mdsolar quotes a report from Ars Technica: A surprisingly large number of critical infrastructure participants -- including chemical manufacturers, nuclear and electric plants, defense contractors, building operators and chip makers -- rely on unsecured wireless pagers to automate their industrial control systems. According to a new report, this practice opens them to malicious hacks and espionage. Earlier this year, researchers from security firm Trend Micro collected more than 54 million pages over a four-month span using low-cost hardware. In some cases, the messages alerted recipients to unsafe conditions affecting mission-critical infrastructure as they were detected. A heating, venting, and air-conditioning system, for instance, used an e-mail-to-pager gateway to alert a hospital to a potentially dangerous level of sewage water. Meanwhile, a supervisory and control data acquisition system belonging to one of the world's biggest chemical companies sent a page containing a complete "stack dump" of one of its devices. Other unencrypted alerts sent by or to "several nuclear plants scattered among different states" included:

-Reduced pumping flow rate
-Water leak, steam leak, radiant coolant service leak, electrohydraulic control oil leak
-Fire accidents in an unrestricted area and in an administration building
-Loss of redundancy
-People requiring off-site medical attention
-A control rod losing its position indication due to a data fault
-Nuclear contamination without personal damage Trend Micro researchers wrote in their report titled "Leaking Beeps: Unencrypted Pager Messages in Industrial Environments": "We were surprised to see unencrypted pages coming from industrial sectors like nuclear power plants, substations, power generation plants, chemical plants, defense contractors, semiconductor and commercial manufacturers, and HVAC. These unencrypted pager messages are a valuable source of passive intelligence, the gathering of information that is unintentionally leaked by networked or connected organizations. Taken together, threat actors can do heavy reconnaissance on targets by making sense of the acquired information through paging messages. Though we are not well-versed with the terms and information used in some of the sectors in our research, we were able to determine what the pages mean, including how attackers would make use of them in an elaborate targeted attack or how industry competitors would take advantage of such information. The power generation sector is overseen by regulating bodies like the North American Electric Reliability Corporation (NERC). The NERC can impose significant fines on companies that violate critical infrastructure protection requirements, such as ensuring that communications are encrypted. Other similar regulations also exist for the chemical manufacturing sector."

Shanika Gunaratna, writing for CBS News: Snapchat and Skype are falling short in protecting users' privacy -- a failure that puts users' "human rights at risk," according to a report by the organization Amnesty International. Snapchat and Skype received dismal grades in a new set of rankings released by Amnesty that specifically evaluate how popular messaging apps use encryption to protect users' private communications. In the report, Amnesty is trying to elevate encryption as a human rights necessity, due to concerns that activists, opposition politicians and journalists in some countries could be put in grave danger if their communications on popular messaging apps were compromised. "Activists around the world rely on encryption to protect themselves from spying by authorities, and it is unacceptable for technology companies to expose them to danger by failing to adequately respond to the human rights risks," Sherif Elsayed-Ali, head of Amnesty's technology and human rights team, said in a statement. "The future of privacy and free speech online depends to a very large extent on whether tech companies provide services that protect our communications, or serve them up on a plate for prying eyes."Microsoft's Skype received 40 out of 100. WhatsApp fared at 73, and Apple scored 67 out of 100 for its iMessage and FaceTime apps. BlackBerry, Snapchat, and China's Tencent did 30 out of 100.

Orome1 quotes Help Net Security: VeraCrypt, the free, open source disk encryption software based on TrueCrypt, has been audited by experts from cybersecurity company Quarkslab. The researchers found 8 critical, 3 medium, and 15 low-severity vulnerabilities, and some of them have already been addressed in version 1.19 of the software, which was released on the same day as the audit report [which has mitigations for the still-unpatched vulnerabilities].
Anyone want to share their experiences with VeraCrypt? Two Quarkslab engineers spent more than a month on the audit, which was funded (and requested) by the non-profit Open Source Technology Improvement Fund "to evaluate the security of the features brought by VeraCrypt since the publication of the audit results on TrueCrypt 7.1a conducted by the Open Crypto Audit Project." Their report concludes that VeraCrypt's security "is improving which is a good thing for people who want to use a disk encryption software," adding that its main developer "was very positive along the audit, answering all questions, raising issues, discussing findings constructively..."

