Photo credit: Andy Kerr

Top Security and Privacy News: Scrambled Bits Vol. 28

Cyber-war Testing Grounds, EMF Hacks, FBI Inaction, Surveillance of Activists, and More.

Madison, published in The Salty Hash, Jun 26, 2017 (6 min read)

This is the Scrambled Bits weekly newsletter, a quick summary of the week’s most interesting news at the intersection of security, privacy, encryption, technology, and law.

Top Stories

2 of 3 Voting Americans’ Data Leaked

A GOP voting analytics company accidentally exposed 198 million Americans’ data, including birthdates, home addresses, party affiliations, and other collected data. They also exposed the GOP’s assumptions about likely voting patterns based on analysis of social media and other sources.

The exposure was the result of carelessness in uploading the data to Amazon’s S3: instead of being kept private, the data was made publicly accessible.
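The check a bucket owner would want before uploading anything like this is whether the bucket policy or ACL grants access to the world. The following is an added example (not code from the newsletter or from the company involved) that flags wildcard-principal policy statements and public ACL grants; the bucket name, policy and ACL are constructed sample data, and the inputs mirror what the S3 GetBucketPolicy and GetBucketAcl APIs return.

```python
# Canned S3 ACL group URIs that mean "anyone" / "any AWS account holder".
PUBLIC_ACL_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])

def _principal_is_wildcard(principal):
    """True for Principal "*" or {"AWS": "*"} (AWS may also be a list)."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))

def public_access_findings(bucket_policy, acl_grants):
    """Flag policy statements and ACL grants that open a bucket to the world.
    bucket_policy: parsed policy document (dict) or None.
    acl_grants: the "Grants" list as returned by the S3 GetBucketAcl API.
    """
    findings = []
    for stmt in (bucket_policy or {}).get("Statement", []):
        if stmt.get("Effect") != "Allow" or not _principal_is_wildcard(stmt.get("Principal")):
            continue
        # A Condition may narrow "*" (e.g. to a source VPC); still worth a look.
        severity = "MEDIUM" if stmt.get("Condition") else "HIGH"
        findings.append(f"{severity}: policy allows {', '.join(_as_list(stmt.get('Action')))} for everyone")
    for grant in acl_grants:
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_ACL_GROUPS:
            who = grantee["URI"].rsplit("/", 1)[-1]
            findings.append(f"HIGH: ACL grants {grant.get('Permission')} to {who}")
    return findings

# Constructed sample input; not the leaked bucket's real configuration.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
                   "Resource": "arn:aws:s3:::example-voter-data/*"}],
}
SAMPLE_ACL = [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"},
]

if __name__ == "__main__":
    for finding in public_access_findings(SAMPLE_POLICY, SAMPLE_ACL):
        print(finding)
```

Either finding alone is enough to make every object readable without credentials; the empty list is the only acceptable result for a bucket holding personal data.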

EU’s New Counter-Cyber Toolbox

28 EU nations announced that they will work together to combat cyber warfare through the construction of a “cyber diplomacy toolbox.” The toolbox includes economic sanctions, trade bans, asset freezes, and blanket bans against identified attackers. “The key principle here is proportionality,” said one EU official.

The agreement comes on the heels of Russian meddling in the U.S. and French elections and just ahead of elections in Germany. In theory, this could bring greater economic consequences for Russia if it continues to hack European elections.

Standing Surveillance

By February 22nd, activists at Standing Rock had mostly left the scene and moved on to other things. But that didn’t stop pipeline supporters from following them home.

A private surveillance company was contracted to monitor the protesters, which included physical infiltration, aerial surveillance, and electronic eavesdropping. And that surveillance of individual protesters continued after they left and went home.

Government

FBI: Internet Crime Report Shows Big Problems and Little Action

The FBI says that it received 298,728 complaints about Internet crimes in 2016, representing $1.33 billion in victim losses. According to the report, these numbers likely represent less than 15% of total Internet crimes.

For the first time in years, the FBI added a section about prosecutions to show how they’re responding to these reports. Unfortunately, they could only cite two prosecutions. The first was for real estate fraud and the second for wire fraud.

So why does the FBI lobby for crypto backdoors that weaken desperately needed security measures? We speculate that the FBI is driven by fear. The specter of a terror attack is more important than the online crime epidemic affecting millions of Americans almost daily.

[Figure: 2016 Top Internet Crime Types, via the FBI IC3 2016 Report]

European Parliament Endorses End-to-End Encryption

There’s hope in the world, after all. Draft legislation in Europe would ban backdoors in encrypted messaging apps and would encourage privacy and end-to-end encryption.

“The principle of confidentiality should apply to current and future means of communication, including calls, internet access, instant messaging applications, email, internet phone calls and personal messaging provided through social media,” the draft proposal says.

If passed, the proposal would amend the EU’s Charter of Fundamental Rights to add online privacy, but it must first overcome some hurdles and votes before a celebration is in order.

Ukraine is the Canary in the Cyberwar Coalmine

Wired did some fantastic reporting on the Russian cyber attacks against Ukraine. Unlike Russia’s attacks on other countries, which have been about the theft and strategic release of data (and fake news), the attacks on Ukraine are more direct and aggressive.

We’ve reported before about the attacks on Ukraine’s power grid that caused massive blackouts in the dead of winter, but it turns out that’s just the tip of the iceberg.

A hacker army has systematically undermined practically every sector of Ukraine: media, finance, transportation, military, politics, energy. Wave after wave of intrusions have deleted data, destroyed computers, and in some cases paralyzed organizations’ most basic functions.

The result is a barely functioning government and a blueprint for how cyber warfare will look in the future.

Privacy

Overreaching Overseas: Subpoenas Without Borders

Must a U.S. company comply with a subpoena for data on a non-U.S. citizen, if that data is stored overseas? If so, it would be nearly impossible for a U.S. company to do business in Germany and in other countries that assert ownership over their citizens’ data and require that data to stay within the country.

Microsoft won a court case on this point, but other cases have gone the other way, and as of Friday, the Microsoft case has been appealed to the Supreme Court.

The murkiness of the current rules is bad for business, and Google is pressing Congress for clarity — hopefully of the kind that doesn’t destroy U.S. software companies selling abroad.

(Fake) AMBER Alert: Abuse of Commercial Cyber Weapons

Don’t open that text — the one ostensibly from the Embassy of the United States or supposedly an AMBER alert. It’s more likely a directed attack that will lead to the compromise of your phone or computer.

The devices of dozens of Mexican journalists, lawyers, anti-corruption advocates, and one child were infected with commercially produced spyware called Pegasus. Each of the targeted people was engaged in fighting Government corruption.

The seller of the spyware, NSO Group, the same group that unlocked the San Bernardino iPhone, claims that its software is only used to fight crime and terror. That claim is obviously bogus. The Pegasus spyware gets sold to Governments like Mexico (and The United Arab Emirates) and uses zero-day exploits to infect targeted individuals. The spyware enables Governments (including corrupt people within them) to take screenshots, capture audio, read email, and exfiltrate data from the devices of their targets.

Google Will Stop Scanning The Contents Of Gmail Messages for Ads

Google has changed its policies for the consumer version of Gmail to align with its business version. Google will no longer use the content of users’ emails to generate relevant ads. Now they’ll just use the already massive amount of information they know about browsing and shopping habits instead.

Notable Vulnerabilities and Breaches

  • Microsoft Windows Source Code Leaked — Terabytes of proprietary source code have been stolen and leaked online. This could lead to everything from malicious pirated Windows builds to new exploits based on source code analysis.
  • Hand Waving Hack — Secure Boot protection has been defeated wirelessly (from 3mm away) using a well-timed electromagnetic pulse (EMP) to cause a glitch in the startup process and dump an attacker into debug mode.
  • OpenVPN Patches Four Critical Flaws — These flaws were missed in recent code audits but found by a security researcher using automated fuzzing software. All four vulnerabilities require a user to be successfully logged in first.
  • Inexpensive Wireless Side-channel Attack on AES — “Researchers at Fox‑IT have managed to wirelessly extract secret AES-256 encryption keys from a distance of one meter (3.3 feet) — using €200 (~US$224) worth of parts obtained from a standard electronics store — just by measuring electromagnetic radiation.”
  • Serious Flaw in Avaya Aurora — Avaya’s widely used VOIP and unified communications software has a serious flaw that should be patched immediately.

Bottom of the News

  • $ git add NSA — The NSA has released 32 open source projects on GitHub. With names like lemongrenade, the projects sound more exciting than they are. The organization has zero members, and the most popular language is Python.
  • No Drone Zone Blown — A Russian business helps drone owners hack their drones to remove no-fly zone restrictions. The controversial software pits principles of safety against property rights.
  • Gonna Keep Crying? — WannaCry, the ransomware that infected over 230,000 computers in over 150 countries, is still making people cry. In Australia, WannaCry infected 55 speed and red-light cameras, and in Japan, a Honda manufacturing plant screeched to a halt after the ransomware hit its network.
  • UK Government Now Serving Phish and Chips — In another case of cybersecurity gone haywire, the UK government’s free program for assessing business security readiness suffered a breach that coughed up user data. Those users are now at increased risk of phishing attacks.
