Privacy

Let's Encrypt Hits New Milestone: Over 100,000,000 Certificates Issued (letsencrypt.org) 19

Josh Aas, the executive director of Internet Security Research Group (ISRG) writing for Let's Encrypt: Let's Encrypt, a free, automated, and open certificate authority has reached a milestone: we've now issued more than 100,000,000 certificates. This number reflects at least a few things: First, it illustrates the strong demand for our services. We'd like to thank all of the sysadmins, web developers, and everyone else managing servers for prioritizing protecting your visitors with HTTPS. Second, it illustrates our ability to scale. I'm incredibly proud of the work our engineering teams have done to make this volume of issuance possible. I'm also very grateful to our operational partners, including IdenTrust, Akamai, and Sumo Logic. Third, it illustrates the power of automated certificate management. If getting and managing certificates from Let's Encrypt always required manual steps there is simply no way we'd be able to serve as many sites as we do. The total number of certificates we've issued is an interesting number, but it doesn't reflect much about tangible progress towards our primary goal: a 100% HTTPS Web.
Security

Hacks Raise Fear Over NSA's Hold on Cyberweapons (nytimes.com) 40

Nicole Perlroth, and David Sanger, writing for The New York Times: Twice in the past month, National Security Agency cyberweapons stolen from its arsenal have been turned against two very different partners of the United States -- Britain and Ukraine. The N.S.A. has kept quiet, not acknowledging its role in developing the weapons (alternative source). White House officials have deflected many questions, and responded to others by arguing that the focus should be on the attackers themselves, not the manufacturer of their weapons. But the silence is wearing thin for victims of the assaults, as a series of escalating attacks using N.S.A. cyberweapons have hit hospitals, a nuclear site and American businesses. Now there is growing concern that United States intelligence agencies have rushed to create digital weapons that they cannot keep safe from adversaries or disable once they fall into the wrong hands. On Wednesday, the calls for the agency to address its role in the latest attacks grew louder, as victims and technology companies cried foul. Representative Ted Lieu, a California Democrat and a former Air Force officer who serves on the House Judiciary and Foreign Affairs Committees, urged the N.S.A. to help stop the attacks and to stop hoarding knowledge of the computer vulnerabilities upon which these weapons rely.
Security

WikiLeaks Dump Reveals CIA Malware For Tracking Windows Devices Via WiFi Networks (bleepingcomputer.com) 63

WikiLeaks has published the documentation manual for an alleged CIA tool that can track users of Wi-Fi-capable Windows devices based on the Extended Service Set (ESS) data of nearby Wi-Fi networks. According to the tool's 42-page manual, the tool's name is ELSA. Bleeping Computer has an image embedded in its report that explains how the tool works. There are six steps that summarize the ELSA operation. Bleeping Computer reports: Step 1: CIA operative configures ELSA implant (malware) based on a target's environment. This is done using a tool called the "PATCHER wizard," which generates the ELSA payload, a simple DLL file.
Step 2: CIA operative deploys ELSA implant on target's Wi-Fi-enabled Windows machine. Because ELSA is an implant (malware), the CIA operator will likely have to use other CIA hacking tools and exploits to place the malware on a victim's PC.
Step 3: The implant begins collecting Wi-Fi access point information based on the schedule set by the operator. Data collection can happen even if the user is disconnected from a Wi-Fi network.
Step 4: When the target user connects to the Internet, ELSA will take the collected Wi-Fi data and query a third-party database for geolocation information.
Step 5: The CIA operative connects to the target's computer and fetches the ELSA log. This is done via the tools that allowed the operator to place ELSA on his system, or through other tools.
Step 6: The operator decrypts the log and performs further analysis on their target. Optionally, he can use the collected WiFi data to query alternate EES geo-location databases, if he feels they provide a better accuracy.

