Censorship

As Elections Approach, Iran Uses "Far More Advanced" Internet Censorship (dailydot.com) 40

Patrick O'Neill writes: Election time in Iran means increased censorship for the country's tens of millions of Internet users. But this months parliamentary election, experts say, comes with a new level of aggressive censorship from a government notorious for authoritarianism in cyberspace. "What's happening [right now] is far more advanced than anything we've seen before," said Karl Kathuria, CEO of Psiphon Inc., the company behind the widely popular encryption and circumvention tool Psiphon. "It's a lot more concentrated attempt to stop these services from working."
Encryption

US Encryption Ban Would Only Send the Market Overseas (dailydot.com) 152

Patrick O'Neill writes: As U.S. legislatures posture toward legally mandating backdoored encryption, a new Harvard study suggests that a ban would push the market overseas because most encryption products come from over non-U.S. tech companies. "Cryptography is very much a worldwide academic discipline, as evidenced by the quantity and quality of research papers and academic conferences from countries other than the U.S.," the researchers wrote.
Encryption

Federal Bill Could Override State-Level Encryption Bans (thestack.com) 137

An anonymous reader writes: A new bill has been proposed in Congress today by Representatives Ted Lieu (D-Calif.) and Blake Farenthold (R-Tex.) which looks to put a stop to any pending state-level legislation that could result in misguided encryption measures. The Ensuring National Constitutional Rights of Your Private Telecommunications Act of 2016 comes as a response to state-level encryption bills which have already been proposed in New York state and California. These near-identical proposals argued in favour of banning the sale of smartphones sold in the U.S. that feature strong encryption and cannot be accessed by the manufacturer. If these bills are passed, current smartphones, including iPhone and Android models, would need to be significantly redesigned for sale in these two states. Now Lieu and Farenthold are making moves to prevent the passing of the bills because of their potential impact on trade [PDF] and the competitiveness of American firms.
Censorship

FBI Gripes "We Can't Read Everyone's Secrets" (reuters.com) 171

New submitter rdukb writes: FBI Director James Comey told the Senate Intelligence Committee that investigators still can't access the phone contents of one of the San Bernadino killers. He went on to argue that the phenomenon of communications "going dark" due to more sophisticated technology and wider use of encryption is "overwhelmingly affecting" law enforcement operations, including, not only the San Bernadino murders, but also investigations into other murders, car accidents, drug trafficking and the proliferation of child pornography. This might increase pressure on Apple to loosen the backdoor restrictions. Will the industry relent and allow Government access to data from these devices?
Security

MIT Reveals "Hack-Proof" RFID Chip (thestack.com) 53

JustAnotherOldGuy writes: A group of researchers at MIT and Texas Instruments claim that they have developed a new radio frequency identification chip that may be impossible to hack. Traditional RFID chips are vulnerable to side-channel attacks, whereby a hacker can extract a cryptographic key from the chip. The new RFID chip runs a random-number generator that creates a new secret key after each transaction. The key can then be verified with a server to ensure that it is correct. The group at MIT also incorporated protection against a power-glitch attack, an attack that would normally leave a chip vulnerable to an interruption of the power source that would in turn halt the creation of a new secret key. Texas Instruments CTO Ahmad Bahai stated, "We believe this research is an important step toward the goal of a robust, lo-cost, low-power authentication protocol for the industrial internet." The question is, how long will it be before this "hack proof" chip is hacked?
Encryption

Socat Weak Crypto Draws Suspicions Of a Backdoor (threatpost.com) 50

msm1267 writes: Socat is the latest open source tool to come under suspicion that it is backdoored. A security advisory published Monday warned that the OpenSSL address implementation in Socat contains a hard-coded Diffie-Hellman 1024-bit prime number that was not prime. "The effective cryptographic strength of a key exchange using these parameters was weaker than the one one could get by using a prime p," the advisory said. "Moreover, since there is no indication of how these parameters were chosen, the existence of a trapdoor that makes possible for an eavesdropper to recover the shared secret from a key exchange that uses them cannot be ruled out." Socat said it has generated a new prime that is 2048 bits long; versions 1.7.3.0 and 2.0.0-b8 are affected. The advisory adds that a temporary workaround would be to disable the Diffie-Hellman ciphers.
Communications

Harvard: No, Crypto Isn't Making the FBI Go Dark 59

Trailrunner7 writes: The FBI and other law enforcement and intelligence agencies have warned for years that the increased use of encryption by consumers is making surveillance and lawful interception much more difficult, impeding investigations. But a new study by a group of experts at Harvard's Berkman Center says those claims are largely overblown and that the IoT revolution will give agencies plenty of new chances for clear-channel surveillance.

