In a rare advisory, NSA urges users to patch BlueKeep flaw

The National Security Agency has issued a rare advisory warning users to update their systems to protect against BlueKeep, a new security vulnerability with the capacity to rapidly spread between computers.

The “critical”-rated bug, which affects computers running Windows XP and later, can be exploited to remotely run malware at the system level, which has full access to the computer. Because the bug is remotely exploitable, any unpatched computer connected to the internet may be at risk.

Only Windows 8 and Windows 10 are not vulnerable to the bug.

Microsoft released patches in May, yet about a million internet-facing computers and servers are still unprotected.

The intelligence agency urged computer owners to patch against the vulnerability “in the face of growing threats” amid concerns that a malicious actor could launch an attack, similar to the scale of the WannaCry ransomware attacks in 2017.

As of the time of writing, security researchers have only been able to develop proof-of-concept exploits that could remotely shut down affected computers — or so-called denial-of-service attacks. But they say it’s only a matter of time before these exploits could be used to deliver ransomware or data-stealing malware.

“NSA urges everyone to invest the time and resources to know your network and run supported operating systems with the latest patches,” said the agency’s advisory.

It’s rare to see NSA intervene in matters of consumer cybersecurity. An NSA spokesperson noted that its BlueKeep advisory is the agency’s third cybersecurity notice this year. Where NSA often exploits vulnerabilities to carry out surveillance and espionage, typically it is Homeland Security that issues advisories on serious security flaws that could be exploited by hackers.

Two years ago, the agency was left red-faced following the theft of highly classified hacking tools, which hackers later published online. The leaked EternalBlue exploit worked like a master key, opening access to almost any of the billion-plus Windows computers on the internet. Hackers believed to be associated with North Korea used the leaked EternalBlue exploit to spread ransomware on a massive scale. The malware only stopped spreading after security researchers discovered a ‘kill switch’ that neutralized the malware.

NSA has never publicly acknowledged the theft.

A cynic might see the NSA as moving proactively to avoid another public relations disaster after one of its top secret exploits was leaked and used in a global ransomware attack. An optimist, however, might say the government is trying to warn users to prevent mass damage if an exploit is used or published.

For its part, NSA said patching against BlueKeep is “critical not just for NSA’s protection of national security systems but for all networks.”

Apple’s new ecosystem world order and the privacy economy

Apple’s splashy new product announcements at its annual Worldwide Developers Conference in San Jose also ushered in new rules of the road for its ecosystem partners that force hard turns for app makers around data ownership and control. These changes could fundamentally shift how consumers perceive and value control over the data they generate in using their devices, and that shift could change the landscape for how services are bought, consumed and sold.

A lot of privacy advocates have posited a future wherein we ascribe value to the data of individuals and potentially compensate people directly for its use. But others have also rightly pointed out that in isolation, a single individual’s data is precisely value-less, since it’s only in aggregate that this data is worth anything to the companies that currently harvest it to inform their marketing and drive their product decisions.

There are many reasons why it seems unlikely that any of the companies for which user data is a primary source of revenue or a crucial aspect of their business model would shift to a direct compensation model – not the least of which is that it’s probably much cheaper, and definitely much more scalable, to build products that provide them use value in exchange instead. But that doesn’t mean privacy won’t become a crucial lever in the information economy of the next wave of innovation and tech product development.

Perils of per datum pricing

As mentioned, the mechanics of directly selling your data to a company are problematic at best, and unworkable at worst.

One big issue with this is that there’s definitely bound to be a scale limit on any subscription paid product. In a world where that’s increasingly a preferred method for media companies, food and packaged goods delivery, and even car ownership alternatives, there’s clearly a cap on how much of their income consumers are willing to commit to these kinds of recurring costs.

iOS will soon disable USB connection if left locked for a week

In a move seemingly designed specifically to frustrate law enforcement, Apple is adding a security feature to iOS that totally disables data being sent over USB if the device isn’t unlocked for a period of 7 days. This spoils many methods for exploiting that connection to coax information out of the device without the user’s consent.

The feature, called USB Restricted Mode, was first noticed by Elcomsoft researchers looking through the iOS 11.4 code. It disables USB data (it will still charge) if the phone is left locked for a week, re-enabling it if it’s unlocked normally.

