Use GLONASS, Comrade

Whether we’re exploring a new city or directing autonomous drones, GPS has long been a staple of modern life. However, GPS spoofing research has progressed over recent years, demonstrating that someone with a few thousand dollars, the know-how and spare time can spoof GPS signals and redirect vehicles that rely on GPS for navigation.

Experts have speculated this trick was used by Iran to capture a U.S. UAV, and now they are raising the alarm over suspected Russian GPS spoofing in the Black Sea. In this incident, tanker ships approaching port in the Black Sea near Novorossiysk had their GPS units incorrectly indicate they were at an airport. Similar disruptions have been reported near the Kremlin.

With Putin’s travel itinerary matching up with the tanker GPS disruptions, experts have postulated that this is a test or deployment of anti-consumer-drone technology. Drone manufacturers implement geo-fencing to prevent their informed, responsible users from flying around airports, so convincing all nearby drones that they’re at an airport seems like a nice way to keep them on the ground.

However, it’s not all “Dude, where’s my drone?” Work is being done to secure GPS systems from both jamming and spoofing, using more powerful directed signals, and also exploring different cryptographic tools to secure signals.

But until these improvements are in orbit and our pockets, we may need to keep a paper map handy and wait until heads of state are out of the area before we fly a drone.

Signal Improves Private Contact Discovery

The private communication tool Signal is a favorite of privacy advocates for its security and ease of use. But, it’s constantly been critiqued for its reliance on phone numbers as identifiers, making it difficult to use anonymously, and making it possible for the tool’s infrastructure to discover a user’s contacts list.

While it’s possible to use Signal with a second phone number, there doesn’t seem to be a clever data structure or systems set up to shield a user’s contacts list from the Signal server within acceptable tradeoffs of performance, scalability and privacy.

However, the Signal engineers have been hard at work developing an improved system, recently publishing their code and findings. Using the security of Intel’s SGX Enclave from inspection by the OS, they have a reasonably private area to compute within.

Also, SGX offers remote attestation, so clients can verify the SGX enclave is running expected code. However, SGX enclaves are limited to 128MB of private RAM, and a malicious OS could potentially learn about a user’s contacts by observing memory accesses the SGX enclave makes, even if it can’t read the memory itself.

This led the Signal developers to combine inspiration and tricks from Oblivious RAM with linear memory accesses and constant-time operations to shield as much information from a potentially compromised OS and kernel as possible.

For those that aren’t rocket surgeons, the takeaway is that Signal engineers have designed a system to make contact discovery more private, allowing users to place less trust in the servers than before. It’s no silver bullet, but certainly an interesting improvement.

Humbly Hack Everything

The good folks at No Starch Press and Humble Bundle have caught the infosec community’s attention by yet again teaming up to sell e-books for charity. No Starch Press, known for their variety of technical books, has offered up a cornucopia of infosec-related titles ranging from The Smart Girl’s Guide to Privacy and The Car Hacker’s Handbook to The IDA Pro Book.

As always with Humble Bundles prices start at $1 in a pay-what-you-want scheme, with further titles unlocked at higher purchase levels, and a configurable donation to various charities including the Electronic Frontier Foundation and Action Against Hunger. Books for cheap while the money goes somewhere useful - what’s not to like?