An anonymous reader quotes a report from BleepingComputer: Malicious ads are serving exploit code to infect routers, instead of browsers, in order to insert ads in every site users are visiting. Unlike previous malvertising campaigns that targeted users of old Flash or Internet Explorer versions, this campaign focused on Chrome users, on both desktop and mobile devices. The malicious ads included in this malvertising campaign contain exploit code for 166 router models, which allow attackers to take over the device and insert ads on websites that didn't feature ads, or replace original ads with the attackers' own. Researchers haven't yet managed to determine an exact list of affected router models, but some of the brands targeted by the attackers include Linksys, Netgear, D-Link, Comtrend, Pirelli, and Zyxel. Because the attack is carried out via the user's browser, using strong router passwords or disabling the administration interface is not enough. The only way users can stay safe is if they update their router's firmware to the most recent versions, which most likely includes protection against the vulnerabilities used by this campaign. The "campaign" is called DNSChanger EK and works when attackers buy ads on legitimate websites and insert malicious JavaScript in these ads, "which use a WebRTC request to a Mozilla STUN server to determine the user's local IP address," according to BleepingComputer. "Based on this local IP address, the malicious code can determine if the user is on a local network managed by a small home router, and continue the attack. If this check fails, the attackers just show a random legitimate ad and move on. For the victims the crooks deem valuable, the attack chain continues. These users receive a tainted ad which redirects them to the DNSChanger EK home, where the actual exploitation begins. The next step is for the attackers to send an image file to the user's browser, which contains an AES (encryption algorithm) key embedded inside the photo using the technique of steganography. The malicious ad uses this AES key to decrypt further traffic it receives from the DNSChanger exploit kit. Crooks encrypt their operations to avoid the prying eyes of security researchers."

Some of the world's leading photojournalists and filmmakers are calling on the manufacturers of the cameras they use to add encryption to their products, as the number of threats they face from having their devices seized is "literally too high to count." From a ZDNet report: Over 150 documentary makers and reporters signed an open letter by the Freedom of the Press Foundation, asking for camera makers -- including Nikon, Sony, and Canon -- to ensure that their work is protected while often "attempting to uncover wrongdoing in the interests of justice." "Documentary filmmakers and photojournalists work in some of the most dangerous parts of the world, often risking their lives to get footage of newsworthy events to the public," said Trevor Timm, the foundation's executive director. But, he said, "they face a variety of threats from border security guards, local police, intelligence agents, terrorists, and criminals when attempting to safely return their footage so that it can be edited and published." The filmmakers say that camera security has lagged behind the rest of the industry, leaving their work "dangerously vulnerable."

Security experts consider the aging FTP and Telnet protocols unsafe, and HP has decided to clamp down on access to networked printers through the remote-access tools. From a report on PCWorld: Some of HP's new business printers will, by default, be closed to remote access via protocols like FTP and Telnet. However, customers can activate remote printing access through those protocols if needed. "HP has started the process of closing older, less-maintained interfaces including ports, protocols and cipher suites" identified by the U.S. National Institute of Standards and Technology as less than secure, the company said in a statement. In addition, HP also announced firmware updates to existing business printers with improved password and encryption settings, so hackers can't easily break into the devices.

AnonymousCube shares this quote about China's new 'Social Credit Score' law from an insurance industry magazine: "Companies are also required to give government investigators complete access to their data if there is suspected wrong-doing, and Internet operators must cooperate in any national security or crime-related investigation."

Note that China has an extremely flexible definition of "national security". Additionally computer equipment will need to undergo mandatory certification, that could involve giving up source code, encryption keys, or even proprietary intellectual data, as Microsoft has been doing for some time.
The article suggests businesses like insurers "will likely see the cost of complying with this new action as a disincentive to conducting business in China."

Coisiche found a disturbing article from The Register about the U.K.'s new "Snoopers' Charter" law that has implications for tech companies around the world: Among the many unpleasant things in the Investigatory Powers Act that was officially signed into law this week, one that has not gained as much attention is the apparent ability for the U.K. government to undermine encryption and demand surveillance backdoors... As per the final wording of the law, comms providers on the receiving end of a "technical capacity notice" will be obliged to do various things on demand for government snoops -- such as disclosing details of any system upgrades and removing "electronic protection" on encrypted communications. Thus, by "technical capability," the government really means backdoors and deliberate security weaknesses so citizens' encrypted online activities can be intercepted, deciphered and monitored... At the end of the day, will the U.K. security services be able to read your email, your messages, your posts and private tweets, and your communications if they believe you pose a threat to national security? Yes, they will.
The bill added the Secretaries of State as a required signatory to the "technical capacity" notices, which "introduces a minor choke-point and a degree of accountability." But the article argues the law ultimately anticipates the breaking of encryption, and without customer notification. "The U.K. government can certainly insist that a company not based in the U.K. carry out its orders -- that situation is specifically included in the new law -- but as to whether it can realistically impose such a requirement, well, that will come down to how far those companies are willing to push back and how much they are willing to walk away from the U.K. market."

