Encryption

DARPA Wants To Make a Better, More Secure Version of WhatsApp (trustedreviews.com) 93

The Defense and Advanced Research Projects Agency (DARPA) appears to be in the process of developing its own ultra secure communication platform. The program is called "Resilient Anonymous Communication for Everyone," or RACE, and it will be similar to WhatsApp in that it will be for everyone to use. Trusted Reviews reports: The objectives of the program are to create a distributed messaging system that can do three things: Exist completely within a network; Provide confidentiality, integrity and availability of messaging; and Preserve privacy to any participant in the system.

DARPA seem to be putting security front and center, and the description of the project claims that "compromised system data and associated networked communications should not be helpful for compromising any additional parts of the system," meaning that DARPA are keen that one breach shouldn't also give them a leg up on access to other parts of the system. So, will we soon be using a U.S. government branded DARPA? Probably not, but the chances are that RACE will go some way to creating a messaging app that's resilient to attacks, with the protocol and security they find no doubt dripping through to consumer tech and features in the coming years.

Crime

The Rise and Fall of the Bayrob Malware Gang (zdnet.com) 54

Three Romanians ran a complicated online fraud operation -- along with a massive malware botnet -- for nine years, reports ZDNet, netting tens of millions of US dollars, but their crime spree is now over, and they're all facing long prison sentences.

"The three were arrested in late 2016 after the FBI and Symantec had silently stalked their malware servers for years, patiently waiting for the highly skilled group to make mistakes that would leave enough of a breadcrumb trail to follow back to their real identities."

An anonymous Slashdot reader writes: The group started from simple eBay scams [involving non-existent cars and even a fake trucking company] to running one of the most widespread keylogger trojans around. They were considered one of the most advanced groups around, using PGP email and OTR encryption when most hackers were defacing sites under the Anonymous moniker, and using multiple proxy layers to protect their infrastructure. The group operated tens of fake websites, including a Yahoo subsidiary clone, conned and stole money from their own money mules, and were one of the first groups to deploy Bitcoin crypto-mining malware on desktops, when Bitcoin could still be mined on PCs.

The Bayrob group was led by one of Romania's top IT students, who went to the dark side and helped create a malware operation that took nine years for US authorities and the FBI to track and eventually take down. Before turning hacker, he was the coach of Romania's national computer science team, although he was still a student, and won numerous awards in programming and CS contests.

Privacy

Amazon Workers Are Listening To What You Tell Alexa (bloomberg.com) 137

Amazon reportedly employs thousands of people around the world to help improve its Alexa digital assistant. "The team listens to voice recordings captured in Echo owners' homes and offices," reports Bloomberg. "The recordings are transcribed, annotated and then fed back into the software as part of an effort to eliminate gaps in Alexa's understanding of human speech and help it better respond to commands." From the report: The team comprises a mix of contractors and full-time Amazon employees who work in outposts from Boston to Costa Rica, India and Romania, according to the people, who signed nondisclosure agreements barring them from speaking publicly about the program. They work nine hours a day, with each reviewer parsing as many as 1,000 audio clips per shift, according to two workers based at Amazon's Bucharest office, which takes up the top three floors of the Globalworth building in the Romanian capital's up-and-coming Pipera district. The modern facility stands out amid the crumbling infrastructure and bears no exterior sign advertising Amazon's presence. The work is mostly mundane. One worker in Boston said he mined accumulated voice data for specific utterances such as "Taylor Swift" and annotated them to indicate the searcher meant the musical artist. Occasionally the listeners pick up things Echo owners likely would rather stay private: a woman singing badly off key in the shower, say, or a child screaming for help. The teams use internal chat rooms to share files when they need help parsing a muddled word -- or come across an amusing recording.

