Good News, Bad News for Security Researchers: Feds Are Less Likely to Charge You, States Are Another Thing


A talk at a security conference in Washington offered a little long-awaited reassurance to security researchers: Federal prosecutors just aren’t that into you anymore. 

In a talk at ShmooCon Friday evening, Venable LLP cybersecurity lawyer Harley Geiger told attendees that two laws long considered harmful by information-security types have grown less toxic because of recent actions in Washington.

“The Computer Fraud and Abuse Act and the Digital Millennium Copyright Act have evolved in favor of hackers,” he said at the start of his “Hacker Law for Hackers” presentation. 

The CFAA, passed in 1986 after growing alarm over the risks of hacks (catalyzed to some degree by the 1983 classic WarGames), criminalizes access to a computer system “without authorization” or that “exceeds authorized access.” The DMCA, enacted in 1998 at the behest of Hollywood, makes it a crime to disable security measures that control access to copyrighted material. Both measures have been used to threaten and harass security researchers.

But in 2021, the Supreme Court held (PDF) that the CFAA does not cover unauthorized use of “information that is otherwise available” to a person. That essentially took terms-of-service violations out of the law’s scope. As Geiger put it, “that may be a violation of a contract, but it is not a federal hacking crime.”

In May 2022, the Justice Department went further, announcing that it would no longer prosecute good-faith security research under the CFAA. “That is a big deal,” Geiger said. 

He sounded a little less cheery about the DMCA and its Section 1201 ban on circumventing copyright-protection systems. Change has come to that statute mainly through the Library of Congress’s Copyright Office, which can grant and renew public-interest exceptions to the anti-circumvention provision every three years.

In 2021, the office renewed and expanded a “1201” exemption on breaking copyright protection for security research. It still, however, prohibits distributing those circumvention tools, which Geiger called an…

Bad News Confirmed For 1.3 Billion Apple iMessage Users


Yes, Apple’s iPhone is materially more secure than Android and yes, Apple still leads the way when it comes to your privacy. But there is a huge exception to the Cupertino giant’s security- and privacy-first approach, one that impacts a billion-plus iPhone and iPad users. And we had stark confirmation this week that Apple is stubbornly refusing to step up to the plate and fix it.

We’re talking iMessage—Apple’s ubiquitous messaging platform. We all know that texting between iPhones and Androids is a pretty awful throwback to the early days of SMS. “It’s not about the color of the bubbles,” Google says. “It’s the blurry videos, broken group chats, missing read receipts and typing indicators, no texting over Wi-Fi, and more.”

But as fun as all these features would be, there’s a much more serious issue lurking in the background. iMessage has been central to Apple’s wider security challenges over the last year. Sophisticated (read national security level) cyber attacks have been found exploiting its architecture, and Apple has hardened the platform as a result. But there’s a much bigger problem that still hasn’t been fixed.

As much as we read about nation state level attacks, these impact just handfuls of users. You might be better protected from Chinese cyber-spies, but if you reuse passwords, click on dangerous links and casually open email attachments, then you, your data, your bank balance are far more at risk.

And so it is with iMessage. While Apple has sandboxed messages, plugging high-risk gaps, its end-to-end security only protects you while you stay enclosed within its ecosystem. As soon as those blue bubbles turn green, as soon as you text someone with an Android device in their hand, all bets are off.

Until fairly recently, there was no solution to this. Google had no real alternative to iMessage. The carriers were slowly deploying SMS v2, known as RCS or Rich Communication Services, but that still relied on the archaic SMS architecture that bounced from carrier to carrier, exposing data to all along the way. Google stepped in to fix this. First by taking over responsibility for driving RCS adoption across its user base. And then,…

Hack Post-Quantum Cryptography Now So That Bad Actors Don’t Do It Later


In February, a researcher sent a shock wave through the cryptography community by claiming that an algorithm that might become a cornerstone of the next generation of internet encryption can be cracked mathematically using a single laptop. This finding may have averted a massive cybersecurity vulnerability. But it also raises concerns that new encryption methods for securing internet traffic contain other flaws that have not yet been detected. One way to build trust in these new encryption methods—and to help catch any other weaknesses before they are deployed—would be to run a public contest to incentivize more people to look for weaknesses in these new algorithms.

The new encryption algorithm that was just cracked was designed to be secure against quantum computers. A large-scale quantum computer may eventually be able to quickly break the encryption used to secure today’s internet traffic. If internet users don’t take any countermeasures, then anyone in possession of such a computer might be able to read all secure online communications—such as email, financial transactions, medical records, and trade secrets—with potentially catastrophic impacts for cybersecurity that the U.S. National Security Agency has described as “devastating to … our nation.”

One defense against this future threat is post-quantum cryptography or PQC—a set of new cryptography algorithms that are expected to resist attacks from quantum computers. Since 2015, the U.S. National Institute for Standards and Technology (NIST) has been evaluating algorithms to design a new standard for this type of cryptography, which will likely be adopted eventually by communication systems worldwide. Although quantum computers powerful enough to threaten encryption are unlikely to arrive before 2030, upgrading to PQC will take years and cost billions of dollars. The U.S. government considers the swift and comprehensive adoption of PQC across its own communication systems to be an important national security imperative: Over the past two months, the White House has issued a National Security Memorandum directing all federal agencies to begin preparing for the transition. And related bills have

Unity: IronSource malware came from “bad actors who abused the platform”


Engine provider responds to backlash over merger, says IronSource desktop business was “spun off several years ago”

Unity has responded to criticism concerning its merger with IronSource, which has been labelled a malware provider by various developers on social media.

As discussed in today’s This Week In Business, the $4.4 billion deal has sparked complaints stemming from an incident where IronSource’s first product was classified as malware.

InstallCore was an installation program for internet-based applications launched in 2010, but within a few years it had been blocked by software such as Malwarebytes, and even by Microsoft’s Windows platform, for installing unwanted programs.

The program was later discontinued, but developers have shared their frustration at Unity bringing a company associated with malware into the fold.

In a statement to GamesIndustry.biz, a Unity spokesperson assured that IronSource no longer delivers such a program.

“We are seeing developers talking negatively about IronSource’s involvement in malware campaigns or being behind malware spreading, referencing old articles about a historical desktop activity that was deprecated and spun off several years ago,” the company said.

“Like any large-scale desktop advertising platform, despite monitoring and enforcement, the desktop platform occasionally suffered from ‘bad actors’ who tried to abuse the platform.

“IronSource has long focused on developing products for mobile game and app developers and doesn’t operate any desktop software distribution platforms today.”

The merger was announced on Wednesday, and is expected to close in Q4 2022.