Author: James Ortega

Passkeys are Here

Chris explains in detail about Passkeys.


Industrial Control Systems Vulnerabilities Soar: Over One-Third Unpatched in 2023

About 34% of security vulnerabilities impacting industrial control systems (ICSs) that were reported in the first half of 2023 have no patch or remediation, registering a significant increase from 13% the previous year. According to data compiled by SynSaber, a total of 670 ICS product flaws were reported via the U.S. Cybersecurity and Infrastructure Security Agency (CISA) in the first half of

Source: Industrial Control Systems Vulnerabilities Soar: Over One-Third Unpatched in 2023


Researchers Find ‘Backdoor’ in Encrypted Police and Military Radios

A group of cybersecurity researchers has uncovered what they believe is an intentional backdoor in encrypted radios used by police, military, and critical infrastructure entities around the world. The backdoor may have existed for decades, potentially exposing a wealth of sensitive information transmitted across them, according to the researchers. While the researchers frame their discovery as a backdoor, the organization responsible for maintaining the standard pushes back against that specific term, and says the standard was designed for export controls which determine the strength of encryption. The end result, however, is radios with traffic that can be decrypted using consumer hardware like an ordinary laptop in under a minute. “There’s no other way in which this can function than that this is an intentional backdoor,” Jos Wetzels, one of the researchers from cybersecurity firm Midnight Blue, told Motherboard in a phone call. The research is the first public and in-depth analysis of the TErrestrial Trunked RAdio (TETRA) standard in the more than 20 years the standard has existed. Not all users of TETRA-powered radios use the specific encryption algorithm called TEA1 which is impacted by the backdoor. TEA1 is part of the TETRA standard approved for export to other countries. But the researchers also found multiple other vulnerabilities across TETRA that could allow historical decryption of communications and deanonymization. TETRA-radio users in general include national police forces and emergency services in Europe; military organizations in Africa; and train operators in North America and critical infrastructure providers elsewhere.
Midnight Blue will be presenting their findings at the upcoming Black Hat cybersecurity conference in August. The details of the talk have been closely under wraps, with the Black Hat website simply describing the briefing as a “Redacted Telecom Talk.” That reason for secrecy was in large part due to the unusually long disclosure process. Wetzels told Motherboard the team has been disclosing these vulnerabilities to impacted parties so they can be fixed for more than a year and a half. That included an initial meeting with Dutch police in January 2022, a meeting with the intelligence community later that month, and then the main bulk of providing information and mitigations being distributed to stakeholders. NLnet Foundation, an organization which funds “those with ideas to fix the internet,” financed the research. The European Telecommunications Standards Institute (ETSI), an organization that standardizes technologies across the industry, first created TETRA in 1995. Since then, TETRA has been used in products, including radios, sold by Motorola, Airbus, and more. Crucially, TETRA is not open-source. Instead, it relies on what the researchers describe in their presentation slides as “secret, proprietary cryptography,” meaning it is typically difficult for outside experts to verify how secure the standard really is. The researchers said they worked around this limitation by purchasing a TETRA-powered radio from eBay. In order to then access the cryptographic component of the radio itself, Wetzels said the team found a vulnerability in an interface of the radio. From there, they achieved code execution on the main application processor; they then jumped to the signals processor, which Wetzels described as something equivalent to a wifi or 3G chip, which handles the radio’s signals. On that chip, a secure enclave held the cryptographic ciphers themselves. 
The team finally found vulnerabilities in that enclave which allowed them to extract the cryptography and perform their analysis. The team then reverse-engineered how TETRA implemented its cryp

Source: Researchers Find ‘Backdoor’ in Encrypted Police and Military Radios


Commentary on the Implementation Plan for the 2023 US National Cybersecurity Strategy

