Encryption

What Would Happen If All Encryption Could Be Broken? (wikipedia.org) 316

"What would happen, or what should happen, if tomorrow a trivial method was discovered for Prime Factorization?" asks Slashdot reader medv4380: By trivial I mean an algorithm that runs in relatively constant time that could factor a number like 2737631357921793461914298938174501291 relatively instantly on most modern hardware today. And that even increasing the bit length wouldn't slow it down much. How much chaos would result if such a method were revealed tomorrow with little warning?

Keeping it a secret only means that others may have long ago exploited the method at the expense of others. Should proof be presented without revealing the method, to reduce the impact, and who should be told first if at all?

Slashdot reader Shikaku sees a real possibility of this actually happening when quantum computers are developed, adding that quantum-resistant encryption "is an ongoing experiment."

But if development lags -- what would happen if all encryption could be broken?
Encryption

Is Facebook Already Working On An Encryption Backdoor? (forbes.com) 79

Horst Seehofer, Germany's federal interior minister, wants to require encryption companies to provide the government with plain text transcripts. One security expert says Facebook is already working on a way to make it happen.

An anonymous reader quotes his remarks in Forbes: The reality is that at its annual conference earlier this month, Facebook previewed all of the necessary infrastructure to make Germany's vision a reality and even alluded to the very issue of how Facebook's own business needs present it with the need to be able to covertly access content directly from users' devices that have been protected through end-to-end encryption...

While it was little noticed at the time, Facebook's presentation on its work towards moving AI-powered content moderation from its data centers directly onto users' phones presents a perfect blueprint for Seehofer's vision. Touting the importance of edge content moderation, Facebook specifically cited the need to be able to scan the unencrypted contents of users' messages in an end-to-end encrypted environment to prevent them from being able to share content that deviated from Facebook's acceptable speech guidelines. This would actually allow a government like Germany to proactively prevent unauthorized speech before it is ever uttered, by using court orders to force Facebook to expand its censorship list for German users of its platform.

Even more worryingly, Facebook's presentation alluded to the company's need to covertly harvest unencrypted illicit messages from users' devices without their knowledge and before the content has been encrypted or after it has been decrypted, using the client application itself to access the encrypted-in-transit content. While it stopped short of saying it was actively building such a backdoor, the company noted that when edge content moderation flagged a post in an end-to-end encrypted conversation as a violation, the company needed to be able to access the unencrypted contents to further train its algorithms, which would likely require transmitting an unencrypted copy from the user's device directly to Facebook without their approval.

Could this be the solution Germany has been searching for?

The article warns that by "sparking the idea of being able to silently harvest those decrypted conversations on the client side, Facebook is inadvertently telegraphing to anti-encryption governments that there are ways to bypass encryption while also bypassing the encryption debate."
EU

A German Minister Wants To Ban End-to-End Chat Encryption (thenextweb.com) 159

An anonymous reader quotes the Next Web: According to Spiegel Online, the country's Federal Interior Minister, Horst Seehofer, wants encrypted messaging services like WhatsApp and Telegram to provide chat logs in plain text to the authorities. Since these services come with end-to-end encryption, the companies will have to break the encryption and provide a backdoor to give access to the texts.
Wired adds that "This is obviously incompatible with end-to-end encryption, used by services such as Signal, WhatsApp and Telegram and, if passed, such a law would effectively ban secure encryption for instant messaging." Some commenters on Bruce Schneier's site suggest this is just political grandstanding.

An analysis from the Carnegie Endowment for International Peace, a foreign policy think tank, argues that this would be a major change from Germany's stance on encryption over the last two decades: Instead of focusing on regulating encryption itself, Germany has worked to enable its security agencies to conduct hacking. It has even passed a legal framework tailored to government hacking operations...

The legal debate eventually led to a landmark supreme court ruling emphasizing the government's responsibility for the integrity of information technology systems. The conversation is far from over, with some supreme court cases still pending in regard to recent legislation on the lawful hacking framework.

