An anonymous reader shares a report: A little more than a year ago, Amazon, specifically Amazon Web Services, flashed its stacks of cash as it announced it was buying up the end-to-end encrypted messaging app Wickr. AWS users could suddenly use Wickr's services, and some reporters speculated Amazon could have been trying to make a move in the increasingly crowded encrypted messaging space. That's much more unlikely now as Amazon announced Monday it was nixing its secure messaging app Wickr Me.

The tech giant said that Wickr would instead be focused on business and public sector communications, specifically through AWS Wickr and Wickr Enterprise. The company will no longer allow registrations for Wickr Me after Dec. 31, and a year later, at the tail end of 2023, the app will be but a puff of smoke and a memory. Wickr was worth in the ballpark of $60 million when it was purchased, but just a few years ago Wickr was spouting off about its features that encrypted conference calls, which was a major evolution in the encrypted messaging space. Amazon's other messaging app, Chime, does videoconferencing without encryption. In September, Amazon finally added end-to-end encryption for the data sent to users through its Ring doorbells.

VMware today announced the launch of Fusion 13, the latest major update to the Fusion virtualization software. MacRumors reports: For those unfamiliar with Fusion, it is designed to allow Mac users to operate virtual machines to run non-macOS operating systems like Windows 11. Fusion 13 Pro and Fusion 13 Player are compatible with both Intel Macs and Apple silicon Macs equipped with M-series chips, offering native support. VMware has been testing Apple silicon support for several months now ahead of the launch of the latest version of Fusion.

With Fusion 13, Intel and Apple silicon Mac users can access Windows 11 virtual machines. Intel Macs offer full support for Windows 11, while on Apple silicon, VMware says there is a first round of features for Windows 11 on Arm. Users who need to run traditional win32 and x64 apps can do so through built-in emulation. Fusion 13 also includes a TPM 2.0 virtual device that can be added to any VM, storing contents in an encrypted section of the virtual machine files and offering hardware-tpm functionality parity. To support this feature, Fusion 13 uses a fast encryption type that encrypts only the parts of the VM necessary to support the TPM device for performance and security. The software supports OpenGL 4.3 in Windows and Linux VMs on Intel and in Linux VMs on Apple silicon.

Brian Krebs writes via KrebsOnSecurity: Peter is an IT manager for a technology manufacturer that got hit with a Russian ransomware strain called "Zeppelin" in May 2020. He'd been on the job less than six months, and because of the way his predecessor architected things, the company's data backups also were encrypted by Zeppelin. After two weeks of stalling their extortionists, Peter's bosses were ready to capitulate and pay the ransom demand. Then came the unlikely call from an FBI agent. "Don't pay," the agent said. "We've found someone who can crack the encryption." Peter, who spoke candidly about the attack on condition of anonymity, said the FBI told him to contact a cybersecurity consulting firm in New Jersey called Unit 221B, and specifically its founder -- Lance James. Zeppelin sprang onto the crimeware scene in December 2019, but it wasn't long before James discovered multiple vulnerabilities in the malware's encryption routines that allowed him to brute-force the decryption keys in a matter of hours, using nearly 100 cloud computer servers.

In an interview with KrebsOnSecurity, James said Unit 221B was wary of advertising its ability to crack Zeppelin ransomware keys because it didn't want to tip its hand to Zeppelin's creators, who were likely to modify their file encryption approach if they detected it was somehow being bypassed. This is not an idle concern. There are multiple examples of ransomware groups doing just that after security researchers crowed about finding vulnerabilities in their ransomware code. "The minute you announce you've got a decryptor for some ransomware, they change up the code," James said. But he said the Zeppelin group appears to have stopped spreading their ransomware code gradually over the past year, possibly because Unit 221B's referrals from the FBI let them quietly help nearly two dozen victim organizations recover without paying their extortionists. [...]

