Transcription

Julian Assange gets arrested, WPA3 has serious security holes, and Amazon employees are listening to audio clips from Echoes. All that coming up now on ThreatWire. Greetings, I'm Shannon Morse and this is ThreatWire for April 16, 2019. Your summary of the threats to our security, privacy, and internet freedom. Real quick, I would like to give a special shout out to my newest Patreon supporters this week, including Zach, LOD, Jeroen, Jim, Alexander, Derek, and Geeks Are Wired Podcast. I would also like to say thank you to everyone who contributes to my content on all of my alternative platforms. If you're not a big fan of Patreon, but you want to support ThreatWire, head up my website over at snubzzy.com slash support for a bunch of different ways you can support my free content and thank you to everyone who checks that out. I will put that link in the show notes and if you are interested in supporting ThreatWire on Patreon, head up patreon.com slash ThreatWire and now it's time for the news. Julian Assange is the 47-year-old founder of a website called Wikileaks, which brought us notable leaks of classified government documents such as official records, campaign emails, and ones that we have reported on here, government hacking tools, many of which went on to make headline news with large outlets. In London on Thursday, he was arrested and is currently in British custody after losing his asylum with the Ecuadorian embassy. He gained asylum with the Ecuadorian embassy in 2012 and has stayed there since then. His stay was not all that positive though. The embassy cut him off from internet in March of 2018 after he interfered with state affairs. Wikileaks appointed a new editor-in-chief at that time and the Ecuadorian embassy has been in talks with the British government since 2018 to withdraw his asylum. Wikileaks tweeted about the potential arrest about a week before it actually happened, citing a source within the Ecuadorian state. Assange's Wikileaks gained lots of notoriety when the site leaked video of a US military helicopter, which was later tied to then-US Army intelligence analyst Chelsea Manning. Wikileaks was also the site that leaked Clinton campaign emails in 2016 and later in 2017 published CIA hacking tool documents. All this arrest was not made due to the leaked documents. It was made because a US federal prosecutor charged Assange with conspiracy to hack a government computer in which conversations were documented to happen between himself and Manning to steal a password for a government system. In these conversations, Assange stated that he had been trying to crack a password but did not claim to have any success in doing so. This could be enough to charge him under the Computer Fraud and Abuse Act. London Metropolitan Police arrested him after he was found guilty of breaching bail many years ago, which could bring a prison sentence of up to 12 months on its own. But Assange and his lawyers are more concerned with the US's potential extradition due to the hacking charges. He could face up to five years in prison for the US's charge. Manning was also arrested and is currently being held in a US jail during an FBI investigation, though it's not certain if her current status is related to the Assange case because the US court has denied a Freedom of Information and Privacy Act request. While many believe that he should not be extradited because WikiLeaks is acting as a journalistic outlet, others believe that he should be because he is accused of committing crimes to obtain the documents. And to continue on this topic, any site that publishes classified materials is covered under journalistic intent, but the person committing a crime to steal those documents is not. Assange will appear in court on May 2nd. WPA3, which is the newest generation of Wi-Fi-protected access protocol, was released about 15 months ago, and at the time, it was revered as being very secure against password-based attacks. On Wednesday, two security researchers named Matthew Van Hulft and Eyo Ronan released a research paper detailing several attacks against WPA3 titled Dragonblood, a security analysis of WPA3's SAE handshake. WPA3 does have advantages over WPA2. It is more protected against offline dictionary attacks and enhanced forward secrecy, but it does come with many flaws as well. The research shows that the WPA3's simultaneous authentication of equals handshake, which is SAE for short, and also known as Dragonfly, is affected by password-partitioning attacks. These are very similar to dictionary attacks in that an attacker could recover a password by abusing timing or cache-based side-channel leaks. The researchers detail each of these attacks they were able to test as well as mitigation techniques and minor changes that can prevent most attacks in the future. This SAE handshake is an upgrade from the current WPA2 four-way handshake, which contains a hash of the network password and allows for in-range attacks. Dragonblood shows that many of the attacks that were used against WPA2 networks could similarly be used on WPA3. The researchers state in their paper that they had the Wi-Fi Alliance heeded advice early on about the password encoding for WPA3, then this would not have been an issue like it is now. But since the new protocol has also been put into effect and many vendors are already implementing it, now the best option is to mitigate the problem with patches. Extensible authentication protocol networks, which are also called EAP-PWD-enabled networks, are also vulnerable to Dragonblood attacks. However, enterprise networks that don't use EAP-PWD as an option are not vulnerable to any Dragonblood attacks. The first attack takes advantage of the backwards compatibility of WPA3, when devices don't support the new protocol. The attacker could use a man-in-the-middle attack against the network router when it's sending out wireless beacons so that it looks like it is only a WPA2 router. A four-way handshake is initiated