Encryption

Apple, Google and WhatsApp Condemn GCHQ Proposal To Eavesdrop on Encrypted Messages 103

Tech giants, civil society groups and Ivy League security experts have condemned a proposal from Britain's eavesdropping agency as a "serious threat" to digital security and fundamental human rights. From a report: In an open letter to GCHQ (Government Communications Headquarters), 47 signatories including Apple, Google and WhatsApp have jointly urged the U.K. cybersecurity agency to abandon its plans for a so-called "ghost protocol." It comes after intelligence officials at GCHQ proposed a way in which they believed law enforcement could access end-to-end encrypted communications without undermining the privacy, security or confidence of other users.

Details of the initiative were first published in an essay by two of the U.K.'s highest cybersecurity officials in November 2018. Ian Levy, the technical director of Britain's National Cyber Security Centre, and Crispin Robinson, GCHQ's head of cryptanalysis (the technical term for codebreaking), put forward a process that would attempt to avoid breaking encryption. The pair said it would be "relatively easy for a service provider to silently add a law enforcement participant to a group chat or call."
Power

Samsung's New Chips Support 100W USB-C Fast Charging (bgr.com) 96

Samsung on Tuesday announced the launch of two new chips that it says will support secure, fast-charging USB-C power delivery controllers. "One of them, the SE8A, is what the company calls the industry's first solution that combines a power delivery controller and Secure Element in a single chip, offering new protections like security key storage," reports BGR. "Another result of the development of these new power delivery controllers is that Samsung's power chargers will now be able to support up to a 100W capacity: A 10x improvement over the 10W of a general smartphone charger." From the report: Samsung said the MM101 supports a symmetric encryption algorithm called the Advanced Encryption Standard that enables product authentication and includes moisture sensing capabilities to ensure safer charging conditions. The SE8A supports USB Type-C Authentication, the certificate-based authentication program for USB-C chargers and devices. "With enhanced security," Samsung explained in the announcement, "the SE8A opens possibilities for new kinds of content and services that may be exclusive to a certain brand, location or event."

Today's announcement is also significant because Samsung says the new power delivery controllers meet the most recent USB specs for fast-charging which addresses things like compatibility and efficiency challenges across mobile devices and other electronics. Those challenges can have effects like causing a device to, for example, charge slower than usual in addition to compromising the battery's life cycle.

Businesses

'The Future of Work is Remote' (venturebeat.com) 186

An anonymous reader shares a report: Facebook's F8 2019 developer conference dominated last week, with talk of AI and AR/VR and privacy. But the news and reactions were all largely expected, and frankly, I was disappointed there was no detail on end-to-end encryption messaging across Messenger, Instagram, and WhatsApp. No, what really stood out for me this week was last night's Stripe announcement: Its fifth engineering hub will be remote. Stripe has decided that hiring 100 remote engineers makes more sense than hiring 100 engineers in one place. Housing and relocation certainly played a role in the decision, but not enough to just choose a location with a low cost of living. Stripe would rather hire the best 100 engineers, regardless of where they are in the world.

That's huge. It's also inevitable. Remote work is happening everywhere you look. Coffee shops and restaurants, temporary offices and co-working spaces, train stations and airports -- private and public spaces are full of people doing their job remotely. I've been thinking a lot about this, and not just because VentureBeat's editorial team is almost all remote workers. In my personal life, I've noticed a clear pattern. All my friends, and their friends, choose to "work from home" every chance they get. If their job allows once a month, they work from home once a month. If the maximum is once a week, they do exactly that. If their boss is on vacation or traveling for work, they work from home for as many days as the office environment permits. Whatever the maximum is, that's what they do.

Facebook

Facebook CEO Mark Zuckerberg Says the 'Future is Private' (theverge.com) 153

Facebook CEO Mark Zuckerberg says he's committed to turning his company around. Onstage at Facebook's F8 developer conference, the chief executive said that privacy will be the defining pillar of his social network's sprawling empire going forward. From a report: His opening statements build on the massive shift in Zuckerberg's vision for the company that he first outlined early last month when he announced that Facebook would transition away from the News Feed and public posts and toward a "privacy-focused communications platform" that unified its messaging products around concepts like ephemerality and encryption. "The future is private," Zuckerberg told the crowd, noting that Facebook's most dominant vision over the last decade was to build global communities that would bring the world together, for better or worse. "Over time, I believe that a private social platform will be even more important to our lives than our digital town squares. So today, we're going to start talking about what this could look like as a product, what it means to have your social experience be more intimate, and how we need to change the way we run this company in order to build this."
Businesses

Slack Warns Investors It's a Target For Nation-State Hacking (vice.com) 57

Slack said it faces threats from "sophisticated organized crime, nation-state, and nation-state supported actors" in an S-1 securities registration form published online Friday. An anonymous reader shares this report from Motherboard: The document says that these threats from organized crime and nation-states actors and affiliates are alongside "threats from traditional computer 'hackers', malicious code (such as malware, viruses, worms, and ransomware), employee theft or misuse, password spraying, phishing, credential stuffing, and denial-of-service attacks."

