msm1267 writes "Researchers have built new attack techniques against HTTPS traffic that have been effective in learning details on users' surfing habits, leaking sensitive data that could impact privacy. They tested against 600 leading healthcare, finance, legal services and streaming video sites, including Netflix. Their attack, they said in a research paper, reduced errors from previous methodologies more than 3 ½ times. They also demonstrate a defense against this attack that reduces the accuracy of attacks by 27 percent by increasing the effectiveness of packet level defenses in HTTPS, the paper said. 'We design our attack to distinguish minor variations in HTTPS traffic from significant variations which indicate distinct traffic contents,' the paper said. 'Minor traffic variations may be caused by caching, dynamically generated content, or user-specific content including cookies. Our attack applies clustering techniques to identify patterns in traffic.'"
Slashdot is powered by your submissions, so send in your scoop
An anonymous reader writes "By 'buying out' the most obvious lunch spot nearest the RSA conference yesterday, opponents and truth-seekers regarding RSA's alleged deal with the NSA raised awareness amongst attendees in the most brutal way possible: by taking away tacos and tequila drinks. Robert Imhoff, Vegas 2.0 co-founder, says, 'RSA could begin to fix this by going on the record with a detailed response about the accusations.'" I tried to get attendees of the conference to comment on camera — even a little bit — on what they thought of the NSA spying revelations, and not a single person I approached would do so. The pained facial expressions when they refused were interesting, though, and reflect the problem with a surveillance society in a nutshell. Especially at a conference where the NSA is surrounded by vendors who sell the hardware and software that enables your "mere" metadata to be captured and sifted, plenty of the people on the floor know that the companies they work for are or might one day be seeking contracts to do all that capturing and sifting, even if they'd rather not be subject to it personally, so their don't want their face shown saying so.
An anonymous reader writes "Researchers at the University of Liverpool have shown for the first time that WiFi networks can be infected with a virus that can move through densely populated areas as efficiently as the common cold spreads between humans. The team designed and simulated an attack by a virus, called 'Chameleon,' that not only could spread quickly between homes and businesses, but avoided detection and identified the points at which WiFi access is least protected by encryption and passwords. The research appears in EURASIP Journal on Information Security." The technical details are explained in the journal article.
Nerval's Lobster writes "Our lives online come with perils, whether from the NSA checking up on our digital communications, or the possibility of the wrong e-message going viral. Twitter, Facebook, Google, Instagram, and other social networks have collected all sorts of personal data about us, where we've been, what we're saying, what we like, and our friends. No wonder the idea of ephemeral messages — such as those sent via Snapchat and other services — is beginning to resonate, attracting lots of startups who want to service that very need. These creators of self-destructing message apps claim they don't care about monetization, and that their products are secure — but as so many apps from other startups have demonstrated, security is often a very porous thing, and government agencies are more than happy to fire off a warrant to see unread messages stored on a server. Lots of developers want to become the Snapchat (if it means they can take a multi-billion-dollar buyout), but in the case of vaporizing messages, they're tiptoeing into tricky territory."
New submitter BrianPRabbit writes "Bruce Schneier proposes 'breaking up' the NSA. He suggests assigning the targeted hardware/software surveillance of enemy operations to U.S. Cyber Command. Further, the NSA's surveillance of Americans needs to be scaled back and placed under the control of the FBI. Finally, he says, is 'the deliberate sabotaging of security. The primary example we have of this is the NSA's BULLRUN program, which tries to "insert vulnerabilities into commercial encryption systems, IT systems, networks and endpoint communication devices." This is the worst of the NSA's excesses, because it destroys our trust in the Internet, weakens the security all of us rely on and makes us more vulnerable to attackers worldwide. .... [T]he remainder of the NSA needs to be rebalanced so COMSEC (communications security) has priority over SIGINT (signals intelligence). Instead of working to deliberately weaken security for everyone, the NSA should work to improve security for everyone.'"
