DecryptorMax/CryptInfinite Ransomware Decrypted, No Need To Pay Ransom

An anonymous reader writes: Emsisoft has launched a new tool capable of decrypting files compromised by the DecryptorMax (CryptInfinite) ransomware. The tool is quite easy to use, and will generate a decryption key. For best results users should compare an encrypted and decrypted file, but the tool can also get the decryption key by comparing an encrypted PNG with a random PNG downloaded off the Internet.

Privacy Vulnerability Exposes VPN Users' Real IP Addresses

An anonymous reader writes: A major security flaw which reveals VPN users' real IP addresses has been discovered by Perfect Privacy (PP). The researchers suggest that the problem affects all VPN protocols, including IPSec, PPTP and OpenVPN. The technique involves a port-forwarding tactic whereby a hacker using the same VPN as its victim can forward traffic through a certain port, which exposes the unsuspecting user's IP address. This issue persists even if the victim has disabled port forwarding. PP discovered that five out of nine prominent VPN providers that offer port forwarding were vulnerable to the attack.

The First Online Purchase Was a Sting CD (Or Possibly Weed)

tedlistens writes: On August 11, 1994, 21-year-old Dan Kohn, founder of a pioneering, online commerce site, made his first web sale. His customer, a friend of his in Philadelphia, spent $12.48, plus shipping costs on Sting's CD "Ten Summoner's Tales," in a transaction protected by PGP encryption. "Even if the N.S.A. was listening in, they couldn't get his credit card number," Kohn told a New York Times reporter in an article about NetMarket the following day. According to a new short video about the history of online shopping, there were a few precedents, including a weed deal between grad students on the ARPANET and a 74-year-old British grandmother who in 1984 used a Videotex—essentially a TV connected to telephone lines—to order margarine, eggs, and cornflakes.

VTech Hack Exposes Data On 4.8 Million Adults, 200,000 Kids

New submitter lorenzofb writes: A hacker broke into the site of the popular toy company VTech and was able to easily get 4.8 million credentials, and 227k kids' identities using SQL injection. The company didn't find out about the breach until Motherboard told them. According to Have I Been Pwned, this is the fourth largest consumer data breach ever. "[Security specialist Troy Hunt] said that VTech doesn't use SSL web encryption anywhere, and transmits data such as passwords completely unprotected. ... Hunt also found that the company's websites "leak extensive data" from their databases and APIs—so much that an attacker could get a lot of data about the parents or kids just by taking advantage of these flaws."

Greenwald: Why the CIA Is Smearing Edward Snowden After Paris Attacks

JoeyRox points out that Glenn Greenwald has some harsh words for the CIA in an op-ed piece for the LA Times. From the article: "Decent people see tragedy and barbarism when viewing a terrorism attack. American politicians and intelligence officials see something else: opportunity. Bodies were still lying in the streets of Paris when CIA operatives began exploiting the resulting fear and anger to advance long-standing political agendas. They and their congressional allies instantly attempted to heap blame for the atrocity not on Islamic State but on several preexisting adversaries: Internet encryption, Silicon Valley's privacy policies and Edward Snowden."

Software Freedom Conservancy Asks For Supporters

paroneayea writes: Software Freedom Conservancy is asking people to join as supporters to save both their basic work and GPL enforcement. Conservancy is the steward of projects like Samba, Wine, BusyBox, QEMU, Inkscape, Selenium, and many more. Conservancy also does much work around GPL enforcement and needs 2,500 members to join in order to save copyleft compliance work. They list some of the past year's successes, too, including fighting for and successfully earning "an exemption from the Library of Congress in the DMCA review process to legally permit circumvention of encryption on Smart TVs, ensuring that you are free to hack on the devices that you legally own."

New IBM Tech Lets Apps Authenticate You Without Personal Data

itwbennett writes: IBM's Identity Mixer allows developers to build apps that can authenticate users' identities without collecting personal data. Specifically, Identity Mixer authenticates users by asking them to provide a public key. Each user has a single secret key, and it corresponds with multiple public keys, or identities. IBM announced on Friday that Identity Mixer is now available to developers on its Bluemix cloud platform.

Blackberry Offers 'Lawful Device Interception Capabilities'

An anonymous reader writes: Apple and Google have been vocal in their opposition to any kind of government regulation of cell phone encryption. BlackBerry, however, is taking a different stance, saying it specifically supports "lawful interception capabilities" for government surveillance. BlackBerry COO Marty Beard said as much at a recent IT summit. He declined to explain how the interception works, but he denied the phones would contain "backdoors" and said governments would have no direct access to BlackBerry servers. The company may see this as a way to differentiate themselves from the competition.