For the first time ever, secure HTTPS encryption was used for over half the pageloads served to Mozilla users, representing a big milestone for encryption. TechCrunch reports on the telemetry data tweeted by the Head of Let's Encrypt: Mozilla, which is one of the organizations backing Let's Encrypt, was reporting that 40% of page views were encrypted as of December 2015. So it's an impressively speedy rise...

The Let's Encrypt initiative, which exited beta back in April, is doing some of that work by providing sites with free digital certificates to help accelerate the switch to HTTPS. According to [co-founder Josh] Aas, Let's Encrypt added more than a million new active certificates in the past week -- which is also a significant step up. In the initiative's first six months (when still in beta) it only issued around 1.7 million certificates in all.
The "50% HTTPS" figure is just a one-day snapshot, and it's from "only a subset of Firefox users who are running Mozilla's telemetry browser...not default switched on for most Firefox users (only for users of pre-release Firefox builds)." But the biggest caveat is it's only counting Firefox users, which in July represented just 7.7% of web surfers (according to Statista), behind both Chrome (49.5%) and Safari (13.68%) -- but also ahead of Internet Explorer (5.4%) and Opera (5.99%).

An anonymous reader writes from a report via Softpedia: Some Android devices that contain firmware created by Foxconn may be vulnerable via a debugging feature left inside the bootloader, which acts as a backdoor and bypasses authentication procedures for any intruder with USB access to a vulnerable phone. By sending the "reboot-ftm" command to Android devices that contain Foxconn firmware, an attacker would authenticate via USB, and boot the device, running as root with SELinux disabled. There isn't a list of affected devices available yet, but Jon Sawyer, the researchers that discovered this hidden command, provides instructions on how to detect if a phone is affected. "Due to the ability to get a root shell on a password protected or encrypted device, Pork Explosion would be of value for forensic data extraction, brute forcing encryption keys, or unlocking the boot loader of a device without resetting user data. Phone vendors were unaware this backdoor has been placed into their products," Sawyer says.

An anonymous reader quotes a report from The Daily Dot: Signal, widely considered the gold standard of encrypted messaging apps, was put to the test earlier this year when a FBI subpoena and gag order that demanded a wide range of information on two users resulted in a federal grand jury investigation in Virginia. The makers of Signal, Open Whisper Systems, profoundly disappointed law enforcement. The app collects as little data as possible and therefore was unable to hand anything useful over to agents. "That's not because Signal chose not to provide logs of information," ACLU lawyer Brett Kaufman told the Associated Press. "It's just that it couldn't." "The Signal service was designed to minimize the data we retain," Moxie Marlinspike, the founder of Open Whisper Systems, told the New York Times. The subpoena came with a yearlong gag order that was successfully challenged by the American Civil Liberties Union. Signal's creators challenged the gag order as unconstitutional, "because it is not narrowly tailored to a compelling government interest." The challenge was successful. In addition to being popularly considered the best consumer encrypted messaging app available, Signal's technology is used by Facebook for Secret Conversations, WhatsApp for encrypted messages, and Google's Allo. Confronted with the subpoena, Marlinspike went to the ACLU for legal counsel. The ACLU responded with a letter saying that even though Signal did not have data the FBI sought, it still strenuously objected (PDF) to the fact the FBI wanted so much information.

