News Bits
NewsBits, IEEE Cipher E134, September 2016
Summary:
Brad Smith, the president of Microsoft, explained in an interview how
Microsoft has been opposing some actions by the Justice Department.
The issues are transparency of warrants and subpoenas and gag orders
pertaining to them, and the legitimacy of subpoenas for data that
is stored outside the US.
Summary:
As cybersecurity "incidents" become more serious and more common, the
US Federal government has issued a directive about which agencies
handle responses and how the severity of a breach is determined.
There are 5 levels of severity, depending on how seriously the
incident affects public health or safety, national security, economic
security, foreign relations, civil liberties or public confidence.
Summary:
When WikiLeaks released emails from the Democratic National Committee,
it began to seem as though the party should abandon all hope of private
communication and simply post all their thoughts on Twitter. The sources
behind the hacking that collected the emails are unknown, but
Russians are suspected in this and other breaches.
Summary:
One of the largest bitcoin exchanges in the world was seriously hacked,
resulting in a loss of 119,756 bitcoins. Bitfinex in Hong Kong said it had
reported the event to law enforcement, but it gave no further information.
Bitcoin customers lose 36% of their money after hack
CNN Money
Aug 8, 2016
by Jackie Wattles
Summary:
The Bitfinex bitcoin exchange stopped operating in the wake of a breach
that resulted in a significant loss of value. They distributed the
loss over the accounts of all customers. While the exchange still
maintains the user accounts, it has ceased transactions.
Summary:
NIST has published a draft of SP 800-185, SHA-3 Derived Functions: cSHAKE, KMAC, TupleHash and ParallelHash, today for public comment.
The public comment period is from August 4, 2016 through September 30, 2016. Comments should be sent to: SP800-185@nist.gov
Summary:
The HTTP/2 web communication protocol is an important
revision to the long-time standard HTTP, and it offers ways to improve
performance and to optimize communication. No good deed ever goes
unpunished, though. The security vendor Imperva, looking at the
protocol with an evil eye, found 4 ways in which implementations have
introduced vulnerabilities that can result in simple ways to crash the
servers. In one case, a client can advise the server on how to size a
compression table. As a result, it was possible to cause the server
to allocate nearly a gigabyte of memory with only 14 streams.
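The item above describes a peer-advertised compression table size driving server memory use. The following is an added example, not code from the Cipher page or from Imperva's report, showing the two checks a server would apply on the defender's side: validating an HTTP/2 SETTINGS frame and clamping the advertised HPACK table size to a local ceiling, and keeping a per-header-block budget for decompressed header bytes so that decoding stops before it allocates far more than the wire bytes justify. The setting identifiers and the 32-octet per-field overhead are from RFC 7540; the ceilings (4096 octets for the table, 16 KiB for a header list) and the sample frames are assumed values constructed for the example.

```python
import struct

FRAME_TYPE_SETTINGS = 0x4
SETTINGS_ACK_FLAG = 0x1
SETTINGS_HEADER_TABLE_SIZE = 0x1       # RFC 7540 section 6.5.2
SETTINGS_MAX_HEADER_LIST_SIZE = 0x6    # RFC 7540 section 6.5.2
HEADER_FIELD_OVERHEAD = 32             # RFC 7540: per-field accounting overhead

# Server-side policy knobs (assumed values for this example, not any real server's defaults)
SERVER_MAX_HEADER_TABLE_SIZE = 4096    # never let a peer push the dynamic table above this
SERVER_MAX_HEADER_LIST_SIZE = 16 * 1024  # decompressed octets accepted per header block


class ProtocolError(ValueError):
    """Raised when a frame violates HTTP/2 framing rules or a local limit."""


def parse_frame_header(data: bytes):
    """Split the 9-octet HTTP/2 frame header into (length, type, flags, stream_id)."""
    if len(data) < 9:
        raise ProtocolError("frame header truncated")
    length = int.from_bytes(data[0:3], "big")
    frame_type = data[3]
    flags = data[4]
    stream_id = int.from_bytes(data[5:9], "big") & 0x7FFFFFFF  # drop the reserved bit
    return length, frame_type, flags, stream_id


def parse_settings_frame(frame: bytes) -> dict:
    """Validate a SETTINGS frame and return a {setting_id: value} mapping."""
    length, frame_type, flags, stream_id = parse_frame_header(frame)
    if frame_type != FRAME_TYPE_SETTINGS:
        raise ProtocolError("not a SETTINGS frame")
    if stream_id != 0:
        raise ProtocolError("SETTINGS must be sent on stream 0")
    if flags & SETTINGS_ACK_FLAG and length != 0:
        raise ProtocolError("SETTINGS ACK must carry an empty payload")
    if length % 6 != 0:
        raise ProtocolError("SETTINGS payload must be a multiple of 6 octets")
    payload = frame[9:9 + length]
    if len(payload) != length:
        raise ProtocolError("SETTINGS payload truncated")
    settings = {}
    for offset in range(0, length, 6):
        ident, value = struct.unpack("!HI", payload[offset:offset + 6])
        settings[ident] = value
    return settings


def negotiate_header_table_size(settings: dict) -> int:
    """Return the dynamic table size this server will actually honour."""
    requested = settings.get(SETTINGS_HEADER_TABLE_SIZE, 4096)  # 4096 is the HPACK default
    return min(requested, SERVER_MAX_HEADER_TABLE_SIZE)


class HeaderListBudget:
    """Accounts for decompressed header-list size and aborts once it exceeds the budget."""

    def __init__(self, limit: int = SERVER_MAX_HEADER_LIST_SIZE):
        self.limit = limit
        self.used = 0

    def add(self, name: bytes, value: bytes) -> None:
        self.used += len(name) + len(value) + HEADER_FIELD_OVERHEAD
        if self.used > self.limit:
            raise ProtocolError("decompressed header list exceeds local budget")


def build_settings_frame(pairs) -> bytes:
    """Assemble a SETTINGS frame on stream 0 from (identifier, value) pairs (test helper)."""
    payload = b"".join(struct.pack("!HI", ident, value) for ident, value in pairs)
    header = len(payload).to_bytes(3, "big") + bytes([FRAME_TYPE_SETTINGS, 0]) + (0).to_bytes(4, "big")
    return header + payload


def demo():
    """Run both checks on constructed input; returns (table size chosen, fields accepted)."""
    # Constructed sample: peer advertises a 1 GiB header table.
    huge = build_settings_frame([(SETTINGS_HEADER_TABLE_SIZE, 1 << 30)])
    chosen = negotiate_header_table_size(parse_settings_frame(huge))

    # Constructed sample: a header block whose decoded fields keep arriving past the budget.
    budget = HeaderListBudget()
    accepted = 0
    try:
        for _ in range(16384):
            budget.add(b"x-filler", b"A" * 4096)
            accepted += 1
    except ProtocolError:
        pass  # decoding stops here; the server never materialises the rest
    return chosen, accepted


if __name__ == "__main__":
    print(demo())
```

The clamp in negotiate_header_table_size is the cheap check; the budget is the one that matters, because the table size only bounds what can be referenced, not how often a reference can be repeated within one block.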
Summary:
Proving that there is big money to be made from small businesses, the
US Secret Service arrested a Russian traveling to the Maldives for
hacking into the credit card systems of 3700 businesses, many of them
pizza chains in the US. As many as 3 million credit card numbers were
stolen.
Summary:
Developers are frequently hampered by security policies that are meant to secure the product they are working on. Apparently Microsoft engineers installed a special policy for the purpose of allowing them to boot development versions of the operating system. That policy might as well be called the "boot anything" policy. It passes all the security checks built into Secure Boot, but it will boot any operating system image provided by the user. While Microsoft's intention has been to prevent users from booting alternative OS's, this "Boot Anything" policy has been digitally signed by Microsoft, and there is probably no effective way to revoke it.
This adds some fuel to the fire over the FBI's constant lobbying for guaranteed law enforcement access to any digital device. Critics of the idea point out that it is difficult to assure that a backdoor won't be misused. This seems to be a case in point. [Ed. Does anyone remember DEBUG mode in sendmail in the late 1980's?]
Summary:
In 1985 Robert T. Morris noted that TCP connections could be hijacked
simply by guessing the sequence numbers in a current connection. Nearly
30 years later, a minor change to the Linux kernel managed to bypass
all mitigations and widen the attack surface. The recognition of the
problem is due to researchers at UC Riverside.
Summary:
An iPhone vulnerability that allowed total compromise through a
crafted text message led Apple to fix three zero-day vulnerabilities.
The software was produced by an Israeli company, the NSO Group. The
software was used in this case to target a political activist.
Summary:
The NSO Group supplies software that hacks into smart phones and lets
governments spy on the phone's owner. Zamir Dahbash, an NSO Group
spokesman, said that the sale of its spyware was restricted to
authorized governments and that it was used solely for criminal and
terrorist investigations. However, there are documented instances
of use against non-criminal activists.
Summary:
Although we all recognize the risk of email attachments, the fact is that
sometimes we have to open them. One political activist took a suspicious
attachment to a security lab, where they found that the PowerPoint contained
malware that could turn an Android phone into a portal for cyberespionage.
The phone's microphone and camera could have been remotely controlled, and
many messaging functions, even those using encryption, could have been
relayed to remote users.
Researchers say that governments also have used Twitter to target activists.
Summary:
Speaking at a symposium sponsored by the Symantec Corporation in
Washington, James Comey, FBI Director, presented his case for a
"legislative fix" to the problems facing law enforcement when they want
to get information from digital devices that have encryption
protection. He said what he wants to do "is collect information this
year so that next year we can have an adult conversation."
Summary:
Speaking to the American Bar Association in San Francisco, FBI Director James Comey said that in the past 10 months the agency was frustrated in its attempts to access data on more than 10% of the electronic devices it seized for investigations. He expects to start a discussion after the start of the next White House administration about how to mitigate the problems his agency faces.
Summary:
When the FBI said that it had unlocked an iPhone connected to the
San Bernardino terrorists, the agency implied that it had paid a million
dollars for the break. The vendor, the exact amount, and the method
remain a mystery to the public. Under the US Freedom of Information Act,
the Associated Press and other news organizations have asked for release
of the details.