Australia

Australian Officials Want Encryption Laws To Fight 'Terrorist Messaging' (arstechnica.com) 77

An anonymous reader quotes Ars Technica: Two top Australian government officials said Sunday that they will push for "thwarting the encryption of terrorist messaging" during an upcoming meeting next week of the so-called "Five Eyes" group of English-speaking nations that routinely share intelligence... According to a statement released by Attorney General George Brandis, and Peter Dutton, the country's top immigration official, Australia will press for new laws, pressure private companies, and urge for a new international data sharing agreement amongst the quintet of countries... "Within a short number of years, effectively, 100 per cent of communications are going to use encryption," Brandis told Australian newspaper The Age recently. "This problem is going to degrade if not destroy our capacity to gather and act upon intelligence unless it's addressed"... Many experts say, however, that any method that would allow the government access even during certain situations would weaken overall security for everyone.
America's former American director of national intelligence recently urged Silicon Valley to "apply that same creativity, innovation to figuring out a way that both the interests of privacy as well as security can be guaranteed." Though he also added, "I don't know what the answer is. I'm not an IT geek, but I just don't think we're in a very good place right now."
Crime

90 Cities Install A Covert Technology That Listens For Gunshots (businessinsider.com) 201

An anonymous reader quotes Business Insider: In more than 90 cities across the US, including New York, microphones placed strategically around high-crime areas pick up the sounds of gunfire and alert police to the shooting's location via dots on a city map... ShotSpotter also sends alerts to apps on cops' phones. "We've gone to the dot and found the casings 11 feet from where the dot was, according to the GPS coordinates," Capt. David Salazar of the Milwaukee Police Dept. told Business Insider. "So it's incredibly helpful. We've saved a lot of people's lives."

When three microphones pick up a gunshot, ShotSpotter figures out where the sound comes from. Human analysts in the Newark, California, headquarters confirm the noise came from a gun (not a firecracker or some other source). The police can then locate the gunshot on a map and investigate the scene. The whole process happens "much faster" than dialing 911, Salazar said, though he wouldn't disclose the exact time.

The company's CEO argues their technology deters crime by demonstrating to bad neighborhoods that police will respond quickly to gunshots. (Although last year Forbes discovered that in 30% to 70% of cases, "police found no evidence of a gunshot when they arrived.") And in a neighborhood where ShotSpotter is installed, one 60-year-old man is already complaining, "I don't like Big Brother being in all my business."
Privacy

State Legislators Want Surveillance Cameras To Catch Uninsured Drivers (arstechnica.com) 253

An anonymous reader quotes Ars Technica: A Rhode Island legislative committee has approved a bill that would greatly expand the surveillance state through the deployment of license plate readers. For the first time in the US, these devices would be attached along Rhode Island highways and roads for the stated purpose of catching uninsured motorists from any state... The legislation spells out that the contractor for the project would get 50 percent of the fines paid by uninsured motorists ensnared under the program. The state and the contractor would each earn an estimated $15 million annually. Fines are as high as $120.

Many police departments nationwide are using surveillance cameras tacked onto traffic poles and police vehicles to catch traffic violators and criminal suspects. The proceeds from traffic fines usually are divvied up with contractors. But according to the Rhode Island lawmaker sponsoring this legislation, it's time to put surveillance cameras to a new purpose -- fining uninsured motorists.

Operating Systems

32TB of Windows 10 Internal Builds, Core Source Code Leak Online (theregister.co.uk) 200

According to an exclusive report via The Register, "a massive trove of Microsoft's internal Windows operating system builds and chunks of its core source code have leaked online." From the report: The data -- some 32TB of installation images and software blueprints that compress down to 8TB -- were uploaded to betaarchive.com, the latest load of files provided just earlier this week. It is believed the data has been exfiltrated from Microsoft's in-house systems since around March. The leaked code is Microsoft's Shared Source Kit: according to people who have seen its contents, it includes the source to the base Windows 10 hardware drivers plus Redmond's PnP code, its USB and Wi-Fi stacks, its storage drivers, and ARM-specific OneCore kernel code. Anyone who has this information can scour it for security vulnerabilities, which could be exploited to hack Windows systems worldwide. The code runs at the heart of the operating system, at some of its most trusted levels. In addition to this, hundreds of top-secret builds of Windows 10 and Windows Server 2016, none of which have been released to the public, have been leaked along with copies of officially released versions.
Network

