The sides are choosing up in the currently-raging encryption backdoor debate. Despite encryption playing little or no role in the recent Paris and San Bernardino attacks, that hasn’t stopped state lawmakers from submitting bills in both New York and California calling for backdoors in devices sold therein. Presidential candidates have weighed in on the subject, and Randall Stephenson, CEO of AT&T, declared that the best position for technology companies was, at best, supine.
However, it’s by no means a one-sided conversation. Stephenson was replying to strong pushback against government-imposed backdoors by Tim Cook of Apple (and a host of others), while the digital affairs minister of France blocked similar efforts, stating that weakening encryption “is not the right solution”. Even Admiral Mike Rogers said arguments for breaking encryption are “a waste of time to me” – and he’s head of a little talking shop called the National Security Agency.
STATUS: Well, you should know where we stand by now – with the forces of reality and math. Lest we forget, the Juniper Networks cluster-fiesta (which we wrote about at length last week) was a direct result of multiple (bad) decisions allowing backdoors in ScreenOS software. Magical thinking is fun, but don’t build your security on it.
This Week’s Hardcoded Backdoor News
Only a month after Juniper’s disclosure, hard-coded SSH passwords have been discovered in devices sold by security company Fortinet. These appear to have been in place since at least 2014, allow unauthorized access to a plethora of Fortinet products, and are described by that company, not as a “root backdoor that totally owns your box”, but as a “management authentication issue”.
Meanwhile, audiovisual devices from vendor AMX – used by clients from Lord’s Cricket Ground to the US military – turn out to have backdoor accounts created by folks who sure like their comic book heroes. As reported (entertainingly) by researchers at SEC Consult, the first mystery account discovered allowed access to a user named “Black Widow”. After much exchanging of emails, AMX replaced the username with another – “1MB@tMaN” – but left the account (and the associated security hole) in place.
STATUS: If you happen to be running Fortinet hardware, you’ll want to patch your firmware immediately – the good folks at the Internet Storm Center report a strong uptick in scanning for vulnerable devices (mostly from two IP addresses in China). Similarly, patch any AMX devices you’re using to get rid of that *cough* “debugging account”.
Mass Surveillance Declared Actually Illegal
Finally, British tech site The Register reports on a case decided by the European Court of Human Rights with big implications across that continent. Szabó and Vissy v. Hungary (warning: legalese) sharply narrowed the scope of a broadly-written Hungarian surveillance law to require a case-by-case determination “whether sufficient reasons for intercepting a specific individual’s communications exist”. The European Convention on Human Rights includes a specific right to privacy, and wide nets which scoop up internet data for later parsing tend to violate this – so they’re now illegal.
This is, of course, only applicable to Europe, but throws an axle-breaking stump in the path of surveillance laws the current UK government would dearly like to adopt. As El Reg notes, Parliament can pass any laws it chooses, but the proposals now on tap would immediately be challenged – and successfully – in Europe’s human rights courts.
STATUS: We do try to end on the upswing. Let’s just note a small victory for sanity in a faraway place to kick off our weekend, shall we?
As always, we appreciate your reading the SSL.com Security Roundup, and remind you what SSL.com truly believes – a safer internet is a better internet.