Top Security and Privacy News: Scrambled Bits Vol. 31
FCC Awoke the Giants, Chinese Caught in the Act, Turnbull Demands the Impossible, and More.
This is the Scrambled Bits weekly newsletter, a quick summary of the week’s most interesting news at the intersection of security, privacy, encryption, technology, and law.
Top Stories
Web Giants Take Action in the Name of Net Neutrality
Net Neutrality is under siege. On Wednesday some of the biggest names on the web, including Facebook, Google, Reddit, Twitter, Spotify, and even IronCore Labs banded together for a day of action. Many blocked their websites with a message conveying the far-reaching effects the repeal of net neutrality will have on web users. Here’s what you need to know:
- Net neutrality guards fairness on the internet by prohibiting ISPs from manipulating a user’s experience on a website based on their business interests and partnerships.
- The discussion focuses predominantly on internet speed, but net neutrality protects other factors as well, such as content manipulation, which can have a censoring effect on internet content.
- Two years after its implementation, net neutrality is now on the chopping block. Why now? The FCC’s leadership recently shifted to a group that is much more aligned with the interests of the large ISPs and telecommunications companies.
- What now? The FCC is currently accepting public comments on its neutrality repeal proposal, which is open through mid-August, and will come to a decision on the issue later this year.
Stay tuned; we will keep you posted.
Officials Push Back on Joint US-Russia Security Unit
Is Russia to be trusted? President Trump discussed the creation of a cyber security unit with the Russian President. Other officials expressed extreme skepticism, particularly in the wake of a Washington Post report stating that recent hacks into US nuclear power plants were carried out by hackers employed by the Russian government.
Trump has since backtracked on the proposal, saying that he doesn’t necessarily “think it can happen.”
Turnbull Passes Encryption Problem to Tech Companies
The onus to allow spying on their users is now on technology companies, Prime Minister Malcolm Turnbull of Australia says. He has put out a call for companies that provide or might provide end-to-end encryption to voluntarily weaken their security. He has now promised that by the end of the year, there will be legislation that requires backdoors.
Turnbull took his poor knowledge of cryptography to new levels when he said, “The laws of mathematics are very commendable, but the only law that applies in Australia is the law of Australia.” Beware of the slippery slope. Who knows, next, the laws of gravity, inertia, and conservation of energy may also be outlawed.
Government
China is Adding Bricks to the Great Firewall by Blocking VPNs
China set out to strengthen their Great Firewall; this time, their weapon of choice is to shut down access to virtual private networks (VPNs). VPNs skirt censorship restrictions by routing web traffic through an encrypted tunnel that’s hard to monitor and censor.
Unfortunately, VPNs are standard practice for businesses and a basic security measure. But effective February 1st, 2018, the ban on VPNs will apply to businesses and individuals alike. Businesses will still be able to use leased lines to bypass the Great Firewall but must register their usage with the Chinese government.
Breach Denied — Will it Prompt Changes to Indian Law?
The count of customers who had their data leaked by telecom company Reliance Jio is up to 100 million. They denied the breach six ways to Sunday (and straight through into Monday, too).
While still denying the breach publicly, Reliance Jio filed a complaint regarding illegal access to its systems. Although the company’s actions are deceitful and unethical, they have not done anything illegal. In fact, India has no laws that require a company to disclose breaches.
This situation could spark reform of India’s breach disclosure laws.
Hackers Get Licensed
Singapore is currently ranked number one on the Global Cybersecurity Index, and the country is maintaining its edge. It is the first country to require that ethical hackers who conduct penetration tests or do forensic analysis get licensed by the recently created National Cybersecurity Agency. The penalty for hacking without a license is two years in jail and up to $50,000.
Elsewhere, ethical hackers can optionally get certified with courses like the “Certified Ethical Hacker” course by the International Council of Electronic Commerce Consultants. But this certification is voluntary and used for resumes, not as a license to practice.
Technology and Innovation
Keep Your Keys — Apple is Taking the Advice
In response to restrictive Chinese laws requiring that Chinese data be stored on Chinese soil, Apple is now working with a third-party service provider who will run its data center in Guizhou and handle government requests for data.
Apple said, however, that it would retain the encryption keys for the data stored at its center and that Guizhou-Cloud Big Data would not have access, meaning it would not be able to see what photos or documents were stored in iCloud without Apple’s permission.
Certificate Transparency Catches StartCom in the Act
The certificate transparency initiative created by Google has led to major consequences for WoSign and its subsidiary StartCom, who were caught cheating on certificate dates and issuing fraudulent GitHub certificates last year.
Mozilla and Google teamed up to bring consequences to the Chinese company, but suddenly invalidating a certificate authority is a difficult step that could break legitimate websites. Instead, the companies have slowly stripped trust away until finally, in the coming months, all WoSign certificates will be untrusted and cause warnings to appear in Chrome and Firefox.
Certificate transparency has really shown its value.
Notable Vulnerabilities and Breaches
- Misconfiguration Strikes Again — This Time Verizon is to Blame — Once again, misconfiguration is responsible for a huge data breach. A third-party vendor uploaded sensitive information to a cloud storage area and incorrectly set the storage preferences. The mistake led to the exposure of over 14 million Verizon customer records.
- Hackers Plunder Trump Hotels — Trump Hotels is the latest corporation to report a breach stemming from its reliance on Sabre, a widely used reservation management service that was itself breached. This instance was more than revealing, exposing payment information and, in some cases, Social Security, passport, and driver’s license numbers.
- Don’t Trust that USB! — Blue Cross/Blue Shield sent out USB cards accompanied by instructions to insert said cards into computers. But USB is a common way to infect computers with viruses, which sets us up for a new wave of attacks with mailed USB keys claiming to be from a big company.
- BUPA Breach: Internal attacks happen, too — This week, health insurance data from about 108,000 insurance policies covering over 547,000 people was stolen. The cause? An insider physically copied policy information.
Bottom of the News
- Attacks Don’t Deter — Thousands are Still Vulnerable to Eternal Blue — Some 60,000 hosts are still vulnerable to the NSA exploit known as Eternal Blue, which has repeatedly been abused by viruses like WannaCry in recent weeks. After scanning over 8 million IP addresses, researchers found that one out of nine hosts is still vulnerable to these attacks. All Windows users should update immediately and disable file sharing via SMB.
- 100 Bitcoin to Decrypt Files. Can You Trust It? — The apparent creator of NotPetya is offering decryption of individual files for 100 bitcoin. But don’t send off the approximately US$24,000 just yet. There’s no way to ensure that the author will uphold her end of the bargain and the money would likely just line the criminal’s pockets.
- Madison Finally Settles — Remember the website targeted toward adulterers — Ashley Madison? The website leaked personal data of their users back in 2015. Two years later, the owner settled outstanding lawsuits for $11.2 million.
- Lottery Winner or Hacker? — One of the biggest lottery scammers in history pleaded guilty at the end of last month. Eddie Tipton was formerly the information security director for a lottery systems company when he loaded custom malware onto a secure server. He was one of only five people who had access.
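As an added example (not part of the newsletter), here is a PowerShell script that performs the check a Windows administrator would want after reading the Eternal Blue item above: it reports whether the SMBv1 server protocol is still enabled on the local host, whether the SMBv1 component is installed at all, and how stale the last installed update is, and then optionally disables SMBv1 while leaving SMBv2/SMBv3 file sharing working. The cmdlets and the `SMB1Protocol` feature name are standard Windows ones; the `-Remediate` switch is this script’s own name, not a Windows parameter. Run it from an elevated PowerShell session.

```powershell
# Added example, not from the newsletter: audit and remediate SMBv1 on a Windows host.
# Eternal Blue targets the SMBv1 server; turning SMBv1 off removes that attack surface
# without breaking SMBv2/SMBv3 file sharing. Requires an elevated session.
param(
    [switch]$Remediate   # the switch name is this script's own choice (assumption)
)

# 1. Is the SMB server currently accepting SMBv1 connections?
$smbConfig = Get-SmbServerConfiguration
Write-Host "SMBv1 server protocol enabled : $($smbConfig.EnableSMB1Protocol)"

# 2. Is the SMBv1 optional feature (client and server) installed at all?
$feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
Write-Host "SMB1Protocol feature state     : $($feature.State)"

# 3. How stale is patching? Report the most recently installed update.
$lastFix = Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 1
Write-Host "Most recent update             : $($lastFix.HotFixID) on $($lastFix.InstalledOn)"

if (-not $Remediate) {
    Write-Host "Audit only. Re-run with -Remediate to disable SMBv1."
    return
}

# Disable SMBv1 on the server side immediately (no reboot required)...
if ($smbConfig.EnableSMB1Protocol) {
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    Write-Host "SMBv1 server protocol disabled."
}

# ...and remove the SMBv1 component entirely (takes effect after the next reboot).
if ($feature.State -eq 'Enabled') {
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart
    Write-Host "SMB1Protocol feature removed; reboot to complete."
}
```

Running the script without arguments is safe and read-only; the `-Remediate` step is the one that changes the host. Disabling SMBv1 is a mitigation, not a substitute for installing the vendor patch, which is why the audit also prints the date of the last installed update.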
You might also be interested in last week’s summary, compliments of IronCore Labs.