Photo Credit: Brandon Morgan

Top Security and Privacy News: Scrambled Bits Vol. 37

Kaspersky Run Out of Town, FBI Wins FOIA, Major Mexican Breach, and More.

Madison, published in The Salty Hash, Oct 6, 2017

This is the Scrambled Bits weekly newsletter, a quick summary of the week’s most interesting news at the intersection of security, privacy, encryption, technology, and law.

Top Stories

Equifoolish: What Not To Do

Equifax exposed personal data belonging to nearly every US adult with a credit card. The entire social security number system now has to be reconsidered, as do the regulations surrounding data broker companies like Equifax. This case is different from many breach cases; here, the data that was stolen wasn’t customer data. Equifax’s customers are companies. Instead, the victims of this breach are actually Equifax’s product.

The direct cause of the breach was Equifax’s failure to patch a web application with a publicly disclosed vulnerability for which a fix was already available. Secondary to that was its failure to encrypt the stored data, which let a single application compromise turn into a wholesale loss of the database.

Equifax’s response since learning of the compromise might be more important than the breach itself. The company seems intent on writing the book on what not to do in a data breach situation, and in the aftermath of the breach, it likely broke some laws.

FBI Running Kaspersky Out of Town

In a Binding Operational Directive published by the Department of Homeland Security, the US government banned Kaspersky products from Federal government computers. The effort to ban Kaspersky products was initiated months ago. There is no public evidence that Kaspersky shared data with the Russian Government, but Russia could theoretically compel Kaspersky to do so.

Agencies must remove Kaspersky products from all Federal government machines within 90 days.

The FBI is pressuring the private sector to drop Kaspersky as well. Best Buy is one of the first big box stores to comply. Keep an eye out for more US private companies to follow suit.

DNSSEC Root Key Update Delayed

DNS overseer ICANN has been working since May 2016 to replace the key signing key (KSK) for the DNS root zone. The change matters to anyone behind a DNSSEC-validating resolver: DNSSEC lets a resolver verify that DNS answers are signed by the zone’s keys, and the root KSK is the trust anchor at the top of that chain. A validating resolver that has not installed the new KSK, either automatically through the RFC 5011 trust-anchor update mechanism or by hand, will treat every signed answer as invalid once the old key is retired, and will return errors to all of its clients.

Because roughly a quarter of Internet users (about 750 million people) sit behind validating resolvers, a rollover that a meaningful share of resolvers are not ready for would be a huge outage. Given the magnitude of the potential impact, ICANN postponed the rollover that had been scheduled for 11 October.
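As an added example (not code from the newsletter or from ICANN), the following Python checks whether a resolver’s trust-anchor set is ready for the rollover: it computes the RFC 4034 key tag of each DNSKEY record and looks for the incoming KSK. The real root KSK tags (19036 for the 2010 key, 20326 for the 2017 key) are included as constants; the DNSKEY records in the two sample sets are constructed with tiny fake public keys so the script runs offline, and the function and record names are the example’s own.

```python
"""Check a resolver's DNSKEY trust anchors for the root KSK rollover.

Added example, not from the newsletter or from ICANN. Computes RFC 4034
key tags for DNSKEY records and reports whether the outgoing and the
incoming root KSK are present in a trust-anchor set.
"""
import base64

# Real key tags of the two root KSKs involved in the 2017 rollover.
KSK_2010_TAG = 19036
KSK_2017_TAG = 20326

SEP_FLAG = 0x0001  # Secure Entry Point bit in the DNSKEY flags: set on KSKs


def parse_dnskey(presentation: str) -> bytes:
    """Convert a DNSKEY record in presentation format to wire-format RDATA.

    Accepts a full record ('. IN DNSKEY 257 3 8 <base64>') or just the
    RDATA fields ('257 3 8 <base64>'). The base64 key may be split into
    several whitespace-separated chunks, as in dig output.
    """
    fields = presentation.split()
    if "DNSKEY" in fields:
        fields = fields[fields.index("DNSKEY") + 1:]
    flags, protocol, algorithm = (int(f) for f in fields[:3])
    public_key = base64.b64decode("".join(fields[3:]))
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + public_key


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag over the wire-format RDATA.

    Even-offset bytes are added shifted left by 8, odd-offset bytes as-is,
    then the carry above 16 bits is folded back in once.
    """
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def is_ksk(rdata: bytes) -> bool:
    """True if the SEP flag is set, i.e. the record is a key signing key."""
    flags = int.from_bytes(rdata[:2], "big")
    return bool(flags & SEP_FLAG)


def trust_anchor_tags(records) -> set:
    """Key tags of the KSK records in a trust-anchor set (ZSKs are ignored)."""
    return {key_tag(r) for r in map(parse_dnskey, records) if is_ksk(r)}


def rollover_status(records, old_tag=KSK_2010_TAG, new_tag=KSK_2017_TAG) -> dict:
    """Report which of the two KSKs a trust-anchor set contains.

    A resolver is ready when the new KSK is present; it keeps validating
    after the old key is retired. A set with only the old key is stale
    and will fail validation at the rollover.
    """
    tags = trust_anchor_tags(records)
    return {
        "tags": tags,
        "has_old": old_tag in tags,
        "has_new": new_tag in tags,
        "ready": new_tag in tags,
        "stale": old_tag in tags and new_tag not in tags,
    }


# Constructed sample trust-anchor sets with fake 2- to 4-byte public keys.
# Their key tags are 2063 (KSK), 1032 (ZSK) and 2319 (KSK); the ZSK is
# listed only to show that it is ignored.
CONSTRUCTED_OLD_ONLY = [
    ". IN DNSKEY 257 3 8 AQIDBA==",
    ". IN DNSKEY 256 3 8 //8=",
]
CONSTRUCTED_BOTH = CONSTRUCTED_OLD_ONLY + [". IN DNSKEY 257 3 8 BQY="]

if __name__ == "__main__":
    for name, records in (("old only", CONSTRUCTED_OLD_ONLY), ("both", CONSTRUCTED_BOTH)):
        print(name, rollover_status(records, old_tag=2063, new_tag=2319))
```

To run it against a real resolver, paste the records from its trust-anchor file (Unbound’s root.key, BIND’s bind.keys, or the DNSKEY RRset from `dig . DNSKEY`) into the list and keep the default tags; a set that lacks tag 20326 will fail validation once KSK-2017 is the only key signing the root zone.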

Privacy

Walmart’s Creepy New Delivery Service

Walmart is piloting a service where customers with August smart locks can have their groceries delivered and put away in their refrigerator while they’re away. Delivery personnel are given a one-time access code to unlock the front door, which in turn provides them total access to the customer’s home. To us, giving strangers complete, unsupervised access to people’s most private spaces is an unbelievably terrible idea.

Warrantless Searches at the Border Challenged

The ACLU and the EFF are joining forces on behalf of 11 travelers to combat warrantless searches of electronic devices at the US border. The number of these device searches has grown from just 8,503 last year to over 15,000 this year.

The plaintiffs have striking stories of misuse of authority, including physical abuse for refusal to turn over devices. One traveler said:

“This was my life, and a border officer held it in the palm of his hand. I joined this lawsuit because I strongly believe the government shouldn’t have the unfettered power to invade your privacy.”

In another case, border officers physically restrained a US citizen, choking him and holding his legs. They took his phone from his pocket and kept it for over an hour.

FBI Wins FOIA Fight

Rewind to the San Bernardino shootings of December 2015. Early the following year, the Justice Department went to court to compel Apple to help decrypt the data on one of the shooter’s iPhones. Apple responded that it could not break the encryption, even on its own device. The FBI subsequently paid an outside vendor for a method of unlocking the phone.

Media companies including Vice News, USA Today, and the Associated Press filed a Freedom of Information lawsuit to uncover the identity of the vendor and the price of the hack. A judge sided with the FBI in refusing the request, saying that releasing the information would put a target on the back of the vendor who created the hacking tool.

Government

NSA Says, “Trust Us;” Crypto World Says, “Hell No”

The NSA is pushing a new encryption standard based on its Simon and Speck block ciphers. Unfortunately, the agency has not offered a compelling argument for why these new standards are needed. Because of the Snowden revelations and the NSA’s history of pushing weak crypto that it can crack, crypto experts and nations such as Germany, Japan, and Israel are pushing back on the proposed standard. At this point it seems unlikely to be adopted.

Bill Waives Accountability for Businesses

A bill making its way through the Senate would kill a rule that gives consumers the right to file class action suits against big businesses. The bill, if passed, would be “equivalent to handing out a get-out-of-jail-free card to Wells Fargo and to Equifax” and would allow arbitration clauses to head off class action suits.

Turkish Crackdown Violates European Human Rights Law

In the aftermath of last year’s failed coup, the Turkish government cracked down. It arrested citizens just for downloading a popular encrypted messaging app. Lawyers, civil servants, judges, army officers, journalists, and authors are among the 75,000 people arrested.

Lawyers in London contend that this violates the European Convention on Human Rights. As a member of the Council of Europe, Turkey is obliged to adhere to the convention.

China Bans Initial Coin Offerings

Initial Coin Offerings (ICOs) have taken off in China, but they are no longer welcome. Most countries are waiting for ICOs to mature before regulating them, but China’s central bank is bypassing the regulation step and jumping straight to a ban on the practice.

Notable Vulnerabilities and Breaches

  • Mexican Tax Refund Info Up For Grabs — It was recently discovered that a CouchDB database belonging to MoneyBack, a Mexican tax-refund service, had been left publicly accessible with no authentication. It held half a million customers’ passport details, credit card numbers, ticket information and more: 400GB of sensitive data, including 455,038 scanned documents containing 88,623 unique passport numbers.
  • HP Software Update Will Reject 3rd-Party Ink — The software update is presented to users as a “security update” to entice users to install it, but in fact, it has little to do with security and will cost users who install the update money.
  • Browser Ads Mine Cryptocurrency — Crooks are using ad campaigns to mine cryptocurrency, using JavaScript code executed inside the browser. Victims unknowingly give their CPU power to the crooks just by visiting a site with the malicious ads. The attack is gaining traction on Russian and Ukrainian gaming and video streaming sites.
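The MoneyBack exposure above is the usual CouchDB failure mode: the HTTP API bound to every interface, no administrator defined (CouchDB’s “admin party”, in which every client is an admin), and anonymous requests allowed. As an added example (not code from the newsletter or from the MoneyBack investigation), the following Python audits a CouchDB local.ini for those three settings. The weak and hardened configuration snippets are constructed; the function name is the example’s own, and the section and option names are those of CouchDB 2.x (with the 1.x equivalents checked as a fallback).

```python
"""Audit a CouchDB local.ini for settings that expose a database.

Added example, not from the newsletter or from MoneyBack. The two
configuration snippets are constructed to show the weak and the
hardened form of the same file.
"""
import configparser

# Constructed: the shape of a CouchDB 2.x local.ini that is reachable from
# the Internet with no credentials required.
WEAK_LOCAL_INI = """\
[chttpd]
bind_address = 0.0.0.0
port = 5984

[couchdb]
database_dir = /var/lib/couchdb
"""

# Constructed: the same file hardened. CouchDB hashes a plaintext password
# under [admins] on its next start; the value here is a placeholder.
HARDENED_LOCAL_INI = """\
[chttpd]
bind_address = 127.0.0.1
port = 5984
require_valid_user = true

[admins]
admin = change-me-before-first-start

[couchdb]
database_dir = /var/lib/couchdb
"""

LOOPBACK = ("127.0.0.1", "::1", "localhost")


def audit_couchdb_config(ini_text: str) -> list:
    """Return a list of findings (empty when the config looks safe).

    Checks, in order: the API listens on a non-loopback address, no
    administrator is defined (admin party), and unauthenticated requests
    are still accepted.
    """
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(ini_text)
    findings = []

    # CouchDB 2.x serves the API from [chttpd]; 1.x used [httpd].
    bind = cfg.get("chttpd", "bind_address",
                   fallback=cfg.get("httpd", "bind_address", fallback="127.0.0.1"))
    if bind not in LOOPBACK:
        findings.append(
            f"API bound to {bind}: reachable from other hosts; bind to 127.0.0.1 "
            "or put an authenticating proxy or firewall in front of it")

    if not cfg.has_section("admins") or not cfg.options("admins"):
        findings.append(
            "no [admins] entries: 'admin party' mode, every client is an administrator")

    rvu = cfg.get("chttpd", "require_valid_user",
                  fallback=cfg.get("couch_httpd_auth", "require_valid_user", fallback="false"))
    if rvu.strip().lower() != "true":
        findings.append(
            "require_valid_user is off: anonymous requests are accepted, and "
            "databases without a _security document are readable by anyone")

    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_LOCAL_INI), ("hardened", HARDENED_LOCAL_INI)):
        print(name, audit_couchdb_config(text) or "no findings")
```

Run it against the real file (typically /opt/couchdb/etc/local.ini) on any host that serves CouchDB; a non-empty result means the database is in the same state the MoneyBack instance was found in. Binding to loopback is the important one: even with admins and require_valid_user set, a database that must be reachable from elsewhere should sit behind TLS and a firewall rather than on port 5984 on a public address.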

Bottom of the News

If you liked this, please click the 👏 below. If you’re reading this in an email, please go to the article on the web first. Liking the article will help other people see it on Medium. You might also be interested in last week’s summary compliments of IronCore Labs.

Subscribe to our email digest to avoid missing another update.
