Archive for the ‘Technology’ Category
An example of complete incompetence in action, described at Motherboard by Lorenzo Franceschi-Bicchierai:
The US government’s human resources agency has suffered two large data breaches on its systems in large part because it failed to heed warnings from its own overseers, who had identified serious security issues for years. Now it seems the Office of Personnel Management (OPM), whose breach hit at least 4.2 million government workers, can’t even deal with the aftermath of the hack the right way.
“Every aspect of the OPM breach is a case-study in how not to prepare for and respond to an intrusion,” Robert Lee, a security researcher who believes he may have been a victim of the breach, told Motherboard.
On Monday, June 8, the agency started sending emails to the victims to notify them of the breach and to offer free identity theft and credit monitoring services. But instead of sending the emails from an OPM.gov address, OPM outsourced this service to CSID, a fraud detection company.
As a result, many victims got suspicious.
“There was just concern, of course, with phishing attempts and things like that,” OPM spokesperson Samuel Schumach told Motherboard. “People were uncomfortable clicking on an enroll now button on an email.”
The Department of Defense even asked OPM to instruct CSID to stop sending notifications, because DoD members are trained not to click on links coming from emails they don’t recognize, the Washington Post reported.
Other government agencies were wary of the notifications too. Last week, an IT officer from the Department of Energy Oak Ridge National Laboratory sent an email to the lab’s staffers to warn them that OPM had hired a contractor to send the notification emails, and that they’d be coming from a @csid.com address rather than an @opm.gov one, according to a copy of an email obtained by Motherboard.
“As always we should be wary of unexpected messages from unknown entities,” the email from the IT officer at the Oak Ridge National Laboratory read.
This was a screw up, according to security experts.
“These emails absolutely look like phishing emails,” said Lee, who, as an Air Force Cyber Warfare Officer and a PhD candidate researching cyber security at Kings College in London, could have been a victim of the hack.
Worse, OPM waited a month to start telling victims that they had been hacked and used a contractor to do it—something that, according to Lee, is “beyond negligent.”
When asked why OPM didn’t send the emails itself, Schumach, the spokesperson, said that he “honestly didn’t know” the answer.
OPM could’ve done better in notifying victims, but it was also put in a tough, “catch-22” situation after it was hacked, according to Adrian Sanabria, a security analyst at 451 Research. . .
Will the incompetents be replaced? Well, the oversight is provided by Congress (speaking of incompetents), so I would guess not.
Micah Lee reports at The Intercept:
Recently, I wrote a guide explaining how to encrypt your laptop’s hard drive and why you should do so. For the benefit of Windows users, I gave instructions for turning on BitLocker, Microsoft’s disk encryption technology.
This advice generated an immediate backlash in the comments section underneath the post, where readers correctly pointed out that BitLocker has been criticized by security experts for a number of real and potential shortcomings. For example, BitLocker’s source code is not available for inspection, which makes it particularly vulnerable to “backdoors,” security holes intentionally placed to provide access to the government or others. In addition, BitLocker’s host operating system, Microsoft Windows, provides an algorithm for generating random numbers, including encryption keys, that is known to have been backdoored by government spies, and which the company’s own engineers flagged as potentially compromised nearly eight years ago. BitLocker also lost a key component for hardening its encryption, known as the “Elephant diffuser,” in the latest major version of Windows. And Microsoft has reportedly worked hand-in-glove with the government to provide early access to bugs in Windows and to customer data in its Skype and Outlook.com products.
Even having known about these issues, I still believed BitLocker was the best of several bad options for Windows users; I’ll explain my reasoning on this later.
But in the meantime, something interesting has happened: Microsoft, after considerable prodding, provided me with answers to some longstanding questions about BitLocker’s security. The company told me which random number generator BitLocker uses to generate encryption keys, alleviating concerns about a government backdoor in that subsystem; it explained why it removed the Elephant diffuser, citing worries over performance and compatibility that will appease some, but certainly not all, concerned parties; and it said that the government-compromised algorithm it bundles with Windows to generate encryption keys is, by default, not used at all.
Significant questions remain about BitLocker, to be sure, and because the source code for it is not available, those questions will likely remain unanswered. As prominent cryptographer Bruce Schneier has written, “In the cryptography world, we consider open source necessary for good security; we have for decades.” Despite all of this, BitLocker still might be the best option for Windows users who want to encrypt their disks.
Today I’m going to dive deep into the concerns about BitLocker and into Microsoft’s new responses. I’m also going to explain why more open alternatives like TrueCrypt don’t resolve these concerns, and take a brief look at proprietary products like BestCrypt, which Schneier recommends.
