FBI Changes Policy for Notifying States of Election Systems Cyber Breaches (wsj.com) 21

The Federal Bureau of Investigation will notify state officials when local election systems are believed to have been breached by hackers [the link may be paywalled], a pivot in policy that comes after criticism that the FBI wasn't doing enough to inform states of election threats, WSJ reported Thursday, citing people familiar with the matter. From a report: The FBI's previous policy stated that it notified the direct victims of cyberattacks, such as the counties that own and operate election equipment, but wouldn't necessarily share that information with states. Several states and members of Congress in both parties had criticized that policy as inadequate and one that stifled state-local partnerships on improving election security. Further reading: Despite Election Security Fears, Iowa Caucuses Will Use New Smartphone App.

Google Will Wind Down Chrome Apps Starting in June (pcworld.com) 25

Google said this week that it will begin to phase out traditional Chrome apps starting in June, and winding down slowly over two years' time. Chrome extensions, though, will live on. From a report: Google said Tuesday in a blog post that it would stop accepting new Chrome apps in March. Existing apps could continue to be developed through June, 2022. The important dates start in June of this year, when Google will end support for Chrome Apps on the Windows, Mac, and Linux platforms. Education and Enterprise customers on these platforms will get a little more time to get their affairs in order, until December, 2020.Google had actually said four years ago that it would phase out Chrome apps on Windows, Mac, and Linux in 2018. The company appears to have waited longer than announced before beginning this process. The other platform that's affected by this, of course, is Google's own Chrome OS and Chromebooks, for which the apps were originally developed.
Wireless Networking

Bruce Schneier on 5G Security (schneier.com) 30

Bruce Schneier comments on the issues surrounding 5G security: [...] Keeping untrusted companies like Huawei out of Western infrastructure isn't enough to secure 5G. Neither is banning Chinese microchips, software, or programmers. Security vulnerabilities in the standards, the protocols and software for 5G, ensure that vulnerabilities will remain, regardless of who provides the hardware and software. These insecurities are a result of market forces that prioritize costs over security and of governments, including the United States, that want to preserve the option of surveillance in 5G networks. If the United States is serious about tackling the national security threats related to an insecure 5G network, it needs to rethink the extent to which it values corporate profits and government espionage over security. To be sure, there are significant security improvements in 5G over 4G in encryption, authentication, integrity protection, privacy, and network availability. But the enhancements aren't enough. The 5G security problems are threefold.

First, the standards are simply too complex to implement securely. This is true for all software, but the 5G protocols offer particular difficulties. Because of how it is designed, the system blurs the wireless portion of the network connecting phones with base stations and the core portion that routes data around the world. Additionally, much of the network is virtualized, meaning that it will rely on software running on dynamically configurable hardware. This design dramatically increases the points vulnerable to attack, as does the expected massive increase in both things connected to the network and the data flying about it. Second, there's so much backward compatibility built into the 5G network that older vulnerabilities remain. 5G is an evolution of the decade-old 4G network, and most networks will mix generations. Without the ability to do a clean break from 4G to 5G, it will simply be impossible to improve security in some areas. Attackers may be able to force 5G systems to use more vulnerable 4G protocols, for example, and 5G networks will inherit many existing problems. Third, the 5G standards committees missed many opportunities to improve security. Many of the new security features in 5G are optional, and network operators can choose not to implement them. The same happened with 4G; operators even ignored security features defined as mandatory in the standard because implementing them was expensive. But even worse, for 5G, development, performance, cost, and time to market were all prioritized over security, which was treated as an afterthought.


Proof-of-Concept Exploits Published for the Microsoft-NSA Crypto Bug (zdnet.com) 23

Security researchers have published proof-of-concept (PoC) code for exploiting a recently-patched vulnerability in the Windows operating system, a vulnerability that has been reported to Microsoft by the US National Security Agency (NSA). From a report: The bug, which some have started calling CurveBall, impacts CryptoAPI (Crypt32.dll), the component that handles cryptographic operations in the Windows OS. According to a high-level technical analysis of the bug from cyber-security researcher Tal Be'ery, "the root cause of this vulnerability is a flawed implementation of the Elliptic Curve Cryptography (ECC) within Microsoft's code." According to both the NSA, the DHS, and Microsoft, when exploited, this bug (tracked as CVE-2020-0601) can allow an attacker to: 1. Launch MitM (man-in-the-middle) attacks and intercept and fake HTTPS connections. 2.Fake signatures for files and emails.3. Fake signed-executable code launched inside Windows.

