Keylogger Discovered on Hundreds of HP Laptops

You should apply the patch if you're affected. Sadly, this is not the first time HP has been found shipping computers with significant vulnerabilities.

Hewlett Packard has issued an emergency patch to resolve a driver-level keylogger discovered on hundreds of HP laptops.

The bug was discovered by Michael Myng, also known as "ZwClose." The security researcher was exploring the Synaptics Touchpad SynTP.sys keyboard driver, looking at how laptop keyboard backlighting works, when he stumbled across code that looked suspiciously like a keylogger.

In a blog post, ZwClose said the keylogger, which saved scan codes to a WPP trace, was found in the driver.

Logging was disabled by default, but given the right permissions it could be enabled by changing registry values. So if a laptop were compromised by malware, malicious code (including Trojans) could take advantage of the keylogging system to spy on users.

A Secret Kept for Decades: Daniel Ellsberg and Nuclear Weapons

It turns out that Pentagon Papers whistleblower Daniel Ellsberg has more secrets to reveal from his days as a high-ranking U.S. government official. This time the secrets aren't about the Vietnam War; they're about nuclear weapons, which represent the very real possibility of massive human annihilation.

“Keeping secrets was my career,” Daniel Ellsberg says. “I didn’t lose the aptitude for that when I put out the Pentagon Papers.” This might come as a shock, considering that the former Defense Department analyst is best known for leaking classified information nearly half a century ago, thus bringing about a landmark legal precedent in favor of press freedom and, indirectly, hastening the end of both the Vietnam War and the Nixon administration. But for many years, even as Ellsberg beat prosecution, became a peace activist, and wrote an autobiography titled Secrets, he still had something remarkable left to disclose.

It turns out that Ellsberg also took many thousands of pages of documents pertaining to another subject: nuclear war. Ellsberg, a prominent thinker in the field of decision theory, had worked on the military’s “mutual assured destruction” strategy during the Cold War. Once a believer in deterrence, he now says he was a collaborator in an “insane plan” for “retaliatory genocide.” He wanted to tell the world decades ago; with nuclear threat looming again, he’s put the whole story into a new book, The Doomsday Machine.

[…]

Ellsberg believed that his bureaucratic opponents — mainly the military brass — were not thinking through the consequences of nuclear war. Then, in 1961, he was allowed to see a piece of information previously unknown even to Kennedy, the death count the military projected for theoretical strikes: some 600 million, not including any Americans killed in counterattacks. (That was still an underestimate.) Ellsberg writes of being gripped with a feeling of revulsion, realizing that the document “depicted evil beyond any human project ever.” The planners weren’t heedless — they intended to inflict maximal civilian casualties. “The shock was to realize that the Joint Chiefs knew,” Ellsberg tells me. “I was working for people who were crazier than I had thought. I had thought that they had inadvertently constructed a doomsday machine, without knowing it.”

The better Ellsberg came to understand the workings of the nuclear command-and-control system, the more danger he felt. He writes that the idea that authority to launch a nuclear war rested solely with the president was a myth, and that the nuclear “football” carried by a military attaché to the president is just “theater.” Working for the Defense Department, Ellsberg traveled throughout Asia, where he discovered there were many plausible scenarios in which officers might feel authorized to launch a nuclear attack in the absence of presidential orders. Safeguards were easy to circumvent. (For decades, purportedly, the eight-digit code to launch a Minuteman missile was set at 00000000.) Visiting an air base on Okinawa, Ellsberg touched a hydrogen bomb, and noted the “bodylike warmth” of a device capable of killing millions.

“It did give me a feeling — an eerie, an uncanny feeling, a feeling of dread to some extent,” Ellsberg says. “But not the feeling that this should not exist.” That came later.

[…]

One of the documents in his safe, as the FBI surely knew, was a classified nuclear study commissioned by Kissinger. “It’s the same old Dr. Strangelove stuff: 90 million dead, 120 million dead,” Ellsberg says. “But I was going to put that out, of course.” Ellsberg stashed that memo, along with all the other nuclear materials, in a box and gave the lot to his brother, Harry, who later wrapped them in plastic and buried them in the compost pile behind his home in Hastings-on-Hudson. Harry, who is now dead, told his brother that the FBI came poking around the compost pile. But he had already moved the box to another hiding spot, beneath a big iron stove in the garbage dump in Tarrytown.

Ellsberg intended to arrange for the nuclear papers to be leaked after his trial in Los Angeles, where he was sure he would be convicted. But then he was vindicated through a chain of events he calls a “miracle.” The Watergate investigation revealed the activities of Nixon’s plumbers, including the burglary of Ellsberg’s psychiatrist’s office. The case against him was dismissed. Afterward, though, Harry gave him some bad news: A tropical storm had flooded the dump in 1971. The nuclear papers were lost.

“It was unbearable to me,” Ellsberg says. It is afternoon, and the softening light is filtering through redwoods out his office window. “That was a shadow over the next 40 years, thinking I fucked up, you know?” I ask whether it was possible that Harry, out of fear for himself or his brother, might have actually destroyed the documents. “No,” Ellsberg replies, firmly. “It was very clear that he was anguished by it. Later in his life, before he died, he said that had been something agonizing at him for all this time.”

The Doomsday Machine represents Ellsberg’s attempt to reconstruct, via his memories and now-declassified documents, the knowledge that was washed away. The book examines many close brushes with nuclear war. He says that at least twice during the Cold War — once aboard a Soviet submarine during the Cuban Missile Crisis, once inside an air defense bunker outside Moscow in 1983 — a single individual came close to triggering a nuclear war because of a false alarm. “There is a chance that somebody will be a circuit breaker,” Ellsberg says. “What I conclude is that we’re lucky, very lucky.”

Daniel Ellsberg also did an interview with Democracy Now… It really is a relevant issue to cover, since nuclear catastrophe remains entirely possible. The Doomsday Clock stands, ominously, at 2.5 minutes to midnight, the closest it's been since thermonuclear weapons were detonated in 1953. Some respected analysts have even said that the risk of nuclear war today is higher than it was during the Cold War.


Germany Will Possibly Enact Law That Requires Device Manufacturers to Put in Dangerous Backdoors

Backdoors in technology are a problem because they can be exploited by more than just "good" people; they are equally available to malicious adversaries. With this in mind, requiring backdoors (security flaws that are designed in) to be built into devices would put the German public at much greater risk from criminal threats. So this proposal to mandate backdoors is dangerous and should be opposed, as it is horrible security policy.

German authorities are preparing a law that will force device manufacturers to include backdoors within their products that law enforcement agencies could use at their discretion for legal investigations. The law would target all modern devices, such as cars, phones, computers, IoT products, and more.

Officials are expected to submit their proposed law for debate this week, according to local news outlet RedaktionsNetzwerk Deutschland (RND).

[…]

Furthermore, the new law would also give German officials powers akin to the “Hack Back” bill proposed in the US, allowing authorities the power to hack any remote computer. The Minister says this is important to “shut down private computers in the event of a crisis,” such as is the case with botnet takedowns.

But privacy advocates who also read the new law proposal say the text also contains verbiage that would allow the German state to intercept any traffic on the Internet [1, 2], effectively setting up a surveillance state with full snooping powers over everyone’s online communications. Experts called for caution before approving the new law, which could be abused in its current state.

German authorities anticipated such a reaction and said that any access to such data would be allowed only after law enforcement has obtained a court order. But the problem with encryption backdoors is not how you access them, but that they exist in the first place and that they could be abused by ill-intentioned actors as well.

The law proposal is not a surprise for people who’ve been keeping an eye on such things. There are concerted efforts going on in Germany, France, and the UK to introduce legislation for mandatory encryption backdoors. In fact, de Maizière and his French counterpart even signed a joint letter they sent to the European Commission that supported encryption backdoors.

Apple Mac OS High Sierra Vulnerability Grants Admin Access Without a Password

The vulnerability gives admin access without a password through repeatedly clicking the login button. This is a serious security flaw not only because of that level of access, but also due to the simplicity of its execution. Affected users should apply the security updates when they’re available.

This security flaw also serves as a useful reference point for when intelligence agencies whine about needing "responsible encryption" (i.e. encryption with insecure backdoors). There are plenty of software flaws for intelligence agencies to take advantage of already.

There seems to be a major flaw in Apple’s macOS High Sierra operating system that allows anyone with physical access to a Mac to gain system administrator access without so much as entering a password.

The vulnerability was publicly disclosed on Twitter this afternoon; it’s not clear whether the problem was privately reported to Apple ahead of time, which is the encouraged practice when security vulnerabilities are uncovered. (The company maintains an invite-only bug bounty program.) Despite its incredibly alarming simplicity, The Verge is not reproducing the steps to bypass High Sierra’s login screen here.

However, The Verge has been able to confirm the major security issue remains present as of MacOS 10.13.1, the current release of High Sierra. When the problem is exploited, the user is authenticated into a “System Administrator” account and is given full ability to view files and even reset or change passwords for pre-existing users on that machine. Apple ID email addresses tied to users on the Mac can be removed and altered, as well. There are likely many more ways that someone taking advantage of the issue could wreak havoc on a Mac desktop or laptop.

The level of unbridled access this security hole permits — and it abruptly being made public — will almost certainly prompt Apple to move fast in releasing an update for its Mac operating system.

Until that happens, the best way to protect your Mac against the issue reported today is by ensuring that you’ve set a root password. To do that, go to System Preferences > Users & Groups > Login Options > Join > Open Directory Utility > Edit. Enable the Root User if you haven’t already and then choose Change Root Password.

More Than 400 of the World’s Most Popular Websites Try to Record Your Every Keystroke

This is significant work done by Princeton researchers. It’s honestly a pretty damning indictment of the world’s most visited websites.

Most people who’ve spent time on the internet have some understanding that many websites log their visits and keep record of what pages they’ve looked at. When you search for a pair of shoes on a retailer’s site for example, it records that you were interested in them. The next day, you see an advertisement for the same pair on Instagram or another social media site.

The idea of websites tracking users isn’t new, but research from Princeton University released last week indicates that online tracking is far more invasive than most users understand. In the first installment of a series titled “No Boundaries,” three researchers from Princeton’s Center for Information Technology Policy (CITP) explain how third-party scripts that run on many of the world’s most popular websites track your every keystroke and then send that information to a third-party server.

Some highly trafficked sites run software that records every time you click and every word you type. If you go to a website, begin to fill out a form, and then abandon it, every letter you entered is still recorded, according to the researchers' findings. If you accidentally paste something into a form that was copied to your clipboard, it's also recorded. Facebook users were outraged in 2013 when it was discovered that the social network was doing something similar with status updates—it recorded what users typed, even if they never ended up posting it.

These scripts, or bits of code that websites run, are called "session replay" scripts. Session replay scripts are used by companies to gain insight into how their customers are using their sites and to identify confusing webpages. But the scripts don't just aggregate general statistics; they record, and are capable of playing back, individual browsing sessions. The scripts don't run on every page, but are often placed on pages where users input sensitive information, like passwords and medical conditions.

[…]

Most troubling is that the information session replay scripts collect can’t “reasonably be expected to be kept anonymous,” according to the researchers. Some of the companies that provide this software, like FullStory, design tracking scripts that even allow website owners to link the recordings they gather to a user’s real identity. On the backend, companies can see that a user is connected to a specific email or name. FullStory did not return a request for comment.

[…]

Companies that sell replay scripts do offer a number of redaction tools that allow websites to exclude sensitive content from recordings, and some even explicitly forbid the collection of user data. Still, the use of session replay scripts by so many of the world’s most popular websites has serious privacy implications.

“Collection of page content by third-party replay scripts may cause sensitive information such as medical conditions, credit card details, and other personal information displayed on a page to leak to the third-party as part of the recording,” the researchers wrote in their post.

Passwords are often accidentally included in recordings, even though the scripts are designed to exclude them. The researchers found that other personal information was also often not redacted, or only partially redacted, at least with some of the scripts. Two of the companies, UserReplay and SessionCam, block all user inputs by default (they just track where users are clicking), which is a far safer approach.

[…]

Finally, the study's authors are worried that session script companies could be vulnerable to targeted hacks, especially because they're likely high-value targets. For example, many of these companies have dashboards where clients can play back the recordings they collect.

[…]

It’s not just session scripts that are following you around the internet. A study published earlier this year found that nearly half of the world’s 1,000 most popular websites use the same tracking software to monitor your behavior in various ways.

If you want to block session replay scripts, popular ad-blocking tool AdBlock Plus will now protect you against all of the ones documented in the Princeton study. AdBlock Plus formerly only protected against some, but has now been updated to block all as a result of the researchers’ work.

Pentagon Web-Monitoring Operation Exposed

The Pentagon has been violating U.S. federal law since the 1990s by failing to provide an audit to the GAO, making it the only federal agency that has failed to do so. Its incompetence, and its ties with the military-industrial complex, have been exposed again after it was noticed that it was insecurely storing the output of its Internet monitoring on third-party servers.

A Pentagon contractor left a vast archive of social-media posts on a publicly accessible Amazon account in what appears to be a military-sponsored intelligence-gathering operation that targeted people in the US and other parts of the world.

The three cloud-based storage buckets contained at least 1.8 billion scraped online posts spanning eight years, researchers from security firm UpGuard's Cyber Risk Team said in a blog post published Friday. The cache included many posts that appeared to be benign, and in many cases those involved people in the US, a finding that raises privacy and civil-liberties questions. Facebook was one of the sites that originally hosted the scraped content. Other venues included soccer discussion groups and video game forums. Topics in the scraped content were extremely wide-ranging and included Arabic-language posts mocking ISIS and Pashto-language comments made on the official Facebook page of Pakistani politician Imran Khan.

The scrapings were left in three Amazon Web Services S3 cloud storage buckets that were configured to allow access to anyone with a freely available AWS account. It's only the latest trove of sensitive documents left unsecured on Amazon.
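The "anyone with a freely available AWS account" setting described above corresponds to an S3 ACL grant to the AuthenticatedUsers group, which AWS itself treats as public. The following script is an added example, not code from the article or from UpGuard's research: it parses the JSON that `aws s3api get-bucket-acl` returns and flags grants to the AllUsers (anonymous) or AuthenticatedUsers (any AWS account) groups. The sample ACL is constructed to show the exposed configuration.

```python
"""Audit an S3 bucket ACL for grants that expose it to the public or to any AWS account.

Added example (assumption: input is the JSON shape returned by `aws s3api get-bucket-acl`
or boto3's get_bucket_acl). Both group URIs below are the real AWS global group identifiers.
"""
import json

# Grants to these two groups are what AWS defines as "public". AuthenticatedUsers sounds
# restrictive but means any of the millions of AWS accounts anyone can create for free.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"

# Constructed sample ACL: the owner keeps FULL_CONTROL, but READ (list the bucket) has
# also been granted to every AWS account holder, the misconfiguration the article describes.
SAMPLE_ACL = json.dumps({
    "Owner": {"ID": "example-owner-canonical-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "example-owner-canonical-id"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": AUTHENTICATED_USERS},
         "Permission": "READ"},
    ],
})


def risky_grants(acl_json: str) -> list:
    """Return (audience, permission) pairs for every grant to AllUsers or AuthenticatedUsers.

    Grants to CanonicalUser grantees (specific accounts) and to the LogDelivery group
    are not reported; only the two global groups make a bucket reachable by outsiders.
    """
    acl = json.loads(acl_json)
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") != "Group":
            continue
        uri = grantee.get("URI", "")
        if uri == ALL_USERS:
            findings.append(("anonymous (AllUsers)", grant["Permission"]))
        elif uri == AUTHENTICATED_USERS:
            findings.append(("any AWS account (AuthenticatedUsers)", grant["Permission"]))
    return findings


def is_exposed(acl_json: str) -> bool:
    """True when the ACL grants any permission to one of the global groups."""
    return bool(risky_grants(acl_json))


if __name__ == "__main__":
    for audience, permission in risky_grants(SAMPLE_ACL):
        print(f"EXPOSED: {permission} granted to {audience}")
    # Remediation: reset the ACL (`aws s3api put-bucket-acl --bucket NAME --acl private`)
    # and enable S3 Block Public Access. Note that a bucket policy can grant access
    # independently of the ACL, so the policy must be reviewed as well.
```

The ACL is only one of two controls; a permissive bucket policy would not show up in this check.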

Canadian Agency Similar to the NSA Releases a Malware Analysis Tool to the Public

Acts like this are what intelligence agencies such as the CSE and the NSA are supposed to be about: defending the public. However, they have often worked against the public, especially since the year 2000, by spying on it through mass surveillance.

Canada’s electronic spy agency says it is taking the “unprecedented step” of releasing one of its own cyber defence tools to the public, in a bid to help companies and organizations better defend their computers and networks against malicious threats.

The Communications Security Establishment (CSE) rarely goes into detail about its activities, both offensive and defensive, and much of what is known about the agency's activities has come from leaked documents obtained by U.S. National Security Agency whistleblower Edward Snowden and published in recent years.

But as of late, CSE has acknowledged it needs to do a better job of explaining to Canadians exactly what it does. Today, it is pulling back the curtain on an open-source malware analysis tool called Assemblyline that CSE says is used to protect the Canadian government’s sprawling infrastructure each day.