Check out the new SourceForge HTML5 internet speed test! No Flash necessary and runs on all devices. ×
Encryption

Lavabit Is Relaunching (theintercept.com)

The encrypted email service once used by whistleblower Edward Snowden is relaunching today. Ladar Levison, the founder of the encrypted email service Lavabit, announced on Friday that he's relaunching the service with a new architecture that fixes the SSL problem and includes other privacy-enhancing features as well, such as one that obscures the metadata on emails to prevent government agencies like the NSA and FBI from being able to find out with whom Lavabit users communicate. In addition, he's also announcing plans to roll out end-to-end encryption later this year. The Intercept provides some backstory in its report: In 2013, [Levison] took the defiant step of shutting down the company's service rather than comply with a federal law enforcement request that could compromise its customers' communications. The FBI had sought access to the email account of one of Lavabit's most prominent users -- Edward Snowden. Levison had custody of his service's SSL encryption key that could help the government obtain Snowden's password. And though the feds insisted they were only after Snowden's account, the key would have helped them obtain the credentials for other users as well. Lavabit had 410,000 user accounts at the time. Rather than undermine the trust and privacy of his users, Levison ended the company's email service entirely, preventing the feds from getting access to emails stored on his servers. But the company's users lost access to their accounts as well. Levison, who became a hero of the privacy community for his tough stance, has spent the last three years trying to ensure he'll never have to help the feds break into customer accounts again. "The SSL key was our biggest threat," he says.
Security

Top Security Researchers Ask The Guardian To Retract Its WhatsApp Backdoor Report (technosociology.org) 60

Earlier this month The Guardian reported what it called a "backdoor" in WhatsApp, a Facebook-owned instant messaging app. Some security researchers were quick to call out The Guardian for what they concluded was irresponsible journalism and misleading story. Now, a group of over three dozen security researchers including Matthew Green and Bruce Schneier (as well as some from companies such as Google, Mozilla, Cloudflare, and EFF) have signed a long editorial post, pointing out where The Guardian's report fell short, and also asking the publication to retract the story. From the story: The WhatsApp behavior described is not a backdoor, but a defensible user-interface trade-off. A debate on this trade-off is fine, but calling this a "loophole" or a "backdoor" is not productive or accurate. The threat is remote, quite limited in scope, applicability (requiring a server or phone number compromise) and stealthiness (users who have the setting enabled still see a warning; "even if after the fact). The fact that warnings exist means that such attacks would almost certainly be quickly detected by security-aware users. This limits this method. Telling people to switch away from WhatsApp is very concretely endangering people. Signal is not an option for many people. These concerns are concrete, and my alarm is from observing what's actually been happening since the publication of this story and years of experience in these areas. You never should have reported on such a crucial issue without interviewing a wide range of experts. The vaccine metaphor is apt: you effectively ran a "vaccines can kill you" story without interviewing doctors, and your defense seems to be, "but vaccines do kill people [through extremely rare side effects]."
China

Viral Chinese Selfie App Meitu, Valued at Over $5 Billion, Phones Home With Personal Data (theregister.co.uk) 75

The Meitu selfie horrorshow app going viral through Western audiences is a privacy nightmare, researchers say. The app, which has been featured on several popular outlets including the NYTimes, USA Today, and NYMag, harvests information about the devices on which it runs, includes invasive advertising tracking features and is just badly coded. From a report: But worst of all, the free app appears to be phoning some to share personal data with its makers. Meitu, a Chinese production, includes in its code up to three checks to determine if an iPhone handset is jailbroken, according to respected forensics man Jonathan Zdziarski, a function to grab mobile provider information, and various analytics capabilities. Zdziarski says the app also appears to build a unique device profile based in part on a handset's MAC address. "Meitu is a throw-together of multiple analytics and marketing/ad tracking packages, with something cute to get people to use it," Zdziarski says. Unique phone IMEI numbers are shipped to dozens of Chinese servers, malware researcher FourOctets found. The app, which was valued at over $5 billion last year due its popularity, seeks access to device and app history; accurate location; phone status; USB, photos, and files storage read and write; camera; Wifi connections; device ID & call information; full network access, run at startup, and prevent device from sleeping on Android phones.
Android

