Decades-old PGP bug allowed hackers to spoof just about anyone’s signature

For their entire existence, some of the world’s most widely used email encryption tools have been vulnerable to hacks that allowed attackers to spoof the digital signature of just about any person with a public key, a researcher said Wednesday. GnuPG, Enigmail, GPGTools, and python-gnupg have all been updated to patch the critical vulnerability. Enigmail and the Simple Password Store have also received patches for two related spoofing bugs.

Digital signatures are used to prove the source of an encrypted message, data backup, or software update. Typically, the source must use a private encryption key to cause an application to show that a message or file is signed. But a series of vulnerabilities dubbed SigSpoof makes it possible in certain cases for attackers to fake signatures with nothing more than someone’s public key or key ID, both of which are often published online. The spoofed email shown at the top of this post can’t be detected as malicious without doing forensic analysis that’s beyond the ability of many users.

Backups and software updates affected, too

The flaw, indexed as CVE-2018-12020, means that decades’ worth of email messages many people relied on for sensitive business or security matters may have in fact been spoofs. It also has the potential to affect uses that went well beyond encrypted email.


Australia Prepares Laws Forcing Tech Companies to Help Police Access Encrypted Data of Criminals

Australia is gearing up to release new laws that will force Australian telecommunications companies and global tech companies to comply with law enforcement agencies, when such agencies ask for access to encrypted data on the smartphones of suspected criminals (via ABC News Australia). The laws are the latest in an ongoing global data battle that hit a fever pitch in the United States in early 2016 when the FBI asked Apple for a backdoor into the smartphone of one of the San Bernardino shooters.

Specifics in regards to the Australian laws have not yet been shared, but they are said to affect companies like Apple, Facebook, and Google, which would face “significant fines” if they choose not to comply with encrypted data requests. Australian telecommunications companies affected under the law include Telstra and Optus.

Cyber security minister of Australia Angus Taylor was asked if the laws would allow surveillance codes to be implanted into smartphones and “avoided directly answering,” stating a lack of preparation to get into technical details.

Notably, one detail Taylor did confirm is that the government would not ask companies to install a backdoor into their apps and equipment, nor would they be asked to “provide law enforcement agencies with an encryption key.” Because of this, it’s unclear exactly how the Australian government’s demands would need to be met by companies.

“There’s been ideas around for decades that you should create some kind of key that law enforcement can get access to, to access any data at any time — that’s not what we’re proposing here,” Mr Taylor said.

“But at the same time we must ensure that law enforcement doesn’t lose access to the data and the information they need to pre-empt terror attacks and crimes, and to hold criminals and terrorists to account.”

Taylor explained that the new proposals are an update to antiquated laws in Australia: “Those laws should be extended to a situation where messages are being sent through an app, or via any other means, in ways that the current laws hadn’t anticipated,” he said. “It’s not appropriate to have a world where we can do this for analogue data, analogue communication, but we can’t do it in the digital world.”

In the United States, last month an anti-surveillance coalition, including Apple, condemned recent proposals for backdoor access into electronic devices. The coalition previously published a core principle pledging to ensure device security through strong encryption and calling on governments to avoid taking actions that would require companies to “create any security vulnerabilities in their products and services.”

The news came as law enforcement officials were said to be revisiting proposals that would require tech companies to build backdoor access into devices for better access to data in criminal investigations. Apple continued enhancing user security in the recent iOS 12 beta, where a new setting was discovered that prevents USB accessories from connecting to the iPhone when it’s been more than an hour since the device was unlocked.

Law enforcement officials use USB access to iOS devices to connect accessories like the GrayKey box, a tool that plugs into the Lightning port of an iPhone and uses the data connection in an attempt to brute force a passcode. With the new setting, an iPhone’s Lightning port data connection will not work with the GrayKey box if it’s been more than an hour since a passcode was entered, rendering it effectively useless unless used immediately after an iPhone is obtained from a suspect.