The researchers said their break came when they understood that while Zeppelin used three different types of encryption keys to encrypt files, they could undo the whole scheme by factoring or computing just one of them: An ephemeral RSA-512 public key that is randomly generated on each machine it infects. "If we can recover the RSA-512 Public Key from the registry, we can crack it and get the 256-bit AES Key that encrypts the files!" [James and co-author Joel Lathrop wrote in a blog post]. "The challenge was that they delete the [public key] once the files are fully encrypted. Memory analysis gave us about a 5-minute window after files were encrypted to retrieve this public key." Unit 221B ultimately built a "Live CD" version of Linux that victims could run on infected systems to extract that RSA-512 key. From there, they would load the keys into a cluster of 800 CPUs donated by hosting giant Digital Ocean that would then start cracking them. The company also used that same donated infrastructure to help victims decrypt their data using the recovered keys. A more technical writeup on Unit 221B's discoveries (cheekily titled "0XDEAD ZEPPELIN") is available here.

Fearing the possibility of encryption-cracking quantum computers, Quanta magazine reports that researchers are "scrambling to produce new,'post-quantum' encryption scheme." Earlier this year, the National Institute of Standards and Technology revealed four finalists in its search for a post-quantum cryptography standard. Three of them use "lattice cryptography" — a scheme inspired by lattices, regular arrangements of dots in space.

Lattice cryptography and other post-quantum possibilities differ from current standards in crucial ways. But they all rely on mathematical asymmetry. The security of many current cryptography systems is based on multiplication and factoring: Any computer can quickly multiply two numbers, but it could take centuries to factor a cryptographically large number into its prime constituents. That asymmetry makes secrets easy to encode but hard to decode.... A quirk of factoring makes it vulnerable to attack by quantum computers.... Originally developed in the 1990s, [lattice cryptography] relies on the difficulty of reverse-engineering sums of points...

Of course, it's always possible that someone will find a fatal flaw in lattice cryptography... Cryptography works until it's cracked. Indeed, earlier this summer one promising post-quantum cryptography scheme was cracked using not a quantum computer, but an ordinary laptop.
At a recent panel discussion on post-quantum cryptography, Adi Shamir (the S in RSA), expressed concern that NIST's proposed solutions are predominantly based on lattice cryptography. "In some sense, we are putting all eggs in the same basket, but that is the best we have....

"The best advice for young researchers is to stay away from lattice-based post-quantum crypto," Shamir added. "What we really lack are entirely different ideas which will turn out to be secure. So any great idea for a new basis for public-key cryptography which is not using lattices will be greatly appreciated."

Thursday the Kudelski Group's cybersecurity division released "a tool for Linux that allows creation of multiple hidden volumes on a storage device in such a way that it is very difficult, even under forensic inspection, to prove the existence of such volumes."

"Each volume is encrypted with a different secret key, scrambled across the empty space of an underlying existing storage medium, and indistinguishable from random noise when not decrypted." Even if the presence of the Shufflecake software itself cannot be hidden — and hence the presence of secret volumes is suspected — the number of volumes is also hidden. This allows a user to create a hierarchy of plausible deniability, where "most hidden" secret volumes are buried under "less hidden" decoy volumes, whose passwords can be surrendered under pressure. In other words, a user can plausibly "lie" to a coercive adversary about the existence of hidden data, by providing a password that unlocks "decoy" data.

Every volume can be managed independently as a virtual block device, i.e. partitioned, formatted with any filesystem of choice, and mounted and dismounted like a normal disc. The whole system is very fast, with only a minor slowdown in I/O throughput compared to a bare LUKS-encrypted disk, and with negligible waste of memory and disc space.

You can consider Shufflecake a "spiritual successor" of tools such as Truecrypt and Veracrypt, but vastly improved. First of all, it works natively on Linux, it supports any filesystem of choice, and can manage up to 15 nested volumes per device, so to make deniability of the existence of these partitions really plausible.
"The reason why this is important versus "simple" disc encryption is best illustrated in the famous XKCD comic 538," quips Slashdot reader Gaglia (in the original submission. But the big announcement from Kudelski Security Research calls it "a tool aimed at helping people whose freedom of expression is threatened by repressive authorities or dangerous criminal organizations, in particular: whistleblowers, investigative journalists, and activists for human rights in oppressive regimes.