Earth

Mayors of 7,400 Cities Vow To Meet Obama's Climate Commitments (theguardian.com) 215

An anonymous reader quotes a report from The Guardian: Mayors of more than 7,400 cities across the world have vowed that Donald Trump's decision to withdraw from the Paris accord will spur greater local efforts to combat climate change. At the first meeting of a "global covenant of mayors," city leaders from across the US, Europe and elsewhere pledged to work together to keep to the commitments made by Barack Obama two years ago. Cities will devise a standard measurement of emission reductions to help them monitor their progress. They will also share ideas for delivering carbon-free transport and housing. Kassim Reed, the mayor of Atlanta, told reporters he had travelled to Europe to "send a signal" that US states and cities would execute the policies Obama committed to, whether the current White House occupants agreed or not. Reed, whose administration has promised that the city of Atlanta will use 100% renewable energy by 2035, said 75% of the US population and GDP lay in urban areas, where local leaders were committed to fighting climate change. "We have the ability to still achieve between 35% and 45% CO2 emission reductions without the involvement of the national government and it is why I chose to be here at this time to send a signal to 7,400 cities around the world that now should be a time of optimism, passion and action," he said.
Security

London Metropolitan Police's 18,000 Windows XP PCs Is a Disaster Waiting To Happen (mspoweruser.com) 192

According to MSPoweruser, the London Metropolitan Police are still using around 18,000 PCs powered by Windows XP, an operating system Microsoft stopped supporting in 2014. What's more is that the police force is upgrading its PCs from Windows XP to Windows 8.1, instead of Windows 10. Only 8 PCs at the police force are reportedly powered by the "most secure version of Windows right now." From the report: From the looks of things, the London Metropolitan Police will continue to upgrade their systems to Windows 8.1 at the moment. Windows 8.1 is still being supported by Microsoft, although the mainstream support for the OS is set to end on the 9 January 2018. Microsoft will offer extended support for the OS until 2023, which means Windows 8.1 is still a much more secure alternative for the Metropolitan Police than Windows XP. Windows 10 still would have been the best option in terms of security, however. Microsoft is releasing security updates for the OS every month, and the new advanced security features like Windows Defender Advanced Threat Protection makes PCs running Windows a whole lot more secure. The spokesman of the 0Conservative London Assembly said in a statement: "The Met is working towards upgrading its software, but in its current state it's like a fish swimming in a pool of sharks. It is vital the Met is given the resources to step up its upgrade timeline before we see another cyber-attack with nationwide security implications."
Government

US Imposes Stricter Security Screenings At Foreign Airports, But Won't Expand Laptop Ban Yet (theverge.com) 59

An anonymous reader quotes a report from The Verge: The United States will require foreign airports to implement stricter security practices and screenings for any passengers headed to the U.S. John Kelly, the U.S. secretary of Homeland Security, announced today that the new measures were being put in place. Though he didn't go into specifics, Kelly said the new requirements would include further screenings of electronics, more thorough vetting of passengers, and measures meant to stop "insider attacks." The U.S. is also encouraging the use of more bomb-detecting dogs, "advanced checkpoint screening technology," and the addition of "preclearance" locations, which station U.S. customs officers overseas, allowing them to screen passengers before boarding instead of after they land. One thing Kelly didn't announce was an expansion of the tablet and laptop ban, which is currently in effect on flights from 10 airports in the Middle East and North Africa. If airports don't comply with the new screening rules, Kelly said, they may be subject to additional electronics bans. But for the time being, it sounds like the ban will be kept to those 10 locations. According to Reuters, airlines have 21 days to comply with the new rules for explosives screenings and four months to comply with everything else.
The Courts

Equal Rights Center Sues Uber For Denying Equal Access To People Who Use Wheelchairs (techcrunch.com) 175

The Equal Rights Center is suing Uber, alleging that the company has chosen not to include wheelchair-accessible cars as an option in its standard UberX fleet of vehicles, and excludes people who use wheelchairs in Washington, D.C. According to the lawsuit, Uber is in violation of Title 3 of the Americans with Disabilities Act and the D.C. Human Rights Act. TechCrunch reports: After conducting its own investigation of Uber's services for people in wheelchairs, the ERC found that passengers had to wait an average of eight times longer for an accessible car to arrive. They also had to pay twice as much in fares, according to the ERC's study. Ultimately, the ERC wants Uber to integrate wheelchair accessible cars into its UberX fleet so that people who use wheelchairs don't have to wait longer and pay more to use the car service. Uber said in a statement provided to TechCrunch: "We take this issue seriously and are committed to continued work with the District, our partners, and stakeholders toward expanding transportation options and freedom of movement for all residents throughout the region."
Security

The Petya Ransomware Is Starting To Look Like a Cyberattack in Disguise (theverge.com) 156