Normally when an iPhone is plugged into another device, whether it’s the owner’s computer or another, there is an interchange of data where the phone and computer figure out if they recognize each other, if they’re authorized to send or back up data, and so on. This connection can be taken advantage of if the computer being connected to is attempting to break into the phone.

USB Restricted Mode is likely a response to the fact that iPhones seized by law enforcement or by malicious actors like thieves essentially will sit and wait patiently for this kind of software exploit to be applied to them. If an officer collects a phone during a case, but there are no known ways to force open the version of iOS it’s running, no problem: just stick it in evidence and wait until some security contractor sells the department a 0-day.

But what if, a week after that phone was taken, it shut down its own Lightning port’s ability to send or receive data or even recognize it’s connected to a computer? That would prevent the law from ever having the opportunity to attempt to break into the device unless they move with a quickness.

On the other hand, had its owner simply left the phone at home while on vacation, they could pick it up, put in their PIN, and it’s like nothing ever happened. Like the very best security measures, adversaries will curse its name while users may not even know it exists. Really, this is one of those security features that seems obvious in retrospect and I would not be surprised if other phone makers copy it in short order.

Had this feature been in place a couple of years ago, it would have prevented that entire drama with the FBI. It milked its ongoing inability to access a target phone for months, reportedly concealing its own capabilities all the while, likely to make it a political issue and manipulate lawmakers into compelling Apple to help. That kind of grandstanding doesn’t work so well on a 7-day deadline.

It’s not a perfect solution, of course, but there are no perfect solutions in security. This may simply force all iPhone-related investigations to get high priority in courts, so that existing exploits can be applied legally within the 7-day limit (and, presumably, every few days thereafter). All the same, it should be a powerful barrier against the kind of eventual, potential access through undocumented exploits from third parties that seems to threaten even the latest models and OS versions.

Twitter has an unlaunched ‘Secret’ encrypted messages feature

Buried inside Twitter’s Android app is a “Secret conversation” option that if launched would allow users to send encrypted direct messages. The feature could make Twitter a better home for sensitive communications that often end up on encrypted messaging apps like Signal, Telegram or WhatsApp.

The encrypted DMs option was first spotted inside the Twitter for Android application package (APK) by Jane Manchun Wong. APKs often contain code for unlaunched features that companies are quietly testing or will soon make available. A Twitter spokesperson declined to comment on the record. It’s unclear how long it might be before Twitter officially launches the feature, but at least we know it’s been built.

The appearance of encrypted DMs comes 18 months after whistleblower Edward Snowden asked Twitter CEO Jack Dorsey for the feature, which Dorsey said was “reasonable and something we’ll think about.”

Twitter has gone from “thinking about” the feature to prototyping it. The screenshot above shows the options to learn more about encrypted messaging, start a secret conversation and view both your own and your conversation partner’s encryption keys to verify a secure connection.

reasonable and something we’ll think about

— jack (@jack) December 14, 2016

Twitter’s DMs have become a powerful way for people to contact strangers without needing their phone number or email address. Whether it’s to send a reporter a scoop, warn someone of a problem, discuss business or just “slide into their DMs” to flirt, Twitter has established one of the most open messaging mediums. But without encryption, those messages are subject to snooping by governments, hackers or Twitter itself.

Twitter has long positioned itself as a facilitator of political discourse and even uprisings. But anyone seriously worried about the consequences of political dissonance, whistleblowing or leaking should be using an app like Signal that offers strong end-to-end encryption. Launching encrypted DMs could win back some of those change-makers and protect those still on Twitter.

UK watchdog orders Cambridge Analytica to give up data in US voter test case

Another big development in the personal data misuse saga attached to the controversial Trump campaign-linked UK-based political consultancy, Cambridge Analytica — which could lead to fresh light being shed on how the company and its multiple affiliates acquired and processed US citizens’ personal data to build profiles on millions of voters for political targeting purposes.

The UK’s data watchdog, the ICO, has today announced that it’s served an enforcement notice on Cambridge Analytica affiliate SCL Elections, under the UK’s 1998 Data Protection Act.

The company has been ordered to give up all the data it holds on one US academic within 30 days — with the ICO warning that: “Failure to do so is a criminal offence, punishable in the courts by an unlimited fine.”

