Communications

Senate Advances Plan To Make Email and Social Sites Report Terror Activity

Advocatus Diaboli sends news that the Senate Intelligence Committee has unanimously approved draft legislation that would require email providers and social media sites to report any suspected terrorist activities to the government. While the legislation itself is classified until it reaches the Senate floor, Committee chairman Richard Burr (R-NC) said, "America’s security depends on our intelligence community’s ability to detect and thwart attacks on the homeland, our personnel and interests overseas, and our allies. This year’s legislation arms the intelligence community with the resources they need, and reinforces congressional oversight of intelligence activities." The legislation is based on 2008's Protect Our Children Act, which required companies to report information about child porn to an agency that would act on it. One industry official told the Washington Post, "Considering the vast majority of people on these sites are not doing anything wrong, this type of monitoring would be considered by many to be an invasion of privacy. It would also be technically difficult."
Security

'Severe Bug' To Be Patched In OpenSSL

An anonymous reader writes: The Register reports that upcoming OpenSSL versions 1.0.2d and 1.0.1p are claimed to fix a single security defect classified as "high" severity. It is not yet known what this mysterious vulnerability is — that would give the game away to attackers hoping to exploit the hole before the patch is released to the public. Some of OpenSSL's examples of "high severity" vulnerabilities are a server denial-of-service, a significant leak of server memory, and remote code execution. If you are a system administrator, get ready to patch your systems this week. The defect does not affect the 1.0.0 or 0.9.8 versions of the library.
Government

Eric Holder Says DoJ Could Strike Deal With Snowden; Current AG Takes Hard Line

cold fjord writes with the report at Yahoo that Former Attorney General Eric Holder said today that a "possibility exists" for the Justice Department to cut a deal with ... Edward Snowden that would allow him to return to the United States ... Holder said "we are in a different place as a result of the Snowden disclosures" and that "his actions spurred a necessary debate" that prompted President Obama and Congress to change policies ... "I certainly think there could be a basis for a resolution that everybody could ultimately be satisfied with. I think the possibility exists." A representative of current Attorney General Loretta Lynch, though, said that there has been no change in the government's position ("This is an ongoing case so I am not going to get into specific details but I can say our position regarding bringing Edward Snowden back to the United States to face charges has not changed."), Holder's musings aside. As the article points out, too, "any suggestion of leniency toward Snowden would likely run into strong political opposition in Congress as well as fierce resistance from hard-liners in the intelligence community."
United Kingdom

Theresa May Named UK's Internet Villain of the Year

An anonymous reader writes with news that Theresa May, the UK's Secretary of State for the Home Department, has been named the UK internet industry's villain of the year. She won this dubious honor for pushing the UK's controversial "snooper's charter" legislation, which would require ISPs to retain massive amounts of data regarding their subscribers for no less than a year. May championed the legislation without consulting the internet industry.

Conversely, "The MPs Tom Watson and David Davis were jointly named internet hero for their legal action against the Data Retention and Investigatory Powers Act. 'Surveillance has dominated both the hero and villain shortlists for a number of years, and it was felt Davis and Watson were some of the best informed politicians on the subject,' the ISPA said."
Encryption

Cameron Asserts UK Gov't Will Leave No "Safe Space" For Private Communications

An anonymous reader writes with the story from Ars Technica that UK prime minister David Cameron "has re-iterated that the UK government does not intend to 'leave a safe space — a new means of communication — for terrorists to communicate with each other.'" That statement came Monday, as a response to Conservative MP David Bellingham, "who asked [Cameron, on the floor of the House of Commons] whether he agreed that the 'time has come for companies such as Google, Facebook and Twitter to accept and understand that their current privacy policies are completely unsustainable?' To which Cameron replied: 'we must look at all the new media being produced and ensure that, in every case, we are able, in extremis and on the signature of a warrant, to get to the bottom of what is going on.'" This sounds like the UK government is declaring a blustery war on encryption, and it might not need too much war: some companies can be persuaded (or would be eager) to cooperate with the government in handing over all kinds of information. However, the bluster part may leave even the fiercest surveillance mostly show: as Ars writer Glyn Moody asks, what about circumstances "where companies can't hand over keys, or where there is no company involved, as with GnuPG, the open source implementation of the OpenPGP encryption system?" Or Tor?
United States

