STE WILLIAMS

Back in February 2018, Google’s Project Zero went public with a Microsoft Edge bug that Redmond couldn’t fix in time for its next patch release. Now, the Google researcher – Ivan Fratric – has provided a detailed technical explanation of the problem and says Microsoft’s fix might not be adequate.

Fratric discovered that an interaction between just-in-time JavaScript compilation, Edge’s Chakra JavaScript engine, and Arbitrary Code Guard that gave attackers an arbitrary code execution vector.

Arbitrary Code Guard (ACG) is designed to prevent code being dynamically modified, and had its most recent enhancements in March 2017.

Google reveals Edge bug that Microsoft has had trouble fixing

READ MORE

Fratric explained the problem in this post last Thursday: “When ACG is applied to a Microsoft Edge Content Process, it makes it impossible to allocate new executable memory within a process or modify existing executable memory. The goal of this is to make it more difficult for an attacker who already gained some capabilities in the browser’s Content Process to execute arbitrary code.”

This white paper (PDF) explains Fratric’s attack in more detail: his attack vector related to how JavaScript just-in-time (JIT) compilation works when ACG is present.

Because JIT is incompatible with ACG, instead of running JIT as part of the Edge Content Process, Microsoft pulled the JIT Engine into its own process.

If the Chakra JavaScript engine encounters a function that needs JIT compilation, it passes the bytecode to the JIT Server, which “compiles the bytecode and writes the resulting executable code back into the calling process using shared memory.”

That, the white paper explained, lets the Content Process execute the JIT code “without violating the dynamic code policy.”

The other key to the attack surface is the Control Flow Guard (CFG), designed to protect against memory corruption vulnerabilities. The Fratric paper notes that one vector here is that “returns aren’t protected, so overwriting a return address is all that’s needed for a successful bypass. Normally, in order to be able to overwrite a return address on the stack, an attacker first needs to know where stack is. Chakra bytecode removes this requirement by including opcodes that can be used to read write to the stack”.

There’s a full walk-through of various memory mappings and process interactions before we get to the attack scenario set out in the white paper:

• Attacker observes the addresses for the JIT allocations and predicts the address of the next one;
• Attacker unmaps the corresponding JIT section UnmapViewOfFile();
• Attacker calls VirtualAlloc() to reclaim the memory, but this time with PAGE_READWRITE permissions;
• Attacker writes their payload to a newly allocated location;
• Attacker waits until the JIT server makes the memory region executable. After this, an attacker can simply transfer control flow to the code written in step 4.

As is so often the case, the fix wasn’t as hard as Microsoft feared: Redmond just had to remove the VirtualAllocEx() call.

There’s a proof-of-concept here, and its only assumption was that “an attacker already managed to get a memory read/write primitive in the Content Process through an unrelated vulnerability.” ®

Sponsored:
Minds Mastering Machines – Call for papers now open

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/05/15/microsoft_acg_mitigation_missed_memory_bug/

Updated A professor of Computer Security at the Münster University of Applied Sciences‏ has warned that popular email encryption tool Pretty Good Privacy (PGP) might actually allow Pretty Grievous P0wnage thanks to bugs that can allow supposedly encrypted emails to be read as plaintext.

Professor Sebastian Schinzel took to Twitter with the news early on Monday, European time.

We’ll publish critical vulnerabilities in PGP/GPG and S/MIME email encryption on 2018-05-15 07:00 UTC. They might reveal the plaintext of encrypted emails, including encrypted emails sent in the past. #efail 1/4

— Sebastian Schinzel (@seecurity) May 14, 2018

A second Tweet warns “There are currently no reliable fixes for the vulnerability. If you use PGP/GPG or S/MIME for very sensitive communication, you should disable it in your email client for now.”

Schnizel and his fellow researchers have alerted a few folks about the problem, among them the Electronic Frontier Foundation which has assessed his research and agreed that PGP has flaws.

