Tag Archives: Encryption

Security News Bites for the Week Ending July 17, 2020

Microsoft’s LinkedIn Sued for Abusing Clipboard Access

Apple’s Universal Clipboard allows you to share data between devices. According to the lawsuit, LinkedIn reads the data without notifying the user. However, LinkedIn is not alone. More than 50 apps, apparently, do that. Now that they have been sued, they are changing their app. Credit: Reuters

When is 10 million actually 140 million?

Apparently MGM resorts is not great at counting. In February ZDNet reported that hackers stole info on 10 million guests. Apparently the number is actually 142 million. How we know this is not because MGM said so but because a hacker is selling that much data. Credit: ZDNet

340 GDPR Fines Totaling 158 Million Euros Issued Since 2018

The smallest fine was 90 Euros. The largest fine was 50,000,000 Euros.

France, Italy and Germany represent 73% of all of the fines.

While fines issued by France total 51 million Euros, fines issued by the UK were just over a half million Euros.

While GDPR has been in force for around two years, that is just a blip when it comes to the legal world. Stay tuned for the next two years. Credit: Helpnet Security

The Same Senate That is Trying to Ban Encryption is Asking Why Twitter isn’t Encrypting DMs

While the Senate debates the EARNIT Act, which would require companies like Twitter to implement encryption back doors or the LEAD Act which FORCES judges to make companies decrypt data if the cops ask the judge to do it with no judicial descretion, that same body is asking why Twitter isn’t encrypting Direct Messages (DMs). Sounds kind of bizarre to me, but that is reality. Credit: Security Boulevard

Beware of VPNs That Keep No Logs

UFO VPN (first clue: based in Hong Kong) says this about their security practices:

UFO VPN does not collect, monitor, or log any traffic or use of its Virtual Private Network service, under any circumstances, on any platform

Which makes it hard to explain how 894 GB of log data, including encryption keys, was stored on an elastic search server with no password. This represents 20 million users logs.

If you care about your privacy, check out any VPN provider that you plan to use carefully. Credit: Hack Read

Get Ready for Encryption Fireworks

Since the early 1990s, there has been a battle going on between the federal government and privacy advocates. Privacy advocates want strong encryption. The government wants weak encryption that it can break. Except of course for the encryption that they use.

They claim they need it is to hunt down terrorists, but that didn’t get any traction.

Then they claimed it was to hunt down pedophiles.

There are several bills in play right now and none of them really solve the problem. Not even a little bit.

One bill is the earnit act which, in typical Congressional fashion, kicks the can down the road. Since actually figuring out how to solve the problem of bad guys using encryption while at the same time protecting the rest of us, the earnit act proposes to create a commission to make recommendations to the Attorney General, who is not required to accept any of the recommendations and can create his own. Then if the tech community doesn’t accept whatever he says, they will lose the protection they have for content posted by users. Since Congress has like one person who understands tech out of 500, what they don’t seem to realize is that this will not achieve the goal that Republicans have getting more right wing content on the web. Instead what tech companies will have to do is dramatically restrict user posted content to make sure that they do not post any content from either side that would get them sued for helping pedophiles or promoting violence or whatever. Facebook will go back to what Zuckerberg originally planned it for – figuring out which girls he wanted to go out with or something slightly less PG than that. If they lose their immunity, they will restrict content.

If that happens, billions of dollars of investor capital value will go up in flames. I don’t have any Facebook or Twitter stock, but if you do and the bill passes, you should sell.

Sen. Graham introduced a new version of the bill to solve this problem. He wants to let the states decide. That way Twitter will have to comply with 50 state laws. That will definitely make things easier.

The Post says that legislators are far less sympathetic to tech companies and that may be true, but the President seems to like to use at least one tech company and if laws pass that remove protections, those companies are far more likely to censor him than they are now when they have immunity.

There are definitely two camps in Congress right now – those that want to protect people’s privacy and those that want to get rid of privacy because it is inconvenient to them.

Another bill, called the lead act, would literally ban strong encryption and make it a crime to use encryption that doesn’t have a backdoor.