"We argue that communications in the future will neither be eclipsed into darkness nor illuminated without shadow. Market forces and commercial interests will likely limit the circumstances in which companies will offer encryption that obscures user data from the companies themselves, and the trajectory of technological development points to a future abundant in unencrypted data, some of which can fill gaps left by the very communication channels law enforcement fears will 'go dark' and beyond reach," the Berkman Center report says.
Communications

U.S. Forces Viewed Encrypted Israeli Drone Feeds (theintercept.com) 49

iceco2 links to The Intercept's report that the U.S. and UK intelligence forces have been (or at least were) intercepting positional data as well as imagery from Israeli drones and fighters, through a joint program dubbed "Anarchist," based on the island of Cyprus. Among the captured images that the Intercept has published, based on data provided by Edward Snowden, are ones that appear to show weaponized drones, something that the U.S. military is well-known for using, but that the IDF does not publicly acknowledge as part of its own arsenal. Notes iceco2: U.S. spying on allies is nothing new. It is surprising to see the ease with which encrypted Israeli communications were intercepted. As always, it wasn't the crypto which was broken -- just the lousy method it was applied. Ars Technica explains that open-source software, including ImageMagick was central to the analysis of the captured data.
Security

Google Will Soon Let You Know By Default When Websites Are Unencrypted (softpedia.com) 216

An anonymous reader writes: Permanent changes are planned for future Google Chrome releases, which will add a big shiny red cross in the URL bar if the website you're accessing is not using HTTPS. Google says it is planning to add this to Chrome by the end of 2016, after one of its developers proposed the idea back in December 2014. Many have argued that the web is predominantly unencrypted, so they're displaying a persistent and ambiguous error message for a large portion of the Internet. Since unencrypted content is not an error state, the Chrome team should use alternate iconography, because the default error message this will just confuse average people, and it will encourage error blindness.
Communications

The Widely Reported ISIS Encrypted Messaging App Is Not Real 113

blottsie writes: Despite widespread reports to the contrary, an app created for Islamic State militants to send private encrypted messages does not exist, a week-long Daily Dot investigation found. All of the media articles on the Alrawi app showed screenshots of a different app entirely, one that is a glorified RSS reader with a totally different name. The Defense One journalist who first reported on GSG's claims about the app told the Daily Dot that he hadn't seen any version of Alrawi at all, and the subsequent reports on the app largely relied on Defense One's reporting. The Daily Dot was the first media outlet to receive, on Jan. 18, what GSG claimed was the Alrawi encryption app. The app, called "Alrawi.apk," contained no ability to send or encrypt messages. It was created using MIT's App Inventor, a plug-and-play tool meant primarily for children.
Communications

OSINT Analysis of Militia Communications, Equipment and Frequencies (wordpress.com) 336

An anonymous reader writes: On January 2, 2016, the headquarters of the Malheur National Wildlife Refuge in Oregon, United States, were occupied by armed members of rump militias in one of the longest-running law enforcement standoff in American history. The Radiomasterreport blog, using publicly available information, wrote an OSINT Analysis of Militia Communications, Radio Equipment and Frequencies. The research results has astonishing conclusions: far-right patriot militas openly carrying +3000$ AR15 rifles and US military body armour also use cheap 30$ unsecure chinese Baofeng walkie talkie radios with no encryption whatsoever. Any simple ham radio operator , police scanner owner, or even some folks with a Software Defined Radio can receive those militia communications.
Security

Malware Operator Barters With Security Researcher To Remove Open Source Ransomware Code (softpedia.com) 34

An anonymous reader writes: The author of the Magic ransomware strain has agreed to release all decryption keys for free if Utku Sen, a Turkish security researcher, takes down his Hidden Tear open-source ransomware project from GitHub. Sen has released multiple open source ransomware projects, which contained backdoors and encryption flaws. The flaws disrupted the plans of several ransomware operators. This particular ransomware author is Russian, while Sen is Turkish, so just like Putin and Erdogan, the two struggled to come to an agreement. Utku Sen finally agreed to take down the Hidden Tear repository in three days, while the author of the Magic ransomware will provide all the encryption keys for free for the next 15 days.
Firefox

Firefox 44 Arrives With Push Notifications (mozilla.org) 182

An anonymous reader writes: Mozilla today launched Firefox 44 for Windows, Mac, Linux, and Android. Notable additions to the browser include push notifications, the removal of RC4 encryption, and new powerful developer tools. Mozilla made three promises for push notifications: "1. To prevent cross-site correlations, every website receives a different, anonymous Web Push identifier for your browser. 2. To thwart eavesdropping, payloads are encrypted to a public / private keypair held only by your browser. 3. Firefox only connects to the Push Service if you have an active Web Push subscription. This could be to a website, or to a browser feature like Firefox Hello or Firefox Sync." Here are the full changelogs: Desktop and Android.
Open Source

Open-Source Ransomware Abused For the Second Time In Real-Life Infections (softpedia.com) 100

An anonymous reader writes: After the Hidden Tear (open-source) ransomware code was used to create the Cryptear.B ransomware, now the EDA2 open-source project was used in the same way to create the Magic ransomware. Both projects were created by the same guy. While he left an encryption flaw for Hidden Tear, he didn't for EDA2, relying on a backdoor in the ransomware's admin panel, which he planned to use to steal the encryption keys from the ransomware authors, if they ever used his tool. Unfortunately, the ransomware's C&C servers were on a free hosting service, and someone reported the account. All the data has been deleted from the servers, there's no backup, the backdoor account is useless, and victims have no way of recovering their files.
Encryption