Trump Trades in Android Phone For Secret Service-Approved Device (cnet.com) 167

Who's got two thumbs and a Secret Service-approved phone to tweet from? On arriving in Washington on Thursday ahead of his inauguration, Donald Trump has handed in his Android device in exchange for an unidentified locked-down phone, according to Associated Press. From a report: The phone comes with a new number that is known only to a limited number of people. This marks a big change for Trump, who's frequently on the line with friends, business contacts, reporters, foreign leaders and politicians. Barack Obama was the first president to use a mobile device approved by security agencies because of hacking concerns. Initially he had a heavily modified BlackBerry and later switched to another phone that had most features totally disabled. He was not known to use it for making or receiving calls, but it was one of few devices that had access to the @POTUS Twitter account.
Security

ProtonMail Adds Tor Onion Site To Fight Risk Of State Censorship (techcrunch.com) 25

ProtonMail now has a home on the dark web. The encrypted email provider announced Thursday it will allow its users to access the site through the Tor anonymity service. From a report: Swiss-based PGP end-to-end encrypted email provider, ProtonMail, now has an onion address, allowing users to access its service via a direct connection to the Tor anonymizing network -- in what it describes as an active measure aimed at defending against state-sponsored censorship. The startup, which has amassed more than two million users for its e2e encrypted email service so far, launching out of beta just over a year ago, says it's worried about an increased risk of state-level blocking of pro-privacy tools -- pointing to recent moves such as encryption messaging app Signal being blocked in Egypt, and the UK passing expansive surveillance legislation that mandates tracking of web activity and can also require companies to eschew e2e encryption and backdoor products. The service also saw a bump in sign ups after the election of Donald Trump as US president, last fall -- with web users apparently seeking a non-US based secure email provider in light of the incoming commander-in-chief's expansive digital surveillance powers.
Botnet

Krebs Pinpoints the Likely Author of the Mirai Botnet (engadget.com) 95

The Mirai botnet caused serious trouble last fall, first hijacking numerous IoT devices to make a historically massive Distributed Denial-Of-Service (DDoS) attack on KrebsOnSecurity's site in September before taking down a big chunk of the internet a month later. But who's responsible for making the malware? From a report on Engadget: After his site went dark, security researcher Brian Krebs went on a mission to identify its creator, and he thinks he has the answer: Several sources and corroborating evidence point to Paras Jha, a Rutgers University student and owner of DDoS protection provider Protraf Solutions. About a week after attacking the security site, the individual who supposedly launched the attack, going by the username Anna Senpai, released the source code for the Mirai botnet, which spurred other copycat assaults. But it also gave Krebs the first clue in their long road to uncover Anna Senpai's real-life identity -- an investigation so exhaustive, the Krebs made a glossary of cross-referenced names and terms along with an incomplete relational map.
Desktops (Apple)

Malwarebytes Discovers 'First Mac Malware of 2017' (securityweek.com) 60

wiredmikey writes: Security researchers have a uncovered a Mac OS based espionage malware they have named "Quimitchin." The malware is what they consider to be "the first Mac malware of 2017," which appears to be a classic espionage tool. While it has some old code and appears to have existed undetected for some time, it works. It was discovered when an IT admin noticed unusual traffic coming from a particular Mac, and has been seen infecting Macs at biomedical facilities. From SecurityWeek.com: "Quimitchin comprises just two files: a .plist file that simply keeps the .client running at all times, and the .client file containing the payload. The latter is a 'minified and obfuscated' perl script that is more novel in design. It combines three components, Thomas Reed, director of Mac offerings at Malwarebytes and author of the blog post told SecurityWeek: 'a Mac binary, another perl script and a Java class tacked on at the end in the __DATA__ section of the main perl script. The script extracts these, writes them to /tmp/ and executes them.' Its primary purpose seems to be screen captures and webcam access, making it a classic espionage tool. Somewhat surprisingly the code uses antique system calls. 'These are some truly ancient functions, as far as the tech world is concerned, dating back to pre-OS X days,' he wrote in the blog post. 'In addition, the binary also includes the open source libjpeg code, which was last updated in 1998.' The script also contains Linux shell commands. Running the malware on a Linux machine, Malwarebytes 'found that -- with the exception of the Mach-O binary -- everything ran just fine.' It is possible that there is a specific Linux variant of the malware in existence -- but the researchers have not been able to find one. It did find two Windows executable files, courtesy of VirusTotal, that communicated with the same CC server. One of them even used the same libjpeg library, which hasn't been updated since 1998, as that used by Quimitchin."
United States

Russia Extends Edward Snowden's Asylum To 2020, To Offer Citizenship Next Year (cnn.com) 268