Except, of course, crooks, how do I say this, DON’T CARE MUCH ABOUT THE LAW. So they will use strong encryption except for the dumb ones and we don’t really fix anything.

I am sure if the law requires a back door to private conversations, no crooks will ever discover how it works.

Kind of like how Apple tries to make it impossible to jailbreak their phones.

And their phones are typically jailbroken within 24-48 hours of a new software release.

I am not saying that there is not a problem. What I am saying is that there is no simple solution and rather than passing the buck to a committee or the states, figure out the answer. Even if it takes a couple of years. Figure out the right answer.

I must be thinking of a different organization than Congress. Credit: WaPo

Security News for the Week Ending June 26, 2020

Anonymous Gonna Rise Again. Question Mark?

A hacker or hackers claiming to be affiliated the non-group Anonymous has posted a million documents coming from over 200 police departments and other law enforcement agencies. While the documents do no purport to show illegal activities, they are likely both embarrassing and also confidential. The fact that the police could not protect their own information is probably not great for their reputations either. Credit: Wired

Republican Senators Create Bill to End Use of Warrant-proof Encryption

Senators Lindsey Graham, Tom Cotton and Marsha Blackburn say that they plan to introduce a bill that will require service providers and device manufacturers to insert backdoors into their software and devices so that cops can decrypt the devices when they want to.

They have not published the bill yet and we have no idea whether it will get any traction, so who knows, but the main issue is that there is nothing to stop bad actors from installing software from web sites in countries that don’t really case about what Mrs Graham and Cotton or Ms. Blackburn want. Sure you will catch stupid crooks, but we catch them anyway. Credit: ZDNet

Pentagon Creates List of Companies Controlled by Chinese PLA

There is a 1999 law that requires the Pentagon to produce a list of companies controlled by the Chinese military. Always prompt, 21 years later the Pentagon has produced that list. Huawei is one of those companies, of course. At this point it is not clear what the White House will do with that list, but we assume that it will be used to add pressure to China. Credit: Time

Feds Ask FCC to Deny China Access to New Fiber Optic Cable from US

Team Telecom, that federation of executive branch agencies that has been completely toothless in stopping China from compromising our telecom has finally decided that to feels its Wheaties. Renamed CAFPUSTSS, they say we should not drop an undersea fiber cable in Hong Kong for China to tap. The proposed cable would have a speed of 144 terabits per second, otherwise known as way fast. If the White House has its way, the cable will go from the U.S. to the Philippines and Taiwan and bypass Hong Kong. Google owns the Taiwan segment and Facebook owns the Philippines segment, but China owns the proposed Hong Kong segment. Credit: CSO Online

Hackers Use Captcha to Thwart Detection

Captcha, those annoying puzzles/questions/pictures that websites use to try and distinguish bots from humans, is now being used by the baddies. The hackers are putting their malware, like infected spreadsheets, on websites behind a captcha, likely to try and avoid detection by the good guys. If the good guys automated testing cannot complete the captcha, it won’t test the content behind it, leaving it available for victims to download and get infected. Credit: ARS Technica

Weekly Security News for the Week Ending December 20, 2019

Retailer LightInTheBox Exposes 1.6 Billion Customer Records

The challenge with today’s big data world is that the breaches are enormous.  LightInTheBox left customer transaction data exposed due to, apparently, a server misconfiguration.   They effectively breached themselves.  The data was a web server log with dates from Aug  9 to Oct 11 of this year.   It appears that there was no payment data in the log files, which is a good thing.  Also, they did not figure it out;  a security researcher told them about it.  1.6 billion records will cause them some pain.  The good news is that this happened before CCPA went into effect.  This time next month and it would have been a much, much more expensive breach.  Source: SC Mag

Facebook, Twitter Disable Sprawling Pro-Trump Disinformation Operation

Facebook and Twitter this week disabled a  global network of hundreds of fake accounts distributing pro-Trump messages which used AI to generate fake photographs to cover its tracks.  The accounts, they say, were associated with two media groups, the BL and Epoch Media.  They said that the accounts were suspended because of their tactics and not because of their content.

