Compare cell phone plans using Wirefly's innovative plan comparison tool ×
Wireless Networking

Italy Quake Rescuers Ask Locals To Unlock Their Wi-Fi (bbc.com) 140

Rescue teams searching for earthquake survivors in central Italy have asked locals to unlock their Wifi passwords. The Italian Red Cross says residents' home networks can assist with communications during the search for survivors, reports BBC. From the report: On Wednesday a 6.2 magnitude earthquake struck central Italy and killed more than 240 people. More than 4,300 rescuers are looking for survivors believed to still be trapped in the rubble. On Twitter, the Italian Red Cross posted a step-by-step guide which explains how local residents can switch off their Wifi network encryption. Similar requests have been made by the National Geological Association and Lazio Region. A security expert has warned that removing encryption from a home Wifi network carries its own risks, but added that those concerns are trivial in the context of the rescue operation.
Encryption

How SSL/TLS Encryption Hides Malware (cso.com.au) 87

Around 65% of the internet's one zettabyte of global traffic uses SSL/TLS encryption -- but Slashdot reader River Tam shares an article recalling last August when 910 million web browsers were potentially exposed to malware hidden in a Yahoo ad that was hidden from firewalls by SSL/TLS encryption: When victims don't have the right protection measures in place, attackers can cipher command and control communications and malicious code to evade intrusion prevention systems and anti-malware inspection systems. In effect, the SSL/TLS encryption serves as a tunnel to hide malware as it can pass through firewalls and into organizations' networks undetected if the right safeguards aren't in place. As SSL/TLS usage grows, the appeal of this threat vector for hackers too increases.

Companies can stop SSL/TLS attacks, however most don't have their existing security features properly enabled to do so. Legacy network security solutions typically don't have the features needed to inspect SSL/TLS-encrypted traffic. The ones that do, often suffer from such extreme performance issues when inspecting traffic, that most companies with legacy solutions abandon SSL/TLS inspection.

Botnet

'Smart' Electrical Socket Leaks Your Email Address, Can Launch DDoS Attacks (softpedia.com) 82

An anonymous reader writes from a report via Softpedia: There is an insecure IoT smart electrical socket on the market that leaks your Wi-Fi password, your email credentials (if configured), and is also poorly coded, allowing attackers to hijack the device via a simple command injection in the password field. Researchers say that because of the nature of the flaws, attackers can overwrite its firmware and add the device to a botnet, possibly using it for DDoS attacks, among other things. Bitdefender didn't reveal the device's manufacturer but said the vendor is working on a fix, which will be released in late Q3 2016. Problems with the device include a lack of encryption for device communications and the lack of any basic input sanitization for the password field. "Up until now most IoT vulnerabilities could be exploited only in the proximity of the smart home they were serving, however, this flaw allows hackers to control devices over the internet and bypass the limitations of the network address translation," says Alexandru Balan, Chief Security Researcher at Bitdefender. "This is a serious vulnerability, we could see botnets made up of these power outlets."
Canada

Canada's Police Chiefs Want New Law To Compel People To Reveal Passwords (www.cbc.ca) 209

Reader DaveyJJ writes: CBC is reporting that the Canadian Association of Chiefs of Police, has passed a resolution calling for a legal measure to unlock digital evidence, saying criminals increasingly use encryption to hide illicit activities. The chiefs are recommending new legislation that would force people to hand over their electronic passwords with a judge's consent. RCMP Assistant Commissioner Joe Oliver is using the usual scare tactics "child-molesters and mobsters live in the 'dark web'" in his statement today to drum up public support in his poorly rationalized privacy-stripping recommendation. A few years ago, Canada's Supreme Court ruled that police must have a judge's order to request subscriber and customer information from ISPs, banks and others who have online data about Canadians. I guess that ruling isn't sitting too well with law enforcement and Canada's domestic spy agencies.
Communications

Google Duo Video Chat App Arrives On iOS and Android With End-to-end Encryption (betanews.com) 114

