Government

Extreme Secrecy Eroding Support For Trans-Pacific Partnership

Posted by Soulskill
from the gee-that's-a-shame dept.
schwit1 writes with news that political support for the Trans-Pacific Partnership is drying up because of the secrecy involved in developing it. Members of Congress can read the bill if they want, but they need to be located in a single room within the basement of the Capitol Visitor Center, and they can't have their staff with them. They can't have a copy, they can't take notes, and they can only view one section at a time. And they're monitored while they read it. Unsurprisingly, this is souring many members of Congress on the controversial trade agreement.

"Administration aides say they can’t make the details public because the negotiations are still going on with multiple countries at once; if for example, Vietnam knew what the American bottom line was with Japan, that might drive them to change their own terms. Trade might not seem like a national security issue, they say, but it is (and foreign governments regularly try to hack their way in to American trade deliberations)."

Security

Cyberlock Lawyers Threaten Security Researcher Over Vulnerability Disclosure

Posted by Soulskill
from the what-year-is-this dept.
qubezz writes: Security researcher Phar (Mike Davis/IOActive) gave his 30 days of disclosure notice to Cyberlock (apparently a company that makes electronic lock cylinders) that he would release a public advisory on vulnerabilities he found with the company's security devices. On day 29, their lawyers responded with a request to refrain, feigning ignorance of the previous notice, and invoking mention of the DMCA (this is not actually a DMCA takedown notice, as the law firm is attempting to suppress initial disclosure through legal wrangling). Mike's blog states: "The previous DMCA threats are from a company called Cyberlock, I had planned to do a fun little blog post (cause i ... hate blog posts) on the fun of how I obtained one, extracted the firmware bypassing the code protection and figured out its "encryption" and did various other fun things a lock shouldn't do for what its marketed as.. But before I could write that post I needed to let them know what issues we have deemed weaknesses in their gear.. the below axe grinderery is the results. (sic)" What should researchers do when companies make baseless legal threats to maintain their security-through-obscurity? Related: Bitcoin exchange company Coinbase has been accused of spying on a dark net researcher.

Microsoft

Microsoft: No More 'Patch Tuesday' For Windows 10 Home Users

Posted by Soulskill
from the no-more-patchy-coverage dept.
citpyrc writes: According to the Register, Microsoft is making some changes to how it rolls out updates in Windows 10. Home users will receive updates as they come out, rather than queueing them all up on "patch Tuesday." Business users will have the option to set their own update cycle, so they can see if any of the patches accidentally break anything for home users before trying them out. There will also be an optional peer-to-peer updating mechanism for Windows 10. Microsoft announced a service called Advanced Threat Analytics, which employs various machine learning techniques to identify malware on a network. As a premium service, top-dollar customers can pay for Microsoft to monitor black-hat forums and alert the company if any of its employees' identities are stolen.

Security

USBKill Transforms a Thumb Drive Into an "Anti-Forensic" Device

Posted by timothy
from the content-scrambling-system dept.
Orome1 writes with a snippet from a report at net-security.org: a hacker going by Hephaestos has shared with the world a Python script that, when put on a USB thumb drive, turns the device into an effective kill switch for the computer to which it's plugged in. USBkill, as the programmer dubbed it, "waits for a change on your USB ports, then immediately kills your computer." The device would be useful "in case the police comes busting in, or steals your laptop from you when you are at a public library," Hephaestos explained.

Security

Maritime Cybersecurity Firm: 37% of Microsoft Servers On Ships Are Vulnerable

Posted by samzenpus
from the protect-ya-neck dept.
colinneagle writes: A report from maritime cybersecurity firm CyberKeel claims that spot checks at 50 different maritime sites revealed that 37% of the servers running Microsoft were still vulnerable because they had not been patched. But what's most interesting is what happens when hackers can breach security in shipping environments, including one case in which "drug gangs were able to smuggle entire container loads of cocaine through Antwerp, one of Belgium's largest ports, after its hackers breached the port's IT network," said Rear Adm. Marshall Lytle, assistant commandant responsible for USCG Cyber Command.

Communications

WikiLeaks' Anonymous Leak Submission System Is Back After Nearly 5 Years

Posted by timothy
from the drop-'em-a-line dept.
Sparrowvsrevolution writes: On Friday, WikiLeaks announced that it has finally relaunched a beta version of its leak submission system after a 4.5 year hiatus. That file-upload site, which once served as a central tool in WikiLeaks' leak-collecting mission, runs on the anonymity software Tor to allow uploaders to share documents and tips while protecting their identity from any network eavesdropper, and even from WikiLeaks itself. In 2010 the original submission system went down amid infighting between WikiLeaks' leaders and several of its disenchanted staffers, including several who left to create their own soon-to-fail project called OpenLeaks. WikiLeaks founder Julian Assange says that the new system, which was delayed by his legal troubles and the banking industry blockade against the group, is the final result of "four competing research projects" WikiLeaks launched in recent years. He adds that it has several less-visible submission systems in addition to the one it's now revealed. "Currently, we have one public-facing and several private-facing submission systems in operation, cryptographically, operationally and legally secured with national security sourcing in mind," Assange writes.

