News Bits

NewsBits, IEEE Cipher E134, E134.Sep-2016

Microsoft Fights Feds For User Privacy
  • Microsoft's president explains the company's quiet legal war for user privacy
    Washington Post
    By Andrea Peterson
    Jul 22, 2016

    Brad Smith, the president of Microsoft, explained in an interview how Microsoft has been opposing some actions by the Justice Department. The issues are transparency of warrants and subpoenas and gag orders pertaining to them, and the legitimacy of subpoenas for data that is stored outside the US.


Federal Directive Clarifies Cyberattack Handling
  • In a major cyber hack, who do you call? The White House spells it out.
    Washington Post
    By Ellen Nakashima
    Jul 26, 2016

    As cybersecurity "incidents" become more serious and more common, the US Federal government has issued a directive about which agencies handle responses and how the severity of a breach is determined. There are 5 levels of severity, depending on how seriously the incident affects public health or safety, national security, economic security, foreign relations, civil liberties or public confidence.


Democrats Made Transparent by Hackers
  • The anxiety for Democrats, Are more leaks to come?
    Washington Post
    By Tom Hamburger and Ellen Nakashima
    Jul 25, 2016

    When WikiLeaks released emails from the Democratic National Committee, it began to seem as though the party should abandon all hope of private communication and simply post all their thoughts on Twitter. The sources behind the hacking that collected the emails are unknown, but Russians are suspected in this and other breaches.

Bit By Stolen Bitcoin
  • Hackers steal bitcoins worth millions in attack on exchange
    CNN Money
    By Jethro Mullen
    Aug 3, 2016

    One of the largest bitcoin exchanges in the world was seriously hacked, resulting in a loss of 119,756 bitcoins. Bitfinex in Hong Kong said it had reported the event to law enforcement, but it gave no further information.

  • Bitcoin customers lose 36% of their money after hack
    CNN Money
    By Jackie Wattles
    Aug 8, 2016

    The Bitfinex bitcoin exchange stopped operating in the wake of a breach that resulted in a significant loss of value. They distributed the loss over the accounts of all customers. While the exchange still maintains the user accounts, it has ceased transactions.



NIST SHA-3 Derived Functions
  • SP 800-185, SHA-3 Derived Functions: cSHAKE, KMAC, TupleHash and ParallelHash
    NIST press release
    Aug 4, 2016

    NIST published a draft of SP 800-185, SHA-3 Derived Functions: cSHAKE, KMAC, TupleHash and ParallelHash, today for public comment. The public comment period runs from August 4, 2016 through September 30, 2016. Comments should be sent to:


HTTP/2 Implementations Open DDoS Channels
  • Black Hat: Be wary of HTTP/2 on Web servers
    Network World
    By Tim Greene
    Aug 3, 2016

    The HTTP/2 web communication protocol is an important revision to the long-time standard HTTP, and it offers ways to improve performance and to optimize communication. No good deed ever goes unpunished, though. The security vendor Imperva, looking at the protocol with an evil eye, found 4 ways in which implementations have introduced vulnerabilities that offer simple ways to crash the servers. In one case, a client can advise the server on how to size a compression table. As a result, it was possible to cause the server to allocate nearly a gigabyte of memory with only 14 streams.
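    The compression-table case above comes down to a server allocating whatever its peer advertises. The following is an added example, not code from the article or from Imperva: it parses an HTTP/2 SETTINGS frame (layout and setting identifiers per RFC 7540), clamps the peer's HEADER_TABLE_SIZE to a server-chosen ceiling, and keeps a per-connection budget for decoded header bytes so that many streams cannot add up to an unbounded allocation. The ceiling and budget values are assumptions, and the oversized client frame is constructed inline.

```python
import struct

SETTINGS_FRAME_TYPE = 0x4                 # RFC 7540 section 6.5
SETTINGS_HEADER_TABLE_SIZE = 0x1          # RFC 7540 section 6.5.2
SERVER_TABLE_CEILING = 4096               # assumed: bytes of HPACK table we keep
PER_CONNECTION_HEADER_BUDGET = 1 << 20    # assumed: decoded header bytes per connection


def parse_frame(buf: bytes):
    """Split one HTTP/2 frame into (type, flags, stream_id, payload)."""
    if len(buf) < 9:
        raise ValueError("short frame header")
    length = int.from_bytes(buf[:3], "big")           # 24-bit length
    ftype, flags = buf[3], buf[4]                      # 8-bit type and flags
    stream_id = struct.unpack(">I", buf[5:9])[0] & 0x7FFFFFFF  # drop R bit
    payload = buf[9:9 + length]
    if len(payload) != length:
        raise ValueError("truncated payload")
    return ftype, flags, stream_id, payload


def parse_settings(payload: bytes) -> dict:
    """SETTINGS payload is a sequence of 16-bit identifier, 32-bit value pairs."""
    if len(payload) % 6:
        raise ValueError("SETTINGS payload must be a multiple of 6 bytes")
    return {ident: value for ident, value in struct.iter_unpack(">HI", payload)}


def effective_table_size(advertised: int, ceiling: int = SERVER_TABLE_CEILING) -> int:
    """The peer's value is an upper bound on the table it will accept; the server
    may use anything smaller, so it never allocates more than its own ceiling."""
    return min(advertised, ceiling)


class HeaderBudget:
    """Counts decoded header bytes across all streams on one connection."""
    def __init__(self, limit: int = PER_CONNECTION_HEADER_BUDGET):
        self.limit, self.used = limit, 0

    def charge(self, decoded_bytes: int) -> bool:
        """Return False once the connection has exceeded its budget."""
        self.used += decoded_bytes
        return self.used <= self.limit


def build_settings_frame(settings: dict) -> bytes:
    """Constructed client frame for testing; stream id 0 as SETTINGS requires."""
    payload = b"".join(struct.pack(">HI", k, v) for k, v in settings.items())
    header = len(payload).to_bytes(3, "big") + bytes([SETTINGS_FRAME_TYPE, 0])
    return header + (0).to_bytes(4, "big") + payload
```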


Pizza Hacker Convicted
  • Russian MP's son convicted of hacking scheme
    BBC news
    Aug 26, 2016

    Proving that there is big money to be made from small businesses, the US Secret Service arrested a Russian traveling to the Maldives for hacking into the credit card systems of 3700 businesses, many of them pizza chains in the US. As many as 3 million credit card numbers were stolen.


Microsoft Shoots Itself in the Trusted Boot
  • Bungling Microsoft singlehandedly proves that golden backdoor keys are a terrible idea
    The Register
    By Chris Williams


    Developers are frequently hampered by security policies that are meant to secure the product they are working on. Apparently Microsoft engineers installed a special policy for the purpose of allowing them to boot development versions of the operating system. That policy might as well be called the "boot anything" policy. It passes all the security checks built into Secure Boot, but it will boot any operating system image provided by the user. While Microsoft's intention has been to prevent users from booting alternative OS's, this "Boot Anything" policy has been digitally signed by Microsoft, and there is probably no effective way to revoke it.

    This adds some fuel to the fire over the FBI's constant lobbying for guaranteed law enforcement access to any digital device. Critics of the idea point out that it is difficult to assure that a backdoor won't be misused. This seems to be a case in point. [Ed. Does anyone remember DEBUG mode in sendmail in the late 1980's?]


TCP Sequence Numbers, The Once and Future Flaw
  • Serious security threat to many Internet users highlighted: Communications involving Linux and Android systems can be compromised quickly, easily and from anywhere
    Science Daily
    August 9, 2016

    In 1985 Robert T. Morris noted that TCP connections could be hijacked simply by guessing the sequence numbers in a current connection. Nearly 30 years later, a minor change to the Linux kernel managed to bypass all mitigations and widen the attack surface. The recognition of the problem is due to researchers at UC Riverside.

    Off-Path TCP Exploits: Global Rate Limit Considered Dangerous, by Yue Cao, et al.
    Morris 1985 paper.

Repressive Governments Buy iPhone Spyware
  • Apple boosts iPhone security after powerful spyware targets an activist
    Los Angeles Times
    Aug 25, 2016

    An iPhone vulnerability that allowed total compromise through a crafted text message led Apple to fix three zero-day vulnerabilities. The spyware that exploited them was produced by an Israeli company, the NSO Group, and in this case it was used to target a political activist.

    Related stories:
    How Spy Tech Firms Let Governments See Everything on a Smartphone
    The New York Times
    By Nicole Perlroth
    Sep 4, 2016

    The NSO Group supplies software that hacks into smart phones and lets governments spy on the phone's owner. Zamir Dahbash, an NSO Group spokesman, said that the sale of its spyware was restricted to authorized governments and that it was used solely for criminal and terrorist investigations. However, there are documented instances of use against non-criminal activists.

Something Wicked in that PowerPoint
  • How foreign governments spy using PowerPoint and Twitter
    Washington Post
    By Ron Deibert
    Aug 2, 2016

    Although we all recognize the risk of email attachments, the fact is that sometimes we have to open them. One political activist took a suspicious attachment to a security lab, where they found that the PowerPoint contained malware that could turn an Android phone into a portal for cyberespionage. The phone's microphone and camera could have been remotely controlled, and many messaging functions, even those using encryption, could have been relayed to remote users.

    Researchers say that governments also have used Twitter to target activists.


Crypto Backdoor Socialization by FBI
  • Comey: FBI wants 'adult conversation' on device encryption
    AP story reported in the Deseret News
    By Eric Tucker, Associated Press
    Aug 30, 2016

    Speaking at a symposium sponsored by the Symantec Corporation in Washington, James Comey, FBI Director, presented his case for a "legislative fix" to the problems facing law enforcement when they want to get information from digital devices that have encryption protection. He said what he wants to do "is collect information this year so that next year we can have an adult conversation."

    Related story:
    FBI chief calls for national talk over encryption vs. safety
    Caribbean Business
    Aug 30, 2016
    AP story


    Summary: Speaking to the American Bar Association in San Francisco, FBI Director James Comey said that in the past 10 months the agency was frustrated in its attempts to access data on more than 10% of the electronic devices it seized for investigations. He expects to start a discussion, after the start of the next White House administration, about how to mitigate the problems his agency faces.

AP to FBI: Tell Us How You Hacked the iPhone
  • AP, other media sue FBI for details on iPhone hacking tool
    By Eric Tucker, Associated Press
    Sep 16, 2016

    When the FBI said that it had unlocked an iPhone connected to the San Bernardino terrorists, the agency implied that it had paid a million dollars for the break. The vendor, the exact amount, and the method remain a mystery to the public. Under the US Freedom of Information Act, the Associated Press and other news organizations have asked for release of the details.