Facebook said the BL was linked to hundreds of fake accounts that posted political messages at high frequencies and attempted to direct traffic to their web sites.

On Facebook alone, the disabled network had more than 600 accounts and had purchased $9 million in advertisements.  Twitter deleted 700 accounts.

Some of these activities were linked to the countries of Georgia and Saudi Arabia.

It looks like 2020 election engineering activities have already begun.  Source: WaPo

Business Email Compromise Scams Google and Facebook out of $120 Million

While $120 million to Facebook and Google is kind of like $120 to you and me, still, it is impressive that the hackers were able to present $120 million of fake invoices and fake supporting documents  like contracts.

One of the hackers was caught and made a plea deal for 60 months in jail and fined $26 million.  Source: The Register

While British Politicians Demand Facebook Doesn’t Encrypt Your Messages, They Switch to Signal So Their Messages Can’t Be Read

At the same time that the Brits, Australians and U.S. are demanding that Facebook doesn’t encrypt Messenger messages in a way they can’t read them, they are shifting their own messages from WhatsApp to Signal.  The reason?  They don’t want their messages to be intercepted.  Source: The Register

Credentials Can Now Be Extracted From iPhones

iPhones have a well deserved reputation for being secure, but now the Russian software company Elcomsoft says that they can extract some information from iPhones, even before its first login after power up, the most secure state.

They are using the Checkm8 vulnerability in the boot ROMs of most iPhones before the iPhone 11 that, it appears, will be impossible to fix.  If you have $1,495, you, too, can hack into anyone’s iPhone that you can physically get your hands on.  In theory, they only sell to good guys, but that definition is probably a bit loose.  Based on the price, the cops probably love it as they have complained that encrypted devices stop them from solving crimes.  Source: 9to5Mac

Security News for the Week Ending October 11, 2019

Medical Practice Closes After Ransomware Attack

Wood Ranch Medical is closing their doors permanently after a ransomware attack.  The attackers not only encrypted the practice’s data, but also its backups.

In April 2019, the Brookside ENT and Hearing Center in Battle Creek also closed after a ransomware attack.

Ransomware attacks are just one reason why businesses should keep at least one backup off-site and off-line.  Source: Security Week

 

Reductor Malware Bypasses Encryption

Kaspersky, the Russian anti-malware vendor that has been banned for use by the US government, reported a new malware attack that bypasses encryption on a user’s PCs using a very novel technique.  Rather than crack the crypto, the attack compromises the random number generator on the computer, affecting the crypto algorithm and making the encryption easy to break.  Very creative.  Source: The Register

 

vBulletin Developers Release Patches for 3 More High Severity Vulnerabilities

Right after patching the critical vulnerability that took down Comodo, the developers of vBulletin have released even more patches.  This time is it a remote code execution (RCE) flaw and two SQL injection (SQLi) attacks.  vBulletin runs on at least 100,000  web sites.  While these vulnerabilities are not at bad as last week’s, you should patch them soon.  Source: The Hacker News.

 

Feds Hit the Mob with Cyberstalking Charges

A jealous mobster put a GPS tracker on his girlfriend’s car.  The mobster, a captain in the Colombo crime family and 20 of his friends were charged with racketeering, loansharking, extortion and, oh yeah, cyberstalking.  The story sounds like a Hollywood B movie, but it is, apparently, real.  Read the story here.

 

Colorado Records Another First

In response to the Intelligence Community’s assessment of foreign interference in the 2016 election, reports of attempted interference in 2018 and reports from Defcon that every one of the voting machines that they tried to attack was vulnerable, Colorado Secretary of State Jena Griswold banned counting ballots using printed barcodes.  Griswold says that a barcode is not a verifiable paper trail if the voter has no idea what it says.  Colorado’s voting machine vendor, Dominion, has agreed to provide a software upgrade for free that will print out darkened circles next to the vote instead.  Unfortunately, nothing is perfect and this doesn’t go into effect until after the 2020 election.  Now that Dominion has agreed to provide the software upgrade for free,other states will likely follow.  Source: CNN .