The notice follows a subject access request (SAR) filed in January last year by US-based academic, David Carroll after he became suspicious about how the company was able to build psychographic profiles of US voters. And while Carroll is not a UK citizen, he discovered his personal data had been processed in the UK — so decided to bring a test case by requesting his personal data under UK law.

Carroll’s complaint, and the ICO’s decision to issue an enforcement notice in support of it, looks to have paved the way for millions of US voters to also ask Cambridge Analytica for their data (the company claimed to have up to 7,000 data points on the entire US electorate, circa 240M people — so just imagine the class action that could be filed here… ).

The Guardian reports that Cambridge Analytica had tried to dismiss Carroll’s argument by claiming he had no more rights “than a member of the Taliban sitting in a cave in the remotest corner of Afghanistan”. The ICO clearly disagrees.

Important development. @ICOnews agrees with our complaint and orders full disclosure to @profcarroll following findings of non-cooperation by Cambridge Analytica / SCL. We look forward to full disclosure within 30 days. Decision here: https://t.co/X5g1FY95j0 https://t.co/ZsonQhPsKQ

— Ravi Naik (@RaviNa1k) May 5, 2018

Cambridge Analytica/SCL Group responded to Carroll’s original SAR in March 2017 but he was unimpressed by the partial data they sent him — which ranked his interests on a selection of topics (including gun rights, immigration, healthcare, education and the environment) yet did not explain how the scores had been calculated.

It also listed his likely partisanship and propensity to vote in the 2016 US election — again without explaining how those predictions had been generated.

So Carroll complained to the UK’s data watchdog in September 2017 — which began sending its own letters to CA/SCL, leading to further unsatisfactory responses.

“The company’s reply refused to address the ICO’s questions and incorrectly stated Prof Carroll had no legal entitlement to it because he wasn’t a UK citizen or based in this country. The ICO reiterated this was not legally correct in a letter to SCL the following month,” the ICO writes today. “In November 2017, the company replied, denying that the ICO had any jurisdiction or that Prof Carroll was legally entitled to his data, adding that SCL did ‘.. not expect to be further harassed with this sort of correspondence’.”

In a strongly worded statement, information commissioner Elizabeth Denham further adds:

The company has consistently refused to co-operate with our investigation into this case and has refused to answer our specific enquiries in relation to the complainant’s personal data — what they had, where they got it from and on what legal basis they held it.

The right to request personal data that an organisation holds about you is a cornerstone right in data protection law and it is important that Professor Carroll, and other members of the public, understand what personal data Cambridge Analytica held and how they analysed it.

We are aware of recent media reports concerning Cambridge Analytica’s future but whether or not the people behind the company decide to fold their operation, a continued refusal to engage with the ICO will potentially breach an Enforcement Notice and that then becomes a criminal matter.

Since mid-March this year, Cambridge Analytica’s name (along with the names of various affiliates) has been all over headlines relating to a major Facebook data misuse scandal, after press reports revealed in granular detail how an app developer had used the social media platform’s 2014 API structure to extract and process large amounts of users’ personal data, passing psychometrically modeled scores on US voters to Cambridge Analytica for political targeting.

But Carroll’s curiosity about what data Cambridge Analytica might hold about him predates the scandal blowing up last month, although journalists had actually raised questions about the company as far back as December 2015 — when the Guardian reported that the company was working for the Ted Cruz campaign, using detailed psychological profiles of voters derived from tens of millions of Facebook users’ data.

Though it was not until last month that Facebook confirmed as many as 87 million users could have had personal data misappropriated.

Carroll, who has studied the Internet ad tech industry as part of his academic work, reckons Facebook is not the sole source of the data in this case, telling the Guardian he expects to find a whole host of other companies are also implicated in this murky data economy where people’s personal information is quietly traded and passed around for highly charged political purposes — bankrolled by billionaires.

“I think we’re going to find that this goes way beyond Facebook and that all sorts of things are being inferred about us and then used for political purposes,” he told the newspaper.

Under mounting political, legal and public pressure, Cambridge Analytica claimed to be shutting down this week — but the move appears more like a rebranding exercise, as parent entity, SCL Group, maintains a sprawling network of companies and linked entities. (Such as one called Emerdata, which was founded in mid-2017 and is listed at the same address as SCL Elections, and has many of the same investors and management as Cambridge Analytica… But presumably hasn’t yet been barred from social media giants’ ad platforms, as its predecessor has.)