and captured. If the attacker already knows the SSID of the network, which by all means is very easy to get just by sniffing 2.4GHz with ready-made pen testing tools, they could also create a spoof network of the same name, at which time clients could connect to their WPA2 network instead of the ready-made and real WPA3 one. The downgrade attacks do not even stop there. The researchers were also able to jam and forge the Dragonfly handshake so that its encryption algorithm is forced to use a weaker option. These downgrade attacks work on many devices from many different manufacturers too. Side-channel leaks were also possible, and these attacks use malicious applications or scripts to steal information about the network password during handshakes. Another similar attack steals timing-based information from the handshake to track the password encoding iterations. Both of these could help an attacker brute-force the password with very little time needed. And lastly, the researchers could also run a denial-of-service attack against the WPA3 network, which would keep devices from connecting to them at all. Each of these attacks were responsibly disclosed to providers, and they all have CVEs on file. The Wi-Fi Alliance has also posted a security bulletin detailing the issues and their identifiers, and recommends updating devices. So to fix these problems, manufacturers will need to implement patches and software updates for their devices. Manufacturers should update their firmware ASAP and ensure that they are using strong passwords. Before we hit story number three, I want to say thank you so much to my Patreon supporters. If you are interested in getting access to a slew of extras and a whole ton of perks, even if it's just one or two bucks a month, hit that button to become a Patreon supporter because it all helps, and it shows me that you appreciate the work that I'm putting in for this show each and every week. And also a big thanks to our Hushpuppi perk-level patrons for sending in their furbaby photos. I love them. They're adorable. Make sure to keep them coming. In a recent report by Bloomberg, Amazon is reported to employ thousands of humans worldwide whose job is to improve the ALEXA digital assistant by listening to voice recordings, transcribing them, and annotating the data, then feeding that data back into the software. They're working to improve the assistant's understanding of speech and dialects so that it improves recognition and responses over time. The process was described by several people close to the matter, explaining that both contractors and full-time employees work on the transcribing. The team has offices all around the globe, and all of them sign NDAs barring them from talking about it publicly, which apparently they did anyway with Bloomberg. Shifts are 9 hours long, listening to up to 1,000 audio clips per shift. Teams generally find the work mundane, but they use an internal chat to share files for the walls or for help figuring out what a user said. Workers stated that even if they hear something disturbing, they can't really do anything about it and Amazon doesn't have any guidance on how to react. According to an Amazon spokesperson, privacy is taken very seriously, and very small samples of echo data are actually annotated. They have a zero-tolerance policy for abuse of the system, and they have safeguards in place like no direct access to identifying information or account info, and multi-factor authentication for restricted access, encryption, and audits. The echo privacy settings allow you to disable voice recordings from being used to develop new features, but they could still be used in this human analyzation. The recordings do not have full names or addresses attached to them, but they do include a first name, an account number, and a device serial number, all of which could be used to remove anonymity to the recording. Since echo devices often seem to record or wake up without signaling them with their wake-up word, this team is supposed to help the algorithm learn and become better at understanding the human voice data. But there is no information as to how long these audio recordings are actually stored. Apple's assistant recordings are stored for six months with a random identifier, at which time recordings can be stripped of any data and stored to improve the recognition. Google's assistant is also reviewed, but is not associated with personally identifiable details and the audio is distorted. However, how long it is stored is up for debate. If you want to erase your data from your account, you can do so by opening the Amazon Assistant ALEXA app and then going into your history. You can also toggle privacy options under the My Account Privacy Manage menu, where specifically you can disable the Improved Transcription Accuracy option. Due to this article, the Illinois State Senate passed the Keep Internet Devices Safe Act on April 10th, barring manufacturers from collecting audio from connected devices without disclosure to users. This bill lost its teeth after lobbying by the Internet Association, which is backed by, you guessed it, Amazon and Google. The bill still has to pass the Illinois State of Reps, though, but originally the bill did state that collection of audio would be unlawful under the Computer Fraud and Deceptive Business Practices Act and carry fines of up to $50,000 per case. But because of the lobbying group, the Internet Association, they balked at this, stating that it could allow for frivolous case action litigation in Illinois and the company terms of service would be unenforceable even if failure to disclose recordings was accidental. So while the bill was passed, it does not include any enforcement provisions, just that the Attorney General can enforce it. Just no information there. Users would not even be able to launch class action lawsuits. And with that, I'm Shannon Morse, don't forget to like and subscribe, and I'll see you next time on the Internet.