Leap Towards a Career in Ethical Hacking with 60+ Hours of Prep Toward CISM, CISA, & More Certification Exams at 95% off ×
Government

Student Exposes Bad Police Encryption, Gets Suspended Sentence (podcrto.si) 168

An anonymous reader shares a story about Dejan Ornig, a security analyst in Slovenia who warned the Slovenian police department about vulnerabilities in their supposedly secure communication system TETRA in 2013. (Here's Google's English translation of the article, and the Slovenian original.) He discovered that the system, which was supposed to provide encrypted communication, was incorrectly configured. As a result lots of communication could be intercepted with a $25 piece of equipment and some software. To make matters worse, the system is not used just by the police, but also by the military, military police, IRS, Department of Corrections and a few other governmental institutions which rely on secure communications.

After waiting for more than two years for a reaction, from police or Ministry of Interior and getting in touch with security researchers at the prestigious institute Jozef Stefan, he eventually decided to go public with his story... The police and Ministry of interior then launched an internal investigation, which then confirmed Ornig's findings and revealed internal communications problems between the departments... Ornig has been subject to a house search by the police, during which his computers and equipment that he used to listen in on the system were seized. Police also found a "counterfeit police badge" during the investigation. All along Ornig was offering his help with securing the system.

On May 11th Ornig received a prison sentence of 15 months suspended for duration of three years, provided that he doesn't repeat any of the offenses for which he was found guilty (illegal access of the communications system). He can appeal this judgment.

Google

Don't Use Google Allo (vice.com) 127

At its developer conference on Wednesday, Google announced Allo, a chatbot-enabled messaging app. The app offers a range of interesting features such as the ability to quickly doodle on an image and get prompt responses. Additionally, it is the "first Google" product to offer end-to-end encryption, though that is not turned on by default. If you're concerned about privacy, you will probably still want to avoid Allo, says the publication. From the report: Allo's big innovation is "Google Assistant," a Siri competitor that will give personalized suggestions and answers to your questions on Allo as well as on the newly announced Google Home, which is a competitor to Amazon's Echo. On Allo, Google Assistant will learn how you talk to certain friends and offer suggested replies to make responding easier. Let that sink in for a moment: The selling point of this app is that Google will read your messages, for your convenience. Google would be insane to not offer some version of end-to-end encryption in a chat app in 2016, when all of its biggest competitors have it enabled by default. Allo uses the Signal Protocol for its encryption, which is good. But as with all other Google products, Allo will work much better if you let Google into your life. Google is banking on the idea that you won't want to enable Incognito Mode, and thus won't enable encryption.Edward Snowden also chimed in on the matter. He said, "Google's decision to disable end-to-end encryption by default in its new Allo chat app is dangerous, and makes it unsafe. Avoid it for now."
United States

Apple, Microsoft and Other US Tech Companies Undergoing 'Security Reviews' in China (neowin.net) 34

An anonymous reader writes: Chinese government is keeping an ever watchful eye on the companies doing business in the country, especially when foreign companies compete with local ones. To that end, the Chinese authorities have begun a security review among many different American technology companies like Apple and others. These, while mostly done out of the public sphere, seem to target issues like encryption and data storage. According to a report from the New York Times (paywalled; alternate source), government representatives have been questioning engineers and executives from different technology companies with regards to these issues for the last nine months. The so-called security reviews are being done by the Cyberspace Administration of China, with the government committee including experts tied to the country's military and security agencies.The Verge has more details.
It's funny.  Laugh.