An EFF advisory says “these vulnerabilities pose an immediate risk to those using these tools for email communication, including the potential exposure of the contents of past messages.”

“Our advice, which mirrors that of the researchers, is to immediately disable and/or uninstall tools that automatically decrypt PGP-encrypted email,” the EFF’s post said. It also name dEnigmail for Thunderbird, GPGTools for Apple Mail and Gpg4win for Outlook as worthy of disablement, and offers instructions on how to do so.

“Until the flaws described in the paper are more widely understood and fixed, users should arrange for the use of alternative end-to-end secure channels, such as Signal, and temporarily stop sending and especially reading PGP-encrypted email,” the advisory says.

Schnizel has promised full details on Tuesday morning at 0700 UTC. Reg operatives somewhere will be paying attention when he reveals all. ®

Updated to add

You can find out more about the vulnerabilities here, now that the embargo has lifted.

Sponsored:
Minds Mastering Machines – Call for papers now open

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/05/14/pgp_s_mime_flaws_allow_plaintext_email_access/

Security researchers have gone public with vulnerabilities in some secure mail apps that can be exploited by miscreants to decrypt intercepted PGP-encrypted messages.

The flaw, dubbed EFAIL, is present in the way some email clients handle PGP and S/MIME encrypted messages. By taking advantage of the way the applications handle HTML content of these messages, an attacker could potentially see encrypted messages as plaintext.

In other words, decrypt your secret emails.

The research team that uncovered the flaw claimed the only way to fully protect against EFAIL, right now, is to stop handling PGP and S/MIME decryption in your mail client, and fully patching it will require updates to the encryption standards themselves. Disabling the viewing of HTML content will help a lot. Even better, convert messages to plain text and read them offline in a text editor.

PGP and S/MIME decryptors can leak plaintext from emails, says infosec Professor

READ MORE

The vulnerability comes in two parts: an HTML exfiltration attack in which a snoop sends the target an email with specially crafted web mark-up language. The HTML code would then trick the victim’s email client into fetching a URL with the unencrypted message contained in plain text in the request. The attacker would then simply need to find the URL request in their web server logs to see the decoded message.

The second component, referred to as CBC/CFB gadget attack, potentially allows an attacker to send malformed data blocks that, when read by the target, would fool the email client into sending to the attacker’s server the unencrypted contents of the message.

The vulnerability has been assigned two CVE IDs. The PGP CFB gadget attack was assigned CVE-2017-17688, while the S/MIME CBC vulnerability was given CVE-2017-17689.

To mitigate the chance of a successful attack, users who rely on PGP or S/MIME for email encryption should disable the viewing of HTML emails, the eggheads stressed. That won’t fully close the flaw, but it will cut off the primary way of exploiting it.

“The EFAIL attacks abuse active content, mostly in the form of HTML images, styles, etc,” the researchers – Damian Poddebniak, Christian Dresen, Jens Müller, Fabian Ising, Sebastian Schinzel, Simon Friedberger, Juraj Somorovsky, and Jörg Schwenk – wrote.

“Disabling the presentation of incoming HTML emails in your email client will close the most prominent way of attacking EFAIL.”

Don’t panic, yet

There are also limitations to this attack. The researchers said the gadget attack technique is more effective for S/MIME than for PGP, where it only works about one third of the time.

The researchers also noted that an attacker needs full access to the target’s email account, ie: the spy has to be able to log into your inbox. Unfortunately, guarding messages from an attacker with full access to your data is one of the primary use cases for both encryption formats.

So, basically, your email account needs to be hijacked first.

So, how bad is it? Hacker House cofounder and Brit infosec pro Matthew Hickey told The Register while we’re unlikely to see widespread abuse of EFAIL, the potential for targeted attacks against journalists, corporations, activists, and academics makes it worth taking seriously.

“It’s a serious risk if you rely on PGP and S/MIME for email security which most organisations use. It is not as severe as code execution and requires HTML emails to exploit so it may not be as wide spread for attacks,” Hickey explained.

