Encryption

NSA Worried About Recruitment, Post-Snowden 225

Posted by Soulskill
from the should-have-thought-of-that-before-being-jerks dept.
An anonymous reader writes: The NSA employs tens of thousands of people, and they're constantly recruiting more. They're looking for 1,600 new workers this year alone. Now that their reputation has taken a major hit with the revelations of whistleblower Edward Snowden, they aren't sure they'll be able to meet that goal. Not only that, but the NSA has to compete with other companies, and the Snowden leaks made many of them more competitive: "Ever since the Snowden leaks, cybersecurity has been hot in Silicon Valley. In part that's because the industry no longer trusts the government as much as it once did. Companies want to develop their own security, and they're willing to pay top dollar to get the same people the NSA is trying to recruit." If academia's relationship with the NSA continues to cool, the agency could find itself struggling within a few years.
Firefox

Firefox 37 Released 150

Posted by Soulskill
from the onward-and-upward dept.
Today Mozilla began rolling out Firefox version 37.0 to release channel users. This update mostly focuses on behind-the-scenes changes. Security improvements include opportunistic encryption where servers support it and improved protection against site impersonation. They also disabled insecure TLS version fallback and added a security panel within the developer tools. One of the things end users will see is the Heartbeat feedback collection system. It will pop up a small rating widget to a random selection of users every day. After a user rates Firefox, an "engagement" page may open in the background, with links to social media pages and a donation page. Here are the release notes and full changelist.
United Kingdom

Europol Chief Warns About Computer Encryption 161

Posted by samzenpus
from the I-can't-read-this dept.
An anonymous reader writes The law enforcement lobbying campaign against encryption continues. Today it's Europol director Rob Wainwright, who is trying to make a case against encryption. "It's become perhaps the biggest problem for the police and the security service authorities in dealing with the threats from terrorism," he explained. "It's changed the very nature of counter-terrorist work from one that has been traditionally reliant on having good monitoring capability of communications to one that essentially doesn't provide that anymore." This is the same man who told the European Parliament that Europol is not going to investigate the alleged NSA hacking of the SWIFT (international bank transfer) system. The excuse he gave was not that Europol didn't know about it, because it did. Very much so. It was that there had been no formal complaint from any member state.
Encryption

Generate Memorizable Passphrases That Even the NSA Can't Guess 263

Posted by timothy
from the exercise-for-the-reader dept.
HughPickens.com writes Micah Lee writes at The Intercept that coming up with a good passphrase by just thinking of one is incredibly hard, and if your adversary really is capable of one trillion guesses per second, you'll probably do a bad job of it. It turns out humans are a species of patterns, and they are incapable of doing anything in a truly random fashion. But there is a method for generating passphrases that are both impossible for even the most powerful attackers to guess, yet very possible for humans to memorize. First, grab a copy of the Diceware word list, which contains 7,776 English words — 37 pages for those of you printing at home. You'll notice that next to each word is a five-digit number, with each digit being between 1 and 6. Now grab some six-sided dice (yes, actual real physical dice), and roll them several times, writing down the numbers that you get. You'll need a total of five dice rolls to come up with each word in your passphrase. Using Diceware, you end up with passphrases that look like "cap liz donna demon self", "bang vivo thread duct knob train", and "brig alert rope welsh foss rang orb". If you want a stronger passphrase you can use more words; if a weaker passphrase is ok for your purpose you can use fewer words. If you choose two words for your passphrase, there are 60,466,176 different potential passphrases. A five-word passphrase would be cracked in just under six months and a six-word passphrase would take 3,505 years, on average, at a trillion guesses a second.

After you've generated your passphrase, the next step is to commit it to memory. You should write your new passphrase down on a piece of paper and carry it with you for as long as you need. Each time you need to type it, try typing it from memory first, but look at the paper if you need to. Assuming you type it a couple times a day, it shouldn't take more than two or three days before you no longer need the paper, at which point you should destroy it. "Simple, random passphrases, in other words, are just as good at protecting the next whistleblowing spy as they are at securing your laptop," concludes Lee. "It's a shame that we live in a world where ordinary citizens need that level of protection, but as long as we do, the Diceware system makes it possible to get CIA-level protection without going through black ops training."
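The arithmetic behind those figures, plus the mapping from a five-dice roll to a line in the word list, as an added Python example (this is not code from the original post or from Lee's article). It assumes the standard 7,776-entry Diceware list sorted by roll number, 365-day years (which is what reproduces the "3,505 years" figure), and a one-trillion-guesses-per-second adversary; the `secrets`-based `roll_dice()` is an assumed software alternative for readers without physical dice.

```python
import math
import secrets

WORDS_PER_LIST = 6 ** 5             # the Diceware list has 7,776 entries, one per 5-dice roll
GUESSES_PER_SECOND = 10 ** 12       # the adversary the article assumes: one trillion guesses/s
SECONDS_PER_YEAR = 365 * 24 * 3600  # assumption: 365-day years, which reproduces the article's figures


def roll_to_index(roll: str) -> int:
    """Map one five-digit Diceware roll, e.g. '21536', to a 0-based line in the word list.

    The list is sorted by roll number, so a roll is simply a five-digit base-6
    number whose digits run 1..6 instead of 0..5.  Anything else (a 0, a 7,
    fewer or more than five digits) is rejected rather than silently mapped.
    """
    if len(roll) != 5 or any(ch not in "123456" for ch in roll):
        raise ValueError(f"not a Diceware roll: {roll!r}")
    index = 0
    for ch in roll:
        index = index * 6 + (int(ch) - 1)
    return index


def roll_dice() -> str:
    """Software stand-in for five physical dice, drawn from the OS CSPRNG.

    The article recommends real dice; if you must do it in software, use
    `secrets` (never `random`, whose Mersenne Twister output is predictable).
    """
    return "".join(str(secrets.randbelow(6) + 1) for _ in range(5))


def passphrase_space(num_words: int) -> int:
    """Number of distinct passphrases of the given length: 7776 ** num_words."""
    return WORDS_PER_LIST ** num_words


def entropy_bits(num_words: int) -> float:
    """Entropy in bits: each word contributes log2(7776), about 12.9 bits."""
    return num_words * math.log2(WORDS_PER_LIST)


def average_crack_years(num_words: int, rate: int = GUESSES_PER_SECOND) -> float:
    """Expected time to guess the passphrase: on average half the space is searched."""
    return passphrase_space(num_words) / 2 / rate / SECONDS_PER_YEAR


def strength_table(max_words: int = 8) -> list:
    """(words, entropy bits, average years to crack) for 1..max_words words."""
    return [(n, entropy_bits(n), average_crack_years(n)) for n in range(1, max_words + 1)]


if __name__ == "__main__":
    # Constructed sample: the five rolls a user might write down for a 5-word passphrase.
    sample_rolls = ["11111", "21536", "45263", "63112", "66666"]
    print("word list line numbers:", [roll_to_index(r) for r in sample_rolls])
    print("fresh software roll:", roll_dice())
    for n, bits, years in strength_table():
        print(f"{n} words: {bits:5.1f} bits, {years:.3g} years on average at 1e12 guesses/s")
```

Running the table shows why the article lands on five or six words: two words give 7776² = 60,466,176 possibilities (about 25.8 bits), five words fall just under half a year on average at a trillion guesses per second, and six words pass 3,500 years. Each extra word adds the same 12.9 bits regardless of how the previous words came out, which is exactly what the dice guarantee and what a human "thinking of" words does not.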
Bug

'Bar Mitzvah Attack' Plagues SSL/TLS Encryption 23

Posted by timothy
from the process-not-product dept.
ancientribe writes Once again, SSL/TLS encryption is getting dogged by outdated and weak options that make it less secure. This time, it's the weak keys in the older RC4 crypto algorithm, which can be abused such that an attacker can sniff credentials or other data in an SSL session, according to a researcher who revealed the hack today at Black Hat Asia in Singapore. A slice: Bar Mitzvah exploits the weak keys used by RC4 and allows an attacker to recover plain text from the encrypted information, potentially exposing account credentials, credit card data, or other sensitive information. And unlike previous SSL hacks, this one doesn't require an active man-in-the-middle session, just passive sniffing or eavesdropping on SSL/TLS-encrypted connections, [researcher Itsik] Mantin says. But MITM could be used as well, though, for hijacking a session, he says.
Australia

Draconian Australian Research Law Hits Scientists 149

Posted by Soulskill
from the blunder-down-under dept.
An anonymous reader writes: The Australian government is pushing ahead with a draconian law placing "dual use" science (e.g. encryption, biotechnology) under the control of the Department of Defence. The Australian ACLU, Civil Liberties Australia, warns the law punishes scientists with $400,000 fines, 10 years in jail and forfeiture of their work, just for sending an "inappropriate" e-mail.

Scientists — including the academics union — warn the laws are unworkable despite attempted improvements, and will drive researchers offshore (paywalled: mirror here).
Government

NZ Customs Wants Power To Require Passwords 200

Posted by samzenpus
from the papers-please dept.
First time accepted submitter Orange Roughy writes New Zealand customs are seeking powers to obtain passwords and encryption keys for travelers. Supposedly they will only act to obtain credentials if it was acting on 'some intelligence or observation of abnormal behaviour.' People who refuse to hand over credentials could face up to three months jail time. From the story: "Customs boss Carolyn Tremain has told MPs the department would only request travellers hand over passwords to their electronic devices if it had a reason to be suspicious about what was on them. The department unleashed a furore last week when it said in a discussion paper that it should be given unrestricted power to force people to divulge passwords to their smartphones and computers at the border. That would be without Customs officials having to show they had any grounds for suspicion."
Encryption

OpenSSL Security Update Less Critical Than Expected, Still Recommended 64

Posted by timothy
from the man-nips-dog dept.
An anonymous reader writes As announced on Monday, the OpenSSL project team has released new versions of the cryptographic library that fix a number of security issues. The announcement created a panic within the security community, who were dreading the discovery of another Heartbleed-type bug, but as it turns out, the high severity issue fixed is a bug that can be exploited in a DoS attack against servers. Other issues fixed are mostly memory corruption and DoS flaws of moderate and low severity.
Security

White House Proposal Urges All Federal Websites To Adopt HTTPS 155

Posted by Soulskill
from the moving-at-the-speed-of-government dept.
blottsie writes: In an effort to close security gaps that have resulted in multiple security breaches of government servers, the Obama administration on Tuesday introduced a proposal to require all publicly accessible federal websites to use the HTTPS encryption standard. "The majority of federal websites use HTTP as the primary protocol to communicate over the public Internet," reads the proposal on the website of the U.S. Chief Information Officer. "Unencrypted HTTP connections create a privacy vulnerability and expose potentially sensitive information about users of unencrypted Federal websites and services."
Security

Researchers Find Same RSA Encryption Key Used 28,000 Times 132

Posted by timothy
from the well-if-it-worked-for-that-guy dept.
itwbennett writes In the course of trying to find out how many servers and devices are still vulnerable to the Web security flaw known as FREAK, researchers at Royal Holloway of the University of London found something else of interest: Many hosts (either servers or other Internet-connected devices) share the same 512-bit public key. In one egregious example, 28,394 routers running an SSL VPN module all use the same 512-bit public RSA key.
Yahoo!

Yahoo Debuts End-To-End Encryption Email Plugin, Password-Free Logins 213

Posted by Soulskill
from the from-one-end-of-the-internet-to-the-other dept.
An anonymous reader writes: Yahoo has released the source code for a plugin that will enable end-to-end encryption for their email service. They're soliciting feedback from the security community to make sure it's built properly. They plan to roll it out to users by the end of the year.

Yahoo also demonstrated a new authentication system that doesn't use permanent passwords. Instead, they allow you to associate your Yahoo account with your phone, and text you a code on demand any time you need to log in. It's basically just the second step of traditional two-step authentication by itself. But Yahoo says they think it's "the first step to eliminating passwords."
Blackberry

BlackBerry's Latest Experiment: a $2,300 'Secure' Tablet 95

Posted by Soulskill
from the for-people-who-think-high-end-tablets-are-too-cheap dept.
An anonymous reader writes: After missing the boat on smartphones, BlackBerry has been throwing everything they can at the wall to see what sticks. From making square phones to insisting users want physical keyboards, their only standard is how non-standard they've become. Now they're expanding this strategy to the tablet market with a security-centric tablet that costs $2,300. And they're not doing it alone — the base device is actually a Samsung Galaxy Tab S 10.5. The tablet runs Samsung Knox boot tech, as well as software from IBM and encryption specialist Secusmart (which BlackBerry recently purchased). The device will be targeted at businesses and organizations who have particular need for secure devices.

"Organizations deploying the SecuTablet will be able to set policies controlling what apps can run on the devices, and whether those apps must be wrapped, said IBM Germany spokesman Stefan Hefter. The wrapping process—in which an app is downloaded from a public app store, bundled with additional libraries that encrypt its network traffic and intercept Android 'intents' for actions such as cutting or pasting data, then uploaded to a private app store—ensures that corporate data can be protected at rest, in motion and in use, he said. For instance, it can prevent data from a secure email being copied and pasted into the Facebook app running on the same device—yet allow it to be pasted into a secure collaboration environment, or any other app forming part of the same 'federation,' he said."
Government

Mass Surveillance: Can We Blame It All On the Government? 123

Posted by timothy
from the moral-amoral-immoral dept.
Nicola Hahn writes Yet another news report has emerged detailing how the CIA is actively subverting low-level encryption features in mainstream hi-tech products. Responding to the story, an unnamed intelligence official essentially shrugged his shoulders and commented that "there's a whole world of devices out there, and that's what we're going to do." Perhaps this sort of cavalier dismissal isn't surprising given that leaked classified documents indicate that government intelligence officers view iPhone users as 'Zombies' who pay for their own surveillance.

The past year or so of revelations paints a pretty damning portrait of the NSA and CIA. But if you read the Intercept's coverage of the CIA's subversion projects carefully you'll notice mention of Lockheed Martin. And this raises a question that hasn't received much attention: what role does corporate America play in all of this? Are American companies simply hapless pawns of a runaway national security state? Ed Snowden has stated that mass surveillance is "about economic spying, social control, and diplomatic manipulation. They're about power." A sentiment which has been echoed by others. Who, then, stands to gain from mass surveillance?
Encryption

OpenSSL To Undergo Massive Security Audit 69

Posted by timothy
from the cracking-down-on-cracking-down dept.
rjmarvin writes Now that its codebase is finally viewed as stable, OpenSSL is getting a good top-to-bottom once-over in the form of a sweeping audit. As part of the Linux Foundation's Core Infrastructure Initiative, the foundation and the Open Crypto Audit Project are sponsoring and organizing what may arguably be the highest-profile audit of a piece of open-source software in history. The audit itself will be conducted by the information assurance organization NCC Group, and its security research arm, Cryptography Services, will carry out the code review of OpenSSL's 447,247 line codebase over the next several months.
Transportation

Lawsuit Claims Major Automakers Have Failed To Guard Against Hackers 107

Posted by Soulskill
from the maybe-they'll-listen-when-lawyers-say-it dept.
Lucas123 writes: A Dallas-based law firm has filed a class-action lawsuit in the U.S. District Court for the Northern District of California claiming Ford, GM and Toyota all ignored basic electronic security measures that leave vehicles open to hackers who can take control of critical functions and endanger the safety of the driver and passengers. The suit, filed on behalf of three vehicle owners and "all others similarly situated" is seeking unspecified damages and an injunction that would force automakers to install proper firewalls or encryption in vehicle computer bus systems, which connect dozens of electronic control units. "Toyota, Ford and GM have deliberately hidden the dangers associated with car computer systems, misleading consumers," attorney Marc Stanley said. The lawsuit cites several studies revealing security flaws in vehicle electronics. A 2013 study by the Defense Advanced Research Projects Agency found researchers could make vehicles "suddenly accelerate, turn, [and] kill the brakes." A study released last month by Sen. Edward Markey (D-Mass.) also claims automakers have fallen far short in their responsibility to secure their vehicles' electronics.
Cellphones

CIA Tried To Crack Security of Apple Devices 119

Posted by timothy
from the hey-fellas-we-were-expecting-you dept.
According to a story at The Guardian passed on by an anonymous reader, The CIA led sophisticated intelligence agency efforts to undermine the encryption used in Apple phones, as well as insert secret surveillance back doors into apps, top-secret documents published by the Intercept online news site have revealed. The newly disclosed documents from the National Security Agency's internal systems show surveillance methods were presented at its secret annual conference, known as the "jamboree."
Encryption

UK Parliament: Banning Tor Is Unacceptable and Technologically Impossible 98

Posted by Soulskill
from the moments-of-clarity dept.
An anonymous reader writes: Months after UK prime minister David Cameron sought to ban strong encryption, a new parliamentary briefing contradicts that, at least when it comes to Tor. The briefing says, "there is widespread agreement that banning online anonymity systems altogether is not seen as an acceptable policy option in the UK. Even if it were, there would be technical challenges." The briefing cites Tor's ability to circumvent such censorship in countries like China as well as looking at both legal and illegal uses of Tor.
Encryption

Kali Linux On a Raspberry Pi (A/B+/2) With LUKS Disk Encryption 37

Posted by samzenpus
from the check-it-out dept.
An anonymous reader writes With the advent of smaller, faster ARM hardware such as the new Raspberry Pi 2 (which now has a Kali image built for it), we've been seeing more and more use of these small devices as 'throw-away computers'. While this might be a new and novel technology, there's one major drawback to this concept – and that is the confidentiality of the data stored on the device itself. Most of the setups do little to protect the sensitive information saved on the SD cards of these little computers.
Encryption

Tor Project Aims To Eclipse US Government Funding 53

Posted by timothy
from the not-the-entire-government's-funding dept.
An anonymous reader writes Developed by the U.S. Navy and the recipient of millions of dollars of government grants, the Tor Project is now aiming to wean itself off dependence on U.S. government funds "including setting a goal of 50 percent non-U.S. government funding by 2016." The initiative comes after months of discussion over what some vocal critics deemed a contradiction in funding and purpose.
Encryption

FREAK Attack Threatens SSL Clients 89

Posted by Soulskill
from the another-day-another-vuln dept.
msm1267 writes: For the nth time in the last couple of years, security experts are warning about a new Internet-scale vulnerability, this time in some popular SSL clients. The flaw allows an attacker to force clients to downgrade to weakened ciphers and break their supposedly encrypted communications through a man-in-the-middle attack. Researchers recently discovered that some SSL clients, including OpenSSL, will accept weak RSA keys–known as export-grade keys–without asking for those keys. Export-grade refers to 512-bit RSA keys, the key strength that was approved by the United States government for export overseas. This was an artifact from decades ago and it was thought that most servers and clients had long ago abandoned such weak ciphers. The vulnerability affects a variety of clients, most notably Apple's Safari browser.