Friday News Bites for May 18, 2018
Signal Does it Right
Matt Green, the well-known cryptographer and professor at Johns Hopkins, said this about the encrypted messaging app Signal: “After reading the code, I literally discovered a line of drool running down my face. It’s really nice.” But even nice code isn’t perfect. Last Friday, researchers announced a very serious bug in Signal’s Windows and Linux implementation, and within hours Signal had it fixed and available for download. I wish every vendor moved at this speed. Signal may not auto-update, so make sure that you download the new version [1.10.1] (Source: The Hacker News).
Google Gets It Right – Probably. Finally.
One of my big complaints about Android is the lack of consistent patching from vendor to vendor. Some vendors were even caught lying, saying that they had patched software that was not patched. Google has announced that with Android P (version 9), OEMs will be required to release regular patches as part of their license agreement. Details are not out yet, so stay tuned, but this, if it happens, will close down a major security difference between Android and iOS (Source: The Hacker News).
Facebook isn’t the Only One Selling Your Data
The big 4 cell carriers – AT&T, Verizon, T-Mobile and Sprint – and others are selling your location data to data aggregators such as LocationSmart, who in turn sell it to companies like Securus, sometimes through distributors. Securus is the company that put its head in a noose by giving location data of judges and state police officers to a sheriff without a warrant and for reasons unknown. While this data is likely only accurate to a few hundred yards because it uses cell tower data rather than GPS data, it works perfectly even if you have location tracking turned off. And, of course, everyone makes money off the deal – the carriers, the aggregators and the distributors. Sounds like a win for everyone but you and me. They say that due to what may be sloppy drafting of the Electronic Communications Privacy Act, selling this data may not be illegal. While the sheriff who used it should have had a warrant, private companies who buy the data just need to pay for it – no questions asked as to what or why (Source: ZDNET).
Securus Attacked By Hackers
Securus (as in Secure Us), the incredibly unsecure company that gave a Missouri sheriff location information on state police and judges (that we can assume he did not like) with no judicial oversight, has been hacked. We also don’t know if the attacker was somehow thinking that they deserved it.
One example of the data stolen by the hacker and given to Motherboard was a spreadsheet with names, emails, phone numbers, weakly hashed passwords and security questions for over 2,500 law enforcement customers. Assuming this data makes it to the black market, it could be used as a hit list for cops – who already are being attacked on a daily basis.
We also don’t know what else the attacker took or what he plans to do with it.
Securus, who has a track record of poor security, says they are “investigating it” (Source: Motherboard).
For the Second Time in a Week – Another Critical Signal Bug
Right after I upgraded my copy of Signal for Windows to version 1.10.1 (see the first item in this post), I noticed that it upgraded itself to 1.11.1. Yup! That means that they found another bug – a critical one – that could reveal data and even Windows passwords.
Does this mean that Signal is bad? Actually not. Think about the number of patches for Windows that Microsoft has released over the years. The number is likely in the tens of thousands. Signal has released 10. BUT, no software is perfect. Or invincible. So upgrade your copy of Signal and don’t assume that Signal is invincible. It is not. It is good, but that is different (Source: The Hacker News).