Tag Archives: Encryption

Security News for the Week Ending October 29th, 2021

Smartphone Counterespionage Tips for Travellers

Most people say “who would be interested in me?” but the reality is that foreign governments track Americans for a variety of reasons, both good and bad. Read this article to find some tips that could keep you below the radar and your information safer.

Are Surveillance Cameras the Answer to Worker Productivity

ZDNet wrote a story this week about a boss who texted an employee at night about what the boss perceived was employee laziness. Apparently the boss was completely uninformed and when the employee pointed out what was really happening, the boss doubled down. The employee told the boss to take his job and shove it. That doesn’t mean that management should ignore what they think they see, but as we are seeing in this recovery after the pandemic shutdowns, employees seem a lot more empowered and your employees may tell you to shove it. Read the details here.

State Department Recreates Cybersecurity Effort After Trump Disbanded it

Cybersecurity will be a core part of the State Department’s mission with the new Bureau of Cyberspace and Digital Policy. Congress forced the issue by legally creating the department after Trump eliminated the position of cyber coordinator in State. State will also add 50% to it tech budget and new civil service positions. Credit: Dark Reading

Britain’s Privacy Commissioner Calls for More End to End Encryption

Britain’s privacy protection agency, the ICO, has called for video conferencing companies to implement end to end encryption at the same time that police and politicians are calling for the elimination of any secure end to end encryption. The ICO attempted to do some spin after the fact, but their statement still stands. Police say that having to get warrants to obtain information is inconvenient for them. This follows last year’s call by British, Canadian, Australian, Chinese, Swiss, Gibraltarian and Hong Kong data protection regulators also asking for end to end encryption. The police have vocally asked for a master decryption key because, of course, you can trust them. This week the master encryption key used to secure Covid passports in the EU was publicly exposed. Covid vaccine passports for Adolf Hitler and Mickey Mouse have been found and fake Covid passports signed with this key are now available on the web. Not to worry, if we give the thousands of police agencies access to these keys, I am sure this would never happen. Credit: The Register

Proton Wins Swiss Appeal Over Surveillance Rules

Weeks after Proton Mail was force to capture the IP address of a user after receiving a Swiss subpoena, they won a different court battle. Swiss courts had earlier ruled that companies like Whatsapp and Zoom were not Internet providers and did not have to maintain surveillance records of their users’ actions, but for some reason, the Swiss Post thinks that Proton does have to. The appeals court said no to that and remanded the case back to a lower court to “change their mind” so to speak. Credit: Cybernews

NIST Prepares Post-Quantum Encryption Standards

Long before quantum computing becomes “main stream”, state actors will have access to it. In part, because they command large budgets; in part because it is important to them.

Why do they care? Because, it will allow them to decrypt both communications that they intercept going forward and communications that they have intercepted in the past and stored. That is a game changer.

While we can make things more difficult with perfect forward secrecy (PFS), which requires each message to be separately decrypted, there are plenty of places were PFS is not being used.

NIST, the part of the Department of Commerce, is responsible for creating encryption standards used by most of the government (except for the spies) and all of the commercial sector, and has been working on this problem since 2016. They are not there yet, but this week they made an important announcement.

They plan to announce finalists for new standards roughly by the end of the year.

Then they have to document them as standards and put out the documents for public comment. Possibly, rinse and repeat.

They expect approved standards by 2024 – an 8 year process.


They have selected 8 algorithms as candidate standards.

And just to make sure that things don’t get away from them, they are also looking at 7 backup standards.

These standards use different strategies, not just different implementations of solving the same problem. (Like RSA encryption uses the hard problem of factoring large prime numbers. That is not quantum proof, but that is an example of one strategy). So we potentially have 15 different problems which NIST thinks will be hard for even quantum computers to break. If they are wrong about one, they have 14 more. Backups with backups to the backups.

Look for NIST to release draft proposals in a few months. Then we have more wait. But at least this seems like light at the end of the tunnel.

For software developers, that means work, documentation and testing. Plan to be doing that around 2024.

Credit: SC Magazine and NIST

How The Law Decrypts Your Phone’s Encryption

Law enforcement agencies around the world have been whining about the “going dark” problem at least since the early 1990s when they tried really hard to put Phil Zimmerman in jail for creating encryption that mere mortals could use. There is no question that bad folks use encryption to hide stuff, but good folks also do and it is going to be impossible to create a master key that will only be used by the good guys for good. Not going to happen.

So that leaves the police with the option of hacking your phone, which, is less impossible than they often claim.

Johns Hopkins cryptographer Matthew Green managed a team of experts to tear apart the secrets and see what they found.

