Breaches, borders, and Barcelona — the week in security news

Avast Security News Team, 2 March 2018

This week brought new revelations about one of the worst security breaches of all time and the discovery that US officials have not implemented a key means of securing passports, while Barcelona hosted one of the technology industry’s biggest events.

Equifax reveals more victims of 2017 breach

The breach at credit-reporting agency Equifax was one of the worst not only of 2017, but of all time.

And not just for the sheer size of it – the records of at least 145 million US citizens, nearly half the US population, were exposed in the attack – but also for the impact the breach had on the organization’s customers around the world.

Social security numbers, driver’s license numbers, and credit card details were leaked. In her investigation into the attack, Senator Elizabeth Warren also alleged that passport numbers were among the details stolen, although Equifax has denied that passport numbers were compromised.

And then, just when you thought it couldn’t get much worse, on Thursday Equifax said that it had found a further 2.4 million Americans whose data had been exposed, taking the total to 147 million US citizens, as well as around 15 million British records and the data of 19,000 Canadians.

At the time, Equifax came under fire for its handling of the breach: access to the stolen data meant that criminals could target their identity theft and phishing attempts more precisely, as the UK’s National Cyber Security Centre warned in October last year.

Equifax was further roundly criticized for the website it set up for customers to check if they were affected by the data breach, which wasn’t on its primary domain and which returned false positives. Researcher Troy Hunt said at the time that it was “basically useless.”

The anger at Equifax hasn’t abated much since last fall: Senator Warren told Marketplace earlier this week that the agency’s “cybersecurity apparatus was inadequate to protect American consumers,” adding, “Equifax may actually make money off this breach.”

If you’re an Equifax customer who wasn’t notified that your data was exposed last year, watch out for communication from the agency — they might well have included you in this re-assessment of the breach.

US border agents haven’t verified e-passports for more than 10 years

Do you have a passport with a chip containing biometric data? And have you been paying attention to President Trump’s moves that are supposed to protect American citizens by imposing restrictions on who can enter the USA?

You might therefore expect the US border patrol agents to verify the information stored on the e-passport chip of each arrival to make sure the holder of the passport is who they say they are. But it turns out that border patrol agents have been failing to take this measure because they don’t have the software to do so.

An e-passport is considered more secure than a passport without a chip because it contains a cryptographic signature that can be used to verify that the data stored on the chip is authentic and has not been altered. More than a hundred countries now issue passports with digital chips, and the US Visa Waiver Program requires anyone arriving in the country under that provision to have an e-passport.

The news that border agents weren’t verifying the identity data stored on the chip came in a letter sent last week by Senators Ron Wyden and Claire McCaskill to Kevin McAleenan, acting commissioner of the US Customs and Border Protection, asking that the agency “immediately act to utilize the anti-forgery and anti-tamper features in e-passports, which have gone unused by CBP since their implementation in 2007.”

It’s been known since 2010 that border agents didn’t have the ability to verify the cryptographic signatures on e-passports.

A report from the Government Accountability Office at the time called on the Department of Homeland Security to “design and implement the systems [sic] functionality and databases needed to fully verify electronic passport digital signatures at US ports of entry” and “develop and implement an approach to obtain the digital signatures necessary to validate the digital signatures on US and other nations’ electronic passports.”

As with all security measures, it’s not just the technology you choose, it’s how you implement it – or don’t implement it – that can really impact your safety.

This might be the Droid you’re looking for

The cellphone industry descended on Barcelona in Spain this week for the annual Mobile World Congress, where new devices, from the latest Samsung smartphones and a nostalgic reboot of a Nokia classic to yet more smart home devices, are launched in front of analysts, journalists, and enthusiasts.

Amid the devices on display was a cellphone that is apparently designed to stop spy agencies and bad guys from eavesdropping on you.

The Katim phone, made by Middle Eastern company DarkMatter, might raise a few eyebrows among the cybersecurity community, as its operating system is based on Android – a platform that’s struggled with malware and spyware.

DarkMatter’s CEO Faisal Al Bannai told CNBC that the device’s “shield mode” is implemented with a button that turns off the phone’s microphone and camera, “which means that unless that super agency has a way of physically shifting that button back, there is no way that mic is turning on and listening to what you’re saying.”

Al Bannai also told Bloomberg that the company’s employees include former US NSA and CIA analysts.

Claiming a high degree of security for anything is often like a red rag to a bull for the hacker community, so it remains to be seen if security researchers will verify the company’s claims about the Katim phone’s security. But with rising anxiety about surveillance and smartphones compromised with malware, a device that really is hardened against attack might prove to be interesting.