"Shufflecake is FLOSS (Free/Libre, Open Source Software). Source code in C is available and released under the GNU General Public License v3.0 or superior.... The current release is still a non-production-ready prototype, so we advise against using it for really sensitive operations. However, we believe that future work will sensibly improve both security and performance, hopefully offering a really useful tool to people who live in constant danger of being interrogated with coercive methods to reveal sensitive information.

At its Zoomtopia conference, the company announced a bunch of features that are coming to its platform, including two key ones for productivity: email and calendars. Engadget reports: You can connect third-party email and calendar services to Zoom and access them through the desktop app. The company says that can help save you time instead of having to switch between apps and perhaps needing to hunt for the right tab in your browser. Those on the Zoom One Pro or Zoom Standard Pro plans will be able to set up email accounts through the platform, and folks with certain plans have the option to use custom domains. You'll get up to 100GB of storage included. The key selling point is that messages sent directly between Zoom Mail Service users (i.e. those who use Zoom's email hosting services) will have end-to-end encryption. You'll also be able to send external emails that can expire and contain access-restricted links.

As for Zoom Calendar, there will be options to see which of your contacts has joined a meeting, and you can schedule Zoom voice and video calls in the app. Zoom's own calendar service will include the ability to book appointments. On the way in 2023 is a feature called Zoom Spots. The company describes this as a virtual coworking space where colleagues can stay more connected during the workday via video-first conversations. While the company didn't reveal too much detail about Zoom Spots in its blog post, there may be a downside as the feature could enable bosses to keep a closer eye on what their employees are doing.

Businesses will soon be able to employ Zoom Virtual Agent, a conversational AI and chatbot designed to help customers resolve issues. That tool will be available in early 2023. Other things in the pipeline include a way for developers to make money from the Zoom Apps Marketplace and a virtual coach to help sellers perfect their pitches. As for the core functions people know Zoom for, there's a feature on the way that connects team chats with in-meeting chats. You'll be able to carry the conversation from one to the other and back again to keep things flowing. The company is also looking to roll out translation options for team chats in 2023. In the near future, you'll be able to schedule a chat message to send at a later time.

Zoom Phone is coming to the web, which should be handy for many folks. A progressive web app will be available for ChromeOS too. Meanwhile, users will be able to use a one-click chat message as a response when they can't answer a call. As for Zoom Rooms, there will be a way for folks in one of those to join a Google Meet room and vice versa. Last, but by no means least, Zoom revealed a string of updates for meetings. The Smart Recordings feature uses AI to generate summaries, next steps and chapters to make archived meetings more digestible and help you get to the part you're looking for. There will be meeting templates that can automatically configure the right settings and a way to record videos with narration and screensharing that you can send to colleagues. On top of that, you'll have more avatar options, including the ability to use a Meta avatar.

The Intercept reports that protesters in Iran "have often been left wondering how the government was able to track down their locations or gain access to their private communications — tactics that are frighteningly pervasive but whose mechanisms are virtually unknown."

But The Intercept now has evidence of a new possibility: While disconnecting broad swaths of the population from the web remains a favored blunt instrument of Iranian state censorship, the government has far more precise, sophisticated tools available as well. Part of Iran's data clampdown may be explained through the use of a system called "SIAM," a web program for remotely manipulating cellular connections made available to the Iranian Communications Regulatory Authority. The existence of SIAM and details of how the system works, reported here for the first time, are laid out in a series of internal documents from an Iranian cellular carrier that were obtained by The Intercept.

According to these internal documents, SIAM is a computer system that works behind the scenes of Iranian cellular networks, providing its operators a broad menu of remote commands to alter, disrupt, and monitor how customers use their phones. The tools can slow their data connections to a crawl, break the encryption of phone calls, track the movements of individuals or large groups, and produce detailed metadata summaries of who spoke to whom, when, and where. Such a system could help the government invisibly quash the ongoing protests — or those of tomorrow — an expert who reviewed the SIAM documents told The Intercept.

"SIAM can control if, where, when, and how users can communicate," explained Gary Miller, a mobile security researcher and fellow at the University of Toronto's Citizen Lab. "In this respect, this is not a surveillance system but rather a repression and control system to limit the capability of users to dissent or protest."
Thanks to long-time Slashdot reader mspohr for submitting the article.

