Security

Cyberlock Lawyers Threaten Security Researcher Over Vulnerability Disclosure 78

Posted by Soulskill
from the what-year-is-this dept.
qubezz writes: Security researcher Phar (Mike Davis/IOActive) gave his 30 days of disclosure notice to Cyberlock (apparently a company that makes electronic lock cylinders) that he would release a public advisory on vulnerabilities he found with the company's security devices. On day 29, their lawyers responded with a request to refrain, feigning ignorance of the previous notice, and invoking mention of the DMCA (this is not actually a DMCA takedown notice, as the law firm is attempting to suppress initial disclosure through legal wrangling). Mike's blog states: "The previous DMCA threats are from a company called Cyberlock, I had planned to do a fun little blog post (cause i ... hate blog posts) on the fun of how I obtained one, extracted the firmware bypassing the code protection and figured out its "encryption" and did various other fun things a lock shouldn't do for what its marketed as.. But before I could write that post I needed to let them know what issues we have deemed weaknesses in their gear.. the below axe grinderery is the results. (sic)" What should researchers do when companies make baseless legal threats to maintain their security-through-obscurity? Related: Bitcoin exchange company Coinbase has been accused of spying on a dark net researcher.
Security

USBKill Transforms a Thumb Drive Into an "Anti-Forensic" Device 271

Posted by timothy
from the content-scrambling-system dept.
Orome1 writes with a snippet from a report at net-security.org; a hacker going by Hephaestos has shared with the world a Python script that, when put on an USB thumb drive, turns the device in an effective kill switch for the computer to which it's plugged in. USBkill, as the programmer dubbed it, "waits for a change on your USB ports, then immediately kills your computer." The device would be useful "in case the police comes busting in, or steals your laptop from you when you are at a public library," Hephaestos explained.
Communications

WikiLeaks' Anonymous Leak Submission System Is Back After Nearly 5 Years 26

Posted by timothy
from the drop-'em-a-line dept.
Sparrowvsrevolution writes: On Friday, WikiLeaks announced that it has finally relaunched a beta version of its leak submission system after a 4.5 year hiatus. That file-upload site, which once served as a central tool in WIkiLeaks' leak-collecting mission, runs on the anonymity software Tor to allow uploaders to share documents and tips while protecting their identity from any network eavesdropper, and even from WikiLeaks itself. In 2010 the original submission system went down amid infighting between WikiLeaks' leaders and several of its disenchanted staffers, including several who left to create their own soon-to-fail project called OpenLeaks. WikiLeaks founder Julian Assange says that the new system, which was delayed by his legal troubles and the banking industry blockade against the group, is the final result of "four competing research projects" WikiLeaks launched in recent years. He adds that it has several less-visible submission systems in addition to the one it's now revealed. "Currently, we have one public-facing and several private-facing submission systems in operation, cryptographically, operationally and legally secured with national security sourcing in mind," Assange writes.
Security

Once a Forgotten Child, OpenSSL's Future Now Looks Bright 76

Posted by samzenpus
from the shot-in-the-arm dept.
Trailrunner7 writes: Rarely does anything have a defined turning point in its history, a single day where people can point and say that was the day everything changed. For OpenSSL, that day was April 7, 2014, the day that Heartbleed became part of the security lexicon. Heartbleed was a critical vulnerability in the venerable crypto library. OpenSSL is everywhere, in tens of thousands of commercial and homespun software projects. And so too, as of last April, was Heartbleed, an Internet-wide bug that leaked enough memory that a determined hacker could piece together anything from credentials to encryption keys.

"Two years ago, it was a night-and-day difference. Two years ago, aside from our loyal user community, we were invisible. No one knew we existed," says Steve Marquess, cofounder, president and business manager of the OpenSSL Foundation, the corporate entity that handles commercial contracting for OpenSSL. "OpenSSL is used everywhere: hundreds, thousands of vendors use it; every smartphone uses it. Everyone took that for granted; most companies have no clue they even used it." To say OpenSSL has been flipped on its head—in a good way—is an understatement.

