Videos and pictures of children being subjected to sexual abuse are being openly shared on Facebook's WhatsApp on a vast scale, with the encrypted messaging service failing to curb the problem despite banning thousands of accounts every day. From a report: Without the necessary number of human moderators, the disturbing content is slipping by WhatsApp's automated systems. A report reviewed by TechCrunch from two Israeli NGOs details how third-party apps for discovering WhatsApp groups include "Adult" sections that offer invite links to join rings of users trading images of child exploitation. TechCrunch has reviewed materials showing many of these groups are currently active.

TechCrunch's investigation shows that Facebook could do more to police WhatsApp and remove this kind of content. Even without technical solutions that would require a weakening of encryption, WhatsApp's moderators should have been able to find these groups and put a stop to them. Groups with names like "child porn only no adv" and "child porn xvideos" found on the group discovery app "Group Links For Whats" by Lisa Studio don't even attempt to hide their nature.

Better manual investigation of these group discovery apps and WhatsApp itself should have immediately led these groups to be deleted and their members banned. While Facebook doubled its moderation staff from 10,000 to 20,000 in 2018 to crack down on election interference, bullying, and other policy violations, that staff does not moderate WhatsApp content. With just 300 employees, WhatsApp runs semi-independently, and the company confirms it handles its own moderation efforts. That's proving inadequate for policing at 1.5 billion user community. It's a similar problem that WhatsApp, used by more than a billion users, is facing in developing markets where its service is being used to spread false information.

An anonymous reader writes from a report via ZDNet: No data encryption, no antivirus programs, no multi-factor authentication mechanisms, and 28-year-old unpatched vulnerabilities are just some of the cyber-security failings described in a security audit of the U.S.' ballistic missile system released on Friday by the U.S. Department of Defense Inspector General (DOD IG). The report [PDF] was put together earlier this year, in April, after DOD IG officials inspected five random locations where the Missile Defense Agency (MDA) had placed ballistic missiles part of the Ballistic Missile Defense System (BMDS) -- a DOD program developed to protect U.S. territories by launching ballistic missiles to intercept enemy nuclear rockets.

Here is a summary of the findings: (1) Multi-factor authentication wasn't used consistently. (2) One base didn't even bother to configure its network to use multifactor authentication. (3) Patches weren't applied consistently. (4) One base didn't patch systems for flaws discovered in 1990. (5) Server racks weren't locked. (6) Security cameras didn't cover the entire base. (7) Door sensors showed doors closed when they were actually open. (8) Base personnel didn't challenge visitors on bases without proper badges, allowing access to secure areas. (9) One base didn't use antivirus or other security software. (10) Data stored on USB thumb drives was not encrypted. (11) IT staff didn't keep a database of who had access to the system and why.

An anonymous reader shares a report: The quantum internet is starting small, but growing. Researchers have created a network that lets four users communicate simultaneously through channels secured by the laws of quantum physics, and they say it could easily be scaled up. Soren Wengerowsky at the University of Vienna and his colleagues devised a network that uses quantum key distribution (QKD) to keep messages secure [the link is paywalled]. The general principle of QKD is that two photons are entangled, meaning their quantum properties are linked. Further reading: Nature.

Earlier today, Australia's House of Representatives passed the Assistance and Access Bill. The Anti-Encryption Bill, as it is known as, would allow the nation's police and anti-corruption forces to ask, before forcing, internet companies, telcos, messaging providers, or anyone deemed necessary, to break into whatever content agencies they want access to. "While the Bill can still be blocked by the Senate -- Australian Twitter has been quite vocal over today's proceedings, especially in regards to the [Australian Labor Party's] involvement," reports Gizmodo. ZDNet highlights the key findings from a report from the Parliamentary Joint Committee on Intelligence and Security (PJCIS): The threshold for industry assistance is recommended to be lifted to offenses with maximum penalties in excess of three years; Technical Assistance Notices (TANs) and Technical Capability Notices (TCNs) will be subjected to statutory time limits, as well as any extension, renewal, or variation to the notices; the systemic weakness clause to apply to all listing acts and things; and the double-lock mechanism of approval from Attorney-General and Minister of Communications will be needed, with the report saying the Communications Minister will provide "a direct avenue for the concerns of the relevant industry to be considered as part of the approval process."