An anonymous reader writes: Video chat should be simple, but it is not. The biggest issue is fragmentation. On iOS, for instance, Facetime is a wonderfully easy solution, but there is no Android client. While there are plenty of cross-platform third-party options to solve this, they aren't always elegant. Skype is a good example of an app that should bridge the gap, but ends up being buggy and clunky. Google is aiming to solve this dilemma with its 'Duo' video chat app. With it, the search giant is putting a heavy focus on ease of use. The offering is available for both Android and iOS -- the only two mobile platforms that matter (sorry, Windows 10 Mobile). Announced three months ago, it finally sees release today. There is no news about the Allo chat sister-app, sadly.
China

China Launches World's First Quantum Communications Satellite (theverge.com) 102

hackingbear quotes a report from The Verge: China's quantum network could soon span two continents, thanks to a satellite launched earlier today. Launched at 1:40pm ET, the Quantum Science Satellite is designed to distribute quantum-encrypted keys between relay stations in China and Europe. When working as planned, the result could enable unprecedented levels of security between parties on different continents. China's new satellite would put that same fiber-based quantum communication system to work over the air, utilizing high-speed coherent lasers to connect with base stations on two different continents. The experimental satellite's payload also includes controllers and emitters related to quantum entanglement. The satellite will be the first device of its kind if the quantum equipment works as planned. According to the Wall Street Journal, the project was first proposed to the European Space Agency in 2001 but was unable to gain funding.
Encryption

Serious Flaws In iMessage Crypto Allow For Message Decryption (onthewire.io) 43

Reader Trailrunner7 writes: New research from a team at Johns Hopkins University shows that there are serious problems with the way Apple implemented encryption on its iMessage system, leaving it open to retrospective decryption attacks that can reveal the contents of all of a victim's past iMessage texts. The iMessage system, like much of what Apple does, is opaque and its inner workings have not been made available to outsiders. One of the key things that is known about the system is that messages are encrypted from end to end and Apple has said that it does not have the ability to decrypt users' messages. The researchers at JHU, led by Matthew Green, a professor of computer science at the school, reverse engineered the iMessage protocol and discovered that Apple made some mistakes in its encryption implementation that could allow an attacker who has access to encrypted messages to decrypt them.The team discovered that Apple doesn't rotate encryption keys at regular intervals (most encryption protocols such as OTR and Signal do). This means that the same attack can be used on iMessage historical data, which is often backed up inside iCloud. Apple was notified of the issue as early as November 2015 and it rolled out a patch for the iMessage protocol in iOS 9.3 and OS X 10.11.4.
Security

EU Plans To Extend Some Telecom Rules To Web-Based Providers (reuters.com) 25

The European Union is planning to extend telecom rules covering security and confidentiality of communications to web services such as Microsoft's Skype and Facebook's WhatsApp which could restrict how they use encryption, reports Reuters. From the report: The rules currently only apply to telecoms providers such as Vodafone and Orange. According to an internal European Commission document seen by Reuters, the EU executive wants to extend some of the rules to web companies offering calls and messages over the Internet. Telecoms companies have long complained that web groups such as Alphabet Inc's Google, Microsoft and Facebook are more lightly regulated despite offering similar services and have called for the EU's telecoms-specific rules to be repealed. They have also said that companies such as Google and Facebook can make money from the use of customer data. Under the existing "ePrivacy Directive", telecoms operators have to protect users' communications and ensure the security of their networks and may not keep customers' location and traffic data.Reuters adds that the exact confidentiality obligations for web firms would still have to be defined.
Government

Can We Avoid Government Surveillance By Leaving The Grid? (counterpunch.org) 264

Slashdot reader Nicola Hahn writes: While reporters clamor about the hacking of the Democratic National Committee, NSA whistleblower James Bamford offers an important reminder: American intelligence has been actively breaching email servers in foreign countries like Mexico and Germany for years. According to Bamford documents leaked by former NSA specialist Ed Snowden show that the agency is intent on "tracking virtually everyone connected to the Internet." This includes American citizens. So it might not be surprising that another NSA whistleblower, William Binney, has suggested that certain elements within the American intelligence community may actually be responsible for the DNC hack.