Stephen Shankland, writing for CNET: Mozilla is marshaling public support for political positions, like backing net neutrality, defending encryption and keeping government surveillance from getting out of hand, says Denelle Dixon-Thayer, Mozilla's chief legal and business officer. The organization is funding the efforts with revenue from Firefox searches, which has jumped since 2014 when it switched from a global deal with Google to a set of regional deals. Mozilla brought in $421 million in revenue last year largely through partnerships with Yahoo in the US, Yandex in Russia and Baidu in China, according to tax documents released alongside Mozilla's 2015 annual report on Thursday. Pushing policy work brings new challenges well beyond traditional Mozilla work competing against Google's Chrome browser and Microsoft's Internet Explorer. They include squaring off against the incoming administration of Donald Trump.

An anonymous reader quotes a report from BleepingComputer: Windows security expert and infrastructure trainer Sami Laiho says that by holding SHIFT + F10 while a Windows 10 computer is installing a new OS build, an attacker can open a command-line interface with SYSTEM privileges. This CLI debugging interface also grants the attacker full access to the computer's hard drive data, despite the presence of BitLocker. The CLI debugging interface is present when updating to new Windows 10 and Windows 10 Insiders builds. The most obvious exploitation scenario is when a user leaves his computer unattended during the update procedure. A malicious insider can open the CLI debugger and perform malicious operations under a root user, despite BitLocker's presence. But there are other scenarios where Laiho's SHIFT + F10 trick can come in handy. For example when police have seized computers from users who deployed BitLocker or when someone steals your laptop. Windows 10 defaults help police/thieves in this case because these defaults forcibly update computers, even if the user hasn't logged on for weeks or months. This CLI debugging interface grants the attacker full access to the computer's hard drive, despite the presence of BitLocker. The reason is that during the Windows 10 update procedure, the OS disables BitLocker while the Windows PE (Preinstallation Environment) installs a new image of the main Windows 10 operating system. "This [update procedure] has a feature for troubleshooting that allows you to press SHIFT + F10 to get a Command Prompt," Laiho writes on his blog. "The real issue here is the Elevation of Privilege that takes a non-admin to SYSTEM (the root of Windows) even on a BitLocker (Microsoft's hard disk encryption) protected machine." Laiho informed Microsoft of the issue and the company is apparently working on a fix.

An anonymous reader quotes Mashable: Manhattan District Attorney Cyrus Vance said Thursday that he wants Apple's encryption to go back to how it was in early 2014. Back then, police could basically extract any information they wanted after getting a warrant. "Doing nothing about this problem will perpetuate an untenable arms race between private industry and law enforcement," Vance said on Thursday. "Federal legislation is our only chance to lay these arms aside."

Vance said he's got 423 "lawfully-seized Apple devices" that his employees can't do anything with. Forty-two of those devices "pertain to homicide or attempted murder cases" according to the district attorney's office, and a similar number "relate to sex crimes." The argument, of course, is that the district attorney's office would have an easier time solving crimes if they had access to these phones... Apple believes being forced to hack into phones at the government's will is an unreasonable burden.
ZDNet adds that "the call for federal legislation could be given a popular boost by president elect Donald Trump, who previously called for a boycott on Apple products when it refused to help the FBI."

An anonymous reader quotes a report from Motherboard: A new tool makes it almost trivial for criminals to log onto websites as if they were you, and get access to your network router, allowing them to launch other types of attacks. Hackers and security researchers have long found ways to hack into computers left alone. But the new $5 tool called PoisonTap, created by the well-known hacker and developer Samy Kamkar, can even break into password-protected computers, as long as there's a browser open in the background. Kamkar explained how it works in a blog post published on Wednesday. And all a hacker has to do is plug it in and wait. PoisonTap is built on a Raspberry Pi Zero microcomputer. Once it's plugged into a USB port, it emulates a network device and attacks all outbound connections by pretending to be the whole internet, tricking the computer to send all traffic to it. Once the device is positioned in the middle like this, it can steal the victim's cookies, as long as they come from websites that don't use HTTPS web encryption, according to Kamkar. Security experts that reviewed Kamkar's research for Motherboard agreed that this is a novel attack, and a good way to expose the excessive trust that Mac and Windows computers have in network devices. That's the key of PoisonTap's attacks -- once what looks like a network device is plugged into a laptop, the computer automatically talks to it and exchanges data with it.