Heartbleed made the tech world realize that the status quo wasn't healthy to the security and privacy of ecommerce transactions and communication worldwide. Shortly after Heartbleed, the Core Infrastructure Initiative was created, uniting The Linux Foundation, Microsoft, Facebook, Amazon, Dell, Google and other large technology companies in funding various open source projects. OpenSSL was the first beneficiary, getting enough money to hire Dr. Steve Henson and Andy Polyakov as its first full-timers. Henson, who did not return a request to be interviewed for this article, is universally known as the one steady hand that kept OpenSSL together, an unsung hero of the project who along with other volunteers handled bug reports, code reviews and changes.
Encryption

FBI Slammed On Capitol Hill For "Stupid" Ideas About Encryption 173

Posted by samzenpus
from the stupid-is-as-stupid-does dept.
blottsie writes: At a hearing in Washington, D.C., on Wednesday, the FBI endured outright hostility as both technical experts and members of Congress from both parties roundly criticized the law enforcement agency's desire to place so-called back doors into encryption technology. "Creating a technological backdoor just for good guys is technologically stupid," said Rep. Ted Lieu (D-Calif.), a Stanford University computer science graduate. "That's just stupid. Our founders understood that an Orwellian overreaching government is one of the most dangerous things this world could have," Lieu said.
Crime

TeslaCrypt Isn't All That Cryptic 52

Posted by timothy
from the nelson-laugh dept.
citpyrc writes: TeslaCrypt, the latest-and-greatest ransomware branch off of the CryptoWall family, claims to the unwitting user that his/her documents are encrypted with "a unique public key generated for this computer". This coudn't be farther from truth. In actuality, the developers of this malware appear to have been lazy and implemented encryption using symmetric AES256 with a decryption key generated on the user's machine. If any of your machines are afflicted, Talos has developed a tool that can be used to generate the user's machine's symmetric key and decrypt all of the ransomed files.
Input Devices

Linux 4.1 Bringing Many Changes, But No KDBUS 232

Posted by samzenpus
from the latest-and-greatest dept.
An anonymous reader writes: The first release candidate of Linux 4.1 is now available. Linus noted, "The merge window is pretty normal in terms of what got merged too. Just eyeballing the size, it looks like this is going to fit right in — while 4.0 was a bit smaller than usual, 4.1 seems to be smack dab in the middle of the normal range for the last couple of years." There are numerous new features in Linux 4.1, like Xbox One controller force feedback support, better Wacom tablet support, Intel Atom SoC performance improvements, Radeon DisplayPort MST support, EXT4 file-system encryption, ChromeOS Lightbar support, and ACPI for 64-bit ARM, among other additions. However, KDBUS wasn't accepted for Linux 4.1.
Security

New Javascript Attack Lets Websites Spy On the CPU's Cache 134

Posted by samzenpus
from the protect-ya-neck dept.
An anonymous reader writes: Bruce Upbin at Forbes reports on a new and insidious way for a malicious website to spy on a computer. Any computer running a late-model Intel microprocessor and a Web browser using HTML5 (i.e., 80% of all PCs in the world) is vulnerable to this attack. The exploit, which the researchers are calling "the spy in the sandbox," is a form of side-channel attack. Side channel attacks were previously used to break into cars, steal encryption keys and ride the subway for free, but this is the first time they're targeted at innocent web users. The attack requires little in the way of cost or time on the part of the attacker; there's nothing to install and no need to break into hardened systems. All a hacker has to do is lure a victim to an untrusted web page with content controlled by the attacker.
Television

In New Zealand, a Legal Battle Looms Over Streaming TV 106

Posted by timothy
from the why-consider-this-pen-your-honor dept.
SpacemanukBEJY.53u writes After a threat from a law firm, two New Zealand ISPs have withdrawn services that let their customers navigate to content sites outside the country that world normally be geo-blocked. Using VPNs or other services to access content restricted by region isn't specifically outlawed in either New Zealand or in neighboring Australia, but it appears the entertainment industry is prepared to go to court to try and argue that such services can violate copyright law. Intellectual property experts said the situation in New Zealand, if it goes to court, could result in the first test case over the legality of skirting regional restrictions.
Encryption

Turing Manuscript Sells For $1 Million 44

Posted by samzenpus
from the compensation-game dept.
itwbennett writes A 56-page notebook manuscript by Alan Turing, the English mathematician considered to be the father of modern computer science, was sold at auction Monday for $1.025 million. Turing apparently wrote in the notebook in 1942 when he was working in Bletchley Park, England, trying to break German military code. “It gives us insight into how Alan Turing tackles problems. Sadly it shows us what he never got to finish,” said Cassandra Hatton, senior specialist at Bonhams.
Cellphones

