IEEE Computer Society Cipher --- Items from security-related news (E144)
Summary:
The US and British governments jointly issued a warning about malware
in computer routers and firewalls. The White House has said that
there is "high confidence" that the malware is orchestrated by Russia
and is part of a long-term campaign to infiltrate the Internet
infrastructure for espionage purposes.
Summary:
A former director of the British electronic spying agency GCHQ said
that the joint warning of the US and British governments about router
malware was meant to serve as a warning to the Russians with the
message "We know where you are pre-positioned and if something
happens, we will know it is you." According to officials, the Russian
efforts have been going on for at least 20 years, so the immediate
urgency of responding to the malware is unclear. It may be a sort of
civilian cyber emergency drill. We wonder if officials will check to
see how many people actually reboot or factory reset their routers in
response to the warning.
Summary:
The alert concerns vulnerabilities present in many router
devices, including inexpensive ones used in homes or small
businesses, that are being exploited by malware. The malware seems to
have come from Russia, and it is widespread. It depends on a website
(reportedly shut down prior to this alert), and the advice includes this
statement:
"... administrators should inspect the presence of protocol 47 traffic flowing to or from unexpected addresses, or unexplained presence of GRE tunnel creation, modification, or destruction in log files."
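The two checks in that sentence can be scripted. This is an added example, not code from the alert or from any vendor: it scans constructed flow records for protocol 47 (GRE) flows whose remote end is not an approved GRE peer, and scans constructed syslog lines for GRE tunnel creation, modification or destruction. The peer list, the internal network and the log formats are assumptions.

```python
import ipaddress
import re

# Constructed sample flow records (not from the alert): proto src dst bytes
FLOW_LOG = """\
2018-04-16T10:01:02Z proto=6 src=192.0.2.10 dst=198.51.100.5 bytes=1200
2018-04-16T10:01:05Z proto=47 src=192.0.2.1 dst=203.0.113.7 bytes=5400
2018-04-16T10:01:09Z proto=47 src=192.0.2.1 dst=192.0.2.2 bytes=800
2018-04-16T10:02:11Z proto=17 src=192.0.2.10 dst=198.51.100.53 bytes=90
"""

# Constructed sample device syslog lines mentioning GRE tunnel changes.
SYSLOG = """\
Apr 16 10:01:04 gw1 config: interface gre0 created remote 203.0.113.7
Apr 16 10:01:06 gw1 kernel: eth0 link up
Apr 16 10:03:00 gw1 config: interface gre0 destroyed
"""

# Assumption: the only GRE peer this site legitimately talks to, and our own range.
EXPECTED_GRE_PEERS = {ipaddress.ip_address("192.0.2.2")}
INTERNAL_NET = ipaddress.ip_network("192.0.2.0/24")

FLOW_RE = re.compile(r"proto=(\d+) src=(\S+) dst=(\S+)")
GRE_EVENT_RE = re.compile(r"gre\d+ (created|modified|destroyed)", re.IGNORECASE)


def unexpected_gre_flows(log_text):
    """Return (timestamp, src, dst) for protocol 47 flows whose remote end
    is not an approved GRE peer. IP protocol 47 is GRE itself, so such a
    flow to an unknown address deserves an analyst's attention."""
    hits = []
    for line in log_text.splitlines():
        m = FLOW_RE.search(line)
        if not m or int(m.group(1)) != 47:
            continue
        src, dst = ipaddress.ip_address(m.group(2)), ipaddress.ip_address(m.group(3))
        # The remote end is whichever side lies outside our own network.
        remote = dst if src in INTERNAL_NET else src
        if remote not in EXPECTED_GRE_PEERS:
            hits.append((line.split()[0], str(src), str(dst)))
    return hits


def gre_tunnel_events(syslog_text):
    """Return syslog lines recording GRE tunnel creation, modification or destruction."""
    return [l for l in syslog_text.splitlines() if GRE_EVENT_RE.search(l)]


if __name__ == "__main__":
    for ts, s, d in unexpected_gre_flows(FLOW_LOG):
        print(f"ALERT unexpected GRE flow at {ts}: {s} -> {d}")
    for ev in gre_tunnel_events(SYSLOG):
        print("REVIEW", ev)
```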
Summary:
We think that this hack should win an award for cleverness. It shows
that cryptography is not worth much without a well-defined security
architecture around it. Read the article yourself to understand the
exploit in depth; what follows here is a summary and an opinion on what
is missing in the use of cryptography in user applications.
The basic idea of the exploit is to construct a multi-part MIME message with encrypted parts that are cobbled together from ordinary HTML and ciphertext that the victim had previously received. After all the processing is completed, the parts together form an HTML document. When that is presented to a browser, it may fetch data from links in the HTML document. The attacker has constructed the document so that those URL links name a website controlled by the attacker, and the remainder of the URL is the decryption of the old ciphertext. By examining the server logs, the attacker can read the decrypted text.
This problem arises because there is no clear definition of a security policy for encrypted email. In a formally specified system, encrypted data would be marked as sensitive, and it would not be used as part of unprotected communication to an untrusted website. But by blindly following the details of low-level crypto processing without considering the fact that the crypto was meant to provide confidentiality, the software engineers allowed an attacker to turn the crypto capability against the user.
Summary:
Joshua Adam Schulte worked for the CIA group that produced hacking
tools. Those tools showed up in WikiLeaks in March 2017. Did Schulte
use Tor to distribute the CIA tools to WikiLeaks? The US government
has his computers, but has not formally charged him for the leak. Did
Schulte, in an unrelated act, load child pornography onto a server?
He sits in jail on that charge. Schulte claims innocence. He was
critical of CIA management, and he was one of more than 50 people with
access to the server; those facts, he says, have led the government
to mistakenly suspect and charge him.
Summary:
Unbeknownst to most people, the location of most mobile telephones in
the US was available with little in the way of secure authentication
through the website of a company called LocationSmart. LocationSmart
seemed to have been security dumb, despite statements saying that it
took privacy and security seriously. A freely available demo on its
website allowed anyone to request location data for any phone
(apparently the user of the phone had to give permission via a text
message for each access). Location data is used by third parties: law
enforcement, companies that give mobile phones to their employees, etc.