These threats are impossible to entirely mitigate, according to the document.

The S-1 filing does not claim that an attack from organized crime, nation-state, or nation-state affiliate actually happened. Rather, it just says that threats from these actors present an active risk to the company. Slack was breached in March 2015, as the company points out in its S-1 filing. For four days, an unknown person or group of people had access to Slack information that included "user names, email addresses, encrypted passwords, and information" and phone numbers stored by the company. Slack introduced two-factor authentication to its services following the incident.

The article also points out that Slack doesn't have end-to-end encryption, and that "in some cases, it's possible for your boss to download and read your entire Slack history without your knowledge."
The Internet

Ask Slashdot: Would a Separate, Walled-Off 'SafeNet' Help Reduce Cybercrime? 284

dryriver writes: Imagine for a second that a second, smaller internet infrastructure is built parallel to, but separate from, the regular internet. Lets call this the SafeNet. The SafeNet, which does not allow anonymous use, is not intended for general purpose use like watching Youtube videos, downloading a Steam game, or going on Facebook. Rather, it is a safer, more policed mini-internet that you access through a purpose-built terminal device and use for security critical tasks like online banking, stock trading, medical data transfer and sending confidential business emails, text messages or documents or other things that you don't trust the general internet with.

For example, if you are buying a $250,000 home for your family, you would issue the payments and documents side of this via the SafeNet with a SafeNet terminal device, not over the internet, with a generic computing device. SafeNet requires every user to be government photo-ID registered -- you cannot use SafeNet anonymously like the internet. The network knows who you are, where you are, and you can't hide behind VPNs, proxies or other anonymizers on this network. SafeNet also has a police force that can be alerted if you are hacked, tricked or scammed in any way. Would an internet alternative -- a smaller, separate parallel network -- like this reduce Cybercrime? Again, you wouldn't use the SafeNet for everyday crap like ordering pizza, buying movie tickets, or arguing over something on an internet forum. SafeNet would be used in situations where you are concerned that hackers, cybercriminals or other malevolent agents could get hold of your personal data, steal money from you, impersonate you, or snoop into your confidential communications. Other uses would include letting minors communicate with each other in a controlled fashion without exposing them to the big bad internet itself. Basically, in many situations where you deem performing a task over the larger internet as risky or dangerous, you could perform that task over a SafeNet terminal instead. Shouldn't an "alternative internet" like this exist in some form by now?
Android

Security Flaw Lets Attackers Recover Private Keys From Qualcomm Chips (zdnet.com) 44

Devices using Qualcomm chipsets, and especially smartphones and tablets, are vulnerable to a new security bug that can let attackers retrieve private data and encryption keys that are stored in a secure area of the chipset known as the Qualcomm Secure Execution Environment (QSEE). From a report: Qualcomm has deployed patches for this bug (CVE-2018-11976) earlier this month; however, knowing the sad state of Android OS updates, this will most likely leave many smartphones and tablets vulnerable for years to come. The vulnerability impacts how the Qualcomm chips (used in hundreds of millions of Android devices) handles data processed inside the QSEE.
Encryption

French Government Releases In-house IM App To Replace WhatsApp and Telegram Use (zdnet.com) 37

A year ago, the French government unveiled its plan to build its own encrypted messenger service to ease fears that foreign entities could spy on private conversations between top officials. That app, named Tchap, is now official for Android handsets and the iPhone. From a report: A web dashboard is also in the works. Only official French government employees can sign-up for an account; however, the French government also open-sourced Tchap's source code on GitHub so other organizations can roll out their own versions of Tchap for internal use as well. Work on the app started in July 2018, and the app itself is based on Riot, a well-known open-source, self-hostable, and secure instant messaging client-server package. The app was officially developed by DINSIC (Interministerial Directorate of Digital and Information System and Communication of the State), under the supervision of ANSSI, France's National Cybersecurity Agency.
Encryption

