backdoor

Latest

  • Russia claims it can collect encryption keys

    by Jon Fingas
    08.01.2016

    Russia now requires (or at least, appears to require) that local internet providers offer backdoor access to their customers' encrypted messages, and it conveniently has a way to make that happen. Its Federal Security Service now claims that it can collect encryption keys, giving it the chance to crack communications that would otherwise remain private. In theory, this means that even locked down messaging services like Telegram or WhatsApp aren't safe from prying eyes.

  • Russia set to pass bill requiring ISPs to eavesdrop on customer data

    by David Lumb
    06.24.2016

    Most of the Russian government's attempts to wrangle the internet sound like humorous tirades -- for example, banning Wikipedia for an article on cannabis. But when they command Twitter and Facebook to store Russian users' data inside the country, we're reminded how much they want to keep tabs on their citizens and control their discourse. Yesterday, lawmakers took the first step in passing a measure into law that would require internet providers to give the government access to customer data.

  • Senate anti-encryption bill is effectively dead, for now

    by Jon Fingas
    05.28.2016

    If you were worried that a possible Senate bill requiring encryption backdoors would get enough support to become law, you can relax... for a while, at least. Reuters' government tipsters claim that the proposal, drafted by Senators Richard Burr and Dianne Feinstein, has lost most of its support. It won't be introduced this year, the insiders say, and would have no real chance even if it did go up for a vote. The White House's reluctance to back the bill (in public, anyway) is the main factor, but even the CIA and NSA were "ambivalent" knowing that it could hurt their own encryption.

  • Facebook was the victim of a backdoor hack

    by Jon Fingas
    04.23.2016

    Even a tech giant like Facebook isn't immune to significant security breaches. Devcore's Orange Tsai recently discovered that someone had installed a backdoor on one of Facebook's corporate servers (that is, not the social network itself) in a bid to swipe workers' login details. While it's not clear how successful the script-based exploit was, Tsai noted that the file transfer app hosted on the server had several vulnerabilities that effectively gave any intruder free rein. The attacker could have checked employee email, for instance, or even connected to Facebook's virtual private network to get access to the company's inner workings.

  • Lawsuit asks Justice Department to reveal decryption orders

    by Jon Fingas
    04.19.2016

    Do you want to know whether or not US officials have ever forced a company to decrypt data to aid in an investigation? So does the Electronic Frontier Foundation. The civil liberties group has sued the Department of Justice to make it reveal whether or not it has ever used secret Foreign Intelligence Surveillance Court orders to make companies decrypt communications. The EFF had used a standard Freedom of Information Act request beforehand, but didn't get anything. FISC says that what "potentially responsive" documents it found are exempt from disclosure, since they were created before the USA Freedom Act took effect.

  • Ancient apps leave 3.2 million PCs open to ransomware attacks

    by Jon Fingas
    04.16.2016

    Criminals are relying on some particularly insidious ways to spread ransomware. Cisco's Talos group has discovered that intruders are taking advantage of vulnerabilities in old versions of Follett library management software (specifically, the associated JBoss web servers) to install backdoors and slip in ransom code. The attack has 'only' put 2,100 backdoors in place, but about 3.2 million systems are known to be at risk -- many of them at grade schools. Suffice it to say that many educators don't want to pay a hefty sum just to regain access to their library data.

  • Read the full Senate bill requiring encryption backdoors

    by Jon Fingas
    04.13.2016

    If you were skeptical that politicians would be so audacious as to propose a law effectively requiring encryption backdoors... well, you just got proof. The Senate has released a finished version of Richard Burr and Dianne Feinstein's Compliance with Court Orders Act, which demands that companies either produce data in a readable format when asked or else offer whatever help they can to make that data accessible. Despite the early uproar, little has changed between the draft and the finished bill -- the only big difference is that it explains which crimes can invoke the requirement.

  • Congress to investigate US involvement in Juniper's backdoor

    by Andrew Tarantola
    01.29.2016

    Congress announced plans on Friday to investigate the backdoor recently found in Juniper Networks software and whether it was intentionally placed there for the National Security Agency's benefit. The investigation is being led by the House Committee on Oversight and Government Reform, which has already sent more than two dozen letters to various agencies asking for documentation regarding their use of Juniper's ScreenOS software. The company announced in December that ScreenOS had been compromised using a technique that has widely been attributed to the NSA.

  • NSA director: 'Encryption is foundational to the future'

    by Billy Steele
    01.22.2016

    While the US government continues to argue the pros and cons of encryption, one official is actually defending the practice. NSA director Admiral Mike Rogers said Thursday encryption is "foundational to the future," and that we're wasting our time debating its use. Rather than arguing whether or not encryption should be commonplace, Rogers suggests it's not time to sacrifice privacy for security. Instead, there has to be a solution that tackles both, which will be a lot easier said than done.

  • 16 states unveil privacy protection measures

    by Steve Dent
    01.21.2016

    While US lawmakers and Congress beg tech companies to give them encrypted user data access, many states are going in a different direction. With help from the American Civil Liberties Union (ACLU), sixteen of them including New York, Alabama, Illinois and Alaska are launching bills to protect residents' private data. The proposed laws differ from region to region, but focus on several areas. Most states want to prevent schools from gathering private student data, and Hawaii wants to ban employers from accessing workers' private social media info. Other measures are aimed at limiting "stingray" cellphone snooping and license plate data collection.

  • France doesn't think encryption backdoors are the answer

    by Billy Steele
    01.14.2016

    As the debate over whether or not government officials should have backdoor access to encrypted services rages on, one country doesn't think that's a good idea. France's deputy minister for digital affairs Axelle Lemaire rejected a proposed amendment that would require companies to enable government access. Lemaire was speaking on behalf of the French government when she called backdoors "the wrong solution."