“It’s still a concern, and our advice is to disable email plugins until a fix is supplied and disable HTML emails to prevent additional attack vectors.”

Indeed, El Reg recommends opening PGP-encrypted emails in a text editor on a secured virtual machine, host, or container, depending on your level of paranoia, rather than allow encrypted HTML messages to be parsed and rendered. ®

Sponsored:
Minds Mastering Machines – Call for papers now open

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/05/14/smime_pgp_encryption_flaw_emails_vulnerable_to_snooping/

Yet another rogue Facebook app that gathered and sold “intimate” details on millions of users has come to light.

A report from New Scientist finds that the myPersonality app had been collecting and sharing the personal information for as many as three million users who had installed the app on their Facebook profile. The data has been passed to hundreds of researchers.

Look, we’re doing stuff: Facebook suspends 200 super slurper apps

READ MORE

The report notes that the app, developed by Cambridge University researchers, had advertised its data sharing as being anonymous, but poor security meant the profiles could be de-anonymized.

The app had been operating for four years when, in April of this year, Facebook suspended it, the social network confirmed.

“We suspended the mypersonality app almost a month ago because we believe that it may have violated Facebook’s policies,” Facebook VP of product partnerships Ime Archibong said in a statement provided to The Register.

“We are currently investigating the app, and if mypersonality refuses to cooperate or fails our audit, we will ban it.”

The revelation comes as Facebook is trying to rehab its image in the wake of the Cambridge Analytica scandal. Having another Cambridge-based outfit caught harvesting details from millions of users is hardly a good look for Zuck and Co..

Still, the Social Network is pulling out all the stops to sell the public on its efforts to tighten control over user information. On Monday, Archibong posted the preliminary findings of the app audit promised by Zuckerberg earlier this year.

So far, Facebook says it has already had to suspend 200 apps it found to be misusing profile information.

“We have large teams of internal and external experts working hard to investigate these apps as quickly as possible,” Archibong said.

“To date thousands of apps have been investigated and around 200 have been suspended — pending a thorough investigation into whether they did in fact misuse any data.”

While these efforts are widely considered a step in the right direction, it’s unclear if the campaign will have any lasting effect. After all, we’ve seen this before. ®

Sponsored:
Minds Mastering Machines – Call for papers now open

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/05/15/acebook_data_slurping/

An Infoblox survey shows many companies have thousands of non-business Internet of Things devices connecting to their network daily.

The task of managing unsanctioned devices on enterprise networks is becoming a whole lot harder at many organizations with the growing use of personally owned Internet of Things (IoT) products in the workplace.

Infoblox recently commissioned a survey of 1,000 IT directors in the US, UK, Germany, and the UAE to understand the security implications of shadow devices on organizational networks. Thirty-five percent of the respondents from the first three countries reported more than 5,000 non-business devices connected to their enterprise network every single day. One-third of the respondents from US, UK, and Germany reported more than 1,000 shadow-IoT devices connected to their network on a typical day.

Thirty-nine percent of the respondents from the US and UK said they used personal devices while connected to the enterprise network to access social media; 24% reported using the devices to download apps, while 13% did so to access games.

The most common unsanctioned IoT devices on enterprise networks included fitness trackers, such as Fitbit and Gear Fit; digital assistants, such as Google Home and Amazon Alexa; smart TVs; and smart kitchen devices, such as connected microwaves and kettles.

The proliferation of such devices significantly increases the security burden for organizations, says Sean Tierney, director of cyber intelligence at Infoblox. As it is, security administrators have an enormous task simply managing the sanctioned devices on the enterprise network. Over 75% of the organizations in the Infoblox survey, for instance, reported having more than 1,000 company-supplied devices, including laptops and tablets on the network.