This is going to be a fairly technical post. But it’s important to explore the current state of BitLocker because Windows remains the most popular operating system for personal computers and because interest in BitLocker has only grown in the wake of documents from NSA whistleblower Edward Snowden showing widespread U.S. government surveillance. At the same time, fears about BitLocker have also been stoked by the Snowden cache, which exposed a carefully orchestrated and apparently successful attempt by the National Security Agency to compromise international encryption-related standards, including one that’s part of Windows to this day.
Why people worry about BitLocker
If you can trust Microsoft, BitLocker has always been awesome. For example, Microsoft is well ahead of competitors like Apple in making BitLocker verify that an attacker hasn’t modified the software used to boot the computer. Without such protection, hackers can rewrite the boot-up code, impersonate the operating system, and trick people into unlocking the disk so malware can be installed, a technique known as an “evil maid” attack. Mac OS X and Linux’s disk encryption systems are entirely vulnerable to this attack, but Windows, when running BitLocker, is not.
Of course, a great many people, particularly in information security circles, do not trust Microsoft; these people worry that BitLocker’s advanced technology is meant to distract people from the company’s cozy relationship with the government, and that any data “secured” using BitLocker could be handed over to spy agencies or law enforcement.
Here are three more specific concerns those people have about BitLocker — concerns I have shared. With each, I’ve included Microsoft’s response. It should be noted that the company was not initially forthcoming with this information; a spokesperson responded to a set of questions based on these worries by saying the company had no comment. To Microsoft’s credit, the company later reversed this position. . .
Amazing. Adrian Chen writes in the NY Times Magazine:
Around 8:30 a.m. on Sept. 11 last year, Duval Arthur, director of the Office of Homeland Security and Emergency Preparedness for St. Mary Parish, Louisiana, got a call from a resident who had just received a disturbing text message. “Toxic fume hazard warning in this area until 1:30 PM,” the message read. “Take Shelter. Check Local Media and columbiachemical.com.”
St. Mary Parish is home to many processing plants for chemicals and natural gas, and keeping track of dangerous accidents at those plants is Arthur’s job. But he hadn’t heard of any chemical release that morning. In fact, he hadn’t even heard of Columbia Chemical. St. Mary Parish had a Columbian Chemicals plant, which made carbon black, a petroleum product used in rubber and plastics. But he’d heard nothing from them that morning, either. Soon, two other residents called and reported the same text message. Arthur was worried: Had one of his employees sent out an alert without telling him?
If Arthur had checked Twitter, he might have become much more worried. Hundreds of Twitter accounts were documenting a disaster right down the road. “A powerful explosion heard from miles away happened at a chemical plant in Centerville, Louisiana #ColumbianChemicals,” a man named Jon Merritt tweeted. The #ColumbianChemicals hashtag was full of eyewitness accounts of the horror in Centerville. @AnnRussela shared an image of flames engulfing the plant. @Ksarah12 posted a video of surveillance footage from a local gas station, capturing the flash of the explosion. Others shared a video in which thick black smoke rose in the distance.
Dozens of journalists, media outlets and politicians, from Louisiana to New York City, found their Twitter accounts inundated with messages about the disaster. “Heather, I’m sure that the explosion at the #ColumbianChemicals is really dangerous. Louisiana is really screwed now,” a user named @EricTraPPP tweeted at the New Orleans Times-Picayune reporter Heather Nolan. Another posted a screenshot of CNN’s home page, showing that the story had already made national news. ISIS had claimed credit for the attack, according to one YouTube video; in it, a man showed his TV screen, tuned to an Arabic news channel, on which masked ISIS fighters delivered a speech next to looping footage of an explosion. A woman named Anna McClaren (@zpokodon9) tweeted at Karl Rove: “Karl, Is this really ISIS who is responsible for #ColumbianChemicals? Tell @Obama that we should bomb Iraq!” But anyone who took the trouble to check CNN.com would have found no news of a spectacular Sept. 11 attack by ISIS. It was all fake: the screenshot, the videos, the photographs.
In St. Mary Parish, Duval Arthur quickly made a few calls and found that none of his employees had sent the alert. He called Columbian Chemicals, which reported no problems at the plant. Roughly two hours after the first text message was sent, the company put out a news release, explaining that reports of an explosion were false. When I called Arthur a few months later, he dismissed the incident as a tasteless prank, timed to the anniversary of the attacks of Sept. 11, 2001. “Personally I think it’s just a real sad, sick sense of humor,” he told me. “It was just someone who just liked scaring the daylights out of people.” Authorities, he said, had tried to trace the numbers that the text messages had come from, but with no luck. (The F.B.I. told me the investigation was still open.)
