Security

Self-Sovereign ID Tech Is Being Advanced By Security Failures, Privacy Breaches (computerworld.com) 27

Lucas123 writes: There is a growing movement among fintech companies, banks, healthcare services, universities and others toward disintermediating the control of online user identities in favor of supporting end-user controlled decentralized digital wallets based on P2P blockchain. Self-sovereign identity (SSI) is a term used to describe the digital movement that recognizes an individual should own and control their identity without intervening administrative authorities. The wallets would carry encryption keys provided by third parties and could be used to digitally sign transactions or provide access to verifying information, everything from bank-issued credit lines to diplomas -- all of which are controlled by the user through public key infrastructure (PKI). The blockchain ledger and PKI technology is hidden behind user-friendly mobile applications. Currently, there are more proof-of-concept projects than production systems involving a small number of organizations. The pilots, being trialed in government, financial services, insurance, healthcare, energy and manufacturing, don't yet amount to an entire ecosystem, but they will grow over the next few years, according to Gartner.
Encryption

ProtonMail Takes Aim at Google With an Encrypted Calendar (venturebeat.com) 33

Encrypted email provider ProtonMail has officially launched its new calendar in public beta. The move is part of the Swiss company's broader push to offer privacy-focused alternatives to Google's key products. From a report: ProtonMail has been talking about its plans to launch an encrypted calendar for a while. But starting from today, all ProtonMail users on a paid plan will be able to access ProtonCalendar, and it will be opened to everyone when it exits beta in 2020. "Our goal is to create and make widely accessible online products [that] serve users instead of exploiting them," said ProtonMail CEO Andy Yen. ProtonMail hasn't set out to reinvent the wheel in terms of the features and format of ProtonCalendar. It sports a clean interface with views by month and day, color-coded event types, and so on. It is also tied to a user's ProtonMail email account.
The Internet

DNS Over HTTPS: Not As Private As Some Think? (sans.edu) 83

Long-time Slashdot reader UnderAttack writes: DNS over HTTPS has been hailed as part of a "poor mans VPN". Its use of HTTPS to send DNS queries makes it much more difficult to detect and block the use of the protocol.

But there are some kinks in the armor. Current clients, and most current DoH services, do not implement the optional passing option, which is necessary to obscure the length of the requested hostname. The length of the hostname can also be used to restrict which site a user may have access [to].

The Internet Storm Center is offering some data to show how this can be done.

Their article is by Johannes B. Ullrich, Ph.D. and Dean of Research at the SANS Technology Institute.

It notes that Firefox "seems to be the most solid DoH implementation. Firefox DoH queries look like any other Firefox HTTP2 connection except for the packet size I observed." And an open Firefox bug already notes that "With the availability of encrypted DNS transports in Firefox traffic analysis mitigations like padding are becoming relevant."
The Almighty Buck

Visa Warns That Hackers Are Scraping Card Details From Gas Pumps (engadget.com) 88

Visa has issued a statement warning consumers that cybercriminals are actively exploiting a weakness in gas station point-of-sale (POS) networks to steal credit card data. Engadget reports: The company's fraud disruption teams are investigating several incidents in which a hacking group known as Fin8 defrauded fuel dispenser merchants. In each case, the attackers gained access to the POS networks via malicious emails and other unknown means. They then installed POS scraping software that exploited the lack of security with old-school mag stripe cards that lack a PIN code.

The hack doesn't appear to affect more secure chip-and-pin cards, but not all consumers have those, so service stations often work with mag stripe readers, too. The data is apparently sent in an unencrypted form to the vendor's main network, where the thieves have figured out how to intercept it. The other problem is that the POS systems aren't firewalled off from other, less critical parts of the network, allowing thieves to gain lateral access once the network is breached. There's not much cardholders can do to avoid the attacks, but Visa has advised fuel merchants to encrypt data while it's transferred or use a chip-and-PIN policy.

