From a report: Germany is planning a new law giving authorities the right to look at private messages and fingerprint children as young as 6, the interior minister said on Wednesday after the last government gathering before a national election in September. Ministers from central government and federal states said encrypted messaging services, such as WhatsApp and Signal, allow militants and criminals to evade traditional surveillance. "We can't allow there to be areas that are practically outside the law," interior minister Thomas de Maiziere told reporters in the eastern town of Dresden.

If you are a Mac user, you should be aware of new variants of malware that have been created specifically to target Apple computers; one is ransomware and the other is spyware. "The two programs were uncovered by the security firms Fortinet and AlienVault, which found a portal on the Tor 'dark web' network that acted as a shopfront for both," reports BBC. "In a blog post, Fortinet said the site claimed that the creators behind it were professional software engineers with 'extensive experience' of creating working code." From the report: Those wishing to use either of the programs had been urged to get in touch and provide details of how they wanted the malware to be set up. The malware's creators had said that payments made by ransomware victims would be split between themselves and their customers. Researchers at Fortinet contacted the ransomware writers pretending they were interested in using the product and, soon afterwards, were sent a sample of the malware. Analysis revealed that it used much less sophisticated encryption than the many variants seen targeting Windows machines, said the firm. However, they added, any files scrambled with the ransomware would be completely lost because it did a very poor job of handling the decryption keys needed to restore data. The free Macspy spyware, offered via the same site, can log which keys are pressed, take screenshots and tap into a machine's microphone. In its analysis, AlienVault researcher Peter Ewane said the malicious code in the spyware tried hard to evade many of the standard ways security programs spot and stop such programs.

darthcamaro writes: Back in April, when Docker announced its LinuxKit effort, the primary focus appeared to just be [tools for] building a container-optimized Linux distribution. As it turns out, security is also a core focus -- with LinuxKit now incubating multiple efforts to help boost Linux kernel security. Among those efforts is the Wireguard next generation VPN that could one day replace IPsec. "Wireguard is a new VPN for Linux using the cryptography that is behind some of the really good secure messaging apps like Signal," said Nathan McCauley, Director of Security at Docker Inc.
According to the article, Docker also has several full-time employees looking at ways to reduce the risk of memory corruption in the kernel, and is also developing a new Linux Security Module with more flexible access control policies for processes.

"British Prime Minister Theresa May has used last Saturday's terrorist attack to again push for a ban on encryption," according to ITWire. Slashdot reader troublemaker_23 shared their article, which quotes this strong rebuttal from Cory Doctorow: Use deliberately compromised cryptography, that has a back door that only the "good guys" are supposed to have the keys to, and you have effectively no security. You might as well skywrite it as encrypt it with pre-broken, sabotaged encryption... Theresa May doesn't understand technology very well, so she doesn't actually know what she's asking for. For Theresa May's proposal to work, she will need to stop Britons from installing software that comes from software creators who are out of her jurisdiction... any politician caught spouting off about back doors is unfit for office anywhere but Hogwarts, which is also the only educational institution whose computer science department believes in 'golden keys' that only let the right sort of people break your encryption.

Determining how to prevent acts of censorship has long been a priority for the non-profit Wikimedia Foundation, and thanks to new research from the Harvard Center for Internet and Society, the foundation seems to have found a solution: encryption. From a report: HTTPS prevents governments and others from seeing the specific page users are visiting. For example, a government could tell that a user is browsing Wikipedia, but couldn't tell that the user is specifically reading the page about Tiananmen Square. Up until 2015, Wikipedia offered its service using both HTTP and HTTPS, which meant that when countries like Pakistan or Iran blocked the certain articles on the HTTP version of Wikipedia, the full version would still be available using HTTPS. But in June 2015, Wikipedia decided to axe HTTP access and only offer access to its site with HTTPS. [...] The Harvard researchers began by deploying an algorithm which detected unusual changes in Wikipedia's global server traffic for a year beginning in May 2015. This data was then combined with a historical analysis of the daily request histories for some 1.7 million articles in 286 different languages from 2011 to 2016 in order to determine possible censorship events. [...] After a painstakingly long process of manual analysis of potential censorship events, the researchers found that, globally, Wikipedia's switch to HTTPS had a positive effect on the number censorship events by comparing server traffic from before and after the switch in June of 2015.

