US, UK, and other governments ask tech companies to build backdoors into encrypted devices

The US, UK, and three other governments have called on tech companies to build backdoors into their encrypted products, so that law enforcement will always be able to obtain access. If companies don’t, the governments say they “may pursue technological, enforcement, legislative, or other measures” in order to get into locked devices and services.

Their statement came out of a meeting last week between nations in the Five Eyes pact, an intelligence sharing agreement between the US, UK, Canada, Australia, and New Zealand. The nations issued a statement covering a range of technology-related issues they face, but it was their remarks on encryption that stood out the most.

In their memo, the governments stress that these backdoors would only be for “lawful” access to a device, such as in a criminal investigation. And they plan to start by encouraging tech companies to voluntarily add them. But the backdoors would only be voluntary to a point, because the governments say that they might mandate a way in if they “continue to encounter impediments” to accessing encrypted data.

At this point, their request for a backdoor is more of a wish than a command or a threat. But the statement speaks to the growing movement against encryption by governments and lawmakers, who see it as an impediment to law enforcement. As encryption grows more and more accessible in the coming years, these requests are only likely to grow — and could eventually lead to action.

Tech companies have also been wary of complying. Adding a backdoor into their products would inherently mean that their promise of data privacy is broken. It would also open them up to similar requests from other countries, which could use the backdoor access for spying in inappropriate circumstances.

In addition to touching on encryption, the nations also issued a memo on keeping online spaces free from child predators, terrorists, and other bad actors. They asked tech companies to build tools that could prevent illegal content from “ever being uploaded,” while reiterating familiar requests like using humans and automated tools to remove existing content and collaborating across the industry to ID bad content so that it can’t spread.

Trump signs bill banning government use of Huawei and ZTE tech

Huawei and ZTE technology will largely be banned from use by the US government and government contractors. The ban was signed into law by President Trump today as a component of the much larger Defense Authorization Act.

This caps off months of will-they-won’t-they from Republicans, many of whom view the two major Chinese telecoms as national security threats. In June, the Senate overwhelmingly passed an amendment that would have reinstated a trade ban on ZTE, potentially shutting down the company. The House, however, did not, and the big question was how the two chambers would find a compromise — or if they would drop the matter entirely.

In the end, Congress decided on a measure that will essentially ban the US government or anyone that wants to work with the US government from using components from Huawei, ZTE, or a number of other Chinese communications companies. The ban goes into effect over the next two years.

The ban covers the use of Huawei and ZTE components or services that are “essential” or “critical” to the system they’re used in. Some components from these companies are still allowed, so long as they cannot be used to route or view data. The bill also instructs several government agencies, including the Federal Communications Commission, to prioritize funding to assist businesses that will have to change their technology as a result of the ban.

In an emailed statement, Huawei called the ban a “random addition” to the defense bill that was “ineffective, misguided, and unconstitutional.” Huawei said the ban would increase costs for consumers and businesses, and that it failed to “identify real security risks or improve supply chain security.” Huawei didn’t immediately say that it would challenge the law.

It was unclear which direction Congress would go with this, particularly because Trump did not want to reinstate the trade ban on ZTE — and even worked to lift it. The Commerce Department has already negotiated a deal and lifted the ban, and it was unclear if Trump would sign a bill reversing those decisions.

Huawei and ZTE have long been in the crosshairs of US law- and policymakers. Both companies were called a national security threat by a 2012 House report, while heads of US security agencies have recommended against using both companies’ products. While this bill doesn’t outright ban either company from US infrastructure, it could have a major impact by forcing the many, many companies that want to work with the government to pick other suppliers and remove the Huawei and ZTE components they’re already using.

FBI warns of potential ATM bank heist that could steal millions globally

The FBI has warned banks that ATMs will likely face a global attack by criminals in the “coming days.” The FBI was tipped off that these cybercriminals would hack payment card processors or banks and use ATMs all over the world to withdraw millions of dollars over the course of a few hours, as reported by cybersecurity blog Krebs on Security.

Krebs on Security says that the FBI shared a confidential alert with banks last Friday, stating, “The FBI has obtained unspecified reporting indicating cyber criminals are planning to conduct a global Automated Teller Machine (ATM) cash-out scheme in the coming days.”

The criminals would compromise a bank or card processor with malware so that they gain access to bank users’ card numbers. They’d also use their access to alter ATM withdrawal limits and account balances, allowing them to withdraw as much money as each ATM possesses, according to Krebs on Security.

Then, the criminals would send the card data to accomplices who would imprint the data onto reusable magnetic stripe cards “such as gift cards purchased at retail stores,” the FBI wrote in its alert. At a coordinated time, the accomplices would withdraw funds from ATMs around the globe using these fake cards.

The timing would likely fall on a weekend, just when banks start closing. For instance, between 2016 and 2017, $2.4 million was pilfered from a bank in Virginia after hackers phished the bank system and withdrew cash from ATMs in two separate withdrawals, Krebs reported. The first withdrawal was timed during the Memorial Day holiday, and the second fell on a Saturday.

The FBI pointed out that previous attacks usually targeted “small-to-medium size financial institutions” that likely had smaller budgets, weaker cybersecurity, and perhaps third-party vendor vulnerabilities.

The alert continued, “The FBI expects the ubiquity of this activity to continue or possibly increase in the near future.” As security countermeasures, banks should be asking users for strong passwords and enabling two-factor authentication through a physical token (and not via SMS, which can easily be hijacked).
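The cash-out pattern described above leaves two signals a bank's fraud monitoring can look for: withdrawal limits raised outside the normal change process shortly before the event, and the same card number cashing out at ATMs in several countries within a couple of hours. The following is an added example, not code from the FBI alert or from Krebs on Security; the transaction records, card ids and change-ticket field are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real bank data). Each withdrawal is
# (card_id, ISO-8601 UTC timestamp, ATM country, amount).
WITHDRAWALS = [
    ("card-A", "2018-08-11T01:05:00", "US", 800),
    ("card-A", "2018-08-11T01:20:00", "DE", 900),
    ("card-A", "2018-08-11T02:10:00", "JP", 950),
    ("card-B", "2018-08-11T01:00:00", "US", 200),
    ("card-B", "2018-08-11T14:00:00", "US", 100),
]
# Constructed limit-change records: (card_id, timestamp, old_limit,
# new_limit, change_ticket). A missing ticket means no documented approval.
LIMIT_CHANGES = [
    ("card-A", "2018-08-10T23:55:00", 500, 5000, None),
    ("card-B", "2018-08-09T10:00:00", 300, 400, "CHG-1234"),
]

def parse(ts):
    return datetime.fromisoformat(ts)

def flag_dispersed_withdrawals(withdrawals, window=timedelta(hours=2), min_countries=3):
    """Return card ids that withdrew cash in at least `min_countries` distinct
    countries inside any sliding window of length `window`. One physical card
    cannot be in three countries in two hours, so this is the signature of
    cloned cards being cashed out in parallel."""
    by_card = defaultdict(list)
    for card, ts, country, _amount in withdrawals:
        by_card[card].append((parse(ts), country))
    flagged = set()
    for card, events in by_card.items():
        events.sort()  # chronological, so every later event is >= start
        for i, (start, _) in enumerate(events):
            countries = {c for t, c in events[i:] if t - start <= window}
            if len(countries) >= min_countries:
                flagged.add(card)
                break
    return flagged

def flag_undocumented_limit_raises(changes, min_ratio=2.0):
    """Return card ids whose withdrawal limit was raised by at least
    `min_ratio` without a change ticket: the limit tampering that precedes
    a cash-out, as opposed to a documented customer-service change."""
    return {card for card, _ts, old, new, ticket in changes
            if ticket is None and old > 0 and new / old >= min_ratio}

def cashout_suspects(withdrawals, changes):
    """Cards showing both signals, sorted for stable output."""
    return sorted(flag_dispersed_withdrawals(withdrawals)
                  & flag_undocumented_limit_raises(changes))

if __name__ == "__main__":
    print(cashout_suspects(WITHDRAWALS, LIMIT_CHANGES))  # ['card-A']
```

Either signal alone is worth an alert; the intersection is the high-confidence case that should page the on-call fraud team rather than queue for review.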

Idaho prison inmates exploited tablet vulnerability to steal $225,000 in credits

A group of 364 prison inmates housed across a series of Idaho corrections facilities collectively stole nearly $225,000 worth of digital credits by exploiting a vulnerability in tablets provided by a company called JPay, according to the Associated Press. JPay is a private company that provides digital services like email, music, games, and money transfer to prison inmates.

JPay provides inmates with access to the outside world, and prisons often adopt its services to help with rehabilitation and education. It does not appear to use taxpayer money to fund any of its services, nor does any of its revenue from digital sales typically go to the state. Instead, JPay will either let family members or friends of inmates purchase the tablet for them, or it will foot the bill for the device itself, as it did for 53,000 inmates in the New York State prison system earlier this year.


The company appears to earn revenue in part by charging inmates for email use and digital media downloads, using a credit system to do so. “Having one of these tablets helps your loved ones pass the time, keep engaged and stay connected to you,” reads the company’s product page for the JP5 tablet.

By “intentionally exploiting a vulnerability within JPay to improperly increase their JPay account balances,” hundreds of inmates were able to credit their own accounts, Idaho Department of Correction spokesman Jeff Ray explained in a statement.

It’s not immediately clear what the vulnerability was, or how so many different inmates were able to exploit it, though presumably there was some form of clandestine communication about the hack being passed between inmates across various facilities. JPay has recovered around $65,000 worth of the credits, and it has suspended inmates’ ability to use those credits to download music and mobile games until the company has been compensated for its losses. Inmates are still allowed to use email, the report states.

According to the AP, most inmates gave themselves $1,000 in credits, while the largest amount was just under $10,000 worth. “This conduct was intentional, not accidental. It required a knowledge of the JPay system and multiple actions by every inmate who exploited the system’s vulnerability to improperly credit their account,” Ray added.