Security News for the Week Ending March 12, 2021
Encrypted Phone Firm Sky ECC “Hacked” by Police
Police have arrested 48 people and confiscated 14 tons of Cocaine and over a million Euros, after decrypting a half billion messages and listening in on the bad guys for several weeks. The phone company said that they don’t think the encryption was cracked, but rather, they think the police seeded a bunch of phones with a fake version of the app which had a back door and then sold the phones as secure. Once they were able to seed these phones into the criminals hands, it was easy (relatively) to decrypt the messages. I don’t have any sympathy for the crooks and very clever on the part of the police. Credit: Vice
FBI Warns of Far-Right Extremists Infiltrating Law Enforcement
The FBI issued a private warning that far right extremists including neo-Nazis are infiltrating law enforcement agencies and even the military in Texas and around the nation. They are doing this for two reasons. One is to find out what intelligence has been gathered on their organizations and second to learn techniques and practices (tradecraft) to use against the police and military if they need to. Evidence that this can be seen by the arrests of law enforcement officers for participating in the Capitol insurrection in January. Credit: Dailykos
UK Proposes Law to let Police Hoover Up Your Phone – If They Ask Nicely
A new UK bill was introduce that would allow the police and others to vacuum up all the data in your phone if you hand it over voluntarily. This comes after a year when the police were accused of vacuuming up too much data from phones which were handed over. People who do let the police extract everything from their phones are given no protections whatsoever. The data can be kept for up to 100 years. They will also introduce a “code of practice”, which while legally binding, is much less binding than a law. Victims of rape are being told that the cops will not proceed with prosecuting the criminals if the victim doesn’t consent to a “digital strip search” . Interesting definition of voluntary. Credit: The Register
Microsoft Removes Proof Of Concept Attack Code Against Microsoft Product from Github
Researchers often share so-called proof of concept code for exploiting bugs. In this case, the code showed how to exploit Microsoft Exchange and Microsoft decided to remove it from GitHub, the public code repository. Surprisingly, Microsoft owns Github and Microsoft has never removed any other Proof of Concept code from GitHub before. The removal is stupid and ham-handed because the code is available at a dozen other repositories anyway and it makes Microsoft look like they are trying to protect their own ass. They said that while they had patched the 10+ year old bugs, finally, the patches had not been out long enough. That might make sense if the code wasn’t available at a lot of other places. Credit: The Register
AMCA Settle Breach Lawsuit with State AGs for $21 Million
Medical debt collection agency AMCA settled a multi-state lawsuit filed by multiple Attorneys General for $21 million, but since they are in bankruptcy, the fine is suspended. They filed for bankruptcy after the breach. They said they spent $4 million as a result of the breach and had to take out a $2.5 million loan from their CEO to pay for that. I gather from this that they had no insurance (really?). In the mean time, there are numerous other lawsuits, so this is far from over. Credit: Cyberscoop and HIPAA Journal