Trailrunner7 quotes a report from On the Wire: Credential theft is one of the more persistent and troubling threats in security, and researchers have been trying to come up with answers to it for decades. A team at the University of Washington has developed a system that can prevent attackers from intercepting passwords and keys sent over the air by sending them through users' bodies instead. The human body is a good transmission mechanism for certain kinds of waves, and the UW researchers were looking for a way to take advantage of that fact to communicate authentication information from a user's phone directly to a target device, such as a door knob or medical device. In order to make that idea a reality, they needed to develop a system that could be in direct contact with the user's body, and could produce electromagnetic signals below 10 MHz. And to make the system usable for a mass audience, the team needed widely available hardware that could generate and transmit the signals. So the researchers settled on the fingerprint sensor on iPhones and the touchpad on Lenovo laptops, as well as a fingerprint scanner and a touchpad from Adafruit. The concept is deceptively simple: generate an electromagnetic signal from the fingerprint sensor or touchpad and transmit that through the user's body to the target device. The signal can carry a typical password or even an encryption key, the researchers said. "We show for the first time that commodity devices can be used to generate wireless data transmissions that are confined to the human body. Specifically, we show that commodity input devices such as fingerprint sensors and touchpads can be used to transmit information to only wireless receivers that are in contact with the body," the researchers, Mehrdad Hessar, Vikram Iyer, and Shyamnath Gollakota, of UW said in their paper, "Enabling On-Body Transmissions With Commodity Devices."

Apple CEO Tim Cook has once again defended his company's hardline approach to security. At Utah Tech Tour event while taking questions from the audience, Cook said, (via BusinessInsider):"This is one of the biggest issues that we face. Encryption is what makes the public safe. As you know, there are people kept alive because the grid is up. If our grid goes down, if there was a grid attack, the public's safety is at risk" -- hence the need for encryption to protect it. "You can imagine defence systems need encryption, because there are a few bad actors in the world who might like to attack those. [...] Some people have tried to make it out to be bad," the chief executive told the audience at the Utah question-and-answer session. "Encryption is inherently great, and we would not be a safe society without it. So this is an area that is very, very important for us... as you can tell from our actions earlier this year, we throw all of ourselves into this." he added. "We're very much standing on principle here."

An anonymous reader quotes a report from Ars Technica: Two lawyers and legal researchers based at Stanford University have formally asked a federal court in San Francisco to unseal numerous records of surveillance-related cases, as a way to better understand how authorities seek such powers from judges. This courthouse is responsible for the entire Northern District of California, which includes the region where tech companies such as Twitter, Apple, and Google, are based. According to the petition, Jennifer Granick and Riana Pfefferkorn were partly inspired by a number of high-profile privacy cases that have unfolded in recent years, ranging from Lavabit to Apple's battle with the Department of Justice. In their 45-page petition, they specifically say that they don't need all sealed surveillance records, simply those that should have been unsealed -- which, unfortunately, doesn't always happen automatically. The researchers wrote in their Wednesday filing: "Most surveillance orders are sealed, however. Therefore, the public does not have a strong understanding of what technical assistance courts may order private entities to provide to law enforcement. There are at least 70 cases, many under seal, in which courts have mandated that Apple and Google unlock mobile phones and potentially many more. The Lavabit district court may not be the only court to have ordered companies to turn over private encryption keys to law enforcement based on novel interpretations of law. Courts today may be granting orders forcing private companies to turn on microphones or cameras in cars, laptops, mobile phones, smart TVs, or other audio- and video-enabled Internet-connected devices in order to conduct wiretapping or visual surveillance. This pervasive sealing cripples public discussion of whether these judicial orders are lawful and appropriate."

grcumb writes: Peruvian mathematician Harald Helfgott made his mark on the history of mathematics by solving Goldbach's weak conjecture, which states that every odd number greater than 7 can be expressed as the sum of three prime numbers. Now, according to Scientific American, he's found a better solution to the sieve of Eratosthenes: "In order to determine with this sieve all primes between 1 and 100, for example, one has to write down the list of numbers in numerical order and start crossing them out in a certain order: first, the multiples of 2 (except the 2); then, the multiples of 3, except the 3; and so on, starting by the next number that had not been crossed out. The numbers that survive this procedure will be the primes. The method can be formulated as an algorithm." But now, Helfgott has found a method to drastically reduce the amount of RAM required to run the algorithm: "Now, inspired by combined approaches to the analytical 100-year-old technique called the circle method, Helfgott was able to modify the sieve of Eratosthenes to work with less physical memory space. In mathematical terms: instead of needing a space N, now it is enough to have the cube root of N." So what will be the impact of this? Will we see cheaper, lower-power encryption devices? Or maybe quicker cracking times in brute force attacks? Mathematician Jean Carlos Cortissoz Iriarte of Cornell University and Los Andes University offers an analogy: "Let's pretend that you are a computer and that to store data in your memory you use sheets of paper. If to calculate the primes between 1 and 1,000,000, you need 200 reams of paper (10,000 sheets), and with the algorithm proposed by Helfgott you will only need one fifth of a ream (about 100 sheets)," he says.