Sometimes they hear recordings they find upsetting, or possibly criminal. Two of the workers said they picked up what they believe was a sexual assault. When something like that happens, they may share the experience in the internal chat room as a way of relieving stress. Amazon says it has procedures in place for workers to follow when they hear something distressing, but two Romania-based employees said that, after requesting guidance for such cases, they were told it wasn't Amazon's job to interfere. [...] Amazon, in its marketing and privacy policy materials, doesn't explicitly say humans are listening to recordings of some conversations picked up by Alexa. "We use your requests to Alexa to train our speech recognition and natural language understanding systems," the company says in a list of frequently asked questions. In Alexa's privacy settings, the company gives users the option of disabling the use of their voice recordings for the development of new features. A screenshot reviewed by Bloomberg shows that the recordings sent to the Alexa auditors don't provide a user's full name and address but are associated with an account number, as well as the user's first name and the device's serial number.
An Amazon spokesperson said in a statement to Bloomberg: "We take the security and privacy of our customers' personal information seriously. We only annotate an extremely small sample of Alexa voice recordings in order [to] improve the customer experience. For example, this information helps us train our speech recognition and natural language understanding systems, so Alexa can better understand your requests, and ensure the service works well for everyone."

They added: "We have strict technical and operational safeguards, and have a zero tolerance policy for the abuse of our system. Employees do not have direct access to information that can identify the person or account as part of this workflow. All information is treated with high confidentiality and we use multi-factor authentication to restrict access, service encryption and audits of our control environment to protect it."

Further reading: How To Stop Amazon From Listening To Your Recordings

Botnet

New Variants of Mirai Botnet Detected, Targeting More IoT Devices (arstechnica.com) 36

An anonymous reader quotes a report from Ars Technica: Mirai, the "botnet" malware that was responsible for a string of massive distributed denial of service (DDoS) attacks in 2016 -- including one against the website of security reporter Brian Krebs -- has gotten a number of recent updates. Now, developers using the widely distributed "open" source code of the original have added a raft of new devices to their potential bot armies by compiling the code for four more microprocessors commonly used in embedded systems.

Researchers at Palo Alto Networks' Unit 42 security research unit have published details of new samples of the Mirai botnet discovered in late February. The new versions of the botnet malware targeted Altera Nios II, OpenRISC, Tensilica Xtensa, and Xilinx MicroBlaze processors. These processors are used on a wide range of embedded systems, including routers, networked sensors, base band radios for cellular communications and digital signal processors. The new variants also include a modified encryption algorithm for botnet communications and a new version of the original Mirai TCP SYN denial-of-service attack. Based on the signature of the new attack option, Unit 42 researchers were able to trace activity of the variants back as far as November 2018.

The Internet

IT and Security Professionals Think Normal People Are Just the Worst (zdnet.com) 296

Two new studies reaffirm every computer dunce's worst fears: IT professionals blame the employees they're bound to help for their computer problems -- at least when it comes to security. From a report: One, courtesy of SaaS operations management platform BetterCloud, offers grim reading. 91 percent of the 500 IT and security professionals surveyed admitted they feel vulnerable to insider threats. Which only makes one wonder about the supreme (over-)confidence of the other 9 percent.

[...] Yet now I've been confronted with another survey. This one was performed by the Ponemon Institute at the behest of security-for-your-security company nCipher. Its sampling was depressingly large. 5,856 IT and security professionals from around the world were asked for their views of corporate IT security. They seemed to wail in unison at the lesser and more unwashed. Oh, an objective 30 percent insisted that external hackers were the biggest cause for concern. A teeth-gritting 54 percent, however, said the most extreme threat to corporate IT security came from employee mistakes.

Encryption

Gmail Becomes First Major Email Provider To Support MTA-STS, TLS Reporting (zdnet.com) 25

Google announced today that Gmail has become the first major email provider to support two new security standards, namely MTA-STS and TLS Reporting. Both are extensions to the Simple Mail Transfer Protocol (SMTP), the protocol through which all emails are sent today. ZDNet reports: The purpose of MTA-STS and TLS Reporting is to help email providers establish cryptographically secure connections between each other, with the main goal of thwarting SMTP man-in-the-middle attacks. The two new standards will prevent this by allowing legitimate email providers to create a secure channel for exchanging emails. For example, SMTP MTA Strict Transport Security (MTA-STS) works by allowing email server admins to set up an MTA-STS policy on their server. This policy allows a legitimate provider to request that external email servers verify the security of SMTP connections before sending any emails. Minimum requirements, such as forcing external email servers to authenticate with a valid public certificate encrypted with TLS 1.2 or higher, can be enforced, depending on preferences, ensuring that emails sent to a company's server travel through an obligatory and properly encrypted channel -- or they don't arrive at all.

