The Internet

IT and Security Professionals Think Normal People Are Just the Worst (zdnet.com) 296

Two new studies reaffirm every computer dunce's worst fears: IT professionals blame the employees they're bound to help for their computer problems -- at least when it comes to security. From a report: One, courtesy of SaaS operations management platform BetterCloud, offers grim reading. 91 percent of the 500 IT and security professionals surveyed admitted they feel vulnerable to insider threats. Which only makes one wonder about the supreme (over-)confidence of the other 9 percent.

[...] Yet now I've been confronted with another survey. This one was performed by the Ponemon Institute at the behest of security-for-your-security company nCipher. Its sampling was depressingly large. 5,856 IT and security professionals from around the world were asked for their views of corporate IT security. They seemed to wail in unison at the lesser and more unwashed. Oh, an objective 30 percent insisted that external hackers were the biggest cause for concern. A teeth-gritting 54 percent, however, said the most extreme threat to corporate IT security came from employee mistakes.

Encryption

Gmail Becomes First Major Email Provider To Support MTA-STS, TLS Reporting (zdnet.com) 25

Google announced today that Gmail has become the first major email provider to support two new security standards, namely MTA-STS and TLS Reporting. Both are extensions to the Simple Mail Transfer Protocol (SMTP), the protocol through which all emails are sent today. ZDNet reports: The purpose of MTA-STS and TLS Reporting is to help email providers establish cryptographically secure connections between each other, with the main goal of thwarting SMTP man-in-the-middle attacks. The two new standards will prevent this by allowing legitimate email providers to create a secure channel for exchanging emails. For example, SMTP MTA Strict Transport Security (MTA-STS) works by allowing email server admins to set up an MTA-STS policy on their server. This policy allows a legitimate provider to request that external email servers verify the security of an SMTP connection before sending any emails. Minimum requirements, such as forcing external email servers to authenticate with a valid public certificate over TLS 1.2 or higher, can be enforced, depending on preferences, ensuring that emails sent to a company's server travel through an obligatory and properly encrypted channel -- or they don't arrive at all.

In addition, the TLS Reporting SMTP extension sets up a reporting mechanism through which a legitimate email server can request daily reports from other email servers about the success or failure of emails that have been sent to the legitimate server's domain. Both, when combined, will either prevent or help email server admins identify SMTP man-in-the-middle attacks against their email traffic.
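The two paragraphs above describe the mechanism in prose; the following Python is an added example (not code from Google, ZDNet, or either standard) that shows what a sending mail server actually checks. It parses a constructed MTA-STS policy file and a constructed `_mta-sts` TXT record in the format defined by RFC 8461, parses a constructed `_smtp._tls` TLS-RPT record per RFC 8460, and then decides whether delivery to a given MX may proceed. The RFC numbers, the record names, the `enforce`/`testing`/`none` modes and the RFC 8460 result-type names are from the standards, not from the page; every hostname, address and record value below is constructed for the example.

```python
"""Evaluate an MTA-STS policy and a TLS-RPT record from a sending MTA's point of view.

Added example. Sample records are constructed and do not belong to any real domain.
"""
from dataclasses import dataclass

# Constructed inputs: what a sender would fetch via DNS and HTTPS for the recipient domain.
MTA_STS_DNS_TXT = "v=STSv1; id=20190401T000000Z"           # _mta-sts.example.com TXT
MTA_STS_POLICY = """\
version: STSv1
mode: enforce
mx: mail.example.com
mx: *.backup.example.net
max_age: 604800
"""                                                          # https://mta-sts.example.com/.well-known/mta-sts.txt
TLS_RPT_DNS_TXT = "v=TLSRPTv1; rua=mailto:tls-reports@example.com"  # _smtp._tls.example.com TXT

TLS_ACCEPTABLE = ("TLSv1.2", "TLSv1.3")   # RFC 8461 requires TLS 1.2 or higher


@dataclass
class Policy:
    version: str
    mode: str
    mx: list
    max_age: int


def parse_tagged_record(txt: str) -> dict:
    """Parse 'k=v; k=v' TXT records, the shape shared by _mta-sts and _smtp._tls."""
    out = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        key, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed tag: {part!r}")
        out[key.strip()] = value.strip()
    return out


def parse_mta_sts_policy(text: str) -> Policy:
    """Parse the 'key: value' lines of an MTA-STS policy file and validate required fields."""
    mxs, fields = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed policy line: {raw!r}")
        key, value = key.strip(), value.strip()
        if key == "mx":
            mxs.append(value.lower())     # several mx lines are allowed
        else:
            fields[key] = value
    if fields.get("version") != "STSv1":
        raise ValueError("unsupported or missing version")
    mode = fields.get("mode")
    if mode not in ("enforce", "testing", "none"):
        raise ValueError(f"invalid mode: {mode!r}")
    if mode != "none" and not mxs:
        raise ValueError("an active policy must list at least one mx")
    return Policy("STSv1", mode, mxs, int(fields.get("max_age", "0")))


def mx_matches(pattern: str, hostname: str) -> bool:
    """Match an MX hostname against a policy mx entry; '*.' covers exactly one leading label."""
    hostname = hostname.lower().rstrip(".")
    pattern = pattern.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]                       # e.g. ".backup.example.net"
        head = hostname[:-len(suffix)] if hostname.endswith(suffix) else None
        return bool(head) and "." not in head
    return hostname == pattern


def evaluate_delivery(policy: Policy, mta_sts_txt: str, mx_host: str,
                      tls_version, cert_valid: bool):
    """Return (deliver, failures). tls_version is None when STARTTLS was not offered;
    cert_valid says whether the server certificate chained to a trusted root and
    matched mx_host. Failure names follow RFC 8460 result types."""
    if parse_tagged_record(mta_sts_txt).get("v") != "STSv1" or policy.mode == "none":
        return True, []                            # no active policy: legacy opportunistic TLS
    failures = []
    if not any(mx_matches(p, mx_host) for p in policy.mx):
        failures.append("validation-failure")      # MX host is not one the policy allows
    if tls_version is None:
        failures.append("starttls-not-supported")
    elif tls_version not in TLS_ACCEPTABLE:
        failures.append("validation-failure")      # TLS below 1.2
    elif not cert_valid:
        failures.append("certificate-not-trusted")
    # enforce: any failure blocks delivery; testing: deliver anyway but report it
    return (not failures or policy.mode == "testing"), failures


def report_destinations(tls_rpt_txt: str) -> list:
    """Addresses (rua) that daily TLS-RPT reports, including the failures above, go to."""
    rec = parse_tagged_record(tls_rpt_txt)
    if rec.get("v") != "TLSRPTv1":
        return []
    return [u.strip() for u in rec.get("rua", "").split(",") if u.strip()]


if __name__ == "__main__":
    policy = parse_mta_sts_policy(MTA_STS_POLICY)
    for mx, tls, cert in [("mail.example.com", "TLSv1.2", True),
                          ("mail.example.com", None, False),
                          ("rogue.example.org", "TLSv1.3", True)]:
        print(mx, tls, evaluate_delivery(policy, MTA_STS_DNS_TXT, mx, tls, cert))
    print("reports go to:", report_destinations(TLS_RPT_DNS_TXT))
```

In `enforce` mode the third case (a valid TLS session to a host the policy never listed) is exactly the redirected-MX scenario the article calls a man-in-the-middle: the sender refuses to deliver and, if the recipient published a TLS-RPT record, that refusal shows up in the next day's report.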

Privacy

ASUS Releases Fix For ShadowHammer Malware Attack (engadget.com) 63

A reader shares a report from Engadget: ASUS may have inadvertently pushed malware to some of its computers through its update tool, but at least it has a fix ready to go. The PC maker has released a new version of its Live Update software for laptops that addresses the ShadowHammer backdoor attack. It also promised "multiple security verification mechanisms" to reduce the chances of further attacks, and started using an "enhanced end-to-end encryption mechanism." There are upgrades to the behind-the-scenes server system to prevent future attacks, ASUS added.

The company simultaneously reiterated the narrow scope of ShadowHammer, noting that the malware targeted a "very small and specific user group." It's believed to be an Advanced Persistent Threat -- that is, a state-backed assault against organizations rather than everyday users. Other ASUS devices weren't affected, according to a notice. While the fix is reassuring, it also raises questions as to why the systems weren't locked down earlier. Update tools are prime targets for hackers precisely because they're both trusted and have deep access to the operating system -- tight security is necessary to prevent an intruder from hijacking the process.

Social Networks

Jared & Ivanka: Couple 'Continues To Use' Private Messaging For White House Business, Top Democrat Says (thedailybeast.com) 252

Freshly Exhumed writes: Rep. Elijah Cummings (D-MD), the chairman of the House Oversight Committee, has revealed that senior White House advisor Jared Kushner's lawyer admitted in December that his client "continues to use" WhatsApp to conduct official White House business. The chairman also said that a lawyer for Ivanka Trump and Mr. Kushner told the committee late last year that they additionally used private email accounts for official White House business in a way that may have violated federal records laws. Mr. Kushner's lawyer, Abbe Lowell, could not say whether his client used WhatsApp to share classified information. Regardless, Cummings says the communications raise questions about whether Kushner and other officials violated the Presidential Records Act, which requires the president and his staff "take all practical steps to file personal records separately from Presidential records." As for Ivanka's use of a personal email account to conduct official business, her lawyer says she sent the emails before she was briefed on the rules.

If you're not familiar with WhatsApp, here's what you should know about it: "As of January 2019, more than 1.5 billion users in over 180 countries use WhatsApp, created in 2009 as an alternative to text messaging," reports USA Today. "Facebook acquired WhatsApp in 2014 to make a bigger play in the rapidly-growing messaging market, along with its own Messenger platform, which also boasts 1.5 billion users." The service features end-to-end encryption, meaning the sender and recipient are the only ones who can view the messages.

Medicine

750,000 Medtronic Defibrillators Vulnerable To Hacking (startribune.com) 54

The Homeland Security Department has issued an alert Thursday describing two types of computer-hacking vulnerabilities in 16 different models of Medtronic implantable defibrillators sold around the world, including some still on the market today. The vulnerability also affects bedside monitors that read data from the devices in patients' homes and in-office programming computers used by doctors. From the report: Medtronic recommends that patients only use bedside monitors obtained from a doctor or from Medtronic directly, and to keep it plugged in so it can receive software updates, and that they maintain "good physical control" over the monitor. Implantable defibrillators are complex, battery-run computers implanted in patients' upper chests to monitor the heart and send electric pulses or high-voltage shocks to prevent sudden cardiac death and treat abnormal heart beats. The vulnerabilities announced Thursday do not affect Medtronic pacemakers.

The more serious of the two is a vulnerability that could allow improper access to data sent between a defibrillator and an external device like an at-home monitor. The system doesn't use formal authentication or authorization protections, which means an attacker with short-range access to the device could inject or modify data and change device settings, the advisory says. A second vulnerability allows an attacker to read sensitive data streaming out of the device, which could include the patient's name and past health data stored on their device. The system does not use data encryption, the advisory says. (Deploying encryption in medical devices is tricky because it increases computational complexity and therefore uses the battery faster.)

The FDA isn't expected to issue a recall as the vulnerabilities are expected to be patched via a future software update.

Security

PewCrypt Ransomware Locks Users' Files and Won't Offer a Decryption Key Until - and Unless - PewDiePie's YouTube Channel Beats T-Series To Hit 100M Subscribers (zdnet.com) 237

The battle between PewDiePie, currently the most subscribed channel on YouTube, and T-Series, an Indian music label, continues to have strange repercussions. In recent months, as T-Series closes the gap to beat PewDiePie for the crown of the most subscribers on YouTube, alleged supporters of PewDiePie, in an unusual show of love, have hacked Chromecasts and printers to persuade victims to subscribe to PewDiePie's channel. Now ZDNet reports about a second strain of ransomware that is linked to PewDiePie. From the report: A second one appeared in January, and this was actually a fully functional ransomware strain. Called PewCrypt, this ransomware was coded in Java, and it encrypted users' files in the "proper" way, with a method of recovering files at a later date. The catch -- you couldn't buy a decryption key, but instead, victims had to wait until PewDiePie gained over 100 million followers before being allowed to decrypt any of the encrypted files. At the time of writing, PewDiePie had around 90 million fans, meaning any victim would be in for a long wait before they could regain access to any of their files. Making matters worse, if T-Series got to 100 million subscribers before PewDiePie, then PewCrypt would delete the user's encryption key for good, leaving users without a way to recover their data.

While the ransomware was put together as a joke, sadly, it did infect a few users, ZDNet has learned. Its author eventually realized the world of trouble he'd get into if any of those victims filed complaints with authorities, and released the ransomware's source code on GitHub, along with a command-line-based decryption tool.

Opera

Opera Adds Free and Unlimited VPN Service To Its Android Browser (venturebeat.com) 75

Opera has added a free VPN service to its Android browser. The Norwegian browser maker, which went public last year, also addressed concerns about potential hidden costs of using its free VPN offering. From a report: As users become more cautious about their privacy, many have explored using VPN services. According to a GlobalWebIndex estimate, more than 650 million people worldwide use such tools to mask their identity online and fend off web trackers. Opera has long recognized this need; in 2016, it launched Opera VPN, a standalone VPN app for iOS and Android. A few months later, it baked that feature into its desktop browser. Last year, however, the company discontinued Opera VPN. Now, Opera is integrating the VPN service into its Android browser. Opera 51 for Android enables users to establish a private connection between their mobile device and a remote VPN server using 256-bit encryption. Users can pick a server of their choice from a range of locations. Unlike several other VPN apps, Opera's offering does not require an account to use the service.

Encryption

Slack Hands Over Control of Encryption Keys To Regulated Customers (techcrunch.com) 32

Business communications and collaboration service Slack said today that it is launching Enterprise Key Management (EKM) for Slack, a new tool that enables customers to control their encryption keys in the enterprise version of the communications app. The keys are managed in the AWS KMS key management tool. From a report: Geoff Belknap, chief security officer (CSO) at Slack, says that the new tool should appeal to customers in regulated industries, who might need tighter control over security. "Markets like financial services, health care and government are typically underserved in terms of which collaboration tools they can use, so we wanted to design an experience that catered to their particular security needs," Belknap told TechCrunch. Slack currently encrypts data in transit and at rest, but the new tool augments this by giving customers greater control over the encryption keys that Slack uses to encrypt messages and files being shared inside the app.

He said that regulated industries in particular have been requesting the ability to control their own encryption keys including the ability to revoke them if it was required for security reasons. "EKM is a key requirement for growing enterprise companies of all sizes, and was a requested feature from many of our Enterprise Grid customers. We wanted to give these customers full control over their encryption keys, and when or if they want to revoke them," he said.

Further reading: Slack Doesn't Have End-to-End Encryption Because Your Boss Doesn't Want It.

Communications

Facebook's WhatsApp Explores Using Google To Fight Misinformation (venturebeat.com) 56

An anonymous reader shares a report: WhatsApp is working on a major new feature to tackle the spread of misinformation on its service. The Facebook-owned chat app is internally testing a new option that would allow a user to quickly verify the legitimacy of images they have received on WhatsApp by checking if those images had ever appeared on the web before. [...] The unnamed feature relies on Google's reverse image search function to let WhatsApp users upload an image and find where it has appeared on the web. This is a clever solution by WhatsApp, which protects all messages and media content on its platform with end-to-end encryption. While hugely beneficial to end users, using encryption also significantly curtails WhatsApp's ability to scan the content of messages and media on its platform. In emerging markets, users are exhibiting a growing appetite for sharing information through images. In places like India, WhatsApp's largest market and where the service is grappling with the spread of false information, the feature could potentially help many users quickly verify facts and get more context about the image they have received.

Encryption

Quantum Computer Not Ready To Break Public Key Encryption For At Least 10 Years, Some Experts Say (theregister.co.uk) 84

physburn writes: The Register has spoken to some experts to get a better understanding of the risk quantum computers present to the existing encryption systems we have today. Richard Evers, cryptographer for a Canadian security biz called Kryptera, argues that media coverage and corporate pronouncements about quantum computing have left people with the impression that current encryption algorithms will soon become obsolete. But they will not be ready for at least 10 years, he said. As an example, Evers points to remarks made by Arvind Krishna, director of IBM research, at The Churchill Club in San Francisco last May, that those interested in protecting data for at least ten years "should probably seriously consider whether they should start moving to alternate encryption techniques now." In a post Evers penned recently with his business partner Alastair Sweeny, he contends, "The hard truth is that widespread beliefs about security and encryption may prove to be based on fantasy rather than fact." And the reason for this, he suggests, is the desire for funding and fame.

Censorship

Tim Berners-Lee Talks About India's Recent Push To Data Localization, Proposed Compromise of End-to-End Encryption, and Frequent Internet Shutdowns (medianama.com) 41

On the occasion of the web's 30th anniversary, its creator, Tim Berners-Lee, has given some interviews and shared his thoughts on some challenges that the web faces today. He spoke with Medianama, an Indian outlet, on some of the relatively unique challenges that the government over there has been pushing lately. Some of these challenges include the government's push to have Silicon Valley companies store data of Indians in India itself; a nudge to WhatsApp to put an end to its encryption (on a side note: the Australian government recently passed a law to do this exact thing); and frequent internet shutdowns in the nation.

On data localisation and data as a national resource: That's one of the things that the Web Foundation has always been concerned about: the balkanisation of the Internet. If you want to balkanise it, that's a pretty darn effective way of doing it. If you say that Indian people's data can't be stored outside India, that means that when you start a social network which will be accessed by people all over the world, that means that you will have to start 152 different companies all over the world. It's a barrier to entry. Facebook can do that. Google can do that.

When an Indian company does it, you'll end up with an Indian company that serves only Indian users. When people go abroad, they won't be able to keep track of their friends at home. The whole wonderful open web of knowledge, academic and political discussions would be divided into country groups and cultural groups, so there will be a massive loss of richness to the web.

Data Storage

Firefox Send Lets You Share 1GB Files With No Strings Attached (cnet.com) 50

In 2017, Mozilla experimented with a service that let you transfer 1GB files by sharing a web address with the recipient. Firefox Send is now out of testing and boasts a magnified 2.5GB file-size limit if you log into your Firefox account. From a report: Firefox Send is handy for those moments when you need to share video, audio or photo files that can be too big to squeeze into an email attachment. [...] Firefox Send, which will also be available as an Android app, illustrates one of Mozilla's efforts to diversify beyond the Firefox browser. Mozilla touts Firefox Send as focusing on privacy and uses encryption to protect files. Firefox Send files are available for up to seven days and can be password-protected. You can also limit the number of times they're downloaded.

Censorship

Russia Blocks Encrypted Email Provider ProtonMail (techcrunch.com) 98

An anonymous reader quotes a report from TechCrunch: Russia has told internet providers to enforce a block against encrypted email provider ProtonMail, the company's chief has confirmed. The block was ordered by the state Federal Security Service, formerly the KGB, according to a Russian-language blog, which obtained and published the order after the agency accused the company and several other email providers of facilitating bomb threats. Several anonymous bomb threats were sent by email to police in late January, forcing several schools and government buildings to evacuate.

In all, 26 internet addresses were blocked by the order, including several servers used to scramble the final connection for users of Tor, an anonymity network popular for circumventing censorship. Internet providers were told to implement the block "immediately," using a technique known as BGP blackholing, a way that tells internet routers to simply throw away internet traffic rather than routing it to its destination. But the company says while the site still loads, users cannot send or receive email.

The way the KGB blocked ProtonMail is "particularly sneaky," ProtonMail chief executive Andy Yen said. "ProtonMail is not blocked in the normal way, it's actually a bit more subtle. They are blocking access to ProtonMail mail servers. So Mail.ru -- and most other Russian mail servers -- for example, is no longer able to deliver email to ProtonMail, but a Russian user has no problem getting to their inbox."

"That's because the two ProtonMail servers listed by the order are its back-end mail delivery servers, rather than the front-end website that runs on a different system," adds TechCrunch.

Facebook

Mark Zuckerberg Says Facebook Will Shift To Emphasize Encrypted Ephemeral Messages (theverge.com) 99

Facebook will increasingly shift its focus away from public posts to encrypted, ephemeral communications on its trio of messaging apps, CEO Mark Zuckerberg said today in a significant new blog post. From a report: In a 3,200-word missive, Zuckerberg says that encryption will be one of the keys to Facebook's future -- and that the company is willing to be banned in countries that refuse to let it operate as a result. "As I think about the future of the internet, I believe a privacy-focused communications platform will become even more important than today's open platforms," Zuckerberg writes. "Today we already see that private messaging, ephemeral stories, and small groups are by far the fastest growing areas of online communication." [...] "I believe the future of communication will increasingly shift to private, encrypted services where people can be confident what they say to each other stays secure and their messages and content won't stick around forever," Zuckerberg says. "This is the future I hope we will help bring about."

Encryption

FBI Director Christopher Wray On Encryption: We Can't Have an 'Entirely Unfettered Space Beyond the Reach of Law Enforcement' (cnet.com) 447

An anonymous reader quotes a report from CNET: Encryption should have limits. That's the message FBI Director Christopher Wray had for cybersecurity experts Tuesday. The technology that scrambles up information so only intended recipients can read it is useful, he said, but it shouldn't provide a playground for criminals where law enforcement can't reach them. "It can't be a sustainable end state for there to be an entirely unfettered space that's utterly beyond law enforcement for criminals to hide," Wray said during a live interview at the RSA Conference, a major cybersecurity gathering in San Francisco. His comments are part of a back-and-forth between government agencies and security experts over the role of encryption technology in public safety. Agencies like the FBI have repeatedly voiced concerns like Wray's, saying encryption technology locks them out of communications between criminals. Cybersecurity experts say the technology is crucial for keeping data and critical computer systems safe from hackers. Letting law enforcement access encrypted information just creates a backdoor hackers will ultimately exploit for evil deeds, they say.

Wray, a former assistant attorney general in the U.S. Department of Justice who counts among his biggest cases prosecutions against Enron officials, acknowledged Tuesday that encryption is "a provocative subject." As the leader of the nation's top law enforcement agency, though, he's focused on making sure the government can carry out criminal investigations. Hackers in other countries should expect more investigations and indictments, Wray said. "We're going to follow the facts wherever they lead, to whomever they lead, no matter who doesn't like it," he said. To applause, he added, "I don't really care what some foreign government has to say about it."

Open Source

Linux 5.0 Released (phoronix.com) 107

An anonymous reader writes: Linus Torvalds has released Linux 5.0, kicking off the kernel's 28th year of development. Linux 5.0 features include AMD FreeSync support, open-source NVIDIA Turing GPU support, Intel Icelake graphics, Intel VT-d scalable mode, Spectre Variant Two mitigations for NXP PowerPC processors, and countless other additions. eWeek adds: Among the new features that have landed in Linux 5.0 is support for the Adiantum encryption system, developed by Google for low power devices. Google's Android mobile operating system and ChromeOS desktop operating system both rely on the Linux kernel. "Storage encryption protects your data if your phone falls into someone else's hands," Paul Crowley and Eric Biggers, Android Security and Privacy Team at Google wrote in a blog post. "Adiantum is an innovation in cryptography designed to make storage encryption more efficient for devices without cryptographic acceleration, to ensure that all devices can be encrypted." Memory management in Linux also gets a boost in the 5.0 kernel with a series of improvements designed to help prevent memory fragmentation, which can reduce performance.

Privacy

Cloudflare Expands Its Government Warrant Canaries (techcrunch.com) 120

An anonymous reader quotes a report from TechCrunch: When the government comes for your data, tech companies can't always tell you. But thanks to a legal loophole, companies can say if they haven't had a visit yet. These so-called "warrant canaries" -- named for the poor canary down the mine that dies when there's gas that humans can't detect -- are a key transparency tool that predominantly privacy-focused companies use to keep their customers aware of the goings-on behind the scenes. Where companies have abandoned their canaries or caved to legal pressure, Cloudflare is bucking the trend. The networking and content delivery network giant said in a blog post this week that it's expanding the transparency reports to include more canaries.

To date, the company: has never turned over their SSL keys or customers' SSL keys to anyone; has never installed any law enforcement software or equipment anywhere on their network; has never terminated a customer or taken down content due to political pressure; and has never provided any law enforcement organization a feed of customers' content transiting their network. Now Cloudflare's warrant canaries will include: Cloudflare has never modified customer content at the request of law enforcement or another third party; Cloudflare has never modified the intended destination of DNS responses at the request of law enforcement or another third party; and Cloudflare has never weakened, compromised, or subverted any of its encryption at the request of law enforcement or another third party. It has also expanded and replaced its first canary to confirm that the company "has never turned over our encryption or authentication keys or our customers' encryption or authentication keys to anyone." Cloudflare said that if it were ever asked to do any of the above, the company would "exhaust all legal remedies" to protect customer data, and remove the statements from its site.

According to Cloudflare's latest transparency report out this week, the company responded to just seven subpoenas of the 19 requests, affecting 12 accounts and 309 domains. Cloudflare also responded to 44 court orders of the 55 requests, affecting 134 accounts and 19,265 domains. They received between 0 and 249 national security requests for the duration, but didn't process any wiretap or foreign government requests for the duration.

Australia

Australian Email Service FastMail Says It is Losing Customers and Facing Calls To Move Operations Outside of the Country Over Local Anti-Encryption Laws (itnews.com.au) 65

An anonymous reader shares a report: Email provider FastMail says it has lost customers and faces "regular" requests to shift its operations outside Australia following the passage of anti-encryption laws. The Victorian company, which offers ad-free email services to users in 150 countries, told a senate committee that the now-passed laws were starting to bite.

"The way in which [the laws] were introduced, debated, and ultimately passed ... creates a perception that Australia has changed - that we are no longer a country which respects the right to privacy," FastMail CEO Bron Gondwana said. "We have already seen an impact on our business caused by this perception. Our particular service is not materially affected as we already respond to warrants under the Telecommunications Act." "Still, we have seen existing customers leave, and potential customers go elsewhere, citing this bill as the reason for their choice. We are [also] regularly being asked by customers if we plan to move."

Privacy

2.7 Million Patient Phone Call Recordings Left Exposed Online (thenextweb.com) 45

Slashdot reader krenaud tipped us off to this story from The Next Web: The audio recordings of 2.7 million calls made to 1177 Vardguiden -- Sweden's healthcare hotline -- were left exposed to anyone online, according to Swedish tech publication Computer Sweden. The 170,000 hours of incredibly sensitive calls were stored on an open web server without any encryption or authentication, leaving personal information completely exposed for anyone with a web browser...

The calls included sensitive information about patients' diseases and ailments, medication, and medical history. Some examples had people describing their children's symptoms and giving their social security numbers. Some of the files include the phone numbers the calls were made from. Around 57,000 numbers appear in the database and many of those are the callers' personal numbers, making it easy to match information with a particular person.

When reached for comment, the CEO of the subcontractor receiving the calls "denied it happened."

Programming

Experts Find Serious Problems With Switzerland's Online Voting System (vice.com) 63

An anonymous reader quotes a report from Motherboard: Switzerland made headlines this month for the transparency of its internet voting system when it launched a public penetration test and bug bounty program to test the resiliency of the system to attack. But after source code for the software and technical documentation describing its architecture were leaked online last week, critics are already expressing concern about the system's design and about the transparency around the public test. Cryptography experts who spent just a few hours examining the leaked code say the system is a poorly constructed and convoluted maze that makes it difficult to follow what's going on and effectively evaluate whether the cryptography and other security measures deployed in the system are done properly.

"Most of the system is split across hundreds of different files, each configured at various levels," Sarah Jamie Lewis, a former security engineer for Amazon as well as a former computer scientist for England's GCHQ intelligence agency, told Motherboard. "I'm used to dealing with Java code that runs across different packages and different teams, and this code somewhat defeats even my understanding." She said the system uses cryptographic solutions that are fairly new to the field and that have to be implemented in very specific ways to make the system auditable, but the design the programmers chose thwarts this. "It is simply not the standard we would expect," she told Motherboard. [...] It isn't just outside attackers that are a concern; the system raises the possibility for an insider to intentionally misconfigure the system to make it easier to manipulate, while maintaining plausible deniability that the misconfiguration was unintentional.

"Someone could wire the thing in the wrong place and suddenly the system is compromised," said Lewis, who is currently executive director of the Open Privacy Research Society, a Canadian nonprofit that develops secure and privacy-enhancing software for marginalized communities. "And when you're talking about code that is supposed to be protecting a national election, that is not a statement someone should be able to make." "You expect secure code to be defensively written that would prevent the implementers of the code from wiring it up incorrectly," Lewis told Motherboard. But instead of building a system that doesn't allow for this, the programmers simply added a comment to their source code telling anyone who compiles and implements it to take care to configure it properly, she said.

The online voting system was developed by Swiss Post, the country's national postal service, and the Barcelona-based company Scytl. "Scytl claims the system uses end-to-end encryption that only the Swiss Electoral Board would be able to decrypt," reports Motherboard. "But there are reasons to be concerned about such claims."