Encryption

Apple Used the DMCA to Take Down a Tweet Containing an iPhone Encryption Key (vice.com) 66

Security researchers are accusing Apple of abusing the Digital Millennium Copyright Act (DMCA) to take down a viral tweet and several Reddit posts that discuss techniques and tools to hack iPhones. Lorenzo Franceschi-Bicchierai, reporting for Vice: On Sunday, a security researcher who focuses on iOS and goes by the name Siguza posted a tweet containing what appears to be an encryption key that could be used to reverse engineer the Secure Enclave Processor, the part of the iPhone that handles data encryption and stores other sensitive data. Two days later, a law firm that has worked for Apple in the past sent a DMCA Takedown Notice to Twitter, asking for the tweet to be removed. The company complied, and the tweet became unavailable until today, when it reappeared. In a tweet, Siguza said that the DMCA claim was "retracted." Apple confirmed that it sent the original DMCA takedown request, and later asked Twitter to put the Tweet back online.

At the same time, Reddit received several DMCA takedown requests for posts on r/jailbreak, a popular subreddit where iPhone security researchers and hackers discuss techniques to jailbreak Apple devices, according to the subreddit's moderators. "Admins have not reached out to us in regards to these removals. We have no idea who is submitting these copyright claims," one moderator wrote.

Chrome

Chrome Now Warns You When Your Password Has Been Stolen (theverge.com) 49

Google is rolling out Chrome 79, and it includes a number of password protection improvements. The Verge reports: The biggest addition is that Chrome will now warn you when your password has been stolen as part of a data breach. Google has been warning about reused passwords in a separate browser extension or in its password checkup tool, but the company is now baking this directly into Chrome to provide warnings as you log in to sites on the web.

You can control this new functionality in the sync settings in Chrome, and Google is using strongly hashed and encrypted copies of passwords to match them using multiple layers of encryption. This allows Google to securely match passwords using a technique called private set intersection with blinding. Alongside password warnings, Google is also improving its phishing protection with a real-time option. Google has been using a list of phishing sites that updates every 30 minutes, but the company found that fraudsters have been quickly switching domains or hiding from Google's crawlers. This new real-time protection should generate warnings for 30 percent more cases of phishing.

Security

New Plundervolt Attack Impacts Intel Desktop, Server, and Mobile CPUs (zdnet.com) 74

An anonymous reader quotes a report from ZDNet: Academics from three universities across Europe have disclosed today a new attack that impacts the integrity of data stored inside Intel SGX, a highly-secured area of Intel CPUs. The attack, which researchers have named Plundervolt, exploits the interface through which an operating system can control an Intel processor's voltage and frequency -- the same interface that allows gamers to overclock their CPUs. Academics say they discovered that by tinkering with the amount of voltage and frequency a CPU receives, they can alter bits inside SGX to cause errors that can be exploited at a later point after the data has left the security of the SGX enclave. They say Plundervolt can be used to recover encryption keys or introduce bugs in previously secure software. Intel desktop, server, and mobile CPUs are impacted. A full list of vulnerable CPUs is available here. Intel has also released microcode (CPU firmware) and BIOS updates today that address the Plundervolt attack [by allowing users to disable the energy management interface at the source of the attack, if not needed]. Proof-of-concept code for reproducing attacks will be released on GitHub.
Encryption

Facebook Tells US Attorney General It's Not Prepared To Get Rid Of Encryption On WhatsApp And Messenger (buzzfeednews.com) 109

Facebook said it would not weaken end-to-end encryption across its messaging apps, despite pressure from world governments, in a letter to US Attorney General Bill Barr and UK and Australian leaders. From a report: The letter, sent Monday, came in response to an October open letter from Barr, UK Home Secretary Priti Patel, Australian Minister for Home Affairs Peter Dutton, and then-acting US homeland security secretary Kevin McAleenan, which raised concerns that Facebook's continued implementation of end-to-end encryption on its WhatsApp and Messenger apps would prevent law enforcement agencies from finding illegal activity such as child sexual exploitation, terrorism, and election meddling. The US, UK, and Australian governments asked the social networking company to design a backdoor in its encryption protocols, or a separate way for law enforcement to gain access to user content. "It is simply impossible to create such a backdoor for one purpose and not expect others to try and open it," wrote WhatsApp head Will Cathcart and Messenger head Stan Chudnovsky in Facebook's response. "People's private messages would be less secure and the real winners would be anyone seeking to take advantage of that weakened security. That is not something we are prepared to do."
IT

