Juniper backdoor mystery, NSA are at least partly to blame
Last week, tech company Juniper Networks who sell corporate networking solutions, disclosed that they had discovered two unauthorised encryption backdoors in their firewalls. Encryption backdoors will immediately grab attention as one of the surveillance methods the NSA had at one point suggested as allowing them to access encrypted communications. So naturally, they were immediately implicated in this discovery. Now the dust has settled and researchers have examined Juniper’s discoveries, the evidence seems to point to an NSA tool having been customised, possibly by a third party ally such as the UK or Israel. Or more worryingly, perhaps Russia or China. The FBI are reportedly investigating.
Their method exploited a flaw in the Dual-EC algorithm, in a way which the security community warned about as far back as 2007. Those responsible for the backdoor had managed to access the source code and change one of the constants in the random number generator. This shouldn’t have been sufficient as the system was designed to then run a second generator, however a bug meant this was not taking place. The backdoors have reportedly been in place since as early as 2012 and serve to demonstrate how backdoors can be exploited should they fall into the wrong hands.
BBC website becomes first major target of new hacking group
On Christmas Eve the BBC became the latest target of hackers in what is believed to be a DDoS attack which sent its websites down for most of the morning. By lunchtime the site was operating normally again and the culprits have now come forward. Claiming to be a new hacking collective dubbed ‘New World Hacking’, the group said the attack was a test of strength and that terrorist groups such as ISIS are their main targets. They also released some details of how the attack was carried out, including the use of Amazon servers. They also claimed involvement in revealing KKK members, which has us wondering if they’re linked to Anonymous.
Steam attacked, 34,000 user details leaked
The very next day, gaming platform Steam received their own Christmas gift in the form of a DOS attack. The attack apparently caused cached pages containing personal information to be shown to other users. An estimated 34,000 users were affected and once Steam knew about the attack they took the platform down completely until it was mitigated. Steam is a constant target for attackers and admit that around 77,000 accounts are hijacked each month.
Apple speak out against proposed UK surveillance bill
Apple have formally come out in opposition to the proposed UK surveillance bill released last month. The ‘Draft Investigatory Powers Bill’ to give it its proper name, would force some UK and tech companies to remove encryption. In an eight page letter submitted at the close of the comment period Apple pointed out that any such methods to aid surveillance would automatically also aid attackers ‘The creation of backdoors and intercept capabilities would weaken the protections built into Apple products and endanger all our customers. A key left under the doormat would not just be there for the good guys. The bad guys would find it too.’ Opposition to the bill has also come from other tech giants such as Yahoo, Facebook and Microsoft, who now will have to wait to consider any amendments made to the bill.
Microsoft to inform users who become subject of state-sponsored surveillance
Customers using Microsoft’s online email and storage solutions are now to be informed if their data is accessed by any state-sponsored hackers, in a new move by Microsoft. Outlook.com and OneDrive users are already being informed if they are hacked, in efforts to help them secure their accounts. The difference now is that they will be told specifically if the attack appears to have come from a state-sponsored source. This idea is not a new one, other companies such as Google, Facebook and Twitter have been giving similar alerts since as early as 2012.
Yet more Flash patching
Yet another updated version of Flash was released a couple of weeks ago and unsurprisingly it contained a number of patches. 19 vulnerabilities were fixed in total including one which is known to already have been exploited in the wild in ‘targeted’ attacks. Users are advised to update as soon as possible or to be completely safe, discontinue the use of Flash altogether.
US Voter registration records leaked
A rather chilling revelation was made a few days ago, by security researcher Chris Vickery. In a public post, he revealed that he had been able to access millions of voter records, so many that he believed it to be the entire electoral register. He said that the insecure database was completely open, with no authorisation or password required whatsoever. To check if any sensitive professions were excluded, he even searched for several of his local police officers and found their data included. The unencrypted, 300GB data of 191 millions records remains open for all to access and the issue has been reported by Forbes. Information includes full names, addresses, dates of birth and even voting history dating back to 2000.
Dutch government says no to encryption backdoors
A position paper just released by the Dutch government may have given the strongest stance yet against the weakening of encryption, in stark contrast to proposals from other international governments. While also donating $500,000 dollars to Open SSL, the paper states that ‘the government believes that it is currently not appropriate to adopt restrictive legal measures against the development, availability and use of encryption within the Netherlands.’
The paper was released after the Paris attacks led to pressure on the government to state their position on encryption and while they admit that encryption presents an obstacle in anti-terrorism surveillance activities, they have moved forward with giving a strong position against the weakening of encryption saying ‘These are fundamental rights and freedoms; security and economic interests stand to benefit.’