This week, A Crypto Flaw in Yubico Security Keys, Facebook’s Lawyers say You Have No Right to Privacy, Two Cloud Services, PCM and Attunity, Have Breaches, and Two Florida Cities Pay Over $1M in Ransomware Attacks in Less Than a Week! Jason Wood joins us for expert commentary on Trump Officials Weighing a Crackdown on End-to-End Encryption!
- Yubico Security Keys with a Crypto Flaw – Yubico is recalling a line of security keys used by the U.S. government due to a firmware flaw. YubiKey FIPS Series devices with firmware versions 4.4.2 and 4.4.4 generate cryptographic keys with reduced randomness. Keys used for ECDSA signatures are in particular danger, since 80 of the 256 bits used to generate the key remain static. The security keys in question are used daily by thousands of federal employees to log on securely to their devices by issuing one-time passwords.
- Vulnerability in Medtronic insulin pumps allows hacking of devices – Medtronic and the US government have warned that some Medtronic MiniMed insulin pumps are vulnerable to cyber attacks. The flaw, tracked as CVE-2019-10964, is an improper access control issue: an attacker with adjacent (radio-range) access to a vulnerable pump could interfere with its wireless RF (radio frequency) communications to inject, replay, modify, and/or intercept data. According to the FDA, Medtronic has identified 4,000 patients who are potentially using insulin pumps affected by the flaw. The fix is to provide affected patients with an alternative, more secure insulin pump.
- New Exploit for Microsoft Excel Power Query – The proof of concept, which achieves remote code execution, is the latest to exploit Dynamic Data Exchange (DDE) and is another reminder of why organizations must ensure their Office settings are secure. Researchers at Mimecast have developed a working proof of concept showing how attackers can use a legitimate Microsoft Excel function called Power Query, a feature that lets users connect their spreadsheets to other structured and unstructured data sources, to remotely drop and run malware on a user's system, escalate privileges, and carry out other malicious activity. For the attack to work, a threat actor would need to send a crafted Excel file to the victim via a phishing email, or use some other social engineering tactic, to get that person to open the document. At that point, the document would issue a query requesting the malicious payload hosted on a web page.
- You Have No Right to Privacy – Mark Zuckerberg declares that privacy is a core and fundamental part of Facebook’s vision, but we are now discovering that its lawyers state that Facebook users have no right to privacy. Representing Facebook before U.S. District Judge Vince Chhabria was Orin Snyder of Gibson Dunn & Crutcher, who claimed that the plaintiffs’ charges of privacy invasion were invalid because Facebook users have no expectation of privacy on Facebook. The simple act of using Facebook, Snyder claimed, negated any user’s expectation of privacy. This is why I do not use Facebook. In a related story, Italy Fines Facebook Over Cambridge Analytica Case. Italy’s data protection watchdog slammed Facebook with a fine of one million euros ($1.1 million) for violating privacy laws over the Cambridge Analytica scandal. Facebook’s controversy will continue…
- Senate Report Shows Decade-Long Failure of Gov Agencies to Protect Personal Data – And it looks like Facebook is not alone. A new report from the U.S. Senate’s Committee on Homeland Security and Governmental Affairs has revealed the decade-long failure of several important federal agencies to secure their systems and protect sensitive and personal information. According to the report, the Department of State, the Department of Transportation, the Department of Housing and Urban Development, the Department of Agriculture, the Department of Health and Human Services, the Department of Education, and the Social Security Administration all failed to ensure adequate protection for personal information. According to Rob Portman, chairman of the Permanent Subcommittee on Investigations, “After a decade of negligence, our federal agencies have failed at implementing basic cybersecurity practices, leaving classified, personal, and sensitive information unsafe and vulnerable to theft. The federal government can, and must, do a better job of shoring up our defenses against the rising cybersecurity threats.”
- Cloud computing giant PCM hacked – A hacking group has gained access to the internal infrastructure of large cloud services provider PCM. Discovered in mid-May, the intrusion saw the attackers steal administrative credentials for Office 365 accounts. After compromising a system, the group would use a custom version of Mimikatz to collect usernames and passwords from memory, targeting organizations dealing in gift cards. That information would then be used against money transfer services, payment processing services, and clearing houses to conduct gift card fraud. According to PCM, “no consumers’ personal information was accessed or acquired by an unauthorized party” and “[the] impact to its systems was limited, and the matter has been remediated.”
- Attunity data leak: Netflix, Ford, TD Bank data exposed by open AWS buckets – Attunity, a data integration and big data management firm now owned by Qlik, exposed a significant amount of sensitive data through unprotected Amazon S3 buckets. The data leak was discovered on May 13 by UpGuard. According to UpGuard, “The total size is uncertain, but the researcher downloaded a sample of about a terabyte in size, including 750 gigabytes of compressed email backups.” The cause was a misconfiguration in Amazon S3: not a new problem, but one that AWS has since added more visibility into. Yet another reason to manage your configurations, especially in the cloud.
- $1.1 million in two weeks – Florida cities pay out big to ransomware gangs – Less than a week after the city of Riviera Beach, 80 miles from Miami, unanimously voted to pay US $600,000 worth of Bitcoin to an extortionist who had locked its IT systems with ransomware, Lake City has come to the same decision. The small northern Florida city will pay US $460,000 worth of Bitcoin to hackers in order to regain control of its email systems and servers. Fortunately, insurance is expected to pay all but US $10,000. Given these recent payouts, all cities and municipalities need to be prepared to defend against such attacks, including by maintaining secure offsite backups of their systems and data.
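The kind of check that catches the bucket misconfiguration described above, as an added example that is not from the original article, UpGuard, or Attunity: it inspects a bucket ACL and a bucket policy in the shapes the S3 GetBucketAcl and GetBucketPolicy APIs return, flagging grants to AWS's predefined AllUsers/AuthenticatedUsers groups and Allow statements with an anonymous principal. The sample ACL and policy are constructed for the example; a live audit would feed in the API responses instead.

```python
import json

# AWS's predefined group URIs; a grant to either makes the bucket readable by
# anyone on the internet (AllUsers) or by any AWS account (AuthenticatedUsers).
PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

def public_acl_grants(acl):
    """(group, permission) pairs that an S3 GetBucketAcl-shaped dict hands to the
    public groups; Grantee.Type must be Group and Grantee.URI a public URI."""
    found = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GRANTEE_URIS:
            found.append((grantee["URI"].rsplit("/", 1)[-1], grant["Permission"]))
    return found

def public_policy_statements(policy_json):
    """(Sid, has_condition) for Allow statements whose Principal is "*" or {"AWS": "*"}.
    A Condition may narrow who "*" means, so it is reported rather than trusted."""
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):  # a policy may hold a single statement object
        statements = [statements]
    flagged = []
    for st in statements:
        if st.get("Effect") != "Allow":
            continue
        principal = st.get("Principal")
        aws = principal.get("AWS") if isinstance(principal, dict) else principal
        if aws == "*" or (isinstance(aws, list) and "*" in aws):
            flagged.append((st.get("Sid", "<no Sid>"), "Condition" in st))
    return flagged

# Constructed sample responses for a misconfigured bucket (not real data).
SAMPLE_ACL = {"Owner": {"ID": "example-owner"}, "Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "example-owner"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"},
]}
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "OwnerOnly", "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
     "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket"},
]})

if __name__ == "__main__":
    print("public ACL grants:", public_acl_grants(SAMPLE_ACL))               # [('AllUsers', 'READ')]
    print("anonymous statements:", public_policy_statements(SAMPLE_POLICY))  # [('PublicRead', False)]
```

An empty result from both functions is necessary but not sufficient: S3 Block Public Access settings at the bucket and account level should be confirmed as well.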
Expert Commentary – Jason Wood, Paladin Security
Last year we covered several updates on Australia’s encryption bill that was finally signed into law in early December 2018. The law enables Australian police to force technology companies to create a master key (if you will) to decrypt communications between people without anyone knowing it occurred. In response to concerns about weakening the effectiveness of encryption, there is a “safeguard” written into the law that would prevent a change being made if it created a “systemic weakness” to the encryption; whatever that means.
It appears that it is now the US’ turn to consider weakening end-to-end encryption. According to Politico, Trump officials met last week to discuss requesting legislation that prevents tech companies from using encryption that law enforcement cannot break. The debate was focused on whether to give a statement on the administration’s position on encryption or actually seek legislation from Congress.
According to Politico, the debate is largely between the DOJ/FBI and Commerce/State departments. The DOJ and FBI feel that strong encryption is a big enough threat that weakening encryption and enabling electronic crime is worth the benefits of being able to catch criminals and terrorists. The Commerce and State departments are not onboard with this idea, citing economic impacts, security, and consequences in the realm of diplomacy. The Department of Homeland Security is divided on the issue. The split there is between the Cybersecurity and Infrastructure Security Agency versus Immigration and Customs Enforcement and the Secret Service. Again, law enforcement wants to get encryption out of their way and are willing to accept the risks of enabling criminals so they can catch them easier.
Previous attempts at legislation have been squashed fairly quickly. While both the Obama and Trump administrations appear to want legislation to weaken encryption, Congress does not appear to support it at this point. In a rare occurrence, there appears to be bipartisan opposition to the idea of this type of legislation. Regardless, it appears that this idea will be getting more attention in the future.
I’ve been fairly open with my opinion on this topic in the past. I do not have confidence in encryption where there is a master key of some sort to unlock communications. Key management is already one of the more difficult parts of encryption. Any such key (or keys) would immediately become a target for attackers. Someone will inevitably make a mistake and leave keys unprotected or at least in a weakened state of protection. We already have a history in the US of government agencies collecting massive amounts of online activity. While I do not believe their intentions are to be malicious, I do believe this kind of access will increase temptations for abuse and mission creep.
Regardless, the days of strong encryption being available to the general population may be limited. The agencies and people who want the ability to unlock all encryption have not changed their mind and are continuing to push for it. With time and effort, they will attempt to chip away at these technologies to weaken them to a level they find acceptable. To prevent this, concerned individuals and companies need to be as consistent in their defense. Keep your eyes on the news, because we may be getting another push against encryption starting in the US.
Jason Wood – Founder; Primary Consultant, Paladin Security.