Security News This Week: Tim Cook Demands That the White House Defend Encryption
This week, Ross Ulbricht’s defense team dropped a brief appealing for a new trial, arguing that the court erroneously suppressed information about the corrupt federal agents investigating Silk Road. Using a clue from leaked Hacking Team files, researchers at Kaspersky Lab found a valuable zero-day exploit attacking a vulnerability in Microsoft’s Silverlight software. A researcher found a way for hackers to remotely burn industrial motors. Oh, and Netflix is cracking down on VPNs with the goal of acquiring global content rights for its movies and shows.
But that’s not all. Each Saturday we round up the news stories that we didn’t break or cover in depth at WIRED, but which deserve your attention nonetheless. As always, click on the headlines to read the full story in each link posted. And stay safe out there!
Looks like Tim Cook hasn’t changed his stance on encryption. During the delegation called by the White House to discuss counterterrorism issues with tech leaders, the Apple CEO apparently lashed out at Obama administration officials for not issuing a public statement defending the use of encryption without backdoors, according to two people briefed on the meeting who relayed the information to The Intercept. The meeting was attended by the White House Chief of Staff, Attorney General, and Secretary of Homeland Security, as well as NSA Director Michael Rogers, FBI Director James Comey, and Director of National Intelligence James Clapper.
A new post by the Spamhaus Project, an international non-profit organization fighting spam and cybercrime, says that Verizon is “currently by far the largest single source of snowshoe spam in operation today,” with more than 4 million spam IP addresses being routed through its network. (Snowshoe spam is a term for a technique used to get around spam filters and regulations, wherein spammers strategically send out their emails from a wide range of IP addresses, so that if one IP address gets caught, others may still get through.) Spamhaus Project claims that spammers are forging authorization documents alleging permission to use large IP blocks, and that Verizon is routing traffic based on those documents, even after being informed that the IP addresses were illegally obtained by spammers.
The Department of Homeland Security is rolling out a so-called “Safe Action Project,’ in which it is asking hotel and hospitality staff to look at warnings of sex trafficking. The only problem is that the so-called red flags are broad enough to sweep up unsuspecting hotel patrons. Among other things, they include paying for rooms with cash or a rechargeable credit card, refusing maid service for several days, having “suspicious tattoos,” or photography equipment, or “excessive sex paraphernalia”—or too few personal possessions, trash cans with a lot of used condoms, or even the presence of multiple computers and devices.
Crackas with Attitude is back again—after hacking into CIA director John Brennan’s email account last October, and accessing online tools and portals used by law enforcement agencies, one of the group’s hackers, Cracka, has targeted Director of National Intelligence James Clapper. Cracka told Motherboard he accessed Clapper’s home phone and internet accounts, personal email account, and his wife’s email account. The teenage hacker had calls to Clapper’s home phone number forwarded to the Free Palestine Movement. He also sent Motherboard call logs to Clapper’s home number. The Office of the Director of National Intelligence confirmed the hack.
The Graduate Center at the City University of New York has begun purging its older interlibrary loan records to protect the privacy of its patrons, deleting the date before the government can demand it. Although the Graduate Center’s chief librarian Polly Thistlethwaite told the Guardian that there was “nothing burning that prompted” the change, she described being approached by an NYPD officer while she was working at a different library. He was looking for users who’d checked out astrological books while looking for the Zodiac killer. The Graduate Center currently plans to keep all interlibrary loan requests dating back to 2013, but eventually hopes to keep a rolling record of only a year or less.
The details are murky, but police in the Netherlands and in Canada have claimed that they can access deleted emails and read encrypted email messages on BlackBerry PGP devices, which are sold by resellers like GhostPGP who customize the devices with PGP encryption. Their technique requires physical access to the device.
When responding to 911 calls, police operators in Fresno have been consulting the threat-scoring software Beware, which analyzes people’s potential for violence using a series of data points such as arrest reports, social media posts, commercial databases, and property records. The software generates a color-coded threat level for an address and each resident. Only Beware’s manufacturer, Intrado, knows how threat scores are calculated, since it considers this a trade secret. Critics point out that these tools have little public oversight, have enormous potential for error, are intrusive, and have potential to be misused. After a November Fresno City Council hearing in which residents expressed concern, Fresno’s police chief said he’s working with Intrado to turn off the color-coded rating system.
According to Defense One and the unnamed Ghost Security sources it spoke with, ISIS has its own new Android-based app, Alrawi.apk, for encrypted communication. This is in addition to the previously discovered Amaq Agency app, which GhostSec says is used primarily for distributing propaganda.
Activists from 42 countries have signed an open letter demanding an end to global government efforts to coerce software companies to weaken encryption via backdoors. The letter was created by digital rights group Access now, and was posted in 10 different languages to SecuretheInternet.org. 195 experts, civil society groups, and companies, including United Nations special rapporteur for freedom of opinion and expression David Kaye, signed the letter.