The report's recommendations also call for a review after 18 months of the Bill coming into effect by the Independent National Security Legislation Monitor; TANs issued by state and territory police forces to be approved by the Australian Federal Police commissioner; companies issued with notices are able to appeal to the Attorney-General to disclose publicly the fact they are issued a TCN; and the committee will review the passed legislation in the new year and report by April 3, 2019, right around when the next election is expected to be called. In short: "Testimony from experts has been ignored; actual scrutiny of the Bill is kicked down the road for the next Parliament; Labor has made sure it is not skewered by the Coalition and seen to be voting against national security legislation on the floor of Parliament; and any technical expert must have security clearance equal to the Australia's spies, i.e. someone who has been in the spy sector." Further reading: Australia Set To Spy on WhatsApp Messages With Encryption Law.

UPDATE: The encryption bill has passed the Senate with a final vote of 44-12, with Labor and the Coalition voting for it. "Australia's security and intelligence agencies now have legal authority to force encryption services to break the encryptions, reports The Guardian. Story is developing...

An anonymous reader quotes a report from MIT Technology Review: The world relies on encryption to protect everything from credit card transactions to databases holding health records and other sensitive information. A new report from the U.S. National Academies of Sciences, Engineering, and Medicine says we need to speed up preparations for the time when super-powerful quantum computers can crack conventional cryptographic defenses. The experts who produced the report, which was released today, say widespread adoption of quantum-resistant cryptography "will be a long and difficult process" that "probably cannot be completed in less than 20 years." It's possible that highly capable quantum machines will appear before then, and if hackers get their hands on them, the result could be a security and privacy nightmare.

Today's cyberdefenses rely heavily on the fact that it would take even the most powerful classical supercomputers almost unimaginable amounts of time to unravel the cryptographic algorithms that protect our data, computer networks, and other digital systems. But computers that harness quantum bits, or qubits, promise to deliver exponential leaps in processing power that could break today's best encryption. The report cites an example of encryption that protects the process of swapping identical digital keys between two parties, who use them to decrypt secure messages sent to one another. A powerful quantum computer could crack RSA-1024, a popular algorithmic defense for this process, in less than a day. The U.S., Israel and others are working to develop standards for quantum-proof cryptographic algorithms, but they may not be ready or widely adopted by the time quantum computers arrive.

"[I]t will take at least a couple of decades to get quantum-safe cryptography broadly in place," the report says in closing. "If that holds, we're going have to hope it somehow takes even longer before a powerful quantum computer ends up in a malicious hacker's hands."

Australia is set to give its police and intelligence agencies the power to access encrypted messages on platforms such as WhatsApp, becoming the latest country to face down privacy concerns in the name of public safety. From a report: Amid protests from companies such as Facebook and Google, the government and main opposition struck a deal on Tuesday that should see the legislation passed by parliament this week. Under the proposed powers, technology companies could be forced to help decrypt communications on popular messaging apps, or even build new functionality to help police access data.

Prime Minister Scott Morrison has said the legislation is needed to help foil terrorist attacks and organized crime. Critics say it is flawed and could undermine security across the Internet, jeopardizing activities from online voting to market trading and data storage.

An anonymous reader quotes a report from Ars Technica: Earlier this year, a federal judge in Fresno, California, denied prosecutors' efforts to compel Facebook to help it wiretap Messenger voice calls. But the precise legal arguments that the government made, and that the judge ultimately rejected, are still sealed. On Wednesday, the American Civil Liberties Union formally asked the judge to unseal court dockets and related rulings associated with this ongoing case involving alleged MS-13 gang members. ACLU lawyers argue that such a little-charted area of the law must be made public so that tech companies and the public can fully know what's going on.