Further research and investigation into Petya ransomware -- which has affected computers in over 60 countries -- suggest three interesting things: 1. Ukraine was the epicentre of the attack. According to Kaspersky, 60 percent of all machines infected were located within Ukraine. 2. The attackers behind the attack have made little money -- around $10,000. Which leads to speculation that perhaps money wasn't a motive at all. 3. Petya was either "incredibly buggy, or irreversibly destructive on purpose." An anonymous reader shares a report: Because the virus has proven unusually destructive in Ukraine, a number of researchers have come to suspect more sinister motives at work. Peeling apart the program's decryption failure in a post today, Comae's Matthieu Suiche concluded a nation state attack was the only plausible explanation. "Pretending to be a ransomware while being in fact a nation state attack," Suiche wrote, "is in our opinion a very subtle way from the attacker to control the narrative of the attack." Another prominent infosec figure put it more bluntly: "There's no fucking way this was criminals." There's already mounting evidence that Petya's focus on Ukraine was deliberate. The Petya virus is very good at moving within networks, but initial attacks were limited to just a few specific infections, all of which seem to have been targeted at Ukraine. The highest-profile one was a Ukrainian accounting program called MeDoc, which sent out a suspicious software update Tuesday morning that many researchers blame for the initial Petya infections. Attackers also planted malware on the homepage of a prominent Ukraine-based news outlet, according to one researcher at Kaspersky.
Businesses

More Than 40 ISPs Across the Country Tell Chairman Pai to Not Repeal Network Neutrality (eff.org) 61

An anonymous reader shares a report: One excuse FCC Chairman Ajit Pai regularly offers to explain his effort to gut net neutrality protections is the claim that open Internet rules have harmed ISPs, especially small ones. During a speech earlier this year, he stressed that 22 small ISPs told him that the 2015 Open Internet Order hurt their ability to invest and deploy. In reality, though, many more ISPs feel very differently. Today, more than 40 ISPs told the FCC that they have had no problem with the Open Internet Order (PDF) and that it hasn't hurt their ability to develop and expand their networks. What is more, that they want the FCC to do its job and address the problem Congress created when it repealed the broadband privacy rules in March.
Google

Google Must Delete Search Results Worldwide, Supreme Court of Canada Rules (fortune.com) 236

The Supreme Court of Canada ruled against Google on Wednesday in a closely-watched intellectual property case over whether judges can apply their own country's laws to all of the internet. From a report: In a 7-2 decision, the court agreed a British Columbia judge had the power to issue an injunction forcing Google to scrub search results about pirated products not just in Canada, but everywhere else in the world too. Those siding with Google, including civil liberties groups, had warned that allowing the injunction would harm free speech, setting a precedent to let any judge anywhere order a global ban on what appears on search engines. The Canadian Supreme Court, however, downplayed this objection and called Google's fears "theoretical." "This is not an order to remove speech that, on its face, engages freedom of expression values, it is an order to de-index websites that are in violation of several court orders. We have not, to date, accepted that freedom of expression requires the facilitation of the unlawful sale of goods," wrote Judge Rosalie Abella.
Government

FBI Interviews Employees of Russia-Linked Cyber Security Firm Kaspersky Lab (nbcnews.com) 41

FBI agents on Tuesday paid visits to at least a dozen employees of Kaspersky Lab, a Russia-based cyber-security company, asking questions about that company's operations as part of a counter-intelligence inquiry, multiple sources familiar with the matter told NBC News. From a report: In a classic FBI investigative tactic, agents visited the homes of the employees at the end of the work day at multiple locations on both the east and west coasts, the sources said. There is no indication at this time that the inquiry is part of Special Counsel Robert Mueller's investigation into Russian election meddling and possible collusion. Kaspersky has long been of interest to the U.S. government. Its cyber-security software is widely used in the United States, and its billionaire owner, Eugene Kaspersky, has close ties to some Russian intelligence figures, according to U.S. officials.
Businesses