Privacy

Hacking the US Prescription System

Posted by timothy
from the quite-a-dose-you're-taking dept.
An anonymous reader writes: It appears that most pharmacies in the US are interconnected, and a breach in one leads to access to the other ones. A security advisory released [Friday] shows how a vulnerability in an online pharmacy granted access to prescription history for any US person with just their name and date of birth. From the description linked above: During the signup process, PillPack.com prompts users for their identifying information. At the end of the signup process, the user is shown a list of their existing prescriptions in all other pharmacies in order to make the process of transferring them to PillPack.com easier. ... To replicate this issue, an attacker would be directed to the PillPack.com website and choose the signup option. As long as the full name and the date of birth entered during signup match the target, the attacker will gain access to the target's full prescription history.

Security

CareerBuilder Cyberattack Delivers Malware Straight To Employers

Posted by timothy
from the where-it-hurts dept.
An anonymous reader writes: Security threat researchers Proofpoint have uncovered an email-based phishing attack which infected businesses with malware via the CareerBuilder online job search website. The attack involved the hacker browsing job adverts across the platform and uploading malicious files during the application process, titling the documents "resume.doc" and "cv.doc." Once the CV was submitted, an automatic email notification was sent to the business advertising the position, along with the uploaded document. In this case, Proofpoint found that as a business opens the automatic email from CareerBuilder to view the attached file, the document plays on a known Word vulnerability to sneak malicious code onto the victim's computer. According to the threat research group, the manual attack technique, although time-consuming, has a higher success rate than automated tools, as the email attachments are more likely to be opened by the receiver.

Security

Researcher Bypasses Google Password Alert For Second Time

Posted by timothy
from the if-you-watch-everything-you-lose-perspective dept.
Trailrunner7 writes with this excerpt: A security researcher has developed a method–actually two methods–for defeating the new Chrome Password Alert extension that Google released earlier this week.

The Password Alert extension is designed to warn users when they're about to enter their Google passwords into a fraudulent site. The extension is meant as a defense against phishing attacks, which remain a serious threat to consumers despite more than a decade of research and warnings about the way the attacks work.

Just a day after Google released the extension, Paul Moore, a security consultant in the U.K., developed a method for bypassing the extension. The technique involved using Javascript to look on a given page for the warning screen that Password Alert shows users. The method Moore developed then simply blocks the screen, according to a report on Ars Technica. In an email, Moore said it took him about two minutes to develop that bypass, which Google fixed in short order.

However, Moore then began looking more closely at the code for the extension, and Chrome itself, and discovered another way to get around the extension. He said this one likely will be more difficult to repair.

"The second exploit will prove quite difficult (if not near impossible) to resolve, as it leverages a race condition in Chrome which I doubt any single extension can remedy. The extension works by detecting each key press and comparing it against a stored, hashed version. When you've entered the correct password, Password Alert throws a warning advising the user to change their password," Moore said.

Security

Unnoticed For Years, Malware Turned Linux Servers Into Spamming Machines

Posted by timothy
from the just-where-you-least-expect-it dept.
An anonymous reader writes: For over 5 years, and perhaps even longer, servers around the world running Linux and FreeBSD operating systems have been targeted by an individual or group that compromised them via a backdoor Trojan, then made them send out spam, ESET researchers have found. What's more, it seems that the spammers are connected with a software company called Yellsoft, which sells DirectMailer, a "system for automated e-mail distribution" that allows users to send out anonymous email in bulk. Here's the white paper in which the researchers explain the exploit.

Security

Chinese Security Vendor Qihoo 360 Caught Cheating In Anti-virus Tests

Posted by Soulskill
from the hand-in-the-virus-jar dept.
Bismillah writes: China's allegedly largest security vendor Qihoo 360 has fessed up to supplying custom versions of its AV for testing, according to an investigation by Virus Bulletin, AV-Comparatives and AV-Test. "On requesting an explanation from Qihoo 360 for their actions (PDF), the firm confirmed that some settings had been adjusted for testing, including enabling detection of types of files such as keygens and cracked software, and directing cloud lookups to servers located closer to the test labs. After several requests for specific information on the use of third-party engines, it was eventually confirmed that the engine configuration submitted for testing differed from that available by default to users."