In their new filing, ACLU lawyers pointed out that "neither the government's legal arguments nor the judge's legal basis for rejecting the government motion has ever been made public." The attorneys continued, citing a "strong public interest in knowing which law has been interpreted" and referencing an op-ed published on Ars on October 2 as an example. The ACLU argued that the case is reminiscent of the so-called "FBI v. Apple" legal showdown -- whose docket and related filings were public -- where the government made novel arguments in an attempt to crack the encryption on a seized iPhone. Those legal questions were never resolved, as the government said the day before a scheduled hearing that it had found a company to assist in its efforts. "Moreover, the sealing of the docket sheet in this case impermissibly prevents the public from knowing anything about the actions of both the judiciary and the executive in navigating a novel legal issue, which has the potential to reoccur in the future," the ACLU's attorneys continued.

"The case involves the executive branch's attempt to force a private corporation to break the encryption and other security mechanisms on a product relied upon by the public to have private conversations. The government is not just seeking information held by a third party; rather, it appears to be attempting to get this Court to force a communications platform to redesign its product to thwart efforts to secure communications between users."

Mozilla has released its second annual "Privacy Not Included" guide that rates 70 products to help give you an idea as to how secure or insecure they are. "We want to provide people information about how to make informed decisions when shopping for gifts that are connected to the internet," says Ashley Boyd, vice president of advocacy at Mozilla. "These products are becoming really popular. And in some cases, it's easy to forget that they're even connected to the internet." Wired reports: Among the important signifiers of a trustworthy stocking stuffer, according to Mozilla's rubric: the use of encryption, pushing automatic software security updates, strong password hygiene, a way to deal with vulnerabilities should they arise, and a privacy policy that doesn't take a PhD to parse. The most surprising result of Mozilla's testing may be how many products actually earned its seal of approval. Thirty-three of the 70 items in the "Privacy Not Included" guide passed muster; fans of the Nintendo Switch, Google Home, and Harry Potter Kano Coding Kit can sleep a little easier.

On the other end of the scale, Mozilla highlighted seven products that may not hit the mark -- yes, including the sous vide wand, the Anova Precision Cooker. Also scoring low marks in Mozilla's accounting: the DJI Spark Selfie Drone (no encryption, does not require users to change the default password), the Parrot Bebop 2 drone (no encryption, complex privacy policy), and unsurprisingly, at least one baby monitor. The remaining 30 items on the list all exist somewhere in the murky middle, usually because Mozilla was unable to confirm at least one attribute. Which may be the real takeaway from the report: Typically, you have no reasonable way to find out if a given internet-connected device is secure. "If you can't tell, that says that there's a problem of communication between manufacturers and consumers," says Boyd. "We would love for makers of these products to be more clear and more transparent about what they're doing and not doing. That's a big place we think change is needed."

Similar to Chrome, Apple's Safari browser is testing a warning system for when users visit websites that aren't protected by HTTPS encryption. "The feature for now is only in Safari Technology Preview 70, a version of the web browser Apple uses to test technology it typically brings to the ordinary version of Safari," reports CNET. From the report: Apple didn't immediately respond to a request for comment on its plans for bringing the warning to mainstream Safari. Apple's browser does warn you already if you have an insecure connection to a very sensitive website for typing in passwords or credit card numbers.

"The HTTP-over-QUIC experimental protocol will be renamed to HTTP/3 and is expected to become the third official version of the HTTP protocol, officials at the Internet Engineering Task Force (IETF) have revealed," writes Catalin Cimpanu via ZDNet. "This will become the second Google-developed experimental technology to become an official HTTP protocol upgrade after Google's SPDY technology became the base of HTTP/2." From the report: HTTP-over-QUIC is a rewrite of the HTTP protocol that uses Google's QUIC instead of TCP (Transmission Control Protocol) as its base technology. QUIC stands for "Quick UDP Internet Connections" and is, itself, Google's attempt at rewriting the TCP protocol as an improved technology that combines HTTP/2, TCP, UDP, and TLS (for encryption), among many other things. Google wants QUIC to slowly replace both TCP and UDP as the new protocol of choice for moving binary data across the Internet, and for good reasons, as test have proven that QUIC is both faster and more secure because of its encrypted-by-default implementation (current HTTP-over-QUIC protocol draft uses the newly released TLS 1.3 protocol).