Keybase Moves To Stop Onslaught of Spammers on Encrypted Message Platform (arstechnica.com) 13

From a report: Keybase started off as co-founder and developer Max Krohn's "hobby project" -- a way for people to share PGP keys with a simple username-based lookup. Then Chris Coyne (who also was cofounder of OkCupid and SparkNotes) got involved and along came $10.8 million in funding from a group of investors led by Andreesen Horowitz. And then things got increasingly more complicated. Keybase aims to make public-key encryption accessible to everyone, for everything from messaging to file sharing to throwing a few crypto-coins someone's way. But because of that level of accessibility, Keybase faces a very OkCupid kind of problem: after drawing in people interested in easy public-key crypto-based communications and then drawing in blockchain lovers with its partnership with (and funding from) Stellar.org, Keybase has also drawn in spammers and scammers. And that has brought a host of alerts and messages that have made what was once a fairly clear communications channel into one clogged with unwanted alerts, messages, and other unpleasantry -- raising a chorus of complaints in Keybase's open chat channel. It turns out there's a reason spell check keeps wanting to tell me that Keybase should be spelled "debase."

Keybase's leadership is promising to do something to fix the spam problem -- or at least make it easier to report and block abusers. In a blog post, Krohn and Coynes wrote, "To be clear, the current spam volume isn't dire, YET. Keybase still works great. But we should act quickly." But the measures promised by Keybase won't completely eliminate the issue. And Keybase execs have no interest in getting involved with additional steps that they see as censorship. "Keybase is a private company and we do retain our rights to kick people out," the co-founders said in the blog post. "That hammer will not be used because someone is mostly disliked, as long as they're playing nicely on Keybase."

Software

Putin Signs Law Making Russian Apps Mandatory On Smartphones, Computers (reuters.com) 64

Russian President Vladimir Putin on Monday signed legislation requiring all smartphones, computers and smart TV sets sold in the country to come pre-installed with Russian software. Reuters reports: The law, which will come into force on July 1 next year, has been met with resistance by some electronics retailers, who say the legislation was adopted without consulting them. The law has been presented as a way to help Russian IT firms compete with foreign companies and spare consumers from having to download software upon purchasing a new device. The country's mobile phone market is dominated by foreign companies including Apple, Samsung and Huawei. The legislation signed by Putin said the government would come up with a list of Russian applications that would need to be installed on the different devices.
Communications

10 Years In, WhatsApp Still Needs True Multi-Device Support (venturebeat.com) 22

Paul Sawers, writing for VentureBeat: WhatsApp launched out of beta 10 years ago this month, and the messaging behemoth is now a completely different beast from the one that quietly arrived for iPhone users way back in November 2009. After Facebook shelled out around $20 billion to acquire the app in 2014, WhatsApp introduced voice calls, video calls, group calls, web and desktop apps, end-to-end encryption, and fingperprint unlocking. All the while, Facebook has been figuring out how to monetize its gargantuan acquisition by targeting businesses. However, there remains one glaring chink in WhatsApp's otherwise expansive armor -- namely, the lack of simultaneous multi-device support. Things could be about to change, however.

Given that WhatsApp is tethered to a user's mobile number and all messages are stored locally on devices, rather than on remote servers, syncing and accessing WhatsApp across devices poses something of a challenge. WhatsApp Web allows users to message from their desktop computer, but by essentially mirroring their mobile device -- one can't work without the other. Moreover, WhatsApp Web lacks many of the features of the mobile app, such as voice and video calling. Achieving true multi-device support -- without compromising security -- would be a big game changer for WhatsApp.