Whistleblower and former U.S. intelligence contractor Edward Snowden has been allowed to remain in Russia for another three years and will next year qualify to apply for Russian citizenship. From a report on CNN: Edward Snowden's leave to remain in Russia has been extended until 2020, Russia's Foreign Ministry spokeswoman Maria Zakharova has confirmed to CNN. Snowden, a former US National Security Agency contractor, sought asylum in Russia in June 2013 after leaking volumes of information on American intelligence and surveillance operations to the media. On Tuesday, Zakharova announced an extension of a "couple of years" in a Facebook post that criticized former CIA acting director Michael Morell for an opinion piece he wrote suggesting that Russian President Vladimir Putin should consider returning Snowden to the United States as "the perfect inauguration gift" to President-elect Donald Trump. Snowden settled in Moscow after initially traveling to Hong Kong following his 2013 public disclosure of classified information. The Russian government granted him asylum soon after. In August 2014, Snowden received a three-year extension to his leave to remain in Russia. That extension was due to expire this year.
Crime

Ukraine's Power Outage Was a Cyber Attack, Says Power Supplier (reuters.com) 59

A power blackout in Ukraine's capital Kiev last month was caused by a cyber attack and investigators are trying to trace other potentially infected computers and establish the source of the breach, utility Ukrenergo told Reuters on Wednesday. From the report: When the lights went out in northern Kiev on Dec. 17-18, power supplier Ukrenergo suspected a cyber attack and hired investigators to help it determine the cause following a series of breaches across Ukraine. Preliminary findings indicate that workstations and Supervisory Control and Data Acquisition (SCADA) systems, linked to the 330 kilowatt sub-station "North", were influenced by external sources outside normal parameters, Ukrenergo said in comments emailed to Reuters. "The analysis of the impact of symptoms on the initial data of these systems indicates a premeditated and multi-level invasion," Ukrenergo said.
Crime

Dutch Developer Added Backdoor To Websites He Built, Phished Over 20,000 Users (bleepingcomputer.com) 122

An anonymous reader quotes a report from BleepingComputer: A Dutch developer illegally accessed the accounts of over 20,000 users after he allegedly collected their login information via backdoors installed on websites he built. According to an official statement, Dutch police officials are now in the process of notifying these victims about the crook's actions. The hacker, yet to be named by Dutch authorities, was arrested on July 11, 2016, at a hotel in Zwolle, the Netherlands, and police proceeded to raid two houses the crook owned, in Leeuwarden and Sneek. According to Dutch police, the 35-years-old suspect was hired to build e-commerce sites for various companies. After doing his job, the developer also left backdoors in those websites, which he used to install various scripts that allowed him to collect information on the site's users. Police say that it's impossible to determine the full breadth of his hacking campaign, but evidence found on his laptop revealed he gained access to over 20,000 email accounts. Authorities say the hacker used his access to these accounts to read people's private email conversations, access their social media profiles, sign-up for gambling sites with the victim's credentials, and access online shopping sites to make purchases for himself using the victim's funds.
Android

Low-Cost Android One Phones Coming To The US, Says Report (theverge.com) 91

The Android One platform is a program designed by Google to provide budget-friendly Android smartphones to developing markets. The phones are attractive because they contain no bloatware, competing services, and a lack of software and security updates -- the stuff that most low-end smartphones contain. According to a report from The Information, the program is about to make its way to the U.S. market. The Verge reports: Android One phones have historically been produced by companies you probably haven't heard of, like Micromax, Cherry, and QMobile. Originally Google had a direct hand in detailing what components would go into the phone, but apparently became more flexible over time and eventually expanded the program beyond India to parts of Africa, Spain, and Portugal. Android One may not have been the rousing worldwide success Google was hoping for, but it's still an important initiative for the company. Especially at the low end, there's a lot of incentive for manufacturers to pile on extra software in a bid to make those devices more profitable -- but that could cut against Google's efforts to make its own services more pervasive and popular. If Google really does put some real effort behind Android One, it could make its plans for Android a little clearer. Google itself has taken a stand that it wants to make its own hardware at the high-end of the smartphone market with the Pixel, and if The Information's report is accurate, it wants to ensure that its services are not cut out from the low end.
The Almighty Buck

Blockchain Technology Could Save Banks $12 Billion a Year (silicon.co.uk) 109

Mickeycaskill quotes a report from Silicon.co.uk: Accenture research has found Blockchain technology has the potential to reduce infrastructure costs by an average of 30 percent for eight of the world's ten biggest banks. That equates to annual cost savings of $8-12 billion. The findings of the "Banking on Blockchain: A Value Analysis for Investment Banks" report are based on an analysis of granular cost data from the eight banks to identify exactly where value could be achieved. A vast amount of cost for today's investment banks comes from complex data reconciliation and confirmation processes with their clients and counterparts, as banks maintain independent databases of transactions and customer information. However, Blockchain would enable banks to move to a shared, distributed database that spans multiple organizations. It has become increasingly obvious in recent months that blockchain will be key to the future of the banking industry, with the majority of banks expected to adopt the technology within the next three years.
Government