NSA Chief: Arguing Against Encryption Is a Waste of Time (theintercept.com) 184

An anonymous reader writes: On Thursday, NSA director Mike Rogers said, "encryption is foundational to the future." He added that it was a waste of time to argue that encryption is bad or that we ought to do away with it. Rogers is taking a stance in opposition to many other government officials, like FBI director James Comey. Rogers further said that neither security nor privacy should be the imperative that drives everything else. He said, "We've got to meet these two imperatives. We've got some challenging times ahead of us, folks."
Communications

California Bill Would Require Phone Crypto Backdoors 251

Trailrunner7 writes with this except from On The Wire: A week after a New York legislator introduced a bill that would require smartphone vendors to be able to decrypt users' phones on demand from law enforcement, a California bill with the same intent has been introduced in that state's assembly. On Wednesday, California Assemblyman Jim Cooper submitted a bill that has remarkably similar language to the New York measure and would require that device manufacturers and operating system vendors such as Apple, Samsung, and Google be able to decrypt users' devices. The law would apply to phones sold in California beginning Jan. 1, 2017. Of course, "smartphone vendors" wouldn't be able to decrypt voice calls sent using VoIP software that was encrypted outside their domain of influence.
Security

New Linux Trojan Can Spy on Users by Taking Screenshots and Recording Audio (drweb.com) 130

An anonymous reader writes: Dr.Web, a Russian antivirus maker, has detected a new threat against Linux users: the Linux.Ekoms.1 trojan. It includes functionality that allows it to take screenshots and record audio. While the screenshot activity is working just fine, Dr.Web says the trojan's audio recording feature has not been turned on, despite being included in the malware's source code. "All information transmitted between the server and Linux.Ekoms.1 is encrypted. The encryption is initially performed using the public key; and the decryption is executed by implementing the RSA_public_decrypt function to the received data. The Trojan exchanges data with the server using AbNetworkMessage."
Encryption

UK Voice Crypto Standard Built For Key Escrow, Mass Surveillance (benthamsgaze.org) 66

Trailrunner7 writes: The U.K. government's standard for encrypted voice communications, which already is in use in intelligence and other sectors and could be mandated for use in critical infrastructure applications, is set up to enable easy key escrow, according to new research. The standard is known as Secure Chorus, which implements an encryption protocol called MIKEY-SAKKE. The protocol was designed by GCHQ, the U.K.'s signals intelligence agency, the equivalent in many ways to the National Security Agency in the United States. MIKEY-SAKKE is designed for voice and video encryption specifically, and is an extension of the MIKEY (Multimedia Internet Keying) protocol, which supports the use of EDH (Ephemeral Diffie Hellman) for key exchange.

"MIKEY supports EDH but MIKEY-SAKKE works in a way much closer to email encryption. The initiator of a call generates key material, uses SAKKE to encrypt it to the other communication partner (responder), and sends this message to the responder during the set-up of the call. However, SAKKE does not require that the initiator discover the responder's public key because it uses identity-based encryption (IBE)," Dr. Steven Murdoch of University College London's Department of Computer Science, wrote in a new analysis of the security of the Secure Chorus standard. "By design there is always a third party who generates and distributes the private keys for all users. This third party therefore always has the ability to decrypt conversations which are encrypted using these private keys," Murdoch said by email. He added that the design of Secure Chorus "is not an accident."

Bug

Serious Linux Kernel Vulnerability Patched (threatpost.com) 85

msm1267 writes: A patch for a critical Linux kernel flaw, present in the code since 2012, is expected to be pushed out today. The vulnerability affects versions 3.8 and higher, said researchers at startup Perception Point who discovered the vulnerability. The flaw also extends to two-thirds of Android devices, the company added. An attacker would require local access to exploit the vulnerability on a Linux server. A malicious mobile app would get the job done on an Android device. The vulnerability is a reference leak that lives in the keyring facility built into the various flavors of Linux. The keyring encrypts and stores login information, encryption keys and certificates, and makes them available to applications. Here's Perception Point's explanation of the problem.
Encryption

Clinton Hints At Tech Industry Compromise Over Encryption (huffingtonpost.co.uk) 345

An anonymous reader writes: At the Democratic presidential debate last night, Marques Brownlee asked the candidates a pointed question about whether the government should require tech companies to implement backdoors in their encryption, and how we should balance privacy with security. The responses were not ideal for those who recognize the problems with backdoors. Martin O'Malley said the government should have to get a warrant, but skirted the rest of the issue. Bernie Sanders said government must "have Silicon Valley help us" to discover information transmitted across the internet by ISIS and other terrorist organizations. He thinks we can do that without violating privacy, but didn't say how. But the most interesting comment came from Hillary Clinton. After mentioning that Obama Administration officials had "started the conversation" with tech companies on the encryption issue, one of the moderators noted that the government "got nowhere" with its requests. Clinton replied, "That is not what I've heard. Let me leave it at that." The implications of that small comment are troubling.

Slashdot Top Deals