John McAfee Tried to Trick Reporters Into Thinking He Hacked WhatsApp (gizmodo.com) 99

John McAfee, best known for creating McAfee security suite, apparently tried to trick journalists into believing that he is capable of breaking WhatsApp's end-to-end encryption and reading the private conversations. Gizmodo reports that McAfee tried to do so by sending journalists with compromised smartphones -- riddled with malicious tools such as keylogger. From the report: "[John McAfee was offering to a different couple of news organizations to mail them some phones, have people show up, and then demonstrate with those two phones that [McAfee] in a remote location would be able to read the message as it was sent across the phones," cybersecurity expert Dan Guido, who was contacted by a reporter trying to verify McAfee's claims said. "I advised the reporter to go out and buy their own phones, because even though they come in a box itâ(TM)s very easy to get some saran wrap and a hair dryer to rebox them."
Open Source

Linux Kernel 4.6 Officially Released (softpedia.com) 149

An anonymous coward writes: Just like clockwork, the Linux 4.6 kernel was officially released today. Details on the kernel changes for Linux 4.6 can be found via Phoronix and KernelNewbies.org. NVIDIA GeForce GTX 900 Maxwell support and Dell XPS 13 Skylake support are among the many hardware changes for 4.6. For Linux 4.7 there are already several new features to look forward to from new DRM display drivers to a new CPU scaling governor expected.
prisoninmate also writes: Linus Torvalds announced the final release of the anticipated Linux 4.6 kernel, which, after seven Release Candidate builds introduces features like "the OrangeFS distributed file system, support for the USB 3.1 SuperSpeed Plus (SSP) protocol, offering transfer speeds of up to 10Gbps, improvements to the reliability of the Out Of Memory task killer, as well as support for Intel Memory protection keys," [according to Softpedia].

"Moreover, Linux kernel 4.6 ships with Kernel Connection Multiplexor, a new component designed for accelerating application layer protocols, 802.1AE MAC-level encryption (MACsec) support, online inode checker for the OCFS2 file system, support for the BATMAN V protocol, and support for the pNFS SCSI layout."

Digital

DVDFab Has Ignored Court's Shut Down Order, AACS Says (torrentfreak.com) 167

An anonymous reader cites a report on TorrentFreak: DVDFab has failed to cease its operations in the U.S. and should be sanctioned, AACS says. The decryption licensing outfit founded by Warner Bros, Disney, Microsoft, Intel and others, informs a New York federal court that DVDFab's parent company has blatantly ignored a permanent injunction that was issued last year. In 2014 decryption licensing outfit AACS LA initiated a renewed crackdown on DRM-circumvention software. The company, founded by a group of movie studios and technology partners, sued the makers of popular DVD and Blu-Ray ripping software DVDFab in a New York federal court. After a brief legal battle the court ruled in favor of AACS, issuing an injunction based on the argument that the "DVDFab Group" violates the DMCA's anti-circumvention clause, since their software can bypass DVD and Bluray encryption. Among other things, the injunction barred DVDFab from distributing its software in public and allowed AACS to seize a wide range of domain names. The crippling injunction seemed to work, but not for long. In a new court filing, AACS notes that the software vendor briefly blocked U.S. purchases but went back to business as usual soon after (PDF).
Encryption

FBI Has Sights On Larger Battle Over Encryption After Apple Feud (bloomberg.com) 171

An anonymous reader writes from a report via Bloomberg: FBI Director James Comey said the FBI is exploring how to make broader use of the hack, used to access a San Bernardino terrorist's encrypted iPhone, while bracing for a larger battle involving encrypted text messages, e-mails and other data. The tool could "in theory be used in any case where there's a court order" to access data on an iPhone 5c running Apple's iOS 9 OS, Comey told reporters in Washington on Wednesday. However, accessing content on a phone, known as "data at rest," is only part of the challenge that encryption poses for U.S. investigators. Software applications and other services that encrypts texts, e-mails and other information in transit over the Internet, known as "data in motion," are "hugely significant," especially for national security investigations, Comey said. He said criminals are increasingly using services that encrypt data in motion, and he didn't rule out litigation against companies such as WhatsApp. "WhatsApp has over a billion customers, overwhelmingly good people," Comey said. "But in that billion customers are terrorists and criminals, and so that now ubiquitous feature of all WhatsApp products will affect both sides of the house." As for whether or not there will be litigation against WhatsApp down the road, Comey says, "I don't know." The FBI is trying to figure out how to allow "law enforcement around the country with court orders to be able to use our tool," Comey said. It's "tricky," he said, because using the tool to help state and local criminal investigations could mean that it would have to be revealed in a court preceding if there isn't a procedure in place to prohibit testimony about how it works.
Encryption

