Submission + - RSA encryption further compromised by NSA engineering (reuters.com)

alphatel writes: It was revealed in December that the NSA paid RSA $10 million to insert a random number generator with a deceptive NSA backdoor built-in.

A group of professors have found that a second tool, known as the "Extended Random" extension, could help crack a version of RSA's software tens of thousands of times faster.

RSA Chief Technologist Sam Curry declined to say if the government had paid RSA to incorporate Extended Random in its BSafe security kit. An NSA spokeswoman declined to comment on the study or the intelligence agency's motives in developing Extended Random.

Submission + - Microsoft Releases Source Code For MS-DOS, Word For Windows

Hugh Pickens DOT Com writes: Ever wondered what made MS-DOS tick or what the code looks like that captured almost the entire market for PC word processors from WordPerfect? Roy Levin, distinguished engineer and managing director for Microsoft Research, reports that Microsoft is making the source code for MS-DOS 1.1 and 2.0 and Word for Windows 1.1a available to the public for the first time. The released code will be part of an ongoing project by the Computer History Museum to collect and preserve some of the most widely used software of the early days of computing, and make them accessible to developers. Developers are getting a huge teaching tool with the release of this source code, but museums are also winning big says Valentina Palladino. "It's not easy for an institution to gain original source code: MOMA's senior curator of architecture and design Paola Antonelli explained in her TED talk last year that while she worked hard to bring installations of Pac-Man and other video games to the museum, the endgame will always be to preserve the code." Technology companies are often very skeptical about handing out the source code for any program, and it can take years of work and discussion between the companies and museums before the code is released. To download the source code you will first need to agree to use it for non-commercial purposes, and not to post up the code anywhere on the Internet. Could early versions of Windows be next?

Submission + - Regulation of Surveillance Tech Exports On the Table

Trailrunner7 writes: The long shadow cast by the use of surveillance technology and so-called lawful intercept tools has spread across much of the globe and has sparked a renewed push in some quarters for restrictions on the export of these systems. Politicians and policy analysts, discussing the issue in a panel Monday, said that there is room for sensible regulation without repeating the mistakes of the Crypto Wars of the 1990s.

“There’s virtually no accountability or transparency, while the technologies are getting faster, smaller and cheaper,” Marietje Schaake, a Dutch member of the European Parliament, said during a panel discussion put on by the New America Foundation. “We’re often accused of over-regulating everything, so it’s ironic that there’s no regulation here. And the reason is that the member states [of the EU] are major players in this. The incentives to regulate are hampered by the incentives to purchase.

“There has been a lot of skepticism about how to regulate and it’s very difficult to get it right. There are traumas from the Crypto Wars. Many of these companies are modern-day arms dealers. The status quo is unacceptable and criticizing every proposed regulation isn’t moving us forward.”

Submission + - Former US President says Snowden disclosures are "good for Americans to know" (usatoday.com)

McGruber writes: Former United States President Jimmy Carter defended the disclosures by fugitive NSA contractor Edward Snowden on Monday, saying revelations that U.S. intelligence agencies were collecting meta-data of Americans' phone calls and e-mails have been "probably constructive in the long run."

"I think it's wrong," President Carter said of the NSA program. "I think it's an intrusion on one of the basic human rights of Americans, is to have some degree of privacy if we don't want other people to read what we communicate."

Submission + - Gmail Goes HTTPS Only For All Connections

Trailrunner7 writes: Perhaps no company has been as vocal with its feelings about the revelations about the NSA’s collection methods as Google has, and the company has been making a series of changes to its infrastructure in recent months to make it more difficult for adversaries to snoop on users’ sessions. The biggest of those changes landed Thursday when the company switched its Gmail service to HTTPS only, enforcing SSL encryption on all Gmail connections.

The change is a significant one, especially given the fact that Google also has encrypted all of the links between its data centers. Those two modifications mean that Gmail messages are encrypted from the time they leave a user’s machine to the time they leave Google’s infrastructure. This makes life much more difficult for anyone–including the NSA–who is trying to snoop on those Gmail sessions.

Submission + - Church Committee Members Say New Group Needed to Watch NSA

Trailrunner7 writes: In a letter sent to President Obama and members of Congress, former members and staff of the Church Committee on intelligence said that the revelations of the NSA activities have caused “a crisis of public confidence” and encouraged the formation of a new committee to undertake “significant and public reexamination of intelligence community practices”.

In the letter sent Monday to Obama and Congress, several former advisers to and members of the Church committee, including the former chief counsel, said that the current situation involving the NSA bears striking resemblances to the one in 1975 and that the scope of what the NSA is doing today is orders of magnitude larger than what was happening nearly 40 years ago.

“The need for another thorough, independent, and public congressional investigation of intelligence activity practices that affect the rights of Americans is apparent. There is a crisis of public confidence. Misleading statements by agency officials to Congress, the courts, and the public have undermined public trust in the intelligence community and in the capacity for the branches of government to provide meaningful oversight,” the letter says.

Submission + - Weak Apple RNG Threatens iOS Exploit Mitigations

Trailrunner7 writes: A revamped early random number generator in iOS 7 is weaker than its vulnerable predecessor and generates predictable outcomes. A researcher today at CanSecWest said an attacker could brute force the Early Random PRNG used by Apple in its mobile operating system to bypass a number of kernel exploit mitigations native to iOS.

“The Early Random PRNG in iOS 7 is surprisingly weak,” said Tarjei Mandt, senior security researcher at Azimuth Security. “The one in iOS 6 is better because this one is deterministic and trivial to brute force.”

The Early Random PRNG is important to securing the mitigations used by the iOS kernel.

