News Bits

NewsBits, IEEE Cipher E135, E135.Nov-2016

Really secure messaging meets the US govmt
  • This app promises privacy through encrypted messaging, but a U.S. subpoena puts it to test
    Associated Press
    LA Times
    Oct 4, 2016

    Open Whisper Systems produces a messaging app that uses end-to-end encryption. All the keys and usage information are contained in the user devices --- the company collects no information from them. The secrecy of the communication has been put to the test by a subpoena from the US government demanding information about one of its users. The ACLU is representing the small company in the matter. The company does not have the information that the government wants because the app is designed with user privacy in mind.

    Related stories:
  • Moxie Marlinspike: The Coder Who Encrypted Your Texts
    By Danny Yadron
    July 9, 2015

    If you missed out on the genesis of the Whisper app and its creator Moxie Marlingspike, this is a good synopsis of the story of a peculiar coder. The story is behind a paywall, but if you are a subscriber, it's worth perusing.

  • How Hillary Clinton Helped Build WhatsApp's State-of-the-Art Encryption
    Foreign Policy
    By Elias Groll
    April 6, 2016

    It was a different world back in 2010 when Secretary of State Hillary Clinton started an initiative to use the Internet to help foster political change in countries with severe political censorship. After some twists and turns in funding authorities, an agency called Radio Free Asia created the Open Technology Fund. From that fund, Moxie Marlinspike got $2.3 million dollars to develop an end-to-end encrypted messaging app, the same technology that now underlies WhatsApp, a company that was acquired by Facebook for $22 billion dollars in 2014.

    We Don't Need No Stinkin' Jurisdiction
  • A rule change to make it easier to catch pedophiles will lead to government mass hacking, critics say
    The Washington Post
    Sep 30, 2016
    by Ellen Nakashima and Rachel Weiner

    An amendment to Rule 41 of the Federal Rules of Criminal Procedure is set to go into effect in December, and it will dramatically change how the government obtains warrants that allow it to hack computers in the course of criminal investigations. The warrants will not be bound to a particular jurisdiction if the government cannot identify the location of the computers. Instead, any judge will be able to issue a warrant that will apply regardless of jurisdiction. The government argues that it cannot investigate computer crimes without this tool, critics say it may violate the Fourth Amendment.

    Cyber Spy or Hoarder?
  • N.S.A. Contractor Arrested in Possible New Theft of Secrets
    The New York Times
    by By Jo Becker, Adam Goldman, Michael S. Schmidt and Matt Apuzzo
    Oct 5, 2016

    A former NSA contractor was charged with stealing classified information from the agency over a period of years, but the purpose of the the theft remains unclear. The many terabytes of information taken by Harold T. Martin might contain the NSA's "hacking tools" which were mysteriously revealed this year.

    NSA's Hacking Tools Taken by Hoarding Contractor?
  • Trove of Stolen Data Is Said to Include Top-Secret U.S. Hacking Tools
    The New York Times
    By Scott Shane, Matt Apuzzo and Jo Becker
    Oct. 19, 2016

    The former NSA contractor accused of copying a massive amount of classified data apparently had the hacker tools produced by NSA and released onto the Internet by an anonymous group in August. His motive in taking the information remains unknown, as does his possible sharing of the information with the anonymous group.

    Yahoo Surveillance: All of the Emails All of the Time
  • Yahoo scanned all of its users' incoming emails on behalf of U.S. intelligence officials
    The Washington Post
    by Andrea Peterson
    Oct 5, 2016

    Yahoo complied with a US government subpoena by scanning all email in real time and reporting the results to the government. A staff attorney for the ACLU called the demand "unprecedented and unconstitutional." According to insiders, Yahoo's CEO did not consult the security staff when ordering the reconfiguration of the company's email servers. The solution that was implemented may have made all of Yahoo's email vulnerable to hackers.

    From Spam Filters to Terrorist Detectors
  • Yahoo Said to Have Aided U.S. Email Surveillance by Adapting Spam Filter
    The New York Times
    By Charlie Savage and Nicole Perlroth
    Oct 5, 2016

    The US government demanded that Yahoo search all email for a digital pattern that it associated with foreign terrorist organizations, and the company complied by adapting a filter that it had developed for detecting child pornography. The subpoena was issued by the secret Foreign Intelligence Court. Yahoo cannot disclose any information about the matter, but Apple commented that it received nearly 600 "gag orders" related to government data collection in the first several months of 2016.

    No Room for Security in Computer Science
  • Most Top Computer Science Programs Skip Cybersecurity
    IEEE - The Institute
    by Monica Rozenfeld
    Oct 11, 2016

    Two Boston area experts, Roy Wattanasin and Ming Chow, are trying to raise awareness of the fragmented state of cybersecurity education in computer science curricula. No school in the Boston area seems to offer a course that focuses primarily on cybersecurity, and there is no agreement on the skill set that should be taught. They gave a presentation about their survey findings at the Hackers on Planet Earth (HOPE) conference in July of this eyar.

