Security

Researchers Discover SS7 Flaw, Allowing Total Access To Any Cell Phone, Anywhere 80

Posted by Soulskill
from the just-in-case-you-were-feeling-safe-and-secure-today dept.
krakman writes: Researchers discovered security flaws in SS7 that allow listening to private phone calls and intercepting text messages on a potentially massive scale – even when cellular networks are using the most advanced encryption now available. The flaws, to be reported at a hacker conference in Hamburg this month, are actually functions built into SS7 for other purposes – such as keeping calls connected as users speed down highways, switching from cell tower to cell tower – that hackers can repurpose for surveillance because of the lax security on the network. It is thought that these flaws were used for bugging German Chancellor Angela Merkel's phone.

Those skilled at the housekeeping functions built into SS7 can locate callers anywhere in the world, listen to calls as they happen or record hundreds of encrypted calls and texts at a time for later decryption (Google translation of German original). There is also potential to defraud users and cellular carriers by using SS7 functions, the researchers say. This is another result of security being considered only after the fact, as opposed to being part of the initial design.
Verizon

Verizon "End-to-End" Encrypted Calling Includes Law Enforcement Backdoor 166

Posted by Soulskill
from the part-and-parcel dept.
An anonymous reader sends this quote from TechDirt: As a string of whistleblowers like former AT&T employee Mark Klein have made abundantly clear, the line purportedly separating intelligence operations from the nation's incumbent phone companies was all but obliterated long ago. As such, it's relatively amusing to see Verizon announce this week that the company is offering up a new encrypted wireless voice service named Voice Cypher. Voice Cypher, Verizon states, offers "end-to-end" encryption for voice calls on iOS, Android, or BlackBerry devices equipped with a special app made by Cellcrypt.

Verizon says it's initially pitching the $45 per phone service to government agencies and corporations, but would ultimately love to offer it to consumers as a line item on your bill. Of course by "end-to-end encryption," Verizon means that the new $45 per phone service includes an embedded NSA backdoor free of charge. Apparently, in Verizon-land, "end-to-end encryption" means something entirely different than it does in the real world.
Security

POODLE Flaw Returns, This Time Hitting TLS Protocol 54

Posted by Soulskill
from the its-bite-is-worse-than-its-bark dept.
angry tapir writes: If you patched your sites against a serious SSL flaw discovered in October you will have to check them again. Researchers have discovered that the POODLE vulnerability also affects implementations of the newer TLS protocol. The POODLE (Padding Oracle On Downgraded Legacy Encryption) vulnerability allows attackers who manage to intercept traffic between a user's browser and an HTTPS website to decrypt sensitive information, like the user's authentication cookies.
Encryption

Neglecting the Lessons of Cypherpunk History 103

Posted by Soulskill
from the moore's-law-makes-liars-of-us dept.
Nicola Hahn writes: Over the course of the Snowden revelations there have been a number of high-profile figures who've praised the merits of encryption as a remedy to the quandary of mass interception. Companies like Google and Apple have been quick to publicize their adoption of cryptographic countermeasures in an effort to maintain quarterly earnings. This marketing campaign has even convinced less credulous onlookers like Glenn Greenwald. For example, in a recent Intercept piece, Greenwald claimed:

"It is well-established that, prior to the Snowden reporting, Silicon Valley companies were secret, eager and vital participants in the growing Surveillance State. Once their role was revealed, and they perceived those disclosures threatening to their future profit-making, they instantly adopted a PR tactic of presenting themselves as Guardians of Privacy. Much of that is simply self-serving re-branding, but some of it, as I described last week, are genuine improvements in the technological means of protecting user privacy, such as the encryption products now being offered by Apple and Google, motivated by the belief that, post-Snowden, parading around as privacy protectors is necessary to stay competitive."

So, while he concedes the role of public relations in the ongoing cyber security push, Greenwald concurrently believes encryption is a "genuine" countermeasure. In other words, what we're seeing is mostly marketing hype... except for the part about strong encryption.

