When encryption is weak by design
New research reveals holes in GPRS-era mobile data encryption algorithm
In a “bombshell” revelation, a group of academics in Europe found that GEA-1, the encryption algorithm adopted for GPRS data on 2G networks, contains a weakness that would let an eavesdropper decrypt some of a phone's internet traffic.
The European Telecommunications Standards Institute (ETSI), which introduced the algorithm in 1998, confirmed that the weakness was deliberate: export regulations at the time did not permit stronger encryption.
“In a million tries we never even got close to such a weak instance,” the researchers said of their attempt to reproduce the flaw by chance: when they generated a million random variants of the cipher's key-loading step, none came close to the real one, in which the internal state that drives the keystream can be recovered with roughly 2^40 work despite the 64-bit key. “This implies that the weakness in GEA-1 is unlikely to occur by chance, indicating that the security level of 40 bits is due to export regulations.”
Although its successor, GEA-2, has a stronger design, the analysis found that it too falls short of today's expected security level; the researchers urge telecom providers to move to more secure GPRS algorithms, starting with GEA-3.
“Since GEA-1 was designed to be exportable within the export restrictions in European countries in the late 1990s, this might be an indication that a security level of 40 bits was a barrier for cryptographic algorithms to obtain the necessary authorizations,” the researchers concluded.
“Because at the end of the day, all of the same incentives exist for governments to sabotage encryption standards,” Professor Matthew Green said in a Twitter thread. “We like to pretend that they’re too enlightened to do this anymore, or that we’re smart enough to catch them. Maybe. I doubt it.”
“In the late 2030s you should expect a team of researchers to be writing a paper just like this one, except it will be about the encryption you’re using today,” Green added.
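The kind of flaw the researchers describe, a key-loading step that leaves far fewer reachable internal states than the key size suggests, is easy to see on a small scale. The following is an added, constructed toy model written for this newsletter; it is not GEA-1's design and not the researchers' code. Two 8-bit LFSRs are loaded from a 16-bit key through a linear map over GF(2); the "strong" map gives 2^16 reachable joint states, the "weak" map reads every key bit yet yields only 2^8, so an attacker with a few dozen bits of known keystream needs 2^8 trials instead of 2^16. The feedback masks, key-loading maps, and the 16-bit/8-bit sizes are all assumptions chosen so the exhaustive counts run instantly.

```python
"""Toy model of a stream-cipher initialisation that is 'weak by design'.

Constructed example, not GEA-1's real design. Two 8-bit LFSRs (A and B) are
loaded from a 16-bit key through a linear map over GF(2), then clocked in
step with their outputs XORed to form the keystream. With the STRONG map
the joint (A, B) state can take 2**16 values; with the WEAK map every key
bit is still read, but the joint state can take only 2**8 values. GEA-1's
flaw is of this kind at a larger scale (64-bit key, 2**40 reachable states).
"""

KEY_BITS = 16
REG_BITS = 8
# Feedback masks over state-bit positions. Characteristic polynomials are
# x^8+x^4+x^3+x^2+1 (A) and x^8+x^6+x^5+x^4+1 (B): distinct primitive
# polynomials, so no nonzero (A, B) state produces an all-zero keystream.
MASK_A = 0b0001_1101
MASK_B = 0b0111_0001

# Key-loading maps: register bit i is the GF(2) inner product of row i with
# the key. STRONG: A gets key bits 0..7, B gets key bits 8..15 (rank 16).
STRONG_A = [1 << i for i in range(REG_BITS)]
STRONG_B = [1 << (i + REG_BITS) for i in range(REG_BITS)]
# WEAK: A_i = k_i ^ k_{i+8} and B_i = A_i ^ A_{(i+1) mod 8}. Every key bit is
# read, but B is a function of A, so only 8 bits of key material matter.
WEAK_A = [(1 << i) | (1 << (i + REG_BITS)) for i in range(REG_BITS)]
WEAK_B = [WEAK_A[i] ^ WEAK_A[(i + 1) % REG_BITS] for i in range(REG_BITS)]


def parity(x):
    return bin(x).count("1") & 1


def init_registers(key, rows_a, rows_b):
    """Load A and B from the key through the given linear maps."""
    a = sum(parity(row & key) << i for i, row in enumerate(rows_a))
    b = sum(parity(row & key) << i for i, row in enumerate(rows_b))
    return a, b


def lfsr_clock(state, mask):
    """Fibonacci LFSR: emit bit 0, shift right, feed parity(state & mask) in at the top."""
    out = state & 1
    state = (state >> 1) | (parity(state & mask) << (REG_BITS - 1))
    return out, state


def keystream(a, b, nbits):
    """Keystream = XOR of the two register outputs, clocked together."""
    bits = []
    for _ in range(nbits):
        oa, a = lfsr_clock(a, MASK_A)
        ob, b = lfsr_clock(b, MASK_B)
        bits.append(oa ^ ob)
    return bits


def joint_state(key, rows_a, rows_b):
    a, b = init_registers(key, rows_a, rows_b)
    return (a << REG_BITS) | b


def gf2_basis(vectors):
    """Reduce GF(2) vectors (as ints) to an independent basis by leading bit."""
    basis = {}
    for v in vectors:
        while v:
            lead = v.bit_length() - 1
            if lead not in basis:
                basis[lead] = v
                break
            v ^= basis[lead]
    return list(basis.values())


def effective_key_bits(rows_a, rows_b):
    """Rank of the key -> joint-state map, i.e. log2 of the reachable states."""
    columns = [joint_state(1 << j, rows_a, rows_b) for j in range(KEY_BITS)]
    return len(gf2_basis(columns))


def recover_joint_state(known, rows_a, rows_b):
    """Try only the reachable joint states; return (matches, number of trials)."""
    columns = [joint_state(1 << j, rows_a, rows_b) for j in range(KEY_BITS)]
    reachable = [0]
    for vec in gf2_basis(columns):
        reachable += [s ^ vec for s in reachable]  # enumerate the span
    matches = []
    for s in reachable:
        a, b = s >> REG_BITS, s & ((1 << REG_BITS) - 1)
        if keystream(a, b, len(known)) == known:
            matches.append((a, b))
    return matches, len(reachable)


if __name__ == "__main__":
    import random
    key = random.getrandbits(KEY_BITS)
    for name, ra, rb in (("strong", STRONG_A, STRONG_B), ("weak", WEAK_A, WEAK_B)):
        print(f"{name} map: {KEY_BITS}-bit key, {effective_key_bits(ra, rb)} effective bits")
    a, b = init_registers(key, WEAK_A, WEAK_B)
    found, trials = recover_joint_state(keystream(a, b, 32), WEAK_A, WEAK_B)
    print(f"weak map: true state {(a, b)}, recovered {found} after {trials} trials")
```

The point of the toy is the check in `effective_key_bits`: the rank of the key-loading map is what bounds the attacker's work, not the key length printed on the spec sheet. Anyone reviewing a cipher's initialisation can compute that rank directly, which is the kind of test that would have flagged GEA-1's 40-bit ceiling at design time.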
What’s trending in security?
💲 Talk about taking the gig economy to the next level. A new report from the Wall Street Journal revealed that San Francisco-based Premise Data Corp. employs a network of gig workers, many of them in the developing world, to complete basic tasks such as taking photos and filling out surveys for clients including the U.S. military and foreign governments, in return for small payments. [Wall Street Journal]
🇪🇸 Controversial 75-year-old antivirus pioneer John McAfee was found dead in a Spanish prison in an apparent suicide as he awaited extradition to the U.S. on tax evasion and securities fraud charges. [The Hacker News]
🍪 Google’s sweeping plan to deprecate third-party cookies in the Chrome browser is going back to the drawing board, with the company delaying the rollout from early 2022 to late 2023, a slip of nearly two years. [The Hacker News]
🛡️ MITRE released a new framework called D3FEND, a knowledge graph of cybersecurity countermeasure techniques. “In the simplest sense, it is a catalog of defensive cybersecurity techniques and their relationships to offensive/adversary techniques. The primary goal of the initial D3FEND release is to help standardize the vocabulary used to describe defensive cybersecurity technology functionality,” MITRE said. [National Security Agency / MITRE]
🇫🇷 French authorities indicted four former executives of surveillance firm Nexa Technologies, previously known as Amesys, for complicity in torture and war crimes between 2007 and 2014. The firm is accused of selling spyware to Libya and Egypt. [WIRED]
💵 Cryptocurrency exchange Binance revealed it played a central role in the recent arrests of Cl0p ransomware affiliates who laundered more than $500 million worth of cryptocurrency from ransom payments generated by attacks using the Cl0p and Petya strains. [The Hacker News]
🚨 A newly discovered “vigilante” malware campaign turns the tables on software pirates: booby-trapped cracked software installs a payload that rewrites the hosts file so the infected machine can no longer reach pirated-software sites. [Sophos]
⚠️ The LV ransomware gang appears to have hijacked and modified the binary payload of the more infamous REvil group. “This overlap could indicate that the GOLD SOUTHFIELD cybercriminal threat group that operates REvil sold the source code, that the source code was stolen, or that GOLD SOUTHFIELD shared the code with another threat group as part of a partnership,” the researchers said. [Secureworks]
📣 Google announced it had expanded its Open Source Vulnerabilities (OSV) database to several critical open-source ecosystems, including Go, Rust, Python, and DWF. [Google Security Blog]
💪🏼 A vulnerability in the Peloton Bike+, which has already been addressed through a mandatory patch issued to affected devices worldwide, could have allowed an attacker to remotely spy on users. [McAfee]
🇳🇴 According to the Norwegian Police Security Service (PST), APT31, a cyber-espionage group operating on behalf of China, was responsible for a highly intrusive 2018 breach of the government’s IT network. [The Record]
🇨🇳 A Chinese software developer trawled Alibaba's popular Taobao shopping site for eight months, stealthily amassing more than 1.1 billion pieces of user information before Alibaba noticed the scraping, according to a Chinese court filing dated in May but released this month. The developer passed the phone numbers he collected to his employer, who used them to target clients and claim Taobao coupons. [Wall Street Journal]
🇰🇵 Lazarus Group, the state-sponsored threat actor run by the North Korean government, has been linked to a string of destructive cyberattacks since it emerged on the threat landscape in 2009. The group is known for compromising a wide range of victims, including financial institutions and cryptocurrency exchanges, and is motivated primarily by financial gain as a way of circumventing long-standing sanctions against the regime.
Besides being blamed for the 2014 breach of Sony Pictures and the 2017 WannaCry ransomware outbreak, the collective was also behind one of the most spectacular bank heists on record: an attempt to illegally transfer close to $1 billion from Bangladesh's central bank to accounts in Sri Lanka and the Philippines in a series of 35 transfer requests, 30 of which, worth $850 million, were blocked. Of the remaining $101 million, the $20 million sent to Sri Lanka has since been recovered, while only $18 million of the $81 million sent to the Philippines has been tracked down. [BBC]
ℹ️ The fortnight in data breaches, leaks, and ransomware: ADATA, Carnival Cruise, CVS Health, Eggfree Cake Box, French Connection, Grupo Fleury, Mercedes Benz, NewsBlur, Reproductive Biology Associates, Tulsa Police Department, TurboTax, and Wegmans.
41%
That’s how much ransomware attacks have increased since the start of 2021; year over year, they are up 93%, according to new research from Check Point. The weekly average of ransomware attacks rose to 1,115 in May and reached 1,210 by the first half of June. The industries seeing the sharpest spikes in attempted ransomware attacks are education (a 347% increase in weekly attacks), transportation (186%), retail/wholesale (162%), and healthcare (159%).
Tips, Comments, Ideas?
Send them my way by replying to this email.
Thanks again for reading. See you next week!