When Google first unveiled its Allo messaging app, the company said it would not keep a log of chats you have with people when in incognito mode. The company released Allo for iOS and Android users last night, and it seems it is reneging on some of those promises. The Verge reports:The version of Allo rolling out today will store all non-incognito messages by default -- a clear change from Google's earlier statements that the app would only store messages transiently and in non-identifiable form. The records will now persist until the user actively deletes them, giving Google default access to a full history of conversations in the app. Users can also avoid the logging by using Alo's Incognito Mode, which is still fully end-to-end encrypted and unchanged from the initial announcement. Like Hangouts and Gmail, Allo messages will still be encrypted between the device and Google servers, and stored on servers using encryption that leaves the messages accessible to Google's algorithms. According to Google, the change was made to improve the Allo assistant's smart reply feature, which generates suggested responses to a given conversation. Like most machine learning systems, the smart replies work better with more data. As the Allo team tested those replies, they decided the performance boost from permanently stored messages was worth giving up privacy benefits of transient storage.

An anonymous reader writes: Google has officially launched their long-awaited messaging app for iOS and Android, called Google Allo. There are several unique features associated with this app that Google hopes will win you over. Smart Reply lets you respond to messages with just a tap, so you can send a quick "yup" in response to a friend asking "Are you on your way?" It will also suggest responses for photos. For example, if you send a picture of a dog, Smart Reply might suggest a heart emoji or "Super cute!" message, which you can select and send with a tap. Google says Smart Reply will improve over time and adjust to your style. You can also send large or small text and emojis, as well as draw on pictures. There's an incognito mode that will activate end-to-end encryption, discreet notifications, and message expiration on your chats. Arguably best of all is the Google Assistant that can be added to your chats to automatically cater useful information to you depending on what is being conversed in the chat. For example, it can deliver news, weather, traffic, sports or your upcoming flight status to your chat. You can also ask your Assistant to "share that funny YouTube video or play games with friends right in your group chat." Google Allo is rolling out to Android and iOS starting today.

"If the PC is tampered with, it will trigger an alert and erase the PC's encryption key, making the data totally inaccessible." Last month Design SHIFT began crowdfunding an elaborate "open source, physically secure personal computer" named ORWL (after George Orwell). "Having exceeded its $25,000 funding goal on Crowd Supply, the super-secure PC is in production," reports PC World, in an article shared by Slashdot reader ogcricket about the device which tries to anticipate every possible attack: The encryption key to the drive is stored on a security microcontroller instead of the drive... The ORWL's makers say the wire mesh itself is constantly monitored... Any attempts to trick, bypass, or short the wire mesh will cause the encryption key to be deleted. The unit's security processor also monitors movement, and a user can select a setting that will wipe or lock down the PC's data if it is moved to another location... The RAM is soldered to the motherboard and can't be easily removed to be read elsewhere...

Your ORWL unlocks by using a secure NFC and Bluetooth LE keyfob. Pressing it against the top of the ORWL and entering a password authenticates the user. Once the user has been authenticated, Bluetooth LE is then ensures that the user is always nearby. Walk away, and the ORWL will lock.

"Remember the San Bernardino killer's iPhone, and how the FBI maintained that they couldn't get the encryption key without Apple providing them with a universal backdoor?" Slashdot reader LichtSpektren quotes Bruce Schneier: Many of us computer-security experts said that they were wrong, and there were several possible techniques they could use. One of them was manually removing the flash chip from the phone, extracting the memory, and then running a brute-force attack without worrying about the phone deleting the key. The FBI said it was impossible. We all said they were wrong. Now, Sergei Skorobogatov has proved them wrong.
Sergei's new paper describes "a real world mirroring attack on the Apple iPhone 5c passcode retry counter under iOS 9." The process does not require any expensive and sophisticated equipment. All needed parts are low cost and were obtained from local electronics distributors. By using the described and successful hardware mirroring process it was possible to bypass the limit on passcode retry attempts... Although the process can be improved, it is still a successful proof-of-concept project.

