dmcdev : security   857

Identifying vulnerabilities and protecting you from phishing
"Google’s Threat Analysis Group (TAG) works to counter targeted and government-backed hacking against Google and the people who use our products. Following our November update, today [Thursday 3/26/20] we’re sharing the latest insights to fight phishing, and for security teams, providing more details about our work identifying attacks against zero-day vulnerabilities...Upon reviewing phishing attempts since the beginning of this year, we’ve seen a rising number of attackers, including those from Iran and North Korea, impersonating news outlets or journalists. For example, attackers impersonate a journalist to seed false stories with other reporters to spread disinformation. In other cases, attackers will send several benign emails to build a rapport with a journalist or foreign policy expert before sending a malicious attachment in a follow up email. Government-backed attackers regularly target foreign policy experts for their research, access to the organizations they work with, and connection to fellow researchers or policymakers for subsequent attacks." - Toni Gidwani, Security Engineering Manager, Threat Analysis Group, Google

+ "A currently unpatched security vulnerability affecting iOS 13.3.1 or later prevents virtual private networks (VPNs) from encrypting all traffic and can lead to some Internet connections bypassing VPN encryption to expose users' data or leak their IP addresses.

While connections made after connecting to a VPN on your iOS device are not affected by this bug, all previously established connections will remain outside the VPN's secure tunnel as ProtonVPN disclosed...'Those at highest risk because of this security flaw are people in countries where surveillance and civil rights abuses are common,' ProtonVPN says." via Bleeping Computer: Unpatched iOS Bug Blocks VPNs From Encrypting All Traffic
otf  digisec  security  phishing  awareness  google  vuln  vulnerability 
yesterday by dmcdev
Private Internet Access announces WireGuard VPN Beta
"Private Internet Access is happy to announce that the beta client and apps now feature WireGuard® VPN support. WireGuard on our desktop clients and mobile apps are currently being rolled out to PIA beta testers. Note that this is still a beta version of PIA WireGuard support, there are still some features such as per-app connections on our Android VPN app that don’t yet work with WireGuard – but rest assured that we’re working on it! Also note that PIA will be closing signups for its mobile beta program during this WireGuard beta phase, meaning that the WireGuard beta is only available to existing beta testers." - Private Internet Access
otf  wireguard  vpn  pia  privacy  access  security 
9 days ago by dmcdev
Targeted Surveillance Attacks in Uzbekistan: An Old Threat with New Techniques
ICYMI: This Amnesty International report released last week documents targeted "phishing and spyware attacks targeting Human Rights Defenders (HRDs) from Uzbekistan," documenting what Amnesty calls "a worrying evolution in the surveillance threat facing HRDs in Uzbekistan, which now appear more sophisticated than previously documented, and able to bypass some security tools HRDs use to protect themselves against surveillance." Amnesty's investigation follows on a May 2019 report published by eQualitie analyzing phishing attacks targeting Uzbek human rights actors.
otf  uzbekistan  CentralAsia  phishing  surveillance  soviet  hrd  security  digisec  DigitalSecurity 
11 days ago by dmcdev
WireGuard Gives Linux a Faster, More Secure VPN
WIRED reports on how WireGuard, an OTF-supported project, "wins fans with its simplicity and ease of auditing":

"Many older VPN offerings are 'way too huge and complex, and it's basically impossible to overview and verify if they are secure or not,' says Jan Jonsson, CEO of VPN service provider Mullvad, which powers Firefox maker Mozilla's new VPN service. That explains some of the excitement around WireGuard, an open source VPN software and protocol that will soon be part of the Linux kernel—the heart of the open source operating system that powers everything from web servers to Android phones to cars. WireGuard, created by security researcher Jason A. Donenfeld, is smaller and simpler than most other VPN software. The first version of WireGuard contained fewer than 4,000 lines of code—compared with tens of thousands of lines in other VPN software. That doesn't make WireGuard more secure, but it makes it easier to find and fix problems." - Klint Finley, WIRED
otf  wireguard  vpn  security  access  linux 
22 days ago by dmcdev
Dangerzone Lets You Open Email Attachments Safely
"Opening email attachments from untrusted senders has long been one of the easiest ways to get hacked. But unlike other common security screwups—using 'password' for your password, downloading pirated software from shady websites—there's no practical way for a modern human to avoid opening the occasional mystery-meat attachment. Now one technologist has produced a solution. Micah Lee, the head of information security for First Look Media, plans to release an alpha version of a free tool called Dangerzone on GitHub a week from Sunday, timed to a talk about it at the Nullcon conference in Goa, India. Dangerzone is a simple quarantine program that allows anyone to sanitize untrusted documents, neutering any tracking beacons, malicious scripts, or other nastiness that those files might carry." - Andy Greenberg, WIRED
otf  dangerzone  email  encryption  security  pdf  attachment 
26 days ago by dmcdev
Let's Encrypt Has Issued a Billion Certificates
"We issued our billionth certificate on February 27, 2020. We’re going to use this big round number as an opportunity to reflect on what has changed for us, and for the Internet, leading up to this event. In particular, we want to talk about what has happened since the last time we talked about a big round number of certificates - one hundred million. One thing that’s different now is that the Web is much more encrypted than it was. In June of 2017 approximately 58% of page loads used HTTPS globally, 64% in the United States. Today 81% of page loads use HTTPS globally, and we’re at 91% in the United States! This is an incredible achievement. That’s a lot more privacy and security for everybody."
letsencrypt  encryption  https  security  cert 
4 weeks ago by dmcdev
Firefox to enable DNS-over-HTTPS by default to US users
"Mozilla will bring its new DNS-over-HTTPS security feature to all Firefox users in the U.S. by default in the coming weeks, the browser maker has confirmed. It follows a year-long effort to test the new security feature, which aims to make browsing the web more secure and private. Whenever you visit a website — even if it’s HTTPS enabled — the DNS query that converts the web address into an IP address that computers can read is usually unencrypted. DNS-over-HTTPS, or DoH, encrypts the request so that it can’t be intercepted or hijacked in order to send a user to a malicious site. These unencrypted DNS queries can also be used to snoop on which websites a user visits." - Zack Whittaker, TechCrunch

+ Mozilla's blog post announcing the rollout: Firefox continues push to bring DNS over HTTPS by default for US users
otf  mozilla  dns  doh  https  encryption  security  firefox 
4 weeks ago by dmcdev
Grindr Introduces Discreet App Icon Feature for All Users
"As part of its continued commitment to the safety and security of its users, Grindr has made its Discreet App Icon feature available to all Grindr users. The company has also released two new language versions of its Holistic Security Guide. The Discreet App Icon provides users with the option of replacing the Grindr app image on their phone with another symbol. The feature was developed in collaboration with Article 19 (the London-based human rights organization), The Guardian Project, and Grindr for Equality to help protect users when there is the possibility that someone may look at their phone and recognize that they are LGBTQ. Grindr first made the feature available in countries where gay, bi, and trans people are in the most danger, and now is launching the feature for all users." - Grindr press release
otf  grindr  lgbtq  app  security  guardian  article19 
4 weeks ago by dmcdev
How Saudi Arabia Infiltrated Twitter
"[Ali] Alzabarah and Ahmad Abouammo, a colleague on Twitter’s global media team, regularly accessed and delivered information that could’ve led Saudi intelligence to identify anonymous dissidents. While news of the allegations against them has been public since November 2019, the extent of their roles and abilities inside the company has never previously been reported. Alzabarah, Abouammo, and al-Asaker did not respond to requests for comment. Though Alzabarah fled, he and Abouammo, who remained in the US, are currently indicted in United States federal court on charges of acting as undeclared agents of the Saudi government. No matter the verdict, the case has exposed tech companies’ vulnerability to attempted foreign infiltration. One well-placed employee can potentially do extensive damage." - Alex Kantrowitz, BuzzFeed News
otf  saudi  saudiarabia  mena  twitter  social  surveillance  awareness  security 
5 weeks ago by dmcdev
EU Commission to staff: Switch to Signal messaging app
EU Commission recommends its employees use Signal "for communications between staff and people outside the institution," Politico reports. Note that OTF previously provided support for the development of Signal.

"The European Commission has told its staff to start using Signal, an end-to-end-encrypted messaging app, in a push to increase the security of its communications. The instruction appeared on internal messaging boards in early February, notifying employees that 'Signal has been selected as the recommended application for public instant messaging.' The app is favored by privacy activists because of its end-to-end encryption and open-source technology...Signal was developed in 2013 by privacy activists. It is supported by a nonprofit foundation that has the backing of WhatsApp founder Brian Acton, who had left the company in 2017 after clashing with Facebook's leadership." – Lauren Cerulus, Politico
otf  eu  signal  app  encryption  e2e  messaging  security  privacy  europe  ows  openwhispersystems 
5 weeks ago by dmcdev
Signal Is Finally Bringing Its Secure Messaging to the Masses
WIRED reports on the growth and development of Signal (an app previously supported by OTF), which "is finally reaching that mass audience it was always intended for," as Andy Greenberg writes:

"That new phase in Signal's evolution began two years ago this month. That's when WhatsApp cofounder Brian Acton, a few months removed from leaving the app he built amid post-acquisition clashes with Facebook management, injected $50 million into [Signal creator Moxie] Marlinspike's end-to-end encrypted messaging project. Acton also joined the newly created Signal Foundation as executive chairman. The pairing up made sense; WhatsApp had used Signal's open-source protocol to encrypt all WhatsApp communications end-to-end by default, and Acton had grown disaffected with what he saw as Facebook's attempts to erode WhatsApp's privacy. Since then, Marlinspike's nonprofit has put Acton's millions—and his experience building an app with billions of users—to work. After years of scraping by with just three overworked full-time staffers, the Signal Foundation now has 20 employees. For years a bare-bones texting and calling app, Signal has increasingly become a fully featured, mainstream communications platform...

'The major transition Signal has undergone is from a three-person small effort to something that is now a serious project with the capacity to do what is required to build software in the world today,' Marlinspike says."
otf  signal  whatsapp  encryption  e2e  security  privacy 
6 weeks ago by dmcdev
U.S. Officials Say Huawei Can Covertly Access Telecom Networks
"U.S. officials say Huawei Technologies Co. can covertly access mobile-phone networks around the world through 'back doors' designed for use by law enforcement, as Washington tries to persuade allies to exclude the Chinese company from their networks. Intelligence shows Huawei has had this secret capability for more than a decade, U.S. officials said. Huawei rejected the allegations. The U.S. kept the intelligence highly classified until late last year, when U.S. officials provided details to allies including the U.K. and Germany, according to officials from the three countries. That was a tactical turnabout by the U.S., which in the past had argued that it didn’t need to produce hard evidence of the threat it says Huawei poses to nations’ security." - Bojan Pancevski, Wall Street Journal

+ "China’s biggest military technology company has set up a national laboratory to research advanced policing technologies such as crime prediction and emotion recognition, giving its first wave of grants to academics across China — as well as one lab in the UK. The flagship lab, which does not have a physical presence but is a network of researchers, is owned by China Electronics Technology Group Corporation, a state-owned defence company that has longstanding partnerships with the Chinese police and military...The new lab has partnerships with China’s central police training academy in Beijing, as well as with local police in Xinjiang. Its only physical locations appear to be the Urumqi research centre and another facility in Beijing." via Financial Times: China sets up national laboratory for advanced policing
otf  china  asia  huawei  security  privacy  surveillance  police  xinjiang  uyghur 
6 weeks ago by dmcdev
Linus Torvalds pulled WireGuard VPN into the 5.6 kernel source tree
OTF-supported WireGuard is a step closer to inclusion in the next Linux release candidate after it was merged into the git repository for Linux version 5.6, Ars Technica reports: "[On Tuesday], Linux creator Linus Torvalds merged David Miller's net-next into his source tree for the Linux 5.6 kernel. This merger added plenty of new network-related drivers and features to the upcoming 5.6 kernel, with No.1 on the list being simply 'Add WireGuard.'

As previously reported, WireGuard was pulled into net-next in December—so its inclusion into Linus' 5.6 source tree isn't exactly a surprise. It does represent clearing another potential hurdle for the project; there is undoubtedly more refinement work to be done before the kernel is finalized, but with Linus having pulled it in-tree, the likelihood that it will disappear between now and 5.6's final release (expected sometime in May or early June) is vanishingly small." - Jim Salter, Ars Technica
otf  wireguard  linux  vpn  security  access  circumvention 
8 weeks ago by dmcdev
Exclusive: Hackers acting in Turkey's interests believed to be behind recent cyberattacks
"Sweeping cyberattacks targeting governments and other organizations in Europe and the Middle East are believed to be the work of hackers acting in the interests of the Turkish government, three senior Western security officials said. The hackers have attacked at least 30 organizations, including government ministries, embassies and security services as well as companies and other groups, according to a Reuters review of public internet records. Victims have included Cypriot and Greek government email services and the Iraqi government’s national security advisor, the records show. The attacks involve intercepting internet traffic to victim websites, potentially enabling hackers to obtain illicit access to the networks of government bodies and other organizations...

"The attacks highlight a weakness in a core pillar of online infrastructure that can leave victims exposed to attacks that happen outside their own networks, making them difficult to detect and defend against, cybersecurity specialists said. The hackers used a technique known as DNS hijacking, according to the Western officials and private cybersecurity experts. This involves tampering with the effective address book of the internet, called the Domain Name System (DNS), which enables computers to match website addresses with the correct server. By reconfiguring parts of this system, hackers were able to redirect visitors to imposter websites, such as a fake email service, and capture passwords and other text entered there." - Jack Stubbs, Christopher Bing, Joseph Menn, Reuters
otf  turkey  hack  dns  hijack  security  digisec  mena  europe 
8 weeks ago by dmcdev
Coming soon - the smartphone that promotes 'Russian values'
"Smartphones and other devices sold in Russia must be pre-installed with software that is morally sound and espouses traditional Russian values, according to new draft rules. President Vladimir Putin signed legislation last year requiring all smartphones, computers and smart TV sets sold in the country to come pre-installed with Russian software. The Federal Anti-Monopoly Service has now drafted guidelines outlining what kinds of software could be made mandatory. A draft government resolution seen by Reuters said such software should help with the 'formation of the priority of traditional Russian spiritual and moral values'. It must be both popular and secure. The text did not explicitly define these values, and the monopoly office did not immediately respond to a request for comment." - Tom Balmforth, Nadezhda Tsydenova, Reuters

+ Reuters: Russia blocks encrypted email service ProtonMail
otf  russia  security  awareness  digisec  surveillance  censorship 
8 weeks ago by dmcdev
Chinese hacker group caught bypassing 2FA
"Security researchers say they found evidence that a Chinese government-linked hacking group has been bypassing two-factor authentication (2FA) in a recent wave of attacks. The attacks have been attributed to a group the cyber-security industry is tracking as APT20, believed to operate at the behest of the Beijing government, Dutch cyber-security firm Fox-IT said in a report published [in mid-December]. The group's primary targets were government entities and managed service providers (MSPs). The government entities and MSPs were active in fields like aviation, healthcare, finance, insurance, energy, and even something as niche as gambling and physical locks." - Catalin Cimpanu, ZDNet

+ Wall Street Journal: China’s New Internet-Censorship Rules Highlight Role of Algorithms

+ BBC: China internet: Top talking points of 2019 and how they evaded the censors
otf  china  asia  gfw  2fa  security  algorithms  censorship 
11 weeks ago by dmcdev
Researcher Releases Data on 100,000 Phishing Attempts to Teach You How to Not Get Hacked
"A security researcher who specializes in tracking government hacking attempts published 25GB of data on 100,000 phishing attacks on Monday...Claudio Guarnieri, who works at Amnesty International and has been tracking targeted attacks against dissidents and activists for almost a decade, published the dataset to help other researchers track hackers, and to help cybersecurity educators use them as real-world examples. 'Because phishing is such a dominant threat for the targeted groups I normally work with, I have been working over the last years on a number of tools and services to mitigate and respond to such attacks,' Guarnieri, who has contributed to Motherboard, wrote in a blog post, where he shared a link to download the dataset via torrent. Guarnieri explained that the archive contains a database of phishing URLs, their corresponding HTML data, and screenshots of the phishing page." - Lorenzo Franceschi-Bicchierai, VICE
otf  phishing  security  hack  awareness  digisec 
december 2019 by dmcdev
In Hong Kong, protesters fight to stay anonymous
"For five months, images of Hong Kong’s leaderless protests have flooded out of the city and into the rest of the world. With police now treating every protest as an illegal assembly, anyone found in the streets can be found guilty under colonial-era public assembly laws. It’s impossible to arrest the entire crowd, but if you’re identified on camera, you can be singled out for punishment. More than 2,000 people have been arrested so far, and a parallel extrajudicial crackdown has targeted countless others with violence, doxxing, and online harassment. It’s led to a new struggle over how and when protesters can be identified — and what they can do to stay anonymous." - The Verge

+ The Intercept: Cybersecurity for the People: How to Protect Your Privacy at a Protest

+ Bloomberg: China’s Information War on Taiwan Ramps Up as Election Nears
otf  hongkong  hk  protest  digisec  security  asia  taiwan 
october 2019 by dmcdev
How to Start Taking Digital Security More Seriously
For Source, Emma Carew Grovum "spoke with a range of folks whose work takes place at this intersection of the internet and journalism, and I asked them what newsrooms can be doing better, both to support their staff and freelance journalists online. Larger news institutions have started to staff up their digital security teams and offer training to help their reporters minimize the damage, should they become the target of one of these attacks." Grovum spoke with Neena Kapur, senior information security analyst and Kristen Kozinski, training manager, information security, both of the New York Times; Martin Shelton, a security researcher who works with journalists at the Freedom of the Press Foundation; Chris Grant, editor in chief of Polygon; and Amanda Hickman, director of the Freelance Futures initiative at AIR Media. Among their tips and suggestions: use MFA/2FA on all your accounts, strong passwords (stored via password managers), update the software on your devices, and dox yourself (yup, really). Hiring an in-house digital security expert is also a great idea.
otf  digisec  journalism  press  security  media  news 
october 2019 by dmcdev
Hackers Tried to Compromise Phones of Tibetans Working for Dalai Lama
"Hackers tried to break into the iPhones and Android devices of several Tibetans, some working for the office of the Dalai Lama, the Central Tibetan Administration, and the Tibetan parliament, according to a new report. The hackers used exploits and spyware developed for the iOS and Android operating systems, and attempted to deliver them through carefully crafted phishing messages sent via WhatsApp, from people who pretended to be journalists, staffers of NGOs, and volunteers to Tibetan human rights groups, according to the report, published by the digital rights group Citizen Lab on Tuesday. The researchers conclude that this hacking campaign was carried out by the same hacking group that targeted the Uyghur people living in China. At the end of last month, Google detailed a shocking campaign against the Muslim minority, where hackers used several exploits that at the time were unknown (these types of hacking tools are called zero-days, given that the company who makes the software targeted has had zero days to fix them.)" - Lorenzo Franceschi-Bicchierai, Motherboard

+ Access the full Citizen Lab report here: Missing Link: Tibetan Groups Targeted with 1-Click Mobile Exploits
otf  tibet  hack  security  digisec  ios  android 
september 2019 by dmcdev
Apple Disputes Google’s Claims of a Devastating iPhone Hack
ICYMI: After Google's Project Zero published research detailing iOS exploits that were used to target Uyghur websites, Apple disputed the claim - attracting widespread criticism in the process: "In a rare move, Apple has released a statement to comment on the attacks on iPhone users revealed by Google last week. Last week, Google dropped a bombshell in the form of a long, detailed analysis of five chains of iOS vulnerabilities discovered by its security teams. Google didn’t say who was behind the attacks, nor who was targeted, but described the attack as 'indiscriminate,' and potentially hitting 'thousands' of people. Apple disagrees. Friday, Apple published a brief press release that disputes some relatively minor details that Google released about the attacks. Namely, that the attacks lasted for a shorter amount of time and that they were less widespread than Google reported...Clearly, Apple isn’t happy that Google—perhaps its fiercest competitor—discovered what is an embarrassing slew of attacks, and a dangerous example of what a country like China can do to go after an oppressed minority. Google's Project Zero has been a constant thorn in Apple's side, as it has discovered more zero-day exploits and bugs in iOS in recent years than any other entity. This, of course, is good for Apple's overall security and good for iPhone users as a whole, but the fact that Google continues to find and publish severe vulnerabilities in iOS has done damage to the perception that iPhone exploits are rare and that Apple's security team is infallible." - Lorenzo Franceschi-Bicchierai, VICE

On Twitter, former Facebook CISO Alex Stamos criticized Apple's response, saying it "...should be graded somewhere between 'disappointing' and 'disgusting'."

The original Google Project Zero research can be found in full here:

Read Apple's statement released on Friday here: A message about iOS security

EFF provides a good recap here while also considering the broader implications of how repressive states can and are using 0day exploits to target entire populations (as opposed to the "million dollar dissident"): Watering Holes and Million Dollar Dissidents: the Changing Economics of Digital Surveillance
otf  apple  google  security  uyghur  ios  iphone 
september 2019 by dmcdev
China hacked iPhones and Android devices to target Uyghur Muslims
"Hackers associated with the Chinese government compromised websites frequented by ethnic minority Uyghurs earlier this year, programming them to install monitoring implants to spy on the phones of users that visited them, according to researchers. Some of the sites had the capability to infect both Android phones and iPhones, a source familiar with multiple companies' research on the sites, some of which is not public, confirmed to CNN. It wasn't clear, however, that the sites were capable of hacking both types of phones at the same time...Researchers at the cybersecurity company Volexity, whose specialties include tracking how the Chinese government spies on Uyghurs, released a report Monday showing how certain websites tailored for a Uyghur audience would automatically hack the Android phones of some people who visit them. Called a 'watering hole' attack, the tactic allows a hacker to compromise sites their targets are likely to go to rather than seek them out directly." - Kevin Collier, CNN

The full report from security research firm Volexity can be found here: Digital Crackdown: Large-Scale Surveillance and Exploitation of Uyghurs

+ Reuters: China hacked Asian telcos to spy on Uighur travelers: sources
otf  china  uyghur  surveillance  privacy  security  asia  isp 
september 2019 by dmcdev
Chinese people are pushing back on Beijing's digital surveillance
"In the face of mounting pressure on personal freedom, Chinese internet users appear to be trying more actively to push back against tightening digital surveillance from Beijing. On both Chinese and foreign websites, discussions, tips and software hacks to combat the government’s grip over cyberspace have picked up in recent months. The advice represents a rare wave of resistance to the government’s use of intrusive surveillance tools to gather data on its citizens, and comes as a number of recent media reports have reignited the fears of many that they could face repercussions for seeking out content deemed 'sensitive' by the ruling Communist party. People in China are already aware that their online communications, even messages sent in private chats, are subject to monitoring and censorship. But recently, there has been a string of events that have left many worried that surveillance is becoming even more intrusive. There’s been coverage about phone-monitoring apps being installed on citizens’ devices, along with widely shared reports of police in Beijing conducting checks on people’s mobile phones, as well as accounts from some Chinese Twitter users on being questioned (link in Chinese) by the police for accessing the banned social network in China." - Jane Li, Quartz
otf  china  asia  security  awareness  circumvention  censorship  gfw  surveillance 
august 2019 by dmcdev
How phishing attacks trick our brains
"It’s simple and effective: getting someone to click a malicious link in an email and enter private information such as a password is the most important skill in many hackers’ toolkits. Phishing is the most common form of cyberattack and still growing. And the reason it’s so effective, according to research being done at Google and the University of Florida, is that it takes advantage of how the human brain works—and, crucially, how people fail to detect deception, depending on factors like emotional intelligence, cognitive motivation, mood, hormones, and even the victim’s personality." - Patrick Howell O'Neill, MIT Technology Review
otf  phish  hack  security  digisec  awareness  safety 
august 2019 by dmcdev
Kazakhstan halts introduction of internet surveillance system
"Kazakhstan has halted the implementation of an internet surveillance system criticized by lawyers as illegal, with the government describing its initial rollout as a test. Mobile phone operators in the oil-rich Central Asian nation’s capital, Nur-Sultan, had asked customers to install an encryption certificate on their devices or risk losing internet access...Several Kazakh lawyers said this week they had sued the country’s three mobile operators, arguing that restricting internet access to those who refused to install the certificate would be illegal. But late on Tuesday, Kazakhstan’s State Security Committee said in a statement that the certificate rollout was simply a test which has now been completed. Users can remove the certificate and use internet as usual, it said." - Reuters
otf  Kazakhstan  https  security  centralasia  surveillance  privacy 
august 2019 by dmcdev
CPJ Launches Digital Safety Kit
The Committee to Protect Journalists released a new digital security guide this week. CPJ's Digital Safety Kit is designed "for journalists looking to better protect themselves, their sources, and their information. The kit, produced by CPJ's Emergencies Response Team, combines six bite-sized safety notes on different topics in an accessible format that is easy to digest." Among the recommendations are OTF-supported tools including Signal, Tor, Tails, and Mailvelope. The guide includes basic best-practice tips on topics like securing accounts and devices, protecting against phishing, and how to use the Internet more securely, and is available in English, French, Spanish, and Russian.
otf  cpj  guide  digisec  security  journalism  media  press  safety 
august 2019 by dmcdev
Kazakhstan government is now intercepting all HTTPS traffic
"Starting Wednesday, July 17, 2019, the Kazakhstan government has started intercepting all HTTPS internet traffic inside its borders. Local internet service providers (ISPs) have been instructed by the local government to force their respective users into installing a government-issued certificate on all devices, and in every browser. The certificate, once installed, will allow local government agencies to decrypt users' HTTPS traffic, look at its content, encrypt it again with their certificate, and send it to its destination...In a statement posted on its website, the Kazakh Ministry of Digital Development, Innovation and Aerospace said only internet users in Kazakhstan's capital of Nur-Sultan will have to install the certificate; however, users from all across the country reported being blocked from accessing the internet until they installed the government's certificate. Some users also received SMS messages on their smartphones about having to install the certificates, according to local media." - Catalin Cimpanu, ZDNet

+ In a statement, the Committee to Protect Journalists (CPJ) said that the "security measure looks much more like an attempt to increase the government's censorship and surveillance capabilities": Kazakhstan government-backed security certificate raises censorship, surveillance concerns
otf  Kazakhstan  centralasia  security  mitm  https  encryption  surveillance 
july 2019 by dmcdev
China’s Huawei secretly helped build North Korea’s wireless network, documents reveal
"Huawei Technologies Co., the Chinese tech giant embroiled in President Trump’s trade war with China and blacklisted as a national security threat, secretly helped the North Korean government build and maintain the country’s commercial wireless network, according to internal documents obtained by The Washington Post and people familiar with the arrangement. Huawei partnered with a Chinese state-owned firm, Panda International Information Technology Co. Ltd., on a variety of projects there spanning at least eight years, according to past work orders, contracts and detailed spreadsheets taken from a database that charts the company’s telecom operations worldwide. The arrangement made it difficult to discern Huawei’s involvement." - Ellen Nakashima, Gerry Shih and John Hudson, Washington Post

+ 38 North: North Korea’s Koryolink: Built for Surveillance and Control
otf  china  huawei  northkorea  network  security  asia 
july 2019 by dmcdev
Brushing Off Security Concerns, Telecoms Minister Touts Iranian-Made Mobile Phone Operating System
"Telecommunications Minister Mohammad Javad Azari Jahromi announced on July 7, 2019, the development of an Iranian-made version of the Android operating system (OS) by a team of students at the Sharif University of Technology in Tehran. Taking into account the Iranian government’s documented history of monitoring and collecting private online user data, particularly from apps and websites with servers based in Iran, the 'Aria Mini' OS could come equipped with a range of security issues. The Center for Human Rights in Iran (CHRI) cannot independently verify claims about Aria Mini as it is not currently publicly accessible. However, the announcement of its development came soon after the Iranian government blocked access to a website that allows developers to download a raw version of the Android OS to develop their own versions. This strengthens the possibility that the government aims to ultimately force all Android users in the country to use Aria Mini." - Center for Human Rights in Iran

+ Radio Farda: Iran Cuts Internet Access To Prevent Cheating In University Exams
otf  iran  mena  android  security  access 
july 2019 by dmcdev
Anti-Virus Companies Now Flag Malware China Installs on Tourists’ Phones
Following a collaborative report published Tuesday analyzing the 'BXAQ' app used by Chinese authorities to collect large amounts of data and scan for banned content from tourists' and other visitors' phones when crossing borders in Xinjiang, "[m]ultiple antivirus companies are now explicitly flagging in their products an app that Chinese authorities were planting onto the phones of tourists at the country's border," Motherboard reports. Author Joseph Cox added that "how effective a piece of antivirus software is really going to be against a border official with physical access to your phone is questionable," while noting that "we did hear about authorities not searching some devices if too difficult."
otf  xinjiang  uyghur  privacy  security  bxaq  china  asia 
july 2019 by dmcdev
For two hours, a large chunk of European mobile traffic was rerouted through China
"For more than two hours on Thursday, June 6, a large chunk of European mobile traffic was rerouted through the infrastructure of China Telecom, China's third-largest telco and internet service provider (ISP).

The incident occurred because of a BGP route leak at Swiss data center colocation company Safe Host, which accidentally leaked over 70,000 routes from its internal routing table to the Chinese ISP.

The Border Gateway Protocol (BGP), which is used to reroute traffic at the ISP level, has been known to be problematic to work with, and BGP leaks happen all the time.

However, there are safeguards and safety procedures that providers usually set up to prevent BGP route leaks from influencing each other's networks.

But instead of ignoring the BGP leak, China Telecom re-announced Safe Host's routes as its own, and by doing so, interposed itself as one of the shortest ways to reach Safe Host's network and other nearby European telcos and ISPs." - Catalin Cimpanu, ZDNet
otf  china  bgp  chinatelecom  security  routing 
june 2019 by dmcdev
WhatsApp voice calls used to inject Israeli spyware on phones
"A vulnerability in the messaging app WhatsApp has allowed attackers to inject commercial Israeli spyware on to phones, the company and a spyware technology dealer said. WhatsApp, which is used by 1.5bn people worldwide, discovered in early May that attackers were able to install surveillance software on to both iPhones and Android phones by ringing up targets using the app’s phone call function. The malicious code, developed by the secretive Israeli company NSO Group, could be transmitted even if users did not answer their phones, and the calls often disappeared from call logs...As late as Sunday, as WhatsApp engineers raced to close the loophole, a UK-based human rights lawyer’s phone was targeted using the same method. Researchers at the University of Toronto’s Citizen Lab said they believed that the spyware attack on Sunday was linked to the same vulnerability that WhatsApp was trying to patch." - Mehul Srivastava, Financial Times
otf  whatsapp  security  awareness  hack  nsogroup  digisec 
may 2019 by dmcdev
Google announces Adiantum: Encryption for the Next Billion Users
Google explains on its security blog: "Storage encryption protects your data if your phone falls into someone else's hands. Adiantum is an innovation in cryptography designed to make storage encryption more efficient for devices without cryptographic acceleration, to ensure that all devices can be encrypted."

The post explains the obstacle to encrypting every device: the cipher most Android devices use for storage encryption, AES, is fast only when the processor has hardware acceleration for it (the ARMv8 Cryptography Extensions), and on low-end devices that lack it the slowdown is bad enough that encryption has not been required. Adiantum addresses this by building storage encryption around the ChaCha stream cipher, which is fast in plain software, with a single AES invocation per disk sector, so that the same encrypted-by-default policy can apply to entry-level phones. For more technical background, read the blog post or check out this research paper explaining how it works.
google  encryption  security  privacy 
february 2019 by dmcdev
Google Made a Quiz to See if You Can Identify Phishing Emails
Can you spot a phishing attempt from a legitimate email? Google's Jigsaw made a quiz to help you discern between the two. The quiz is eight questions long and shows several realistic looking emails containing various attachments, links, and invitations, and you need to assess their legitimacy.

Phish or no? Take the quiz here:
otf  google  phish  phishing  digisec  awareness  security 
january 2019 by dmcdev
When Best Practice Isn’t Good Enough: Large Campaigns of Phishing Attacks in Middle East and North Africa Target Privacy-Conscious Users
A new report from Amnesty International details how hackers have been able to successfully phish "hundreds of Google and Yahoo" email accounts in a campaign focusing on users in the MENA region. Users of email providers Tutanota and ProtonMail were also targeted in another campaign.

Motherboard reports: "If you’re an at risk user, that extra two-factor security code sent to your phone may not be enough to protect your email account. Hackers can bypass these protections, as we’ve seen with leaked NSA documents on how Russian hackers targeted US voting infrastructure companies. But a new Amnesty International report gives more insight into how some hackers break into Gmail and Yahoo accounts at scale, even those with two-factor authentication (2FA) enabled. They do this by automating the entire process, with a phishing page not only asking a victim for their password, but triggering a 2FA code that is sent to the target’s phone. That code is also phished, and then entered into the legitimate site so the hacker can login and steal the account. The news acts as a reminder that although 2FA is generally a good idea, hackers can still phish certain forms of 2FA, such as those that send a code or token over text message, with some users likely needing to switch to a more robust method."

+ Certfa last week published a report on "the latest wave of organized phishing attacks by Iranian state-backed hackers," with targets including "individuals who are involved in economic and military sanctions against the Islamic Republic of Iran as well as politicians, civil and human rights activists and journalists around the world."
otf  iran  hacking  2fa  security  email  mena  activist  hrd 
december 2018 by dmcdev
Why Did Telegram Warn Users That Iranian Versions of the Telegram App—Talaeii and Hotgram—Are “Unsafe”? – @ICHRI
The Center for Human Rights in Iran (CHRI) "welcomes" a recent move by Telegram to issue a warning to Iran-based users connecting to the messaging app through "client apps" like Talaeii and Hotgram, which security experts have long called insecure and "unsafe."

"Warning! The app you are using was not made by Telegram and is unsafe. We can only guarantee your safety if you use official Telegram apps,” said a message that appeared when users first logged on to the apps on December 15, 2018. The Center for Human Rights in Iran (CHRI) welcomes this move by Telegram. Five months before the company issued the warning, and again a week before the advisory was issued, CHRI had reached out to Telegram urging it to inform users that the Iranian government can access and monitor private user activities on the modified Telegram Talaeii and Hotgram apps."
otf  iran  telegram  mena  security 
december 2018 by dmcdev
Many free mobile VPN apps are based in China or have Chinese ownership
"Roughly 60 percent of the top free mobile VPN apps returned by Google Play Store and Apple Play Store searches are from developers based in China or with Chinese ownership, raising serious concerns about data privacy, a study published today has revealed...The researcher [Simon Migliano, Head of Research at Metric Labs] says he analyzed the top 20 free VPN apps that appear in searches for VPN apps on the Google and Apple mobile app stores, for both the US and UK locales. He says that 17 of the 30 apps he analyzed (10 apps appeared on both stores) had formal links to China, either being a legally registered Chinese entity or by having Chinese ownership, based on business registration and shareholder information Migliano shared with ZDNet." - Catalin Cimpanu, ZDNet
otf  china  vpn  access  awareness  security  asia  gifw 
november 2018 by dmcdev
'The inmates have taken over the asylum': DNS godfather blasts DNS over HTTPS adoption
Sara Dickinson of the OTF-supported DNS Privacy project was quoted in this Register piece on the Internet Engineering Task Force (IETF)'s adoption of DNS-over-HTTPS (or DoH) as a standard, now published as RFC 8484.

From the article: "Mozilla's Daniel Stenberg wrote at the end of last week, the main reason the controversy exists is that the DNS world has failed for decades to act to preserve user privacy.

'To me, DoH is partly necessary because the 'DNS world' has failed to ship and deploy secure and safe name lookups to the masses and this is the one way applications 'one layer up' can still secure our users.'

That echoes what DNS privacy expert Sara Dickinson (author of DoT test platform Stubby) said in a July interview with the Council of European National Top-Level Domain Registries. The industry, she said, brought DoH on itself by being slow to react. 'The browsers are just walking straight in, because if they were already getting what they needed from DNS, they might be less eager to go down the DoH route. However, they are just not getting what they need, and I think they kind of feel they never will.'

It is just as likely that DoT-versus-DoH will be solved by user or provider choices, since both are being deployed, as is documented by the DNS Privacy Project."
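What the two transports in the article actually put on the wire, as an added example that is not code from the Register piece, from Stubby or from the DNS Privacy Project. It builds a minimal wire-format query, shows the RFC 8484 GET and POST encodings for DoH and the RFC 7858 length-prefixed framing for DoT, and parses a constructed response (the response bytes, the transaction ID and the address are sample values, not a capture). The TLS and HTTP/2 layers themselves are left to the client library; what differs between DoH and DoT is only the framing shown here.

```python
from __future__ import annotations

import base64
import struct


def build_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Minimal RFC 1035 wire-format query: QTYPE 1 = A, QCLASS 1 = IN, RD bit set."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack(">HH", qtype, 1)


def doh_get_path(msg: bytes) -> str:
    """RFC 8484 section 4.1: GET carries the message in ?dns= as base64url with padding removed."""
    return "/dns-query?dns=" + base64.urlsafe_b64encode(msg).rstrip(b"=").decode("ascii")


def doh_post(msg: bytes) -> tuple[dict, bytes]:
    """RFC 8484 section 4.1: POST sends the raw message with media type application/dns-message."""
    headers = {"Content-Type": "application/dns-message", "Accept": "application/dns-message"}
    return headers, msg


def dot_frame(msg: bytes) -> bytes:
    """RFC 7858: DoT uses DNS-over-TCP framing (2-byte big-endian length) inside TLS on port 853."""
    return struct.pack(">H", len(msg)) + msg


def _read_name(msg: bytes, off: int) -> tuple[str, int]:
    """Decode a possibly compressed name; return (name, offset just past the name in the message)."""
    labels, jumped, end = [], False, off
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                      # compression pointer, RFC 1035 4.1.4
            ptr = struct.unpack(">H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            off, jumped = ptr, True
            continue
        if length == 0:
            if not jumped:
                end = off + 1
            return ".".join(labels), end
        labels.append(msg[off + 1:off + 1 + length].decode("ascii"))
        off += 1 + length


def parse_a_records(msg: bytes) -> list[str]:
    """Return the IPv4 addresses in the answer section of a response message."""
    _txid, _flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        _, off = _read_name(msg, off)
        off += 4                                       # QTYPE + QCLASS
    addrs = []
    for _ in range(an):
        _, off = _read_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in msg[off:off + 4]))
        off += rdlen
    return addrs


# Constructed sample response (not captured traffic): one A record for the query above.
SAMPLE_RESPONSE = (
    struct.pack(">HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)       # QR=1 RD=1 RA=1, NOERROR
    + b"\x07example\x03com\x00" + struct.pack(">HH", 1, 1)    # echoed question
    + b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 300, 4) + bytes([93, 184, 216, 34])
)

if __name__ == "__main__":
    q = build_query("example.com")
    print("DoH GET :", doh_get_path(q))
    print("DoH POST:", doh_post(q)[0])
    print("DoT     :", dot_frame(q).hex())
    print("answer  :", parse_a_records(SAMPLE_RESPONSE))
```

The framing is the whole argument in miniature: DoT has its own port, so a network operator can block or inspect it with a single port rule, while a DoH query on port 443 is, to a middlebox, one more HTTPS request to a host the user was probably going to talk to anyway. That is exactly the property the browsers wanted and the operators quoted in the article objected to.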
dns  dnsprivacy  projectmentions  https  encryption  privacy  security  core  cif 
october 2018 by dmcdev
The Big Hack: How China Used a Tiny Chip to Infiltrate U.S. Companies
It's the stuff of sci-fi thrillers: an upstream supply-chain attack affecting technology (a tiny microchip) relied upon by scores of big tech companies - including Amazon and Apple, among "almost 30 U.S. companies," Bloomberg reports. (Apple, Amazon and Supermicro all publicly denied the report, and its central claims have not been independently confirmed.)

"Nested on the servers’ motherboards, the testers found a tiny microchip, not much bigger than a grain of rice, that wasn’t part of the boards’ original design. Amazon reported the discovery to U.S. authorities, sending a shudder through the intelligence community...During the ensuing top-secret probe, which remains open more than three years later, investigators determined that the chips allowed the attackers to create a stealth doorway into any network that included the altered machines. Multiple people familiar with the matter say investigators found that the chips had been inserted at factories run by manufacturing subcontractors in China. This attack was something graver than the software-based incidents the world has grown accustomed to seeing. Hardware hacks are more difficult to pull off and potentially more devastating, promising the kind of long-term, stealth access that spy agencies are willing to invest millions of dollars and many years to get."
china  microchip  supplychain  security  asia 
october 2018 by dmcdev
News From Deflect Labs: DDoS attacks against Vietnamese Civil Society - @eQualitie
New research published through eQualitie's Deflect Labs, which provides website security services to civil society organizations, identifies "10 different DDoS attacks targeting two Vietnamese websites protected by Deflect between the 17th of April and 15th of June 2018." eQualitie found that the IP addresses used in the DDoS attacks during this period were common to those used in a June 2018 DDoS attack on websites that were "critical against the Vietnam cybersecurity law," as analyzed by Qurium in July 2018. eQualitie notes that the DDoS attacks "happened in the context of an important lack of Internet Freedom in Vietnam with regular online attacks against activists and independent media." eQualitie breaks down the attacks, sorting them into "four different groups sharing the same Tactics, Techniques, and Procedures (TTPs)," finding that the two sites "have common enemies even if they have different political perspectives." The full report further analyzes the source of the attacks as identified by IP address, origin countries, and the frequency of attacks by each group.
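The infrastructure-overlap part of that analysis, as an added example (not Deflect Labs' or Qurium's code, and the attack names and source addresses are constructed placeholders from documentation ranges, not data from the report): given the set of source IPs seen in each attack wave, it scores every pair by Jaccard overlap, links waves that share enough infrastructure into groups with a union-find, and reports the addresses common to every wave in a group. The report also grouped on other TTPs (timing, request patterns, user agents); only the IP dimension is shown here.

```python
from itertools import combinations

# Constructed sample: source addresses observed in each attack wave (placeholders, not report data).
ATTACKS = {
    "site-A 2018-04-17": {"203.0.113.10", "203.0.113.11", "203.0.113.12", "198.51.100.5"},
    "site-A 2018-05-02": {"203.0.113.10", "203.0.113.12", "198.51.100.5", "198.51.100.6"},
    "site-B 2018-05-20": {"203.0.113.11", "203.0.113.12", "198.51.100.5"},
    "site-B 2018-06-15": {"192.0.2.40", "192.0.2.41", "192.0.2.42"},
    "qurium 2018-06":    {"192.0.2.40", "192.0.2.41", "192.0.2.77"},
}


def jaccard(a: set, b: set) -> float:
    """Share of the combined address space that both waves used; 0 when they share nothing."""
    return len(a & b) / len(a | b) if a | b else 0.0


def cluster_attacks(attacks: dict, threshold: float = 0.3) -> list:
    """Link waves whose overlap meets the threshold (union-find) and return the groups, sorted."""
    parent = {name: name for name in attacks}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]          # path halving keeps the forest shallow
            x = parent[x]
        return x

    for a, b in combinations(attacks, 2):
        if jaccard(attacks[a], attacks[b]) >= threshold:
            parent[find(a)] = find(b)
    groups = {}
    for name in attacks:
        groups.setdefault(find(name), []).append(name)
    return sorted(sorted(g) for g in groups.values())


def shared_infrastructure(attacks: dict, group: list) -> set:
    """Addresses present in every wave of a group: the reused core of that operator's botnet."""
    return set.intersection(*(attacks[n] for n in group))


if __name__ == "__main__":
    for group in cluster_attacks(ATTACKS):
        print(group, "->", sorted(shared_infrastructure(ATTACKS, group)))
```

Run on the sample, the first group spans both "sites" (the "common enemies" finding) and the second ties one wave to the Qurium incident. The threshold matters: shared consumer-ISP addresses and open proxies inflate overlap between unrelated attacks, so in practice you would first drop addresses that appear in a large fraction of all waves before scoring.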
otf  vietnam  ddos  security  defect  equalitie  digisec  digitalsecurity 
september 2018 by dmcdev
Research: "Chinese Cyberespionage Originating From Tsinghua University Infrastructure"
New analysis by Recorded Future's Insikt Group takes a look at malware targeting the Tibetan community, finding "a novel Linux backdoor called 'ext4' deployed against the same Tibetan victim group" identified by Recorded Future in a previous report, which focused on a series of espionage campaigns dubbed "RedAlpha." Recorded Future found after analyzing the "highly sophisticated" backdoor that the campaigns were emanating from an IP address associated with Tsinghua University infrastructure that was engaged in "targeting many geopolitical organizations" abroad, in both the public and private sectors. The campaigns appear to coincide with relevant political events, such as protests in Tibet and changes in trade relations between China and other countries, such as Kenya, Brazil, and the US (specifically, the state of Alaska).

Read the full analysis (pdf) here.
tibet  china  asia  malware  security  gfw  research 
august 2018 by dmcdev
The Uncertain Effects of HTTPS Adoption on Access to Information Worldwide
With the release of Google Chrome version 68, visiting an unencrypted ("HTTP") site will prompt a "not secure" warning. The update reflects the gradual migration from HTTP to the more secure HTTPS encryption protocol, and while the benefits for users' privacy and security are significant, "the implications of this global trend on Internet filtering and access to information are mixed," writes Berkman Klein Center Research Associate Casey Tilton, as government censors must take an all-or-nothing approach to blocking websites that can result in an "overblocking" of certain sites. In Iran, for example, the move to HTTPS has increased access to information since "the Iranian government has not blocked the entirety of Wikipedia since the platform transitioned to HTTPS in June 2015 despite the censors having blocked hundreds of specific Persian-language articles before 2015." Turkey, however, has blocked Wikipedia in its entirety since April 2017 over "a few offending articles."

"For example, before Wikipedia implemented HTTPS in 2015, governments could filter specific Wikipedia articles while allowing access to the vast majority of content on Wikipedia," Tilton writes. "HTTPS makes this type of fine-tuned filtering very difficult, which poses a challenge to government censors. Now that social media platforms and many news sites are encrypted, censors have a hard decision to make: do they block the entirety of popular platforms like Wikipedia, Facebook, or Medium because of a few offending articles or pages? Or do they allow all of the content to remain accessible?...If the current popularity and ubiquity of social media platforms are any indication, the overall share of content hosted by centralized, encrypted social media and publishing platforms will likely continue to grow in the future. And if so, it will become increasingly difficult for a government to censor the content it deems objectionable while avoiding the collateral damage that comes with blocking entire platforms."
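Why the censor's choice becomes all-or-nothing, as an added example that is not from Tilton's piece or the Berkman Klein Center: a toy URL-level filter applied to a constructed plaintext HTTP request and to a constructed TLS ClientHello for the same site. Over HTTP the filter sees host and path and can drop one article; over TLS the only name on the wire is the server_name (SNI) extension, so the same rule can only be applied to the whole host. The blocklist entry, request and handshake bytes are all made up for the example.

```python
import os
import struct

# Constructed rule: the censor wants one article gone, not the whole site.
BLOCKLIST = {("en.wikipedia.org", "/wiki/Some_disputed_article")}


def http_target(data: bytes):
    """Plaintext HTTP: request line plus Host header hand the censor both host and path."""
    head = data.split(b"\r\n\r\n", 1)[0].decode("ascii", "replace").split("\r\n")
    _method, path, _version = head[0].split(" ", 2)
    host = next((h.split(":", 1)[1].strip() for h in head[1:] if h.lower().startswith("host:")), None)
    return host, path


def tls_sni(data: bytes):
    """TLS ClientHello: only the server_name extension (RFC 6066) is readable; the path is in the tunnel."""
    if data[0] != 0x16 or data[5] != 0x01:                 # handshake record carrying a ClientHello
        return None
    off = 5 + 4 + 2 + 32                                   # record hdr, handshake hdr, version, random
    off += 1 + data[off]                                   # session id
    off += 2 + struct.unpack(">H", data[off:off + 2])[0]   # cipher suites
    off += 1 + data[off]                                   # compression methods
    ext_end = off + 2 + struct.unpack(">H", data[off:off + 2])[0]
    off += 2
    while off + 4 <= ext_end:
        etype, elen = struct.unpack(">HH", data[off:off + 4])
        off += 4
        if etype == 0:                                     # server_name: list len(2), type(1), name len(2), name
            name_len = struct.unpack(">H", data[off + 3:off + 5])[0]
            return data[off + 5:off + 5 + name_len].decode("ascii")
        off += elen
    return None


def censor_decision(data: bytes) -> str:
    """What a URL-granular blocklist can do with each kind of packet."""
    if data.startswith((b"GET ", b"POST ")):
        host, path = http_target(data)
        return "drop this request" if (host, path) in BLOCKLIST else "allow"
    host = tls_sni(data)
    if host is not None and any(h == host for h, _ in BLOCKLIST):
        return "block all of %s or allow all of it; the path is encrypted" % host
    return "allow"


def make_client_hello(server_name: str) -> bytes:
    """Minimal TLS 1.2 ClientHello with one cipher suite and only an SNI extension (constructed)."""
    name = server_name.encode("ascii")
    sni_list = b"\x00" + struct.pack(">H", len(name)) + name          # host_name type, length, name
    sni_ext = struct.pack(">HH", 0, len(sni_list) + 2) + struct.pack(">H", len(sni_list)) + sni_list
    body = (b"\x03\x03" + os.urandom(32) + b"\x00"                    # version, random, empty session id
            + struct.pack(">H", 2) + b"\xc0\x2f"                       # one cipher suite
            + b"\x01\x00"                                              # compression: null only
            + struct.pack(">H", len(sni_ext)) + sni_ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack(">H", len(handshake)) + handshake


# Constructed request, not a capture.
HTTP_REQUEST = b"GET /wiki/Some_disputed_article HTTP/1.1\r\nHost: en.wikipedia.org\r\n\r\n"

if __name__ == "__main__":
    print(censor_decision(HTTP_REQUEST))
    print(censor_decision(make_client_hello("en.wikipedia.org")))
```

The SNI is the one plaintext name left in the handshake, which is why it has become the main DPI hook for domain-level blocking and why later work on encrypting it (ESNI, now Encrypted Client Hello) is relevant to the same access question.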
otf  https  chrome  encryption  security  privacy  access  berkman 
august 2018 by dmcdev
.@certfalab research analyzes PushIran.DL malware, a "botnet of fraudulent advertising in Iran" affecting millions of Android devices
A new report by CERTFA (Computer Emergency Response Team in Farsi) analyzes PushIran.DL, a malware group that "has in effect created a major advertising botnet that can be distributed and used in various ways to exploit users" in Iran. These criminal activities "are costing Iranian smartphone users billions of Iranian Rials (millions of US dollars) each year," the group says, noting that the PushIran.DL malware is "largely" detectable via well-known commercial anti-virus software platforms. CERTFA estimates that "more than 10 million" Iran-based Android devices are infected and notes that while the malware has been utilized to serve up ads to users, there exists the potential for more malicious uses in the future.   

CERTFA describes the malware family as "a family of fake and destructive Android apps which are distributed across Iran’s mobile network — whether through Telegram Messenger or other Android malware — by playing different tricks, including distributing downloaders and adult apps, and by sending text messages and deceptive notification ads in other mobile apps...No accurate data about the full extent of infection of mobile devices by PushIran.DL is available, but we believe that more than 10 million Android devices in Iran have been infected...The developers of these malwares have used this data for advertisement but in the near future, it is very possible that they will use it for more destructive purposes, such as the implementation of phishing attacks, the release of ransomware and as cryptocurrency extractors."

- In other buggy news, NYU researchers suggest that if you want to hide the real bugs, try adding a whole bunch of fake bugs (Motherboard). Galaxy brain!
otf  iran  malware  security  research  mena  android  certfa 
august 2018 by dmcdev
Familiar Feeling: A Malware Campaign Targeting the Tibetan Diaspora Resurfaces - @CitizenLab
A new Citizen Lab report analyzes the “Resurfaced Campaign,” a sophisticated malware campaign that operated between January and March 2018 and which was aimed at Tibetan activists, journalists, members of the Tibetan Parliament in exile, and the Central Tibetan Administration (Tibet's India-based exile government). The report includes an investigation of a compromised Tibet-focused NGO targeted by the malware, a look at the challenges involved with investigating "closed espionage ecosystems," and connects the dots between this campaign and previous, similar ones also targeting Tibetan groups.

From the report: "In January 2018, a Tibetan activist received a mundane-looking email purporting to be program updates from a human rights NGO. Attached to the message were a PowerPoint presentation and a document. The activist, like many in the Tibetan diaspora, had grown wary of unsolicited emails with attachments, and instead of opening the documents, shared the files with Citizen Lab researchers. The suspicion was warranted: the attachments were malicious. If clicked, the files would run recent exploits to infect Windows computers with custom malware. This email was the start of a malware campaign active between January to March 2018 that targeted Tibetan activists, journalists, members of the Tibetan Parliament in exile, and the Central Tibetan Administration. We worked closely with the targeted groups to collect the malicious messages, and also engaged in incident response with a compromised organization. This collaboration enabled us to gain further insights into the tactics, techniques, and procedures used by the operators."

- In a Council on Foreign Relations Net Politics blog post, Citizen Lab fellow Lennart Maschmeyer discusses the report within the broader context of how civil society organizations are particularly susceptible to nation-state level threats, as they "lack resources to build up resilience and enlist outside help, rendering them highly vulnerable."
otf  tibet  china  asia  citizenlab  research  malware  cso  CivilSociety  awareness  security 
august 2018 by dmcdev
Apple Comes Under Media Fire in China
Last week, Chinese state media - through at least five media outlets both in print and television - began criticizing Apple for not filtering out "prohibited content" on its iMessage platform, while also allowing "illegal gambling apps" to flourish on the Apple App Store, the Wall Street Journal reports.

WSJ: "China’s state-controlled news agency Xinhua and at least four state-supported media outlets have published criticism of Apple for not doing enough to filter banned content on its iMessage service. State broadcaster CCTV joined in Tuesday on another front, saying Apple’s app store allowed illegal gambling apps disguised as official lottery apps. Apple declined to comment on the media criticism, but pointed to tools on iMessage that can help users filter or block spam and other unwanted content...On Monday, China’s Ministry of Industry and Information Technology and other top government agencies said they would impose new requirements requiring mobile-phone makers to include spam-filtering features...In its news story, Xinhua quoted experts saying Apple could technically intercept and block messages with prohibited content, but chooses not to because it doesn’t want to be seen as infringing on user privacy....Apple has promoted iMessage as a secure way for users of its iPhone, iPad and other devices to communicate, via encrypted messages that only the sender and receiver can access. The company says it can’t decrypt the messages and doesn’t log any messaging content."

- Also in China news: Zhuang Rongwen has been named head of the Cyberspace Administration of China (CAC), the country's central internet regulator, Reuters reports. Zhuang replaces Xu Lin, a former Shanghai propaganda chief who will likely take over as head of the CPC's international propaganda division, per the South China Morning Post. The appointment follows Monday's announcement of bribery charges against former CAC head Lu Wei.

- China's surveillance extends abroad, keeping track of Chinese Muslims making the Hajj pilgrimage to Mecca in Saudi Arabia (WSJ).
otf  china  asia  apple  censor  gfw  privacy  security 
august 2018 by dmcdev
Chrome now marks all unencrypted websites as ‘not secure’
If you use Google's Chrome browser, you might notice a change today with the new release of Chrome version 68: visiting an unencrypted site will prompt a "not secure" warning, The Verge reports.

"The change applies equally to all HTTP sites, which will now display a 'Not Secure' image in the address bar. HTTPS-enabled sites are unaffected by the change. First announced in February, Chrome’s design shift is the latest move in a multipronged push by Google for more encryption on the web. Login sites have displayed similar 'not secure' warnings since 2016, with gradually escalating alarms for expired certificates."

More details in Google's blog post:

So, on what sites might you notice a lack of encryption? A fair chunk, as "20% of the world's largest 502 websites" fail to use HTTPS, per Why No HTTPS?, a project of security researcher Scott Helme.
otf  google  chrome  https  encryption  security 
july 2018 by dmcdev
New report: Defending Politically Vulnerable Organizations Online - @CLTCBerkeley
A new report released today by UC Berkeley's Center for Long-Term Cybersecurity (CLTC) "details how media outlets, human rights groups, NGOs, and other politically vulnerable organizations face significant cybersecurity threats—often at the hands of powerful governments—but have limited resources to protect themselves," detailing "the wide range of threats that politically vulnerable organizations face—from phishing emails, troll campaigns, and government-sanctioned censorship to sophisticated 'zero-day' attacks" while shedding light on "the urgent need for additional technical expertise to help civil society organizations protect themselves online." The report, based on "an extensive open-source review of more than 100 organizations supporting politically vulnerable organizations" and "more than 30 interviews with activists, threat researchers, and cybersecurity professionals," recommends "that new direct assistance models are needed that will, for example, tailor support to match the risks and capabilities of each organization’s context, provide long-term support and partnership, and document and distribute lessons learned to inform the broader ecosystem of politically vulnerable organizations around the world."

CLTC Research fellow Sean Brooks, the report's author, shared some highlights and thoughts on the report in a Twitter thread here:

Access "Defending Politically Vulnerable Organizations Online" in full (pdf) here:
otf  cltc  report  security 
july 2018 by dmcdev
How to Secure Your Accounts With Better Two-Factor Authentication
Ask any digisec-savvy techie how to improve your security, and adding two-factor authentication (2FA) to your accounts is typically among the lowest-hanging fruit. But not all 2FA methods are equal: SMS-based 2FA is weaker than, say, an authenticator app (like Google Authenticator or Authy), and both are weaker than a hardware security key, because a code you read off a screen and type in can be intercepted in transit or phished in real time, while a security key's response is bound to the site that asked for it.

Wired explains: "Yes, the easiest way to implement two-factor is with SMS, receiving a text with an access code every time you try to log into a secured account. While certainly better than nothing, getting your 2FA from SMS has plenty of potential downside. Specifically, it leaves you exposed if someone hijacks your smartphone’s SIM, a longtime problem that has only gotten worse of late. By stealing your phone number, hackers can redirect any two-factor notifications to their own devices, allowing them much easier entry to your accounts...The good news? Most of the sensitive accounts you use today already offer stronger 2FA. And there’s no shortage of third-party authenticator apps that’ll enable it for you." Wired then runs through the steps on how to set it up.

*But: the head of Google's threat analysis group said 2FA is no silver bullet. But, but: not a single Google employee (85,000+) has been phished since early 2017, after the company mandated use of physical security keys.
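Why a phishable code and a security key behave so differently, as an added example serving both this entry and the Amnesty/Motherboard entry further down on automated 2FA phishing. This is not code from Wired, Amnesty or Google. It implements RFC 6238 TOTP, simulates the relay: the phishing page collects password and code and replays them at the real site inside the 30-second window, and then simulates a WebAuthn-style assertion in which the signed data includes the origin the browser saw. The site names, secret, password and clock value are constructed, and an HMAC stands in for the ECDSA signature a real authenticator produces; the property under test is only that the origin is inside the signed data.

```python
import hashlib
import hmac
import struct

NOW = 1_600_000_000                       # fixed clock so the run is deterministic


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1, 30 s step): the code an authenticator app or SMS gateway produces."""
    mac = hmac.new(secret, struct.pack(">Q", unix_time // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class OtpSite:
    """Relying party checking password + one-time code. It cannot tell who typed the code."""
    def __init__(self, password: str, secret: bytes):
        self.password, self.secret = password, secret

    def login(self, password: str, code: str, now: int) -> bool:
        return (hmac.compare_digest(password, self.password)
                and hmac.compare_digest(code, totp(self.secret, now)))


def relay_phish_otp(site: OtpSite, victim_password: str, victim_secret: bytes) -> bool:
    """The flow Amnesty documented: the lookalike page asks for the password, then for the code."""
    typed_password = victim_password                  # victim types it into the lookalike page
    typed_code = totp(victim_secret, NOW)              # victim reads the code off their phone, types it too
    return site.login(typed_password, typed_code, NOW + 5)   # attacker replays both within the window


def sign_assertion(credential_key: bytes, challenge: bytes, browser_origin: str) -> bytes:
    """Authenticator signs challenge + origin. HMAC stands in for the per-credential ECDSA signature;
    in WebAuthn the origin travels inside clientDataJSON, which is part of the signed data."""
    return hmac.new(credential_key, challenge + browser_origin.encode(), hashlib.sha256).digest()


class OriginBoundSite:
    """WebAuthn-style relying party: verifies the assertion against its own origin, never the attacker's."""
    ORIGIN = "https://mail.example"                    # constructed

    def __init__(self, credential_key: bytes):
        self.credential_key = credential_key           # stands in for the registered public key

    def challenge(self) -> bytes:
        return hashlib.sha256(b"constructed-nonce").digest()   # a real RP draws this fresh per login

    def login(self, challenge: bytes, signature: bytes) -> bool:
        expected = sign_assertion(self.credential_key, challenge, self.ORIGIN)
        return hmac.compare_digest(expected, signature)


def relay_phish_origin_bound(site: OriginBoundSite, credential_key: bytes) -> bool:
    """Same relay against a security key: the attacker forwards the real challenge, the victim's
    browser signs it with the lookalike origin, and the relying party rejects the mismatch."""
    challenge = site.challenge()
    signature = sign_assertion(credential_key, challenge, "https://mail-example.attacker.test")
    return site.login(challenge, signature)


if __name__ == "__main__":
    otp_site = OtpSite("hunter2", b"constructed-otp-seed")
    print("OTP relay phish succeeds:", relay_phish_otp(otp_site, "hunter2", b"constructed-otp-seed"))
    key_site = OriginBoundSite(b"constructed-credential-key")
    print("Security-key relay phish succeeds:", relay_phish_origin_bound(key_site, b"constructed-credential-key"))
```

In a real browser the failure happens one step earlier: the credential is scoped to the relying party ID at registration, so the browser will not even offer the mail.example key to a page on the attacker's domain. The simulation skips that check to show that even if the signing step ran, the origin inside the signed data would still sink the replay. That is the property behind the Google security-key figure above, and it is why the Wired advice to move off SMS only closes the SIM-swap hole, not the real-time phishing one.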
otf  2fa  security 
july 2018 by dmcdev
The Rise of China's Security-Industrial Complex
China's appetite for all things surveillance and security is driving the emergence of a new "security-industrial complex." Much like that other state-fueled 'industrial complex' you may be familiar with, the "similar phenomenon" emerging in China is pushing the country's leadership "to increase security spending," writes University of Oxford cybersecurity PhD candidate Valentin Weber for the Council on Foreign Relations. This mutually reinforcing, "symbiotic" relationship between the Chinese government and the private sector keeps the surveillance state running and raises the importance of Chinese tech companies, while also boosting their growth domestically before the same products are exported to developing markets, Weber writes.

"In 1961, U.S. President Dwight D. Eisenhower coined the term 'military-industrial complex' in his farewell address, warning that the combined interests of the military and private sector could undermine democracy and have unchecked influence in policymaking. China is witnessing a similar phenomenon at the moment via the emergence of a security-industrial complex, made up of politicians dependent on security-related industries, private security companies, and the Ministry of Public Security...The Communist Party is all too happy to oblige given that the extra security keeps it in power, creating a symbiotic relationship between the security industry and Beijing...China’s security-industrial complex is also looking to export its approach to other markets. China has been a major proponent of the concept of 'Safe Cities' throughout the developing world. Huawei, the world’s largest telecommunication provider, rolled out the Safe Cities model to Nairobi, Kenya and installed 1800 surveillance cameras as part of the initiative...Unlike the military-industrial complex which Eisenhower warned could undermine U.S. democracy, China’s security-industrial complex has cemented the power of the Communist Party, increasingly concerned with controlling the actions of those it governs."
otf  china  asia  surveillance  censorship  gfw  security 
july 2018 by dmcdev
.@brave Introduces Beta of Private Tabs with Tor for Enhanced Privacy while Browsing
Brave, an open source web browser that comes with built-in ad-blocking, announced a new beta release (Brave 0.23) with an experimental "Private Tabs" feature that incorporates Tor functionality, offering users an option for increased browsing privacy and security. This way, within the same browsing window you can run "normal" tabs directly alongside tabs whose traffic goes through Tor. Brave is not only incorporating Tor into its browser, but also helping expand the Tor network by running relays, which are volunteer-run and essential to the Tor network. Worth keeping in mind: routing a tab through Tor hides your IP address from the sites you visit and your browsing from your ISP, but a general-purpose browser does not carry Tor Browser's anti-fingerprinting hardening, so treat this as network-level privacy rather than a substitute for Tor Browser when anonymity matters.

From Brave: "This new functionality, currently in beta, integrates Tor into the browser and gives users a new browsing mode that helps protect their privacy not only on device but over the network. Private Tabs with Tor help protect Brave users from ISPs (Internet Service Providers), guest Wi-Fi providers, and visited sites that may be watching their Internet connection or even tracking and collecting IP addresses, a device’s Internet identifier...Private Tabs with Tor default to DuckDuckGo as the search engine, but users have the option to switch to one of Brave’s other nineteen search providers...In addition, Brave is contributing back to the Tor network by running Tor relays. We are proud to be adding bandwidth to the Tor network, and intend to add more bandwidth in the coming months. Our relays can be viewed at:"

You can download Brave and try out the new feature here:
otf  tor  brave  browser  privacy  security  anonymity 
june 2018 by dmcdev
Announcing STARTTLS Everywhere: Securing Hop-to-Hop Email Delivery
Yesterday, EFF announced the launch of STARTTLS Everywhere, an OTF-supported Core Infrastructure project focused on securing the delivery of email between mail servers. EFF explained the program in a blog post, stating that STARTTLS Everywhere aims "to do for email what we’ve done for web browsing," comparing the tool to previous security-boosting efforts like Let's Encrypt and Certbot. As those tools made it easier to secure websites via HTTPS, STARTTLS Everywhere will "make it simple and easy for everyone to help ensure their communications aren’t vulnerable to mass surveillance" with a program that is easy for sysadmins to configure.

From the EFF blog post: "STARTTLS Everywhere provides software that a sysadmin can run on an email server to automatically get a valid certificate from Let’s Encrypt. This software can also configure their email server software so that it uses STARTTLS, and presents the valid certificate to other email servers. Finally, STARTTLS Everywhere includes a “preload list” of email servers that have promised to support STARTTLS, which can help detect downgrade attacks. The net result: more secure email, and less mass surveillance. Mailserver admins can read more about how STARTTLS Everywhere’s list is designed, how to run it on your mailserver, and how to get your mailserver added to the preload list."

The blog contains great context on the gap STARTTLS Everywhere seeks to fill, explaining why email is generally so insecure in the first place. Also, as EFF notes, it's good to know that "...STARTTLS Everywhere is designed to be run by mailserver admins, not regular users." With that said, EFF made a cool email provider security check-up tool that anyone can use: just enter your email address domain at to try it out.
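To make the "downgrade attack" point concrete, here is an added example (my own code, not EFF's or the STARTTLS Everywhere project's) of the check a sending mail server can do: parse the receiving server's EHLO reply, see whether STARTTLS is advertised, and compare that against a preload-style policy. The EHLO transcripts and the policy entry are constructed; the policy shape (domain maps to a require-tls flag plus allowed MX hostnames) is an assumption standing in for the real list format, and the `EHLO_STRIPPED` transcript models the classic on-path downgrade in which the STARTTLS keyword is overwritten but the line count is preserved.

```python
"""Added example: STARTTLS downgrade detection against a preload-style policy.

Not EFF's code. The EHLO transcripts and the policy entry below are
constructed; the policy shape (domain -> require-tls + allowed MX hosts)
is an assumption standing in for the real STARTTLS Everywhere list format.
"""

# Constructed EHLO reply from a server that advertises STARTTLS.
EHLO_WITH_STARTTLS = (
    "250-mail.example.com Hello client.example.net\r\n"
    "250-PIPELINING\r\n"
    "250-SIZE 52428800\r\n"
    "250-STARTTLS\r\n"
    "250 HELP\r\n"
)

# Same reply after an on-path box has overwritten the STARTTLS line
# (the keyword is replaced, the line count is kept, so the reply still parses).
EHLO_STRIPPED = EHLO_WITH_STARTTLS.replace("250-STARTTLS", "250-XXXXXXXX")

# Constructed stand-in for a preload-list entry (assumption, not the real format).
POLICY = {
    "example.com": {"require-tls": True, "mxs": ["mail.example.com", ".mx.example.com"]},
}


def parse_ehlo(reply: str) -> list:
    """Return the capability keywords from a multiline 250 EHLO reply.

    Lines look like '250-KEYWORD args' (more to come) or '250 KEYWORD' (last).
    The first line carries the server's hostname and greeting, not a capability.
    """
    caps = []
    for raw in reply.splitlines():
        line = raw.rstrip("\r")
        if len(line) < 4 or line[:3] != "250" or line[3] not in "- ":
            raise ValueError(f"malformed EHLO line: {line!r}")
        caps.append(line[4:].strip())
        if line[3] == " ":          # a space separator marks the final line
            break
    else:
        raise ValueError("EHLO reply has no terminating '250 ' line")
    return [c.split()[0].upper() for c in caps[1:] if c]


def advertises_starttls(reply: str) -> bool:
    return "STARTTLS" in parse_ehlo(reply)


def mx_allowed(mx_host: str, allowed: list) -> bool:
    """Exact match, or suffix match for policy entries written as '.domain'."""
    host = mx_host.lower().rstrip(".")
    for entry in allowed:
        entry = entry.lower().rstrip(".")
        if entry.startswith("."):
            if host.endswith(entry) or host == entry[1:]:
                return True
        elif host == entry:
            return True
    return False


def assess_delivery(domain: str, mx_host: str, ehlo_reply: str, policy=POLICY) -> str:
    """Classify an outbound delivery attempt.

    'ok'           policy satisfied (or no policy and STARTTLS offered)
    'downgrade'    policy requires TLS but the MX did not advertise STARTTLS
    'mx-mismatch'  we were steered to an MX the policy does not list
    'plaintext'    no policy for this domain and no STARTTLS on offer
    """
    starttls = advertises_starttls(ehlo_reply)
    entry = policy.get(domain.lower())
    if entry is None:
        return "ok" if starttls else "plaintext"
    if not mx_allowed(mx_host, entry["mxs"]):
        return "mx-mismatch"
    if entry.get("require-tls") and not starttls:
        return "downgrade"
    return "ok"
```

A real MTA should act on `downgrade` and `mx-mismatch` by deferring the message rather than falling back to plaintext; the opportunistic default (the `plaintext` outcome for domains with no policy) is exactly what the preload list exists to remove.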
eff  starttlseverywhere  projects  email  security 
june 2018 by dmcdev
Microsoft Adds Post-Quantum Cryptography to an OpenVPN Fork
A new open source project from Microsoft called "PQCrypto-VPN" incorporates post-quantum cryptography (PQC) within OpenVPN, testing out how PQC encryption algorithms (and in turn users' privacy and security) might fare against attacks generated by quantum computers with the (theoretical) capability of beating encryption algorithms relied upon at present.

Lawrence Abrams writes for Bleeping Computer: "Being developed by the Microsoft Research Security and Cryptography group as part of their research into post-quantum cryptography, this fork is being used to test PQC algorithms and their performance and functionality when used with VPNs. Post-quantum cryptography algorithms are encryption algorithms that are designed to be secure against attack by quantum computers. While quantum computers are still in their infancy, it is theorized that current encryption algorithms can be cracked using a sufficiently powerful quantum computer in a short period of time. Due to this, researchers are creating new algorithms that are designed to protect a user's privacy and sensitive data as quantum computers become more readily available."

The project, available on GitHub, makes use of three different PQC algorithms at present. Tolkien fans will be glad to see that one of them is called "Frodo." Keep [your browsing] secret, keep it safe.
otf  vpn  security  microsoft  pqc  encryption 
june 2018 by dmcdev
Not So Pretty: What You Need to Know About E-Fail and the PGP Flaw
PGP mail fail: Encrypting your email via PGP is notorious for the usability challenges involved. Now, security researchers say they have discovered a new set of security vulnerabilities, which they have called "EFail," that allow an attacker to decrypt PGP-encrypted mail by turning the victim's own email client or plugin into a decryption oracle. The most direct variant abuses how email clients handle the decrypted content (for instance, by loading remote resources); a second variant builds on a long-known weakness in the OpenPGP standard's integrity protection, as the EFF quote below notes. The most critical vulns have been present in Thunderbird, macOS Mail, and Outlook for more than 10 years, they say.

EFF recaps: "The new paper includes a proof-of-concept exploit that can allow an attacker to use the victim’s own email client to decrypt previously acquired messages and return the decrypted content to the attacker without alerting the victim. The proof of concept is only one implementation of this new type of attack, and variants may follow in the coming days. Because of the straightforward nature of the proof of concept, the severity of these security vulnerabilities, the range of email clients and plugins affected, and the high level of protection that PGP users need and expect, EFF is advising PGP users to pause in their use of the tool and seek other modes of secure end-to-end communication for now...Fixing this entirely is going to take time. Some software patches have already begun rolling out, but it will be some time before every user of every affected software is up-to-date, and even longer before the standards are updated. Right now, information security researchers and the coders of OpenPGP-based systems are poring over the research paper to determine the scope of the flaw...The flaw that the researchers exploited in PGP was known for many years as a theoretical weakness in the standard—one of many initially minor problems with PGP that have grown in significance over its long life...We’re taking this latest announcement as a wake-up call to everyone in the infosec and digital rights communities: not to pile on recriminations or criticisms of PGP and its dedicated, tireless, and largely unfunded developers and supporters, but to unite and work together to re-forge what it means to be the best privacy tool for the 21st century."
otf  pgp  email  encryption  security 
may 2018 by dmcdev
Inside the Unnerving Supply Chain Attack That Corrupted CCleaner
You may recall that back in September, the popular system cleanup utility CCleaner suffered a significant security breach after researchers found that attackers had planted malware in the tool's installer, and that it had been there for over a month. The damage: over 2 million backdoored copies of CCleaner had been downloaded. At the RSA security conference this week, Avast CTO Ondrej Vlcek (Avast owns CCleaner) provided further detail on the attack.

Lily Hay Newman reports for Wired: "On March 11 of last year, attackers compromised the systems of Piriform, the company that created CCleaner. That June, Avast acquired Piriform. By September, it knew it had a massive security crisis on its hands. Vlcek says that Avast's quick response and existing goodwill toward CCleaner—which has a sometimes cultish online following—has allowed Avast to learn from the incident and better protect its users. But the specter of supply chain attacks is difficult to shake. 'This thing was a bit, shall we say, black. It was an unexpected surprise gift we got as part of the acquisition,' Vlcek told WIRED ahead of his talk at RSA...Hackers initially got onto Piriform’s London networks by using stolen credentials to log into a TeamViewer remote desktop account on a developer PC. From there, the attackers moved laterally to a second computer, always working outside office hours when it was unlikely that people would be using the machines. The attackers installed malware called ShadowPad, a sort of customizable malware platform that can be used for an assortment of attacks from DDoS to keylogging, on the compromised computers. In this case, the attackers used the keylogger functionality and other analysis features to burrow deep into Piriform's development and distribution systems. Then they waited."
otf  ccleaner  malware  security 
april 2018 by dmcdev
How Creative DDOS Attacks Still Slip Past Defenses
We're living in the "terabit [DDoS] attack era," says network security firm Arbor Networks, and yet here we are; why can some denial-of-service attacks get around defenses designed to deter or defeat them, and how come these attacks are getting bigger? Lily Hay Newman for Wired:

"The type of DDoS attack hackers have been using recently to mount enormous attacks is somewhat similar. Known as memcached DDoS, these attacks take advantage of unprotected network management servers that aren't meant to be exposed on the internet. And they capitalize on the fact that they can send a tiny customized packet to a memcached server, and elicit a much larger response in return. So a hacker can query thousands of vulnerable memcached servers multiple times per second each, and direct the much larger responses toward a target...The DDoS defense and internet infrastructure industries have made significant progress on DDoS mitigation, partly through increased collaboration and information-sharing. But with so much going on, the crucial point is that DDoS defense is still an active challenge for defenders every day."
otf  ddos  security 
march 2018 by dmcdev
A 1.3Tbs DDoS Hit GitHub, the Largest Yet Recorded
GitHub on Wednesday suffered the largest DDoS attack ever recorded, with about 1.35 terabits of traffic per second hitting the site at its peak. The attack method used in this instance does not rely on a botnet to overwhelm the target, as seen with other large-scale denial of service attacks of late. Rather, it exploits exposed "memcached servers" ("database caching systems [that] work to speed networks and websites") to carry out what's called an amplification attack, as Lily Hay Newman of Wired explains:

Memcached servers "aren't meant to be exposed on the public internet; anyone can query them, and they'll likewise respond to anyone. About 100,000 memcached servers, mostly owned by businesses and other institutions, currently sit exposed online with no authentication protection, meaning an attacker can access them, and send them a special command packet that the server will respond to with a much larger reply. Unlike the formal botnet attacks used in large DDoS efforts, like against Dyn and the French telecom OVH, memcached DDoS attacks don't require a malware-driven botnet. Attackers simply spoof the IP address of their victim, send small queries to multiple memcached servers—about 10 per second per server—that are designed to elicit a much larger response. The memcached systems then return 50 times the data of the requests back to the victim...Until memcached servers get off the public internet, though, it seems likely that attackers will give a DDoS of this scale another shot."
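Both of the memcached entries above describe the same mechanic (tiny spoofed UDP query in, huge reply out to the victim), so here is one added example for both, written by me and not part of either Wired piece or of memcached itself. It does two things a practitioner actually wants: flag reflector/victim pairs in flow records whose reply volume dwarfs the query volume, and inspect a memcached command line for a UDP listener reachable from beyond loopback. The flow records are constructed, the 20x threshold is an assumption for the demo, and the `legacy_default_udp` flag models the assumption that older memcached builds enabled UDP on 11211 by default.

```python
"""Added example: spotting memcached amplification in flow records and
checking a memcached command line for UDP exposure.

Not part of the Wired pieces or of memcached. The flow records are
constructed; the 20x ratio threshold is an assumption for the demo.
"""
from collections import defaultdict

MEMCACHED_PORT = 11211
AMPLIFICATION_THRESHOLD = 20.0   # assumption; the article cites ~50x replies

# Constructed flow records: (src_ip, src_port, dst_ip, dst_port, proto, bytes).
# 203.0.113.10 is the spoofed victim; 198.51.100.x are exposed reflectors.
SAMPLE_FLOWS = [
    ("203.0.113.10", 40000, "198.51.100.5", 11211, "udp", 60),
    ("198.51.100.5", 11211, "203.0.113.10", 40000, "udp", 50000),
    ("203.0.113.10", 40001, "198.51.100.6", 11211, "udp", 60),
    ("198.51.100.6", 11211, "203.0.113.10", 40001, "udp", 48000),
    ("192.0.2.7", 5000, "198.51.100.5", 11211, "tcp", 120),   # ordinary TCP client
    ("198.51.100.5", 11211, "192.0.2.7", 5000, "tcp", 300),
]


def amplification_by_pair(flows, threshold=AMPLIFICATION_THRESHOLD):
    """Return {(reflector_ip, victim_ip): ratio} for UDP/11211 pairs whose
    reply bytes exceed `threshold` times the query bytes.

    Only UDP counts: memcached over TCP needs a handshake, so the source
    address cannot be spoofed and there is nothing to reflect.
    """
    query_bytes = defaultdict(int)   # (reflector, victim) -> bytes victim->reflector
    reply_bytes = defaultdict(int)   # (reflector, victim) -> bytes reflector->victim
    for src, sport, dst, dport, proto, nbytes in flows:
        if proto != "udp":
            continue
        if dport == MEMCACHED_PORT:
            query_bytes[(dst, src)] += nbytes
        elif sport == MEMCACHED_PORT:
            reply_bytes[(src, dst)] += nbytes
    flagged = {}
    for pair, replied in reply_bytes.items():
        queried = query_bytes.get(pair, 0)
        ratio = replied / queried if queried else float("inf")
        if ratio >= threshold:
            flagged[pair] = ratio
    return flagged


def reflectors_per_victim(flagged):
    """Collapse flagged pairs into {victim_ip: sorted reflector IPs}."""
    out = defaultdict(list)
    for reflector, victim in flagged:
        out[victim].append(reflector)
    return {v: sorted(r) for v, r in out.items()}


def udp_exposed(argv, legacy_default_udp=True):
    """Inspect a memcached command line for a UDP listener beyond loopback.

    memcached's real options: '-U <port>' sets the UDP port (0 disables it)
    and '-l <addr>[,<addr>]' restricts the listen addresses. Builds before
    1.5.6 enabled UDP on 11211 by default; `legacy_default_udp` models that.
    """
    udp_port = MEMCACHED_PORT if legacy_default_udp else 0
    listen = "0.0.0.0"
    args = list(argv)
    for i, a in enumerate(args):
        if a == "-U" and i + 1 < len(args):
            udp_port = int(args[i + 1])
        elif a.startswith("-U") and len(a) > 2:
            udp_port = int(a[2:])
        elif a == "-l" and i + 1 < len(args):
            listen = args[i + 1]
        elif a.startswith("-l") and len(a) > 2:
            listen = a[2:]
    loopback_only = all(addr.strip() in ("127.0.0.1", "::1", "localhost")
                        for addr in listen.split(","))
    return udp_port != 0 and not loopback_only
```

The fix on the server side is the same one the article implies: disable UDP (`-U 0`) unless you need it, and bind to loopback or an internal interface; on the network side, the flow check above is a cheap way to find out whether you are the reflector or the victim.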
otf  github  security  ddos 
march 2018 by dmcdev
Generative Models for Spear Phishing Posts on Social Media (pdf) #research
Machine learning can be effectively used for offensive purposes (if you're a bad guy, that is) when it comes to security, researchers John Seymour of Salesforce and Philip Tully of ZeroFOX find in this study. Seymour and Tully look specifically at social media as a potential vector for spreading malicious, machine-generated content, finding ways to tap into users' preferences and styles to increase the likelihood of engagement (that is, infection).

From the abstract: "Social networks, with their access to extensive personal data, bot-friendly APIs, colloquial syntax, and prevalence of shortened links, are the perfect venues for spreading machine-generated malicious content. We aim to discover what capabilities an adversary might utilize in such a domain...The model is trained with word vector representations of social media posts, and in order to make a click-through more likely, it is dynamically seeded with topics extracted from the target’s timeline...We augment the model with clustering to triage high value targets based on their level of social engagement, and measure success of the [a long short-term memory network]'s phishing expedition using click-rates of IP-tracked links. We achieve state of the art success rates, tripling those of historic email attack campaigns, and outperform humans manually performing the same task."
otf  research  security 
february 2018 by dmcdev
Dissidents Have Been Abandoned and Besieged Online
Human rights activists, journalists, dissidents, and civil society actors are particularly at risk of suffering digital attacks, with efforts to bolster their security - whether by the groups themselves or with help from outside expertise - sorely lacking, write Collin Anderson and Claudio Guarnieri for Motherboard, drawing examples from their documentation of attacks against Iranian activists and others around the world: "For several years, we have conducted research on targeted attacks against civil society and activists in Iran and elsewhere. From these experiences, one lesson in particular stands out: human rights defenders and journalists are a canary in the coal mine for the attacks used to steal military secrets, coerce perceived foreign adversaries, and undermine critical infrastructure. Despite this chilling predicament, those at-risk populations are afforded substantially fewer opportunities to protect themselves and are often relegated to the margins of conversations about cyber security. This inequity is to the detriment of everyone, and must change if we want to improve the Internet for all communities...

While most reports from the cyber security community focus on attacks on the private sector, nearly every known Iranian-origin hacking operation has targeted dissidents with the same tools and tactics at the same time...Many cyber security researchers and public discussions focus on countries where governments are constantly seeking to stifle dissent and exert general control over the public debate. For these governments, political opponents, human rights advocates, and independent media therefore constitute one of the primary targets, and the intelligence gathering tools usually used to spy on perceived foreign adversaries or transnational criminal networks will often be concomitantly turned inward to monitor their own population."
otf  iran  humanrights  dissident  security 
february 2018 by dmcdev
A flaw in Hotspot Shield can expose VPN users, locations
Popular VPN service Hotspot Shield is not as secure as it claims, according to a security researcher who discovered a bug that leaks user data including the user's country and Wi-Fi network name. Zack Whittaker writes for ZDNet: "That information leak can be used to narrow down users and their location by correlating Wi-Fi network name with public and readily available data. 'By disclosing information such as Wi-Fi name, an attacker can easily narrow down or pinpoint where the victim is located,' said Paulos Yibelo, who found the bug (detailed here). Combined with knowing the user's country, 'you can narrow down a list of places where your victim is located,' he said.

ZDNet was able to independently verify Yibelo's findings by using his proof-of-concept code to reveal a user's Wi-Fi network. We tested on several machines and different networks, all with the same result...Yibelo said he was able in limited circumstances to obtain real IP addresses of a user, but that the results were mixed. ZDNet did not see real IP addresses in our tests. For its part, AnchorFree strenuously denied that real IP addresses were exposed, contrary to Yibelo's claim. 'We have reviewed and tested the researcher's report,' said AnchorFree's Tim Tsoriev. 'We have found that this vulnerability does not leak the user's real IP address or any personal information, but may expose some generic information such as the user's country.'"
otf  vpn  security 
february 2018 by dmcdev
Flooding the messengers – analysis of a DoS attack in Azerbaijan
A technical documentation of how Qurium Media Foundation analyzed a denial of service (DoS) attack launched on an Azeri media website following its reporting on oil giant SOCAR and Palmali, an international ship management company. The site,, experienced the attack on the same day that two other Azeri sites, and, sustained similar attacks. Qurium found that the attacker searched for "SOCAR" using the search function on the organization's website just minutes before the attack, while also following up to report about the attack's progression via WhatsApp.
otf  Azerbaijan  security 
february 2018 by dmcdev
Spying on a Budget: Inside a Phishing Operation with Targets in the Tibetan Community
A new Citizen Lab report looks at a phishing operation targeting Tibetan civil society groups, finding it cheap and simple, but also effective. Citizen Lab's "analysis indicates other possible targets among ethnic minorities, social movements, a media group, and government agencies in South and Southeast Asia.

The operation was simplistic and inexpensive, yet achieved some successes. We estimate the infrastructure used in the operation cost slightly over 1,000 USD to setup and required only basic system administration and web development skills to maintain.

The operation illustrates that the continued low adoption rates for digital security features, such as two factor authentication, contribute to the low bar to entry for digital espionage through basic phishing."
otf  tibet  phishing  security 
january 2018 by dmcdev
Facebook invites submissions for “Secure the Internet Grants”
As part of its pledge to offer $1 million in defense research, Facebook is accepting proposals to "Secure the Internet," Facebook Chief Security Officer Alex Stamos announced in a blog post yesterday. Proposals can get up to $100k each and are open to academia, NGOs, and non-profits, with the goal "to spur development of technology that may be applied in practice, rather than pure research." Focus areas include "anti-phishing," "abuse detection and reporting," and "security for users in emerging markets," among others. Proposals are due by March 30, 2018, with the winners announced at Black Hat USA 2018.

Learn more about the program at the link above, or access more details and the application here.
otf  facebook  funders  alt  research  security 
january 2018 by dmcdev
Want to Avoid Malware on Your Android Phone? Try the F-Droid App Store
The Android Google Play app store can be a minefield of malware and imposter apps, research has shown - including by Yale Privacy Lab, who've used Exodus Privacy's app scanning software to detect data-sucking hidden trackers, spyware, and other malware. The previously OTF-supported F-Droid app store offers a safer alternative, as the Lab's Sean O'Brien and Michael Kwet write in Wired: "A polluted ocean of apps is plaguing Android, an operating system built upon Free and Open-Source Software (FOSS) but now barely resembling those venerable roots. Today, the average Android device is not only susceptible to malware and trackers, it’s also heavily locked down and loaded with proprietary components—characteristics that are hardly the calling cards of the FOSS movement. Though Android bears the moniker of open-source, the chain of trust between developers, distributors, and end-users is broken...

F-Droid is the best replacement for Google Play, because it only offers FOSS apps without tracking, has a strict auditing process, and may be installed on most Android devices without any hassles or restrictions. F-Droid doesn't offer the millions of apps available in Google Play, so some people will not want to use it exclusively...Installing F-Droid isn’t a silver bullet, but it’s the first step in protecting yourself from malware. With this small change, you’ll even have bragging rights with your friends with iPhones, who are limited to Apple’s App Store unless they jailbreak their phones."
otf  fdroid  malware  appstore  security 
january 2018 by dmcdev
EFF and Lookout Uncover New Malware Espionage Campaign Infecting Thousands Around the World
A massive hacking campaign tied to a powerful Lebanese security agency, targeting activists, journalists, military personnel, and lawyers, has been revealed in a new report by the Electronic Frontier Foundation (EFF) and mobile security firm Lookout. The campaign relied on malware planted in "trojanized apps" to siphon personal information from "thousands of people in more than 20 countries." The fake apps, which included Signal and WhatsApp lookalikes, "function like the legitimate apps and send and receive messages normally. However, the fake apps also allow the attackers to take photos, retrieve location information, capture audio, and more."

Says EFF: "The threat, called Dark Caracal by EFF and Lookout researchers, may be a nation-state actor and appears to employ shared infrastructure which has been linked to other nation-state actors. In a new report, EFF and Lookout trace Dark Caracal to a building belonging to the Lebanese General Security Directorate in Beirut.

'People in the U.S., Canada, Germany, Lebanon, and France have been hit by Dark Caracal. Targets include military personnel, activists, journalists, and lawyers, and the types of stolen data range from call records and audio recordings to documents and photos,' said EFF Director of Cybersecurity Eva Galperin. 'This is a very large, global campaign, focused on mobile devices. Mobile is the future of spying, because phones are full of so much data about a person’s day-to-day life.'"

Access the full report here (pdf):
otf  lebanon  security  eff 
january 2018 by dmcdev
Less than 1 in 10 Gmail users enable two-factor authentication
Less than 10% of active Gmail users have enabled 2FA, Google software engineer Grzegorz Milka said during a presentation at Usenix's Enigma 2018 security conference. The low adoption rate for what is a relatively simple security feature is right there with the share of Americans who use a password manager (12%, 2016 Pew study).

Ian Thomson reports for the Register: "The Register asked Milka why Google didn’t just make two-factor mandatory across all accounts, and the response was telling. 'The answer is usability,' he replied. 'It’s about how many people would we drive out if we force them to use additional security.'

Please, if you haven't already done so, just enable two-step authentication. This means when you or someone else tries to log into your account, they need not only your password but authorization from another device, such as your phone. So, simply stealing your password isn't enough – they need your unlocked phone, or similar, to get in."
otf  2fa  security  digisec  gmail  google 
january 2018 by dmcdev
Attack of the Week: Group Messaging in WhatsApp and Signal - @matthew_d_green
New research released at the Real World Crypto security conference shows some theoretical flaws affecting the security of group messaging apps. However, the attacks would be difficult to actually carry out, so the practical risk is low. Executing the attack (in Signal's case) would require knowing a group chat's "group ID," a random 128-bit number that would be extremely difficult to obtain (let alone guess). As crypto expert (and OTF AC member) Matthew Green writes, the research "takes a close look at the problem of group messaging, and finds that while messengers may be doing fine with normal (pairwise) messaging, group messaging is still kind of a hack.

If all you want is the TL;DR, here’s the headline finding: due to flaws in both Signal and WhatsApp (which I single out because I use them), it’s theoretically possible for strangers to add themselves to an encrypted group chat. However, the caveat is that these attacks are extremely difficult to pull off in practice, so nobody needs to panic."

There are some differences between how this issue affects Signal vs. WhatsApp, as laid out by Green in fuller detail in the full blog post linked to above. The full research (here) also looks at messaging app Threema.
otf  messaging  security  e2e  encryption  privacy  whatsapp  signal 
january 2018 by dmcdev
With WPA3, Wi-Fi security is about to get a lot tougher
The lack of security on open, public WiFi networks has long been a security woe for internet users. But these woes will be addressed with WPA3, replacing the less secure WPA2 standard. "The Wi-Fi Alliance, an industry body made up of device makers including Apple, Microsoft, and Qualcomm, announced Monday its next-generation wireless network security standard, WPA3. The standard will replace WPA2, a near-two decades-old security protocol that's built in to protect almost every wireless device today -- including phones, laptops, and the Internet of Things.

One of the key improvements in WPA3 will aim to solve a common security problem: open Wi-Fi networks. Seen in coffee shops and airports, open Wi-Fi networks are convenient but unencrypted, allowing anyone on the same network to intercept data sent from other devices.

WPA3 employs individualized data encryption, which scrambles the connection between each device on the network and the router, ensuring secrets are kept safe and sites that you visit haven't been manipulated." - Zack Whittaker, ZDNet
otf  wifi  wpa3  wpa2  security 
january 2018 by dmcdev
5 New Year’s Resolutions to Protect Your Technology
If you're adding 'upping your digital security' to your resolutions for 2018, Brian X. Chen from the New York Times has some relatively easy recommendations, including: 1. update your software; 2. actually read privacy policies; 3. get rid of unnecessary apps (as they're likely sucking up your personal info whether you use them or not); 4. use a VPN, especially if you're on a public WiFi network; and 5. show some TLC to your physical device via a screen protector or phone case.
otf  newyears  digisec  digitalsecurity  security  awareness 
january 2018 by dmcdev
A New Type of Computer Could Render Many Software Hacks Obsolete
DARPA is hoping to build an "unhackable computer" through a project called MORPHEUS, undertaken by the University of Michigan and funded to the tune of $3.6 million. The project aims to improve upon the way computer security functions at present, known to some as the "patch and pray" model. Instead of scrambling from patch to patch, DARPA wants to bake security into the hardware itself: "The MORPHEUS system will supposedly render [common] software exploits ineffective using computer circuits that are designed to randomly shuffle data around a computer system. This way, even if an attacker finds a bug and tries to exploit it, the location of that software bug, as well as the location of any valuable data (such as passwords) will constantly be changing." - Article by Daniel Oberhaus for Motherboard. Read the University of Michigan/DARPA announcement here:
otf  darpa  security  research  exploit  software  hardware 
december 2017 by dmcdev
Too Many People Are Still Using ‘Password’ as a Password
The 25 worst passwords of 2017 include some classics (‘12345678,’ 'qwerty,' and 'passw0rd' are all there) as well as some new fan favorites like 'starwars' and 'trustno1.' This is based on data gathered by SplashData, a password management company, which looked at over five million leaked passwords publicized after large-scale security breaches. If you see your password on this list, you should probably consider an upgrade. Article by Yael Grauer, Motherboard.
otf  password  security  awareness 
december 2017 by dmcdev
How to Encrypt All of the Things, From Chats to Calls and More
Wired explains how to encrypt your online life - including your texts, video and voice chats, data storage, and email. It's part of an extensive new Wired Guide to Digital Security, which you can check out here:
otf  encrypt  security  privacy  encryption  awareness 
december 2017 by dmcdev
Phishing attacks growing more sophisticated
"Not long ago, phishing attacks were fairly easy for the average Internet user to spot: Full of grammatical and spelling errors, and linking to phony bank or email logins at unencrypted (http:// vs. https://) Web pages. Increasingly, however, phishers are upping their game, polishing their copy and hosting scam pages over https:// connections — complete with the green lock icon in the browser address bar to make the fake sites appear more legitimate. According to stats released this week by anti-phishing firm Phishlabs, nearly 25 percent of all phishing sites in the third quarter of this year were hosted on HTTPS domains — almost double the percentage seen in the previous quarter." - Brian Krebs. The Phishlabs data can be found here:
otf  phishing  security 
december 2017 by dmcdev
Man-in-the-Middle Flaw in Major Banking, VPN Apps Exposes Millions
New research from the University of Birmingham finds a serious encryption flaw affecting tens of millions of users, potentially exposing them to man-in-the-middle (MitM) style attacks. Among the affected apps are popular VPN service TunnelBear and those of the Bank of America and HSBC banks. "'Our tests find that apps from some of the world's largest banks contain the flaw, which if exploited, could enable an attacker to decrypt, view and modify traffic - including log-in credentials - from the users of the app,' write Chris Mcmahon Stone, Tom Chothia, and Flavio Garcia of University of Birmingham, who detailed the discovery...The findings came as part of a study involving a new blackbox automated-testing mechanism the team came up with to find applications that implement TLS certificate-pinning but fail to verify the hostname, leaving them open to MitM attacks. Dubbed Spinner, the tool uses the Censys Internet scanning engine to scale up what has in the past been a costly, manual process to check." - Ericka Chickowski, Dark Reading. Read the research here:
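The bug class Spinner hunts for is easy to state and easy to get wrong, so here is an added example (my own code, not the Spinner tool and not the Birmingham team's) that models it: the app pins a CA or intermediate public key, so any certificate issued under that key passes the pin, and without a separate hostname check an attacker holding their own perfectly valid certificate from the same CA can sit in the middle. The certificates and public keys below are constructed byte strings standing in for what a TLS stack would hand back; normal chain validation (signatures, expiry, revocation) is assumed to have already happened and is not modelled. Requiring at least three labels in a wildcard pattern is this example's policy, not a rule from the page.

```python
"""Added example: certificate pinning that still verifies the hostname.

Not the Spinner tool or the Birmingham team's code. It models the bug
they found: an app pins a CA or intermediate public key, so any cert
issued under that key passes the pin, and without a hostname check an
attacker's own cert from the same CA lets them sit in the middle. The
certificates and public keys below are constructed byte strings.
"""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    """Just the fields the checks need; a real chain comes from the TLS stack."""
    subject_cn: str
    san_dns: tuple          # subjectAltName dNSName entries
    spki: bytes             # SubjectPublicKeyInfo (constructed bytes here)


def spki_pin(spki: bytes) -> str:
    """HPKP/OkHttp-style pin: SHA-256 of the SubjectPublicKeyInfo."""
    return "sha256/" + hashlib.sha256(spki).hexdigest()


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style dNSName match: case-insensitive, one wildcard only as
    the whole left-most label, never matching across a dot. Requiring at
    least three labels in a wildcard pattern is this example's policy."""
    p, h = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in p:
        return p == h
    pl, hl = p.split("."), h.split(".")
    if pl[0] != "*" or len(pl) < 3 or len(pl) != len(hl):
        return False
    return pl[1:] == hl[1:]


def hostname_matches(leaf: Cert, hostname: str) -> bool:
    """Use SAN dNSNames; fall back to the CN only when no SAN is present."""
    names = leaf.san_dns if leaf.san_dns else (leaf.subject_cn,)
    return any(dns_name_matches(n, hostname) for n in names)


def pin_matches(chain, pins) -> bool:
    """True if any certificate in the chain carries a pinned public key."""
    return any(spki_pin(c.spki) in pins for c in chain)


def vulnerable_check(chain, pins, hostname) -> bool:
    """What the flawed apps did: pin only, hostname ignored."""
    return pin_matches(chain, pins)


def hardened_check(chain, pins, hostname) -> bool:
    """Pin AND hostname, on top of normal chain validation (not modelled)."""
    return pin_matches(chain, pins) and hostname_matches(chain[0], hostname)


# --- constructed sample material ------------------------------------------
CA_SPKI = b"constructed-example-ca-public-key"
BANK_SPKI = b"constructed-bank-leaf-public-key"
ATTACKER_SPKI = b"constructed-attacker-leaf-public-key"

CA_CERT = Cert("Example Root CA", (), CA_SPKI)
BANK_LEAF = Cert("bank.example", ("bank.example", "*.bank.example"), BANK_SPKI)
ATTACKER_LEAF = Cert("attacker.example", ("attacker.example",), ATTACKER_SPKI)

BANK_CHAIN = [BANK_LEAF, CA_CERT]
ATTACKER_CHAIN = [ATTACKER_LEAF, CA_CERT]   # valid cert, same CA, wrong name

# The app pinned the CA key rather than the leaf: a common choice because
# leaves rotate often, and exactly the case where hostname checking matters.
APP_PINS = {spki_pin(CA_SPKI)}
```

Pinning the leaf key instead of the CA key narrows the window but does not remove the need for the hostname check either; pinning is an extra constraint on top of ordinary certificate validation, never a replacement for any part of it.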
otf  spinner  mitm  vuln  research  security  vpn 
december 2017 by dmcdev
How to Protect Yourself Against Spearphishing: A Comic Explanation
Learn how to avoid getting phished with some digital security basics, as told through a comic narrative portraying a prominent hack you may be familiar with (the Podesta/DNC 2016 hack). Artwork by Joyce Rice and words by Intercept journalist Micah Lee.
otf  digisec  spearphishing  phishing  security  awareness  2fa 
december 2017 by dmcdev
Security Education Companion - a new #digitalsecurity resource from @EFF
EFF recently announced the launch of the Security Education Companion, a new digital security resource "for people who would like to help their communities learn about digital security but are new to the art of security training." In explaining the rationale for the project, EFF writes: "It’s rare to find someone with not only technical expertise but also a strong background in pedagogy and education. More often, folks are stronger in one area: someone might have deep technical expertise but little experience teaching, or, conversely, someone might have a strong background in teaching and facilitation but be new to technical security concepts. The Security Education Companion is meant to help these kinds of beginner trainers share digital security with their friends and neighbors in short awareness-raising gatherings." Check it out here:
otf  security  digisec  digitalsecurity  guide  resource 
november 2017 by dmcdev
macOS bug lets you log in as admin with no password required
"In one of Apple's biggest security blunders in years, a bug in macOS High Sierra allows untrusted users to gain unfettered administrative control without any password.

The bypass works by putting the word "root" (without the quotes) in the user name field of a login window, moving the cursor into the password field, and then hitting the enter button with the password field empty. With that—after a few tries in some cases—the latest version of Apple's operating system logs the user in with root privileges. Ars reporters were able to replicate the behavior multiple times on three Macs. The flaw isn't present on previous macOS versions." - Dan Goodin, Ars Technica. To temporarily address the exploit, Apple issued a statement recommending that users set a password for the "root" account but not disable the account, since the exploit allows the account to be re-enabled at will. Steps on how to set a root password are in the article at the link above.
otf  security  macOS  password  awareness  vuln  apple 
november 2017 by dmcdev
Staggering Variety of Clandestine Trackers Found in Popular Android Apps
"Researchers at Yale Privacy Lab and French nonprofit Exodus Privacy have documented the proliferation of tracking software on smartphones, finding that weather, flashlight, ride-sharing, and dating apps, among others, are infested with dozens of different types of trackers collecting vast amounts of information to better target advertising. Exodus security researchers identified 44 trackers in more than 300 apps for Google’s Android smartphone operating system. The apps, collectively, have been downloaded billions of times. Yale Privacy Lab, within the university’s law school, is working to replicate the Exodus findings and has already released reports on 25 of the trackers...The findings underscore the pervasiveness of tracking despite a permissions system on Android that supposedly puts users in control of their own data. They also highlight how a large and varied set of firms are working to enable tracking." - Yael Grauer, The Intercept
otf  android  security  awareness  privacy 
november 2017 by dmcdev
Still Safer Without: Another look at Korean Child Monitoring and Filtering Apps - @citizenlab
A new follow-up Citizen Lab report on vulnerabilities found in South Korean child-monitoring apps, which the government mandates on the cell phones of minors. Citizen Lab (again) finds that "children in Korea are safer without child monitoring apps" because of the exploitability of the flaws found within such apps. Read the full report at the above link. The findings have also been disseminated in a new OTF-supported Net Alert infographic, accessible here:
otf  netalert  security  asia  korea  citizenlab 
november 2017 by dmcdev
Another Tor Browser Feature Makes It Into Firefox: First-Party Isolation
"Unbeknown to most users, Mozilla added a privacy-enhancing feature to the Firefox browser over the summer that can help users block online advertisers from tracking them across the Internet.

The feature is named First-Party Isolation (FPI) and was silently added to the Firefox browser in August, with the release of Firefox 55.

FPI works by separating cookies on a per-domain basis. This is important because most online advertisers drop a cookie on the user's computer for each site the user visits and the advertiser loads an ad.

With FPI enabled, the ad tracker won't be able to see all the cookies it dropped on that user's PC, but only the cookie created for the domain the user is currently viewing.

This will force the ad tracker to create a new user profile for each site the user visits and the advertiser won't be able to aggregate these cookies and the user's browsing history into one big fat profile." - Catalin Cimpanu, Bleeping Computer
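To make the mechanism concrete, here is an added illustration (not Firefox code, and not from the Bleeping Computer article): a toy cookie jar that keys cookies by cookie host alone, as a browser without FPI does, or by the pair (top-level site, cookie host), as FPI does. A simulated tracker embedded on several sites assigns a user id the first time it sees no cookie. The site and tracker hostnames are constructed for the example.

```javascript
// Toy model of a browser cookie jar, with and without First-Party Isolation.
// Added illustration only; Firefox's real storage partitioning is more involved.
class CookieJar {
  constructor({ firstPartyIsolation }) {
    this.fpi = firstPartyIsolation;
    this.store = new Map(); // key -> Map(cookieName -> value)
  }

  // Without FPI the key is just the host that set the cookie; with FPI the
  // top-level site the user is visiting becomes part of the key, so the same
  // tracker host gets a separate cookie set for every first party.
  key(topLevelSite, cookieHost) {
    return this.fpi ? `${topLevelSite}|${cookieHost}` : cookieHost;
  }

  // A response from cookieHost, loaded while topLevelSite is the page, sets a cookie.
  set(topLevelSite, cookieHost, name, value) {
    const k = this.key(topLevelSite, cookieHost);
    if (!this.store.has(k)) this.store.set(k, new Map());
    this.store.get(k).set(name, value);
  }

  // Cookies attached to a request to cookieHost while topLevelSite is the page.
  get(topLevelSite, cookieHost) {
    return this.store.get(this.key(topLevelSite, cookieHost)) || new Map();
  }
}

// Simulate one tracker (hostname constructed for the example) embedded as an
// ad on each site the user visits. It behaves like a typical ad tracker:
// if no "uid" cookie comes back, it mints one; otherwise it reports the id it saw.
function simulateTracker(fpi, sites, trackerHost = "tracker.example") {
  const jar = new CookieJar({ firstPartyIsolation: fpi });
  let nextId = 1;
  const seen = [];
  for (const site of sites) {
    let cookies = jar.get(site, trackerHost);
    if (!cookies.has("uid")) {
      jar.set(site, trackerHost, "uid", `u${nextId++}`);
      cookies = jar.get(site, trackerHost);
    }
    seen.push({ site, uid: cookies.get("uid") });
  }
  return seen;
}

// How many separate "profiles" the tracker ended up with for this one user.
function distinctProfiles(seen) {
  return new Set(seen.map((s) => s.uid)).size;
}

// Constructed browsing session: four page loads across three sites.
const VISITS = ["news.example", "shop.example", "weather.example", "news.example"];

console.log("without FPI:", simulateTracker(false, VISITS)); // one uid everywhere
console.log("with FPI:   ", simulateTracker(true, VISITS));  // one uid per first party
```

Without FPI the tracker sees the same uid on every site and can stitch the whole session into one profile; with FPI it sees a fresh uid on each first party (the repeat visit to news.example still maps to that site's uid, so first-party functionality is unaffected), which is the fragmentation the article describes. In Firefox the feature is toggled with the about:config preference privacy.firstparty.isolate.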
otf  firefox  tor  security 
november 2017 by dmcdev
*privacy not included - a holiday shopping guide from @Mozilla
With the holiday season upon us, many will begin the rush to purchase gifts for friends and family. But with how ubiquitous internet-connected devices are becoming, have you thought about the security of those things? From toys to fridges to games, Mozilla looks into the privacy (infringing) properties of some top holiday gifts.
otf  mozilla  security  awareness 
november 2017 by dmcdev