With regard to the promise of encryption as a privacy cure-all, history tells a markedly different story. Guarantees of security through encryption have often proven illusory, a magic act. Seeking refuge in a technical quick fix can be hazardous for a number of reasons.
Communications

Ofcom Will Remove Mandatory Ham Callsign ID Interval, Allow Encryption For Some 57

Posted by Soulskill
from the slowly-but-surly dept.
product_bucket writes: The UK's radio regulator, Ofcom, today published changes in the licensing conditions that remove the mandatory 15-minute callsign ID interval on all allocated frequencies apart from 5MHz, where special conditions remain. In its place, a requirement for the station to be "clearly identifiable at all times" has been made, along with a requirement to transmit the station callsign "as frequently as is practicable" in a form consistent with the operating mode. The decision also permits the use of encryption (PDF) when the station is being used for, or on behalf of a user service such as St. John Ambulance. Unusually, no response to the consultation (PDF) has been made available, so there is at present no way to assess the extent to which the changes were based on actual responses.
Cellphones

Ron Wyden Introduces Bill To Ban FBI 'Backdoors' In Tech Products 109

Posted by Soulskill
from the stop-doing-the-thing-you-might-want-to-start-doing dept.
An anonymous reader sends this report from The Verge: Senator Ron Wyden (D-OR) is trying to proactively block FBI head James Comey's request for new rules that make tapping into devices easier. The Secure Data Act would ban agencies from making manufacturers alter their products to allow easier surveillance or search, something Comey has said is necessary as encryption becomes more common and more sophisticated. "Strong encryption and sound computer security is the best way to keep Americans' data safe from hackers and foreign threats," said Wyden in a statement. "It is the best way to protect our constitutional rights at a time when a person's whole life can often be found on his or her smartphone."
Businesses

Ask Slashdot: Convincing My Company To Stop Using Passwords? 247

Posted by timothy
from the you-forgot-duo dept.
gurps_npc writes: Any password policy sufficiently complex to be secure is too complex to remember, so people write them down. Worse, company policy is to leave a message on your answering machine describing it — when the software uses a 6-number password to get your 8 letter/symbol/number/capital/no dupes (ever) real password. I want to suggest a better method. I want to go with a two-factor system — either token based or phone based (LaunchKey, Clef, Nok Nok). Does anyone have any advice on specific systems — or points I should bring up? Or alternatives such as graphical based passwords?
Encryption

The Cost of the "S" In HTTPS 238

Posted by timothy
from the not-insignificant dept.
An anonymous reader writes: Researchers from CMU, Telefonica, and Politecnico di Torino have presented a paper at ACM CoNEXT that quantifies the cost of the "S" in HTTPS. The study shows that today major players are embracing end-to-end encryption, so that about 50% of web traffic is carried by HTTPS. This is a nice testament to the feasibility of having a fully encrypted web. The paper also pinpoints the cost of encryption, which manifests itself through increases in page loading time of more than 50%, and a possible increase in battery usage. However, the major loss due to the "S" is the inability to offer any in-network value-added services that are offered by middleboxes, such as caching, proxying, firewalling, parental control, etc. Are we ready to accept it? (Presentation can be downloaded from here.)
Math

Mathematical Trick Helps Smash Record For the Largest Quantum Factorization 62

Posted by Soulskill
from the still-slower-than-a-12-year-old dept.
KentuckyFC writes: One of the big applications for quantum computers is finding the prime factors of large numbers, a technique that can help break most modern cryptographic codes. Back in 2012, a team of Chinese physicists used a nuclear magnetic resonance quantum computer with 4 qubits to factor the number 143 (11 x 13), the largest quantum factorization ever performed. Now a pair of mathematicians say the technique used by the Chinese team is more powerful than originally thought. Their approach is to show that the same quantum algorithm factors an entire class of numbers with factors that differ by 2 bits (like 11 and 13). They've already discovered various examples of these numbers, the largest so far being 56153. So instead of just factoring 143, the Chinese team actually quantum factored the number 56153 (233 x 241, which differ by two bits when written in binary). That's the largest quantum factorization by some margin. The mathematicians point out that their discovery will not help code breakers since they'd need to know in advance that the factors differ by 2 bits, which seems unlikely. What's more, the technique relies on only 4 qubits and so can be easily reproduced on a classical computer.
Communications

18th Century Law Dredged Up To Force Decryption of Devices 446

Posted by timothy
from the do-you-own-yourself dept.
Cognitive Dissident writes: The Register has a story about federal prosecutors using a law signed by George Washington to force manufacturers to help law enforcement access encrypted data on devices they manufacture. The All Writs Act is a broad statute simply authorizing courts to issue any order necessary to obtain information within their jurisdiction. Quoting the Register article: "Last month, New York prosecutors successfully persuaded a judge that the ancient law could be used to force an unnamed smartphone manufacturer to help unlock a phone allegedly used in a credit card fraud case. The judge ordered the manufacturer to offer 'reasonable technical assistance' to make the phone's contents available." What will happen when this collides with Apple and Google deliberately creating encryption that they themselves cannot break?
Encryption

