Forgot your password?
typodupeerror
Cellphones

Mysterious, Phony Cell Towers Found Throughout US 2

Posted by Soulskill
from the can-you-hear-me-now dept.
Trachman writes: Popular Science magazine recently published an article about a network of cell towers owned not by telecommunication companies but by unknown third parties. Many of them are built around U.S. military bases. "Interceptors vary widely in expense and sophistication – but in a nutshell, they are radio-equipped computers with software that can use arcane cellular network protocols and defeat the onboard encryption. ... Some interceptors are limited, only able to passively listen to either outgoing or incoming calls. But full-featured devices like the VME Dominator, available only to government agencies, can not only capture calls and texts, but even actively control the phone, sending out spoof texts, for example."
Firefox

Firefox 32 Arrives With New HTTP Cache, Public Key Pinning Support 67

Posted by Soulskill
from the cache-money dept.
An anonymous reader writes: Mozilla today officially launched Firefox 32 for Windows, Mac, Linux, and Android. Additions include a new HTTP cache for improved performance, public key pinning support, and easy language switching on Android. The Android version is trickling out slowly on Google Play. Changelogs are here: desktop and mobile.
Communications

Tox, a Skype Replacement Built On 'Privacy First' 171

Posted by Soulskill
from the pet-rock-also-built-on-privacy-first dept.
An anonymous reader writes: Rumors of back door access to Skype have plagued the communication software for the better part of a decade. Even if it's not true, Skype is owned by Microsoft, which is beholden to data requests from law enforcement. Because of these issues, a group of developers started work on Tox, which aims to rebuild the functionality of Skype with an emphasis on privacy. "The main thing the Tox team is trying to do, besides provide encryption, is create a tool that requires no central servers whatsoever—not even ones that you would host yourself. It relies on the same technology that BitTorrent uses to provide direct connections between users, so there's no central hub to snoop on or take down."
Bitcoin

Hal Finney, PGP and Bitcoin Pioneer, Dies At 58 38

Posted by timothy
from the that's-a-legacy dept.
New submitter brokenin2 writes Hal Finney, the number two programmer for PGP and the first person to receive a Bitcoin transaction, has passed away. From the article on Coindesk: "Shortly after collaborating with Nakamoto on early bitcoin code in 2009, Finney announced he was suffering from ALS. Increasing paralysis, which eventually became near-total, forced him to retire from work in early 2011."
Firefox

Mozilla To Support Public Key Pinning In Firefox 32 90

Posted by Soulskill
from the pin-the-key-on-the-fox dept.
Trailrunner7 writes: Mozilla is planning to add support for public-key pinning in its Firefox browser in an upcoming version. In version 32, which would be the next stable version of the browser, Firefox will have key pins for a long list of sites, including many of Mozilla's own sites, all of the sites pinned in Google Chrome and several Twitter sites. Public-key pinning has emerged as an important defense against a variety of attacks, especially man-in-the-middle attacks and the issuance of fraudulent certificates. The function essentially ties a public key, or set of keys, issued by known-good certificate authorities to a given domain. So if a user's browser encounters a site that's presenting a certificate that isn't included in the set of pinned public keys for that domain, it will then reject the connection. The idea is to prevent attackers from using fake certificates in order to intercept secure traffic between a user and the target site.
United Kingdom

UK Prisons Ministry Fined For Lack of Encryption At Prisons 74

Posted by Unknown Lamer
from the not-like-prisoners-are-people-anyway dept.
Bruce66423 (1678196) writes The Guardian reports that the UK Information Commissioner has levied a fine of £180,000 on the Ministry of Justice for their failure to encrypt data held on external hard drives at prisons. The fine is nominal — one part of government fining another is rather pointless, but it does show that there's a little bit of accountability. Of course it's interesting to consider the dangers of this hopefully old way of storing backups; but the question of whether we do a lot better now is quite pointed. To make matters worse, one of the unencrypted backup hard drives walked away.
Transportation

It's Easy To Hack Traffic Lights 144

Posted by Soulskill
from the looking-forward-to-the-mobile-app dept.
An anonymous reader notes coverage of research from the University of Michigan into the ease with which attackers can hack traffic lights. From the article: As is typical in large urban areas, the traffic lights in the subject city are networked in a tree-type topology, allowing them to pass information to and receive instruction from a central management point. The network is IP-based, with all the nodes (intersections and management computers) on a single subnet. In order to save on installation costs and increase flexibility, the traffic light system uses wireless radios rather than dedicated physical networking links for its communication infrastructure—and that’s the hole the research team exploited. ... The 5.8GHz network has no password and uses no encryption; with a proper radio in hand, joining is trivial. ... The research team quickly discovered that the debug port was open on the live controllers and could directly "read and write arbitrary memory locations, kill tasks, and even reboot the device (PDF)." Debug access to the system also let the researchers look at how the controller communicates to its attached devices—the traffic lights and intersection cameras. They quickly discovered that the control system’s communication was totally non-obfuscated and easy to understand—and easy to subvert.
Security