An anonymous reader writes: "Following years of criticism and user requests, the FileZilla FTP client is finally adding support for a master password that will act as a key for storing FTP login credentials in an encrypted format," reports BleepingComputer. "This feature is scheduled to arrive in FileZilla 3.26.0, but you can use it now if you download the 3.26.0 (unstable) release candidate from here." By encrypting its saved FTP logins, FileZilla will finally thwart malware that scrapes the sitemanager.xml file and steals FTP credentials, which were previously stolen in plain text. The move is extremely surprising, at least for the FileZilla user base. Users have been requesting this feature for a decade, since 2007, and they have asked it many and many times since then. All their requests have fallen on deaf ears and met with refusal from FileZilla maintainer, Tim Kosse. In November 2016, a user frustrated with Koose's stance forked the FileZilla FTP client and added support for a master password via a spin-off app called FileZilla Secure.

From a Motherboard report: Despite Samsung stating that a user's irises are pretty much impossible to copy, a team of hackers has done just that. Using a bare-bones selection of equipment, researchers from the Chaos Computer Club (CCC) show in a video how they managed to bypass the scanner's protections and unlock the device. "We've had iris scanners that could be bypassed using a simple print-out," Linus Neumann, one of the hackers who appears in the video. The process itself was apparently pretty simple. The hackers took a medium range photo of their subject with a digital camera's night mode, and printed the infrared image. Then, presumably to give the image some depth, the hackers placed a contact lens on top of the printed picture. And, that's it. They're in.

On the sidelines of Windows 10 China Government Edition release, Microsoft also announced a new Surface two-in-one laptop. The latest addition to company's hybrid computing line up, the "new Surface Pro" sports an improved design, and houses a newer processor from Intel. From an article: The new Surface Pro features the same 3:2 12.3-inch PixelSense display as its predecessor, providing a resolution of 2736 x 1824 (267 ppi) and 10 point multi-touch capabilities. Surface Pro is based on faster and more reliable Intel "Kaby Lake" chipsets in Core m3-7Y30 with HD Graphics 615, Core i5-7300U with HD Graphics 620, and Core i7-7660U with Iris Plus Graphics 640 variants, which should make for a better experience. As with the previous version, the Core m3 version of the new Surface Pro is fanless and thus silent. But this is new: The Core i5 versions of the new Surface Pro are also fanless and silent. And a new thermal design helps Microsoft claim that the i7 versions are quieter than ever, too. The new Surface Pro is rated at 13.5 hours of battery life (for video playback), compared to just 9 hours for Surface Pro 4. That's a 50 percent improvement. urface Pro can be had with 4, 8, or 16 GB of 1866Mhz LPDDR3 RAM. The new Surface Pro is built around the USB 3-based Surface Connect connector and features one full-sized USB 3 port and one miniDisplayPort port. Microsoft also announced a new Surface Pen (sold separately), and claims that the new pen is twice as accurate (compared to the previous version). No word on the pricing but it will be available in all major global markets in the "coming weeks." The new Surface ships with Windows 10 Pro. (Side note: Earlier Microsoft used to market the Surface Pro devices as tablets that could also serve as laptops. The company is now calling the Surface Pro laptops that are also tablets.)

At an event in China on Tuesday, Microsoft announced yet another new version of Windows 10. Called Windows 10 China Government Edition, the new edition is meant to be used by the Chinese government and state-owned enterprises, ending a standoff over the operating system by meeting the government's requests for increased security and data control. In a blog post, Windows chief Terry Myerson writes: The Windows 10 China Government Edition is based on Windows 10 Enterprise Edition, which already includes many of the security, identity, deployment, and manageability features governments and enterprises need. The China Government Edition will use these manageability features to remove features that are not needed by Chinese government employees like OneDrive, to manage all telemetry and updates, and to enable the government to use its own encryption algorithms within its computer systems.