The FBI Can Unlock Florida Terrorist's iPhones Without Apple (bloomberg.com) 110

The FBI is pressing Apple to help it break into a terrorist's iPhones, but the government can hack into the devices without the technology giant, according to experts in cybersecurity and digital forensics. From a report: Investigators can exploit a range of security vulnerabilities -- available directly or through providers such as Cellebrite and Grayshift -- to break into the phones, the security experts said. Mohammed Saeed Alshamrani, the perpetrator of a Dec. 6 terrorist attack at a Navy base in Florida, had an iPhone 5 and iPhone 7, models that were first released in 2012 and 2016, respectively. Alshamrani died and the handsets were locked, leaving the FBI looking for ways to hack into the devices. "A 5 and a 7? You can absolutely get into that," said Will Strafach, a well-known iPhone hacker who now runs the security company Guardian Firewall. "I wouldn't call it child's play, but it's not super difficult." That counters the U.S. government's stance. Attorney General William Barr slammed Apple on Monday, saying the company hasn't done enough to help the FBI break into the iPhones.

"We are helping Apple all of the time on TRADE and so many other issues, and yet they refuse to unlock phones used by killers, drug dealers and other violent criminal elements," President Donald Trump wrote on Twitter Tuesday. The comments add to pressure on Apple to create special ways for the authorities to access iPhones. Apple has refused to build such backdoors, saying they would be used by bad actors, too. Indeed, Strafach and other security experts said Apple wouldn't need to create a backdoor for the FBI to access the iPhones that belonged to Alshamrani.
Further reading: The FBI Got Data From A Locked iPhone 11 Pro Max -- So Why Is It Demanding Apple Unlock Older Phones?

iPhones Can Now Be Used To Generate 2FA Security Keys For Google Accounts (9to5google.com) 4

Most modern iPhones running iOS 13 can now be used as a built-in phone security key for Google apps. 9to5Google reports: A built-in phone security key differs from the Google Prompt, though both essentially share the same UI. The latter push-based approach is found in the Google Search app and Gmail, while today's announcement is more akin to a physical USB-C/Lightning key in terms of being resistant to phishing attempts and verifying who you are. Your phone security key needs to be physically near (within Bluetooth range) the device that wants to log-in. The login prompt is not just being sent over an internet connection.

With an update to the Google Smart Lock app on iOS this week, "you can now set up your phone's built-in security key." According to one Googler today, the company is leveraging the Secure Enclave found on Apple's A-Series chips. Storing Touch ID, Face ID, and other cryptographic data, it was first introduced on the iPhone 5s, though that particular device no longer supports iOS 13. Anytime users enter a Google Account username and password, they'll be prompted to open Smart Lock on their nearby iPhone to confirm a sign-in. There's also the option to cancel with "No, it's not me." This only works when signing-in to Google with Chrome, while Bluetooth on both the desktop computer and phone needs to be enabled as the devices are locally communicating the confirmation request and verification.


Microsoft Launches Chromium Edge for Windows 7, Windows 8, Windows 10, and macOS (venturebeat.com) 57

Microsoft today launched its new Edge browser based on Google's Chromium open source project. You can download Chromium Edge now for Windows 7, Windows 8, Windows 10, and macOS directly from microsoft.com/edge in more than 90 languages. From a report: Business features aside, there's also support for Chrome-based extensions, 4K streaming, Dolby audio, inking in PDF, and privacy tools. For the last one, it's worth noting that tracking prevention is on by default and offers three levels of control, like Firefox's tracking protection. Chrome extension support is probably the most important feature for most users. By default, extensions that have been ported over to Edge can be downloaded from the Microsoft Store. Chromium Edge also has an option to "Allow extensions from other stores" to get Chrome extensions from the Chrome Web Store. There are still a few features missing from Chromium Edge, most notably history sync and extension sync. Microsoft is working on these and some other inking functionality that it still wants to port from legacy Edge, as Microsoft is calling it. Microsoft also claims that Chromium Edge is "twice as fast as legacy Edge." Curiously, the team isn't making any claims against other browsers -- at least not yet.

CNCF, Google, and HackerOne Launch Kubernetes Bug Bounty Program4

An anonymous reader quotes a report from VentureBeat: The Cloud Native Computing Foundation (CNCF) today announced it is funding a bug bounty program for Kubernetes. Security researchers who find security vulnerabilities in Kubernetes' codebase, as well as the build and release processes, will be rewarded with bounties ranging from $100 to $10,000. Bug bounty programs motivate individuals and hacker groups to not only find flaws but disclose them properly, instead of using them maliciously or selling them to parties that will. Originally designed by Google and now run by the CNCF, Kubernetes is an open source container orchestration system for automating application deployment, scaling, and management. Given the hundreds of startups and enterprises that use Kubernetes in their tech stacks, it's significantly cheaper to proactively plug security holes than to deal with the aftermath of breaches.

