
Huawei Trains African Surveillance, African Government Officials Spied On [Encryption Digest 9]

August 22, 2019 | Katrina Dobieski


We’d love to put ourselves out of a job and not have any more breaches, bungles or bad actors to report on. But until we all have secure cyber strategies and capable machine identity management, we’re happy to raise the warning voice to help us all encrypt safely.  A Capital One breach shakeout shows how status quo encryption may no longer be enough, and we’ve got a few airplanes and lava lamps thrown in. Plus, why the Bahamas should turn a special eye to government cybersecurity—now—and how Uganda’s government is probably misusing theirs.


Capital One Breach: What’s (Left) In Your Wallet? 

As we report yet another casualty in the ongoing cyber war, we go back to the scene of the crime to try to unpick which cryptographic protections were (or were not) in place leading up to the Capital One breach. 


The simple answer is one of two things: failing to use strong enough encryption, or failing to store the decryption keys properly. The simplest answer is that the encryption strategy, whatever it was, wasn’t up to par. Many times, this comes down to a certificate-related outage that essentially “knocks out the power” on one part of the crypto-electric fence and gives attackers a temporary pass-through. This is not uncommon.


Full details remain unclear, but however it was carried out, it took a 33-year-old female hacker to game the cybersecurity posture of this major US bank. Previously a systems engineer at Amazon Web Services (which hosted the Capital One account), she was knowledgeable, but no professional hacker. She exfiltrated millions of users’ records, then chatted about the haul online. Not interested in the cache, she left a link on GitHub and stated she “didn’t want it around.” 


Whoever might have gotten to the private stash of data in the three months it was posted is still an uncomfortable thought. 


It’s not that companies don’t encrypt. Capital One stated that encryption for them is a “standard”, but that the hacker had found a way to “decrypt” the data.  


Extra: A data breach affects your bottom line. It’s estimated the debacle will cost up to $150M in the early stages.


How many CIOs have left their enterprise vulnerable because of a certificate outage? It’s surprising. 

Remote-controlled... Boeing 787s?
One airplane security enthusiast’s Google search led him to find flaws in encryption that could potentially crash your party.


After downloading publicly available flight coding (who knew?) for a couple of Boeing commercial jets, security researcher Ruben Santamarta did some digging and discovered a few areas of weak encryption that could cause some industry turbulence. Left unchecked, those flaws could be jockeyed by bad actors to infiltrate anything from in-flight movies to mission-critical flight sensors. 


The findings were presented at Black Hat 2019. Honeywell, which wrote the code, vetted the vulnerabilities, and the lack of conclusive evidence that they could have fatal consequences prompted Boeing’s statement that “Boeing is confident that its airplanes are safe from cyberattack.”


However, “the flaws uncovered in the 787's code nonetheless represent a troubling lack of attention to cybersecurity.” This isn’t the first time Santamarta has uncovered encryption flaws in flight. He has punched holes in a few lines of aviation code before, but his findings were classified as “technical errors.”


Is it time the TSA issued a pat-down on aviation cryptography?


Bullet-Proof Code: What can you do to make sure your (or your airline’s) code hasn’t been fiddled with? Well, you could rent a $250M jet and run the tests yourself, or you could sign your code. What is code signing? It’s a notarized signature, if you will, signifying that once you’ve touched it, nobody else has.
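To make that "nobody else has touched it" promise concrete, here is an added example (not Venafi's code and not any aviation vendor's tooling) that signs a build artifact's SHA-256 digest with Ed25519 and shows that a single flipped bit, or a signature made with a key the verifier has not pinned, fails verification. The artifact bytes and the key material are constructed for the demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// signArtifact signs the SHA-256 digest of an artifact with the publisher's
// private key. Signing the digest keeps the signature fixed-size and lets a
// large binary be hashed in a stream before signing.
func signArtifact(priv ed25519.PrivateKey, artifact []byte) []byte {
	digest := sha256.Sum256(artifact)
	return ed25519.Sign(priv, digest[:])
}

// verifyArtifact recomputes the digest and checks the signature against the
// public key the verifier already trusts (pinned, not shipped with the file).
func verifyArtifact(pub ed25519.PublicKey, artifact, sig []byte) bool {
	digest := sha256.Sum256(artifact)
	return ed25519.Verify(pub, digest[:], sig)
}

// demo reports whether the untouched artifact verifies, whether a copy with
// one flipped bit verifies, and whether a signature from another key verifies.
func demo() (untouched, tampered, wrongKey bool, err error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return false, false, false, err
	}
	// Constructed stand-in for a flight-software build; not a real artifact.
	artifact := []byte("FLIGHT-SW build 4711 (constructed sample)")
	sig := signArtifact(priv, artifact)
	untouched = verifyArtifact(pub, artifact, sig)
	modified := append([]byte(nil), artifact...)
	modified[len(modified)-2] ^= 0x01 // flip a single bit in the artifact
	tampered = verifyArtifact(pub, modified, sig)
	_, otherPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return false, false, false, err
	}
	wrongKey = verifyArtifact(pub, artifact, signArtifact(otherPriv, artifact))
	return untouched, tampered, wrongKey, nil
}

func main() {
	u, t, w, err := demo()
	fmt.Println("untouched:", u, "tampered:", t, "wrong key:", w, "err:", err)
}
```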

Huawei Teaches Ugandan Officials To Bypass Encryption, Spy on Political Opponents  


Remember Huawei? They (and all their subsidiaries) were banned by Congress from doing business with any American government-related tech firm, and possibly for good reason.


A Wall Street Journal report uncovered allegations that the company used cell networks, local politics and overseas training to aid the Ugandan government in spying on its political foes. In what were apparently top-level surveillance courses, African intelligence operatives were coached on how to bypass encrypted chats and locate government officials through the Huawei network.


In an ironic twist of trade, French publication Le Monde reported that the Chinese government had been using those same tactics to spy on African leaders themselves, and potentially tens of millions of their citizens. According to the article, microphones and other cyber espionage tools were found in an African Union building sweep by Ethiopian cybersecurity experts, assumed to be planted by Chinese entities contracted to install the in-office tech. The AU will now configure its own servers and run official communications via wire, not Wi-Fi.


Huawei: "We didn't do it"

Said Huawei, “Our internal investigation shows clearly that Huawei and its employees have not been engaged in any of the activities alleged.” 

That’s a relief. 

Shaken, not Stirred: Bahamian Bonds Set to Go Digital   


Forget the timeshare. All the Bahamians want is a chance to trade bonds online.  


“We are getting ready to list over 200 government bonds, which (at the time of press) represents the entire portfolio of outstanding securities going back to 1999,” announced Deputy Prime Minister and Minister of Finance Peter Turnquest.


Keeping pace with the digital transformation, they are set to modernize and transition to a paperless registry, using digital certificates for government bonds and ushering in electronic trading for state securities. 


Bahamian cybersecurity is now really, really important

Now it is more important than ever to ensure a strong cryptographic posture and agile machine identity management strategy, especially across government data stores. We all know what happens to resulting market shares when entities don’t, and we’re wishing the Bahamas all the best on this one. 


Know your Acronyms: The Bahamas Government Registered Stocks (BGRS) are going to be listed on the Bahamas International Securities Exchange (BISX). In the process, they will be launching the Bahamas Government Registered Stock Depository (BGSD). That’s no BS, straight from the BS (Bahamas). 


Crypto and a Quantum Solve for Machine Identities

Right now, protecting the number of machine identities (ATMs, servers, IoT devices) is like juggling 10 balls at a time. Post-quantum, it will be like juggling 10,000 balls at a time.
CRYPTO4A is working on a solution.