    Turning Number Theory to the Evil Side
  • How the NSA Could Put Undetectable Trapdoors in Millions of Crypto Keys
    Ars Technicha
    by Dan Goodin
    October 11, 2016

    Researchers have called into question the security of the prime numbers underlying some commonly used implementations of the Diffie-Hellman protocol. The numbers are secure if the associated discrete logarithm problem is hard to solve, but not all prime numbers lead to hard problems. If a nefarious party (or NSA) chooses a prime for which he has secret information that makes discrete logarithms relatively easy, then the resulting communication protocol will be easy for him to decipher. This distressing fact has no silver lining because there is no simple way to determine if a given prime is easy. The details of the number field sieve algorithm provide the mathematical underpinning to the weakness.

    Metadata: the Apple to Law Enforcement Pipeline
  • Report: Apple Shares Unencrypted iMessage Metadata With Cops
    CRM Buyer, E-Commerce Times, ECT News Network
    By David Jones
    Oct 5, 2016

    Although Apple has asserted that it does not collect or share data about its users private information, that protection does not cover the "metadata" of iMessage conversations. Documents obtained from the Florida Department of Law Enforcement's Electronic Surveillance Support Team show that information about contacts, IP addresses, and the dates and times of conversations are share with law enforcement.

    Who Leaked Stuxnet?
  • Former Joint Chiefs of Staff vice chairman to plea to false statements in classified leak, court files show
    The Washington Post
    By Spencer S. Hsu and Ellen Nakashima
    Oct 17, 2016

    The New York Times broke a story in 2012 about secret malware that delayed Iran's nuclear development program. The apparent source of that story, retired four-star Marine Corps general James E. “Hoss” Cartwright, pleaded guilt to lying to FBI in an investigation into a leak of classified information. Cartwright denies being the source of the New York Times story, but acknowledges that he mislead the FBI about his conversations with reporters. The story was about the the Stuxnet virus, and its exact origin remains a mystery.

    Your Webcam Unleashed: the Massive Internet Attack
  • Why Twitter, Spotify and other major online services are down
    The Washington Post
    By Andrea Peterson
    Oct 21, 2016

    A denial-of-service attack brought parts of the Internet to its knees for a day, and the source of the traffic was a surprise. Someone had harnassed perhaps millions of "Internet ready" devices such as webcams and thermostats for the purpose of inundating a major DNS provider, Dyn, with useless traffic that prevented it from dealing with real requests. Because many "Internet of Things" devices are shipped with little or no security, they are easy targets for hackers.

    The Little Logic Flaw That Undermined Linux Security
  • Dirty COW explained: Get a moooo-ve on and patch Linux root hole
    By Shaun Nichols
    Oct 24, 2016

    Eleven years ago Linus Torvalds noticed an obscure kernel bug in the Linux operating system. Being the "kernel boss" and the figure credited with the creation of Linux in the first place, he was the natural person to both notice the bug and to fix it. Because it was had to trigger the bug, he felt it was a low priority problem. But Linux has changed a lot in the last decade, and with one thing and another, the bug became easier to trigger, and the consequences could be a complete compromise of security. The "copy-on-write" feature of the kernel had a timing problem that would allow a user to overwrite privileged executables. A patch was issued quickly, but there are Linux systems in so many devices that it is unrealistic to think that they will all be upgraded immediately.

    Cyberwarfare, It's Here, It's There, It's Everywhere
  • Under the Din of the Presidential Race Lies a Once and Future Threat: Cyberwarfare
    The New York Times
    by David E. Sanger
    Nov. 6, 2016

    There were surprises in the US elections this year, one of them being that international cyberhacking figured heavily in the speculations about leaks and social media influence. David Rothkopf, the chief executive and editor of Foreign Policy, who has written two histories of the National Security Council, comments that "Most of the biggest stories of this election cycle have had a cybercomponent to them — or the use of information warfare techniques that the Russians, in particular, honed over decades." The specter of information theft and information manipulation will hang over us for a long time to come.

    Free translation service? Some Android phones send all text messages to China
  • Secret Backdoor in Some U.S. Phones Sent Data to China, Analysts Say
    The New York Times
    By Matt Apuzzo and Michael S. Schmidt
    Nov. 15, 2016

    A Chinese company wrote software that was installed on many Android phones, and that software deliberately sent copies of text messages to a server in China. The security firm Kryptowire discovered the communication inadvertantly when company executive noticed that a phone he had recently bought seemed to have unexplained network activity. The "feature" was not disclosed to users. The Chinese company, Adups, said it was all a configuration control problem. The software was not supposed to be installed on American phones. It was intended to help a Chinese customer provide better customer support.

    Odd DNS Footprints and Speculation about the Trump Organization
  • Was a server registered to the Trump Organization communicating with Russia's Alfa Bank?
    By Frank Foer
    Nov 15, 2016

    Some DNS experts thought to help out with the security of the US election by looking for patterns of suspicious activity associated with accessing Internet sites associated with the parties, the candidates, and other information sites. They found some puzzling patterns for a server associated with Trump enterprises. That server seemed to be communicating with Alfa Bank, an entity located in Russia that operates in the West. Because the DNS information does not in itself prove that the two companies communicated, there is no accusation of collaboration. Nonetheless, in the view of some experts, the pattern is consistent with an uncommon sort of communication channel.