French researchers said on Friday they had found a last-chance way for technicians to save Windows files encrypted by WannaCry, racing against a deadline as the ransomware threatens to start locking up victims' computers first infected a week ago. From a report: WannaCry, which started to sweep round the globe last Friday and has infected more than 300,000 computers in 150 nations, threatens to lock out victims who have not paid a sum of $300 to $600 within one week of infection. A loose-knit team of security researchers scattered across the globe said they had collaborated to develop a workaround to unlock the encryption key for files hit in the global attack, which several independent security researchers have confirmed. The researchers warned that their solution would only work in certain conditions, namely if computers had not been rebooted since becoming infected and if victims applied the fix before WannaCry carried out its threat to lock their files permanently. Also see: Windows XP PCs Infected By WannaCry Can Be Decrypted Without Paying Ransom.

An anonymous reader quotes The Guardian: The human rights group Cage is preparing to mount a legal challenge to UK anti-terrorism legislation over a refusal to hand over mobile and laptop passwords to border control officials at air terminals, ports and international rail stations... The move comes after its international director, Muhammad Rabbani, a UK citizen, was arrested at Heathrow airport in November for refusing to hand over passwords. Rabbani, 35, has been detained at least 20 times over the past decade when entering the UK, under schedule 7 of terrorism legislation that provides broad search powers, but this was the first time he had been arrested... On previous occasions, when asked for his passwords, he said he had refused and eventually his devices were returned to him and he was allowed to go. But there was a new twist this time: when he refused to reveal his passwords, he was arrested under schedule 7 provisions of the terrorism act and held overnight at Heathrow Polar Park police station before being released on bail. He expects to be charged on Wednesday.
Rabbani "argues that the real objective...is not stopping terrorists entering the UK, but as a tool to build up a huge data bank on thousands of UK citizens." And his position drew support from Jim Killock, executive director of the UK-based Open Rights Group. "Investigations should take place when there is actual suspicion, and the police should be able to justify their actions on that basis, rather than using wide-ranging powers designed for border searches."

The UK government is planning to push greater surveillance powers that would force internet providers to monitor communications in near-realtime and install backdoor equipment to break encryption, according to a leaked document. From a report on ZDNet: A draft of the proposed new surveillance powers, leaked on Thursday, is part of a "targeted consultation" into the Investigatory Powers Act, brought into law last year, which critics called the "most extreme surveillance law ever passed in a democracy." Provisions in proposals show that the government is asking for powers to compel internet providers to turn over the realtime communications of a person "in an intelligible form," including encrypted content, within one working day. To that end, internet providers will be forced to introduce a backdoor point on their networks to allow intelligence agencies to read anyone's communications.

An anonymous reader writes: Earlier this week, AV-TEST evaluated 19 security suites and found that only three of them seemed to be well protected from savvy potential hackers. First, some context about the tests: The first test measured how well each program uses address space layout randomization (ASLR) and data execution prevention (DEP). Briefly, ASLR randomizes a computer's memory allocation, making it harder for an attacker to target a particular process in a program; DEP is a Windows protocol that designates some memory as non-executable space (other operating systems do this under different names), making it harder (or impossible) for unauthorized programs to run in that space. The second test measured whether the AV programs digitally signed their software-update files. Signing is a way of determining a file's origin and authenticity; unsigned files could be more easily substituted with malicious ones. The final test was the simplest, and determined whether an AV manufacturers delivered its software updates via the encrypted HTTPS web protocol. Lack of encryption makes it easy for an attacker to stage a man-in-the-middle attack by intercepting the data transmission, altering the data and then sending the data back on its way. Of the 19 programs tested, only three succeeded on all counts: Bitdefender Internet Security 2017, ESET Internet Security 10 and Kaspersky Internet Security 17.0. It's difficult to rank the rest of the programs, as each one succeeded and failed to varying degrees.

