Cherry Blossom: How the CIA can hack into your internet router


Sputnik


Wi-Fi routers typically sit in dusty corners of homes and offices, quietly providing internet access to computers, tablets and phones in their immediate vicinity. However, these unpretentious devices are a goldmine for hackers – and were specifically targeted by the US Central Intelligence Agency, the latest Wikileaks release has revealed.

The release is the latest instalment of Wikileaks’ “Vault7” series, which the group has been drip-feeding to the public since March. Previous trickles have revealed CIA attempts to hack office computers, televisions and phones, among many other shock exposures.

This time, the documents contain detailed information on the CIA’s router hacking “toolkit” — and how the Agency sought to leverage common vulnerabilities in routers sold by companies such as D-Link and Linksys. The techniques range from hacking network passwords to rewriting device firmware to remotely monitor traffic flowing across a target’s network.

While few may have stopped to consider a router’s attractiveness to a hacker, in truth the devices are an obviously attractive entry point — routers typically aren’t equipped with interfaces beyond on/off and reset buttons, and have no means of alerting users they have been compromised.

A router could be hacked for years, with a user’s every online action tracked and recorded, without anyone being any the wiser.

The CIA’s router-hacking approach begins with a tool, “Claymore”, which scans a network to identify devices and then launches two exploiters, “Tomato” and “Surfside”. The former is noted to target vulnerabilities in at least two routers sold by D-Link and Linksys, and steals those devices’ administrative passwords. Moreover, the documents state at least two other routers sold by Linksys could be targeted with “Tomato” after a mere few weeks of development.

“Surfside” is left largely unexplained, though the documents hint it may abuse a protocol called Universal Plug and Play. Oft dubbed UPNP, the protocol is embedded in around 7,000 different devices, including routers, printers, media players and smart TVs, and tech security experts have long warned it poses a potential risk.

As the documents date back to early 2016, it’s unclear whether D-Link or Linksys have identified and/or rectified these vulnerabilities — however, routers are difficult to manually update, and given their ubiquity, providers are reluctant to dispatch professional staff to do so, instead obliging consumers to do so themselves. Any vulnerability in a router can be left to smolder for years before correction, if at all — and the aforementioned lack of a “warning” system alerting users to threats, à la antivirus software, means users may never discover if their device is vulnerable.

Another means of access mentioned in the papers is the failure of users to change default admin passwords — often, individuals are simply unaware that there is an admin password, or that it can be changed. This likewise offers unbridled access to the contents of an individual’s router — after access, a hacker or CIA agent could then install custom firmware (the CIA’s is called Flytrap) on the router to monitor a target’s browsing, strip SSL encryption from webpages visited, and even inject other exploits into their traffic, designed to offer access directly to the target’s PC or phone. Yet another piece of software, CherryTree, serves as a command-and-control system, allowing operators to monitor and update infected network devices from a browser-based interface called CherryWeb.

Nonetheless, while acknowledging the exposures are “alarming,” Matthew Hickey, Founder of Hacker House, isn’t shocked the CIA would target routers.

“The information security community has been warning about this risk since 2005, if not before. Still, while technically adept users likely won’t be impacted by the technique, it does potentially mean the CIA can access millions of web histories — and there’s the prospect of it easily being misused and abused in surveillance operations. The only Godsend is the CIA wouldn’t be able to do this remotely or in bulk — they need to be in the nearby vicinity of a router network to access it, from a car or van or similar,” Mr. Hickey told Sputnik.

Ultimately, given the evident insecurities ingrained in average Wi-Fi routers, it’s perhaps unsurprising the world’s most well-financed spying group has exploited them — and maybe still does. Wikileaks’ latest revelations serve as a palpable reminder to net users to update their routers regularly, and change their default admin passwords. Otherwise, potentially no private, internet-equipped home is safe from US surveillance.

Samsung Warns Customers To Think Twice About What They Say Near Smart TVs


Reblogged on February 15, 2016


Jake Anderson
February 12, 2016

(ANTIMEDIA) In a troubling new development in the domestic consumer surveillance debate, an investigation into Samsung Smart TVs has revealed that user voice commands are recorded, stored, and transmitted to a third party. The company even warns customers not to discuss personal or sensitive information within earshot of the device.

This is in stark contrast to previous claims by tech manufacturers, like Playstation, who vehemently deny their devices record personal information, despite evidence to the contrary, including news that hackers can gain access to unencrypted streams of credit card information.

 

The new Samsung controversy stems from the discovery of a single haunting statement in the company’s “privacy policy,” which states:

“Please be aware that if your spoken words include personal or other sensitive information, that information will be among the data captured and transmitted to a third party.”

This sparked a back and forth between the Daily Beast and Samsung regarding not only consumer privacy but also security concerns. If our conversations are “captured and transmitted,” eavesdropping hackers may be able to use our “personal or other sensitive information” for identity theft or any number of nefarious purposes.

There is also the concern that such information could be turned over to law enforcement or government agencies. With the revelation of the PRISM program by which the NSA collected data from Microsoft, Google, and Facebook and other such NSA spying programs, neither the government nor the private sector has the benefit of the doubt in claiming tech companies are not conscripted into divulging sensitive consumer info under the auspices of national security.

Michael Price, counsel in the Liberty and National Security Program at the Brennan Center for Justice at the NYU School of Law, stated:

“I do not doubt that this data is important to providing customized content and convenience, but it is also incredibly personal, constitutionally protected information that should not be for sale to advertisers and should require a warrant for law enforcement to access.”

Responding to the controversy, Samsung updated its privacy policy, named its third party partner, and issued the following statement:

“Voice recognition, which allows the user to control the TV using voice commands, is a Samsung Smart TV feature, which can be activated or deactivated by the user. The TV owner can also disconnect the TV from the Wi-Fi network.”

Under still more pressure, Samsung named its third party affiliate, Nuance Communications. In a statement to Anti-Media, Nuance said:

“Samsung is a Nuance customer. The data that Nuance collects is speech data. Nuance respects the privacy of its users in its use of speech data. Our use of such data is for the development and improvement of our voice recognition and natural language understanding technologies. As outlined in our privacy policy, third parties work under contract with Nuance, pursuant to confidentiality agreements, to help Nuance tailor and deliver the speech recognition and natural language service, and to help Nuance develop, tune, enhance, and improve its products and services.

“We do not sell that speech data for marketing or advertising. Nuance does not have a relationship with government agencies to turn over consumer data…..There is no intention to trace these samples to specific people or users.”

Nuance’s Wikipedia page mentions that the company maintains a small division for government and military system development, but that is not confirmed at this time.

Despite protestations from these companies that our voice command data is not being traced to specific users or, worse, stored for use by government or law enforcement agencies, it seems that when it comes to constitutional civil liberties, the end zone keeps getting pushed further and further down the field.

For years, technologists and smart device enthusiasts claimed webcam and voice recording devices did not store our information. While Samsung may be telling the truth about the use of that data, there are countless companies integrating smart technology who may not be using proper encryption methods and may have varying contractual obligations to government or law enforcement.

Is it really safe for us to assume that the now exceedingly evident symbiotic relationship between multinational corporations and government agencies does not still include a revolving door for the sharing of sensitive consumer data?

http://theantimedia.org/samsung-warns-customers-to-think-twice-about-what-they-say-near-smart-tvs/


This article (Samsung Warns Customers To Think Twice About What They Say Near Smart TVs) is free and open source. You have permission to republish this article under a Creative Commons license with attribution to Jake Anderson and theAntiMedia.org. Anti-Media Radio airs weeknights at 11pm Eastern/8pm Pacific. If you spot a typo, email edits@theantimedia.org.

The New WINDOWS 10 Could Send You To Jail! – No More PRIVACY WINDOWS 10 is SPYING on WHAT YOU DO


A newly published article on BGR says that the new Microsoft Windows 10 will be fantastic and a great improvement over Windows 8, which sounds like amazing news, right? Well, maybe so, but one other thing is also mentioned: WINDOWS 10 will SPY on EVERYTHING that you do on your computer and on the internet! You can read the full story here at BGR. They also have a solution to supposedly OPT out, so make note of that!

But here’s the thing about this when doing further research: someone said the following on a thread on GLP (you can follow the discussion to see replies by posters).

“Microsoft says they’re reading and accessing all the content in your computer, mail, movies, data, audio, excel files, pictures, porn, pirated items, torrents, illegal speech, etc. and if they find something illegal, you will be accused as a criminal to FBI and local Police”

“We will access, disclose and preserve personal data, including your content (such as the content of your emails, other private communications or files in private folders), when we have a good faith belief that doing so is necessary to.”

So there you have it. More to come soon as we follow this story. Until then, please do your own research on this story, and please SHARE THIS STORY to make others aware that Microsoft will be doing this; maybe others will speak out against this if everyone can spread the word. Your PRIVACY is YOUR PRIVACY and should NEVER be invaded!

As of today Windows 10 was installed on 67 Million PCs!!!

http://www.intergalacticvault.com/shocking-the-new-windows-10-could-send-you-to-jail-no-more-privacy/

New Technology: Police Camera Ball (VIDEO)


Note: Just more high tech toys for the NSA and all other law enforcement agencies determined on violating basic civil rights. A “camera ball”??? Really? Sounds like a waste of money that could have been diverted toward rehabilitation for training officers to be decent humans when dealing with the public, or countless other programs to reform law enforcement officers into public servants once again.

 

Thousands of Unsecured Security Cameras Could Be Giving Hackers a Peek Inside Your Home


Note: You can be certain these cameras are being used by our fav alphabet agencies to spy on unsuspecting citizens. On that note, I always keep tape over the camera lens on my laptop because it gave me the creeps knowing that someone may be watching…ewww!
Jan. 29, 2013

Thousands of DVR Security Camera Systems Vulnerable to Hacking

Digital video recording (DVR) devices used for security purposes might actually be an open door — virtually — for hackers, according to the findings of a security blogger.

The writer going by the name “someLuser” on the blog Console Cowboy showed how at least 18 brands of security DVRs were vulnerable to hackers, specifically the Ray Sharp DVR platform. The security firm Rapid 7 did a little digging after someLuser’s blog post came out and found that this could leave about 58,000 systems in more than 150 countries exploitable.

Forbes explains in layman’s terms how the vulnerability with the system works:

He found that commands sent to the device via a certain connection, port 9000, were accepted without any authentication. And worse, he was able to use that unprotected connection to retrieve the login credentials for the DVR’s web-based control panel. “Anyone who can connect to port 9000 on the device can send this request and retrieve that information,” said someLuser, who declined to reveal his real name when I reached him by instant message.

To compound the problem, the DVRs automatically make themselves visible to external connections using a protocol known as Universal Plug And Play, (UPNP) which maps the devices’ location to any local router that has UPNP enabled–a common default setting. That feature, designed to allow users to remotely access their video files via remote PC or phone, effectively cuts a hole in any firewall that would expose the device to attackers, too.

Basically, the flaws would allow hackers into security systems remotely where they could access or delete footage.

Products included for such a potential exploit are: Swann, Lorex, URMET, KGuard, Defender, DEAPA/DSP Cop, SVAT, Zmodo, BCS, Bolide, EyeForce, Atlantis, Protectron, Greatek, Soyo, Hi-View, Cosmos and J2000.

Although at least one manufacturer, Zmodo, told Forbes they have a firmware update for sale to correct the vulnerability, there is not really a simple fix for the problem.

A temporary work-around someLuser presents is to disable the universal plug and play (UPNP) on routers to prevent outside devices from using the Internet to access the system remotely.
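For anyone checking their own router before or instead of switching UPNP off, the sketch below audits the router's UPNP port-mapping table for the kind of exposure described above. It is an added example, not code from someLuser, Forbes or Rapid 7. It assumes the replies to the standard Internet Gateway Device action GetGenericPortMappingEntry have already been collected from your own router; the sample replies, addresses and the function names `parse_mapping` and `audit_mappings` are constructed for illustration, and only port 9000 comes from the article.

```python
import xml.etree.ElementTree as ET


def _reply(remote, ext, proto, inner, client, enabled, desc):
    """Build one constructed SOAP reply in the shape an IGD router returns."""
    return f"""<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">
 <s:Body>
  <u:GetGenericPortMappingEntryResponse
      xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">
   <NewRemoteHost>{remote}</NewRemoteHost>
   <NewExternalPort>{ext}</NewExternalPort>
   <NewProtocol>{proto}</NewProtocol>
   <NewInternalPort>{inner}</NewInternalPort>
   <NewInternalClient>{client}</NewInternalClient>
   <NewEnabled>{enabled}</NewEnabled>
   <NewPortMappingDescription>{desc}</NewPortMappingDescription>
   <NewLeaseDuration>0</NewLeaseDuration>
  </u:GetGenericPortMappingEntryResponse>
 </s:Body>
</s:Envelope>"""


# Constructed sample data (made-up hosts and labels), not real captures.
SAMPLE_REPLIES = [
    _reply("", 9000, "TCP", 9000, "192.168.1.50", 1, "DVR"),
    _reply("", 51413, "UDP", 51413, "192.168.1.20", 1, "p2p client"),
    _reply("203.0.113.7", 8443, "TCP", 443, "192.168.1.30", 1, "NAS"),
    _reply("", 8080, "TCP", 80, "192.168.1.40", 0, "old camera"),
]


def parse_mapping(reply_xml):
    """Extract the New* fields of one port-mapping reply into a dict."""
    fields = {}
    for el in ET.fromstring(reply_xml).iter():
        tag = el.tag.rsplit("}", 1)[-1]  # drop any XML namespace prefix
        if tag.startswith("New"):
            fields[tag[3:]] = (el.text or "").strip()
    return {
        "remote_host": fields.get("RemoteHost", ""),
        "external_port": int(fields["ExternalPort"]),
        "protocol": fields["Protocol"].upper(),
        "internal_port": int(fields["InternalPort"]),
        "internal_client": fields["InternalClient"],
        "enabled": fields.get("Enabled") == "1",
        "description": fields.get("PortMappingDescription", ""),
    }


def audit_mappings(mappings, watch_ports=frozenset({9000})):
    """Return enabled mappings that expose an internal device, with reasons."""
    findings = []
    for m in mappings:
        if not m["enabled"]:
            continue  # a disabled entry forwards nothing
        reasons = []
        if m["remote_host"] == "":
            # An empty RemoteHost is the IGD wildcard: any outside address.
            reasons.append("open to any Internet host")
        if {m["external_port"], m["internal_port"]} & set(watch_ports):
            reasons.append("port is on the watch list")
        if reasons:
            findings.append({**m, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_mappings([parse_mapping(r) for r in SAMPLE_REPLIES]):
        print(f"{f['protocol']} {f['external_port']} -> {f['internal_client']}:"
              f"{f['internal_port']} ({f['description']}): "
              + "; ".join(f["reasons"]))
```

Any flagged entry that nobody in the household set up deliberately is a reason to remove the mapping and turn UPNP off on the router, as the work-around suggests.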

DVR security systems are not the only remotely accessed systems that we’ve seen vulnerable to hacking. In 2011, we reported how something as unassuming as a home or office printer connected to the Internet could be hacked, even tampered with to the point where it could start a fire.

Last week, tech websites were reporting some computer webcams were insecure and letting peeping Toms see through them. The issue associated with TRENDnet webcams was first reported in early 2012 and a fix was provided. But as the interactive map TRENDnetExposed received attention (the map has since been deactivated), it was clear some users of the webcams had not yet taken the necessary measures to secure their devices.

Watch this video from the Today show about criminals using unsecured webcams for spying:

VIDEO LINK:

http://www.theblaze.com/stories/2013/01/29/thousands-of-unsecured-security-cameras-could-be-giving-hackers-a-peek-inside-your-home/

 

7 Rules for Recording Police


 

Things you should and shouldn’t do when armed with a camera against the police.
April 8, 2012

Last week the City of Boston agreed to pay Simon Glik $170,000 in damages and legal fees to settle a civil rights lawsuit stemming from his 2007 felony arrest for videotaping police roughing up a suspect. Prior to the settlement, the First Circuit Court of Appeals unanimously ruled that Glik had a “constitutionally protected right to videotape police carrying out their duties in public.” The Boston Police Department now explicitly instructs its officers not to arrest citizens openly recording them in public.

Slowly but surely the courts are recognizing that recording on-duty police is a protected First Amendment activity. But in the meantime, police around the country continue to intimidate and arrest citizens for doing just that. So if you’re an aspiring cop watcher you must be uniquely prepared to deal with hostile cops.

If you choose to record the police you can reduce the risk of terrible legal consequences and video loss by understanding your state’s laws and carefully adhering to the following rules.

Rule #1: Know the Law (Wherever You Are)

Conceived at a time when pocket-sized recording devices were available only to James Bond types, most eavesdropping laws were originally intended to protect people against snoops, spies, and peeping Toms. Now with this technology in the hands of average citizens, police and prosecutors are abusing these outdated laws to punish citizens merely attempting to document on-duty police.

The law in 38 states plainly allows citizens to record police, as long as you don’t physically interfere with their work. Police might still unfairly harass you, detain you, or confiscate your camera. They might even arrest you for some catchall misdemeanor such as obstruction of justice or disorderly conduct. But you will not be charged for illegally recording police.

Twelve states—California, Connecticut, Florida, Illinois, Maryland, Massachusetts, Michigan, Montana, Nevada, New Hampshire, Pennsylvania, and Washington—require the consent of all parties for you to record a conversation.

However, all but 2 of these states—Massachusetts and Illinois—have an “expectation of privacy provision” to their all-party laws that courts have ruled does not apply to on-duty police (or anyone in public). In other words, it’s technically legal in those 48 states to openly record on-duty police.

Rule #2 Don’t Secretly Record Police

In most states it’s almost always illegal to record a conversation in which you’re not a party and don’t have consent to record. Massachusetts is the only state to uphold a conviction for recording on-duty police, but that conviction was for a secret recording where the defendant failed to inform police he was recording. (As in the Glik case, Massachusetts courts have ruled that openly recording police is legal, but secretly recording them isn’t.)

Fortunately, judges and juries are soundly rejecting these laws. Illinois, the state with the most notorious anti-recording laws in the land, expressly forbids you from recording on-duty police. Early last month an Illinois judge declared that law unconstitutional, ruling in favor of Chris Drew, a Chicago artist charged with felony eavesdropping for secretly recording his own arrest. Last August a jury acquitted Tiawanda Moore of secretly recording two Chicago Police Internal Affairs investigators who encouraged her to drop a sexual harassment complaint against another officer. (A juror described the case to a reporter as “a waste of time.”) In September, an Illinois state judge dropped felony charges against Michael Allison. After running afoul of local zoning ordinances, he faced up to 75 years in prison for secretly recording police and attempting to tape his own trial.

The lesson for you is this: If you want to limit your legal exposure and present a strong legal case, record police openly if possible. But if you videotape on-duty police from a distance, such an announcement might not be possible or appropriate unless police approach you.

Rule #3: Respond to “Shit Cops Say” 

When it comes to police encounters, you don’t get to choose whom you’re dealing with. You might get Officer Friendly, or you might get Officer Psycho. You’ll likely get officers between these extremes. But when you “watch the watchmen,” you must be ready to think on your feet.

In most circumstances, officers will not immediately bull rush you for filming them. But if they aren’t properly trained, they might feel like their authority is being challenged. And all too often police are simply ignorant of the law. Part of your task will be to convince them that you’re not a threat while also standing your ground.

“What are you doing?”

Police aren’t celebrities, so they’re not always used to being photographed in public. So even if you’re recording at a safe distance, they might approach and ask what you are doing. Avoid saying things like “I’m recording you to make sure you’re doing your job right” or “I don’t trust you.”

Instead, say something like “Officer, I’m not interfering. I’m asserting my First Amendment rights. You’re being documented and recorded offsite.”

Saying this while remaining calm and cool will likely put police on their best behavior. They might follow up by asking, “Who do you work for?” You may, for example, tell them you’re an independent filmmaker or a citizen journalist with a popular website/blog/YouTube show. Whatever you say, don’t lie—but don’t let police trick you into thinking that the First Amendment only applies to mainstream media journalists. It doesn’t.

“Let me see your ID.”

In the United States there’s no law requiring you to carry a government ID. But in 24 states police may require you to identify yourself if they have reasonable suspicion that you’re involved in criminal activity.

But how can you tell if an officer asking for ID has reasonable suspicion? Police need reasonable suspicion to detain you, so one way to tell if they have reasonable suspicion is to determine if you’re free to go. You can do this by saying “Officer, are you detaining me, or am I free to go?”

If the officer says you’re free to go or you’re not being detained, it’s your choice whether to stay or go. But if you’re detained, you might say something like, “I’m not required to show you ID, but my name is [your full name].” It’s up to you if you want to provide your address and date of birth if asked for it, but I’d stop short of giving them your Social Security number.

“Please stop recording me. It’s against the law.”

Rarely is it advisable to educate officers about the law. But in a tense recording situation where the law is clearly on your side, it might help your case to politely present your knowledge of state law.

For example, if an insecure cop tries to tell you that you’re violating his civil liberties, you might respond by saying “Officer, with all due respect, state law only requires permission from one party in a conversation. I don’t need your permission to record so long as I’m not interfering with your work.”

If you live in one of the 12 all party record states, you might say something like “Officer, I’m familiar with the law, but the courts have ruled that it doesn’t apply to recording on-duty police.”

If protective service officers harass you while filming on federal property, you may remind them of a recently issued directive informing them that there’s no prohibition against public photography at federal buildings.

“Stand back.”

If you’re approaching the scene of an investigation or an accident, police will likely order you to move back. Depending on the circumstances, you might become involved in an intense negotiation to determine the “appropriate” distance you need to stand back to avoid “interfering” with their work.

If you feel you’re already standing at a reasonable distance, you may say something like, “Officer, I have a right to be here. I’m filming for documentation purposes and not interfering with your work.” It’s then up to you to decide how far back you’re willing to stand to avoid arrest.

Rule #4: Don’t Share Your Video with Police

Read more here:

http://www.alternet.org/rights/154898/7_Rules_for_Recording_Police/?page=entire

Are You Being Tracked? 8 Ways Your Privacy Is Being Eroded Online and Off


By David Rosen, AlterNet
Posted on December 28, 2011, Printed on December 30, 2011
http://www.alternet.org/story/153592/are_you_being_tracked_8_ways_your_privacy_is_being_eroded_online_and_off

In a recent hearing before the Senate Judiciary Committee, Sen. Al Franken reminded his fellow Americans, “People have a fundamental right to control their private information.” At the hearing, Franken raised an alarm about Carrier IQ’s software, CIQ.

Few people have ever heard about CIQ. Running under the app functions, CIQ doesn’t require the user’s consent (or knowledge) to operate. On Android phones, it can track a user’s keystrokes, record telephone calls, store text messages, track location and more. Most troubling, it is difficult to impossible to disable.

Carrier IQ, located in Mountain View, CA, was founded in 2005 and is backed by a group of venture capitalists. Its software is installed on about 150 million wireless devices offered through AT&T, HTC, Nokia, RIM (BlackBerry), Samsung, Sprint and Verizon Wireless. It runs on a variety of operating systems, including the Apple OS and Google’s Android (but not on Microsoft Windows).

At the hearing, Sen. Franken questioned FBI director Robert Mueller about the FBI’s use of CIQ software. Mueller assured the senator that FBI agents “neither sought nor obtained any information” from Carrier IQ.

Following Mueller’s Senate testimony, Andrew Coward, Carrier IQ’s VP of marketing, told the Associated Press that the FBI is the only law enforcement agency to contact them for data. The FBI has yet to issue a follow-up “clarification.”

CIQ is emblematic of a growing number of ongoing battles that delineate the boundary of what, in the digital age, is personal, private life and information. In this era of 0s and 1s, of globalization and instantaneous communications, what it means to be a person seems to be both expanding and contracting. The battle over personal privacy is as old as the nation and as contemporary as the latest tech innovation. Eight fronts in this battle delineate personal privacy in the digital age.

1. Tracking

The Carrier IQ controversy exposed the long-festering problem of the Unique Device Identifiers (UDID), 40-digit-long strings of letters and numbers that distinguish one device from another. Most troubling, it cannot be blocked or removed by a user. (A report by the Electronic Freedom Foundation details how CIQ works.)

FBI: Carrier IQ files used for “law enforcement purposes”


The spook in your pocket

by Michael Morisy on Dec. 12, 2011, 2:30 p.m.

A recent FOIA request to the Federal Bureau of Investigation for “manuals, documents or other written guidance used to access or analyze data gathered by programs developed or deployed by Carrier IQ” was met with a telling denial. In it, the FBI stated it did have responsive documents – but they were exempt under a provision that covers materials that, if disclosed, might reasonably interfere with an ongoing investigation.

Carrier IQ came under fire after a security researcher demonstrated that the previously little-known company had software installed on a variety of phones on a variety of networks that could track user locations, keystrokes, encrypted Internet traffic and more, some of which was or could be sent back to either the cell phone owner’s service provider or Carrier IQ’s own servers.

What is still unclear is whether the FBI used Carrier IQ’s software in its own investigations, whether it is currently investigating Carrier IQ, or whether it is some combination of both – not unlikely given the recent uproar over the practice coupled with the U.S. intelligence community’s reliance on third-party vendors. The response would seem to indicate at least the former, since the request was specifically for documents related directly to accessing and analyzing Carrier IQ data.

I plan to appeal the blanket denial in hopes of answering that question.

Here is the full denial of the request:

http://www.muckrock.com/news/archives/2011/dec/12/fbi-carrier-iq-files-used-law-enforcement-purposes/

Thanks to Kevin for sharing this great find!
