Researchers find flaw in Apple’s iMessage, decrypt iCloud photo

Apple's iMessage system has a cryptography flaw that allowed researchers to decrypt a photo stored in iCloud, the Washington Post reported on Sunday. The researchers, led by cryptography expert Matthew D. Green of Johns Hopkins University, wrote software that mimicked an Apple server and then targeted an encrypted photo stored on iCloud, the publication reported.

Vagrant, Ubuntu “Wily Werewolf,” and Networking

In what has been a fairly classic “yak shaving” exercise, I’ve been working on getting Ubuntu 15.10 “Wily Werewolf” running with Vagrant so that I can perform some testing with some other technologies that need a Linux kernel version of at least 4.2 (which comes with Ubuntu 15.10 by default). Along the way, I ran smack into a problem with Ubuntu 15.10’s networking configuration when used with Vagrant, and in this post I’m going to explain what’s happening here and provide a workaround.

The issue (described here on GitHub, among other places) involves a couple of changes in Ubuntu Linux (and upstream Debian GNU/Linux as well, although I haven’t personally tested it). One of the changes is in regards to how network interfaces are named; instead of the “old” eth0 or eth1 naming convention, Ubuntu 15.10 now uses persistent interface names like ens32 or ens33. Additionally, an update to the “ifupdown” package now returns an error where an error apparently wasn’t returned before.

The end result is that when you try to create a Vagrant VM with multiple network interfaces, it fails. Using a single network interface is fine; the issue only rears its …

Why we are upset with the NYTimes Paris terrorist article

On the Twitters, we've been mocking that NYTimes article on the Paris terrorists and how they used "encryption". I thought I'd write up a brief note as to why.

It's a typical example of yellow journalism. The public isn't familiar with "encryption", so it's easy to sensationalize it, to make it seem like something sinister is going on.

At one point, the article says:
According to the police report and interviews with officials, none of the attackers’ emails or other electronic communications have been found, prompting the authorities to conclude that the group used encryption. What kind of encryption remains unknown, and is among the details that Mr. Abdeslam’s capture could help reveal.
That's not how encryption works. Instead, if "encryption" were the one thing the terrorists were using to hide, then you'd certainly find encrypted emails and encrypted messages -- ones you couldn't read without knowing the key.

The lack of emails/messages instead hints that the terrorists were meeting in person, passing paper notes to each other, or using telepathy. All of these, even telepathy, are more likely explanations for the lack of evidence than "encryption".

This article cites anonymous "authorities" here as concluding encryption was used. The New …

Government sets new FOIA failure record: Can find NO files for 1 in 6 FOIA requests

Sunshine Week 2016 may be over, but the public’s right to access public government information in order to make the government accountable never ends. Before Barack Obama was president, he repeatedly promised many things that never came to fruition such as to provide the “most transparent” administration in history. But the truth is that the Obama administration has set an all-time new record for failure to provide documents via FOIA requests. The Associated Press analyzed FOIA requests sent to 100 federal government agencies in 2015 – the final figures to be released during Obama’s administration.

Redefining the WAN

One of the more interesting recent trends in the network space has been around software defined WAN (SDWAN).  While I’ll admit I first didn’t give it much attention, I’ve since given it a harder look and see quite a bit of promise in the technology.  The WAN is a part of the network that, until recently, hasn’t received much attention particularly as it relates to SDN.  SDN in the enterprise space seems mostly focused on the data center since that’s where the network always seems to be the most complicated.  The unfortunate outcome of that mindset is that while we focus on the data center network, technologies like SDWAN appear and don’t always get the attention they deserve.  I think the primary reason for this is that many of us have WANs that we think are ‘working just fine’.  And while that may be the case, I think SDWAN has the potential to significantly reduce costs, improve WAN performance, and increase network agility.