bmearns writes "Over the past few weeks we've been hearing a lot about a possible breakthrough in decoding the infamous Voynich manuscript, made by a team of botanists who suggested that the plants depicted in the manuscript may have been from the New World and the mysterious writing could be a form of an Aztec language. But the latest development comes from linguist Stephen Bax, of Bedfordshire University, who believes he has identified some proper names (including of the constellation 'Taurus') in the manuscript and is using these as a crib to begin deciphering the rest of the text, which he believes comes from the near east or Asia."
sciencehabit writes "As the cost of genetic sequencing plummets, experts believe our genomes will help doctors detect diseases and save lives. But not all of us are comfortable releasing our biological blueprints into the world. Now cryptologists are perfecting a new privacy tool that turns genetic information into a secure yet functional format. Called homomorphic encryption, the method could help keep genomes private even as genetic testing shifts to cheap online cloud services."
mendax points out a story at the NY Times about evidence that the Australian Signals Directorate notified the NSA in 2013 that it was spying on discussions between Indonesia and an American law firm. The information gathered by the Directorate included material covered by attorney-client privilege. The Times says: "Most attorney-client conversations do not get special protections under American law from N.S.A. eavesdropping. Amid growing concerns about surveillance and hacking, the American Bar Association in 2012 revised its ethics rules to explicitly require lawyers to 'make reasonable efforts' to protect confidential information from unauthorized disclosure to outsiders. ... Several newly disclosed documents provide details of the cooperation between the United States and Australia, which share facilities and highly sensitive intelligence, including efforts to break encryption and collect phone call data in Indonesia. Both nations have trade and security interests in Indonesia, where Islamic terrorist groups that threaten the West have bases."
sciencehabit writes "What may look like mere scratches is much more. A 900-year-old Viking code known as jötunvillur has been cracked. The code-cracker, runologist Jonas Nordby from the University of Oslo, deciphered the system after realizing he needed to replace the original runic character with the last sound used to pronounce it. For instance, the runic character 'k' is pronounced 'kaun,' so k becomes n. Nordby believes secret messages were created by the Vikings for entertainment. One piece of wood reads: 'Kiss me.'"
This site's "Your Rights Online" section, sadly, has never suffered for material. The revelations we've seen over the last year-and-change, though, of widespread spying on U.S. citizens, government spying in the E.U. on international conferences, the UK's use of malware against citizens, and the use of modern technology to oppress government protesters in the middle east and elsewhere shows how persistent it is. It's been a banner year on that front, and the banner says "You are being spied on, online and off." A broad coalition of organizations is calling today "The Day We Fight Back" against the growing culture of heads-they-win, tails-you-lose surveillance, but all involved know this is not a one-day struggle. (Read more, below.)
darthcamaro writes "Though Microsoft hasn't yet patched its Internet Explorer web browser in 2014, it did patch IE at least once every month in 2013. According to HP's 2013 Cyber Risk Report, more researchers tried to sell IE vulnerabilities than any other product vulnerability. 'IE is the most prevalent browser on the systems that attackers want to compromise' said Jacob West, CTO of HP's Enterprise Security Group."
holy_calamity writes "MIT Technology Review reports on a new cryptosystem designed to protect stolen data against attempts to break encryption by brute force guessing of the password or key. Honey Encryption serves up plausible fake data in response to every incorrect guess of the password. If the attacker does eventually guess correctly, the real data should be lost amongst the crowd of spoof data. Ari Juels, who invented the technique and was previously chief scientist at RSA, is working on software to protect password managers using the technique."
