The Register

Remember the Clipper chip? NSA’s botched backdoor-for-Feds from 1993 still influences today’s encryption debates

The Register

More than a quarter century after its introduction, the failed rollout of hardware deliberately backdoored by the NSA is still having an impact on the modern encryption debate.

Known as Clipper, the encryption chipset developed and championed by the US government only lasted a few years, from 1993 to 1996. However, the project remains a cautionary tale for security professionals and some policy-makers. In the latter case, however, the lessons appear to have been forgotten, Matt Blaze, McDevitt Professor of Computer Science and Law at Georgetown University in the US, told the USENIX Enigma security conference today in San Francisco.

In short, Clipper was an effort by the NSA to create a secure encryption system, aimed at telephones and other gear, that could be cracked by investigators if needed. It boiled down to a microchip that contained an 80-bit key burned in during fabrication, with a copy of the key held in escrow for g-men to use with proper clearance. Thus, any data encrypted by the chip could be decrypted as needed by the government. The Diffie-Hellman key exchange algorithm was used to exchange data securely between devices.

Full article

WIRED

Everything We Know About the Jeff Bezos Phone Hack

WIRED

Photograph: Andrew Harrer/Bloomberg/Getty Images

On November 8, 2018, Amazon CEO Jeff Bezos received an unexpected text message over WhatsApp from Saudi Arabian leader Mohammed bin Salman. The two had exchanged numbers several months prior, in April, at a small dinner in Los Angeles, but weren’t in regular contact; Bezos had previously received only a video file from the crown prince in May that reportedly extolled Saudi Arabia’s economy. The November text had an attachment as well: an image of a woman who looked like Lauren Sanchez, with whom Bezos had been having an unreported affair.

That message appears to have been a taunt; American Media Inc., publisher of The National Inquirer, would several months later make details of the affair public. But it’s the initial contact, in May, that has set off another firestorm with MBS at the center. That video file was likely loaded with malware, investigators now say. The crown prince’s own account had been used to hack Bezos’ phone.

Such brazen targeting of a private citizen—the richest man in the world, no less—is alarming to say the least. It underscores the dangers of an unchecked private market for digital surveillance, and raises serious questions about other prominent US figures who have known relationships with the crown prince, like White House adviser Jared Kushner and President Donald Trump himself.

Full article

The Register

Safari’s Intelligent Tracking Protection is misspelled, says Google: It should be Dumb Browser Stalking Enabler

The Register

Google security researchers have published details about the flaws they identified last year in Intelligent Tracking Protection (ITP), a privacy scheme developed by Apple’s WebKit team for the company’s Safari browser.

In December, Apple addressed some of these vulnerabilities (CVE-2019-8835, CVE-2019-8844, and CVE-2019-8846) through software updates, specifically Safari 13.0.4 and iOS 13.3. Those bugs could be exploited to leak browsing and search history and to perform denial of service attacks.

Full article

Naked Security

Big Microsoft data breach – 250 million records exposed

Naked Security

Microsoft has today announced a data breach that affected one of its customer databases.

The blog article, entitled Access Misconfiguration for Customer Support Databases, admits that between 05 December 2019 and 31 December 2019, a database used for “support case analytics” was effectively visible from the cloud to the world.

Microsoft didn’t give details of how big the database was. However, consumer website Comparitech, which says it discovered the unsecured data online, claims it was to the order of 250 million records containing “logs of conversations between Microsoft support agents and customers from all over the world, spanning a 14-year period from 2005 to December 2019“.

According to Comparitech, that same data was accessible on five Elasticsearch servers.

Full article

The Intercept

The Intercept Condemns Brazilian Criminal Complaint Against Glenn Greenwald as an Attack on Free Press

The Intercept

Photo: Ariel Zambelich/The Intercept

On Tuesday, a federal prosecutor in Brazil announced a denunciation of American journalist and Intercept co-founder Glenn Greenwald related to his work on a series of stories published on The Intercept and The Intercept Brasil. The denunciation is a criminal complaint that would open the door to further judicial proceedings. It alleges that Greenwald “directly assisted, encouraged and guided” individuals who reportedly obtained access to online chats used by prosecutors and others involved in Operation Car Wash, a yearslong, sprawling anti-corruption investigation that roiled Brazilian politics.

The denunciation will now go before a judge who can approve or deny the request for charges.

The Intercept and Greenwald both released statements Tuesday decrying the federal prosecutor’s accusation as an attack on Brazil’s free press in line with recent abuses by the government of far-right President Jair Bolsonaro. Abuses committed by Justice Minister Sergio Moro when he served as the presiding judge in Operation Car Wash were central to The Intercept’s reporting in the Brazil Secret Archive series.

Full article

WIRED

This Apple-FBI Fight Is Different From the Last One

WIRED

Photograph: Tom Brenner/Reuters

This all might sound familiar: After a mass shooting, the Federal Bureau of Investigation wants Apple to build a tool that can unlock the attacker’s iPhones. But don’t expect round two of Apple versus the FBI to necessarily play out like the first. The broad outlines are the same, but the details have shifted precariously.

For all the FBI’s posturing, its attempt to force Apple to unlock the phone of one of the San Bernardino terrorists ultimately ended in a draw in 2016. The FBI dropped its lawsuit after the agency found a third-party firm to crack it for them. Now, the FBI claims that only Apple can circumvent the encryption protections on the two recovered iPhones of Mohammed Saeed Alshamrani, who killed three people and wounded eight in December at a naval air station in Pensacola, Florida. As it did four years ago, Apple has declined.

Apple’s central argument against helping the FBI in this way remains the same: creating a backdoor for the government also creates one for hackers and bad actors. It makes all iPhones less safe, full stop. Since the last Apple-FBI showdown, though, technological capabilities on both sides, the US political landscape, and global pressures have all substantially evolved.

Full article

EFF

Top Apps Invade User Privacy By Collecting and Sharing Personal Data, New Report Finds

Electronic Frontier Foundation

A new year often starts with good resolutions. Some resolve to change a certain habit, others resolve to abandon an undesired trait. Mobile app makers, too, claim to have user behavior and their preferences at their heart. From dating to health to music, their promise is to add convenience to consumers’ lives or to offer support when needed. The bad news is that the ecosystem of the underlying ad tech industry has not changed and still does not respect user privacy. A new report published today by the Norwegian Consumer Council (NCC) looks at the hidden side of the data economy and its findings are alarming.

Full article

Cybersecurity Insiders

How to secure a router from Cyber Attacks

Cybersecurity Insiders

Hackers nowadays are seen using routers as botnets to launch cyber attacks on large companies and organizations. So, in such circumstances, here are some steps that will help secure a router from cyber attacks.

Full article

Miscellanious

Update Firefox now!

Within just a few days after the release of Firefox 72 an update to patch a zero-day vulnerability is available. You find more info about CVE-2019-17026 here.

Update to 72.0.1 now!