Federal Wiretaps Down Slightly, Encryption Impact Decreases

coondoggie writes: According to the 2014 Wiretap Report, released today by the Administrative Office of the United States Courts, a total of 3,554 wiretaps were reported as authorized, with 1,279 authorized by federal judges and 2,275 authorized by state judges. Compared to the applications approved during 2013, the number approved by federal judges decreased 13% in 2014 and the number approved by state judges increased 8%. One state wiretap application was denied in 2014, the report stated.
Security

Amazon's New SSL/TLS Implementation In 6,000 Lines of Code

bmearns writes: Amazon has announced a new library called "s2n," an open source implementation of SSL/TLS, the cryptographic security protocols behind HTTPS, SSH, SFTP, secure SMTP, and many others. Weighing in at about 6k lines of code, it's just a little more than 1% the size of OpenSSL, which is really good news in terms of security auditing and testing. OpenSSL isn't going away, and Amazon has made clear that they will continue to support it. Notably, s2n does not provide all the additional cryptographic functions that OpenSSL provides in libcrypto; it only provides the SSL/TLS functions. Furthermore, it implements a relatively small subset of SSL/TLS features compared to OpenSSL.
Privacy

Surveillance Court: NSA Can Resume Bulk Surveillance

An anonymous reader writes: We all celebrated back in May when a federal court ruled the NSA's phone surveillance illegal, and again at the beginning of June, when the Patriot Act expired, ending authorization for that surveillance. Unfortunately, the NY Times now reports on a ruling from the Foreign Intelligence Surveillance Court, which concluded that the NSA may temporarily resume bulk collection of metadata about U.S. citizens' phone calls. From the article: "In a 26-page opinion (PDF) made public on Tuesday, Judge Michael W. Mosman of the surveillance court rejected the challenge by FreedomWorks, which was represented by a former Virginia attorney general, Ken Cuccinelli, a Republican. And Judge Mosman said that the Second Circuit was wrong, too. 'Second Circuit rulings are not binding' on the surveillance court, he wrote, 'and this court respectfully disagrees with that court's analysis, especially in view of the intervening enactment of the U.S.A. Freedom Act.' When the Second Circuit issued its ruling that the program was illegal, it did not issue any injunction ordering the program halted, saying that it would be prudent to see what Congress did as Section 215 neared its June 1 expiration."
Security

Stanford Starts the 'Secure Internet of Things Project'

An anonymous reader writes: The internet-of-things is here to stay. Lots of people now have smart lights, smart thermostats, smart appliances, smart fire detectors, and other internet-connected gadgets installed in their houses. The security of those devices has been an obvious and predictable problem since day one. Manufacturers can't be bothered to provide updates to $500 smartphones more than a couple years after they're released; how long do you think they'll be worried about security updates for a $50 thermostat? Security researchers have been vocal about this, and they've found lots of vulnerabilities and exploits before hackers have had a chance to. But the manufacturers have responded in the wrong way.

Instead of developing a more robust approach to device security, they've simply thrown encryption at everything. This makes it temporarily harder for malicious hackers to have their way with the devices, but also shuts out consumers and white-hat researchers from knowing what the devices are doing. Stanford, Berkeley, and the University of Michigan have now started the Secure Internet of Things Project, which aims to promote security and transparency for IoT devices. They hope to unite regulators, researchers, and manufacturers to ensure nascent internet-connected tech is developed in a way that respects customer privacy and choice.
Privacy

When a Company Gets Sold, Your Data May Be Sold, Too

An anonymous reader writes: A new report points out that many of the top internet sites have language in their privacy policies saying that your private data might be transferred in the event of an acquisition, bankruptcy sale, or other transaction. They effectively say, "We won't ever sell your information, unless things go bad for us." 85 of the top 100 websites in the U.S. (ranked by Alexa) had this sort of language, including Amazon, Apple, Facebook, Google, Hulu, and LinkedIn. (RadioShack did this recently.) "The potential ramifications of the fire sale provisions became clear two years ago when True.com, a dating site based in Plano, Tex., that was going through a bankruptcy proceeding, tried to sell its customer database on 43 million members to a dating site based in Canada. The profiles included consumers' names, birth dates, sexual orientation, race, religion, criminal convictions, photos, videos, contact information and more. Because the site's privacy policy had promised never to sell or share members' personal details without their permission, Texas was able to intervene to stop the sale of customer data, including intimate details on about two million Texans." But with this new language, users no longer enjoy that sort of protection. Only 17 of the top 100 sites even say they will notify customers of the data transfer. Only a handful allow users to opt out.
Encryption