DARPA Wants To Make a Better, More Secure Version of WhatsApp (trustedreviews.com) 93

The Defense and Advanced Research Projects Agency (DARPA) appears to be in the process of developing its own ultra secure communication platform. The program is called "Resilient Anonymous Communication for Everyone," or RACE, and it will be similar to WhatsApp in that it will be for everyone to use. Trusted Reviews reports: The objectives of the program are to create a distributed messaging system that can do three things: Exist completely within a network; Provide confidentiality, integrity and availability of messaging; and Preserve privacy to any participant in the system.

DARPA seem to be putting security front and center, and the description of the project claims that "compromised system data and associated networked communications should not be helpful for comprising any additional parts of the system," meaning that DARPA are keen that one breach shouldn't also give them a leg up on access to other parts of the system. So, will we soon be using a U.S government branded DARPA? Probably not, but the chances are that RACE will go some way to creating a messaging app that's resilient to attacks, with the protocol and security they find no doubt dripping through to consumer tech and features in the coming years.

Crime

The Rise and Fall of the Bayrob Malware Gang (zdnet.com) 54

Three Romanians ran a complicated online fraud operation -- along with a massive malware botnet -- for nine years, reports ZDNet, netting tens of millions of US dollars, but their crime spree is now over. But now they're all facing long prison sentences.

"The three were arrested in late 2016 after the FBI and Symantec had silently stalked their malware servers for years, patiently waiting for the highly skilled group to make mistakes that would leave enough of a breadcrumb trail to follow back to their real identities."

An anonymous Slashdot reader writes: The group started from simple eBay scams [involving non-existent cars and even a fake trucking company] to running one of the most widespread keylogger trojans around. They were considered one of the most advanced groups around, using PGP email and OTR encryption when most hackers were defacing sites under the Anonymous moniker, and using multiple proxy layers to protect their infrastructure. The group operated tens of fake websites, including a Yahoo subsidiary clone, conned and stole money from their own money mules, and were of the first groups to deploy Bitcoin crypto-mining malware on desktops, when Bitcoin could still be mined on PCs.

The Bayrob group was led by one of Romania's top IT students, who went to the dark side and helped create a malware operation that took nine years for US authorities and the FBI to track and eventually take down. Before turning hacker, he was the coach of Romania's national computer science team, although he was still a student, and won numerous awards in programming and CS contests.

Privacy

Amazon Workers Are Listening To What You Tell Alexa (bloomberg.com) 137

Amazon reportedly employs thousands of people around the world to help improve its Alexa digital assistant. "The team listens to voice recordings captured in Echo owners' homes and offices," reports Bloomberg. "The recordings are transcribed, annotated and then fed back into the software as part of an effort to eliminate gaps in Alexa's understanding of human speech and help it better respond to commands." From the report: The team comprises a mix of contractors and full-time Amazon employees who work in outposts from Boston to Costa Rica, India and Romania, according to the people, who signed nondisclosure agreements barring them from speaking publicly about the program. They work nine hours a day, with each reviewer parsing as many as 1,000 audio clips per shift, according to two workers based at Amazon's Bucharest office, which takes up the top three floors of the Globalworth building in the Romanian capital's up-and-coming Pipera district. The modern facility stands out amid the crumbling infrastructure and bears no exterior sign advertising Amazon's presence. The work is mostly mundane. One worker in Boston said he mined accumulated voice data for specific utterances such as "Taylor Swift" and annotated them to indicate the searcher meant the musical artist. Occasionally the listeners pick up things Echo owners likely would rather stay private: a woman singing badly off key in the shower, say, or a child screaming for help. The teams use internal chat rooms to share files when they need help parsing a muddled word -- or come across an amusing recording.