The Atlantic Council released a detailed commentary on the White House’s new “Implementation Plan for the 2023 US National Cybersecurity Strategy.” Lots of interesting bits. So far, at least three trends emerge: First, the plan contains a (somewhat) more concrete list of actions than its parent strategy, with useful delineation of lead and supporting agencies, as well as timelines aplenty. By assigning each action a designated lead and timeline, and by including a new nominal section (6) focused entirely on assessing effectiveness and continued iteration, the ONCD suggests that this is not so much a standalone text as the framework for an annual, crucially iterative policy process. That many of the milestones are still hazy might be less important than the commitment the administration has made to revisit this plan annually, allowing the ONCD team to leverage their unique combination of topical depth and budgetary review authority. Second, there are clear wins. Open-source software (OSS) and support for energy-sector cybersecurity receive considerable focus, and there is a greater budgetary push on both technology modernization and cybersecurity research. But there are missed opportunities as well. Many of the strategy’s most difficult and revolutionary goals—­holding data stewards accountable through privacy legislation, finally implementing a working digital identity solution, patching gaps in regulatory frameworks for cloud risk, and implementing a regime for software cybersecurity liability—­have been pared down or omitted entirely. There is an unnerving absence of “incentive-shifting-focused” actions, one of the most significant overarching objectives from the initial strategy. This backpedaling may be the result of a new appreciation for a deadlocked Congress and the precarious present for the administrative state, but it falls short of the original strategy’s vision and risks making no progress against its most ambitious goals.
Third, many of the implementation plan’s goals have timelines stretching into 2025. The disruption of a transition, be it to a second term for the current administration or the first term of another, will be difficult to manage under the best of circumstances. This leaves still more of the boldest ideas in this plan in jeopardy and raises questions about how best to prioritize, or accelerate, among those listed here.

Source: Commentary on the Implementation Plan for the 2023 US National Cybersecurity Strategy


Linux Tier List

This list was created by Chris Titus. Interesting how he has these grouped.


Fast machines, slow machines – Julio Merino (jmmv.dev)

A recent Twitter post comparing an older computer running Windows NT 3.51 and a newer one running Windows 11 showed the older computer loading apps instantly while the newer computer showed significant lag. This opened up a discussion on how, while computers have gotten better, performance on trivial tasks has regressed. Latency on modern computer interfaces is getting worse. Frameworks, layers of abstraction, and the mass adoption of managed and interpreted languages are causing a lot of this latency.

Source: Fast machines, slow machines – Julio Merino (jmmv.dev)


FBI: FISA Section 702 ‘absolutely critical’ • The Register

No protection without surveillance?

