Tag Archives: Encryption back door

Security News for the Week Ending October 16, 2020

5 Eyes Ask For Crypto Backdoor – Again

Law enforcement does not like it if they cannot snoop whenever they want. It has been a problem since encryption started to be used by the masses. The CIA, for example, even went to go so far as to BUY the Swiss encryption company Crypto AG, insert backdoors into their hardware and sell it to both our allies and our adversaries for decades before circumstances changed and made that hardware less important. They didn’t tell our allies that we were snooping on them. Part of the game.

So it is no surprise that when consumer products contain decent crypto, these same folks are not happy and they have been fighting the battle ever since.

Now they are saying that these companies should allow them to snoop on everyone – which they will do responsibly, of course – is a matter of public safety and protecting children.

And, of course, unlike the TSA, NSA, CIA and others before them who lost control of those secrets, these secret backdoors that companies should provide will not get into the wild. Trust us! credit: SCMagazine

Apple Releases New 5G Phones That Use Non-Existent 5G Service

Okay, this is not a cybersecurity issue, but it is a hot button for me. You can now buy an iPhone 12 Max with Apple care for $1700+ with 5G support.

I guess if you want to spend your money and help the economy, go for it, but if you think that you will be able to surf the web on your phone 10 times faster than today as they claim, you can. But you will have to wait around 10 years.

The problem is that none of the carriers have FAST 5G infrastructure. Verizon, does have some fast 5G – it covers about one percent of the US population. So, if you want to have a new iPhone and be one of the cool kids, go for it. Just don’t expect to surf the web any faster than you do today. Credit: Cybernews

Microsoft Takes Down TrickBot Network

On October 12, Microsoft and several partners announced that they were able to disrupt the TrickBot infrastructure by legally disabling IP addresses, making servers inaccessible and suspending services employed by the botnet. The effort was also aimed at preventing operators from registering new infrastructure.  There is a concern that the bot network, which has connections to Russia and has compromised at least a million computers may be used in an attempt by Russia to impact the U.S. Presidential elections.

That takedown lasted two days. The network is back operational again, causing mischief. This just points to the challenge of permanently stopping hackers who are living in unfriendly countries like Russia. Even with the best efforts of Microsoft and Cyber Command, it only stopped them for 2 days. Credit: ZDNet and Security Week.

And You Thought TSA was the Only Non-Secure Part of Flying? Wrong!

The aviation industry uses a system called ACAS internationally or TCAS in the U.S. It is a collision avoidance system which tells a pilot that there is another plane nearby and tells each pilot how to avoid a collision (up, down, left, right, fast, slow, etc.). Except that TCAS has no security in it and it can be spoofed by a bad guy to crash the plane. There is a new version coming out soon called ACAS X and it too can be fooled. So much for the basics of security. Credit: The Register

800,000 Sonicwall Appliances Can be Hacked by a Kid

The patch, which affects 800,000 Internet facing VPN servers, was released on Monday. The details were disclosed two days later, on Wednesday. In its simplest form, a kid can either crash the device or just make it not respond to commands. Worst case, a more skilled hacker may be able to execute arbitrary code, including bypassing login requirements. Sonicwall says that they are not AWARE OF any customers impacted YET. If I was running a Sonicwall appliance, I would treat this as an emergency and patch it as soon as possible. Credit: ZDNet

News Bites for the Week Ending December 7, 2018

Australian Parliament Passes Crypto Back Door Law Overnight

Politics always wins.  After the Prime Minister said that the opposition party was supporting terrorism, the opposition completely folded after claiming that Parliament would implement amendments after the first of the year.

Since politicians lie about 99.99% of the time, the party in power is now saying that they only might, possibly, consider some amendments.

It is not clear what software companies will do if asked to insert back doors.  One thing that is likely true is that they won’t tell you that they have inserted back doors into your software.  Source: The Register.