They looked at available documentation and also did some hacking. They also reviewed all of the existing news that they could find about what the cops have done in the past to break in.

Green thought, going in, that security on Apple and Google phones was pretty good, but coming out he realized that almost nothing is protected as well as it could be.

The researchers figured that it would be really difficult to steal any of the many levels of encryption keys that iPhones use, but that turns out not to be the case.

If your iPhone was powered off and someone turned it on, the security would be pretty good – what Apple calls “Complete Protection”. But as soon as you log in, you move from “Complete Protection” to “Protected Until First User Authentication”. That is likely the state your phone is in 99.99% of the time.

The major difference between these two states is that in the after the first login, many of the keys are available in memory. At this point, if someone can exploit your phone, getting those keys and decrypting the data those keys protect is easy.

This is likely how all forensic tools like Cellebrite and Grayshift work.

Android works very similarly except while Apple has a way for apps to protect small bits of data more securely after first login – like a banking password – Android does not have a feature like that. That means that tools like Grayshift can grab more data once you have logged in.

Android also suffers from dozens of manufacturers and hundreds of models and many people who have not seen an upgrade or patch in years.

When the researchers explained what they had done to the folks at Apple, they basically said that they were concerned about protecting your stuff against street thieves and not well funded attackers and they chose user convenience over security (my words). From a marketing standpoint that makes sense, but they don’t really tell people that up front.

Google, like Apple, said these attacks require physical access (like what might happen when you cross the border and the customs person says “papers please” and “phone please”. They said it also requires these folks to know about bugs that have not been patched. Google said that you can expect to see additional hardening in the next release of Android.

If you think it is only the FBI or NSA that buys these Celebrite and similar tools, you are very wrong. Researchers found nearly 50,000 examples of police in all 50 states using these tools between 2015 and 2019 and that was just what they were able to uncover. Law enforcement has not exactly volunteered that they can hack your phone at the push of a button.

Given this, you might wonder why the police are complaining about going dark. I think it is because they can’t just snoop on anything, any time, any where, including over the air and unless they can do that, they will complain. Credit: Wired

Security News Bites for the Week Ending July 17, 2020

Microsoft’s LinkedIn Sued for Abusing Clipboard Access

Apple’s Universal Clipboard allows you to share data between devices. According to the lawsuit, LinkedIn reads the data without notifying the user. However, LinkedIn is not alone. More than 50 apps, apparently, do that. Now that they have been sued, they are changing their app. Credit: Reuters

When is 10 million actually 140 million?

Apparently MGM resorts is not great at counting. In February ZDNet reported that hackers stole info on 10 million guests. Apparently the number is actually 142 million. How we know this is not because MGM said so but because a hacker is selling that much data. Credit: ZDNet

340 GDPR Fines Totaling 158 Million Euros Issued Since 2018

The smallest fine was 90 Euros. The largest fine was 50,000,000 Euros.

France, Italy and Germany represent 73% of all of the fines.

While fines issued by France total 51 million Euros, fines issued by the UK were just over a half million Euros.

While GDPR has been in force for around two years, that is just a blip when it comes to the legal world. Stay tuned for the next two years. Credit: Helpnet Security

The Same Senate That is Trying to Ban Encryption is Asking Why Twitter isn’t Encrypting DMs

While the Senate debates the EARNIT Act, which would require companies like Twitter to implement encryption back doors or the LEAD Act which FORCES judges to make companies decrypt data if the cops ask the judge to do it with no judicial descretion, that same body is asking why Twitter isn’t encrypting Direct Messages (DMs). Sounds kind of bizarre to me, but that is reality. Credit: Security Boulevard

Beware of VPNs That Keep No Logs

UFO VPN (first clue: based in Hong Kong) says this about their security practices:

UFO VPN does not collect, monitor, or log any traffic or use of its Virtual Private Network service, under any circumstances, on any platform

Which makes it hard to explain how 894 GB of log data, including encryption keys, was stored on an elastic search server with no password. This represents 20 million users logs.

If you care about your privacy, check out any VPN provider that you plan to use carefully. Credit: Hack Read

Get Ready for Encryption Fireworks

Since the early 1990s, there has been a battle going on between the federal government and privacy advocates. Privacy advocates want strong encryption. The government wants weak encryption that it can break. Except of course for the encryption that they use.

They claim they need it is to hunt down terrorists, but that didn’t get any traction.

Then they claimed it was to hunt down pedophiles.

There are several bills in play right now and none of them really solve the problem. Not even a little bit.