Sometimes they hear recordings they find upsetting, or possibly criminal. Two of the workers said they picked up what they believe was a sexual assault. When something like that happens, they may share the experience in the internal chat room as a way of relieving stress. Amazon says it has procedures in place for workers to follow when they hear something distressing, but two Romania-based employees said that, after requesting guidance for such cases, they were told it wasn't Amazon's job to interfere. [...] Amazon, in its marketing and privacy policy materials, doesn't explicitly say humans are listening to recordings of some conversations picked up by Alexa. "We use your requests to Alexa to train our speech recognition and natural language understanding systems," the company says in a list of frequently asked questions. In Alexa's privacy settings, the company gives users the option of disabling the use of their voice recordings for the development of new features. A screenshot reviewed by Bloomberg shows that the recordings sent to the Alexa auditors don't provide a user's full name and address but are associated with an account number, as well as the user's first name and the device's serial number.
An Amazon spokesperson said in a statement to Bloomberg: "We take the security and privacy of our customers' personal information seriously. We only annotate an extremely small sample of Alexa voice recordings in order [to] improve the customer experience. For example, this information helps us train our speech recognition and natural language understanding systems, so Alexa can better understand your requests, and ensure the service works well for everyone."

They added: "We have strict technical and operational safeguards, and have a zero tolerance policy for the abuse of our system. Employees do not have direct access to information that can identify the person or account as part of this workflow. All information is treated with high confidentiality and we use multi-factor authentication to restrict access, service encryption and audits of our control environment to protect it."

Further reading: How To Stop Amazon From Listening To Your Recordings
Botnet

New Variants of Mirai Botnet Detected, Targeting More IoT Devices (arstechnica.com) 36

An anonymous reader quotes a report from Ars Technica: Mirai, the "botnet" malware that was responsible for a string of massive distributed denial of service (DDoS) attacks in 2016 -- including one against the website of security reporter Brian Krebs -- has gotten a number of recent updates. Now, developers using the widely distributed "open" source code of the original have added a raft of new devices to their potential bot armies by compiling the code for four more microprocessors commonly used in embedded systems.

Researchers at Palo Alto Networks' Unit 42 security research unit have published details of new samples of the Mirai botnet discovered in late February. The new versions of the botnet malware targeted Altera Nios II, OpenRISC, Tensilica Xtensa, and Xilinx MicroBlaze processors. These processors are used on a wide range of embedded systems, including routers, networked sensors, base band radios for cellular communications and digital signal processors. The new variants also include a modified encryption algorithm for botnet communications and a new version of the original Mirai TCP SYN denial-of-service attack. Based on the signature of the new attack option, Unit 42 researchers were able to trace activity of the variants back as far as November 2018.

The Internet

IT and Security Professionals Think Normal People Are Just the Worst (zdnet.com) 296

Two new studies reaffirm every computer dunce's worst fears: IT professionals blame the employees they're bound to help for their computer problems -- at least when it comes to security. From a report: One, courtesy of SaaS operations management platform BetterCloud, offers grim reading. 91 percent of the 500 IT and security professionals surveyed admitted they feel vulnerable to insider threats. Which only makes one wonder about the supreme (over-)confidence of the other 9 percent.

[...] Yet now I've been confronted with another survey. This one was performed by the Ponemon Institute at the behest of security-for-your-security company nCipher. Its sampling was depressingly large. 5,856 IT and security professionals from around the world were asked for their views of corporate IT security. They seemed to wail in unison at the lesser and more unwashed. Oh, an objective 30 percent insisted that external hackers were the biggest cause for concern. A teeth-gritting 54 percent, however, said the most extreme threat to corporate IT security came from employee mistakes.

Encryption

Gmail Becomes First Major Email Provider To Support MTA-STS, TLS Reporting (zdnet.com) 25

Google announced today that Gmail has become the first major email provider to support two new security standards, namely MTA-STS and TLS Reporting. Both are extensions to the Simple Mail Transfer Protocol (SMTP), the protocol through which all emails are sent today. ZDNet reports: The purpose of MTA-STS and TLS Reporting is to help email providers establish cryptographically secure connections between each other, with the main goal of thwarting SMTP man-in-the-middle attacks. The two new standards will prevent this by allowing legitimate email providers to create a secure channel for exchanging emails. For example, SMTP MTA Strict Transport Security (MTA-STS) works by allowing email server admins to set up an MTA-STS policy on their server. This policy allows a legitimate provider to request that external email servers verify the security of a SMTP connections before sending any emails. Minimum requirements, such as forcing external email servers to authenticate with a valid public certificate encrypted with TLS 1.2 or higher, can be enforced, depending on preferences, ensuring that emails sent to a company's server travel through an obligatory and properly encrypted channel -- or they don't arrive at all.

