
Silicon Valley should work with the US government in Washington to arrive at a solution that gives law enforcement access to encrypted comms, but that respects individual privacy.

That's according to former White House counterterrorism and cybersecurity official Daniel Rosenthal, who was debating where the issue of encryption should go next.

Nonsense, responded Cindy Cohn of the Electronic Frontier Foundation (EFF), on stage at the Versus conference in San Francisco. If the tech sector offers some form of compromise now, the government will only come asking for more later.

In the week since Donald Trump was elected president, tech companies have reported a 25 per cent spike in people encrypting their communications.

The reason why is not hard to discern: on the campaign trail the Republican nominee repeatedly stated that he would be prepared to use the full power of the federal government to carry out his policy goals, which includes the forced deportation of millions of people, the surveillance of millions of others, and the pursuit of terrorism above all else.

What's more, Trump weighed in on the biggest showdown in the past decade between law enforcement and the tech industry, telling crowds that they should boycott Apple over its refusal to bypass its own security and grant the FBI access to a locked phone that belonged to San Bernardino shooter Syed Farook.

Risk

Both Rosenthal and Cohn acknowledged that the likelihood of the executive branch of the US government pushing for a backdoor into encryption was "significantly greater" under the Trump Administration.

Both did offer some consolation: Rosenthal said there still remained forces within the executive branch that would argue for the value of strong encryption and the importance of privacy; Cohn promised that the EFF will continue to fight – as it has for decades – to prevent government overreach.

But while both agreed in general, Rosenthal and Cohn represented two very different viewpoints, themselves reflecting two very different attitudes on the East and West Coasts of the United States.

Both agreed that the bill put forward by Senators Dianne Feinstein and Richard Burr in April was a horrible piece of legislation (it eventually died, but not without significant effort being made to kill it).

Rosenthal warned, however, that if the tech industry rules out working on ways to open up access to encrypted data, it may find itself left out of the conversation when the "inevitable" next terrorist attack hits the United States and the government reacts to it with new laws.

Cohn stuck with well-worn arguments about the mathematics of encryption: weakened encryption is weak for everyone, and a backdoor is a backdoor as much for bad actors as for law enforcement.

She also warned that if the US government pushes a law to undermine encryption, it sends a signal to the rest of the world's governments, and makes it impossible for tech companies to stand up to other, inevitable demands from across the world.

Déjà vu

This is not the first time this debate has played out – for months this year the back-and-forth over encryption turned into fixed positions.

Rosenthal fell back on flattering the West Coast as being "much smarter" and urging tech companies to figure out a way to make breakable encryption possible. In response, Cohn offered the logic of math and argued that everyone has access to prime numbers. She shook her head at the Washington, DC policy process of finding a middle ground between opposing sides: there is no middle ground on encryption – it works or it doesn't.

Fortunately, neither fed into the familiar insults traded between the coasts – but they did reference them: Silicon Valley doesn't care about terrorism; Washington, DC doesn't care about its citizens' privacy.

Rosenthal thinks that Apple should feel an obligation to be a "good citizen"; Cohn notes that law enforcement agencies should be obliged to follow the law and run all requests for information through the legal process – "because companies are not always in the best position to evaluate requests or know if the system is being misused."

In short, despite the best efforts of two very knowledgeable individuals actively looking to find some common ground, nothing new was uncovered.

It's also notable that neither Cohn nor Rosenthal currently possess government or tech industry roles. It is, of course, possible that there are lots of positive conversations going on behind closed doors between DC and Silicon Valley. But it seems unlikely.

What seems even more unlikely is that the conversation will start with the arrival of the Trump Administration. Trump's stated policies are in many ways antithetical to both the politics and the finances of Silicon Valley.

Trouble ahead

When that inevitable next terrorist attack does come, we can expect to see the Apple versus FBI argument return – but this time with much higher stakes and carried out in much louder voices. Just as with the election itself, there is less and less room for compromise. One side will win, and one side will lose.

Where will it fall? It will come down to Trump and whether he can persuade Congress to enact a new law. The Obama Administration was split on the issue and the President very publicly sat on the fence. That is far less likely to happen with the President-elect.

If there is a large terrorist attack, as Rosenthal noted, the people's concerns about privacy will fall away if they are offered a firm hand and a clearly stated solution.

And while Tim Cook has taken a principled stance on privacy and encryption, and Google and Facebook and many other tech companies have said they support that view – no one has ever said they will ignore the law of the land. ®



The Register - Security

Researcher Dawid Golunski has discovered multiple severe vulnerabilities affecting the popular open source database MySQL and its forks (e.g. MariaDB, Percona).

CVE-2016-6662

One of these – CVE-2016-6662 – can be exploited by attackers to inject malicious settings into MySQL configuration files or create new ones, allowing them to execute arbitrary code with root privileges when the MySQL service is restarted. This could lead to total compromise of the server running the vulnerable MySQL version.

“The vulnerability affects all MySQL servers in default configuration in all version branches (5.7, 5.6, and 5.5) including the latest versions, and could be exploited by both local and remote attackers,” Golunski has explained in an advisory published on Monday.

“Both the authenticated access to MySQL database (via network connection or web interfaces such as phpMyAdmin) and SQL Injection could be used as exploitation vectors.”

So far, Oracle – who acquired the software company that developed MySQL in 2010 – has yet to push out a fix for this and other issues. Golunski reported them to Oracle and the vendors of other affected forks in late July, and Percona and MariaDB vendors have already pushed out new releases that plugged CVE-2016-6662.

As these new releases were accompanied by details about the vulnerability, and Oracle’s next Critical Patch Update is scheduled for 18 October 2016, Golunski has decided to start disclosing the vulnerabilities he found, so that users can do everything in their power to minimize risk of exploitation until patches are made available.

The advisory also contains a limited PoC exploit. A full exploit and details about CVE-2016-6663, the flaw that allows low-privileged attackers to effect the same attack, will be published soon.

“As temporary mitigations, users should ensure that no mysql config files are owned by mysql user, and create root-owned dummy my.cnf files that are not in use,” Golunski advised, but stressed that applying official vendor patches as soon as they become available will be the ultimate solution for this issue.
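An added example, not part of Golunski's advisory or of MySQL itself, that turns the two interim mitigations above into a check a defender can run from cron; the config file locations and the `mysql` service account name are assumptions for a typical Linux install:

```shell
#!/bin/sh
# Added example, not from Golunski's advisory: audit the config files mysqld
# reads for the ownership weakness behind CVE-2016-6662. A config file the
# mysql service account can write lets a compromised account plant settings
# that run as root on the next restart; a root-owned dummy closes that gap.

# Locations searched by mysqld on common Linux layouts (assumed; adjust as needed)
MYSQL_CNF_PATHS="/etc/my.cnf /etc/mysql/my.cnf /usr/etc/my.cnf"

# cnf_status FILE SERVICE_USER
# Prints one word: missing (no file, so create a root-owned dummy),
# unsafe (owned by the service account), or ok (owned by another user).
cnf_status() {
    file=$1
    svc_user=$2
    if [ ! -e "$file" ]; then
        echo missing
        return 0
    fi
    # ls -ld behaves the same on GNU and BSD userlands; field 3 is the owner
    owner=$(ls -ld "$file" | awk '{print $3}')
    if [ "$owner" = "$svc_user" ]; then
        echo unsafe
    else
        echo ok
    fi
}

# audit_mysql_cnf [SERVICE_USER]
# Prints a line per path with the mitigation the advisory recommends and
# returns the number of unsafe files, so a cron job can alert on non-zero.
audit_mysql_cnf() {
    svc_user=${1:-mysql}
    bad=0
    for f in $MYSQL_CNF_PATHS; do
        case $(cnf_status "$f" "$svc_user") in
            missing) echo "$f: missing -> touch $f && chown root:root $f && chmod 644 $f" ;;
            unsafe)  echo "$f: UNSAFE  -> owned by $svc_user; chown root:root $f"
                     bad=$((bad + 1)) ;;
            ok)      echo "$f: ok" ;;
        esac
    done
    return $bad
}

# Run the audit only when MYSQL_CNF_AUDIT names the service user, so sourcing is side-effect free
if [ -n "${MYSQL_CNF_AUDIT:-}" ]; then
    audit_mysql_cnf "$MYSQL_CNF_AUDIT"
fi
```

Run it as `MYSQL_CNF_AUDIT=mysql sh audit.sh` and treat any UNSAFE line as a finding until the vendor patch is applied.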


Help Net Security

In their quest to compromise WordPress installations and prevent site owners from discovering it and cleaning up the website, blackhat SEO spammers have turned to modifying core WordPress files.


The content management system’s popularity and the fact it is used by many site owners and admins that are not that tech savvy make WordPress sites an easy target for attackers.

The initial compromise usually happens due to the use of weak passwords, malware, and outdated WP installations, themes or plugins with exploitable vulnerabilities.

The scammers then usually add malicious scripts to the theme files (such as header.php or footer.php) or modify files in the root of the WordPress install (e.g. index.php, wp-load.php), and that’s where site owners are bound to look first when searching for malicious content.

Infecting core WordPress files

But in a situation encountered by Sucuri analyst Luke Leal, SEO scammers injected one core WordPress file (./wp-includes/load.php) with a trigger that forces the loading of a second file (./wp-admin/includes/class-wp-text.php) that was added to the core install.

“A website owner contacted us worried about pornographic content showing in Google results for their site. As you can imagine, he was eager to have it removed from his business site. They were already losing countless potential customers and damaging existing relationships,” Leal explained.

The ./wp-admin/includes/class-wp-text.php file was able to identify whether the visitor is a search bot or a human, and to serve different content accordingly. Humans would see a normal site, while bots would see pornographic spam data pulled from a malicious URL that the attackers can easily change whenever they want.

“This particular SEO spam not only created bogus meta-data for the main text link and description, it also changed the sitelink snippets (short descriptions of secondary page content) below the client’s initial hyperlinks,” the analyst shared, and noted that such a compromise can have an extreme negative impact.

“This harms the website’s reputation with visitors and will lead to a warning on the search engine results page claiming ‘This Site May Be Hacked’. This warning will undoubtedly lower your incoming traffic by a significant amount and affect your ranking position if nothing is done about it.”

Tips for keeping WordPress secure

Leal offered advice for keeping your WP-based site(s) free of infection:

  • Use strong passwords
  • Minimize the number of WP admins
  • Keep WP, themes and plugins updated
  • Remove unused software
  • Use WP hardening techniques

But, if all fails and your site gets compromised, a file monitoring solution is a great way to detect it almost instantly.

“File monitoring does exactly what it sounds like. It forms a baseline of your current environment and then alerts you to any changes to that baseline (i.e. new files, modified files, deleted files, etc.),” he explained.


Help Net Security