In addition, the TLS Reporting SMTP extension sets up a reporting mechanism through which a legitimate email server can request daily reports from other email servers about the success or failure of emails that have been sent to the legitimate server's domain. Both, when combined, will either prevent or help email server admins identify SMTP man-in-the-middle attacks against their email traffic.

Privacy

ASUS Releases Fix For ShadowHammer Malware Attack (engadget.com) 63

A reader shares a report from Engadget: ASUS may have inadvertently pushed malware to some of its computers through its update tool, but at least it has a fix ready to go. The PC maker has released a new version of its Live Update software for laptops that addresses the ShadowHammer backdoor attack. It also promised "multiple security verification mechanisms" to reduce the chances of further attacks, and started using an "enhanced end-to-end encryption mechanism." There are upgrades to the behind-the-scenes server system to prevent future attacks, ASUS added.

The company simultaneously reiterated the narrow scope of ShadowHammer, noting that the malware targeted a "very small and specific user group." It's believed to be an Advanced Persistent Threat -- that is, a state-backed assault against organizations rather than everyday users. Other ASUS devices weren't affected, according to a notice. While the fix is reassuring, it also raises questions as to why the systems weren't locked down earlier. Update tools are prime targets for hackers precisely because they're both trusted and have deep access to the operating system -- tight security is necessary to prevent an intruder from hijacking the process.

Social Networks

Jared & Ivanka: Couple 'Continues To Use' Private Messaging For White House Business, Top Democrat Says (thedailybeast.com) 252

Freshly Exhumed writes: Rep. Elijah Cummings (D-MD), the chairman of the House Oversight Committee, has revealed that senior White House advisor Jared Kushner's lawyer admitted in December that his client "continues to use" WhatsApp to conduct official White House business. The chairman also said that a lawyer for Ivanka Trump and Mr. Kushner told the committee late last year that they additionally used private email accounts for official White House business in a way that may have violated federal records laws. Mr Kushner's lawyer, Abbe Lowell could not say whether his client used WhatsApp to share classified information. Regardless, Cummings says the communications raise questions about whether Kushner and other officials violated the Presidential Records Act, which requires the president and his staff "take all practical steps to file personal records separately from Presidential records." As for Ivanka's use of a personal email account to conduct official business, her lawyer says she sent the emails before she was briefed on the rules.

If you're not familiar with WhatsApp, here's what you should know about it: "As of January 2019, more than 1.5 billion users in over 180 countries use WhatsApp, created in 2009 as an alternative to text messaging," reports USA Today. "Facebook acquired WhatsApp in 2014 to make a bigger play in the rapidly-growing messaging market, along with its own Messenger platform, which also boasts 1.5 billion users." The service features end-to-end encryption, meaning the sender and recipient are the only ones who can view the messages.

Medicine

750,000 Medtronic Defibrillators Vulnerable To Hacking (startribune.com) 54

The Homeland Security Department issued an alert Thursday describing two types of computer-hacking vulnerabilities in 16 different models of Medtronic implantable defibrillators sold around the world, including some still on the market today. The vulnerability also affects bedside monitors that read data from the devices in patients' homes and in-office programming computers used by doctors. From the report: Medtronic recommends that patients only use bedside monitors obtained from a doctor or from Medtronic directly, and to keep it plugged in so it can receive software updates, and that they maintain "good physical control" over the monitor. Implantable defibrillators are complex, battery-run computers implanted in patients' upper chests to monitor the heart and send electric pulses or high-voltage shocks to prevent sudden cardiac death and treat abnormal heart beats. The vulnerabilities announced Thursday do not affect Medtronic pacemakers.

The more serious of the two is a vulnerability that could allow improper access to data sent between a defibrillator and an external device like an at-home monitor. The system doesn't use formal authentication or authorization protections, which means an attacker with short-range access to the device could inject or modify data and change device settings, the advisory says. A second vulnerability allows an attacker to read sensitive data streaming out of the device, which could include the patient's name and past health data stored on their device. The system does not use data encryption, the advisory says. (Deploying encryption in medical devices is tricky because it increases computational complexity and therefore uses the battery faster.)

The FDA isn't expected to issue a recall as the vulnerabilities are expected to be patched via a future software update.