Mozilla

Mozilla Begins To Move Towards HTTPS-Only Web

Posted by Soulskill
from the driving-web-privacy dept.
jones_supa writes: Mozilla is officially beginning to phase out non-secure HTTP to prefer HTTPS instead. After a robust discussion on the mailing list, the company will boldly start removing capabilities of the non-secure web. There are two broad elements of this plan: setting a date after which all new features will be available only to secure websites, and gradually phasing out access to browser features for non-secure websites, especially regarding features that pose risks to users' security and privacy. This plan still allows for usage of the "http" URI scheme for legacy content. With HSTS and the upgrade-insecure-requests CSP attribute, the "http" scheme can be automatically translated to "https" by the browser, and thus run securely. The goal of this effort is also to send a message to the web developer community that they need to be secure. Mozilla expects to make some proposals to the W3C WebAppSec Working Group soon.

Government

NSA Reform Bill Backed By Both Parties Set To Pass House of Representatives

Posted by Soulskill
from the don't-stop-yelling dept.
HughPickens.com writes: The NY Times reports that after more than a decade of wrenching national debate over the intrusiveness of government intelligence agencies, a bipartisan wave of support has gathered to sharply limit the federal government's sweeps of phone and Internet records. A bill that would overhaul the Patriot Act and curtail the metadata surveillance exposed by Edward Snowden overwhelmingly passed the House Judiciary Committee by a vote of 25-2, and is heading to almost certain passage in the House of Representatives. An identical bill in the Senate — introduced with the support of five Republicans — is gaining support over the objection of Senate Majority Leader Mitch McConnell, who is facing the prospect of his first policy defeat since ascending this year to majority leader. "The bill ends bulk collection, it ends secret law," says Rep. Jim Sensenbrenner, the original author of the Patriot Act who has now helped author the Freedom Act. "It increases the transparency of our intelligence community and it does all this without compromising national security."

The Patriot Act is up for its first reauthorization since the revelations about bulk data collection. The impending June 1 deadline for reauthorization, coupled with an increase of support among members of both parties, pressure from technology companies and a push from the White House, have combined to make changes to the provisions more likely. The Snowden disclosures, along with data breaches at Sony Pictures, Target and the insurance giant Anthem, have unsettled voters and empowered those in Congress arguing for greater civil liberties protection — who a few years ago "could have met in a couple of phone booths," says Senator Ron Wyden. The Freedom Act very nearly passed both chambers of Congress last year, but it failed to garner the 60 votes to break a filibuster in the Senate. It fell short by two votes.

However, some say the bill doesn't go far enough. The bill leaves intact surveillance programs conducted by the Drug Enforcement Agency and levies high penalties against those offering "material support" to terrorists. It also renews the expiring parts of the Patriot Act through 2019. "This bill would make only incremental improvements, and at least one provision – the material-support provision – would represent a significant step backwards," says American Civil Liberties Union Deputy Legal Director Jameel Jaffer. "The disclosures of the last two years make clear that we need wholesale reform."

Security

Once a Forgotten Child, OpenSSL's Future Now Looks Bright

Posted by samzenpus
from the shot-in-the-arm dept.
Trailrunner7 writes: Rarely does anything have a defined turning point in its history, a single day where people can point and say that was the day everything changed. For OpenSSL, that day was April 7, 2014, the day that Heartbleed became part of the security lexicon. Heartbleed was a critical vulnerability in the venerable crypto library. OpenSSL is everywhere, in tens of thousands of commercial and homespun software projects. And so too, as of last April, was Heartbleed, an Internet-wide bug that leaked enough memory that a determined hacker could piece together anything from credentials to encryption keys.

"Two years ago, it was a night-and-day difference. Two years ago, aside from our loyal user community, we were invisible. No one knew we existed," says Steve Marquess, cofounder, president and business manager of the OpenSSL Foundation, the corporate entity that handles commercial contracting for OpenSSL. "OpenSSL is used everywhere: hundreds, thousands of vendors use it; every smartphone uses it. Everyone took that for granted; most companies have no clue they even used it." To say OpenSSL has been flipped on its head—in a good way—is an understatement.

Heartbleed made the tech world realize that the status quo wasn't healthy to the security and privacy of ecommerce transactions and communication worldwide. Shortly after Heartbleed, the Core Infrastructure Initiative was created, uniting The Linux Foundation, Microsoft, Facebook, Amazon, Dell, Google and other large technology companies in funding various open source projects. OpenSSL was the first beneficiary, getting enough money to hire Dr. Steve Henson and Andy Polyakov as its first full-timers. Henson, who did not return a request to be interviewed for this article, is universally known as the one steady hand that kept OpenSSL together, an unsung hero of the project who along with other volunteers handled bug reports, code reviews and changes.