One bill is the earnit act which, in typical Congressional fashion, kicks the can down the road. Since actually figuring out how to solve the problem of bad guys using encryption while at the same time protecting the rest of us, the earnit act proposes to create a commission to make recommendations to the Attorney General, who is not required to accept any of the recommendations and can create his own. Then if the tech community doesn’t accept whatever he says, they will lose the protection they have for content posted by users. Since Congress has like one person who understands tech out of 500, what they don’t seem to realize is that this will not achieve the goal that Republicans have getting more right wing content on the web. Instead what tech companies will have to do is dramatically restrict user posted content to make sure that they do not post any content from either side that would get them sued for helping pedophiles or promoting violence or whatever. Facebook will go back to what Zuckerberg originally planned it for – figuring out which girls he wanted to go out with or something slightly less PG than that. If they lose their immunity, they will restrict content.

If that happens, billions of dollars of investor capital value will go up in flames. I don’t have any Facebook or Twitter stock, but if you do and the bill passes, you should sell.

Sen. Graham introduced a new version of the bill to solve this problem. He wants to let the states decide. That way Twitter will have to comply with 50 state laws. That will definitely make things easier.

The Post says that legislators are far less sympathetic to tech companies and that may be true, but the President seems to like to use at least one tech company and if laws pass that remove protections, those companies are far more likely to censor him than they are now when they have immunity.

There are definitely two camps in Congress right now – those that want to protect people’s privacy and those that want to get rid of privacy because it is inconvenient to them.

Another bill, called the lead act, would literally ban strong encryption and make it a crime to use encryption that doesn’t have a backdoor.

Except, of course, crooks, how do I say this, DON’T CARE MUCH ABOUT THE LAW. So they will use strong encryption except for the dumb ones and we don’t really fix anything.

I am sure if the law requires a back door to private conversations, no crooks will ever discover how it works.

Kind of like how Apple tries to make it impossible to jailbreak their phones.

And their phones are typically jailbroken within 24-48 hours of a new software release.

I am not saying that there is not a problem. What I am saying is that there is no simple solution and rather than passing the buck to a committee or the states, figure out the answer. Even if it takes a couple of years. Figure out the right answer.

I must be thinking of a different organization than Congress. Credit: WaPo

Security News for the Week Ending June 26, 2020

Anonymous Gonna Rise Again. Question Mark?

A hacker or hackers claiming to be affiliated the non-group Anonymous has posted a million documents coming from over 200 police departments and other law enforcement agencies. While the documents do no purport to show illegal activities, they are likely both embarrassing and also confidential. The fact that the police could not protect their own information is probably not great for their reputations either. Credit: Wired

Republican Senators Create Bill to End Use of Warrant-proof Encryption

Senators Lindsey Graham, Tom Cotton and Marsha Blackburn say that they plan to introduce a bill that will require service providers and device manufacturers to insert backdoors into their software and devices so that cops can decrypt the devices when they want to.

They have not published the bill yet and we have no idea whether it will get any traction, so who knows, but the main issue is that there is nothing to stop bad actors from installing software from web sites in countries that don’t really case about what Mrs Graham and Cotton or Ms. Blackburn want. Sure you will catch stupid crooks, but we catch them anyway. Credit: ZDNet

Pentagon Creates List of Companies Controlled by Chinese PLA

There is a 1999 law that requires the Pentagon to produce a list of companies controlled by the Chinese military. Always prompt, 21 years later the Pentagon has produced that list. Huawei is one of those companies, of course. At this point it is not clear what the White House will do with that list, but we assume that it will be used to add pressure to China. Credit: Time

Feds Ask FCC to Deny China Access to New Fiber Optic Cable from US

Team Telecom, that federation of executive branch agencies that has been completely toothless in stopping China from compromising our telecom has finally decided that to feels its Wheaties. Renamed CAFPUSTSS, they say we should not drop an undersea fiber cable in Hong Kong for China to tap. The proposed cable would have a speed of 144 terabits per second, otherwise known as way fast. If the White House has its way, the cable will go from the U.S. to the Philippines and Taiwan and bypass Hong Kong. Google owns the Taiwan segment and Facebook owns the Philippines segment, but China owns the proposed Hong Kong segment. Credit: CSO Online

Hackers Use Captcha to Thwart Detection

Captcha, those annoying puzzles/questions/pictures that websites use to try and distinguish bots from humans, is now being used by the baddies. The hackers are putting their malware, like infected spreadsheets, on websites behind a captcha, likely to try and avoid detection by the good guys. If the good guys automated testing cannot complete the captcha, it won’t test the content behind it, leaving it available for victims to download and get infected. Credit: ARS Technica