Here's the Guardian's report on new cryptographic techniques where "you can share data while keeping that data private" — known by the umbrella term "privacy-enhancing technologies" (or "Pets). They offer opportunities for data holders to pool their data in new and useful ways. In the health sector, for example, strict rules prohibit hospitals from sharing patients' medical data. Yet if hospitals were able to combine their data into larger datasets, doctors would have more information, which would enable them to make better decisions on treatments. Indeed, a project in Switzerland using Pets has since June allowed medical researchers at four independent teaching hospitals to conduct analysis on their combined data of about 250,000 patients, with no loss of privacy between institutions. Juan Troncoso, co-founder and CEO of Tune Insight, which runs the project, says: "The dream of personalised medicine relies on larger and higher-quality datasets. Pets can make this dream come true while complying with regulations and protecting people's privacy rights. This technology will be transformative for precision medicine and beyond."

The past couple of years have seen the emergence of dozens of Pet startups in advertising, insurance, marketing, machine learning, cybersecurity, fintech and cryptocurrencies. According to research firm Everest Group, the market for Pets was $2bn last year and will grow to more than $50bn in 2026. Governments are also getting interested. Last year, the United Nations launched its "Pet Lab", which was nothing to do with the welfare of domestic animals, but instead a forum for national statistical offices to find ways to share their data across borders while protecting the privacy of their citizens.

Jack Fitzsimons, founder of the UN Pet Lab, says: "Pets are one of the most important technologies of our generation. They have fundamentally changed the game, because they offer the promise that private data is only used for its intended purposes...." The emergence of applications has driven the theory, which is now sufficiently well developed to be commercially viable. Microsoft, for example, uses fully homomorphic encryption when you register a new password: the password is encrypted and then sent to a server who checks whether or not that password is in a list of passwords that have been discovered in data breaches, without the server being able to identify your password. Meta, Google and Apple have also over the last year or so been introducing similar tools to some of their products.
The article offers quick explanations of zero-knowledge proofs, secure multiparty computation, and fully homomorphic encryption (which allows the performance of analytics on data by a second party who never reads the data or learns the result).

And "In addition to new cryptographic techniques, Pets also include advances in computational statistics such as 'differential privacy', an idea from 2006 in which noise is added to results in order to preserve the privacy of individuals."

The Biden administration said it will launch a cybersecurity labeling program for consumer Internet of Things devices starting in 2023 in an effort to protect Americans from "significant national security risks." TechCrunch reports: Inspired by Energy Star, a labeling program operated by Environmental Protection Agency and the Department of Energy to promote energy efficiency, the White House is planning to roll out a similar IoT labeling program to the "highest-risk" devices starting next year, a senior Biden administration official said on Wednesday following a National Security Council meeting with consumer product associations and device manufacturers. Attendees at the meeting included White House cyber official Anne Neuberger, FCC chairwoman Jessica Rosenworcel, National Cyber Director Chris Inglis and Sen. Angus King, alongside leaders from Google, Amazon, Samsung, Sony and others.

The initiative, described by White House officials as "Energy Star for cyber," will help Americans to recognize whether devices meet a set of basic cybersecurity standards devised by the National Institute of Standards and Technology (NIST) and the Federal Trade Commission (FTC). Though specifics of the program have not yet been confirmed, the administration said it will "keep things simple." The labels, which will be "globally recognized" and debut on devices such as routers and home cameras, will take the form of a "barcode" that users can scan using their smartphone rather than a static paper label, the administration official said. The scanned barcode will link to information based on standards, such as software updating policies, data encryption and vulnerability remediation.

Mark Zuckerberg, writing in a Facebook post: WhatsApp is far more private and secure than iMessage, with end-to-end encryption that works across both iPhones and Android, including group chats. With WhatsApp you can also set all new chats to disappear with the tap of a button. And last year we introduced end-to-end encrypted backups too. All of which iMessage still doesn't have.

"Europe is aiming to launch a technology demonstration satellite for secure, quantum-encrypted communications in 2024," reports Space.com, "with a view to developing a larger constellation." The satellite, Eagle-1, will be the first space-based quantum key distribution (QKD) system for the European Union and could lead to an ultrasecure communications network for Europe, according to a statement from the European Space Agency (ESA).