msm1267 quotes a report from Threatpost: A vulnerability in cryptsetup, a utility used to set up encrypted filesystems on Linux distributions, could allow an attacker to retrieve a root rescue shell on some systems. From there, an attacker could have the ability to copy, modify, or destroy a hard disk, or use the network to exfiltrate data. Cryptsetup, a utility used to setup disk encryption based on the dm-crypt kernel module, is usually deployed in Debian and Ubuntu. Researchers warned late last week that if anyone uses the tool to encrypt system partitions for the operating systems, they're likely vulnerable. Two researchers, Hector Marco of the University of the West of Scotland and Ismael Ripoll, of the Polytechnic University of Valencia, in Spain, disclosed the vulnerability on Friday at DeepSec, a security conference held at the Imperial Riding School Renaissance Vienna Hotel in Austria. According to a post published to the Full Disclosure mailing list, the vulnerability (CVE-2016-4484) affects packages 2.1 and earlier. Systems that use Dracut, an infrastructure commonly deployed on Fedora in lieu of initramfs -- a simple RAM file system directory, are also vulnerable, according to the researchers. The pair say additional Linux distributions outside of Debian and Ubuntu may be vulnerable, they just haven't tested them yet. The report adds: "The problem stems from the incorrect handling of a password check when a partition is ciphered with LUKS, or Linux Unified Key Setup, a disk encryption specification that's standard for Linux. Assuming an attacker has access to the computer's console, when presented with the LUKS password prompt, they could exploit the vulnerability simply by pressing 'Enter' over and over again until a shell appears. The researchers say the exploit could take as few as 70 seconds. After a user exceeds the maximum number of three password tries, the boot sequence continues normally. Another script in the utility doesn't realize this, and drops a BusyBox shell. After carrying out the exploit, the attacker could obtain a root initramfs, or rescue shell. Since the shell can be executed in the initrd, or initial ram disk, environment, it can lead to a handful of scary outcomes, including elevation of privilege, information disclosure, or denial of service."

An anonymous reader quotes a report from Reuters: U.S. internet companies including Facebook Inc and Amazon Inc have sent President-elect Donald Trump a detailed list of their policy priorities, which includes promoting strong encryption, immigration reform and maintaining liability protections from content that users share on their platforms. The letter sent on Monday by the Internet Association, a trade group whose 40 members also include Alphabet's Google, Uber and Twitter, represents an early effort to repair the relationship between the technology sector and Trump, who was almost universally disliked and at times denounced in Silicon Valley during the presidential campaign. Some of the policy goals stated in the letter may align with Trump's priorities, including easing regulation on the sharing economy, lowering taxes on profits made from intellectual property and applying pressure on Europe to not erect too many barriers that restrict U.S. internet companies from growing in that market. Other goals are likely to clash with Trump, who offered numerous broadsides against the tech sector during his campaign. They include supporting strong encryption in products against efforts by law enforcement agencies to mandate access to data for criminal investigations, upholding recent reforms to U.S. government surveillance programs that ended the bulk collection of call data by the National Security Agency, and maintaining net neutrality rules that require internet service providers to treat web traffic equally. The association seeks immigration reform to support more high-skilled workers staying in the United States. While urging support for trade agreements, the letter does not mention the Trans Pacific Partnership, which Trump has repeatedly assailed with claims it was poorly negotiated and would take jobs away from U.S. workers. The technology sector supported the deal, but members of Congress have conceded since the election it is not going to be enacted.

An anonymous reader reports that Donald Trump's upcoming presidency raises a few concerns for the security industry: "Some of his statements that industry professionals find troubling are his calls for 'closing parts of the Internet', his support for mass surveillance, and demands that Apple should have helped the FBI break the encrypted communications of the San Bernardino shooter's iPhone," writes SC Magazine. One digital rights activist even used Trump's surprise victory as an opportunity to suggest President Obama begin "declassifying and dismantling as much of the federal government's unaccountable, secretive, mass surveillance state as he can -- before Trump is the one running it... he has made it very clear exactly how he would use such powers: to target Muslims, immigrant families, marginalized communities, political dissidents, and journalists."