British Hacker Love Wins Court Battle Over Encryption Keys (theintercept.com) 42

An anonymous reader writes: A judge in Westminster has ruled that alleged hacktivist Lauri Love cannot be forced to provide encryption keys to the National Crime Authority. This move has been called a "victory for all who use encryption in the UK" and a "great decision for privacy and personal freedom." The NCA's request was widely regarded as an attempt to circumvent the Regulatory of Investigative Powers Act of 2000, which specifically legislates police power to compel subjects to hand over encryption keys. The NCA originally tried to force Love to turn over encryption keys under RIPA in 2014 but were unsuccessful. So Love, whose property was seized two years ago, made an application to have it returned under the 1897 Police Property Act. In response, the NCA attempted to legally force decryption under the same act. The NCA argued, in the ruling documents, that they could only ascertain the contents of the devices if Love was forced to provide the encryption key. The district judge was not persuaded by this argument, saying, "The case management powers of the court are not to be used to circumvent specific legislation that has been passed in order to deal with the disclosure sought." Legal experts have noted that this case represents a civil action being put forth in a magistrate's court, which normally only deals with criminal issues.
Iphone

LAPD Hacked An iPhone 5s Before The FBI Hacked San Bernardino Terrorist's iPhone 5c (latimes.com) 47

According to recently released court papers, Los Angeles police investigators found a way to break into a locked iPhone 5s belonging to April Jace, the slain wife of "The Shield" actor Michael Jace. The detectives were able to bypass the security at around the same time period the FBI was demanding Apple unlock the iPhone 5c belonging to San Bernardino terrorist Syed Rizwan Farook. LAPD detective Connie Zych wrote on March 18, the department found a "forensic cellphone expert" who could "override the locked iPhone function," according to the search warrant. There's no mention of how the LAPD broke into the iPhone or what OS the iPhone was running (Note: iOS 8, which features improved encryption and security features, came out months after the killing). The information stored on the iPhone should help in the criminal case against Jace's husband, who is charged with the May 19, 2014, killing.
Google

Google Encrypts All Blogspot Domains With HTTPS 56

Reader Mickeycaskill writes: Google is continuing its crusade to encrypt the web by enabling an HTTPS version of every single domain hosted on Blogspot. The search giant started the rollout last September, but as an opt-in service. Now users can opt to visit an HTTPS version of a site without its participation, while administrators can turn on an automatic redirect so all visitors are sent to the encrypted version. "HTTPS is fundamental to internet security; it protects the integrity and confidentiality of data sent between websites and visitors' browsers," said Milanda Perera, security software engineer at Google. Google already encrypts its search results, Google Drive and Gmail, while it also ranks HTTPS-enabled sites higher in the search. Blogspot rival WordPress began rolling out HTTPS in 2014.
Ubuntu

Ubuntu Founder Pledges No Back Doors In Linux (eweek.com) 107

Mark Shuttleworth, founder of Canonical and Ubuntu Foundation, gave an interview to eWeek this week ahead of Ubuntu Online Summit (UOS). In the wide-ranging interview, Shuttleworth teased some features that we could expect in Ubuntu 16.10, and also talked about security and privacy. From the report: One thing that Ubuntu Linux users will also continue to rely on is the strong principled stance that Shuttleworth has on encryption. With the rapid growth of the Linux Foundation's Let's Encrypt free Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificate platform this year, Shuttleworth noted that it's a good idea to consider how that might work in an integrated way with Ubuntu. Overall, he said, the move to encryption as a universal expectation is really important. "We don't do encryption to hide things; we do encryption so we can choose what to share," Shuttleworth said. "That's a profound choice we should all be able to make." Shuttleworth emphasized that on the encryption debate, Canonical and Ubuntu are crystal clear. "We will never backdoor Ubuntu; we will never weaken encryption," he said.
Encryption