This raises an interesting question: facing down an intelligence service that is in a class by itself, what can the average person do? One researcher responds to this question using an approach that borrows a [strategy] from the movie THX 1138: "The T-H-X account is six percent over budget. The case is to be terminated."

To avoid surveillance, the article suggests "get off the grid entirely... Find alternate channels of communication, places where the coveted home-field advantage doesn't exist... this is about making surveillance expensive." The article also suggests "old school" technologies, for example a quick wireless ad-hoc network in a crowded food court. Any thoughts?
Government

Under Fire, US Social Security Site Changes Security Policy Again (vortex.com) 37

Long-time Slashdot reader Lauren Weinstein writes: I'm told that Social Security Administration has now removed the mandatory cell phone access requirement that was strongly criticized... I appreciate that SSA has done the right thing in this case. Perhaps in the future they'll think these things through better ahead of time!
The web site now describes the "extra security" of two-factor cellphone authentication as entirely optional -- but security researcher Brian Krebs had also warned that the bigger risk was how easy it was to impersonate somebody else when creating an account online. He wrote Thursday that now "the SSA is mailing letters if you sign up online, but they don't take that opportunity to deliver a special code to securely complete the sign up. Go figure."
Government

America's NIST Seeks Public Comments on Cybersecurity and Cryptography (thehill.com) 55

An anonymous Slashdot reader writes: The National Institute of Standards and Technology has its own "Commission on Enhancing National Cybersecurity," and this week they issued a call for public comments on "current and future challenges" involving critical infrastructure cybersecurity, the concept of cybersecurity insurance, public awareness, and the internet of things (among other topics) for both the private and public sector.
Long-time Slashdot reader Presto Vivace quotes The Hill: it is specifically asking for projections on policies, economic incentives, emerging technologies, useful metrics and other current and potential solutions throughout the next decade... Comments will be due by 5 p.m. on September 9.
Internet services "have come under attack in recent years in the form of identity and intellectual property theft, deliberate and unintentional service disruption, and stolen data," writes NIST. "Steps must be taken to enhance existing efforts to increase the protection and resilience of the digital ecosystem, while maintaining a cyber environment that encourages efficiency, innovation, and economic prosperity."

Separately, NIST is also requesting comments on a new process to "solicit, evaluate, and standardize one or more quantum-resistant public-key cryptographic algorithms... If large-scale quantum computers are ever built, they will be able to break many of the public-key cryptosystems currently in use. This would seriously compromise the confidentiality and integrity of digital communications on the Internet and elsewhere... NIST plans to specify preliminary evaluation criteria for quantum-resistant public key cryptography standards."
Security

A New Wireless Hack Can Unlock Almost Every Volkswagen Sold Since 1995 (arstechnica.com) 115

Volkswagen isn't having the best of times. Tens of millions of vehicles sold by Volkswagen AG over the past 20 years are vulnerable to theft because keyless entry systems can be hacked using cheap technical devices, reports Wired (alternate source). Security experts of the University of Birmingham were able to clone VW remote keyless entry controls by eavesdropping nearby when drivers press their key fobs to open or lock up their cars. ArsTechnica reports: The first affects almost every car Volkswagen has sold since 1995, with only the latest Golf-based models in the clear. Led by Flavio Garcia at the University of Birmingham in the UK, the group of hackers reverse-engineered an undisclosed Volkswagen component to extract a cryptographic key value that is common to many of the company's vehicles. Alone, the value won't do anything, but when combined with the unique value encoded on an individual vehicle's remote key fob -- obtained with a little electronic eavesdropping, say -- you have a functional clone that will lock or unlock that car. VW has apparently acknowledged the vulnerability, and Greenberg (writer at Wired) notes that the company uses a number of different shared values, stored on different components. The second affects many more makes, "including Alfa Romeo, Citroen, Fiat, Ford, Mitsubishi, Nissan, Opel, and Peugeot," according to Greenberg. It exploits a much older cryptographic scheme used in key fobs called HiTag2. Again it requires some eavesdropping to capture a series of codes sent out by a remote key fob. Once a few codes had been gathered, they were able to crack the encryption scheme in under a minute.
Crime

