Tag Archive for: proves

Russia Hack Proves Privacy Hawks Weren’t Chicken Littles


Bob Barr | Posted: Dec 30, 2020 12:01 AM

The opinions expressed by columnists are their own and do not necessarily represent the views of Townhall.com.

The recent revelation of a historic hacking attack on U.S. businesses and government targets has put America’s national security apparatus in a conundrum. On one hand, the scale of the likely Russian-sponsored attack is an excellent cudgel with which to press Congress for more power and money to fund secretive — and constitutionally problematic — national security programs. On the other, it proves that privacy hawks have been rightfully concerned about the state of America’s data security.

Earlier this month, reports surfaced that a major IT security company, SolarWinds, was hacked and its software corrupted to include a “back door” easily exploited by other hackers. This corrupt software was then unknowingly pushed by way of an “update” to an estimated 18,000 customers – including numerous Fortune 500 companies and several government agencies – which left the back door wide open to hackers for months before it was discovered. Experts suggest we may never know the full scale of this attack, or the degree to which it imperils America’s national security.

That the hack involved a malicious back door is an irony not lost on privacy hawks, who have for years warned against federal agencies (especially the ultra-secret National Security Agency) having the power to force private software providers, smartphone manufacturers, and social media giants to build back doors that allow surreptitious government access to users of their products and to their companies’ databases. The resulting compromised security has been as regrettable as it was predictable.

In 2015, for example, the Chinese government is suspected of hacking into the NSA itself, via an encryption back door the agency demanded of a major cybersecurity company. Even earlier than that, the NSA was involved in developing one of the most effective hacks of Microsoft systems, only to have this tool stolen by hackers and released to the public, where it is now accessible by criminals, foreign governments, and all manner of non-state actors.


Twitter transgression proves why its flawed 2FA system is such a privacy trap

Image: cartoon of a sperm whale being held aloft by balloons (credit: Twitter).

If ever there was a surefire way to sour users against a two-factor authentication system that was already highly flawed, Twitter has found it. On Tuesday, the social media site said that it used phone numbers and email addresses provided for 2FA protection to tailor ads to users.

Twitter requires users to provide a valid phone number to be eligible for 2FA protection. A working cell phone number is mandatory even when users’ 2FA protection is based solely on security keys or authenticator apps, which don’t rely on phone numbers to work. Deleting a phone number from a user’s Twitter settings immediately withdraws the account from Twitter 2FA, as I confirmed just prior to publishing this post.

Security and privacy advocates have long grumbled about this requirement, which isn’t a condition of using 2FA protection from Google, GitHub, and other top-ranked sites. On Tuesday, Twitter gave critics a new reason to complain. The site said it may have inadvertently used email addresses and phone numbers provided for 2FA and other security purposes to match users to marketing lists provided by advertisers. Twitter didn’t say whether the number of users affected by the blunder was in the hundreds or the millions, or how long the improper targeting lasted.


Biz & IT – Ars Technica

Office 365 proves popular with phishers

With 180 million active users it’s no wonder that Microsoft Office 365 has caught the attention of online criminals.

Read more in my article on the Bitdefender Business Insights blog.

Graham Cluley

The Ultimate Bad Take: Bloomberg’s Leonid Bershidsky Thinks A WhatsApp Vulnerability Proves End To End Encryption Is Useless

Bloomberg has really been on a roll lately with getting security stories hellishly wrong. Last fall it was its big story claiming that there was a supply chain hack that resulted in hacked Supermicro chips being used by Amazon and Apple. That story has been almost entirely debunked, though Bloomberg still has not retracted the original. Then, just a few weeks ago, it flubbed another story, claiming that the presence (years ago) of telnet in some Huawei equipment was a nefarious backdoor, rather than a now obsolete but previously fairly common setup on lots of equipment for remote diagnostics and access.

The latest is an opinion piece, rather than reporting, but it’s still really bad. Following yesterday’s big revelation that a serious security vulnerability was discovered in WhatsApp, opinion columnist Leonid Bershidsky declared it evidence that end-to-end encryption is pointless. This is, to put it mildly, a really, really bad take. The whole article is a confused jumble of mostly nonsense, mixed with stuff that was already widely known and irrelevant:

The discovery that hackers could snoop on WhatsApp should alert users of supposedly secure messaging apps to an uncomfortable truth: “End-to-end encryption” sounds nice — but if anyone can get into your phone’s operating system, they will be able to read your messages without having to decrypt them.

Um. Duh? The whole point of end-to-end encryption is that it protects messages in transit, not at rest. That’s the whole “end-to-end” bit: at the ends, the message is decrypted. You can also encrypt content on a device — this is what the FBI is so annoyed about regarding Apple’s iPhone encryption — but to argue that end-to-end encryption is pointless because it doesn’t do what it was never supposed to do in the first place is crazy.

It gets worse:

“End-to-end encryption” is a marketing device used by companies such as Facebook to lull consumers wary about cyber-surveillance into a false sense of security.

It is true that some people confuse “end-to-end encryption” with perfect security, which it is not. But it is simply wrong (laughably so) to say that it’s merely a “marketing device.” In actuality, end-to-end encryption is a hugely important part of what keeps your data protected when you communicate online. It provides real security for the conditions it’s designed to provide security for — and not other conditions, such as the one the hack takes advantage of.

Bershidsky complaining about on-device malware reading your WhatsApp messages as being evidence that end-to-end encryption is pointless is like arguing that you should never wear seatbelts because they won’t protect you if you drive off a cliff. Seatbelts protect you in lots of common scenarios, but might not protect you in extreme scenarios like driving off a cliff. And end-to-end encryption protects you in lots of messaging scenarios, but won’t protect you if someone can install something directly on your device.

The tug of war between tech firms touting end-to-end encryption as a way to avoid government snooping and state agencies protesting its use is a smokescreen. Government and private hackers are working feverishly on new methods to deploy malware with operating system-wide privileges.

It’s not a “smokescreen.” It’s dealing with one type of attack. It’s bizarre to suggest that end-to-end encryption is useless because there are some advanced ways that people can get around it, ignoring all the other ways that it helps protect most people. End-to-end encryption does much more to protect tons of people, and saying that we can ignore it just because it doesn’t stop all attacks is really dangerous.

Bloomberg should be ashamed to be publishing such dangerous nonsense. It is the equivalent of anti-vax nonsense, telling people not to protect themselves.


Techdirt.