NIST Updates Random Number Generation Guidelines

An anonymous reader writes: Encryption weighs heavily on the public consciousness these days, as we've learned that government agencies are keeping an eye on us and a lot of our security tools aren't as foolproof as we've thought. In response to this, the National Institute of Standards and Technology has issued a formal update to its document on how to properly generate a random number — crucial in many types of encryption. The update (as expected) removes a recommendation for the Dual_EC_DRBG algorithm. It also adds extra options for CTR_DRBG and points out examples for implementing SP 800-90A generators. The full document (PDF) is available online.
Encryption

Cisco Security Appliances Found To Have Default SSH Keys

Trailrunner7 writes: Many Cisco security appliances contain default, authorized SSH keys that can allow an attacker to connect to an appliance and take almost any action he chooses. The company said all of its Web Security Virtual Appliances, Email Security Virtual Appliances, and Content Security Management Virtual Appliances are affected by the vulnerability.

This bug is about as serious as they come for enterprises. An attacker who is able to discover the default SSH key would have virtually free rein on vulnerable boxes, which, given Cisco's market share and presence in the enterprise worldwide, is likely a high number. The default key apparently was inserted into the software for support reasons.

"The vulnerability is due to the presence of a default authorized SSH key that is shared across all the installations of WSAv, ESAv, and SMAv. An attacker could exploit this vulnerability by obtaining the SSH private key and using it to connect to any WSAv, ESAv, or SMAv. An exploit could allow the attacker to access the system with the privileges of the root user," Cisco said.
Government

Editor of 'Reason' Discusses Federal Subpoena To Unmask Commenters

mi points out an article from Nick Gillespie, editor of libertarian website Reason, who was recently asked by the federal government to provide identifying information on anonymous commenters from one of the site's blog posts. Not only was Reason issued a subpoena for the commenters' identities, but they were also placed under a gag order, preventing them from even mentioning it to somebody who wasn't their lawyer. Gillespie says the comments in question were "hyperbolic, in questionable taste–and fully within the norms of Internet commentary." He continues: "To the extent that the feds actually thought these were serious plans to do real harm, why the hell would they respond with a slow-moving subpoena whose deadline was days away? By spending five minutes doing the laziest, George Jetson-style online "research" (read: Google and site searches), they would have found publicly available info on some of the commenters. I'm talking things like websites and Google+ pages. One of the commenters had literally posted thousands of comments at Reason.com, from which it is clear that he (assuming it is a he) is not exactly a threat to anyone other than common decency."
Privacy

ICANN Seeks Comment On Limiting Anonymized Domain Registration

angry tapir writes: Privacy advocates are sounding the alarm over a potential policy change (PDF) that would prevent some people from registering website addresses without revealing their personal information. ICANN, the regulatory body that oversees domain names, has asked for public comment on whether it should prohibit the private registration of domains which are "associated with commercial activities and which are used for online financial transactions."
Government

France, Up In Arms Over NSA Spying, Passes New Surveillance Law

An anonymous reader writes: French President François Hollande held an emergency meeting with top security officials to respond to WikiLeaks documents that say the NSA eavesdropped on French presidents. The documents published in Liberation and investigative website Mediapart include material that appeared to capture current president, François Hollande; the prime minister in 2012, Jean-Marc Ayrault; and former presidents Nicolas Sarkozy and Jacques Chirac, talking candidly about Greece's economy and relations with Germany. The Intercept reports: "Yet also today, the lower house of France's legislature, the National Assembly, passed a sweeping surveillance law. The law provides a new framework for the country's intelligence agencies to expand their surveillance activities. Opponents of the law were quick to mock the government for vigorously protesting being surveilled by one of the country's closest allies while passing a law that gives its own intelligence services vast powers with what its opponents regard as little oversight. But for those who support the new law, the new revelations of NSA spying showed the urgent need to update the tools available to France's spies."