More than a quarter century after its introduction, the failed rollout of hardware deliberately backdoored by the NSA is still having an impact on the modern encryption debate.
Known as Clipper, the encryption chipset developed and championed by the US government only lasted a few years, from 1993 to 1996. However, the project remains a cautionary tale for security professionals and some policy-makers. In the latter case, however, the lessons appear to have been forgotten, Matt Blaze, McDevitt Professor of Computer Science and Law at Georgetown University in the US, told the USENIX Enigma security conference today in San Francisco.
In short, Clipper was an effort by the NSA to create a secure encryption system, aimed at telephones and other gear, that could be cracked by investigators if needed. It boiled down to a microchip that contained an 80-bit unit key burned in during fabrication, with a copy of that key split into two halves and held in escrow by two separate government agencies for g-men to use with proper clearance. Thus, any data encrypted by the chip could be decrypted as needed by the government. Two devices used the Diffie-Hellman key exchange algorithm to agree on a session key; the traffic itself was encrypted with the NSA's Skipjack block cipher, and a copy of the session key, wrapped under the chip's escrowed unit key, was sent along with the ciphertext so that anyone holding both escrow halves could recover it.
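The escrow flow just described, as an added illustration written for this article rather than code from Clipper, the NSA or Blaze. It is a toy model: the prime, the chip ID, the "call audio" and the SHA-256 keystream standing in for Skipjack are all constructed here, and the real Law Enforcement Access Field also carried a checksum and a family-key layer that are omitted. What it shows is the property that mattered in the policy debate: with both escrow shares the session key and the plaintext fall out directly, and the design gives no way to limit that capability to the intended holder.

```python
"""Toy model of the Clipper escrow flow: DH session key, per-chip unit key,
XOR-split escrow shares, and the investigator recovery path.
Hypothetical code written for this article; not the real Skipjack/LEAF format."""
import hashlib
import os
import secrets

P = (1 << 127) - 1  # toy Mersenne prime, NOT a safe DH group; use standardised groups for real
G = 5
KEY_LEN = 10        # Clipper unit keys and session keys were 80 bits


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def toy_cipher(key: bytes, data: bytes) -> bytes:
    """Stand-in for Skipjack: SHA-256 keystream in counter mode XORed over data.
    Symmetric, so the same call encrypts and decrypts."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return xor_bytes(data, bytes(stream[: len(data)]))


def dh_keypair():
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)


def dh_session_key(priv: int, peer_pub: int) -> bytes:
    shared = pow(peer_pub, priv, P)
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()[:KEY_LEN]


def fabricate_chip():
    """Burn in a random unit key and split it into two XOR shares for escrow."""
    unit_key = os.urandom(KEY_LEN)
    share_a = os.urandom(KEY_LEN)
    share_b = xor_bytes(unit_key, share_a)
    return unit_key, share_a, share_b


def build_leaf(chip_id: bytes, unit_key: bytes, session_key: bytes) -> bytes:
    """Law Enforcement Access Field: chip id + session key wrapped under the unit key."""
    return chip_id + toy_cipher(unit_key, session_key)


def escrow_recover(leaf: bytes, ciphertext: bytes, agency_a: dict, agency_b: dict) -> bytes:
    """Investigator path: rebuild the unit key from both shares, unwrap the
    session key from the LEAF, decrypt the traffic."""
    chip_id, wrapped = leaf[:4], leaf[4:]
    unit_key = xor_bytes(agency_a[chip_id], agency_b[chip_id])
    session_key = toy_cipher(unit_key, wrapped)
    return toy_cipher(session_key, ciphertext)


def demo():
    chip_id = b"\x00\x00\x2a\x01"  # constructed 32-bit chip id
    unit_key, share_a, share_b = fabricate_chip()
    agency_a, agency_b = {chip_id: share_a}, {chip_id: share_b}

    # two phones agree on a session key via Diffie-Hellman
    a_priv, a_pub = dh_keypair()
    b_priv, b_pub = dh_keypair()
    k_a = dh_session_key(a_priv, b_pub)
    k_b = dh_session_key(b_priv, a_pub)

    plaintext = b"constructed sample call audio"
    ciphertext = toy_cipher(k_a, plaintext)
    leaf = build_leaf(chip_id, unit_key, k_a)

    recovered = escrow_recover(leaf, ciphertext, agency_a, agency_b)
    # one agency acting alone (treating its share as the unit key) gets garbage
    partial = escrow_recover(leaf, ciphertext, agency_a, {chip_id: bytes(KEY_LEN)})
    return {
        "keys_agree": k_a == k_b,
        "escrow_recovers": recovered == plaintext,
        "single_share_fails": partial != plaintext,
    }


if __name__ == "__main__":
    print(demo())
```

The XOR split is what makes the two-agency arrangement meaningful: either share on its own is indistinguishable from random, so recovery needs both. The flip side is the caveat Blaze and others raised at the time: the escrow database, not the chip, becomes the thing an adversary has to steal.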
On November 8, 2018, Amazon CEO Jeff Bezos received an unexpected text message over WhatsApp from Saudi Arabian leader Mohammed bin Salman. The two had exchanged numbers several months prior, in April, at a small dinner in Los Angeles, but weren’t in regular contact; Bezos had previously received only a video file from the crown prince in May that reportedly extolled Saudi Arabia’s economy. The November text had an attachment as well: an image of a woman who looked like Lauren Sanchez, with whom Bezos had been having an unreported affair.
That message appears to have been a taunt; American Media Inc., publisher of The National Enquirer, would several months later make details of the affair public. But it’s the initial contact, in May, that has set off another firestorm with MBS at the center. That video file was likely loaded with malware, investigators now say. The crown prince’s own account had been used to hack Bezos’ phone.
Such brazen targeting of a private citizen—the richest man in the world, no less—is alarming to say the least. It underscores the dangers of an unchecked private market for digital surveillance, and raises serious questions about other prominent US figures who have known relationships with the crown prince, like White House adviser Jared Kushner and President Donald Trump himself.
Google security researchers have published details about the flaws they identified last year in Intelligent Tracking Prevention (ITP), a privacy scheme developed by Apple’s WebKit team for the company’s Safari browser.
In December, Apple addressed some of these vulnerabilities (CVE-2019-8835, CVE-2019-8844, and CVE-2019-8846) through software updates, specifically Safari 13.0.4 and iOS 13.3. Those bugs could be exploited to leak browsing and search history and to perform denial of service attacks.
Microsoft has today disclosed that a misconfiguration left one of its customer support databases exposed to the internet.
The blog article, entitled Access Misconfiguration for Customer Support Databases, admits that between 05 December 2019 and 31 December 2019, a database used for “support case analytics” was effectively visible from the cloud to the world.
Microsoft didn’t give details of how big the database was. However, consumer website Comparitech, which says it discovered the unsecured data online, claims it was of the order of 250 million records containing “logs of conversations between Microsoft support agents and customers from all over the world, spanning a 14-year period from 2005 to December 2019”.
According to Comparitech, that same data was accessible on five Elasticsearch servers.
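The page does not say how the servers were misconfigured, so the following is an added, hypothetical check rather than anything from Microsoft or Comparitech: a small audit over two constructed elasticsearch.yml fragments, one with the settings that leave a cluster world-readable (bound to all interfaces, security off, no TLS on the HTTP API) and one with the corrected values. The setting names are real Elasticsearch settings; the sample configs and the finding codes are invented for this example.

```python
"""Flag the elasticsearch.yml settings that make a cluster reachable and readable
by anyone. Hypothetical helper written for this article; sample configs are constructed."""

# constructed sample: the exposed pattern
WEAK_CONFIG = """
cluster.name: support-analytics
network.host: 0.0.0.0          # listen on every interface
http.port: 9200
xpack.security.enabled: false  # no authentication at all
"""

# constructed sample: the corrected pattern
HARDENED_CONFIG = """
cluster.name: support-analytics
network.host: 10.0.3.15        # private address only; front with a firewall/VPC rule
http.port: 9200
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
"""

# binding values that expose the node beyond loopback or a private network
PUBLIC_BINDS = {"0.0.0.0", "::", "_global_"}


def parse_yml(text: str) -> dict:
    """Minimal parser for the flat `key: value` lines elasticsearch.yml uses
    (no nesting, no lists); comments and blank lines are dropped."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, value = line.split(":", 1)
        settings[key.strip()] = value.strip().strip('"').strip("'")
    return settings


def audit(text: str) -> list:
    """Return finding codes for an elasticsearch.yml fragment.
    Assumption (pre-8.x defaults): an absent `network.host` means loopback, and
    absent security settings mean the feature is off."""
    s = parse_yml(text)
    findings = []
    if s.get("network.host", "localhost") in PUBLIC_BINDS:
        findings.append("public-bind")
    if s.get("xpack.security.enabled", "false").lower() != "true":
        findings.append("auth-disabled")
    if s.get("xpack.security.http.ssl.enabled", "false").lower() != "true":
        findings.append("no-tls")
    return findings


if __name__ == "__main__":
    print("weak:", audit(WEAK_CONFIG))
    print("hardened:", audit(HARDENED_CONFIG))
```

A config audit like this only catches the node-level settings; in cloud deployments the equivalent exposure is just as often a security-group or firewall rule that opens port 9200 to 0.0.0.0/0, which no file on the host will show. Check both.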
On Tuesday, a federal prosecutor in Brazil announced a denunciation of American journalist and Intercept co-founder Glenn Greenwald related to his work on a series of stories published on The Intercept and The Intercept Brasil. The denunciation is a criminal complaint that would open the door to further judicial proceedings. It alleges that Greenwald “directly assisted, encouraged and guided” individuals who reportedly obtained access to online chats used by prosecutors and others involved in Operation Car Wash, a yearslong, sprawling anti-corruption investigation that roiled Brazilian politics.
The denunciation will now go before a judge who can approve or deny the request for charges.
The Intercept and Greenwald both released statements Tuesday decrying the federal prosecutor’s accusation as an attack on Brazil’s free press in line with recent abuses by the government of far-right President Jair Bolsonaro. Abuses committed by Justice Minister Sergio Moro when he served as the presiding judge in Operation Car Wash were central to The Intercept’s reporting in the Brazil Secret Archive series.
This all might sound familiar: After a mass shooting, the Federal Bureau of Investigation wants Apple to build a tool that can unlock the attacker’s iPhones. But don’t expect round two of Apple versus the FBI to necessarily play out like the first. The broad outlines are the same, but the details have shifted precariously.
For all the FBI’s posturing, its attempt to force Apple to unlock the phone of one of the San Bernardino terrorists ultimately ended in a draw in 2016. The FBI dropped its lawsuit after the agency found a third-party firm to crack it for them. Now, the FBI claims that only Apple can circumvent the encryption protections on the two recovered iPhones of Mohammed Saeed Alshamrani, who killed three people and wounded eight in December at a naval air station in Pensacola, Florida. As it did four years ago, Apple has declined.
Apple’s central argument against helping the FBI in this way remains the same: creating a backdoor for the government also creates one for hackers and bad actors. It makes all iPhones less safe, full stop. Since the last Apple-FBI showdown, though, technological capabilities on both sides, the US political landscape, and global pressures have all substantially evolved.
A new year often starts with good resolutions. Some resolve to change a certain habit, others resolve to abandon an undesired trait. Mobile app makers, too, claim to have user behavior and their preferences at their heart. From dating to health to music, their promise is to add convenience to consumers’ lives or to offer support when needed. The bad news is that the ecosystem of the underlying ad tech industry has not changed and still does not respect user privacy. A new report published today by the Norwegian Consumer Council (NCC) looks at the hidden side of the data economy and its findings are alarming.
Attackers now routinely conscript home and small-office routers into botnets and use them to launch attacks on large companies and organizations. With that in mind, here are some steps that will help secure a router against being compromised in this way.