Slashdot security articles


Microsoft Patches Major Windows 10 Vulnerability After NSA Warning

Tue, 01/14/2020 - 13:25
Microsoft on Tuesday patched an extraordinarily serious security vulnerability in a core cryptographic component present in all versions of Windows. The vulnerability was spotted and reported by the NSA. CNBC reports: The flaw affected encryption of digital signatures used to authenticate content, including software or files. If exploited, the flaw could allow criminals to send malicious content with fake signatures that make it appear safe. The finding was reported earlier by The Washington Post. It is unclear how long the NSA knew about the flaw before reporting it to Microsoft. The cooperation, however, is a departure from past interactions between the NSA and major software developers such as Microsoft. In the past, the top security agency has kept some major vulnerabilities secret in order to use them as part of the U.S. tech arsenal. In a statement, Microsoft declined to confirm or offer further details. "We follow the principles of coordinated vulnerability disclosure as the industry best practice to protect our customers from reported security vulnerabilities. To prevent unnecessary risk to customers, security researchers and vendors do not discuss the details of reported vulnerabilities before an update is available." Jeff Jones, a senior director at Microsoft said in a statement Tuesday: "Customers who have already applied the update, or have automatic updates enabled, are already protected. As always we encourage customers to install all security updates as soon as possible." Microsoft told CNBC that it had not seen any exploitation of the flaw "in the wild," which means outside a lab testing environment.

Apple Responds To AG Barr Over Unlocking Pensacola Shooter's Phone: 'No.'

Tue, 01/14/2020 - 08:41
On Monday, Attorney General William Barr called on Apple to unlock the alleged phone of the Pensacola shooter -- a man who murdered three people and injured eight others on a Naval base in Florida in December. Apple has responded by essentially saying: "no." From a report: "We reject the characterization that Apple has not provided substantive assistance in the Pensacola investigation," the company said. "It was not until January 8th that we received a subpoena for information related to the second iPhone, which we responded to within hours," Apple added, countering Barr's characterization of the company being slow in its approach to the FBI's needs. However, it ends the statement in no uncertain terms: "We have always maintained there is no such thing as a backdoor just for the good guys." Despite pressure from the government, Apple has long held that giving anyone the keys to users' data or a backdoor to their phones -- even in cases where terrorism or violence was involved -- would compromise every user. The company is clearly standing by those principles.

Cryptic Rumblings Ahead of First 2020 Patch Tuesday

Tue, 01/14/2020 - 06:00
Brian Krebs: Sources tell KrebsOnSecurity that Microsoft is slated to release a software update on Tuesday to fix an extraordinarily serious security vulnerability in a core cryptographic component present in all versions of Windows. Those sources say Microsoft has quietly shipped a patch for the bug to branches of the U.S. military and to other high-value customers/targets that manage key Internet infrastructure, and that those organizations have been asked to sign agreements preventing them from disclosing details of the flaw prior to Jan. 14, the first Patch Tuesday of 2020. According to sources, the vulnerability in question resides in a Windows component known as crypt32.dll, a Windows module that Microsoft says handles "certificate and cryptographic messaging functions in the CryptoAPI." The Microsoft CryptoAPI provides services that enable developers to secure Windows-based applications using cryptography, and includes functionality for encrypting and decrypting data using digital certificates. NSA said on Tuesday that it spotted the vulnerability and reported it to Microsoft. NSA said Microsoft will report later today that it has seen no active exploitation of this vulnerability. NSA's Director of Cybersecurity, Anne Neuberger, says the critical cryptographic vulnerability resides in Windows 10 and Windows Server 2016, and that the concern about this particular flaw is that it "makes trust vulnerable."

City of Las Vegas Said It Successfully Avoided Devastating Cyberattack

Mon, 01/13/2020 - 16:10
An anonymous reader quotes a report from ZDNet: Officials from the city of Las Vegas said they narrowly avoided a major security incident that took place on Tuesday, January 7. According to a statement published by the city on Wednesday, the compromise took place on Tuesday, at 4:30 am, in the morning. The city said IT staff immediately detected the intrusion and took steps to protect impacted systems. The city responded by taking several services offline, including its public website, which is still down at the time of writing. City officials have not disclosed any details about the nature of the incident, but local press reported that it might have involved an email delivery vector. In a subsequent statement published on Twitter on Wednesday, the city confirmed it "resumed full operations with all data systems functioning as normal." "Thanks to our software security systems and fast action by our IT staff, we were fortunate to avoid what had the potential to be a devastating situation," it said. "We do not believe any data was lost from our systems and no personal data was taken. We are unclear as to who was responsible for the compromise, but we will continue to look for potential indications," the city also added.

Unpatched Citrix Vulnerability Now Exploited, Patch Weeks Away

Mon, 01/13/2020 - 14:10
An anonymous reader quotes a report from Ars Technica: On December 16, 2019, Citrix revealed a vulnerability in the company's Application Delivery Controller and Gateway products -- commercial virtual-private-network gateways formerly marketed as NetScaler and used by tens of thousands of companies. The flaw, discovered by Mikhail Klyuchnikov of Positive Technologies, could give an attacker direct access to the local networks behind the gateways from the Internet without the need for an account or authentication, using a crafted Web request. Citrix has published steps to reduce the risk of the exploit. But these steps, which simply configure a responder to handle requests containing the text that targets the flaw, break under some circumstances and might interfere with access to the administration portal for the gateways by legitimate users. A permanent patch will not be released until January 20. And as of January 12, over 25,000 servers remain vulnerable, based on scans by Bad Packets. This is not surprising, considering the number of Pulse Secure VPNs that have not yet been patched over six months after a fix was made available, despite Pulse Secure executives saying that they have "worked aggressively" to get customers to patch that vulnerability. And given that vulnerable Pulse Secure servers have been targeted now for ransomware attacks, the same will likely be true for unprotected Citrix VPN servers -- especially since last week, proof-of-concept exploits of the vulnerability began to appear, including at least two published on GitHub, as ZDNet's Catalin Cimpanu reported. "The vulnerability allows the remote execution of commands in just two HTTP requests, thanks to a directory traversal bug in the implementation of the gateway's Web interface," the report adds. "The attacks use a request for the directory '/vpn/../vpns/' to fool the Apache Web server on the gateway to point to the '/vpns/' directory without authentication. The attacks then inject a command based on the template returned from the first request." You can check for the vulnerability here.
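The traversal above works because an access decision made on the raw request path ('/vpn/...') disagrees with the path the server actually serves ('/vpns/'). The following is an added example, not code from Ars Technica, Citrix or Positive Technologies, and not a scanner for the flaw: it shows the raw-prefix check beside a check made on the canonical path, and runs the same comparison over a few constructed access-log lines to flag requests that reach the protected tree only through traversal. The log lines, the IP addresses and the percent-encoded variant of the path are assumptions constructed for illustration; only the literal '/vpn/../vpns/' comes from the report.

```python
import re
from posixpath import normpath
from urllib.parse import unquote

# Constructed access-log lines (not real gateway logs). Line 1 is the exact
# path the report describes; line 2 is an assumed URL-encoded variant of it.
SAMPLE_LOG = """\
203.0.113.7 - - [11/Jan/2020:02:14:03 +0000] "GET /vpn/../vpns/ HTTP/1.1" 200 512
203.0.113.7 - - [11/Jan/2020:02:14:04 +0000] "GET /vpn/..%2fvpns/ HTTP/1.1" 200 512
198.51.100.4 - - [11/Jan/2020:02:20:11 +0000] "GET /vpn/index.html HTTP/1.1" 200 2048
198.51.100.9 - - [11/Jan/2020:02:21:30 +0000] "GET /vpns/portal/ HTTP/1.1" 403 0
"""

# Common-log-format request line: client IP, then the quoted "METHOD PATH VERSION".
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*"'
)

PROTECTED = "/vpns"   # the tree that must require authentication


def requires_auth_vulnerable(raw_path: str) -> bool:
    """Prefix check on the raw request path: the mistake traversal abuses."""
    return raw_path.startswith(PROTECTED + "/")


def canonical_path(raw_path: str) -> str:
    """Drop the query string, decode percent-encoding, collapse '.' and '..'."""
    path = unquote(raw_path.split("?", 1)[0])
    return normpath(path)


def requires_auth_hardened(raw_path: str) -> bool:
    """Same decision, made on the canonical path the server will actually serve."""
    canon = canonical_path(raw_path)
    return canon == PROTECTED or canon.startswith(PROTECTED + "/")


def is_traversal_to_protected(raw_path: str) -> bool:
    """True when raw and canonical views disagree about the protected tree."""
    return requires_auth_hardened(raw_path) and not requires_auth_vulnerable(raw_path)


def flag_traversal(log_text: str):
    """Return (client_ip, raw_path) for every request that traverses into PROTECTED."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and is_traversal_to_protected(m["path"]):
            hits.append((m["ip"], m["path"]))
    return hits


if __name__ == "__main__":
    for ip, path in flag_traversal(SAMPLE_LOG):
        print(f"traversal into {PROTECTED}/ from {ip}: {path}")
```

The detector deliberately keys on the disagreement between the two checks rather than on the literal string '/../', which is also why a responder policy that matches the literal text can be bypassed by an encoding the policy does not decode.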

Barr Asks Apple To Unlock iPhones of Pensacola Gunman

Mon, 01/13/2020 - 11:53
Attorney General William P. Barr declared on Monday that a deadly shooting last month at a naval air station in Pensacola, Fla., was an act of terrorism, and he asked Apple in an unusually high-profile request to provide access to two phones used by the gunman. From a report: Mr. Barr's appeal was an escalation of an ongoing fight between the Justice Department and Apple pitting personal privacy against public safety. "This situation perfectly illustrates why it is critical that the public be able to get access to digital evidence," Mr. Barr said, calling on Apple and other technology companies to find a solution and complaining that Apple has provided no "substantive assistance." Apple has given investigators materials from the iCloud account of the gunman, Second Lt. Mohammed Saeed Alshamrani, a member of the Saudi air force training with the American military, who killed three sailors and wounded eight others on Dec. 6. But the company has refused to help the F.B.I. open the phones themselves, which would undermine its claims that its phones are secure.

UK Govt Warns Not To Access Online Banking on Windows 7

Mon, 01/13/2020 - 10:10
The UK's National Cyber Security Centre (NCSC) is warning people against using online banking or accessing sensitive accounts from devices running Windows 7 from Tuesday, 14 January, when Microsoft ends support for the operating system. From a report: The NCSC, the government body for cybersecurity, is encouraging people to upgrade from Windows 7 as soon as possible, due to Microsoft's 2019 decision to stop providing technical support for the software. "The NCSC would encourage people to upgrade devices currently running Windows 7, allowing them to continue receiving software updates which help protect their devices," the NCSC spokesperson said. "We would urge those using the software after the deadline to replace unsupported devices as soon as possible, to move sensitive data to a supported device and not to use them for tasks like accessing bank and other sensitive accounts. They should also consider accessing email from a different device."

Academic Research Finds Five US Telcos Vulnerable To SIM Swapping Attacks

Mon, 01/13/2020 - 08:50
A Princeton University academic study found that five major US prepaid wireless carriers are vulnerable to SIM swapping attacks. From a report: A SIM swap is when an attacker calls a mobile provider and tricks the telco's staff into changing a victim's phone number to an attacker-controlled SIM card. This allows the attacker to reset passwords and gain access to sensitive online accounts, like email inboxes, e-banking portals, or cryptocurrency trading systems. All last year, Princeton academics spent their time testing five major US telco providers to see if they could trick call center employees into changing a user's phone number to another SIM without providing proper credentials. According to the research team, AT&T, T-Mobile, Tracfone, US Mobile, and Verizon Wireless were found to be using vulnerable procedures with their customer support centers, procedures that attackers could use to conduct SIM swapping attacks. In addition, the research team also looked at 140 online services and websites and analyzed on which of these attackers could employ a SIM swap to hijack a user's account. According to the research team, 17 of the 140 websites were found to be vulnerable.

ICANN Wants to Let VeriSign Raise Prices on .Com Domains

Mon, 01/13/2020 - 03:34
VeriSign has released a "proposed agreement" with ICANN to amend their exclusive .com registry agreement to allow them to raise the price of dotcom registrations up to 28% every six years. Those new terms "are now open to public comment" -- and the Register points out that ICANN's decision seems to come with a corresponding $20 million for ICANN: Operator of the dot-com registry, Verisign, has decided to pay DNS overseer ICANN $4 million a year for the next five years in order to "educate the wider ICANN community about security threats." Even though the generous $20 million donation has nothing to do with ICANN signing off on an extension of the dot-com contract until 2024, the "binding letter of intent" [PDF] stating the exact amount of funding will be appended to the registry agreement that Verisign has with ICANN to run the dot-com registry. That extension lifts a price freeze put in place several years ago and will allow Verisign to increase prices by seven per cent a year [in each of the last four years of each six year contract renewal]. It's an increase that we calculated was worth $993 million and which the stock market appeared to agree with when it raised the company's share price by 16 per cent when the agreement was first flagged in November 2018... ICANN explains the $20 million this time will be used to "support ICANN's initiatives to preserve and enhance the security, stability and resiliency of the DNS, including root server system governance, mitigation of DNS security threats, promotion and/or facilitation of DNSSEC deployment, the mitigation of name collisions, and research into the operation of the DNS." Which is all entirely above board and not at all shady.

How Is Computer Programming Different Today Than 20 Years Ago?

Mon, 01/13/2020 - 00:04
This week a former engineer for the Microsoft Windows Core OS Division shared an insightful (and very entertaining) list with "some changes I have noticed over the last 20 years" in the computer programming world. Some excerpts: - Some programming concepts that were mostly theoretical 20 years ago have since made it to mainstream including many functional programming paradigms like immutability, tail recursion, lazily evaluated collections, pattern matching, first class functions and looking down upon anyone who doesn't use them... - 3 billion devices run Java. That number hasn't changed in the last 10 years though... - A package management ecosystem is essential for programming languages now. People simply don't want to go through the hassle of finding, downloading and installing libraries anymore. 20 years ago we used to visit web sites, download zip files, copy them to the correct locations, add them to the paths in the build configuration and pray that they worked. - Being a software development team now involves all team members performing a mysterious ritual of standing up together for 15 minutes in the morning and drawing occult symbols with post-its.... - Since we have much faster CPUs now, numerical calculations are done in Python which is much slower than Fortran. So numerical calculations basically take the same amount of time as they did 20 years ago... - Even programming languages took a side on the debate on Tabs vs Spaces.... - Code must run behind at least three levels of virtualization now. Code that runs on bare metal is unnecessarily performant.... - A tutorial isn't really helpful if it's not a video recording that takes orders of magnitude longer to understand than its text. - There is StackOverflow which simply didn't exist back then. Asking a programming question involved talking to your colleagues. - People develop software on Macs. In our new world where internet connectivity is the norm and being offline the exception, "Security is something we have to think about now... Because of side-channel attacks we can't even trust the physical processor anymore." And of course, "We don't use IRC for communication anymore. We prefer a bloated version called Slack because we just didn't want to type in a server address...."

Internet Pioneers Fight For Control of .Org Registry By Forming a Nonprofit Alternative

Sun, 01/12/2020 - 16:44
Reuters reports that a group of "prominent internet pioneers" now has a plan to block the $1.1 billion sale of the .org internet domain registry to Ethos Capital. The group has created their own nonprofit cooperative to offer an alternative: "There needs to be a place on the internet that represents the public interest, where educational sites, humanitarian sites, and organizations like Wikipedia can provide a broader public benefit," said Katherine Maher, the CEO of Wikipedia parent Wikimedia Foundation, who signed on to be a director of the new nonprofit. The crowd-sourced research tool Wikipedia is the most visited of the 10 million .org sites registered worldwide... Hundreds of nonprofits have already objected to the transaction, worried that Ethos will raise registration and renewal prices, cut back on infrastructure and security spending, or make deals to sell sensitive data or allow censorship or surveillance... "What offended me about the Ethos Capital deal and the way it unfolded is that it seems to have completely betrayed this concept of stewardship," said Andrew McLaughlin, who oversaw the transfer of internet governance from the U.S. Commerce Department to ICANN, completed in 2016. Maher and others said the idea of the new cooperative is not to offer a competing financial bid for .org, which brings in roughly $100 million in revenue from domain sales. Instead, they hope that the unusual new entity, formally a California Consumer Cooperative Corporation, can manage the domain for security and stability and make sure it does not become a tool for censorship. The advocacy group Electronic Frontier Foundation (EFF), which previously organized a protest over the .org sale that drew in organizations including the YMCA of the United States, Greenpeace, and Consumer Reports, is also supporting the cooperative. "It's highly inappropriate for it to be turned over to a commercial venture at all, much less one that's going to need to recover $1 billion," said EFF Executive Director Cindy Cohn.

Equifax's Stock Rose More Than 50% In 2019

Sun, 01/12/2020 - 13:49
"There's still time to file a claim for a share of the $425 million that Equifax agreed to cough up after hosing almost half of the country in its massive data breach a few years ago," writes a Pennsylvania newspaper columnist, pointing victims to equifaxbreachsettlement.com. "But unless you can prove you were an identity theft victim who lost money, or had to waste time cleaning up the mess, don't expect much of a payout. Victims are being hosed again." The breach affected an estimated 147 million Americans. Hackers exploited a known but unpatched website vulnerability and gained access to names, Social Security numbers, birth dates, addresses, driver's license numbers and credit card numbers. Facing lawsuits from federal and state consumer protection agencies, Equifax agreed to a settlement. It offered several ways for people to file claims, with a deadline of Jan. 22. The option that applies to most people is 10 years of free credit monitoring, or a cash payout of up to $125 for those who already have monitoring. But you aren't going to get anywhere near $125. The settlement called for a pot of only $31 million for those payouts. And based on the number of people who have applied, that's not enough to cover the maximum payment. You may not even get enough to buy a decent sandwich, according to Ted Frank, director of litigation for Hamilton Lincoln Law Institute, which includes the Center for Class Action Fairness. "That's down to $6 or $7 now," Frank told CNBC in December. "Maybe even less than that." Frank spoke after the federal judge overseeing the settlement awarded $77.5 million of the $425 million settlement fund to the attorneys who represented consumers against Equifax. His organization had opposed that award as being too much. Meanwhile, the Motley Fool notes that in 2019 Equifax's stock rose 50.5% -- after dropping 21% in 2018 and remaining "relatively flat" in 2017. "The credit-reporting company's stock rose thanks to a series of earnings beats and with the shadow of the big 2017 data breach receding further into the rear view...."

Charter's Spectrum Kills Home Security Business, Refuses Refunds on Now-Worthless Equipment

Sun, 01/12/2020 - 07:34
Charter Communications' Spectrum cable service includes a home security service, and -- whoops. No it doesn't. "Spectrum customers who are also users of the company's home security service are about a month away from being left with a pile of useless equipment that in many cases cost them hundreds of dollars," reports Gizmodo: On February 5, Spectrum will no longer support customers who've purchased its Spectrum Home Security equipment. None of the devices -- the cameras, motion sensors, smart thermostats, and in-home touchscreens -- can be paired with other existing services. In a few weeks, it'll all be worthless junk. While some of the devices may continue to function on their own, customers will soon no longer be able to access them using their mobile devices, which is sort of the whole point of owning a smart device... Spectrum is hoping to smooth things over with "exclusive offers" from other home security companies, including Ring, which is owned by Amazon... Spectrum apparently believes it can afford to aggravate these customers, some if not most of whom will have no choice but to continue paying Spectrum for internet service. Spectrum "inherited" the business after acquiring Time Warner Cable and Bright House Networks in 2016, Gizmodo reports. "It's not offering refunds, though... The firmware on the devices doesn't allow switching to other services, either."

A Quick Look At the Fight Against Encryption

Sat, 01/11/2020 - 13:34
b-dayyy shared this overview from the Linux Security site: Strong encryption is imperative to securing sensitive data and protecting individuals' privacy online, yet governments around the world refuse to recognize this, and are continually aiming to break encryption in an effort to increase the power of their law enforcement agencies... This fear of strong, unbroken encryption is not only unfounded -- it is dangerous. Encryption with built-in backdoors which provide special access for select groups not only has the potential to be abused by law enforcement and government agencies by allowing them to eavesdrop on potentially any digital conversation, it could also be easily exploited by threat actors and criminals. U.S. Attorney General William Barr and U.S. senators are currently pushing for legislation that would force technology companies to build backdoors into their products, but technology companies are fighting back full force. Apple and Facebook have spoken out against the introduction of encryption backdoors, warning that it would introduce massive security and privacy threats and would serve as an incentive for users to choose devices from overseas. Apple's user privacy manager Erik Neuenschwander states, "We've been unable to identify any way to create a backdoor that would work only for the good guys." Facebook has taken a more defiant stance on the issue, adamantly saying that it would not provide access to encrypted messages in Facebook and WhatsApp. Senator Lindsey Graham has responded to this resistance authoritatively, advising the technology giants to "get on with it", and stating that the Senate will ultimately "impose its will" on privacy advocates and technologists. However, Graham's statement appears unrealistic, and several lawmakers have indicated that Congress won't make much progress on this front in 2020... Encryption is an essential component of digital security that should be embraced, not feared. In any scenario, unencrypted data is subject to prying eyes. Strong, unbroken encryption is vital in protecting privacy and securing data both in transit and in storage, and backdoors would leave sensitive data vulnerable to tampering and theft.

A Billion Medical Images Are Exposed Online, As Doctors Ignore Warnings

Sat, 01/11/2020 - 02:00
Insecure storage systems being used by hundreds of hospitals, medical offices and imaging centers are exposing over 1 billion medical images of patients across the world. "Yet despite warnings from security researchers who have spent weeks alerting hospitals and doctors' offices to the problem, many have ignored their warnings and continue to expose their patients' private health information," writes Zack Whittaker from TechCrunch. From the report: "It seems to get worse every day," said Dirk Schrader, who led the research at Germany-based security firm Greenbone Networks, which has been monitoring the number of exposed servers for the past year. The problem is well-documented. Greenbone found 24 million patient exams storing more than 720 million medical images in September, which first unearthed the scale of the problem as reported by ProPublica. Two months later, the number of exposed servers had increased by more than half, to 35 million patient exams, exposing 1.19 billion scans and representing a considerable violation of patient privacy. A decades-old file format and industry standard known as DICOM was designed to make it easier for medical practitioners to store medical images in a single file and share them with other medical practices. DICOM images can be viewed using any of several free-to-use apps, just as a radiologist would view them. DICOM images are typically stored in a picture archiving and communications system, known as a PACS server, allowing for easy storage and sharing. But many doctors' offices disregard security best practices and connect their PACS server directly to the internet without a password. These unprotected servers not only expose medical imaging but also patient personal health information. Many patient scans include cover sheets baked into the DICOM file, including the patient's name, date of birth and sensitive information about their diagnoses. In some cases, hospitals use a patient's Social Security number to identify patients in these systems.
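The point that an exposed DICOM object carries the patient's identifiers alongside the pixels is easy to see from the format itself. The following is an added example, not code from TechCrunch, Greenbone or any DICOM toolkit: a minimal reader for the Explicit VR Little Endian encoding of a DICOM Part 10 file that pulls out the patient-identifying elements. The sample file is constructed in the code (fictitious patient, stand-in pixel data); the set of tags treated as PHI is an assumption chosen for the example and is not exhaustive.

```python
import struct

EXPLICIT_VR_LE = b"1.2.840.10008.1.2.1"
LONG_VRS = {b"OB", b"OW", b"OF", b"SQ", b"UT", b"UN"}  # 2 reserved bytes + 4-byte length
PHI_TAGS = {                                           # assumed subset of identifying tags
    (0x0010, 0x0010): "PatientName",
    (0x0010, 0x0020): "PatientID",
    (0x0010, 0x0030): "PatientBirthDate",
    (0x0008, 0x1030): "StudyDescription",
}


def elem(group: int, element: int, vr: bytes, value: bytes) -> bytes:
    """Encode one Explicit VR LE data element; DICOM pads values to even length."""
    if len(value) % 2:
        value += b"\x00" if vr in (b"UI", b"OB") else b" "
    if vr in LONG_VRS:
        return struct.pack("<HH2sHI", group, element, vr, 0, len(value)) + value
    return struct.pack("<HH2sH", group, element, vr, len(value)) + value


def build_sample_dicom() -> bytes:
    """Constructed file: 128-byte preamble, 'DICM', file meta group, dataset."""
    ts = elem(0x0002, 0x0010, b"UI", EXPLICIT_VR_LE)
    meta = elem(0x0002, 0x0000, b"UL", struct.pack("<I", len(ts))) + ts
    body = b"".join([
        elem(0x0008, 0x0060, b"CS", b"MR"),
        elem(0x0008, 0x1030, b"LO", b"BRAIN MRI"),
        elem(0x0010, 0x0010, b"PN", b"DOE^JANE"),      # fictitious patient
        elem(0x0010, 0x0020, b"LO", b"12345"),
        elem(0x0010, 0x0030, b"DA", b"19800101"),
        elem(0x7FE0, 0x0010, b"OB", bytes(16)),        # stand-in pixel data
    ])
    return bytes(128) + b"DICM" + meta + body


def parse_dicom(data: bytes) -> dict:
    """Return {(group, element): (vr, raw_value)} for an Explicit VR LE file."""
    if data[128:132] != b"DICM":
        raise ValueError("not a DICOM Part 10 file (missing DICM magic)")
    pos, elements, checked_ts = 132, {}, False
    while pos + 6 <= len(data):
        group, element, vr = struct.unpack_from("<HH2s", data, pos)
        pos += 6
        if vr in LONG_VRS:
            (length,) = struct.unpack_from("<I", data, pos + 2)  # skip reserved bytes
            pos += 6
        else:
            (length,) = struct.unpack_from("<H", data, pos)
            pos += 2
        if length == 0xFFFFFFFF:
            raise ValueError("undefined-length element (sequence) not supported")
        if group != 0x0002 and not checked_ts:
            # The meta group is always Explicit VR LE; the dataset only if it says so.
            ts = elements.get((0x0002, 0x0010), (None, b""))[1].rstrip(b"\x00")
            if ts != EXPLICIT_VR_LE:
                raise ValueError("dataset transfer syntax %r not supported" % ts)
            checked_ts = True
        elements[(group, element)] = (vr.decode("ascii"), data[pos:pos + length])
        pos += length
    return elements


def extract_phi(data: bytes) -> dict:
    """Map the identifying elements present in the file to their text values."""
    elements = parse_dicom(data)
    return {
        name: elements[tag][1].decode("ascii").rstrip(" \x00")
        for tag, name in PHI_TAGS.items()
        if tag in elements
    }


if __name__ == "__main__":
    for field, value in extract_phi(build_sample_dicom()).items():
        print(f"{field}: {value}")
```

Anyone who can fetch the file from an unauthenticated PACS gets the name, ID and birth date in cleartext with no more effort than this; a PACS that must be reachable from outside the office needs authentication and transport encryption in front of it, not reliance on the format being obscure.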

SIM Swappers Are Using RDP To Directly Access Internal T-Mobile, AT&T, and Sprint Tools

Fri, 01/10/2020 - 16:02
An anonymous reader quotes a report from Motherboard: Hackers are now getting telecom employees to run software that lets the hackers directly reach into the internal systems of U.S. telecom companies to take over customer cell phone numbers, Motherboard has learned. Multiple sources in and familiar with the SIM swapping community as well as screenshots shared with Motherboard suggest at least AT&T, T-Mobile, and Sprint have been impacted. The technique uses Remote Desktop Protocol (RDP) software. RDP lets a user control a computer over the internet rather than being physically in front of it. It's commonly used for legitimate purposes such as customer support. But scammers also make heavy use of RDP. In an age-old scam, a fraudster will phone an ordinary consumer and tell them their computer is infected with malware. To fix the issue, the victim needs to enable RDP and let the fake customer support representative into their machine. From here, the scammer could do all sorts of things, such as logging into online bank accounts and stealing funds. This use of RDP is essentially what SIM swappers are now doing. But instead of targeting consumers, they're tricking telecom employees to install or activate RDP software, and then remotely reaching into the company's systems to SIM swap individuals. The process starts with convincing an employee in a telecom company's customer support center to run or install RDP software. The active SIM swapper said they provide an employee with something akin to an employee ID, "and they believe it." Hackers may also convince employees to provide credentials to an RDP service if they already use it. Once RDP is enabled, "They RDP into the store or call center [computer] [...] and mess around on the employees' computers including using tools," said Nicholas Ceraolo, an independent security researcher who first flagged the issue to Motherboard. Motherboard then verified Ceraolo's findings with the active SIM swapper.

Indian Supreme Court Finds 150-Day Internet Blackout In Kashmir Illegal

Fri, 01/10/2020 - 14:00
An anonymous reader quotes a report from Ars Technica: The Indian region of Kashmir has had most Internet service blacked out since August. The government of Narendra Modi says the online blackout is a necessary security measure in the face of growing unrest in the region triggered by a change in Kashmir's status under the Indian constitution. (Kashmir's status within India has been a topic of controversy for decades.) But on Friday, India's highest court rejected the government's rationale, arguing that the blackout violated Indian telecommunications laws. "Freedom of Internet access is a fundamental right," Justice N. V. Ramana said. "The Supreme Court ruling won't lead to an immediate restoration of Internet access in Kashmir, however," the report adds. "Instead, India's highest court has given the government a week to revise its policies. The court also required the government to be more transparent about its Internet shutdown orders." Further reading: Reuters

Streaming Services Reckon With Password-Sharing 'Havoc'

Fri, 01/10/2020 - 12:50
In 2019, companies lost about $9.1 billion to password piracy and sharing. From a report: On Dec. 9, Charter Communications CEO Tom Rutledge took aim at the "content companies" entering the direct-to-consumer streaming business. The cable executive told a roomful of investment bankers in Manhattan that these new streamers are "creating havoc in the ecosystem." Rutledge wasn't talking about the proliferation of content or the fight to secure exclusive deals with talent. He was targeting the lax security and rampant password sharing that's prevalent across the streaming landscape. "Half the people in the country live in houses with two or less people in them, and yet these services have five streams," Rutledge added. "There are more streams available than there are homes to use them." Password sharing has serious economic consequences. In 2019, companies lost about $9.1 billion to password piracy and sharing, and that will rise to $12.5 billion in 2024, according to data released by research firm Parks Associates. For now, many streamers -- including Netflix, Hulu, Disney+ and Amazon Prime -- seem content to allow the practice to continue, even while they crack down on illicit password sales. But as services mature, priorities will likely change. "When the growth starts to flatten and you start to look at the balance sheet, you are going to be looking for revenue," says Jean-Marc Racine, chief product officer of video delivery and security firm Synamedia. The company (which counts Disney, Comcast and AT&T among its clients) conducted a study of two anonymous video providers and said Jan. 6 that it found they were losing more than $70 million annually from password sharing.

Hundreds of Millions of Cable Modems Are Vulnerable To New Cable Haunt Vulnerability

Fri, 01/10/2020 - 11:30
A team of four Danish security researchers has disclosed this week a security flaw that impacts cable modems that use Broadcom chips. From a report: The vulnerability, codenamed Cable Haunt, is believed to impact an estimated 200 million cable modems in Europe alone, the research team said today. The vulnerability impacts a standard component of Broadcom chips called a spectrum analyzer. This is a hardware and software component that protects the cable modem from signal surges and disturbances coming via the coax cable. The component is often used by internet service providers (ISPs) in debugging connection quality. On most cable modems, access to this component is limited to connections from the internal network. The research team says the Broadcom chip spectrum analyzer lacks protection against DNS rebinding attacks, uses default credentials, and also contains a programming error in its firmware.
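A "local network only" restriction is exactly what DNS rebinding defeats: the victim's browser resolves an attacker-controlled name, the answer later changes to the modem's own address, and the browser keeps sending requests to that address with the attacker's name in the Host header. The following is an added example, not code from the Cable Haunt researchers or from any Broadcom firmware: the Host-header check a device-local web service needs so that such requests are refused. The management addresses, the hostname and the request headers are assumptions constructed for illustration.

```python
import ipaddress
from typing import Iterable, Mapping

DEVICE_ADDRESSES = ("192.168.100.1", "192.168.0.1")   # assumed modem management IPs
DEVICE_NAMES = ("modem.local",)                        # assumed modem hostname


def split_host_port(host_header: str) -> str:
    """Return the host part of a Host header, dropping any :port suffix."""
    host = host_header.strip().lower()
    if host.startswith("["):                     # bracketed IPv6 literal
        end = host.find("]")
        return host[1:end] if end != -1 else ""
    if host.count(":") == 1:                     # name:port or IPv4:port
        return host.rsplit(":", 1)[0]
    return host


def host_header_allowed(host_header: str, addresses: Iterable[str],
                        names: Iterable[str] = ()) -> bool:
    """True only if the Host header names this device by address or hostname."""
    host = split_host_port(host_header)
    if not host:
        return False
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:                           # not an IP literal: compare as a name
        return host in {n.lower() for n in names}
    return addr in {ipaddress.ip_address(a) for a in addresses}


def handle_request(headers: Mapping[str, str]) -> int:
    """Dispatch stub: 421 Misdirected Request unless the Host header is ours."""
    host = headers.get("Host")
    if host is None or not host_header_allowed(host, DEVICE_ADDRESSES, DEVICE_NAMES):
        return 421
    return 200   # the real handler (spectrum analyzer page, etc.) would run here


if __name__ == "__main__":
    # Constructed requests. After a rebinding, the victim's browser resolves
    # rebind.attacker.example to the modem's address but still sends the
    # attacker's name in Host, which is what the check refuses.
    for hdrs in ({"Host": "192.168.100.1"},
                 {"Host": "modem.local:8080"},
                 {"Host": "rebind.attacker.example"},
                 {}):
        print(hdrs.get("Host", "<none>"), "->", handle_request(hdrs))
```

The check works because the browser, not the attacker, fills in Host, and a browser never sends the device's own address for a page it loaded under the attacker's name. It does nothing about the default credentials the report also mentions; those have to be replaced on first use regardless of where the request comes from.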

Over Two Dozen Encryption Experts Call on India To Rethink Changes To Its Intermediary Liability Rules

Fri, 01/10/2020 - 08:50
Security and encryption experts from around the world are joining a number of organizations to call on India to reconsider its proposed amendments to local intermediary liability rules. From a report: In an open letter to India's IT Minister Ravi Shankar Prasad on Thursday, 27 security and cryptography experts warned the Indian government that if it goes ahead with its originally proposed changes to the law, it could weaken security and limit the use of strong encryption on the internet. The Indian government proposed a series of changes to its intermediary liability rules in late December 2018 that, if enforced, would require millions of services operated by anyone from small and medium businesses to large corporate giants such as Facebook and Google to make significant changes. The originally proposed rules say that intermediaries -- which the government defines as those services that facilitate communication between two or more users and have five million or more users in India -- will have to proactively monitor and filter their users' content and be able to trace the originator of questionable content to avoid assuming full liability for their users' actions. "By tying intermediaries' protection from liability to their ability to monitor communications being sent across their platforms or systems, the amendments would limit the use of end-to-end encryption and encourage others to weaken existing security measures," the experts wrote in the letter, coordinated by the Internet Society