One of the vendors in this market that I’ve recently had the chance to hear about is Silver Peak. Silver Peak has been around for quite some time and is …

Edward Snowden: Privacy can’t depend on corporations standing up to the government

NSA whistleblower Edward Snowden opened the Free Software Foundation's LibrePlanet 2016 conference on Saturday with a discussion of free software, privacy and security, speaking via video conference from Russia. Snowden credited free software for his ability to help disclose the U.S. government's far-reaching surveillance projects – drawing one of several enthusiastic rounds of applause from the crowd in an MIT lecture hall.

Pwn2Own contest highlights renewed hacker focus on kernel issues

Hackers demonstrated 21 new vulnerabilities in attacks against browsers and operating systems during this year's Pwn2Own hacking contest. The complexity of the exploits, though, shows that hackers have to jump through many hoops to gain full system control. On Wednesday and Thursday, five contestants -- four teams and one independent researcher -- demonstrated three successful remote code execution attacks against Safari on OS X, two against Microsoft Edge on Windows, four against Adobe Flash on Windows and one partially successful attack against Google Chrome on Windows. Firefox was not a target in this year's contest.

Securing BGP: A Case Study (5)

BGP provides reachability for the global ‘net, as well as being used in many private networks. As a system, BGP (ultimately) isn’t very secure. But how do we go about securing BGP? This series investigates the questions, constraints, and solutions any proposal to secure BGP must deal with as a case study of asking the right questions, and working at the intersection of business and technology.

As a short review, we started off with three questions, described in the first post, each of which we’ve been considering in some detail:

  • Should we focus on a centralized solution to this problem, or a distributed one?
    • Assuming we’re using some sort of encryption to secure the information used in path validation, where do the keys come from? The fourth post considers this question.
    • Should the information used to validate paths be distributed or stored in a somewhat centralized database?
  • Should we consider solutions that are carried within the control plane, within BGP itself, or outside?
  • What is it we can actually prove in a packet switched network? This is considered in post 2 and post 3.

Here I’m going to discuss the problem of a centralized versus distributed database to carry the …

Apple sees weakness in FBI hearing request

A last-minute request by the FBI to call witnesses to next week's court hearing in the San Bernardino iPhone case indicates the agency might feel some weakness in its legal arguments, Apple says. On Wednesday evening, the FBI asked for an evidentiary hearing, which means the court will hear live testimony from expert witnesses from both sides. Apple agreed to the FBI's request on Thursday. Speaking on Friday with reporters, lawyers for Apple said the FBI's request was a surprise, and they don't understand why the government wants to present witnesses to the court. If lawyers believe they have a strong legal case, they typically want to get up and argue it without bothering with witnesses in these types of hearings, so the request perhaps indicates the FBI isn't as comfortable as it was in relying solely on legal arguments, an Apple lawyer said.

5 things you need to know about SSL

An uptick in cyberattacks and greater awareness about government surveillance have prompted calls for tighter security on the Internet, and a big part of that is encrypting the traffic that flows to and from websites. Google, Facebook and Microsoft are among the many companies that have been pushing for wider use of SSL/TLS (Secure Sockets Layer/Transport Layer Security) encryption, though it can be tricky and expensive to implement. Here are the basics of what you need to know.

Apple engineers could walk away from FBI’s iPhone demands

Should the FBI prevail in getting Apple to offer a backdoor for an encrypted iPhone, the agency may have trouble getting anyone to build it. At least that’s the word from several current and former Apple employees—including security engineers—who spoke anonymously to the New York Times. Some said they’d refuse to do the work, or quit their jobs if necessary, rather than create what they believe is a major security compromise for all users.

FBI warning puts car hacking on bigger radar screen

The FBI this week warned carmakers and owners that they need to pay much closer attention to automotive cybersecurity. The National Highway Transportation Safety joined with the FBI in warning consumers that the increasing number of computers in the form of electronic control units (ECUs) that control numerous vehicle functions from steering, braking, and acceleration, to the lights and windshield wipers make them vulnerable to potential cybersecurity problems.