Hackers at the Central Intelligence Agency, with the help of colleagues from the British spy agency MI5, developed malware to secretly spy on targets through their Samsung Smart TVs, according to new documents published by WikiLeaks.
On Tuesday, WikiLeaks dumped a large cache of documents allegedly coming from the CIA’s hacking unit. Julian Assange’s organization dubbed the release, which it says it’s the first in a series, as “Vault 7,” and billed it as the largest-ever of confidential CIA intelligence documents.

Source: VICE

I have said it once and I will say it again: using smart-home technology may be convenient, but it is not smart.

Netflix has identified several TCP networking vulnerabilities in FreeBSD and Linux kernels. The vulnerabilities specifically relate to the minimum segment size (MSS) and TCP Selective Acknowledgement (SACK) capabilities. The most serious, dubbed “SACK Panic,” allows a remotely-triggered kernel panic on recent Linux kernels. There are patches that address most of these vulnerabilities. If patches can not be applied, certain mitigations will be effective. We recommend that affected parties enact one of those described below, based on their environment.

Source: https://www.openwall.com/lists/oss-security/2019/06/17/5
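As an added example, not part of the advisory or of this post, here is a small POSIX shell check for whether a Linux host has one of the advisory's mitigations in place: SACK processing disabled through the `net.ipv4.tcp_sack` sysctl, or segments with a low MSS dropped by an iptables `tcpmss` match. The sysctl and iptables-save text is constructed sample input, not captured from a real host, and the function names are my own.

```shell
#!/bin/sh
# Check for SACK Panic mitigations (disabled SACK or a low-MSS drop rule).
# The real fix is a patched kernel; this only reports interim state.

# Constructed sample inputs, in the formats `sysctl` and `iptables-save` print.
SYSCTL_SAMPLE='net.ipv4.tcp_sack = 1
net.ipv4.tcp_timestamps = 1'

IPTABLES_SAMPLE='*filter
:INPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcpmss --mss 1:500 -j DROP
COMMIT'

# sack_disabled SYSCTL_TEXT: succeeds if tcp_sack is set to 0.
sack_disabled() {
    printf '%s\n' "$1" | grep -q '^net\.ipv4\.tcp_sack *= *0$'
}

# low_mss_filtered IPTABLES_TEXT: succeeds if a rule drops small-MSS TCP segments.
low_mss_filtered() {
    printf '%s\n' "$1" | grep -q -- '-m tcpmss --mss 1:[0-9]* -j DROP'
}

# sack_panic_status SYSCTL_TEXT IPTABLES_TEXT: prints the verdict,
# returns 0 when a mitigation is present and 1 when the host looks exposed.
sack_panic_status() {
    if sack_disabled "$1"; then
        echo "mitigated: SACK disabled"
        return 0
    fi
    if low_mss_filtered "$2"; then
        echo "mitigated: low-MSS segments dropped"
        return 0
    fi
    echo "exposed: patch the kernel or apply one mitigation"
    return 1
}

# Stand-alone run on the constructed samples.
sack_panic_status "$SYSCTL_SAMPLE" "$IPTABLES_SAMPLE"
# On a live host (needs root for iptables-save):
#   sack_panic_status "$(sysctl net.ipv4.tcp_sack)" "$(iptables-save)"
```

Disabling SACK is the simpler switch but costs throughput on lossy links, so the MSS filter is usually preferable until the kernel is patched; either way, treat a "mitigated" result as a stopgap, not as the fix.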

Scanning your computer for malware viruses is important to keep it running smoothly. This also is true for your QLED TV if it’s connected to Wi-Fi! Prevent malicious software attacks on your TV by scanning for viruses on your TV every few weeks.

Source: Samsung

Why does the TV need Internet access anyway? No Samsung devices for me then. Never ever.

About two years ago Theresa May said:

[..] that last night’s London terror attacks mean that the Internet cannot be allowed to provide a “safe space” for terrorists and therefore working cryptography must be banned in the UK.

Source: https://boingboing.net/2017/06/04/theresa-may-king-canute.html

The German interior ministry said today:

The Federal Ministry of the Interior has rejected the accusation that it wants to force providers of messenger services such as WhatsApp to decrypt their users' communication. The federal government is sticking to the principle of "security through encryption and security despite encryption", a spokesperson told dpa. He stressed: "We still want neither backdoors nor bans on encryption."
So that terrorists and gang members cannot completely seal off their communication by using encrypted messenger services, the providers would nonetheless have to enable "state access as a legally regulated exception". There is not yet a draft law on this, the spokesperson said. "We are still at the beginning of finding a solution here."

Source: https://www.heise.de/-4447537

To my mind, most politicians do not seem to realize that cryptography is a matter of mathematics, not of rules about who is (dis)allowed to do what.

2019-06-12 @ 07:59: RAMBleed Bugs | Security

RAMBleed is a side-channel attack that enables an attacker to read out physical memory belonging to other processes. The implications of violating arbitrary privilege boundaries are numerous, and vary in severity based on the other software running on the target machine. As an example, in our paper we demonstrate an attack against OpenSSH in which we use RAMBleed to leak a 2048 bit RSA key. However, RAMBleed can be used for reading other data as well.
RAMBleed is based on a previous side channel called Rowhammer, which enables an attacker to flip bits in the memory space of other processes. We show in our paper that an attacker, by observing Rowhammer-induced bit flips in her own memory, can deduce the values in nearby DRAM rows. Thus, RAMBleed shifts Rowhammer from being a threat not only to integrity, but confidentiality as well. Furthermore, unlike Rowhammer, RAMBleed does not require persistent bit flips, and is thus effective against ECC memory commonly used by server computers.

RAMBleed

Now imagine you put your stuff in the cloud …

EverCrypt—developed and verified by the Project Everest team—offers the same features, convenience, and performance as popular existing cryptographic libraries without the bugs that leave protocols and applications vulnerable. Usable by verified and unverified clients alike, EverCrypt emphasizes both multiplatform support and high performance. We accomplish this by producing both platform-agnostic C code and optimized assembly code for specific hardware targets through the combination of two components of Project Everest: the HACL* cryptographic library developed jointly between Inria and Microsoft Research and the Vale-Crypto library of assembly primitives developed collectively between Microsoft Research and Carnegie Mellon University.

By Jonathan Protzenko, Researcher; Bryan Parno, Associate Professor, Carnegie Mellon University

The verification process is likely more complex than the code itself. Anyway, this is one great step. Read the full article over at Microsoft.

Lawmakers are set to approve plans for an enormous new database that will collect biometric data on almost all non-EU citizens in Europe’s visa-free Schengen area. The database — merging previously separate systems tracking migration, travel and crime — will grant officials access to a person’s verified identity with a single fingerprint scan.

Source: Politico

This sounds like Mielke’s wet dream come true. I doubt there will be any improvement in security. Just more surveillance and more possibilities for repression.

You see, Internet Explorer is a compatibility solution. We’re not supporting new web standards for it and, while many sites work fine, developers by and large just aren’t testing for Internet Explorer these days. They’re testing on modern browsers.

Chris Jackson at Microsoft. See full article.

Good to see this has finally been clarified. As I have been saying for years, Internet Explorer is not a browser. It is a compatibility solution with no right to exist any longer.

That’s because Amazon is spying on you. And if that is not enough bad news for you, keep in mind that you paid them to spy on you when you bought one of their home-intrusion microphones.

There’s a whole team at Amazon reviewing audio clips in an effort to help the voice-activated assistant respond to commands.

I don’t feel sorry for you. You’ve been warned several times.

According to this article a new bill regarding IT security is being planned in Germany.

If this bill is passed, it will be illegal to refuse to turn over your credentials (e.g. for social media, e-mail, encrypted devices and other accounts) to government agencies such as the police.

Punishment could be up to six months of coercive detention, no matter whether their allegations are true or not. Just another step towards the abolition of constitutional democracy.

In case you like neither handing over your credentials nor getting detained, I recommend storing sensitive information in a hidden, encrypted volume on an encrypted device. Doing it this way gives you plausible deniability. This is your ultimate “Get Out of Jail Free” card.

To create a hidden volume use either TrueCrypt or VeraCrypt. Both programs are free open-source software.