Microsoft Patches Major Windows 10 Vulnerability After NSA Warning (cnbc.com) 38

Microsoft on Tuesday patched an extraordinarily serious security vulnerability in a core cryptographic component present in all versions of Windows. The vulnerability was spotted and reported by the NSA. CNBC reports: The flaw affected encryption of digital signatures used to authenticate content, including software or files. If exploited, the flaw could allow criminals to send malicious content with fake signatures that make it appear safe. The finding was reported earlier by The Washington Post. It is unclear how long the NSA knew about the flaw before reporting it to Microsoft. The cooperation, however, is a departure from past interactions between the NSA and major software developers such as Microsoft. In the past, the top security agency has kept some major vulnerabilities secret in order to use them as part of the U.S. tech arsenal.

In a statement, Microsoft declined to confirm or offer further details. "We follow the principles of coordinated vulnerability disclosure as the industry best practice to protect our customers from reported security vulnerabilities. To prevent unnecessary risk to customers, security researchers and vendors do not discuss the details of reported vulnerabilities before an update is available." Jeff Jones, a senior director at Microsoft said in a statement Tuesday:"Customers who have already applied the update, or have automatic updates enabled, are already protected. As always we encourage customers to install all security updates as soon as possible." Microsoft told CNBC that it had not seen any exploitation of the flaw "in the wild," which means outside a lab testing environment.

Open Source

How Digital Sleuths Unravelled the Mystery of Iran's Plane Crash (wired.co.uk) 170

Open-source intelligence proved vital in the investigation into Ukraine Airlines flight PS752. Then Iranian officials had to admit the truth. From a report: [...] In the days after the Ukraine Airlines plane crashed into the ground outside Tehran, Bellingcat and The New York Times have blown a hole in the supposition that the downing of the aircraft was an engine failure. The pressure -- and the weight of public evidence -- compelled Iranian officials to admit overnight on January 10 that the country had shot down the plane "in error." So how do they do it? "You can think of OSINT as a puzzle. To get the complete picture, you need to find the missing pieces and put everything together," says Lorand Bodo, an OSINT analyst at Tech versus Terrorism, a campaign group. The team at Bellingcat and other open-source investigators pore over publicly available material. Thanks to our propensity to reach for our cameraphones at the sight of any newsworthy incident, video and photos are often available, posted to social media in the immediate aftermath of events. "Open source investigations essentially involve the collection, preservation, verification, and analysis of evidence that is available in the public domain to build a picture of what happened," says Yvonne McDermott Rees, a lecturer at Swansea University.

Some of the clips in this incident surfaced on Telegram, the encrypted messaging app popular in the Middle East, while others were sent directly to Bellingcat. "Because Bellingcat is known for our open source work on MH17, people immediately thought of us. People started sending us links they'd found," says Eliot Higgins of Bellingcat. "It was involuntary crowdsourcing." OSINT investigators then utilise metadata, including EXIF data -- which is automatically inserted into videos and photos, showing everything from the type of camera used to take the images to the precise latitude and longitude of where the taker was standing -- to validify that the footage is legitimate. They'll also try and identify who took the footage, and whether it's practical for them to have been where they claim to have been at the time. However, for this instance, they couldn't use EXIF data. "People would share photos and videos on Telegram which strip the metadata, and then someone else would find that and share it on Twitter," says Higgins. "We were really getting a second-hand or third-hand version of these images. All we have to go on is what's visible in the photograph." So instead they moved onto the next step.


Cookies Track You Across the Internet. Google Plans To Phase Them Out (nbcnews.com) 89

Google has announced plans to limit the ability of other companies to track people across the internet and collect information about them, a significant change that has widespread ramifications for online privacy as well as the digital economy. From a report: The company said Tuesday that it plans to phase out the use of digital tools known as tracking cookies, which other companies use to identify people online and learn more about them. The move is meant to offer users greater control over their digital footprints and enhance user privacy, according to Google. But the move could also provide Google with even greater control over the online advertising market, which the company already dominates. Google said the change will come to its Chrome web browser and be rolled out over two years. Google did not announce any changes to its own data collection methods.

Google also said that a previously announced change to make third-party cookies more secure and precise in their abilities will be rolled out in February. Justin Schuh, director of engineering for trust and safety for Google's Chrome, said the search giant needs time to enact changes because it is working with advertisers and publishers to address the need for cookies to remember sign-ins, embed third-party services such as weather widgets and deliver targeted advertising. But he did not downplay the significance of Google's announcement. "We want to change the way the web works," he said in an interview.


