Posts tagged ‘Privacy’

Errata Security: They are deadly serious about crypto backdoors

This post was syndicated from: Errata Security and was written by: Robert Graham. Original post: at Errata Security

Julian Sanchez (@normative) has an article questioning whether the FBI is serious about pushing crypto backdoors, or whether this is all a ploy pressuring companies like Apple to give them access. I think they are serious — deadly serious.

The reason they are only half-heartedly pushing backdoors at the moment is that they believe we, the opposition, aren’t serious about the issue. After all, the 4th Amendment says that a “warrant of probable cause” gives law enforcement unlimited power to invade our privacy. Since the constitution is on their side, only irrelevant hippies could ever disagree. There is no serious opposition to the proposition. It’ll all work itself out in the FBI’s favor eventually. Among the fascist class of politicians, like the Dianne Feinsteins and Lindsey Grahams of the world, belief in this principle is rock solid. They have absolutely no doubt.

But the opposition is deadly serious. By “deadly” I mean this is an issue we are willing to take up arms over. If congress were to pass a law outlawing strong crypto, I’d move to a non-extradition country, declare the revolution, and start working to bring down the government. You think the “Anonymous” hackers were bad, but you’ve seen nothing compared to what the tech community would do if encryption were outlawed.

On most policy questions, there are two sides to the debate, where reasonable people disagree. Crypto backdoors isn’t that type of policy question. To techies it’s the equivalent of what trying to ban guns would be to the NRA.

So the FBI trundles along, as if the opposition were hippies instead of ardent revolutionaries.

Eventually, though, things will come to a head where the FBI pushes forward. There will eventually be another major terrorist attack in the United States, and the terrorist will have been using encrypted communications. At that point, we are going to see the deadly seriousness of the FBI on the issue, and the deadly seriousness of the opposition. And by “deadly” I mean exactly that — violence and people getting killed.

Julian Sanchez is probably right that at this point, the FBI isn’t pushing too hard, and is willing to just pressure companies to get what they want (recovered messages from iCloud backups), and to give populist activists like the EFF easy wins (avoiding full backdoors) to take the pressure off. But in the long run, I believe this issue will become violent.

Let's Encrypt - Free SSL/TLS Certificates: OVH Sponsors Let’s Encrypt

This post was syndicated from: Let's Encrypt - Free SSL/TLS Certificates and was written by: Let's Encrypt - Free SSL/TLS Certificates. Original post: at Let's Encrypt - Free SSL/TLS Certificates

We’re pleased to announce that OVH has become a Platinum sponsor of Let’s Encrypt.

According to OVH CTO and Founder Octave Klaba, “OVH is delighted to become a Platinum sponsor. With Let’s Encrypt, OVH will be able to set a new standard for security by offering end-to-end encrypted communications by default to all its communities.”

The Web is an increasingly integral part of our daily lives, and encryption by default is critical in order to provide the degree of security and privacy that people expect. Let’s Encrypt’s mission is to encrypt the Web and our sponsors make pursuing that mission possible.

OVH’s sponsorship will help us to pay for staff and other operation costs in 2016.

If your company or organization would like to sponsor Let’s Encrypt, please email us at sponsor@letsencrypt.org.

Errata Security: Policy wonks aren’t computer experts

This post was syndicated from: Errata Security and was written by: Robert Graham. Original post: at Errata Security

This Politico story polls “cybersecurity experts” on a range of issues. But they weren’t experts, they were mostly policy wonks and politicians. Almost none of them have ever configured a firewall, written some code, exploited SQL injection, analyzed a compromise, or in any other way have any technical expertise in cybersecurity. It’s like polling a group of “medical experts”, none of whom has a degree in medicine, or having a “council of economic advisers” consisting of nobody with an economics degree, but instead of representatives from labor unions and corporations.

As an expert, a real expert, I thought I’d answer the questions in the poll. After each question, I’ll post my answer (yes/no), the percentage from the Politico poll of those agreeing with me, and then a discussion.

Should the government mandate minimum cybersecurity requirements for private-sector firms?

No (39%). This question is biased because they asked policy wonks, most of whom will answer “yes” to any question of the form “should government mandate…”. It’s also biased because if you ask anybody involved in X whether we need more X, they’ll say “yes”, regardless of the subject you are talking about.

But the best answer is “no”, for three reasons.

Firstly, we experts don’t know what “minimum requirements” should be. The most common attacks on the Internet are SQL injection, phishing, and password reuse. We experts don’t know how to solve these problems. Even if everyone followed minimum requirements, it wouldn’t make a difference in hacking.

Secondly, “requirements” have a huge cost. The government already has a mandate for minimum requirements for government products, called “Common Criteria”. It costs millions of dollars to get a product certified and makes no difference in cybersecurity.

Finally, it would kill innovation. The industry is in a headlong rush to “IoT”, the “Internet of Things”, where every device in your home, including hair dryers and Barbie dolls, is Internet enabled. I’ll be at the forefront pointing out the laughable security in these devices, and how easily they let hackers into your home. But to force innovation to halt for the next decade while they addressed cybersecurity instead would be a travesty. A better model is for them to ship crap first, for us in the industry to laugh and mock them for their obvious bugs, and for them to fix it later.

Should companies provide a “back door” for law enforcement to gain access to a program or computer?

No (85%). This one is a no-brainer. Even the most pro-law-enforcement among us recognize the problems with this one.

If passed, would the cybersecurity legislation under negotiation result in the appreciable reduction in cyber breaches of U.S. firms?

No (74%). This one surprised me, since most of the responses are from Washington D.C. policy wonks. But then the truth of CISA is that nobody cares whether it actually works — they want it firstly so that they appear to be addressing the problem, and secondly as a platform to stick amendments onto.

If passed, would the cybersecurity legislation under negotiation present a significant loss of privacy for Americans?

Yes (35%). Sadly, I’m in the minority. The reason is that policy wonks believe that the intention of CISA isn’t to invade privacy, so they’ll answer “no”. However, privacy invasion is an unintended consequence of information sharing, which is why privacy advocates answer “yes”.

Do you expect a major cyberattack against U.S. critical infrastructure to occur within the …

Century (0%). The only choices they gave were Next year (9%), Next five years (48%), and Next decade (43%). They are all morons. It’s roughly the same answer “experts” have been giving for the last 15 years, and those 15 years have shown that they’ve been consistently wrong.

Hacking into a power company and causing a blackout is deceptively easy. A lot of these people are privy to “pen test” reports showing how hackers easily broke into a power grid and put their virtual fingers on the proverbial button to turn off the power.

But just because it’s possible doesn’t mean that people will do it. It’s equally possible for Al Qaeda, the North Koreans, or the French to send sleeper agents into the United States to create explosives from off-the-shelf ingredients, and then bomb key power distribution points to cause mass blackouts throughout the country. Attacking the grid with cyber is easy, but attacking it “kinetically” is still even easier. I’ve done pentests of the power grid. If you hired me to cause mass blackouts, I’d predominantly use explosives.

The biggest issue, though, is that the United States critical infrastructure is incredibly diverse, involving 10,000 different companies. Small, temporary blackouts are easy, but a “major” blackout affecting a large part of the grid is impractical, at least unless you spent many years on the problem.

Eventually something might happen. But what we’ll see is a range of minor attacks against critical infrastructure long before we see a major attack. Those minor attacks haven’t happened yet, and until they do, we shouldn’t get worried about it.

Does working for the U.S. government now mean accepting that your personal information will be accessed by foreign governments?

Yes (77%), but really, it’s always been this way. Throughout the Cold War, the biggest thing spies did was figure out everyone working for foreign intelligence agencies. It’s always been known that if you get clearance, you get put on a list that our adversaries (Russia, China, the French) would know about, meaning that even casually traveling to those countries as a tourist might get your hotel room bugged.

The OPM breach changes none of this. I suspect the OPM breach was by much lower level hackers, and they are finding it hard selling the information because all the potential buyers already have it.

Should the U.S. government pardon Edward Snowden?

No (91%), but not for the reasons you think.

I’m on the side who thinks Snowden is a hero. However, breaking your word should have consequences. I’d like to think given the same situation as Snowden, I’d’ve leaked that Verizon court order, but I would have stayed to face the consequences and go to jail.

Anybody in government who has taken solemn oaths (especially the military) is likely to agree with me, regardless of what they think about mass surveillance.

Is cybersecurity over-hyped as a problem?

Yes (19%), of course it is. It’s obvious the Internet is secure enough, or people wouldn’t be putting everything on the Internet. No matter the costs of hacking/insecurity, they are less than the benefits of the Internet.

For example, credit card fraud is the biggest cybersecurity problem today, but is so small that we get “cash back” from credit cards, because the amount of fraud is still less than the fees they charge designed to compensate for fraud.

Of course, this question has the same biases I mentioned above. If you ask anybody involved in X if the public needs more awareness of X, they’ll almost always say “yes”.

Has the U.S. military been too hesitant to conduct offensive cyber operations?

No (77%). The other 23% say “yes” because they’ve seen situations where we could’ve, but didn’t.

But “no” is the right answer. By itself, the mass global cyber surveillance uncovered by Snowden is evidence that we are the most aggressive actor in cyberspace. But beyond surveillance, we have a very active cyber-offensive program.

Will we reach an agreement on international rules of the road in cyberspace?

Blerg (0%). That’s sort of a nonsense question. Will we reach agreements? Yes. That’s the sort of thing politicians do. Will they have any meaning? Any teeth? Will countries abide by them? Probably not.

We already have one instance, the Wassenaar agreement controlling “cyber weapons”, and it’s turning out horribly, not what anybody expected.

Are U.S. government officials too hesitant to publicly attribute cyberattacks to other countries?

No (39%). The reason policy wonks answer “yes” is that they can point to examples where the government was hesitant, such as that DDoS attack against GitHub that was clearly by the Chinese government.

But at the same time, we can point to many opposite cases where the government is too eager to attribute attacks to other countries, such as the Sony hack attributed to North Korea.

It’s hard to say which happens more often, but in my experience, attacks that genuinely come from “other countries” aren’t actually directed by those countries. Governments foster an environment that makes attacking the U.S. easy, but don’t actually direct the attacks.

It’s like the terrorist attacks in Paris and San Bernardino. ISIS claims credit, but it’s unclear how much was directed and supported by ISIS, and how much the attacks were planned by locals in ISIS’s name. In much the same way, there are lots of cyberattacks from China and Russia against the United States, but I’m not sure how much they are directed by their respective governments.

Is the no-commercial cyberspying agreement between President Barack Obama and Chinese President Xi Jinping likely to lead to a reduction in economic hacking by China?

No (60%). At most, it’ll stop the direct attacks from the Chinese Army, but hacking is rife in Chinese society, so I’m not sure how much that will stop. On the other hand, information about who in society is hacking percolates up the food chain, so it’s possible that the central government could crack down on those hackers if it wants. I imagine a situation where there’s this hacker who has been living in a mansion for a decade, selling secrets he’s hacked with collusion from Chinese officials, only to be surprised by the secret police showing up one day and arresting him.

Let's Encrypt: Entering Public Beta

This post was syndicated from: Let's Encrypt and was written by: Let's Encrypt. Original post: at Let's Encrypt

We’re happy to announce that Let’s Encrypt has entered Public Beta. Invitations are no longer needed in order to get free certificates from Let’s Encrypt.

It’s time for the Web to take a big step forward in terms of security and privacy. We want to see HTTPS become the default. Let’s Encrypt was built to enable that by making it as easy as possible to get and manage certificates.

We’d like to thank everyone who participated in the Limited Beta. Let’s Encrypt issued over 26,000 certificates during the Limited Beta period. This allowed us to gain valuable insight into how our systems perform, and to be confident about moving to Public Beta.

We’d also like to thank all of our sponsors for their support. We’re happy to have announced earlier today that Facebook is our newest Gold sponsor.

We have more work to do before we’re comfortable dropping the beta label entirely, particularly on the client experience. Automation is a cornerstone of our strategy, and we need to make sure that the client works smoothly and reliably on a wide range of platforms. We’ll be monitoring feedback from users closely, and making improvements as quickly as possible.

Instructions for getting a certificate with the Let’s Encrypt client can be found here.

Let’s Encrypt Community Support is an invaluable resource for our community; we strongly recommend making use of the site if you have any questions about Let’s Encrypt.

Let’s Encrypt depends on support from a wide variety of individuals and organizations. Please consider getting involved, and if your company or organization would like to sponsor Let’s Encrypt please email us at sponsor@letsencrypt.org.

Darknet - The Darkside: VTech Hack – Over 7 Million Records Leaked (Children & Parents)

This post was syndicated from: Darknet - The Darkside and was written by: Darknet. Original post: at Darknet - The Darkside

And once again, the messy technical flaws of a company are being exposed with the recent VTech hack – it’s really not looking good for them, with account passwords ‘secured’ with unsalted MD5 hashes and all kinds of private information being leaked, including parents’ addresses, kids’ birthdays, genders, secret answers and…

Read the full post at darknet.org.uk

Schneier on Security: A History of Privacy

This post was syndicated from: Schneier on Security and was written by: schneier. Original post: at Schneier on Security

This New Yorker article traces the history of privacy from the mid 1800s to today:

As a matter of historical analysis, the relationship between secrecy and privacy can be stated in an axiom: the defense of privacy follows, and never precedes, the emergence of new technologies for the exposure of secrets. In other words, the case for privacy always comes too late. The horse is out of the barn. The post office has opened your mail. Your photograph is on Facebook. Google already knows that, notwithstanding your demographic, you hate kale.

TorrentFreak: Copyright Industry Still Doesn’t Understand This Fight Isn’t About Money, But Liberty

This post was syndicated from: TorrentFreak and was written by: Rick Falkvinge. Original post: at TorrentFreak

In 2010, I got a prize from the Swedish IT Industry as “IT person of the year”, the year after I had led the Swedish and first Pirate Party into the European Parliament.

Their motivation for the prize was that I had finally, and through hard work, brought important IT issues front and center in the political establishment.

What we said then are the same things we say now. The Internet is the most important piece of infrastructure we have. More important than telco, than cable TV, than roads, than power, than… well, with the possible exception of tap water and sanitation infrastructure, I’ll allow the jury to confer a bit more on that one.

We were saying, and are saying, that it’s insane, asinine, repulsive and revolting to allow a cartoon industry (the copyright industry – mostly led by Disney in this regard) to regulate the infrastructure of infrastructures. To allow a cartoon industry to dismantle anonymity, the right to private correspondence and many more fundamental liberties just because they were worried about their profits.

There was some success in pushing back the worst. We didn’t get to go on the offense, but we did safeguard the most important liberties.

Then, something very odd and unexpected happened. Spotify came on stage, praised The Pirate Bay for raising the bar for consumer expectations of what good service means, and swept the floor with consumption patterns of music. As did Pandora in the US. Pirates tend to be early adopters and Pandora was no exception: I am paying subscriber #110 there out of today’s tens of millions. As was always noted, the fight for liberty was never a fight about money.

More people shifted toward streaming video as well with Netflix and similar services, again showing it was never about the money, but always about freedom.

After that, something even more unexpected happened. Pirates started fighting with the copyright industry, against the internet service providers, in the halls of policymaking. More specifically, pirates were siding with Microsoft against lots of old telco dinosaurs. Even more specifically, people were fighting for Net Neutrality – something that Microsoft was also fighting for, as the owner of Skype – against the mobile divisions of telco dinosaurs, who wanted to lock out competitors from their imaginary walled garden.

Of course, this is only unexpected if you thought it was about money in the first place. If you knew that it was always about liberty, about defending the infrastructure of infrastructures, about protecting the right to innovate and the freedom of speech, this comes as a no-brainer.

We care for permissionless innovation, we care for private correspondence, we care for sharing and the legacy of knowledge and culture. We do not care in the slightest for obsolete and outdated pre-internet distribution monopolies, nor do we care for pipes that want to be privileged, and we become outright hostile when the industries that benefit from old monopolies (not stakeholders, but beneficiaries!) assert a right to dismantle the liberties that our ancestors fought, bled, and died to give to us today.

“How will the authors get paid?” is an utterly uninteresting question in a market economy. The answer is equally utterly simple: “by making a sale”. There is no other way, and there should not be any other way. A much more relevant question today is “how do we protect the infrastructure of liberty against corporate encroachment and imaginary privileges of pre-internet monopolies”.

Oh, and the Swedish IT Industry Association also gives a prize to the IT Company of the year, not just the IT person of the year. The company to get that prize in the same year as me? Spotify.

About The Author

Rick Falkvinge is a regular columnist on TorrentFreak, sharing his thoughts every other week. He is the founder of the Swedish and first Pirate Party, a whisky aficionado, and a low-altitude motorcycle pilot. His blog at falkvinge.net focuses on information policy.

Source: TorrentFreak, for the latest info on copyright, file-sharing, torrent sites and ANONYMOUS VPN services.

TorrentFreak: Huge Security Flaw Can Expose VPN Users’ Real IP-Addresses

This post was syndicated from: TorrentFreak and was written by: Ernesto. Original post: at TorrentFreak

For the past several years, interest in encrypted and anonymous communications has spread to a much wider audience.

VPN providers are particularly popular among BitTorrent users, who by default broadcast their IP-addresses to hundreds of people when downloading a popular file.

The goal of using a VPN is to hide one’s ISP IP-address, but a newly discovered vulnerability shows that this is easily bypassed on some providers.

The problem, uncovered by VPN provider Perfect Privacy (PP), is a simple port forwarding trick. If an attacker uses the same VPN as the victim the true IP-address can be exposed by forwarding traffic on a specific port.

The security flaw affects all VPN protocols including OpenVPN and IPSec and applies to all operating systems.

“Affected are VPN providers that offer port forwarding and have no protection against this specific attack,” PP notes.

For example, if an attacker activates port forwarding for the default BitTorrent port then a VPN user on the same network will expose his or her real IP-address.

The same is true for regular web traffic, but in that case the attacker has to direct the victim to a page that connects to the forwarded port, as Perfect Privacy explains in detail.

The vulnerability affected the setup of various large VPN providers, who were warned last week. These included Private Internet Access (PIA), Ovpn.to and nVPN, who all fixed the issue before publication.

PIA informs TorrentFreak that their fix was relatively simple and was implemented swiftly after they were notified.

“We implemented firewall rules at the VPN server level to block access to forwarded ports from clients’ real IP addresses. The fix was deployed on all our servers within 12 hours of the initial report,” PIA’s Amir Malik says.

In addition, PIA complimented Perfect Privacy for responsibly disclosing the vulnerability prior to making it public and awarded their competitor with a $5,000 bounty under its Whitehat Alert Security Program.

Not all VPN providers were tested so it is likely that many others are still vulnerable. Hopefully, these will address the issue in the near future.

Darknet - The Darkside: Dell Backdoor Root Cert – What You Need To Know

This post was syndicated from: Darknet - The Darkside and was written by: Darknet. Original post: at Darknet - The Darkside

So a few days ago the Internet exploded with chatter about a Dell backdoor root cert AKA a rogue root CA, almost exactly like what happened with Lenovo and Superfish. It started with this Reddit thread – Dell ships laptops with rogue root CA, exactly like what happened with Lenovo and Superfish in the Technology […]

The post Dell Backdoor…

Read the full post at darknet.org.uk

Schneier on Security: Voter Surveillance

This post was syndicated from: Schneier on Security and was written by: schneier. Original post: at Schneier on Security

There hasn’t been that much written about surveillance and big data being used to manipulate voters. In Data and Goliath, I wrote:

Unique harms can arise from the use of surveillance data in politics. Election politics is very much a type of marketing, and politicians are starting to use personalized marketing’s capability to discriminate as a way to track voting patterns and better “sell” a candidate or policy position. Candidates and advocacy groups can create ads and fund-raising appeals targeted to particular categories: people who earn more than $100,000 a year, gun owners, people who have read news articles on one side of a particular issue, unemployed veterans…anything you can think of. They can target outraged ads to one group of people, and thoughtful policy-based ads to another. They can also fine-tune their get-out-the-vote campaigns on Election Day, and more efficiently gerrymander districts between elections. Such use of data will likely have fundamental effects on democracy and voting.

A new research paper looks at the trends:

Abstract: This paper surveys the various voter surveillance practices recently observed in the United States, assesses the extent to which they have been adopted in other democratic countries, and discusses the broad implications for privacy and democracy. Four broad trends are discussed: the move from voter management databases to integrated voter management platforms; the shift from mass-messaging to micro-targeting employing personal data from commercial data brokerage firms; the analysis of social media and the social graph; and the decentralization of data to local campaigns through mobile applications. The de-alignment of the electorate in most Western societies has placed pressures on parties to target voters outside their traditional bases, and to find new, cheaper, and potentially more intrusive, ways to influence their political behavior. This paper builds on previous research to consider the theoretical tensions between concerns for excessive surveillance, and the broad democratic responsibility of parties to mobilize voters and increase political engagement. These issues have been insufficiently studied in the surveillance literature. They are not just confined to the privacy of the individual voter, but relate to broader dynamics in democratic politics.

Krebs on Security: ISIS Jihadi Helpdesk Customer Log, Nov. 20

This post was syndicated from: Krebs on Security and was written by: BrianKrebs. Original post: at Krebs on Security

From NBC News come revelations that ISIS has its very own web-savvy, 24-hour Jihadi Help Desk manned by a half-dozen senior operatives to assist foot soldiers in spreading their message far and wide. My first reaction to this story was disbelief, then envy (hey, where the heck is my 24/7 support?). But soon enough I forgot about all that, my mind racing with other possibilities.

Imagine the epic trolling opportunities available to a bored or disgruntled Jihadi Help Desk operator. For this persona, we need to reach way back into the annals of Internet history to the Bastard Operator from Hell (BOFH) — a megalomaniacal system administrator who constantly toyed with the very co-workers he was paid to support. What might a conversation between a jihadi and the Bastard Jihadi Operator from Hell (BJOFH) sound like?

[RECORDED MESSAGE]: Thank you for contacting the ISIS Jihadi Help Desk. We are currently experiencing higher than normal call volume. Please wait and your inquiry will be answered in the order that it was received. This call may be monitored for customer service and Jihadi training purposes.

JIHADI: [audible sigh].

[MANY ISIS ANTHEMS RIFFING OFF OF BILLBOARD 100 HITS LATER…]

BJOFH: ISIS Jihadi Helpdesk, Mohammed speaking, how may I help you?

JIHADI: Finally! I thought someone would never answer! I’ve been sitting here sweating bullets and listening to the same infidel hold music over and over.

BJOFH: My sincerest apologies, sir. Someone hit “reply-all” on an operational email, and that really lit up our switchboard this morning. Also, most of the encrypted email services we use are under attack by some other terrorist group and are offline at the moment.

JIHADI: Too bad for them. Seriously, you guys call this 24/7 support?? I’ve been parked on this couch for hours waiting for some son-of-a-dog to answer!

BJOFH: [Pause. Deep breath.]…Well, you’ve got me now, sir. What can I do to…er…for you?

JIHADI: Right. So I’ve got a hardware problem. This itchy vest I have on..it keeps beeping, really loud. It’s getting super annoying, and I’ve got to have some quiet prayer…you know….me-time…pretty soon now, understand?

BJOFH: Yes, I see. Well, good news, brother! I think I can help you. Tell me…is there a mobile phone attached to the vest?

JIHADI: [inaudible…fumbling with receiver]….uh..yeah there is..Huh…feels like there’s one sewn into the left inside pocket.

BJOFH: So, I’m going to try something on my end. Sit tight, and I’ll be right back.

JIHADI: [pause] Uh…okay. But don’t be gone so long this time!

BJOFH: [one minute later]…Thanks for holding. Yeah, looks like I’m going to have to go ahead and troubleshoot this issue a bit more. Can you do me a favor and call me from the vest phone?

JIHADI: Uh..wait, through the jacket, you mean?

BJOFH: Yes, sir. My desk line here is 1-866-GO-JIHAD.

JIHADI: Okay. But it’s kinda hard to reach the keypad. So many wires….

BJOFH: Totally fine, sir. Take your time. You should still be able to feel the phone’s keypad through the pocket fabric.

JIHADI: Okay yeah, I think I got it. So how do I send the call?

BJOFH: If your vest is the model I think it is, the “Send Message” button should be the big one in the middle above the keypad.

JIHADI: [Fumbling with the phone] Okay, is it ringing?

BJOFH: [Line rings in background] Yep, got it, thanks. Okay, now I’m going to call you back.

JIHADI: Okay.

BJOFH: Great. Do me a favor and just wait until the phone rings at least once before answering, okay?

JIHADI: Fine, whatever. Just…today, maybe?

BJOFH: You bet. Go JIHAD!

JIHADI: Wait a second! How do I answer…[fumbling with the receiver]

[Vest phone rings. Line goes dead].

All satire aside, the jihadis take their security and privacy seriously, shouldn’t you? Wired.com has helpfully published a translated 34-page Opsec Guide (PDF), a document originally printed in Arabic and intended to introduce newbies to basic operational security measures, techniques and technologies. It’s not the easiest tutorial to read, but it does reference a great many resources worth investigating further.

Update, 5:12 p.m. ET: An earlier version of this article incorrectly attributed the source of the Opsec article referenced in the last paragraph.

AWS Security Blog: AWS Announces Successful SOC Assessment with 3 New Services in Scope

This post was syndicated from: AWS Security Blog and was written by: Chad Woolf. Original post: at AWS Security Blog

Today, I’m happy to announce the completion of another successful Service Organization Controls (SOC) assessment.

The AWS SOC program is an intense, period-in-time audit performed every six months. We have been releasing SOC Reports (or their SAS 70 predecessors) regularly since 2009, and we have, over the years, gradually built in more controls and added more services. These third-party assessments from Ernst & Young are mature and extensive, and attest to our alignment with the American Institute of Certified Public Accountants (AICPA) Security Trust Principles. The SOC programs continue to be a key component of our efforts to provide transparency to our customers in information security, confidentiality, and privacy.

The following 3 AWS services have been added to the scope of our SOC Reports:

This increases the number of services covered in our SOC Reports to 26, and with 34 AWS Edge Locations also in scope, AWS customers can satisfy a variety of use cases.

Our updated AWS SOC 1 and SOC 2 Security & Availability Reports cover the report period of April 1, 2015, through September 30, 2015, and will continue to be reaffirmed in a six-month cadence going forward. To request the latest SOC 1 or SOC 2 Reports, contact AWS Sales and Business Development. Alternatively, depending on your regulatory requirements, the SOC 3 Report is publicly available for download via our AWS Compliance website, or you can view it directly.

Have additional questions about SOC reports? See our FAQ on the topic.

To see all publicly available certifications, see AWS Published Certifications, and to keep up with the latest AWS Compliance news, see AWS Compliance – Latest News.

– Chad Woolf, Director of AWS Risk and Compliance

LWN.net: Detectify: Chrome Extensions – AKA Total Absence of Privacy

This post was syndicated from: LWN.net and was written by: corbet. Original post: at LWN.net

The “Detectify Labs” site has put up a lengthy analysis of the user tracking taking place in many Chrome browser extensions. “Google, claiming that Chrome is the safest web browser out there, is actually making it very simple for extensions to hide how aggressively they are tracking their users. We have also discovered exactly how intrusive this sort of tracking actually is and how these tracking companies actually do a lot of things trying to hide it. Due to the fact that the gathering of data is made inside an extension, all other extensions created to prevent tracking (such as Ghostery) are completely bypassed.” At the end they note that the situation with Firefox is not a whole lot better.

Schneier on Security: Ads Surreptitiously Using Sound to Communicate Across Devices

This post was syndicated from: Schneier on Security and was written by: schneier. Original post: at Schneier on Security

This is creepy and disturbing:

Privacy advocates are warning federal authorities of a new threat that uses inaudible, high-frequency sounds to surreptitiously track a person’s online behavior across a range of devices, including phones, TVs, tablets, and computers.

The ultrasonic pitches are embedded into TV commercials or are played when a user encounters an ad displayed in a computer browser. While the sound can’t be heard by the human ear, nearby tablets and smartphones can detect it. When they do, browser cookies can now pair a single user to multiple devices and keep track of what TV commercials the person sees, how long the person watches the ads, and whether the person acts on the ads by doing a Web search or buying a product.

Related: a Chrome extension that broadcasts URLs over audio.

Schneier on Security: On CISA

This post was syndicated from: Schneier on Security and was written by: schneier. Original post: at Schneier on Security

I have avoided writing about the Cybersecurity Information Sharing Act (CISA), largely because the details kept changing. (For those not following closely, similar bills were passed by both the House and the Senate. They’re now being combined into a single bill which will be voted on again, and then almost certainly signed into law by President Obama.)

Now that it’s pretty solid, I find that I don’t have to write anything, because Danny Weitzner did such a good job, writing about how the bill encourages companies to share personal information with the government, allows them to take some offensive measures against attackers (or innocents, if they get it wrong), waives privacy protections, and gives companies immunity from prosecution.

Information sharing is essential to good cybersecurity, and we need more of it. But CISA is really a bad law.

This is good, too.

Schneier on Security: Refuse to Be Terrorized

This post was syndicated from: Schneier on Security and was written by: schneier. Original post: at Schneier on Security

Paul Krugman has written a really good update of my 2006 essay.

Krugman:

So what can we say about how to respond to terrorism? Before the atrocities in Paris, the West’s general response involved a mix of policing, precaution, and military action. All involved difficult tradeoffs: surveillance versus privacy, protection versus freedom of movement, denying terrorists safe havens versus the costs and dangers of waging war abroad. And it was always obvious that sometimes a terrorist attack would slip through.

Paris may have changed that calculus a bit, especially when it comes to Europe’s handling of refugees, an agonizing issue that has now gotten even more fraught. And there will have to be a post-mortem on why such an elaborate plot wasn’t spotted. But do you remember all the pronouncements that 9/11 would change everything? Well, it didn’t — and neither will this atrocity.

Again, the goal of terrorists is to inspire terror, because that’s all they’re capable of. And the most important thing our societies can do in response is to refuse to give in to fear.

Me:

But our job is to remain steadfast in the face of terror, to refuse to be terrorized. Our job is to not panic every time two Muslims stand together checking their watches. There are approximately 1 billion Muslims in the world, a large percentage of them not Arab, and about 320 million Arabs in the Middle East, the overwhelming majority of them not terrorists. Our job is to think critically and rationally, and to ignore the cacophony of other interests trying to use terrorism to advance political careers or increase a television show’s viewership.

The surest defense against terrorism is to refuse to be terrorized. Our job is to recognize that terrorism is just one of the risks we face, and not a particularly common one at that. And our job is to fight those politicians who use fear as an excuse to take away our liberties and promote security theater that wastes money and doesn’t make us any safer.

This crass and irreverent essay was written after January’s Paris terrorist attack, but is very relevant right now.

Linux How-Tos and Linux Tutorials: 11 Things To Do After Installing Ubuntu 15.10

This post was syndicated from: Linux How-Tos and Linux Tutorials and was written by: Jack Wallen. Original post: at Linux How-Tos and Linux Tutorials

Figure 1: Ubuntu 15.10 updater.

You’ve installed the latest iteration of one of the most popular Linux desktop distributions on the planet and will most likely find a platform ready to do nearly everything you need it to do.

Nearly.

There are still some tasks you can tackle to make that environment even more efficient, more productive, and more enjoyable. Best of all, these to-do (which some might consider “must-do”) items are all very simple to undertake. Within a short span of time, you’ll have a masterful Ubuntu desktop, ready to do your bidding with ease and aplomb.

Before we dive into this, understand that not every idea laid out here will apply to every user. I will try to make this as universal as possible, but sometimes specificity might get in the way.

With that said, let’s get to work.

1. Update.

Even though you might have checked the box for downloading and installing updates during the installation, more than likely there will still be updates to be had right out of the gate. Don’t even bother to wait for the update manager to pop up and remind you there are updates. Open the Dash (either click on the Ubuntu logo icon in the upper left corner or press the Super key on your keyboard), search for updates, and click the Software Updater launcher. When the updater runs (Figure 1, above), okay any updates that are available. Bug fixes tend to happen frequently soon after the release.

2. Install AppGrid

Although the Ubuntu Software Center is a great tool in theory, in practice it falls a wee bit short. First and foremost, the thing is slow…far too slow for most. Second, its interface has never been remotely close to best in breed. Because of this, I highly recommend installing AppGrid (Figure 2). Not only does it make finding software a lot easier, it’s incredibly fast. Installing AppGrid on Ubuntu is simple; just follow these steps:

  1. Press [Ctrl]+[Alt]+[t] to open a terminal window

  2. Add the necessary repository with the command sudo add-apt-repository ppa:appgrid/stable

  3. When prompted, press Enter

  4. Update apt’s sources with the command sudo apt-get update

  5. Install AppGrid with the command sudo apt-get install appgrid

That’s it. You should now have a much more efficient means of finding and installing software.

Figure 2: AppGrid is a much better package manager frontend for Ubuntu.

3. Install proper graphics drivers

Figure 3: Ubuntu 15.10 video driver update.

If you plan on doing any Steam gaming, watching movies, editing video or any other graphics-intensive work, you will want to make use of the latest versions of graphics drivers better suited for the task. To do this, follow these steps:

  1. Open the Dash and type software

  2. Click to open the Software & Updates tool

  3. Click on the Additional Drivers tab

  4. Should any additional drivers be found, select the available driver that best suits your needs (Figure 3)

  5. Click Apply changes

  6. If prompted, reboot your machine so the changes will take effect 

It is important to make sure you install the proper driver for your card…so you will want to know which card you have on your machine. An easy way to find out is to open System Settings and then click on Details. You will see the make and model of your graphics chipset listed there.

4. Install additional media codecs

Remember what I said about having to install updates, even though you checked to have them installed during installation? There’s also a check box for installing additional media codecs. Guess what? That step won’t always download and install everything you want…and the last thing you want to do is struggle to get your media files to play. So, in order to get all the additional media codecs necessary, follow these steps:

  1. Open up AppGrid (or the Ubuntu Software Center if you so choose)

  2. Search for Ubuntu restricted extras 

  3. Click Install

  4. Allow the installation to complete 

5. Install tweak tools

Figure 5: Unity Tweak Tool.

I still cannot figure out why there are no tweak tools installed by default. Well, they’re not, and you’ll want them. With these tools you can customize your desktop with far more flexibility than you can with the default options. There are two outstanding tweak tools you will want to add: unity-tweak-tool and gnome-tweak-tool. Both of these apps can be installed from the standard repositories like so:

  1. Open a terminal window

  2. Issue the command sudo apt-get install unity-tweak-tool gnome-tweak-tool

  3. Type your sudo password and hit Enter

  4. Allow the installation to complete

Oddly enough, you won’t find entries for either tool in the Dash, so you have to run them from the terminal. The apps are run with the following commands:

  •  unity-tweak-tool 

  •  gnome-tweak-tool 

With each tool you’ll gain significant control over the look and feel of your desktop (Figure 5). 

6. Adjust your menus

I’ve been a fan of Unity’s global menu system for a long time now. However, some users prefer a more standard menu system. With Ubuntu 15.10 you can switch between having the menus in the window’s title bar or in the main menu bar (the panel at the top of the window). Here’s how:

  1. Open System Settings

  2. Go to Appearance > Behavior

  3. Select the menu type you want from the Show the menus for a window section (Figure 6).

Figure 6: Switching where Unity displays app menus in Ubuntu 15.10. 

7. Install a better audio player

Ubuntu 15.10 defaults to Rhythmbox as its music player. For many, many users, this won’t be satisfactory. There are plenty of options available, but the one I always turn to is Clementine. Not only does Clementine offer superior playlists (Figure 7), but it has a built-in EQ and you can even connect it to streaming sources like Spotify.

Clementine can be found in the default repositories, so just open up either AppGrid or the Ubuntu Software Center, search for clementine, and click to install.

Figure 7: Clementine on Ubuntu 15.10.

8. Set privacy to suit your needs

Ubuntu was under fire for a long time about privacy. Out of the box, Unity would allow online searches from the Dash…something many considered to be a security risk. I was always one to make good use of the online searching. If, however, you would prefer to not include online searching, you can easily turn it off. To do this, open up System Settings and go to Security & Privacy. Click on the Search tab and then disable online search results (Figure 8).

Figure 8: Enable or disable online search results for Unity’s Dash.

9. Get themes

Ubuntu has only shipped with two themes for a long time…neither of which is really all that appealing. You can always install new themes…there are plenty of them out there. The best way to do this is to search for Ubuntu themes and only install those that offer an updated ppa that can be added. One of my favorite themes for Unity is the Arc theme. You will need to first have the Unity Tweak Tool installed (so you can actually switch to a third-party theme). Installing the Arc theme is simple:

  1. Open up a terminal window

  2. Add the necessary ppa with the command sudo sh -c "echo 'deb http://download.opensuse.org/repositories/home:/Horst3180/xUbuntu_15.10/ /' >> /etc/apt/sources.list.d/arc-theme.list"

  3. Download the repository key with the command wget http://download.opensuse.org/repositories/home:Horst3180/xUbuntu_15.10/Release.key

  4. Add the key with the command sudo apt-key add - < Release.key

  5. Update apt with the command sudo apt-get update 

  6. Install the theme with the command sudo apt-get install arc-theme

  7. Now open the Unity Tweak Tool, click on Theme, and then select Arc under the Theme tab (Figure 9).

Figure 9: Selecting the Arc theme in the Unity Tweak Tool.

10. Set up your cloud connections

Naturally you will want to connect your desktop to whatever cloud account you use. Many cloud accounts now have Linux clients and some (such as Dropbox) can be installed from within the package manager. For example, open up AppGrid and search for Dropbox. You will be greeted with a listing for Dropbox that is actually just the Nautilus integration component. However, after you install this app, you will be prompted to restart Nautilus and then start Dropbox. This process will then download and install the newest official Dropbox client (Figure 10).

11. Get to know the new network device naming scheme

For the first time in the Ubuntu lifespan, stateless, persistent network names are now used for network devices. This means the old naming scheme of eth0/eth1/wlan0/wlan1 is no more. In its place will be more descriptive names (such as wlp4s0). If you issue the command ifconfig you will see the new persistent names for your devices…use these instead of the old standbys you’ve been using for years. This will take some time to get used to, so start getting familiar with this new naming scheme now. Anyone making use of older networking scripts will need to modify those scripts to reflect this new naming scheme.

At this point, Ubuntu should be a gorgeous, efficient platform ready to do your bidding. Yes, there may well be other apps you need to install, but those are mostly just an AppGrid or Ubuntu Software Center away.

Enjoy Ubuntu 15.10!

Let's Encrypt: Public Beta: December 3, 2015

This post was syndicated from: Let's Encrypt and was written by: Let's Encrypt. Original post: at Let's Encrypt

Let’s Encrypt will enter Public Beta on December 3, 2015. Once we’ve entered Public Beta our systems will be open to anyone who would like to request a certificate. There will no longer be a requirement to sign up and wait for an invitation.

Our Limited Beta started on September 12, 2015. We’ve issued over 11,000 certificates since then, and this operational experience has given us confidence that our systems are ready for an open Public Beta.

It’s time for the Web to take a big step forward in terms of security and privacy. We want to see HTTPS become the default. Let’s Encrypt was built to enable that by making it as easy as possible to get and manage certificates.

We have more work to do before we’re comfortable dropping the beta label entirely, particularly on the client experience. Automation is a cornerstone of our strategy, and we need to make sure that the client works smoothly and reliably on a wide range of platforms. We’ll be monitoring feedback from users closely, and making improvements as quickly as possible.

Let’s Encrypt depends on support from a wide variety of individuals and organizations. Please consider getting involved, and if your company or organization would like to sponsor Let’s Encrypt please email us at sponsor@letsencrypt.org.

Krebs on Security: The Lingering Mess from Default Insecurity

This post was syndicated from: Krebs on Security and was written by: BrianKrebs. Original post: at Krebs on Security

The Internet of Things is fast turning into the Internet-of-Things-We-Can’t-Afford. Almost daily now we are hearing about virtual shakedowns wherein attackers demand payment in Bitcoin virtual currency from a bank, e-retailer or online service. Those who don’t pay the ransom see their sites knocked offline in coordinated cyberattacks.  This story examines one contributor to the problem, and asks whether we should demand better security from ISPs, software and hardware makers.

These attacks are fueled in part by an explosion in the number of Internet-connected things that are either misconfigured or shipped in a default insecure state. In June I wrote about robot networks or “botnets” of hacked Internet routers that were all made and shipped by networking firm Ubiquiti. Attackers were able to compromise the routers because Ubiquiti shipped them with remote administration switched on by default and protected by a factory default password pair (ubnt/ubnt or no password at all).

That story followed on reports from security firm Imperva (see Lax Security Opens the Door for Mass-Scale Hijacking of SOHO Routers) which found a botnet of tens of thousands of hijacked Ubiquiti routers being used to launch massive ransom-based denial-of-service attacks. Imperva discovered that those tens of thousands of hacked devices were so easy to remotely control that each router was being exploited by several different extortion groups or individual criminal actors. The company also found those actors used the hacked routers to continuously scan the Internet for more vulnerable routers.

Last week, researchers in Vienna, Austria-based security firm SEC Consult released data suggesting that there are more than 600,000 vulnerable Ubiquiti routers in use by Internet service providers (ISPs) and their customers. All are sitting on the Internet wide open and permitting anyone to abuse them for these digital shakedowns.

These vulnerable devices tend to coalesce in distinct geographical pools with deeper pools in countries with more ISPs that shipped them direct to customers without modification. SEC Consult said it found heavy concentrations of the exposed Ubiquiti devices in Brazil (480,000), Thailand (170,000) and the United States (77,000).

SEC Consult cautions that the actual number of vulnerable Ubiquiti systems may be closer to 1.1 million. Turns out, the devices ship with a cryptographic certificate embedded in the router’s built-in software (or “firmware”) that further weakens security on the devices and makes them trivial to discover on the open Internet. Indeed, the Censys Project, a scan-driven Internet search engine that allows anyone to quickly find hosts that use that certificate, shows exactly where each exposed router resides online.

The Imperva research from May 2015 touched a nerve among some Ubiquiti customers who thought the company should be doing more to help customers secure these routers. In a May 2015 discussion thread on the company’s support site, Ubiquiti’s vice president of technology applications Matt Hardy said the router maker briefly disabled remote access on new devices, only to reverse that move after pushback from ISPs and other customers who wanted the feature turned back on.

In a statement sent to KrebsOnSecurity via email, Hardy said the company doesn’t market its products to home users, and that it sells its products to industry professionals and ISPs.

“Because of this we originally shipped with the products’ configurations as flexible as possible and relied on the ISPs to secure their equipment appropriately,” he said. “Some ISPs use self-built provisioning scripts and intentionally locking down devices out of the box would interfere with the provisioning workflows of many customers.”

Hardy said it’s common in the networking equipment industry to ship with a default password for initial use. While this may be true, it seems far less common that networking companies ship hardware that allows remote administration over the Internet by default. He added that beginning with firmware version 5.5.2 — originally released in August 2012 — Ubiquiti devices have included very persistent messaging in the user interface to remind customers to follow best practices and change their passwords.

“Any devices shipping since then would have this reminder and users would have to intentionally ignore it to install equipment with default credentials,” he wrote.  Hardy noted that the company also provides a management platform that ISPs can use to change all default device passwords in bulk.

Ubiquiti’s nag screen asking users to change the default credentials. The company’s devices still ship with remote administration turned on.

ANALYSIS

When companies ship products, software or services with built-in, by-design vulnerabilities, good citizens of the Internet suffer for it. Protonmail — an email service dedicated to privacy enthusiasts — has been offline for much of the past week thanks to one of these shakedowns.

[NB: While no one is claiming that compromised routers were involved in the Protonmail attacks, the situation with Ubiquiti is an example of the type of vulnerability that allows attackers to get in and abuse these devices for nefarious purposes without the legitimate users ever even knowing they are unwittingly facilitating criminal activity (and also making themselves a target of data theft)].

Protonmail received a ransom demand: Pay Bitcoins or be knocked offline. The sad part? The company paid the ransom and soon got hit by what appears to be a second extortion group that likely smelled blood in the water.

The criminal or group that extorted Protonmail, which self-identifies as the “Armada Collective,” also tried to extort VFEmail, another email service provider.  VFE’s Rick Romero blogged about the extortion demand, which turned into a full-blown outage for his ISP when he ignored it. The attack caused major disruption for other customers on his ISP’s network, and now Romero says he’s having to look for another provider. But he said he never paid the ransom.

“It took out my [hosting] provider and THEIR upstream providers,” he said in an email. “After the 3rd attack took down their datacenter, I got kicked out.”

For his part, Romero places a large portion of the blame for the attacks on the ISP community.

“Who can see this bandwidth? Who can stop this,” Romero asked in his online column. “I once had an argument with a nice German fellow – they have very strict privacy laws – about what the ISP can block.  You can’t block anything in the EU.  In the US we’re fighting for open access, and for good reason – but we still have to be responsible netizens. I think the ISP should have the flexibility to block potentially harmful traffic – whether it be email spam, fraud, or denial of service attacks.”

So, hardware makers definitely could be doing more, but ISPs probably have a much bigger role to play in fighting large scale attacks. Indeed, many security experts and recent victims of these Bitcoin shakedowns say the ISP community could be doing a lot more to make it difficult for attackers to exploit these exposed devices.

This is how the former cyber advisor to Presidents Clinton and Bush sees it. Richard Clarke, now chairman and CEO of Good Harbor Consulting, said at a conference last year that the ISPs could stop an awful lot of what’s going with malware and denial-of-service attacks, but they don’t.

“They don’t, they ship it on, and in some cases they actually make money by shipping it on,” Clarke said at a May 2014 conference by the Information Systems Security Association (ISSA). “Denial-of-service attacks actually make money for the ISPs, huge volumes of data coming down the line. Why don’t we require ISPs to do everything that the technology allows to stop [denial-of-service] attacks and to identify and kill malware before it gets to its destination. They could do it.”

One basic step that many ISPs can but are not taking to blunt these attacks involves a network security standard that was developed and released more than a dozen years ago. Known as BCP38, its use prevents abusable resources on an ISP’s network (e.g., hacked Ubiquiti routers) from being leveraged in especially destructive and powerful denial-of-service attacks.

Back in the day, attackers focused on having huge armies of bot-infected computers they controlled from afar. These days an attacker needs far fewer resources to launch even more destructive attacks that let the assailant both mask his true origin online and amplify the bandwidth of his attacks.

Using a technique called traffic amplification, the attacker reflects his traffic from one or more third-party machines toward the intended target. In this type of assault, the attacker sends a message to a third party, while spoofing the Internet address of the victim. When the third party replies to the message, the reply is sent to the victim — and the reply is much larger than the original message, thereby amplifying the size of the attack.

BCP38 is designed to filter such spoofed traffic, so that it never even traverses the network of an ISP that’s adopted the anti-spoofing measures. This blog post from the Internet Society does a good job of explaining why many ISPs ultimately decide not to implement BCP38.
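To make the BCP38 idea concrete, here is an added Python model (not from the Krebs article) of source-address validation at an ISP’s customer-facing ports: a packet whose claimed source lies outside the prefixes assigned to the port it arrived on is dropped at the edge, and the reflected reply volume that dropping prevents is tallied. The port names, prefixes and flow records are constructed for the demo.

```python
"""BCP38-style ingress source-address validation, modelled in Python.

Added example, not from the article. An ISP knows which address prefixes it
has assigned to each customer-facing port. A packet arriving on that port
with a source address outside those prefixes is spoofed: it is exactly the
traffic that reflection/amplification attacks depend on, and BCP38 says to
drop it at the edge before it ever reaches a third party.
All port names, prefixes and flow records below are constructed for the demo.
"""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Flow:
    ingress_port: str  # customer-facing interface the packet arrived on
    src: str           # source address the packet claims
    dst: str           # destination (a third-party reflector when spoofing)
    req_bytes: int     # size of the request sent toward dst
    resp_bytes: int    # size of the reply dst would send to src (constructed)


# Prefixes legitimately assigned to each customer port (constructed values).
CUSTOMER_PREFIXES = {
    "ge-0/0/1": [ipaddress.ip_network("203.0.113.0/24")],
    "ge-0/0/2": [ipaddress.ip_network("198.51.100.0/25"),
                 ipaddress.ip_network("2001:db8:1::/48")],
}


def bcp38_permits(port, src, table=CUSTOMER_PREFIXES):
    """True if `src` is a legitimate source for a packet arriving on `port`.

    Unknown ports and unparsable addresses are rejected (default deny).
    """
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False
    # `in` is False for a mixed IPv4/IPv6 comparison, so no extra check needed.
    return any(addr in net for net in table.get(port, ()))


def filter_flows(flows, table=CUSTOMER_PREFIXES):
    """Apply the check to each flow; return (forwarded, dropped) lists."""
    forwarded, dropped = [], []
    for flow in flows:
        bucket = forwarded if bcp38_permits(flow.ingress_port, flow.src, table) else dropped
        bucket.append(flow)
    return forwarded, dropped


def amplification_factor(flows):
    """Reply bytes the claimed source would receive per request byte sent."""
    sent = sum(f.req_bytes for f in flows)
    return sum(f.resp_bytes for f in flows) / sent if sent else 0.0


def spoofed_sources_by_port(dropped):
    """Map each customer port to the forged source addresses seen on it:
    the operator-facing evidence needed to find and fix the offending customer."""
    report = {}
    for flow in dropped:
        report.setdefault(flow.ingress_port, set()).add(flow.src)
    return report


# Constructed flow records. 192.0.2.200 plays the victim whose address is forged;
# the reply sizes are illustrative, not measurements of any real service.
SAMPLE_FLOWS = [
    Flow("ge-0/0/1", "203.0.113.10", "192.0.2.5", 60, 120),             # legitimate
    Flow("ge-0/0/2", "198.51.100.7", "192.0.2.6", 500, 1500),           # legitimate
    Flow("ge-0/0/2", "2001:db8:1::beef", "2001:db8:ffff::5", 60, 120),  # legitimate IPv6
    Flow("ge-0/0/1", "192.0.2.200", "192.0.2.5", 60, 3000),             # spoofed victim address
    Flow("ge-0/0/1", "192.0.2.200", "192.0.2.7", 90, 46800),            # spoofed, large reflected reply
    Flow("ge-0/0/2", "198.51.100.200", "192.0.2.5", 60, 3000),          # outside the customer's /25
    Flow("ge-0/0/3", "203.0.113.10", "192.0.2.5", 60, 3000),            # port with no assigned prefix
]


if __name__ == "__main__":
    fwd, drop = filter_flows(SAMPLE_FLOWS)
    print(f"forwarded {len(fwd)}, dropped {len(drop)}")
    print(f"amplification of forwarded traffic: {amplification_factor(fwd):.1f}x")
    print(f"amplification the filter prevented: {amplification_factor(drop):.1f}x")
    for port, sources in sorted(spoofed_sources_by_port(drop).items()):
        print(f"  {port}: forged sources {sorted(sources)}")
```

On the sample data the legitimate flows amplify by under 3x, while the dropped spoofed flows would have delivered over 200 reply bytes to the victim for every request byte sent.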

As the Internet of Things grows, we can scarcely afford a massive glut of things that are insecure-by-design.  One reason is that this stuff has far too long a half-life, and it will remain in our Internet’s land and streams for many years to come.

Okay, so maybe that’s putting it a bit too dramatically, but I don’t think by much. Mass-deployed, insecure-by-default devices are difficult and expensive to clean up and/or harden for security, and the costs of that vulnerability are felt across the Internet and around the globe.


Darknet - The Darkside: ProtonMail DDoS Attack – Sustained & Sophisticated

This post was syndicated from: Darknet - The Darkside and was written by: Darknet. Original post: at Darknet - The Darkside

So the ProtonMail DDoS Attack – if you’re not familiar, ProtonMail is a secure, free, encrypted e-mail service that promises absolutely no compromises. It’s been getting hit hard since November 3rd, with a large scale, rather sophisticated set of DDoS attacks rendering it unable to receive or send e-mail. It seems to have…

Read the full post at darknet.org.uk

TorrentFreak: MPAA: Online Privacy Hurts Anti-Piracy Enforcement

This post was syndicated from: TorrentFreak and was written by: Ernesto. Original post: at TorrentFreak

Every year the United States Trade Representative (USTR) inventories what problems local industries face when doing business abroad.

The major Hollywood studios, represented by the MPAA, just submitted their latest overview listing trade barriers across the globe.

The MPAA points out that many countries don’t do enough to deter piracy. This is also a common theme in Europe, where privacy laws and regulations make it harder for copyright holders to go after online pirates.

“Privacy has always been a major issue in the European Union. EU Member States have implemented a number of privacy directives to protect individuals’ personal data,” MPAA writes.

According to the MPAA, European privacy rules are extremely complex and difficult. As a result they are often used against efforts that could help to prevent copyright infringement.

For example, IP addresses are protected as private personal information in several countries including Italy, where they can only be used in criminal cases.

“All EU Member States have detailed data protection laws. These rules, often very strict, are subject to the interpretation of the national data protection authorities,” MPAA notes (pdf).

“Most of them consider IP addresses as personal data and believe that the privacy rules apply to their use,” they add.

The MPAA points out that privacy rights of citizens often trump the rights of copyright holders, which they believe is a “very problematic” development.

As a result, Internet providers often refuse to cooperate with copyright holders claiming that this violates the privacy of their users. This makes it hard for the content industries to cooperate with these companies in various anti-piracy efforts.

“Telecommunications operators and ISPs constantly invoke data protection rules to avoid any meaningful cooperation with the content sector,” MPAA writes.

“Such restrictive interpretations preclude meaningful cooperation with Internet intermediaries, such as telecommunications operators and ISPs, in particular cooperation to combat IP theft.”

In addition, the MPAA is not happy with the EU Court of Justice decision to no longer make data retention mandatory. As a result, many ISPs no longer keep extensive IP-address logs.

The movie studios believe that data retention is an important law enforcement tool, suggesting that it’s harder to track down online pirates without logs.

“Data retention remains a very valuable tool for law enforcement. Rights holders have always claimed the need for reasonable rules and legal certainty. This decision has created even more legal uncertainty in this field.

“Member States have started to respond to the consequences of this decision with legislation and some have invalidated their rules,” MPAA adds.

The data retention argument is not new, but it’s worth noting that the U.S. itself has no mandatory data retention laws. This makes it hard for the U.S. Government to demand that other countries adopt them.

It’s clear though, that the MPAA is not happy with the increased interest in online privacy. With or without help from the U.S. government, they will continue to try and minimize the impact it has on their enforcement efforts.


Darknet - The Darkside: SpiderFoot – Open Source Intelligence Automation Tool (OSINT)

This post was syndicated from: Darknet - The Darkside and was written by: Darknet. Original post: at Darknet - The Darkside

SpiderFoot is an open source intelligence automation tool. Its goal is to automate the process of gathering intelligence about a given target, which may be an IP address, domain name, hostname or network subnet. SpiderFoot can be used offensively, i.e. as part of a black-box penetration test to gather information about the target or defensively…

Read the full post at darknet.org.uk

Krebs on Security: FCC Fines Cox $595K Over Lizard Squad Hack

This post was syndicated from: Krebs on Security and was written by: BrianKrebs. Original post: at Krebs on Security

In September 2014, I penned a column called “We Take Your Privacy and Security. Seriously.” It recounted my experience receiving notice from my former Internet service provider — Cox Communications — that a customer service employee had been tricked into giving away my personal information to hackers. This week, the Federal Communications Commission (FCC) fined Cox $595,000 for the incident that affected me and 60 other customers.

I suspected, but couldn’t prove at the time, that the band of teenage cybercriminals known as the Lizard Squad was behind the attack. According to a press release issued Thursday by the FCC, the intrusion began after LizardSquad member “Evil Jordie” phoned up Cox support pretending to be from the company’s IT department, and convinced both a Cox customer service representative and Cox contractor to enter their account IDs and passwords into a fake, or “phishing,” website.

“With those credentials, the hacker gained unauthorized access to Cox customers’ personally identifiable information, which included names, addresses, email addresses, secret questions/answers, PIN, and in some cases partial Social Security and driver’s license numbers of Cox’s cable customers, as well as Customer Proprietary Network Information (CPNI) of the company’s telephone customers,” the FCC said. “The hacker then posted some customers’ information on social media sites, changed some customers’ account passwords, and shared the compromised account credentials with another alleged member of the Lizard Squad.”

My September 2014 column took Cox to task for not requiring two-step authentication for employees: Had the company done so, this phishing attack probably would have failed. As a condition of the settlement with the FCC, the commission said Cox has agreed to adopt a comprehensive compliance plan, which establishes an information security program that includes annual system audits, internal threat monitoring, penetration testing, and additional breach notification systems and processes to protect customers’ personal information, and the FCC will monitor Cox’s compliance with the consent decree for seven years.

It’s too bad that it takes incidents like this to get more ISPs to up their game on security. It’s also too bad that most ISPs hold so much personal and sensitive information on their customers. But there is no reason to entrust your ISP with even more personal info about yourself — such as your email. If you need a primer on why using your ISP’s email service as your default or backup might not be the best idea, see this story from earlier this week.

If cable, wireless and DSL companies took customer email account security seriously, they would offer some type of two-step authentication so that if customer account credentials get phished, lost or stolen, the attackers still need that second factor — a one-time token sent to the customer’s mobile phone, for example. Unfortunately, very few if any of the nation’s largest ISPs support this basic level of added security, according to twofactorauth.org, a site that tracks providers that offer it and shames those that do not.

Then again, perhaps the FCC fines will push ISPs toward doing the right thing by their customers: According to The Washington Post’s Brian Fung, the FCC is offering in this action another sign that it is looking to police data breaches and sloppy security more closely.

According to twofactorauth.org, very few ISPs offer basic email security protection.

AWS Security Blog: How to Protect the Integrity of Your Encrypted Data by Using AWS Key Management Service and EncryptionContext

This post was syndicated from: AWS Security Blog and was written by: Greg Rubin. Original post: at AWS Security Blog

One of the most important and critical concepts in AWS Key Management Service (KMS) for advanced and secure data usage is EncryptionContext. Using EncryptionContext properly can help significantly improve the security of your applications. In this blog post, I will show the importance of EncryptionContext and will provide a simple example showing how you can use it to protect the integrity and authenticity of your encrypted data.

At its core, EncryptionContext is a key-value map (both strings) that is provided to KMS with each encryption and decryption request. The maps at encryption and decryption must match, or the decryption request will fail.

EncryptionContext provides three benefits:

  1. Additional authenticated data (AAD)
  2. Audit trail
  3. Authorization context

I will focus on the first benefit, AAD, but all three of these benefits build on the existing cryptographic primitive of authenticated encryption with associated data (AEAD).

What is AEAD?

A security best practice is to require that secret data remain secret (confidentiality) and unmodified (integrity/authenticity). Unfortunately, many older forms of encryption (such as AES-CBC) don’t provide any integrity guarantees, and thus open their users to potential vulnerabilities such as being able to change the meaning of a message without decrypting or re-encrypting it. To avoid these situations, you can use AEAD encryption. AEAD encryption is really two related parts of a single concept: authenticated encryption (the “AE” part of “AEAD”) and associated data (the “AD” part of “AEAD”). I will look at these parts one at a time.

Authenticated encryption

At its core, using authenticated encryption prevents tampering with ciphertext itself. Authenticated encryption is built into KMS, so if you can successfully decrypt a message using KMS, an authorized user must have created that message. You can almost think of this as providing a “signature” over the ciphertext.

For example, take a look at the following code in which KMS throws an InvalidCiphertextException upon receiving ciphertext that has been tampered with.

import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;

import com.amazonaws.services.kms.*;
import com.amazonaws.services.kms.model.*;

public class Example1 {
  public static void main(final String[] args) {
    final AWSKMS kms = new AWSKMSClient();

    final String plaintext = "My very secret message";
    final byte[] plaintextBytes = plaintext.getBytes(StandardCharsets.UTF_8);
    System.out.println("Plaintext: " + plaintext);

    // Encrypt the data
    final EncryptRequest encReq = new EncryptRequest();
    encReq.setKeyId("alias/EcDemo");
    encReq.setPlaintext(ByteBuffer.wrap(plaintextBytes));
    final ByteBuffer ciphertext = kms.encrypt(encReq).getCiphertextBlob();

    // Decrypt the data
    final DecryptRequest decReq1 = new DecryptRequest();
    decReq1.setCiphertextBlob(ciphertext);
    final ByteBuffer decrypted = kms.decrypt(decReq1).getPlaintext();
    final String decryptedStr = new String(decrypted.array(), StandardCharsets.UTF_8);
    System.out.println("Decrypted: " + decryptedStr);

    // Attempt to tamper with the ciphertext
    final byte[] tamperedCt = ciphertext.array().clone();
    // Flip all the bits in a byte 24 bytes from the end
    tamperedCt[tamperedCt.length - 24] ^= 0xff;

    final DecryptRequest decReq2 = new DecryptRequest();
    decReq2.setCiphertextBlob(ByteBuffer.wrap(tamperedCt));

    try {
      kms.decrypt(decReq2).getPlaintext();
    } catch (final InvalidCiphertextException ex) {
      ex.printStackTrace();
    }
  }
}

Associated data

Though authenticated encryption prevents tampering with the ciphertext itself, the problem with the preceding code is that it doesn’t protect the context of the message. Encrypted data is seldom completely self-contained, but rather depends on unencrypted context. Somebody might be able to modify that context—for example, by copying the ciphertext from one location to another—and exploit the system in that way.

To fix this, most modern forms of authenticated encryption (including KMS) support AAD. AAD is not included in ciphertext directly, but AAD’s integrity is protected by using AEAD encryption. You can think of this as extending the signature over the ciphertext to cover additional data as well. In general, AAD should not contain any secret information, but should be contextual information used to understand the secret information.

What is EncryptionContext?

EncryptionContext is KMS’s implementation of AAD. I highly recommend that you use it to ensure that unencrypted data related to the ciphertext is protected against tampering. Data that is commonly used for AAD might include header information, unencrypted database fields in the same record, file names, or other metadata. It’s important to remember that EncryptionContext should contain only nonsensitive information because it is stored in plaintext JSON files in AWS CloudTrail and can be seen by anyone with access to the bucket containing the information.

The following scenario illustrates the use of EncryptionContext as AAD. For this example, imagine that I have a shared address book that users can use to save and retrieve their physical address. For privacy and security purposes, I will encrypt the addresses before storing them in an Amazon DynamoDB table. (The table will have the string hash key, EmailAddress, which means each physical mailing address is associated with a corresponding email address.) 

First, I’ll do this the wrong way and build an insecure implementation. (I have commented out the methods you shouldn’t use in order to prevent accidental use.) In this insecure implementation, if user Mallory can modify the DynamoDB table, she can replace Alice’s address with her own. Mallory can do this even without access to the encryption keys by simply swapping the encrypted addresses between the records, which doesn’t require her to encrypt or decrypt anything. Depending on the circumstances, this could completely defeat the purpose of encrypting the addresses. After swapping the records, Mallory can easily view Alice’s address as if it was her own, and anything that Alice orders for herself will be delivered to Mallory’s address instead.

The following code demonstrates this purposefully insecure implementation.

import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.util.*;

import com.amazonaws.services.dynamodbv2.*;
import com.amazonaws.services.dynamodbv2.model.AttributeValue;
import com.amazonaws.services.kms.*;
import com.amazonaws.services.kms.model.*;

public class Example2 {
  private static final String ADDRESS = "Address";
  private static final String EMAIL = "EmailAddress";
  private static final String TABLE = "EcDemoAddresses";
  final static AWSKMS kms = new AWSKMSClient();
  final static AmazonDynamoDB ddb = new AmazonDynamoDBClient();

  public static void main(final String[] args) {
    // Alice stores her address
    saveAddress("alice@example.com", "Alice Lovelace, 123 Anystreet Rd., Anytown, USA");
    // Mallory stores her address
    saveAddress("mallory@example.com",
        "Mallory Evesdotir, 321 Evilstreed Ave., Despair, USA");

    // Output saved addresses
    System.out.println("Alice's Address: " + getAddress("alice@example.com"));
    System.out.println("Mallory's Address: " + getAddress("mallory@example.com"));

    // Mallory tampers with the database by swapping the encrypted addresses.
    // Note that this doesn't require modifying the ciphertext at all.
    // First, retrieve the records from DynamoDB
    final Map<String, AttributeValue> mallorysRecord = ddb
        .getItem(
            TABLE,
            Collections.singletonMap(EMAIL,
                new AttributeValue().withS("mallory@example.com"))).getItem();
    final Map<String, AttributeValue> alicesRecord = ddb.getItem(TABLE,
        Collections.singletonMap(EMAIL, new AttributeValue().withS("alice@example.com")))
        .getItem();

    // Second, extract the encrypted addresses
    final ByteBuffer mallorysEncryptedAddress = mallorysRecord.get(ADDRESS).getB();
    final ByteBuffer alicesEncryptedAddress = alicesRecord.get(ADDRESS).getB();

    // Third, swap the encrypted addresses
    mallorysRecord.put(ADDRESS, new AttributeValue().withB(alicesEncryptedAddress));
    alicesRecord.put(ADDRESS, new AttributeValue().withB(mallorysEncryptedAddress));

    // Finally, store them back in DynamoDB
    ddb.putItem(TABLE, mallorysRecord);
    ddb.putItem(TABLE, alicesRecord);

    // Now, when Alice tries to use her address (say to get something shipped to her)
    // it goes to Mallory instead.
    System.out.println("Alice's Address: " + getAddress("alice@example.com"));
    // Likewise, if Mallory tries to look up her address, she can view Alice's instead
    System.out.println("Mallory's Address: " + getAddress("mallory@example.com"));
  }

// DO NOT USE:   private static void saveAddress(final String email, final String address) {
// DO NOT USE:     final EncryptRequest enc = new EncryptRequest();
// DO NOT USE:     enc.setKeyId("alias/EcDemo");
// DO NOT USE:     enc.setPlaintext(ByteBuffer.wrap(address.getBytes(StandardCharsets.UTF_8)));
// DO NOT USE:     final ByteBuffer ciphertext = kms.encrypt(enc).getCiphertextBlob();
// DO NOT USE: 
// DO NOT USE:     final Map<String, AttributeValue> item = new HashMap<>();
// DO NOT USE:     item.put(EMAIL, new AttributeValue().withS(email));
// DO NOT USE:     item.put(ADDRESS, new AttributeValue().withB(ciphertext));
// DO NOT USE:     ddb.putItem(TABLE, item);
// DO NOT USE:   }
// DO NOT USE: 
// DO NOT USE:   private static String getAddress(final String email) {
// DO NOT USE:     final Map<String, AttributeValue> item = ddb.getItem(TABLE,
// DO NOT USE:         Collections.singletonMap(EMAIL, new AttributeValue().withS(email))).getItem();
// DO NOT USE:     final DecryptRequest dec = new DecryptRequest();
// DO NOT USE:     dec.setCiphertextBlob(item.get(ADDRESS).getB());
// DO NOT USE:     final ByteBuffer plaintext = kms.decrypt(dec).getPlaintext();
// DO NOT USE:     return new String(plaintext.array(), StandardCharsets.UTF_8);
// DO NOT USE:   }
}

In this purposefully insecure implementation, Mallory can still attack the system even without the ability to modify the ciphertext. She can do this because she can change the context of the ciphertext so that it is interpreted differently. In this case she is “just” changing addresses, but it should be clear that this same attack could be used to expose sensitive information or even take over accounts.

We can fix this by including the unencrypted email address associated with the encrypted physical address as EncryptionContext. Now, when the system attempts to decrypt the record that has been tampered with, an InvalidCiphertextException is thrown and the threat is mitigated. This is because the EncryptionContext parameter that was provided at encryption (in this case, Alice’s email address) does not match the EncryptionContext provided at decryption (in this case, Mallory’s email address).

The following code improves the security of the implementation.

private static void saveAddress(final String email, final String address) {
  final EncryptRequest enc = new EncryptRequest();
  enc.setKeyId("alias/EcDemo");
  enc.setPlaintext(ByteBuffer.wrap(address.getBytes(StandardCharsets.UTF_8)));
  // Bind the ciphertext to the record it belongs to: the email address is the AAD
  enc.setEncryptionContext(Collections.singletonMap(EMAIL, email));
  final ByteBuffer ciphertext = kms.encrypt(enc).getCiphertextBlob();

  final Map<String, AttributeValue> item = new HashMap<>();
  item.put(EMAIL, new AttributeValue().withS(email));
  item.put(ADDRESS, new AttributeValue().withB(ciphertext));
  ddb.putItem(TABLE, item);
}

private static String getAddress(final String email) {
  final Map<String, AttributeValue> item = ddb.getItem(TABLE,
      Collections.singletonMap(EMAIL, new AttributeValue().withS(email))).getItem();
  final DecryptRequest dec = new DecryptRequest();
  dec.setCiphertextBlob(item.get(ADDRESS).getB());
  // The same EncryptionContext must be supplied, or KMS throws InvalidCiphertextException
  dec.setEncryptionContext(Collections.singletonMap(EMAIL, email));
  final ByteBuffer plaintext = kms.decrypt(dec).getPlaintext();
  return new String(plaintext.array(), StandardCharsets.UTF_8);
}

Of course, there might be other things an attacker could do, such as move the entire record from one DynamoDB table to another. This is why EncryptionContext should include all of the information associated with the ciphertext that you will later need to interpret it. A good rule is to always include at least enough information to uniquely identify the location of the ciphertext (for example, a URI, file path, or database table and primary keys).
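To make the record-swap attack and the EncryptionContext fix concrete without a KMS account, here is an added example (not from the post or from AWS) that replays the scenario with a local AES-GCM AEAD from Go’s standard library, in Go rather than the post’s Java so it runs offline. The records are constructed; the raw key, the prepended nonce and the `table=…;EmailAddress=…` encoding of the context are my assumptions, and the AAD follows the rule just stated by including the table name as well as the primary key. The same `open` call also rejects a ciphertext whose bytes have been altered, which is the authenticated-encryption property shown earlier.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"io"
)

// Constructed stand-ins for the post's two address-book records.
const (
	aliceEmail     = "alice@example.com"
	malloryEmail   = "mallory@example.com"
	aliceAddress   = "Alice Lovelace, 123 Anystreet Rd., Anytown, USA"
	malloryAddress = "Mallory Evesdotir, 321 Evilstreed Ave., Despair, USA"
)

// encryptionContext is the AAD: table plus primary key, as the post recommends. It is authenticated, not secret.
func encryptionContext(table, email string) []byte {
	return []byte("table=" + table + ";EmailAddress=" + email)
}

// The two policies compared below: the post's insecure form (no AAD) and the hardened form.
func noContext(string) []byte          { return nil }
func tableContext(email string) []byte { return encryptionContext("EcDemoAddresses", email) }

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts and binds aad to the ciphertext; the random nonce is prepended so the blob is self-contained.
func seal(gcm cipher.AEAD, plaintext, aad []byte) ([]byte, error) {
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// open fails if the ciphertext was modified or if aad differs from the one sealed in.
func open(gcm cipher.AEAD, blob, aad []byte) ([]byte, error) {
	if len(blob) < gcm.NonceSize() {
		return nil, fmt.Errorf("ciphertext blob too short")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], aad)
}

// runScenario replays the post's attack: Mallory swaps the two untouched blobs, then Alice's row is decrypted.
func runScenario(key []byte, aadFor func(email string) []byte) (string, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	book := map[string][]byte{} // stands in for the DynamoDB table: EmailAddress -> encrypted Address
	if book[aliceEmail], err = seal(gcm, []byte(aliceAddress), aadFor(aliceEmail)); err != nil {
		return "", err
	}
	if book[malloryEmail], err = seal(gcm, []byte(malloryAddress), aadFor(malloryEmail)); err != nil {
		return "", err
	}
	book[aliceEmail], book[malloryEmail] = book[malloryEmail], book[aliceEmail] // the swap
	pt, err := open(gcm, book[aliceEmail], aadFor(aliceEmail))
	return string(pt), err
}

func main() {
	key := make([]byte, 32) // random AES-256 key standing in for the KMS key "alias/EcDemo"
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	addr, err := runScenario(key, noContext)
	fmt.Printf("no AAD:   Alice's row decrypts to %q, err=%v\n", addr, err)
	addr, err = runScenario(key, tableContext)
	fmt.Printf("with AAD: Alice's row decrypts to %q, err=%v\n", addr, err)
}
```

Without AAD the swapped row decrypts cleanly to Mallory’s address, exactly as in the insecure Java version; with the context bound in, the same swap is rejected with an authentication error.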

Of course, the best code is the code you don’t need to write, allowing you to concentrate on the things that matter to you (which is rarely cryptography) and leave the cryptographic code to groups that specialize in it. In this case, we can use the aws-dynamodb-encryption-java library. It includes in EncryptionContext not only DynamoDBHashKey (and RangeKey, if available) but also the table name and cryptographic algorithms used.

This final code sample demonstrates an improved and more secure implementation of our example application that takes advantage of the aws-dynamodb-encryption-java library.

import java.nio.ByteBuffer;
import java.security.*;
import java.util.*;

import com.amazonaws.services.dynamodbv2.*;
import com.amazonaws.services.dynamodbv2.datamodeling.encryption.*;
import com.amazonaws.services.dynamodbv2.datamodeling.encryption.providers.DirectKmsMaterialProvider;
import com.amazonaws.services.dynamodbv2.model.AttributeValue;
import com.amazonaws.services.kms.*;

public class Example4 {
  private static final String ADDRESS = "Address";
  private static final String EMAIL = "EmailAddress";
  private static final String TABLE = "EcDemoAddresses";
  final static AWSKMS kms = new AWSKMSClient();
  final static AmazonDynamoDB ddb = new AmazonDynamoDBClient();

  // Set up the aws-dynamodb-encryption-java library
  final static DynamoDBEncryptor cryptor = DynamoDBEncryptor.getInstance(
      new DirectKmsMaterialProvider(kms, "alias/EcDemo"));
  // Despite the similar name, the DynamoDB EncryptionContext is used to guide
  // the DynamoDBEncryptor for key and algorithm selection (among other things)
  // and not just for the KMS EncryptionContext (though it is used for that as well).
  final static EncryptionContext ddbCtx = new EncryptionContext.Builder()
      .withTableName(TABLE)
      .withHashKeyName(EMAIL)
      .build();

  public static void main(final String[] args) throws GeneralSecurityException {
    // Alice stores her address
    saveAddress("alice@example.com", "Alice Lovelace, 123 Anystreet Rd., Anytown, USA");
    // Mallory stores her address
    saveAddress("mallory@example.com",
        "Mallory Evesdotir, 321 Evilstreed Ave., Despair, USA");

    // Output saved addresses
    System.out.println("Alice's Address: " + getAddress("alice@example.com"));
    System.out.println("Mallory's Address: " + getAddress("mallory@example.com"));

    // Mallory tampers with the database by swapping the encrypted addresses.
    // Note that this doesn't require modifying the ciphertext at all.
    // First, retrieve the records from DynamoDB
    final Map<String, AttributeValue> mallorysRecord = ddb
        .getItem(
            TABLE,
            Collections.singletonMap(EMAIL,
                new AttributeValue().withS("mallory@example.com"))).getItem();
    final Map<String, AttributeValue> alicesRecord = ddb.getItem(TABLE,
        Collections.singletonMap(EMAIL, new AttributeValue().withS("alice@example.com")))
        .getItem();

    // Second, extract the encrypted addresses
    final ByteBuffer mallorysEncryptedAddress = mallorysRecord.get(ADDRESS).getB();
    final ByteBuffer alicesEncryptedAddress = alicesRecord.get(ADDRESS).getB();

    // Third, swap the encrypted addresses
    mallorysRecord.put(ADDRESS, new AttributeValue().withB(alicesEncryptedAddress));
    alicesRecord.put(ADDRESS, new AttributeValue().withB(mallorysEncryptedAddress));

    // Finally, store the encrypted addresses back in DynamoDB
    ddb.putItem(TABLE, mallorysRecord);
    ddb.putItem(TABLE, alicesRecord);

    // Now, when Alice tries to use her address, the attempt to decrypt the tampered
    // record fails with a SignatureException instead of returning Mallory's address.
    try {
      System.out.println("Alice's Address: " + getAddress("alice@example.com"));
      // Mallory's lookup of her own (now swapped) record fails the same way.
      System.out.println("Mallory's Address: " + getAddress("mallory@example.com"));
    } catch (final SignatureException ex) {
      ex.printStackTrace();
    }
  }

  private static void saveAddress(final String email, final String address)
      throws GeneralSecurityException {
    final Map<String, AttributeValue> item = new HashMap<>();
    item.put(EMAIL, new AttributeValue().withS(email));
    item.put(ADDRESS, new AttributeValue().withS(address));
    // Encrypts and signs every attribute except the hash key, which stays in plaintext
    final Map<String, AttributeValue> encryptedItem = cryptor.encryptAllFieldsExcept(
        item, ddbCtx, EMAIL);
    ddb.putItem(TABLE, encryptedItem);
  }

  private static String getAddress(final String email) throws GeneralSecurityException {
    final Map<String, AttributeValue> encryptedItem = ddb.getItem(TABLE,
        Collections.singletonMap(EMAIL, new AttributeValue().withS(email))).getItem();
    // Verifies the signature (which covers the table name and hash key) before decrypting
    final Map<String, AttributeValue> item = cryptor.decryptAllFieldsExcept(
        encryptedItem,
        ddbCtx, EMAIL);
    return item.get(ADDRESS).getS();
  }
}

Authenticated encryption with associated data is one of the more important advances in cryptography from the past twenty years. You’ve seen here a few examples of just how critical AAD can be to the security of your systems. From my personal experience, the majority of data encrypted with KMS should have an associated EncryptionContext. I encourage you to review your systems and new development efforts to see how best to leverage this powerful tool.

If you have questions or comments about this post, either post them below or visit the KMS forum.

– Greg

yovko in a nutshell: Signal

This post was syndicated from: yovko in a nutshell and was written by: Йовко Ламбрев. Original post: at yovko in a nutshell

I decided to reduce my communication channels, above all the countless messengers for direct messages.

I always prefer e-mail as my primary means of communication, because I can sort (or ignore) by priority the messages that deserve attention and a possible reply, and I have end-to-end encryption when I need it. Here is my current PGP key. And if you don’t know any of my email addresses, you can always use this method.

I check my mail at least once or twice a day, except when I am on holiday, without Internet, or working on some urgent problem or project. But I don’t get notifications for it on my smartphone; that is terribly distracting and counterproductive. My “favourite” is when someone calls me on the phone with the sentence: I just sent you a mail. Did you see it?

For direct messages I will from now on mainly use Signal by Open Whisper Systems, as a decent basis for an open and secure platform that deserves to be used, promoted and supported by its users. Temporarily, as a backup option, I am also keeping WhatsApp because of a few close friends who prefer their habits and don’t realise the need for secure communication, so it will take time to convince them.

Okay, if you have an iPhone or a Mac you can also send me an iMessage as another backup option, bearing in mind that security there is up to Apple.

As a rule I don’t use Skype except by prior arrangement for a specific call. Nor Viber and Facebook Messenger (I never even managed to like them). I am also dropping Hangouts and Telegram, as well as all the others, because they are too much for me.

Try Signal, a simple and light app for encrypted text messages and calls. Besides being free and open source, it also costs nothing. It is available for iPhone and Android, and soon for the web. Even Snowden blessed it ;)