In addition, the TLS Reporting SMTP extension sets up a reporting mechanism through which a legitimate email server can request daily reports from other email servers about the success or failure of emails that have been sent to the legitimate server's domain. Both, when combined, will either prevent or help email server admins identify SMTP man-in-the-middle attacks against their email traffic.

Privacy

ASUS Releases Fix For ShadowHammer Malware Attack (engadget.com) 63

A reader shares a report from Engadget: ASUS may have inadvertently pushed malware to some of its computers through its update tool, but it at least it has a fix ready to go. The PC maker has released a new version of its Live Update software for laptops that addresses the ShadowHammer backdoor attack. It also promised "multiple security verification mechanisms" to reduce the chances of further attacks, and started using an "enhanced end-to-end encryption mechanism." There are upgrades to the behind-the-scenes server system to prevent future attacks, ASUS added.

The company simultaneously reiterated the narrow scope of ShadowHammer, noting that the malware targeted a "very small and specific user group." It's believed to be an Advanced Persistent Threat -- that is, a state-backed assault against organizations rather than everyday users. Other ASUS devices weren't affected, according to a notice. While the fix is reassuring, it also raises questions as to why the systems weren't locked down earlier. Update tools are prime targets for hackers precisely because they're both trusted and have deep access to the operating system -- tight security is necessary to prevent an intruder from hijacking the process.

Social Networks

Jared & Ivanka: Couple 'Continues To Use' Private Messaging For White House Business, Top Democrat Says (thedailybeast.com) 252

Freshly Exhumed writes: Rep. Elijah Cummings (D-MD), the chairman of the House Oversight Committee, has revealed that senior White House advisor Jared Kushner's lawyer admitted in December that his client "continues to use" WhatsApp to conduct official White House business. The chairman also said that a lawyer for Ivanka Trump and Mr. Kushner told the committee late last year that they additionally used private email accounts for official White House business in a way that may have violated federal records laws. Mr Kushner's lawyer, Abbe Lowell could not say whether his client used WhatsApp to share classified information. Regardless, Cummings says the communications raise questions about whether Kushner and other officials violated the Presidential Records Act, which requires the president and his staff "take all practical steps to file personal records separately from Presidential records." As for Ivanka's use of a personal email account to conduct official business, her lawyer says she sent the emails before she was briefed on the rules.

If you're not familiar with WhatsApp, here's what you should know about it: "As of January 2019, more than 1.5 billion users in over 180 countries use WhatsApp, created in 2009 as an alternative to text messaging," reports USA Today. "Facebook acquired WhatsApp in 2014 to make a bigger play in the rapidly-growing messaging market, along with its own Messenger platform, which also boasts 1.5 billion users." The service features end-to-end encryption, meaning the sender and recipient are the only ones who can view the messages.
Medicine

750,000 Medtronic Defibrillators Vulnerable To Hacking (startribune.com) 54

The Homeland Security Department has issued an alert Thursday describing two types of computer-hacking vulnerabilities in 16 different models of Medtronic implantable defibrillators sold around the world, including some still on the market today. The vulnerability also affects bedside monitors that read data from the devices in patients' homes and in-office programming computers used by doctors. From the report: Medtronic recommends that patients only use bedside monitors obtained from a doctor or from Medtronic directly, and to keep it plugged in so it can receive software updates, and that they maintain "good physical control" over the monitor. Implantable defibrillators are complex, battery-run computers implanted in patients' upper chests to monitor the heart and send electric pulses or high-voltage shocks to prevent sudden cardiac death and treat abnormal heart beats. The vulnerabilities announced Thursday do not affect Medtronic pacemakers.

The more serious of the two is a vulnerability that could allow improper access to data sent between a defibrillator and an external device like an at-home monitor. The system doesn't use formal authentication or authorization protections, which means an attacker with short-range access to the device could inject or modify data and change device settings, the advisory says. A second vulnerability allows an attacker to read sensitive data streaming out of the device, which could include the patient's name and past health data stored on their device. The system does not use data encryption, the advisory says. (Deploying encryption in medical devices is tricky because is increases computational complexity and therefore uses the battery faster.)
The FDA isn't expected to issue a recall as the vulnerabilities are expected to be patched via a future software update.

Slashdot Top Deals