Forgot your password?
typodupeerror

Follow Slashdot stories on Twitter

Cloud

CloudFlare Announces Free SSL Support For All Customers 66

Posted by Soulskill
from the big-step-in-the-right-direction dept.
Z80xxc! writes: CloudFlare, a cloud service that sits between websites and the internet to provide a CDN, DDOS and other attack prevention, speed optimization, and other services announced today that SSL will now be supported for all customers, including free customers. This will add SSL support to approximately 2 million previously unprotected websites. Previously SSL was only available to customers paying at least $20/month for a "Pro" plan or higher.

Browsers connect to CloudFlare's servers and receive a certificate provided by CloudFlare. CloudFlare then connects to the website's server to retrieve the content, serving as a sort of reverse proxy. Different security levels allow CloudFlare to connect to the website host using no encryption, a self-signed certificate, or a verified certificate, depending on the administrator's preferences. CloudFlare's servers will use SNI for free accounts, which is unsupported for IE on Windows XP and older, and Android Browser on Android 2.2 and older.
Encryption

Tor Executive Director Hints At Firefox Integration 108

Posted by Soulskill
from the foxes-love-onions dept.
blottsie writes: Several major tech firms are in talks with Tor to include the software in products that can potentially reach over 500 million Internet users around the world. One particular firm wants to include Tor as a "private browsing mode" in a mainstream Web browser, allowing users to easily toggle connectivity to the Tor anonymity network on and off. "They very much like Tor Browser and would like to ship it to their customer base," Tor executive director Andrew Lewman wrote, explaining the discussions but declining to name the specific company. "Their product is 10-20 percent of the global market, this is of roughly 2.8 billion global Internet users." The product that best fits Lewman's description, by our estimation, is Mozilla Firefox, the third-most popular Web browser online today and home to, you guessed it, 10 to 20 percent of global Internet users.
Security

Security Collapse In the HTTPS Market 185

Posted by Soulskill
from the many-points-of-failure dept.
CowboyRobot writes: HTTPS has evolved into the de facto standard for secure Web browsing. Through the certificate-based authentication protocol, Web services and Internet users first authenticate one another ("shake hands") using a TLS/SSL certificate, encrypt Web communications end-to-end, and show a padlock in the browser to signal that a communication is secure. In recent years, HTTPS has become an essential technology to protect social, political, and economic activities online. At the same time, widely reported security incidents (such as DigiNotar's breach, Apple's #gotofail, and OpenSSL's Heartbleed) have exposed systemic security vulnerabilities of HTTPS to a global audience. The Edward Snowden revelations (notably around operation BULLRUN, MUSCULAR, and the lesser-known FLYING PIG program to query certificate metadata on a dragnet scale) have driven the point home that HTTPS is both a major target of government hacking and eavesdropping, as well as an effective measure against dragnet content surveillance when Internet traffic traverses global networks. HTTPS, in short, is an absolutely critical but fundamentally flawed cybersecurity technology.
Businesses

How the NSA Profits Off of Its Surveillance Technology 82

Posted by Soulskill
from the i'm-guessing-ebay dept.
blottsie writes: The National Security Agency has been making money on the side by licensing its technology to private businesses for more than two decades. It's called the Technology Transfer Program, under which the NSA declassifies some of its technologies that it developed for previous operations, patents them, and, if they're swayed by an American company's business plan and nondisclosure agreements, rents them out. The products include tools to transcribe voice recordings in any language, a foolproof method to tell if someone's touched your phone's SIM card, or a version of email encryption that isn't available on the open market.
Encryption

FBI Chief: Apple, Google Phone Encryption Perilous 353

Posted by samzenpus
from the lock-it-down dept.
An anonymous reader writes The FBI is concerned about moves by Apple and Google to include encryption on smartphones. "I like and believe very much that we should have to obtain a warrant from an independent judge to be able to take the contents," FBI Director James Comey told reporters. "What concerns me about this is companies marketing something expressly to allow people to place themselves beyond the law." From the article: "Comey cited child-kidnapping and terrorism cases as two examples of situations where quick access by authorities to information on cellphones can save lives. Comey did not cite specific past cases that would have been more difficult for the FBI to investigate under the new policies, which only involve physical access to a suspect's or victim's phone when the owner is unable or unwilling to unlock it for authorities."
Encryption

Researchers Propose a Revocable Identity-Based Encryption Scheme 76

Posted by timothy
from the now-who-was-I? dept.
jd writes Identity-based public key encryption works on the idea of using something well-known (like an e-mail address) as the public key and having a private key generator do some wibbly-wobbly timey-wimey stuff to generate a secure private key out if it. A private key I can understand, secure is another matter. In fact, the paper notes that security has been a big hassle in IBE-type encryption, as has revocation of keys. The authors claim, however, that they have accomplished both. Which implies the public key can't be an arbitrary string like an e-mail, since presumably you would still want messages going to said e-mail address, otherwise why bother revoking when you could just change address?

