Face.com App Allowed Facebook, Twitter Account Hijacking

Ashkan Soltani

Israel-based facial recognition maker Face.com was the internet’s flavor for a day Monday when it announced it was acquired by Facebook. Rumors put the price in the $50 to $100 million range.

But what was not widely known was that Face.com’s mobile app, KLIK, which allows real-time face-tagging of Facebook pictures, recently suffered a giant vulnerability. A prominent researcher found that the app allowed anyone to hijack any KLIK user’s Facebook and Twitter accounts.

Independent researcher Ashkan Soltani said the app granted access to KLIK users’ private authentication tokens for users’ Facebook and Twitter accounts.

Soltani disclosed the revelation on his blog Monday and said he had shared the vulnerability with the companies before announcing it. It was patched before he publicized it on his site, he said.

Here’s what he found:

TECHNICAL DETAILS: Face.com was storing Facebook/Twitter OAUTH tokens on their servers insecurely, allowing them to be queried for *any user* without restriction. Specifically, once a user signed up for KLIK, the app would store their Facebook tokens on Face.com’s server for ‘safe keeping’. Subsequent calls to https://mobile.face.com/mobileapp/getMe.json returned the Facebook “service_tokens” for any user, allowing the attacker to access photos and post as that user. If the KLIK user had linked their Twitter account to the KLIK App (say, to ‘tweet’ their photos à la Instagram), their ‘service_secret’ and ‘service_token’ were also returned.
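The bug class Soltani describes is a token-store endpoint that resolves the user from the request instead of from the caller's own session and then echoes the stored third-party tokens back. The following is an added, constructed Python model of that pattern beside its hardened form; it is not Face.com's code, and the endpoint names, session table and token values are assumptions made for illustration.

```python
from typing import Optional

# Constructed in-memory token store (sample data, not real credentials):
# user id -> third-party service -> stored OAuth credentials.
TOKEN_STORE = {
    "user-1": {
        "facebook": {"service_token": "fb-token-user1"},
        "twitter": {"service_token": "tw-token-user1",
                    "service_secret": "tw-secret-user1"},
    },
    "user-2": {"facebook": {"service_token": "fb-token-user2"}},
}

# Constructed session table: opaque server-issued session id -> user id.
SESSIONS = {"sess-abc": "user-1", "sess-def": "user-2"}


def get_me_vulnerable(params: dict) -> dict:
    """Vulnerable pattern: the user id comes from the request itself, and the
    stored tokens are echoed back. Any caller can read any user's tokens."""
    uid = params.get("user_id")
    tokens = TOKEN_STORE.get(uid)
    if tokens is None:
        return {"status": 404, "error": "not found"}
    return {"status": 200, "user_id": uid, "service_tokens": tokens}


def get_me_hardened(session_id: Optional[str]) -> dict:
    """Hardened pattern: identity is resolved only from the server-side
    session, and the response lists linked services without any secrets."""
    uid = SESSIONS.get(session_id or "")
    if uid is None:
        return {"status": 401, "error": "unauthorized"}
    linked = TOKEN_STORE.get(uid, {})
    return {"status": 200, "user_id": uid, "linked_services": sorted(linked)}


def post_on_behalf(session_id: Optional[str], service: str) -> dict:
    """Server-side use of a stored token: the token is looked up for the
    session's own user and consumed here; it is never sent to the client."""
    uid = SESSIONS.get(session_id or "")
    if uid is None:
        return {"status": 401, "error": "unauthorized"}
    creds = TOKEN_STORE.get(uid, {}).get(service)
    if creds is None:
        return {"status": 400, "error": f"{service} not linked"}
    # Placeholder for the outbound API call that would use creds["service_token"].
    return {"status": 200, "posted_as": uid, "service": service}


def leaks_secrets(response: dict) -> bool:
    """Guard a response filter could apply before a body leaves the server:
    flag any stored credential field names in the serialized response."""
    text = repr(response)
    return "service_token" in text or "service_secret" in text
```

The `leaks_secrets` check flags the vulnerable handler's output and passes the hardened one, which is the property a regression test for this class of bug should pin down.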

Luckily for Face.com, the vulnerability was publicized after it was fixed. But users should be aware. Anytime you grant access to your Facebook, Google or Twitter accounts to an outside app, there’s always a hazard that your accounts could be at risk. Today might be a good day to go review which apps you have given permissions to, and which you no longer use.

Soltani said in an email that he was doing some coding and noticed the vulnerability “out of the corner of my eye.”

“Happens all the time,” he added. “I think developers have gotten used to a ‘security thru obscurity’ model on mobile devices that doesn’t exist on the web anymore. The thinking is ‘no one will see this.’”

Photo: LunaWeb/Flickr

Report: US and Israel Behind Flame Espionage Tool

The United States and Israel are responsible for developing the sophisticated espionage rootkit known as Flame, according to anonymous Western sources quoted in a news report.

The malware was designed to provide intelligence about Iran’s computer networks and spy on Iranian officials through their computers as part of an ongoing cyberwarfare campaign, according to the Washington Post.

The program was a joint effort of the National Security Agency, the CIA and Israel’s military, which also produced the Stuxnet worm that is believed to have sabotaged centrifuges used for Iran’s uranium enrichment program in 2009 and 2010.

“This is about preparing the battlefield for another type of covert action,” a former high-ranking US intelligence official told the Post. “Cyber collection against the Iranian program is way further down the road than this.”

Flame was discovered last month by Russia-based antivirus firm Kaspersky Lab, following reports in Iran that malware aimed at computers belonging to that country’s oil industry had wiped data from the computers. In trying to investigate that issue, Kaspersky came across components of the Flame malware, which the researchers believed was not directly connected to the malware that wiped the Iranian computers clean but which they believed was created by the same nation states behind Stuxnet.

Kaspersky disclosed last week that Flame in fact contained some of the same code as Stuxnet, directly tying the two pieces of malware together.

According to the Post, Flame was designed to infiltrate highly secure networks in order to siphon intelligence from them, including information that would help the attackers map a target network. Flame, as previously reported, can activate a computer’s internal microphone to record conversations conducted via Skype or in the vicinity of the computer. It also contains modules that log keyboard strokes, take screen shots of what’s occurring on a machine, extract geolocation data from images and turn an infected computer into a Bluetooth beacon to siphon information from Bluetooth-enabled phones that are near the computer.

Flame exploited a vulnerability in Microsoft’s terminal service system to allow the attackers to obtain a fraudulent Microsoft digital certificate to sign their code, so that it could masquerade as legitimate Microsoft code and be installed on a target machine via the Microsoft software update function.

Flame was developed at least five years ago as part of a classified program code-named Olympic Games, the same program that produced Stuxnet.

“It is far more difficult to penetrate a network, learn about it, reside on it forever and extract information from it without being detected than it is to go in and stomp around inside the network causing damage,” Michael V. Hayden, a former NSA director and CIA director who left office in 2009, told the Post.

It’s still unclear whether the malware used to attack computers in Iran’s oil ministry is the same malware now known as Flame. According to the Post, the attack on the oil ministry computers was directed by Israel alone, a matter which apparently caught US officials off guard, according to anonymous sources who spoke with the newspaper.

WikiLeaks’ Assange Flees to Ecuadorian Embassy

With just nine days left before he is set to be extradited to Sweden, WikiLeaks founder Julian Assange has applied for political asylum with Ecuador.

Assange appeared in person at the Ecuadorian embassy in London on Tuesday seeking protection and will remain there until Ecuadorian authorities rule on his application for asylum, according to a statement from the embassy.

“The decision to consider Mr Assange’s application for protective asylum should in no way be interpreted as the Government of Ecuador interfering in the judicial processes of either the United Kingdom or Sweden,” the embassy said in the statement.

According to a separate statement from Ecuador’s foreign ministry, Assange asserted that Australia, his native country, appeared to have no plans to protect him, which put him in a state of “helplessness.” He was therefore asking Ecuador to provide him with asylum.

Ecuador is “evaluating the request of Mr. Julian Assange and any decision on it will take into account respect for the rules and principles of international law and the traditional policy of Ecuador to safeguarding human rights,” Ecuadorian officials said in the statement.

Under Article 14 of the Universal Declaration of Human Rights, “everyone has the right to seek and to enjoy in other countries asylum from persecution.” However, the second clause of the article states that “the right may not be invoked in the case of prosecutions genuinely arising from non-political crimes or from acts contrary to the purposes and principles of the United Nations.”

Ecuador and the UK voted in favor of the UDHR, and it has the status of international law.

Assange, however, is not accused of political crimes. He is being sought for questioning in Sweden on rape and coercion allegations stemming from separate sexual relations he had with two women in that country in August 2010. One woman told police that Assange pinned her down to have sex with her and that she suspected he intentionally tore a condom he wore. The second woman reported that he had sex with her while she was initially asleep, failing to wear a condom despite repeated requests for him to do so. Assange was in the country applying for residency so that he might benefit from Sweden’s strong press protection laws.

Assange has denied any wrongdoing, asserting that the sex in both cases was consensual.

He was ordered to return to Sweden last week to face the allegations after the UK Supreme Court rejected a bid to re-open his appeal case there. The judges gave him a two-week reprieve before extradition proceedings would begin, saving him from being immediately ejected from the country.

It’s unclear whether his holing up in the Ecuadorian embassy would make him a fugitive, triggering a warrant for his immediate arrest. A spokesman for the Metropolitan police reached late in the evening in London on Tuesday told Wired that authorities would likely be evaluating the situation in the morning.

“Generally speaking, if someone does breach their bail conditions, then they become liable to arrest,” spokesman Simon Fisher said. “It depends on if and when he breaches the parameters of his bail conditions.”

Assange was freed on $300,000 bail in Dec. 2010, with conditions. He had to surrender his passport, agree to travel restrictions, adhere to a curfew and wear an electronic tracking device. He is required to report to a local police station by 10pm each evening in Kent, the neighborhood where he has been living. It’s unclear whether, if he failed to report to police Tuesday evening after seeking refuge in the Ecuador embassy, that would qualify as violating his bail conditions.

U.S. documentary filmmaker Michael Moore contributed $20,000 to Assange’s bail. British heiress Jemima Khan and other celebrities also reportedly offered to cover his bail at the time. It’s unclear what the status of that bail money would be if Assange is granted asylum in Ecuador. In a Twitter exchange with the deputy editor of the Guardian newspaper in London, Khan acknowledged she had put up some of Assange’s bail money and said that she had expected Assange “to face the allegations.”

“I am as surprised as anyone by this,” she wrote in a tweet.

Assange failed to make an appearance at a Supreme Court hearing two weeks ago when the court was scheduled to rule on his appeal. According to reports on Twitter from people who had spoken with him that morning, he said he was caught in traffic, prompting speculation that he might have been preparing to flee to avoid being taken into custody immediately by court authorities.

Assange’s defense team has claimed that the Swedish government is acting on behalf of the US to extradite Assange to Sweden so that he could be further extradited to the US to face criminal charges related to WikiLeaks’ publication of thousands of documents from the Afghan and Iraq wars, as well as US diplomatic cables.

But UK prosecutor Clare Montgomery, who was in an early court proceeding representing Swedish authorities, said that even if the US requested extradition of Assange from Sweden, no such extradition could take place without consent from UK authorities.

Sweden announced last week that Assange will be imprisoned after he is handed over to Swedish authorities and will have a court hearing four days after extradition from the United Kingdom to decide if he will stay in custody.

Update 5:20 pm EST: To add comment from Metropolitan Police spokesman.

Additional reporting by Juha Saarinen

House Committee Approves Sweeping, Warrantless Electronic Spy Powers

Rep. Lamar Smith (R-Texas) was a staunch supporter of the FISA Amendments Act. Photo: Wikipedia

A House committee on Tuesday reauthorized broad electronic eavesdropping powers that largely legalized the Bush administration’s warrantless wiretapping program.

The House Judiciary Committee, following the Senate Intelligence Committee’s lead last month, voted 23-11 to reauthorize the FISA Amendments Act. The legislation, expiring at year’s end, authorizes the government to electronically eavesdrop on Americans’ phone calls and emails without a probable-cause warrant so long as one of the parties to the communication is outside the United States. The communications may be intercepted “to acquire foreign intelligence information.”

Rep. Lamar Smith (R-Texas), the committee’s chairman, said before the vote that “We have a duty to ensure the intelligence community can gather the intelligence they need to protect our country.” He said terrorists “are committed to the destruction of our country.”

The FISA Amendments Act, which the Obama administration said was its top intelligence priority, generally requires the Foreign Intelligence Surveillance Act Court to rubber-stamp terror-related electronic surveillance requests that ensnare Americans’ communications. The government does not have to identify the target or facility to be monitored. It can begin surveillance a week before making the request, and the surveillance can continue during the appeals process if, in a rare case, the secret FISA court rejects the surveillance application. The court’s rulings are not public.

The House Subcommittee on Crime, Terrorism, and Homeland Security debated the measure last month and was clearly willing to side with the Obama administration’s demands that lawmakers re-authorize the bill, as the Senate Intelligence committee did. The Senate’s measure extends the powers until June 1, 2017.

The House Judiciary Committee’s action on Tuesday sends the measure, which extends the spy powers until Dec. 31, 2017, to the House floor for a full vote.

An amendment by Rep. John Conyers (D-Michigan) to reauthorize until June 1, 2015, failed on a 12-12 vote for lack of a majority. An amendment proposed by Rep. Jerold Nadler (D-New York) to require the attorney general to provide a redacted version of FISA Court rulings related to the act failed 14-17.

“The public does not have an adequate understanding of any adverse impact this has had on the privacy of American citizens,” Conyers said. “Neither the act nor the bill provides adequate safeguards.” Rep. Dan Lungren (R-California) blasted back: “What evidence is there that it is being used to spy on Americans?”

Rep. Sheila Jackson-Lee (D-Texas) offered an amendment requiring the government to disclose how many times — or at least an “estimate” of times — that the act captured the communications of Americans without warrants. That amendment failed 11-20.

Attorney General Eric Holder said the FISA Amendments Act’s passage was a top priority. Photo: Wikipedia

On the Senate side, Sen. Ron Wyden (D-Oregon) took Jackson-Lee’s concerns to another level.

The House Judiciary’s vote came a day after Wired disclosed that the National Security Agency told lawmakers that it would be a violation of Americans’ privacy to disclose how the measure is being used in practice. Two lawmakers, Wyden and Sen. Mark Udall (D-Colorado) had asked the government how many persons inside the United States have been spied upon under the FISA Amendments Act.

The National Security Agency responded that the “NSA leadership agreed that an IG (Inspector General) review of the sort suggested would further violate the privacy of US persons.”

Because the government has declined to say how the law is being used in practice, Wyden has barred the Senate from a routine vote using a little-used legislative power — called a hold — to block Senate lawmakers from taking a procedural consent vote. Instead, he demands a floor debate that can draw out the approval process indefinitely via the filibuster.

Wyden did the same thing a year ago with the Protect IP Act. That legislation, which would have dramatically increased the government’s legal power to disrupt and shutter websites “dedicated to infringing activities,” subsequently died a loud death in January amid a turbulent internet backlash.

No date has been set for a floor vote in either legislative chamber.

The original bill at issue was signed into law in July 2008 as a way to legalize the Bush administration’s warrantless wiretapping program, which President George W. Bush adopted, without congressional consent, in the wake of the 2001 terror attacks. It expires Dec. 31.

At the time, then-senator and presidential candidate Barack Obama voted for the measure, though he said the bill was flawed and that he would push to amend it if elected. Instead, Obama, as president, simply continued the Bush administration’s legal tactics aimed at crushing any judicial scrutiny of the wiretapping program, and his administration is now demanding that federal lawmakers extend the legislation for five years.

Open Letter to Internet Companies: Tell Us How Much We Are Being Surveilled

Google just unveiled the latest figures in its Transparency Report, which explains how often the company gives your private data to the government. Despite our criticism of the report’s lack of “transparency,” we applaud it nevertheless.

That’s right, for about two years, the Mountain View, California technology giant has been releasing the number of government requests for user data, and other numbers. The figures aren’t pretty, and they paint a picture of growing government surveillance.

But that is only a fraction of the surveillance puzzle.

We need not wear a tinfoil hat to understand that today we live in a digital world where paper is so yesterday, where most of our data and effects reside on the servers (the cloud) of internet companies. So it is time that these companies — Amazon, Apple, AT&T, Comcast, Facebook, Foursquare, Microsoft, MySpace, Skype, Sprint, Twitter, Verizon, Yahoo, and others — step up to the plate and follow Google’s lead.

Tell us, the public — your customers, who often entrust our private thoughts to you — how often the government demands our private data. A survey by the Electronic Frontier Foundation, shown at right, says you don’t make that public. Why not?

And go a step bigger than Google. Tell us how often the data is demanded without a probable-cause warrant. No company does that.

Google said the United States sought user data 6,321 times for the six months ending December 2011, data that includes email communications, documents, and, among other things, browsing activity and even IP addresses used to create an account.

Google didn’t say whether the government had probable-cause warrants to get the data. We have repeatedly urged it to do so.

We are riled up on this issue because the law does not always require a warrant for companies to hand over your deepest online thoughts to the government.

The 1986 Electronic Communications Privacy Act allows the government to acquire email or other stored content from an internet service provider without showing probable cause that a crime was committed, as long as the content has been stored on a third-party server for 180 days or more. Under ECPA, the government only needs to show that it has “reasonable grounds to believe” the information would be useful in an investigation.

The act was adopted at a time when email wasn’t stored on servers for a long time, but instead was held there briefly on its way to the recipient’s inbox. In the 1980s, email more than 6 months old was assumed abandoned, and therefore ripe for the taking without a probable-cause warrant.