Google To Phase Out User-Agent Strings in Chrome (zdnet.com) 114

Google has announced plans today to phase out the usage of user-agent strings in its web browser Chrome. From a report: UA strings have been developed part of the Netscape browser in the 90s, and have been in use ever since. For decades, websites have used UA strings to fine-tune features based on a visitor's technical specifications. But now, Google says that this once-useful mechanism has become a constant source of problems, on different fronts. For starters, UA strings have been used by online advertisers as a way to track and fingerprint website visitors. "On top of those privacy issues, User-Agent sniffing is an abundant source of compatibility issues, in particular for minority browsers, resulting in browsers lying about themselves (generally or to specific sites) , and sites (including Google properties) being broken in some browsers for no good reason," said Yoav Weiss, a Google engineer working on the Chrome browser.

To address these issues, Google said it plans to phase out the importance of UA strings in Chrome by freezing the standard as a whole. Google's plan is to stop updating Chrome's UA component with new strings (the UA string text that Chrome shares with websites). The long-term plan is to unify all Chrome UA strings into generic values that don't reveal too much information about a user. This means that new Chrome browser releases on new platforms such as new smartphone models or new OS releases will use a generic UA string, rather than one that's customised for that specific platform.


Apple Responds To AG Barr Over Unlocking Pensacola Shooter's Phone: 'No.' (inputmag.com) 233

On Monday, Attorney General William Barr called on Apple to unlock the alleged phone of the Pensacola shooter -- a man who murdered three people and injured eight others on a Naval base in Florida in December. Apple has responded by essentially saying: "no." From a report: "We reject the characterization that Apple has not provided substantive assistance in the Pensacola investigation," the company said. "It was not until January 8th that we received a subpoena for information related to the second iPhone, which we responded to within hours," Apple added, countering Barr's characterization of the company being slow in its approach to the FBI's needs. However, it ends the statement in no uncertain terms: "We have always maintained there is no such thing as a backdoor just for the good guys." Despite pressure from the government, Apple has long held that giving anyone the keys to users' data or a backdoor to their phones -- even in cases where terrorism or violence was involved -- would compromise every user. The company is clearly standing by those principles.

Cryptic Rumblings Ahead of First 2020 Patch Tuesday (krebsonsecurity.com) 37

Brian Krebs: Sources tell KrebsOnSecurity that Microsoft is slated to release a software update on Tuesday to fix an extraordinarily serious security vulnerability in a core cryptographic component present in all versions of Windows. Those sources say Microsoft has quietly shipped a patch for the bug to branches of the U.S. military and to other high-value customers/targets that manage key Internet infrastructure, and that those organizations have been asked to sign agreements preventing them from disclosing details of the flaw prior to Jan. 14, the first Patch Tuesday of 2020. According to sources, the vulnerability in question resides in a Windows component known as crypt32.dll, a Windows module that Microsoft says handles "certificate and cryptographic messaging functions in the CryptoAPI." The Microsoft CryptoAPI provides services that enable developers to secure Windows-based applications using cryptography, and includes functionality for encrypting and decrypting data using digital certificates. NSA said on Tuesday that it spotted the vulnerability and reported it to Microsoft. NSA said Microsoft will report later today that it has seen no active exploitation of this vulnerability. NSA's Director of Cybersecurity, Anne Neuberger, says the critical cryptographic vulnerability resides in Windows 10 and Windows Server 2016, and that the concern about this particular flaw is that it "makes trust vulnerable."

City of Las Vegas Said It Successfully Avoided Devastating Cyberattack (zdnet.com) 20

An anonymous reader quotes a report from ZDNet: Officials from the city of Las Vegas said they narrowly avoided a major security incident that took place on Tuesday, January 7. According to a statement published by the city on Wednesday, the compromise took place on Tuesday, at 4:30 am, in the morning. The city said IT staff immediately detected the intrusion and took steps to protect impacted systems. The city responded by taking several services offline, including its public website, which is still down at the time of writing.

City officials have not disclosed any details about the nature of the incident, but local press reported that it might have involved an email delivery vector. In a subsequent statement published on Twitter on Wednesday, the city confirmed it "resumed full operations with all data systems functioning as normal." "Thanks to our software security systems and fast action by our IT staff, we were fortunate to avoid what had the potential to be a devastating situation," it said. "We do not believe any data was lost from our systems and no personal data was taken. We are unclear as to who was responsible for the compromise, but we will continue to look for potential indications," the city also added.