Security

PewCrypt Ransomware Locks Users' Files and Won't Offer a Decryption Key Until - and Unless - PewDiePie's YouTube Channel Beats T-Series To Hit 100M Subscribers (zdnet.com) 237

The battle between PewDiePie, currently the most subscribed channel on YouTube, and T-Series, an Indian music label, continues to have strange repercussions. In recent months, as T-Series closes in on the gap to beat PewDiePie for the crown of the most subscribers on YouTube, alleged supporters of PewDiePie, in an unusual show of love, have hacked Chromecasts and printers to persuade victims to subscribe to PewDiePie's channel. Now ZDNet reports about a second strain of ransomware that is linked to PewDiePie. From the report: A second one appeared in January, and this was actually a fully functional ransomware strain. Called PewCrypt, this ransomware was coded in Java, and it encrypted users' files in the "proper" way, with a method of recovering files at a later date. The catch -- you couldn't buy a decryption key, but instead, victims had to wait until PewDiePie gained over 100 million followers before being allowed to decrypt any of the encrypted files. At the time of writing, PewDiePie had around 90 million fans, meaning any victim would be in for a long wait before they could regain access to any of their files. Making matters worse, if T-Series got to 100 million subscribers before PewDiePie, then PewCrypt would delete the user's encryption key for good, leaving users without a way to recover their data.

While the ransomware was put together as a joke, sadly, it did infect a few users, ZDNet has learned. Its author eventually realized the world of trouble he'd get into if any of those victims filed complaints with authorities, and released the ransomware's source code on GitHub, along with a command-line-based decryption tool.

Opera

Opera Adds Free and Unlimited VPN Service To Its Android Browser (venturebeat.com) 75

Opera has added a free VPN service to its Android browser. The Norwegian browser maker, which went public last year, also addressed concerns about potential hidden costs of using its free VPN offering. From a report: As users become more cautious about their privacy, many have explored using VPN services. According to a GlobalWebIndex estimate, more than 650 million people worldwide use such tools to mask their identity online and fend off web trackers. Opera has long recognized this need; in 2016, it launched Opera VPN, a standalone VPN app for iOS and Android. A few months later, it baked that feature into its desktop browser. Last year, however, the company discontinued Opera VPN. Now, Opera is integrating the VPN service into its Android browser. Opera 51 for Android enables users to establish a private connection between their mobile device and a remote VPN server using 256-bit encryption. Users can pick a server of their choice from a range of locations. Unlike several other VPN apps, Opera's offering does not require an account to use the service.

Encryption

Slack Hands Over Control of Encryption Keys To Regulated Customers (techcrunch.com) 32

Business communications and collaboration service Slack said today that it is launching Enterprise Key Management (EKM) for Slack, a new tool that enables customers to control their encryption keys in the enterprise version of the communications app. The keys are managed in the AWS KMS key management tool. From a report: Geoff Belknap, chief security officer (CSO) at Slack, says that the new tool should appeal to customers in regulated industries, who might need tighter control over security. "Markets like financial services, health care and government are typically underserved in terms of which collaboration tools they can use, so we wanted to design an experience that catered to their particular security needs," Belknap told TechCrunch. Slack currently encrypts data in transit and at rest, but the new tool augments this by giving customers greater control over the encryption keys that Slack uses to encrypt messages and files being shared inside the app.

He said that regulated industries in particular have been requesting the ability to control their own encryption keys including the ability to revoke them if it was required for security reasons. "EKM is a key requirement for growing enterprise companies of all sizes, and was a requested feature from many of our Enterprise Grid customers. We wanted to give these customers full control over their encryption keys, and when or if they want to revoke them," he said.

Further reading: Slack Doesn't Have End-to-End Encryption Because Your Boss Doesn't Want It.

Communications

Facebook's WhatsApp Explores Using Google To Fight Misinformation (venturebeat.com) 56

An anonymous reader shares a report: WhatsApp is working on a major new feature to tackle the spread of misinformation on its service. The Facebook-owned chat app is internally testing a new option that would allow a user to quickly verify the legitimacy of images they have received on WhatsApp by checking if those images had ever appeared on the web before. [...] The unnamed feature relies on Google's reverse image search function to let WhatsApp users upload an image and find where it has appeared on the web. This is a clever solution by WhatsApp, which protects all messages and media content on its platform with end-to-end encryption. While hugely beneficial to end users, using encryption also significantly curtails WhatsApp's ability to scan the content of messages and media on its platform. In emerging markets, users are exhibiting a growing appetite for sharing information through images. In places like India, WhatsApp's largest market and where the service is grappling with the spread of false information, the feature could potentially help many users quickly verify facts and get more context about the image they have received.

