Security News for the Week Ending September 10, 2021
Signal Provides Customer IP Address to Swiss Police
While police all over the world complain about the universe going dark on them, that is only true to an extent. Proton maintains no logs, but they can capture data in real time. In this case they received an order from the Swiss Federal Department of Justice, which they complied with. I don’t have a lot of heartburn over this. If people break the law they should assume that cloud providers will not ignore that fact and pretend everything is okay. Note that they cannot provide any content in this case, so really it is a person’s IP address that was exposed. Smart crooks might access their mail via changing VPNs or Tor, but apparently, in this case, they were not smart enough to do that. One positive thing is that the suspects were required to be notified of the data being turned over, unlike in most countries. Credit: Proton Reddit
McDonalds in El Salvador (and Everyone Else) Now Accept Bitcoin
El Salvador’s Bitcoin law went into effect this week, requiring all businesses and government agencies to accept Bitcoin. Of course everyone needs to figure out how to do that. For large companies that can afford to spend millions, that can be done, even if it is clunky. For small business, that is a different story. That doesn’t protect any company from the huge swings in Bitcoin price. In one direction, the company is okay; in the other, not so much. We shall see if this is a trend, but I doubt it. Tesla was accepting Bitcoin for cars, but stopped after realizing that they might sell a car for $30,000 but only recover $20,000 when they cashed in the Bitcoin. Credit: Vice
Corporate Execs Fear That SEC Investigation Will Uncover Other Breaches They “Forgot” to Report
As the SEC investigates the reach of the SolarWinds attack, it is asking companies to turn over “any other” data breach or ransomware attack information since the start of the SolarWinds attack in 2019. This will likely turn over rocks that companies would prefer remain right side up. Companies could lie and say they don’t have anything, but if a whistleblower informs the SEC of the truth, or the SEC figures out the truth by itself, now companies have really big problems. A consultant working with some of these companies says that “most” companies have had unreported breaches and they don’t know how the SEC might deal with that. The SEC said that companies would not be penalized if they shared data about the SolarWinds attack voluntarily, but they didn’t say they would give companies amnesty for other breaches that they should have reported. Credit: Reuters
WhatsApp Promises End to End Encrypted Backups on iCloud
Apple’s backups on iCloud are readable by Apple and that fact has allowed Apple to turn over data to police and was the core of the Apple spying service that they recently postposed. Facebook (WhatsApp) says that they are about to roll out end to end encrypted WhatsApp backups to iCloud for iPhone users and Google Drive for Android users. Assuming they are correct, this is the first time that someone offered fully encrypted backups for two billion users. Credit: The Register