EU

European Parliament Committee Endorses End-To-End Encryption (tomshardware.com) 120

The civil liberties committee of the European Parliament has released a draft proposal "in direct contrast to the increasingly loud voices around the world to introduce regulations or weaken encryption," according to an anonymous Slashdot reader. Tom's Hardware reports: The draft recommends a regulation that will enforce end-to-end encryption on all communications to protect European Union citizens' fundamental privacy rights. The committee also recommended a ban on backdoors. Article 7 of the E.U.'s Charter of Fundamental Rights says that E.U. citizens have a right to personal privacy, as well as privacy in their family life and at home. According to the EP committee, the privacy of communications between individuals is also an important dimension of this right...

We've lately seen some EU member states push for increased surveillance and even backdoors in encrypted communications, so there seems to be some conflict here between what the European Parliament institutional bodies may want and what some member states do. However, if this proposal for the new Regulation on Privacy and Electronic Communications passes, it should significantly increase the privacy of E.U. citizens' communications, and it won't be so easy to roll back the changes to add backdoors in the future.

Security researcher Lukasz Olejnik says "the fact that policy is seriously considering these kind of aspects is unprecedented."
Privacy

Ask Slashdot: How Do You Prepare For The Theft Of Your PC? 262

A security-conscious Slashdot reader has theft insurance -- but worries whether it covers PC theft. And besides the hassles of recreating every customization after restoring from backups, there's also the issue of keeping personal data private. I currently keep important information on a hidden, encrypted partition so an ordinary thief won't get much off of it, but that is about the extent of my preparation... What would you do? Some sort of beacon to let you know where your stuff is? Remote wipe? Online backup?
There's a couple of issues here -- including privacy, data recovery, deterrence, compensation -- each leading to different ways to answer the question: what can you actually do to prepare for the possibility? So use the comments to share your own experiences. How have you prepared for the theft of your PC?
Yahoo!

Ask Slashdot: Advice For a Yahoo Mail Refugee 322

New submitter ma1wrbu5tr writes: Very shortly after the announcement of Verizon's acquisition of Yahoo, two things happened that caught my attention. First, I was sent an email that basically said "these are our new Terms of Service and if you don't agree to them, you have until June 8th to close your account". Subsequently, I noticed that when working in my mailbox via the browser, I kept seeing messages in the status bar saying "uploading..." and "upload complete". I understand that Y! has started advertising heavily in the webmail app but I find these "uploads" disturbing. I've since broken out a pop client and have downloaded 15 years worth of mail and am going through to ensure there are no other online accounts tied to that address. My question to slashdotters is this: "What paid or free secure email service do you recommend as a replacement and why?" I'm on the hunt for an email service that supports encryption, has a good Privacy Policy, and doesn't have a history of breaches or allowing snooping.
Government

US Intelligence Agencies Tried To Bribe Our Developers To Weaken Encryption, Says Telegram Founder (twitter.com) 135

In a series of tweets, Pavel Durov, the Russian founder of the popular secure messaging app Telegram has revealed that U.S. intelligence agencies tried twice to bribe his company's developers to weaken encryption in the app. The incident, Durov said, happened last year during the team's visit to the United States. "During our team's 1-week visit to the US last year we had two attempts to bribe our devs by US agencies + pressure on me from the FBI," he said. "And that was just 1 week. It would be naive to think you can run an independent/secure cryptoapp based in the US."

Telegram is one of the most secure messaging apps available today, though researchers have pointed flaws in it as well.
Encryption

Germany Plans To Fingerprint Children and Spy On Personal Messages (fortune.com) 225

From a report: Germany is planning a new law giving authorities the right to look at private messages and fingerprint children as young as 6, the interior minister said on Wednesday after the last government gathering before a national election in September. Ministers from central government and federal states said encrypted messaging services, such as WhatsApp and Signal, allow militants and criminals to evade traditional surveillance. "We can't allow there to be areas that are practically outside the law," interior minister Thomas de Maiziere told reporters in the eastern town of Dresden.
Desktops (Apple)