Encryption

Quantum Computer Not Ready To Break Public Key Encryption For At Least 10 Years, Some Experts Say (theregister.co.uk) 84

physburn writes: The Register has spoken to some experts to get a better understanding of the risk quantum computers present to the existing encryption systems we have today. Richard Evers, cryptographer for a Canadian security biz called Kryptera, argues that media coverage and corporate pronouncements about quantum computing have left people with the impression that current encryption algorithms will soon become obsolete. But they will not be ready for at least 10 years, he said. As an example, Evers points to remarks made by Arvind Krishna, director of IBM research, at The Churchill Club in San Francisco last May, that those interested in protecting data for at least ten years "should probably seriously consider whether they should start moving to alternate encryption techniques now." In a post Evers penned recently with his business partner Alastair Sweeny, he contends, "The hard truth is that widespread beliefs about security and encryption may prove to be based on fantasy rather than fact." And the reason for this, he suggests, is the desire for funding and fame.

Censorship

Tim Berners-Lee Talks About India's Recent Push To Data Localization, Proposed Compromise of End-to-End Encryption, and Frequent Internet Shutdowns (medianama.com) 41

On the occasion of the web's 30th anniversary, its creator, Tim Berners-Lee, has given some interviews and shared his thoughts on some challenges that the web faces today. He spoke with Medianama, an Indian outlet, on some of the relatively unique challenges that the government over there has been pushing lately. Some of these challenges include government's push to have Silicon Valley companies store data of Indians in India itself; a nudge to WhatsApp to put an end to its encryption (On a side note: The Australian government recently passed a law to do this exact thing); and frequent shutdowns in the nation.

On data localisation and data as a national resource: That's one of the things that the Web Foundation has always been concerned about: the balkanisation of the Internet. If you want to balkanise it, that's a pretty darn effective way of doing it. If you say that Indian people's data can't be stored outside India, that means that when you start a social network which will be accessed by people all over the world, that means that you will have to start 152 different companies all over the world. It's a barrier to entry. Facebook can do that. Google can do that.

When an Indian company does it, and you'll end up with an Indian company that serves only Indian users. When people go abroad, they won't be able to keep track of their friends at home. The whole wonderful open web of knowledge, academic and political discussions would be divided into country groups and cultural groups, so there will be a massive loss of richness to the web.

Data Storage

Firefox Send Lets You Share 1GB Files With No Strings Attached (cnet.com) 50

In 2017, Mozilla experimented with a service that let you transfer 1GB files by sharing a web address with the recipient. Firefox Send is now out of testing and boasts a magnified 2.5GB file-size limit if you log into your Firefox account. From a report: Firefox Send is handy for those moments when you need to share video, audio or photo files that can be too big to squeeze into an email attachment. [...] Firefox Send, which will also be available as an Android app, illustrates one of Mozilla's efforts to diversify beyond the Firefox browser. Mozilla touts Firefox Send as focusing on privacy and uses encryption to protect files. Firefox Send files are available for up to seven days and can be password-protected. You can also limit the number of times they're downloaded.

Censorship

Russia Blocks Encrypted Email Provider ProtonMail (techcrunch.com) 98

An anonymous reader quotes a report from TechCrunch: Russia has told internet providers to enforce a block against encrypted email provider ProtonMail, the company's chief has confirmed. The block was ordered by the state Federal Security Service, formerly the KGB, according to a Russian-language blog, which obtained and published the order after the agency accused the company and several other email providers of facilitating bomb threats. Several anonymous bomb threats were sent by email to police in late January, forcing several schools and government buildings to evacuate.