Has AACS 2.0 encryption used to protect UHD Blu-ray discs been cracked? While the details are scarce, a cracked copy of a UHD Blu-ray disc surfaced on the HD-focused BitTorrent tracker UltraHDclub. TorrentFreak reports: The torrent in question is a copy of the Smurfs 2 film and is tagged "The Smurfs 2 (2013) 2160p UHD Blu-ray HEVC Atmos 7.1-THRONE." This suggests that AACS 2.0 may have been "cracked" although there are no further technical details provided at this point. UltraHDclub is proud of the release, though, and boasts of having the "First Ultra HD Blu-ray Disc in the NET!" Those who want to get their hands on a copy of the file have to be patient though. Provided that they have access to the private tracker, it will take a while to download the entire 53.30 GB disk. TorrentFreak reached out to both the uploader of the torrent and an admin at the site hoping to find out more, but thus far we have yet to hear back. From the details provided, the copy appears to be the real deal although not everyone agrees.

Ars Technica reports on Hajime, a sophisticated "vigilante botnet that infects IoT devices before blackhats can hijack them." Once Hajime infects an Internet-connected camera, DVR, and other Internet-of-things device, the malware blocks access to four ports known to be the most widely used vectors for infecting IoT devices. It also displays a cryptographically signed message on infected device terminals that describes its creator as "just a white hat, securing some systems." But unlike the bare-bones functionality found in Mirai, Hajime is a full-featured package that gives the botnet reliability, stealth, and reliance that's largely unparalleled in the IoT landscape...

Hajime doesn't rashly cycle through a preset list of the most commonly used user name-password combinations when trying to hijack a vulnerable device. Instead, it parses information displayed on the login screen to identify the device manufacturer and then tries combinations the manufacturer uses by default... Also, in stark contrast to Mirai and its blackhat botnet competitors, Hajime goes to great lengths to maintain resiliency. It uses a BitTorrent-based peer-to-peer network to issue commands and updates. It also encrypts node-to-node communications. The encryption and decentralized design make Hajime more resistant to takedowns by ISPs and Internet backbone providers.
Pascal Geenens, a researcher at security firm Radware, watched the botnet attempt 14,348 hijacks from 12,000 unique IP addresses around the world, and says "If Hajime is a glimpse into what the future of IoT botnets looks like, I certainly hope the IoT industry gets its act together and starts seriously considering securing existing and new products. If not, our connected hopes and futures might depend on...grey hat vigilantes to purge the threat the hard way."

And long-time Slashdot reader The_Other_Kelly asks a good question. "While those with the ability and time can roll their own solutions, what off-the-shelf home security products are there, for non-technical people to use to protect their home/IoT networks?"

Bruce66423 brings word that a terrorist's WhatsApp message has been decrypted "using techniques that 'cannot be disclosed for security reasons', though 'sources said they now have the technical expertise to repeat the process in future.'" The Economic Times reports: U.K. security services have managed to decode the last message sent out by Khalid Masood before he rammed his high-speed car into pedestrians on Westminster Bridge and stabbed to death a police officer at the gates of Parliament on March 22. The access to Masood's message was achieved by what has been described by security sources as a use of "human and technical intelligence"...

The issue of WhatsApp's encrypted service, which is closed to anyone besides the sender and recipient, had come under criticism soon after the attack. "It's completely unacceptable. There should be no place for terrorists to hide. We need to make sure that organisations like WhatsApp, and there are plenty of others like that, don't provide a secret place for terrorists to communicate with each other," U.K. home secretary Amber Rudd had said.
Security sources say the message showed the victim's motive was military action in Muslim countries, while the article adds that though ISIS claimed responsibility for the attack, "no evidence has emerged to back this up."

An anonymous reader writes: A Wall Street engineer was arrested for planting credentials-logging malware on his company's servers. According to an FBI affidavit, the engineer used these credentials to log into fellow employees' accounts. The engineer claims he did so only because he heard rumors of an acquisition and wanted to make sure he wouldn't be let go. In reality, the employee did look at archived email inboxes, but he also stole encryption keys needed to access the protected source code of his employer's trading platform and trading algorithms.

