Slashdot videos: Now with more Slashdot!

  • View

  • Discuss

  • Share

We've improved Slashdot's video section; now you can view our video interviews, product close-ups and site visits with all the usual Slashdot options to comment, share, etc. No more walled garden! It's a work in progress -- we hope you'll check it out (Learn more about the recent updates).

×
Encryption

FREAK Attack Threatens SSL Clients 69

Posted by Soulskill
from the another-day-another-vuln dept.
msm1267 writes: For the nth time in the last couple of years, security experts are warning about a new Internet-scale vulnerability, this time in some popular SSL clients. The flaw allows an attacker to force clients to downgrade to weakened ciphers and break their supposedly encrypted communications through a man-in-the-middle attack. Researchers recently discovered that some SSL clients, including OpenSSL, will accept weak RSA keys–known as export-grade keys–without asking for those keys. Export-grade refers to 512-bit RSA keys, the key strength that was approved by the United States government for export overseas. This was an artifact from decades ago and it was thought that most servers and clients had long ago abandoned such weak ciphers. The vulnerability affects a variety of clients, most notably Apple's Safari browser.
Android

Google Backs Off Default Encryption on New Android Lollilop Devices 119

Posted by Soulskill
from the give-the-people-what-the-government-wants dept.
An anonymous reader writes: Although Google announced in September 2014 that Android 5.0 Lollipop would require full-disk encryption by default in new cell phones, Ars Technica has found otherwise in recently-released 2nd-gen Moto E and Galaxy S6. It turns out, according to the latest version of the Android Compatibility Definition document (PDF), full-disk encryption is currently only "very strongly recommended" in anticipation of mandatory encryption requirements in the future. The moral of the story is: don't be lazy — check that your full-disk encryption is actually enabled.
Communications

Jolla Partners With SSH To Create Sailfish Secure 30

Posted by samzenpus
from the protect-ya-neck dept.
First time accepted submitter muckracer writes Finnish mobile company Jolla will be working with Finland's SSH Communications to offer another version of its SailfishOS platform with stronger security credentials. The partnership was announced today at Jolla's press conference in Barcelona at the Mobile World Congress trade show. SSH will be providing comms encryption and key management to Sailfish Secure.
Businesses

Under US Pressure, PayPal Stops Working With Mega 136

Posted by Soulskill
from the you-wouldn't-download-a-car dept.
New submitter seoras sends news that PayPal is now refusing to handle payments for Mega, Kim Dotcom's cloud storage service. A report (PDF) issued in September of last year claimed Mega and other "cyberlocker" sites made a great deal of illicit money off piracy. Mega disputes this, of course, and says the report caused U.S. Senator Patrick Leahy to pressure credit card companies to stop working with Mega. Those companies then pressured PayPal to stop as well. The hosting company claims, "MEGA provided extensive statistics and other evidence showing that MEGA’s business is legitimate and legally compliant. After discussions that appeared to satisfy PayPal’s queries, MEGA authorised PayPal to share that material with Visa and MasterCard. Eventually PayPal made a non-negotiable decision to immediately terminate services to MEGA."
Encryption

BlackPhone, In Wake of Gemalto Fallout, Receives $50 Million In Funding 59

Posted by timothy
from the small-steps dept.
An anonymous reader writes The BlackPhone, a $600-plus encrypted Android handset designed to keep the prying eyes of criminals and the government out of mobile communications, is now fully owned by Silent Circle thanks to the company raking in investment cash. Terms of the buyout deal with Spanish smartphone maker Geeksphone, the phone's hardware manufacturer, were not disclosed. Silent Circle said Thursday that it has raised $50 million and plans on showing off an encrypted 'enterprise privacy ecosystem' at World Mobile Congress next week. A BlackPhone tablet is on the way, too.
Security

OPSEC For Activists, Because Encryption Is No Guarantee 89

Posted by Soulskill
from the protect-yourself-before-somebody-wrecks-yourself dept.
Nicola Hahn writes: "In the wake of the Snowden revelations strong encryption has been promoted by organizations like The Intercept and Freedom of the Press Foundation as a solution for safeguarding privacy against the encroachment of Big Brother. Even President Obama acknowledges that "there's no scenario in which we don't want really strong encryption."

