Encryption

Ransomware Asks For High Score Instead of Money (arstechnica.com) 36

An anonymous reader quotes a report from Ars Technica: "Rensenware" forces players to get a high score in a difficult PC shoot-em-up to decrypt their files. As Malware Hunter Team noted yesterday, users on systems infected with Rensenware are faced with the usual ransomware-style warning that "your precious data like documents, musics, pictures, and some kinda project files" have been "encrypted with highly strong encryption algorithm." The only way to break the encryption lock, according to the warning, is to "score 0.2 billion in LUNATIC level" on TH12 ~ Undefined Fantastic Object. That's easier said than done, as this gameplay video of the "bullet hell" style Japanese shooter shows. As you may have guessed from the specifics here, the Rensenware bug was created more in the spirit of fun than maliciousness. After Rensenware was publicized on Twitter, its creator, who goes by Tvple Eraser on Twitter and often posts in Korean, released an apology for releasing what he admitted was "a kind of highly-fatal malware." The apology is embedded in a Rensenware "forcer" tool that Tvple Eraser has released to manipulate the game's memory directly, getting around the malware's encryption without the need to play the game (assuming you have a copy installed, that is). While the original Rensenware source code has been taken down from the creator's Github page, a new "cut" version has taken its place, showing off the original joke without any actually malicious forced encryption.
Encryption

Web Inventor Sir Tim Berners-Lee Slams UK and US Net Plans (bbc.com) 48

The web's creator has attacked any UK plans to weaken encryption and promised to battle any moves by the Trump administration to weaken net neutrality. From a report on BBC: Sir Tim Berners-Lee was speaking to the BBC following the news that he has been given the Turing Award. It is sometimes known as the Nobel Prize of computing. Sir Tim said moves to undermine encryption would be a "bad idea" and represent a massive security breach. Home Secretary Amber Rudd has said there should be no safe space for terrorists to be able to communicate online. But Sir Tim said giving the authorities a key to unlock coded messages would have serious consequences. "Now I know that if you're trying to catch terrorists it's really tempting to demand to be able to break all that encryption but if you break that encryption then guess what -- so could other people and guess what -- they may end up getting better at it than you are," he said. Sir Tim also criticised moves by legislators on both sides of the Atlantic, which he sees as an assault on the privacy of web users. He attacked the UK's recent Investigatory Powers Act, which he had criticised when it went through Parliament: "The idea that all ISPs should be required to spy on citizens and hold the data for six months is appalling." In the United States he is concerned that the principle of net neutrality, which treats all internet traffic equally, could be watered down by the Trump administration and the Federal Communications Commission. "If the FCC does move to reduce net neutrality I will fight it as hard as I can," he vowed.
United Kingdom

Britain Wants Tech Firms to Tackle Extremism (fortune.com) 137

Britain will tell Google, Facebook, Twitter, and Microsoft on Thursday to do more to stop extremists posting content on their platforms and using encrypted messaging services to plan attacks. From a report: Home Secretary Amber Rudd said on Sunday tech companies should stop offering a "secret place for terrorists to communicate," after British parliament attacker Khalid Masood was widely reported to have sent encrypted messages moments before he killed four people last week. Rudd has summoned the Internet companies to a meeting to urge them to do more to block extremist content from platforms like Facebook and Google's YouTube, but a government spokesman said encryption was also on the agenda. "The message is the government thinks there is more they can do in relation to taking down extremist and hate material and that is what they are going to be talking about this afternoon," the prime minister's spokesman said on Thursday.
Government

Will VPNs Protect Your Privacy? It's Complicated 141

From a CNET report: A VPN redirects your internet traffic, disguising where your computer, phone or other device is when it makes contact with websites. It also encrypts information you send across the internet, making it unreadable to anyone who intercepts your traffic. That includes your internet service provider. Ha! Problem solved -- right? Well, sort of. The big catch is, now the VPN has your internet traffic and browsing history, instead of your ISP. What's to stop the VPN from selling your information to the highest bidder? Of course, there are reputable VPN services out there, but it's incumbent on you the user to "do your homework," Ajay Arora, CEO of cybersecurity company Vera said. In addition to making sure the VPN will actually keep your data private, you'll want to make sure there's nothing shady in the terms and conditions. Shady how? Well, in 2015, a group of security-minded coders discovered that free VPN service Hola was selling its users' bandwidth to the paying customers of its Luminati service. That meant some random person could have been using your internet connection to do something illegal. So, shady like that. "I would recommend you do some cursory level research in terms of reputation [and] how long they've been around," Arora said, "And when you sign up, read the fine print." From a report on Wired: Christian Haschek, an Austria-based security researcher, wrote a script that analyzed 443 open proxies, which route web traffic through an alternate, often pseudo-anonymous, computer network. The script tested the proxies to see if they modified site content or allowed users to browse sites while using encryption. According to Haschek's research, just 21 percent of the tested proxies weren't "shady." Haschek found that the other 79 percent of surveyed proxy services forbid secure, HTTPS traffic.
IOS