In Australia, draft legislation of the new laws will be presented “in weeks” so more details about the plans should emerge soon. Ahead of the launch, Taylor said that the government is “very sympathetic to the concerns that the tech service providers have had” in regards to forced compliance with data gathering on electronic devices.


The erosion of Web 2.0

It seems quaint to imagine now but the original vision for the web was not an information superhighway. Instead, it was a newspaper that fed us only the news we wanted. This was the central thesis brought forward in the late 1990s and prophesied by thinkers like Bill Gates – who expected a beautiful, customized “road ahead” – and Clifford Stoll who saw only snake oil. At the time, it was the most compelling use of the Internet those thinkers thought possible. This concept – that we were to be coddled by a hive brain designed to show us exactly what we needed to know when we needed to know it – continued apace until it was supplanted by the concept of User Generated Content – UGC – a related movement that tore down gatekeepers and all but destroyed propriety in the online world.

That was the arc of Web 2.0: the move from one-to-one conversations in Usenet or IRC and into the global newspaper. Further, this created a million one-to-many conversations targeted at tailor-made audiences of fans, supporters, and, more often, trolls. This change gave us what we have today: a broken prism that refracts humanity into none of the colors except black or white. UGC, that once-great idea that anyone could be as popular as a rock star, fell away to an unmonetizable free-for-all that forced brands and advertisers to rethink how they reached audiences. After all, on a UGC site it’s not a lot of fun for Procter & Gamble to have Downy Fabric Softener advertised next to someone’s racist rant against Muslims in a Starbucks.

Still the Valley took these concepts and built monetized cesspools of self-expression. Facebook, Instagram, YouTube, and Twitter are the biggest beneficiaries of outrage culture and the eyeballs brought in by its continuous refreshment feed their further growth. These sites are Web 2.0 at its darkest epitome, a quiver of arrows that strikes at our deepest, most cherished institutions and bleeds us of kindness and forethought.

So when advertisers faced either the direct monetization of random hate speech or the erosion of customer privacy, they chose the latter. Facebook created lookalike audiences that let advertisers sell to a certain subset of humanity on a deeply granular level, a move that delivered us the same shoe advertisement constantly, from site to site, until we were all sure we had gone mad. In the guise of saving our sanity further, we invited always-on microphones into our homes that could watch our listening and browsing habits and sell to us against them. We gave up our very DNA to companies like Ancestry and 23andMe, a decision that mankind may soon regret. We shared everything with everyone in the grand hope that our evolution into homo ligarus – the networked man – would lead us to become homo deus.

This didn’t happen.

And so the pendulum swings back. The GDPR, as toothless as it is, is a wake-up call to every spammer that ever slammed your email or followed you around the web. Further, Apple’s upcoming cookie control software in Safari should make those omnipresent ads disappear, forcing the advertiser to sell to an undifferentiated mob rather than a single person. This is obviously cold comfort in an era defined by both the reification of the Internet as a font for all knowledge (correct or incorrect) and the genesis of a web-based political cobra that whips back to bite its handlers with regularity. But it’s a start.

We are currently in an interstitial period of technology, a cake baked of the hearty camaraderie and “Fuck the system” punk rock of Gen X but frosted with millennial pragmatism and desire for the artisanal. As we move out of the era of UGC and Web 2.0 we will see the old ways cast aside, the old models broken, and the old invasions of privacy inverted. While I won’t go as far as to say that blockchain will save us all, pervasive encryption and full data control will pave the way toward true control of our personal lives as well as the beginnings of a research-based minimum income. We should be able to sell our opinions, our thoughts, and even our DNA to the highest bidder, and once the rapacious Web 2.0 vultures are all shooed away, we will find ourselves in an interesting new world.

As a technoutopianist I’m sure that we are heading in the right direction. We are, however, taking turns that none of us could have imagined in the era of Clinton and the fax machine, and there are still more turns to come. Luckily, however, we are coming out of our last major skid.


Photo by George Fitzmaurice on Unsplash

Telegram CEO: Apple has “prevented” app updates globally since April

Russia officially banned the secure message app Telegram in April, and now it appears the app is facing problems in other regions. According to a message posted on Telegram by the company’s CEO Pavel Durov, Apple has been “preventing” Telegram iOS app updates since April.