Eagle-1 will spend three years in orbit testing the technologies needed for a new generation of secure communications. The satellite will demonstrate the "feasibility of quantum key distribution technology — which uses the principles of quantum mechanics to distribute encryption keys in such a way that any attempt to eavesdrop is immediately detected — within the EU using a satellite-based system," according to ESA...

"European security and sovereignty in a future world of quantum computing is critical to the success of Europe and its Member States," Steve Collar, CEO of SES, said in the statement. He added that the goal is "to advance quantum communications and develop the Eagle-1 system to support secure and sovereign European networks of the future."
SES will be leading a consortium of more than 20 European countries, according to the ESA's statement: Eagle-1 will demonstrate the feasibility of quantum key distribution technology — which uses the principles of quantum mechanics to distribute encryption keys in such a way that any attempt to eavesdrop is immediately detected — within the EU using a satellite-based system. To do so, the system will build on key technologies developed under ESA's Scylight programme, with the aim of validating vital components supplied within the EU....

It will allow the EU to prepare for a sovereign, autonomous cross-border quantum secure communications network.

The system will initially use an upgraded optical ground terminal from the German Aerospace Centre (DLR) alongside a new optical ground terminal to be developed by a team from the Netherlands. The Eagle-1 platform satellite from Italian company Sitael will carry a quantum-key payload built by Tesat Spacecom of Germany and will be operated by Luxembourg-headquartered SES.

"A researcher from cloud and endpoint protection provider WithSecure has discovered an unpatchable flaw in Microsoft Office 365 Message Encryption," reports VentureBeat. "The flaw enables a hacker to infer the contents of encrypted messages." OME uses the electronic codebook (ECB) block cipher, which leaks structural information about the message. This means if an attacker obtains many emails they can infer the contents of the messages by analyzing the location and frequency of patterns in the messages and matching these to other emails. For enterprises, this highlights that just because your emails are encrypted, doesn't mean they're safe from threat actors. If someone steals your email archives or backups, and accesses your email server, they can use this technique to sidestep the encryption.

The discovery comes shortly after researchers discovered hackers were chaining two new zero-day Exchange exploits to target Microsoft Exchange servers.

WithSecure originally shared its discovery of the Office 365 vulnerability with Microsoft in January 2022. Microsoft acknowledged it and paid the researcher through its vulnerability reward program, but hasn't issued a fix.

Nearly four years after its last major release, VirtualBox 7.0 arrives with a... host of new features. Chief among them are Windows 11 support via TPM, EFI Secure Boot support, full encryption for virtual machines, and a few Linux niceties. From a report: The big news is support for Secure Boot and TPM 1.2 and 2.0, which makes it easier to install Windows 11 without registry hacks (the kind Oracle recommended for 6.1 users). It's strange to think about people unable to satisfy Windows 11's security requirements on their physical hardware, but doing so with a couple clicks in VirtualBox, but here we are. VirtualBox 7.0 also allows virtual machines to run with full encryption, not just inside the guest OSâ"but logs, saved states, and other files connected to the VM. At the moment, this support only works through the command line, "for now," Oracle notes in the changelog.

This is the first official VirtualBox release with a Developer Preview for ARM-based Macs. Having loaded it on an M2 MacBook Air, I can report that the VirtualBox client informs you, extensively and consistently, about the non-production nature of your client. The changelog notes that it's an "unsupported work in progress" that is "known to have very modest performance." A "Beta Warning" shows up in the (new and unified) message center, and in the upper-right corner, a "BETA" warning on the window frame is stacked on top of a construction-style "Dev Preview" warning sign. It's still true that ARM-based Macs don't allow for running operating systems written for Intel or AMD-based processors inside virtual machines. You will, however, be able to run ARM-based Linux installations in macOS Venture that can themselves run x86 processors using Rosetta, Apple's own translation layer.

schwit1 shares a blog post from Signal, the popular instant messaging app: In the interest of privacy, security, and clarity we're beginning to phase out SMS support from the Android app. You'll have several months to export your messages and either find a new app for SMS or tell your friends to download Signal.

