Security News This Week: WhatsApp Is Caught in Its Own Crypto War in Brazil
As Apple’s standoff with the FBI over its iPhone encryption continues, security news this week focused on that growing hot zone in the crypto cold war. A congressional hearing on the subject brought Apple and the FBI into the same room to make their cases to legislators, who may have the last word in this conflict. Fellow tech giants filed amicus briefs in support of Apple’s legal case, arguing that acceding to the FBI’s demand that Apple write software to help crack San Bernardino shooter Syed Farook’s phone would set a dangerous precedent. Several top iPhone hackers and security researchers weighed in to back Apple, too. WIRED broke down all the ways the government could actually pull data from locked iPhones without Apple’s help. And perhaps most importantly, a New York judge ruled that Apple didn’t have to decrypt a locked iPhone in another case across the country, punching a potential hole in the FBI’s legal theory that the 1789 All Writs Act can be used to compel companies to cooperate in this sort of intel-collection tactic.
Apple and FBI news aside, WIRED’s Kim Zetter brought to light disturbing new details in the hacker attack that took down a power grid in Ukraine. The Pentagon launched the federal government’s first “bug bounty” program. A security researcher demonstrated a method of hijacking a $35,000 police drone, which he says could be used to hack it from more than a mile away. And the privacy community discovered that Amazon had dropped encryption from its FireOS tablets, a development that seemed connected to the Apple FBI case, but wasn’t.
But as packed as that week sounds, there was more: Each Saturday we round up the news stories that we didn’t break or cover in depth at WIRED, but which deserve your attention nonetheless. As always, click on the headlines to read the full story in each link posted. And stay safe out there.
The mega-popular messaging service WhatsApp and its parent company Facebook are facing a crypto conflict of their own. In Brazil, Facebook vice president for Latin America Diego Dzodan was jailed on grounds of “non-compliance with court orders” after WhatsApp failed to provide messages demanded by prosecutors in a drug case. WhatsApp, after all, uses a crypto protocol created by the US non-profit Open Whisper Systems to end-to-end encrypt all messages between Android phones, so that even the company itself can’t access them. Dzodan was released a day later. But the case signals that there will be more legal clashes over user-controlled encryption, both in the US and abroad.
Despite the legal and political resources the FBI has devoted to getting into San Bernardino shooter Syed Farook’s locked iPhone, the agency hasn’t detailed what exactly it believes it can get from the encrypted device. But in a filing in the case Thursday, San Bernardino District Attorney Michael Ramos warned that the phone might contain evidence that “it was used as a weapon to introduce a lying dormant cyber pathogen that endangers San Bernardino’s infrastructure.” In less bizarre terminology, he seems to be suggesting that Farook may have infected the network of the San Bernardino County office where he worked with malware. But the prosecutor offered no evidence of that theory. And as iPhone forensics expert Jonathan Zdziarski pointed out, the district attorney might as well be suggesting that a “magical unicorn might exist on this phone.”
Researchers unveiled a serious new vulnerability they discovered in the transport layer encryption used by millions of HTTPS websites. Their proof-of-concept attack, which they called DROWN, or Decrypting RSA with Obsolete and Weakened eNcryption, takes advantage of an old, insecure encryption protocol known as SSLv2 that’s nonetheless still supported by many web servers. The researchers found that they could connect to a vulnerable server with that protocol repeatedly to glean bits of information about the server’s private key until a supposedly secure connection could be decrypted. The researchers released a tool to check whether your website is vulnerable here. DROWN represents only the latest attack to pummel HTTPS encryption over the last several years, following a slew of other troubling attacks exposed by researchers, including the BEAST and Logjam attacks.
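The first question DROWN raises for any server operator is simply whether the server still answers an SSLv2 handshake at all. The following probe is an added example, not the researchers’ tool or anything from the original article: it builds a minimal SSLv2 ClientHello, sends it, and parses the ServerHello to list the SSLv2 cipher specs the server is willing to offer (the 40-bit export ciphers are the ones DROWN leans on). The host and port are placeholders you supply; the cipher-spec table is constructed from the SSLv2 specification.

```python
import socket
import struct

# SSLv2 cipher specs (3 bytes each) offered by the probe, per the SSLv2 spec.
# The EXPORT40 entries are the weakened ciphers that make DROWN practical.
SSLV2_CIPHERS = {
    b"\x01\x00\x80": "SSL2_RC4_128_WITH_MD5",
    b"\x02\x00\x80": "SSL2_RC4_128_EXPORT40_WITH_MD5",
    b"\x03\x00\x80": "SSL2_RC2_128_CBC_WITH_MD5",
    b"\x04\x00\x80": "SSL2_RC2_128_CBC_EXPORT40_WITH_MD5",
    b"\x05\x00\x80": "SSL2_IDEA_128_CBC_WITH_MD5",
    b"\x06\x00\x40": "SSL2_DES_64_CBC_WITH_MD5",
    b"\x07\x00\xc0": "SSL2_DES_192_EDE3_CBC_WITH_MD5",
}

def build_client_hello(challenge=b"\x00" * 16):
    """SSLv2 CLIENT-HELLO: 2-byte record header (high bit set) + message body."""
    specs = b"".join(SSLV2_CIPHERS)
    body = (b"\x01\x00\x02"                                   # type 0x01, version 0.2
            + struct.pack(">HHH", len(specs), 0, len(challenge))
            + specs + challenge)                              # no session id
    return struct.pack(">H", 0x8000 | len(body)) + body

def parse_server_hello(data):
    """Return the cipher specs named in a SERVER-HELLO, or None if SSLv2 was refused."""
    if len(data) < 2:
        return None
    if data[0] & 0x80:                                        # 2-byte header form
        length, hdr = ((data[0] & 0x7F) << 8) | data[1], 2
    else:                                                     # 3-byte form (has padding byte)
        length, hdr = ((data[0] & 0x3F) << 8) | data[1], 3
    body = data[hdr:hdr + length]
    if len(body) < 11 or body[0] != 0x04:                     # 0x04 = SERVER-HELLO
        return None
    cert_len, specs_len, _conn_id_len = struct.unpack(">HHH", body[5:11])
    specs = body[11 + cert_len:11 + cert_len + specs_len]
    return [SSLV2_CIPHERS.get(specs[i:i + 3], specs[i:i + 3].hex())
            for i in range(0, len(specs), 3)]

def probe(host, port=443, timeout=5.0):
    """Connect to host:port (placeholders you supply) and report offered SSLv2 ciphers."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello())
        try:
            return parse_server_hello(sock.recv(4096))
        except socket.timeout:
            return None
```

A non-empty list from `probe()` means the server still speaks SSLv2 and should have it disabled; a server that has already removed SSLv2 typically answers with a TLS alert or closes the connection, which the parser reports as `None`.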
Hacking Team, the notorious spyware developer and government contractor whose ugly viscera were exposed in a massive hacker breach last July, seems to have returned to its old game. That’s the conclusion, at least, of researchers who found a new piece of Mac-focused malware that appears to install a copy of Hacking Team’s spy tools on victims’ computers. It’s worth noting that the hacker attack that spilled Hacking Team’s guts last summer also leaked that spy code, suggesting that someone else may have adopted it. But the researchers point to advancements in the malware’s obfuscation techniques and an active server controlling the spy tools as recently as January as evidence that the finding is a real surveillance tactic with Hacking Team’s fingerprints on it.
The IRS has already acknowledged that the hacker attack that hit the agency last year was much worse than it initially admitted, affecting more than 700,000 people and leading to many victims’ tax returns being claimed by criminals. Now it seems that the protections it put in place to guard against that attack have themselves been broken. In response to the breach, the IRS had given millions of people a unique PIN to identify themselves. That extra measure is meant to protect tax filers from being impersonated by criminals seeking to nab their tax refund. But security blogger Brian Krebs reports that at least one victim has had her PIN stolen by criminals as well, thanks to an insecure “PIN retrieval” feature on the IRS website for those who have forgotten the six-digit number. That PIN retrieval feature uses only security questions with guessable or publicly recorded answers, like previous addresses and loan amounts, to check the user’s identity.
The Wassenaar Arrangement, a 41-country agreement designed to restrict the export of dangerous goods to rogue nations, has been a topic of contention in the security industry: Last summer, the Commerce Department agreed to implement the agreement in the United States and expand it to cover “intrusion software,” in a bid to keep new surveillance techniques out of the hands of governments that would use them to spy on their citizens. But due to some overly broad language, security pros argued the same restrictions would also prevent the export of common security tools used for testing and research, isolating American firms and hurting international cybersecurity. Now the White House has listened, and filed a proposal Monday to eliminate those intrusion software controls.
Microsoft has long given away antivirus software and built “exploit mitigations” into Windows that are designed to make breaking into a PC and infecting it with malware more difficult. Now it’s going a step further with Windows 10, building in a system to detect unusual behavior on PCs that might be a sign of a hacker breach. Windows Defender Advanced Threat Protection, announced at the RSA conference, monitors what a Windows machine does and looks for signs that it’s being used maliciously, then reports any suspicious behavior to a network administrator. And with a billion Windows systems out there, it will have plenty of data against which it can compare that behavior to define what’s “normal” versus “suspicious.”
When passenger jet Malaysia Airlines flight MH17 was shot out of the sky over Eastern Ukraine in 2014, the world was horrified. Evidence suggested Russian-backed separatists used a ground-to-air missile launcher to shoot down the plane, which was carrying 298 people. Now, Motherboard reports that one hacker is getting revenge by targeting any and all Russian web sites for hacks. Calling himself Cyber Anakin, he tells Motherboard that he’s stolen data from at least two major sites, a news site and a game maker, compromising the data of up to 1.5 million people. “After the MH17 tragedy back in 2014, I made a promise to myself that I am going to revenge against Russians for what they did against the flight,” he told Motherboard.
One attack revealed at the RSA conference gives the phrase “software piracy” new meaning: A piracy operation compromised the server of a shipping firm to gain intel on which ships it should attack and what cargo it should steal. Verizon’s security researchers found that the pirates would use malware installed on the company’s network to identify valuable cargo containers and then board the ship, stealing that cargo alone and leaving the rest of the ship untouched. The thieves were better pirates than they were hackers, however, and made numerous errors that allowed their intrusion to be detected and blocked.