Network

Tor To Use Distributed RNG To Generate Truly Random Numbers (softpedia.com)

An anonymous reader quotes a report from Softpedia: Tor developers have been working on the next iteration of the Tor network and its underbelly, the Onion routing protocol, in order to create a stronger, harder-to-crack anonymous communications system. To advance the project, the developer team schedules brainstorming and planning meetings at regular intervals. The most recent of these meetings took place last week, in Montreal, Canada. In this session, the team tested the next generation of the Tor network working on top of a revamped Onion protocol that uses a new algorithm for generating random numbers, never before seen on the Internet. The Tor Project says it created something it calls "a distributed RNG" (random number generator) that uses two or more computers to create random numbers and then blends their outputs together into a new random number. The end result is something that's almost impossible to crack without knowing which computers from a network contributed to the final random number, and what entropy each one used. Last week, two University of Texas academics made a breakthrough in random number generation. The work is theoretical, but could lead to a number of advances in cryptography, scientific polling, and the study of various complex environments such as the climate.
AI

Researchers Teaching Robots To Feel and React To Pain (ieee.org)

An anonymous reader writes: Researchers from Leibniz University of Hannover in Germany are developing what they call an "artificial robot nervous system" that would allow robots to "feel" pain and react accordingly so they can avoid potential damage to their components. According to IEEE, the system uses a "nervous robot-tissue model that is inspired by the human skin structure" to measure different pain levels and move the robot in a way that prevents damaging interactions. [The model transmits pain information in repetitive spikes if the force exceeds a certain threshold, and the pain controller reacts after classifying the information into light, moderate, or severe pain.] Johannes Kuehn, one of the researchers, argues that in addition to avoiding potential damage to their components, robots will be protecting humans as well, since a growing number of them will be operating in close proximity to human workers. Kuehn, who worked on the project with Professor Sami Haddadin, reasoned that if our biological mechanisms to sense and respond to pain are so effective, why not devise a bio-inspired robot controller that mimics those mechanisms?
Piracy

The Pirate Bay Sails Back To Its .ORG Domain (cnet.com)

An anonymous reader writes: Following a report that the Swedish Court would seize the domain names 'ThePirateBay.se' and 'PirateBay.se,' The Pirate Bay is now sailing back to where it started in 2003, ThePirateBay.org. CNET reports: "The site is currently redirecting all traffic from the above two domains back to its .org home." In 2012, The Pirate Bay moved to the .se domain. It then moved to more secure domains, such as .sx and .ac, eventually returning to .se in 2015. Every alternative domain the site was using has been seized. Since the registry that manages the top-level .org domains is based in Virginia, it's likely we'll see some legal action from the U.S. in response to the move. Meanwhile, Pirate Bay co-founder Fredrik Neij plans to appeal the Swedish court's decision to seize the .se domains.
Open Source

CentOS Linux 6.8 Released (softpedia.com)

An anonymous reader writes: The CentOS team is pleased to announce the immediate availability of CentOS Linux 6.8 and install media for i386 and x86_64 architectures. Release Notes for 6.8 are available here. Softpedia writes: "CentOS Linux 6.8 arrives today with major changes, among which we can mention the latest Linux 2.6.32 kernel release from upstream with support for storing up to 300TB of data on XFS filesystems. The VPN endpoint solution implemented in the NetworkManager network connection manager utility is now provided on the libreswan library instead of the Openswan IPsec implementation used in previous releases of the OS, and it looks like the SSLv2 protocol has been disabled by default for the SSSD (System Security Services Daemon), which also comes with support for smart cards now." In addition, the new release comes with updated applications, including the LibreOffice 4.3.7 office suite and the Squid 3.4 caching and forwarding web proxy, and many packages now support the Transport Layer Security (TLS) 1.2 protocol, including Git, YUM, Postfix, OpenLDAP, stunnel, and vsftpd. The dmidecode open-source tool now supports SMBIOS 3.0.0, you can now pull kickstart files from HTTPS (Secure HTTP) sources, the ntpd (Network Time Protocol daemon) package has chrony as an alternative, SSLv3 has been disabled by default, and there's improved support for Hyper-V.
Democrats

State Dept. IT Staff Told To Keep Quiet About Clinton's Server (computerworld.com)

dcblogs writes this report from Computerworld: Former U.S. Secretary of State Hillary Clinton's decision to use a private email server ran afoul of the government's IT security and record retention requirements, according to a report by the department's inspector general released today. This use of a private email server did not go unnoticed within the Department of State's IT department. Two IT staff members who raised concerns about Clinton's use of a private server were told not to speak of it. Clinton was secretary of state from 2009 to 2013 and during that period she used a private email server in her New York home. This report by the Department of State's Inspector General about Clinton's use of a private server makes clear that rules and regulations were not followed. It says that Clinton would not have received approval for this server had she sought it. According to the current CIO, the report said, "Secretary Clinton had an obligation to discuss using her personal email account to conduct official business with their offices, who in turn would have attempted to provide her with approved and secured means that met her business needs." However, the report notes, according to these officials, The Bureau of Diplomatic Security and IRM (Bureau of Information Resource Management) "did not -- and would not -- approve her exclusive reliance on a personal email account to conduct Department business, because of the restrictions in the FAM [Foreign Affairs Manual] and the security risks in doing so."
Android

Google Steps Up Pressure on Partners Tardy in Updating Android (bloomberg.com)

Google is actively tracking the time its partner OEMs take to release a new version of Android onto their devices. According to a Bloomberg report, the company is drawing up rankings that could shame some phone makers into better behavior. From the report: Google shared this list with Android partners earlier this year. It has discussed making it public to highlight proactive manufacturers and shame tardy vendors through omission from the list, two of the people said. [...] Google is making progress persuading phone makers and carriers to install security updates quicker "for the good of users," Android chief Hiroshi Lockheimer said. The same expedited process may then be used to send operating system updates to phones, he explained. The most challenging discussions are with carriers, which can be slow to approve updates because they test them thoroughly to avoid network disruption. The report adds that several OEMs are also stepping up their game to better comply with Google's new wishes. Motorola, for instance, is working on offering quarterly updates to its three-year-old devices.

For users with non-Nexus devices, it's really frustrating to wait for months, and in some cases, years, before their devices from Samsung, Xiaomi, Huawei, HTC and other manufacturers get upgraded to a newer version of Android. Another challenge for Google is to push its partners to actively release updates to affordable and mid-range smartphones. Many OEMs mostly worry about serving those users who have the flagship and high-end models.
Security

Genius' Web Annotations Undermined Web Security (theverge.com)

New reader BradyDale shares an article on the Verge: Until early May, when The Verge confidentially disclosed the results of my independent security tests, the "web annotator" service provided by the tech startup Genius had been routinely undermining a web browser security mechanism. The web annotator is a tool which essentially republishes web pages in order to let Genius users leave comments on specific passages. In the process of republishing, those annotated pages would be stripped of an optional security feature called the Content Security Policy, which was sometimes provided by the original version of the page. This meant that anyone who viewed a page with annotations enabled was potentially vulnerable to security exploits that would have been blocked by the original site. Though no specific victims have been identified, the potential scope of this bug was broad: it was applied to all Genius users, undermined any site with a Content Security Policy, and re-enabled all blocked JavaScript code. Vijith Assar dives deep into how Genius did this: The primary way Genius annotations are accessed on the web is by adding "genius.it" in front of any URL as a prefix. The genius.it server reads the original content behind the scenes, adds the annotations, and delivers the hybrid content. The Genius version of the page includes a few extra scripts and highlighted passages, but until recently it also eliminated the original page's Content Security Policy. The Content Security Policy is an optional set of instructions encoded in the header of the HTTP connection which tells browsers exactly which sites and servers should be considered safe -- any code which isn't from one of those sites can then be ignored.
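What the stripped header was doing, as an added example that is neither Genius's code nor the article's: a toy model of how a browser applies a Content-Security-Policy response header to scripts, beside the two things a republishing proxy can do with that header. Source matching is simplified (no wildcards, paths, nonces or hashes), and the policy and URLs are constructed for illustration.

```javascript
// Added example, not Genius's code: a toy model of how a browser applies a
// Content-Security-Policy response header to scripts, and of what a
// republishing proxy does to that protection when it drops the header.
// Source matching is simplified: no wildcards, paths, nonces or hashes.

// Parse "directive source source; directive source" into {directive: [sources]}.
// Per the CSP spec, a repeated directive is ignored after its first occurrence.
function parseCsp(header) {
  const policy = {};
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!(name in policy)) policy[name] = tokens.slice(1).map((s) => s.toLowerCase());
  }
  return policy;
}

// Would the browser run this script? `policy` is the parsed header, or null when
// the response carried none; `pageOrigin` is the origin the policy arrived on;
// `scriptUrl` is an absolute URL, or null for an inline <script> block.
function scriptAllowed(policy, pageOrigin, scriptUrl) {
  if (policy === null) return true;                          // no header: everything runs
  const sources = policy['script-src'] || policy['default-src'];
  if (!sources) return true;                                 // no governing directive
  if (sources.includes("'none'")) return false;
  if (scriptUrl === null) return sources.includes("'unsafe-inline'");
  const url = new URL(scriptUrl);
  for (const src of sources) {
    if (src === "'self'" && url.origin === pageOrigin) return true;
    if (/^[a-z][a-z0-9+.-]*:$/.test(src) && src === url.protocol) return true;  // scheme source
    if (!src.startsWith("'") && src === url.origin) return true;                // host source
  }
  return false;
}

// Headers a republishing proxy forwards to its own client. With stripCsp true
// (what the annotator did) the page still renders, but every script the
// origin had blocked is now allowed.
function proxyResponseHeaders(upstreamHeaders, stripCsp) {
  const out = {};
  for (const [name, value] of Object.entries(upstreamHeaders)) {
    if (stripCsp && name.toLowerCase() === 'content-security-policy') continue;
    out[name] = value;
  }
  return out;
}

// Parsed policy for a header map, or null if it carries no CSP.
function policyFromHeaders(headers) {
  for (const [name, value] of Object.entries(headers)) {
    if (name.toLowerCase() === 'content-security-policy') return parseCsp(value);
  }
  return null;
}
```

The point of `proxyResponseHeaders(..., true)` is that nothing breaks visibly: the page renders, the annotator's own scripts run, and only the origin's restriction has disappeared. Forwarding the header unchanged is not a complete fix either, because `'self'` in the forwarded copy now refers to the proxy's origin rather than the original site's; a republisher that needs its own scripts to run has to append its script origin to `script-src` rather than delete the header.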
Facebook

Facebook Could Be Eavesdropping On Your Phone Calls (news10.com)

An anonymous reader writes: Facebook is not just looking at users' personal information, interests, and online habits but also listening to your private conversations, a new report reveals. According to an NBC report, this may be the case, as Kelli Burns, a professor at the University of South Florida, states: "I don't think that people realize how much Facebook is tracking every move we're making online. Anything that you're doing on your phone, Facebook is watching." Now how do you prove that? Burns tested her theory by enabling the microphone feature and talking about her desire to go on a safari, mentioning the mode of transport she would take. "I'm really interested in going on an African safari. I think it'd be wonderful to ride in one of those jeeps," she said aloud, phone in hand. The results were shocking: less than 60 seconds later, the first post on her Facebook feed was a safari story, seemingly out of nowhere, though it was then revealed that the story had been posted three hours earlier. And, after she mentioned a jeep, a car ad also appeared on her page. On a support page, Facebook explains how this feature works: "No, we don't record your conversations. If you choose to turn on this feature, we'll only use your microphone to identify the things you're listening to or watching based on the music and TV matches we're able to identify. If this feature is turned on, it's only active when you're writing a status update." I wonder how many people are actually aware of this.
Microsoft

Microsoft Is Laying Off 1,850 to Streamline Its Smartphone Business (theverge.com)

Microsoft is making more changes to its smartphone business. The company, which sold its feature phone business last week, on Wednesday announced that it is scaling back hardware, laying off 1,850 staff and taking a charge of $950 million, including $200 million in severance payments, Windows and Devices chief Terry Myerson said in a memo to all employees. The company insists that "great new devices" are in the works. From Myerson's memo: Last week we announced the sale of our feature phone business. Today I want to share that we are taking the additional step of streamlining our smartphone hardware business, and we anticipate this will impact up to 1,850 jobs worldwide, up to 1,350 of which are in Finland. These changes are incredibly difficult because of the impact on good people who have contributed greatly to Microsoft. Speaking on behalf of Satya and the entire Senior Leadership Team, we are committed to help each individual impacted with our support, resources, and respect. For context, Windows 10 recently crossed 300 million monthly active devices, our Surface and Xbox customer satisfaction is at record levels, and HoloLens enthusiasts are developing incredible new experiences. Yet our phone success has been limited to companies valuing our commitment to security, manageability, and Continuum, and with consumers who value the same. Thus, we need to be more focused in our phone hardware efforts.
Government

TSA Replaces Security Chief As Tension Grows At Airports

HughPickens.com writes: Ron Nixon reports at the NYT that, facing a backlash over long security lines and management problems, TSA administrator Peter V. Neffenger has shaken up his leadership team, replacing the agency's top security official, Kelly Hoggan (Warning: source may be paywalled), and adding a new group of administrators at Chicago O'Hare International Airport. Beginning late that year, Hoggan received $90,000 in bonuses over a 13-month period, even though a leaked report from the Department of Homeland Security showed that auditors were able to get fake weapons and explosives past security screeners 95 percent of the time in 70 covert tests. Hoggan's bonus was paid out in $10,000 increments, an arrangement that members of Congress have said was intended to disguise the payments. During a hearing of the House Oversight Committee two weeks ago, lawmakers grilled Mr. Neffenger about the bonus, which was issued before he joined the agency in July. Last week and over the weekend, hundreds of passengers, including 450 on American Airlines alone, missed flights because of waits of two or three hours in security lines, according to local news reports. Many of the passengers had to spend the night in the terminal sleeping on cots. The TSA has sent 58 additional security officers and four more bomb-sniffing dog teams to O'Hare. Several current and former TSA employees said the moves to replace Hoggan and add the new officials in Chicago, where passengers have endured hours-long waits at security checkpoints, were insufficient. "The timing of this decision is too late to make a real difference for the summer," says Andrew Rhoades, an assistant federal security director at Minneapolis-St. Paul International Airport, who testified that his supervisor accused him of "going native" after he attended a meeting at a local mosque, and that TSA's alleged practice of "directed reassignments," or unwanted job transfers, was intended to punish employees who speak their minds. "Neffenger is only doing this because the media and Congress are making him look bad."
Java

Pastejacking Attack Appends Malicious Terminal Commands To Your Clipboard (softpedia.com)

An anonymous reader writes: "It has been possible for a long time for developers to use CSS to append malicious content to the clipboard without a user noticing and thus fool them into executing unwanted terminal commands," writes Softpedia. "This type of attack is known as clipboard hijacking, and in most scenarios, is useless, except when the user copies something inside their terminal." Security researcher Dylan Ayrey published a new version of this attack last week, which uses only JavaScript as the attack medium, giving the attack more versatility and making it easier to carry out. The attack is called Pastejacking and it uses JavaScript to theoretically allow attackers to add their malicious code to the entire page to run commands behind a user's back when they paste anything inside the console. "The attack can be deadly if combined with tech support or phishing emails," writes Softpedia. "Users might think they're copying innocent text into their console, but in fact, they're running the crook's exploit for them."
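The mechanism described above, as an added example that is not Dylan Ayrey's proof of concept: the copy-event side of a pastejacking page, and the check a user or a paste wrapper can apply before the text reaches a shell. The injected command is a harmless stand-in, and the fake event object at the bottom exists only so the handler can be exercised outside a browser.

```javascript
// Added example, not Dylan Ayrey's proof of concept: the copy-event side of
// a pastejacking page, and a check to apply before pasting into a shell.
// The injected command is a harmless stand-in.

// What the page visibly offers the user to copy.
const visibleCommand = 'echo "hello"';

// What is actually placed on the clipboard: the visible line, a newline that
// makes a shell execute it immediately on paste, then the attacker's own line.
function pastejackPayload(visible, injected) {
  return `${visible}\n${injected}\n`;
}

// Copy-event handler: overwrite the clipboard with the payload and cancel the
// default action so the browser does not replace it with the real selection.
function onCopy(event) {
  event.clipboardData.setData('text/plain', pastejackPayload(visibleCommand, 'echo pastejacked'));
  event.preventDefault();
}
if (typeof document !== 'undefined') document.addEventListener('copy', onCopy);

// Defensive check for the other side: given what is really on the clipboard and
// what the user believes they copied, flag any line break (a trailing one alone
// is enough to execute the visible command on paste) or any difference from
// the expected text.
function looksPastejacked(clipboardText, expectedText) {
  const hasLineBreak = /[\r\n]/.test(clipboardText);
  const differs = clipboardText.trim() !== expectedText.trim();
  return hasLineBreak || differs;
}

// Minimal stand-in for a browser ClipboardEvent (constructed for this example)
// so the handler can be exercised without a DOM.
function fakeCopyEvent() {
  const store = {};
  return {
    defaultPrevented: false,
    clipboardData: {
      setData(type, text) { store[type] = text; },
      getData(type) { return store[type] || ''; },
    },
    preventDefault() { this.defaultPrevented = true; },
  };
}
```

In a browser, select the `echo` line on a page that includes this script, copy it, and paste into a text editor: the second line appears. Bracketed-paste mode (on by default in zsh since 5.1, and available to bash through readline's `enable-bracketed-paste` setting) makes the shell insert the whole paste without executing it, so the extra line is visible before Enter is pressed; it does not help a user who presses Enter without reading.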
Security

Elderly Use More Secure Passwords Than Millennials, Says Report (qz.com)

An anonymous reader writes from a report via Quartz: A report released May 24 by Gigya surveyed 4,000 adults in the U.S. and U.K. and found that 18- to 34-year-olds are more likely to use bad passwords and report their online accounts being compromised. The majority of respondents ages 51 to 69 say they completely steer away from easily cracked passwords like "password," "1234," or birthdays, while two-thirds of those in the 18-to-34 age bracket were caught using those kinds of terms. Quartz writes, "The diligence of the older group could help explain why 82% of respondents in this age range did not report having had any of their online accounts compromised in the past year. In contrast, 35% of respondents between 18 and 34 said at least one of their accounts was hacked within the last 12 months, twice the rate of those aged 51 to 69."
Security

Beware Of Keystroke Loggers Disguised As USB Phone Chargers, FBI Warns (arstechnica.com)

An anonymous reader cites an article on Ars Technica: FBI officials are warning private industry partners to be on the lookout for highly stealthy keystroke loggers that surreptitiously sniff passwords and other input typed into wireless keyboards. The FBI's Private Industry Notification (PDF) comes more than 15 months after whitehat hacker Samy Kamkar released KeySweeper, a proof-of-concept attack platform that covertly logged and decrypted keystrokes from many Microsoft-branded wireless keyboards and transmitted the data over cellular networks. To lower the chances that the sniffing device might be discovered by a target, Kamkar designed it to look almost identical to the USB phone chargers that are nearly ubiquitous in homes and offices. "If placed strategically in an office or other location where individuals might use wireless devices, a malicious cyber actor could potentially harvest personally identifiable information, intellectual property, trade secrets, passwords, or other sensitive information," FBI officials wrote in last month's advisory. "Since the data is intercepted prior to reaching the CPU, security managers may not have insight into how sensitive information is being stolen."
Microsoft

Windows 10 Upgrade Activates By Clicking Red X Close Button In Prompt Message (bbc.co.uk)

Reader Raging Bool writes: In a move guaranteed to annoy many people, Microsoft has "jumped the shark" on encouraging users to upgrade to Windows 10. Microsoft has faced criticism for changing the pop-up box encouraging Windows users to upgrade to Windows 10. Clicking the red cross in the right-hand corner of the pop-up box now activates the upgrade instead of closing the box. This has caused confusion, as typically clicking a red cross closes a pop-up notification. The upgrade could still be cancelled when the scheduled time for it to begin arrived, Microsoft said. The change occurred because the update is now labelled "recommended," and many people have their PCs configured to accept recommended updates for security reasons. This means dismissing the box does not dismiss the update. Brad Chacos, senior editor at PC World, wrote about this incident over the weekend and described it as a "nasty trick".
Government

FBI Wants Biometric Database Hidden From Privacy Act (onthewire.io)

Trailrunner7 quotes a report from onthewire.io: The FBI is working to keep information contained in a key biometric database private and unavailable, even to people whose information is contained in the records. The database is known as the Next Generation Identification System (NGIS), and it is an amalgamation of biometric records accumulated from people who have been through one of a number of biometric collection processes. That could include convicted criminals, anyone who has submitted records to employers, and many other people. The NGIS also has information from agencies outside of the FBI, including foreign law enforcement agencies and governments. Because of the nature of the records, the FBI is asking the federal government to exempt the database from the Privacy Act, making the records inaccessible through information requests. From the report: "The bureau says in a proposal to exempt the database from disclosure that the NGIS should be exempt from the Privacy Act for a number of reasons, including the possibility that providing access 'could compromise sensitive law enforcement information, disclose information which would constitute an unwarranted invasion of another's personal privacy; reveal a sensitive investigative technique; could provide information that would allow a subject to avoid detection or apprehension; or constitute a potential danger to the health or safety of law enforcement personnel, confidential sources, and witnesses.'" RT released a similar report on the matter.
Government

How the Pentagon Punished NSA Whistleblowers (theguardian.com)

Ten years before Edward Snowden's leak, an earlier whistle-blower on NSA spying "was fired, arrested at dawn by gun-wielding FBI agents, stripped of his security clearance, charged with crimes that could have sent him to prison for the rest of his life, and all but ruined financially and professionally," according to a new article in The Guardian. "The only job he could find afterwards was working in an Apple store in suburban Washington, where he remains today... The supreme irony? In their zeal to punish Drake, these Pentagon officials unwittingly taught Snowden how to evade their clutches when the 29-year-old NSA contract employee blew the whistle himself."

But today The Guardian reveals a new story about John Crane, a senior official at the Department of Defense "who fought to provide fair treatment for whistleblowers such as Thomas Drake -- until Crane himself was forced out of his job and became a whistleblower as well..." Crane told me how senior Defense Department officials repeatedly broke the law to persecute whistleblower Thomas Drake. First, he alleged, they revealed Drake's identity to the Justice Department; then they withheld (and perhaps destroyed) evidence after Drake was indicted; finally, they lied about all this to a federal judge...

Crane's failed battle to protect earlier whistleblowers should now make it very clear that Snowden had good reasons to go public with his revelations... if [Crane's] allegations are confirmed in court, they could put current and former senior Pentagon officials in jail. (Official investigations are quietly under way.)

Meanwhile, George Maschke writes: In a presentation to a group of Texas law students, a polygraph examiner for the U.S. Department of Defense revealed that in the aftermath of Edward Snowden's revelations, the number of polygraphs conducted annually by the department tripled (to over 120,000). Morris also conceded that mental countermeasures to the polygraph are a "tough thing."
Government

Student Exposes Bad Police Encryption, Gets Suspended Sentence (podcrto.si)

An anonymous reader shares a story about Dejan Ornig, a security analyst in Slovenia who warned the Slovenian police department about vulnerabilities in their supposedly secure communication system, TETRA, in 2013. (Here's Google's English translation of the article, and the Slovenian original.) He discovered that the system, which was supposed to provide encrypted communication, was incorrectly configured. As a result, a lot of communication could be intercepted with a $25 piece of equipment and some software. To make matters worse, the system is not used just by the police, but also by the military, military police, IRS, Department of Corrections and a few other governmental institutions which rely on secure communications.

After waiting more than two years for a reaction from the police or the Ministry of the Interior, and getting in touch with security researchers at the prestigious Jozef Stefan Institute, he eventually decided to go public with his story... The police and Ministry of the Interior then launched an internal investigation, which confirmed Ornig's findings and revealed internal communications problems between the departments... Ornig has been subject to a house search by the police, during which his computers and the equipment he used to listen in on the system were seized. Police also found a "counterfeit police badge" during the investigation. All along, Ornig was offering his help with securing the system.

On May 11th Ornig received a 15-month prison sentence, suspended for three years, provided that he doesn't repeat any of the offenses for which he was found guilty (illegal access to the communications system). He can appeal this judgment.

United States

Civil Liberties Expert Argues Snowden Was Wrong (usnews.com)

An anonymous reader writes that in 2014, Geoffrey Stone was given access to America's national security apparatus as a member of the President's Review Group on Intelligence and Communications Technologies. Last week Stone, a staunch civil liberties supporter, moderated a live discussion with Edward Snowden from Russia, and this week he actually praised the NSA in a follow-up interview: "The more I worked with the NSA, the more respect I had for them as far as staying within the bounds of what they were authorized to do. And they were careful and had a high degree of integrity... I came to the view that [the programs] were well intentioned, that they were designed in fact to collect information for the purpose of ferreting out potential terrorist plots both in the U.S. and around the world and that was their design and purpose...

"I don't doubt that Snowden was courageous and did what he did for what he thought were good reasons. But I think he was unduly arrogant, didn't understand the limitations of his own knowledge and basically decided to usurp the authority of a democracy."

Meanwhile, a new documentary about Julian Assange opened at the Cannes film festival this week, revisiting how Wikileaks warned Apple that iTunes could be used as a backdoor for spies to infiltrate computers and phones.
Media

TV Journalists Try Buying AK-47 On Dark Web, Fail (deepdotweb.com)

An anonymous reader writes: "It was supposed to be a great story about terrorism, uncertainty and the evils of the DarkNet," writes Deep Dot Web, describing an investigative report titled "Fear of Terror -- How Endangered is Germany?" After interviewing security experts, federal investigators, and a survivor of the Paris terrorist attack, a TV news crew in Germany attempted to buy an AK-47 on the dark web -- only to be scammed out of $800. "If he had done a little research he could have known that most weapon dealers on the DarkNet are actually scams," the article points out, adding that German customs officers say they would have intercepted any AK-47 had a delivery been attempted.
Motherboard reported in November that the high number of scams -- some of which are undercover agents -- prompted several dark web markets to stop offering guns altogether, though they suggest the German news crew was trying to recreate the purchases of "disabled" weapons which were then converted back into their original form.
Microsoft

Terrorists No Longer Welcome On OneDrive, Outlook, Xbox Live (betanews.com)

Microsoft has updated its anti-terrorism policies. In a blog post, the Redmond, Washington-based company said that it would remove "terrorist content" from a fleet of its services including OneDrive, Outlook and Xbox Live, reports BetaNews. For its search engine Bing, however, Microsoft says that it would only remove links when it is required by local law, citing free expression for all. The company adds that it would fund research for a tool that could help it better scan such content and flag images, audio and video. From the company's blog post: There is no universally accepted definition of terrorist content. For purposes of our services, we will consider terrorist content to be material posted by or in support of organizations included on the Consolidated United Nations Security Council Sanctions List that depicts graphic violence, encourages violent action, endorses a terrorist organization or its acts, or encourages people to join such groups. The UN Sanctions List includes a list of groups that the UN Security Council considers to be terrorist organizations.