Apple is Upgrading Millions of iOS Devices To a New Modern File System Today (theverge.com) 191

Apple today began rolling out iOS 10.3, the latest point update to its mobile operating system. iOS 10.3 brings with it several new features, chief among which is a new file system -- called the Apple File System (APFS). From a report: It's a file system that was originally announced at WWDC last year, and it's designed with the iPhone, iPad, Apple Watch, Mac, and Apple TV in mind. Apple has been using its 31-year-old Hierarchical File System (HFS) for iOS devices so far. It was originally designed for Macs with floppy or hard disks, and not for modern mobile devices with solid state storage. Even its successor, HFS+, still doesn't address the needs of these mobile devices enough. Apple's new APFS is designed to scale across these new types of devices and take advantage of flash or SSD storage. It's also engineered with encryption as a primary feature, and even supports features like snapshots so restoring files on a Mac or even an iOS device might get a lot easier in the future.
Encryption

After 20 Years, OpenSSL Will Change To Apache License 2.0, Seeks Past Contributors (openssl.org) 110

After nearly 20 years and 31,000 commits, OpenSSL wants to change to Apache License v2.0. They're now tracking down all 400 contributors to sign new license agreements, a process expected to take several months. Slashdot reader rich_salz shares links to OpenSSL's official announcement (and their agreement-collecting web site). "This re-licensing activity will make OpenSSL, already the world's most widely-used FOSS encryption software, more convenient to incorporate in the widest possible range of free and open source software," said Mishi Choudhary, Legal Director of Software Freedom Law Center and counsel to OpenSSL. "OpenSSL's team has carefully prepared for this re-licensing, and their process will be an outstanding example of 'how to do it right.'"
Click through for some comments on the significance of this move from the Linux Foundation, Intel, and Oracle.
United Kingdom

London Terrorist Used WhatsApp, UK Calls For Backdoors (yahoo.com) 360

Wednesday 52-year-old Khalid Masood "drove a rented SUV into pedestrians on Westminster Bridge before smashing it into Parliament's gates and rushing onto the grounds, where he fatally stabbed a policeman and was shot by other officers," writes the Associated Press. An anonymous reader quotes their new report: Westminster Bridge attacker Khalid Masood sent a WhatsApp message that cannot be accessed because it was encrypted by the popular messaging service, a top British security official said Sunday. British press reports suggest Masood used the messaging service owned by Facebook just minutes before the Wednesday rampage that left three pedestrians and one police officer dead and dozens more wounded.... Home Secretary Amber Rudd used appearances on BBC and Sky News to urge WhatsApp and other encrypted services to make their platforms accessible to intelligence services and police trying to carry out lawful eavesdropping. "We need to make sure that organizations like WhatsApp -- and there are plenty of others like that -- don't provide a secret place for terrorists to communicate with each other," she said...

Rudd also urged technology companies to do a better job at preventing the publication of material that promotes extremism. She plans to meet with firms Thursday about setting up an industry board that would take steps to make the web less useful to extremists.

Businesses

Over 14K 'Let's Encrypt' SSL Certificates Issued To PayPal Phishing Sites (bleepingcomputer.com) 250

BleepingComputer reports: During the past year, Let's Encrypt has issued a total of 15,270 SSL certificates that contained the word 'PayPal' in the domain name or the certificate identity. Of these, approximately 14,766 (96.7%) were issued for domains that hosted phishing sites, according to an analysis carried out on a small sample of 1,000 domains, by Vincent Lynch, encryption expert for The SSL Store... Lynch, who points out the abuse of Let's Encrypt's infrastructure, doesn't blame the Certificate Authority (CA), but nevertheless, points out that other CAs have issued a combined number of 461 SSL certificates containing the term "PayPal" in the certificate information, which were later used for phishing attacks... Phishers don't target these CAs because they're commercial services, but also because they know these organizations will refuse to issue certificates for certain hot terms, like "PayPal," for example. Back in 2015, Let's Encrypt made it clear in a blog post it doesn't intend to become the Internet's HTTPS watchdog.
Of course, some web browsers don't even check whether a certificate has been revoked. An anonymous reader writes: Browser makers are also to blame, along with "security experts" who tell people HTTPS is "secure," when they should point out HTTPS means "encrypted communication channel," and not necessarily that the destination website is secure.
AI