In a mailing list discussion last month, Mark Nottingham, Chair of the IETF HTTP and QUIC Working Group, made the official request to rename HTTP-over-QUIC as HTTP/3, and pass it's development from the QUIC Working Group to the HTTP Working Group. In the subsequent discussions that followed and stretched over several days, Nottingham's proposal was accepted by fellow IETF members, who gave their official seal of approval that HTTP-over-QUIC become HTTP/3, the next major iteration of the HTTP protocol, the technology that underpins today's World Wide Web.

An anonymous reader quotes Fortune: New chip-enabled credit cards, which were rolled out to U.S. consumers starting in 2015, were supposed to put an end to rampant credit card fraud. So much for that. A new report from the research firm Gemini Advisory has found that, of more than 60 million cases of credit card theft in the last 12 months, a whopping 93% of the stolen cards had the new chip technology...

In theory, EMV should reduce fraud because every card transaction requires an encrypted connection between the chip card and the merchant's point-of-sale terminal... But while the EMV standard is supposed to ensure the card data cannot be captured, many merchants are failing to properly configure their systems, according to a Gemini Advisory executive who spoke with Fortune... The upshot is that criminals have been able to insert themselves into the transaction data steam, either by hacking into merchant networks or installing skimmer devices in order to capture card information... The report concludes by noting that big merchants have begun to tighten up their implementation of the EMV system, which will make them less of a target. Instead, criminals are likely to begin focusing on smaller businesses.
The report estimates that in just the last twelve months, 41.6 million records have been stolen from chip-enabled cards.

An anonymous reader quotes a report from Ars Technica: Police in the Netherlands said they decrypted more than 258,000 messages sent using IronChat, an app billed as providing end-to-end encryption that was endorsed by National Security Agency leaker Edward Snowden. In a statement published Tuesday, Dutch police said officers achieved a "breakthrough in the interception and decryption of encrypted communication" in an investigation into money laundering. The encrypted messages, according to the statement, were sent by IronChat, an app that runs on a device that cost thousands of dollars and could send only text messages.

"Criminals thought they could safely communicate with so-called crypto phones which used the application IronChat," Tuesday's statement said. "Police experts in the east of the Netherlands have succeeded in gaining access to this communication. As a result, the police have been able to watch live the communication between criminals for some time." Blackbox-security.com, the site selling IronChat and IronPhone, quoted Snowden as saying: "I use PGP to say hi and hello, i use IronChat (OTR) to have a serious conversation," according to Web archives. Whether the endorsement was authentic or not wasn't immediately known. The site has been seized by Dutch police.

An anonymous reader writes: Researchers have found flaws that can be exploited to bypass hardware encryption in well known and popular SSD drives. Master passwords and faulty standards implementations allow attackers access to encrypted data without needing to know the user-chosen password.

SSDs from Micron (Crucial) and Samsung are affected. These are SSDs that support hardware-level encryption via a local built-in chip, separate from the main CPU. Some of these devices have a factory-set master password that bypasses the user-set password, while other SSDs store the encryption key on the hard drive, from where it can be retrieved. The issue is worse on Windows, where BitLocker defers software-level encryption to hardware encryption-capable SSDs, meaning user data is vulnerable to attacks without the user's knowledge. More in the research paper.

An anonymous reader quotes a report from ProPublica: As recently as Monday, computer servers that powered Kentucky's online voter registration and Wisconsin's reporting of election results ran software that could potentially expose information to hackers or enable access to sensitive files without a password. The insecure service run by Wisconsin could be reached from internet addresses based in Russia, which has become notorious for seeking to influence U.S. elections. Kentucky's was accessible from other Eastern European countries.