Apple Mac Computers Are Being Targeted By Ransomware, Spyware (bbc.com) 54

If you are a Mac user, you should be aware of new variants of malware that have been created specifically to target Apple computers; one is ransomware and the other is spyware. "The two programs were uncovered by the security firms Fortinet and AlienVault, which found a portal on the Tor 'dark web' network that acted as a shopfront for both," reports BBC. "In a blog post, Fortinet said the site claimed that the creators behind it were professional software engineers with 'extensive experience' of creating working code." From the report: Those wishing to use either of the programs had been urged to get in touch and provide details of how they wanted the malware to be set up. The malware's creators had said that payments made by ransomware victims would be split between themselves and their customers. Researchers at Fortinet contacted the ransomware writers pretending they were interested in using the product and, soon afterwards, were sent a sample of the malware. Analysis revealed that it used much less sophisticated encryption than the many variants seen targeting Windows machines, said the firm. However, they added, any files scrambled with the ransomware would be completely lost because it did a very poor job of handling the decryption keys needed to restore data. The free Macspy spyware, offered via the same site, can log which keys are pressed, take screenshots and tap into a machine's microphone. In its analysis, AlienVault researcher Peter Ewane said the malicious code in the spyware tried hard to evade many of the standard ways security programs spot and stop such programs.
Encryption

Docker's LinuxKit Launches Kernel Security Efforts, Including Next-Generation VPN (eweek.com) 44

darthcamaro writes: Back in April, when Docker announced its LinuxKit effort, the primary focus appeared to just be [tools for] building a container-optimized Linux distribution. As it turns out, security is also a core focus -- with LinuxKit now incubating multiple efforts to help boost Linux kernel security. Among those efforts is the Wireguard next generation VPN that could one day replace IPsec. "Wireguard is a new VPN for Linux using the cryptography that is behind some of the really good secure messaging apps like Signal," said Nathan McCauley, Director of Security at Docker Inc.
According to the article, Docker also has several full-time employees looking at ways to reduce the risk of memory corruption in the kernel, and is also developing a new Linux Security Module with more flexible access control policies for processes.
United Kingdom

British PM Seeks Ban On Encryption After Terror Attack (boingboing.net) 340

"British Prime Minister Theresa May has used last Saturday's terrorist attack to again push for a ban on encryption," according to ITWire. Slashdot reader troublemaker_23 shared their article, which quotes this strong rebuttal from Cory Doctorow: Use deliberately compromised cryptography, that has a back door that only the "good guys" are supposed to have the keys to, and you have effectively no security. You might as well skywrite it as encrypt it with pre-broken, sabotaged encryption... Theresa May doesn't understand technology very well, so she doesn't actually know what she's asking for. For Theresa May's proposal to work, she will need to stop Britons from installing software that comes from software creators who are out of her jurisdiction... any politician caught spouting off about back doors is unfit for office anywhere but Hogwarts, which is also the only educational institution whose computer science department believes in 'golden keys' that only let the right sort of people break your encryption.
Wikipedia

Wikipedia's Switch To HTTPS Has Successfully Fought Government Censorship (vice.com) 170

Determining how to prevent acts of censorship has long been a priority for the non-profit Wikimedia Foundation, and thanks to new research from the Harvard Center for Internet and Society, the foundation seems to have found a solution: encryption. From a report: HTTPS prevents governments and others from seeing the specific page users are visiting. For example, a government could tell that a user is browsing Wikipedia, but couldn't tell that the user is specifically reading the page about Tiananmen Square. Up until 2015, Wikipedia offered its service using both HTTP and HTTPS, which meant that when countries like Pakistan or Iran blocked the certain articles on the HTTP version of Wikipedia, the full version would still be available using HTTPS. But in June 2015, Wikipedia decided to axe HTTP access and only offer access to its site with HTTPS. [...] The Harvard researchers began by deploying an algorithm which detected unusual changes in Wikipedia's global server traffic for a year beginning in May 2015. This data was then combined with a historical analysis of the daily request histories for some 1.7 million articles in 286 different languages from 2011 to 2016 in order to determine possible censorship events. [...] After a painstakingly long process of manual analysis of potential censorship events, the researchers found that, globally, Wikipedia's switch to HTTPS had a positive effect on the number censorship events by comparing server traffic from before and after the switch in June of 2015.
Encryption