Security

Some Fortinet Products Shipped With Hardcoded Encryption Keys (zdnet.com) 21

Fortinet, a vendor of cyber-security products, took between 10 and 18 months to remove a hardcoded encryption key from three products that were exposing customer data to passive interception. From a report: The hardcoded encryption key was found inside the FortiOS for FortiGate firewalls and the FortiClient endpoint protection software (antivirus) for Mac and Windows. These three products used a weak encryption cipher (XOR) and hardcoded cryptographic keys to communicate with various FortiGate cloud services. The hardcoded keys were used to encrypt user traffic for the FortiGuard Web Filter feature, FortiGuard AntiSpam feature, and FortiGuard AntiVirus feature. A threat actor in a position to observe a user or a company's traffic would have been able to take the hardcoded encryption keys and decrypt this weakly encrypted data stream.
Businesses

Mozilla's Annual Buyer's Guide Rates Amazon and Google Security Cameras 'Very Creepy' (which.co.uk) 40

"Be Smart. Shop Safe," warns Mozilla's annual buyer's guide for secure connected products. Based on their conversations with developers and dozens of privacy experts, they've awarded smiley faces with different expressions to rate products from "Not Creepy" up to "Super Creepy".

"While the variety of smart devices on offer is rapidly increasing, so are the number of products that pay no heed to even basic security measures..." notes the editor of Mozilla's Internet Health Report. "Now that more and more companies collect personal data about you, including audio and video of your family, and sensitive biometric and health information, like your heart rate and sleeping habits, it's worrying that more are not upfront about the privacy and security of their products."

Or, as The Next Web writes, "god bless Mozilla for having our lazy backs." And, well, if you're a user of any Ring cameras⦠we're sorry. Basically, there are five things that every product must do:

- Have automatic security updates, so they're protected against the newest threats

- Use encryption, meaning bad actors can't just snoop on your data

- Include a vulnerability management pathway, which makes reporting bugs easy and, well, possible

- Require users to change the default password (if applicable), because that makes devices far harder to access

- Privacy policies -- ones that relate to the product specifically, and aren't just generic

Doesn't seem too much to ask right...? Well, of the 76 devices Mozilla selected, 60 of them passed this test... And what devices didn't meet the criteria?

There were nine of them overall (including the Artie 3000 Coding Robot and the Wemo Wifi Smart Dimmer), but the real loser in this test is the Amazon-owned Ring. Three of the company's products (which is effectively all of their major devices) didn't meet Mozilla's criteria. Yes, that's right, the Ring Video Doorbell, Ring Indoor Cam, and Ring Security Cam all didn't meet minimum standards for security.... The main reasons for not meeting this criteria is due Ring's history with poor encryption policies, and vulnerability management.

To be fair, Nest Cam's Indoor and Outdoor Security Cameras and Google Home also fell into the "Very Creepy" category -- and so did Amazon's Echo smart speakers. (The Amazon Echo Show even made it into Mozilla's highest "Super Creepy" category, where the only other product was Facebook Portal.) But at least the Nest Hello Video doorbell only appears in Mozilla's "Somewhat Creepy" category.

"Just because something on your wishlist this year connects to the internet, doesn't mean you have to compromise on privacy and security..." warns the editor of Mozilla's Internet Health Report. And in addition, "Fitness trackers designed for kids as young as 4 years old, raise questions about what we are teaching our children about how much digital surveillance in their lives is normal." Going forward, they suggest that we push for better privacy regulations -- and that whenever we rate products on performance and price, we should also rate them on their privacy and security.

But in the meantime, as Mozilla explained on Twitter, "Friends don't let friends buy creepy gifts."
Google

Google Will Pay Bug Hunters Up To $1.5M if They Can Hack Its Titan M Chip (zdnet.com) 21

Google announced today that it is willing to dish out bug bounty cash rewards of up to $1.5 million if security researchers find and report bugs in the Android operating system that can also compromise its new Titan M security chip. From a report: Launched last year, the Titan M chip is currently part of Google Pixel 3 and Pixel 4 devices. It's a separate chip that's included in both phones and is dedicated solely to processing sensitive data and processes, like Verified Boot, on-device disk encryption, lock screen protections, secure transactions, and more. Google says that if researchers manage to find "a full chain remote code execution exploit with persistence" that also compromises data protected by Titan M, they are willing to pay up to $1 million to the bug hunter who finds it. If the exploit chain works against a preview version of the Android OS, the reward can go up to $1.5 million.
Transportation

Uber To Allow Audio Recording of Rides, Aiming To Launch Feature In US (theguardian.com) 26

An anonymous reader quotes a report from the Associated Press: Uber will allow passengers and drivers in Brazil and Mexico to record audio of their rides as it attempts to improve its safety record and image, and eventually it hopes to launch the feature into other markets including the United States. The ride-hailing company plans to pilot the feature in cities in both countries in December, although it has no timeline for possible expansion in the US and other markets.

