Slashdot security articles


DARPA Is Building a $10 Million, Open Source, Secure Voting System

Thu, 03/14/2019 - 10:02
samleecole writes: For years security professionals and election integrity activists have been pushing voting machine vendors to build more secure and verifiable election systems, so voters and candidates can be assured election outcomes haven't been manipulated. Now they might finally get this thanks to a new $10 million contract the Defense Department's Defense Advanced Research Projects Agency (DARPA) has launched to design and build a secure voting system that it hopes will be impervious to hacking. The first-of-its-kind system will be designed by an Oregon-based firm called Galois, a longtime government contractor with experience in designing secure and verifiable systems. The system will use fully open source voting software, instead of the closed, proprietary software currently used in the vast majority of voting machines, which no one outside of voting machine testing labs can examine. More importantly, it will be built on secure open source hardware, made from special secure designs and techniques developed over the last year as part of a special program at DARPA. The voting system will also be designed to create fully verifiable and transparent results so that voters don't have to blindly trust that the machines and election officials delivered correct results.

Quantum Computer Not Ready To Break Public Key Encryption For At Least 10 Years, Some Experts Say

Thu, 03/14/2019 - 08:05
physburn writes: The Register has spoken to some experts to get a better understanding of the risk quantum computers present to the existing encryption systems we have today. Richard Evers, cryptographer for a Canadian security biz called Kryptera, argues that media coverage and corporate pronouncements about quantum computing have left people with the impression that current encryption algorithms will soon become obsolete. But they will not be ready for at least 10 years, he said. As an example, Evers points to remarks made by Arvind Krishna, director of IBM research, at The Churchill Club in San Francisco last May, that those interested in protecting data for at least ten years "should probably seriously consider whether they should start moving to alternate encryption techniques now." In a post Evers penned recently with his business partner Alastair Sweeny, he contends, "The hard truth is that widespread beliefs about security and encryption may prove to be based on fantasy rather than fact." And the reason for this, he suggests, is the desire for funding and fame.

Two-Thirds of Android Antivirus Apps Are Total BS

Wed, 03/13/2019 - 15:50
An anonymous reader quotes a report from Tom's Guide: Austrian antivirus-testing lab AV-Comparatives tested 250 antivirus apps in Google Play against 2,000 malware samples. They found that only 80 of the apps could stop even a minimal amount of malware. "Less than one in 10 of the apps tested defended against all 2,000 malicious apps, while over two-thirds failed to reach a block rate of even 30 percent," the lab said in a press release. To make sure you're protecting your Android device properly, stick to apps from well-known antivirus companies. Basically, AV-Comparatives said, most Android antivirus apps are phony, and many of them seemed to have been created only to display ads or promote a developer's career. "The main purpose of these apps seems to be generating easy revenue for their developers, rather than actually protecting their users," the AV-Comparatives report said.

America's Latest Effort To Thwart the Growth of China's Huawei is Playing Out Beneath the World's Oceans

Wed, 03/13/2019 - 09:50
A new front has opened in the battle between the U.S. and China over control of global networks that deliver the internet. This one is beneath the ocean. [Editor's note: the link may be paywalled; syndicated source.] From a report: While the U.S. wages a high-profile campaign to exclude China's Huawei from next-generation mobile networks over fears of espionage, the company is embedding itself into undersea cable networks that ferry nearly all of the world's internet data. About 380 active submarine cables -- bundles of fiber-optic lines that travel oceans on the seabed -- carry about 95% of intercontinental voice and data traffic, making them critical for the economies and national security of most countries. Current and former security officials in the U.S. and allied governments now worry that these cables are increasingly vulnerable to espionage or attack and say the involvement of Huawei potentially enhances China's capabilities. Huawei denies any threat. The U.S. hasn't publicly provided evidence of its claims that Huawei technology poses a cybersecurity risk. Its efforts to persuade other countries to sideline the company's communication technology have been met with skepticism by some. Huawei Marine Networks, majority owned by the Chinese telecom giant, completed a 3,750-mile cable between Brazil and Cameroon in September. It recently started work on a 7,500-mile cable connecting Europe, Asia and Africa and is finishing up links across the Gulf of California in Mexico. Altogether, the company has worked on some 90 projects to build or upgrade seabed fiber-optic links, gaining fast on the three U.S., European and Japanese firms that dominate the industry. These officials say the company's knowledge of and access to undersea cables could allow China to attach devices that divert or monitor data traffic -- or, in a conflict, to sever links to entire nations.

Tim Berners-Lee Talks About India's Recent Push To Data Localization, Proposed Compromise of End-to-End Encryption, and Frequent Internet Shutdowns

Wed, 03/13/2019 - 08:51
On the occasion of the web's 30th anniversary, its creator, Tim Berners-Lee, has given some interviews and shared his thoughts on some challenges that the web faces today. He spoke with Medianama, an Indian outlet, about some of the unusual measures the Indian government has been pushing lately. These include the government's push to have Silicon Valley companies store Indians' data in India itself; a nudge to WhatsApp to put an end to its encryption (on a side note: the Australian government recently passed a law to do this exact thing); and frequent internet shutdowns in the country. On data localisation and data as a national resource: That's one of the things that the Web Foundation has always been concerned about: the balkanisation of the Internet. If you want to balkanise it, that's a pretty darn effective way of doing it. If you say that Indian people's data can't be stored outside India, that means that when you start a social network which will be accessed by people all over the world, that means that you will have to start 152 different companies all over the world. It's a barrier to entry. Facebook can do that. Google can do that. When an Indian company does it, you'll end up with an Indian company that serves only Indian users. When people go abroad, they won't be able to keep track of their friends at home. The whole wonderful open web of knowledge, academic and political discussions would be divided into country groups and cultural groups, so there will be a massive loss of richness to the web.

Microsoft Brings DirectX 12 To Windows 7

Tue, 03/12/2019 - 16:50
Microsoft has announced a form of DirectX 12 that will support Windows 7. "Now before you get too excited, this is currently only enabled for World of Warcraft; and indeed it's not slated to be a general-purpose solution like DX12 on Win10," reports AnandTech. "Instead, Microsoft has stated that they are working with a few other developers to bring their DX12 games/backends to Windows 7 as well. As a consumer it's great to see them supporting their product ten years after it launched, but with the entire OS being put out to pasture in nine months, it seems like an odd time to be dedicating resources to bringing it new features." From the report: For some background, Microsoft's latest DirectX API was created to remove some of the CPU bottlenecks for gaming by allowing developers to use low-level programming conventions to shift some of the pressure points away from the CPU. This was a response to single-threaded CPU performance plateauing, making complex graphical workloads increasingly CPU-bound. There are many advantages to using this API over traditional DX11, especially for threading and draw calls. But, Microsoft made the decision long ago to only support DirectX 12 on Windows 10, with its WDDM 2.0 driver stack. Today's announcement is a pretty big surprise on a number of levels. If Microsoft had wanted to back-port DX12 to Windows 7, you would have thought they'd have done it before Windows 7 entered its long-term servicing state. As it is, even free security patches for Windows 7 are set to end on January 14, 2020, which is well under a year away, and the company is actively trying to migrate users to Windows 10 to avoid having a huge swath of machines sitting in an unpatched state. In fact, they are about to add a pop-up notification to Windows 7 to let users know that they are running out of support very soon.
So adding a big feature like DX12 now not only risks undermining their own efforts to migrate people away from Windows 7, but also means adding a new feature well after Windows 7 entered long-term support. It's just bizarre.

Chrome 73 Arrives With Support For Hardware Media Keys, PWAs and Dark Mode On Mac

Tue, 03/12/2019 - 16:10
An anonymous reader quotes a report from VentureBeat: Google today launched Chrome 73 for Windows, Mac, and Linux. The release includes support for hardware media keys, PWAs and dark mode on Mac, and the usual slew of developer features. You can update to the latest version now using Chrome's built-in updater or download it directly from google.com/chrome. Chrome 73 supports Progressive Web Apps (PWAs) on macOS. These apps install and behave like native apps (they don't show the address bar or tabs). Google killed off Chrome apps last year and has been focusing on PWAs ever since. Adding Mac support means Chrome now supports PWAs on all desktop and mobile platforms: Windows, Mac, Linux, Chrome OS, Android, and iOS. Chrome now also supports dark mode on Apple's macOS; dark mode for Windows is on the way, the team promises. The VentureBeat report includes a long list of developer features included in this release, as well as all the security fixes found by external researchers. Chrome 73 implements a total of 60 security fixes.

Researchers Find Critical Backdoor In Swiss Online Voting System

Tue, 03/12/2019 - 13:35
An international group of researchers who have been examining the source code for an internet voting system that Switzerland plans to roll out this year have found a critical flaw in the code that would allow someone to alter votes without detection. New submitter eatmorekix shares a report: The cryptographic backdoor exists in a part of the system that is supposed to verify that all of the ballots and votes counted in an election are the same ones that voters cast. But the flaw could allow someone to swap out all of the legitimate ballots and replace them with fraudulent ones, all without detection. "The vulnerability is astonishing," said Matthew Green, who teaches cryptography at Johns Hopkins University and did not do the research but read the researchers' report. "In normal elections, there is no single person who could undetectably defraud the entire election. But in this system they built, there is a party who could do that." The researchers provided their findings last week to Swiss Post, the country's national postal service, which developed the system with the Barcelona-based company Scytl. Swiss Post said in a statement the researchers provided Motherboard, and that Swiss Post plans to publish online on Tuesday, that the researchers were correct in their findings and that it had asked Scytl to fix the issue. It also downplayed the vulnerability, however, saying that to exploit it, an attacker would need control over Swiss Post's secured IT infrastructure "as well as help from several insiders with specialist knowledge of Swiss Post or the cantons."

Microsoft Will Now Pester Windows 7 Users To Upgrade To Windows 10 With Pop-ups

Tue, 03/12/2019 - 09:27
Mark Wilson writes: Anyone who is still using Windows 7 doesn't have much longer until the operating system is no longer supported by Microsoft. Come January 14, 2020 only those enterprise customers who are willing to pay for Extended Security Updates will receive any kind of support. Microsoft has already done a lot to encourage Windows 7 diehards to make the move to Windows 10, and now it is stepping things up a gear. Throughout 2019, the company will show pop-up notifications in Windows 7 about making the switch to the latest version of Windows.

US Tells Germany To Stop Using Huawei Equipment Or Lose Some Intelligence Access

Tue, 03/12/2019 - 02:00
The Wall Street Journal is reporting that the United States has told Germany to drop Huawei from its future plans or risk losing access to some U.S. intelligence. The U.S. says the Chinese company's equipment could be used for espionage -- a concern that Huawei says is unfounded. "The Trump administration has been pressing allies to end their relationships with Huawei, but Germany, moving ahead with its plans, has not moved to ban the company from its networks," reports The Verge. From the report: According to the Journal, a letter sent from the U.S. Ambassador to Germany warns the country that the U.S. will stop sharing some secrets if it allows Huawei to work on its next-generation 5G infrastructure. The letter, according to the Journal, argues that network security can't be effectively managed by audits of equipment or software. While the U.S. plans to continue sharing intelligence with Germany regardless, the Journal reports, officials plan to curtail the scope of that information if Huawei equipment is used in German infrastructure.

Russia Blocks Encrypted Email Provider ProtonMail

Mon, 03/11/2019 - 19:31
An anonymous reader quotes a report from TechCrunch: Russia has told internet providers to enforce a block against encrypted email provider ProtonMail, the company's chief has confirmed. The block was ordered by the state Federal Security Service, formerly the KGB, according to a Russian-language blog, which obtained and published the order after the agency accused the company and several other email providers of facilitating bomb threats. Several anonymous bomb threats were sent by email to police in late January, forcing several schools and government buildings to evacuate. In all, 26 internet addresses were blocked by the order, including several servers used to scramble the final connection for users of Tor, an anonymity network popular for circumventing censorship. Internet providers were told to implement the block "immediately," using a technique known as BGP blackholing, a way that tells internet routers to simply throw away internet traffic rather than routing it to its destination. But the company says while the site still loads, users cannot send or receive email. The way the KGB blocked ProtonMail is "particularly sneaky," ProtonMail chief executive Andy Yen said. "ProtonMail is not blocked in the normal way, it's actually a bit more subtle. They are blocking access to ProtonMail mail servers. So Mail.ru -- and most other Russian mail servers -- for example, is no longer able to deliver email to ProtonMail, but a Russian user has no problem getting to their inbox." "That's because the two ProtonMail servers listed by the order are its back-end mail delivery servers, rather than the front-end website that runs on a different system," adds TechCrunch.
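The distinction TechCrunch draws above (a block that hits the mail back-end but not the web front-end) follows directly from how a blackhole route works: routers pick the most specific matching prefix, and a discard route for a single /32 wins over the covering /24 that still delivers everything else. The following is an added example, not code from the article or from ProtonMail, simulating an edge router's longest-prefix-match lookup over a constructed forwarding table. The addresses are RFC 5737 documentation ranges and the service names are hypothetical; a `None` next hop stands in for a discard route of the kind `ip route add blackhole <prefix>/32` installs on Linux.

```python
import ipaddress

# Constructed forwarding table for a hypothetical ISP edge router.
# next hop None == blackhole/discard route. Not real ProtonMail prefixes.
ROUTES = [
    ("0.0.0.0/0",        "upstream-transit"),
    ("203.0.113.0/24",   "peer-A"),   # assumed: provider's web front-end range
    ("198.51.100.0/24",  "peer-A"),   # assumed: provider's mail back-end range
    ("198.51.100.10/32", None),       # blackholed "per the order" (constructed)
    ("198.51.100.11/32", None),
]

# Constructed service inventory: which addresses each public service answers on.
SERVICES = {
    "web-frontend": ["203.0.113.5"],
    "mail-backend": ["198.51.100.10", "198.51.100.11"],
}


def build_table(routes):
    """Parse (prefix, next_hop) pairs into ip_network objects once."""
    return [(ipaddress.ip_network(prefix), next_hop) for prefix, next_hop in routes]


def lookup(table, dst):
    """Longest-prefix match, as a router's forwarding table does it.

    Returns (network, next_hop) for the most specific matching route, or None
    when nothing matches (impossible here because of the default route)."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, next_hop in table:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best


def is_blackholed(table, dst):
    """True when the winning route discards traffic rather than forwarding it."""
    match = lookup(table, dst)
    return match is not None and match[1] is None


def classify(table, services):
    """Map each service to 'reachable', 'degraded' (some addresses dropped)
    or 'blackholed' (every address dropped)."""
    verdicts = {}
    for name, addresses in services.items():
        dropped = [ip for ip in addresses if is_blackholed(table, ip)]
        if not dropped:
            verdicts[name] = "reachable"
        elif len(dropped) == len(addresses):
            verdicts[name] = "blackholed"
        else:
            verdicts[name] = "degraded"
    return verdicts


def demo():
    """Run the constructed order against the constructed table."""
    table = build_table(ROUTES)
    return classify(table, SERVICES)


if __name__ == "__main__":
    for service, verdict in demo().items():
        print(f"{service}: {verdict}")
```

The web front-end stays reachable because its /24 has a normal next hop, while every address the (constructed) order lists resolves to the /32 discard routes. That is the "subtle" outcome Andy Yen describes: a user in the blocked country can still load the site and read mail, but any mail server whose path crosses the blackholing router cannot deliver to the back-end.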

Congress Introduces Bill To Improve 'Internet of Things' Security

Mon, 03/11/2019 - 18:30
Members of the US Senate and House of Representatives introduced the Internet of Things Cybersecurity Improvement Act on Monday, hoping to bring legislative action to the emerging technology. From a report: Connected devices are expected to boom to 20.4 billion units by 2020, but they don't all have the same levels of security. Hackers often target IoT devices that don't have built-in security, leading to problems like default passwords and vulnerabilities that can't be fixed. [...] Lawmakers are looking to fix that with the bill, which would require a bare minimum of security standards for any IoT devices that the federal government uses. "While I'm excited about their life-changing potential, I'm also concerned that many IoT devices are being sold without appropriate safeguards and protections in place, with the device market prioritizing convenience and price over security," Sen. Mark Warner, a Democrat from Virginia, said in a statement.

Debit Card With Built-In Fingerprint Reader Begins Trial In the UK

Mon, 03/11/2019 - 15:40
British bank Natwest is trialing the use of a new NFC payment card with a built-in fingerprint scanner. "The trial, which will include 200 customers when it begins in mid-April, will allow its participants to make NFC payments (called 'contactless' in the UK) without needing to input a PIN or offer a signature," reports The Verge. "The standard [30 British pound] limit for contactless payments will not apply when the fingerprint is used." From the report: Currently, anyone can make a contactless payment in the UK by tapping their card on the terminal to make a payment. As a result of this lack of security, a [30 British pound] limit is applied to such payments, with retailers requiring you to place your card into the card reader and enter a PIN for more expensive purchases (commonly referred to as the "Chip and PIN" method). Although mobile payments require authentication, customers often find they're subject to the same [30 British pound] limit. The fingerprint data is stored locally on the card, meaning there's no security information for a hacker to be able to steal from a bank's central database. It's not foolproof -- there's always the risk a sufficiently determined thief could steal and imitate your fingerprint -- but it's much more secure than a PIN that someone could learn by simply looking over your shoulder as you enter it.

Samsung Galaxy S10 Facial Recognition Fooled by a Video of the Phone Owner

Mon, 03/11/2019 - 08:07
Experts have proven once again that facial recognition on modern devices remains hilariously insecure and can be bypassed using simple tricks such as showing an image or a video in front of a device's camera. From a report: The latest device to fall victim to such attacks is Samsung Galaxy S10, Samsung's latest top tier phone and considered one of the world's most advanced smartphones to date. Unfortunately, the Galaxy S10's facial recognition feature remains just as weak as the one supported in its previous versions or on the devices of its competitors, according to Lewis Hilsenteger, a smartphone reviewer better known as Unbox Therapy on YouTube. Hilsenteger showed in a demo video uploaded on his YouTube channel last week how putting up a video of the phone owner in front of the Galaxy S10 front camera would trick the facial recognition system into unlocking the device.

US Government Will Be Scanning Your Face At 20 Top Airports, Documents Show

Mon, 03/11/2019 - 06:40
An anonymous reader shares a report: In March 2017, President Trump issued an executive order expediting the deployment of biometric verification of the identities of all travelers crossing its borders. That mandate stipulates facial recognition identification for "100 percent of all international passengers," including American citizens, in the top 20 US airports by 2021. Now, the United States Department of Homeland Security is rushing to get those systems up and running at airports across the country. But it's doing so in the absence of proper vetting, regulatory safeguards, and what some privacy advocates argue is in defiance of the law. According to 346 pages of as-yet-unpublished documents obtained by the nonprofit research organization Electronic Privacy Information Center, US Customs and Border Protection is scrambling to implement this "biometric entry-exit system," with the goal of using facial recognition technology on travelers aboard 16,300 flights per week -- or more than 100 million passengers traveling on international flights out of the United States -- in as little as two years, to meet Trump's accelerated timeline for a biometric system that had initially been signed into law by the Obama administration. This, despite questionable biometric confirmation rates and few, if any, legal guardrails. These same documents state -- explicitly -- that there were no limits on how partnering airlines can use this facial recognition data. CBP did not answer specific questions about whether there are any guidelines for how other technology companies involved in processing the data can potentially also use it. It was only during a data privacy meeting last December that CBP made a sharp turn and limited participating companies from using this data. But it is unclear to what extent it has enforced this new rule. 
CBP did not explain what its current policies around data sharing of biometric information with participating companies and third-party firms are, but it did say that the agency "retains photos ... for up to 14 days" of non-US citizens departing the country, for "evaluation of the technology" and "assurance of the accuracy of the algorithms" -- which implies such photos might be used for further training of its facial matching AI.

Microsoft To Start Selling Windows 7 Add-On Support April 1st

Sun, 03/10/2019 - 08:34
AmiMoJo quotes Computerworld: Microsoft plans to start selling its Windows 7 add-on support beginning April 1. Labeled "Extended Security Updates" (ESU), the post-retirement support will give enterprise customers more time to purge their environments of Windows 7. From Windows 7's Jan. 14, 2020 end of support, ESU will provide security fixes for uncovered or reported vulnerabilities in the OS. Patches will be issued only for bugs rated "Critical" or "Important" by Microsoft, the top two rankings in a four-step scoring system. ESU will be dealt out in one-year increments for up to three years and support will be sold on a per-device basis, rather than the per-user approach Microsoft has pushed for Windows 10 licensing. Costs for ESU will start out low — $25 or $50 per year per device — but will double each year, ending at $100 or $200 per device for the third and final year.

Could Blockchain-Based Fractions of Digitized Stocks Revolutionize Markets?

Sun, 03/10/2019 - 06:34
An anonymous reader quotes VentureBeat: Despite being championed as a decentralized form of money that puts individuals firmly in control of their own wealth, cryptocurrencies mostly remain the preserve of the super-rich and the super-nerdy. 1,000 Bitcoin wallets currently hold 35.18% of all Bitcoins, for example, and only a select few computer scientists understand the inner workings and machinations of blockchains... Such inconvenient truths undermine the oft-repeated claim that blockchains will democratize wealth, largely by lowering barriers to entry in financial networks and by preventing central banks from devaluing money via inflation. Nonetheless, this prediction has moved one step closer to realization in recent months, with the emergence of tokenized stocks.... In contrast to a new cryptocurrency designed specifically to conform to securities legislation (i.e. a security token), tokenized stocks provide digitized versions of existing shares in established companies, such as Google, Facebook, or Apple... [W]hat's interesting and potentially radical about such digital stocks is that they permit customers to buy fractions of stocks in big companies. This will open up trading to millions of people who wouldn't otherwise be able to afford buying shares in Apple or Amazon... One significant side effect of tokenized stocks is that they could change the fundamental nature of global stock markets and how they behave, by opening them up to round-the-clock trading... It's interesting to note that some commentators believe the growth of round-the-clock exchanges might, in the long term, result in the emergence of a single global stock market. The article also notes that it will be cheaper to trade digital versions of stocks, "since person-to-person trades circumvent the need to go through a broker... They look set to make the financial world more accessible to millions of people, in addition to having serious implications for global markets."

'Smart' Car Alarm App Could Allow 3 Million Cars To Be Unlocked Remotely

Sat, 03/09/2019 - 14:34
"Two popular smart alarm systems for cars had major security flaws that allowed potential hackers to track the vehicles, unlock their doors and, in some cases, cut off the engine," reports CNET: The vulnerabilities could be exploited with two simple steps, security researchers from Pen Test Partners, who discovered the flaw, said Friday. The problems were found in alarm systems made by Viper [known as Clifford in the U.K.] and Pandora Car Alarm System, two of the largest smart car alarm makers in the world. The two brands have as many as 3 million customers between them and make high-end devices that can cost thousands... Both apps' APIs didn't properly authenticate update requests, including requests to change the password or email address. Ken Munro, founder of Pen Test Partners, said that all his team needed to do was send the request to a specific host URL and they were able to change an account's password and email address without notifying the victim that anything happened. Once they had access to the account, the researchers had full control of the smart car alarm. This allowed them to learn where a car was and unlock it. You don't have to be near the car to do this, and the accounts can be taken over remotely, Munro said. Potential attackers could also use the apps' API to target specific types of cars, the security researcher added... Pandora's alarm system also contained a microphone that would've allowed potential hackers to listen in on live audio, the security company found. Both companies fixed the issue in less than a week, CNET reports, possibly due to the seriousness of the issue. In a video demonstrating the severity of the bug, security researcher Munro even uses the driver's app to set off a car's alarms remotely. When that driver began pulling over, Munro then used the app to cut off the car's engine. "So simple, so serious," he said. ZDNet notes that one of the companies had been advertising their "smart" alarms as "unhackable".
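The bug class CNET describes, an account-update endpoint that trusts the account identifier in the request and never checks who is asking, is worth seeing next to its fix. The following is an added illustration, not code from Viper, Pandora or Pen Test Partners, and it does not reproduce either vendor's API: it is a toy in-memory account store with a hypothetical `vulnerable_update` handler that has the property the article describes (anyone who knows an account id can change its email and password, and the owner is never told) and a `hardened_update` handler that derives the account from the caller's session, demands the current password, notifies the old address and revokes the account's other sessions. All accounts, tokens and requests are constructed sample data.

```python
import hashlib
import hmac
import os
import secrets

PBKDF2_ROUNDS = 100_000  # assumption for the toy; tune for real deployments


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def check_password(password, salt, digest):
    """Constant-time comparison of the recomputed digest."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


class Store:
    """Hypothetical backend state: accounts, bearer sessions, and an outbox
    standing in for the notification email the hardened path sends."""

    def __init__(self):
        self.accounts = {}   # account_id -> {"email", "salt", "digest"}
        self.sessions = {}   # bearer token -> account_id
        self.outbox = []     # (recipient, message) pairs "sent"

    def add_account(self, account_id, email, password):
        salt, digest = hash_password(password)
        self.accounts[account_id] = {"email": email, "salt": salt, "digest": digest}

    def login(self, account_id, password):
        acct = self.accounts[account_id]
        if not check_password(password, acct["salt"], acct["digest"]):
            raise PermissionError("bad credentials")
        token = secrets.token_urlsafe(32)
        self.sessions[token] = account_id
        return token


def vulnerable_update(store, body):
    """VULNERABLE (constructed): the account comes from the request body, no
    credentials are required, and nobody is notified. Any caller who can guess
    or enumerate an account id can take it over."""
    acct = store.accounts[body["account_id"]]
    if "email" in body:
        acct["email"] = body["email"]
    if "password" in body:
        acct["salt"], acct["digest"] = hash_password(body["password"])
    return {"status": "ok"}


def hardened_update(store, bearer_token, body):
    """HARDENED: account is bound to the authenticated session (any account_id
    in the body is ignored), a fresh password check gates the change, the
    previous address is notified, and other sessions are revoked."""
    account_id = store.sessions.get(bearer_token)
    if account_id is None:
        raise PermissionError("not authenticated")
    acct = store.accounts[account_id]
    if not check_password(body.get("current_password", ""), acct["salt"], acct["digest"]):
        raise PermissionError("re-authentication failed")
    old_email = acct["email"]
    if "email" in body:
        acct["email"] = body["email"]
    if "password" in body:
        acct["salt"], acct["digest"] = hash_password(body["password"])
    store.outbox.append((old_email, "Security notice: your email or password was changed"))
    for token, owner in list(store.sessions.items()):
        if owner == account_id and token != bearer_token:
            del store.sessions[token]
    return {"status": "ok"}


def fresh_store():
    """Constructed fixture: a victim account and an attacker account."""
    store = Store()
    store.add_account("victim", "owner@example.com", "correct horse")
    store.add_account("attacker", "mallory@example.net", "hunter2")
    return store


def demo():
    """Same attacker request against both handlers. Returns the victim's email
    after each attempt: (vulnerable result, hardened result)."""
    store = fresh_store()
    vulnerable_update(store, {"account_id": "victim", "email": "mallory@example.net",
                              "password": "pwned"})
    hijacked = store.accounts["victim"]["email"]

    store = fresh_store()
    attacker_token = store.login("attacker", "hunter2")
    try:
        hardened_update(store, attacker_token, {"account_id": "victim",
                                                "email": "mallory@example.net"})
    except PermissionError:
        pass
    still_owner = store.accounts["victim"]["email"]
    return hijacked, still_owner
```

The key design change is that `hardened_update` never reads an account identifier from the request at all: the identity is whatever the session token resolves to, so there is nothing for an attacker to substitute. The notification to the previous address and the session revocation are what make a takeover attempt visible and recoverable even if some other control fails.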

Many Android VPN Apps Request 'Dangerous' Permissions They Don't Need

Sat, 03/09/2019 - 11:34
A VPN researcher found that many Android VPN apps request access to sensitive permissions that they don't need, according to an article shared by WaitingForSupport. ZDNet reports: The study, carried out by John Mason from TheBestVPN.com, analyzed 81 Android apps available for download through the Google Play Store. Mason said he downloaded and extracted the permissions requested by each VPN app from their respective APK installer files.... According to Mason, 50 of the 81 Android VPN apps he tested requested access to at least one dangerous permission that accessed user data... Mason said he discovered VPN apps that requested access to read/write permissions for external device storage, wanted access to precise location data, wanted the ability to read or write system settings, and, in some cases, wanted to access call logs or manage local files. "In theory, VPN apps should only need a few permissions to function. INTERNET and ACCESS_NETWORK_STATE should usually be enough," Mason told us. "The use of a large number of dangerous permissions could be cause for suspicion."
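Mason's method, pulling the permission list out of each APK and comparing it against what a VPN client actually needs, is easy to reproduce. The following is an added example, not the TheBestVPN.com study's own tooling: it parses a decoded `AndroidManifest.xml` (in a real audit you would obtain the text form with `apktool d app.apk` or read the output of `aapt dump permissions app.apk`, since the manifest inside an APK is binary XML), collects every `<uses-permission>` and `<uses-permission-sdk-23>` entry, and flags those on Android's "dangerous" (runtime) permission list and those beyond the INTERNET / ACCESS_NETWORK_STATE baseline quoted above. The manifest below is constructed sample input and the "suspicious" threshold is an arbitrary choice for illustration, not a criterion from the study.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS

# Subset of Android's runtime ("dangerous") permissions; not an exhaustive list.
DANGEROUS = {
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.WRITE_EXTERNAL_STORAGE",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.ACCESS_COARSE_LOCATION",
    "android.permission.READ_CALL_LOG",
    "android.permission.WRITE_CALL_LOG",
    "android.permission.READ_PHONE_STATE",
    "android.permission.READ_CONTACTS",
    "android.permission.READ_SMS",
    "android.permission.CAMERA",
    "android.permission.RECORD_AUDIO",
}

# Baseline a VPN client should usually get by with, per the quote in the article.
VPN_BASELINE = {
    "android.permission.INTERNET",
    "android.permission.ACCESS_NETWORK_STATE",
}

# Constructed sample manifest standing in for a decoded AndroidManifest.xml.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.hypotheticalvpn">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission-sdk-23 android:name="android.permission.READ_PHONE_STATE"/>
  <application android:label="Hypothetical VPN"/>
</manifest>
"""


def permissions_from_manifest(xml_text):
    """Return the sorted set of permission names the manifest requests."""
    root = ET.fromstring(xml_text)
    names = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for element in root.iter(tag):
            name = element.get(NAME_ATTR)
            if name:
                names.add(name)
    return sorted(names)


def audit(xml_text, baseline=VPN_BASELINE, suspicious_threshold=2):
    """Compare requested permissions against the dangerous list and a baseline.

    suspicious_threshold is an arbitrary illustration value: the number of
    dangerous permissions at which this toy flags the app."""
    requested = set(permissions_from_manifest(xml_text))
    dangerous = sorted(requested & DANGEROUS)
    return {
        "requested": sorted(requested),
        "dangerous": dangerous,
        "beyond_baseline": sorted(requested - baseline),
        "suspicious": len(dangerous) >= suspicious_threshold,
    }


if __name__ == "__main__":
    report = audit(SAMPLE_MANIFEST)
    for key, value in report.items():
        print(f"{key}: {value}")
```

Two caveats when running this against real apps: the `<uses-permission>` list is only what the app is allowed to ask for at runtime, not proof that it exercises every permission, so a flagged app deserves a closer look at its code rather than an automatic verdict; and the permission that lets an app act as a VPN at all, `BIND_VPN_SERVICE`, is declared on the `<service>` element rather than as a `<uses-permission>`, so it will not (and should not) appear in this list.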