Anyways, this is not the only cool new crypto concept in town, but it is certainly one of the most intriguing as it would be a very simple platform for building mostly-transparent encryption into typical consumer apps. If it works as advertised. I present it to Slashdot readers to engender discussion on the method, RIBE in general and whether (in light of what's known) default strong encryption for everything is something users should just get whether they like it or not.
Encryption

Wired Profiles John Brooks, the Programmer Behind Ricochet 49

Posted by timothy
from the bouncy-bouncy dept.
wabrandsma writes with this excerpt from Wired: John Brooks, who is just 22 and a self-taught coder who dropped out of school at 13, was always concerned about privacy and civil liberties. Four years ago he began work on a program for encrypted instant messaging that uses Tor hidden services for the protected transmission of communications. The program, which he dubbed Ricochet, began as a hobby. But by the time he finished, he had a full-fledged desktop client that was easy to use, offered anonymity and encryption, and even resolved the issue of metadata—the "to" and "from" headers and IP addresses spy agencies use to identify and track communications—long before the public was aware that the NSA was routinely collecting metadata in bulk for its spy programs. The only problem Brooks had with the program was that few people were interested in using it. Although he'd made Ricochet's code open source, Brooks never had it formally audited for security and did nothing to promote it, so few people even knew about it.

Then the Snowden leaks happened and metadata made headlines. Brooks realized he already had a solution that resolved a problem everyone else was suddenly scrambling to fix. Though ordinary encrypted email and instant messaging protect the contents of communications, metadata allows authorities to map relationships between communicants and subpoena service providers for subscriber information that can help unmask whistleblowers, journalists's sources and others.
Encryption

TrueCrypt Gets a New Life, New Name 268

Posted by Soulskill
from the and-hopefully-won't-disappear-into-the-void dept.
storagedude writes: Amid ongoing security concerns, the popular open source encryption program TrueCrypt may have found new life under a new name. Under the terms of the TrueCrypt license — which was a homemade open source license written by the authors themselves rather than a standard one — a forking of the code is allowed if references to TrueCrypt are removed from the code and the resulting application is not called TrueCrypt. Thus, CipherShed will be released under a standard open source license, with long-term ambitions to become a completely new product.
Security

Home Depot Says Breach Affected 56 Million Cards 80

Posted by Soulskill
from the going-for-the-high-score dept.
wiredmikey writes: Home Depot said on Thursday that a data breach affecting its stores across the United States and Canada is estimated to have exposed 56 million customer payment cards between April and September 2014. While previous reports speculated that Home Depot had been hit by a variant of the BlackPOS malware that was used against Target Corp., the malware used in the attack against Home Depot had not been seen previously in other attacks. "Criminals used unique, custom-built malware to evade detection," the company said in a statement. The home improvement retail giant also that it has completed a "major payment security project" that provides enhanced encryption of payment card data at point of sale in its U.S. stores. According to a recent report from Trend Micro (PDF), six new pieces of point-of-sale malware have been identified so far in 2014.
Privacy

Apple's "Warrant Canary" Has Died 236

Posted by samzenpus
from the get-out-of-the-mine dept.
HughPickens.com writes When Apple published its first Transparency Report on government activity in late 2013, the document contained an important footnote that stated: "Apple has never received an order under Section 215 of the USA Patriot Act. We would expect to challenge such an order if served on us." Now Jeff John Roberts writes at Gigaom that Apple's warrant canary has disappeared. A review of the company's last two Transparency Reports, covering the second half of 2013 and the first six months of 2014, shows that the "canary" language is no longer there suggesting that Apple is now part of FISA or PRISM proceedings.

Warrant canaries are a tool used by companies and publishers to signify to their users that, so far, they have not been subject to a given type of law enforcement request such as a secret subpoena. If the canary disappears, then it is likely the situation has changed — and the company has been subject to such request. This may also give some insight into Apple's recent decision to rework its latest encryption in a way that makes it almost impossible for the company to turn over data from most iPhones or iPads to police.
Encryption

Next Android To Enable Local Encryption By Default Too, Says Google 126

Posted by timothy
from the keep-it-to-yourself-bub dept.
An anonymous reader writes The same day that Apple announced that iOS 8 will encrypt device data with a local code that is not shared with Apple, Google has pointed out that Android already offers the same feature as a user option and that the next version will enable it by default. The announcements by both major cell phone [operating system makers] underscores a new emphasis on privacy in the wake of recent government surveillance revelations in the U.S. At the same time, it leaves unresolved the tension between security and convenience when both companies' devices are configured to upload user content to iCloud and Google+ servers for backup and synchronization across devices, servers and content to which Apple and Google do have access.
Encryption