The feature will allow customers to opt into recording all or select trips. Recordings will be stored on the rider or driver's phone and encrypted to protect privacy, and users will not be able to listen to them. They can later share a recording with Uber, which will have an encryption key, if they want to report a problem. Whether the recording feature will deter violent behavior to help riders and drivers is unknown. But Uber stands to benefit because the recordings could help the company mitigate losses and rein in liability for incidents that flare up between drivers and passengers.

Windows

Microsoft Announces Plan To Support DoH In Windows (microsoft.com) 97

New submitter Shad0wz writes: Microsoft's Core Network team just announced they plan on supporting DoH in the Windows resolver. In the blog post, the company writes: Providing encrypted DNS support without breaking existing Windows device admin configuration won't be easy. However, at Microsoft we believe that "we have to treat privacy as a human right. We have to have end-to-end cybersecurity built into technology." We also believe Windows adoption of encrypted DNS will help make the overall Internet ecosystem healthier. There is an assumption by many that DNS encryption requires DNS centralization. This is only true if encrypted DNS adoption isn't universal. To keep the DNS decentralized, it will be important for client operating systems (such as Windows) and Internet service providers alike to widely adopt encrypted DNS. With the decision made to build support for encrypted DNS, the next step is to figure out what kind of DNS encryption Windows will support and how it will be configured. Here are our team's guiding principles on making those decisions:

Windows DNS needs to be as private and functional as possible by default without the need for user or admin configuration because Windows DNS traffic represents a snapshot of the user's browsing history. To Windows users, this means their experience will be made as private as possible by Windows out of the box. For Microsoft, this means we will look for opportunities to encrypt Windows DNS traffic without changing the configured DNS resolvers set by users and system administrators.
Privacy-minded Windows users and administrators need to be guided to DNS settings even if they don't know what DNS is yet. Many users are interested in controlling their privacy and go looking for privacy-centric settings such as app permissions to camera and location but may not be aware of or know about DNS settings or understand why they matter and may not look for them in the device settings.
Windows users and administrators need to be able to improve their DNS configuration with as few simple actions as possible. We must ensure we don't require specialized knowledge or effort on the part of Windows users to benefit from encrypted DNS. Enterprise policies and UI actions alike should be something you only have to do once rather than need to maintain.
Windows users and administrators need to explicitly allow fallback from encrypted DNS once configured. Once Windows has been configured to use encrypted DNS, if it gets no other instructions from Windows users or administrators, it should assume falling back to unencrypted DNS is forbidden.

Google

Google's Rollout of RCS Chat for all Android Users in the US Begins Today (theverge.com) 84

Google is announcing that today, a year and a half after it first unveiled RCS chat as Android's primary texting platform, it is actually making RCS chat Android's primary texting platform. That's because it is rolling out availability to any Android user in the US who wants to use it, starting today. From a report: RCS stands for "rich communication services," and it's the successor to SMS. Like other texting services, it supports read receipts, typing indicators, improved group chats, and high-quality images. Unlike several texting apps, like iMessage or Signal, it does not offer end-to-end encryption as an option. RCS is based on your phone number, so when you are texting with somebody who also has it, it should just turn on automatically in your chat. To get RCS, you simply need to use Android Messages as your default texting app on your Android phone. Many Android phones do that already by default, but Samsung users will need to head to the Google Play Store to download it and then switch to it as their default. Further reading: The Four Major Carriers Finally Agree To Replace SMS With a New RCS Standard.
Databases

Unusual New 'PureLocker' Ransomware Is Going After Servers (zdnet.com) 22

Researchers at Intezer and IBM X-Force have detected an unconventional form of ransomware that's being deployed in targeted attacks against enterprise servers. They're calling it PureLocker because it's written in the PureBasic programming language. ZDNet reports: It's unusual for ransomware to be written in PureBasic, but it provides benefits to attackers because sometimes security vendors struggle to generate reliable detection signatures for malicious software written in this language. PureBasic is also transferable between Windows, Linux, and OS-X, meaning attackers can more easily target different platforms. "Targeting servers means the attackers are trying to hit their victims where it really hurts, especially databases which store the most critical information of the organization," Michael Kajiloti, security researcher at Intezer told ZDNet.