BlackBerry Clears Hurdle For Voice Crypto Acquisition 27

Posted by samzenpus
from the still-going dept.
angry tapir writes: BlackBerry is now free to integrate German security vendor Secusmart's voice encryption technology in its smartphones and software, after the German government approved its acquisition of the company. BlackBerry CEO John Chen still wants his company to be the first choice of CIOs who want nothing but the best security as he works to turn around the company's fortunes.
Encryption

Another Hint For Kryptos 50

Posted by timothy
from the it's-about-where-to-get-local-donuts dept.
rastos1 writes: Four years ago Jim Sanborn, the sculptor who created the wavy metal pane called Kryptos that sits in front of the CIA in Langley, revealed a clue for breaking the last remaining part of the encrypted message on Kryptos. The clue was: BERLIN. But the puzzle resisted all decryption efforts and is still unsolved. To honor the 25th anniversary of the Wall's demise and the artist's 69th birthday this year, Sanborn has decided to reveal a new clue to help solve his iconic and enigmatic artwork. It's only the second hint he's released since the sculpture was unveiled in 1990 and may finally help unlock the fourth and final section of the encrypted sculpture, which frustrated sleuths have been struggling to crack for more than two decades. The next word in the sequence is: "clock."
United States

Greenwald Advises Market-Based Solution To Mass Surveillance 157

Posted by samzenpus
from the you-get-what-you-demand dept.
Nicola Hahn writes: In his latest Intercept piece Glenn Greenwald considers the recent defeat of the Senate's USA Freedom Act. He remarks that governments "don't walk around trying to figure out how to limit their own power." Instead of appealing to an allegedly irrelevant Congress, Greenwald advocates utilizing the power of consumer demand to address the failings of cyber security. Specifically, he argues that companies care about their bottom line and that the trend of customers refusing to tolerate insecure products will force companies to protect user privacy, implement encryption, etc. All told, Greenwald's argument is very telling: that society can rely on corporate interests for protection. Is it true that representative government is a lost cause and that lawmakers would never knowingly yield authority? There are people who think that advising citizens to devolve into consumers is a dubious proposition.
Bitcoin

Tracking a Bitcoin Thief, Part II: Illustrating the Issue of Trust In Altcoins 46

Posted by timothy
from the sometimes-the-good-guys-win dept.
An anonymous reader writes: The team over at the BITCOMSEC (Bitcoin Community Security) project released a second part to their 'Tracking a Bitcoin Thief' series in which they disclose what happened to a once-rising alternate cryptocurrency project that promised to place guaranteed value on its MidasCoins by backing it with actual gold. Dealing with the reality of user compromise, the project's founder ups and runs away with all of the community's coins, cashing them out at an exchange for Bitcoins. A sobering tale of trust issues within the alternate cryptocurrency community. (The first part is interesting, too.)
Operating Systems

Ask Slashdot: Workaday Software For BSD On the Desktop? 267

Posted by timothy
from the clever-little-devil dept.
An anonymous reader writes: So for a variety of reasons (some related to recent events, some ongoing for a while) I've kinda soured on Linux and have been looking at giving BSD a shot on the desktop. I've been a Gentoo user for many years and am reasonably comfortable diving into stuff, so I don't anticipate user friendliness being a show stopper. I suspect it's more likely something I currently do will have poor support in the BSD world. I have of course been doing some reading and will probably just give it a try at some point regardless, but I was curious what experience and advice other Slashdot users could share. There have been many bold comments on Slashdot about moving away from Linux, so I suspect I'm not the only one asking these questions. Use-case wise, my list of must-haves is: Minecraft, and probably more dubiously, FTB; mplayer or equivalent (very much prefer mplayer as it's what I've used forever); VirtualBox or something equivalent; Firefox (like mplayer, it's just what I've always used, and while I would consider alternatives, that would definitely be a negative); Flash (I hate it, but browsing the web sans Flash is still a pain); OpenRA (this is the one I anticipate giving me the most trouble, but playing it is somewhat of an obsession).