Edward Snowden's lawyer says "I think many Americans are waking up to the fact we have created a presidency that is too powerful," and the Verge adds that Pinboard CEO Maciej Ceglowski is now urging tech sites to stop collecting so much data. "According to Ceglowski, the only sane response to a Trump presidency was to get rid of as much stored user data as possible. 'If you work at Google or Facebook,' he wrote on Pinboard's Twitter account, 'please start a meaningful internal conversation about giving people tools to scrub their behavioral data.'"
Could a Trump presidency ultimately lead to a massive public backlash against government surveillance?

InfoWorld has identified "seven of the gnarliest corners of the programming world," which Slashdot reader snydeq describes as "worthy of large markers reading, 'Here be dragons.'" Some examples:

• Multithreading. "It sounded like a good idea," according to the article, but it just leads to a myriad of thread-managing tools, and "When they don't work, it's pure chaos. The data doesn't make sense. The columns don't add up. Money disappears from accounts with a poof. It's all bits in memory. And good luck trying to pin down any of it..."
• NP-complete problems. "Everyone runs with fear from these problems because they're the perfect example of one of the biggest bogeymen in Silicon Valley: algorithms that won't scale."

The other dangerous corners include closures, security, encryption, and identity management, as well as that moment "when the machine runs out of RAM." What else needs to be on a definitive list of the most dangerous "gotchas" in professional programming?

The Internet Association -- a group of 40 top internet companies including Airbnb, Amazon, Facebook, Google, LinkedIn, Netflix, Twitter, Uber and Yahoo -- issued an open letter on Monday that congratulates Donald Trump on his victory and offers a long list of policy positions they hope he'll consider during his time as president. From a report on CNET:That list includes:
Upholding Section 230 of the Communications Decency Act so internet companies can't get sued easily for things their users say or do online.
Upholding Section 512 of the Digital Millennium Copyright Act so internet companies can't get easily sued if they quickly remove copyrighted content that users upload (such as infringing photos and YouTube videos).
Reforming the 30-year-old Electronic Communications Privacy Act -- "Internet users must have the same protections for their inbox as they do for their mailbox," states the association. Supporting strong encryption (Trump called for a boycott of Apple when it refused to comply with an FBI order to unlock an iPhone linked to terror.)
Reforming Section 702 of the Foreign Intelligence Surveillance Act, which lets the NSA collect online communications without a warrant.
Providing similar copyright protections for companies that operate outside the US.
Reforming the US Patent Office to deter patent trolls, a term for companies that sue other companies based on patents without actually producing new products.Here's the full list.

Republican nominee Donald Trump has won the US Presidential election to become the country's 45th president. Now that he is going to run the government, it's a good time to look back on the kind of policies and changes he is likely to bring in the United States. From an article on ArsTechnica:Trump's presidency could bring big changes to regulation of Internet service providers -- but most of them are difficult to predict because Trump rarely discussed telecom policy during his campaign. The Federal Communications Commission's net neutrality rules could be overturned or weakened, however, if Trump still feels the same way he did in 2014. At the time, he tweeted, "Obama's attack on the internet is another top down power grab. Net neutrality is the Fairness Doctrine. Will target conservative media. [...] With Trump's win, it's still not clear what a Trump administration would do on the issues of cybersecurity and encryption. As Ars reported last month, Trump and his campaign team have been vague on many such details. During the presidential debates, he brushed off the intelligence community's consensus that the attacks against the Democratic National Committee were perpetrated or silently condoned by the Russian government. But Trump did call for a boycott of Apple -- a boycott of which he didn't even abide by -- during Cupertino's fight with federal prosecutors about whether Apple should be forced to help the authorities unlock a killer's encrypted iPhone. [...] Trump's presidency, by some accounts, is likely to be a disaster for science. Most analyses of his proposed budgets indicate they will cause deficits to explode, and a relatively compliant Congress could mean at least some of these cuts will get enacted. That will force the government to figure out how to cut, or at least limit, spending. Will science funding be preserved during that process? Trump's given no indication that it would. Instead, many of his answers about specific areas of science focus on the hard choices that need to be made in light of budget constraints. With the exception of NASA, Trump hasn't identified any areas of science that he feels are worth supporting. More generally, Trump has indicated little respect for the findings of science.The Silicon Valley top heads were largely upset with the outcome of the Presidential Election, to say the least.

