IEEE Cipher --- Items from security-related news (E153)






    User Data, User Privacy: A Framework from NIST
  • NIST Releases Version 1.0 of Privacy Framework
    Tool will help optimize beneficial uses of data while protecting individual privacy.
    January 16, 2020
    Summary:

    Organizations that handle user data can rely on a new document that lays out the principles of collecting and protecting that data. The newly released document is here: NIST's Privacy Framework V1.0


    Phone Lock Wars Resume
  • This Apple-FBI Fight Is Different From the Last One
    In 2016 the iPhone encryption debate ended in a draw. Don't count on 2020's scuffle over the Pensacola shooter's devices to play out the same way.
    Wired
    01.16.2020
    By Lily Hay Newman
    Summary:

    When the perpetrator of a mass shooting leaves behind an iPhone, the tensions over digital privacy escalate in the aftermath. In the case of the Pensacola shooter, the US government has resumed an argument that it largely lost after the San Bernardino killings. The Department of Justice wants Apple to unlock a phone, but Apple does not have a "backdoor" that allows it. Apple might be able to develop a special operating system and convince the phone to install it, but Apple says that is a dangerous path that could undermine the security of all its phones. In the meantime, private security firms have exploits that will break the security of any iPhone. Indeed, a privately developed hacking method was what the FBI used on the San Bernardino phone. Apple says that it has given gigabytes of data to DoJ from the cloud storage of the Pensacola phone. DoJ maintains that Apple is uncooperative. [Ed. Did the FBI ever mention getting any data that was useful to its investigation from the San Bernardino phone?]


    Beware the Parameters of Elliptic Certs
  • A Windows 10 Vulnerability Was Used to Rickroll the NSA and Github
    A researcher demonstrated the attack less than a day after Microsoft disclosed one of the most critical Windows vulnerabilities ever.
    Ars Technica
    01.16.2020
    By Dan Goodin
    Summary:

    Elliptic curve cryptography is based on interesting mathematics and has implementation advantages for signatures of the type that are needed for certificates of trust. NSA found a pernicious bug in the implementation of that cryptography in Microsoft's CryptoAPI. Rather than hoarding it for themselves, they decided to let Microsoft know about the problem (see the NSA advisory).

    As a result, users of Internet Explorer really should install the patch immediately. Although it takes some setup activity for an attacker to deploy it, the victim user can be diverted to a fake website despite reassurance from the browser that the website has been properly, cryptographically, verified.

    The NSA advisory warns: "Certificates containing explicitly-defined elliptic curve parameters which only partially match a standard curve are suspicious, especially if they include the public key for a trusted certificate, and may represent bona fide exploitation attempts."
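    The advisory's warning translates directly into a check a defender can run over certificates. The following is an added example for this digest, not code from the article, the NSA advisory or Microsoft: it reads the DER SubjectPublicKeyInfo of an EC key with a small hand-written DER reader (no third-party packages), reports whether the curve is given by a named-curve OID or by explicitly encoded parameters, and, for explicit parameters, compares the field prime, coefficients, base point and order against NIST P-256 so that a key that only partially matches the standard curve is flagged. The OIDs and P-256 constants are the real published values; the sample keys are constructed here, and the public-key point inside them is a dummy, not a point on the curve.

```python
"""Flag EC public keys whose curve parameters are explicit and only partly match P-256."""

# Real OIDs (RFC 5480 / ANSI X9.62)
ID_EC_PUBLIC_KEY = "1.2.840.10045.2.1"
PRIME_FIELD = "1.2.840.10045.1.1"
SECP256R1 = "1.2.840.10045.3.1.7"

# Real NIST P-256 domain parameters (FIPS 186-4 / SEC 2)
P256 = dict(
    p=0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF,
    a=0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFC,
    b=0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B,
    gx=0x6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296,
    gy=0x4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5,
    n=0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551,
)

# ---- minimal DER encode/decode, enough for SPKI and ECParameters ----
def _der_len(n):
    if n < 0x80:
        return bytes([n])
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(raw)]) + raw

def tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body

def der_int(v):
    raw = v.to_bytes(max(1, (v.bit_length() + 7) // 8), "big")
    return tlv(0x02, (b"\x00" if raw[0] & 0x80 else b"") + raw)

def der_oid(dotted):
    arcs = [int(x) for x in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))

def read_tlv(buf, pos=0):
    """Return (tag, body, position after this element); handles long-form lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        k = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + length], pos + length

def children(body):
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = read_tlv(body, pos)
        out.append((tag, val))
    return out

def oid_str(body):
    arcs, v = [body[0] // 40, body[0] % 40], 0
    for byte in body[1:]:
        v = (v << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs.append(v)
            v = 0
    return ".".join(map(str, arcs))

# ---- builders for the constructed sample keys ----
def explicit_params(p, a, b, gx, gy, n):
    """ECParameters: version 1, prime field, curve a/b, uncompressed base point, order, cofactor 1."""
    field = tlv(0x30, der_oid(PRIME_FIELD) + der_int(p))
    curve = tlv(0x30, tlv(0x04, a.to_bytes(32, "big")) + tlv(0x04, b.to_bytes(32, "big")))
    base = tlv(0x04, b"\x04" + gx.to_bytes(32, "big") + gy.to_bytes(32, "big"))
    return tlv(0x30, der_int(1) + field + curve + base + der_int(n) + der_int(1))

def spki(params):
    dummy_point = b"\x04" + b"\x11" * 64   # constructed placeholder, not a valid curve point
    alg = tlv(0x30, der_oid(ID_EC_PUBLIC_KEY) + params)
    return tlv(0x30, alg + tlv(0x03, b"\x00" + dummy_point))

# ---- the check ----
def classify(spki_der):
    _, body, _ = read_tlv(spki_der)
    alg_body = children(body)[0][1]
    (_, alg_oid), (ptag, pbody) = children(alg_body)
    if oid_str(alg_oid) != ID_EC_PUBLIC_KEY:
        return "not-ec"
    if ptag == 0x06:                      # namedCurve OID: the normal, expected encoding
        return "named-curve:" + oid_str(pbody)
    if ptag != 0x30:                      # NULL (implicitlyCA) or anything unexpected
        return "implicit-or-unknown"
    items = children(pbody)               # explicit ECParameters SEQUENCE
    a_oct, b_oct = (val for _, val in children(items[2][1])[:2])
    base = items[3][1]
    got = dict(p=int.from_bytes(children(items[1][1])[1][1], "big"),
               a=int.from_bytes(a_oct, "big"), b=int.from_bytes(b_oct, "big"),
               gx=int.from_bytes(base[1:33], "big"), gy=int.from_bytes(base[33:65], "big"),
               n=int.from_bytes(items[4][1], "big"))
    differing = sorted(k for k in P256 if got[k] != P256[k])
    if not differing:
        return "explicit:full-match-p256"
    if len(differing) < len(P256):        # the advisory's "only partially match" case
        return "explicit:partial-match-p256:" + ",".join(differing)
    return "explicit:unknown-curve"

if __name__ == "__main__":
    for label, params in [("named", der_oid(SECP256R1)),
                          ("explicit-full", explicit_params(**P256)),
                          ("explicit-partial", explicit_params(**{**P256, "gx": 7, "gy": 9}))]:
        print(label, "->", classify(spki(params)))
```

    In a real deployment the input would be the SubjectPublicKeyInfo pulled from each certificate in a chain; anything other than a named-curve result for a CA or leaf certificate is worth a closer look, and a partial match against a standard curve is the case the advisory singles out.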


    Your Doorbell and Your Police
  • Amazon Doubles Down on Ring Partnerships With Law Enforcement
    The company's top hardware executive told WIRED he's "proud" of the controversial program and hinted at a future with more facial recognition.
    Wired
    01.07.2020
    By Lauren Goode and Louise Matsakis
    Summary:

    The Ring company provides home security cameras, and they collect a lot of video from users' front porches. The surveillance of public sidewalks and streets can benefit law enforcement, and Ring's David Limp has said that he is proud of the partnerships that currently exist. Others worry that the cameras are a step towards a dystopian society in which the government gathers detailed dossiers on the movements of all citizens. Facial recognition enhancements to Ring are a real possibility. Limp suggests that an opt-in/opt-out mode of operation would satisfy all concerns, but critics point out that this requires a fair amount of trust in Ring and its owner, Amazon.


    Home Security Cameras Hacked, Vendor Sued
  • Amazon's Ring blamed hacks on consumers reusing their passwords. A lawsuit says that's not true.
    Plaintiffs suing the company say they created unique passwords but were hacked anyway.
    Vox
    Jan 17, 2020
    By Rani Molla
    Summary:

    The Amazon Ring security cameras for home use are very popular, but there have been reports of hacker access to the devices. Some users are suing the company for not putting enough security into the devices. For example, multiple unsuccessful login attempts do not result in any warnings to the account owner. The response from Ring, without giving any specific examples, is that users are to blame for reusing passwords from other systems. There's some suspicion that the passwords aren't the problem.
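    The missing control the plaintiffs point to, notification after repeated failed logins, is a small piece of detection logic. The following is an added example, not code from Ring, Amazon or the article: it runs a sliding-window failed-login counter over a constructed stream of login events and emits an owner notification when an account accumulates a burst of failures, plus a second notification if a login then succeeds right after such a burst. The window, threshold and event records are all assumptions made for the example.

```python
"""Owner notifications for bursts of failed logins (constructed example)."""
from collections import defaultdict, deque

WINDOW_SECONDS = 300   # assumed sliding window
THRESHOLD = 5          # assumed number of failures that triggers a notification

# Constructed login events: (unix-style timestamp, account, succeeded)
EVENTS = [
    (0, "alice", False), (30, "alice", False), (60, "alice", False),
    (90, "alice", False), (120, "alice", False), (150, "alice", True),
    (0, "bob", False), (700, "bob", False), (1500, "bob", True),
]

def notifications(events, window=WINDOW_SECONDS, threshold=THRESHOLD):
    """Return (timestamp, account, kind) notifications the account owner should receive."""
    failures = defaultdict(deque)   # account -> timestamps of recent failures
    burst_open = set()              # accounts already notified for the current burst
    out = []
    for ts, account, ok in sorted(events):
        recent = failures[account]
        if ok:
            # A success arriving right after a burst of failures deserves its own notice.
            if len(recent) >= threshold:
                out.append((ts, account, "login-after-failure-burst"))
            recent.clear()
            burst_open.discard(account)
            continue
        recent.append(ts)
        while recent and ts - recent[0] > window:   # drop failures outside the window
            recent.popleft()
        if len(recent) >= threshold and account not in burst_open:
            out.append((ts, account, "failed-login-burst"))
            burst_open.add(account)
    return out

if __name__ == "__main__":
    for note in notifications(EVENTS):
        print(note)
```

    Alice trips the threshold at her fifth failure and is notified again when a login succeeds moments later; Bob's two failures are far enough apart that they never fall inside one window.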


    Can Encryption Save IoT?
  • An Open Source Effort to Encrypt the Internet of Things
    IoT is a security hellscape. One cryptography company has a plan to make it a little bit less so.
    Wired
    01.20.2020
    Lily Hay Newman
    Summary:

    End-to-end encryption is taken for granted for web services today. It is easy to use TLS with a web server, browsers support it, and there is a reasonable certificate infrastructure to support it. Shouldn't IoT have the same open standards and open source implementations? The company Teserakt proposes to do just that, as explained in its E4 Product Sheet. The algorithms are designed for low-energy devices, and the protocol should support a very large number of connected devices.


    Citrix Patches Zero Day, Government Agencies at Risk
  • As attacks begin, Citrix ships patch for VPN vulnerability
    Hundreds of US government agencies have vulnerable VPNs, data shows.
    Ars Technica
    1/20/2020
    By Sean Gallagher
    Summary:

    A carefully crafted packet can open a Citrix VPN gateway to unauthorized code execution, but Citrix has a patch for that. The problem is, there are tens of thousands of vulnerable sites, and they have been slow to install the patches. Government agencies, businesses, and some US military sites are affected.


    Election Hacking, a Compromised Server in 2016 Identified
  • A Georgia election server was vulnerable to Shellshock and may have been hacked
    Vulnerable server distributed election and voter files to counties throughout the state.
    Ars Technica
    1/18/2020
    By Dan Goodin
    Summary:

    The difficulty of protecting election equipment and data was highlighted by the discovery of malware on a server machine at Kennesaw University. Back in 2016, the state of Georgia used the services of the "Center for Election Systems" to program the state's voting machines (that relationship ended in 2017). Because of some problem with the servers in 2016 (see a timeline of anomalies), there has been an ongoing forensic analysis of those servers. This recent announcement says that one of the servers was accessed using the Shellshock vulnerability. The hacker seems to have successfully erased the history of the session, and there is no way to know if the hacking affected the election.


    Ukraine Oil Company to be Leaked?
  • If Russia Hacked Burisma, Brace for the Leaks to Follow
    The Kremlin likely hacked the oil giant. Its next play: selectively release—and even forge documents. Did the US learn enough from 2016 to ignore them?
    Wired
    01.14.2020
    By Andy Greenberg
    Summary:

    Russia's cybercrime unit has been implicated in a series of disruptive hacking attacks against businesses and infrastructure in Ukraine. If it did hack the oil company Burisma, then the pattern would indicate that documents reflecting badly on the Ukrainian company will start appearing.

    [Ed. Greenberg is the author of the recent book "Sandworm". This follows the twisted tale of specific exploits that are believed to have originated in Russia and been directed at Ukraine. The software mutated, diverged, acquired misleading add-ons, but the purpose always seemed to be to hurt Ukraine, even if collateral damage to other targets, some in Russia, occurred. The telling evidence is probably the use of specific command and control servers tied to Russian cyberwarfare units.]