  • Juniper will release another patch for its backdoored firewalls

    by Richard Lawler
    01.09.2016

    A couple of weeks after announcing it found "unauthorized code" in firewalls that could've let someone spy on secure VPN traffic, Juniper Networks has another update on the issue. Despite the release of a patch that it says makes the firewalls secure, Juniper will go a step further with another update that swaps out the flawed Dual_EC random number generator in the affected ScreenOS software for newer technology, which will arrive in the first half of 2016. It has also completed an investigation of the source code for that product and its newer Junos OS-powered devices, and has not found any evidence of similar code.

  • CNN: FBI is investigating the Juniper Networks security hole

    by Richard Lawler
    12.18.2015

    Yesterday's news of "unauthorized code" that could enable untraceable backdoor access to VPN traffic on certain Juniper Networks firewalls is now being investigated by the FBI. That news comes from CNN, which said that a US government official described the vulnerability as "stealing a master key to get into any government building." There's no word yet on which government agencies or private companies may have been using the specific ScreenOS-powered devices affected, but that's what the Department of Homeland Security is now trying to find out.

  • Juniper Networks finds backdoor code in its firewalls

    by Richard Lawler
    12.17.2015

    One of the reasons corporate users and the privacy-minded rely on VPNs is to control access to their networks and (hopefully) not expose secrets over insecure connections. Today Juniper Networks revealed that some of its products may not have been living up to that standard, after discovering "unauthorized code" in the software that runs on its NetScreen firewalls during a code review. Pointed out by security researcher "The Grugq," the backdoor has been present since late 2012 and can only be fixed by upgrading to a new version of software just released today.

  • Kazakhstan will require internet surveillance back doors

    by Jon Fingas
    12.05.2015

    Want to know why it's a bad idea for the government to ask for back door access to your data? Here's why. As of January 1st, Kazakhstan will require the presence of a "national security certificate" on every internet-capable device in the country. The law will let the government spy on virtually any online traffic on devices with the certificate installed, whether or not it's encrypted. Carriers will have to keep tabs on users who don't install the code, too, so you can't count on slipping under the radar.

  • BlackBerry is leaving Pakistan over demands for backdoor access

    by Jamie Rigg
    11.30.2015

    BlackBerry has announced it's formally shutting down shop in Pakistan over demands from the country's Telecommunications Authority that backdoor access be granted to the company's encrypted services. Back in July, local carriers were ordered to shut off BlackBerry Enterprise Service from the end of November, because "security reasons." While the order has been pushed back to the end of the year, Pakistan's government isn't budging, leaving BlackBerry no other option but to abandon the country. As the company explains, "remaining in Pakistan would have meant forfeiting our commitment to protect our users' privacy. That is a compromise we are not willing to make."

  • Let's have an argument about encryption

    by Violet Blue
    11.19.2015

    Government officials have been vexed for quite some time now that they can't surveil communications that use end-to-end encryption. Never mind that to crack encrypted platforms open for one spy would mean to open them up for all spies. Just being able to roll WhatsApp, Telegram and iMessage into the Pentagon's bulk surveillance programs is good enough for them, thanks. Worrying about what that might mean to the intelligence gathering capabilities of their adversaries is apparently "not in their department." After the devastating attacks in Paris last Friday, U.S. officials wasted no time in using fear to insist that messaging apps using end-to-end encryption be "backdoored" for surveillance access, and rolled into the Pentagon's bulk surveillance programs. The internet, rather than treating the officials like children who want to smash the family piggy bank to collect copper pennies, has decided to argue with them.

  • DOJ: Apple owns your iPhone's software, so it should have a backdoor

    by Roberto Baldwin
    10.23.2015

    The Department of Justice is trying to get Apple to unlock a defendant's iPhone. While Apple has stated that it can technically bypass the phone's passcode security, it has so far refused to do so for various reasons. So the DOJ has come up with a new strategy: force Apple to comply because it licenses the software on the phone. Because of that, the DOJ contends that the iPhone maker actually has a relationship with the phone that's currently evidence in a case. In a reply to Apple's response to the court order to unlock the phone, the government states, "Apple cannot reap the legal benefits of licensing its software in this manner and then later disclaim any ownership or obligation to assist law enforcement when that same software plays a critical role in thwarting execution of a search warrant." In other words, it's your software, Apple, not the defendant's, so unlock it.

  • The battle over backdoor government data access isn't over

    by Jon Fingas
    10.12.2015

    Tech companies are more than a little happy that the US won't require backdoor data access, but you might not want to join the celebrations just yet. Firms talking to Bloomberg say it's a "big win" that could help privacy, but it might not stop a cycle where tech firms like Apple and Google push for tougher data safeguards in response to stronger calls for access. Remember, the US was making similar requests with the short-lived Clipper chip 20 years ago -- it may be just a matter of time before another administration decides that its security concerns override personal privacy.

  • The US government won't force backdoor access, but still wants it

    by Daniel Cooper
    10.09.2015

    Here's some good news: the government has decided not to push for a law that would force tech companies to include backdoors in their software. The move means that your encrypted communications from services like WhatsApp and iMessage will remain unreadable to law enforcement officials. That said, it's not the win for privacy and freedom that you might hope it to be, since officials are still going to be ringing up CEOs to quell their resistance. The Washington Post quotes one spokesperson saying that the National Security Council is "actively engaged" with these firms to "ensure they understand" the risks that come from encrypted dick pics. This is probably the right time to remind everyone that, when asked, the FBI's director James Comey couldn't name a single investigation that was hindered by encrypted data.