Revoking Chinese CNNIC Root Certificate in Mac OS X
Earlier this month, Google and Firefox both dropped the Root Certificate of Chinese Certificate Authority CNNIC, after it was discovered that it had delegated its authority to an Egyptian intermediary to allow it to fraudulently sign SSL/TLS certificates for the google.com domain (presumably for the purposes of performing man-in-the-middle attacks and snooping on Egyptian internet traffic).
Apple, despite releasing Mac OS X 10.10.3 and iOS 8.3, has yet to remove this rogue CA. I hope that Apple joins in and revokes the CNNIC in an upcoming update, but in the meantime you can remove it from OS X yourself!
Simply run the following command in the Terminal and *poof*, another unnecessary and untrusted CA bites the dust:
sudo security delete-certificate -c "CNNIC ROOT" /System/Library/Keychains/SystemRootCertificates.keychain
It’s worth pointing out that a deleted Root CA cert may re-appear in a subsequent system update (I will check when 10.10.4 comes out). The alternative to this, which can only be achieved using Keychain Access (I believe), is to tell OS X to never trust a given Root CA certificate – a setting that shouldn’t be undone by future updates. To do this:
- Open Keychain Access
- Click on ‘System Roots’ on the left
- Right-click on the Root CA you don’t trust (ie. CNNIC ROOT) and select Get Info
- Expand the ‘Trust’ section
- Select ‘Never Trust’ from the “When using this certificate” dropdown
- Close the panel (OS X will probably ask for your password to authenticate the change)
- You should then see a red X icon next to the untrusted cert.
I personally think that our operating systems and browsers already trust far too many Root CAs, many of which are unnecessary and others potentially malicious. OS X by default trusts around 204 Root CAs. I’m planning on cutting this down to a short list of CAs that are both (a) trusted and (b) necessary for normal day-to-day use of the Internet. I’ll report back on that when I get time.
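To check whether a deleted root has come back after a system update, and to count how many roots the System Roots keychain holds, the listing from `security find-certificate -a` can be parsed. This is an added example, not part of the original post; it assumes the usual attribute layout of that listing (a `"labl"<blob>="..."` line per certificate), and the sample listing and the name "Example Root CA" are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): check the System Roots keychain
# for a root CA you removed, e.g. after installing an OS X update.
ROOTS_KEYCHAIN="/System/Library/Keychains/SystemRootCertificates.keychain"

# Print the label ("labl" attribute) of every certificate in a
# `security find-certificate -a` listing read from stdin.
# Only plain quoted labels are handled; hex-encoded labels are skipped.
list_labels() {
    sed -n 's/^[[:space:]]*"labl"<blob>="\(.*\)"[[:space:]]*$/\1/p'
}

# Count certificates whose label is exactly $1 (no substring matches).
count_label() {
    list_labels | grep -c -x -F -- "$1" || true
}

# Count all certificates in the listing.
count_roots() {
    list_labels | wc -l | tr -d ' '
}

# Constructed sample listing so the functions can be tried off a Mac.
# "Example Root CA" is a made-up name.
sample_listing() {
    cat <<'EOF'
keychain: "/System/Library/Keychains/SystemRootCertificates.keychain"
version: 256
class: 0x80001000
attributes:
    "alis"<blob>="CNNIC ROOT"
    "labl"<blob>="CNNIC ROOT"
keychain: "/System/Library/Keychains/SystemRootCertificates.keychain"
version: 256
class: 0x80001000
attributes:
    "alis"<blob>="Example Root CA"
    "labl"<blob>="Example Root CA"
EOF
}

# On a Mac, run the real listing; elsewhere, fall back to the sample.
if command -v security >/dev/null 2>&1; then
    listing=$(security find-certificate -a "$ROOTS_KEYCHAIN")
else
    listing=$(sample_listing)
fi
echo "Roots listed: $(printf '%s\n' "$listing" | count_roots)"
echo "CNNIC ROOT entries: $(printf '%s\n' "$listing" | count_label 'CNNIC ROOT')"
```

A non-zero "CNNIC ROOT entries" count after an update means the deleted certificate has been restored and the delete command needs to be run again.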
Unfortunately, there is no mechanism in iOS to remove certificates from the Root CA store. The list of current trusted Root CAs in iOS can be found here.
Illinois Man Faces 75 Years in Prison for Recording Police
From BoingBoing: “42-year-old Michael Allison of Illinois could spend the rest of his life in prison for recording police in public. He faces five counts of eavesdropping, a class one felony”. That’s the equivalent of rape.
This is absolutely crazy. How law-abiding and tax-paying citizens (who pay for the police) can be harassed for wanting to make on-duty police officers accountable for their actions is beyond understanding. All one has to do is look at the sheer quantity of illegal police behaviour (and more), to see why the free recording of police officers is so absolutely necessary; both for the public’s protection and sometimes the police officers’.
The definition of eavesdropping is “to listen secretly to the private conversation of others”. In this case, the police not only knew they were being recorded (edit: allegedly, if recent reports are true, officers were NOT aware they were being recorded, which is what landed Allison in hot water), but it was a conversation between them and Michael Allison. If police officers are allowed to record audio or video of the public with impunity, the public should be allowed to record the police going about their official duties. 75 years for recording on-duty police officers doesn’t even pass the guffaw test for me; a sensible jury will never convict him, if this ever even goes to court – END OF STORY.
[Updated 7/9/11] If recent reports are true, Michael Allison may also have been stupid as well as unlucky. Apparently he covertly recorded court proceedings (which is definitely illegal), and then lied about it to the judge (also illegal), which is how he ended up with all the additional counts of eavesdropping.
Watch the video below for the full story, it’s a great summary.
In a related story where a man was arrested for filming police in Massachusetts, a federal court ruled that videotaping police is an unambiguous and constitutionally protected right.
iPhone/iPad iOS 4.3.3 Fixes Location Tracking Bugs
Following the recent over-hyped “location tracking scandal”, Apple has released iOS 4.3.3 which fixes bugs in the Location Services on iPhone and iPad devices that caused them to store excessive location information. As detailed by Apple’s Q&A on Location Data, the location data stored on iOS devices (and backed up by iTunes) are merely a subset of Apple’s crowd-sourced location database of Wifi hotspots and cell towers, used to facilitate Location Services when GPS is unavailable or unreliable. The bugs were causing iOS to download this location cache even if Location Services were turned off, and to store the cache indefinitely, instead of being regularly purged.
This update contains changes to the iOS crowd-sourced location database cache including:
- Reduces the size of the cache
- No longer backs the cache up to iTunes
- Deletes the cache entirely when Location Services is turned off
It’s nice to see Apple resolve this issue so swiftly, and these changes will help improve the privacy of iPhone and iPad users, regardless of whether they use Location Services. The only thing I would have added if I were Apple, is the ability for the user to clear the location cache in the device settings. It’s a button that could be easily added in Settings > Location Services. Just sayin’!
Everything You Need to Know About the iPhone Tracking ‘Scandal’ [Updated]
Seeing as I cover OSX/iOS security and privacy, I figured it’s about time I weighed in on this whole iPhone/iPad tracking ‘scandal’. I have to admit I was surprised when I first heard of the iPhone storing location data, especially that it does so with Location Services turned off. This issue is not new, however, and was described in a fair amount of depth by Alex Levinson several months ago. What has made it so popular this month is the release of the iPhoneTracker app, developed by Pete Warden and Alasdair Allan, that creates a visual map of your visited locations. I promptly tested iPhoneTracker, and sure enough it showed a bunch of areas that I’d visited. Upon closer inspection, however, I noticed that it didn’t specifically geolocate me in two places where I’d spent a lot of time; namely home and work. On top of that, there were a number of locations I’d never even been to.
[Updated] According to the info recently published by Apple, this stored location data is not the location of the iPhone itself, but rather a subset of crowd-sourced location information for local cell towers and wifi networks, which is only used to rapidly provide the user with location information. Full details at the bottom of this post.
The Slippery Slope of Civil and Human Rights at Toronto’s G20 Protests
Every year, representatives from the G20 (top 20 economic countries) get together to discuss issues pertaining to international finance. Every year, people from all political and sociological beliefs get together to protest (most of them peacefully) for their particular cause. Last year, at Toronto’s G20 summit in June 2010, it all went horribly wrong; and for the first time that I can remember, a developed and democratic western country revealed just how easily civil and human rights can be swept away, and police be used to control innocent civilians.
The video below, entitled Under Occupation, provides real and shocking accounts of the events that transpired that week. Watch it.
Researchers Extract iPhone Data and Passwords in Minutes
A group of German security researchers from the Fraunhofer Institute for Secure Information Technology have discovered a way of extracting personal information and stored credentials from a locked iPhone, by way of a jailbreak. By gaining physical access to an iPhone (or iPad/iTouch), an attacker is able to reboot it into recovery mode, thus allowing them to upload their own jailbroken firmware onto the device. As part of this process SSH is enabled and a script can then be uploaded to the device which uses built-in system calls to extract encrypted data (including credentials in the keychain) from the device. See the video below for a demo of their attack, which can take as little as six minutes.
This attack would not be possible without existing jailbreak mechanisms, which effectively bypass the iPhone’s sandbox and allow unsigned code to be executed. The second issue is the way that iOS handles stored data and credentials, allowing any application to request the information. This is actually a prime example of the dangers of having a jailbroken iPhone or iPad, as it makes it much easier for an attacker to execute malicious code on your device.
These kinds of issues are not isolated to iOS devices, and the same would exist on other devices that could be made to run custom scripts. This will be a tricky issue for Apple to resolve, as much of its security relies on a strong sandbox. Their best chance is to try to identify and patch as many of the vulnerabilities that could be used for a jailbreak. They will also need to review the way iOS handles encrypted data, and ensure that data cannot be extracted by arbitrary applications.
Luckily there is not yet a publicly available automated tool to perform this attack, so it is unlikely that a random thief will be obtaining your data. If you’re really worried, you can use Apple’s free Find My iPhone service to remotely wipe your iOS device should it be lost or stolen. Check out my article on protecting and recovering your iPhone from loss and theft for more information.
The team’s original research paper is available here (PDF).
Invading Privacy Using Information Scraps
I’ve just stumbled across this post on the Attack Vector blog where the author, Matt, gets back at a spammer by digging up a whole bunch of personal info about him and his family, and posting it online. The post itself is from May 2010, but I felt it reflected the importance of being aware of one’s privacy on the internet.
Using only the spammer’s email address and IP address, he describes the process of gradually digging up information in WHOIS records, Google, Facebook, and other information mining sites, in order to obtain a fairly descriptive profile. I highly recommend reading it for anyone who’s interested in online privacy or information gathering.
I also recommend using the following Venn diagram when considering the effects of the internet on your privacy:
There is no overlap. Diagram by Dave Hoffman.
Phil Mocek Acquitted on TSA’s No-ID and Recording Charges
In November 2009, Phil Mocek (@pmocek) was arrested by Albuquerque Police at Albuquerque Airport for not providing a piece of identification, and recording the TSA process on camera (video below). In the US, one’s right to fly is guaranteed by Federal Laws and the Constitution, and as long as you do not break any other laws, local or state police cannot legally prevent you from flying.
Mocek was charged with things like criminal trespass, refusing to obey an officer, concealing his identity, and disorderly conduct. On 21 January 2011, he was acquitted on all charges by a jury without the defense having to call any witnesses or provide any evidence. The prosecution’s case simply did not stand up.
In a previous court case against another man who refused to show ID, the TSA admitted that there is actually no law that requires travelers to present ID in order to be able to fly. In the US, it is also perfectly legal to record video in public areas of the airport, despite what signs, staff or police may claim.
This case is reminiscent of John Tyner, who was thrown out of San Diego Airport for refusing the new TSA (grope) patdown. Note that you may want to familiarise yourself with the relevant laws regarding ID and recording in your own country.
Full details are available here. Well done to Phil for protecting his rights, and in the process, all of ours as well. Speaking of TSA security measures, I thought this recent Dilbert comic was particularly fitting.
OpenLeaks Website Goes Live
The website for the independent whistleblowing platform, OpenLeaks, has gone live. The concept behind OpenLeaks is to provide a secure document delivery dropbox and storage method for would-be whistleblowers. On the receiving end, news organisations, human rights groups, and others will be able to access the files and make them public should they feel it necessary.
Unlike Wikileaks, OpenLeaks plays no part in the actual editorial and publication process; it is a content distribution method that bridges the gap between leakers and publishers.
Check out the video below for their introduction to OpenLeaks:
UK Scale Back Anti-Terrorism Laws
In what can only be described as a small win for freedom and privacy activists fighting an uphill battle in the UK, the government has decided to scale back some of their anti-terrorism laws, which have been among the most stringent in the western world. Since 9/11, the UK government has had the right to hold terror suspects for up to 28 days before charging or releasing them. The only problem is that the definition of ‘terror suspect’ has become increasingly wide over the past few years. Following the changes, announced by British Home Secretary Theresa May, the police can now only hold terror suspects for 14 days. The U.S. authorities only have 7, and the French 6 days.
The British police are also no longer allowed to perform random (read: profiled) searches of the public, and can’t prevent people from taking pictures of landmarks on the suspicion of being potential terrorists. The changes also include a proposed reform of the house-arrest style (and Big Brother sounding) Control Orders, which originally imposed a curfew of up to 16 hours with an anklet, limited contact with other people, and banned an individual from using the Internet or traveling abroad. The new renamed plan will enforce an 8-10 hour curfew with anklet, prevent Internet access from a mobile phone, and enforce limited (and presumably monitored) access to websites from a home computer. Suspects could still be banned from meeting with specific individuals, and visiting certain buildings or streets.
Despite the changes, human rights groups are seeing this as a betrayal from the new government that took office in May 2010 after having pledged to restore civil liberties in the UK. There are also a number of other overpowered laws, such as the Regulation of Investigatory Powers Act (2000), that are repeatedly abused to monitor and police normal citizens.