10 Years Later: FileZilla Adds Support For Master Password That Encrypts Your Logins (bleepingcomputer.com) 82

An anonymous reader writes: "Following years of criticism and user requests, the FileZilla FTP client is finally adding support for a master password that will act as a key for storing FTP login credentials in an encrypted format," reports BleepingComputer. "This feature is scheduled to arrive in FileZilla 3.26.0, but you can use it now if you download the 3.26.0 (unstable) release candidate from here." By encrypting its saved FTP logins, FileZilla will finally thwart malware that scrapes the sitemanager.xml file and steals FTP credentials, which were previously stolen in plain text. The move is extremely surprising, at least for the FileZilla user base. Users have been requesting this feature for a decade, since 2007, and they have asked it many and many times since then. All their requests have fallen on deaf ears and met with refusal from FileZilla maintainer, Tim Kosse. In November 2016, a user frustrated with Koose's stance forked the FileZilla FTP client and added support for a master password via a spin-off app called FileZilla Secure.
Encryption

Hackers Unlock Samsung Galaxy S8 With Fake Iris (vice.com) 79

From a Motherboard report: Despite Samsung stating that a user's irises are pretty much impossible to copy, a team of hackers has done just that. Using a bare-bones selection of equipment, researchers from the Chaos Computer Club (CCC) show in a video how they managed to bypass the scanner's protections and unlock the device. "We've had iris scanners that could be bypassed using a simple print-out," Linus Neumann, one of the hackers who appears in the video. The process itself was apparently pretty simple. The hackers took a medium range photo of their subject with a digital camera's night mode, and printed the infrared image. Then, presumably to give the image some depth, the hackers placed a contact lens on top of the printed picture. And, that's it. They're in.
Microsoft

Microsoft's New Surface Pro Features Faster Intel Kaby Lake Processor, 13.5 Hours of Battery Life (thurrott.com) 66

On the sidelines of Windows 10 China Government Edition release, Microsoft also announced a new Surface two-in-one laptop. The latest addition to company's hybrid computing line up, the "new Surface Pro" sports an improved design, and houses a newer processor from Intel. From an article: The new Surface Pro features the same 3:2 12.3-inch PixelSense display as its predecessor, providing a resolution of 2736 x 1824 (267 ppi) and 10 point multi-touch capabilities. Surface Pro is based on faster and more reliable Intel "Kaby Lake" chipsets in Core m3-7Y30 with HD Graphics 615, Core i5-7300U with HD Graphics 620, and Core i7-7660U with Iris Plus Graphics 640 variants, which should make for a better experience. As with the previous version, the Core m3 version of the new Surface Pro is fanless and thus silent. But this is new: The Core i5 versions of the new Surface Pro are also fanless and silent. And a new thermal design helps Microsoft claim that the i7 versions are quieter than ever, too. The new Surface Pro is rated at 13.5 hours of battery life (for video playback), compared to just 9 hours for Surface Pro 4. That's a 50 percent improvement. urface Pro can be had with 4, 8, or 16 GB of 1866Mhz LPDDR3 RAM. The new Surface Pro is built around the USB 3-based Surface Connect connector and features one full-sized USB 3 port and one miniDisplayPort port. Microsoft also announced a new Surface Pen (sold separately), and claims that the new pen is twice as accurate (compared to the previous version). No word on the pricing but it will be available in all major global markets in the "coming weeks." The new Surface ships with Windows 10 Pro. (Side note: Earlier Microsoft used to market the Surface Pro devices as tablets that could also serve as laptops. The company is now calling the Surface Pro laptops that are also tablets.)
Microsoft

Microsoft Announces 'Windows 10 China Government Edition', Lets Country Use Its Own Encryption (windows.com) 108

At an event in China on Tuesday, Microsoft announced yet another new version of Windows 10. Called Windows 10 China Government Edition, the new edition is meant to be used by the Chinese government and state-owned enterprises, ending a standoff over the operating system by meeting the government's requests for increased security and data control. In a blog post, Windows chief Terry Myerson writes: The Windows 10 China Government Edition is based on Windows 10 Enterprise Edition, which already includes many of the security, identity, deployment, and manageability features governments and enterprises need. The China Government Edition will use these manageability features to remove features that are not needed by Chinese government employees like OneDrive, to manage all telemetry and updates, and to enable the government to use its own encryption algorithms within its computer systems.
Security