Without Encryption, Everything Stops, Says Snowden (thehill.com) 144

An anonymous reader writes about Snowden's appearance on a debate with CNN's Fareed Zakaria: Edward Snowden defended the importance of encryption, calling it the "backbone of computer security." He said, "Encryption saves lives. Encryption protects property. Without it, our economy stops. Our government stops. Everything stops. Our intelligence agencies say computer security is a bigger problem than terrorism, than crime, than anything else," he noted. "[...] Lawful access to any device or communication cannot be provided to anybody without fatally compromising the security of everybody."
Censorship

WhatsApp Blocked in Brazil for 72 Hours Over Data Dispute (techcrunch.com) 52

An anonymous reader cites an article on TechCrunch: WhatsApp, Facebook's messaging service that recently rolled out end-to-end encryption to its users, will be blocked in Brazil for 72 hours, starting this afternoon. A Brazilian judge ordered telecom providers in the country to block WhatsApp today in a dispute over access to encrypted data. Judge Marcel Montalvao has ordered WhatsApp to turn over chat records related to a drug investigation, but WhatsApp has argued that it cannot access the chats in an unencrypted form and therefore cannot provide the required records to the court. [...] This isn't Montalvao's first clash with WhatsApp, which boasts more than 100 million Brazilian users. The judge ordered the arrest of Facebook's vice president for Latin America, Diego Dzodan, in March. Facebook has said that WhatsApp operates with relative independence and that Dzodan has no control over WhatsApp data.American lawyer and journalist Glenn Greenwald said: "WhatsApp shut down again in Brazil as of 1 pm ET today: used by 100m people, 91% of those online: all from 1 judge."
Crime

The Government Wants Your Fingerprint To Unlock Phones (dailygazette.com) 224

schwit1 quotes this report from the Daily Gazette: "As the world watched the FBI spar with Apple this winter in an attempt to hack into a San Bernardino shooter's iPhone, federal officials were quietly waging a different encryption battle in a Los Angeles courtroom. There, authorities obtained a search warrant compelling the girlfriend of an alleged Armenian gang member to press her finger against an iPhone that had been seized from a Glendale home. The phone contained Apple's fingerprint identification system for unlocking, and prosecutors wanted access to the data inside it.

It marked a rare time that prosecutors have demanded a person provide a fingerprint to open a computer, but experts expect such cases to become more common as cracking digital security becomes a larger part of law enforcement work. The Glendale case and others like it are forcing courts to address a basic question: How far can the government go to obtain biometric markers such as fingerprints and hair?"

Iphone

FBI Bought $1M iPhone 5C Hack, But Doesn't Know How It Works (theguardian.com) 77

An anonymous reader writes: The FBI has no idea how the hack used in unlocking the San Bernardino shooter's iPhone 5C works, but it paid a sum less than $1m for the mechanism, according to a report. Reuters, citing several U.S. government sources, note that the government intelligence agency didn't pay a value over $1.3m for purchasing the hack from professional hackers, as previously reported by many outlets. The technique can also be used as many times as needed without further payments, the report adds. The FBI director, James Comey, said last week that the agency paid more to get into the iPhone 5C than he will make in the remaining seven years and four months he has in his job, suggesting the hack cost more than $1.3m, based on his annual salary.
Encryption

Top Security Experts Say Anti-Encryption Bill Authors Are 'Woefully Ignorant' (dailydot.com) 90

blottsie writes from a report on the Daily Dot: In a Wall Street Journal editorial titled "Encryption Without Tears," Sens. Richard Burr and Dianne Feinstein pushed back on widespread condemnation of their Compliance with Court Orders Act, which would require tech companies to provide authorities with user data in an "intelligible" format if served with a warrant. But security experts Bruce Schneir, Matthew Green, and others say the lawmakers entirely misunderstand the issue. "On a weekly basis we see gigabytes of that information dumped to the Internet," Green told the Daily Dot. "This is the whole problem that encryption is intended to solve." He added: "You can't hold out the current flaws in the Internet as a justification for why the Internet shouldn't be made secure." "These criticisms of Burr and Feinstein's analogy emphasize an important point about digital security: The differences between the levels of encryption protecting certain types of data -- purchase records on Amazon's servers versus photos on an iPhone, for example -- lead to different levels of risk," writes Eric Geller of the Daily Dot.
Crime