“All the mitigations deployed by the iOS kernel essentially depend on the robustness of the Early Random PRNG,” Mandt said. “It must provide sufficient entropy and non-predictable output.”

Submission + - Snowden, The NSA and the Future of the Offensive Internet

Trailrunner7 writes: Despite everything that has transpired in the last year, Edward Snowden sounded calm, reflective and in some ways wistful yesterday discussing the fallout and consequences of the multitude of NSA programs and methods he’s revealed. Snowden bemoaned the fact that the NSA specifically and the intelligence community in general have shifted their focus to offensive operations, implying that defense should be the focus. But now that those agencies have the tremendous offensive powers they’ve accumulated in the last decade, they’re never giving them back.

Whatever your feelings are about Snowden, listening to him speak about why he did what he did, what he hoped to accomplish and how he feels about the public reaction is informative. He spoke Monday for about an hour from an undisclosed location in Moscow and, while he touched on many subjects, Snowden returned several times to the idea that the NSA and other government agencies have hijacked the Internet for their own purposes, all in the name of protecting us from something.

Given those abilities, and more importantly, the legal authority to use them, the NSA is, of course, going to do so. If you have a Ferrari, you don’t leave it sitting in the garage, you drive the hell out of it. Technology advances, regardless of our desire for it to slow down sometimes, and, as Bruce Schneier often says, attacks only get better, not worse. And the NSA is the apex predator of this environment. The agency hasn’t abandoned its defensive mission, not by a long shot, but offense is sexy and provides tangible results to show the higher-ups.

Offense is the present and it’s also the future. And, to borrow a phrase, the future will retire undefeated.

Submission + - How the NSA Plans to Infect 'Millions' of Computers with Malware (firstlook.org)

Advocatus Diaboli writes: Top-secret documents reveal that the National Security Agency is dramatically expanding its ability to covertly hack into computers on a mass scale by using automated systems that reduce the level of human oversight in the process. The classified files – provided previously by NSA whistleblower Edward Snowden – contain new details about groundbreaking surveillance technology the agency has developed to infect potentially millions of computers worldwide with malware “implants.” The clandestine initiative enables the NSA to break into targeted computers and to siphon out data from foreign Internet and phone networks.

Submission + - Tim Berners-Lee's amazing 1989 proposal for the web (time.com)

harrymcc writes: It's well known that the World Wide Web originated in Tim Berners-Lee's 1989 proposal for an information-management system for his employer, CERN. That document turns 25 today, and there's no better way to celebrate the web's birthday than to celebrate it. What Berners-Lee proposed was simple, expandable, social, compatible and distributed — so smart an approach to sharing information that it's easy to envision it going strong generations from now. Over at TIME.com, I posted an appreciation.

Submission + - iOS 7.1 Fixes More Than 20 Code Execution Flaws in iPhone

Trailrunner7 writes: Apple has fixed a slew of vulnerabilities that could lead to code execution on the iPhone, along with a number of other security vulnerabilities in the latest version of its mobile operating system, iOS 7.1. The new release comes just a little more than two weeks after Apple released iOS 7.06 to fix the SSL certificate validation error.

Unlike that release, which fixed just the one vulnerability, significant though it was, iOS 7.1 is a major security release containing patches for a large number of vulnerabilities in a bunch of different components. Webkit, the framework underlying Safari, got a major security upgrade in iOS 7.1, with Apple fixing 19 separate memory corruption issues. Nearly half of those vulnerabilities were discovered by the Google Chrome security team, and many of the 19 bugs were identified last year.

Submission + - Automatic Updates May Be Next Surveillance Frontier

Trailrunner7 writes: As more Web-based services are encrypted, privacy advocates are concerned the next wave of aggressive surveillance activity could target automated update services that essentially provide Internet companies root access to machines.

Chris Soghoian, principal technologist with the American Civil Liberties Union, said today at TrustyCon that current malware delivery mechanisms such as phishing schemes and watering hole attacks could soon be insufficient for intelligence agencies and law enforcement such as the NSA and FBI.

“The FBI is in the hacking business. The FBI is in the malware business,” Soghoian said. “The FBI may need more than these two tools to deliver malware. They may need something else and this is where my concern is. This is where we are going and why I’m so worried about trust.”

Submission + - Apple SSL Bug Also Affects OSX

Trailrunner7 writes: The certificate-validation vulnerability that Apple patched in iOS yesterday also affects Mac OS X up to 10.9.1, the current version. Several security researchers analyzed the patch and looked at the code in question in OS X and found that the same error exists there as in iOS.

Researcher Adam Langley did an analysis of the vulnerable code in OS X and said that the issue lies in the way that the code handles a pair of failures in a row. The bug affects the signature verification process in such a way that a server could send a valid certificate chain to the client and not have to sign the handshake at all, Langley found.

Some users are reporting that Apple is rolling out a patch for this vulnerability in OS X, but it has not shown up for all users as yet. Langley has published a test site that will show OS X users whether their machines are vulnerable.

Submission + - Apple Fixes Critical Certificate Validation Bug in iOS 7.06

Trailrunner7 writes: Apple on Friday quietly pushed out a security update to iOS that restores some certificate-validation checks that had apparently been missing from the operating system for an unspecified amount of time.

“Secure Transport failed to validate the authenticity of the connection. This issue was addressed by restoring missing validation steps,” the Apple advisory says.

The wording of the description is interesting, as it suggests that the proper certificate-validation checks were in place at some point in iOS but were later removed somehow. The effect of an exploit against this vulnerability would be that an attacker with a man-in-the-middle position on the victim’s network would be able to read supposedly secure communications. It’s not clear when the vulnerability was introduced, but the CVE entry for the bug was reserved on Jan. 8.