WikiLeaks Doc Dump Reveals CIA Tools For Hacking Air-Gapped PCs (bleepingcomputer.com) 72

An anonymous reader writes: "WikiLeaks dumped today the manuals of several hacking utilities part of Brutal Kangaroo, a CIA malware toolkit for hacking into air-gapped (offline) networks using tainted USB thumb drives," reports Bleeping Computer. The CIA uses these tools as part of a very complex attack process, that allows CIA operatives to infect offline, air-gapped networks. The first stage of these attacks start with the infection of a "primary host," an internet-connected computer at a targeted company. Malware on this primary host automatically infects all USB thumb drives inserted into the machine. If this thumb drive is connected to computers on an air-gapped network, a second malware is planted on these devices. This malware is so advanced, that it can even create a network of hacked air-gapped PCs that talk to each other and exchange commands. To infect the air-gapped computers, the CIA malware uses LNK (shortcut) files placed on the USB thumb drive. Once the user opens and views the content of the thumb drive in Windows Explorer, his air-gapped PC is infected without any other interaction.
Security

Under Pressure, Western Tech Firms Including Cisco and IBM Bow To Russian Demands To Share Cyber Secrets (reuters.com) 110

An anonymous reader shares a Reuters report: Western technology companies, including Cisco, IBM and SAP, are acceding to demands by Moscow for access to closely guarded product security secrets, at a time when Russia has been accused of a growing number of cyber attacks on the West, a Reuters investigation has found. Russian authorities are asking Western tech companies to allow them to review source code for security products such as firewalls, anti-virus applications and software containing encryption before permitting the products to be imported and sold in the country. The requests, which have increased since 2014, are ostensibly done to ensure foreign spy agencies have not hidden any "backdoors" that would allow them to burrow into Russian systems. But those inspections also provide the Russians an opportunity to find vulnerabilities in the products' source code -- instructions that control the basic operations of computer equipment -- current and former U.S. officials and security experts said. [...] In addition to IBM, Cisco and Germany's SAP, Hewlett Packard Enterprise Co and McAfee have also allowed Russia to conduct source code reviews of their products, according to people familiar with the companies' interactions with Moscow and Russian regulatory records.
Google

Google Will Stop Reading Your Emails For Gmail Ads (bloomberg.com) 67

Google will soon stop scanning emails received by some Gmail users, a practice that has allowed it to show them targeted advertising but which stirred privacy worries. From a report: The decision didn't come from Google's ad team, but from its cloud unit, which is angling to sign up more corporate customers. Alphabet's Google Cloud sells a package of office software, called G Suite, that competes with market leader Microsoft. Paying Gmail users never received the email-scanning ads like the free version of the program, but some business customers were confused by the distinction and its privacy implications, said Diane Greene, Google's senior vice president of cloud. "What we're going to do is make it unambiguous," she said. Ads will continue to appear inside the free version of Gmail, as promoted messages. But instead of scanning a user's email, the ads will now be targeted with other personal information Google already pulls from sources such as search and YouTube.
Google

Google Will Now Hide Personal Medical Records From Search Results (betanews.com) 34

Mark Wilson, writing for BetaNews: Google has updated its search policies without any sort of fanfare. The search engine now "may remove" -- in addition to existing categories of information -- "confidential, personal medical records of private people" from search results. That such information was not already obscured from search results may well come as something of a surprise to many people. The change has been confirmed by Google, although the company has not issued any form of announcement about it.
Firefox

Chrome and Firefox Headless Modes May Spur New Adware & Clickfraud Tactics (bleepingcomputer.com) 80

From a report: During the past month, both Google and Mozilla developers have added support in their respective browsers for "headless mode," a mechanism that allows browsers to run silently in the OS background and with no visible GUI. [...] While this feature sounds very useful for developers and very uninteresting for day-to-day users, it is excellent news for malware authors, and especially for the ones dabbling with adware. In the future, adware or clickfraud bots could boot-up Chrome or Firefox in headless mode (no visible GUI), load pages, and click on ads without the user's knowledge. The adware won't need to include or download any extra tools and could use locally installed software to perform most of its malicious actions. In the past, there have been quite a few adware families that used headless browsers to perform clickfraud. Martijn Grooten, an editor at Virus Bulletin, also pointed Bleeping Computer to a report where miscreants had abused PhantomJS, a headless browser, to post forum spam. The addition of headless mode in Chrome and Firefox will most likely provide adware devs with a new method of performing surreptitious ad clicks.
Microsoft