Closing one of the entities embroiled in the scandal could also be a tactic to impede ongoing investigations, such as the one by the ICO — as Denham’s statement alludes, by warning that any breach of the enforcement notice could lead to criminal proceedings being brought against the owners and operators of Cambridge Analytica’s parent entity.

In March ICO officials obtained a warrant to enter and search Cambridge Analytica’s London offices, removing documents and computers for examination as part of a wider, year-long investigation into the use of personal data and analytics by political campaigns, parties, social media companies and other commercial actors. And last month the watchdog said 30 organizations — including Facebook — were now part of that investigation.

The Guardian also reports that the ICO has suggested to Cambridge Analytica that if it has difficulties complying with the enforcement notice it should hand over passwords for the servers seized during the March raid on its London office – raising questions about how much data the watchdog has been able to retrieve from the seized servers.

SCL Group’s website contains no obvious contact details beyond a company LinkedIn profile — a link which appears to be defunct. But we reached out to SCL Group’s CEO Nigel Oakes, who has maintained a public LinkedIn presence, to ask if he has any response to the ICO enforcement notice.

Meanwhile Cambridge Analytica continues to use its public Twitter account to distribute a stream of rebuttals and alternative ‘facts’.

Google’s Advanced Protection program now allows access from Apple’s mobile apps, too

Last October, Google launched its Advanced Protection Program for users who want to ensure the highest degree of protection for the data they store in services like Gmail, Google Calendar and Drive. Users who need that kind of protection can opt into this program, but, in return, they have to use security keys for the two-step verification and can only access their Google data from Google’s own web and mobile apps.

Today, Google is opening up this last restriction a bit by allowing access through Apple’s own native iOS apps like Mail, Calendar and Contacts. Users in the Advanced Protection program can now choose to give those apps access to their data, too.

“Our goal is to make sure that any user facing an increased risk of online attacks enrolls in the Advanced Protection Program,” Dario Salice, Google’s product manager for this service, writes. “Today, we’ve made it easier for our iOS users to be in the program, and we’ll continue our work to make the program more easily accessible to users around the globe.”

Like before, the program is meant mostly for those users who are most likely to become the victim of a sophisticated attack, including journalists, activists, politicians and business leaders. By supporting Apple’s own native apps, the service will likely be attractive to a wider audience now. For some reason, not everybody loves Google’s own mobile apps, after all.

Columbus Collaboratory’s Jeff Schmidt talks about the future of security

In this episode of Technotopia I talk to Jeff Schmidt of the Columbus Collaboratory. He is well-versed in the future of security and our conversation ranged from the rise of the Midwest to the future of cyberattacks.

The Columbus Collaboratory is a unique think tank dedicated to building security and system solutions for major clients. It’s a sort of Delta Force for major corporations headquartered in Columbus, and Schmidt has a lot to say about the value of a good security plan.

Technotopia is a podcast by John Biggs about a better future. You can subscribe in Stitcher, RSS or iTunes and listen to the MP3 here.

Chinese government admits collection of deleted WeChat messages

Chinese authorities revealed over the weekend that they have the capability of retrieving deleted messages from the almost universally used WeChat app. The admission doesn’t come as a surprise to many, but it’s rare for this type of questionable data collection tactic to be acknowledged publicly.

As noted by the South China Morning Post, an anti-corruption commission in Hefei province posted Saturday to social media that it has “retrieved a series of deleted WeChat conversations from a subject” as part of an investigation.

The post was deleted Sunday, but not before many had seen it and understood the ramifications. Tencent, which operates the WeChat service used by nearly a billion people (including myself), explained in a statement that “WeChat does not store any chat histories — they are only stored on users’ phones and computers.”

The technical details of this storage were not disclosed, but it seems clear from the commission’s post that they are accessible in some way to interested authorities, as many have suspected for years. The app does, of course, comply with other government requirements, such as censoring certain topics.

There are still plenty of questions, the answers to which would help explain user vulnerability: Are messages effectively encrypted at rest? Does retrieval require the user’s password and login, or can it be forced with a “master key” or backdoor? Can users permanently and totally delete messages on the WeChat platform at all?

