
Bruce Schneier on New Security Threats from the Internet of Things – Linux.com (blog)


Security expert Bruce Schneier says we're creating an Internet that senses, thinks, and acts, which is the classic definition of a robot. "I contend that we're building a world-sized robot without even realizing it," he said recently at the Open ...

Follow this link:
Bruce Schneier on New Security Threats from the Internet of Things - Linux.com (blog)

Read More..

Are you undermining your web security by checking on it with the wrong tools? – The Register

Your antivirus and network protection efforts may actually be undermining network security, a new paper and subsequent US-CERT advisory have warned.

The issue comes with the use of HTTPS interception middleboxes and network monitoring products. They are extremely common and are used to check that nothing untoward is going on.

However, the very method by which these devices get inside traffic encrypted with SSL and, more recently, TLS is what opens the network up to man-in-the-middle attacks.

In the paper [PDF], titled The Security Impact of HTTPS Interception, the researchers tested out a range of the most common TLS interception middleboxes and client-side interception software and found that the vast majority of them introduced security vulnerabilities.

"While for some older clients, proxies increased connection security, these improvements were modest compared to the vulnerabilities introduced: 97 per cent of Firefox, 32 per cent of e-commerce, and 54 per cent of Cloudflare connections that were intercepted became less secure," it warns, adding: "Alarge number of these severely broken connections were due to network-based middleboxes rather than client-side security software: 62per cent of middlebox connections were less secure and an astounding 58per cent had severe vulnerabilities enabling later interception."

Of the 12 middleboxes the researchers tested, ranging from Checkpoint to Juniper to Sophos, just one achieved an "A" grade. Five were given "F" fail grades, meaning that they "introduce severe vulnerabilities", and the remaining six got "C" grades. In other words, if you have a middlebox on your network and it's not the Blue Coat ProxySG 6642, pull it out now.

Likewise, of the 20 client-side pieces of software from 12 companies, just two received an "A" grade: Avast's AV 11 for Windows (not Mac), and Bullguard's Internet Security 16. Ten of the 20 received "F" grades; the remaining eight, "C" grades.

TLS (and its predecessor SSL) encrypts traffic between a client and a server and ties that encryption to an identity: the server presents a certificate signed by a certificate authority the client already trusts, and the client checks that chain of signatures and that the certificate names the host it meant to reach.

An interception device therefore has to have its own CA certificate installed as trusted on client devices, so that the certificates it mints on the fly for each site are accepted; otherwise users would constantly see warnings that their connection was not secure.

Browsers and other applications then validate the proxy's certificate instead of the real server's, and that introduces two problems: first, the client never sees the web server's own certificate and so cannot verify it; second, and more importantly, how the inspection product talks to the web server becomes invisible to the user.

In other words, the user can only be sure that their connection to the interception product is legitimate; they have no way of knowing whether the rest of the path, from the product to the web server over the internet, is secure or has been compromised.

And, it turns out, many of those middleboxes and interception software suites do a poor job of security themselves. Many do not properly verify the server's certificate chain before re-encrypting and forwarding client data. Some do a poor job of passing certificate-chain verification errors on to the client, keeping users in the dark about a possible attack.

In other words: the effort to check that a security system is working undermines the very security it is supposed to be checking. Think of it as someone leaving your front door wide open while they check that the key fits.

What's the solution? According to US-CERT, point a client behind the inspection product at badssl.com, which serves deliberately broken certificates and configurations (expired, self-signed, wrong hostname and so on), and verify that the product rejects them rather than silently presenting you a clean connection. And of course, check the paper and make sure you're not running any of the products it flags as security fails on your network.
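The badssl.com test probes the proxy from outside. The same failure modes the article describes can be checked from inside, on the TLS client settings the proxy (or any client) uses for its upstream connection. The following is an added example and not code from The Register or from the paper; the finding labels, the two context builders and the cipher string are this example's own choices, and the checks follow what the article says broken products get wrong rather than the paper's grading rubric.

```python
"""Audit the upstream-facing TLS client settings of an interception proxy
(or any TLS client) for the failure modes the article describes: skipping
certificate-chain verification, skipping the hostname check, accepting
obsolete protocol versions, leaving TLS compression on and offering weak
cipher suites.

Added example, not code from The Register or from the paper it reports on.
Finding labels and the two context builders are this example's conventions.
"""
import ssl
from typing import List

# Substrings that mark cipher suites no modern client should offer.
WEAK_CIPHER_MARKERS = ("RC4", "DES", "NULL", "EXPORT", "MD5")


def audit_client_context(ctx: ssl.SSLContext) -> List[str]:
    """Return a list of findings; an empty list means the context validates
    the server the way a modern browser would."""
    findings = []
    # Without chain verification the proxy accepts any certificate from the
    # upstream side, so a real man-in-the-middle behind it is invisible.
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("no-chain-verification")
    # Chain verification without a hostname check still accepts any validly
    # issued certificate for any other name.
    if not ctx.check_hostname:
        findings.append("no-hostname-check")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("allows-pre-tls12")
    if not ctx.options & ssl.OP_NO_COMPRESSION:
        findings.append("tls-compression-enabled")
    weak = sorted({c["name"] for c in ctx.get_ciphers()
                   if any(m in c["name"] for m in WEAK_CIPHER_MARKERS)})
    if weak:
        findings.append("weak-ciphers:" + ",".join(weak))
    return findings


def hardened_client_context() -> ssl.SSLContext:
    """What the upstream side of an interception proxy should look like."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.options |= ssl.OP_NO_COMPRESSION
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!MD5:!RC4:!DES:!3DES")
    return ctx


def broken_interceptor_context() -> ssl.SSLContext:
    """Constructed to mirror the behaviour the article attributes to the
    failing products: re-encrypts to the server without checking who it is."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    try:
        ctx.minimum_version = ssl.TLSVersion.TLSv1  # some OpenSSL builds refuse this
    except (ValueError, ssl.SSLError):
        pass
    ctx.options &= ~ssl.OP_NO_COMPRESSION
    return ctx


if __name__ == "__main__":
    for name, ctx in (("hardened", hardened_client_context()),
                      ("broken-interceptor", broken_interceptor_context())):
        print(f"{name}: {audit_client_context(ctx) or 'no findings'}")
```

Running the block prints no findings for the hardened context and at least `no-chain-verification` and `no-hostname-check` for the broken one; whether the pre-TLS 1.2 and compression findings also appear depends on what the local OpenSSL build still permits.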

See original here:
Are you undermining your web security by checking on it with the wrong tools? - The Register

Read More..

Bypassing encryption: ‘Lawful hacking’ is the next frontier of law enforcement technology – Boston Business Journal


The scholarly and research community, the technology industry and Congress appear to be in agreement that weakening the encryption that in part enables information security, even if done in the name of public safety or national security, is a bad idea.

Go here to read the rest:
Bypassing encryption: 'Lawful hacking' is the next frontier of law enforcement technology - Boston Business Journal

Read More..

Preseeding Full Disk Encryption – Linux Journal

Usually I try to write articles that are not aimed at a particular distribution. Although I may give examples assuming a Debian-based distribution, whenever possible, I try to make my instructions applicable to everyone. This is not going to be one of those articles. Here, I document a process I went through recently with Debian preseeding (a method of automating a Debian install, like kickstart on Red Hat-based systems) that I found much more difficult than it needed to be, mostly because documentation was so sparse. In fact, I really found only two solid examples to work from in my research, one of which referred to the other.

In this article, I describe how to preseed full-disk encryption in a Debian install. This problem came up as I was trying to create a fully automated "OEM" install for a laptop. The goal was to have an automated boot mode that would guide users through their OS install and use full-disk encryption by default, but would make the process as simple as possible for users. Normally, unless you are going to encrypt the entire disk as one big partition, the Debian installer makes you jump through a few hoops to set up disk encryption during an install.

In my case, I couldn't just use the full disk, because I needed to carve off a small section of the disk as a rescue partition to store the OEM install image itself. My end goal was to make it so users just had to enter their passphrase, and it would set up an unencrypted /boot and rescue disk partition and an encrypted / and swap. As an additional challenge, I also wanted to skip the time-consuming disk-erasing process that typically happens when you enable disk encryption with Debian, since the disk was going to be blank to start with anyway.

Unfortunately, although there is a lot of documentation on how to automate ordinary partitioning and LVM with preseeding (I actually wrote a whole section on the topic myself in one of my books), I had a hard time finding much documentation on how to add encryption to the mix. After a lot of research, I finally found two posts (and as I mentioned, one of them referenced the other) that described the magic incantation that would enable this. Unfortunately, the only supported mode for encrypted disks in Debian preseed requires the use of LVM (something I confirmed later when I read the source code responsible for this part of the install). That's not the end of the world, but it would have been simpler in my mind if it didn't have that requirement.

Since you need a basic unencrypted /boot partition to load a kernel and prompt the user for a passphrase, I had to account for both and preserve a small 2GB rescue disk partition that already was present on the disk. After that, the remaining / and swap partitions were encrypted. Here is the partition section of the preseed config:

Read the original:
Preseeding Full Disk Encryption - Linux Journal

Read More..

Google Cloud adds new customer-supplied encryption key partners … – ZDNet

After making its encryption key management service generally available last week, Google on Wednesday announced a number of new encryption key partners for customers who want to supply their own keys.

The company now offers multiple levels of encryption offerings for its Google Cloud Platform (GCP) customers. By default, GCP encrypts customer content stored at rest, without any action required from the customer. Next, closing a gap in its enterprise offerings, Google now offers its key management service for customers who want control over factors like how and when keys are rotated or deleted. Customers can supply keys themselves for Google Cloud Storage or Google Compute Engine.
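What supplying your own key to Cloud Storage actually involves, as an added example that is not code from ZDNet, Google or any of the partners named: the client sends a raw 256-bit AES key, base64-encoded, together with the base64 SHA-256 of that key in request headers, and the service uses the key for that request only and retains the hash rather than the key. The `x-goog-encryption-*` and `x-goog-copy-source-encryption-*` header names are the documented Cloud Storage CSEK headers; the function names and the sample keys are this example's own.

```python
"""Customer-supplied encryption keys (CSEK) for Cloud Storage: generate a
key, build the request headers that carry it, check that a request's key
and claimed key hash agree, and build the headers for rotating an object
from one key to another with a rewrite/copy request.

Added example, not code from ZDNet or Google. The x-goog-* header names are
the documented CSEK header names; function names and sample keys are this
example's own.
"""
import base64
import hashlib
import secrets
from typing import Dict

KEY_LEN = 32  # a CSEK is a raw AES-256 key
UPLOAD_PREFIX = "x-goog-encryption"
SOURCE_PREFIX = "x-goog-copy-source-encryption"  # key of the object being rewritten


def generate_csek() -> bytes:
    """Keys must come from a CSPRNG; 'secrets' wraps os.urandom."""
    return secrets.token_bytes(KEY_LEN)


def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")


def csek_headers(key: bytes, prefix: str = UPLOAD_PREFIX) -> Dict[str, str]:
    """Headers for an upload or download of an object encrypted with `key`.

    The SHA-256 of the raw key travels alongside the key: the service uses it
    to reject a mistyped or truncated key and keeps it as the identifier of
    the key on later requests, without storing the key itself.
    """
    if len(key) != KEY_LEN:
        raise ValueError(f"CSEK must be exactly {KEY_LEN} bytes, got {len(key)}")
    return {
        f"{prefix}-algorithm": "AES256",
        f"{prefix}-key": _b64(key),
        f"{prefix}-key-sha256": _b64(hashlib.sha256(key).digest()),
    }


def headers_consistent(headers: Dict[str, str], prefix: str = UPLOAD_PREFIX) -> bool:
    """The check a receiver performs before using a presented key: the key must
    be the right length and must hash to the value the same request claims."""
    try:
        key = base64.b64decode(headers[f"{prefix}-key"], validate=True)
        claimed = base64.b64decode(headers[f"{prefix}-key-sha256"], validate=True)
    except (KeyError, ValueError):  # binascii.Error is a ValueError
        return False
    return (headers.get(f"{prefix}-algorithm") == "AES256"
            and len(key) == KEY_LEN
            and hashlib.sha256(key).digest() == claimed)


def rotation_headers(old_key: bytes, new_key: bytes) -> Dict[str, str]:
    """Headers for a rewrite/copy of an object from `old_key` to `new_key`:
    the source key under the copy-source prefix, the new key under the
    ordinary encryption prefix. Rotation is a server-side re-encryption; the
    object data never comes back to the client."""
    headers = csek_headers(old_key, SOURCE_PREFIX)
    headers.update(csek_headers(new_key, UPLOAD_PREFIX))
    return headers


if __name__ == "__main__":
    current, replacement = generate_csek(), generate_csek()
    print(csek_headers(current))
    print(headers_consistent(csek_headers(current)))
    print(rotation_headers(current, replacement))
```

The point a practitioner should take from the hash header is that Google can tell you which key an object was written with, but cannot recover the key for you: lose the key and the object is gone, which is exactly the trade the partners in this article are selling a way to manage.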

For customers who want to supply their own keys without managing them, Google is now working with a group of partners that can generate customer-supplied encryption keys. (Image: Google)

"It's not a particularly hard task, but if you've never done crypto before, it can be kind of daunting," explained Maya Kaczorowski, product manager at Google, to ZDNet.

For customers who want to supply their own keys without managing them, Google is now working with a group of partners that can generate customer-supplied encryption keys: Gemalto, Ionic, KeyNexus, Thales, and Virtru.

The partners were chosen for various reasons, Kaczorowski said. Some are already strong partners for other Google services; Gemalto, for instance, has supported client-side encryption with Google Cloud Storage for years. KeyNexus, meanwhile, gives customers a centralized system they can use to manage keys across GCP as well as hundreds of other bring-your-own-key use cases spanning SaaS, IaaS, mobile, and on-premise.

Enterprise customers coming to KeyNexus may be juggling dozens of different software-as-a-service solutions on multiple clouds -- all with keys to manage. Yet when Google began encrypting customer data years ago, "quite frankly, customers weren't ready for it," said Jeff MacMillan, CEO of KeyNexus, to ZDNet.

Google's decision years ago to encrypt data at the infrastructure and hardware device layers eased the burden on developers, Kaczorowski said. The company is giving customers more choices now that encryption is becoming a minimum requirement for the cloud.

"This is one of those differentiators of the cloud, which a lot on-premise solutions don't get," she said. "I might not choose to encrypt data in my private data center if I was a customer because I don't have the expertise, or it's too complicated... But by moving workloads to the cloud, customers get that by default... If you're going to move to the cloud, you better have it."

Continue reading here:
Google Cloud adds new customer-supplied encryption key partners ... - ZDNet

Read More..

Panicked Secret Service Says It Lost Encrypted Laptop But It’s Fine, Everything’s Fine – Gizmodo

Today, a Brooklyn-based Secret Service agent learned what those of us without security clearance have known for years: Don't leave a laptop in your car if you don't want it to be stolen.

Law enforcement sources told both ABC and The New York Daily News on Friday that a laptop containing private information, including the floor plans for Trump Tower and information on the criminal investigation into Hillary Clinton's use of a private email server, was stolen from a Secret Service agent's car.

This is how the Daily News described the crime:

The thief stepped out of a car, possibly an Uber, on a street in Bath Beach and stole the laptop from the agent's vehicle, which was parked in the driveway of her home.

He was then seen on video walking away from the scene with a backpack.

The agent reported the laptop contained floor plans for Trump Tower, evacuation protocols and information regarding the investigation of Hillary Clinton's private email server.

The agent also told investigators that while nothing about the White House or foreign leaders is stored on the laptop, the information on there could compromise national security.

Despite reports that the Secret Service is privately FREAKING and scrambling like mad, however, the agency is totally not panicking over this. Like, not at all.

In addition to telling ABC that the laptop can be wiped remotely, the agency assured the public in a statement that Secret Service issued laptops contain multiple layers of security including full disk encryption and are not permitted to contain classified information.

I'm trying to reconcile how not having classified information on a laptop and having information that could compromise national security can exist in the same timeline, but the Secret Service says it's no big deal, it's all fine. Everything is just fine.

[The New York Daily News]

Read the original post:
Panicked Secret Service Says It Lost Encrypted Laptop But It's Fine, Everything's Fine - Gizmodo

Read More..

What the CIA WikiLeaks Dump Tells Us: Encryption Works – NewsFactor Network

If the tech industry is drawing one lesson from the latest WikiLeaks disclosures, it's that data-scrambling encryption works, and the industry should use more of it.

Documents purportedly outlining a massive CIA surveillance program suggest that CIA agents must go to great lengths to circumvent encryption they can't break. In many cases, physical presence is required to carry off these targeted attacks.

"We are in a world where if the U.S. government wants to get your data, they can't hope to break the encryption," said Nicholas Weaver, who teaches networking and security at the University of California, Berkeley. "They have to resort to targeted attacks, and that is costly, risky and the kind of thing you do only on targets you care about. Seeing the CIA have to do stuff like this should reassure civil libertarians that the situation is better now than it was four years ago."

More Encryption

Four years ago is when former NSA contractor Edward Snowden revealed details of huge and secret U.S. eavesdropping programs. To help thwart spies and snoops, the tech industry began to protectively encrypt email and messaging apps, a process that turns their contents into indecipherable gibberish without the coded "keys" that can unscramble them.

The NSA revelations shattered earlier assumptions that internet data was nearly impossible to intercept for meaningful surveillance, said Joseph Lorenzo Hall, chief technologist at the Washington-based civil-liberties group Center for Democracy & Technology. That was because any given internet message gets split into a multitude of tiny "packets," each of which traces its own unpredictable route across the network to its destination.

The realization that spy agencies had figured out that problem spurred efforts to better shield data as it transits the internet. A few services such as Facebook's WhatsApp followed the earlier example of Apple's iMessage and took the extra step of encrypting data in ways even the companies couldn't unscramble, a method called end-to-end encryption.

Challenges for Authorities

In the past, spy agencies like the CIA could have hacked servers at WhatsApp or similar services to see what people were saying. End-to-end encryption, though, makes that prohibitively difficult. So the CIA has to resort to tapping individual phones and intercepting data before it is encrypted or after it's decoded.

It's much like the old days when "they would have broken into a house to plant a microphone," said Steven Bellovin, a Columbia University professor who has long studied cybersecurity issues.

Cindy Cohn, executive director for Electronic Frontier Foundation, a group focused on online privacy, likened the CIA's approach to "fishing with a line and pole rather than fishing with a driftnet."

Encryption has grown so strong that even the FBI had to seek Apple's help last year in cracking the locked iPhone used by one of the San Bernardino attackers. Apple resisted what it considered an intrusive request, and the FBI ultimately broke into the phone by turning to an unidentified party for a hacking tool, presumably one similar to those the CIA allegedly had at its disposal.

On Wednesday, FBI Director James Comey acknowledged the challenges posed by encryption. He said there should be a balance between privacy and the FBI's ability to lawfully access information. He also said the FBI needs to recruit talented computer personnel who might otherwise go to work for Apple or Google.

Government officials have long wanted to force tech companies to build "back doors" into encrypted devices, so that the companies can help law enforcement descramble messages with a warrant. But security experts warn that doing so would undermine security and privacy for everyone. As Apple CEO Tim Cook pointed out last year, a back door for good guys can also be a back door for bad guys. So far, efforts to pass such a mandate have stalled.

Still a Patchwork

At the moment, though, end-to-end encrypted services such as iMessage and WhatsApp are still the exception. While encryption is far more widely used than it was in 2013, many messaging companies encode user data in ways that let them read or scan it. Authorities can force these companies to divulge message contents with warrants or other legal orders. With end-to-end encryption, the companies wouldn't even have the keys to do so.

Further expanding the use of end-to-end encryption presents some challenges. That's partly because encryption will make it more difficult to perform popular tasks such as searching years of emails for mentions of a specific keyword. Google announced in mid-2014 that it was working on end-to-end encryption for email, but the tools have yet to materialize beyond research environments.

Instead, Google's Gmail encrypts messages in transit. But even that isn't possible unless it's adopted by the recipient's mail system as well.

And encryption isn't a panacea, as the WikiLeaks disclosures suggest.

According to the purported CIA documents, spies have found ways to exploit holes in phone and computer software to grab messages when they haven't been encrypted yet. Although Apple, Google and Microsoft say they have fixed many of the vulnerabilities alluded to in the CIA documents, it's not known how many holes remain open.

"There are different levels where attacks take place, said Daniel Castro, vice president with the Information Technology and Innovation Foundation. "We may have secured one level (with encryption), but there are other weaknesses out there we should be focused on as well."

Cohn said people should still use encryption, even with these bypass techniques.

"It's better than nothing," she said. "The answer to the fact that your front door might be cracked open isn't to open all your windows and walk around naked, too."

2017 Associated Press under contract with NewsEdge/Acquire Media. All rights reserved.

The rest is here:
What the CIA WikiLeaks Dump Tells Us: Encryption Works - NewsFactor Network

Read More..

Several Exchanges Face Connectivity Issues During Bitcoin and Altcoin Trading Craze – newsBTC

Cryptocurrency exchanges are vital to the success of bitcoin and altcoins. Consumers and investors rely on centralized platforms to diversify their cryptocurrency portfolio. However, it appears quite a few of these platforms have issues remaining online when trading intensifies. Poloniex and Coinbase have had brief outages these past few hours, indicating the infrastructure cannot cope with the demand.

It is not the first time cryptocurrency exchanges have dealt with issues during intensive trading sprees. Any platform dealing with popular cryptocurrencies has seen an increasing amount of trading volume these past few days. Unfortunately, this also means some services will start to slow down or even briefly go offline in the process. Although issues like these need to be avoided at all costs, they are pretty much inevitable for centralized platforms.

Both Poloniex and Coinbase have had brief issues over the past 12 hours. Poloniex is the world's largest altcoin exchange, generating massive amounts of trading volume. With thousands of users placing orders at the same time, the servers get overloaded every now and then. Thankfully, these issues never last long, and it appears Poloniex is up and running once again.

Coinbase is another exchange suffering from similar issues right now. It is unclear what is causing the brief outages every so often. For now, Coinbase seems to be operating just fine, although there are some complaints on Reddit. Luckily, it appears no funds have been lost in the process and all existing trades have been executed properly.

All of these issues highlight a big problem in the cryptocurrency industry, though. Centralized exchanges continue to pose a risk for traders and investors. Moreover, users store a lot of funds on exchanges, even though they really shouldn't. If an exchange goes offline for an extended period of time, users lose access to their money as well. So far, that has not happened for either Coinbase or Poloniex, yet it remains a risk to take into account.

For people looking to buy and sell altcoins, centralized exchanges are the only option right now. Very few ATMs support any currency other than bitcoin. Peer-to-peer trading platforms have yet to warm up to altcoin trading as well. This is good news for centralized exchanges, as they make a lot of money from trading fees. However, they also need to ensure their service remains up and running at all times.

Header image courtesy of Shutterstock

Originally posted here:
Several Exchanges Face Connectivity Issues During Bitcoin and Altcoin Trading Craze - newsBTC

Read More..

PoSWallet Offers Online Altcoin Staking and Exchange Services – newsBTC

It can be quite challenging to find the right cryptocurrency wallet for your specific needs. PoSWallet is well worth seeking out, as the platform has a lot to offer. Not only does PoSWallet describe itself as the world's leading online staking wallet, but the company also offers an exchange platform.

There is a lot more to PoSWallet than meets the eye. First of all, there is the online staking wallet aspect to take note of. Altcoin enthusiasts will find this service rather attractive, as PoSWallet provides an alternative way to earn proof-of-stake rewards. Considering how the platform supports 108 different coins, the platform offers something for everyone.

Additionally, PoSWallet offers faucets for their supported coins. The platform also keeps track of which faucets have enough liquidity to let users receive a payout at any given time. Users can also donate some of their own coins to the faucets to ensure other users can claim small rewards. An interesting take on things, as it allows users to remain within the PoSWallet ecosystem at all times.

Moreover, PoSWallet provides users with an exchange platform, which is of great value. To be more specific, users who were part of the PoSWallet ICO will have received POSW tokens in exchange for their investment. These tokens can be directly traded against bitcoin on the built-in exchange platform. Once again, a very nifty feature that will be well received by most users. There is no need to rely on external exchanges to trade this token, which is a very nice addition.

It is worth noting the PoSWCoin can be traded on Livecoin and Cryptopia as well. Users who buy this token will be eligible for monthly dividends generated by the PoSWallet platform. It is worth noting users can earn dividends along with the stake rewards, as they are not mutually exclusive. PoSWCoin stakes at a 1% stake rate, yet the total amount of coins is kept at 250,000 at all times. Funds held by the developer will be burned at the same rate as stake rewards are generated.

While most users will make use of PoSWallet to stake coins online, the other features are well worth checking out as well. Being able to support your favorite coin and earn proof-of-stake rewards without having to keep the wallet running on your computer at all times is a big plus. Claiming funds from one of the many faucets will allow PoSWallet users to earn some extra funds, as those coins can be staked as well. All things considered, this is a very powerful ecosystem that will elevate the altcoin sector to new heights.

Last but not least, PoSWallet is hosting a competition on ICOTimeline to promote awareness of this project. A total of 10 winners will be eligible for rewards between now and March 31st. Participating requires some social activity, as can be seen on the promotion page. A total of 200,000 POSWCoins are at stake to incentivize users to raise awareness about this online wallet staking platform.

Header image courtesy of PoSWallet

View original post here:
PoSWallet Offers Online Altcoin Staking and Exchange Services - newsBTC

Read More..

Pastor, Programmer Convicted of Conspiracy and Bribery in Bitcoin Exchange Scheme – Fortune

A bitcoin token. (Chris Ratcliffe/Bloomberg via Getty Images)

A New Jersey pastor and a Florida software engineer were convicted on Friday of scheming to help an illegal bitcoin exchange avoid having banks and regulators look into its activities.

The bitcoin exchange, Coin.mx, was linked to an investigation of a data breach at JPMorgan Chase & Co, revealed in 2014, that exposed more than 83 million accounts.

Pastor Trevon Gross, 47, and programmer Yuri Lebedev, 39, were convicted of conspiracy and bribery charges by a jury in Manhattan federal court after a week of deliberations, according to a spokesman for federal prosecutors. Lebedev was also convicted of wire fraud and bank fraud.

Henry Klingeman, Gross's attorney, said in an email that he would seek an order overturning the verdict, "and if and when the time comes a fair and lenient sentence."

Eric Creizman, a lawyer for Lebedev, had no immediate comment.

Prosecutors charged that Lebedev helped arrange bribes to Gross, including $150,000 in donations to his church. In exchange, they say, Gross helped the operator of Coin.mx, Anthony Murgio, take over a small credit union Gross ran from his church.

Murgio used the credit union to evade scrutiny of banks wary of processing payments involving the virtual currency, prosecutors say. Lebedev was accused of working for Coin.mx through a front called "Collectables Club."

Over the course of a four-week trial, lawyers for Lebedev and Gross tried to paint a different picture, saying their clients did not know that Murgio was running an illegal operation and never acted with corrupt intent.

The trial followed a probe rooted in the JPMorgan (JPM) data breach, which led to charges against nine people.

Gross, Lebedev and Murgio were not accused of hacking. But prosecutors said Coin.mx was owned by an Israeli who was behind the breach, Gery Shalon.

Prosecutors say Shalon, together with Maryland-born Joshua Samuel Aaron, orchestrated cyber attacks that resulted in the theft of information from more than 100 million people.

Prosecutors said they carried out the hacks to further other schemes with another Israeli, Ziv Orenstein, including pumping up stock prices with promotional emails. Shalon, Aaron and Orenstein have pleaded not guilty.

Murgio pleaded guilty to charges related to Coin.mx in January. He is scheduled to be sentenced on June 16.

Go here to read the rest:
Pastor, Programmer Convicted of Conspiracy and Bribery in Bitcoin Exchange Scheme - Fortune

Read More..