Microsoft Admits Disabling Anti-Virus Software For Windows 10 Users (bbc.com) 206

An anonymous reader quotes a report from the BBC: Microsoft has admitted that it does temporarily disable anti-virus software on Windows PCs, following an competition complaint to the European Commission by a security company. In early June, Kaspersky Lab filed the complaint against Microsoft. The security company claims the software giant is abusing its market dominance by steering users to its own anti-virus software. Microsoft says it implemented defenses to keep Windows 10 users secure. In an extensive blog post that does not directly address Kaspersky or its claims, Microsoft says it bundles the Windows Defender Antivirus with Windows 10 to ensure that every single device is protected from viruses and malware. To combat the 300,000 new malware samples being created and spread every day, Microsoft says that it works together with external anti-virus partners. The technology giant estimates that about 95% of Windows 10 PCs were using anti-virus software that was already compatible with the latest Windows 10 Creators Update. For the applications that were not compatible, Microsoft built a feature that lets users update their PCs and then reinstall a new version of the anti-virus software. "To do this, we first temporarily disabled some parts of the AV software when the update began. We did this work in partnership with the AV partner to specify which versions of their software are compatible and where to direct customers after updating," writes Rob Lefferts, a partner director of the Windows and Devices group in enterprise and security at Microsoft.
Software

NSA Opens GitHub Account, Lists 32 Projects Developed By the Agency (thehackernews.com) 64

An anonymous reader quotes a report from The Hacker News: The National Security Agency (NSA) -- the United States intelligence agency which is known for its secrecy and working in the dark -- has finally joined GitHub and launched an official GitHub page. GitHub is an online service designed for sharing code amongst programmers and open source community, and so far, the NSA is sharing 32 different projects as part of the NSA Technology Transfer Program (TTP), while some of these are "coming soon." "The NSA Technology Transfer Program (TTP) works with agency innovators who wish to use this collaborative model for transferring their technology to the commercial marketplace," the agency wrote on the program's page. "OSS invites the cooperative development of technology, encouraging broad use and adoption. The public benefits by adopting, enhancing, adapting, or commercializing the software. The government benefits from the open source community's enhancements to the technology." Many of the projects the agency listed are years old that have been available on the Internet for some time. For example, SELinux (Security-Enhanced Linux) has been part of the Linux kernel for years.
Network

Ask Slashdot: Best Way To Isolate a Network And Allow Data Transfer? 232

Futurepower(R) writes: What is the best way to isolate a network from the internet and prevent intrusion of malware, while allowing carefully examined data transfer from internet-facing computers? An example of complete network isolation could be that each user would have two computers with a KVM switch and a monitor and keyboard, or two monitors and two keyboards. An internet-facing computer could run a very secure version of Linux. Any data to be transferred to that user's computer on the network would perhaps go through several Raspberry Pi computers running Linux; the computers could each use a different method of checking for malware. Windows computers on the isolated network could be updated using Autopatcher, so that there would never be a direct connection with the internet. Why not use virtualization? Virtualization does not provide enough separation; there is the possibility of vulnerabilities. Do you have any ideas about improving the example above?
Security

Facial Recognition Is Coming To US Airports (theverge.com) 147

Facial recognition systems will be coming to U.S. airports in the very near future. "Customs and Border Protection first started testing facial recognition systems at Dulles Airport in 2015, then expanded the tests to New York's JFK Airport last year," reports The Verge. "Now, a new project is poised to bring those same systems to every international airport in America." From the report: Called Biometric Exit, the project would use facial matching systems to identify every visa holder as they leave the country. Passengers would have their photos taken immediately before boarding, to be matched with the passport-style photos provided with the visa application. If there's no match in the system, it could be evidence that the visitor entered the country illegally. The system is currently being tested on a single flight from Atlanta to Tokyo, but after being expedited by the Trump administration, it's expected to expand to more airports this summer, eventually rolling out to every international flight and border crossing in the U.S. U.S. Customs and Border Protection's Larry Panetta, who took over the airport portion of the project in February, explained the advantages of facial recognition at the Border Security Expo last week. "Facial recognition is the path forward we're working on," Panetta said at the conference. "We currently have everyone's photo, so we don't need to do any sort of enrollment. We have access to the Department of State records so we have photos of U.S. Citizens, we have visa photos, we have photos of people when they cross into the U.S. and their biometrics are captured into [DHS biometric database] IDENT."
Privacy