Fears over Chinese government access to data held or handled by Chinese companies have led to a global backlash against those companies, including some countries (including the U.S.) banning Chinese-made devices and services from sensitive applications or official use altogether.

Facebook is trying to block Schrems II privacy referral to EU top court

Facebook’s lawyers are attempting to block a High Court decision in Ireland, where its international business is headquartered, to refer a long-running legal challenge to the bloc’s top court.

The social media giant’s lawyers asked the court to stay the referral to the CJEU today, Reuters reports. Facebook is trying to appeal the referral by challenging Irish case law — and wants a stay granted in the meanwhile.

The case relates to a complaint filed by privacy campaigner and lawyer Max Schrems regarding a transfer mechanism that’s currently used by thousands of companies to authorize flows of personal data on EU citizens to the US for processing. Though Schrems was actually challenging the use of so-called Standard Contractual Clauses (SCCs) by Facebook, specifically, when he updated an earlier complaint on the same core data transfer issue — which relates to US government mass surveillance practices, as revealed by the 2013 Snowden disclosures — with Ireland’s data watchdog.

However, the Irish Data Protection Commissioner decided to refer the issue to the High Court to consider the legality of SCCs as a whole. And earlier this month the High Court decided to refer a series of questions relating to EU-US data transfers to Europe’s top court — seeking a preliminary ruling on a series of fundamental questions that could even unseat another data transfer mechanism, called the EU-US Privacy Shield, depending on what CJEU judges decide.

An earlier legal challenge by Schrems — which was also related to the clash between US mass surveillance programs (which harvest data from social media services) and EU fundamental rights (which mandate that web users’ privacy is protected) — resulted in the previous arrangement for transatlantic data flows being struck down by the CJEU in 2015, after standing for around 15 years.

Hence the current case being referred to by privacy watchers as ‘Schrems II’. You can also see why Facebook is keen to delay another CJEU referral if it can.

According to comments made by Schrems on Twitter the Irish High Court reserved judgement on Facebook’s request today, with a decision expected within a week…

Irish #HighCourt reserves judgement on stay for #SCC / #PrivacyShield reference to @EUCourtPress – judgement expected within a week. DPC and we argued against a stay. Facebook wants to stop the reference. #IfYouCantWinDelay https://t.co/U4ITKEBAEg

— Max Schrems (@maxschrems) April 30, 2018

Facebook’s appeal is based on trying to argue against Irish case law — which Schrems says does not allow for an appeal against such a referral, hence he’s couching it as another delaying tactic by the company:

#Facebook now appeals the #HighCourt decision to refer to the @EUCourtPress on the #SCCs and #PrivacyShield – challenging Irish case law (Campus Oil) that no such appeal exists in Ireland.. 🙄😂#Pay2Delay #5yearsSincePRISMcomplaint #PRISM #NSA pic.twitter.com/5J0jZpEKyR

— Max Schrems (@maxschrems) April 30, 2018

We reached out to Facebook for comment on the case. At the time of writing it had not responded.

In a statement from October, after an earlier High Court decision on the case, Facebook said:

Standard Contract Clauses provide critical safeguards to ensure that Europeans’ data is protected once transferred to companies that operate in the US or elsewhere around the globe, and are used by thousands of companies to do business. They are essential to companies of all sizes, and upholding them is critical to ensuring the economy can continue to grow without disruption.

This ruling will have no immediate impact on the people or businesses who use our services. However it is essential that the CJEU now considers the extensive evidence demonstrating the robust protections in place under Standard Contractual Clauses and US law, before it makes any decision that may endanger the transfer of data across the Atlantic and around the globe.

Say hello to the new Gmail with self-destructing messages, email snoozing and more

Today, Google is launching the biggest revamp of Gmail in years. The company is bringing to the flagship Gmail service many (but not all) of the features it trialed in Inbox for Gmail, and adding a few new ones, too. With those new features, which we first reported earlier this month, the company is also introducing a refreshed design for the service, though if you’ve used Gmail before, you’ll feel right at home.

