Microsoft: Systems seem safe from WikiLeaks alleged CIA hacks – CNET

Microsoft says PCs powered by its latest Windows 10 software should be safe from alleged CIA hacking tools.

The Central Intelligence Agency's alleged hacking tools shouldn't be able to crack the latest Windows PCs.

That's according to a Microsoft statement Thursday afternoon, which was responding to a Tuesday data dump from WikiLeaks that accused the CIA of creating programs that take advantage of unknown vulnerabilities in nearly all the world's mobile phones, tablets and computers. The software can even target smart TVs and connected cars, WikiLeaks said. CNET hasn't been able to verify whether the documents are real or have been altered.

Regardless, Microsoft said computers powered by its Windows 10 software should be safe from the "dated" vulnerabilities that appear to target "older systems."

"We take security issues very seriously and are continuing a deeper analysis to determine if additional steps are necessary to further protect our customers," the company said in an emailed statement. It also pledged to send updates to customers should any new threats be found.

Apple and Google have similarly said customers running their latest software appear to be safe from vulnerabilities, though about 97 percent of devices powered by Android are running on older software.

Other tech giants, like Samsung and LG, are still looking into the situation.


WikiLeaks will give details of CIA hacking tools to tech companies – The Boston Globe


PARIS (AP) WikiLeaks will work with technology companies to help defend them against the Central Intelligence Agency's hacking tools, founder Julian Assange said Thursday, an approach which sets up a potential conflict between Silicon Valley firms eager to protect their products and an agency stung by the radical transparency group's disclosures.

In an online press conference, Assange acknowledged that some companies had asked for more details about the CIA cyberespionage toolkit whose existence he purportedly revealed in a massive leak published Tuesday.


"We have decided to work with them, to give them some exclusive access to some of the technical details we have, so that fixes can be pushed out," Assange said. Once tech firms had patched their products, he said, he would release the full data of the hacking tools to the public.

The CIA has so far declined to comment directly on the authenticity of the leak, but in a statement issued Wednesday it suggested that the release had been damaging by equipping adversaries "with tools and information to do us harm."


Assange began his online press conference with a dig at the agency for losing control of its cyberespionage arsenal, saying that all the data had been kept in one place.

Should the spy agency exploit security flaws in software instead of warning companies to fix them?

"This is a historic act of devastating incompetence," he said, adding that WikiLeaks discovered the material "as a result of it being passed around."

Assange said the technology was nearly impossible to keep under wraps or under control.


"There's absolutely nothing to stop a random CIA officer or even a contractor from using the technology," Assange said. "The technology is designed to be unaccountable, untraceable; it's designed to remove traces of its activity."


History Lists – History

The Hutchinson Letters

In December 1772, Benjamin Franklin, who was then serving as Britain's Postmaster General of the American colonies, anonymously received a packet of letters written to a British official by Thomas Hutchinson, the governor of Massachusetts. In the letters, Hutchinson urged Britain to send additional troops to deter rebellious colonists in Boston. Franklin circulated the letters privately, but John Adams had them published in the Boston Gazette in 1773, prompting a scandal that forced Hutchinson to flee the country and fueled tensions that would lead to the Revolutionary War. When three innocent men were accused of leaking the letters, Franklin admitted his role in the affair; he was publicly reprimanded by Parliament and dismissed as Postmaster General.

In 1848, the reporter John Nugent published an unsigned copy of the Treaty of Guadalupe Hidalgo, which would conclude the two-year-long Mexican-American War, in the New York Herald. Questioned by a furious Senate, Nugent refused to reveal his source, beyond insisting it was not a member of the Senate. He was kept under virtual house arrest at the Capitol for a month, but didn't crack. Ten years later, President James Buchanan gave Nugent a valuable commission to investigate possible development in New Caledonia (now British Columbia). Evidence suggests Buchanan, as secretary of state, was the source of the treaty's leak.

In June 1971, the New York Times published a series of excerpts from a top-secret Department of Defense report about U.S. involvement in Vietnam between 1945 and 1967. Part of a study commissioned by Secretary of Defense Robert McNamara, the so-called Pentagon Papers revealed that four successive presidential administrations had deliberately misled Congress and the American public about the scope, objectives and progress of the Vietnam War. Daniel Ellsberg, a military analyst who opposed the war and had surreptitiously photocopied and leaked the documents, was prosecuted under the 1917 Espionage Act, but the judge later dismissed the charges. Exactly 40 years after the Pentagon Papers leaked, they were declassified and for the first time published in their entirety on the National Archives website.

In mid-1972, five men were arrested for breaking into and trying to bug Democratic National Committee headquarters at the Watergate hotel complex in Washington, D.C. Carl Bernstein and Bob Woodward of the Washington Post were subsequently able to connect the break-in directly to Richard Nixon's administration, leading to a series of Senate hearings and eventually to Nixon's resignation in 1974. To get their story, Woodward and Bernstein relied heavily on information from an anonymous informant, dubbed "Deep Throat." The identity of the man responsible for exposing the biggest political scandal in U.S. history remained a secret for 33 years, until in 2005 the former FBI agent Mark Felt revealed himself as Deep Throat.

In July 2003, Joseph Wilson, who had been a CIA envoy to Niger in 2002, published an op-ed in the New York Times saying George W. Bush's claim that Iraq attempted to buy uranium from Niger (which the president used to build the case for war) was unsubstantiated. Less than two weeks later, right-wing commentator Robert Novak wrote a column in the Washington Post in which he revealed that Wilson's wife, Valerie Plame, was a CIA operative. With her cover blown, Plame's work with the agency was compromised, and Wilson accused the White House of leaking her identity to punish him. An investigation led by a special prosecutor interviewed Bush, Vice President Dick Cheney and other officials, as well as journalists, and in 2007 Lewis "Scooter" Libby, Cheney's chief of staff, was found guilty on counts of perjury, obstruction of justice and making false statements during the investigation. (Bush later commuted his 30-month sentence.) Libby wasn't the leak's source, however: Richard L. Armitage, a former deputy secretary of state, later acknowledged his conversation with Novak likely led to the article outing Plame.

In May 2005, the Sunday Times of London obtained and published a transcript of notes taken in a meeting of Prime Minister Tony Blair's national security team on July 23, 2002. During the meeting, held nine months before the war in Iraq began, the head of British Secret Intelligence Services (MI6) said his impression from meetings in the United States was that military action was now inevitable. According to him, the Bush administration knew that Saddam Hussein didn't have weapons of mass destruction but had decided to overthrow him by force anyway, and "the intelligence and the facts were being fixed around the policy" in order to publicly justify the invasion. Critics of the war called the Downing Street Memo a "smoking gun" that proved Bush and Blair, his closest ally, made a secret decision to invade Iraq and manipulated the intelligence to support it.

In October 2010, WikiLeaks posted nearly 400,000 classified military documents concerning the Iraq War, a massive info dump that dwarfed its release of some 77,000 documents on the war in Afghanistan several months earlier. WikiLeaks' founder, the Australian journalist Julian Assange, shared the documents with the press, including the New York Times, Der Spiegel and the Guardian, beforehand. Among the revelations in the so-called Iraq War Logs was evidence that the U.S. military deliberately ignored abuse of detainees by its Iraqi allies, and that there were actually 15,000 more civilian casualties than previously acknowledged. Chelsea Manning, who as Pfc. Bradley Manning had served as a U.S. Army intelligence analyst in Iraq, was later convicted under the Espionage Act for leaking the information. Sentenced to 35 years imprisonment, she was pardoned by President Barack Obama in January 2017.

In 2013, Edward J. Snowden, a technical contractor and former CIA employee, leaked classified details of a top-secret National Security Administration (NSA) electronic surveillance program, codenamed PRISM, to the Washington Post and the Guardian. The information, which Snowden obtained while working as a subcontractor for the NSA in Hawaii, revealed that the NSA and FBI were collecting data, including email, chats, videos, photos and social networking information, from ordinary internet users in the U.S. and abroad. Under fire for breach of privacy, President Obama's administration defended the surveillance program, claiming it helped prevent terrorist attacks. Though some denounced Snowden as a traitor, many others supported his actions, calling him a whistleblower. After federal prosecutors charged Snowden under the Espionage Act, Russia gave him asylum, and he remains there after attempts to gain a presidential pardon proved unsuccessful.

In April 2016, a leak of some 11.5 million files from the database of the Panama-based Mossack Fonseca, the world's fourth largest offshore law firm, revealed personal financial information about thousands of wealthy individuals and public officials. The German newspaper Süddeutsche Zeitung, which had obtained the files from an anonymous source, shared them with the International Consortium of Investigative Journalists (ICIJ), and that organization passed them on to a large network of international news outlets, including BBC and the Guardian. According to the so-called Panama Papers (Panama's government has strongly objected to the name), among the people who used offshore tax havens to shelter their fortunes were the presidents of Argentina, Ecuador and Ukraine; the king of Saudi Arabia; the prime ministers of Australia and Iceland; members of the Spanish royal family; and a number of prominent athletes, actors and businesspeople around the world.


Edward Snowden Thinks The Wikileaks Docs Are Real And Offers His Take On What The ‘Big Deal’ Is – GOOD Magazine

Say what you want about the prior acts of Edward Snowden, but good, bad, or otherwise, the man is in a position to look at the recent Wikileaks document dump and shed some light on what's really at play.

Snowden, currently living in asylum in Russia while a wanted man in his native United States, suggested via Twitter that the docs look authentic to him. He offers not only an explanation of what led him to draw the conclusion that they're real, but also talks about what he finds to be the biggest story amidst the thousands of docs and cables.

He provides his thoughts in a series of intuitive, logically ordered tweets that tell the story well without needing any further context.

He also posits that the documents reveal the government's activity in keeping privately-produced software vulnerable so that it can access data contained therein. That part is more difficult to ascertain based on the snippets he presents, but you certainly can choose to take him at his word or not.

The last time this issue made headlines was in the fallout of the San Bernardino shooting, when the U.S. government tried to compel Apple to assist in accessing the shooter's phone in the name of national security. Apple declined, stating that the act would undercut the public's faith in not just Apple's willingness to maintain privacy, but all companies'.

If what Snowden's saying here is true, that the U.S. government is hacking the software of U.S.-made products, that might all be moot, as they'll gain access without assistance. And the holes that they leave open can allow other rogue hackers to gain the same access in pursuit of whatever ends they seek.

Boiled down, his observations, however insightful, tell us what most of us already presumed: the U.S. government cares more about information gathering than it does about the privacy of its citizens. Perhaps not a revelation, but hopefully this concrete evidence, if true, will result in answers and explanations.

Never one to leave us on an upbeat note, Snowden let us know the many, many ways the government could be peering into your life.


The Edward Snowden effect? Millennial view on data a concern for government and business – ABC Online

By Jessica Haynes

Updated March 09, 2017 14:32:11

Former director of the CIA Michael Hayden has hinted the younger generation of security agency staff are not to be trusted in the wake of thousands of US intelligence documents being released to Wikileaks.

In an interview with the BBC he said:

"I don't mean to judge them at all, but this group of millennials and related groups simply have different understandings of the words loyalty and secrecy and transparency than certainly my generation did".

Australian Centre for Cyber Security Professor Greg Austin said he does.

"When Edward Snowden went public with his leaks in 2013 in our organisation in New York, we did a bit of survey and we found that all the young people thought [Snowden] had done the right thing and all the people of my generation thought he'd done the wrong thing," Professor Austin said.

"We just really stopped on that question because it was quite confronting. You can sort of imagine the more mature people were ... fuming about the Snowden leaks and the others were saying 'he's got a point'.

"Michael Hayden is one of the most serious and well-informed people in the United States to be talking about this subject so I credit his point of view."

Director of the Australian Centre for Cyber Security Jill Slay said a new report from Frost and Sullivan set to be released next week found millennials working in cyber security needed more job satisfaction, better opportunities and pay, and wanted to be heard.

"Organisations need to adjust to take on these perspectives," Professor Slay said.

"My generation feel bound by [the] Official Secrets Act ... this generation values individuality."

Professor Austin said there were instances of cyber crime right here in Australia.

"There have been eight [people] convicted for cyber-related offences at the federal level in the last eight years and three of the eight were Australian public servants," he said.

"And [from] what I recall, all younger than 40."

"I think Snowden has a huge effect," Professor Austin said.

"The recent movie shows him in a very positive light."

That's a reference to the film Snowden, which depicts the former NSA contractor's leak of thousands of classified documents in 2013.

The film is directed by Oliver Stone and stars Joseph Gordon-Levitt as Snowden.

Julian Assange's story has also been told on screen.

Benedict Cumberbatch played him in the 2013 film The Fifth Estate and Australian actor Alex Williams portrayed him in the 2012 biographical drama Underground: The Julian Assange Story.

In short, yes.

"Well the information age brings with it completely new attitudes to secrecy and privacy, and that's the reality we face, and people who've grown up with open access and transparency of the sort that's available through the internet and mobile devices really simply just have a different emotional relationship with information and privacy," Professor Austin said.

"And in designing secrecy arrangements within Government we have to take that into account.

"We need to bear in mind 50 to 100 years ago young people also had a more cavalier attitude to information.

"And the best example of that are the Cambridge spies ... but governments definitely do have to take this into account but also corporations and private citizens.

"The old conceptions of privacy have gone out the door."

Professor Austin said Snowden's agenda to uncover lies told in Congress by senior US officials was not inherently liberal.

"So what I mean by that is that people haven't, in general, become more liberal; they've become more conservative," he said.

"Snowden wasn't out there on the barricades for a more liberal approach to United States society, he was out there to defend well-established principles of the United States political system.

"So we can paint that as a liberal agenda, but it's not really.

"I think we do have to take account of the fact that as of today the information age favours the more conservative political movement and not the more liberal political movements."

Pretty big.

No longer are leaks a handful of pieces of paper.

"The scale and scope of the information that can be released in one leak can threaten the political legitimacy of the highest levels of government," Professor Austin said.

So, should average citizens be worried?

Probably not.

"The good news is the average citizen doesn't fall victim to it," he said.

"But people in public life, celebrities and public officials have a new reality to deal with that's very different and very demanding."

And for millennials, it means government agencies and businesses might be sceptical about giving sensitive information to younger staff.

Professor Slay warned some millennials didn't understand the long-term ramifications of leaking sensitive information.

"You'll never be allowed in the circle of trust if you're ever seen to breach those," she said.


First posted March 09, 2017 12:35:43


The former CIA director is blaming millennials for the existence of leaks but his ignorance is part of the problem – The Independent

Millennials have had to get used to being characterised as lazy, selfish and narcissistic. Now this much-maligned generation faces the more serious accusation of being traitors to their country.

In the wake of this week's Wikileaks dump of top secret files, a former CIA director has broken cover to point the finger at the millennial generation for the growing trend in damaging security blunders.

"I don't mean to judge them all," Michael Hayden told BBC2's Newsnight on Thursday, "but this group of millennials simply have different understandings of the words loyalty, secrecy and transparency than my generation did."

Just so everyone is in no doubt who he is talking about, Hayden named Edward Snowden and Chelsea Manning as the worst cases of millennial treachery.

"So we bring these people into the agency, good Americans all, I can only assume, but again, culturally, they have different instincts than the people who made the decision to hire them, and we may be running into this different cultural approach."

So has Hayden helpfully identified a glitch in the cultural makeup of the millennial generation or is he simply looking for a new scapegoat for an old problem?

In the digital age the skills of the professional gamer and amateur hacker have become highly prized assets at the CIA and GCHQ, which actively recruit their code breakers from the geek generation.

This is the reason why so many millennials work for internet companies like Google and Facebook or join hacking groups like Anonymous and Lulz or even a whistleblowers' portal (such as Wikileaks).

But it is hardly the fault of the millennial generation that because hacking is a young person's game their talents are suddenly in demand.


The truth is treachery is not a new phenomenon that can be laid at the door of one particular generation.

Britain and America's history is littered with cases of young (and not so young) spies who have committed acts of treachery or whistleblowing (depending on your point of view) for all kinds of reasons.

Nevertheless, motives such as idealism and ideology do seem to have played a greater influence over younger spies.

Britain's most notorious gang of double agents, the Cambridge Spy Ring, were all twenty-somethings when they started passing on secrets to the Soviets in the 1930s and 1940s.

More recently David Shayler and Annie Machon, who blew the whistle on an MI5 plot to kill Colonel Gaddafi, were only in their late 20s when they first felt the stirrings of betrayal in the 1990s.

But it is not just twenty-somethings who commit acts of treachery. The most famous American double agent, responsible for the deaths of at least ten American agents, was well into his 40s when he started passing secrets to the KGB.

Aldrich Ames compromised more CIA "assets" than any other mole in history until Robert Hanssen's arrest seven years later in 2001. Hanssen, a career CIA officer, was 39 when he started his Soviet spying career.

Perhaps this shows that when it comes to treachery no generation is more culpable than any other.

What Hayden and the rest of his baby boomer generation forget is that in the age of the internet, secrets are much harder to keep while the tools of the whistleblower and the leaker are capable of causing catastrophic damage.

The security services in the UK and America have sophisticated vetting procedures which are supposed to spot high-minded young men and women who might one day put principle before country.

But history shows us that no system of secrecy is perfect. Demonising a new generation for one of the oldest sins of all is a desperate attempt to avoid confronting the urgent problem of protecting state secrets in a digital age.

Robert Verkaik is the author of "Jihadi John, the Making of a Terrorist"


Gaming, NSA Spying, and You: Two Games That Could Change Your Mind – The Libertarian Republic


By: Paul Meekin

Kotaku brought the game Orwell to my attention today. It's a game about spying on people's personal data in order to ascertain potential terrorist activity. Your end goal is to thwart that activity. The point of the game, in addition to being an entertaining potboiler, is the fundamental question of when, and if, it's okay to violate the privacy of human beings in order to prevent acts of terror. This is a wonderful concept and one I support fundamentally as a gamer and fan of thinking critically while playing them.

The point of the article was the question of whether people today even care about privacy. The most popular comment on the article?

"I don't care. I mean, first off, what can we do to stop them from spying on us? Nothing. Even if we did complain they could say they stopped but keep on spying anyways.

"Outside of that, who cares. Let them see my life. My boring Facebook posts. My boring emails once in a while. My YouTube watching. Going to Kotaku. Even any porn I've looked at.

"Actually, why would you worry about what people see anyways? Unless you're hiding something you have no reason to worry. Do you look at child porn? Do you hire hitmen? If not then who cares."

Sorry, I just threw up in my mouth a little. In 2013 we learned the NSA was in our business. Directly or indirectly, the fact of the matter was the NSA was gathering massive amounts of data on Americans, foreigners, and scorned lovers.

It's possible you're much like the commenter above and didn't care. You had nothing to hide and are perfectly okay with invasions of personal privacy and personal data in the name of security.

But it's also possible you're a principled individual and don't think the Constitution should be violated just in case you're up to no good.

The beauty of Orwell is that it could change your mind one way or another. Unfortunately, as a Mac user, I am unable to play Orwell, but I support it on principle.

A game I did play, and that did change my mind, was Tom Clancy's Splinter Cell: Blacklist, released in August 2013, a few months after the scale and scope of the NSA's activities were revealed.

The backlash to these activities was massive. But along comes Splinter Cell. Without trying and without foreknowledge of this event, it made quite a case in favor of a bit of privacy invasion. Of course the reviewer of the game disregarded the plot as "Right Wing mumbo jumbo" on a podcast.

But it was mumbo jumbo with a point. Splinter Cell: Blacklist is a game that demonstrates the awesome force of the Military Industrial Complex. From wiretapping to drone strikes to covert operations to warrantless searches and seizures, it demonstrated what a single team of highly qualified individuals was capable of when they *weren't* restrained by the bureaucracy of the federal government and the more limiting aspects of the Constitution (and the Bill of Rights in particular).

Obviously it was just a game, and not based on fact, although some of the technology is quite believable in hindsight. But the point it makes has real-world applications: just how many times have lives been saved by illegal wiretapping and covert operations we never hear about? We'll never know.

How many lives make that violation of privacy worth it? Batman seems to think it's about two boatloads.

The Libertarian in me says no lives are worth it. That the fundamental cost of liberty is that the federal government shouldn't be in the business of convicting people for crimes before they're committed and spying on them, again, just in case.

If we're willing to violate the privacy of lives to save lives, those lives aren't worth as much as we initially thought, are they?

In playing Splinter Cell, you realize America is embroiled in a war with a stacked deck. The enemy doesn't obey the laws of combat. They fight dirty and they fight mean, and they behead journalists, use children as suicide bombers, and drag bodies through the street. As a result, if we fight the war as governed by the Geneva Convention, we're essentially playing checkers while the enemy is playing tackle football.

Games have an amazing capacity to educate while entertaining. Unlike a movie you watch, or a book you read, you participate in a game. And the best of them, from Oregon Trail to Splinter Cell to even Madden Football, can enlighten you on a subject in a way no other media can.

Regarding the NSA? I still don't know how I feel. There are valid arguments on both sides. I lean toward getting the government out of my computer.

Then again, I have nothing to hide.


That Encrypted Chat App the White House Liked? Full of Holes – WIRED


Leaks have plagued the Trump administration since he took office less than seven weeks ago. The president's anger about these backchannels has grown, up to and including reported demands of an investigation into the source. Press secretary Sean Spicer has even apparently taken to doing random phone checks, supervised by White House attorneys, to see what staffers and aides are up to on their devices and whether they have secure communication apps.

In the midst of all of this, the end-to-end encrypted, disappearing messages app Confide has emerged as a popular choice among administration officials looking to discuss sensitive topics with coworkers, the press, or other groups. But in spite of Confide's claims that it gives you "the comfort of knowing that your private messages will now truly stay that way," researchers at security firm IOActive recently notified its developers of a number of critical vulnerabilities in the app. Those have since been resolved, but that's small consolation for White House staffers and general users who relied on Confide while it was exposed.

IOActive found vulnerabilities in numerous areas of the Confide app on Windows, macOS, and Android. By reverse-engineering the applications to see how they work and where they might have weaknesses, and probing Confide's public API to see what data could be accessible to anyone, the researchers discovered that they could alter messages and attachments in transit, decrypt messages, impersonate users, and reconstruct a database of all Confide users, their names, email addresses, and phone numbers. It's a concerning list of potential attacks for an app that touts security and privacy as its main offerings.

In total, the IOActive researchers laid out 11 vulnerabilities. For example, they were able to pull over 7,000 records for users who joined Confide between February 22 and February 24 before Confide detected the intrusion; the database contains between 800,000 and 1 million user records in all. The app had no protection against brute-forcing account passwords and did not even impose strong minimum requirements on what a user's password could be. It didn't notify recipients when senders sent unencrypted messages, and the system didn't require a valid web encryption (TLS) certificate, the check that lets a client tell a genuine server from an impostor.
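Three of the weaknesses just listed (unthrottled password guessing, no minimum password policy, and a missing certificate check) are easy to show side by side. The following is an added example written for this page, not Confide's code or IOActive's proof of concept; the toy login service, its lockout limits, the wordlist and the credentials are all illustrative assumptions.

```python
"""Added illustration, not Confide's or IOActive's code: a toy login service
with the weak settings described above (unlimited guesses, any password
accepted) beside a hardened one, plus the client TLS settings that reject an
invalid server certificate. Names, limits and credentials are assumptions."""
import hashlib
import hmac
import os
import ssl
import time
from dataclasses import dataclass
from typing import Optional

# Illustrative deny-list; a real one would be far larger.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "confide"}


def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2 slows offline cracking; online guessing still needs throttling.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


def weak_policy(password: str) -> bool:
    return len(password) > 0          # "no strong minimum requirements"


def strong_policy(password: str) -> bool:
    return len(password) >= 12 and password.lower() not in COMMON_PASSWORDS


@dataclass
class Account:
    salt: bytes
    digest: bytes
    failures: int = 0
    locked_until: float = 0.0


class AuthService:
    def __init__(self, policy, max_failures=None, lockout_seconds=300.0):
        self.policy = policy
        self.max_failures = max_failures   # None = unlimited guesses (vulnerable)
        self.lockout_seconds = lockout_seconds
        self.accounts = {}

    def register(self, user: str, password: str) -> None:
        if not self.policy(password):
            raise ValueError("password rejected by policy")
        salt = os.urandom(16)
        self.accounts[user] = Account(salt, hash_password(password, salt))

    def login(self, user: str, password: str) -> str:
        acct = self.accounts.get(user)
        if acct is None:
            return "denied"            # same reply as a bad password: no enumeration
        now = time.monotonic()
        if acct.locked_until > now:
            return "locked"
        if hmac.compare_digest(acct.digest, hash_password(password, acct.salt)):
            acct.failures = 0
            return "ok"
        acct.failures += 1
        if self.max_failures is not None and acct.failures >= self.max_failures:
            acct.locked_until = now + self.lockout_seconds
            return "locked"
        return "denied"


def brute_force(service: AuthService, user: str, wordlist) -> Optional[str]:
    """Online guessing attack: returns the guess that logged in, or None."""
    for guess in wordlist:
        if service.login(user, guess) == "ok":
            return guess
    return None


def lax_tls_context() -> ssl.SSLContext:
    """Accepts any certificate: an impostor server passes unnoticed."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False         # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def strict_tls_context() -> ssl.SSLContext:
    """Requires a certificate that chains to a trusted CA and matches the host."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def tls_context_is_strict(ctx: ssl.SSLContext) -> bool:
    return bool(ctx.check_hostname) and ctx.verify_mode == ssl.CERT_REQUIRED


def demo() -> dict:
    real = "correct horse battery staple"
    # Constructed wordlist: common passwords, filler guesses, then the real one.
    wordlist = (["123456", "password", "letmein", "qwerty"]
                + ["guess%d" % i for i in range(20)] + [real])
    vulnerable = AuthService(weak_policy)
    vulnerable.register("alice", "qwerty")           # accepted as-is
    hardened = AuthService(strong_policy, max_failures=5)
    try:
        hardened.register("alice", "qwerty")
        weak_accepted = True
    except ValueError:
        weak_accepted = False
    hardened.register("alice", real)
    return {
        "vulnerable_cracked": brute_force(vulnerable, "alice", wordlist),
        "hardened_weak_accepted": weak_accepted,
        "hardened_cracked": brute_force(hardened, "alice", wordlist),
        "hardened_owner_login": hardened.login("alice", real),
        "strict_ok": tls_context_is_strict(strict_tls_context()),
        "lax_ok": tls_context_is_strict(lax_tls_context()),
    }
```

Running `demo()` shows the vulnerable service giving up "qwerty" on the fourth guess, while the hardened one refuses that password at registration and locks the account after five failures, so the real password is never reached. The last result is the caveat: a hard lockout also locks out the legitimate owner, which is why production systems usually prefer progressive delays or per-source throttling with alerting over a flat lockout.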

IOActive disclosed the bugs to Confide on February 28. Confide was already aware of some of the bugs, having detected the researchers' probing, and by March 3 the company told IOActive that all the vulnerabilities had been patched. IOActive says that it was satisfied with Confide's reaction. "When our researchers connected with Confide to disclose the vulnerabilities, they were receptive to our research, quick to move on addressing critical issues found, and worked with us to share the information," IOActive CEO Jennifer Steffens said in a statement.

Confide has been around since 2014, though, so protecting the app going forward, while crucial, doesn't mitigate the risk its users have already faced. But Confide assures its users that the bugs were never exploited. "Our security team is continuously monitoring our systems to protect our users' integrity," says Confide president Jon Brod. "IOActive's attempt to gather account information was detected and stopped in real time. Not only has this particular issue been resolved, but we also have no detection of it being exploited by any other party. In addition, we've also ensured that the same or similar approaches will not be possible going forward."

Other researchers have piled on similar findings about the state of Confides security. Experts have also been calling the app out for a while for using proprietary cryptography and offering no evidence that it has invited independent code audits to check for vulnerabilities. Encrypted communication services that are open source, like Signal, garner more trust in the security community because of their transparency.

"Public review of open source code can [reveal] such flaws," says Sven Dietrich, a cryptography researcher at CUNY John Jay College of Criminal Justice. He adds that code reviews allow experts to identify programming mistakes that jeopardize user messages or credentials, and protocol mistakes like improper exchange of keys or messages. Basically, all the issues Confide ran into.

"It's difficult for consumers to know which security products to choose or even how to compare the options. This puts responsibility on software makers to secure their products. Encryption software assumes such an important role today. The only way to ensure that a piece of software does not contain back doors or gaping holes is to have independent trust experts audit the code. This is best practice," says Kevin Curran, a cybersecurity researcher at Ulster University and IEEE senior member. "We all know that it is unreasonable to expect vulnerability-free software, but we need to look at risk mitigation."

Now that Confide has patched its vulnerabilities, users will have more protection. But without greater transparency, users may not have confidence that other flaws aren't lurking in their favorite encrypted chat app. For a White House staffer leaking information critical to United States discourse and fearing retribution from a temperamental boss, there's no room for error.

Read this article:
That Encrypted Chat App the White House Liked? Full of Holes - WIRED

The real lesson of WikiLeaks’ massive CIA document dump encryption works – Yahoo Finance

WikiLeaks' posting Tuesday of a gigantic trove of CIA documents shows one thing: our communications are increasingly secure.

You, however, may have seen a different distillation of this data dump in headlines warning the CIA could have been spying on you through your phone, tablet and even TV all along.

But that take gets this story wrong. And we need to get it right to understand a debate we keep coming back to: Should developers of encrypted devices and apps provide special access to law-enforcement agencies?

WikiLeaks announced Tuesday that it had posted 8,761 documents from a CIA facility in Langley, Va., the first in a series of planned disclosures of the agency's activities that the group calls "Vault 7." This batch focused on the CIA's ability to conduct surveillance by hacking devices and apps, something WikiLeaks chose to highlight by playing up the scare factor of the CIA or the United Kingdom's MI5 intelligence agency hacking into your smart TV to turn it into a clandestine listening device.

That's the goal of a CIA program, code-named Weeping Angel, that targeted some Samsung smart TVs to listen in on people. WikiLeaks, the secretive group founded by Julian Assange to post government documents, called Weeping Angel "the most emblematic realization" of the endless surveillance described in George Orwell's book 1984.

Much first-round coverage (for instance, a New York Daily News front page, inspired by the movie Poltergeist, with a headline screaming "THEY HEE-EAR") obligingly focused on that angle without providing an important bit of context.

That would be the detail that Weeping Angel apparently requires somebody to plug a USB flash drive into the TV in question to load this malware. And the CIA document posted by WikiLeaks observes that "Firmware version 1118+ eliminated the current USB installation method," so it no longer works on an updated set anyway.

If somebody from the CIA can sneak into your house and pop a flash drive into your TV, you have many larger problems. The CIA agent, meanwhile, might find it more efficient to hide traditional listening bugs throughout your house instead of limiting her attention to your TV.

The CIA's attempts to crack smartphones, meanwhile, all appear to target old versions of iOS and Android.

For example, a table of iOS exploits doesn't list any version of that Apple (AAPL) operating system newer than 9.2. The current release is iOS 10, and it's already on 79% of devices. The 24 Android exploits listed, meanwhile, don't specify a version newer than 4.4.4, far behind the current 7.1.1 release of the Google (GOOG, GOOGL) operating system, although an embarrassingly high 33.4% of Android devices run versions as old as 4.4.4.

Both Google and Apple have said they've closed most of these holes, many of which also require physical access to a phone. In a Thursday video appearance, WikiLeaks founder Julian Assange said the group would share data on the other vulnerabilities with the companies affected.

Donald Trumps Android may be more at risk than other devices. AP Photo/Matt Rourke


President Donald Trump's own Android phone (photos suggest it's a 2012 Galaxy S3) may be among the more exposed devices, owing to its Android software having seen its last update in 2015. That, and the sight of WikiLeaks targeting the CIA instead of his political opponents, may explain why the man who in October tweeted a compliment for the "incredible information" provided by WikiLeaks now seems much less fond of the group.

Security analyst Robert Graham summed it up in a post unpacking the Vault 7 news: "Most of this dump is child's play, simply malware/trojans cobbled together from bits found on the internet."

WikiLeaks says it's only posted about 1% of the total Vault 7 info, so it's possible that scarier stuff lurks in this file. And other details, like the disclosure of CIA efforts to hack wireless routers remotely, point to lingering security problems that the tech industry needs to address before it connects every computerized device to the internet.

But we can draw one conclusion from the revelations available now: Encryption works. Otherwise intelligence agencies would not work so hard to compromise individual devices.

That's an easy thing to overlook in, for example, a tweet from WikiLeaks suggesting that these exploits allow the CIA to defeat such encrypted communications apps as Signal or WhatsApp. Yes, they could allow the CIA to take over a phone and thereby log a user's speech and touchscreen interactions, capturing messages before they are encrypted or after they are decrypted, but a CIA technician could also bypass Signal's encryption by looking over a Signal user's shoulder.

But without that compromise of an individual phone, the CIA can't snoop on a Signal chat.

The alternative to hacking into specific devices is to require manufacturers and developers to keep extra keys for cops. That was the focus of last year's dispute between Apple and the FBI over unlocking an iPhone 5C used by one of the San Bernardino shooters: the Feds wanted Apple to write software that would defeat the lock on any iPhone 5C, but Apple resisted and the FBI eventually paid a third party to hack into that particular device.

FBI director James Comey offered a reminder of that in a speech Wednesday in which he said "there is no such thing as absolute privacy in America" and called on tech firms to provide some way for law enforcement to access a locked device after getting a court order.

The prospect of the three-letter agencies targeting your phone can be scary, not least since they could probably do it. As security expert Bruce Schneier said at a May 2015 event in Washington, when the debate over whether to restrain the National Security Agency's bulk surveillance was nearing its end: "If the NSA wanted to be in my computer, they'd be in it."

But, Schneier noted, that must be seen as a desirable outcome of encryption systems operating as designed: They make bulk collection infeasible and force the listeners to target.


Email Rob at rob@robpegoraro.com; follow him on Twitter at @robpegoraro.

Continue reading here:
The real lesson of WikiLeaks' massive CIA document dump encryption works - Yahoo Finance