What caused the Heartbleed Bug that endangered the privacy of millions of web users this week? On one level, it looks like a simple case of human error. A software developer from Germany contributed code to the popular OpenSSL software that made a basic but easy-to-overlook mistake: the new TLS heartbeat handler trusted the length field inside the request and copied that many bytes back to the sender without checking it against the size of the record actually received, letting anyone read up to 64 KB of the server's memory per request.
The OpenSSL developer who reviewed the change didn't notice the issue either, and (if the NSA is telling the truth) neither did anyone else for more than two years. It's hard to blame those guys. OpenSSL is an open source project. As the Wall Street Journal describes it, the project is "managed by four core European programmers, only one of whom counts it as his full-time job." The OpenSSL Foundation had a budget of less than $1 million in 2013.
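To make the mistake concrete, here is a constructed example (not OpenSSL's code, and not from the article) of a heartbeat-style handler that trusts the length inside the message, next to one that checks it against the record it actually received. Process memory is modelled as a single bytearray so the over-read shows up as leaked bytes rather than undefined behaviour; the message layout, the 16-byte padding, the `demo` helper and the "secret" that follows the record in memory are all assumptions made for the demonstration.

```python
"""Constructed example, not OpenSSL's code: a heartbeat-style handler
that trusts the length field inside the message (the Heartbleed
pattern) beside one that checks it against the record actually
received. Process memory is modelled as one bytearray so the over-read
is visible rather than undefined behaviour."""
import struct

HB_REQUEST = 1
HB_RESPONSE = 2
PADDING = 16  # bytes appended after the payload, as in the TLS heartbeat format


def build_heartbeat(payload, claimed_len=None):
    """Encode type(1) | length(2, big-endian) | payload | padding.
    claimed_len lets the sender lie about the payload length."""
    length = len(payload) if claimed_len is None else claimed_len
    return struct.pack("!BH", HB_REQUEST, length) + payload + b"\x00" * PADDING


def vulnerable_handler(memory, rec_off, rec_len):
    """Trusts the attacker-supplied length: copies that many bytes from
    the payload offset onward, which can run past the record into
    whatever happens to follow it in memory. rec_len is never consulted."""
    _typ, length = struct.unpack_from("!BH", memory, rec_off)
    payload_off = rec_off + 3
    payload = bytes(memory[payload_off:payload_off + length])  # no bound against rec_len
    return struct.pack("!BH", HB_RESPONSE, length) + payload + b"\x00" * PADDING


def fixed_handler(memory, rec_off, rec_len):
    """Checks the claimed length against the record length before copying
    (the shape of the OpenSSL fix); a lying request is silently dropped."""
    if rec_len < 3 + PADDING:
        return None                    # too short to hold even a header and padding
    _typ, length = struct.unpack_from("!BH", memory, rec_off)
    if 3 + length + PADDING > rec_len:
        return None                    # claimed payload does not fit in the record
    payload_off = rec_off + 3
    payload = bytes(memory[payload_off:payload_off + length])
    return struct.pack("!BH", HB_RESPONSE, length) + payload + b"\x00" * PADDING


def demo(handler):
    """Lay out a constructed 'heap': the incoming record followed by
    unrelated data that a real server would never mean to send."""
    secret = b"session=deadbeef; user=alice; key=-----BEGIN RSA PRIVATE KEY-----"
    record = build_heartbeat(b"hi", claimed_len=60)   # 2 real bytes, claims 60
    memory = bytearray(record + secret)
    return handler(memory, 0, len(record))


if __name__ == "__main__":
    print("vulnerable:", demo(vulnerable_handler))   # echoes the secret back
    print("fixed:     ", demo(fixed_handler))        # None: request rejected
```

The vulnerable handler returns the two real payload bytes, the padding, and then 42 bytes of whatever sat after the record; the fixed one rejects the request because 3 + 60 + 16 bytes cannot fit in a 21-byte record, while an honest request with a matching length still gets its echo.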
Back in December, documents revealed the NSA had been using Google's ad-tracking cookies to follow browsers across the web, effectively coopting ad networks into surveillance networks.
A new paper from computer scientists at Princeton breaks down exactly how easy it is, even without the resources and access of the NSA. The researchers were able to reconstruct as much as 90% of a user's web activity just from passively monitoring traffic to ad-trackers like Google's DoubleClick. Crucially, they didn't need any special access to the ad data: an observer sitting on the network path sees the same tracker cookie in the clear on every unencrypted request, and that one identifier ties a user's visits together across otherwise unrelated sites. As it turns out, trackers expose a surprising amount of information to anyone watching the wire.
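The linking step, as an added example that is neither the Princeton researchers' code nor part of the original article: a passive observer groups cleartext tracker requests by the cookie they carry, and each cookie value becomes one person's browsing history. The capture, the tracker host list and the `id=` cookie format are all constructed for the demonstration.

```python
"""Constructed example (not from the Princeton paper or the article):
a passive observer who sees cleartext HTTP requests to third-party
trackers can link every page visit that carries the same tracker
cookie back to one person, even without the tracker's cooperation.
The request tuples below are made up for the demonstration."""
from collections import defaultdict
from urllib.parse import urlparse

# Constructed capture: (client_ip, Host, Referer, Cookie) as a tap
# between the user and the ISP would see them. The client address
# changes (home, cafe, phone) but the tracker cookie persists.
CAPTURE = [
    ("203.0.113.5",  "ad.doubleclick.net", "https://news.example/politics/article-1", "id=abc123"),
    ("203.0.113.5",  "ad.doubleclick.net", "https://health.example/conditions/diabetes", "id=abc123"),
    ("198.51.100.7", "ad.doubleclick.net", "https://shop.example/cart", "id=abc123"),
    ("198.51.100.7", "ad.doubleclick.net", "https://news.example/sports", "id=zzz999"),
    ("192.0.2.9",    "ad.doubleclick.net", "https://news.example/politics/article-2", "id=abc123"),
    ("192.0.2.9",    "www.news.example",   "", ""),   # first-party request, no tracker cookie
]

TRACKER_HOSTS = {"ad.doubleclick.net"}   # constructed list for the demo


def tracker_id(cookie_header):
    """Pull the pseudonymous id out of the Cookie header (constructed 'id=' format)."""
    for part in cookie_header.split(";"):
        key, _, value = part.strip().partition("=")
        if key == "id":
            return value
    return None


def reconstruct_history(capture, tracker_hosts=TRACKER_HOSTS):
    """Group observed Referer URLs by tracker cookie id: each id is one user's history."""
    history = defaultdict(list)
    for _ip, host, referer, cookie in capture:
        if host not in tracker_hosts or not referer:
            continue                      # only third-party tracker hits carry the linking id
        uid = tracker_id(cookie)
        if uid:
            history[uid].append(referer)
    return dict(history)


def linked_ips(capture, uid, tracker_hosts=TRACKER_HOSTS):
    """Every client address seen with this cookie id: the cookie ties them together."""
    return sorted({ip for ip, host, _ref, cookie in capture
                   if host in tracker_hosts and tracker_id(cookie) == uid})


def sites_visited(history, uid):
    """Distinct first-party sites the observer can attribute to this user."""
    return sorted({urlparse(url).hostname for url in history.get(uid, [])})


if __name__ == "__main__":
    hist = reconstruct_history(CAPTURE)
    for uid, pages in hist.items():
        print(uid, "->", pages, "from", linked_ips(CAPTURE, uid))
```

Nothing here required breaking into DoubleClick: the Referer tells the observer which page the user was on, the cookie tells them it was the same user, and the changing client address no longer matters.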
As businesses move toward more secure data protection and storage software in light of Edward Snowden's revelations, researchers are asking what the potentially dramatic consequences may be for the future of the Internet.
A survey of more than 1,000 business leaders across the world shows that most of them favor more secure forms of data storage as the whistleblower's disclosures continue to reverberate. Governments are responding to the trend by encouraging efforts to route regional online traffic locally rather than through the United States. Paradoxically, US high-tech giants, including Facebook and Google, may be hit hard in the coming years by a global backlash against technology "made in the USA".
Google today filled one more privacy and security hole in its Gmail email service by encrypting all message traffic between email users, the search engine giant's email servers, and its data centers.
The full HTTPS encryption move was the next logical step to protecting Gmail users from the snooping eyes of government or malicious actors. "Starting today, Gmail will always use an encrypted HTTPS connection when you check or send email. Gmail has supported HTTPS since the day it launched, and in 2010 we made HTTPS the default. Today's change means that no one can listen in on your messages as they go back and forth between you and Gmail's servers--no matter if you're using public WiFi or logging in from your computer, phone or tablet," said Nicolas Lidzborski, Gmail Security Engineering Lead, in a blog post announcing the move. The guarantee is transport encryption: it shuts out an eavesdropper on the network path, but Google itself still holds the message contents in plaintext and can be compelled to produce them, so the change is no substitute for end-to-end encryption.
Top-secret documents reveal that the National Security Agency is dramatically expanding its ability to covertly hack into computers on a mass scale by using automated systems that reduce the level of human oversight in the process.
The classified files – provided previously by NSA whistleblower Edward Snowden – contain new details about groundbreaking surveillance technology the agency has developed to infect potentially millions of computers worldwide with malware “implants.” The clandestine initiative enables the NSA to break into targeted computers and to siphon out data from foreign Internet and phone networks. The covert infrastructure that supports the hacking efforts operates from the agency’s headquarters in Fort Meade, Maryland, and from eavesdropping bases in the United Kingdom and Japan.
Apple has released a massive update to its “iOS Security” white paper for IT professionals. It contains more information on iOS security than Apple has ever shared publicly before, including extensive details on Touch ID, Data Protection, network security, application security, and nearly all security-related features, options, and protective controls.
For the first time, we have extensive details on iCloud security. For security professionals like myself, this is like waking up and finding a pot of gold sitting on my keyboard. Along with some of the most impressive security I’ve ever seen, Apple has provided a way to make it impossible for agencies like the NSA to obtain your iCloud Keychain passwords.
WhatsApp users should switch to a more secure messaging service now that it is being bought by Facebook, a German data protection commissioner urged Thursday.
Facebook announced on Wednesday that it plans to acquire WhatsApp, a mobile messaging service with about 450 million monthly users, for $12 billion in shares, $4 billion in cash as well as $3 billion in stock options. The deal could raise important data protection issues because the personal data of its users will likely be merged with Facebook data, said Thilo Weichert, data protection commissioner for the German state of Schleswig-Holstein. When communication metadata and content of both services are merged, they can be used for profiling and commercially exploited for advertising purposes, Weichert said.
On Data Protection day 2014, Vice-President Reding called for a "data protection compact for Europe" - eight principles that should govern the way data is processed by the public and the private sector.
Two years after the European Commission proposed a major reform of the EU’s data protection rules, Vice-President Reding called for full speed on data protection in 2014, saying "Europe must act decisively to establish a robust data protection framework that can be the gold standard for the world. Otherwise others will move first and impose their standards on us." Speaking about national security programmes and their implications for data protection, Vice-President Reding said it is essential that Europe get its own house in order. "National security should be invoked sparingly.
The Chaos Computer Congress is the largest offline hacker gathering in Europe. Over 9000 people came to Hamburg between Christmas and New Year's Eve to attend talks, discuss, meet up with like-minded folk, hack, make and rejoice in the abundance of LEDs.
It being a hacker conference, there was a high DIY level. The congress was organized and run by volunteers called Angels, self-organized sessions outnumbered the talks of the main program, and groups organized in Assemblies to create a home base in the sea of people. The Congress Center Hamburg building was completely pimped, its CCH logo hacked to read CCC, a temporary night club was built on the ground floor (with working water cannon!) and the congress’ rocket logo came to life in front of the entrance.
Security researchers have extracted a full 4096-bit RSA private key, one of the strongest settings in common use, from GnuPG by listening – yes, with a microphone – to a computer as it decrypts some encrypted data.
The attack is fairly simple and can be carried out with rudimentary hardware, though it does need the target to decrypt ciphertexts the attacker has chosen, for instance encrypted emails sent to the victim. The repercussions for the average computer user are minimal, but if you’re a secret agent, power user, or some other kind of encryption-using miscreant, you may want to reach for the Rammstein when decrypting your data. This acoustic cryptanalysis, carried out by Daniel Genkin, Adi Shamir (who co-invented RSA), and Eran Tromer, uses what’s known as a side-channel attack. A side channel leaks secrets not through the algorithm’s inputs and outputs but through the physical traces of running it: timing, power draw, electromagnetic emissions or, here, the high-pitched noise of the laptop’s voltage regulation changing with the operations the CPU performs. The mathematics of RSA is untouched; it is the implementation that gives the key away, which is why the mitigation is a change to the decryption code rather than to the algorithm.
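The principle behind every such attack, as an added example that is not the researchers' acoustic technique and not code from the article: if the sequence of operations depends on secret key bits, a recording of that sequence is a recording of the key. The block instruments a naive square-and-multiply exponentiation to log its operations (a stand-in for what a microphone or power probe picks up), recovers the private exponent from that log alone, and shows a Montgomery ladder emitting a key-independent log. The toy RSA parameters (p=61, q=53, e=17) are constructed and far too small for real use; the trace symbols and the function names are assumptions made for the demonstration.

```python
"""Constructed example, not the authors' acoustic attack: a
square-and-multiply modular exponentiation whose operation trace
('S' square, 'M' multiply) depends on the key bits, the recovery of
the exponent from that trace, and a Montgomery ladder whose trace
does not depend on the key."""


def modexp_square_multiply(base, exp, mod, trace):
    """Left-to-right binary exponentiation. A multiply runs only for
    1 bits, so the recorded trace encodes the exponent."""
    result = 1
    for bit in bin(exp)[2:]:            # msb first, leading 1 included
        result = (result * result) % mod
        trace.append("S")
        if bit == "1":
            result = (result * base) % mod
            trace.append("M")
    return result


def modexp_ladder(base, exp, mod, trace):
    """Montgomery ladder: one multiply and one square per bit whatever
    its value, so the operation sequence carries no key information.
    Invariant: r1 == r0 * base (mod mod) after every step."""
    r0, r1 = 1, base % mod
    for bit in bin(exp)[2:]:
        if bit == "1":
            r0 = (r0 * r1) % mod; trace.append("M")
            r1 = (r1 * r1) % mod; trace.append("S")
        else:
            r1 = (r0 * r1) % mod; trace.append("M")
            r0 = (r0 * r0) % mod; trace.append("S")
    return r0


def recover_exponent(trace):
    """Read the secret back from a square-and-multiply trace: every 'S'
    starts a new bit, and an 'M' directly after it makes that bit a 1."""
    bits = []
    for op in trace:
        if op == "S":
            bits.append("0")
        else:                           # 'M' only ever follows the square of a 1 bit
            bits[-1] = "1"
    return int("".join(bits), 2)


def attack_demo():
    """Toy RSA-style parameters (constructed, not secure): decrypt one
    ciphertext with both implementations and attack the leaky trace."""
    p, q, e = 61, 53, 17
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))   # the private exponent the attacker wants
    ciphertext = pow(42, e, n)
    leaky_trace, safe_trace = [], []
    plaintext_leaky = modexp_square_multiply(ciphertext, d, n, leaky_trace)
    plaintext_safe = modexp_ladder(ciphertext, d, n, safe_trace)
    ladder_uniform = all(safe_trace[i:i + 2] == ["M", "S"]
                         for i in range(0, len(safe_trace), 2))
    return {
        "d": d,
        "recovered_d": recover_exponent(leaky_trace),
        "plaintext_leaky": plaintext_leaky,
        "plaintext_safe": plaintext_safe,
        "ladder_uniform": ladder_uniform,
    }


if __name__ == "__main__":
    print(attack_demo())
```

Both routines decrypt correctly, but only the first one's trace can be turned back into `d`; the ladder's trace is the same "MS" pair for every bit. The real attack works at far lower bandwidth than one symbol per operation and needs chosen ciphertexts to make key-dependent patterns stand out, but the root cause it exploits is exactly this kind of secret-dependent control flow.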