[...] To give some context, when we started supporting SMS, Signal didn't exist yet. Our Android app was called TextSecure and the Signal encryption protocol was called Axolotl. Almost a decade has passed since then, and a lot has changed. In this time we changed our name, built iOS and desktop apps, and grew from a small project to the most widely used private messaging service on the planet. And we continued supporting the sending and receiving of plaintext SMS messages via the Signal interface on Android. We did this because we knew that Signal would be easier for people to use if it could serve as a homebase for most of the messages they were sending or receiving, without having to convince the people they wanted to talk to to switch to Signal first. But this came with a tradeoff: it meant that some messages sent and received via the Signal interface on Android were not protected by Signal's strong privacy guarantees.

We have now reached the point where SMS support no longer makes sense. For those of you interested, we walk through our reasoning in more detail below. In order to enable a more streamlined Signal experience, we are starting to phase out SMS support from the Android app. You will have several months to transition away from SMS in Signal, to export your SMS messages to another app, and to let the people you talk to know that they might want to switch to Signal, or find another channel if not.

Privacy-focused cryptocurrency and payments firm MobileCoin, in collaboration with stablecoin platform Reserve, has launched a stablecoin dubbed "Electronic Dollars" (eUSD). CoinDesk reports: According to MobileCoin, eUSD is backed by a basket of other stablecoins, namely, USD coin (USDC), Pax dollar (USDP) and trueUSD (TUSD). Each transaction is said to be encrypted using end-to-end zero-knowledge encryption. In other words, only the transacting parties can see their own transactional data, thanks to encryption that uses zero knowledge proofs (a way of proving something without revealing sensitive information). The stablecoin eUSD is built on the MobileCoin blockchain, which, according to MobileCoin, is optimized for mobile devices. Apparently, MobileCoin was originally designed for integration with encrypted mobile messaging app, Signal. Consequently, eUSD will inherit the features of MobileCoin's native cryptocurrency, MOB, although eUSD users will pay transaction fees (a flat $0.0026 per transaction) in eUSD and not MOB.

The eUSD relies on what seems to be a centralized governance structure where the MobileCoin Foundation acts as the primary governing body. The foundation elects "governors" who are authorized to mint and burn eUSD. The stablecoin's collateral is held in a popular Ethereum multisignature (multisig) wallet called Safe (formerly "Gnosis Safe"). New eUSD is only minted after governors confirm an equivalent amount of collateral has been transferred to the Safe wallet. "Anybody can inspect the contract holding this basket [of collateral], to see what the current balances are. It's a Gnosis safe, which is also one of the most highly regarded contracts on Ethereum for holding assets," Henry Holtzman, MobileCoin's chief innovation officer explained during an interview with CoinDesk.

Similarly, if a user redeems eUSD, the token is "verifiably burned" and governors release the corresponding collateral. Verifiable burning is when burned eUSD is sent to a "burn address" that renders it "visible" for transparency purposes, "but unspendable." However, everyday users won't typically engage in burning and minting. An individual seeking eUSD would simply purchase it on an exchange. Approved liquidity providers (LPs) would be the ones minting large amounts of eUSD. To our knowledge, no project has created a native stablecoin with privacy properties, which is a first-class citizen in the ecosystem, and which never requires the use of 'non-private' transaction technologies to use normally. In short, no one has yet actually created a private digital dollar," MobileCoin stated in the eUSD white paper.

Holtzman said that eUSD uses a "reserve-auditor" program that "connects to the Safe wallet via an application programming interface (API) and verifies that each newly minted eUSD has a corresponding amount of collateral in the wallet." Holtzman added: "We'll release it all open source. So if you want to run your own copy [of the reserve auditor], you can. You can examine it to make sure we really are backed exactly as we claim," Holtzman told CoinDesk.

Iran's government is trying to limit internet access, reports CNBC — while Iranians are trying a variety of technologies to bypass the blocks: Outages first started hitting Iran's telecommunications networks on September 19, according to data from internet monitoring companies Cloudflare and NetBlocks, and have been ongoing for the last two and a half weeks. Internet monitoring groups and digital rights activists say they're seeing "curfew-style" network disruptions every day, with access being throttled from around 4 p.m. local time until well into the night. Tehran blocked access to WhatsApp and Instagram, two of the last remaining uncensored social media services in Iran. Twitter, Facebook, YouTube and several other platforms have been banned for years.