The First Practical Use For Quantum Computers: Chemistry (technologyreview.com) 42

"The first quantum computer to start paying its way with useful work in the real world looks likely to do so by helping chemists," writes MIT Technology Review, "trying to do things like improve batteries or electronics." An anonymous reader quotes their report: So far, simulating molecules and reactions is the use case for early, small quantum computers sketched out in most detail by researchers developing the new kind of algorithms needed for such machines... "From the point of view of what is theoretically proven, chemistry is ahead," says Scott Crowder, chief technology officer for the IBM division that today sells hardware including supercomputers and hopes to add cloud-hosted quantum computers to its product line-up in the next few years...

Researchers have long used simulations of molecules and chemical reactions to aid research into things like new materials, drugs, or industrial catalysts. The tactic can reduce time spent on physical experiments and scientific dead ends, and it accounts for a significant proportion of the workload of the world's supercomputers. Yet the payoffs are limited because even the most powerful supercomputers cannot perfectly re-create all the complex quantum behaviors of atoms and electrons in even relatively small molecules, says Alan Aspuru-Guzik, a chemistry professor at Harvard. He's looking forward to the day simulations on quantum computers can accelerate his research group's efforts to find new light-emitting molecules for displays, for example, and batteries suitable for grid-scale energy storage.

Microsoft is already focusing on chemistry and materials science in its quantum algorithm effort, saying a hybrid system combining conventional computers with a small quantum computer "has great promise for studying molecules." Meanwhile, the article argues that breaking encryption, "although a genuine threat, is one of the most distant applications of the technology, because the algorithms involved would require an extremely large quantum processor."
Encryption

Ask Slashdot: How Would You Implement Site-Wide File Encryption? 151

Recently-leaked CIA documents prove that encryption works, according to the Associated Press. But how should sys-admins implement site-wide file encryption? Very-long-time Slashdot reader Pig Hogger writes: If you decide to implement server-level encryption across all your servers, how do you manage the necessary keys/passwords/passphrases to ensure that you have both maximum uptime (you can access your data if you need to reboot your servers), yet that the keys cannot be compromised... What are established practices to address this issue?
Keep in mind that you can't change your password once the server's been seized, bringing up the issue of how many people know that password. Or is there a better solution? Share your suggestions and experiences in the comments. How would you implement site-wide file encryption?
Security

Some HTTPS Inspection Tools Actually Weaken Security (itworld.com) 102

America's Department of Homeland Security issued a new warning this week. An anonymous reader quotes IT World: Companies that use security products to inspect HTTPS traffic might inadvertently make their users' encrypted connections less secure and expose them to man-in-the-middle attacks, the U.S. Computer Emergency Readiness Team warns. US-CERT, a division of the Department of Homeland Security, published an advisory after a recent survey showed that HTTPS inspection products don't mirror the security attributes of the original connections between clients and servers. "All systems behind a hypertext transfer protocol secure (HTTPS) interception product are potentially affected," US-CERT said in its alert.
Slashdot reader msm1267 quotes Threatpost: HTTPS inspection boxes sit between clients and servers, decrypting and inspecting encrypted traffic before re-encrypting it and forwarding it to the destination server... The client cannot verify how the inspection tool is validating certificates, or whether there is an attacker positioned between the proxy and the target server.
Encryption

What The CIA WikiLeaks Dump Tells Us: Encryption Works (ap.org) 202

"If the tech industry is drawing one lesson from the latest WikiLeaks disclosures, it's that data-scrambling encryption works," writes the Associated Press, "and the industry should use more of it." An anonymous reader quotes their report: Documents purportedly outlining a massive CIA surveillance program suggest that CIA agents must go to great lengths to circumvent encryption they can't break. In many cases, physical presence is required to carry off these targeted attacks. "We are in a world where if the U.S. government wants to get your data, they can't hope to break the encryption," said Nicholas Weaver, who teaches networking and security at the University of California, Berkeley. "They have to resort to targeted attacks, and that is costly, risky and the kind of thing you do only on targets you care about. Seeing the CIA have to do stuff like this should reassure civil libertarians that the situation is better now than it was four years ago"... Cindy Cohn, executive director for Electronic Frontier Foundation, a group focused on online privacy, likened the CIA's approach to "fishing with a line and pole rather than fishing with a driftnet."
The article points out that there are still some exploits that bypass encryption, according to the recently-released CIA documents. "Although Apple, Google and Microsoft say they have fixed many of the vulnerabilities alluded to in the CIA documents, it's not known how many holes remain open."
Crime