The NSA Wants Tech Companies To Give It "Front Door" Access To Encrypted Data 212

Posted by samzenpus
from the let-us-in dept.
An anonymous reader writes The National Security Agency is embroiled in a battle with tech companies over access to encrypted data that would allow it to spy (more easily) on millions of Americans and international citizens. Last month, companies like Google, Microsoft, and Apple urged the Obama administration to put an end to the NSA's bulk collection of metadata. "National Security Agency officials are considering a range of options to ensure their surveillance efforts aren't stymied by the growing use of encryption, particularly in smartphones. Key among the solutions, according to The Washington Post, might be a requirement that technology companies create a digital key that can open any locked device to obtain text messages or other content, but divide the key into pieces so no one group could use it without the cooperation of other parties."
Encryption

U.S. Gov't Grapples With Clash Between Privacy, Security 134

Posted by Soulskill
from the politicians-who-don't-know-which-way-the-wind-is-blowing dept.
schwit1 writes: WaPo: "For months, federal law enforcement agencies and industry have been deadlocked on a highly contentious issue: Should tech companies be obliged to guarantee U.S. government access to encrypted data on smartphones and other digital devices, and is that even possible without compromising the security of law-abiding customers?"

NSA director Adm. Michael S. Rogers wants to require technology companies to create a digital key that could open any smartphone or other locked device to obtain text messages or photos, but divide the key into pieces so that no one person or agency alone could decide to use it. But progress is nonexistent:

"The odds of passing a new law appear slim, given a divided Congress and the increased attention to privacy in the aftermath of leaks by former NSA contractor Edward Snowden. There are bills pending to ban government back doors into communications devices. So far, there is no legislation proposed by the government or lawmakers to require Internet and tech firms to make their services and devices wiretap-ready."
Encryption

'Let's Encrypt' Project Strives To Make Encryption Simple 116

Posted by Soulskill
from the reaching-for-peak-encryption dept.
jones_supa writes: As part of an effort to make encryption a standard component of every application, the Linux Foundation has launched the Let's Encrypt project (announcement) and stated its intention to provide access to a free certificate management service. Jim Zemlin, executive director for the Linux Foundation, says the goal for the project is nothing less than universal adoption of encryption to disrupt a multi-billion dollar hacker economy. While there may never be such a thing as perfect security, Zemlin says it's just too easy to steal data that is not encrypted. In its current form, encryption is difficult to implement and a lot of cost and overhead is associated with managing encryption keys. Zemlin claims the Let's Encrypt project will reduce the effort it takes to encrypt data in an application down to two simple commands. The project is being hosted by the Linux Foundation, but the actual project is being managed by the Internet Security Research Group. This work is sponsored by Akamai, Cisco, EFF, Mozilla, IdenTrust, and Automattic, which all are Linux Foundation patrons. Visit Let's Encrypt official website to get involved.
Encryption

TrueCrypt Alternatives Step Up Post-Cryptanalysis 83

Posted by Soulskill
from the rebuilding-with-confidence dept.
msm1267 writes: What's next for TrueCrypt now that a two-phase audit of the code and its cryptography uncovered a few critical vulnerabilities, but no backdoors? Two alternative open source encryption projects forked TrueCrypt once its developers decided to abandon the project in early 2014, giving rise to VeraCrypt and CipherShed — and both are ready to accelerate growth, compatibility and functionality now that the TrueCrypt code has been given a relatively clean bill of health.
Security

Research Finds Shoddy Security On Connected Home Gateways 88

Posted by timothy
from the junction-box-is-open dept.
chicksdaddy writes Connected home products are the new rage. But how do you connect your Nest thermostat, your DropCam surveillance device and your Chamberlin MyQ 'smart' garage door opener? An IoT hub, of course. But not so fast: a report from the firm Veracode may make you think twice about deploying one of these IoT gateways in your home. As The Security Ledger reports, Veracode researchers found significant security vulnerabilities in each of six IoT gateways they tested, suggesting that manufacturers are giving short shrift to security considerations during design and testing. The flaws discovered ranged from weak authentication schemes (pretty common) to improper validation of TLS and SSL certificates, to gateways that shipped with exposed debugging interfaces that would allow an attacker on the same wireless network as the device to upload and run malicious code. Many of the worst lapses seem to be evidence of insecure design and lax testing of devices before they were released to the public, Brandon Creighton, Veracode's research architect, told The Security Ledger. This isn't the first report to raise alarms about IoT hubs. In October, the firm Xipiter published a blog post describing research into a similar hub by the firm VeraLite. Xipiter discovered that, among other things, the VeraLite device shipped with embedded SSH private keys stored in immutable areas of the firmware used on all devices.
Firefox