 

Sotheby’s Home is the Latest Victim of Magecart Malware

Magecart is the very active malware that has been found in hundreds of web sites and which steals credit card details from those sites before they are encrypted.

Sotheby’s, the big auction house, says that if you shopped on the site since, well, they are not sure, your credit card details were likely stolen.

They became aware of the breach in October and think that the bad guys had been stealing card data since at least March 2017.

Eventually governments will increase the fines enough (Uber just got fined $148 million – we are talking REALLY large fines) that companies will make the decision that it is cheaper to deal with security than pay the fines.  GDPR will definitely help in that department with worst case fines of up to 4% of a company’s global annual REVENUE (not profit).

Sotheby’s acquired the “Home” division about 8 months ago, so, like the Marriott breach, the malware was there when they acquired the company and their due diligence was inadequate to detect it. Source: The Register.

 

Sky Brazil Exposes Info on 32 Million Customers Due to User Error

I continue to be amazed at the number of companies that can’t seem to do the simple things right.

Today is it Sky Brazil, the telecom and Pay-TV company in Brazil.

They were running the open source (which is OK) search tool Elastic Search, made it exposed to the Internet and didn’t bother to put a password on it.  Is password protecting your data really that hard?  Apparently!

What was taken – customer names, addresses, email, passwords (it doesn’t say, so I guess they were not encrypted), credit card or bank account info, street address and phone number, along with a host of other information.

After the researcher told them about their boo-boo, they put a password on in quickly.  We are not talking brain surgery folks. How hard is it really to make sure that you put a password on your publicly exposed data?

Apparently the data was exposed for a while, so the thought is that the bad guys have already stolen it.  Nice.  Source: Bleeping Computer.

 

Yet Another Elastic Search Exposure – Belonging to UNKNOWN

Maybe this is elastic search week.  Another group of researchers found a data trove of elastic search data, again with no password.  Information on 50 million Americans and over 100 million records.

Information in this case is less sensitive and probably used to target ads.  The info includes name, employer, job title,  email, phone, address, IP etc.  There were also millions of records on businesses.

In this case, the researchers have no idea who the data belongs to, so it is still exposed and now that they advertised the fact that it is there, it probably has been downloaded by a number of folks.

That kind of info is good for social engineers to build up dossiers on tens of millions of people for nefarious purposed to be defined later.  Source: Hackenproof.

 

Microsoft Giving Up on Edge?  Replacing it with Chrome?

If this story turns out to be true – and that is unknown right now – that would be a bit of a kick in the teeth to Microsoft and a huge win for Google.

Rumor is that the Edge browser on Windows 10, which is a disaster, along with Microsoft’s Edge HTML rendering engine are dead.  Rumor is that Microsoft is creating a new browser, code named Anaheim,  based on the open source version of Chrome (called Chromium) which also powers the Opera and Vivaldi browsers.

If this is true, Google will effectively own the browser market or at least the browser engine market.  That could make them even more of a monopoly and a target for the anti-trust police.  Source: The Hacker News.

 

Turnabout is Fair Play

While the Democratic party seems to have escaped major hacks in this election cycle, apparently, the Republicans didn’t fare as well.

Several National Republican Congressional Committee senior aides fell to hackers for months prior to the election.  The NRCC managed, somehow, to keep it quiet until after the election, even though they had known about it for months.

Once way they kept is quiet is by not telling Speaker Paul Ryan,  Majority Leader Kevin McCarthy or other leaders about it.

In fact, those guys found out when the media contacted them about the breach.  I bet they are really happy about being blindsided.

Anyway, the cat is out of the bag now and the NRCC has hired expensive Washington law firm Covington and Burling as well as Mercury Public Affairs to deal with the fall out.  I suspect that donors are thrilled that hundreds of thousands of dollars of their donations are going to controlling the spin on a breach.

Whether the hack had anything to do with the NRCC’s losses in the past election is unknown as is the purpose of hacking the NRCC.  It is certainly possible that the hackers will spill the dirt at a time that is politically advantageous to them.  I don’t think this was a random attack.  Source: Fox News.