As a result, Iranians have flocked to VPNs, services that encrypt and reroute their traffic to a remote server elsewhere in the world to conceal their online activity. This has allowed them to restore connections to restricted websites and apps. On September 22, a day after WhatsApp and Instagram were banned, demand for VPN services skyrocketed 2,164% compared to the 28 days prior, according to figures from Top10VPN, a VPN reviews and research site. By September 26, demand peaked at 3,082% above average, and it has continued to remain high since, at 1,991% above normal levels, Top10VPN said....

Mahsa Alimardani, a researcher at free speech campaign group Article 19, said a contact she's been communicating with in Iran showed his network failing to connect to Google, despite having installed a VPN. "This is new refined deep packet inspection technology that they've developed to make the network extremely unreliable," she said. Such technology allows internet service providers and governments to monitor and block data on a network. Authorities are being much more aggressive in seeking to thwart new VPN connections, she added....

VPNs aren't the only techniques citizens can use to circumvent internet censorship. Volunteers are setting up so-called Snowflake proxy servers, or "proxies," on their browsers to allow Iranians access to Tor — software that routes traffic through a "relay" network around the world to obfuscate their activity.

Great Firewall Report (GFW), an organization that monitors and reports on China's censorship efforts, has this week posted a pair of assessments indicating a crackdown on TLS encryption-based tools used to evade the Firewall. The Register reports: The group's latest post opens with the observation that starting on October 3, "more than 100 users reported that at least one of their TLS-based censorship circumvention servers had been blocked. The TLS-based circumvention protocols that are reportedly blocked include trojan, Xray, V2Ray TLS+Websocket, VLESS, and gRPC." Trojan is a tool that promises it can leap over the Great Firewall using TLS encryption. Xray, V2ray and VLESS are VPN-like internet tunneling and privacy tools. It's unclear what the reference to gRPC describes -- but it is probably a reference to using the gRPC Remote Procedure Call (RPC) framework to authenticate client connections to VPN servers.

GFW's analysis of this incident is that "blocking is done by blocking the specific port that the circumvention services listen on. When the user changes the blocked port to a non-blocked port and keep using the circumvention tools, the entire IP addresses may get blocked." Interestingly, domain names used with these tools are not added to the Great Firewall's DNS or SNI blacklists, and blocking seems to be automatic and dynamic. "Based on the information collected above, we suspect, without empirical measurement yet, that the blocking is possibly related to the TLS fingerprints of those circumvention tools," the organization asserts. An alternative circumvention tool, naiveproxy, appears not to be impacted by these changes. "It's not hard to guess why China might have chosen this moment to upgrade the Great Firewall: the 20th National Congress of the Chinese Communist Party kicks off next week," notes the Register. "The event is a five-yearly set piece at which Xi Jinping is set to be granted an unprecedented third five-year term as president of China."

An anonymous reader quotes a report from Ars Technica: Microsoft late Thursday confirmed the existence of two critical vulnerabilities in its Exchange application that have already compromised multiple servers and pose a serious risk to an estimated 220,000 more around the world. The currently unpatched security flaws have been under active exploit since early August, when Vietnam-based security firm GTSC discovered customer networks had been infected with malicious webshells and that the initial entry point was some sort of Exchange vulnerability. The mystery exploit looked almost identical to an Exchange zero-day from 2021 called ProxyShell, but the customers' servers had all been patched against the vulnerability, which is tracked as CVE-2021-34473. Eventually, the researchers discovered the unknown hackers were exploiting a new Exchange vulnerability.

