STE WILLIAMS

ViaSat hops into bed with European Space Agency in €68m deal

Satellite outfit ViaSat is forming a €68m (£60m) public-private partnership with the European Space Agency (ESA), which among other things is intended to fund ground stations for home broadband speeds of 100Mbps.

The programme will focus on developing fixed and mobile terminals to allow its ViaSat-3 satellites to provide a ground-based network.

Each ViaSat-3 satellite offers over 1 terabit per second (Tbps) of network capacity, potentially bringing speeds of 100Mbps to areas without fixed-line broadband.

The €68m project will be co-funded by the ESA with the support of three of its member states (Switzerland, the Netherlands and Romania), ViaSat and others within European industry.

This programme will focus on developing fixed and mobile user terminals, including the development of a fully electronic phased array for residential broadband, in-flight Wi-Fi and connected car applications.

It will also include ground segment equipment and gateways for the ViaSat-3 network, which include the Satellite Access Node (SAN) subsystems for a cloud-based ground network infrastructure.

ViaSat recently said it will take legal action against Ofcom over its decision to grant its British rival Inmarsat permission to operate an in-flight broadband network.

Magali Vaissiere, ESA director of telecommunications and integrated applications, said: “The PPP with ViaSat will bring ESA and industry together to quickly develop broadband products that will serve the needs of millions of consumers across Europe who are currently without adequate internet service.

“We believe this is a significant industrial opportunity that will keep Europe at the forefront of satellite and broadband technology development, giving Europe a leading position on the deployment of a next-generation broadband system with advanced ground networks and consumer equipment.”

ViaSat managing director Stefano Vaccaro said the support from ESA would allow it to further invest in research and development programs “that will focus on forward-looking broadband technologies”.

Products under the PPP are expected to be available in 2019. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/11/06/viasat_teams_up_with_european_space_agency_in_68m_partnership/

ATM fees shake-up may push Britain towards cashless society

Thousands of free-to-use cash machines could be axed from Britain’s high streets due to plans to cut fees that fund the network, banking industry group LINK warned last week.

LINK has a strategy to minimise the impact on consumers of a proposed reduction in fees over the next four years, from around 25p to 20p per cash withdrawal. The reduction in fees paid by card issuers (banks and building societies) to ATM operators will inevitably push down the number of cash machines.

LINK wants to manage the process to prune ATMs in areas where there are multiple machines very close together while safeguarding provision of ATMs in deprived communities, where demand would not otherwise make one viable.

The growing popularity of contactless and online payments is reducing consumers’ demand for cash and therefore the need for ATMs. Data from UK Finance predicts that over the next ten years, the number of cash payments will fall by 43 per cent to 8.7 billion payments, with the total value predicted to fall by 23 per cent to £185bn in 2026.

Reducing fees for running ATMs is likely to push Britain further towards a cashless society, according to some payments experts.

An estimated 38 million transactions were made in 2016 using mobile payments, accounting for £288m spent using mobile phones. Pubs, bars and restaurants made up 20 per cent of all mobile payments processed and “Meal Deal” hotspots for workers buying lunch – such as supermarkets and grocery stores – accounted for 54 per cent, according to recent research by WorldPay.

Given the option, 26 per cent of Brits would never choose to pay cash when buying an item in a shop and more than a quarter (26.35 per cent) find it irritating when they have to pay by cash rather than card, according to a survey commissioned by global payment experts PPRO Group.

A contrary view comes in another study by ACI Worldwide, which found that despite a rise in mobile and contactless payments, 42 per cent of UK consumers still use ATMs just as much as they always have. A little under a third (29 per cent) of respondents would like to see ATMs offer better and more secure means of authentication.

ACI Worldwide is a supplier of real-time payments software used by ATM networks so it has skin in the game.

“I don’t see the ATMs heading for retirement any time soon,” said Lu Zurawski, consumer payments lead EMEA at ACI Worldwide. “As well as being ubiquitous and simple to use, some people prefer hard cash as a deliberate way of controlling their spending.

“The trend towards regional bank branch closures may put an even greater emphasis on the role of the ATM, including services beyond simple cash withdrawal.” ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/11/06/link_atm_shakeup_analysis/

Facebook: upload your nudes to stop revenge porn

Wondering if your boyfriend really, really did delete that photo of you naked, wearing a sports championship medal, as he said he would (but which he didn’t, in the case of the Richmond Football Club’s Nathan Broad and the image of a young girl with the sports memorabilia on her bare chest that he told her he’d delete but instead shared)?

Facebook wants you to stop worrying about your nudes being shared without your consent like that. It wants you to get to that worry-free state by sending it your nude photos.

WHAAAA????

Stop, breathe. It actually makes sense: Facebook hasn’t given much detail, but from what little has been shared it sounds like it’s planning to use hashes of our nude images, just like law enforcement uses hashes of known child abuse imagery.

A hash is created by feeding a photo into a hashing function. What comes out the other end is a digital fingerprint that looks like a short jumble of letters and numbers. You can’t turn the hash back into the photo but the same photo, or identical copies of it, will always create the same hash.

So, a hash of your most intimate picture is no more revealing than this:

48008908c31b9c8f8ba6bf2a4a283f29c15309b1

Since 2008, the National Center for Missing & Exploited Children (NCMEC) has made available a list of hash values for known child sexual abuse images, provided by ISPs, that enables companies to check large volumes of files for matches without those companies themselves having to keep copies of offending images or to actually pry open people’s private messages.

The hash originally used to create unique file identifiers was MD5, but Microsoft at one point donated its own PhotoDNA technology to the effort.

PhotoDNA creates a unique signature for an image by converting it to black and white, resizing it, and breaking it into a grid. In each grid cell, the technology finds a histogram of intensity gradients or edges from which it derives its so-called DNA. Images with similar DNA can then be matched.

Given that the amount of data in the DNA is small, large data sets can be scanned quickly, enabling companies including Microsoft, Google, Verizon, Twitter, Facebook and Yahoo to find needles in haystacks and sniff out illegal child abuse imagery. It works even if the images have been resized or cropped.
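As an added example (not Facebook's, NCMEC's or Microsoft's code), here are the two kinds of matching described above side by side: an exact SHA-1 over the file bytes, which a resized copy defeats, and a simplified gradient-sign hash modelled on the PhotoDNA description (grayscale, resize, grid, compare intensity between neighbouring cells), which a resized copy does not. The test images, the raw encoding, the 8x8 grid and the blocking threshold are constructed for the example; PhotoDNA itself is proprietary and more elaborate.

```python
import hashlib
from typing import List, Tuple

Pixel = Tuple[int, int, int]
Image = List[List[Pixel]]      # rows of (r, g, b); every row has the same length
GRID = 8                        # the resize target: GRID x GRID cells (assumption)


def exact_hash(raw: bytes) -> str:
    """Cryptographic fingerprint of the file bytes: identical copies match, nothing else does."""
    return hashlib.sha1(raw).hexdigest()


def to_gray(img: Image) -> List[List[float]]:
    """'Black and white' conversion with the Rec. 601 luma weights."""
    return [[0.299 * r + 0.587 * g + 0.114 * b for (r, g, b) in row] for row in img]


def resize_to_grid(gray: List[List[float]]) -> List[List[float]]:
    """Box-average down to GRID x GRID cells (dimensions must be multiples of GRID)."""
    h, w = len(gray), len(gray[0])
    ch, cw = h // GRID, w // GRID
    cells = []
    for gy in range(GRID):
        row = []
        for gx in range(GRID):
            block = [gray[y][x] for y in range(gy * ch, (gy + 1) * ch)
                     for x in range(gx * cw, (gx + 1) * cw)]
            row.append(sum(block) / len(block))
        cells.append(row)
    return cells


def perceptual_hash(img: Image) -> int:
    """Sign of the intensity gradient between horizontally and vertically adjacent
    cells, packed into GRID*(GRID-1)*2 = 112 bits.  Small changes in pixel values
    leave the signs, and therefore the signature, mostly unchanged."""
    cells = resize_to_grid(to_gray(img))
    bits = 0
    for gy in range(GRID):
        for gx in range(GRID - 1):
            bits = (bits << 1) | int(cells[gy][gx] < cells[gy][gx + 1])
    for gy in range(GRID - 1):
        for gx in range(GRID):
            bits = (bits << 1) | int(cells[gy][gx] < cells[gy + 1][gx])
    return bits


def hamming(a: int, b: int) -> int:
    """Differing signature bits; a small distance means 'probably the same picture'."""
    return bin(a ^ b).count("1")


def encode(img: Image) -> bytes:
    """Toy raw encoding (width, height, then RGB bytes) so exact_hash has file bytes."""
    return bytes([len(img[0]), len(img)]) + bytes(c for row in img for px in row for c in px)


def synth_image(size: int, mirrored: bool = False) -> Image:
    """Constructed test picture: a 4x4 staircase of coloured blocks, optionally flipped."""
    rows = []
    for y in range(size):
        row = []
        for x in range(size):
            bx, by = x * 4 // size, y * 4 // size
            v = ((3 - bx if mirrored else bx) + by) * 255 // 6
            row.append((v, v // 2, 255 - v))
        rows.append(row)
    return rows


def upscale(img: Image, factor: int) -> Image:
    """Nearest-neighbour enlargement: the kind of resized copy an exact hash misses."""
    return [[px for px in row for _ in range(factor)] for row in img for _ in range(factor)]


def compare(known: Image, upload: Image, threshold: int = 10) -> dict:
    """What a platform holding only the hashes of a known picture can say about an upload.
    The threshold (bits out of 112) is an assumption for the example."""
    distance = hamming(perceptual_hash(known), perceptual_hash(upload))
    return {"exact_match": exact_hash(encode(known)) == exact_hash(encode(upload)),
            "distance": distance, "blocked": distance <= threshold}


if __name__ == "__main__":
    known = synth_image(32)
    print(compare(known, upscale(known, 2)))               # resized copy: no exact match, but blocked
    print(compare(known, synth_image(32, mirrored=True)))  # unrelated picture: allowed
```

The platform never needs the picture again: it keeps only the two hashes and compares them against each new upload.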

Mind you, we don’t know if that’s the technology Facebook’s planning to use. It has announced a pilot program with four countries—the UK, the US, Australia and Canada—in which people will typically be advised to send the photos to themselves via Messenger.

Julie Inman Grant, Australia’s e-safety commissioner, whose office is working with Facebook, told ABC News in Australia that sending photos via Messenger would be enough to enable Facebook to take action to prevent any re-uploads, without the photo being stored or viewed by employees.

Facebook says that it won’t be storing nude pictures but will use photo-matching technology to tag the images after they’re sent via its encrypted Messenger service. Then, Inman Grant said, “if somebody tried to upload that same image, which would have the same digital footprint or hash value, it will be prevented from being uploaded”.

The scheme’s being trialed first in Australia and will soon be tested in Britain, the US and Canada. At present, Facebook users can report photos of themselves that have already been posted nonconsensually or maliciously. Once the images are flagged, Facebook’s in-house teams review them, using hashing to prevent them from being re-uploaded.

Under the pilot scheme, users can act preemptively by notifying safety organizations working with Facebook about specific photos.

True, initially, you do have to hand over the photo in question in order to create the hash. But after that, the hash will be able to help the online platform more or less instantly answer the question “Do I know that photo?”—and to block its reposting—without you having to send the photo again.

We’d like to see a lot more detail from Facebook on this. For example, what safeguards are in place to ensure that people can’t take any old picture they want—a non-porn publicity photo, for example—and send it in, under the false premise that it’s a nude and that it’s a photo they themselves have the rights to have expunged from social media circulation?

The few details that have been revealed about this program look promising, but Facebook needs to put some flesh on its bones. If it responds to my questions, I’ll let you know.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/QngIdsf_Gus/

DoS scum attacked one-third of the ‘net between 2015 and 2017

One-third of Internet hosts with IPv4 addresses were subject to denial of service attacks in the last two years.

That’s the headline number from a two-year study conducted by the Center for Applied Internet Data Analysis (CAIDA), published last week.

CAIDA conducted the study to provide a “framework to enable a macroscopic characterisation of attacks, attack targets, and mitigation behaviours”.

To get that macroscopic view, the study’s international group of six authors used two raw data sources: CAIDA’s UCSD Network Telescope (explained here), and the AmpPot network of DDoS honeypots (here). Their two secondary data sources were OpenINTEL (an active DNS measurement project) and data gathered from DDoS prevention companies like Cloudflare and others.

Their data showed 2.2 million /24 networks (one third of the address space) experienced 20 million attacks during the study, either as direct DoS attacks or some kind of reflection attack, and 137,000 targets were hit by both kinds of attack.

Each day, three per cent of all registered Web domains are hosted on targeted IP addresses, the paper states, and over the two years, two-thirds of all Web sites were on IP addresses that were part of an attack.

It’s no surprise that countries with the biggest presence on the Internet figure high as attack targets: America, China, France and Germany, for example. Russia is also a dangerous place.

The most popular protocols for a reflection attack are those that are most promiscuous in their responses: the Network Time Protocol (NTP) and the Domain Name System (DNS) make up more than 66 per cent of the data.

Third on the list is probably going to trigger nostalgia, though: CHARGEN responses were still seen in more than 22 per cent of reflected attacks. ®

Bootnote: Direct denial-of-service attacks are straightforward: attackers try to hose Google.com by overloading an IP address like 216.58.200.110 with traffic.

In “reflected” attacks, the attacker sends requests to a huge number of other hosts with 216.58.200.110 forged as the source address, so that those hosts’ responses to 216.58.200.110 overload it. Responses collected by CAIDA for this study included “TCP SYN/ACK, TCP RST, ICMP Echo Reply, ICMP Destination Unreachable, ICMP Source Quench, ICMP Redirect, ICMP Time Exceeded, ICMP Parameter Problem, ICMP Timestamp Reply, ICMP Information Reply, or ICMP Address Mask Reply”.
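Added example, not CAIDA's code: a minimal backscatter detector of the kind a network telescope runs to spot the direct attacks described above. A telescope announces an unused (dark) address range that receives no legitimate traffic, so unsolicited replies of the types listed in the bootnote arriving there are a victim answering forged source addresses, and the sender of those replies is the victim. The darknet prefix, thresholds, log format and log lines are constructed for the example.

```python
from collections import defaultdict
from typing import Dict, List, NamedTuple

# Reply types CAIDA counted as backscatter (the list quoted in the article).
BACKSCATTER_TYPES = {
    "TCP SYN/ACK", "TCP RST", "ICMP Echo Reply", "ICMP Destination Unreachable",
    "ICMP Source Quench", "ICMP Redirect", "ICMP Time Exceeded",
    "ICMP Parameter Problem", "ICMP Timestamp Reply", "ICMP Information Reply",
    "ICMP Address Mask Reply",
}

# What a reply type suggests about the flood the victim is absorbing (assumption,
# based on which request normally elicits that reply).
IMPLIED_FLOOD = {"TCP SYN/ACK": "SYN flood", "TCP RST": "TCP flood (ACK/data)",
                 "ICMP Echo Reply": "ICMP echo flood"}

DARKNET_PREFIX = "203.0.113."   # assumption: the telescope owns 203.0.113.0/24


class Packet(NamedTuple):
    ts: float
    src: str
    dst: str
    ptype: str


def parse_line(line: str) -> Packet:
    """Constructed record format: '<epoch> <src> <dst> <type>'; type may contain spaces."""
    ts, src, dst, ptype = line.split(maxsplit=3)
    return Packet(float(ts), src, dst, ptype)


def in_darknet(ip: str) -> bool:
    return ip.startswith(DARKNET_PREFIX)


def detect_backscatter(lines: List[str], window_s: float = 60.0,
                       min_pkts: int = 5, min_dsts: int = 3) -> Dict[str, dict]:
    """Return {victim_ip: summary} for senders whose unsolicited replies reach at
    least min_dsts distinct dark addresses within window_s seconds.  Requiring
    many distinct destinations is what separates a victim of a randomly spoofed
    flood from a single misconfigured host talking to one dark address."""
    by_src = defaultdict(list)
    for line in lines:
        pkt = parse_line(line)
        if pkt.ptype in BACKSCATTER_TYPES and in_darknet(pkt.dst) and not in_darknet(pkt.src):
            by_src[pkt.src].append(pkt)
    victims = {}
    for src, pkts in by_src.items():
        pkts.sort(key=lambda p: p.ts)
        start = 0
        for end in range(len(pkts)):                 # sliding time window
            while pkts[end].ts - pkts[start].ts > window_s:
                start += 1
            win = pkts[start:end + 1]
            dsts = {p.dst for p in win}
            if len(win) >= min_pkts and len(dsts) >= min_dsts:
                types = sorted({p.ptype for p in win})
                victims[src] = {"packets": len(win), "dark_targets": len(dsts),
                                "reply_types": types,
                                "implied_flood": [IMPLIED_FLOOD.get(t, "unknown") for t in types]}
                break
    return victims


# Constructed sample: 198.51.100.7 is being SYN-flooded with forged sources and
# 192.0.2.9 is one host with a stale route; both send replies into the darknet.
SAMPLE_LOG = [
    "1500000000.0 198.51.100.7 203.0.113.10 TCP SYN/ACK",
    "1500000001.0 198.51.100.7 203.0.113.11 TCP SYN/ACK",
    "1500000002.0 198.51.100.7 203.0.113.12 TCP SYN/ACK",
    "1500000003.0 198.51.100.7 203.0.113.13 TCP RST",
    "1500000004.0 198.51.100.7 203.0.113.14 TCP SYN/ACK",
    "1500000005.0 192.0.2.9 203.0.113.20 ICMP Echo Reply",
    "1500000006.0 192.0.2.9 203.0.113.20 ICMP Echo Reply",
    "1500000007.0 192.0.2.9 203.0.113.20 ICMP Echo Reply",
    "1500000008.0 192.0.2.9 203.0.113.20 ICMP Echo Reply",
    "1500000009.0 192.0.2.9 203.0.113.20 ICMP Echo Reply",
    "1500000010.0 203.0.113.5 203.0.113.21 TCP SYN/ACK",   # forged dark source: ignored
    "1500000011.0 198.51.100.7 203.0.113.15 TCP SYN",      # a request, not a reply: ignored
]

if __name__ == "__main__":
    for victim, info in detect_backscatter(SAMPLE_LOG).items():
        print(victim, info)
```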


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/11/05/caida_study_finds_one_third_of_the_internet_suffered_denial_of_service_attacks_between_2015_and_2017/

Crumbs! Crunchyroll distributed malware for a couple of hours

Popular anime streamer Crunchyroll is warning users to check their systems for malware, after attackers got access to its Cloudflare config and targeted Windows users with a malicious file.

The attack only lasted 150 minutes – from 0330 to 0600 Pacific Time on Sunday November 5 (when owner Ellation took the site down). As the site has 20 million users, that’s still plenty of time for people to download the malicious file.

During the attack, as this post explains, people trying to visit Crunchyroll were directed to a site impersonating the service, offering “CrunchyrollViewer.exe” to visitors.

Infosec bod Bart Blaze took a look at what was in the malware here.

He writes that the malware dropped a svchost.exe on the user’s machine, and while running, it went back to a command-and-control server to download a Metasploit Meterpreter module.

Either Crunchyroll’s response was fast enough to stop any truly nasty outcomes, or the attacker was merely trying his hand at malware, because that’s as far as things went.

Anyone infected by the attack can get rid of the infection with a few steps (outlined at the Crunchyroll post linked above): remove the malicious .exe file, get rid of a malicious Java Run key from their registry, delete the svchost.exe file, and run an antivirus scan. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/11/06/crunchyroll_spent_a_couple_of_hours_distributing_malware/

OpenSSL patches, Apple bug fixes, Hilton’s $700k hack bill, Kim Dotcom raid settlement, Signal desktop app, and more

Happy weekend, everyone, except those of you on call, of course. Let us catch you up on all the IT security bits and pieces besides what’s been reported this week.

Down in New Zealand, Kim Dotcom, the bête noire of Hollywood, reached a settlement with the New Zealand authorities over a rather dramatic raid in 2012 on his home. Cops flew in with guns and dogs to arrest Dotcom and found him hiding in his panic room.

The terms of the settlement haven’t been announced, but Dotcom’s lawyers said the police have promised to review their tactics. Dotcom said he hopes to make his permanent home in New Zealand. Maybe Peter Thiel will be a neighbor?

Email ennui

As seems to be so often the case these days, emails became news items this week. First off, President Donald Trump’s daughter Ivanka came under the spotlight for using her personal email for US government business. This isn’t the first time she’s been warned on this, and details emerged from a freedom-of-information request that she was still using her personal inbox for conversations with treasury department officials.

However, it was Hillary Clinton’s emails that sparked the bigger headlines. An investigation into the hacking of the Democratic Party revealed some interesting snippets, notably that Guccifer 2.0 actually edited the contents before passing them on to WikiLeaks for dissemination.

The infiltration of the party’s computer systems began on March 10 last year, and at first wasn’t that well targeted. The hacker, or hackers, impersonated Gmail’s technical support personnel to trick party officials into handing over their account passwords, and, as we all know, it only takes one cockup for a hacking campaign to take hold.

But Hillary and the Democrats weren’t the only target of the hackers. Kremlin-linked miscreants also reportedly went after foreign journalists, US military contractors, and even the Pope’s personal envoy to the Ukraine.

In addition, Twitter announced it has identified 2,752 accounts [PDF] on its milliblogging platform that were fakes set up to cause mischief by Russia’s Internet Research Agency – aka Putin’s troll central. Some of the handles amassed thousands of followers, who are presumably feeling somewhat red-faced over being duped. Among them was Jenna Abrams, a master troll princess who duped journos and the rest of the world.

Fatal flaws

On the flaws front, it has been a busy week – thanks in part to the mobile phone version of the Pwn2Own competition run in Japan. Hackers fly in from around the world to win big money compromising gear by exploiting zero-day vulnerabilities, and weren’t disappointed – $515,000 was paid out in bug bounties.


The contest saw some innovative hacks, including the longest attack chain ever seen in the competition. MWR Labs linked together 11 bugs in six different apps to harvest data from a Samsung Galaxy S8, and several iPhones also fell to the infosec gurus. The good news is that all the exploited bugs have been reported privately to the affected software and hardware makers, so look out for patches coming soon for these leveraged holes.

Separately, Apple released a big pile of security updates for its shiny gear. In all, seven patches were released, fixing multiple issues with macOS, iOS, Safari and iTunes. You can review the whole list here – download and install them as usual.

Google had its own software cockups. A cunning hacker managed to find flaws in Google’s internal bug tracker, which it uses to manage issues and vulnerabilities with its vast sprawling empire of code. Security researcher Alex Birsan found out about the system and went digging. He not only found enough coding errors to allow him to get into the confidential database, but also to win him $15,600 in rewards from a grateful Google, which has traditionally been a strong supporter of bug bounties.

(Speaking of Google, Pixel 2 XL handsets shipped with no operating system installed. Oops!)

OpenSSL also had its own issues this week. A moderate, but still important, flaw has been found in how the code handles encryption, to the extent that an attacker with enough computing power could exploit it to get some serious hacking done.

Hacking the home

The week began with the FBI warning of a new type of hacking that can earn the criminal scum big money and leave people with serious losses. The scammers are now targeting home buyers.

It works like this. The hacker gets onto the network of the realty agent selling a house – a profession not known for its IT prowess. When someone buys it, the hackers change the details of the payment account receiving the funds to one they control and then make their getaway, leaving everyone out of pocket.

Lovesense, the manufacturer of a mobile-phone operated vibrating butt plug, took issue with stories of how it can be hijacked and set off remotely because it’s so easy to hack. On a reconnaissance mission in Berlin, the hackers found an open device that could have been activated.

Now the manufacturer has hit back, saying that it’s almost impossible to hack into its devices. The company pointed out that it was Bluetooth at fault, not the device; that an attacker would have to be within 30 meters of their target; and that if the owner had already connected it to their phone then there was no chance of the device becoming a pain in the arse.

As for the consequences of hacking, Hilton Worldwide agreed to settle with the authorities for allowing not one but two hacking attacks to take place. The hotel group agreed to pay a total of $700,000 to New York State for allowing customers’ credit cards to be stolen, and for not reporting it in time.

Finally, good news for fans of the secure messaging service of choice for hackers and those that work in the field – Signal. The service had a brief outage last week, and this week announced that it has a desktop app now.

This is welcome news, but you do have to have the mobile app on your phone for it to work. That said, it’s the most secure messaging app out there and it’s run by people who won’t sell you out to the highest bidder. ®

PS: Don’t miss the Microsoft staffer who, during an Ignite presentation on Azure, stopped to install Google Chrome because Edge just wasn’t working properly with the Redmond cloud. Oops. It’s 37 minutes in from this vid below…


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/11/04/security_roundup/

2018 Malware Forecast: learning from the long summer of ransomware

In 2017, attackers developed new ransomware delivery techniques, leading to global outbreaks such as WannaCry, NotPetya and, most recently, Bad Rabbit. It’s a trend that’s expected to continue in the next year, according to the 2018 Malware Forecast released by Sophos on Thursday.

The report reviews malicious activity analyzed by SophosLabs in 2017 to predict what might happen in 2018. Here’s a taster of what the report has to say about this summer’s ransomware activity.

Ransomware from 1 April – 3 October 2017

Ransomware remains a vexing problem for many companies. In the forecast SophosLabs looks at the most prolific ransomware families and attack vectors over a six-month period up to October 2017.

WannaCry

WannaCry, unleashed in May 2017, was the number-one ransomware intercepted from customer computers, dethroning longtime leader Cerber, which first appeared in early 2016.

WannaCry accounted for 45.3% of all ransomware tracked through SophosLabs, with Cerber accounting for 44.2%.

For the first time, we saw ransomware with worm-like characteristics, which contributed to the rapid expansion of WannaCry. This ransomware took advantage of a stolen NSA exploit known as EternalBlue, which targeted an old Windows vulnerability to help it spread.

Even though WannaCry activity has tapered off, SophosLabs researcher Dorka Palotay doesn’t think that’s the last we’ve seen of the techniques it used:

We’re expecting cybercriminals to build upon WannaCry and NotPetya and their ability to replicate, and this is already evident with Bad Rabbit ransomware, which shows many similarities to NotPetya.

NotPetya

The Sophos 2018 Malware Forecast also reports on the acute rise and fall of NotPetya, ransomware that wreaked havoc in June 2017. NotPetya was initially distributed through a Ukrainian accounting software package, limiting its geographic impact.

It was able to spread via the EternalBlue exploit, just like WannaCry, but because NotPetya came later it found many fewer machines that were unpatched and vulnerable.

The motive behind NotPetya is still unclear because there were many missteps, cracks and faults in its attack. For instance, the email account that victims were supposed to use didn’t work, and victims could not decrypt and recover their data, according to Palotay:

NotPetya spiked fast and furiously before taking a nose dive, but did ultimately hurt businesses. This is because NotPetya permanently destroyed data on the computers it hit. Luckily, NotPetya stopped almost as fast as it started. We suspect the cybercriminals were experimenting, or their goal was not ransomware, but something more destructive like a data wiper.

Cerber and Locky

With all the sound and fury produced by WannaCry and NotPetya it would be easy to miss the danger posed by older, more persistent threats.

Cerber, an example of Ransomware as a Service (RaaS), is sold as a ransomware kit on the Dark Web and remains a dangerous threat despite being eclipsed by WannaCry in the summer.

The creators of Cerber make money by charging the criminals who use it a percentage of each ransom they’re paid, and are constantly updating it and making improvements in an attempt to stay one step ahead of security software.

Although Locky accounted for barely 4% of the ransomware stopped by SophosLabs it showed signs of resurgence over the summer. New variants displayed the usual Locky behavior, using the same ransom note and Tor payment site, and spread via email attachments like script files and Word documents.

The view from SophosLabs

The trends are captured in a ransomware graphic released alongside the report.

For more insight into what to expect next year download the Sophos 2018 Malware Forecast.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/vXJ8uvG2TRA/

Senators act to SAVE voting machines

Looks like it’s at least a possibility that DefCon won’t be the only place hackers can compete for prizes by exposing flaws in US voting systems.

Proposed legislation with bipartisan sponsorship – US senators Martin Heinrich (D-NM) and Susan Collins (R-Maine) – would empower the Department of Homeland Security (DHS) to sponsor a competition similar to DefCon’s “Voting Machine Hacking Village” this past summer that – not surprisingly – resulted in white-hat hackers finding numerous vulnerabilities in voting machine software.

Not that it’s even close to a done deal. The bill [PDF], with the title as usual crafted to yield an easy-to-remember acronym – the Securing America’s Voting Equipment Act (SAVE) of 2017 – hasn’t even been assigned a number. The space for which committee will be assigned to consider it is blank.

Still, the fact that such a bill has even been drafted is a declaration from the sponsors that, protests in some states notwithstanding, it is time for a national effort to ensure that electoral results are credible – which means giving voters good reason to believe the systems are secure from tampering.

“Until we set up a stronger set of protections for our election systems and take the necessary steps to prevent future foreign influence campaigns, our nation’s democratic institutions will remain vulnerable,” Heinrich told reporters.

The bill calls for the “Cooperative Hack the Election Program,” to be in place one year after the bill is enacted. Its purpose is:

… to strengthen electoral systems from outside interference by encouraging entrants to work cooperatively with election system vendors to penetrate inactive voting and voter registration systems to discover vulnerabilities of, and develop defenses for, such systems.

The program would offer awards for finding the most significant vulnerabilities, but doesn’t specify how much they would pay.

It also gives hackers a pass from the Computer Fraud and Abuse Act (CFAA) and the Digital Millennium Copyright Act (DMCA), which is in the middle of a three-year waiver for researchers, as long as they don’t exploit the flaws for their own purposes or reveal them publicly before providing the information to the DHS.

Beyond the hacking competition, the bill would also:

  • Formally designate voting systems as “critical infrastructure” – something DHS did last January.
  • Provide grants to help states improve the security of their voting systems.
  • Require voting system integrity audits, beginning in 2019 and continuing every four years after that. Only systems that passed the audit criteria could be used in future elections.
  • Improve classified information sharing from the federal government to the states regarding security threats to voting systems. This would be accomplished by the Director of National Intelligence (DNI) providing security clearances up to the “top-secret” level to each “chief eligible state election official” plus one more designee of that official, who would then be able to receive the information.

The bill gets a reasonably good review from Joseph Lorenzo Hall, chief technologist at the Center for Democracy & Technology, who calls it, “a pretty strange-looking bug bounty program,” but adds that given that it is, “brand-new territory for both legislators and election officials, it’s understandable it might need some tweaking.”

He applauds the exemptions from the CFAA and DMCA, but says some of the restrictions – on exploiting vulnerabilities and public reporting, “could use some attention.”

It’s often necessary to exploit a vulnerability in order to adequately evaluate the security system in the face of that flaw. I think the most important question here is what would this do above and beyond what we can do with things like the DefCon Voting Village or non-federal bug bounty programs from state or local election officials.

Still, even given that, selling it in Congress might seem to be a layup, even in the current contentious political environment – who doesn’t want secure, credible election results? But not all states have welcomed federal involvement, even if well intentioned.

When former DHS secretary Jeh Johnson offered last August to inspect state voting systems for online vulnerabilities, several states rejected the overture. Georgia Secretary of State Brian Kemp branded it a “vast federal overreach,” declaring in an email to Nextgov that, “the question remains whether the federal government will subvert the Constitution to achieve the goal of federalizing elections under the guise of security.”

Even though it seemed pretty obvious they needed the help. Zeynep Tufekci, a University of North Carolina information and library science professor, had recently told National Public Radio that Georgia’s electronic voter machines, which provided no paper trail:

… are more than a decade old, so the hardware is falling apart. And the operating system they’re using is Windows 2000, which hasn’t been updated for security for years, which means it’s a sitting duck.

Ironically enough, Kemp is now the lead defendant in a lawsuit, Curling v. Kemp, that seeks to annul the results of a 20 June 2017 special election in Georgia for Congress in which Republican Karen Handel beat Democrat Jon Ossoff. The plaintiffs allege that the voting systems used were out of date and insecure, and provided no paper backups.

The latest news in that case is that even electronic information may have gone missing – a server and its backups that were said to be key evidence in the case were deleted. But Kemp’s office contends there was nothing nefarious going on, since the data still exist elsewhere. Ars Technica reported that according to Ryan Germany of the Secretary of State’s office:

Current indication is that the FBI retained an image of the data on those servers as part of their investigation and that it will be available for use in the ongoing litigation.

Still, that is yet another reminder that until (or if) electronic voting systems become more secure through the SAVE Act or other initiatives, a lot of headaches and legal expenses could be avoided simply by using paper.

As we reported a few weeks ago, Lawrence Norden, co-author of a September 2015 report for the Brennan Center for Justice titled “America’s Voting Machines at Risk,” called it the most effective security measure at the moment:

The most important technology for enhancing security has been around for millennia: paper. Specifically, every new voting machine in the United States should have a paper record that the voter reviews, and that can be used later to check the electronic totals that are reported.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/XLTKjlmJEQg/

Smart Lock and iCloud Keychain – password managers for the rest of us

Here at Naked Security, we’ve been banging the drum for password managers for a long while now, and there are a number of strong examples out there in the marketplace.

For people who care deeply about privacy and security, deciding which password manager to use means making decisions about password storage, reputation, browser integration, credential sharing options, whether you want cloud-based or local password vaults, and cost.

For many, though, the question is still: why bother at all?

Convincing people who aren’t as security-focussed as you to use any kind of password manager at all can be difficult because it adds extra complexity to something many already regard as a hassle.

That said, two juggernauts have recently entered the scene, and they will likely help password managers become more mainstream: Apple’s iCloud Keychain and Google’s Smart Lock.

Both are built-in and on by default, which could make it easier for users to make the switch to using a password manager.

Integrated password managers

The whole point of password managers is to remove the burden of having to remember umpteen passwords. Ideally, with that burden taken from us, we’ll be more likely to use different passwords for each of the websites and apps we use instead of reusing the same one (I’m looking at you, passw0rd1) or making weak iterations of the same password (passw0rd2, passw0rd3…).

In their current state, these password managers do exactly what you’d expect. They capture passwords that you enter on one device or website, store them in an encrypted form in the cloud and then automatically fill in your credentials the next time you need them, so you don’t have to remember them.

Your stored credentials are tied to a central identifying account with each service. If you’re logged in to your Google or iCloud account on multiple devices or browsers, any of those devices can access your credentials, no matter where you first entered them.

So an iPhone or Android user can enter their credentials into a web form on their smartphone, and then log in to that same website using the Safari or Chrome browser on their laptop, without having to remember the password, if they’re logged in to the same iCloud or Google account on both devices.

It should be noted that Apple’s iCloud Keychain can also store credit card information, and many third-party password managers do as well.

Both iCloud Keychain and Smart Lock are turned on automatically, helpfully prompting users to save their username and password for later in much the same way that browsers have been offering to do for years, only now these credentials are no longer stored only locally, nor in plain text. (No more getting stuck with an old password on a browser you haven’t used in a while: the stored credentials sync, so every device gets the latest version.)

Where 3rd party managers win

Smart Lock and iCloud Keychain still have room to grow, of course. They are mostly without bells and whistles at the moment – they encrypt, transmit, and then store your passwords centrally in the cloud and allow you to lock down your password manager account with a master password and/or biometric security. Pretty standard.

Smart Lock doesn’t generate passwords for you – though iCloud can – so, Google users, the burden is still on you to think up a strong password, and undoubtedly this means a lot of people won’t. Smart Lock will just fill up with multiple copies of passw0rd1 instead of a collection of strong, unique passwords.
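Smart Lock’s lack of a generator, and the reuse and counter-bumping habit described above, are both easy to check for in code. The script below is an added example, not code from Naked Security, Google or Apple: it generates a replacement password from the operating system’s CSPRNG and audits a vault for verbatim reuse and for near-duplicates that differ only by a trailing counter. The site names and passwords in SAMPLE_VAULT are constructed for the example.

```python
import math
import re
import secrets
import string
from collections import defaultdict

# Characters drawn from when generating: the 94 printable ASCII symbols.
ALPHABET = string.ascii_letters + string.digits + string.punctuation

# Trailing counters that people bump when forced to "change" a password.
_COUNTER_SUFFIX = re.compile(r"[0-9!@#$%]+$")


def generate_password(length: int = 20, alphabet: str = ALPHABET) -> str:
    """Draw every character from the OS CSPRNG via `secrets` (never `random`)."""
    if length < 12:
        raise ValueError("refuse to generate a password shorter than 12 characters")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Guessing entropy of a uniformly random password of this length and alphabet."""
    return length * math.log2(alphabet_size)


def stem(password: str) -> str:
    """Reduce 'passw0rd1', 'Passw0rd2' and 'passw0rd!' to the shared stem 'passw0rd'."""
    return _COUNTER_SUFFIX.sub("", password).lower()


def audit_vault(vault):
    """vault: iterable of (site, password) pairs.

    Returns (reused, variants):
      reused   -> {password: [sites that share it verbatim]}
      variants -> {stem: [sites whose passwords share that stem and differ
                          only by a trailing counter]}
    """
    by_exact = defaultdict(list)
    by_stem = defaultdict(list)
    for site, password in vault:
        by_exact[password].append(site)
        by_stem[stem(password)].append((site, password))

    reused = {pw: sites for pw, sites in by_exact.items() if len(sites) > 1}
    variants = {
        s: [site for site, _ in entries]
        for s, entries in by_stem.items()
        if len({pw for _, pw in entries}) > 1
    }
    return reused, variants


# Constructed sample vault: sites and passwords are made up for this example.
SAMPLE_VAULT = [
    ("mail.example", "passw0rd1"),
    ("shop.example", "passw0rd1"),
    ("bank.example", "passw0rd2"),
    ("forum.example", "passw0rd3"),
    ("vpn.example", "x7!Qm$2vL9&bTz#4kR@w"),
]

if __name__ == "__main__":
    reused, variants = audit_vault(SAMPLE_VAULT)
    for pw, sites in reused.items():
        print(f"reused verbatim on {len(sites)} sites: {', '.join(sites)}")
    for s, sites in variants.items():
        print(f"counter variants of '{s}' on: {', '.join(sites)}")
    replacement = generate_password(20)
    print(f"replacement ({entropy_bits(20, len(ALPHABET)):.0f} bits): {replacement}")
```

The audit deliberately lower-cases and strips only a trailing run of digits and common symbols, so a genuinely random password that happens to end in a digit is still treated as its own stem; a vault with no findings returns two empty dictionaries.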

Where 3rd party managers lose

One area where both Google and Apple have a number of third-party password managers beat is storing credentials for smartphone apps. As of Apple iOS 11, iCloud Keychain supports app sign-ins with AutoFill.

iOS 11 users can save credentials not just for web-based forms, but even for stand-alone apps. These credentials are saved to the iCloud Keychain, and when the user logs back into the app in the future, they’ll be presented with the option to have AutoFill automatically enter their credentials and log in.

Similarly, Google notes that Smart Lock can fill in credentials for some apps, but not all.

Those of us who use third-party password managers have a few more steps to take if the app doesn’t already support grabbing credentials from password managers (switch apps, log in to password manager, copy/paste the credentials).

It remains to be seen if Apple or Google will make pulling credentials from third-party password managers easier, or if they will leave that up to individual app developers to support as they do now.

How do I enable or disable these password managers?

If you’re using a recently updated Apple or Google smartphone, unless you’ve taken steps to disable your password manager it’s likely already active and working for you. But if you want to make sure the service is enabled, or if you want to disable it, here’s how:

  • Google’s Password Vault: go to passwords.google.com, sign in and disable Google Smart Lock.
  • Apple’s iCloud Keychain: log in to your iCloud account on a Mac or iPhone, and check the iCloud options in Settings and select the “Keychain” option.

As these services come with your phone they’ll be an easy choice for many who may have bristled at the idea of using a password manager previously. And for those of us who want to see more people moving to password managers, no matter how imperfect, this is absolutely a good thing.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/0eEe3TQ-PUk/

Biggest Tor overhaul in a decade adds layers of security improvements

Tor developers have taken the wraps off the next generation of Onion Services.

The alpha release promises the biggest overhaul of the anonymity service in 10 years. The opening section of the change log provides a good overview of the changes, some of which aim to address recently discovered security weaknesses in the protocol, such as the ability of rogue nodes acting as hidden service directories to learn the addresses of the onion services whose descriptors they hold.

With enough rogue nodes, an adversary could start to map paths and hence reduce anonymity. The update will make this sort of attack much harder if not impossible.

In other respects the revamp is a thorough refresh rather than a radical redesign.

“It’s not a revolution, more an evolution,” said Professor Alan Woodward, a computer scientist at the University of Surrey. “It has some interesting new features, mostly around client authentication and extensibility. The former is an interesting one in that it may help security of some Onion sites. The latter is rather like the curate’s egg: good in parts.”

Woodward expressed concerns that the greater extensibility built into the alpha release could result in increased complexity causing more mistakes that crack anonymity. Some of what Tor is doing appears to make it “simpler” to deploy hidden services. This might be compared to attempts at encouraging secure web server deployment by enabling security features by default.

Crypto improvements in the protocol offer extra resistance to replay attacks and similar attempts to corrupt connections. Key to this is a proposal to replace SHA1/DH/RSA1024 with SHA3/ed25519/curve25519. “[There were] concerns around the original public key systems so they have simply gone for the later, more trusted PKI,” Woodward said.
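To see where SHA3 and ed25519 enter the new protocol, the following added example (not Tor project code) builds and validates a next-generation onion address from an ed25519 public key in the way the v3 address format specifies: the address is the base32 encoding of the 32-byte public key, a two-byte SHA3-256 checksum and a version byte of 3. The 32-byte key below is a constructed placeholder, not a real service key, and the validator is the check a client would run before trying to connect to a typed or pasted address.

```python
import base64
import binascii
import hashlib

# Constants of the v3 onion-service address format.
ONION_VERSION = b"\x03"
CHECKSUM_PREFIX = b".onion checksum"
ADDRESS_LEN = 56  # 35 bytes -> 56 base32 characters, no padding


def onion_checksum(pubkey: bytes) -> bytes:
    """CHECKSUM = SHA3-256(".onion checksum" || PUBKEY || VERSION)[:2]."""
    return hashlib.sha3_256(CHECKSUM_PREFIX + pubkey + ONION_VERSION).digest()[:2]


def encode_raw(raw: bytes) -> str:
    """Lower-case base32 of the raw address bytes plus the .onion suffix."""
    return base64.b32encode(raw).decode("ascii").lower() + ".onion"


def onion_address_from_pubkey(pubkey: bytes) -> str:
    """Encode an ed25519 public key as a v3 .onion address."""
    if len(pubkey) != 32:
        raise ValueError("an ed25519 public key is exactly 32 bytes")
    return encode_raw(pubkey + onion_checksum(pubkey) + ONION_VERSION)


def parse_onion_address(address: str) -> bytes:
    """Validate a v3 address and return the ed25519 public key it embeds.

    Raises ValueError for anything that is not a well-formed v3 address, so a
    mistyped or tampered address is rejected before any connection attempt.
    """
    host = address.lower()
    if host.endswith(".onion"):
        host = host[: -len(".onion")]
    if len(host) != ADDRESS_LEN:
        raise ValueError("v3 onion addresses are 56 base32 characters (v2 had 16)")
    try:
        raw = base64.b32decode(host, casefold=True)
    except binascii.Error as exc:
        raise ValueError(f"not valid base32: {exc}") from exc
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:35]
    if version != ONION_VERSION:
        raise ValueError("unsupported onion address version")
    if checksum != onion_checksum(pubkey):
        raise ValueError("checksum mismatch: address is corrupt or tampered")
    return pubkey


def is_valid_onion_address(address: str) -> bool:
    """Boolean wrapper around parse_onion_address for quick filtering."""
    try:
        parse_onion_address(address)
        return True
    except ValueError:
        return False


# Constructed placeholder key: NOT a real service key, just 32 recognisable bytes.
EXAMPLE_PUBKEY = bytes(range(32))

if __name__ == "__main__":
    addr = onion_address_from_pubkey(EXAMPLE_PUBKEY)
    print(addr)
    print("round trip ok:", parse_onion_address(addr) == EXAMPLE_PUBKEY)
```

Because the version byte is the last of the 35 encoded bytes, every v3 address ends in the base32 character for 3, a lower-case d, which is a quick visual sanity check; the two-byte checksum only catches accidental corruption, since anyone who can alter the key bytes can recompute it.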

In a blog post, Tor’s developers promise further innovations as part of an ambitious roadmap.

As the current code stabilizes further, we plan to add features like offline service keys, advanced client authorization, a control port interface, improved guard algorithms, secure naming systems, statistics, mixed-latency routing, blockchain support, AI logic and a VR interface (j/k about some of these). We are planning to take it slow, since there is lots to do and many bugs to squash.

The jokes here would appear to include at least the virtual reality interface and perhaps more.

One important issue is backward compatibility: the new hidden services are not reachable from old Tor Browser releases, which do not understand the longer next-generation addresses or the new key format. Users may therefore be pushed towards the latest Tor Browser by reduced or impaired functionality otherwise.

Professor Woodward concluded: “Under the hood the protocol has changed. There are improvements to prevent certain types of discovery. However, the current system goes back 10 years so it’s not surprising in this game of whack a mole, the mole is evolving.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/11/03/tor_ravamp/