French Researchers Find Last-ditch Cure To Unlock WannaCry Files (reuters.com) 36

French researchers said on Friday they had found a last-chance way for technicians to save Windows files encrypted by WannaCry, racing against a deadline as the ransomware threatens to start locking up victims' computers first infected a week ago. From a report: WannaCry, which started to sweep round the globe last Friday and has infected more than 300,000 computers in 150 nations, threatens to lock out victims who have not paid a sum of $300 to $600 within one week of infection. A loose-knit team of security researchers scattered across the globe said they had collaborated to develop a workaround to unlock the encryption key for files hit in the global attack, which several independent security researchers have confirmed. The researchers warned that their solution would only work in certain conditions, namely if computers had not been rebooted since becoming infected and if victims applied the fix before WannaCry carried out its threat to lock their files permanently. Also see: Windows XP PCs Infected By WannaCry Can Be Decrypted Without Paying Ransom.
Cellphones

UK Group Fights Arrest Over Refusing To Surrender Passwords At The Border (theguardian.com) 284

An anonymous reader quotes The Guardian: The human rights group Cage is preparing to mount a legal challenge to UK anti-terrorism legislation over a refusal to hand over mobile and laptop passwords to border control officials at air terminals, ports and international rail stations... The move comes after its international director, Muhammad Rabbani, a UK citizen, was arrested at Heathrow airport in November for refusing to hand over passwords. Rabbani, 35, has been detained at least 20 times over the past decade when entering the UK, under schedule 7 of terrorism legislation that provides broad search powers, but this was the first time he had been arrested... On previous occasions, when asked for his passwords, he said he had refused and eventually his devices were returned to him and he was allowed to go. But there was a new twist this time: when he refused to reveal his passwords, he was arrested under schedule 7 provisions of the terrorism act and held overnight at Heathrow Polar Park police station before being released on bail. He expects to be charged on Wednesday.
Rabbani "argues that the real objective...is not stopping terrorists entering the UK, but as a tool to build up a huge data bank on thousands of UK citizens." And his position drew support from Jim Killock, executive director of the UK-based Open Rights Group. "Investigations should take place when there is actual suspicion, and the police should be able to justify their actions on that basis, rather than using wide-ranging powers designed for border searches."
Privacy

Leaked Document Reveals UK Plans For Wider Internet Surveillance (zdnet.com) 92

The UK government is planning to push greater surveillance powers that would force internet providers to monitor communications in near-realtime and install backdoor equipment to break encryption, according to a leaked document. From a report on ZDNet: A draft of the proposed new surveillance powers, leaked on Thursday, is part of a "targeted consultation" into the Investigatory Powers Act, brought into law last year, which critics called the "most extreme surveillance law ever passed in a democracy." Provisions in proposals show that the government is asking for powers to compel internet providers to turn over the realtime communications of a person "in an intelligible form," including encrypted content, within one working day. To that end, internet providers will be forced to introduce a backdoor point on their networks to allow intelligence agencies to read anyone's communications.
Security

How Good is Antivirus Software at Protecting Itself? (tomsguide.com) 73

An anonymous reader writes: Earlier this week, AV-TEST evaluated 19 security suites and found that only three of them seemed to be well protected from savvy potential hackers. First, some context about the tests: The first test measured how well each program uses address space layout randomization (ASLR) and data execution prevention (DEP). Briefly, ASLR randomizes a computer's memory allocation, making it harder for an attacker to target a particular process in a program; DEP is a Windows protocol that designates some memory as non-executable space (other operating systems do this under different names), making it harder (or impossible) for unauthorized programs to run in that space. The second test measured whether the AV programs digitally signed their software-update files. Signing is a way of determining a file's origin and authenticity; unsigned files could be more easily substituted with malicious ones. The final test was the simplest, and determined whether an AV manufacturers delivered its software updates via the encrypted HTTPS web protocol. Lack of encryption makes it easy for an attacker to stage a man-in-the-middle attack by intercepting the data transmission, altering the data and then sending the data back on its way. Of the 19 programs tested, only three succeeded on all counts: Bitdefender Internet Security 2017, ESET Internet Security 10 and Kaspersky Internet Security 17.0. It's difficult to rank the rest of the programs, as each one succeeded and failed to varying degrees.
Encryption

