Summary:
Brad Smith, the president of Microsoft, explained in an interview how Microsoft has been opposing some actions by the Justice Department. The issues are transparency of warrants and subpoenas and gag orders pertaining to them, and the legitimacy of subpoenas for data that is stored outside the US.

Summary:
As cybersecurity "incidents" become more serious and more common, the US Federal government has issued a directive about which agencies handle responses and how the severity of a breach is determined. There are 5 levels of severity, depending on how seriously the incident affects public health or safety, national security, economic security, foreign relations, civil liberties or public confidence.

Summary:
When WikiLeaks released emails from the Democratic National Committee, it began to seem as though party should abandon all hope of private communication and simply post all their thoughts on Twitter. The sources behind the hacking that collected the emails are unknown, but Russians are suspected in this and other breaches.

Summary:
One of the largest bitcoin exchanges in the world was seriously hacked, resulting in a loss of 119,756 bitcoins. Bitfinex in Hong Kong said it had reported the event to law enforcement, but it gave no further information.

Bitcoin customers lose 36% of their money after hack
CNN Money
Aug 8, 2016
by Jackie Wattles

Summary:
The Bitfinex bitcoin exchange stopped operating in the wake of a breach that resulted in a significant loss of value. They distributed the loss over the accounts of all customers. While the exchange still maintains the user accounts, it has ceased transactions.

Summary:
NIST has published a draft of SP 800-185, SHA-3 Derived Functions: cSHAKE, KMAC, TupleHash and ParallelHash, today for public comment. The public comment period is from August 4, 2016 through Septmeber 30, 2016. Comments should be sent to: SP800-185@nist.gov

HTTP 2 Implementations Open DDOS Channels

Summary:
The HTTP/2 web communication protocol is an important revision to the long-time standard HTTP, and it offers ways to improve performance and to optimize communication. No good deed ever goes unpunished, though. The security vendor Imperva, looking at the protocol with an evil eye, found 4 ways in which implementation have introduced vulnerabilities that can result in simple ways to crash the servers. In one case, a client can advise the server on how size a compression table. As a result, it was possible to cause the server to allocate nearly a gigabyte of memory with only 14 streams.

Summary:
Proving that there is big money to be made from small businesses, the US Secret Service arrested a Russian traveling to the Maldives for hacking into the credit card systems of 3700 businesses, many of them pizza chains in the US. As many as 3 million credit card numbers were stolen.

Summary:

Developers are frequently hampered by security policies that are meant to secure the product they are working on. Apparently Microsoft engineers installed a special policy for the purpose of allowing them to boot development versions of the operating system. That policy might as well be called the "boot anything" policy. It passes all the security checks built into Secure Boot, but it will boot any operating system image provided by the user. While Microsoft's intention has been to prevent users from booting alternative OS's, this "Boot Anything" policy has been digitally signed by Microsoft, and there is probably no effective way to revoke it.

This adds some fuel to the fire over the FBI's constant lobbying for guaranteed law enforcement access to any digital device. Critics of the idea point out that it is difficult to assure that a backdoor won't be misused. This seems to be a case in point. [Ed. Does anyone remember DEBUG mode in sendmail in the late 1980's?]

TCP Sequence Numbers, The Once and Future Flaw

Summary:
In 1985 Robert T. Morris noted that TCP connections could be hijacked simply by guessing the sequence numbers in a current connection. Nearly 30 years later, a minor change to the Linux kernel managed to bypass all mitigations and widen the attack surface. The recognition of the problem is due to researchers at UC Riverside.

Summary:
An iPhone vulnerability that allowed total compromise through a crafted text message led Apple to fix three zero-day vulnerabilities. The software was produced by an Israeli company, the NSO Group. The software was used in this case to target a political activist.

Summary:
The NSO Group supplies software that hacks into smart phones and lets governments spy on the phone's owner. Zamir Dahbash, an NSO Group spokesman, said that the sale of its spyware was restricted to authorized governments and that it was used solely for criminal and terrorist investigations. However, there are documented instances of use against non-criminal activists.

Summary:
Although we all recognize the risk of email attachments, the fact is that sometimes we have to open them. One political activist took a suspicious attachment to security lab, where they found that the Powerpoint contained malware that could turn an Android phone into a portal for cyberespionage. The phones microphone and camera could have been remotely controlled, and many messaging functions, even those using encryption, could have been relayed to remote users.

Researchers say that governments also have used Twitter to target activists.

Summary:
Speaking at a symposium sponsored by the Symantec Corporation in Washington, James Comey, FBI Director, presented his case for a "legislative fix" to the problems facing law enforcement when the want to get information from digital devices that have encryption protection. He said what he wants to do "is collect information this year so that next year we can have an adult conversation."

Summary: Speaking to the American Bar Association in San Francisco, FBI Director James Comey, said that in the past 10 months the agency was frustrated in its attempts to access data on more than 10% of the electronic devices it seized for investigations. He expects to start a discussion after the start of White House administration about how to mitigate the problems his agency faces.

Summary:
When the FBI said that it had unlocked an iPhone connected to the San Bernandino terrorists, the agency implied that it had paid a million dollars for the break. The vendor, the exact amount, and the method remain a mystery to the public. Under the US Freedom of Information Act, the Associated Press and other news organizations have asked for release of the details.