Yet the public record shows that over the years the NSA has honed its ability to steal encryption keys. Recent reports about the compromise of Gemalto's network and sophisticated firmware manipulation programs by the Office of Tailored Access Operations underscore this reality.

The inconvenient truth is that the current cyber self-defense formulas being presented are conspicuously incomplete. Security tools can and will fail. And when they do, what then? It's called Operational Security (OPSEC), a topic that hasn't received much coverage — but it should.
Encryption

Gemalto: NSA and GCHQ Probably Hacked Us, But Didn't Get SIM Encryption Keys 99

Posted by Soulskill
from the hand-in-the-encrypted-cookie-jar dept.
An anonymous reader writes: Last week The Intercept published a report saying agents from the NSA and GCHQ penetrated the internal computer network of Gemalto, the world's largest maker of SIM cards. Gemalto has done an internal investigation, and surprisingly decided to post its results publicly. The findings themselves are a bit surprising, too: Gemalto says it has "reasonable grounds to believe that an operation by NSA and GCHQ probably happened."

They say the two agencies were trying to intercept encryption keys that were being exchanged between mobile operators and the companies (like Gemalto) who supplied them with SIM cards. The company said it had noticed several security incidents in 2010 and 2011 that fit the descriptions in The Intercept's documents. Gemalto had no idea who was behind them until now. They add, "These intrusions only affected the outer parts of our networks – our office networks — which are in contact with the outside world. The SIM encryption keys and other customer data in general, are not stored on these networks." They claim proper use of encryption and isolation of different networks prevented attackers from getting the information they were after.
Encryption

Moxie Marlinspike: GPG Has Run Its Course 308

Posted by Soulskill
from the end-to-end-before-the-ends-moved dept.
An anonymous reader writes: Security researcher Moxie Marlinspike has an interesting post about the state of GPG-encrypted communications. After using GPG for much of its lifetime, he says he now dreads getting a GPG-encrypted email in his inbox. "Instead of developing opinionated software with a simple interface, GPG was written to be as powerful and flexible as possible. It's up to the user whether the underlying cipher is SERPENT or IDEA or TwoFish. The GnuPG man page is over sixteen thousand words long; for comparison, the novel Fahrenheit 451 is only 40k words. Worse, it turns out that nobody else found all this stuff to be fascinating. Even though GPG has been around for almost 20 years, there are only ~50,000 keys in the "strong set," and less than 4 million keys have ever been published to the SKS keyserver pool ever. By today's standards, that's a shockingly small user base for a month of activity, much less 20 years." Marlinspike concludes, "I think of GPG as a glorious experiment that has run its course. ... GPG isn't the thing that's going to take us to ubiquitous end to end encryption, and if it were, it'd be kind of a shame to finally get there with 1990's cryptography."
Encryption

NSA Director Wants Legal Right To Snoop On Encrypted Data 406

Posted by Soulskill
from the you-can-trust-us dept.
jfruh writes: This may not come as a huge shock, but the director of the NSA doesn't believe that you have the right to encrypt your data in a way that the government can't access it. At a cybersecurity policy event, Michael Rogers said that the U.S. should be able to craft a policy that allows the NSA and law enforcement agencies to read encrypted data when they need to.
Encryption

NSA, GHCQ Implicated In SIM Encryption Hack 155

Posted by samzenpus
from the protect-ya-neck dept.
First time accepted submitter BlacKSacrificE writes Australian carriers are bracing for a mass recall after it was revealed that a Dutch SIM card manufacturer Gemalto was penetrated by the GCHQ and the NSA in an alleged theft of encryption keys, allowing unfettered access to voice and text communications. The incident is suspected to have happened in 2010 and 2011 and seems to be a result of social engineering against employees, and was revealed by yet another Snowden document. Telstra, Vodafone and Optus have all stated they are waiting for further information from Gemalto before deciding a course of action. Gemalto said in a press release that they "cannot at this early stage verify the findings of the publication" and are continuing internal investigations, but considering Gemalto provides around 2 billion SIM cards to some 450 carriers across the globe (all of which use the same GSM encryption standard) the impact and fallout for Gemalto, and the affected carriers, could be huge.
Security

Ars: SSL-Busting Code That Threatened Lenovo Users Found In a Dozen More Apps 113