California May Restore Broadband Privacy Rules Killed By Congress and Trump (arstechnica.com) 85

An anonymous reader quotes a report from Ars Technica: A proposed law in California would require Internet service providers to obtain customers' permission before they use, share, or sell the customers' Web browsing history. The California Broadband Internet Privacy Act, a bill introduced by Assembly member Ed Chau (D-Monterey Park) on Monday, is very similar to an Obama-era privacy rule that was scheduled to take effect across the US until President Trump and the Republican-controlled Congress eliminated it. If Chau's bill becomes law, ISPs in California would have to get subscribers' opt-in consent before using browsing history and other sensitive information in order to serve personalized advertisements. Consumers would have the right to revoke their consent at any time. The opt-in requirement in Chau's bill would apply to "Web browsing history, application usage history, content of communications, and origin and destination Internet Protocol (IP) addresses of all traffic." The requirement would also apply to geolocation data, IP addresses, financial and health information, information pertaining to minors, names and billing information, Social Security numbers, demographic information, and personal details such as physical addresses, e-mail addresses, and phone numbers.
Privacy

If It Uses Electricity, It Will Connect To the Internet: F-Secure's CRO (theregister.co.uk) 304

New submitter evolutionary writes: According to F-Secure's Chief Research Officer "IoT is unavoidable. If it uses electricity, it will become a computer. If it uses electricity, it will be online. In future, you will only buy IoT appliances, whether you like it or not, whether you know it or not." F-Secure's new product to help mitigate data leakage, "Sense", is a IoT Firewall, combining a traditional firewall with a cloud service and uses concepts including behaviour-based blocking and device reputation to figure out whether you have insecure devices.
Android

Mozilla Launches Privacy-Minded 'Firefox Focus' Browser For Android (venturebeat.com) 58

An anonymous reader quotes a report from VentureBeat: Mozilla today launched a new browser for Android. In addition to Firefox, the company now also offers Firefox Focus, a browser dedicated to user privacy that by default blocks many web trackers, including analytics, social, and advertising. You can download the new app now from Google Play. Because Google isn't as strict as Apple, Android users can set Firefox Focus as their default browser. There are many use cases for wanting to browse the web without being tracked, but Mozilla offers a common example: reading articles via apps "like Facebook." On iOS, Firefox Focus is basically just a web view with tracking protection. On Android, Firefox Focus is the same, with a few additional features (which are still "under consideration" for iOS):
  • Ad tracker counter -- Lists the number of ads that are blocked per site while using the app.
  • Disable tracker blocker -- For sites that are not loading correctly, you can disable the tracker blocker to fix the issues.
  • Notification reminder -- When Firefox Focus is running in the background, a notification will remind you so you can easily tap to erase your browsing history.

Bitcoin

South Korean Web Hosting Provider Pays $1 Million In Ransomware Demand (bleepingcomputer.com) 100

An anonymous reader writes: Nayana, a web hosting provider based in South Korea, announced it is in the process of paying a three-tier ransom demand of nearly $1 million worth of Bitcoin, following a ransomware infection that encrypted data on customer' servers. The ransomware infection appears has taken place on June 10, but Nayana admitted to the incident two days later, in a statement on its website.

Attackers asked for an initial ransom payment of 550 Bitcoin, which was worth nearly $1.62 million at the time of the request. After two days of negotiations, Nayana staff said they managed to reduce the ransom demand to 397.6 Bitcoin, or nearly $1 million. In a subsequent announcement, Nayana officials stated that they negotiated with the attackers to pay the ransom demand in three installments, due to the company's inability to produce such a large amount of cash in a short period of time.

On Saturday, June 17, the company said it already paid two of the three payment tranches. In subsequent announcements, Nayana updated clients on the server decryption process, saying the entire operation would take up to ten days due to the vast amount of encrypted data. The company said 153 Linux servers were affected, servers which stored the information of more than 3,400 customers.

