Newsletter from Kushal

Containing random links to read about privacy, security, programming and FOSS in general. Sometimes about life.

Last weekend I was at NULLCON in Goa, one of India's largest security conferences. This year Micah Lee was the keynote speaker, and he spoke about the alleged whistleblowers who were prosecuted during the Trump era.

Since last year, the NULLCON organizers have also run a special track for media and activists. Micah also gave the opening talk in that track, and after that we had a panel (co-hosted with Hasgeek, organized by Zainab and Anwesha) on the “Anatomy of Internet Shutdowns”; the four panelists were Arjun Venkatraman, Prateek Waghre, Raman Jit Singh Chima and Shehla Rashid Shora. The panelists spoke about the situation in India (which has the world's highest number of shutdowns) and the issues people face during the shutdowns.

After the panel, Saikat Datta talked about “Surveillance and journalism”, with many practical examples. For the rest of the day, I ran my “Digital Security workshop” for the journalists. We went through the basics and also answered the specific questions people had.

I want to especially thank Antriksh, Prateek and the rest of the NULLCON organizers for providing this safe space for journalists and activists to meet and discuss issues.

If you read the Caravan story about one of the activists from the Bhima Koregaon case, you will see the kind of environment (both legal and digital-security-wise) our activists go through. Malware was clearly present, and the police decided to skip it altogether.

This also brings our attention to the fight for privacy and online freedom, and especially to the Internet Freedom Foundation. We never had a similar organization in India, one that works on digital rights in the Internet era. To keep the fight going, the organization needs more regular donor members. To all of my Indian readers: if you can, please support the organization by becoming a donor member. The team there is doing an amazing job and needs our support in every way possible.

If you want to discuss any of these topics, hop on to the Freenode IRC server and come to the #learnandteach channel, or find me on the fediverse at https://toots.dgplug.org/@kushal.

Kushal

I am writing this letter after more than a month. There are too many things I want to write about, but I am going to keep this one very short and focused on attacks on mobile phones. Since last night, the biggest news on the Internet has been about the crown prince of Saudi Arabia sending malware to the richest person in the world, Jeff Bezos.

The story is on almost every news site. The incident happened using some kind of 0day attack via WhatsApp, and this is not the first time: Citizen Lab has recorded more than 100 new abuse cases.

Videos for the week

If you want to discuss any of these topics, hop on to the Freenode IRC server and come to the #learnandteach channel, or find me on the fediverse at https://toots.dgplug.org/@kushal.

Kushal

As the news of two malicious Python packages on PyPI spread across the Internet, I started revisiting all the hours our team at Freedom of the Press Foundation spent thinking about exactly this kind of attack and the ways to mitigate it. In this particular case, the attackers used typosquatting: they registered project names similar to legitimate ones and shipped malware-ridden code under them.

I gave a talk, “Building reproducible Python applications for secured environments”, at PyCon US this year on the mitigation process we follow. In simple words, we verify every source code update by reading the changes manually (with human eyes plus tools), and then build the wheel files ourselves and store them on our own index. Everything also gets verified via GPG signatures and known sha256sums.

We also publish the verification results on a wiki page and mail them to the diff-review mailing list. Feel free to join in there, and let others know too.
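The sha256sums check described above is also what stops a typosquatted wheel: a name that was never vetted is simply not in the allow list, and a vetted name whose bytes differ from the build we made ourselves fails the digest comparison. This is an added example of that check, not code from the FPF tooling or the talk; the package names, versions, wheel bytes and sums file are all constructed for the demo.

```python
import hashlib
import hmac
import re

# Constructed demo data (names, versions and wheel bytes are all invented):
# two vetted wheels and their SHA256SUMS-style allow list.
WHEEL_GOOD = b"constructed bytes of a vetted wheel"
WHEEL_OTHER = b"constructed bytes of another vetted wheel"
KNOWN_SUMS = (
    f"{hashlib.sha256(WHEEL_GOOD).hexdigest()}  vettedpkg-1.0.0-py3-none-any.whl\n"
    f"{hashlib.sha256(WHEEL_OTHER).hexdigest()}  otherpkg-2.1.0-py3-none-any.whl\n"
)
# Downloaded artifacts to check: one intact, one tampered, one typosquatted name.
DOWNLOADED = {
    "vettedpkg-1.0.0-py3-none-any.whl": WHEEL_GOOD,
    "otherpkg-2.1.0-py3-none-any.whl": WHEEL_OTHER + b"\x00tampered",
    "vetedpkg-1.0.0-py3-none-any.whl": b"whatever a typosquatted wheel ships",
}
SUM_LINE = re.compile(r"^([0-9a-fA-F]{64})\s+\*?(\S+)$")


def parse_sums(text: str) -> dict[str, str]:
    """Parse '<sha256>  <filename>' lines into {filename: digest}. A malformed
    line raises instead of being skipped, so a damaged file cannot shrink the list."""
    sums = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        m = SUM_LINE.match(line)
        if m is None:
            raise ValueError(f"malformed sums line {lineno}: {raw!r}")
        sums[m.group(2)] = m.group(1).lower()
    return sums


def verify_wheels(sums_text: str, wheels: dict[str, bytes]) -> dict[str, str]:
    """Status per wheel: 'ok', 'mismatch' (differs from the vetted build) or
    'unlisted' (not in the allow list, which is where a typosquat ends up)."""
    known = parse_sums(sums_text)
    status = {}
    for name, data in wheels.items():
        expected = known.get(name)
        if expected is None:
            status[name] = "unlisted"
        elif hmac.compare_digest(hashlib.sha256(data).hexdigest(), expected):
            status[name] = "ok"
        else:
            status[name] = "mismatch"
    return status
```

Only wheels that come back as "ok" should ever reach the installer; both "mismatch" and "unlisted" are hard failures.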

Video for the week

If you want to discuss any of these topics, hop on to the Freenode IRC server and come to the #learnandteach channel, or find me on the fediverse at https://toots.dgplug.org/@kushal.

Kushal

Sharing files securely with others over the network is always a big task. Which tool to use? Should I email them, SCP them, or copy them over to some secret server? OnionShare is a solution that fits most use cases and threat models. The tool works on Linux, Windows and macOS. You select the files, and it gives you a .onion URL from which your friend can download them; you can even mark the share for a single download only.

Infosec folks have been talking for a long time about not using random USB ports to charge your phone. You must have seen those ports in airport lounges or cafes. Now US government agencies have finally released advisories to let people know that this is risky. Do not use any random cable or port to charge your phone. SyncStop is a small USB device that can help if you have to use ports in different places.

Videos for the week

The Intercept is running a series on the Iran Cables leaks.

You can find me on the fediverse at https://toots.dgplug.org/@kushal. Feel free to ask me any questions or start a discussion over there.

Kushal

You have already seen how bad ICE can get, from letting children die to torturing immigrants. Now many GitHub employees have started a campaign to make their company drop its contract with ICE. There are transparent overlay images that anyone can add to their GitHub profile image to support the cause.

In the last few days it also came to light that the Indian nuclear power plant was not the only target of the cyber attack; ISRO was also attacked while the critical Mars mission was ongoing.

Videos to watch

I want to specially mention the Rust in Motion video tutorials; I think they are the best online training material available for anyone learning the Rust programming language.

If you want to discuss any of these topics, hop on to the Freenode IRC server and come to the #learnandteach channel, or find me on the fediverse at https://toots.dgplug.org/@kushal. I am also doing a digital security office hour today (13th November) at 14:30 UTC; feel free to ask any question you have over Mastodon with the hashtag #securityofficehour, tagging me in the question.

Kushal

In my last newsletter I wrote about WhatsApp-based targeted attacks. This story suddenly became a big thing in India when it was made public that many Indian lawyers and activists were also targeted. It is also very clear that the attack was directed by some government agency focusing on selected Indian citizens. Now many Indian news sites are talking about digital security, but not many are asking the government questions. Without any law on data protection and the privacy of Indian citizens, this kind of government surveillance will only increase with time.

You may also remember the cyber attack on the Indian nuclear power plant; now a group of South Korean malware analysts is claiming North Korea was behind it. The power plant first denied any issues and then later had to admit the attack.

Videos to watch

If you want to discuss any of these topics, hop on to the Freenode IRC server and come to the #learnandteach channel. Also, please share the newsletter on your favorite social media, as this is still a very new thing from me.

Kushal

Critical infrastructure is generally not connected to the public Internet. And yet there are too many misconfigurations in production, sometimes just because someone thought it was a good idea to mine bitcoins at a nuclear weapons facility.

Yesterday Pukhraj Singh tweeted:

So, it's public now. Domain controller-level access at Kudankulam Nuclear Power Plant. The government was notified way back. Extremely mission-critical targets were hit.

Yup, you read it right: a nuclear power plant was hit, using a static username/password combination over SMB. Following the standard Indian Government style of dealing with problems, the plant released a note saying there was no problem. Sadly, simply denying that there were any issues does not cover up the truth, and today a story in the Indian Express confirms the breach.

In other big news, Citizen Lab published a report on NSO Group’s attack over WhatsApp, which points out that WhatsApp has now officially filed a complaint against NSO Group in a U.S. federal court. The Washington Post has a detailed report. WhatsApp also messaged around 1400 users who might have been affected by this attack.

Videos to watch

If you want to discuss any of these topics, hop on to the Freenode IRC server and come to the #learnandteach channel. Also, please share the newsletter on your favorite social media, as this is still a very new thing from me.

Note: I think I managed to break the formatting; sorry for the trouble reading it.

Kushal

Twitter has become one of the primary news sources for many (including me). It has also enabled a large number of folks to ask questions that are not always easy to ask otherwise. But the algorithms that decide which tweets to show in the timeline behave according to the mood of the company. They can decide what kind of information you can see and what you cannot. For example, Twitter stopped showing almost any infosec-related tweets in my timeline.

Recently, following orders from the Indian Government, Twitter decided to remove more than a million tweets related to Kashmir. In case you don't know what is going on, Kashmir has been under siege since August 5, and all sorts of human rights violations are happening there. The state still has no Internet connection due to the shutdown forced by the government.

Videos to watch

If you want to discuss any of these topics, hop on to the Freenode IRC server and come to the #learnandteach channel.

Kushal

Facial recognition is a new weapon in the hands of regimes. China is already leading the way in using it as a tool of oppression, and other countries are getting excited and slowly following. Thankfully, activists around the world are also organizing resistance against it. Cities like San Francisco, Oakland, and Somerville, Massachusetts have already banned the use of facial recognition.

Sadly for Indians, the current regime is doubling its efforts to use biometrics and facial recognition in every possible way. Airports like Hyderabad are using them to allow boarding, and they will spread to other cities very soon. India is also creating a national facial recognition system. Details can be found here and here.

New releases for this week

Talks for the week

The L0pht video is a classic and a must-watch for every one of you. The second talk is a personal favorite.

If you want to discuss any of these topics, hop on to the Freenode IRC server and come to the #learnandteach channel.

Kushal

I keep reading random things on the Internet, and I feel a few of them will make sense to others too. But posting those links on my primary blog does not make sense. That is why I am starting this newsletter. I will try to make at least one post every week.

  • Pushing left like a boss: In this long series of posts, Tanya Janca explains the idea behind application security and why it has to be thought about from the very beginning of the development process.

  • Blood money and Gitlab: Gitlab said that they are okay with taking money from any client; this brings back the memory of IBM doing business with Nazi Germany.

  • Just in case you are interested in connected urinals, check this tweet.

  • The FinFisher malware authors used legal threats against a German news outlet.

Book suggestion

Both books are amazing reads, full of previously unknown details. If you want to discuss any of these topics, hop on to the Freenode IRC server and come to the #learnandteach channel.

Kushal