The version of the app currently in the App Store is two months old, and Durov claims features such as stickers will not work properly in iOS 11.4 (which was pushed out earlier this week) due to the lack of updates.

This comes after Roskomnadzor, Russia’s Federal Service for Supervision of Communications, Information Technology and Mass Media, ordered a block of the messaging app in the country in April. Russia’s Federal Security Service wanted access to Telegram’s users’ encrypted messages, saying it was necessary to monitor potential terrorists. Even after a Russian court ruled that the app should be blocked in Russian territories, Telegram refused to hand over encryption keys that would give Russian officials access to user data.


Russia Demands Apple Remove Telegram From Russian App Store

The Russian government has asked Apple to help it block Telegram, the secure messaging app that’s highly popular in the country, reports WCCFTech.

A Russian court in April ordered carriers and internet providers in the country to block Telegram, after Telegram refused to provide Russia with backdoor access to user messages.

Telegram, for those unfamiliar with the app, offers end-to-end encryption for secure messaging purposes. With end-to-end encryption, no one, not even Telegram, can access the messages that are sent between users.

Despite issuing the block order back in April, Russia has only been able to disrupt Telegram’s operations in the country by 15 to 30 percent.

Given the government’s inability to block the app, Roskomnadzor, the division of the government that controls media and telecommunications, has demanded that Apple remove the Telegram app from the Russian App Store. The group first asked Apple to remove the app in April, but is appealing to Apple again.

“In order to avoid possible action by Roskomnadzor for violations of the functioning of the above-mentioned Apple Inc. service, we ask you to inform us as soon as possible about your company’s further actions to resolve the problematic issue,” the regulator wrote.

Roskomnadzor has given Apple one month to remove the Telegram app from the App Store. Roskomnadzor’s director Alexander Zharov said he did not want to “forecast further actions” should Apple not comply with the request following the 30 day period.

The Russian government said that it needed access to Telegram to read messages and prevent future terror attacks in the country.


The Week in Internet News: The FBI Has Fewer Unopened Encrypted Devices Than Reported

Going dark with encryption: The U.S. FBI, for years now, has complained about its inability to access encrypted information held on the smartphones and other devices owned by criminal suspects. But the agency may have been overstating this so-called “going dark” problem, the Washington Post reported this week. A programming error at the FBI led the agency to report that it has seized about 7,800 mobile devices that it cannot open, but the actual number may be less than 2,000, the story says.

AI as Big Brother: Artificial intelligence is being used to track down criminals by combing through data faster than humans can, reports The Telegraph. The story features AI startup Senzing, an IBM spinoff. Meanwhile, the government of China is increasingly using AI to assist its Great Firewall program, says Internet of Business.

A bad year for security: This year is shaping up to be a terrible year for cybersecurity, due in part to poor Internet of Things security, reports Security Boulevard. In addition to the IoT concerns, 85 percent of security executives surveyed worry their countries will experience a critical infrastructure attack in the next five years.

Banking on blockchain and AI: Banks’ use of blockchain, AI, and cloud computing are supposedly challenging traditional views of risk and risk management, reports Internet of Business. A U.K. research paper suggests banks’ increasing use of cloud-based data storage and experimental applications of AI and blockchain could create new risks for them.

Fake laws: A proliferation of laws against the spreading of fake news aren’t the answer to the problem, says a column at Bloomberg.com. Social media is too valuable to leave in the hands of government, the columnist writes.

No Internet for you: The southern India state of Tamil Nadu ordered the suspension of Internet services in parts of three regions to “prevent spread of rumors through social media and help bring public tranquility,” reports the Times of India. The government blamed social media for violence during a massive protest against a copper plant.

Read the Internet Society’s Artificial Intelligence and Machine Learning policy paper and explore how it might impact the Internet’s future.

The post The Week in Internet News: The FBI Has Fewer Unopened Encrypted Devices Than Reported appeared first on Internet Society.