In all, 26 internet addresses were blocked by the order, including several servers used to scramble the final connection for users of Tor, an anonymity network popular for circumventing censorship. Internet providers were told to implement the block "immediately," using a technique known as BGP blackholing, a way that tells internet routers to simply throw away internet traffic rather than routing it to its destination. But the company says while the site still loads, users cannot send or receive email.
The way the KGB blocked ProtonMail is "particularly sneaky," ProtonMail chief executive Andy Yen said. "ProtonMail is not blocked in the normal way, it's actually a bit more subtle. They are blocking access to ProtonMail mail servers. So Mail.ru -- and most other Russian mail servers -- for example, is no longer able to deliver email to ProtonMail, but a Russian user has no problem getting to their inbox."

"That's because the two ProtonMail servers listed by the order are its back-end mail delivery servers, rather than the front-end website that runs on a different system," adds TechCrunch.

Facebook

Mark Zuckerberg Says Facebook Will Shift To Emphasize Encrypted Ephemeral Messages (theverge.com) 99

Facebook will increasingly shift its focus away from public posts to encrypted, ephemeral communications on its trio of messaging apps, CEO Mark Zuckerberg said today in a significant new blog post. From a report: In a 3,200-word missive, Zuckerberg says that encryption will be one of the keys to Facebook's future -- and that the company is willing to be banned in countries that refuse to let it operate as a result. "As I think about the future of the internet, I believe a privacy-focused communications platform will become even more important than today's open platforms," Zuckerberg writes. "Today we already see that private messaging, ephemeral stories, and small groups are by far the fastest growing areas of online communication." [...] "I believe the future of communication will increasingly shift to private, encrypted services where people can be confident what they say to each other stays secure and their messages and content won't stick around forever," Zuckerberg says. "This is the future I hope we will help bring about."

Encryption

FBI Director Christopher Wray On Encryption: We Can't Have an 'Entirely Unfettered Space Beyond the Reach of Law Enforcement' (cnet.com) 447

An anonymous reader quotes a report from CNET: Encryption should have limits. That's the message FBI Director Christopher Wray had for cybersecurity experts Tuesday. The technology that scrambles up information so only intended recipients can read it is useful, he said, but it shouldn't provide a playground for criminals where law enforcement can't reach them. "It can't be a sustainable end state for there to be an entirely unfettered space that's utterly beyond law enforcement for criminals to hide," Wray said during a live interview at the RSA Conference, a major cybersecurity gathering in San Francisco. His comments are part of a back-and-forth between government agencies and security experts over the role of encryption technology in public safety. Agencies like the FBI have repeatedly voiced concerns like Wray's, saying encryption technology locks them out of communications between criminals. Cybersecurity experts say the technology is crucial for keeping data and critical computer systems safe from hackers. Letting law enforcement access encrypted information just creates a backdoor hackers will ultimately exploit for evil deeds, they say.

Wray, a former assistant attorney general in the U.S. Department of Justice who counts among his biggest cases prosecutions against Enron officials, acknowledged Tuesday that encryption is "a provocative subject." As the leader of the nation's top law enforcement agency, though, he's focused on making sure the government can carry out criminal investigations. Hackers in other countries should expect more investigations and indictments, Wray said. "We're going to follow the facts wherever they lead, to whomever they lead, no matter who doesn't like it," he said. To applause, he added, "I don't really care what some foreign government has to say about it."

Open Source

Linux 5.0 Released (phoronix.com) 107

An anonymous reader writes: Linus Torvalds has released Linux 5.0 in kicking off the kernel's 28th year of development. Linux 5.0 features include AMD FreeSync support, open-source NVIDIA Turing GPU support, Intel Icelake graphics, Intel VT-d scalable mode, NXP PowerPC processors are now mitigated for Spectre Variant Two, and countless other additions. eWeek adds: Among the new features that have landed in Linux 5.0 is support for the Adiantum encryption system, developed by Google for low power devices. Google's Android mobile operating system and ChromeOS desktop operating system both rely on the Linux kernel. "Storage encryption protects your data if your phone falls into someone else's hands," Paul Crowley and Eric Biggers, Android Security and Privacy Team at Google wrote in a blog post. "Adiantum is an innovation in cryptography designed to make storage encryption more efficient for devices without cryptographic acceleration, to ensure that all devices can be encrypted." Memory management in Linux also gets a boost in the 5.0 kernel with a series of improvements designed to help prevent memory fragmentation, which can reduce performance.