If you’ve followed along with the leaks in recent weeks, none of the new features will surprise you. It’s also not a huge surprise that Google is bringing some features from Inbox over to Gmail. What did surprise me while trying out the new service ahead of today’s launch, though, is that some features that didn’t get a lot of attention in the leaks, including the new consistent sidebar with its built-in Google Calendar, Tasks and Keep integration, are maybe among the most useful of the additions here.

But let’s start from the beginning. The new Gmail comes with a slew of new features. The first you’ll likely notice is the ability to take actions on emails right from the Inbox itself. Just like in Inbox, when you hover over an email without clicking into it, you’ll now see icons to archive and delete a message, as well as mark it as read (without ever reading it). There’s also a link to the new ‘snooze’ feature here.

When you try to snooze an email, Gmail gives you the option to resurface it later in the day, tomorrow, later this week, on the weekend or next week. If you’re a fan of a clean inbox, that’s a good way to keep your inbox empty and still rest assured that an important email that you want to take care of later will pop back up into your queue. Oddly enough, the snooze feature is only available from the inbox. There’s no way to get to it when you’re actually reading an email.

If you are more like me and don’t really care about how messy your inbox is, then the new “nudging” feature will come in handy. Here, Google uses its AI smarts to figure out that a message is probably important to you and resurfaces it to remind you to follow up or reply.

Google is now also using these same AI smarts to bring to the web its smart replies feature, which you are probably familiar with from the Gmail mobile apps.

The other major new feature in this update is “confidential mode.” The idea here is simple: When you write an email, you can select for how long the recipient will be able to read the email. Recipients will not be able to forward, copy and paste, download or print the content. You can’t stop anybody from taking a picture of the screen of course, but what’s maybe more important here is that if anybody ever hacked the recipient’s account, that email with your confidential information will be long gone. For added security, you can also add a second-factor authentication here, where the recipient will have to receive an SMS message with a Google-generated passcode to read the email.

Other new features in Gmail include high-priority notifications, which will only notify you of a new email if Google deems it to be really, really important, and unsubscribe suggestions, which nudge you to unsubscribe when it looks like you stopped reading messages from a given newsletter (low open rates are the bane of newsletter publishers, after all, so they’ll be okay if you leave).

But wait, there’s more (did I mention this is a major update?). Gmail is also getting a new built-in offline mode since it’s now a fully fledged progressive web app. You can store up to 90 days of emails and search through them, for example. This new capability will launch in the coming weeks.

Maybe my favorite new feature — and something that isn’t available in Inbox — is the new right sidebar, which comes pre-populated with a clever Google Calendar widget that gives you a view of a single day’s events and lets you add new events right from your inbox.

The sidebar also features Google Keep for note taking (though sadly, it doesn’t look like you can attach notes to emails or even drop them into a note) and Google Tasks. Tasks actually has a bit of a connection to your emails since you can drag and drop emails into the sidebar to create new tasks. Personally, I use the Trello add-on for this (and all regular Gmail add-ons will still work with the new Gmail), but I’m sure people will find plenty of uses for this.

All of those new features are supported by the new design, which itself feels more like a refresh than a revolution. Like before, you can choose between three density settings: default, comfortable and compact. The default setting is the most interesting option because it comes with a new feature, too: attachment clips. Instead of simply showing you the standard paperclip in your inbox to signify that an email chain includes an attachment, the new Gmail now highlights the attachments right underneath the message preview in the inbox view.

Unlike in Inbox by Gmail, you won’t get a full preview of an image here, but you will be able to click right into the attachment without opening up the email.

It’s worth pointing out that many standard Gmail features aren’t going anywhere. You can still use the Priority Inbox and star messages, for example. You can still sort and filter emails into different folders/categories. If you like Google’s automatic filters for promotional emails, social media updates, newsletters, etc., then you can still use those, too. And even though nobody actually understands what Google’s plans for Hangouts really are, it’s still right there in your inbox.

Sadly, one of my favorite Inbox features, the automatic grouping of travel emails (think flight confirmations, car and hotel reservations etc.) into a single bundle, has not made the move to Gmail (yet). Maybe that’ll come later.

The new design is now rolling out to regular Gmail users. As usual, you’ll be able to switch back and forth at first. Then, at some point in the future, Google will switch all users to the new design. For business users, the G Suite admin will have to enable these new features by enrolling in the G Suite Early Adopter Program.