Heartbleed To Blame For Community Health Systems Breach 89

Posted by Soulskill
from the bet-you-wish-you'd-patched dept.
An anonymous reader writes: The Heartbleed vulnerability is the cause of the data breach at Community Health Systems, which resulted in 4.5 million records (containing patient data) being compromised. According to a blog post from TrustedSec, the attackers targeted a vulnerable Juniper router and obtained credentials, which allowed them access to the network's VPN.
China

Apple Begins Storing Chinese User Data On Servers In China 92

Posted by timothy
from the eat-local-and-store-data-there-too dept.
An anonymous reader writes Reuters reported on Friday that Apple "has begun keeping the personal data of some Chinese users on servers in mainland China." Apple has claimed that the move is meant "to improve the speed and reliability of its iCloud service", but given China's track record with censorship and privacy, the explanation rings hollow for some skeptics. Nevertheless, Apple assures its Chinese users that their personal data on China Telecom is encrypted and that the encryption keys will be stored offshore. Only time will tell if Apple will be able to resist Chinese government requests to access its China-based servers.
Security

Watch a Cat Video, Get Hacked: the Death of Clear-Text 166

Posted by Soulskill
from the internet-doomed dept.
New submitter onproton writes: Citizen Lab released new research today on a targeted exploitation technique used by state actors involving "network injection appliances" installed at ISPs. These devices can target and intercept unencrypted YouTube traffic and replace it with malicious code that gives the operator control over the system or installs a surveillance backdoor. One of the researchers writes, "many otherwise well-informed people think they have to do something wrong, or stupid, or insecure to get hacked—like clicking on the wrong attachments, or browsing malicious websites...many of these commonly held beliefs are not necessarily true." This technique is largely designed for targeted attacks, so it's likely most of us will be safe for now — but just one more reminder to use https.
Security

Study: Firmware Plagued By Poor Encryption and Backdoors 141

Posted by Soulskill
from the how-the-sausage-is-made dept.
itwbennett writes: The first large-scale analysis of firmware has revealed poor security practices that could present opportunities for hackers probing the Internet of Things. Researchers with Eurecom, a technology-focused graduate school in France, developed a web crawler that plucked more than 30,000 firmware images from the websites of manufacturers including Siemens, Xerox, Bosch, Philips, D-Link, Samsung, LG and Belkin. In one instance, the researchers found a Linux kernel that was 10 years out of date bundled in a recently released firmware image. They also uncovered 41 digital certificates in firmware that were self-signed and contained a private RSA encryption key and 326 instances of terms that could indicate the presence of a backdoor.
Yahoo!

Yahoo To Add PGP Encryption For Email 175

Posted by Unknown Lamer
from the gpg-for-grandma dept.
Bismillah (993337) writes Yahoo is working on an easy to use PGP interface for webmail, the company's chief information security officer Alex Stamos said at Black Hat 2014. This could lead to some interesting standoffs with governments and law enforcement wanting to read people's messages. From the article: "'We are working to design a key server architecture that allows for automatic discovery of public keys within Yahoo.com and other participating mail providers and to integrate encryption into the normal mail flow,' Stamos said."
Businesses

Facebook Acquires Server-Focused Security Startup 18

Posted by samzenpus
from the answering-the-acquisition-request dept.
wiredmikey writes In a move to bolster the security of its massive global server network, Facebook announced on Thursday it was acquiring PrivateCore, a Palo Alto, California-based cybersecurity startup. PrivateCore describes that its vCage software transparently secures data in use with full memory encryption for any application, any data, anywhere on standard x86 servers. "I'm really excited that Facebook has entered into an agreement to acquire PrivateCore," Facebook security chief Joe Sullivan wrote in a post to his own Facebook page. "I believe that PrivateCore's technology and expertise will help support Facebook's mission to help make the world more open and connected, in a secure and trusted way," Sullivan said. "Over time, we plan to deploy PrivateCore's technology directly into the Facebook server stack."
Encryption

Google Will Give a Search Edge To Websites That Use Encryption 148

Posted by timothy
from the bit-of-an-incentive dept.
As TechCrunch reports, Google will begin using website encryption, or HTTPS, as a ranking signal – a move which should prompt website developers who have dragged their heels on increased security measures, or who debated whether their website was “important” enough to require encryption, to make a change. Initially, HTTPS will only be a lightweight signal, affecting fewer than 1% of global queries, says Google. ... Over time, however, encryption’s effect on search ranking [may] strengthen, as the company places more importance on website security. ... While HTTPS and site encryption have been a best practice in the security community for years, the revelation that the NSA has been tapping the cables, so to speak, to mine user information directly has prompted many technology companies to consider increasing their own security measures, too. Yahoo, for example, also announced in November its plans to encrypt its data center traffic.
Encryption