Slashdot reader Entropy98 writes: A frustrated FileZilla user took matters into his own hands after getting hacked due to the fact that his saved passwords were being saved in plain text files. Despite years of numerous requests over almost 10 years the FileZilla devs refused to add a Master Password option to encrypt the stored passwords. Finally fed up one user forked FileZilla and created FileZilla Secure with the Master Password option.

Reader Trailrunner7 writes: After years of encouraging site owners to transition to HTTPS by default, Google officials say that the effort has begun to pay off. The company's data now shows that more than half of all pages loaded by Chrome on desktop platforms are served over HTTPS. Google has been among the louder advocates for the increased use of encryption across the web in the last few years. The company has made significant changes to its own infrastructure, encrypting the links between its data center, and also has made HTTPS the default connection option on many of its main services, including Gmail and search. And Google also has been encouraging owners of sites of all shapes and sizes to move to secure connections to protect their users from eavesdropping and data theft. That effort has begun to bear fruit in a big way. New data released by Google shows that at the end of October, 68 percent of pages loaded by the Chrome browser on Chrome OS machines were over HTTPS. That's a significant increase in just the last 10 months. At the end of 2015, just 50 percent of pages loaded by Chrome on Chrome OS were HTTPS. The numbers for the other desktop operating systems are on the rise as well, with macOS at 60 percent, Linux at 54 percent, and Windows at 53 percent.

A new radio transmitter "seizes complete control of nearby drones as they're in mid-flight," reports Ars Technica: From then on, the drones are under the full control of the person with the hijacking device. The remote control in the possession of the original operator experiences a loss of all functions, including steering, acceleration, and altitude... Besides hijacking a drone, the device provides a digital fingerprint that's unique to each craft. The fingerprint can be used to identify trusted drones from unfriendly ones and potentially to provide forensic evidence for use in criminal or civil court cases...

Hijacks could allow law-enforcement officers to safely seize control of vulnerable drones that are endangering or interfering with first responders. The hacks could also provide ordinary citizens with a less-draconian way of disabling a drone they believe is impinging on their property or privacy... A patchwork of federal and state laws makes it unclear if even local authorities have the legal authority to shoot or hack an aircraft out of the sky.
XKCD once proposed solving the problem with butterfly nets, but instead this new attack is exploiting unencrypted DSMx radio signals.

"Please know that Apple will continue its work with law enforcement," reads an email from Apple's vice president of Environment, Policy and Social Initiatives, who reports directly to CEO Tim Cook, according to new documents this week on WikiLeaks. An anonymous reader writes: In the email the Apple executive writes "we work closely with authorities to comply with legal requests for data that have helped solve complex crimes. Thousands of times every month, we give governments information about Apple customers and devices, in response to warrants and other forms of legal process. We have a team that responds to those requests 24 hours a day." The email was addressed to Clinton campaign chairman John Podesta.

But the context is missing, and could show a larger attempt to soften Hillary Clinton's position on encryption. While Jackson writes that at Apple, "We share law enforcement's concerns about the threat to citizens," she later writes "Strong encryption does not eliminate Apple's ability to give law enforcement meta-data or any of a number of other very useful categories of data."
The email also compliments Clinton for her "principled and nuanced stance" on encryption in a December debate against Bernie Sanders. Clinton had said "maybe the backdoor is the wrong door, and I understand what Apple and others are saying about that. But I also understand, when a law enforcement official charged with the responsibility of preventing attack...well, if we can't know what someone is planning, we are going to have to rely on the neighbor... I just think there's got to be a way, and I would hope that our tech companies would work with government to figure that out."

An anonymous reader shares an Engadget report: Researchers from the Google Brain deep learning project have already taught AI systems to make trippy works of art, but now they're moving on to something potentially darker: AI-generated, human-independent encryption. According to a new research paper, Googlers Martin Abadi and David G. Andersen have willingly allowed three test subjects -- neural networks named Alice, Bob and Eve -- to pass each other notes using an encryption method they created themselves. As the New Scientist reports, Abadi and Andersen assigned each AI a task: Alice had to send a secret message that only Bob could read, while Eve would try to figure out how to eavesdrop and decode the message herself. The experiment started with a plain-text message that Alice converted into unreadable gibberish, which Bob could decode using cipher key. At first, Alice and Bob were apparently bad at hiding their secrets, but over the course of 15,000 attempts Alice worked out her own encryption strategy and Bob simultaneously figured out how to decrypt it. The message was only 16 bits long, with each bit being a 1 or a 0, so the fact that Eve was only able to guess half of the bits in the message means she was basically just flipping a coin or guessing at random.ArsTechnica has more details.