Encryption

Zoom To Roll Out End-to-End Encrypted (E2EE) Calls (zdnet.com)

Video conferencing platform Zoom announced today plans to roll out end-to-end encryption (E2EE) capabilities starting next week. From a report: E2EE will allow Zoom users to generate individual encryption keys that will be used to encrypt voice or video calls between them and other conference participants. These keys will be stored locally and will not be shared with Zoom servers, meaning the software company won't be able to access or intercept any ongoing E2EE meetings. Support for E2EE calls will first be part of Zoom clients to be released next week. To use the new feature, users must update their clients next week and enable support for E2EE calls at the account level. The client's green shield icon will contain a lock if E2EE is active. If the lock is absent, Zoom will use its default AES 256-bit GCM encryption scheme, which the company uses to secure current communications, but which the company can also intercept. Further reading: Zoom Adds Ability To Open Apps Like Dropbox And Slack, Event-Hosting Tools As Part Of Push Beyond Video Meetings.
Security

Backdoor In Kids' Smartwatch Makes It Possible For Someone To Covertly Take Pictures, Record Audio (theregister.com)

The Xplora 4 smartwatch, made by Chinese outfit Qihoo 360 Technology Co, and marketed to children under the Xplora brand in the US and Europe, can covertly take photos and record audio when activated by an encrypted SMS message, says Norwegian security firm Mnemonic. The Register reports: This backdoor is not a bug, the finders insist, but a deliberate, hidden feature. Around 350,000 watches have been sold so far, Xplora says. Exploiting this security hole is non-trivial, we note, though it does reveal the kind of remotely accessible stuff left in the firmware of today's gizmos. "The backdoor itself is not a vulnerability," said infosec pros Harrison Sand and Erlend Leiknes in a report on Monday. "It is a feature set developed with intent, with function names that include remote snapshot, send location, and wiretap. The backdoor is activated by sending SMS commands to the watch."

The researchers suggest these smartwatches could be used to capture photos covertly from its built-in camera, to track the wearer's location, and to conduct wiretapping via the built-in mic. They have not claimed any such surveillance has actually been done. The watches are marketed as a child's first phone, we're told, and thus contain a SIM card for connectivity (with an associated phone number). Parents can track the whereabouts of their offspring by using an app that finds the wearer of the watch. Xplora contends the security issue is just unused code from a prototype and has now been patched. But the company's smartwatches were among those cited by Mnemonic and Norwegian Consumer Council in 2017 for assorted security and privacy concerns.

With the appropriate Android intent, an incoming encrypted SMS message received by the Qihoo SMS app could be directed through the command dispatcher in the Persistent Connection Service to trigger an application command, like a remote memory snapshot. Exploiting this backdoor requires knowing the phone number of the target device and its factory-set encryption key. This data is available to Qihoo and Xplora, according to the researchers, and can be pulled off the device physically using specialist tools. This basically means ordinary folks aren't going to be hacked, either by the manufacturer under orders from Beijing or by opportunistic miscreants attacking gizmos in the wild, though it is an issue for persons of interest. It also highlights the kind of code left lingering in mass-market devices.

Security

Apple's T2 Security Chip Has an Unfixable Flaw (wired.com)

A recently released tool is letting anyone exploit an unusual Mac vulnerability to bypass Apple's trusted T2 security chip and gain deep system access. The flaw is one researchers have also been using for more than a year to jailbreak older models of iPhones. But the fact that the T2 chip is vulnerable in the same way creates a host of new potential threats. Worst of all, while Apple may be able to slow down potential hackers, the flaw is ultimately unfixable in every Mac that has a T2 inside. From a report: In general, the jailbreak community hasn't paid as much attention to macOS and OS X as it has to iOS, because they don't have the same restrictions and walled gardens that are built into Apple's mobile ecosystem. But the T2 chip, launched in 2017, created some limitations and mysteries. Apple added the chip as a trusted mechanism for securing high-value features like encrypted data storage, Touch ID, and Activation Lock, which works with Apple's "Find My" services. But the T2 also contains a vulnerability, known as Checkm8, that jailbreakers have already been exploiting in Apple's A5 through A11 (2011 to 2017) mobile chipsets. Now Checkra1n, the same group that developed the tool for iOS, has released support for T2 bypass.

On Macs, the jailbreak allows researchers to probe the T2 chip and explore its security features. It can even be used to run Linux on the T2 or play Doom on a MacBook Pro's Touch Bar. The jailbreak could also be weaponized by malicious hackers, though, to disable macOS security features like System Integrity Protection and Secure Boot and install malware. Combined with another T2 vulnerability that was publicly disclosed in July by the Chinese security research and jailbreaking group Pangu Team, the jailbreak could also potentially be used to obtain FileVault encryption keys and to decrypt user data. The vulnerability is unpatchable, because the flaw is in low-level, unchangeable code for hardware. "The T2 is meant to be this little secure black box in Macs -- a computer inside your computer, handling things like Lost Mode enforcement, integrity checking, and other privileged duties," says Will Strafach, a longtime iOS researcher and creator of the Guardian Firewall app for iOS. "So the significance is that this chip was supposed to be harder to compromise -- but now it's been done."

Encryption

Five Eyes Governments, India, and Japan Make New Call For Encryption Backdoors (zdnet.com)

Members of the intelligence-sharing alliance Five Eyes, along with government representatives for Japan and India, have published a statement over the weekend calling on tech companies to come up with a solution for law enforcement to access end-to-end encrypted communications. From a report: The statement is the alliance's latest effort to get tech companies to agree to encryption backdoors. The Five Eyes alliance, comprised of the US, the UK, Canada, Australia, and New Zealand, made similar calls to tech giants in 2018 and in 2019. Just like before, government officials claim tech companies have put themselves in a corner by incorporating end-to-end encryption (E2EE) into their products. If properly implemented, E2EE lets users have secure conversations -- be they chat, audio, or video -- without sharing the encryption key with the tech companies. Representatives from the seven governments argue that the way E2EE is currently supported on today's major tech platforms not only prevents law enforcement from investigating crime rings, but also prevents the tech platforms themselves from enforcing their own terms of service. Signatories argue that "particular implementations of encryption technology" are currently posing challenges to law enforcement investigations, as the tech platforms themselves can't access some communications and provide needed data to investigators.
Facebook

Facebook Opens New Fight With Apple Over Messaging (9to5mac.com)

Facebook executives have sharply ramped up their criticism of Apple in recent months, contesting the iPhone maker's restrictions on gaming apps and ad targeting, as well as its cut of in-app purchases. Now, emboldened by Apple software changes that suggest it is starting to bend, Facebook wants something else: the option to make its Messenger app the default messaging tool on iPhones [Editor's note: the link is paywalled; alternative source]. From a report: "We feel people should be able to choose different messaging apps and the default on their phone," Stan Chudnovsky, the Facebook vice president in charge of its Messenger app, told The Information. "Generally, everything is moving this direction anyway." Chudnovsky said Facebook has asked Apple over the years to consider opening up default messaging. Apple has never agreed. Apple's Messages app is a core feature of its mobile software that encourages people to keep buying its devices, and the app's encryption of messages is also a cornerstone of the company's privacy pitch to consumers. Google's rival Android mobile operating system already lets users choose their default messaging app.
Security

Ring's Latest Security Camera Is a Drone That Flies Around Inside Your House (theverge.com)

Ring's latest home security camera is an autonomous drone, called the Always Home Cam, that can fly around inside your home to give you a perspective of any room you want when you're not home. "Once it's done flying, the Always Home Cam returns to its dock to charge its battery," reports The Verge. "It is expected to cost $249.99 when it starts shipping next year." From the report: Jamie Siminoff, Ring's founder and "chief inventor," says the idea behind the Always Home Cam is to provide multiple viewpoints throughout the home without requiring the use of multiple cameras. In an interview ahead of the announcement, he said the company has spent the past two years on focused development of the device, and that it is an "obvious product that is very hard to build." Thanks to advancements in drone technology, the company is able to make a product like this and have it work as desired.

The Always Home Cam is fully autonomous, but owners can tell it what path it can take and where it can go. When you first get the device, you build a map of your home for it to follow, which allows you to ask it for specific viewpoints such as the kitchen or bedroom. The drone can be commanded to fly on demand or programmed to fly when a disturbance is detected by a linked Ring Alarm system. The charging dock blocks the camera's view, and the camera only records when it is in flight. Ring says the drone makes an audible noise when flying so it is obvious when footage is being recorded.
Ring also rolled out new hardware for the automotive market with three different devices focused on car owners: Ring Car Alarm, Car Cam, and Car Connect.

The company also said they've added opt-in end-to-end video encryption, as well as the option to completely disable the "Neighbors" feed, which allows users to view local crime in real time and discuss it with people nearby.
Security

Foreign Hackers Cripple Texas County's Email System, Raising Election Security Concerns (propublica.org)

Last week, voters and election administrators who emailed Leanne Jackson, the clerk of rural Hamilton County in central Texas, received bureaucratic-looking replies. "Re: official precinct results," one subject line read. The text supplied passwords for an attached file. But Jackson didn't send the messages. From a report: Instead, they came from Sri Lankan and Congolese email addresses, and they cleverly hid malicious software inside a Microsoft Word attachment. By the time Jackson learned about the forgery, it was too late. Hackers continued to fire off look-alike replies. Jackson's three-person office, already grappling with the coronavirus pandemic, ground to a near standstill. "I've only sent three emails today, and they were emails I absolutely had to send," Jackson said Friday. "I'm scared to" send more, she said, for fear of spreading the malware. The previously unreported attack on Hamilton illustrates an overlooked security weakness that could hamper the November election: the vulnerability of email systems in county offices that handle the voting process from registration to casting and counting ballots. Although experts have repeatedly warned state and local officials to follow best practices for computer security, numerous smaller locales like Hamilton appear to have taken few precautionary measures.

U.S. Department of Homeland Security officials have helped local governments in recent years to bolster their infrastructure, following Russian hacking attempts during the last presidential election. But desktop computers used each day in small rural counties to send routine emails, compose official documents or analyze spreadsheets can be easier targets, in part because those jurisdictions may not have the resources or know-how to update systems or afford security professionals familiar with the latest practices. A ProPublica review of municipal government email systems in swing states found that dozens of them relied on homebrew setups or didn't follow industry standards. Those protocols include encryption to ensure email passwords are secure and measures that confirm that people sending emails are who they purport to be. At least a dozen counties in battleground states didn't use cloud-hosted email from firms like Google or Microsoft. While not a cure-all, such services improve protections against email hacks.

Security

Iranian Hackers Found Way Into Encrypted Apps, Researchers Say (nytimes.com)

An anonymous reader quotes a report from The New York Times: Iranian hackers, most likely employees or affiliates of the government, have been running a vast cyberespionage operation equipped with surveillance tools that can outsmart encrypted messaging systems -- a capability Iran was not previously known to possess, according to two digital security reports released Friday. The operation not only targets domestic dissidents, religious and ethnic minorities and antigovernment activists abroad, but can also be used to spy on the general public inside Iran, said the reports by Check Point Software Technologies, a cybersecurity technology firm, and the Miaan Group, a human rights organization that focuses on digital security in the Middle East.

The reports, which were reviewed by The New York Times in advance of their release, say that the hackers have successfully infiltrated what were thought to be secure mobile phones and computers belonging to the targets, overcoming obstacles created by encrypted applications such as Telegram and, according to Miaan, even gaining access to information on WhatsApp. Both are popular messaging tools in Iran. The hackers also have created malware disguised as Android applications, the reports said. [...] According to the report by Check Point's intelligence unit, the cyberespionage operation was set up in 2014, and its full range of capabilities went undetected for six years. Miaan traced the operation's first known attack to February 2018: a malicious email targeting a Sufi religious group in Iran after a violent confrontation between its members and Iranian security forces. It traced the malware used in that attack and in further attacks in June 2020 to a private technology firm in Iran's northeast city of Mashhad named Andromedaa. Miaan researchers determined that Andromedaa had a pattern of attacking activists, ethnic minority groups and separatist opposition groups but also had developed phishing and malware tools that could target the general public.

The hackers appeared to have a clear goal: stealing information about Iranian opposition groups in Europe and the United States and spying on Iranians who often use mobile applications to plan protests, according to the Miaan report. [...] According to Check Point, the hackers use a variety of infiltration techniques, including phishing, but the most widespread method is sending what appear to be tempting documents and applications to carefully selected targets. [...] The spyware enabled the attackers to gain access to almost any file, log clipboard data, take screenshots and steal information. According to Miaan, one application empowered hackers to download data stored on WhatsApp. In addition, the attackers discovered a weakness in the installation protocols of several encrypted applications including Telegram, which had always been deemed relatively secure, enabling them to steal the apps' installation files. These files, in turn, allow the attackers to make full use of the victims' Telegram accounts.
"Although the attackers cannot decipher the encrypted communications of Telegram, their strategy makes it unnecessary," the report adds. "Rather, they use the stolen installation files to create Telegram logins to activate the app in the victims' names on another device. This enables the attackers to secretly monitor all Telegram activity of the victims."
Crime

Encrochat Investigation Finds Corrupt Cops Leaking Information To Criminals (vice.com)

An anonymous reader quotes a report from Motherboard: After searching through some of the tens of millions of encrypted messages pulled from Encrochat devices, Dutch police have launched a new investigation team that will look specifically into corruption, the police force announced on Wednesday. In some cases authorities are looking to identify police who leaked information to organized criminals. The news broadens the scope of the Encrochat investigations, which have focused heavily on drug trafficking and organized crime more generally. Earlier this year, French authorities hacked into Encrochat phones en masse to retrieve message content, and then shared those communications with various other law enforcement agencies.

"Criminal investigations into possible corruption are currently underway and there are likely to be more in the near future. In addition to investigations into drug trafficking and money laundering, investigations into corruption are also given top priority," Chief of Police Henk van Essen said in a Politie press release.

Encrochat was an encrypted phone company that took base Android units, made physical alterations to them, and added its own software. Encrochat devices sent messages with end-to-end encryption, meaning only the intended recipient was supposed to be able to read them. The phones also had a remote wipe feature, letting users destroy communications if they lost physical control of the device, as well as a dual-boot system that let users open either an innocuous-looking operating system or a second one containing their more sensitive information. The phones were particularly popular with criminals, including drug traffickers and hitmen. There are indications Encrochat may have had legitimate users too, however. Other Encrochat customers are allegedly those involved in corruption, including police themselves, the press release suggests.

Power

GM Can Manage an EV's Batteries Wirelessly -- and Remotely (ieee.org)

An anonymous reader quotes a report: IEEE Spectrum got an exclusive look at General Motors' wireless battery management system. It's a first in any EV anywhere (not even Tesla has one). The wireless technology, created with Analog Devices, Inc., will be standard on a full range of GM EVs, with the company aiming for at least 1 million global sales by mid-decade. Those vehicles will be powered by GM's proprietary Ultium batteries, produced at a new US $2.3 billion plant in Ohio, in partnership with South Korea's LG Chem. Unlike today's battery modules, which link up to an on-board management system through a tangle of orange wiring, GM's system features RF antennas integrated on circuit boards. The antennas allow the transfer of data via a 2.4-gigahertz wireless protocol similar to Bluetooth but with lower power. Slave modules report back to an onboard master, sending measurements of cell voltages and other data. That onboard master can also talk through the cloud to GM.

The upshot is cradle-to-grave monitoring of battery health and operation, including real-time data from drivers in wildly different climates or usage cases. That all-seeing capability includes vast inventories of batteries -- even before workers install them in cars on assembly lines. GM can essentially plug-and-play battery modules for a vast range of EVs, including heavy-duty trucks and sleek performance cars, without having to redesign wiring harnesses or communications systems for each. That can help the company speed models to market and ensure the profitability that has eluded most EV makers. GM engineers and executives said they've driven the cost of Ultium batteries, with their nickel-cobalt-manganese-aluminum chemistry, below the $100 per kilowatt-hour mark -- long a Holy Grail for battery development. And GM has vowed that it will turn a profit on every Ultium-powered car it makes.
The system features end-to-end encryption and the software and battery nodes can be reprogrammed over-the-air.

"Repurposing partially spent batteries also gets easier because there's no need to overhaul the management system or fiddle with hard-to-recycle wiring," the report adds. "Wireless packs can go straight into their new roles, typically as load-balancing workhorses for the grid."
Space

Trump Administration Issues Directive Aimed At Enhancing Cybersecurity In Space (theverge.com)

An anonymous reader quotes a report from The Verge: Today, the Trump administration released its fifth Space Policy Directive, this one designed to come up with a list of best practices for the space industry on how to protect their spacecraft from cyber threats. The goal is to encourage the government and space industry to create their space vehicles with cybersecurity plans in place, incorporating tools like encryption software and other protections when designing, building, and operating their vehicles. [...] To combat these threats, Space Policy Directive 5 lays out guidelines that companies should try to adhere to as they launch satellites and other vehicles to space. The administration is recommending operators use various types of software to ensure that the data they receive from their spacecraft is encrypted. The directive also encourages companies to use trusted supply chains and oversee the safety of their ground systems -- the facilities they use to send signals and retrieve data from their spacecraft. The report also recommends protecting against jamming and spoofing of satellites. "Sometimes the jamming can be fairly crude; other cases, some of the spoofing can be fairly sophisticated if somebody's trying to get on board," one official said. "So there's a whole range of things that you need to look at kind of end-to-end."

Ultimately, the directive says that government agencies should work with commercial companies to further refine what these best cybersecurity practices should be, especially since many in the space industry already implement these strategies when building and launching vehicles. [...] SPD-5 is the latest policy directive from the Trump administration designed to shape the U.S. space agenda. Trump's first directive instructed NASA to send humans back to the Moon, while other directives have focused on coming up with a way to oversee space traffic and streamlining regulations for space licenses.

Privacy

Bridgefy, the Messenger Promoted For Mass Protests, Is a Privacy Disaster (arstechnica.com)

Bridgefy, a popular messaging app for conversing with one another when internet connections are heavily congested or completely shut down, is a privacy disaster that can allow moderately skilled hackers to take a host of nefarious actions against users, according to a paper published on Monday. The findings come after the company has for months touted the app as a safe and reliable way for activists to communicate in large gatherings. Ars Technica reports: By using Bluetooth and mesh network routing, Bridgefy lets users within a few hundred meters -- and much further as long as there are intermediary nodes -- send and receive both direct and group texts with no reliance on the Internet at all. Bridgefy cofounder and CEO Jorge Rios has said he originally envisioned the app as a way for people to communicate in rural areas or other places where Internet connections were scarce. And with the past year's upswell of large protests around the world -- often in places with hostile or authoritarian governments -- company representatives began telling journalists that the app's use of end-to-end encryption protected activists against governments and counter-protesters trying to intercept texts or shut down communications.

[R]esearchers said that the app's design for use at concerts, sports events, or during natural disasters makes it woefully unsuitable for more threatening settings such as mass protests. They wrote: "Though it is advertised as 'safe' and 'private' and its creators claimed it was secured by end-to-end encryption, none of the aforementioned use cases can be considered as taking place in adversarial environments such as situations of civil unrest where attempts to subvert the application's security are not merely possible, but to be expected, and where such attacks can have harsh consequences for its users. Despite this, the Bridgefy developers advertise the app for such scenarios and media reports suggest the application is indeed relied upon."

The researchers are: Martin R. Albrecht, Jorge Blasco, Rikke Bjerg Jensen, and Lenka Marekova from Royal Holloway, University of London. After reverse engineering the app, they devised a series of devastating attacks that allow hackers -- in many cases with only modest resources and moderate skill levels -- to take a host of nefarious actions against users. The attacks allow for: deanonymizing users; building social graphs of users' interactions, both in real time and after the fact; decrypting and reading direct messages; impersonating users to anyone else on the network; completely shutting down the network; and performing active man-in-the-middle attacks, which allow an adversary not only to read messages, but to tamper with them as well.
"The key shortcoming that makes many of these attacks possible is that Bridgefy offers no means of cryptographic authentication, which one person uses to prove she's who she claims to be," the report adds. "Instead, the app relies on a user ID that's transmitted in plaintext to identify each person. Attackers can exploit this by sniffing the ID over the air and using it to spoof another user."

The app also uses PKCS #1, an outdated way of encoding and formatting messages so that they can be encrypted with the RSA cryptographic algorithm. "This encoding method, which was deprecated in 1998, allows attackers to perform what's known as a padding oracle attack to derive contents of an encrypted message," reports Ars.
China

Did A Chinese State-Sponsored Group Breach Taiwan's Semiconductor Industry? (arstechnica.com)

At the Black Hat security conference, researchers from the Taiwanese cybersecurity firm CyCraft revealed at least seven Taiwanese chip firms have been breached over the past two years, reports Wired: The series of deep intrusions — called Operation Skeleton Key due to the attackers' use of a "skeleton key injector" technique — appeared aimed at stealing as much intellectual property as possible, including source code, software development kits, and chip designs. And while CyCraft has previously given this group of hackers the name Chimera, the company's new findings include evidence that ties them to mainland China and loosely links them to the notorious Chinese state-sponsored hacker group Winnti, also sometimes known as Barium, or Axiom. "This is very much a state-based attack trying to manipulate Taiwan's standing and power," says Chad Duffy, one of the CyCraft researchers who worked on the company's long-running investigation...

The researchers found that, in at least some cases, the hackers appeared to gain initial access to victim networks by compromising virtual private networks, though it wasn't clear if they obtained credentials for that VPN access or if they directly exploited vulnerabilities in the VPN servers. The hackers then typically used a customized version of the penetration testing tool Cobalt Strike, disguising the malware they planted by giving it the same name as a Google Chrome update file. They also used a command-and-control server hosted on Google's or Microsoft's cloud services, making its communications harder to detect as anomalous....

Perhaps the most remarkable of those new clues came from essentially hacking the hackers. CyCraft researchers observed the Chimera group exfiltrating data from a victim's network and were able to intercept an authentication token from their communications to a command-and-control server. Using that same token, CyCraft's analysts were able to browse the contents of the cloud server, which included what they describe as a "cheat sheet" for the hackers, outlining their standard operating procedure for typical intrusions. That document was notably written in simplified Chinese characters, used in mainland China but not Taiwan...

"It's possible that what they're seeing is just a small fragment of a larger picture," says the director of Kaspersky's Global Research & Analysis Team, who tells Wired the group has also attacked telecoms, tech firms, and a broad range of other Taiwanese companies.

But in the same article one of CyCraft's researchers argues the group could be looking for even more exploits. "If you have a really deep understanding of these chips at a schematic level, you can run all sorts of simulated attacks on them and find vulnerabilities before they even get released."
Bitcoin

The Quest To Liberate $300,000 of Bitcoin From an Old ZIP File (arstechnica.com)

A few quintillion possible decryption keys stand between a man and his cryptocurrency. From a report: In October, Michael Stay got a weird message on LinkedIn. A total stranger had lost access to his bitcoin private keys -- and wanted Stay's help getting his $300,000 back. It wasn't a total surprise that The Guy, as Stay calls him, had found the former Google security engineer. Nineteen years ago, Stay published a paper detailing a technique for breaking into encrypted zip files. The Guy had bought around $10,000 worth of bitcoin in January 2016, well before the boom. He had encrypted the private keys in a zip file and had forgotten the password. He was hoping Stay could help him break in. In a talk at the Defcon security conference this week, Stay details the epic attempt that ensued.

[...] "If we find the password successfully, I will thank you," The Guy wrote with a smiley face. After an initial analysis, Stay estimated that he would need to charge $100,000 to break into the file. The Guy took the deal. After all, he'd still be turning quite the profit. "It's the most fun I've had in ages. Every morning I was excited to get to work and wrestle with the problem," says Stay, who today is the chief technology officer of the blockchain software development firm Pyrofex. "The zip cipher was designed decades ago by an amateur cryptographer -- the fact that it has held up so well is remarkable." But while some zip files can be cracked easily with off-the-shelf tools, The Guy wasn't so lucky. That's partly why the work was priced so high. Newer generations of zip programs use the established and robust cryptographic standard AES, but outdated versions -- like the one used in The Guy's case -- use Zip 2.0 Legacy encryption that can often be cracked. The degree of difficulty depends on how it's implemented, though. "It's one thing to say something is broken, but actually breaking it is a whole different ball of wax," says Johns Hopkins University cryptographer Matthew Green.
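A defender-side check that fits this story, added here as an example and not code from the article or from Stay: it walks a ZIP's central directory and labels each entry as unencrypted, ZipCrypto (the Zip 2.0 Legacy cipher) or WinZip AES, so archives that rely only on the legacy scheme can be flagged before anyone trusts them with key material. The function names are mine, the header layouts follow PKWARE's APPNOTE and the WinZip AES extra-field format, and the three-entry archive is constructed inline.

```python
"""Classify the encryption scheme of each entry in a ZIP archive.

Added example, not code from the article or from Stay: it reads the central
directory and reports per entry whether it is unencrypted, ZipCrypto (the
"Zip 2.0 Legacy" stream cipher the story concerns) or WinZip AES, so archives
that only offer legacy protection can be flagged. The sample archive at the
bottom is constructed by hand for this demo.
"""
import struct

LOCAL_HEADER_SIG = 0x04034B50    # "PK\x03\x04"
CENTRAL_HEADER_SIG = 0x02014B50  # "PK\x01\x02"
EOCD_SIG = 0x06054B50            # "PK\x05\x06", end of central directory
FLAG_ENCRYPTED = 0x0001          # general-purpose bit 0
FLAG_STRONG_ENCRYPTION = 0x0040  # general-purpose bit 6 (PKWARE strong)
METHOD_AES = 99                  # WinZip AE-x stores AES as method 99
AES_EXTRA_ID = 0x9901            # WinZip AES extra-field header ID
LOCAL_FMT = "<IHHHHHIIIHH"           # 30-byte local file header
CENTRAL_FMT = "<IHHHHHHIIIHHHHHII"   # 46-byte central directory header
EOCD_FMT = "<IHHHHIIH"               # 22-byte EOCD record, no comment


def _aes_strength(extra: bytes):
    """Return 128/192/256 from a WinZip AES extra field, or None if absent."""
    pos = 0
    while pos + 4 <= len(extra):
        header_id, size = struct.unpack_from("<HH", extra, pos)
        if header_id == AES_EXTRA_ID and size >= 7:
            # vendor version (AE-1/AE-2), vendor id "AE", strength, real method
            _ver, _vendor, strength, _method = struct.unpack_from("<H2sBH", extra, pos + 4)
            return {1: 128, 2: 192, 3: 256}.get(strength)
        pos += 4 + size
    return None


def _scheme(flags: int, method: int, extra: bytes) -> str:
    """Map header fields to a human-readable encryption scheme."""
    if not flags & FLAG_ENCRYPTED:
        return "none"
    if flags & FLAG_STRONG_ENCRYPTION:
        return "PKWARE strong encryption"
    if method == METHOD_AES:
        bits = _aes_strength(extra)
        return f"AES-{bits}" if bits else "AES (unknown strength)"
    # Encrypted but neither AES nor strong encryption: the legacy cipher.
    return "ZipCrypto (legacy Zip 2.0)"


def classify_entries(data: bytes) -> list:
    """Return [(name, scheme)] for every entry in the central directory.

    The central directory is used instead of local headers because local
    headers carry zero sizes when bit 3 (data descriptor) is set.
    """
    eocd_pos = data.rfind(struct.pack("<I", EOCD_SIG))
    if eocd_pos < 0:
        raise ValueError("no end-of-central-directory record found")
    total, cd_offset = struct.unpack_from(EOCD_FMT, data, eocd_pos)[4:7:2]
    results, pos = [], cd_offset
    for _ in range(total):
        fields = struct.unpack_from(CENTRAL_FMT, data, pos)
        if fields[0] != CENTRAL_HEADER_SIG:
            raise ValueError(f"bad central directory signature at {pos}")
        flags, method = fields[3], fields[4]
        name_len, extra_len, comment_len = fields[10:13]
        name = data[pos + 46:pos + 46 + name_len].decode("utf-8", "replace")
        extra = data[pos + 46 + name_len:pos + 46 + name_len + extra_len]
        results.append((name, _scheme(flags, method, extra)))
        pos += 46 + name_len + extra_len + comment_len
    return results


def legacy_encrypted_names(data: bytes) -> list:
    """Entries protected only by ZipCrypto, i.e. the ones to re-encrypt."""
    return [n for n, s in classify_entries(data) if s.startswith("ZipCrypto")]


def _build_sample_zip() -> bytes:
    """Construct a three-entry archive: plain, ZipCrypto and AES-256.
    Payloads are dummy bytes; only the header fields matter here."""
    aes_extra = struct.pack("<HHH2sBH", AES_EXTRA_ID, 7, 2, b"AE", 3, 0)
    entries = [  # (name, flags, method, payload, extra field)
        ("readme.txt", 0, 0, b"hello", b""),
        ("wallet-legacy.txt", FLAG_ENCRYPTED, 0, b"\x00" * 12 + b"abcde", b""),
        ("wallet-aes.txt", FLAG_ENCRYPTED, METHOD_AES, b"\x00" * 32, aes_extra),
    ]
    local, central = b"", b""
    for name, flags, method, payload, extra in entries:
        nm, off, size = name.encode(), len(local), len(payload)
        local += struct.pack(LOCAL_FMT, LOCAL_HEADER_SIG, 20, flags, method,
                             0, 0, 0, size, size, len(nm), len(extra)) + nm + extra + payload
        central += struct.pack(CENTRAL_FMT, CENTRAL_HEADER_SIG, 20, 20, flags, method,
                               0, 0, 0, size, size, len(nm), len(extra), 0, 0, 0, 0, off) + nm + extra
    eocd = struct.pack(EOCD_FMT, EOCD_SIG, 0, 0, len(entries), len(entries),
                       len(central), len(local), 0)
    return local + central + eocd


SAMPLE_ZIP = _build_sample_zip()
```

Run `classify_entries` over any archive's bytes; an entry reported as ZipCrypto is protected by the same legacy cipher the story describes, whatever password was used.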

Privacy

TikTok Tracked User Data Using Tactic Banned By Google (marketwatch.com)

An anonymous reader quotes a report from MarketWatch: TikTok skirted a privacy safeguard in Google's Android operating system to collect unique identifiers from millions of mobile devices, data that allows the app to track users online without allowing them to opt out, a Wall Street Journal analysis has found. The tactic, which experts in mobile-phone security said was concealed through an unusual added layer of encryption, appears to have violated Google policies limiting how apps track people and wasn't disclosed to TikTok users. TikTok ended the practice in November, the Journal's testing showed.

The identifiers collected by TikTok, called MAC addresses, are most commonly used for advertising purposes. The White House has said it is worried that users' data could be obtained by the Chinese government and used to build detailed dossiers on individuals for blackmail or espionage. In a statement, a spokesperson said the company is "committed to protecting the privacy and safety of the TikTok community. Like our peers, we constantly update our app to keep up with evolving security challenges." The company said "the current version of TikTok does not collect MAC addresses."

Encryption

Zoom Sued By Consumer Group For Misrepresenting Its Encryption Protections (washingtonpost.com) 11

A consumer advocacy group is suing Zoom and seeking millions of dollars in damages, accusing the company of misleading its users about the strength of its encryption protections. From a report: The nonprofit group Consumer Watchdog is also accusing the videoconferencing company of deceiving users about the extent of its links with China and the fact that some calls between people in North America were routed through servers in China. That raises the danger Beijing could steal or demand access to the contents of those calls, according to a copy of the lawsuit, which was shared exclusively with The Cybersecurity 202.

Those phony claims "lull[ed] consumers and businesses into a false sense of security" and helped Zoom to soar in popularity during the early months of the pandemic, according to the lawsuit, which was filed late yesterday in Washington D.C. Superior Court. The consumer group fears that if Zoom isn't punished, other companies will be incentivized to make false claims about their security and privacy protections to attract users and stand out against competitors.

Cloud

Countering Google, Microsoft Promises Its Own Open Source Service Mesh for the CNCF (infoworld.com) 13

"As controversy rages over the governance of Google's Istio service mesh, Microsoft has seen an opportunity to offer a simple and truly open alternative," reports InfoWorld: Microsoft has announced that it will release its own open source service mesh — called Open Service Mesh (OSM) — and transfer it to the Cloud Native Computing Foundation (CNCF) as soon as possible. This sets the Redmond-based company apart from its cloud rival Google, which recently announced that its own Istio service mesh will no longer be part of the vendor-neutral CNCF and will instead sit under Google's own Open Usage Commons foundation.

The service mesh has quickly become a vital part of the modern cloud native computing stack, as it essentially enables communication, monitoring, and load balancing between disparate parts of today's microservices-based architecture. This differs from the popular container orchestration service Kubernetes in its level of granularity. When run in tandem with Kubernetes, a service mesh enables deeper security policy and encryption enforcement and automated load balancing and circuit breaking functionality...

With this launch Microsoft is not only aligning itself with the open governance side of the debate which has been raging through the open source software community for the past few months, but is also looking to solve a customer pain point.

China

China Is Now Blocking All Encrypted HTTPS Traffic That Uses TLS 1.3 and ESNI (zdnet.com) 103

China's Great Firewall "is now blocking HTTPS connections set up via the new TLS 1.3 encryption protocol and which use ESNI (Encrypted Server Name Indication)," reports ZDNet: The block has been in place for more than a week, according to a joint report authored by three organizations tracking Chinese censorship — iYouPort, the University of Maryland, and the Great Firewall Report. ZDNet also confirmed the report's findings with two additional sources — namely members of a U.S. telecommunications provider and an internet exchange point (IXP) — using instructions provided in a mailing list...

The reason for the ban is obvious for experts. HTTPS connections negotiated via TLS 1.3 and ESNI prevent third-party observers from detecting what website a user is attempting to access. This effectively blinds the Chinese government's Great Firewall surveillance tool from seeing what users are doing online.

There is a myth surrounding HTTPS connections that network observers (such as internet service providers) cannot see what users are doing. This is technically incorrect. While HTTPS connections are encrypted and prevent network observers from viewing/reading the contents of an HTTPS connection, there is a short period before HTTPS connections are established when third-parties can detect to what server the user is connecting. This is done by looking at the HTTPS connection's SNI (Server Name Indication) field.

In HTTPS connections negotiated via older versions of the TLS protocol (such as TLS 1.1 and TLS 1.2), the SNI field is visible in plaintext.

Medicine

Bill Gates Weighs In on US Pandemic Response, Encryption, and Grilling Tech Executives (arstechnica.com) 86

Bill Gates gave a wide-ranging new interview to Wired's Steven Levy (also republished at Ars Technica). The interview's first question: as a man who'd been warning about a pandemic for years, are you disappointed with the response of the United States? Bill Gates: Yeah. There's three time periods, all of which have disappointments. There is 2015 until this particular pandemic hit. If we had built up the diagnostic, therapeutic, and vaccine platforms, and if we'd done the simulations to understand what the key steps were, we'd be dramatically better off. Then there's the time period of the first few months of the pandemic, when the U.S. actually made it harder for the commercial testing companies to get their tests approved, the CDC had this very low volume test that didn't work at first, and they weren't letting people test. The travel ban came too late, and it was too narrow to do anything. Then, after the first few months, eventually we figured out about masks, and that leadership is important... [America's Centers for Disease Control and Prevention] have basically been muzzled since the beginning. We called the CDC, but they told us we had to talk to the White House a bunch of times. Now they say, "Look, we're doing a great job on testing, we don't want to talk to you." Even the simplest things, which would greatly improve this system, they feel would be admitting there is some imperfection and so they are not interested.

Wired: Do you think it's the agencies that fell down or just the leadership at the top, the White House?

Bill Gates: We can do the postmortem at some point. We still have a pandemic going on, and we should focus on that....

Wired: At this point, are you optimistic?

Bill Gates: Yes. You have to admit there's been trillions of dollars of economic damage done and a lot of debts, but the innovation pipeline on scaling up diagnostics, on new therapeutics, on vaccines is actually quite impressive. And that makes me feel like, for the rich world, we should largely be able to end this thing by the end of 2021, and for the world at large by the end of 2022. That is only because of the scale of the innovation that's taking place...

This disease, from both the animal data and the phase 1 data, seems to be very vaccine preventable.

Gates also believes the government shouldn't allow encryption to hide "lies or fraud or child pornography" on apps like Facebook Messenger or WhatsApp -- prompting the interviewer to ask whether he's talked to his friend Mark Zuckerberg about it. "After I said this publicly, he sent me mail. I like Mark, I think he's got very good values, but he and I do disagree on the trade-offs involved there..."

Gates also thought today's tech executives got off easy with five hours of testifying before a Congressional subcommittee as a group of four. "Jesus Christ, what's the Congress coming to? If you want to give a guy a hard time, give him at least a whole day that he has to sit there on the hot seat by himself! And they didn't even have to get on a plane...!"

Gates added later that "there are a lot of valid issues, and if you're super-successful, the pleasure of going in front of the Congress comes with the territory."

Encryption

Garmin Reportedly Paid Millions To Obtain Decryption Key, Resolve Recent Ransomware Attack (digitaltrends.com) 61

Garmin has reportedly paid a ransom to receive a decryption key to recover its files, after it was hit by the WastedLocker ransomware last month. Digital Trends reports: [BleepingComputer] found that the attackers used the WastedLocker Ransomware and reported that they demanded $10 million as a ransom. Now, it also uncovered that Garmin is using a decryption key to regain access to its files, suggesting that the company may have paid that ransom demand or some other amount. The WastedLocker software uses encryption which has no known weaknesses, so the assumption is that to break it, the company must have paid the attackers for the decryption key. [...] The company reassured customers that no customer data was stolen, and that no payment information from the Garmin Pay payment system was accessed or stolen either.

On Twitter, the company announced last week, "We are happy to report that many of the systems and services affected by the recent outage, including Garmin Connect, are returning to operation. Some features still have temporary limitations while all of the data is being processed."