Posted by timothy
from the keeps-on-giving dept.
Ars Technica reports on the continuing revelations about the same junkware that Lenovo has shipped on their computers, but which is known now to be present in at least 14 pieces of software. The list of software known to use the same HTTPS-breaking technology recently found preinstalled on Lenovo laptops has risen dramatically with the discovery of at least 12 new titles, including one that's categorized as a malicious trojan by a major antivirus provider. ... What all these applications have in common is that they make people less secure through their use of an easily obtained root CA [certificate authority], they provide little information about the risks of the technology, and in some cases they are difficult to remove," Matt Richard, a threats researcher on the Facebook security team, wrote in Friday's post. "Furthermore, it is likely that these intercepting SSL proxies won't keep up with the HTTPS features in browsers (e.g., certificate pinning and forward secrecy), meaning they could potentially expose private data to network attackers. Some of these deficiencies can be detected by antivirus products as malware or adware, though from our research, detection successes are sporadic."
Censorship

Iran Allows VPNs To Make Millions In Profit 57

Posted by timothy
from the have-cake-and-eat-it-too dept.
New submitter Patrick O'Neill writes with this excerpt from The Daily Dot: Anti-censorship technology is de jure illegal in Iran, but many VPNs are sold openly, allowing Iranians to bounce around censorship and seemingly render it ineffective. Nearly 7 in 10 young Iranians are using VPNs, according to the country's government, and a Google search for "buy VPN" in Persian returns 2 million results. Iran's Cyber Police (FATA) have waged a high-volume open war against the VPNs, but it's still very easy to find, buy, and use the software. It's so easy, in fact, that you can use Iran's government-sanctioned payment gateways (Pardakht Net, Sharj Iran, Jahan Pay & Baz Pardakht) to buy the tools that'll beat the censors. To use these gateways, however, customers have to submit their Iranian bank account and identity, all but foregoing hopes of privacy or protection from authorities."
Encryption

TrueCrypt Audit Back On Track After Silence and Uncertainty 112

Posted by Soulskill
from the cryptic-silence dept.
itwbennett writes: In October 2013 Cryptography professor Matthew Green and security researcher Kenneth White launched a project to perform a professional security audit of TrueCrypt, partly prompted by the leaks from Edward Snowden that suggested the NSA was engaged in efforts to undermine encryption. Their report, published in April 2014, covered the first phase of the audit. Phase two was supposed to involve a formal review of the program's encryption functions, with the goal of uncovering any potential errors in the cryptographic implementations—but then the unexpected happened. In May 2014, the developers of TrueCrypt, who had remained anonymous over the years for privacy reasons, abruptly announced that they were discontinuing the project and advised users to switch to alternatives. Now, almost a year later, the project is back on track.
Cellphones

How NSA Spies Stole the Keys To the Encryption Castle 192

Posted by timothy
from the thanks-fellas-really-you've-done-enough dept.
Advocatus Diaboli writes with this excerpt from The Intercept's explanation of just how it is the NSA weaseled its way into one important part of our communications: AMERICAN AND BRITISH spies hacked into the internal computer network of the largest manufacturer of SIM cards in the world, stealing encryption keys used to protect the privacy of cellphone communications across the globe, according to top-secret documents provided to The Intercept by National Security Agency whistleblower Edward Snowden. The hack was perpetrated by a joint unit consisting of operatives from the NSA and its British counterpart Government Communications Headquarters, or GCHQ. The breach, detailed in a secret 2010 GCHQ document, gave the surveillance agencies the potential to secretly monitor a large portion of the world's cellular communications, including both voice and data.
Encryption

Darkleaks: an Online Black Market For Selling Secrets 44

Posted by timothy
from the hey-bub-psssst dept.
An anonymous reader writes Whistleblowers and those individuals that are simply out to make a buck out of any confidential and valuable information, can now offer it for sale on Darkleaks, a decentralized, anonymous black market on the Internet. The Darkleaks project is built on top of the Bitcoin blockchain, and can be used by downloading this software package (source code is open).
Bug

