rather laid-back crowd that he believed that machine learning could one day solve a huge problem for home-grow enthusiasts: determining whether or not, and in what capacity, a marijuana plant is sick.

That’s right, he’s using machine learning to build a classification tool for weed.

Taking inspiration from computer scientists at Stanford who taught AI to identify skin cancer, Moreno figured he could do something similar for weed. Enter chronicsickness.com, a website which, in its current form, allows you to upload a picture of your buds and get a health score back. 

“Chronic sickness is a project to create a human-level diagnosis tool for Cannabis plants,” reads an explainer on his site. 

We ran a photo of marijuana through Chronic Sickness, specifically the Getty photo above, and received — with a .81 confidence level — the good news: That bud is healthy. 

That Getty image weed pictured above is certified dank.

Image: screenshot/chronic sickness

Right now the Chronic Sickness model only works with 80 percent accuracy, but Moreno blames that on the size of his training dataset — he only started with 3,000 images. One day, he told the crowd, he hopes his model will not only be able to tell if a plant is sick but what specifically is the sickness in question.

You got mold? How about spider mites? Chronic Sickness will hopefully be able to answer those burning questions.  

Moreno envisions someone in a field or a basement simply snapping a picture of their plant with a smartphone, uploading that photo to chronicsickness.com, and getting a diagnosis back in seconds. 

“Let’s make a free predictive model for cannabis disease,” he implored those gathered. And if anyone in attendance just so happened to have a huge dataset of labeled marijuana photos, well, Moreno very much wanted to speak with you. 

After all, Moreno can’t do this alone. Changing the way we diagnose sick marijuana plants for the betterment of stoner mankind takes a (cannabis) village.
