The SMACKTLS team has posted two new major vulnerabilities to internet infrastructure today.
Both of the new attacks require a man-in-the-middle to tamper with inbound and outbound traffic in order to elicit weak encryption. This is usually done by fooling clients into visiting a fake web server through DNS manipulation or manipulation of the HOSTS file.
The first of the two has been named Skip-TLS.
Researchers found that in certain implementations of SSL, you can skip steps of the handshake, and the software will continue the process from that point forward. This allows an attacker to "skip" steps of authentication and selecting encryption ciphers. This effectively nullifies any encryption and can force a vulnerable client to send data unencrypted.
A new security vulnerability named Ghost was discovered by Qualys this week in a library used by some web servers that run on Linux. The vulnerability is potentially very damaging but limited in scope, because a victim has to be set up in a very specific way in order to be vulnerable to attack.
In order for Ghost to be exploitable, you need to have a Linux server with a vulnerable glibc library installed, and you need to be calling specific functions from that library. These functions are called gethostbyname and gethostbyname2. They are typically called by applications that need to do DNS resolution. These functions can be attacked in order to create a buffer overrun, which is a common flaw that can be exploited to gain unauthorized access to servers.
Fortunately, a fix for this particular bug has been in play since August 12th 2013. At the time, it was not known that there was a security vulnerability, but the code was corrected.
It is amazing to me that the security of the world relies on a small handful of math concepts that were pioneered in the 1970s. The only way that we can continue to remain secure is to increase the size of the numbers that protect our data. While there are dozens of valid ciphers out there, there are only a few methods for handing off those keys during the first steps of setting up a secure connection. Those methods are RSA, DH, and ECDH. They are compute-intensive and require a lot of time to complete, so generally these connections are set up as a "handshake" where a key for a cipher is handed off securely, and then the encryption switches to that cipher for much lighter computational work while maintaining data security.
While reading various conversations in the privacy community, often the argument comes up about cipher lengths, which ciphers are safe, and which are considered unsafe, and inevitably someone steps in to say the following:
"(Some cipher) is perfectly fine to use. There are no known ways to break (cipher) at (strength)."
This is dangerous thinking in the current surveillance environment. Organizations like the American NSA, the Russian FSB, the British GCHQ, and the Chinese MSS all have programs where encrypted data is logged and stored away for when it can be broken. Their strategy is the same as the sci-fi strategy of freezing a corpse until technology exists that can revive it, the only difference being that computing and cryptography move so fast that we are talking about years, not centuries to have this strategy bear fruit for the agency.
Whenever someone tells you something is free, you should be instantly skeptical. Unless it's coming from a beloved friend or family member, most people won't put forth very much effort to do something for nothing in return.
One must ask, what is the "Free Proxy" getting out of this? How are they profiting? I can assure you that they are making money. Piles of money, but you are NOT their customer. You are their product.
In the case of "Free Proxies", you are paying in several ways.
The proxy service is almost definitely harvesting your data and selling it to third-party buyers. These buyers may be marketing companies, governments, copyright enforcement groups, lawyers, law enforcement, etc. For the more benign "Free Proxies", it stops here. They simply sell your data. Kind of defeats the purpose of using a proxy to begin with, right? You wanted to be anonymous, and your anonymity just got sold to the highest bidder.
A group of human rights and internet freedom organizations have come together to build a software tool to detect state-sponsored spyware on your PC. Amnesty International, Digitale Gesellschaft, the Electronic Frontier Foundation and Privacy International have funded and supported a new tool called Detekt for finding spyware on your Windows PC.
The purpose of the tool, according to the Resist Surveillance website, is: "to provide researchers, human rights workers, journalists and others who suspect they are targets of unlawful surveillance with the means to easily test their computers for known spyware".
This article is intended to be a general guideline. If you mess up your network following this guide, we are not responsible.
Firewalls are a common tool today. They are built into Windows, OS X, Linux, and BSD by default. You can configure your firewall to block specific applications, traffic signatures, ports, or a litany of other things moving through your network.
This guide is designed to help you understand the critical ports to leave open, and how to mitigate threats using a firewall. It is not specific to any hardware or software firewall.
Why a firewall is important
A firewall stops your device from sending or receiving data on undesired channels. This can prevent your computer from being compromised through apps and features that you do not use, and can protect you from bugs in operating systems or software that can lead to compromise. It is a powerful tool for resisting communication with your device by outside parties.
The Electronic Frontier Foundation has posted a new scorecard for messaging apps. It measures how the different messaging systems compare to one another with regard to security and trust. They used the same general metrics that we use to weigh our own VPN service against other services.
The metrics used to measure how effective a messaging app was at privacy were:
Is the data encrypted in transit? This means that they are evaluating if your messages leave your device in a secure format, so that anyone that happens to be between you and the person you are messaging cannot decipher the message.
Is the data encrypted so that the provider can't read it? This is an important distinction because if the keys are not generated by the device you are using, and the keys are generated by the servers at the company that runs the messaging service, they still have access to your messages because they have the keys to decrypt them.
The EFF has updated their surveillance self-defense page. It is a comprehensive guide to find all of the information about surveillance techniques and the tools to defend yourself against mass surveillance programs by governments and marketers around the world.
The information contained in the site is extremely accurate and up to date (as of this writing) and is a great guide to keeping your data safe and private.
The index to the site is here: https://ssd.eff.org/en/index
Topics include everything from simple introductions to creating strong passwords and guides on how to install and use basic tools of the trade to advanced topics like using PGP, full drive encryption, and defeating internet censorship.
They even have comprehensive playlists such as the security starter pack that gives you a run-down of how to protect yourself. They even have a special area for
Google Security has found a new serious man-in-the-middle vulnerability against the venerable SSLv3 cipher suites. While SSLv3 is getting quite old, it is still used by a number of sites that aim to support old and antiquated browsers. SSL 3.0 is the final predecessor to TLS, which replaced it.
The POODLE attack, which is a successful man-in-the-middle attack for people with a privileged position on the network, can decrypt an entire session that is supposed to be private.
This problem spans a lot of products, because SSL 3.0 is supported by many websites and services in order to keep older browsers and software working. It is enabled on a large number of operating systems, browsers, and some security products.