President Obama Commutes Chelsea Manning's Sentence (theverge.com) 788

The New York Times is reporting that President Obama has commuted Chelsea Manning's sentence. What this translates to is a reduced sentence for Manning, from 35 years to just over seven years. Since Manning has already served a majority of those years, she is due to be released from federal custody on May 17th. The Verge reports: While serving as an intelligence analyst in Iraq, Manning leaked more than 700,000 documents to Wikileaks, including video of a 2007 airstrike in Baghdad that killed two Reuters employees. In 2013, Manning was sentenced to 35 years in prison for her role in the leak and has been held at the U.S. Disciplinary Barracks at Fort Leavenworth for the past three years. Julian Assange, who has long been sought by U.S. and EU authorities for extradition on Swedish rape charges, had previously pledged to surrender himself to U.S. authorities if Manning was pardoned. Born Bradley Manning, Chelsea announced her gender transition the day after the verdict was handed down. "I am Chelsea Manning. I am a female," she said in a statement. "Given the way that I feel, and have felt since childhood, I want to begin hormone therapy as soon as possible." Obtaining the resulting medical treatments was extremely difficult for Manning, and was the subject of significant and sustained activism. After a lawsuit, Manning was approved for hormone therapy in 2015. In September 2016, she launched a hunger strike, demanding access to gender reassignment surgery; the military complied five days later.
The Military

ISIS Is Dropping Bombs With Drones In Iraq (popsci.com) 199

In addition to rifles, mortars, artillery and suicidal car bombs, ISIS has recently added commercial drones, converted into tiny bombs, into the mix of weapons it uses to fight in Iraq. In October, The New York Times reported that the Islamic State was using small consumer drones rigged with explosives to fight Kurdish forces in Iraq. Two Kurdish soldiers died dismantling a booby-trapped ISIS drone. Several months later and it appears the use of drones on the battlefield is becoming more prevalent. Popular Science reports: Previously, we've seen ISIS scratch-build drones, and as Iraqi Security Forces retook parts of Mosul, they discovered a vast infrastructure of workshops (complete with quality control) for building standardized munitions, weapons, and explosives. These drone bombers recently captured by Iraqi forces and shared with American advisors appear to be commercial, off-the-shelf models, adapted to carry grenade-sized payloads. "It's not as if it is a large, armed UAV [unmanned aerial vehicle] that is dropping munitions from the wings -- but literally, a very small quadcopter that drops a small munition in a somewhat imprecise manner," [Col. Brett] Sylvia, commander of an American military advising mission in Iraq, told Military Times. "They are very short-range, targeting those front-line troops from the Iraqis." Because the drones used are commercial models, it likely means that anti-drone weapons already on hand with the American advisors are sufficient to stop them. It's worth noting that the bomb-dropping drones are just a small part of how ISIS uses the cheap, unmanned flying machines. Other applications include scouts and explosive decoys, as well as one-use weapons. ISIS is also likely not the first group to figure out how to drop grenades from small drones; it's a growing field of research and development among many violent, nonstate actors and insurgent groups. Despite the relative novelty, it's also likely not the deadliest thing insurgents can do with drones.
Microsoft

Microsoft: Windows 7 Does Not Meet the Demands of Modern Technology; Recommends Windows 10 (neowin.net) 500

In a blog post, Microsoft says that continued usage of Windows 7 increases maintenance and operating costs for businesses. Furthermore, time is needlessly wasted on combating malware attacks that could have been avoided by upgrading to Windows 10. A report on Neowin adds: Microsoft also says that many hardware manufacturers do not provide drivers for Windows 7 any longer, and many developers and companies refrain from releasing programs on the outdated operating system. Markus Nitschke, Head of Windows at Microsoft Germany, had the following to say about Windows 7: "Today, it [Windows 7] does not meet the requirements of modern technology, nor the high security requirements of IT departments. As early as in Windows XP, we saw that companies should take early steps to avoid future risks or costs. With Windows 10, we offer our customers the highest level of security and functionality at the cutting edge.
Google

Google Reveals Its Servers All Contain Custom Security Silicon (theregister.co.uk) 118