France Says Fight Against Messaging Encryption Needs Worldwide Initiative (reuters.com) 446

An anonymous reader shares a Reuters report: Messaging encryption, widely used by Islamist extremists to plan attacks, needs to be fought at international level, French Interior Minister Bernard Cazeneuve said on Thursday, and he wants Germany to help him promote a global initiative. He meets his German counterpart, Thomas de Maiziere, on Aug. 23 in Paris and they will discuss a European initiative with a view to launching an international action plan, Cazeneuve said. French intelligence services are struggling to intercept messages from Islamist extremists who increasingly switch from mainstream social media to encrypted messaging services, with Islamic State being a big user of such apps, including Telegram. "Many messages relating to the execution of terror attacks are sent using encryption; it is a central issue in the fight against terrorism," Cazeneuve told reporters after a government meeting on security. "France will make proposals. I have sent a number of them to my Germany colleague," he said.
Microsoft

Researchers Crack Microsoft Feature, Say Encryption Backdoors Similarly Crackable (thehill.com) 86

An anonymous reader writes: Researchers who uncovered a security key that protects Windows devices as they boot up say their discovery is proof that encryption backdoors do not work. The pair of researchers, credited by their hacker nicknames MY123 and Slipstream, found the cryptographic key protecting a feature called Secure Boot. They believe the discovery highlights a problem with requests law enforcement officials have made for technology companies to provide police with some form of access to otherwise virtually unbreakable encryption that might be used by criminals. "Microsoft implemented a 'secure golden key' system. And the golden keys got released from [Microsoft's] own stupidity," wrote the researchers in their report, in a section addressed by name to the FBI.
Security

Aggressive Hackers Are Targeting Rio's Olympics (fastcompany.com) 71

The Daily Dot is warning about fake wi-fi hubs around Rio, but also networks which decrypt SSL traffic. And Slashdot reader tedlistens writes: Steven Melendez at Fast Company reports on the cybercrime threat in Rio, and details a number of specific threats, from ATMs to promotional USB sticks to DDoS attacks [on the networks used by Olympic officials]... "Last week, a reporter for a North Carolina newspaper reported that his card was hacked immediately after using it at the gift shop at the IOC press center. And on Friday, two McClatchy reporters in Rio said their cards had been hacked and cloned soon after arrival."
Even home viewers will be targeted with "fraudulent emails and social media posts" with links to video clips, games, and apps with malware, as well as counterfeit ticket offers -- but the threats are worse if you're actually in Rio. "In an analysis last month of over 4,500 unique wireless access points around Rio, Kaspersky found that about a quarter of them are vulnerable or insecure, protected with an obsolete encryption algorithm or with no encryption at all."
Security

Microsoft Researchers Reveal Remote Encryption-Bypassing 'Evil Butler' Exploit (softpedia.com) 29

A security researcher demonstrated a way to bypass the full disk encryption in Windows BitLocker last November -- but that attack required physical access. Inserting the PC into a network with a counterfeit domain controller with incorrect time settings "allowed the attacker to poison the credentials cache and set a new password on the targeted device." An anonymous Slashdot reader writes: Microsoft fixed this vulnerability, and then fixed it again when two researchers pointed out in February 2016 that the fix was incomplete. At this year's Black Hat security conference, two Microsoft researchers have discovered a way to carry out the Evil Maid attack from a remote location, even over the Internet.

The two researchers say that an attacker can compromise a PC, configure it to work as a rogue domain controller, and then use Remote Desktop Protocol to access computers (that have open RDP connections) on the same network and carry out the attack from a distance. This particular attack, nicknamed a Remote Evil Butler, can be extremely attractive and valuable for cyber-espionage groups.

