Internal Bug Discovery – Security Now 693

Australia vs Encryption, Google+ Bugs Hasten its Demise
— Australia’s recently passed anti-encryption legislation
— Details of a couple more mega-breaches including a bit of Marriott follow-up
— A welcome call for legislation from Microsoft
— A new twist on online advertising click fraud
— The DHS is interested in deanonymizing cryptocurrencies beyond Bitcoin
— The changing landscape of TOR funding
— An entirely foreseeable disaster with a new Internet IoT-oriented protocol
— Google finds bugs in Google+ and acts responsibly — again — what that suggests for everyone else
We invite you to read our show notes.

Hosts: Steve Gibson, Leo Laporte

This Week in Tech 673: The Prozac Dash Button

Reinventing Microsoft, Amazon’s push into healthcare, new Apple Maps, and more.

–Apple vs Samsung settled: our long international nightmare is over.
–A proposed US law has patent trolls jumping for joy.
–Amazon jumps into the healthcare business by buying online pharmacy PillPack.
–Foxconn’s new Wisconsin plant breaks ground.
–Yet another Facebook security breach, but this time a bug bounty program catches the leak.
–Twitter’s new Ad Transparency Center opens new avenues for journalists.
–The sky is falling in Fortnite.
–WPA3 could make Wi-Fi a lot more secure.
–California follows Europe down the data privacy road.
–Christina Warren knows all the Andromeda secrets, but she’s not talking.
–AOL Instant Messenger is reborn!
–StumbleUpon is not. 🙁

This Week in Tech 640: Stand Clear of the Closing Doors

DOJ suggests that phone encryption kills people. Facebook wants to see you naked. Apple gets ready for its best holiday ever. Twitter gets 50-character names to go with its 280-character tweets. Xbox One X is the best game system out there. Bill Gates will build his own city. Car ownership will be a thing of the past in 5 years. Intel and AMD team up. Alibaba sells $25 billion worth of stuff in one day while America’s retail sector is tanking.

Fix for WannaCry

Megan Morrone talks to Iain Thomson about a possible fix for those infected with the WannaCry ransomware. Researchers have found a way to unlock affected computers without paying the bitcoin ransom. The tool, called WanaKiwi, works only on Windows XP, Windows 7, or Windows 2003, and only if you haven’t rebooted the PC since the infection, because it depends on the ransomware process’s memory still being intact. The key is not magic, it’s math: the ransomware used Windows’ CryptoAPI to generate its RSA key pair, and the API left the two prime numbers behind that key sitting in process memory rather than wiping them. WanaKiwi scans that memory for the primes, rebuilds the private key from them, and decrypts the files. A different tool called WannaKey, released the day before, only worked on Windows XP and required a second program to perform the actual decryption.
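How that key recovery works, shown as an added example rather than WanaKiwi’s or WannaKey’s own code: a toy RSA key pair built from two Mersenne primes (scaled down from the 2048-bit key the ransomware used, an assumption made for speed), a constructed byte buffer standing in for the un-rebooted ransomware process’s memory, and a scan that treats every fixed-width little-endian window of that buffer as a candidate factor of the public modulus. The fixed-width prime fields, the junk bytes, and the per-file AES key are all constructed for the demo.

```python
"""Rebuild an RSA private key from primes left behind in process memory.

Added example (not WanaKiwi's or WannaKey's code): the same idea on a
constructed toy key and a constructed memory dump.
"""
import random
from math import gcd

# Constructed toy key pair: two Mersenne primes stand in for the 1024-bit
# primes of the real 2048-bit key (assumption: scaled down for the demo).
P = (1 << 89) - 1
Q = (1 << 61) - 1
E = 65537
N = P * Q
# Assumption: each prime lives in a fixed-width little-endian field, the way
# a CryptoAPI private-key blob lays out prime1/prime2.
PRIME_FIELD_BYTES = 12


def private_exponent(p, q, e=E):
    """d = e^-1 mod (p-1)(q-1); this is all that is missing once p and q are known."""
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e is not invertible modulo phi(n)")
    return pow(e, -1, phi)


def build_memory_dump(p, q, seed=7):
    """Constructed stand-in for a dump of the still-running ransomware process:
    the two primes sit at unknown offsets among junk bytes that were never wiped."""
    rnd = random.Random(seed)
    junk = lambda n: bytes(rnd.randrange(256) for _ in range(n))
    return (junk(300) + p.to_bytes(PRIME_FIELD_BYTES, "little")
            + junk(137) + q.to_bytes(PRIME_FIELD_BYTES, "little") + junk(200))


def find_prime_factors(dump, n, width=PRIME_FIELD_BYTES):
    """Slide a width-byte window over the dump and keep every window that,
    read as a little-endian integer, is a non-trivial divisor of n.
    Only p and q can pass that test, so junk cannot produce false positives."""
    found = set()
    for off in range(len(dump) - width + 1):
        c = int.from_bytes(dump[off:off + width], "little")
        if 1 < c < n and n % c == 0:
            found.add(c)
    return sorted(found)


def recover_private_key(dump, n, e=E):
    """Return d, or None when the primes are gone (e.g. the machine rebooted)."""
    factors = find_prime_factors(dump, n)
    if len(factors) != 2 or factors[0] * factors[1] != n:
        return None
    return private_exponent(factors[0], factors[1], e)


def rsa_encrypt(m, n=N, e=E):
    return pow(m, e, n)


def rsa_decrypt(c, d, n=N):
    return pow(c, d, n)


def demo():
    """Wrap a constructed per-file AES key the way the ransomware would,
    then recover it using only the public key and the memory dump."""
    file_key = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed
    wrapped = rsa_encrypt(int.from_bytes(file_key, "big"))
    d = recover_private_key(build_memory_dump(P, Q), N)
    if d is None:
        return None
    return rsa_decrypt(wrapped, d).to_bytes(16, "big")


if __name__ == "__main__":
    print("recovered file key:", demo().hex())
```

The divisibility test is what makes the scan robust: a real 2048-bit modulus has exactly two non-trivial divisors, so the scanner never needs a primality test, and the same loop with a 128-byte window is what a real dump would need. Once the process has exited or the machine has rebooted, the buffer is gone and `recover_private_key` returns None, which is exactly the "don’t reboot" caveat in the segment.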

Spotty Android encryption is the story behind the story of Apple’s battle with the FBI

PCWorld

Savvy Android users know that Apple’s face-off with the FBI is only the beginning of the phone-encryption furor. Google CEO Sundar Pichai voiced his support for Apple and for strong and safe encryption, but he didn’t give specifics on how Google would deal with this situation if it were in Apple’s shoes.

That’s because if Syed Rizwan Farook, the San Bernardino shooter, had been using an older Android smartphone, we probably wouldn’t be having this discussion.

Encryption has so far lost out to openness in the Android ecosystem. Full-disk encryption has actually been supported since version 4.0 (Ice Cream Sandwich), and the latest iterations of Google’s own Nexus devices have it on by default, but the rest of Android has been slower on the uptake, especially internationally.

“Android is different because the entire ecosystem is fragmented,” explained Mike Murray, VP of security research at Lookout. “The version of Android that Samsung installs on their phone is different than the version that Google installs on their phone and it’s way different than the third party aftermarket vendor who’s building low-end phones in India or China.”

It’s those smaller manufacturers making budget devices that have especially stymied Google. They fear that mandatory encryption will hurt their phones’ performance: lower-end processors, often without hardware acceleration for AES, can struggle to encrypt and decrypt storage in real time. But as processors improve, there’s little reason encryption could not become the norm on every new smartphone.

So many Android phones, so little encryption

Google tried again late last year with Android 6.0 Marshmallow, whose compatibility requirements make full-disk encryption mandatory on devices fast enough to handle it (the threshold is AES throughput of at least 50 MiB/s). But there’s another flaw in this plan: only 4.6% of the Android landscape is running Marshmallow (as of this writing), and the compulsory encryption rule applies only to new phones that ship with 6.0, not to older phones that have been upgraded to it (encryption stays optional in that case). Once again, Android is a patchwork.

On-by-default makes a huge difference in how a person uses a device or an app. Typically, people don’t change the settings much unless they have something specific in mind. With encryption off by default, a large number of devices likely remain unencrypted, their users oblivious to the exposure.

“Every company manufacturing devices that store sensitive data should be using full disk encryption by default,” said Evan Greer, campaign director of Fight for the Future, which staged rallies in support of Apple. She added that corporations need to shoulder more of the responsibility in encrypting devices. “We need to build a movement to hold companies accountable and demand that they do everything technologically possible to protect our private information from hackers, and from illegal government surveillance.”

Google’s commitment to privacy is regularly challenged, whether it’s in the company’s expansive use of user data, or more specifically in a Manhattan DA report that claimed Google could remotely access most Android phones.

Android security boss Adrian Ludwig fired back, saying Google cannot access any device protected with a PIN, password, or fingerprint. “Google also does not have any mechanism to facilitate access to devices that have been encrypted,” he said.

Shut the back door

But could Ludwig’s claim be put to the test sooner rather than later? We know the San Bernardino case was never about just one iPhone or Apple. As Fight for the Future’s Greer reminds us, it’s about the FBI’s desire to set a “dangerous precedent” that would be felt for years to come. Turning on device encryption by default for all users is just one way of ensuring this doesn’t happen.

“Assuming Android improves their security and becomes harder to hack, it’s not a question of if the US or other governments will try to force them to weaken that security,” said Greer. “It’s a question of when.”