Source: FBI: FISA Section 702 ‘absolutely critical’ • The Register


Snowden Ten Years Later

In 2013 and 2014, I wrote extensively about new revelations regarding NSA surveillance based on the documents provided by Edward Snowden. But I had a more personal involvement as well. I wrote the essay below in September 2013. The New Yorker agreed to publish it, but the Guardian asked me not to. It was scared of UK law enforcement, and worried that this essay would reflect badly on it. And given that the UK police would raid its offices in July 2014, it had legitimate cause to be worried. Now, ten years later, I offer this as a time capsule of what those early months of Snowden were like. It’s a surreal experience, paging through hundreds of top-secret NSA documents. You’re peering into a forbidden world: strange, confusing, and fascinating all at the same time. I had flown down to Rio de Janeiro in late August at the request of Glenn Greenwald. He had been working on the Edward Snowden archive for a couple of months, and had a pile of more technical documents that he wanted help interpreting. According to Greenwald, Snowden also thought that bringing me down was a good idea. It made sense. I didn’t know either of them, but I have been writing about cryptography, security, and privacy for decades. I could decipher some of the technical language that Greenwald had difficulty with, and understand the context and importance of various documents. And I have long been publicly critical of the NSA’s eavesdropping capabilities. My knowledge and expertise could help figure out which stories needed to be reported. I thought about it a lot before agreeing. This was before David Miranda, Greenwald’s partner, was detained at Heathrow airport by the UK authorities; but even without that, I knew there was a risk. I fly a lot—a quarter of a million miles per year—and being put on a TSA list, or being detained at the US border and having my electronics confiscated, would be a major problem. So would the FBI breaking into my home and seizing my personal electronics.
But in the end, that made me more determined to do it. I did spend some time on the phone with the attorneys recommended to me by the ACLU and the EFF. And I talked about it with my partner, especially when Miranda was detained three days before my departure. Both Greenwald and his employer, the Guardian, are careful about whom they show the documents to. They publish only those portions essential to getting the story out. It was important to them that I be a co-author, not a source. I didn’t follow the legal reasoning, but the point is that the Guardian doesn’t want to leak the documents to random people. It will, however, write stories in the public interest, and I would be allowed to review the documents as part of that process. So after a Skype conversation with someone at the Guardian, I signed a letter of engagement. And then I flew to Brazil. I saw only a tiny slice of the documents, and most of what I saw was surprisingly banal. The concerns of the top-secret world are largely tactical: system upgrades, operational problems owing to weather, delays because of work backlogs, and so on. I paged through weekly reports, presentation slides from status meetings, and general briefings to educate visitors. Management is management, even inside the NSA. Reading the documents, I felt as though I were sitting through some of those endless meetings. The meeting presenters try to spice things up. Presentations regularly include intelligence success stories. There were details—what had been found, and how, and where it helped—and sometimes there were attaboys from “customers” who used the intelligence. I’m sure these are intended to remind NSA employees that they’re doing good. It definitely had an effect on me. Those were all things I want the NSA to be doing. There were so many code names. Everything has one: every program, every piece of equipment, every piece of software. Sometimes code names had their own code names.
The biggest secrets seem to be the underlying real-world information: which particular company MONEYROCKET is; what software vulnerability EGOTISTICALGIRAFFE—really, I am not making that one up—is; how TURBINE works. Those secrets collectively have

Source: Snowden Ten Years Later


Ten years ago, Edward Snowden warned us about state spying. Spare a thought for him, and worry about the future | Alan Rusbridger

Even amid the cacophony of social media, most journalism is met with a shrug or a murmur. But one story the Guardian published 10 years ago today exploded with the force of an earthquake. The article revealed that the US National Security Agency (NSA) was collecting the phone records of millions of Verizon customers. In case anyone doubted the veracity of the claims, we were able to publish the top secret court order handed down by the foreign intelligence surveillance court (Fisa), which granted the US government the right to hold and scrutinise the metadata of millions of phone calls by American citizens. The document was marked TOP SECRET//SI//NOFORN – an extremely high level of classification which meant that it was not to be shared with any foreign governments, far less Guardian journalists or, God forbid, Guardian readers. Who knows the degree of panic that spread through the upper echelons of the US intelligence system as they tried to work out how such a sensitive document had found its way into the public domain. But that will have been nothing to the dawning realisation – in the UK as well as the US – that this was but the tip of a very large and ominous iceberg. Over the following weeks, the Guardian (joined by the Washington Post, New York Times and ProPublica) led the way in publishing dozens more documents disclosing the extent to which US, UK, Australian and other allied governments were building the apparatus for a system of mass surveillance that George Orwell could hardly have dared imagine when he wrote his dystopic novel Nineteen Eighty-Four. Within a few days, the source of the documents, Edward Snowden, unmasked himself on the Guardian website and for weeks thereafter the stories dominated the news around the world. It has since been memorialised in at least three films, stage dramas, books, numerous academic papers … and even an album.
It led to multiple court actions in which governments were found to have been in breach of their constitutional and/or legal obligations. It led to a scramble by governments to retrospectively pass legislation sanctioning the activities they had been covertly undertaking. And it has led to a number of stable-door attempts to make sure journalists could never again do what the Guar

Source: Ten years ago, Edward Snowden warned us about state spying. Spare a thought for him, and worry about the future | Alan Rusbridger


This is How Far the Feds Go to Spy on You

All we want is your metadata. Bluffdale has plenty of room for you. Enjoy!