The Feds Take Another Run At Getting Rid of Encryption

O P I N I O N

This is not really an opinion piece, but some people might think it is, so I will go for over disclosure and call it that.

The Feds really don’t like encryption.  It gets in their way when they want to do mass surveillance or even targeted surveillance.

For hundreds of years the Feds could listen in to any conversation that they wanted to, whether it was planting someone in the local pub to overhear your conversation, tapping your phone or more recently reading your email.

In concept, when done appropriately, this is a necessary evil.  I would not say it is a good thing, but there are bad people out there and you have to keep them in check.

In the 1990s a guy named Phil Zimmerman invented a piece of software called PGP.  It was free and it brought encryption to a lot more people than had it before.  It was far from easy to use, so most people didn’t use it, but still the government didn’t like it.  For five years the government tried to get Zimmerman locked up for inventing it (technically, they said that encryption was governed by the International Traffic in Arms Regulation (ITAR) and so you could not export it and since it was available on the Internet, he was exporting it).  The public never bought the argument and finally, in 1996, the government gave up.

Once the government realized that they could not put Phil’s genie back in the bottle, they came up with another idea called the Clipper chip.  The Clipper chip had a built in backdoor so the feds could decrypt anything that was encrypted using it.  People realized that encryption done that way wasn’t really private and never signed on to buying clipper chips.

In the mid 1990s the Feds noticed that phone companies were implementing digital central office phone switches and they could come into a phone company office and put a couple of alligator clips on your home phone line to listen to the mob, so Congress passed CALEA in 1994.  CALEA gave the phone companies billions of dollars (literally) to install digital back doors in their central offices.

Things got sort of quiet after that  with the FBI complaining to anyone who would listen, but Congress never listened for some reason.

Part of the logic might have been if encryption is so bad, crime must be going crazy, but that wasn’t true.  For the most part, in general, crime was level or maybe even going down a little – of course there were exceptions, but nothing massive to indicate that crooks were really smart and hiding all of their actions.

Over the last ten years or so, the FBI and various Justice Department folks said that we needed to put a back door in encryption to find terrorists.  For whatever reason, people still didn’t believe them and Congress has been unwilling to mandate an encryption backdoor.

All during this time, encryption was becoming more and more ubiquitous, including encrypted phones, both Apple and Google.  They said that the world was going dark because of all of this encryption, yet they continue to find and arrest cyber criminals and terrorists.  Maybe not all of them, but a lot of them.

But the Feds are not giving up.  They want Facebook, Google, Apple and others to build in back doors to their messaging applications.

The reason they now want to add encryption back doors?  Its the children.  Poor. Defenseless.  Children.  After all the child molesters and kiddie porn freaks – surely they must be using encryption.  I guess they are.  I mean, what if they catch a kiddie porn pervert and his phone is encrypted.  Surely he will get off Scot free.

Well it turns out that even that isn’t quite true.  The New York City District Attorney signed a deal about two years ago with the Israeli company Cellebrite.  Cellebrite claims to be able to get the data off almost any phone, Android or iPhone.  Probably pretty accurate.  Now it has come out that New York is offering this phone-hacking-as-a-service to other law enforcement agencies as well.  But this is not as easy as vacuuming up all of the data from everyone and looking for anything that seems interesting.

Still the government does have tools.  Raytheon makes a box called a Stingray.  Originally it was designed for the Military to use in the Middle East and other hot spots to watch terrorists, but money wins out and Raytheon will sell it to law enforcement everywhere.  Recently, we have been watching a spy vs. spy game as it has come out that people have found numerous Stingray or Stingray-like devices all over DC, including around the White House.

That is the problem with stuff.  You can’t keep the genie in the bottle.  If we create an encryption back door and say that only the cops can use it, that will last for at least a few months before the secret is no  longer secret.

If you think we have all of this cyber crime now, with all of this encryption, you can’t imagine what it might be like if we don’t have secure encryption.  And this is definitely a genie that you will not be able to get back in the bottle.

Just my opinion.