Security This Week: The Government Really Doesn’t Seem to Like Encryption
This week, Andy Greenberg and Gwern Branwen uncovered the probable identity of Bitcoin creator Satoshi Nakamoto—but then again, he might be a hoaxer. We took a look at malvertising, the hack that can infect your computer even if you don’t click anything. And Anonymous announced it’s launching an online operation against national embarrassment/presidential candidate Donald Trump. The Tor Project got a new executive director, who knows a thing or two about defending digital privacy. And meanwhile, the war against encryption raged on.
Each Saturday we round up the news stories that we didn’t break or cover in depth at WIRED, but which deserve your attention nonetheless. As always, click on the headlines to read the full story in each link posted. And stay safe out there!
Cryptographers, civil libertarians, and privacy advocates have spoken loud and clear about how weakening encryption will make online communications and e-commerce more vulnerable (and make tech companies less competitive economically). But the war against crypto rages on in the wake of terrorist attacks in Paris and San Bernardino. President Obama is calling on tech companies to work with law enforcement in the case of “activist terrorist plotting,” and he’s hinting at a push to weaken encryption. Senator Dianne Feinstein has been working with Judiciary Committee Chairman Richard Burr on a bill that could undermine strong encryption, and FBI director James Comey called for tech companies offering end-to-end encryption to reconsider their business model. House Homeland Security Committee chair Mike McCaul called for the creation of a commission to address security and technology challenges. He plans to introduce a bill calling for the creation of this commission in January, a House Committee on Homeland Security spokesperson told Motherboard. The Obama administration responded to a We the People petition asking the administration to stand up for strong encryption by seeking further comment, and has indicated that it plans to formally respond by the holidays.
In the wake of deadly attacks in Paris, the French government contemplated banning the Tor anonymity network and limiting public Wi-Fi. This was originally reported in the French newspaper Le Monde. Luckily, French authorities may have decided against it, Prime Minister Manuel Valls announced Wednesday. However, it’s worth noting that the final text of the bill has yet to be released. Meanwhile, legislators for the European Union are rushing through a counter-terrorism bill that European data protection supervisor Giovanni Buttarelli described as “the first large-scale and indiscriminate collection of personal data in the history of the European Union.” The bill not only could undermine privacy and freedom of movement, but also may not be effective in its stated objective of tracking down potential terrorists.
The internet’s 13 DNS root name servers, which play a role in converting website server names into network numbers, were hit with a massive DDoS attack for four hours on November 30th and December 1st, sending close to a trillion (bogus) requests. Although this resulted in some timeouts, several DNS root name servers remained intact for the entire duration of the attack. This isn’t the first attack of its kind: root name servers were similarly DDoSed in October 2002 and February 2007.
House and Senate members have been meeting secretly to merge language in two complementary bills (including CISA) focusing on information sharing between companies and the government. Unfortunately, it’s looking like the final language of the bill will include the worst aspects of both versions, gutting even the minimal privacy protections the surveillance bill had to protect sensitive data from the NSA.
A South American cyber-espionage group has been targeting journalists, dissidents, and political figures in Latin America in a long-running campaign, according to a report released by internet watchdog group Citizen Lab. The hacker team, which has been active for seven years, has used spyware, malware, and phishing attacks to target activists, dissidents, and independent journalists in Ecuador and Argentina, as well as parliamentarians, and even dissatisfied members of the Ecuadorian state police. Argentine prosecutor Alberto Nisman, who tried to bring criminal charges against the country’s president, was found dead of a gunshot wound last January. Spyware from this shadowy group was found on his smartphone. The operation has been dubbed Packrat by Citizen Lab due to its use of remote access trojans (RATs). Packrat created fake political organizations and websites to seed phishing attacks and malware, and targeted journalists and political figures with phishing attacks via email and SMS. The group, which is likely sponsored by one or more governments in the region, has also been active in Venezuela and Brazil.
Buried near the end of a 2,000-word Washington Post profile of FBI science and technology division head Amy Hess is the first on-the-record acknowledgement that the bureau uses zero-day exploits to take advantage of previously undiscovered software flaws. This leaves all consumers who use that software vulnerable. Hess, whom ACLU’s principal technologist Christopher Soghoian referred to as the “queen of domestic surveillance,” also discussed the use of stingray surveillance technology, which simulates cell phone towers to trick mobile phones in a given area into connecting to them. In addition to revealing the phones’ locations, the controversial cell site simulators also record calls and intercept voice and text communications of all cellphones in an area, including those belonging to innocent bystanders. An investigation by the North Star Post concluded that this cell phone surveillance technology was deployed against Black Lives Matter protesters at the Fourth Precinct in Minneapolis, as detected by the open source app SnoopSnitch. An ACLU map documents which agencies are known to be using the controversial tracking devices, although the actual use is likely much higher.
People didn’t think this private cop tool would end up in the hands of the public, but now, all you need is an IP-enabled security camera and some free open source software, and you’ve got yourself an automated license plate reader. Collecting license plate data is legal in most states because drivers don’t have a reasonable expectation of privacy while driving on public roads. As its use by private citizens becomes more prevalent, it’ll be interesting to see if that changes.
Former Secret Service agent Shaun Bridges was sentenced to 71 months in prison for stealing Bitcoin from Silk Road while investigating the site. He was also ordered to forfeit $475,000. Bridges previously pled guilty to money laundering and obstruction of justice charges. Bridges apparently sent text messages to another Baltimore IRS task force member to discuss Bitcoin, even while he was guarding First Lady Michelle Obama, according to Assistant United States Attorney Kathryn Haun’s court statements.
Both Microsoft and Adobe issued a boatload of software updates to patch critical bugs in their software. Microsoft’s patches fix 71+ flaws (including 30 Internet Explorer flaws and 15 in the newer Microsoft Edge browser), while Adobe’s patch addressed 78 Flash Player vulnerabilities.