The challenge of managing these devices has been compounded by explosion in the number of insecure and unsanctioned IoT devices being added to company networks, Tierney says. “Due to the poor security levels of many of these consumer devices, there is a very real threat posed by these connected devices operating under the radar,” he says. “These insecure and vulnerable devices present a weak entry point for cybercriminals into the network, and a serious security risk to the company.”

Data exfiltration is one major threat. Improperly secured IoT devices can provide cybercriminals an entry point for breaking into the broader enterprise network and stealing data from it via methods like DNS tunneling, for instance, Infoblox said in its report.

As Mirai demonstrated in late 2016, vulnerable IoT devices on enterprise networks can also be hijacked and used in large-scale distributed denial-of-service attacks and other malicious campaigns. In addition, IoT devices and networks themselves can become targets of malicious attacks, such as ransomware. “Whether it comes down to neglect or ignorance, it is clear that organizations cannot rely upon employees to follow their security policy for connected devices,” Tierney says.

Exacerbating the situation is how easy it is for cybercriminals to find vulnerable IoT devices on enterprise networks. Search engines like Shodan make it trivial for criminals to find connected devices and the services they might be running like HTTP, FTP, SSSH, and SNMP. In March 2018, a search that Infoblox conducted showed there were nearly 6,000 identifiable webcams openly accessible via the Web in the UK, some 2,350 smart TVs in Germany, and 1,571 Google Home devices in the US.

Many companies appear aware of the threat. Eighty-two percent of the respondents in the Infoblox survey said their employers had policies in place for dealing with connected devices. Unfortunately, there appears to be a clear disconnect between IT leaders and employees over the effectiveness of these policies.

Eighty-eight percent of IT leaders in the US and UK believed they had an effective policy in place for mitigating security risks from connected devices. But a full 24% of employees represented in the survey said they did not even know such policies existed, while a bare 20% of the people who professed knowledge of these policies actually abided by them.

“Enterprises need to do a better job of communicating the dangers that insecure devices can pose on a company network,” Tierney says. Convenience is often top of mind when users connect personal devices to the enterprise network. “Security is often an afterthought when it comes to shadow devices,” he notes. The reality is that ineffective policies can cost an organization thousands of dollars in both downtime and brand reputation in the event of a cyberattack.

“Organizations need to decide if they will approach risk through mitigation, transfer, or acceptance,” Tierney says. Effective policies should reflect the culture of the organization and employee behavior, in addition to the reality of the risk the organization is willing to accept. “Policies should also incorporate measures for determining their effectiveness through testing or monitoring,” he says.

Related Content:

• Deconstructing the Possibilities and Realities of Enterprise IoT Security
• Why Enterprises Can’t Ignore Third-Party IoT-Related Risks
• Anatomy of an Attack on the Industrial IoT
• 10 Lessons From an IoT Demo Lab 

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year … View Full Bio

Article source: https://www.darkreading.com/shadow-iot-devices-pose-a-growing-problem-for-organizations/d/d-id/1331797?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

A newly revealed vulnerability in email encryption is a big problem for a small subset of users.

Two common methods of encrypting email messages are broken and could lead to an attacker seeing every encrypted detail in plain text, according to a group of researchers in Europe. But several security experts meanwhile contend that the flaws don’t lie within the S/MIME and OpenPGP protocols but instead in certain email clients.

The research paper, “Efail: Breaking S/MIME and OpenPGP Email Encryption using Exfiltration Channels,” was written by eight researchers working at three European universities. In it, they describe a method by which an attacker can intercept an encrypted message, insert simple HTML code, and have returned to them an unencrypted version of the text.

“The EFAIL attacks exploit vulnerabilities in the OpenPGP and S/MIME standards to reveal the plaintext of encrypted emails,” write the researchers. And it is in this statement where the disagreements start: “This paper is misnamed. It’s not an attack on OpenPGP. It’s an attack on broken email clients that ignore GnuPG’s warnings and do silly things after being warned,” writes the GnuPG and Gpg4Win team in an official response to the paper.