The Columbian Chemicals hoax was not some simple prank by a bored sadist. It was a highly coordinated disinformation campaign, involving dozens of fake accounts that posted hundreds of tweets for hours, targeting a list of figures precisely chosen to generate maximum attention. The perpetrators didn’t just doctor screenshots from CNN; they also created fully functional clones of the websites of Louisiana TV stations and newspapers. The YouTube video of the man watching TV had been tailor-made for the project. A Wikipedia page was even created for the Columbian Chemicals disaster, which cited the fake YouTube video. As the virtual assault unfolded, it was complemented by text messages to actual residents in St. Mary Parish. It must have taken a team of programmers and content producers to pull off.
And the hoax was just one in a wave of similar attacks during the second half of last year. On Dec. 13, two months after a handful of Ebola cases in the United States touched off a minor media panic, many of the same Twitter accounts used to spread the Columbian Chemicals hoax began to post about an outbreak of Ebola in Atlanta. The campaign followed the same pattern of fake news reports and videos, this time under the hashtag #EbolaInAtlanta, which briefly trended in Atlanta. Again, the attention to detail was remarkable, suggesting a tremendous amount of effort. A YouTube video showed a team of hazmat-suited medical workers transporting a victim from the airport. Beyoncé’s recent single “7/11” played in the background, an apparent attempt to establish the video’s contemporaneity. A truck in the parking lot sported the logo of the Hartsfield-Jackson Atlanta International Airport.
On the same day as the Ebola hoax, a totally different group of accounts began spreading a rumor that an unarmed black woman had been shot to death by police. They all used the hashtag #shockingmurderinatlanta. Here again, the hoax seemed designed to piggyback on real public anxiety; that summer and fall were marked by protests over the shooting of Michael Brown in Ferguson, Mo. In this case, a blurry video purports to show the shooting, as an onlooker narrates. Watching it, I thought I recognized the voice — it sounded the same as the man watching TV in the Columbian Chemicals video, the one in which ISIS supposedly claims responsibility. The accent was unmistakable, if unplaceable, and in both videos he was making a very strained attempt to sound American. Somehow the result was vaguely Australian.
Who was behind all of this? When I stumbled on it last fall, I had an idea. I was already investigating a shadowy organization in St. Petersburg, Russia, that spreads false information on the Internet. It has gone by a few names, but I will refer to it by its best known: the Internet Research Agency. The agency had become known for employing hundreds of Russians to post pro-Kremlin propaganda online under fake identities, including on Twitter, in order to create the illusion of a massive army of supporters; it has often been called a “troll farm.” The more I investigated this group, the more links I discovered between it and the hoaxes. In April, I went to St. Petersburg to learn more about the agency and its brand of information warfare, which it has aggressively deployed against political opponents at home, Russia’s perceived enemies abroad and, more recently, me.
Seven months after the Columbian Chemicals hoax, I was in a dim restaurant in St. Petersburg, peering out the window at an office building at 55 Savushkina Street, the last known home of the Internet Research Agency. . .
Take a look at this column by Andrea Peterson in the Washington Post. It turns out that if you deliberately weaken encryption, it doesn’t work well. Huh.
Another week, another dire warning about the technology used to secure online communications. Internet security researchers are warning about a previously undisclosed vulnerability that affected all modern Web browsers — a weakness that could allow an attacker to snoop on or even change communications thought to be secure.
The origins of the problem can be traced to the 1990s, when the government waged a policy debate known as the “Crypto Wars” over the digital technologies now widely used to keep online communications safe. But the debate, once counted as a win by privacy advocates, is now raging again — and technologists warn it could have similarly dire consequences.
The government classified encryption — a process that scrambles up information so that only those authorized can decode it — as a munition and tried to limit the spread of the most robust forms outside the United States through strict export rules on military technologies. But even though the United States reversed course by the end of the decade, the rules were so ingrained in technologies that make the Web run, they’re still causing problems today.
“The original goal of export controls was to keep strong encryption inside the U.S. — the hope was that by forcing the software industry to use weak encryption we could keep strong security out of the hands of bad guys,” said Alan Davidson, who worked on the issue at the Center for Democracy & Technology during the ’90s and was the director of New America’s Open Technology Institute when interviewed. (He just accepted a position as digital economy director at the Commerce Department.)