TrueCrypt Safer Than Previously Thought

An anonymous reader writes: Back in September, members of Google's Project Zero team found a pair of flaws in the TrueCrypt disk encryption software that could lead to a system compromise. Their discovery raised concerns that TrueCrypt was unsuitable for use in securing sensitive data. However, the Fraunhofer Institute went ahead with a full audit of TrueCrypt's code, and they found it to be more secure than most people think. They correctly point out that for an attacker to exploit the earlier vulnerabilities (and a couple more vulnerabilities they found themselves), the attacker would already need to have "far-reaching access to the system," with which they could do far worse things than exploit an obscure vulnerability.

The auditors say, "It does not seem apparent to many people that TrueCrypt is inherently not suitable to protect encrypted data against attackers who can repeatedly access the running system. This is because when a TrueCrypt volume is mounted its data is generally accessible through the file system, and with repeated access one can install key loggers etc. to get hold of the key material in many situations. Only when unmounted, and no key is kept in memory, can a TrueCrypt volume really be secure." For other uses, the software "does what it's designed for," despite its code flaws. Their detailed, 77-page report (PDF) goes into further detail.


ISIS Help Desk Assists In Covering Tracks

An anonymous reader writes: The ISIS terror group appears to have 5 to 6 members offering 24-hour support on how to encrypt communications, hide personal details and use apps like Twitter while avoiding surveillance. It's kind of like a 'help desk,' though not an actual call center hiding in the hills. It is a group of IT specialists answering questions from locations spread out all over the world, according to Aaron Brantly at the Combating Terrorism Center at West Point. It has been found out that the advice is largely being relayed on an ISIS channel on Telegram, a messaging app that has become popular among members of the group because it allows for special secret chats. The jihadi help desk has lengthy training manuals, and Brantly has reviewed over 300 pages of training documents and roughly 25 YouTube videos that provide tips to evade intelligence agencies and law enforcement.

Manhattan DA Pressures Google and Apple To Kill Zero Knowledge Encryption

An anonymous reader writes: In a speech to the 6th Annual Financial Crimes and Cybersecurity Symposium, New York County District Attorney for Manhattan Cyrus Vance Jr. has appealed to the tech community — specifically citing Google and Apple — to "do the right thing" and end zero-knowledge encryption in mobile operating systems. Vance Jr. praised FBI director James Comey for his 'outspoken' and 'fearless' advocacy against zero knowledge encryption, and uses the recent attacks on Paris as further justification for returning encryption keys to the cloud, so that communications providers can once again comply with court orders.

Carnegie Mellon Denies FBI Paid For Tor-Breaking Research

New submitter webdesignerdudes writes with news that Carnegie Mellon University now implies it may have been subpoenaed to give up its anonymity-stripping technique, and that it was not paid $1 million by the FBI for doing so. Wired reports: "In a terse statement Wednesday, Carnegie Mellon wrote that its Software Engineering Institute hadn’t received any direct payment for its Tor research from the FBI or any other government funder. But it instead implied that the research may have been accessed by law enforcement through the use of a subpoena. 'In the course of its work, the university from time to time is served with subpoenas requesting information about research it has performed,' the statement reads. 'The university abides by the rule of law, complies with lawfully issued subpoenas and receives no funding for its compliance.'"

Police Find Paris Attackers Coordinate Via Unencrypted SMS

schwit1 writes: In the wake of the tragic events in Paris last week encryption has continued to be a useful bogeyman for those with a voracious appetite for surveillance expansion. Like clockwork, numerous reports were quickly circulated suggesting that the terrorists used incredibly sophisticated encryption techniques, despite no evidence by investigators that this was the case. These reports varied in the amount of hallucination involved, the New York Times even having to pull one such report offline. Other claims the attackers had used encrypted Playstation 4 communications also wound up being bunk.

US Rep. Joe Barton Has a Plan To Stop Terrorists: Shut Down Websites

Earthquake Retrofit writes: In an FCC oversight hearing, U.S. Representative Joe Barton (R-TX) asked Chairman Tom Wheeler if it's possible to shut down websites used by ISIS and other terrorist groups. He said, "Isn't there something we can do under existing law to shut those Internet sites down, and I know they pop up like weeds, but once they do pop up, shut them down and then turn those Internet addresses over to the appropriate law enforcement agencies to try to track them down? I would think that even in an open society, when there is a clear threat, they've declared war against us, our way of life, they've threatened to attack this very city our capital is in, that we could do something about the Internet and social media side of the equation." Wheeler pointed out that the legal definition of "lawful intercept" did not support such actions, but added that Congress could expand the law to validate the concept. Meanwhile, the Senate Intelligence Committee is exploring the idea of using the recent terror attacks in France as ammunition to force tech companies away from end-to-end encryption. "Lawmakers said it was time to intensify discussions over what technology companies such as Apple and Google could do to help unscramble key information on devices such as iPhones and apps like WhatsApp, where suspected terrorists have communicated."