Federal Criminal Probe Being Opened Into WikiLeaks' Publication of CIA Documents (cnn.com) 236

A federal criminal investigation is being opened into WikiLeaks' publication of documents detailing alleged CIA hacking operations, CNN reports citing several U.S. officials. From the report: The officials said the FBI and CIA are coordinating reviews of the matter. The investigation is looking into how the documents came into WikiLeaks' possession and whether they might have been leaked by an employee or contractor. The CIA is also trying to determine if there are other unpublished documents WikiLeaks may have. The documents published so far are largely genuine, officials said, though they are not yet certain if all of them are and whether some of the documents may have been altered. One of the biggest concerns for the federal government is if WikiLeaks publishes critical computer code on how operations are conducted, other hackers could take that code and cause havoc overseas. Security expert Robert Graham wrote on Tuesday: The CIA didn't remotely hack a TV. The docs are clear that they can update the software running on the TV using a USB drive. There's no evidence of them doing so remotely over the Internet. The CIA didn't defeat Signal/WhatsApp encryption. The CIA has some exploits for Android/iPhone. If they can get on your phone, then, of course they can record audio and screenshots. Technically, this bypasses/defeats encryption -- but such phrases used by Wikileaks are highly misleading, since nothing related to Signal/WhatsApp is happening. [...] This hurts the CIA a lot. Already, one AV researcher has told me that a virus they once suspected came from the Russians or Chinese can now be attributed to the CIA, as it matches the description perfectly to something in the leak. We can develop anti-virus and intrusion-detection signatures based on this information that will defeat much of what we read in these documents. This would put a multi-year delay in the CIA's development efforts. Plus, it'll now go on a witch-hunt looking for the leaker, which will erode morale.
Privacy

Hey CIA, You Held On To Security Flaw Information -- But Now It's Out. That's Not How It Should Work (eff.org) 246

Cindy Cohn, writing for EFF: The dark side of this story is that the documents confirm that the CIA holds on to security vulnerabilities in software and devices -- including Android phones, iPhones, and Samsung televisions -- that millions of people around the world rely on. The agency appears to have failed to accurately assess the risk of not disclosing vulnerabilities to responsible vendors and failed to follow even the limited Vulnerabilities Equities Process. As these leaks show, we're all made less safe by the CIA's decision to keep -- rather than ensure the patching of -- vulnerabilities. Even spy agencies like the CIA have a responsibility to protect the security and privacy of Americans.
Businesses

China's ZTE Pleads Guilty, Will Pay $1.19 Billion For Violating US Trade Sanctions (reuters.com) 50

An anonymous reader quotes a report from Reuters: Chinese telecom equipment maker ZTE Corp will plead guilty and pay $1.19 billion ($892 million in the Iran case) to settle allegations it violated U.S. laws that restrict the sale of American-made technology to Iran and North Korea, the company and U.S. government agencies said on Tuesday. ZTE entered into an agreement to plead guilty to conspiring to violate the International Emergency Economic Powers Act, obstruction of justice and making a material false statement, the U.S. Justice Department said. The Commerce Department investigation followed reports by Reuters in 2012 that ZTE had signed contracts to ship millions of dollars worth of hardware and software from some of the best-known U.S. technology companies to Iran's largest telecoms carrier. Between January 2010 and January 2016, ZTE directly or indirectly shipped approximately $32 million of U.S.-origin items to Iran without obtaining the proper export licenses from the U.S. government. ZTE then lied to federal investigators during the investigation when it insisted that the shipments had stopped, Justice said. It also took actions involving 283 shipments of controlled items to North Korea, authorities said. Shipped items included routers, microprocessors and servers controlled under export regulations for security, encryption and anti-terrorism reasons.
Government

WikiLeaks Reveals CIA's Secret Hacking Tools and Spy Operations (betanews.com) 447

Mark Wilson, writing for BetaNews: WikiLeaks has unleashed a treasure trove of data to the internet, exposing information about the CIA's arsenal of hacking tools. Code-named Vault 7, the first data is due to be released in serialized form, starting off with "Year Zero" as part one. A cache of over 8,500 documents and files has been made available via BitTorrent in an encrypted archive. The plan had been to release the password at 9:00am ET today, but when a scheduled online press conference and stream came "under attack" prior to this, the password was released early. Included in the "extraordinary" release are details of the zero day weapons used by the CIA to exploit iPhones, Android phones, Windows, and even Samsung TVs to listen in on people. Routers, Linux, macOS -- nothing is safe. WikiLeaks explains how the "CIA's hacking division" -- or the Center for Cyber Intelligence (CCI) as it is officially known -- has produced thousands of weaponized pieces of malware, Trojans, viruses and other tools. It's a leak that's essentially Snowden 2.0. In a statement, WikiLeaks said CIA has tools to bypass the encryption mechanisms imposed by popular instant messenger apps Signal, Confide, WhatsApp (used by more than a billion people), and Telegram.
Encryption