Duplicate SSH Keys Put Tens of Thousands of Home Routers At Risk 114

Posted by timothy
from the vewy-vewy-quiet dept.
alphadogg (971356) writes A setup mistake has apparently left hundreds of thousands of home routers running the SSH (Secure Shell) remote access tool with identical private and public keys. John Matherly, founder of a specialized search engine company whose technology is used for querying Internet-connected devices, found more than 250,000 devices that appear to be deployed by Telefónica de España sharing the same public SSH key. A different search found another 150,000 devices, mostly in China and Taiwan, that have the same problem. Matherly said in a phone interview on Wednesday it is possible the manufacturers copied the same operating system image to all of the routers.
Encryption

Samsung Smart TVs Don't Encrypt the Voice Data They Collect 153

Posted by samzenpus
from the even-worse dept.
itwbennett writes A week ago, the revelation that Samsung collects words spoken by consumers when they use the voice recognition feature in their smart TVs enraged privacy advocates, since according to Samsung's own privacy policy those words can in some cases include personal or sensitive information. Following the incident, David Lodge, a researcher with a U.K.-based security firm called Pen Test Partners, intercepted and analyzed the Internet traffic generated by a Samsung smart TV and found that Samsung does send captured voice data to a remote server using a connection on port 443, a port typically associated with encrypted HTTPS, but that the data was not encrypted. "It's not even HTTP data, it's a mix of XML and some custom binary data packet," said Lodge in a blog post.
Encryption

Obama Says He's 'A Strong Believer In Strong Encryption' 220

Posted by Soulskill
from the except-when-it-helps-the-terrists dept.
An anonymous reader writes: U.S. President Barack Obama spoke with Re/code recently on a variety of topics relating to technology. The talk included the president's thoughts on encryption, which has been a controversial subject in tech circles lately after government officials (including Obama himself) have publicly complained about default encryption in modern communication tools. In the interview, he says he's a "strong believer in strong encryption," adding, "I lean probably further on side of strong encryption than some in law enforcement." Obama puts it another way, more bluntly: "There's no scenario in which we don't want really strong encryption." However, the president says the public itself is driving concern for leaving law enforcement a way in: "The first time that an attack takes place in which it turns out that we had a lead and we couldn't follow up on it, the public's going to demand answers."
Programming

Ask Slashdot: What Portion of Developers Are Bad At What They Do? 809

Posted by Soulskill
from the very-small-shell-scripts dept.
ramoneThePoolGuy writes: We are looking to fill a senior developer/architect position in our firm. I am disappointed with the applicants thus far, and quite frankly it has me worried about the quality of developers/engineers available to us. For instance, today I asked an engineer with 20+ years of experience to describe to me the basic process of public/private key encryption. This engineer had no clue. I asked another applicant a similar question: "Suppose you wanted to send me a file with very sensitive information, how would you encrypt it in such a way that I would decrypt it?" The person started off by asking me if it was an excel file, a PDF, etc. In general, I'm finding that an overwhelming number of developers I've interviewed have poor understanding of key concepts, especially when it comes to securing data. Are other firms experiencing this same dilemma in finding qualified applicants? (Quite frankly it scares me that some of these developers are building sites that need to be secure)"
Encryption

New Encryption Method Fights Reverse Engineering 215

Posted by Soulskill
from the with-many-obfuscations,-all-bugs-are-deep dept.
New submitter Dharkfiber sends an article about the Hardened Anti-Reverse Engineering System (HARES), which is an encryption tool for software that doesn't allow the code to be decrypted until the last possible moment before it's executed. The purpose is to make applications as opaque as possible to malicious hackers trying to find vulnerabilities to exploit. It's likely to find work as an anti-piracy tool as well. To keep reverse engineering tools in the dark, HARES uses a hardware trick that’s possible with Intel and AMD chips called a Translation Lookaside Buffer (or TLB) Split. That TLB Split segregates the portion of a computer’s memory where a program stores its data from the portion where it stores its own code’s instructions. HARES keeps everything in that “instructions” portion of memory encrypted such that it can only be decrypted with a key that resides in the computer’s processor. (That means even sophisticated tricks like a “cold boot attack,” which literally freezes the data in a computer’s RAM, can’t pull the key out of memory.) When a common reverse engineering tool like IDA Pro reads the computer’s memory to find the program’s instructions, that TLB split redirects the reverse engineering tool to the section of memory that’s filled with encrypted, unreadable commands.