Security

Cisco Subdomain Private Key Found in Embedded Executable (google.com) 53

Earlier this month, a developer accidentally discovered the private key of a Cisco subdomain. An anonymous reader shares the post: Last weekend, in an attempt to get Sky's NOW TV video player (for Mac) to work on my machine, I noticed that one of the Cisco executables contains a private key that is associated with the public key in a trusted certificate for a cisco.com sub domain. This certificate is used in a local WebSocket server, presumably to allow secure Sky/NOW TV origins to communicate with the video player on the users' local machines. I read the Baseline Requirements document (version 1.4.5, section 4.9.1.1), but I wasn't entirely sure whether this is considered a key compromise. I asked Hanno Bock on Twitter, and he advised me to post the matter to this mailing list. The executable containing the private key is named 'CiscoVideoGuardMonitor', and is shipped as part of the NOW TV video player. In case you are interested, the installer can be found here (SHA-256: 56feeef4c3d141562900f9f0339b120d4db07ae2777cc73a31e3b830022241e6). I would recommend to run this installer in a virtual machine, because it drops files all over the place, and installs a few launch items (agents/daemons). The executable 'CiscoVideoGuardMonitor' can be found at '$HOME/Library/Cisco/VideoGuardPlayer/VideoGuardMonitor/ VideoGuardMonitor.bundle/Contents/MacOS/CiscoVideoGuardMonitor'. Certificate details: Serial number: 66170CE2EC8B7D88B4E2EB732E738FE3A67CF672, DNS names: drmlocal.cisco.com, Issued by: HydrantID SSL ICA G2. The issuer HydrantID has since communicated with the certificate holder Cisco, and the certificate has been revoked.
Encryption

Equipment Already In Space Can Be Adapted For Extremely Secure Data Encryption (helpnetsecurity.com) 20

Orome1 quotes a report from Help Net Security: In a new study, researchers from the Max Planck Institute in Erlangen, demonstrate ground-based measurements of quantum states sent by a laser aboard a satellite 38,000 kilometers above Earth. This is the first time that quantum states have been measured so carefully from so far away. A satellite-based quantum-based encryption network would provide an extremely secure way to encrypt data sent over long distances. Developing such a system in just five years is an extremely fast timeline since most satellites require around 10 years of development. For the experiments, the researchers worked closely with satellite telecommunications company Tesat-Spacecom GmbH and the German Space Administration. The German Space Administration previously contracted with Tesat-Spacecom on behalf of the German Ministry of Economics and Energy to develop an optical communications technology for satellites. This technology is now being used commercially in space by laser communication terminals onboard Copernicus -- the European Union's Earth Observation Program -- and by SpaceDataHighway, the European data relay satellite system. It turned out that this satellite optical communications technology works much like the quantum key distribution method developed at the Max Planck Institute. Thus, the researchers decided to see if it was possible to measure quantum states encoded in a laser beam sent from one of the satellites already in space. In 2015 and the beginning of 2016, the team made these measurements from a ground-based station at the Teide Observatory in Tenerife, Spain. They created quantum states in a range where the satellite normally does not operate and were able to make quantum-limited measurements from the ground. The findings have been published in the journal Optica.
EU

European Parliament Committee Endorses End-To-End Encryption (tomshardware.com) 120

The civil liberties committee of the European Parliament has released a draft proposal "in direct contrast to the increasingly loud voices around the world to introduce regulations or weaken encryption," according to an anonymous Slashdot reader. Tom's Hardware reports: The draft recommends a regulation that will enforce end-to-end encryption on all communications to protect European Union citizens' fundamental privacy rights. The committee also recommended a ban on backdoors. Article 7 of the E.U.'s Charter of Fundamental Rights says that E.U. citizens have a right to personal privacy, as well as privacy in their family life and at home. According to the EP committee, the privacy of communications between individuals is also an important dimension of this right...

We've lately seen some EU member states push for increased surveillance and even backdoors in encrypted communications, so there seems to be some conflict here between what the European Parliament institutional bodies may want and what some member states do. However, if this proposal for the new Regulation on Privacy and Electronic Communications passes, it should significantly increase the privacy of E.U. citizens' communications, and it won't be so easy to roll back the changes to add backdoors in the future.

Security researcher Lukasz Olejnik says "the fact that policy is seriously considering these kind of aspects is unprecedented."

Slashdot Top Deals