The FBI Is Infecting Tor Users With Malware With Drive-By Downloads 182

Posted by timothy
from the for-the-good-of-society dept.
Advocatus Diaboli (1627651) writes For the last two years, the FBI has been quietly experimenting with drive-by hacks as a solution to one of law enforcement's knottiest Internet problems: how to identify and prosecute users of criminal websites hiding behind the powerful Tor anonymity system. The approach has borne fruit—over a dozen alleged users of Tor-based child porn sites are now headed for trial as a result. But it's also engendering controversy, with charges that the Justice Department has glossed over the bulk-hacking technique when describing it to judges, while concealing its use from defendants.
Books

Book Review: Introduction To Cyber-Warfare: A Multidisciplinary Approach 27

Posted by samzenpus
from the read-all-about-it dept.
benrothke writes Cyberwarfare is a controversial topic. At the 2014 Infosec World Conference, Marcus Ranum gave a talk on Cyberwar: Putting Civilian Infrastructure on the Front Lines, Again. Whether it was the topic or just Marcus being Marcus, about a third of the participants left within the first 15 minutes. They should have stayed, as Ranum, agree with him or not, provided some riveting insights on the topic. In Introduction to Cyber-Warfare: A Multidisciplinary Approach, authors Paulo Shakarian, Jana Shakarian and Andrew Ruef provide an excellent overview of the topic. The book takes a holistic, or as they call it multidisciplinary, approach. It looks at the information security aspect of cyberwarfare, as well the military, sociological and other aspects. Keep reading for the rest of Ben's review.
IOS

Private Data On iOS Devices Not So Private After All 101

Posted by timothy
from the it's-totally-intuitive dept.
theshowmecanuck (703852) writes with this excerpt from Reuters summarizing the upshot of a talk that Jonathan Zdziarski gave at last weekend's HOPE conference: Personal data including text messages, contact lists and photos can be extracted from iPhones through previously unpublicized techniques by Apple Inc employees, the company acknowledged this week. The same techniques to circumvent backup encryption could be used by law enforcement or others with access to the 'trusted' computers to which the devices have been connected, according to the security expert who prompted Apple's admission. Users are not notified that the services are running and cannot disable them, Zdziarski said. There is no way for iPhone users to know what computers have previously been granted trusted status via the backup process or block future connections. If you'd rather watch and listen, Zdziarski has posted a video showing how it's done.
Encryption

Russia Posts $110,000 Bounty For Cracking Tor's Privacy 98

Posted by Soulskill
from the what-happens-in-siberia-stays-in-siberia dept.
hypnosec writes: The government of Russia has announced a ~$110,000 bounty to anyone who develops technology to identify users of Tor, an anonymising network capable of encrypting user data and hiding the identity of its users. The public description (in Russian) of the project has been removed now and it only reads "cipher 'TOR' (Navy)." The ministry said it is looking for experts and researchers to "study the possibility of obtaining technical information about users and users' equipment on the Tor anonymous network."
Encryption

New SSL Server Rules Go Into Effect Nov. 1 92

Posted by Soulskill
from the encrypt-your-calendars dept.
alphadogg writes: Public certificate authorities (CAs) are warning that as of Nov. 1 they will reject requests for internal SSL server certificates that don't conform to new internal domain naming and IP address conventions designed to safeguard networks. The concern is that SSL server digital certificates issued by CAs at present for internal corporate e-mail servers, Web servers and databases are not unique and can potentially be used in man-in-the-middle attacks involving the setup of rogue servers inside the targeted network, say representatives for the Certification Authority/Browser Forum (CA/B Forum), the industry group that sets security and operational guidelines for digital certificates. Members include the overwhelming bulk of public CAs around the globe, plus browser makers such as Microsoft and Apple. The problem today is that network managers often give their servers names like 'Server1' and allocate internal IP addresses so that SSL certificates issued for them through the public CAs are not necessarily globally unique, notes Trend Micro's Chris Bailey.
Security

Dropbox Head Responds To Snowden Claims About Privacy 176

Posted by samzenpus
from the protect-ya-neck dept.
First time accepted submitter Carly Page writes When asked for its response to Edward Snowden's claims that "Dropbox is hostile to privacy", Dropbox told The INQUIRER that users concerned about privacy should add their own encryption. The firm warned however that if users do, not all of the service's features will work. Head of Product at Dropbox for Business Ilya Fushman says: "We have data encrypted on our servers. We think of encryption beyond that as a users choice. If you look at our third-party developer ecosystem you'll find many client-side encryption apps....It's hard to do things like rich document rendering if they're client-side encrypted. Search is also difficult, we can't index the content of files. Finally, we need users to understand that if they use client-side encryption and lose the password, we can't then help them recover those files."

It is surely a great calamity for a human being to have no obsessions. - Robert Bly

Working...