Security News Bites for the Week Ending September 14, 2018

How, Exactly, Would the Government Keep a Crypto Backdoor Secret?

The Five Eyes (US, Canada, Australia, New Zealand and Great Britain) countries issued a statement last week saying that if software makers did not voluntarily give them a back door into encrypted apps they may pursue forcing them to do that by law.  Australia and the UK already have bills or laws in place trying to mandate that (Source: Silicon Republic).

First, parental control/spyware app Family Orbit stored their private access key in a way that hackers were able to access 281 gigabytes of spied on photos in over 3,000 Amazon storage buckets.  This means that tens of millions of photos taken by kids and of kids are now on the loose.  All because parents wanted to keep tabs on what their kids were doing.  Now the hackers can keep tabs on their kids too (Source: Hackread).   Family Orbit shut down all services until they can fix the problem, but that won’t help recover the 281 gigabytes of data already stolen.

And, for the second time in three years, spyware maker mSpy leaked the data from a million customers including passwords, call logs, text messages, contact, notes and location data, among other information (Source: Brian Krebs).

So here, in one week, two companies who’s very existence is threatened by these leaks were hacked.  Somehow, hundreds of backdoors on major apps will be kept secret by the government.

Sure.  I believe that.  Not.

This is also a word of advice to parents who either are using spyware on their kids or are thinking about it.  The odds of that data getting hacked is higher than you might like.  Would it be a problem for you or your kids if all of their pictures, texts, contacts and passwords were made public?  Consider that before you give all of that data to ANY third party.

Popular Mac App Store App Has Been Sending User Data to China for Years

In a situation that you very rarely hear about, researchers have discovered that the 4th most popular paid app in the Mac app store, Adware Doctor, has been sending user browsing history to China for years.  Apparently, when you click on CLEAN, they take a very liberal view of the request, zip up your browsing history and send it to China. They are able to do this based on the permissions that the user gives it, reasonable permissions given the app.  In other words, they abused the trust that users gave them.

This was reported to Apple a month ago and Apple did nothing about it, but within hours of the news hitting the media, Apple yanked this very popular app from the store.  That, of course, does not protect anyone who has already downloaded it, but at least it will stop new people from becoming victims.

The power of the media!  Source: (Motherboard).

ISPs Try Hail Mary in Bid to Derail California’s Net Neutrality Bill

The California legislature is on a roll.  First the California Consumer Privacy Act (AB 375) – now law, then  the Security of Connected Devices Act (SB 327)- on the Governor’s desk and now The Internet Neutrality Act (SB 822) which would implement many of the requirements of the now repealed FCC Net Neutrality policy.  ISPs such as Frontier, have asked employees to contact the governor and tell him to veto the bill.  This was after AT&T bribed, err, technically “lobbied” an Assembly committee to gut the bill.  The industry then targeted robocalls at seniors saying the bill would cause their cell phone bill to go up by $30 a month and for their data to slow down (neither is true).  It is still on Governor Brown’s desk.  (Source: Motherboard).

Facebook is in the middle of an Apple-esque Fight Over Encryption with the Feds

While this case is under seal, a few details have surfaced.  In this case the feds are asking Facebook to comply with the wiretap act, a law passed in the 1960s, long before the Internet, which requires a phone company to tap a phone conversation after receiving a warrant.

In this case is Facebook Messenger even a phone call as defined in the Act?  Facebook, apparently, says that they do not have the means to do it;  that they do not have the keys.   Can the government force Facebook to rewrite it’s code to provide the keys to the government on request?  Even if they do, the conversations themselves do not go through Facebook’s network, so they could not capture the actual traffic, even if they wanted to.  The NSA could do that, but that is between the NSA and the FBI, not Facebook.

Can they force Facebook to completely rearchitect their system, at Facebook’s cost, to comply?  Even if they do, how long would that take?  What would be the operational impact to Facebook?

Since this is all under seal, we don’t really know and may, possibly, never know.

At this point it is not at all clear what will happen.  It is possible that the court will hold Facebook in contempt, at which point, I assume, Facebook will appeal, possibly all the way up to the Supreme Court.

Think San Bernadino all over again.  Source:  The Verge.

Facebooktwitterredditlinkedinmailby feather

Leave a Reply

Your email address will not be published. Required fields are marked *

*

code