FBI reportedly overestimated inaccessible encrypted phones by thousands

The FBI seems to have been caught fibbing again on the topic of encrypted phones. FBI director Christopher Wray estimated in December that it had almost 7,800 phones from 2017 alone that investigators were unable to access. The real number is likely less than a quarter of that, The Washington Post reports.

Internal records cited by sources put the actual number of encrypted phones at perhaps 1,200, but possibly as many as 2,000, and the FBI told the paper in a statement that “initial assessment is that programming errors resulted in significant over-counting of mobile devices reported.” Supposedly, having three databases tracking the phones led to devices being counted multiple times.

Such a mistake would be so elementary that it’s hard to conceive of how it would be possible. These aren’t court notes, memos or unimportant random pieces of evidence, they’re physical devices with serial numbers and names attached. The idea that no one thought to check for duplicates before giving a number to the director for testimony in Congress suggests either conspiracy or gross incompetence.

The latter seems more likely after a report by the Office of the Inspector General that found the FBI had failed to utilize its own resources to access locked phones, instead suing Apple and then hastily withdrawing the case when its basis (a locked phone from a terror attack) was removed. It seems to have chosen to downplay or ignore its own capabilities in order to pursue the narrative that widespread encryption is dangerous without a backdoor for law enforcement.

An audit is underway at the Bureau to figure out just how many phones it actually has that it can’t access, and hopefully how this all happened.

It is unmistakably among the FBI’s goals to emphasize the problem of devices being fully encrypted and inaccessible to authorities, a trend known as “going dark.” That much it has said publicly, and it is a serious problem for law enforcement. But it seems equally unmistakable that the Bureau is happy to be sloppy, deceptive or both in its advancement of a tailored narrative.

The Week in Internet News: Email Encryption Has Efail Moment

Encryption fails: A couple of stories in the news this past week demonstrated problems with encryption, or at least, problems with the deployment of encryption. One researcher demonstrated an exploitable loophole he called Efail in the PGP/GPG and S/MIME software used by email clients, reports Engadget. Efail abuses the active content of HTML emails to access plain text. In addition, a malware called Telegrab is targeting the encrypted Telegram messaging service. Telegrab steals encryption keys and cache data from Telegram running on the desktop, Tom’s Hardware says.

Artificial investment: The Chinese city of Tianjin is getting serious about funding artificial intelligence projects, with an investment of about US$16 billion, reports Reuters via the Straits Times. Yes, that’s billion with a “b.” It’s part of a Chinese push to be the leading nation in AI development.

AI knows nudes: In other AI news, Facebook has released stats on the numbers of hate speech posts and posts containing nudity that its technology removed in the first quarter of 2018. In short, the social media provider’s AI is much better at flagging nudity than hate speech, reports CNBC. About 60 percent of hate speech taken down on Facebook required human intervention.

DNS attacks on the rise: The cost and number of DNS-based attacks are both rising at a significant rate, according to DarkReading.com. The average cost of a DNS attack has risen to US$715,000, a 57 percent increase from 2017. Organizations surveyed faced an average of seven DNS attacks in the previous year.

NIST eyes IoT security: The U.S. National Institute of Standards and Technology has started down the road toward defining Internet of Things encryption standards, reports GCN.com. The agency is seeking comments on the best way to evaluate new encryption standards for small computing devices.

Blockchain goes to the weeds: Blockchain payments platform Alt Thirty Six wants to help the fledgling cannabis industry in the United States process electronic payments. The company thinks it can help marijuana retailers accept payments when many banks have refused to do business with them, Forbes says.

A tiny, little blockchain in your phone: HTC is planning to sell a blockchain-enabled smartphone that would feature a built-in cryptocurrency wallet, reports Alphr.com. The Android device would come with a universal wallet and hardware support for major cryptocurrencies, including Bitcoin.

The future of IoT is one of possibility, but only if we secure it. Here’s what you can do.

The post The Week in Internet News: Email Encryption Has Efail Moment appeared first on Internet Society.