Google has published an Infrastructure Security Design Overview that explains how it secures the cloud it uses for its own operations and for public cloud services. From a report on The Register: The document outlines six layers of security and reveals some interesting factoids about the Alphabet subsidiary's operations, none more so than the disclosure that: "We also design custom chips, including a hardware security chip that is currently being deployed on both servers and peripherals. These chips allow us to securely identify and authenticate legitimate Google devices at the hardware level." That silicon works alongside cryptographic signatures employed "over low-level components like the BIOS, bootloader, kernel, and base operating system image." "These signatures can be validated during each boot or update," the document says, adding that "the components are all Google-controlled, built, and hardened. With each new generation of hardware we strive to continually improve security: for example, depending on the generation of server design, we root the trust of the boot chain in either a lockable firmware chip, a microcontroller running Google-written security code, or the above mentioned Google-designed security chip."
China

China Orders App Stores To Join Register (bbc.com) 23

China's internet regulator has ordered mobile app stores to register themselves with it immediately. The Cyberspace Administration of China (CAC) said the move would help "promote the healthy and orderly development of the mobile internet." From a report on BBC: Most smartphones in the country run Android, but Google does not operate its Play Store locally, meaning users go elsewhere to add software. A report last year linked this to the spread of malware. Cheetah Mobile Security -- a Beijing-based firm -- reported that more than 1.4 million Chinese users' mobile devices had been struck by infections as of January 2016, making it the worst afflicted nation. India and Indonesia were in second and third place. This follows previous efforts to censor what appears online, including a recent demand that Apple remove the New York Times from the Chinese version of its iOS App Store. The US newspaper was the first to report the watchdog's move outside of China itself. Because of the Play store's absence, Android users in China typically go to stores operated by local tech giants including Tencent, Xiaomi, Baidu and Huawei.
Microsoft

Microsoft's Security Bulletins Will End In February (computerworld.com) 39

Remember how Microsoft switched to cumulative updates? Now Computerworld points out that that's bringing another change. An anonymous reader quotes their report: Microsoft next month will stop issuing detailed security bulletins, which for nearly 20 years have provided individual users and IT professionals information about vulnerabilities and their patches... A searchable database of support documents will replace the bulletins; that database has been available, albeit in preview, since November on the portal Microsoft dubbed the "Security Updates Guide," or SUG. The documents stored in the database are specific to a vulnerability on an edition of Windows, or a version of another Microsoft product. They can be sorted and filtered by the affected software, the patch's release date, its CVE identifier, and the numerical label of the KB, or "knowledge base" support document.
Redmond Magazine reports that Microsoft still plans to continue to issue its security advisories, and to issue "out-of-band" security update releases as necessary.
Privacy

Hackers Corrupt Data For Cloud-Based Medical Marijuana System (bostonglobe.com) 144

Long-time Slashdot reader t0qer writes: I'm the IT director at a medical marijuana dispensary. Last week the point of sales system we were using was hacked... What scares me about this breach is, I have about 30,000 patients in my database alone. If this company has 1,000 more customers like me, even half of that is still 15 million people on a list of people that "Smoke pot"...
" No patient, consumer, or client data was ever extracted or viewed," the company's data directory has said. "The forensic analysis proves that. The data was encrypted -- so it couldn't have been viewed -- and it was never extracted, so nobody has it and could attempt decryption." They're saying it was a "targeted" attack meant to corrupt the data rather than retrieve it, and they're "reconstructing historical data" from backups, though their web site adds that their backup sites were also targeted.

"In response to this attack, all client sites have been migrated to a new, more secure environment," the company's CEO announced on YouTube Saturday, adding that "Keeping our client's data secure has always been our top priority." Last week one industry publication had reported that the outage "has sent 1,000 marijuana retailers in 23 states scrambling to handle everything from sales and inventory management to regulatory compliance issues."
Debian

Debian 8.7 Released (debian.org) 124

Debian 8.7 has been released. An anonymous reader quotes Debian.org: This update mainly adds corrections for security problems to the stable release, along with a few adjustments for serious problems. Security advisories were already published separately and are referenced where available. Please note that this update does not constitute a new version of Debian 8 but only updates some of the packages included.

There is no need to throw away old "jessie" CDs or DVDs but only to update via an up-to-date Debian mirror after an installation, to cause any out of date packages to be updated. Those who frequently install updates from security.debian.org won't have to update many packages and most updates from security.debian.org are included in this update.

86 packages have been updated -- including some fixes for systemd. ("Rework logic to determine when we decide to add automatic deps for mounts; various ordering fixes for ifupdown; systemctl: Fix argument handling when invoked as shutdown...")

Slashdot Top Deals