Security

GoGo in-flight WiFi creates man-in-the-middle diddle

Join the mile-high club by getting screwed with fake certs


In-flight wifi service Gogo, once accused of facilitating excessive interception access for US law enforcement, has now been spotted using fake Google SSL certificates to spy on net traffic and prevent passengers from accessing video streaming services.

Google engineer Adrienne Porter Felt (@__apf__) noticed the fake SSL certificate, which masqueraded as originating from her employer, and publicly called on the company to explain its actions.

Chief technology officer Anand Chari said only that it used the certificates to block streaming services while it upgraded network capacity and did not collect user data.

"Right now, Gogo is working on many ways to bring more bandwidth to an aircraft. Until then, we have stated that we don't support various streaming video sites and utilise several techniques to limit or block video streaming," Chari said in a statement.

"One of the recent off-the-shelf solutions that we use proxies secure video traffic to block it.

"Whatever technique we use to shape bandwidth, it impacts only some secure video streaming sites and does not affect general secure internet traffic."

But there were, as Felt said, "better ways to do it" than mounting a man-in-the-middle attack against users.
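What a client actually sees when a proxy presents a forged certificate, as an added example (not Gogo's or Google's code): two in-memory chains for www.google.com are minted, one under a constructed trusted root and one under a constructed interception-proxy root, and only the first passes the trust check a browser performs before accepting a TLS connection. The root names and the `*.example` hostnames are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue mints a certificate for name: self-signed when parent is nil, otherwise signed by parentKey.
func issue(name string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: name},
		DNSNames:              []string{name}, // SAN entry, which is what hostname matching uses
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// VerifyForHost is the browser's check: does leaf chain to a root the client trusts, and is it valid for host?
func VerifyForHost(leaf, trustedRoot *x509.Certificate, host string) error {
	roots := x509.NewCertPool()
	roots.AddCert(trustedRoot)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}

// BuildScenario constructs a genuine www.google.com leaf under the client's trusted root and a look-alike
// leaf for the same name issued by an interception proxy's own root (all names constructed for the example).
func BuildScenario() (trustedRoot, genuineLeaf, proxyRoot, proxyLeaf *x509.Certificate) {
	trustedRoot, trustedKey := issue("constructed-trusted-root.example", true, nil, nil)
	genuineLeaf, _ = issue("www.google.com", false, trustedRoot, trustedKey)
	proxyRoot, proxyKey := issue("constructed-proxy-root.example", true, nil, nil)
	proxyLeaf, _ = issue("www.google.com", false, proxyRoot, proxyKey)
	return trustedRoot, genuineLeaf, proxyRoot, proxyLeaf
}
```

The proxy-minted leaf fails with "certificate signed by unknown authority", which is the warning Felt saw; a proxy can only avoid it if its root has been installed on the client, which no passenger had done here.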

The company's willingness to exceed the mandatory requirements for the provision of telecommunications interception, discovered by American Civil Liberties Union technologist Chris Soghoian and detailed by Wired, extended the concerns beyond a debate on the legitimate use of bogus SSL certificates.

In September last year the company revealed in a letter [PDF] submitted to the Federal Communications Commission that it exceeded the requirements of the Communications Assistance for Law Enforcement Act (CALEA).

Gogo said at the time that an additional capability, seemingly the use of CAPTCHA to prevent remote access, was an apparent lone function that was not related to traffic monitoring.

The news should serve as a warning to onboard users wishing to keep their data out of government hands. ®


SpaceX Starlink satellite streaks now present in nearly fifth of all astronomical images snapped by Caltech telescope

Annoying, maybe – but totally ruining science, no

SpaceX’s Starlink satellites appear in about a fifth of all images snapped by the Zwicky Transient Facility (ZTF), a camera attached to the Samuel Oschin Telescope in California, which is used by astronomers to study supernovae, gamma ray bursts, asteroids, and suchlike.

A study led by Przemek Mróz, a former postdoctoral scholar at the California Institute of Technology (Caltech) and now a researcher at the University of Warsaw in Poland, analysed the current and future effects of Starlink satellites on the ZTF. The telescope and camera are housed at the Palomar Observatory, which is operated by Caltech.

The team of astronomers found 5,301 streaks left over from the moving satellites in images taken by the instrument between November 2019 and September 2021, according to their paper on the subject, published in the Astrophysical Journal Letters this week.

AI tool finds hundreds of genes related to human motor neuron disease

Breakthrough could lead to development of drugs to target illness

A machine-learning algorithm has helped scientists find 690 human genes associated with a higher risk of developing motor neuron disease, according to research published in Cell this week.

Neuronal cells in the central nervous system and brain break down and die in people with motor neuron disease, such as amyotrophic lateral sclerosis (ALS), more commonly known as Lou Gehrig's disease, named after the baseball player who developed it. Patients lose control over their bodies and, as the disease progresses, become completely paralyzed. There is currently no verified cure for ALS.

Motor neuron disease typically affects people in old age and its causes are unknown. Johnathan Cooper-Knock, a clinical lecturer at the University of Sheffield in England and leader of Project MinE, an ambitious effort to perform whole genome sequencing of ALS, believes that understanding how genes affect cellular function could help scientists develop new drugs to treat the disease.

Need to prioritize security bug patches? Don't forget to scan Twitter as well as use CVSS scores

Exploit, vulnerability discussion online can offer useful signals

Organizations looking to minimize exposure to exploitable software should scan Twitter for mentions of security bugs as well as use the Common Vulnerability Scoring System or CVSS, Kenna Security argues.

Better still is prioritizing the repair of vulnerabilities for which exploit code is available, if that information is known.

CVSS is a framework for rating the severity of software vulnerabilities (identified using CVE, or Common Vulnerabilities and Exposures, numbers) on a scale from 1 (least severe) to 10 (most severe). It's overseen by First.org, a US-based, non-profit computer security organization.

Sniff those Ukrainian emails a little more carefully, advises Uncle Sam in wake of Belarusian digital vandalism

NotPetya started over there, don't forget

US companies should be on the lookout for security nasties from Ukrainian partners following the digital graffiti and malware attack launched against Ukraine by Belarus, the CISA has warned.

In a statement issued on Tuesday, the Cybersecurity and Infrastructure Security Agency said it "strongly urges leaders and network defenders to be on alert for malicious cyber activity," having issued a checklist [PDF] of recommended actions to take.

"If working with Ukrainian organizations, take extra care to monitor, inspect, and isolate traffic from those organizations; closely review access controls for that traffic," added CISA, which also advised reviewing backups and disaster recovery drills.

Version 7 of WINE is better than ever at running Windows apps where they shouldn't

Improved graphics card, multi-monitor, Direct3D, and 64-bit support

Version 7 of the WINE compatibility tool for running Windows programs on various *nix operating systems is here, bringing notably improved 64-bit support.

WINE has come a long way. It took 18 years to get to version 1.0 and another nine years to get to version 2, but since version 3 in 2018, it's averaged roughly one major release per year. The project is now mature, stable, and quite functional. A lot of Windows programs work fine that formerly didn't. It's not limited to Linux – it also supports macOS and FreeBSD, and Linux relatives ChromeOS and Android.

This may in part be due to its corporate backing. The project has had several business sponsors over the decades, including Corel, which invested substantial effort to help port WordPerfect Office, and later Google, which did the same so that the now-cancelled Picasa would work better on Linux.

Vulnerabilities and censorship tools among hot new features in Beijing's Olympics app

Visitors have to install it 14 days prior to arrival in China and keep it until their departure

Toronto-based Citizen Lab has warned that an app required by Beijing law to attend the 2022 Olympics contains vulnerabilities that can leak calls and data to malicious users, as well as the potential to subject the user to scanning for censored keywords.

"To support the successful delivery of the Games and the safety of all Games participants, Beijing 2022 has developed the 'My 2022' application, which includes information provided by the Organising Committee, the City of Beijing and also general information," reads the International Olympic Committee's Beijing 2022 playbooks.

The playbooks [PDF], which are documents that serve as info guides for Olympics-goers, instruct international visitors to download the app and use it to monitor health for 14 days prior to their departure for China.

Party on Semiconductor Street as worldwide 2021 revenues top record half a trillion dollars

Gartner reports 25.1% growth off the back of supply chain pain

Semiconductor giants enjoyed soaring revenues in 2021 as global sales topped the half-trillion-dollar mark for the first time against a backdrop of squeezed supply chains.

Preliminary numbers by tech analyst Gartner put revenues at $583.5bn for 2021, a jump of 25.1 per cent on the previous year with demand and raw material costs pushing up average selling prices (ASPs).

There was also change at the top as Intel's crown was snatched back by Samsung. The US chipmaker's revenues were almost static, growing by a mere half a per cent (the lowest among the top 25 vendors) to $73.1bn. Sammy, on the other hand, leapt by 31.6 per cent to $75.95bn.

Japan solves 5G airliner conundrum: Keep mobe masts 200m from airport approach paths. That's it

(And maintain a guard band.) US airliners melt down as rest of world moves on

American aviation regulators have banned the use of autoland at some of their country's airports as the local debate about 5G phone mast emissions and airliners continues – while Japan claims to have solved the problem a year ago.

This morning Emirates, the largest airline of the United Arab Emirates, declared it was suspending flights to nine US airports as mobile network operators in the States said they were suspending their planned switch-on of 5G services. It follows Japan's All Nippon Airways (ANA), Japan Airlines and Air India, according to the Daily Mail.

Yet in Japan itself the solution was straightforward, with local scientists telling the International Civil Aviation Organisation last year: "To avoid the blocking of radio altimeters, the location of the high-power 5G base station should be avoided within 200m from the approaching route of aircraft."

UK data watchdog slaps Ministry of Justice with Enforcement Notice for breaking GDPR law

ICO threatens £17.5m fine over late processing of subject access requests

The UK's data watchdog has issued the Ministry of Justice with an Enforcement Order [PDF] after the government department broke data protection laws by failing to process thousands of subject access requests (SARs) without undue delay.

The Information Commissioner's Office (ICO) said it was made aware of the backlog by the MoJ – the data controller – in January 2019 and spoke to the ministry over the course of the year, mulling potential action. Then the pandemic hit, leading to a change in the ICO's approach to regulatory action, and it paused the probe.

By October 2020, the ICO asked for an update on the number of outstanding SARs, but the MoJ said it too was struggling under the COVID-19 outbreak and had sought to prioritise requests that were "urgent" due to legal proceedings like immigration hearings or police investigations.

Fire in Berlin factory won't 'significantly' impact output, says ASML

Dutch semiconductor lithography bigwig reports net sales up by a third

ASML – the outfit that outfits the chipmakers with chipmakers – believes the recent fire at its Berlin factory on 2 January will not have a "significant impact" on its output in 2022.

Microsoft sends HoloLens 2 into a care home... Nope, not a headline gag about retiring the tech. They actually did this

Hands-free kit a 'game changer' for doctors assessing residents during pandemic

Microsoft has bragged about how its HoloLens 2 is being used by doctors to assess care home residents in a COVID-safe way.

One might wonder if the elderly haven't suffered enough during the pandemic without throwing Microsoft's Augmented Reality technology into the mix. However, with rules and guidance making in-person appointments a little tricky, having a staffer don the goggles while a doctor looks on remotely is not a terrible option.

Microsoft unveiled the follow-up to its clunkier predecessor in 2019. At the time there was much rejoicing concerning 3D models and collaboration. Recent events have made that remote collaboration pitch seem somewhat prescient.