 

Another Adobe Flash Zero-Day is Being Exploited in the Wild

Hey!  You will never guess.

Yes another Adobe Flash zero-day (unknown) bug is being exploited in the wild.  The good news is that it appears, for the moment, to be a Russia-Ukraine fight. The sample malware was submitted from a Ukraine IP address and was targeting a Russian health care organization.  Now that it is known, that won’t last long.

The malware was hidden inside an Office document and was triggered when the user opened the document and the page was rendered.

Adobe has released a patch.  Source: The Hacker News.

Australia Introduces Bill Requiring Tech Companies Worldwide to Include Encryption Back Doors in their Software

This could get interesting.  The Australian Telecommunications and other Legislation Amendment (Assistance and Access) Bill 2018 would require tech companies to decrypt communications on request and even require tech companies to build back doors into their software if they don’t already have them.

Of course, like all governments (think GDPR), the bill does not stop at Australia’s border and would, in theory, require companies worldwide to comply.  It is not clear what leverage they have against a company that does not have a legal entity in Australia.

It is not clear how they would get Hamas or ISIS to obey their law, so while the law, if enacted, would weaken protections for law abiding citizens worldwide and would possibly allow them to intercept the communications of dumb terrorists, it will do nothing to protect us against smart terrorists – the ones we really need to be concerned about.

The bill defines a designated communications provider as any foreign or domestic communications providers, device manufacturers, component manufacturers, application providers and traditional carriers and carriage service providers.

That means that everything from your email to a physical device that supports encryption is up for grabs.

In explaining the bill the government mentions companies like Facebook, Instagram, Signal, Telegram and even web site logins.

The bill calls for three levels of hacking to be provided on demand:

  1. Technical assistance request – this one is voluntary.  If a company wants to, it can cooperate.
  2. Technical assistance notice – this one requires a company to decrypt stuff that they have the technical ability to decrypt.
  3. Technical capability notice – this one requires the company to build a new back door into the security of their product and somehow secretly get the user to install the new hacked version of the software.  However, the bill says that this back door cannot remove encryption.  HUH?!

The first two are not a big deal.  The last one is a killer.

Australia’s Minister for Law Enforcement and Cyber Security said that this bill would allow law enforcement to access your data without compromising the security of the network.

The Minister did not want to go anywhere near the words encryption back door, but technically that is the only way to accomplish what they are asking for.  The Minister said that tech companies would be able to provide access without weakening security,  He didn’t suggest how this is possible.  It is not.

He said that we are ensuring we don’t break the encryption systems of the company;  so we are only asking them to do what they are capable of doing.  Item 3 above tells companies to do what is not currently possible, so either he has not read the bill, doesn’t understand the bill or is lying.  Take your pick.   The Minister of Magic is convinced that he can do that without breaking the encryption of the technology companies.

On the other side, the tech companies like Apple, Facebook and Google danced around the conversation giving it a wide berth.  They do have a challenge since they don’t want to appear to support terrorists while, at the same time, they know what the government is asking is impossible without compromising the security and privacy of their customers worldwide.  If they give this capability to Australia, what is their justification for not giving it to China or Russia or any other country that asks?

The Australian Prime Minister, Malcolm Turnbull said “The laws of mathematics are very commendable, but the only law that applies in Australia is the law of Australia.”  Apparently, he thinks the laws of physics are optional in his country.

Currently, this is only a bill, so who knows what will happen, but if passed, companies will need to make some very uncomfortable decisions.

Since Australia is a small market, one option for bold companies would be to block the use of their services to residents of that continent.  Remember that there are fewer people in Australia than, say, in Canada or even in just the sate of Texas and a little more than half the population of California.  That being said, businesses rarely like to turn away customers, even if it means violating their core principals, so it will be interesting to see what companies like Apple choose to do.

Information for this post came from CNet.