Encryption

FBI Slammed On Capitol Hill For "Stupid" Ideas About Encryption

Posted by samzenpus
from the stupid-is-as-stupid-does dept.
blottsie writes: At a hearing in Washington, D.C., on Wednesday, the FBI endured outright hostility as both technical experts and members of Congress from both parties roundly criticized the law enforcement agency's desire to place so-called back doors into encryption technology. "Creating a technological backdoor just for good guys is technologically stupid," said Rep. Ted Lieu (D-Calif.), a Stanford University computer science graduate. "That's just stupid. Our founders understood that an Orwellian overreaching government is one of the most dangerous things this world could have," Lieu said.

Bug

Tattoos Found To Interfere With Apple Watch Sensors

Posted by timothy
from the clashing-hipsterisms dept.
An anonymous reader writes: A number of early Apple Watch adopters have complained that their tattoos cause interference with many of the new product's key features. According to multiple tattooed sources, inked wrists and hands can disrupt communication with the wearable's sensors installed in the underside of the device, leading to malfunction. Owners of Apple Watch have taken to social media to voice their frustration using the hashtag #tattoogate and sharing their disappointment over the newly discovered Apple flaw. One user reported that the Watch's lock system did not disable as it should when the device was placed on a decorated area of skin – forcing those affected to constantly enter their security PINs. A further source suggested that notification alerts would fail to 'ping' as they are supposed to, and that heart rate monitoring differed significantly between tattooed and non-tattooed wrist readings.

Google

Google Announces "Password Alert" To Protect Against Phishing Attacks

Posted by samzenpus
from the protect-ya-neck dept.
HughPickens.com writes: Google has announced Password Alert, a free, open-source Chrome extension that protects your Google Accounts from phishing attacks. Once you've installed it, Password Alert will show a warning if you type your Google password into a site that isn't a Google sign-in page. This protects you from phishing attacks and also encourages you to use different passwords for different sites, a security best practice. Once you've installed and initialized Password Alert, Chrome will remember a "scrambled" version of your Google Account password. It only remembers this information for security purposes and doesn't share it with anyone. If you type your password into a site that isn't a Google sign-in page, an alert will tell you that you're at risk of being phished so you can update your password and protect yourself.

Bug

RealTek SDK Introduces Vulnerability In Some Routers

Posted by Soulskill
from the won't-fix dept.
jones_supa writes: SOHO routers from manufacturers including at least Trendnet and D-Link allow attackers anywhere in the world to execute malicious code on the devices, according to a security advisory issued over the weekend. The remote command-injection vulnerability resides in the "miniigd SOAP service" as implemented by the RealTek SDK. Before someone asks, there is no comprehensive list of manufacturers or models that are affected. Nerds may be able to spot them by using the Metasploit framework to query their router. If the response contains "RealTek/v1.3" or similar, the device is likely vulnerable. For now, the vulnerable routers should be restricted to communicate only with trusted devices. HP's Zero Day Initiative reported the bug confidentially to RealTek in August 2013, but the issue was disclosed 20 months later as no fix has been provided.

Encryption

Why Crypto Backdoors Wouldn't Work

Posted by Soulskill
from the because-math dept.
An anonymous reader writes: Your devices should come with a government backdoor. That's according to the heads of the FBI, NSA, and DHS. There are many objections, especially that backdoors add massive security risks.

Would backdoors even be effective, though? In a new writeup, a prominent Stanford security researcher argues that crypto backdoors "will not work." Walking step-by-step through a hypothetical backdoored Android, he argues that "in order to make secure apps just slightly more difficult for criminals to obtain, and just slightly less worthwhile for developers, the government would have to go to extraordinary lengths. In an arms race between cryptographic backdoors and secure apps, the United States would inevitably lose."

Robotics

Researchers Mount Cyberattacks Against Surgery Robot

Posted by Soulskill
from the backseat-aortic-bypass dept.
An anonymous reader writes: A group of researchers from the University of Washington have tested the security of a teleoperated robotic surgery system created by their colleagues, and have found it severely lacking. "Teleoperated surgical robots will be expected to use a combination of existing publicly available networks and temporary ad-hoc wireless and satellite networks to send video, audio and other sensory information between surgeons and remote robots. It is envisioned these systems will be used to provide immediate medical relief in under-developed rural terrains, areas of natural and human-caused disasters, and in battlefield scenarios," the researchers noted, and asked: "But what if these robotic systems are attacked and compromised?"