So who’s right? “If you look at the analysis, it’s the email clients that are named as the vulnerabilities,” says Steve Malone, director of product management for messaging security services at Mimecast. “This is a fantastic piece of publicity. It sounds good and tells a great story — huge problem in global email protocols.”

The problem is, he says, “It’s been presented as a major, major security flaw, but we need to take a step back and take a look from an objective point of view.”

The attack works like this: An email client is set to automatically display images sent via HTML mail. Now, you intercept an encoded message and forward the message to the email client with one addition: Open an IMG tag in front of the encrypted piece and don’t close it until after the encrypted piece. Here’s what the code will look like:

(Image: https://efail.de)

When the image tries to automatically display on the email client, the text is decrypted, and (here’s the good part) a request for the image is sent back to the named server with the unencrypted text as part of the request string.

Email or Encryption At Fault?

Malone says that sequence shows that “It’s been played up as an earth-shattering security vulnerability, but I’d describe it as an unfortunate series of events.” 

The series includes at least one step – adding text to an encrypted message – that, according to the GnuPG team, should generate an error message. And if your email client responds as it should to that error, then there should be no decryption.

“If your email client respects this warning and does the right thing – namely, not showing you the email – then you are completely protected from the Efail attack, as it’s just a modern spin on something we started defending against almost twenty years ago,” writes Robert J. Hansen, chief author of the GnuPG group response.

That EFAIL is a vulnerability that should not have a major impact on a huge population is the consensus in several tweets today from high-profile security experts, such as Dan Guido:

Before anyone freaks out about “efail”, realize that using it would be:
1) extremely easy to detect
2) archived in your target’s email
As an attacker, I could not care less about this technique. It’s intellectually neat, but operationally stupid.https://t.co/ykJjwUBwHA

— Dan Guido (@dguido) May 14, 2018

Others on Twitter have pointed out that an effective exploit of the vulnerability involves phishing as well as traffic capture.

Disabling HTML email solves most issues regarding EFAIL. Seems to be a subset of clients that have script execution ability – probably limited to a few/not all clients. Cool attack regardless. Still need to 1. obtain access to encrypted mail, 2. phish user to open modified mail

— Dave Kennedy (ReL1K) (@HackingDave) May 14, 2018

In addition to the PGP attack, there is a very similar vulnerability described for S/MIME as well as a CBC/CFB gadget attack that makes use of similar tactics but is more complicated to pull off. In all of these cases, though, the effect of an exploit of the vulnerability is the same, and the mitigation of the three is identical.

Fixing the Problem

Different organizations and individuals have suggested various ways to mitigate the vulnerability, ranging from turning off HTML mail display to turning off automatic display and decryption, to ripping out PGP and S/MIME altogether. These actions will certainly serve to protect from the vulnerability, but they will also have a severely disruptive impact on the way many organizations and individuals use email in 2018.

At the root of the vulnerability is a set of email clients that either haven’t incorporated the latest versions of a standard or mishandle part of that standard’s operation. “This is not the first and won’t be the last example of problems with legacy components and standards that are very dated,” says Malone.

Many enterprise IT teams have either moved away from PGP and S/MIME, or never used them to begin with, so EFAIL is a nonissue for them. Individuals and smaller organizations who depend on these email encryption techniques should take a careful look at the list of affected email clients included in the paper and EFAIL website.

If your organization falls into the slice of the Venn diagram that shows the union of PGP and S/MIME users and those with affected email programs on desktops, then you should definitely take one (or more) of the remediation steps. If not, then @GossiTheDog says it well:

The attack also relies on PGP downgrade attack mitigated 18 years ago. Some niche mail clients didn’t implement that fix properly but they either already fixed or will. When we escape the echo chamber by shouting “fire” it probably shouldn’t be because we just found some matches.