'First Pirated Ultra HD Blu-Ray Disk' Appears Online (torrentfreak.com) 260

Has AACS 2.0 encryption used to protect UHD Blu-ray discs been cracked? While the details are scarce, a cracked copy of a UHD Blu-ray disc surfaced on the HD-focused BitTorrent tracker UltraHDclub. TorrentFreak reports: The torrent in question is a copy of the Smurfs 2 film and is tagged "The Smurfs 2 (2013) 2160p UHD Blu-ray HEVC Atmos 7.1-THRONE." This suggests that AACS 2.0 may have been "cracked" although there are no further technical details provided at this point. UltraHDclub is proud of the release, though, and boasts of having the "First Ultra HD Blu-ray Disc in the NET!" Those who want to get their hands on a copy of the file have to be patient though. Provided that they have access to the private tracker, it will take a while to download the entire 53.30 GB disk. TorrentFreak reached out to both the uploader of the torrent and an admin at the site hoping to find out more, but thus far we have yet to hear back. From the details provided, the copy appears to be the real deal although not everyone agrees.
Security

A Sophisticated Grey Hat Vigilante Protects Insecure IoT Devices (arstechnica.com) 143

Ars Technica reports on Hajime, a sophisticated "vigilante botnet that infects IoT devices before blackhats can hijack them." Once Hajime infects an Internet-connected camera, DVR, and other Internet-of-things device, the malware blocks access to four ports known to be the most widely used vectors for infecting IoT devices. It also displays a cryptographically signed message on infected device terminals that describes its creator as "just a white hat, securing some systems." But unlike the bare-bones functionality found in Mirai, Hajime is a full-featured package that gives the botnet reliability, stealth, and reliance that's largely unparalleled in the IoT landscape...

Hajime doesn't rashly cycle through a preset list of the most commonly used user name-password combinations when trying to hijack a vulnerable device. Instead, it parses information displayed on the login screen to identify the device manufacturer and then tries combinations the manufacturer uses by default... Also, in stark contrast to Mirai and its blackhat botnet competitors, Hajime goes to great lengths to maintain resiliency. It uses a BitTorrent-based peer-to-peer network to issue commands and updates. It also encrypts node-to-node communications. The encryption and decentralized design make Hajime more resistant to takedowns by ISPs and Internet backbone providers.

Pascal Geenens, a researcher at security firm Radware, watched the botnet attempt 14,348 hijacks from 12,000 unique IP addresses around the world, and says "If Hajime is a glimpse into what the future of IoT botnets looks like, I certainly hope the IoT industry gets its act together and starts seriously considering securing existing and new products. If not, our connected hopes and futures might depend on...grey hat vigilantes to purge the threat the hard way."

And long-time Slashdot reader The_Other_Kelly asks a good question. "While those with the ability and time can roll their own solutions, what off-the-shelf home security products are there, for non-technical people to use to protect their home/IoT networks?"
Encryption

Encrypted WhatsApp Message Recovered From Westminster Terrorist's Phone (indiatimes.com) 143

Bruce66423 brings word that a terrorist's WhatsApp message has been decrypted "using techniques that 'cannot be disclosed for security reasons', though 'sources said they now have the technical expertise to repeat the process in future.'" The Economic Times reports: U.K. security services have managed to decode the last message sent out by Khalid Masood before he rammed his high-speed car into pedestrians on Westminster Bridge and stabbed to death a police officer at the gates of Parliament on March 22. The access to Masood's message was achieved by what has been described by security sources as a use of "human and technical intelligence"...

The issue of WhatsApp's encrypted service, which is closed to anyone besides the sender and recipient, had come under criticism soon after the attack. "It's completely unacceptable. There should be no place for terrorists to hide. We need to make sure that organisations like WhatsApp, and there are plenty of others like that, don't provide a secret place for terrorists to communicate with each other," U.K. home secretary Amber Rudd had said.

Security sources say the message showed the victim's motive was military action in Muslim countries, while the article adds that though ISIS claimed responsibility for the attack, "no evidence has emerged to back this up."

Slashdot Top Deals