The article points out that Microsoft's February fix prevents this exploit, adding "The reason the two Microsoft researchers disclosed this variation of the original attack is to make companies understand the need to keep their systems up to date at all times."
Crime

32 States Offer Online Voting, But Experts Warn It Isn't Secure (bostonglobe.com) 182

Long-time Slashdot reader Geoffrey.landis writes: According to the Washington Post, 32 states have implemented some form of online voting for the 2016 U.S. presidential election -- even though multiple experts warn that internet voting is not secure. In many cases, the online voting options are for absentee ballots, overseas citizens or military members deployed overseas. According to Verified Voting, "voted ballots sent via Internet simply cannot be made secure and make easy and inviting targets for attackers ranging from lone hackers to foreign governments seeking to undermine US elections."
And yet 39% of this year's likely voters said they'd choose to vote online if given the option, according a new article in the Boston Globe, noting that "All 50 states and D.C. send ballots to overseas voters electronically," with Alabama even allowing them to actually cast their ballots through a special web site. "Security is exponentially increased over any other kind of voting because each ballot, as well as the electronic ballot box, has military-grade encryption," argues the founder of the software company that assures the site's security. "She also claims that Web voting is more accurate," reports the Boston Globe. "No more hanging chads or marks on a paper ballot that may be difficult to interpret. Web systems can also save money and can be upgraded or reconfigured as laws change..."
Privacy

GhostMail Closes in September, Leaves Users Searching For Secure Email Alternatives (zdnet.com) 158

On September 1, "GhostMail will no longer provide secure email services unless you are an enterprise client," reports ZDNet. "According to the company, it is 'simply not worth the risk.'" GhostMail provided a free and anonymous "military encrypted" e-mail service based in Switzerland, and collected "as little metadata" as possible. But this week on its home page, GhostMail told its users "Since we started our project, the world has changed for the worse and we do not want to take the risk of supplying our extremely secure service to the wrong people... In general, we believe strongly in the right to privacy, but we have taken a strategic decision to only supply our platform and services to the enterprise segment."

GhostMail is referring their users to other free services like Protonmail as an alternative, but an anonymous Slashdot reader asks: What options does an average person have for non-NSA-spied-on email? I am sure there are still some Ghostmail competitors out there but I'm wondering if it's better to coax friends and family to use encryption within their given client (Gmail, Yahoo, Outlook, whatever...) And are there any options for hosting a "private" email service: inviting friends and family to use it and have it kind of hosted locally. Ghostmail-in-a-box or some such?
Cloud

Google Cloud Now Allows Customer-Generated Encryption (thestack.com) 19

An anonymous Slashdot reader quotes The Stack: The Google cloud platform, Google Compute Engine, now allows customers to create their own encryption keys as an alternative to the Google-provided default encryption. Google Compute Engine automatically encrypts all data at rest, managing customer data encryption as a part of the Compute Engine service. However, some customers prefer to manage and control cloud encryption internally, to further tighten data security.

Google has released a comprehensive set of instructions for a customer to create their own encryption key. The Customer-Supplied Encryption Key (CSEK) is then used to protect the Google-generated keys that are used automatically for data encryption. The CSEK is an additional layer of protection for data stored in the cloud. Using an internally-generated encryption key also allows customers to control data encryption without using third-party providers, whose services are available at an additional cost.

United Kingdom

BBC To Deploy Detection Vans To Snoop On Internet Users (telegraph.co.uk) 212

product_bucket writes: The BBC has been given permission to use a new technology to detect users of the iPlayer who do not hold a TV license. Researchers at University College London have apparently developed a method to identify specially crafted "packets" of data over an encrypted Wi-Fi link without needing to break the underlying encryption itself. TV Licensing (the fee-collecting arm of the BBC) has said the practice is under regular scrutiny by independent regulators, but declined to elaborate on how the technique works. Dr Miguel Rio, a computer network expert who helped to oversee the doctoral thesis, said: "They actually don't need to decrypt traffic, because they can already see the packets. They have control over the iPlayer, so they can ensure that it sends packets at a specific size, and match them up. They could also use directional antennae to ensure they are viewing the Wi-Fi operating within your property." The BBC has been given such authority through the Regulation of Investigatory Powers Act.

Slashdot Top Deals