Using his access to the company's Unix network (which he gained after a promotion last year), the employee then rerouted traffic through backup servers in order to avoid the company's traffic monitoring solution and steal the company's source code. The employee was caught after he kept intruding and disconnecting another employee's RDP session. The employee understood someone hacked his account and logged the attacker's unique identifier. Showing his total lack of understanding for how technology, logging and legal investigations work, the employee admitted via email to a fellow employee that he installed malware on the servers and hacked other employees.

An anonymous reader shares a report: According to federal lobbying disclosures filed Thursday, Facebook and Apple set their all-time record high for spending in a single quarter. Facebook spent $3.2 million lobbying the federal government in the first months of the Trump era. During the same period last year, Facebook spent $2.8 million (about 15% less). The company lobbied both chambers of Congress, the White House, and six federal agencies on issues including high-tech worker visas, network neutrality, internet privacy, encryption, and international taxation. Facebook was the 12th-highest spender out of any company and second-highest in tech. [...] Apple spent $1.4 million, which is just $50,000 more than during the final months of the Obama presidency, when it set its previous record, but the most it has ever spent in a single quarter. Apple lobbied on issues including government requests for data, the regulation of mobile health apps, and self-driving cars. Google, once again, outspent every other technology company. It was 10th overall, tallying $3.5 million.

chicksdaddy quotes a report from The Security Ledger: Cyber criminals lurk in the dark recesses of the internet, striking at random and then disappearing into the virtual ether. But when they want to talk shop with their colleagues, they turn to Redmond, Washington-based Microsoft and its Skype communications tools, according to an analysis by the firm Flashpoint. Mentions of different platforms were used as a proxy for gauging interest in and use of these messaging services. Flashpoint analysts looked, especially, for invitations to continue conversation outside of cyber criminal marketplaces, like references to ICQ accounts or other platforms. The survey results show that, out of a population of around 80 instant messenger platforms and protocols, a short list of just five platforms accounts for between 80% and 90% of all mentions within the cyber underground. Of those, Microsoft's Skype was the chat king. It ranked among the top five platforms across all language groups. That, despite the platform's lack of end-to-end encryption or forward secrecy features and evidence, courtesy of NSA hacker Edward Snowden, that U.S. spies may have snooped on Skype video calls in recent years, The Security Ledger reports. The conclusion: while security is a priority amongst thieves, it isn't the sole concern that cyber criminals and their associates have. In fact, sophisticated hacking communities like those in Russia to continue to rely on legacy platforms like ICQ when provably more secure alternatives exist. The reason? Business. "These cyber criminals have a lot of different options that they're juggling and a lot of factors that weigh on their options," said Leroy Terrelonge III, the Director of Middle East and Africa Research at Flashpoint. "We might suspect that cyber criminals use the most secure means of communication all the time, that's not what our research showed."

An anonymous reader quotes a report from Ars Technica: Rensenware" forces players to get a high score in a difficult PC shoot-em-up to decrypt their files. As Malware Hunter Team noted yesterday, users on systems infected with Rensenware are faced with the usual ransomware-style warning that "your precious data like documents, musics, pictures, and some kinda project files" have been "encrypted with highly strong encryption algorithm." The only way to break the encryption lock, according to the warning, is to "score 0.2 billion in LUNATIC level" on TH12 ~ Undefined Fantastic Object. That's easier said than done, as this gameplay video of the "bullet hell" style Japanese shooter shows. As you may have guessed from the specifics here, the Rensenware bug was created more in the spirit of fun than maliciousness. After Rensenware was publicized on Twitter, its creator, who goes by Tvple Eraser on Twitter and often posts in Korean, released an apology for releasing what he admitted was "a kind of highly-fatal malware." The apology is embedded in a Rensenware "forcer" tool that Tvple Eraser has released to manipulate the game's memory directly, getting around the malware's encryption without the need to play the game (assuming you have a copy installed, that is). While the original Rensenware source code has been taken down from the creator's Github page, a new "cut" version has taken its place, showing off the original joke without any actually malicious forced encryption.