There's currently no figures on the number PureLocker victims, but Intezer and IBM X-Force have confirmed the ransomware campaign is active with the ransomware being offered to attackers 'as-a-service.' However, it's also believed than rather than being offered to anyone who wants it, the service is offered as a bespoke tool, only available to cyber criminal operations which can afford to pay a significant sum in the first place. The source code of PureLocker ransomware offers clues to its exclusive nature, as it contains strings from the 'more_eggs' backdoor malware. This malware is sold on the dark web by what researchers describe as a 'veteran' provider of malicious services. These tools have been used by some of the most prolific cyber criminal groups operating today, including Cobalt Gang and FIN6 -- and the ransomware shares code with previous campaigns by these hacking gangs. It indicates the PureLocker is designed for criminals who know what they're doing and know how to hit a large organization where it hurts.

Intel

Intel Fixes a Security Flaw It Said Was Repaired 6 Months Ago (nytimes.com) 27

An anonymous reader quotes a report from The New York Times: Last May, when Intel released a patch for a group of security vulnerabilities researchers had found in the company's computer processors, Intel implied that all the problems were solved. But that wasn't entirely true, according to Dutch researchers at Vrije Universiteit Amsterdam who discovered the vulnerabilities and first reported them to the tech giant in September 2018. The software patch meant to fix the processor problem addressed only some of the issues the researchers had found. It would be another six months before a second patch, publicly disclosed by the company on Tuesday, would fix all of the vulnerabilities Intel indicated were fixed in May, the researchers said in a recent interview.

The public message from Intel was "everything is fixed," said Cristiano Giuffrida, a professor of computer science at Vrije Universiteit Amsterdam and one of the researchers who reported the vulnerabilities. "And we knew that was not accurate." While many researchers give companies time to fix problems before the researchers disclose them publicly, the tech firms can be slow to patch the flaws and attempt to muzzle researchers who want to inform the public about the security issues. Researchers often agree to disclose vulnerabilities privately to tech companies and stay quiet about them until the company can release a patch. Typically, the researchers and companies coordinate on a public announcement of the fix. But the Dutch researchers say Intel has been abusing the process. Now the Dutch researchers claim Intel is doing the same thing again. They said the new patch issued on Tuesday still doesn't fix another flaw they provided Intel in May. The Intel flaws, like other high-profile vulnerabilities the computer security community has recently discovered in computer chips, allowed an attacker to extract passwords, encryption keys and other sensitive data from processors in desktop computers, laptops and cloud-computing servers.
Intel says the patches "greatly reduce" the risk of attack, but don't completely fix everything the researchers submitted.

The company's spokeswoman Leigh Rosenwald said Intel was publishing a timeline with Tuesday's patch for the sake of transparency. "This is not something that is normal practice of ours, but we realized this is a complicated issue. We definitely want to be transparent about that," she said. "While we may not agree with some of the assertions made by the researchers, those disagreements aside, we value our relationship with them."
Security

Boeing's Poor Information Security Threatens Passenger Safety, National Security, Says Researcher (csoonline.com) 21

itwbennett writes: Security researcher Chris Kubecka has identified (and reported to Boeing and the Department of Homeland Security back in August) a number of security vulnerabilities in Boeing's networks, email system, and website. "[T]he company's failure to remedy the security failures she reported demonstrate either an unwillingness or inability to take responsibility for their information security," writes JM Porup for CSO online.

The vulnerabilities include a publicly exposed test developer network, a lack of encryption on the boeing.com website, failure to use DMARC for email security, and, perhaps most notably, an email server infected with malware.

For its part, Boeing says that the vulnerabilities Kubecka reported are "common IT vulnerabilities — the type of cyber-hygiene issues thousands of companies confront every day" and that the company has "no indication of a compromise in any aviation system or product that Boeing produces." What Porup's reporting and Kubecka's research clearly shows, however, is how poor information security practices can become aviation security risks.

Slashdot Top Deals