Europe Will Unite Against Security Threats – By SIMON NIXON Nov. 15, 2015 6:44 p.m. ET

The forces that bind together the EU are stronger than those threatening to rend it

Demonstrators attended a Paris unity rally in January. PHOTO: AGENCE FRANCE PRESSE/GETTY IMAGES

The last time Islamic terrorists attacked Paris, they brought Europeans closer together.

Following the Charlie Hebdo murders in January, citizens from across the continent took to social media to show solidarity using the hashtag #JeSuisCharlie. European leaders walked arm-in-arm in Paris in defense of European values and free speech. Governments promised to work even more closely together to combat terrorism and religious extremism.

The latest attacks on Paris have engendered similar displays of sympathy, but they do so against an altogether more contested political landscape.

The arrival of more than a million refugees in the European Union this year has fueled tensions both within and between countries. Razor wire fences once again run along some borders between EU members; several governments have reintroduced border checks; trust in the willingness and capacity of countries to enforce EU rules has been severely eroded; and the principle of free movement of people within the EU—a cornerstone of integration—has been widely called into question.

Only the day before the Paris attacks, European Council President Donald Tusk warned that the survival of the EU’s Schengen passport-free travel zone was at stake.

The fact that one of the Paris terrorists appears to have entered Greece alongside refugees in October—and evidence of a possible Belgian link to the plot—is bound to further erode public confidence in open borders. It may also boost support for right-wing populist politicians who insist that the answer to the terrorist threat and migration crises lies in national—rather than European—solutions.

Yet there is little sign so far that any national government is tempted by this populist agenda. Even the new right-wing Polish government, which initially responded to the Paris attacks by saying it would no longer participate in the EU’s refugee resettlement program, backtracked somewhat from its position on Sunday.

Instead, the attacks seem more likely to underline the central message behind Mr. Tusk’s warning: that unless EU governments swiftly take the necessary steps to restore trust in the security of the EU’s external borders, the wider benefits of European integration, including its single market, risk being lost.



Security News This Week: 9 Out of 10 Websites Leak Your Data to Third Parties – YAEL GRAUER, 11.07.15, 7:00 AM

This week, hackers won a million dollar bounty for discovering a long-sought iOS zero-day. Federal lawmakers introduced the Stingray Privacy Act, a new bill that would require state and local lawmakers to get a warrant before using the invasive surveillance devices. The world got its first look at the full text of the Trans-Pacific Partnership trade pact. We found out the UK’s TalkTalk telecom hack may not be as bad as it looked. Android users can finally use Open Whisper Systems’ RedPhone app and TextSecure messaging app in one app, called Signal. And Crackas With Attitude, the teens who hacked CIA Director John Brennan, are back with a new hack.

But that’s not all. Each Saturday we round up the news stories that we didn’t break or cover in depth at WIRED, but which deserve your attention nonetheless. As always, click on the headlines to read the full story in each link posted. And stay safe out there!

Turns Out 90 Percent of the Internet’s Top Sites Leak Your Data to Third Parties

It’s no secret that websites typically send user data to third parties (usually without the user’s knowledge or consent), but new peer-reviewed research published by University of Pennsylvania privacy researcher and doctoral student Tim Libert shows that the scale of this is enormous—nine out of ten sites are leaking user data to an average of nine external domains. That means that a single site you visit will, on average, send your data to nine outside domains. Libert cites Google as the worst culprit, but gives Twitter props for respecting browsers’ Do Not Track setting. He also points out that the NSA has leveraged commercial tracking tools in order to monitor users. For added privacy, using Tor is your best bet, Libert told Motherboard, so long as you don’t log into any accounts (Gmail, Facebook, etc.) while you’re on it.

The Pentagon Outsourced Its Coding to Russia (What Could Go Wrong?)

A four-year federal investigation revealed this week that the Pentagon has outsourced work writing software for sensitive US military communication systems to Russian programmers. Contractor John C. Kingsley discovered the Russian-contracted software had built-in holes that left the Pentagon’s communication system vulnerable to viruses. The two firms involved, Massachusetts-based NetCracker Technology Corporation and Virginia-based Computer Sciences Corporation (which had subcontracted the work), agreed to pay fines of $11.4 million and $1.35 million, respectively. Outsourcing work on classified systems to anyone who’s not a US citizen with approved security clearance violates federal regulations, as well as the company’s contract.


California Now Has the Nation’s Best Digital Privacy Law – KIM ZETTER 10.08.15. 9:58 PM

California continued its long-standing tradition for forward-thinking privacy laws today when Governor Jerry Brown signed a sweeping law protecting digital privacy rights.

The landmark Electronic Communications Privacy Act bars any state law enforcement agency or other investigative entity from compelling a business to turn over any metadata or digital communications—including emails, texts, documents stored in the cloud—without a warrant. It also requires a warrant to track the location of electronic devices like mobile phones, or to search them.

The legislation, which easily passed the Legislature last month, is the most comprehensive in the country, says the ACLU.

“This is a landmark win for digital privacy and all Californians,” Nicole Ozer, technology and civil liberties policy director at the ACLU of California, said in a statement. “We hope this is a model for the rest of the nation in protecting our digital privacy rights.”

Five other states have warrant protection for content, and nine others have warrant protection for GPS location tracking. But California is the first to enact a comprehensive law protecting location data, content, metadata and device searches, Ozer told WIRED.

“This is really a comprehensive update for the modern digital age,” she said.

State senators Mark Leno (D-San Francisco) and Joel Anderson (R-Alpine) wrote the legislation earlier this year to give digital data the same kinds of protection that non-digital communications have.

“For what logical reason should a handwritten letter stored in a desk drawer enjoy more protection from warrantless government surveillance than an email sent to a colleague or a text message to a loved one?” Leno said earlier this year. “This is nonsensical and violates the right to liberty and privacy that every Californian expects under the constitution.”

The bill enjoyed widespread support among civil libertarians like the American Civil Liberties Union and the Electronic Frontier Foundation as well as tech companies like Apple, Google, Facebook, Dropbox, LinkedIn, and Twitter, which have headquarters in California. It also had huge bipartisan support among state lawmakers.

“For too long, California’s digital privacy laws have been stuck in the Dark Ages, leaving our personal emails, text messages, photos and smartphones increasingly vulnerable to warrantless searches,” Leno said in a statement today. “That ends today with the Governor’s signature of CalECPA, a carefully crafted law that protects personal information of all Californians. The bill also ensures that law enforcement officials have the tools they need to continue to fight crime in the digital age.”

The law applies only to California law enforcement entities; law enforcement agencies in other states would be compelled by the laws in their jurisdictions, which is why Ozer and others say it’s important to get similar comprehensive laws passed elsewhere.

The law places California not only at the forefront of protecting digital privacy among states, it outpaces even the federal government, where such efforts have stalled.



That Big Security Fix for Credit Cards Won’t Stop Fraud – KIM ZETTER 09.30.15. 8:00 AM

Tomorrow is the deadline that Visa and MasterCard have set for banks and retailers across the US to roll out a new system for more secure bank cards with microchips embedded in them.

Over the last few years, card issuers have spent between $200 million and $800 million to distribute new debit and credit cards to accountholders, while large retailers like Target, Home Depot and Walmart have spent more than $8 billion to install new card readers capable of reading the chips.

Despite this effort, retailers say the new system is highly flawed because instead of issuing the so-called chip ‘n’ PIN cards that offer two-factor authentication, banks and other card issuers are distributing chip ‘n’ signature cards, which thieves can easily undermine.

“Chip and PIN has been proven to combat fraud dramatically,” says Brian Dodge, executive vice president of the Retail Industry Leaders Association. “But that’s not what American consumers are getting, and thus far banks have gone to great lengths to blur the lines between the two distinctly different transactions.”

Even with PINs, however, the new technology will not eliminate fraud, but will simply shift the type of fraud that occurs.

The Hope of a More Secure System

The new technology—called EMV for Europay, MasterCard and Visa—consists of cards with a microchip that contains data traditionally stored in the card’s magnetic strip. These work with new point-of-sale readers that scan the chip and process payment transactions in a secure manner using encryption.

The chip reduces fraud because it contains a cryptographic key that authenticates the card as a legitimate bank card and also generates a one-time code with each transaction. This means thieves can’t simply take account numbers stolen in a breach and emboss them onto the magnetic strip of a random card, or program them onto the chip of a random chip card, to make fraudulent purchases at stores or unauthorized withdrawals at ATMs.
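To make the difference between static magnetic-stripe data and a chip’s per-transaction code concrete, here is an added illustration that is not part of the article and is not the real EMV cryptogram algorithm: a toy card that keys an HMAC over the transaction details and a counter, and a toy issuer that verifies it. The issuer key, the test PAN 4111111111111111 and the message layout are constructed for this example; a real issuer derives a key per card and never exposes it outside the chip and its own hardware security module.

```python
"""
Added illustration (not from the article): why a chip card's one-time
cryptogram defeats card-data cloning while a copied magnetic stripe does not.
This is a simplified model, NOT the real EMV ARQC algorithm.  The key, PAN and
message layout below are constructed for this example.
"""
import hmac
import hashlib
from dataclasses import dataclass, field

# Constructed sample values; a real issuer key is derived per card and never
# leaves the chip or the issuer's HSM.
ISSUER_KEY = b"example-issuer-master-key-not-real"
SAMPLE_PAN = "4111111111111111"   # well-known test PAN, not a real account


@dataclass
class ChipCard:
    """Chip side: a secret key plus an application transaction counter (ATC)."""
    pan: str
    key: bytes
    atc: int = 0   # increments on every transaction, so no two cryptograms repeat

    def sign_transaction(self, amount_cents: int, unpredictable_number: str) -> dict:
        """Produce a one-time cryptogram bound to this transaction's data."""
        self.atc += 1
        payload = f"{self.pan}|{amount_cents}|{self.atc}|{unpredictable_number}".encode()
        mac = hmac.new(self.key, payload, hashlib.sha256).hexdigest()[:16]
        return {"pan": self.pan, "amount": amount_cents, "atc": self.atc,
                "un": unpredictable_number, "cryptogram": mac}


@dataclass
class Issuer:
    """Issuer side: knows each card's key and remembers the last ATC accepted."""
    keys: dict
    last_atc: dict = field(default_factory=dict)

    def authorise(self, tx: dict) -> bool:
        key = self.keys.get(tx["pan"])
        if key is None:
            return False
        # A replayed or stale counter is rejected: the ATC must strictly increase.
        if tx["atc"] <= self.last_atc.get(tx["pan"], 0):
            return False
        payload = f"{tx['pan']}|{tx['amount']}|{tx['atc']}|{tx['un']}".encode()
        expected = hmac.new(key, payload, hashlib.sha256).hexdigest()[:16]
        if not hmac.compare_digest(expected, tx["cryptogram"]):
            return False
        self.last_atc[tx["pan"]] = tx["atc"]
        return True


def demo() -> dict:
    """Run three scenarios and report which ones the issuer accepts."""
    card = ChipCard(SAMPLE_PAN, ISSUER_KEY)
    issuer = Issuer(keys={SAMPLE_PAN: ISSUER_KEY})

    # 1. Genuine purchase: the terminal supplies a fresh unpredictable number.
    genuine = card.sign_transaction(1999, "a1b2c3d4")
    ok_genuine = issuer.authorise(genuine)

    # 2. Replay: presenting the captured cryptogram again fails on the ATC check.
    ok_replay = issuer.authorise(dict(genuine))

    # 3. Cloned data: someone holding the PAN from a breach (the magnetic-stripe
    #    scenario) has no key, so any cryptogram they supply fails verification.
    forged = {"pan": SAMPLE_PAN, "amount": 50000, "atc": genuine["atc"] + 1,
              "un": "deadbeef", "cryptogram": "0000000000000000"}
    ok_forged = issuer.authorise(forged)

    return {"genuine": ok_genuine, "replay": ok_replay, "forged": ok_forged}


if __name__ == "__main__":
    print(demo())   # {'genuine': True, 'replay': False, 'forged': False}
```

The model also shows what the chip does not protect: the PAN and amount still travel in the clear, so a stolen account number remains usable wherever no cryptogram is checked, which is why the article’s later point about fraud shifting elsewhere follows.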



Near-Perfect Computer Security May Be Surprisingly Close – KEVIN HARTNETT 09.13.15. 7:00 AM


In July 2013 a pair of studies set the cryptography world on fire. They were posted within days of one another to an online archive where researchers share their work, and together they described a powerful new method for hiding the secrets inside software programs.



Original story reprinted with permission from Quanta Magazine, an editorially independent division of the Simons Foundation whose mission is to enhance public understanding of science by covering research developments and trends in mathematics and the physical and life sciences

The method was called “indistinguishability obfuscation,” or IO. The authors touted it as a “central hub” for all of cryptography—a unified basis upon which to reconstruct familiar cryptographic tools like public keys and selectively secure signatures. The papers also took a first stab at demonstrating what IO might look like mathematically.

The research produced a flurry of interest at the time, but in the two years since the announcement, computer science researchers have encountered a number of practical challenges that stand in the way of using IO. For one thing, IO is extraordinarily slow. Obfuscating a program adds delays that would be measured not in minutes or hours, but in lifetimes. In addition, the method is not nearly as mathematically secure as it needs to be.

But in the past few months, a number of studies have provided some of the most important advances since the 2013 announcement. Some researchers now think we could get a working system in a decade, or maybe even sooner than that. “As of right now it seems like there are no big limitations,” said Amit Sahai, a computer scientist at the University of California, Los Angeles, who was a co-author on both of the papers. “IO is powerful and can do almost anything we’ve ever wanted to do.” And if IO can be constructed in terms of certain simple mathematical assumptions, researchers believe that even a quantum computer couldn’t break it.*

A Mountain of Small Steps

Indistinguishability obfuscation begins by positing two programs that compute the exact same outputs by different methods — for example, the equivalent functions f(x) = x(a + b) and f(x) = ax + bx. For any set of three inputs—a, b and x—each program produces the same result as the other, but arrives at that result by a different path. IO says that given two equivalent programs, it should be possible to encrypt them so that users cannot tell which version they have, no matter how much they poke around.

The 2013 papers convinced many people that IO has the power to dramatically broaden the scope of cryptography. But the studies didn’t specify how to make the idea practical. Researchers have two primary challenges: First, to speed up the process. And second, to ensure that IO is secure.



Security News This Week: Turns Out Baby Monitors Are Wildly Easy to Hack – YAEL GRAUER. 09.05.15. 7:00 AM

This week, malware hit jailbroken (mostly Chinese) iPhones, stealing 225,000 iTunes login credentials. Leaked documents show that diplomatic officials in the Ecuadorean embassy in London considered smuggling WikiLeaks founder Julian Assange to freedom in a diplomatic bag. The FBI obtained an audio recording of an “off the record and on background” confession made by accused kidnapper Matthew D. Muller speaking with a local television reporter. And Edward Snowden pointed out that other people go to jail for what Hillary Clinton did with her email server.

And that’s not all. Each week we round up the news stories that we didn’t break or cover in depth at WIRED, but which deserve your attention nonetheless. As always, click on the headlines to read the full story in each link posted, and stay safe out there!

Baby monitors are crazy easy to hack

If the thought of a hacker turning your baby monitor into a spy cam or using it to terrorize you or your child gives you nightmares, I’ve got bad news for you. When security firm Rapid 7 tested nine widely available internet-connected baby monitors for security vulnerabilities, the results weren’t pretty. “Eight of the nine cameras got an F and one got a D minus,” security researcher Mark Stanislav told Fusion’s Kashmir Hill. Security flaws included issues such as a lack of encryption, the use of default passwords, and access to Internet portals with the device’s serial number or account number. Rapid 7 disclosed the vulnerabilities to the companies, who will hopefully all take the information to heart. Stanislav recommends Nestcam (formerly Dropcam) for security, though Hill points out that law enforcement sometimes sends search warrants for the video. Another option is a radio frequency-based baby monitor, which could only be hacked by someone intercepting the radio signal with a sniffing device outside your house, rather than everyone on the Internet.

Vice News Translator Detained In Turkey Because He Allegedly Had An Encrypted Hard Drive

Two Vice news reporters who were filming clashes between security forces and youth members of the Kurdistan Workers’ Party in the southeastern Turkish province of Diyarbakir were arrested for allegedly ‘aiding an armed organization,’ a claim that Vice head of news programming in Europe said was “baseless and alarmingly false charges” and made “in an attempt to intimidate and censor their coverage.” Although the two journalists have been released, Mohammed Ismael Rasool, the translator who was arrested alongside them, has been kept in prison. An anonymous Turkish official told Al Jazeera that Rasool had “a complex encryption system on his personal computer that a lot of ISIL militants also utilize for strategic communications.” It turns out that this complex encryption system is simply an encrypted password-protected hard drive. Rasool denies the claim.



Websites, Please Stop Blocking Password Managers. It’s 2015 – JOSEPH COX: 07.26.15. 7:00 AM


Rather than fancy zero-day exploits, or cutting-edge malware, what you mostly need to worry about when it comes to security is using strong, unique passwords on all the sites and services you visit.

You know that. But what’s crazy is that, in 2015, some websites are intentionally disabling a feature that would allow you to use stronger passwords more easily—and many are doing so because they wrongly argue it makes you safer.

Here’s the problem: Some sites won’t let you paste passwords into login screens, forcing you, instead, to type the passwords out. This makes it impossible to use certain kinds of password managers that are one of the best lines of defense for keeping accounts locked down.

Typically, a password manager will generate a long, complex, and—most importantly—unique password, and then store it in an encrypted fashion on either your computer or a remote service. All you have to do is remember one password to enter all of your others. In essence, the task of remembering dozens of passwords is relegated to the manager, meaning that you don’t have to deploy that same, easy to remember password on multiple sites.

“Companies constantly interrupt password managers, as they falsely believe they’re improving the situation by forcing people to actually type passwords in.” – Joe Siegrist, CEO of LastPass

This week a customer called out T-Mobile for blocking their password manager. WIRED confirmed on Thursday that it was not possible to paste text into the create password field on the T-Mobile site. T-Mobile got in touch on Sunday to say the problem had now been patched.

Jai Ferguson, a spokesman for T-Mobile, told WIRED earlier in the week that the company was “aware of the copy/paste issues and are actively working on a fix.” He added that the problem “certainly isn’t by design,” despite the HTML code used on the web-page explicitly prohibiting users from pasting into the password field.
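The markup that produces this behaviour is usually an inline clipboard handler on the password input. As an added example that is not part of the article and not taken from any of the sites named, here is a small audit script a site owner can run over their own forms: it parses the HTML, finds every password field, and flags the attributes that interfere with password managers, with a constructed blocking form beside its corrected version.

```python
"""
Added illustration (not from the article): a static audit of password fields
for markup that interferes with password managers.  The sample forms are
constructed for this example and are not taken from any real site.
"""
from html.parser import HTMLParser

# Inline event-handler attributes commonly used to suppress clipboard use.
CLIPBOARD_EVENTS = ("onpaste", "oncopy", "oncut", "ondrop")


class PasswordFieldAuditor(HTMLParser):
    """Collects <input type="password"> elements and records anti-manager markup."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "input":            # HTMLParser lower-cases tag/attribute names
            return
        a = {k: (v or "") for k, v in attrs}
        if a.get("type", "").lower() != "password":
            return
        problems = []
        for ev in CLIPBOARD_EVENTS:
            handler = a.get(ev, "").lower()
            # A handler that returns false or calls preventDefault swallows the event.
            if "return false" in handler or "preventdefault" in handler:
                problems.append(f"{ev} blocks clipboard")
        if a.get("autocomplete", "").lower() == "off":
            problems.append("autocomplete=off")
        if "readonly" in a:
            problems.append("readonly")
        self.findings.append({"name": a.get("name", a.get("id", "?")),
                              "problems": problems})


def audit_password_fields(html: str) -> list:
    """Return one record per password field; an empty problem list means clean."""
    p = PasswordFieldAuditor()
    p.feed(html)
    return p.findings


# Constructed sample: the blocking pattern beside the corrected form.
BLOCKING_FORM = """
<form action="/signup" method="post">
  <input type="text" name="user">
  <input type="password" name="pw" autocomplete="off" onpaste="return false;">
  <input type="password" name="pw2" ondrop="event.preventDefault()">
</form>
"""

FIXED_FORM = """
<form action="/signup" method="post">
  <input type="text" name="user" autocomplete="username">
  <input type="password" name="pw" autocomplete="new-password">
  <input type="password" name="pw2" autocomplete="new-password">
</form>
"""

if __name__ == "__main__":
    for label, doc in (("blocking", BLOCKING_FORM), ("fixed", FIXED_FORM)):
        for f in audit_password_fields(doc):
            status = ", ".join(f["problems"]) or "ok"
            print(f"{label}: field {f['name']}: {status}")
```

The corrected form uses the `autocomplete="username"` and `autocomplete="new-password"` hints, which tell browsers and managers which field is which rather than fighting them. The audit is static, so a handler attached from a script with `addEventListener` will not be seen; checking the page in a browser with a manager installed remains the definitive test.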

Another customer complained that the German site for Barclaycard prevented pasting. Again, WIRED checked that this was the case. WIRED also confirmed that it was not possible to paste passwords in the registration section of the Western Union website.

The list goes on, and several people complained this month that PayPal was presenting a similar problem when users tried to change their password.


The Stock Exchange and United Outages Weren’t Hacks But They Were Just As Scary – By Lily Hay Newman JULY 9 2015 7:50 PM

A trader on the floor of the New York Stock Exchange during Wednesday’s outage. Photo by Lucas Jackson


On Wednesday, an hour-and-a-half-long reservation system failure grounded United Airlines flights, the New York Stock Exchange was down for almost four hours, and the Wall Street Journal’s website suffered intermittent outages. At an intelligence committee hearing that afternoon, Sen. Barbara Mikulski firmly told FBI Director James Comey, “I don’t believe in coincidences.” But no matter how hack-like the situation seemed, all three companies and law enforcement have been adamant that bad actors were not behind the failures. And that’s just as scary.

A United representative told the Los Angeles Times that a router issue had “degraded network connectivity for various applications,” causing the company’s system problems. And after consistently but opaquely claiming that there weren’t bad actors behind the stock exchange outage, NYSE said in a statement on Thursday that a software update was to blame. “As is standard NYSE practice, the initial release was deployed on one trading unit … [but] there were communication issues between customer gateways and the trading unit with the new release.” NYSE attempted to correct the problem, but this caused new complications and “the decision was made to suspend trading.” The Wall Street Journal is still investigating the cause of its outages, with some speculating that heavy Web traffic brought the site down.

Between the Office of Personnel Management hack and the breach at Sony, the idea of large-scale malicious cyberattacks has become markedly more real for consumers in recent months. But Dave Chronister, who founded the cybersecurity firm Parameter Security and formerly did IT management at financial institutions like A.G. Edwards, points out that there doesn’t have to be a bad actor on the other end for something to be a cybersecurity problem. “We’re in a hypersensitive time right now where everybody’s worried about the malicious attacker, but the chances are you’re going to have a lot more incidents like [those on Wednesday] than actual attacks,” he said. “These were security incidents. The systems went down. It didn’t matter that it wasn’t an attack.”


Last night NSA scare tactics finally stopped working – Updated by Timothy B. Lee on May 23, 2015, 10:50 a.m. ET

There was drama in the Senate last night, as Senate Majority Leader Mitch McConnell struggled to extend a Patriot Act provision that supporters say allows the government to conduct mass surveillance of Americans’ calling records. (Opponents think the program is illegal regardless, but the legislative provision has become a focal point for the fight over the larger issue.) But his fellow Kentucky Republican senator, Rand Paul, led the charge to stop him. Wrote the Hill:

The battle between the two Kentucky Republicans spilled over on the Senate floor, with Paul using procedural tactics to force the chamber into an early Saturday vote. He then used his leverage to kill off McConnell’s repeated attempts to reauthorize the expiring National Security Agency (NSA) programs — first for two months, then for eight days, then for five, then three, then two.

It’s a tactic advocates of mass surveillance have used repeatedly in recent years:

  • They drag their feet on legislation to curtail NSA spying authority until the last possible minute.
  • They argue that it would be reckless to let old spying authority expire without an alternative to put in its place.
  • Terrified of appearing soft on terrorism, members of Congress have repeatedly extended current authority without changes.

But it didn’t work this time, and for good reason.

The NSA program the Senate was debating last night, which collects phone records of every American, was never authorized by Congress in the first place. At least that’s the view of the Second Circuit Appeals Court, which ruled the program was illegal earlier this month. While the secretive FISA court disagrees with the Second Circuit, the latter’s ruling has stiffened the spines of those who believe the program was illegal from the outset.

And two years after the phone records program was revealed by NSA whistleblower Ed Snowden, the program’s advocates still haven’t produced any convincing evidence that the program makes us safer.

There’s broad agreement that the government should have access to the calling records of suspected terrorists, of course. But there’s no reason to think it’s helpful to collect the calling records of millions of innocent Americans just in case one of them happens to be a terrorist. And in particular, there’s no reason to think that a few days or weeks without bulk collection of telephone records will lead to a rash of terrorist attacks. The US government still has a number of ways to get the calling records of terrorism suspects — these mechanisms just involve more court oversight.

Finally, after years of repeating this tactic, it’s become clear that it’s just that — a tactic. Mass surveillance advocates are going to use it over and over to keep current law in place indefinitely. Only by saying no to short-term extensions and being willing to actually let the program lapse will reformers have the leverage to insist on serious reforms of the spying agency.

US security chief warns shoppers after terror threat – BBC News 22 February 2015 Last updated at 16:16 ET

Jeh Johnson told ABC: “We’re in a new phase now”

US Homeland Security Secretary Jeh Johnson has urged people to be vigilant following a terror threat to Western shopping centres, including one of America’s largest malls.

He said he took the threat by the Somali-based group al-Shabab seriously.

In a video, the group urged followers to carry out attacks on shopping centres in the US, Canada and the UK.

Al-Shabab was responsible for the 2013 attack on Westgate shopping mall in Nairobi that killed 67 people.

Mr Johnson told CNN that the threat was part of “a new phase” of terrorism in which attacks would increasingly come from “independent actors in their homelands”.

“Anytime a terrorist organisation calls for an attack on a specific place, we’ve got to take that seriously,” he said.

But Mr Johnson added that he was not advising people not to go to the malls named by the militants.

In the video, a man with a British-sounding accent and full face covering calls on supporters of al-Shabab to attack “American or Jewish-owned” Western shopping centres.

He specifically mentions Minnesota’s Mall of America – the second-largest US shopping centre – and Canada’s West Edmonton Mall, as well as London’s Oxford Street and the UK capital’s two Westfield shopping centres.

Co-ordinates for the various targets were listed on the screen as they were described.

The BBC’s Naomi Grimley in Washington says it is possible that the video is part of a rivalry between al-Shabab, which is linked to al-Qaeda, and Islamic State, which has dominated media coverage recently.