“But even then the notion of making strong encryption a thing for people in the U.S. that couldn’t be accessed by those outside of the U.S. didn’t make sense,” Davidson said. It created a double standard that left innocent Internet users abroad less secure, he said, and once the encryption genie was out of the bottle, it was impossible to shove back in.
And even now, long after the most restrictive export rules on encryption have been lifted, the legacy of that policy is still leaving Internet users around the world less secure, experts say.
“You mandate people do certain things that are insecure, you’re going to have a lot of nasty unintended consequences that last for a long time,” said Matt Green, one of the authors of the report that revealed the latest vulnerability, dubbed “LogJam,” and a computer science professor at Johns Hopkins University. . .
And Andrea Peterson has another column on the UN’s position that encryption (strong encryption) is important for human rights, and backdoors undermine it:
A new report from the United Nation’s Office of the High Commissioner for Human Rights says digital security and privacy are essential to maintaining freedom of opinion and expression around the world — and warns that efforts to weaken security tools in some countries may undermine it everywhere.
The report written by special rapporteur David Kaye says that encryption — the process of digitally scrambling information so that only authorized persons can access it — and anonymity tools “provide the privacy and security necessary for the exercise of the right to freedom of opinion and expression in the digital age.” The report will be presented to the U.N. Human Rights Council next month.
It comes amid a growing debate in the U.S. about how to best balance personal privacy rights and national security. Since former government contractor Edward Snowden’s revelations about National Security Agency surveillance programs, tech companies have scrambled to encrypt more of their products.
Now, some U.S. law enforcement officials are pushing to have tech companies build ways for the government to access secure content passing through their products — so-called “backdoors.” . . .
Italians will love it, eh? :) The story by Hayley Tsukayama is here, but watch this video:
The example interactions are fascinating.
The United Nations does not agree with US Federal law-enforcement officials (James Comey of the FBI, Loretta Lynch of the DoJ, et al.). The Federal LEOs all believe that encryption and online anonymity are creations of the devil and must not be allowed, since citizens in a free democracy have no right of privacy at all. The Feds oppose encryption—at least, secure encryption. Jason Koebler reports in Motherboard:
The ability to anonymize yourself online and encrypt your data and communications is fundamental to free expression and should be a protected human right, a United Nations report said Thursday. The agency added that the tools are “necessary for the exercise of the right to freedom of opinion and expression in the digital age.”
The world’s most important intergovernmental organization finally weighed in on the encryption debate that’s been raging over the last year or so. Last year, Apple and Google both announced plans to make encryption default on their mobile operating systems, meaning only users with a passkey would be able to access data stored on their devices. The FBI, NSA, and intelligence groups in the United Kingdom immediately said that such a move would make tracking criminals more difficult, and rallied against it.
Since then, the FBI has repeatedly waged a public relations campaign asking politicians and hardware manufacturers to work on making encryption crackable by the government in certain instances, a move that essentially everyone in the security field has said would ruin encryption altogether, creating vulnerabilities that could be exploited by authoritarian governments or hackers.
Meanwhile, the Department of Justice has said that anonymizing software such as Tor, which can be used to access hidden services, has created a “zone of lawlessness” used by criminals.
The UN, in a report from the body’s Human Rights Council’s special rapporteur, said that any attempt to undermine encryption must be looked at as an affront to human rights.
“Encryption and anonymity, and the security concepts behind them, provide the privacy and security necessary for the exercise of the right to freedom of opinion and expression in the digital age,” the report said. “Such security may be essential for the exercise of other rights, including economic rights, privacy, due process, freedom of peaceful assembly and association, and the right to life and bodily integrity.”
In the 21-page report (embedded below), the body repeatedly outlines why encryption and anonymity are important, and why any attempt to break them could threaten those living under an authoritarian government. It further stated that groups such as the FBI who have proposed “backdoor access” have not proven that encryption puts up additional barriers for law enforcement to do their job.
The UN’s take on the issue aligns closely with what human rights groups and security experts in the United States have been saying repeatedly: that it’s impossible to give a “back door” to the FBI or NSA without also creating a vulnerability for hackers to exploit.
“It is a seemingly universal position among technologists that there is no special access that can be made available only to government authorities, even ones that, in principle, have the public interest in mind,” the report said. “Intentionally compromising encryption, even for arguably legitimate purposes, weakens everyone’s security online.”
Experts have also noted that encryption makes people safer from crime overall, even if there are a few bad actors who use it to commit and conceal crimes. . .
Congress should make it clear that US citizens have an absolute right to encrypt their data.
Already present with iOS Kindle apps; coming to the Kindle itself by Sept 22.