— Kevin Beaumont (@GossiTheDog) May 14, 2018

Related Content:

• The Week in Crypto: Bad News for SSH, WPA2, RSA Privacy
• ROPEMAKER Attack Turns Benign Emails Hostile Post-Delivery
• A Real-Life Look into Responsible Disclosure for Security Vulnerabilities
• Encrypted Attacks Continue to Dog Perimeter Defenses

Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and … View Full Bio

Article source: https://www.darkreading.com/endpoint/privacy/efail-email-encryption-flaw-research-stirs-debate/d/d-id/1331796?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

A strong relationship between IT and security leads to strong defense, but it’s not always easy getting the two to collaborate.

The relationship between IT and information security can be difficult to navigate: there are traditionally conflicting interests and perspectives between IT, which is responsible for making sure tools and systems work, and security, which must make sure they’re protected.

Finding the right balance between accessibility and security is “a key part of the modern organization’s success,” said Juliet Okafor, senior vice president of global security solutions at Fortress Information Security, in an InteropITX presentation on the topic this month. Rigid silos between IT and security have become “a clear point of attack” leaving organizations vulnerable.

The dynamic between the two groups has changed along with technology. Back in the 1990s, security was considered a function of IT. Corporate networks had a hard perimeter; firewalls were the foundation of security. Modern enterprise computing environments have since become global, borderless, fully mobile, and more complex than ever before.

This evolution has driven new sets of challenges for both groups, said Okafor. IT is worried about data availability while security prioritizes data protection. IT focuses on system uptime; security works on system safety and control.

Culture also varies between the two. IT tends to be more agile, with shorter and more frequent maintenance windows. Operational technology, and sometimes security, typically require more time with longer maintenance periods. They don’t want systems down for periods of time, she noted; they’re operating in an environment where things have to stay up and running.

Companies are figuring out how to best position the two. An upcoming Dark Reading study on the relationship between IT and security found 37% of businesses surveyed have a distinct security department, with its own staff, within a larger IT department. Twenty-one percent have one or two security people in IT; 21% said they don’t have any people who are dedicated to security full-time. This is just a peek at the study, which will be published in July.

Thirty percent of 120 technology and security professionals report IT and security work well together and their relationship is improving. The majority (38%) says while their dynamic is generally good, it “needs some work here and there.” About one-quarter say miscommunication between the two has led to continuity or security issues.

Turf Battle

“The disparity between how IT operates, and how infosec operates, demands we take a closer look at how they’re working together,” Okafor explained. “Due to budgets, reporting structure, IT and infosec often have a tough time with competing and sharing turf.”

The CISO and security team should be given a seat the table when decisions are being made, she noted. Oftentimes they aren’t: Only 15% of respondents in Dark Reading’s study say security is at the table for the beginning of every new project, and their views are always considered critical. Twenty-eight percent say security is brought in at the start of most important projects and they have a strong voice.

However, nearly the same amount (27%) reports security is “consulted sometimes” and is usually heard “if it’s a legitimate concern.”

Technical knowledge is important but it’s not the only answer to the problem, said Okafor. What’s critical here is communication: the ability to understand and engage with the person you’re talking to. “The biggest issue with security and technology tends to be people,” she pointed out.

A key trend in bridging silos is having different team members work on problems together, she added. Give IT workers a sense of what security projects are like, for example, so they can learn about requirements and needs from the infosec side and apply those skills to other projects.

More and more, Okafor continued, success in security means knowing and understanding the business. Security professionals with business and/or liberal arts backgrounds can and should work with their IT colleagues, who have more technical expertise, to come up with more comprehensive solutions to problems. IT employees may also bring technical contributions to security teams, which may not have the same level of proficiency in Java or C++.

“The more we can bring IT people into infosec, the more the IT team, and the entire security department, benefits,” said Okafor.