Apple Will No Longer Unlock Most iPhones, iPads For Police 504

Posted by timothy
from the just-what-they-want-you-to-think-part-827398 dept.
SternisheFan writes with this selection from a story at the Washington Post: Apple said Wednesday night that it is making it impossible for the company to turn over data from most iPhones or iPads to police — even when they have a search warrant — taking a hard new line as tech companies attempt to blunt allegations that they have too readily participated in government efforts to collect user data. The move, announced with the publication of a new privacy policy tied to the release of Apple's latest mobile operating system, iOS 8, amounts to an engineering solution to a legal dilemma: Rather than comply with binding court orders, Apple has reworked its latest encryption in a way that makes it almost impossible for the company – or anyone else but the device's owner – to gain access to the vast troves of user data typically stored on smartphones or tablet computers. The key is the encryption that Apple mobile devices automatically put in place when a user selects a passcode, making it difficult for anyone who lacks that passcode to access the information within, including photos, e-mails, recordings or other documents. Apple once kept possession of encryption keys that unlocked devices for legally binding police requests, but will no longer do so for iOS8, it said in a new guide for law enforcement. "Unlike our competitors, Apple cannot bypass your passcode and therefore cannot access this data," Apple said on its Web site. "So it's not technically feasible for us to respond to government warrants for the extraction of this data from devices in their possession running iOS 8."
Government

Snowden's Leaks Didn't Help Terrorists 183

Posted by timothy
from the what-they-want-you-to-think dept.
HughPickens.com writes The Intercept reports that contrary to lurid claims made by U.S. officials, a new independent analysis of Edward Snowden's revelations on NSA surveillance that examined the frequency of releases and updates of encryption software by jihadi groups has found no correlation in either measure to Snowden's leaks about the NSA's surveillance techniques. According to the report "well prior to Edward Snowden, online jihadists were already aware that law enforcement and intelligence agencies were attempting to monitor them (PDF)." In fact, concerns about terrorists' use of sophisticated encryption technology predates even 9/11.

Earlier this month former NSA head Michael Hayden stated, "The changed communications practices and patterns of terrorist groups following the Snowden revelations have impacted our ability to track and monitor these groups", while Matthew Olsen of the National Counterterrorism Center would add "Following the disclosure of the stolen NSA documents, terrorists are changing how they communicate to avoid surveillance." Snowden's critics have previously accused his actions of contributing from everything from the rise of ISIS to Russia's invasion of the Ukraine. "This most recent study is the most comprehensive repudiation of these charges to date," says Murtaza Hussain. "Contrary to lurid claims to the contrary, the facts demonstrate that terrorist organizations have not benefited from the NSA revelations, nor have they substantially altered their behavior in response to them."
Networking

Why Is It Taking So Long To Secure Internet Routing? 85

Posted by Soulskill
from the adoption-is-driven-by-fear dept.
CowboyRobot writes: We live in an imperfect world where routing-security incidents can still slip past deployed security defenses, and no single routing-security solution can prevent every attacks. Research suggests, however, that the combination of RPKI (Resource Public Key Infrastructure) with prefix filtering could significantly improve routing security; both solutions are based on whitelisting techniques and can reduce the number of autonomous systems that are impacted by prefix hijacks, route leaks, and path-shortening attacks. "People have been aware of BGP’s security issues for almost two decades and have proposed a number of solutions, most of which apply simple and well-understood cryptography or whitelisting techniques. Yet, many of these solutions remain undeployed (or incompletely deployed) in the global Internet, and the vulnerabilities persist. Why is it taking so long to secure BGP?"
Cloud

Tim Cook Says Apple Can't Read Users' Emails, That iCloud Wasn't Hacked 191

Posted by timothy
from the our-cooperation-was-strictly-reluctant dept.
Apple CEO Tim Cook insists that Apple doesn't read -- in fact, says Cook, cannot read -- user's emails, and that the company's iCloud service wasn't hacked. ZDNet presents highlights from Cook's lengthy, two-part interview with Charlie Rose. One selection of particular interest: Apple previously said that even it can't access iMessage and FaceTime communications, stating that such messages and calls are not held in an "identifiable form." [Cook] claimed if the government "laid a subpoena," then Apple "can't provide it." He said, bluntly: "We don't have a key... the door is closed." He reiterated previous comments, whereby Apple has said it is not in the business of collecting people's data. He said: "When we design a new service, we try not to collect data. We're not reading your email." Cook went on to talk about PRISM in more detail, following the lead from every other technology company implicated by those now-infamous PowerPoint slides.
Security

