Topic security

Amazon AWS continues to use TrueCrypt despite project's demise

Anonymous Coward
in security on (#3NQ)
Bad news for anyone who has settled on Amazon Simple Storage Service as a provider: importing and exporting data to and from Amazon Simple Storage Service still requires TrueCrypt, two weeks after the TrueCrypt encryption software was discontinued.

What to do now? No word from Amazon, which did not immediately respond to an inquiry about whether it plans to support data encryption technologies other than TrueCrypt for the AWS Import/Export feature in the future.

Curious how it works currently? Here are Amazon's docs on using TrueCrypt with Amazon S3 export and import. And here are Amazon's security FAQs.

OpenSSL CCS Injection Vulnerability

in security on (#3NE)
A researcher reviewing the OpenSSL library has found another bug in the implementation:
This [vulnerability] can be exploited by a man-in-the-middle (MITM) attack where the attacker can decrypt and modify traffic from the attacked client and server. The attack can only be performed between a vulnerable client and server.
Pretty much all versions of OpenSSL from the last few years are affected.

New GnuTLS buffer overflow

in security on (#3ND)
Another week, another buffer overflow in a crypto library! This time GnuTLS is the culprit: it misses the length checks for the session ID in the ServerHello message. Because most server applications choose OpenSSL over GnuTLS, the list of affected packages is actually rather small, but make sure your systems are up to date regardless.
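To show what the missing check looks like from the defender's side, here is an added example (not GnuTLS code) that parses the start of a TLS 1.2 ServerHello body and rejects a session ID whose announced length exceeds the 32-byte field or runs past the end of the record. It assumes the standard ServerHello layout (2-byte version, 32-byte random, 1-byte session_id length, session_id, cipher suite, compression method); the sample messages are constructed for the demonstration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Added example (not GnuTLS code): parse the start of a TLS ServerHello body
 * and apply the two session_id length checks the vulnerable GnuTLS lacked. */
#define TLS_MAX_SESSION_ID 32
typedef struct {
    uint8_t version_major, version_minor;
    uint8_t session_id_len;
    const uint8_t *session_id;          /* points into the input buffer */
} server_hello_t;

/* Returns 0 if the message is well formed, -1 if it must be rejected. */
int parse_server_hello(const uint8_t *buf, size_t len, server_hello_t *out)
{
    size_t pos = 0;
    if (len < 2 + 32 + 1) return -1;    /* version + random + length byte */
    out->version_major = buf[pos++];
    out->version_minor = buf[pos++];
    pos += 32;                          /* skip the 32-byte server random */
    out->session_id_len = buf[pos++];
    /* Check 1: the field is at most 32 bytes; a larger value must never be
     * used as a copy length into a fixed-size session buffer. */
    if (out->session_id_len > TLS_MAX_SESSION_ID) return -1;
    /* Check 2: the claimed length must not run past the end of the record. */
    if (out->session_id_len > len - pos) return -1;
    out->session_id = buf + pos;
    pos += out->session_id_len;
    if (len - pos < 3) return -1;       /* cipher_suite (2) + compression (1) */
    return 0;
}

/* Build a constructed ServerHello body; the claimed and actual session_id
 * sizes may differ so that malformed messages can be produced for testing. */
static size_t build_hello(uint8_t *buf, uint8_t claimed, size_t actual)
{
    size_t pos = 0;
    buf[pos++] = 3; buf[pos++] = 3;             /* TLS 1.2 */
    memset(buf + pos, 0xAB, 32); pos += 32;     /* constructed random */
    buf[pos++] = claimed;
    memset(buf + pos, 0x11, actual); pos += actual;
    buf[pos++] = 0xC0; buf[pos++] = 0x2F;       /* cipher suite */
    buf[pos++] = 0;                             /* null compression */
    return pos;
}
/* Three constructed cases: well formed, length > 32, length past end of record. */
int demo_valid(void)     { uint8_t b[64];  server_hello_t sh; return parse_server_hello(b, build_hello(b, 8, 8), &sh); }
int demo_oversized(void) { uint8_t b[320]; server_hello_t sh; return parse_server_hello(b, build_hello(b, 255, 255), &sh); }
int demo_truncated(void) { uint8_t b[64];  server_hello_t sh; return parse_server_hello(b, build_hello(b, 32, 4), &sh); }
```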

TrueCrypt Project Problems

Anonymous Coward
in security on (#3N8)
Finally, a story for resident conspiracy theorists that has truth behind it, an impact on the world, and may actually mean something.

TrueCrypt, the standout semi-open-source multiplatform full-disk-encryption software package, has acted all squirrelly and more or less shut the project down, blaming it, somewhat hilariously, on the end of Microsoft's Windows XP support. All this while a paid (and long-awaited) audit of TrueCrypt has been nearing completion.

Discussed at lots of places including Lifehacker, Slashdot, SoylentNews, and reddit.

This is really troubling for lots of reasons. The audit was deemed necessary because TC's authorship and operation were shrouded in mystery (the two main developers are anonymous and go by the pseudonyms "ennead" and "syncon"). This doesn't help any in that regard. What happened? Loss of control of the domain? Website defacement? Warrant canary?

Everything is broken

in security on (#3MW)
Journalist Quinn Norton writes on the broken culture of computer security. From complex software riddled with 0-days to human error and a general culture prone to feeling powerless, she explains how security is currently just a mirage.

Is computer security really just a wishful dream?

Move over Java: drive-by attacks exploiting Microsoft Silverlight on the rise

Anonymous Coward
in security on (#3MM)
Java takes a regular beating for its frequent exploits, and it's not uncommon for people to complain that Java is inherently insecure, or an unacceptable risk for secure computing platforms. Well, good thing there's Microsoft Silverlight to lend a hand, then! Recent investigation now shows a rise in drive-by attacks exploiting Microsoft Silverlight. From the article:
The number of drive-by malware attacks that exploit vulnerabilities in Microsoft's Silverlight application framework may be surpassing those that abuse Oracle's Java framework, according to a recent analysis of one popular hack-by-numbers tool kit. Since April 23, the Angler exploit kit has shown a significant uptick in attacks that target Silverlight users, according to a blog post published Monday by Levi Gundert, technical lead in Cisco Systems' threat research group.
The original Cisco piece can be read here.

[Ed. note: I for one propose a framework that will eliminate all such attacks: how about we eliminate graphics and video formats totally, and go back to green-screen ASCII text over a serial connection?]

When is your data not your own? When it's in the cloud

in security on (#3MK)
I've got Captain Obvious on the line, and he'd like you to know: the data you store in the cloud isn't private. You might be thinking, "I knew that." But it's news to some, like this guy, who got busted for possession of illegal pornographic images (child porn) after backing up his computer to a Verizon cloud backup service. Bonus: he was the deacon of a Catholic school in Baltimore County. Oops.
Turns out cloud storage providers routinely sweep stored data, matching it against hashes of known illegal images or media files. If they find one, you're toast.

From Ars Technica:
When Congress passed the PROTECT Our Children Act of 2008 mandating that service providers report suspected child pornography in the content that their customers surf and store, the law gave providers an out: if they couldn't check, they wouldn't know, and they wouldn't have to report it. But while checking is still voluntary, the National Center for Missing and Exploited Children has been pushing providers to use image-matching technology to help stop the spread of child pornography.
This isn't breaking news: the articles date back to March. But it's still relevant in the framework of the ongoing discussion of cloud versus local storage and the rights of authorities to revise your computing habits.

Cisco Letter to Obama Objecting to NSA Implants

Anonymous Coward
in security on (#3MD)
Listen, do you hear something? It's "waaa, waaaa, waaa, waaaa." It's the sound of Cisco executives crying to the White House that their business is being ruined now that the public knows their hardware is being sabotaged by the NSA with listening devices.

I'd feel sympathetic for them, but I'm too busy buying other manufacturers' hardware. This PDF is the letter Cisco executives have sent to President Obama. Or have a look here. The Washington Post reports that Cisco's John Chandler wrote:
Absent a new approach where industry plays a role, but in which you, Mr. President, can lead, we are concerned that our country's global technological leadership will be impaired. Moreover, the result could be a fragmented Internet, where the promise of the next Internet is never fully realized.
More interesting than the complaint is this graph showing the difference between Cisco's predicted and actual growth, potentially due to this revelation. Who needs a diaper change and a nice bottle of warmed milk?

[Ed. note 2014-05-20 12:10: update with a new, interesting link: ]
[Ed. note 2014-05-20 16:20: Link in the first ed. note has been fixed.]

Intel vPro chip gives snoops backdoor PC access

Anonymous Coward
in security on (#3MC)
Bad news: you're still rooted six ways to Sunday. This article comes from September 2013, but before you complain it's not breaking news, note that nothing has been done about it. In sum, Intel Core vPro processors contain a secret 3G chip that allows remote disabling and backdoor access to any computer even when it is turned off.

From the article:
"Intel actually embedded the 3G radio chip in order to enable its Anti Theft 3.0 technology. And since that technology is found on every Core i3/i5/i7 CPU after Sandy Bridge, that means a lot of CPUs, not just new vPro, might have a secret 3G connection nobody knew about until now," reports Softpedia ... "Core vPro processors contain a second physical processor embedded within the main processor which has its own operating system embedded on the chip itself," writes Jim Stone. "As long as the power supply is available and in working condition, it can be woken up by the Core vPro processor, which runs on the system's phantom power and is able to quietly turn individual hardware components on and access anything on them."
Curious? Outraged? Here are some more links so you can catch up on your new, pw0ned lifestyle.

Happy websurfing, suckers. Remember, Intel knows if you're posting anonymously ;)

myGov Site Exposed Australians' Private Information

Anonymous Coward
in security on (#3M0)
The Australian Department of Human Services has been blasted over its "appalling response" to a security researcher's report, which found it has been exposing millions of Australians' personal information by leaving serious security flaws unchecked in a critical government website. The site is a portal to several government services, and Australians may soon be required to use it for interacting with government services online.
The vulnerabilities were found in the myGov website, which stores the private records of Australians, including their doctor visits, prescription drugs, childcare and welfare payments. The Tax Office is expected to make the site mandatory for electronic tax returns this year.