Child Porn Suspect Jailed Indefinitely For Refusing To Decrypt Hard Drives (arstechnica.com) 796

An anonymous reader quotes a report from Ars Technica: A Philadelphia man suspected of possessing child pornography has been in jail for seven months and counting after being found in contempt of a court order demanding that he decrypt two password-protected hard drives. The suspect, a former Philadelphia Police Department sergeant, has not been charged with any child porn crimes. Instead, he remains indefinitely imprisoned in Philadelphia's Federal Detention Center for refusing to unlock two drives encrypted with Apple's FileVault software in a case that once again highlights the extent to which the authorities are going to crack encrypted devices. The man is to remain jailed "until such time that he fully complies" with the decryption order. The government successfully cited a 1789 law known as the All Writs Act to compel (PDF) the suspect to decrypt two hard drives it believes contain child pornography. The All Writs Act was the same law the Justice Department asserted in its legal battle with Apple.
Encryption

A Complete Guide To The New 'Crypto Wars' (dailydot.com) 68

blottsie writes: The latest debate over encryption did not begin with a court order demanding Apple help the FBI unlock a dead terrorist's iPhone. The new "Crypto Wars," chronicled in a comprehensive timeline by Eric Geller of the Daily Dot, dates back to at least 2003, with the introduction of "Patriot Act II." The battle over privacy and personal security versus crime-fighting and national security has, however, become a mainstream debate in recent months. The timeline covers a wide-range of incidents where the U.S. and other allied governments have tried to restrict citizens' access to strong encryption. The timeline ends with the director of national intelligence blaming NSA whistleblower Edward Snowden for advancing the spread of user-friendly, widely available strong encryption.
Encryption

Millions Of Waze Users Can Have Their Movements Tracked By Hackers (fusion.net) 55

An anonymous reader quotes a report from Fusion: Researchers at the University of California-Santa Barbara recently discovered a Waze vulnerability that allowed them to create thousands of "ghost drivers" that can monitor the drivers around them -- an exploit that could be used to track Waze users in real-time. Here's how the exploit works. Waze's servers communicate with phones using an SSL encrypted connection, a security precaution meant to ensure that Waze's computers are really talking to a Waze app on someone's smartphone. Zhao and his graduate students discovered they could intercept that communication by getting the phone to accept their own computer as a go-between in the connection. Once in between the phone and the Waze servers, they could reverse-engineer the Waze protocol, learning the language that the Waze app uses to talk to Waze's back-end app servers. With that knowledge in hand, the team was able to write a program that issued commands directly to Waze servers, allowing the researchers to populate the Waze system with thousands of "ghost cars" -- cars that could cause a fake traffic jam or, because Waze is a social app where drivers broadcast their locations, monitor all the drivers around them. You can read the full paper detailing the researchers' findings here. Is there a solution to not being tracked? Yes. If you're a Waze user, you can set the app to invisible mode. However, Waze turns off invisible mode every time you restart the app so beware.
Security

FBI Director Suggests iPhone Hacking Method May Remain Secret (reuters.com) 110

An anonymous reader quotes a report from Reuters: FBI Director James Comey said on Tuesday that his agency was still assessing whether a vulnerability used to unlock an iPhone linked to one of the San Bernardino killers would go through a government review to determine if it should be disclosed to Apple or the public. "We are in the midst of trying to sort that out," Comey said. "The threshold (for disclosure) is, are we aware of the vulnerability, or did we just buy a tool and don't have sufficient knowledge of the vulnerability to implicate the process?" The White House has a procedure for reviewing technology security flaws and deciding which ones should be made public. Although officials say the process leans toward disclosure, it is not set up to handle or reveal flaws that are discovered and owned by private companies, sources have told Reuters, raising questions about the effectiveness of the so-called Vulnerabilities Equities Process.

Slashdot Top Deals