Mozilla Rolls Back Firefox 37's Opportunistic Encryption Over Security Issue 42

Posted by Soulskill
from the generates-too-many-opportunities dept.
darthcamaro writes: Barely a week ago, Mozilla released Firefox 37, which had a key new feature called opportunistic encryption. The basic idea is that it will do some baseline encryption for data that would have otherwise been sent by a user via clear text. Unfortunately, Mozilla has already issued Firefox 37.0.1, which removes opportunistic encryption. A security vulnerability was reported in the underlying Alternative Services capability that helps to enable opportunistic encryption. "If an Alt-Svc header is specified in the HTTP/2 response, SSL certificate verification can be bypassed for the specified alternate server. As a result of this, warnings of invalid SSL certificates will not be displayed and an attacker could potentially impersonate another site through a man-in-the-middle, replacing the original certificate with their own." They plan to re-enable opportunistic encryption when this issue is investigated and fixed.
Encryption

The Problem With Using End-to-End Web Crypto as a Cure-All 89

Posted by Soulskill
from the nobody-reads-the-not-so-fine-print dept.
fsterman writes: Since the Snowden revelations, end-to-end web encryption has become trendy. There are browser add-ons that bolt a PGP client onto webmail and both Yahoo and Google are planning to support PGP directly. They attempt to prevent UI spoofing with icons similar to the site-authentication banks use to combat phishing.

The problem is that a decade of research shows that users habituate to these icons and come to ignore them. An attacker can pull off UI spoofing with a 90%+ success rate.
Android

Popular Android Package Uses Just XOR -- and That's Not the Worst Part 277

Posted by timothy
from the ightray-onyay-ethay-urfacesay dept.
siddesu writes A popular "encryption" package for Android that even charges a yearly subscription fee of $8 actually does nothing more than give a false sense of security to its users. Not only is the app using a worthless encryption method, it also uses weak keys and "encrypts" only a small portion of the files. One wonders how much snake oil flows through the app stores, from "battery savers" to "antivirus." What is the most worthless app purchase you made? Did you ask for a refund?
Communications

The Unlikely Effort To Build a Clandestine Cell Phone Network 42

Posted by Soulskill
from the can't-stop-the-signal dept.
Lashdots writes: Electronic surveillance has raised concerns among Americans and pushed an estimated 30% of them to protect their privacy in some form. Artist Curtis Wallen has taken that effort to dramatic lengths, documenting how to create a "clandestine communications network" using pre-paid phones, Tor, Twitter, and encryption. The approach, which attempts to conceal any encryption that could raise suspicions, is "very passive" says Wallen, so "there's hardly any trace that an interaction even happened." This is not easy, of course. In fact, as he discovered while researching faulty CIA security practices, it's really, comically hard. "If the CIA can't even keep from getting betrayed by their cell phones, what chance do we have?" he says. Still, he believes his system could theoretically keep users' activities hidden, and while it's hard, it's not impossible.
Encryption

TrueCrypt Audit: No NSA Backdoors 142

Posted by Soulskill
from the assuming-you-can-trust-the-auditors dept.
Mark Wilson writes: A security audit of TrueCrypt has determined that the disk encryption software does not contain any backdoors that could be used by the NSA or other surveillance agencies. A report prepared by the NCC Group (PDF) for the Open Crypto Audit Project found that the encryption tool is not vulnerable to being compromised. However, the software was found to contain a few other security vulnerabilities, including one relating to the use of the Windows API to generate random numbers for master encryption key material. Despite this, TrueCrypt was given a relatively clean bill of health with none of the detected vulnerabilities considered severe enough to lead "to a complete bypass of confidentiality in common usage scenarios."