Wednesday's GTSC post said the attackers are exploiting the zero-day to infect servers with webshells, a text interface that allows them to issue commands. These webshells contain simplified Chinese characters, leading the researchers to speculate the hackers are fluent in Chinese. Commands issued also bear the signature of the China Chopper, a webshell commonly used by Chinese-speaking threat actors, including several advanced persistent threat groups known to be backed by the People's Republic of China. GTSC went on to say that the malware the threat actors eventually install emulates Microsoft's Exchange Web Service. It also makes a connection to the IP address 137[.]184[.]67[.]33, which is hardcoded in the binary. Independent researcher Kevin Beaumont said the address hosts a fake website with only a single user with one minute of login time and has been active only since August. The malware then sends and receives data that's encrypted with an RC4 encryption key that's generated at runtime. Beaumont went on to say that the backdoor malware appears to be novel, meaning this is the first time it has been used in the wild. People running on-premises Exchange servers "should apply a blocking rule that prevents servers from accepting known attack patterns," reports Ars. The rule can be found in Microsoft's advisory.

"For the time being, Microsoft also recommends people block HTTP port 5985 and HTTPS port 5986, which attackers need to exploit CVE-2022-41082."

An anonymous reader quotes a report from Gizmodo: The NYPD says it wants to reimagine its current police communication system and transition to encrypted messages by 2024, according to a recent amNY report confirmed by Gizmodo. While law enforcement has spent years fighting to make encryption less accessible for everyday people, police think they need a little more privacy. Critics worry a turn towards encryption by law enforcement could reduce transparency, hamstring the news media, and potentially jeopardize the safety of protestors looking to stay a step ahead.

According to amNY, the NYPD's new plan would allow law enforcement officers discretion on whether or not to publicly disclose newsworthy incidents. That means the NYPD essentially would get to dictate the truth unchallenged in a number of potentially sensitive local stories. The report suggests police are floating the idea of letting members of the news media monitor certain radio transmissions through an NYPD-controlled mobile app. There's a catch though. According to the report, the app would send radio information with a delay. Users may also have to pay a subscription fee to use the service, the paper said.

The NYPD confirmed its planning a "systems upgrade" in the coming years in an email to Gizmodo. "The NYPD is undergoing a systems upgrade that is underway and that will be complete after 2024," a spokesperson for the Deputy Commissioner of Public Information said. "This infrastructure upgrade allows the NYPD to transmit in either an encrypted or non-encrypted format," the NYPD said. "Some parts of the city have had the necessary equipment installed and the Department will begin testing the technology in these areas later this year. We are currently evaluating encryption best practices and will communicate new policies and procedures as we roll out this upgraded technology." The spokesperson claimed the department intends to listen to and consider the needs of the news media during the transition process. "The entire public safety news coverage system depends on scanners, and if scanners and scanner traffic are no longer available to newsrooms then news reporting about crime, fire -- it's going to be very hit or miss," CaliforniansAware General Counsel Terry Francke told the Reporters Committee in a blog post.

"Cutting off the media from getting emergency transmissions represents the clearest regression of the NYPD policy of transparency in its history," New York Press Photographers Association President Bruce Cotler said in an interview with amNY. "We believe shutting down radio transmissions is a danger to the public and to the right of the public to know about important events."

Gizmodo notes that New York joins a growing list of cities considering encrypting radio communications. "Denver, Baltimore, Virginia Beach, Sioux City, Iowa, and Racine, Wisconsin have all moved to implement the technology in recent years."

The head of WhatsApp has warned UK ministers that moves to undermine encryption in a relaunched online safety bill would threaten the security of the government's own communications and embolden authoritarian regimes. From a report: In an interview with the Financial Times, Will Cathcart, who runs the Meta-owned messaging app, insisted that alternative techniques were available to protect children using WhatsApp, without having to abandon the underlying security technology that safeguards its more than 2bn users. The UK's bill, which the government argues will make the internet safer, has become a focus of global debate over whether companies such as Google, Meta and Twitter should be forced to proactively scan and remove harmful content on their networks.

Tech companies claim it is not technically possible for encrypted messaging apps to scan for material such as child pornography without undermining the security of the entire network, which prevents anyone -- including platform operators -- from reading users' messages. Cathcart said the UK's ultimate position on the issue would have a global impact. "If the UK decides that it is OK for a government to get rid of encryption, there are governments all around the world that will do exactly the same thing, where liberal democracy is not as strong, where there are different concerns that really implicate deep-seated human rights," he said, citing Hong Kong as a potential example.