IEEE Computer Society Cipher --- Items from security-related news (E144)

  • There's a Russian in my router
    U.S., British governments warn businesses worldwide of Russian campaign to hack routers
    The Washington Post
    By Ellen Nakashima
    April 16, 2018

    The US and British governments jointly issued a warning about malware in computer routers and firewalls. The White House has said that there is "high confidence" that the malware is orchestrated by Russia and is part of a long-term campaign to infiltrate the Internet infrastructure for espionage purposes.

  • U.S.-U.K. Warning on Cyberattacks Includes Private Homes
    The New York Times
    By David D. Kirkpatrick and Ron Nixon
    Apr 16, 2018

    A former director of the British electronic spying agency GCHQ said that the joint warning of the US and British governments about router malware was meant to serve as a warning to the Russians with the message "We know where you are pre-positioned and if something happens, we will know it is you." According to officials, the Russian efforts have been going on for at least 20 years, so the immediate urgency of responding to the malware is unclear. It may be a sort of civilian cyber emergency drill. We wonder if officials will check to see how many people actually reboot or factory reset their routers in response to the warning.

  • Official Warning re Network Infrastructure Devices
    Russian State-Sponsored Cyber Actors Targeting Network Infrastructure Devices
    US-CERT, United States Computer Emergency Readiness Tream
    April 20, 2018

    The alert concerns vulnerabilities present in many router devices, including inexpensive ones that would be used in homes or small businesses, that are being exploited by malware. The malware seems to have come from Russia, and it is widespread. It depends on a website (reportedly shutdown prior to this alert), and the advice includes this statement: "... administrators should inspect the presence of protocol 47 traffic flowing to or from unexpected addresses, or unexplained presence of GRE tunnel creation, modification, or destruction in log files."

  • PGP Mime, decryption through invisible html
    Decade-old Efail attack can decrypt previously obtained encrypted emails
    Ars Technica
    By Dan Goodin
    May 14, 2018

    We think that this hack should win an award for cleverness. It shows that cryptography is not worth much without being used with well-defined security architecture. Read the article yourself to understand the exploit in depth, what follows here is a summary and opinion on what is missing in the use of cryptography in user applications.

    The basic idea of the exploit is to construct a multi-part MIME message with encrypted parts that are cobbled together from ordinary html and ciphertext that had been previously received by the victim. After all the processing is completed, the parts together form an html document. When that is presented to a browser, it may fetch data from links in the html document. The attacker has constucted the document so that those url links name a website controlled by the attacker, and the remainder of url is the decryption of the old ciphertext. By examining the server logs, the attacker can read the decrypted text.

    This problem arises because there is no clear definition of a security policy for encrypted email. In a formally specified system, encrypted data would be marked as sensitive, and it would not be used as part of unprotected communication to an untrusted website. But by blindly following the details of low-level crypto processing without considering the fact that the crypto was meant to provide confidentiality, the software engineers allowed an attacker turn crypto capability against the user.

  • Did he or didn't he? Only Tor knows ...
    U.S. identifies suspect in major leak of CIA hacking tools
    The Washington Post
    By Shane Harris
    May 15, 2018

    Joshua Adam Schulte worked for the CIA group that produced hacking tools. Those tools showed up in WikiLeaks in March 2017. Did Schulte use Tor to distribute the CIA tools to WikiLeaks? The US government has his computers, but has not formally charged him for the leak. Did Schulte, in an unrelated act, load child pornography onto a server? He sits in jail on that charge. Schulte claims innocence. He was critical of CIA management, and he was one of more than 50 people with access to the server; those facts, he says, have led the government to mistakenly suspect and charge him.

  • Your Location Data, Free to the World
    Tracking Firm LocationSmart Leaked Location Data for Customers of All Major U.S. Mobile Carriers Without Consent in Real Time Via Its Web Site
    Krebs On Security
    May 17, 2018

    Unbeknownst to most people, the location of most mobile telephones in the US was available with little in the way of secure authentication through the website of a company called LocationSmart. LocationSmart seemed to have been security dumb, despite statements saying that it took privacy and security seriously. A freely available demo on its webiste allowed anyone to request location data for any phone (apparently the user of the phone had to give permission via a text message for each access). LocationData is used by third parties: law enforcement, companies that give mobile phone to their employees, etc.