Canon Printer Hacked To Run Doom Video Game 92

Posted by samzenpus
from the print-or-play dept.
wiredog writes Security researcher Michael Jordon has hacked a Canon's Pixma printer to run Doom. He did so by reverse engineering the firmware encryption and uploading via the update interface. From the BBC: "Like many modern printers, Canon's Pixma range can be accessed via the net, so owners can check the device's status. However, Mr Jordon, who works for Context Information Security, found Canon had done a poor job of securing this method of interrogating the device. 'The web interface has no user name or password on it,' he said. That meant anyone could look at the status of any device once they found it, he said. A check via the Shodan search engine suggests there are thousands of potentially vulnerable Pixma printers already discoverable online. There is no evidence that anyone is attacking printers via the route Mr Jordon found."
Networking

Ask Slashdot: Advice On Building a Firewall With VPN Capabilities? 238

Posted by timothy
from the thick-pipes-and-sturdy-valves dept.
An anonymous reader writes "I currently connect to the internet via a standard router, but I'm looking at bulking up security. Could people provide their experiences with setting up a dedicated firewall machine with VPN capabilities? I am a novice at Linux/BSD, so would appreciate pointers at solutions that require relatively little tweaking. Hardware-wise, I have built PC's, so I'm comfortable with sourcing components and assembling into a case. The setup would reside in my living room, so a quiet solution is required. The firewall would handle home browsing and torrenting traffic. Some of the questions knocking around in my head: 1. Pros and cons of buying an off-the-shelf solution versus building a quiet PC-based solution? 2. Software- versus hardware-based encryption — pros and cons? 3. What are minimum requirements to run a VPN? 4. Which OS to go for? 5. What other security software should I include for maximum protection? I am thinking of anti-virus solutions."
United Kingdom

UK Ham Radio Reg Plans To Drop 15 min Callsign Interval and Allow Encryption 104

Posted by samzenpus
from the new-rules dept.
First time accepted submitter product_bucket writes A consultation published by the UK Radio Regulator Ofcom seeks views on its plan to remove the mandatory 15 minute callsign identifier interval for amateur radio licensees. The regulator also intends to permit the use of encryption by a single volunteer emergency communications organization. The consultation is open until 20th October, and views are sought by interested parties.
Iphone

Mining iPhones and iCloud For Data With Forensic Tools 85

Posted by Soulskill
from the security-through-panic-and-news-articles dept.
SternisheFan points out an article that walks us through the process of using forensic tools to grab data from iPhones and iCloud using forensic tools thought to have been employed in the recent celebrity photo leak. There are a number of ways to break into these devices and services depending on what kind of weakness an attacker has found. For example, if the attacked has possession of a target's iPhone, a simple command-line toolkit from Elcomsoft uses a jailbreak to bypass the iPhone's security. A different tool can extract iCloud data with access to a computer that has a local backup of a phone's data, or access to a computer that simply has stored credentials.

The discusses also details a method for spoofing device identification to convince iCloud to restore data to a device mimicking the target's phone. The author concludes, "Apple could go a long way toward protecting customer privacy just by adding a second credential to encrypt stored iCloud data. An encryption password could be used to decrypt the backup when downloaded to iTunes or to the device, or it could be used to decrypt the data as it is read by iCloud to stream down to the device."
Security

Research Finds No Large-Scale Exploits of Heartbleed Before Disclosure 20

Posted by Soulskill
from the everyone-was-equally-ignorant dept.
Trailrunner7 writes: In the days and weeks following the public disclosure of the OpenSSL Heartbleed vulnerability in April, security researchers and others wondered aloud whether there were some organizations – perhaps the NSA – that had known about the bug for some time and had been using it for targeted attacks. A definitive answer to that question may never come, but traffic data collected by researchers on several large networks shows no large-scale exploit attempts in the months leading up to the public disclosure.

"For all four networks, over these time periods our detector found no evidence of any exploit attempt up through April 7, 2014. This provides strong evidence that at least for those time periods, no attacker with prior knowledge of Heartbleed conducted widespread scanning looking for vulnerable servers. Such scanning however could have occurred during other time periods." That result also doesn't rule out the possibility that an attacker or attackers may have been doing targeted reconnaissance on specific servers or networks. The researchers also conducted similar monitoring of the four networks, and noticed that the first attempted exploits occurred within 24 hours of the OpenSSL disclosure.

A holding company is a thing where you hand an accomplice the goods while the policeman searches you.

Working...