The Privacy BlogPrivacy, Security, Cryptography, and Anonymity

HTTPS Questionmark screenshot

Google warns of unauthorized TLS certificates trusted by almost all OSes Ars Technica

“In the latest security lapse involving the Internet’s widely used encryption system, Google said unauthorized digital certificates have been issued for several of its domains and warned misissued credentials may be impersonating other unnamed sites as well.” (more…)

· ·

Tulips and windmill

DutchNews.nl reports that ISPs in the Netherlands will no longer be required to retain data for law enforcement.

Since 2009, national laws have required keeping records on the activities of all users for a period of one year. In 2014 the EU determined that such mass storage was a violation of fundamental privacy rights.

This court ruling brings the EU and Dutch rules into accord by ending the data retention requirement.

·

HiRes

There is a new “man in the middle” attack against web pages that is significantly worse than I have seen before. Interestingly, it does not even appear to be intended as an attack. (more…)

·

Feb/15

13

Snipers at the Watering Hole

Play

Rhino at watering hole

Security researchers discovered a very sophisticated watering hole attack against Forbes.

There is a major trend towards increasingly targeted cyber attacks, from advanced persistent threats (APT), to spear phishing. Now we are seeing targeting applied to watering hole attacks. I think of this as the sniper at the watering hole. (more…)

· · · · · · ·

Asian woman at computer

“HONG KONG — The Chinese government has adopted new regulations requiring companies that sell computer equipment to Chinese banks to turn over secret source code, submit to invasive audits and build so-called back doors into hardware and software, according to a copy of the rules obtained by foreign technology companies that do billions of dollars’ worth of business in China.”

New Rules in China Upset Western Tech Companies – NYTimes.com

Previous blog posts on China censorship:

China celebrates 25th anniversary of Tiananmen with censorship. – The Privacy Blog The Privacy Blog

China launches MITM attack on GitHub – The Privacy Blog The Privacy Blog

Lance Cottrell is the Founder and Chief Scientist of Anonymizer. Follow me on Facebook, Twitter, and Google+.

· ·

Asian woman headsmack

FBI Director James Cormey says that the North Korean’s who hacked Sony were tracked because of bad operational security in their use of proxies.

We saw the same thing with the take down of the Silk Road website. Few people have the skills, tools, and discipline to be 100% consistent with their anonymity. Any slip at any time can blow your cover. Of course, this could have been an intentional false flag, the rabbit hole can get very deep. Jeff Carr makes the case that this is actually quite likely.

(more…)

· · · ·

3 birds on a wire

Google engineer Adrienne Felt recently noticed that Gogo in-flight Wi-Fi was messing with the SSL certificates on secure Google web pages.

Her browser showed a problem with the HTTPs connection, and further investigation showed that the SSL certificate was self signed by Gogo’s own untrusted certificate authority. (more…)

· · · · ·

Play

Rotten onion

Right after the Lizard Squad finished with a DDOS attack on the PSN and XBOX networks, they launched an attack against the Tor anonymity system. The attack was simple, set up enough Tor relays to be able to identify a significant fraction of Tor users and connect them with their activity. They got caught because they were bozos (perhaps intentionally). They did the attack hard and fast, which made it easy to identify the rogue relays, and they bragged about it (which told people to look for the attack). (more…)

· · · · · ·

HiRes

It looks like people who care about Internet anonymity need to look outside Canada for their providers. It is not just a concern that the Canadian government would be able to subpoena the information, but it is also vulnerable to insider and external attack. If the data exists, it will eventually leak.

Starting today Canadian Internet providers are required to forward copyright infringement notices to their subscribers. This notification scheme provides a safe harbor for ISPs but is also expected to result in a surge in piracy settlement schemes. The new law further causes trouble for VPN providers, who are now required to log customers for at least six months.

Canadian ISPs and VPNs Now Have to Alert Pirating Customers | TorrentFreak

Lance Cottrell is the Founder and Chief Scientist of Anonymizer. Follow me on Facebook, Twitter, and Google+.

· · · ·

Looking in Dark Box

I have long said that privacy services are all about trust. I this article demonstrating how to use a simple web proxy to compromise the users of that proxy. Of course, the operator of the proxy is being untrustworthy, but that is the whole point. If you don’t have a reason to specifically trust the operator of your privacy service, you need to assume that they are attempting to do you harm. Of course, the same argument applies to Tor. Literally anyone could be running that proxy for any purpose. (more…)

· · · ·

<< Latest posts

Older posts >>