The University of Texas at Austin and Cornell University are saying blurred or pixelated images are not as safe as they may seem. As machine learning technology improves, the methods used to hide sensitive information become less secure. Quartz reports: Using simple deep learning tools, the three-person team was able to identify obfuscated faces and numbers with alarming accuracy. On an industry standard dataset where humans had 0.19% chance of identifying a face, the algorithm had 71% accuracy (or 83% if allowed to guess five times). The algorithm doesn't produce a deblurred image -- it simply identifies what it sees in the obscured photo, based on information it already knows. The approach works with blurred and pixelated images, as well as P3, a type of JPEG encryption pitched as a secure way to hide information. The attack uses Torch (an open-source deep learning library), Torch templates for neural networks, and standard open-source data. To build the attacks that identified faces in YouTube videos, researchers took publicly-available pictures and blurred the faces with YouTube's video tool. They then fed the algorithm both sets of images, so it could learn how to correlate blur patterns to the unobscured faces. When given different images of the same people, the algorithm could determine their identity with 57% accuracy, or 85% percent when given five chances. The report mentions Max Planck Institute's work on identifying people in blurred Facebook photos. The difference between the two research is that UT and Cornell's research is much more simple, and "shows how weak these privacy methods really are."

Sean Gallagher, writing for ArsTechnica: Another major site breach from four years ago has resurfaced. Today, LeakedSource revealed that it had received a copy of a February 2012 dump of the user database of Rambler.ru, a Russian search, news, and e-mail portal site that closely mirrors the functionality of Yahoo. The dump included usernames, passwords, and ICQ instant messaging accounts for over 98 million users. And while previous breaches uncovered by LeakedSource this year had at least some encryption of passwords, the Rambler.ru database stored user passwords in plain text -- meaning that whoever breached the database instantly had access to the e-mail accounts of all of Rambler.ru's users. The breach is the latest in a series of "mega-breaches" that LeakedSource says it is processing for release. Rambler isn't the only Russian site that has been caught storing unencrpyted passwords by hackers. In June, a hacker offered for sale the entire user database of the Russian-language social networking site VK.com (formerly VKontakte) from a breach that took place in late 2012 or early 2013; that database also included unencrypted user passwords, as ZDNet's Zach Whittaker reported.

"Tor hasn't changed, it's the world that's changed," says Aaron Johnson, the lead researcher on a 2013 paper which reported that 80% of Tor users could be de-anonymized within six months, and that today's users may want protection from different threats. An anonymous Slashdot reader quotes Ars Technica: The most probable future we face is a world in which Tor continues to offer a good-but-not-perfect, general-purpose anonymity system, while new anonymity networks arrive offering stronger anonymity optimised for particular use-cases, like anonymous messaging, anonymous filesharing, anonymous microblogging, and anonymous voice-over-IP. Nor is the Tor Project standing still. Tor today is very different from the first public release more than a decade ago, [Tor project cofounder Nick] Mathewson is quick to point out. That evolution will continue.

"It's been my sense for ages that the Tor we use in five years will look very different from the Tor we use today," he says. "Whether that's still called Tor or not is largely a question of who builds and deploys it first. We are not stepping back from innovation. I want better solutions than we have today that are easier to use and protect people's privacy."
The article lists five projects that are "breaking new ground in developing stronger anonymity systems," including the Dissent Project, the Aqua and Herd projects (for filesharing and voice over IP), Vuvuzela/Alpenhorn (for anonymous chat), Riffle (filesharing), and Riposte (anonymous microblogging). Tor project cofounder Nick Mathewson is urging anonymity developers to begin using their own software. "What you learn about software from running it is like what you learn from food by tasting it... You can't actually know whether you've made a working solution for humans unless you give it to humans, including yourself."

