Archive for January 14, 2020

The Latest Apple v. FBI Fight Shows That We Need A Middle Ground For Situations Like This

Posted in Commentary on January 14, 2020 by itnerd

Yesterday a story hit the news that the FBI, via US Attorney General William Barr, is demanding Apple’s help to unlock the phone of a Saudi citizen who carried out a deadly shooting last month at a naval air station in Pensacola, Fla. that killed three and wounded eight.

“This situation perfectly illustrates why it is critical that the public be able to get access to digital evidence,” Mr. Barr said. He called on technology companies to find a solution and complained that Apple had provided no “substantive assistance,” a charge that the company strongly denied on Monday night, saying it had been working with the F.B.I. since the day of the shooting.

Here’s what Apple said in response:

In a statement Monday night, Apple said the substantive aid it had provided law enforcement agencies included giving investigators access to the gunman’s iCloud account and transaction data for multiple accounts.

The company’s statement did not say whether Apple engineers would help the government get into the phones themselves. It said that “Americans do not have to choose between weakening encryption and solving investigations” because there are now so many ways for the government to obtain data from Apple’s devices — many of which Apple routinely helps the government execute.

So it seems we are headed towards another FBI v. Apple fight. But let’s be clear: what this is really about is ensuring that the FBI, or any other law enforcement agency or government, can access any smartphone for any reason, any time they want. While I understand that the FBI among others wants to protect people from any threat that exists, I don’t believe that gives them the right to say that the rights of citizens get overridden because of it. I say that because if you look at Attorney General Barr’s statement, he wants technology companies to “find a solution” that lets him and those under him get whatever they want at will. And it’s safe to say that they want backdoors into iOS, Android, or whatever OS they see fit, backdoors that get them past whatever security or encryption the device in question has. Giving any government a backdoor into any OS is a bad idea, as governments have pretty poor track records of keeping things like that out of the wrong hands. Which means that when the backdoor leaks, we’re all screwed. This is on top of the potential privacy issues that could be at play.

So here’s my ask of everyone involved: tech companies and governments need to find some sort of middle ground for situations like this, one where the needs of both sides are represented and nobody, especially you and I, loses. Having each of them at their respective extreme ends of the spectrum isn’t working for either party, and as a result this fight will simply keep going on and on with no real resolution. Or worse yet, a government will simply take some draconian action to get what it wants and inadvertently harm its own citizens. Neither of those is a desirable outcome.


Today Is One Patch Tuesday That You May Want To Take Seriously… Microsoft May Be About To Patch A Serious Flaw In Windows [UPDATED]

Posted in Commentary on January 14, 2020 by itnerd

To be honest, every Patch Tuesday should be taken seriously, as the bugs fixed on Patch Tuesday are usually being exploited by hackers 24 hours later, with the targets being those who have not yet updated. Having said that, today’s Patch Tuesday may be more important than usual because of this discovery by Brian Krebs:

Sources tell KrebsOnSecurity that Microsoft Corp. is slated to release a software update on Tuesday to fix an extraordinarily serious security vulnerability in a core cryptographic component present in all versions of Windows. Those sources say Microsoft has quietly shipped a patch for the bug to branches of the U.S. military and to other high-value customers/targets that manage key Internet infrastructure, and that those organizations have been asked to sign agreements preventing them from disclosing details of the flaw prior to Jan. 14, the first Patch Tuesday of 2020.

According to sources, the vulnerability in question resides in a Windows component known as crypt32.dll, a Windows module that Microsoft says handles “certificate and cryptographic messaging functions in the CryptoAPI.” The Microsoft CryptoAPI provides services that enable developers to secure Windows-based applications using cryptography, and includes functionality for encrypting and decrypting data using digital certificates.

A critical vulnerability in this Windows component could have wide-ranging security implications for a number of important Windows functions, including authentication on Windows desktops and servers, the protection of sensitive data handled by Microsoft’s Internet Explorer/Edge browsers, as well as a number of third-party applications and tools.

If this is true, it is a big deal and you should patch all the things the second this fix becomes available, because based on the above description any exploit that leverages this flaw will be serious and highly damaging. That’s assuming exploits aren’t already out there. I’ll update this post as soon as I get more info on this.

UPDATE: This is likely the first of many updates on this story. The NSA just held a press briefing and, according to the Washington Post, confirmed that it found a flaw matching the description Brian Krebs reported and alerted Microsoft. That’s a major shift for the NSA, as it tends not to report such flaws and instead weaponizes them. That officially makes this a big deal, and you should patch all your Windows computers the second the fix becomes available.

UPDATE #2: I posted this Tweet with a link to the Microsoft write up about this issue a few minutes ago:

But as informational as that is, what you actually want to read is the CERT document on this. I had a look and this bug is incredibly bad. This summary has all you need to know:

The Microsoft Windows CryptoAPI fails to properly validate certificates that use Elliptic Curve Cryptography (ECC), which may allow an attacker to spoof the validity of certificate chains.

In plain English, that means an attacker can present a forged certificate that Windows will accept as genuine, and use it to look at data that should be encrypted at all times. Thus I will reiterate what I said earlier in this post: as soon as the patch comes out, patch all the things.