Toshiba Sues Western Digital For $1 Billion in Damages (bloomberg.com) 25

Toshiba has raised the stakes in an embittered legal row with its joint venture partner, suing Western Digital for a $1bn in damages and hoping Japanese courts will quash the US firm's interference in the sale of its memory chip business. From a report: The litigation, filed Wednesday in Tokyo District Court, seeks to stop Western Digital from making ownership claims over the enterprise that Toshiba is trying to sell. The Japanese company said in a statement that Western Digital's employees improperly obtained proprietary information. The relationship between Toshiba and Western Digital has gotten more acrimonious, as Toshiba moves toward a sale of the flash-memory division. Last month, Western Digital invoked an arbitration clause in their business agreement, seeking to block Toshiba's transfer of ownership of the unit to a separate legal entity in preparation for a sale. Toshiba, which has since reversed that transfer, then had its lawyers send a letter demanding that the U.S. company stop its "harassment" as Toshiba tries to sell the business.
Businesses

President Trump Attacks Amazon, Incorrectly Claiming That It Owns The Washington Post For Tax Purposes (recode.net) 385

The Washington Post, which has been critical of Donald Trump and his administration in its coverage, has become the latest victim in Trump's Twitter tirade. On Wednesday, he accused Amazon of not "paying internet taxes (which they should)," adding that the company is using The Washington Post "in a scheme to dodge" the taxes. Quick fact check: Amazon doesn't own The Washington Post, Jeff Bezos -- in his personal capacity -- does. At any rate, Trump's furious tweets come a day after The Washington Post reported that a fake issue of Time magazine with Trump on the cover was hanging in some of the president's golf clubs. The timing of this is also awkward because just last week the president met with Bezos and other top executives to discuss ways the White House can modernize government and aid the tech industry. But the two have a long history. As Recode reminds: Meanwhile, Amazon is about to embark on what could be a lengthy government antitrust review of its bid to buy Whole Foods. Already looming large over the roughly $14 billion deal are the president's own comments: He has previously attacked Bezos and claimed the Post is a tax-dodging scheme for Amazon. "He thinks I'll go after him for antitrust," Trump said at one point during his campaign. "Because he's got a huge antitrust problem, because he's controlling so much, Amazon is controlling so much of what they are doing." Months later, Trump charged: "Believe me, if I become president, oh, do they have problems, they are going to have such problems." Meanwhile, Bezos isn't one to shy about his anti-Trump views either. At one point during the election, Bezos tweeted that he'd save a seat for Trump on his Blue Origin spacecraft, with the hashtag "sendDonaldtospace."
Security

Contractors Lose Jobs After Hacking CIA's In-House Vending Machines (techrepublic.com) 184

An anonymous reader quotes a report from TechRepublic: Today's vending machines are likely to be bolted to the floor or each other and are much more sophisticated -- possibly containing machine intelligence, and belonging to the Internet of Things (IoT). Hacking this kind of vending machine obviously requires a more refined approach. The type security professionals working for the U.S. Central Intelligence Agency (CIA) might conjure up, according to journalists Jason Leopold and David Mack, who first broke the story A Bunch Of CIA Contractors Got Fired For Stealing Snacks From Vending Machines. In their BuzzFeed post, the two writers state, "Several CIA contractors were kicked out of the Agency for stealing more than $3,000 in snacks from vending machines according to official documents... ." This October 2013 declassified Office of Inspector General (OIG) report is one of the documents referred to by Leopold and Mack. The reporters write that getting the records required initiating a Freedom Of Information Act lawsuit two years ago, adding that the redacted files were only recently released. The OIG report states Agency employees use an electronic payment system, developed by FreedomPay, to purchase food, beverages, and goods from the vending machines. The payment system relies on the Agency Internet Network to communicate between vending machines and the FreedomPay controlling server. The OIG report adds the party hacking the electronic payment system discovered that severing communications to the FreedomPay server by disconnecting the vending machine's network cable allows purchases to be made using unfunded FreedomPay cards.
United Kingdom

Britain's Newest Warship Runs Windows XP, Raising Cyber Attack Fears (telegraph.co.uk) 295

Chrisq shares a report from The Telegraph: Fears have been raised that Britain's largest ever warship could be vulnerable to cyber attacks after it emerged it appears to be running the outdated Microsoft Windows XP. A defense source told The telegraph that some of the on-board hardware and software "would have been good in 2004" when the carrier was designed, "but now seems rather antiquated." However, he added that HMS Queen Elizabeth is due to be given a computer refit within a decade. And senior officers said they will have cyber specialists on board to defend the carrier from such attacks.

Slashdot Top Deals