 

Justice Department Continues Push To Get Rid Of Encryption

The Justice Department continues to push for the ability to bypass encryption (see here). Leslie Caldwell, one of the assistant AGs said that the DoJ is very concerned that Apple and Google have turned on encryption by default.  I guess that must point to the fact that if people have to do something to turn it on, they won’t, which makes eavesdropping that much easier for them.

FBI Director Comey has said before that he wants to push Congress to make automatic encryption illegal – again pointing to the fact that many people won’t bother to encrypt if it requires an extra click or two.

On the other hand, the government is saying that we have to be more concerned about cyber security – it seems like they are trying to have it both ways.  Encryption is one of the easiest and simplest ways to make it harder for the bad guys to do you in.  It also makes it harder for the FBI and NSA to vacuum up massive amounts of data to look for the needle that they want to find in the data haystack.

Caldwell actually said that encryption makes data too safe.  Really?  Too safe?  Isn’t that kind of like being too rich?  Or too happy?  Seems a bit self serving.

Caldwell also said that she hopes that companies will build a back door (‘cuz if they do, certainly the Chinese won’t figure that out) so that the FBI can mail the phone to Apple or Google to decrypt.  Really.  MAIL THE PHONE.  I think she is a bit out of touch with the digital age.

Some people have gotten hung up on the term back door, meaning an intentionally introduced mechanism that allows someone who knows about it to compromise the encryption.  Lets assume that what they really mean is that they want a copy of your encryption keys and they promise to keep them safe.  Is that really possible for them to keep safe?  And what about the data vacuuming that the agencies are doing – doesn’t that require them to use those keys every time you get online?  How, exactly, do you keep that secure.

If I have the key and they want it, then they have to go to a judge and get a warrant and I can disagree and try to convince the judge that they shouldn’t get it.  And, I can change the key so that sharing that key won’t compromise my future conversations.  Key escrow or back doors don’t allow any of that to occur.

The DoJ is also not happy with the TOR network.  They say they are making some progress at hacking it, but I *think* mostly they are taking advantage of people’s poor personal security hygiene (people make mistakes and the feds capitalize on that).

Clearly, encryption and TOR and similar tools can be used for bad purposes, but so can hammers and I don’t see a demand to outlaw hammers.

I am quite sure that encryption makes it harder for the government to do massive data collection and correlation, but we managed to track down criminals before and we can continue to track down criminals after.

Three thoughts and I will allow you to draw your own conclusion –

1. Are bad guys likely to use encryption software that has a back door vs. software that is available for free on the black market that does not have a back door?  Or software that is created by developers in any other country that doesn’t require them to add a back door.  Surely the dumb ones will and you may therefore catch them, but what about the really dangerous ones?

2. What is the financial impact on the U.S. economy if the rest of the world (RoW) knows that the U.S. government can look at their stuff without them knowing about it.  eWeek reported that U.S. Cloud providers said their business could shrink by 25 percent as a result of the NSA data collection. That could be a direct loss to the U.S. economy of $25-$100 billion over three years depending on who you believe.  That doesn’t include secondary effects (if the providers sell less services, they will buy less computers and hire fewer people, for example).  If the RoW thinks that the U.S. has a crypto back door, how many U.S. jobs will that cost and how many billions in business will we lose.

3. A lot of the crypto is controlled by service providers (like SSL and Facebook), but much more of it is controlled by the end users.  If Joe and I are talking to each other, we share a secret that only we know and that is used as the key.  The fact that the key is secret is what makes it secure.  If that key gets out, then all traffic past, present and future, that was protected with that key, is compromised.  And the feds would like businesses to give that to them freely.  I don’t think that is going to happen.  I have been known to be wrong before.  I think I was once in 1997.  Or maybe 1998.

The government has been trying to build back doors into encryption since at least 1993 when they came out with the idea of the Clipper chip.  It didn’t sell then and it is not likely to sell now.  My two cents.

Mitch