The Only Email System The NSA Can't Access
by Hollie Slade
May 19, 2014
When the NSA surveillance news broke last year it sent shockwaves through CERN. Andy Yen, a PhD student, took to the Young at CERN Facebook group with a simple message: "I am very concerned about the privacy issue..."
There was a massive response, and of the 40 or so active in the discussion, six started meeting at CERN's Restaurant Number 1, pooling their deep knowledge of computing and physics to found ProtonMail, a Gmail-like email system which uses end-to-end encryption, making it impossible for outside parties to monitor. Encrypted emails have actually been around since the 1980s, but they are extremely difficult to use. When Edward Snowden asked a reporter to use an end-to-end encrypted email to share details of the NSA surveillance program, the reporter couldn't get the system to work, says Yen.
Apple Helps Cops Hide Police Brutality
May 12, 2014
The rapid emergence of smartphones with high-definition cameras leads to consequences for law-breaking cops.
Recently, law enforcement throughout the country has been trying to pass laws that would make it illegal to film them while they're on duty. But Apple is coming out with a new technology that would put all the power in a cop's hands.
California smartphone 'kill switch' bill advances
by Don Thompson
May 8, 2014
On a second attempt, California lawmakers advanced a bill Thursday that would require electronics manufacturers to install a shut-off function in all smartphones as a way to deter what one senator called a crime wave of thefts.
The legislation by Democratic Sen. Mark Leno requires companies to produce smartphones with technology that makes them inoperable if the owner loses possession. It fell two votes short of passing the 40-member Senate two weeks ago, but Leno said amendments since then removed opposition from Apple Inc. and Microsoft Corp. It now applies to smartphones manufactured and sold after July 2015 and no longer includes tablets. The wireless industry, however, opposes the measure as unnecessary.
Urgent Security Update Regarding Your Bitly Account
May 8, 2014
We have reason to believe that Bitly account credentials have been compromised; specifically, users' email addresses, encrypted passwords, API keys and OAuth tokens.
We have no indication at this time that any accounts have been accessed without permission. We have taken steps to ensure the security of all accounts, including disconnecting all users' Facebook and Twitter accounts. All users can safely reconnect these accounts at their next login. We are recommending all Bitly users make these changes. Please take the following steps to secure your account: change your API key and OAuth token, reset your password, and reconnect your Facebook and Twitter accounts.
Wild at Heart: Were Intelligence Agencies Using Heartbleed in November 2013?
May 6, 2014
Yesterday afternoon, Ars Technica published a story reporting two possible logs of Heartbleed attacks occurring in the wild, months before Monday's public disclosure of the vulnerability.
It would be very bad news if these stories were true, indicating that blackhats and/or intelligence agencies may have had a long period when they knew about the attack and could use it at their leisure. In response to the story, EFF called for further evidence of Heartbleed attacks in the wild prior to Monday. The first thing we learned was that the SeaCat report was a possible false positive; the pattern in their logs looks like it could be caused by ErrataSec's masscan software, and indeed one of the source IPs was ErrataSec.
Schneier on Security: Heartbleed
May 5, 2014
Heartbleed is a catastrophic bug in OpenSSL. Basically, an attacker can grab 64K of memory from a server. The attack leaves no trace, and can be done multiple times to grab a different random 64K of memory.
"Catastrophic" is the right word. On the scale of 1 to 10, this is an 11. Half a million sites are vulnerable, including my own. Test your vulnerability here. The bug has been patched. After you patch your systems, you have to get a new public/private key pair, update your SSL certificate, and then change every password that could potentially be affected. At this point, the probability is close to one that every target has had its private keys extracted by multiple intelligence agencies. The real question is whether or not someone deliberately inserted this bug into OpenSSL, and has had two years of unfettered access to everything. My guess is accident, but I have no proof.
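The "grab 64K of memory" mechanism Schneier describes comes down to one missing bounds check in the TLS heartbeat handler: the peer states how long its payload is in a 16-bit length field, and the unpatched code copied that many bytes back without confirming the peer had actually sent them. The following is an added, simplified model written for this page, not code from Schneier's post or from OpenSSL; the record framing is reduced to type, length, payload and padding (the outer TLS record header is omitted), the "adjacent heap memory" is a constructed byte string, and the function names are this example's own.

```python
"""Simplified model of the Heartbleed (CVE-2014-0160) length check.

Constructed example. A heartbeat message here is:
    type (1 byte) | payload_length (2 bytes, big-endian) | payload | padding
The vulnerable responder trusts payload_length; the fixed responder checks it
against the bytes actually received, which is the substance of the OpenSSL fix.
"""
import struct
from typing import Optional

HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
HEADER_LEN = 3        # type + 16-bit length
PADDING_LEN = 16      # RFC 6520 requires at least 16 bytes of random padding


def build_heartbeat(payload: bytes, claimed_len: Optional[int] = None) -> bytes:
    """Build a heartbeat request. claimed_len lets the sender lie about the
    payload length, which is exactly what the attack does (e.g. 0xFFFF)."""
    length = len(payload) if claimed_len is None else claimed_len
    return struct.pack("!BH", HEARTBEAT_REQUEST, length) + payload + b"\x00" * PADDING_LEN


def respond_vulnerable(record: bytes, adjacent_memory: bytes) -> bytes:
    """Pre-fix behaviour: copy `length` bytes starting at the payload offset.
    The record is modelled as sitting in a heap buffer directly followed by
    other process data, so an oversized length reads straight into that data."""
    _hb_type, length = struct.unpack("!BH", record[:HEADER_LEN])
    heap = record + adjacent_memory           # constructed heap layout
    payload = heap[HEADER_LEN:HEADER_LEN + length]
    return struct.pack("!BH", HEARTBEAT_RESPONSE, length) + payload + b"\x00" * PADDING_LEN


def respond_fixed(record: bytes, adjacent_memory: bytes) -> Optional[bytes]:
    """Post-fix behaviour: discard the record unless header + claimed payload +
    padding fits inside what the peer actually transmitted."""
    if len(record) < HEADER_LEN + PADDING_LEN:
        return None                           # too short to be a valid heartbeat
    _hb_type, length = struct.unpack("!BH", record[:HEADER_LEN])
    if HEADER_LEN + length + PADDING_LEN > len(record):
        return None                           # claimed length exceeds the record
    payload = record[HEADER_LEN:HEADER_LEN + length]
    return struct.pack("!BH", HEARTBEAT_RESPONSE, length) + payload + b"\x00" * PADDING_LEN


def leaked_bytes(response: bytes, sent_payload: bytes) -> bytes:
    """Bytes echoed back in the response that the requester never sent."""
    _hb_type, length = struct.unpack("!BH", response[:HEADER_LEN])
    payload = response[HEADER_LEN:HEADER_LEN + length]
    return payload[len(sent_payload):]


def demo() -> dict:
    """Run an honest and a lying heartbeat against both responders."""
    # Constructed stand-in for whatever happened to sit next to the record.
    memory = b"Cookie: session=4f2a9c; -----BEGIN RSA PRIVATE KEY-----"
    honest = build_heartbeat(b"ping")
    lying = build_heartbeat(b"ping", claimed_len=0xFFFF)   # asks for ~64 KiB
    return {
        "honest_fixed_ok": respond_fixed(honest, memory) is not None,
        "lying_fixed_rejected": respond_fixed(lying, memory) is None,
        "lying_vulnerable_leak": leaked_bytes(respond_vulnerable(lying, memory), b"ping"),
    }


if __name__ == "__main__":
    result = demo()
    print("fixed responder accepts honest request:", result["honest_fixed_ok"])
    print("fixed responder rejects lying request: ", result["lying_fixed_rejected"])
    print("vulnerable responder leaks:", result["lying_vulnerable_leak"])
```

The leaked slice from the vulnerable responder begins with the sender's own padding and then runs into whatever followed the record in memory, which is why repeated requests return different 64K windows and why nothing in the server's logs records it: each request is a well-formed heartbeat as far as the unpatched code is concerned.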
PC users struggle to keep all their software patched
by Ian Barker
May 1, 2014
The average private user PC in the UK has 76 different programs from 26 different vendors, which leaves users struggling to keep everything up to date.
Vulnerability management specialist Secunia has published a report on the state of security among PC users in the UK based on scans from Secunia Personal Software Inspector between January and March 2014. It finds that 58 percent of identified vulnerabilities originate from third party programs, 29 percent from Microsoft programs and 13 percent from operating systems. More worrying is that 12 percent of users are using unpatched operating systems, a figure that's likely to rise following the end of support for XP. Just over one in ten third-party programs on the average PC are unpatched compared to just over three percent of Microsoft programs.
Documents Show That Company Tried To Protect Customers From NSA
Personal Liberty Alerts
by Sam Rolley
April 25, 2014
A series of top-secret court documents reveal the extent to which private companies have been powerless to protect customers against NSA spying.
The documents from the Foreign Intelligence Surveillance Court reveal that a phone company whose name was redacted in the documents challenged an NSA request to hand over telecommunications data in bulk. The company petitioned the court to "vacate, modify or affirm the current production order" in January after a District Judge ruled that the NSA's phone records program was likely unconstitutional a month earlier. "Judge [Richard] Leon's Memorandum Opinion introduces, for the first time, a question about the legal validity of an order issued by this Court," the company stated.
Did Google hide its knowledge of the Heartbleed Bug?
by Joseph Mayton
April 21, 2014
Reports suggested that the National Security Agency (NSA) may have been exploiting the Heartbleed Bug in order to grab personal information of millions of Americans.
Now, reports are surfacing that Google may have known about the online bug before it was made public, putting the Mountain View-based search company's intentions into question. In a series of reports, including one from Fairfax Media, Google has been accused of learning about the bug but failing to report it to Open Source and company rivals, which many tech experts believe to be evidence that Google was exploiting the OpenSSL bug for its own purposes.
RCMP arrest computer-science student in 'Heartbleed' theft of Canada Revenue Agency data
by Douglas Quan and Vito Pilieci
April 18, 2014
A Western University computer-science student has been accused by authorities of exploiting the online security vulnerability known as Heartbleed that led to a breach of personal data from the Canada Revenue Agency website.
The fact that it didn't take long for authorities to zero in on a suspect - the arrest comes roughly a week after the data theft was spotted - suggests the security breach may not have been committed by an elite hacker as many in the security community had feared, experts said Wednesday. "You know in the movie scenes when they are tracing a call and they show you the global map and the guy making the call is bouncing off of a bunch of global satellites? That's what a good attacker would do and a professional would do. They would bounce their attack off of a bunch of proxy servers; it'd never be easily traced back to them," said Mark Nunnikhoven, vice-president of cloud and emerging technology at security research firm Trend Micro.