The New York Times continues their coverage of the commercial spytech industry, noting its services "are in higher demand now that companies like Apple, Facebook and Google are using stronger encryption to protect data in their systems, in the process making it harder for government agencies to track suspects... For the last six years, the NSO Group's main product, a tracking system called Pegasus, has been used by a growing number of government agencies to target a range of smartphones -- including iPhones, Androids, and BlackBerry and Symbian systems -- without leaving a trace...to extract text messages, contact lists, calendar records, emails, instant messages and GPS locations." Slashdot reader turkeydance quotes their article: That will cost you $650,000, plus a $500,000 setup fee with an Israeli outfit called the NSO Group. You can spy on more people if you would like -- just check out the company's price list. The NSO Group is one of a number of companies that sell surveillance tools that can capture all the activity on a smartphone, like a user's location and personal contacts. These tools can even turn the phone into a secret recording device...

The company is one of dozens of digital spying outfits that track everything a target does on a smartphone. They aggressively market their services to governments and law enforcement agencies around the world. The industry argues that this spying is necessary to track terrorists, kidnappers and drug lords. The NSO Group's corporate mission statement is "Make the world a safe place"... An ethics committee made up of employees and external counsel vets potential customers based on human rights rankings set by the World Bank and other global bodies....
One of the services offered by the NSO group is "over the air stealth installation," though they can also install their spying software through Wi-Fi hot spots. One critic argues "They can say they're trying to make the world a safer place, but they are also making the world a more surveilled place."

River Tam quotes a report from CSO Australia: Enterprise access management firm OneLogin has suffered an embarrassing breach tied to a single employee's credentials being compromised. OneLogin on Tuesday revealed the breach affected a feature called Secure Notes that allowed its users to "store information." That feature however is pitched to users as a secure way to digitally jot down credentials for access to corporate firewalls and keys to software product licenses. The firm is concerned Secure Notes was exposed to a hacker for at least one month, though it may have been from as early as July 2 through to August 25, according to a post by the firm. Normally these notes should have been encrypted using "multiple levels of AES-256 encryption," it said in a blog post. Several thousand enterprise customers, including high profile tech startups, use OneLogin for single sign-on to access enterprise cloud applications. The company has championed the SAML standard for single sign-on and promises customers an easy way to enable multi-factor authentication from devices to cloud applications. But it appears the company wasn't using multi-factor authentication for its own systems. OneLogin's CISO Alvaro Hoyos said a bug in its software caused Secure Notes to be "visible in our logging system prior to being encrypted and stored in our database." The firm later found out that an employees compromised credentials were used to access this logging system. The company has since fixed the bug on the same day it detected the bug. CSO adds that the firm "also implemented SAML-based authentication for its log management system and restricted access to a limited set of IP addresses."

SonicSpike quotes a report from ABC News: FBI Director James Comey warned again Tuesday about the bureau's inability to access digital devices because of encryption and said investigators were collecting information about the challenge in preparation for an "adult conversation" next year. Widespread encryption built into smartphones is "making more and more of the room that we are charged to investigate dark," Comey said in a cybersecurity symposium. The remarks reiterated points that Comey has made repeatedly in the last two years, before Congress and in other settings, about the growing collision between electronic privacy and national security. "The conversation we've been trying to have about this has dipped below public consciousness now, and that's fine," Comey said at a symposium organized by Symantec, a technology company. "Because what we want to do is collect information this year so that next year we can have an adult conversation in this country." The American people, he said, have a reasonable expectation of privacy in private spaces -- including houses, cars and electronic devices. But that right is not absolute when law enforcement has probable cause to believe that there's evidence of a crime in one of those places, including a laptop or smartphone. "With good reason, the people of the United States -- through judges and law enforcement -- can invade our private spaces," Comey said, adding that that "bargain" has been at the center of the country since its inception. He said it's not the role of the FBI or tech companies to tell the American people how to live and govern themselves. "We need to understand in the FBI how is this exactly affecting our work, and then share that with folks," Comey said, conceding the American people might ultimately decide that its privacy was more important than "that portion of the room being dark." Comey made his remarks to the 2016 Symantec Government Symposium. The Daily Dot has another take on Comey's remarks, which you can read here.