Related Content:

• Calculating Cloud Cost: 8 Factors to Watch
  
• The New Security Playbook: Get the Whole Team Involved
• 5 Ways to Better Use Data in Security
• Email Security Tools Try to Keep Up with Threats

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance Technology, where she covered financial … View Full Bio

Article source: https://www.darkreading.com/endpoint/smashing-silos-and-building-bridges-in-the-it-infosec-divide/d/d-id/1331798?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Encryption is making it more difficult for law enforcement agencies to detect dangerous offenders, according the the National Crime Agency’s (NCA) yearly assessment of serious organised crime in Britain.

“Since 2010, communication service providers have migrated to encrypted services ‘by default’, a process that accelerated following the Snowden disclosures,” said the National Strategic Assessment of Serious and Organised Crime 2018.

“Now, the majority of internet traffic is encrypted and publicly available mobile device apps offer end-to-end encryption as standard.”

Although the report acknowledged this meant enhanced privacy for users, the NCA warned the use of encryption “is impacting on law enforcement’s ability to collect intelligence and evidence”.

NCA director general Lynne Owens said: “This year’s assessment shows that organised crime groups are exploiting digital technology, for instance using encryption to communicate, and dark web marketplaces to aid their activities.”

The report warned encryption built into mainstream products would continue to expand and will offer criminals enhanced protection by default, rather than design. “The pace of these developments will continue to challenge law enforcement capability and resource, with narrowing options for mitigation,” it said.

Rudd-y hell, dark web! Amber alert! UK Home Sec is on the war path for stealthy cyber-crims

READ MORE

However, the report did not cover whether the government should break encrypted services, as has been previously suggested, which could potentially lead to anyone exploiting back doors, including criminals.

On the subject of the dark web, the combination of encryption and anonymisation pose “substantial challenges to law enforcement’s collection of intelligence and evidence”, the NCA document stated.

In April, former Home Secretary Amber Rudd announced a £9m war chest to tackle crims using the darker recesses of the web for illegal activities, such as selling firearms, drugs, malware and people.

Rudd had previously spoken out about encryption, often prompting criticism due to her apparent lack of understanding.

Technologies such as virtual private networks and virtual currencies will support fast, “secure” and anonymous operating environments, facilitating all levels of criminality,” the report said.

Unsurprisingly, a number of the security services were consulted prior to publication, including MI5 and GCHQ.

Elsewhere in the report, the NCA warned the UK remained a prime destination for money laundering. “Investment in UK property, particularly in London, continues to be an attractive mechanism to launder funds,” it said. ®

Sponsored:
Minds Mastering Machines – Call for papers now open

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/05/14/encryption_hindering_law_enforcement_says_nca/

The Royal Navy, always keeping up with the times, has named its newest attack submarine HMS Agincourt, after the 1415 battle where an English army beat French troops led by its nobility.

Agincourt the boat is the seventh and final Astute-class attack sub. The nuclear-powered vessels are used primarily to defend British interests from underwater, including seeing off marauding Russian vessels near British waters and also for sneaky-beaky missions of their own into foreign waters.

The £1.5bn submarine is under construction at BAE Systems’ yard in Barrow-in-Furness, Cumbria. Defence equipment minister Guto Bebb joyously declared: “Today’s announcement includes a £60m contract for Rolls-Royce, supporting over 700 jobs here in Derby as the factory continues to make the reactors that will power our state-of-the-art Dreadnought subs into the 2060s.”

While naval-gazers had enthusiastically discussed rumours that the seventh Astute boat might fall victim to defence cuts, rumours fed by an increasingly ominous silence from the Ministry of Defence, a scoop by defence trade news website Shephard confirmed that construction was indeed going ahead, the contract having been signed back in March.

All of the Astute class are fitted with the BAE Systems-developed Core Combat System, which runs on VMware and Dell hardware inside the boat as a “miniature data centre”.