The service, known as FTP, provides public access to files -- sometimes anonymously and without encryption. As a result, security experts say, it could act as a gateway for hackers to acquire key details of a server's operating system and exploit its vulnerabilities. Some corporations and other institutions have dropped FTP in favor of more secure alternatives. Officials in both states said that voter-registration data has not been compromised and that their states' infrastructure was protected against infiltration. Still, Wisconsin said it turned off its FTP service following ProPublica's inquiries. Kentucky left its password-free service running and said ProPublica didn't understand its approach to security. "FTP is a 40-year-old protocol that is insecure and not being retired quickly enough," said Joseph Lorenzo Hall, the chief technologist at the Center for Democracy and Technology in Washington, D.C., and an advocate for better voting security. "Every communication sent via FTP is not secure, meaning anyone in the hotel, airport or coffee shop on the same public Wi-Fi network that you are on can see everything sent and received. And malicious attackers can change the contents of a transmission without either side detecting the change."

Intel processors are impacted by a new vulnerability that can allow attackers to leak encrypted data from the CPU's internal processes. From a report: The new vulnerability, which has received the codename of PortSmash, has been discovered by a team of five academics from the Tampere University of Technology in Finland and Technical University of Havana, Cuba. Researchers have classified PortSmash as a side-channel attack. In computer security terms, a side-channel attack describes a technique used for leaking encrypted data from a computer's memory or CPU, which works by recording and analyzing discrepancies in operation times, power consumption, electromagnetic leaks, or even sound to gain additional info that may help break encryption algorithms and recovering the CPU's processed data. Researchers say PortSmash impacts all CPUs that use a Simultaneous Multithreading (SMT) architecture, a technology that allows multiple computing threads to be executed simultaneously on a CPU core. [...] Researchers say they've already confirmed that PortSmash impacts Intel CPUs which support the company's Hyper-Threading (HT) technology, Intel's proprietary implementation of SMT.

US prosecutors are preparing new charges against a former CIA coder who was indicted earlier this year in June for leaking classified CIA material to WikiLeaks, in what later become known as the Vault7 leaks. From a report: According to new court documents filed late Wednesday, October 31, US prosecutors plan to file three new charges against Joshua Schulte for allegedly leaking more classified data while in detention at the New York Metropolitan Correctional Center (MCC). Prosecutors say they first learned of Schulte's behavior back in May, when they found out that "Schulte had distributed the Protected Search Warrant Materials to his family members for purposes of dissemination to other third parties, including members of the media." The prosecution held a court hearing in May and initially warned the suspect about his actions, a warning they found Schulte ignored. The US government says that "in or about early October 2018, the Government learned that Schulte was using one or more smuggled contraband cellphones to communicate clandestinely with third parties outside of the MCC." A search of his housing unit performed by FBI agents revealed "multiple contraband cellphones (including at least one cellphone used by Schulte that is protected with significant encryption); approximately 13 email and social media accounts (including encrypted email accounts); and other electronic devices."

Etcetera writes: Fresh on the heels of the IBM purchase announcement, Red Hat released RHEL 7.6 today. Business press release is here and full release notes are here. It's been a busy week for Red Hat, as Fedora 29 also released earlier this morning. No doubt CentOS and various other rebuilds will begin their build cycles shortly. The release offers improved security, such as support for the Trusted Platform Module (TPM) 2.0 specification for security authentication. It also provides enhanced support for the open-source nftables firewall technology.

"TPM 2.0 support has been added incrementally over recent releases of Red Hat Enterprise Linux 7, as the technology has matured," Steve Almy, principal product manager, Red Hat Enterprise Linux at Red Hat, told eWEEK. "The TPM 2.0 integration in 7.6 provides an additional level of security by tying the hands-off decryption to server hardware in addition to the network bound disk encryption (NBDE) capability, which operates across the hybrid cloud footprint from on-premise servers to public cloud deployments."