NYT Quietly Pulls Article Blaming Encryption In Paris Attacks

Inside Sources reports that the NY Times has quietly pulled a story from its website alleging the attackers used encrypted technology. The original piece, which has since been removed, can be found on the Internet Archive. It stated, "The attackers are believed to have communicated using encryption technology, according to European officials who had been briefed on the investigation but were not authorized to speak publicly. It was not clear whether the encryption was part of widely used communications tools, like WhatsApp, which the authorities have a hard time monitoring, or something more elaborate. Intelligence officials have been pressing for more leeway to counter the growing use of encryption."

A link to the NY Times article now redirects readers to a separate, general article on the attacks, which does not contain the word "encrypt." The Times later posted a second article citing an anonymous "European counterterrorism official" who was quoted saying authorities' "working assumption is that these guys were very security aware," but clarified officials "offered no evidence."

UK PM Wants To Speed Up Controversial Internet Bill After Paris Attacks

An anonymous reader writes: Less than three days after the attacks in Paris, UK prime minister David Cameron has suggested that the process of review for the controversial Draft Investigatory Powers Bill should be accelerated. The controversial proposal, which would require British ISPs to retain a subset of a user's internet history for a year and in effect outlaw zero-knowledge encryption in the UK, was intended for parliamentary review and ratification by the end of 2016, but at the weekend ex-terrorist watchdog Lord Carlile was in the vanguard of demands to speed the bill into law by the end of this year, implicitly criticizing ex-NSA whistleblower Edward Snowden for having 'shown terrorists ways to hide their electronic footprints'.

Microsoft To Provide New Encryption Algorithm For the Healthcare Sector

An anonymous reader writes: The healthcare sector gets a hand from Microsoft, who will release a new encryption algorithm which will allow developers to handle genomic data in encrypted format, without the need of decryption, and by doing so, minimizing security risks. The new algorithm is dubbed SEAL (Simple Encrypted Arithmetic Library) and is based on homomorphic encryption, which allows mathematical operations to be run on encrypted data, yielding the same results as if it would run on the cleartext version. Microsoft will create a new tool and offer it as a free download. They've also published the theoretical research. For now, the algorithm can handle only genomic data.

Self-Encrypting Drives Hardly Any Better Than Software-Based Encryption

itwbennett writes: The main security benefit of Self-Encrypting Drives (SEDs) is that the encryption key is not stored in the OS memory, but on the disk itself, which makes it less exposed to theft. However, some attacks that work against software-based encryption products also affect SEDs, including evil maid attacks and those that bypass Windows authentication. Once a SED is unlocked, it remains in that state until the power to it is cycled or a deauthentication command is sent. When the laptop is put in sleep mode the drive state is locked, but when it resumes from sleep, the pre-boot management software, which is already loaded in memory, unlocks the drive. [A team of] researchers devised three attacks to take advantage of this situation.

Tor Project Claims FBI Paid University Researchers $1m To Unmask Tor Users

An anonymous reader writes: Have Carnegie Mellon University researchers been paid by the FBI to unmask a subset of Tor users so that the agents could discover who operated Silk Road 2.0 and other criminal suspects on the dark web? Tor Project Director Roger Dingledine believes so, and says that they were told by sources in the information security community that the FBI paid at least $1 million for the service. From the article: "There is no indication yet that they had a warrant or any institutional oversight by Carnegie Mellon's Institutional Review Board. We think it's unlikely they could have gotten a valid warrant for CMU's attack as conducted, since it was not narrowly tailored to target criminals or criminal activity, but instead appears to have indiscriminately targeted many users at once," noted Dingledine. "Such action is a violation of our trust and basic guidelines for ethical research. We strongly support independent research on our software and network, but this attack crosses the crucial line between research and endangering innocent users," he pointed out.

Linux Ransomware Has Predictable Key, Automated Decryption Tool Released

itwbennett writes: Last week a new piece of ransomware was discovered that targets Linux servers. Yesterday, researchers at Bitdefender discovered a critical flaw in how the ransomware (dubbed Linux.Encoder.1) operates while testing a sample in their lab and released a free tool that will automatically decrypt any files on a victim's system that were targeted.