France to lend Brexit Britain sore souvenir of Norman yoke – the Bayeux Tapestry

READ MORE

The name Agincourt is mildly controversial, inasmuch as it brings to mind the famous victory of King Henry V over France at a time where the English army, which was blundering around the Pas-de-Calais countryside, was largely thought to be on its last legs and cut off from its chances to retreat back home. In the words of the king’s (fictional, thanks to Shakespeare) eve-of-battle speech, it was “we few, we happy few, we band of brothers” up against the very best France had to offer.

Through “yew bow and cloth yard shaft”, as the chroniclers of the day put it, the English and Welsh longbowmen shot a torrent of arrows into the heavily armoured French knights. The arrows’ steel points penetrated the plate armour of the French nobles and the lightly equipped English then set about the bogged-in Frenchmen, whose weighty suits of armour were totally unsuited to the heavy mud of the battlefield.

In today’s world, where the UK and France are close allies and England has given way to the United Kingdom, naming the submarine Agincourt may be seen by some as a bit of an unintentional snub, bringing to mind Henry V’s slaughter of French prisoners of war and the failed negotiations that preceded the battle over Henry’s disputed claim to the title of King of France.

Though the name has historical connotations of success for England, its Royal Navy history is rather more chequered. Five ships of the fleet have been named Agincourt throughout the centuries, most recently a Second World War-era destroyer converted to carry one of the Navy’s first anti-aircraft guided missile systems, as well as a First World War dreadnought battleship seized by the British government from the Ottoman Empire at the war’s outbreak – an act that seriously hacked off Turkey, not least because it had paid for the ship in full and was awaiting her delivery.

Agincourt will take her place in the fleet alongside sister sub HMS Artful – which brings to mind the Artful Dodger, a pickpocket in Charles Dickens’ novel Oliver Twist. ®

Sponsored:
Minds Mastering Machines – Call for papers now open

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/05/14/new_royal_navy_submarine_hms_agincourt/

F-35 maker Lockheed Martin’s UK chief has breezily dismissed the idea of Britain cutting the number of jets it is buying from the US firm.

Speaking to the Press Association, Peter Ruddock said he was “respectful” of the Ministry of Defence’s financial situation, which happens to include a whopping great big black hole to the tune of £21bn.

But he didn’t believe the MoD would reduce its planned F-35 order, on the grounds that without the full order, Britain’s two new Queen Elizabeth-class aircraft carriers would be left in a sticky situation.

“I think what we have seen in terms of the analysis that we are privy to, is that when the MoD has looked at what capabilities they need in the future, the F-35 rates very highly on that list,” Ruddock, a retired RAF air marshal who is now chief exec of Lockheed Martin UK, told the PA.

“Add that to the fact that significant money has been spent on two carriers, two very large carriers – there is a very strong commitment to having those carriers available or at least one of those carriers available at all times,” he added.

Central to the carriers’ concept of operations (the big master plan that’s supposed to make them worth their joint £6.5bn price tag) is the idea that they will carry a squadron’s worth of F-35B fighters when deployed. The supersonic stealth jets are the only modern fixed-wing fighting aircraft capable of flying from the carriers; without them, there are no other fighter jets at present that can do the job.

Though the carriers’ vast hangars and acres of deck space provide a more than adequate helicopter operating base, it is the fighter jets that put them above the abilities of ships such as ex-HMS Ocean, the recently decommissioned Royal Navy helicopter carrier. Without the jets, or with a reduced number of them aboard, the main point of the carriers is much reduced, particularly in a war-like situation.

The MoD has publicly committed to buying 138 F-35Bs, of which the first 48 should be bought, paid for and delivered by the year 2025. Currently the UK owns 15, all of which are being flight tested in America. This autumn HMS Queen Elizabeth, the first of the UK’s two new carriers, will sail across the Atlantic for flight trials with the F-35s. The first fixed-wing landing is scheduled to take place in late September with a Royal Navy pilot at the controls. ®

Sponsored:
Minds Mastering Machines – Call for papers now open

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/05/14/lockheed_f35_uk_order_numbers/