What the government should’ve learned about backdoors from the Clipper Chip

The Obama administration’s calls for backdoors echo the Clinton-era key escrow fiasco.

The MYK-78 "Clipper" chip, the 1990s version of the "golden key."

In the face of a Federal Bureau of Investigation proposal requesting backdoors into encrypted communications, a noted encryption expert urged Congress not to adopt the requirements due to technical faults in the plan. The shortcomings in question would allow anyone to easily defeat the measure with little technical effort.

Please note, the testimony referenced above was delivered on May 11, 1993. That doesn't change its applicability today: the pressure now being applied by law enforcement and intelligence officials over end-to-end encrypted communications is eerily reminiscent of the battle fought more than two decades ago.

Last week, FBI Director James Comey again pushed forward arguments for law enforcement "backdoors" into encrypted communication applications. Comey claimed that the gunmen who attempted to attack a Texas anti-Muslim cartoon event used encrypted communications several times on the day of the attack to contact an overseas individual tied to terrorism. The revelation is part of a renewed lobbying effort to get technology providers to provide what Comey once described as a "golden key" to access encrypted communications. Though the FBI director reluctantly dropped his lobbying efforts for such a backdoor this summer, the attacks in Paris and San Bernardino have raised the issue again. Even President Obama recently asked for technology companies to help give the government access to communications over messaging applications and social media.


Hacked at sea: Researchers find ships’ data recorders vulnerable to attack

Voice, data records on ship “blackboxes” easily destroyed or altered by attackers—or crew.

A voyage data recorder recovery capsule aboard a container ship. Some VDRs may be an easy target for hackers, or for crew members who don't want what they've done to be recorded. (credit: Hervé Cozanet)

When the freighter El Faro was lost in a hurricane on October 1, one of the goals of the salvage operation was to recover its voyage data recorder (VDR)—the maritime equivalent of the "black box" carried aboard airliners. The VDR, required aboard all large commercial ships (and any passenger ships over 150 gross tons), collects a wealth of data about the ship's systems as well as audio from the bridge of the ship, radio communications, radar, and navigation data. Writing its data to storage within a protective capsule with an acoustic beacon, the VDR is an essential part of investigating any incident at sea, acting as an automated version of a ship's logbook.

Sometimes, that data can be awfully inconvenient. While the data in the VDR is the property of the ship owner, it can be taken by an investigator in the event of an accident or other incident—and that may not always be in the ship owner's (or crew's) interest. The VDRs aboard the cruise ship Costa Concordia were used as evidence in the manslaughter trial of the ship's captain and other crewmembers. Likewise, that data could be valuable to others—especially if it can be tapped into live.

It turns out that some VDRs may not be very good witnesses. As a report recently published by the security firm IOActive points out, VDRs can be hacked, and their data can be stolen or destroyed.


December Patch Tuesday avalanche of patches includes leaked Xbox certificate

Microsoft drops 12 security updates, reveals Xbox Live network certificate “inadvertently disclosed”.

(credit: CyberHades)

Today, Microsoft issued three new security advisories and a dozen new patches in the company's monthly round of security updates. And one of the advisories was apparently the result of a security fumble by Microsoft's internal IT team: the inadvertent disclosure of the private key for a wildcard SSL/TLS certificate.

The certificate, issued for *.xboxlive.com, has been added to the untrusted entries of Microsoft's Certificate Trust List, but until a system receives that update the leaked key could be used in man-in-the-middle attacks that spoof any host under xboxlive.com. Microsoft isn't saying how the certificate was "inadvertently disclosed"; the wildcard certificate may well have been shared with a partner by accident. Because it is an end-entity certificate, the key cannot be used to issue other certificates or to sign code, and an attack is unlikely now that the certificate is distrusted. Systems that don't regularly receive certificate trust list updates, and clients that never check revocation at all, remain exposed.
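To make the exposure concrete, here is an added example (not code from Ars or Microsoft) of the two checks a client performs that decide whether a leaked wildcard key can impersonate a host: RFC 6125 wildcard name matching, and a lookup of the certificate's thumbprint in a local disallowed list, which is the mechanism a trust-list update feeds. The DER bytes, SAN list and thumbprints are constructed stand-ins; the real certificate's values are not on the page.

```python
"""Added example, not code from Ars or Microsoft: which hosts the holder of a
leaked *.xboxlive.com private key could impersonate, and why a client that has
pulled an updated disallowed-certificate list rejects the same certificate.

The DER bytes, SAN list and thumbprints here are constructed stand-ins; the
real certificate's values are not on the page."""
import hashlib
from typing import List, Set, Tuple


def matches_hostname(pattern: str, hostname: str) -> bool:
    """RFC 6125-style name matching: a leading '*' stands for exactly one
    whole left-most label, so *.xboxlive.com covers login.xboxlive.com but
    not xboxlive.com, a.b.xboxlive.com or login.xboxlive.com.evil.example."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if p[0] != "*":
        return p == h                     # no wildcard: exact match only
    if len(p) < 3:
        return False                      # refuse *.com style patterns
    if len(p) != len(h) or h[0] == "":
        return False                      # wildcard replaces one non-empty label
    return p[1:] == h[1:]


def thumbprint(der: bytes) -> str:
    """SHA-256 of the DER encoding: the key a disallowed-certificate list uses."""
    return hashlib.sha256(der).hexdigest()


class Certificate:
    """Only the fields the trust decision needs (constructed stand-in)."""

    def __init__(self, der: bytes, sans: List[str]) -> None:
        self.der = der
        self.sans = sans
        self.thumbprint = thumbprint(der)


def check_certificate(cert: Certificate, hostname: str,
                      disallowed: Set[str]) -> Tuple[bool, str]:
    """Client-side decision. The disallowed list is consulted before the
    name check, so a distrusted certificate fails even for names it carries."""
    if cert.thumbprint in disallowed:
        return False, "certificate thumbprint is on the disallowed list"
    if any(matches_hostname(san, hostname) for san in cert.sans):
        return True, "subject alternative name matches hostname"
    return False, "no subject alternative name matches hostname"


def spoofable_hosts(cert: Certificate, hostnames: List[str],
                    disallowed: Set[str]) -> List[str]:
    """Hosts a holder of this certificate's private key could impersonate
    against a client that uses the given disallowed list."""
    return [h for h in hostnames if check_certificate(cert, h, disallowed)[0]]


# Constructed stand-in for the leaked wildcard certificate.
LEAKED_CERT = Certificate(b"constructed DER placeholder, not the real certificate",
                          ["*.xboxlive.com"])

TARGETS = ["login.xboxlive.com", "xboxlive.com", "a.b.xboxlive.com",
           "login.xboxlive.com.evil.example", "www.microsoft.com"]


def before_and_after() -> Tuple[List[str], List[str]]:
    """Spoofable hosts for a client that never updated its trust list versus
    one that received the updated list containing the leaked thumbprint."""
    stale = spoofable_hosts(LEAKED_CERT, TARGETS, set())
    updated = spoofable_hosts(LEAKED_CERT, TARGETS, {LEAKED_CERT.thumbprint})
    return stale, updated


if __name__ == "__main__":
    stale, updated = before_and_after()
    print("stale client, spoofable:", stale)
    print("updated client, spoofable:", updated)
```

The stale client accepts the leaked certificate only for single-label hosts under xboxlive.com; the bare domain, deeper subdomains and look-alike names outside the zone are rejected by the name rules alone. The updated client rejects it for everything, which is exactly the property the trust-list update delivers, and why machines that never receive that update stay exposed.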

System administrators have a bigger headache to deal with: an update issued today for Windows DNS that patches a remote code execution vulnerability. Rated "critical" by Microsoft, the bug affects Windows Server 2008 and later. An attacker who can reach the DNS service could send a specially crafted Domain Name System request and run code on the server with the privileges of the Local System account. That is already the highest local privilege, and because Windows DNS is commonly hosted on domain controllers, a successful exploit could amount to control of the whole Active Directory domain.


At first cyber meeting, China claims OPM hack is “criminal case” [Updated]

China arrested hackers it says were responsible for OPM breach in September.

Attorney General Loretta Lynch, China's State Councilor and Minister of Public Security Guo Shengkun, and US Secretary of Homeland Security Jeh Johnson pose for a photo at the first US-China cyber coordination meeting in Washington on December 1. (credit: news.cn)

Update 12/3/15 2:15 ET: China has apparently made arrests in the case. The Washington Post reports that a group of hackers arrested by the Chinese government in September were in fact the people behind the OPM breach. The hackers were targeted based on intelligence provided by the US, and China had previously reported that Americans believed these hackers, whose identity has not been revealed, were involved in state-sponsored industrial espionage. It's not clear if the group was connected in some way to the Chinese military or had other government connections, but the arrests were made as part of the deal struck between the US and China in September. This led to President Obama dropping the threat of economic sanctions against China. (Our original story on the situation appears below.)

An official Chinese report claims that US and Chinese representatives "yielded positive outcomes" at the first meeting of a bilateral cyber security coordination group. The group was set up under the provisions of an agreement signed off on by President Barack Obama and Chinese President Xi Jinping in September. At the meeting in Washington, China acknowledged that the long-running penetration and theft of data from the systems of the Office of Personnel Management did originate from within China—but not from a state-sponsored attacker. "Through investigation, the case turned out to be a criminal case rather than a state-sponsored cyber attack as the US side has previously suspected," the report from China's Xinhuanet on the meeting claimed.

As part of the September agreement, China has pledged not to conduct economic espionage against the US. Last month, China joined the Group of 20 (the G20, a forum of the world's major economies) during the Ankara summit in pledging not to conduct any economic cyber-espionage against each other. Prior to these agreements, the Chinese leadership (and most of the other nations in the world) had not made any distinction between economic espionage and spying on other governments.


DHS to Silicon Valley: Tell us how to secure this “Internet of Things”

Agency holds “Industry day” next week to recruit help with IoT security.

The Internet of Things. A tempest in a teapot?

The US Department of Homeland Security has announced that its Silicon Valley Office (SVO)—the agency's liaison point with the technology industry—will hold an event on December 10 to kick off a recruiting drive for startups and "non-traditional small businesses" interested in latching onto government funding. The Industry Day, being held at the Menlo Park, California, offices of SRI International, will be focused on the current leading source of worry for DHS officials: the "Internet of Things" (IoT).

The DHS posting describes the three-hour event as a time to:

1) Describe the homeland security challenges associated with IoT

2) Describe the benefits of the SVO Innovation Program to startups

3) Show you how to apply for funding

And IoT is high on the DHS' funding list. Earlier this year, the agency's Science and Technology Directorate launched a Cyber Physical Systems Security (CPSSEC) program intended to spur development of security measures as part of the design process for IoT devices. In an amendment to a DHS five-year procurement program, the S&T Directorate described the crux of the problem: the "cyber physical" systems hitting the market now have largely "not been subjected to comprehensive threat analyses, have both known and unknown vulnerabilities, and lack security as an integral part of design." The more IoT devices that are deployed, the bigger the problem will be, DHS officials noted.


Report: China hacked Australia’s weather service

“Massive” breach may have exposed network connections to Defence, other agencies

The forecast: hot, with a chance of severe data breaches.

According to a government official quoted by the Australian Broadcasting Corporation, China is responsible for a breach at the Bureau of Meteorology, which may have allowed attackers to gain access to sensitive national security data. The Australian weather bureau hosts a high-performance computing center used by multiple government agencies and has network connections to Australia's Department of Defence.

The breach was described as "massive" by the unnamed government official, who told ABC News that he was certain "it was China" that breached the systems. He added that fixing the Bureau of Meteorology's network to close the holes used to gain access would cost millions of dollars.

There has been no official statement on the breach. Australia's Federal Police would not comment on the ABC report, and the government has made it a policy not to speak about specific computer security events. A spokesperson for China's Foreign Ministry has said the report contains "groundless accusations."


BlackBerry says no to Pakistani backdoor gambit

Government ordered shutdown of enterprise service unless BlackBerry gave total access.

In response to a demand for backdoor access to its enterprise messaging products, BlackBerry is completely pulling out of the Pakistan market. The announcement comes on the day a ban on providing BlackBerry Enterprise Services over mobile networks in Pakistan had originally been due to take effect.

The Pakistan Telecommunications Authority's ban on BlackBerry Enterprise Services (BES) was issued this summer, and it was planned to become effective on November 30, as Ars reported in July. "Security reasons" were cited as the cause of the ban. But just before the restriction was announced, Privacy International issued a report that warned of the Pakistani Inter-Services Intelligence (ISI) agency's efforts to gain network surveillance capabilities within the country that rival those of the National Security Agency.

While the government has pushed back the effective date of that order to December 30, BlackBerry COO Marty Beard announced today that the company would exit the Pakistani market completely rather than meet government demands for unfettered access to the service's message traffic.


How tech fails led to Air Force strike on MSF’s Kunduz hospital

Sensor and network failures put crosshairs on the wrong target.

On November 25, General John F. Campbell, the commander of US Forces in Afghanistan, announced the findings of an initial investigation into the air strike by an Air Force AC-130 gunship that hit a Médecins Sans Frontières (MSF, or Doctors Without Borders) trauma center in Kunduz, Afghanistan on October 3. The strike—in which the AC-130 attacked using its onboard cannon, killing 30 patients and members of the MSF hospital staff and injuring another 34—lasted nearly a half-hour.

Campbell called the strike "a tragic, but avoidable accident caused primarily by human error." But among the secondary factors cited in the report, he noted, there were several contributing technical failures, including a networking failure that could have provided information that would have prevented the mistaken targeting of the hospital. Furthermore, information systems available to the command responsible for the aircraft failed to alert those on duty in the operations center that the target selected by the aircraft was on a no-strike list.

Spooky action at a distance

The aircraft responsible for the errant attack on the hospital was an AC-130U "Spooky" gunship, a 20-year-old aircraft that carries a five-barreled 25 millimeter Gatling gun, a 40mm Bofors cannon, and a 105mm howitzer. The airplane is a veritable flying artillery battery that "orbits" its targets while firing upon them with high-explosive rounds. (The Air Force has also deployed the AC-130W "Stinger," a modified version of the special operations transport the MC-130W "Dragon Spear," to Afghanistan. These aircraft carry a 30mm automatic cannon and launch tubes for Griffin and Hellfire missiles and laser-guided glide bombs.)