An anonymous reader quotes a report from TechCrunch: Buried in Apple's latest range of MacBooks -- including the MacBook Pro out earlier this year and the just-announced MacBook Air -- is the new T2 security chip, which helps protect the device's encryption keys, storage, fingerprint data and secure boot features. Little was known about the chip until today. According to its newest published security guide, the chip comes with a hardware microphone disconnect feature that physically cuts the device's microphone from the rest of the hardware whenever the lid is closed. "This disconnect is implemented in hardware alone, and therefore prevents any software, even with root or kernel privileges in macOS, and even the software on the T2 chip, from engaging the microphone when the lid is closed," said the support guide. The camera isn't disconnected, however, because its "field of view is completely obstructed with the lid closed." Apple said the new feature adds a "never before seen" level of security for its Macs, without being quite so blunt as to say: Macs get malware too.

Earlier this week, The New York Times reported that the Russians and the Chinese were eavesdropping on President Donald Trump's personal cellphone and using the information gleaned to better influence his behavior. This should surprise no one, writes Bruce Schneier. From a story: Security experts have been talking about the potential security vulnerabilities in Trump's cellphone use since he became president. And President Barack Obama bristled at -- but acquiesced to -- the security rules prohibiting him from using a "regular" cellphone throughout his presidency. Three broader questions obviously emerge from the story. Who else is listening in on Trump's cellphone calls? What about the cellphones of other world leaders and senior government officials? And -- most personal of all -- what about my cellphone calls?

There are two basic places to eavesdrop on pretty much any communications system: at the end points and during transmission. This means that a cellphone attacker can either compromise one of the two phones or eavesdrop on the cellular network. Both approaches have their benefits and drawbacks. The NSA seems to prefer bulk eavesdropping on the planet's major communications links and then picking out individuals of interest. In 2016, WikiLeaks published a series of classified documents listing "target selectors": phone numbers the NSA searches for and records. These included senior government officials of Germany -- among them Chancellor Angela Merkel -- France, Japan, and other countries.

Other countries don't have the same worldwide reach that the NSA has, and must use other methods to intercept cellphone calls. We don't know details of which countries do what, but we know a lot about the vulnerabilities. Insecurities in the phone network itself are so easily exploited that 60 Minutes eavesdropped on a U.S. congressman's phone live on camera in 2016. Back in 2005, unknown attackers targeted the cellphones of many Greek politicians by hacking the country's phone network and turning on an already-installed eavesdropping capability. The NSA even implanted eavesdropping capabilities in networking equipment destined for the Syrian Telephone Company. Alternatively, an attacker could intercept the radio signals between a cellphone and a tower. Encryption ranges from very weak to possibly strong, depending on which flavor the system uses. Don't think the attacker has to put his eavesdropping antenna on the White House lawn; the Russian Embassy is close enough.

An anonymous reader shares a report: Factorising numbers into their constituent primes may sound esoteric, but the one-way nature of the problem -- and of some other, closely related mathematical tasks -- is the foundation on which much modern encryption rests. Such encryption has plenty of uses. It defends state secrets, and the corporate sort. It protects financial flows and medical records. And it makes the $2trn e-commerce industry possible. Nobody, however, is certain that the foundation of all this is sound. Though mathematicians have found no quick way to solve the prime-factors problem, neither have they proved that there isn't one. In theory, any of the world's millions of professional or amateur mathematicians could have a stroke of inspiration tomorrow and publish a formula that unravels internet cryptography -- and most internet commerce with it.

In fact, something like this has already happened. In 1994 Peter Shor, a mathematician then working at Bell Laboratories, in America, came up with a quick and efficient way to find a number's prime factors. The only catch was that for large numbers his method -- dubbed Shor's algorithm -- needs a quantum computer to work. Quantum computers rely on the famous weirdness of quantum mechanics to perform certain sorts of calculation far faster than any conceivable classical machine. Their fundamental unit is the "qubit", a quantum analogue of the ones and zeros that classical machines manipulate. By exploiting the quantum-mechanical phenomena of superposition and entanglement, quantum computers can perform some forms of mathematics -- though only some -- far faster than any conceivable classical machine, no matter how beefy.