An anonymous reader writes "Tensions are high at Bletchley Park between the new management who want a 21st century installment and the volunteers who want to show the whole story (and get dismissed for doing so). This report [Note: video, with sound] is from the BBC: 'The groundbreaking intelligence work carried out at Bletchley Park during the second world war was credited with bringing forward the end of the conflict. In 2011 the site was awarded a £4.6m grant from the Heritage Lottery Fund (HLF). But Bletchley is currently in the throes of a bitter dispute, between owners who want to create a brand new visitors centre, and volunteers who have been working on the site for years.'"
hypnosec writes "Snapchat's security troubles continue as a security researcher has managed to hack its account registration CAPTCHA system with a program of less than 100 lines that took 30 minutes to develop. Steve Hickson, a computer engineer by education, wrote a small computer program with very little effort that identifies Snapchat's ghost from the given set of images. Hickson equates Snapchat's ghost very particular and calls it a template that can be matched easily using a computer program. Hickson used a combination of Open Source Computer Vision Library (OpenCV), SURF points and FLANN matching "with a uniqueness test to determine that multiple keypoints in the training image weren't being singularly matched in the testing image.""
bmearns writes "The Voynich Manuscript is most geeks' favorite 'indecipherable' illuminated manuscript. Its bizarre depictions of strange plants and animals, astrological diagrams, and hordes of tiny naked women bathing in a system of interconnected tubs (which bear an uneasy resemblance to the human digestive system), have inspired numerous essays and doctoral theses', plus one XKCD comic. Now a team of botanists (yes, botanists) may have uncovered an important clue as to its origin and content by identifying several of the plants and animals depicted, and linking them to the Spanish territories in Central America."
ConstantineM writes "It's official: 'we are moving towards signed packages,' says Theo de Raadt on the misc@ mailing list. This is shortly after a new utility, signify, was committed into the base tree. The reason a new utility had to be written in the first place is that gnupg is too big to fit on the floppy discs, which are still a supported installation medium for OpenBSD. Signatures are based on the Ed25519 public-key signature system from D. J. Bernstein and co., and his public domain code once again appears in the base tree of OpenBSD, only a few weeks after some other DJB inventions made it into the nearby OpenSSH as well."
An anonymous reader writes "Cyber security labs at Ben Gurion University have uncovered a network vulnerability on Android devices which has serious implications for users of VPNs. This vulnerability enables malicious apps to bypass active VPN configuration (no root permissions required) and redirect secure data communications to a different network address. These communications are captured in clear text (no encryption), leaving the information completely exposed. This redirection can take place while leaving the user completely oblivious, believing the data is encrypted and secure."
judgecorp writes "Syed Hussain, already serving time for helping to plot attacks against UK targets, got another four months for refusing to divulge the password of a USB stick the police and GCHQ wanted to examine. The USB was believed to contain data about a suspected fraud unconnected with national security, and Hussain claimed to have forgotten it under stress, He later remembered it and it turned out to be a password he had used on other systems investigated by the police."
Sparrowvsrevolution writes "For the last year Bram Cohen, who created the breakthrough file-sharing protocol BitTorrent a decade ago, has been working on a tool he calls DissidentX, a steganography tool that's available now but is still being improved with the help of a group of researchers at Stanford. Like any stego tool, DissidentX can camouflage users' secrets in an inconspicuous website, a corporate document, or any other, pre-existing file from a Rick Astley video to a digital copy of Crime and Punishment. But it uses a new form of steganography based on cryptographic hashes to make the presence of a hidden message far harder for an eavesdropper to detect than in traditional stego. And it also makes it possible to encode multiple encrypted messages to different keys in the same cover text."
An anonymous reader writes "The Volatility memory forensics project has developed plugins that can automatically find instances of Truecrypt within RAM dumps and extract the associated keys and parameters. Previous research in this area has focused specifically on AES keys and led to the development of tools such as aeskeyfind. The Volatility plugin takes a different approach by finding and analyzing the same data structures in memory that Truecrypt uses to manage encryption and decryption of data that is being read from and written to disk. With the creation of these plugins a wide range of investigators can now decrypt Truecrypt volumes regardless of the algorithm used (AES, Seperent, combinations of algos, etc.). Users of Truecrypt should be extra careful of physical security of their systems to prevent investigators from gaining access to the contents of physical memory."