Stuff that would be nice but I can live without: Full disk encryption; Openbox / XFCE (It's what I use now and would like to keep using, but I could probably switch to something else without too much grief); jackd/rakarrack or something equivalent (currently use my computer as a cheap guitar amp/effects stack); Qt (toolkit of choice for my own stuff).
What's the most painless way to transition to BSD for this constellation of uses, and which variety of BSD would you suggest?
Communications

WhatsApp To Offer End-to-End Encryption 93

Posted by timothy
from the trend-worth-extending dept.
L-One-L-One writes: In a surprise move, nine months after being bought by Facebook, WhatsApp has begun rolling out end-to-end encryption for its users. With true end-to-end encryption, data becomes inaccessible to admins of WhatsApp or law enforcement authorities. This new feature, first proposed on Android only, has been developed in cooperation with Open Whisper Systems, based on TextSecure. With hundreds of millions of users, WhatsApp becomes by far the largest secure messaging application. FBI Director James Comey might not be pleased. Do you have a current favorite for encrypted online chat?
Encryption

Launching 2015: a New Certificate Authority To Encrypt the Entire Web 212

Posted by Soulskill
from the respect-their-authority dept.
Peter Eckersley writes: Today EFF, Mozilla, Cisco, and Akamai announced a forthcoming project called Let's Encrypt. Let's Encrypt will be a certificate authority that issues free certificates to any website, using automated protocols (demo video here). Launching in summer 2015, we believe this will be the missing piece that deprecates the woefully insecure HTTP protocol in favor of HTTPS.
Communications

81% of Tor Users Can Be De-anonymized By Analysing Router Information 136

Posted by timothy
from the keep-him-on-the-line dept.
An anonymous reader writes: A former researcher at Columbia University's Network Security Lab has conducted research since 2008 indicating that traffic flow software included in network routers, notably Cisco's 'NetFlow' package, can be exploited to deanonymize 81.4% of Tor clients. Professor Sambuddho Chakravarty, currently researching Network Anonymity and Privacy at the Indraprastha Institute of Information Technology, uses a technique which injects a repeating traffic pattern into the TCP connection associated with an exit node, and then compares subsequent aberrations in network timing with the traffic flow records generated by NetFlow (or equivalent packages from other router manufacturers) to individuate the 'victim' client. In laboratory conditions the success rate of this traffic analysis attack is 100%, with network noise and variations reducing efficiency to 81% in a live Tor environment. Chakravarty says: 'it is not even essential to be a global adversary to launch such traffic analysis attacks. A powerful, yet non-global adversary could use traffic analysis methods [...] to determine the various relays participating in a Tor circuit and directly monitor the traffic entering the entry node of the victim connection.'
United States

Department of Justice Harvests Cell Phone Data Using Planes 202

Posted by samzenpus
from the we-can-hear-you-now dept.
Tyketto writes: The US Department of Justice has been using fake communications towers installed in airplanes to acquire cellular phone data for tracking down criminals, reports The Wall Street Journal. Using fixed-wing Cessnas outfitted with DRT boxes produced by Boeing, the devices mimic cellular towers, fooling cellphones into reporting "unique registration information" to track down "individuals under investigation." The program, used by the U.S. Marshals Service, has been in use since 2007 and deployed around at least five major metropolitan areas, with a flying range that can cover most of the US population. As cellphones are designed to connect to the strongest cell tower signal available, the devices identify themselves as the strongest signal, allowing for the gathering of information on thousands of phones during a single flight. Not even having encryption on one's phone, like that found in Apple's iPhone 6, prevents this interception. While the Justice Department would not confirm or deny the existence of such a program, Verizon denies any involvement in this program, and DRT (a subsidiary of Boeing), AT&T, and Sprint have all declined to comment.
The Internet

After Silk Road 2.0 Shutdown, Rival Dark Net Markets Grow Quickly 86

Posted by Soulskill
from the enjoy-the-calm-before-your-storm dept.
apexcp writes: A week ago, Silk Road 2.0 was theatrically shut down by a global cadre of law enforcement. This week, the dark net is realigning. "In the wake of the latest police action against online bazaars, the anonymous black market known as Evolution is now the biggest Dark Net market of all time. Today, Evolution features 20,221 products for sale, a 28.8 percent increase from just one month ago and an enormous 300 percent increase over the past six months."