Google Open Sources Encrypted Email Extension For Chrome (onthewire.io) 44

Last week Google released E2EMail, "a Gmail client that exchanges OpenPGP mail." Google's documentation promises that "Any email sent from the app is also automatically signed and encrypted... The target is a simple user experience -- install app, approve permissions, start reading or sending messages." Trailrunner7 quotes On The Wire: People have been trying to find a replacement for PGP almost since the day it was released, and with limited success. Encrypted email is still difficult to use and painful to implement in most cases, but Google has just released a Chrome plugin designed to address those problems. The new E2EMail extension doesn't turn a user's Gmail inbox into an encrypted mail client. Rather, it is a replacement that gives users a separate inbox for encrypted messages. The system is built on Google's end-to-end encryption library, and the company has released E2EMail as an open-source project.
Wired quotes a web security researcher who calls the open sourcing "a telltale sign the project isn't going anywhere. This is a way for them to get their work out there but to absolve themselves of future obligations." But Google's privacy and security product manager responds that they're tackling some very thorny issues like secure key handling, and "The reason we want to put this into the open source community is precisely because everyone cares about this so much. We don't want everyone waiting for Google to get something done."
Social Networks

Are Your Slack Conversations Really Private and Secure? (fastcompany.com) 68

An anonymous reader writes: "Chats that seem to be more ephemeral than email are still being recorded on a server somewhere," reports Fast Company, noting that Slack's Data Request Policy says the company will turn over data from customers when "it is compelled by law to do so or is subject to a valid and binding order of a governmental or regulatory body...or in cases of emergency to avoid death or physical harm to individuals." Slack will notify customers before disclosure "unless Slack is prohibited from doing so," or if the data is associated with "illegal conduct or risk of harm to people or property."

The article also warns that like HipChat and Campfire, Slack "is encrypted only at rest and in transit," though a Slack spokesperson says they "may evaluate" end-to-end encryption at some point in the future. Slack has no plans to offer local hosting of Slack data, but if employers pay for a Plus Plan, they're able to access private conversations.

Though Slack has 4 million users, the article points out that there are other alternatives like Semaphor and open source choices like Wickr and Mattermost. I'd be curious to hear what Slashdot readers are using at their own workplaces -- and how they feel about the privacy and security of Slack?
Google

Google Releases Open Source File Sharing Project 'Upspin' On GitHub (betanews.com) 58

BrianFagioli quotes a report from BetaNews: Today, Google unveiled yet another way to share files. Called "Upspin," the open source project aims to make sharing easier for home users. With that said, the project does not seem particularly easy to set up or maintain. For example, it uses Unix-like directories and email addresses for permissions. While it may make sense to Google engineers, I am dubious that it will ever be widely used. "Upspin looks a bit like a global file system, but its real contribution is a set of interfaces, protocols, and components from which an information management system can be built, with properties such as security and access control suited to a modern, networked world. Upspin is not an "app" or a web service, but rather a suite of software components, intended to run in the network and on devices connected to it, that together provide a secure, modern information storage and sharing network," says Google. The search giant adds: "Upspin is a layer of infrastructure that other software and services can build on to facilitate secure access and sharing. This is an open source contribution, not a Google product. We have not yet integrated with the Key Transparency server, though we expect to eventually, and for now use a similar technique of securely publishing all key updates. File storage is inherently an archival medium without forward secrecy; loss of the user's encryption keys implies loss of content, though we do provide for key rotation."
Security

Netflix Just Announced a User Focused Security Application (netflix.com) 43

Moving beyond movies and TV shows (and their DVDs), Netflix announced on Tuesday Stethoscope, its "first project following a User Focused Security approach." From the company's blog post: The notion of "User Focused Security" acknowledges that attacks against corporate users (e.g., phishing, malware) are the primary mechanism leading to security incidents and data breaches, and it's one of the core principles driving our approach to corporate information security. [...] Stethoscope is a web application that collects information for a given user's devices and gives them clear and specific recommendations for securing their systems. If we provide employees with focused, actionable information and low-friction tools, we believe they can get their devices into a more secure state without heavy-handed policy enforcement. The company says Stethoscope tracks disk encryption, firewall, automatic updates, up-to-date OS/software, screen lock, jailbroken/rooted status, and security software stack configurations of the device.
