Items from security-related news (E127.Jul-2015)
According to revelations from Edward Snowden, in 2012 the US
government approved warrantless surveillance of Internet traffic
crossing the US border. The purpose of the surveillance is to detect
cyberattacks originating from foreign government, and the NSA uses
patterns to detect malware and and access to "suspicious" websites.
The agency also sought permission to monitor related activities by
US citizens on US soil, but the recent revelations do not include
information about the outcome of that request.
The US Office of Personnel Management was the target of two phases an
apparently successful attack in 2015 to retrieve sensitive information
from its databases. The Office's inspector general had issued a
report in November of 2014 damning the poor security and even
recommending shutting down some systems because they were so
vulnerable. The intrusion into the Office's databases was attributed
to non-governemental Chinese hackers who might be sharing information
with the Chinese government. The attack might have been orchestrated
by the same group that infiltrated health care providers.
Ed.: one might wonder why the cross-border surveillance program did not detect this instrusion.
A partnership between Samsung and Swiftkey was meant
to keep Galaxy phone up-to-date with the latest word prediction
software. But researchers at NowSecure found that the update
procedure can be compromised, potentially giving hackers access to
core internals of the operating system. The hack can be carried out
over wifi networks and perhaps over cellular networks.
The MACOS operating system from Apple has an application that is a manager for all the cryptographic keys used to protect data on the system. The "keychain" app is an important party of Apple's security for MAC computers. Researchers found significant flaws in the app and showed how to exploit them to gain access to a user's personal data, wherever it was stored --- locally or in iCloud. Frustrated by Apple's slow pace in addressing the problem, the researchers went public with their discovery, spurring Apple to work with them on a daily basis to get the holes closed.
Governments are touchy about the use of encryption by their citizens,
today more so than ever. The NSA believes that it is possible to have
encryption that is perfectly secure but also allows the government,
under careful judicial control, to read the encrypted data without
contacting the person who did the encrypting. The descriptive phrase
for this is "exceptional access". It has raised a firestorm of
debate. A group of 14 security experts have published a paper
opposing the idea. "The government's proposals for exceptional access
are wrong in principle and unworkable in practice," said Ross
Anderson.
A US Federal Court has been asked to nullify an NSA program to collect bulk collection of calling information for US phones. The program was revealed by Edward Snowden, and it has been the subject of recent legislation and court challenges. Apparently the program is still in effect. The ACLU has petitioned the court to issue an injunction stopping the program. Also in question are the previously collected phone records.
Many recently manufactured Chrysler vehicles come with software that
connects them to the Internet. This wonderful capability is provided
by a wireless service Uconnect that connects these cars to the Sprint
cellphone network. Unfortunately, researchers have demonstrated that
it is possible for unauthorized users (i.e., hackers) to take control
of the car from the Internet. They can, for example, stop and start
the engine. All such cars the subject of a large recall.
Have you installed the latest versions of all your software? Do you
use a different password for everyone of your accounts? Do you use
two factor authentication? Then you might be a security expert. On
the other hand, if you rely on anti-virus software and change your
passwords frequently, you might not be an expert. These observations
were presented at the recent SOUPS conference, based on a survey carried
out by researchers at Google.
New York Times
By Charlie Savage, Julia Angwin, Jeff Larson and Henrik Moltke,
June 4, 2015
Summary:
New York Times
By David E. Sanger, Julie Hirschfeld Davis and Nicole Perlroth
June 5, 2015
Summary:
CNN Money
By Jose Pagliery
Jun. 17, 2015
Summary:
CNN Money
By Jose Pagliery
Jun. 18, 2015
Summary:
The New York Times
Nicole Perlroth
July 7, 2015
Summary:
Keys Under Doormats: Mandating
insecurity by requiring government
access to all data and communications
The New York Times
By Charlie Savage
July 14, 2015
Summary:
CNN Money
By Jose Pagliery
Jul 21, 2015
Summary:
The Washington Post
By Andrea Peterson
July 24, 2015
Summary: