Tor has been the go-to for anonymous communication online for years now — and that has made it one of the juiciest possible targets for the likes of the NSA and FBI. A new anonymizing protocol from MIT may prove more resilient against such determined and deep-pocketed attackers.
The potential problem with Tor is that if an adversary gets enough nodes on the network, they can work together to track the progress of packets. They might not be able to tell exactly what is being sent, but they can put together a breadcrumb trail tying a user to traffic coming out of an exit node — at least, that’s the theory.
A team of researchers led by MIT grad student Albert Kwon (with help from EPFL) aims to leapfrog Tor’s anonymizing technique with a brand new platform called Riffle.
“Tor aims to provide the lowest latency possible, which opens it up to certain attacks,” wrote Kwon in an email to TechCrunch. “Riffle aims to provide as much traffic analysis resistance as possible.”
In addition to wrapping messages in multiple layers of encryption (the eponymous technique of Tor, “The Onion Router”), Riffle adds two extra measures meant to baffle would-be attackers.
First, servers switch up the order in which received messages are passed on to the next node, preventing anyone scrutinizing incoming and outgoing traffic from tracking packets using metadata.
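The layered encryption and per-server reordering described above can be seen in a simplified mix cascade. This is an added example, not Riffle's code or protocol: the fixed cell size, the toy SHA-256 keystream cipher and all function names are assumptions made for illustration.

```python
import hashlib
import secrets

CELL = 64  # assumed fixed cell size so message length leaks nothing

def _keystream(key, nonce, n):
    # Toy SHA-256 counter-mode keystream: illustration only, unauthenticated.
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def seal(key, data):
    nonce = secrets.token_bytes(16)
    return nonce + bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))

def peel(key, blob):
    nonce, body = blob[:16], blob[16:]
    return bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body))))

def wrap(server_keys, message):
    # Pad to CELL bytes, then encrypt for the last server first (innermost layer).
    if len(message) > CELL - 2:
        raise ValueError("message too long for one cell")
    blob = (len(message).to_bytes(2, "big") + message).ljust(CELL, b"\0")
    for key in reversed(server_keys):
        blob = seal(key, blob)
    return blob

def unpad(cell):
    n = int.from_bytes(cell[:2], "big")
    return cell[2:2 + n]

def mix_hop(key, batch):
    # One server: strip its layer from every message, then permute the batch.
    peeled = [peel(key, blob) for blob in batch]
    secrets.SystemRandom().shuffle(peeled)
    return peeled

def run_cascade(server_keys, messages):
    # Returns the batch as seen on the wire before each hop and after the last.
    trace = [[wrap(server_keys, m) for m in messages]]
    for key in server_keys:
        trace.append(mix_hop(key, trace[-1]))
    return trace

if __name__ == "__main__":
    keys = [secrets.token_bytes(32) for _ in range(3)]
    msgs = [b"constructed message %d" % i for i in range(5)]
    trace = run_cascade(keys, msgs)
    print(sorted(unpad(c) for c in trace[-1]) == sorted(msgs))
```

Because every blob at a given hop has the same length and is re-randomized when its layer is removed, an observer comparing a server's input and output sees no byte or size pattern linking the two; only the shuffle position would, and that is what each server hides.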
Like many forms of encryption in use today, HTTPS protections are on the brink of a collapse that could bring down the world as we know it. Hanging in the balance are most encrypted communications sent over the last several decades. On Thursday, Google unveiled an experiment designed to head off, or at least lessen, the catastrophe.
In the coming months, Google servers will add a new, experimental cryptographic algorithm to the more established elliptic curve algorithm it has been using for the past few years to help encrypt HTTPS communications. The algorithm—which goes by the wonky name "Ring Learning With Errors"—is a method of exchanging cryptographic keys that's currently considered one of the great new hopes in the age of quantum computing. Like other forms of public key encryption, it allows two parties who have never met to encrypt their communications, making it ideal for Internet usage.
Virtually all forms of public key encryption in use today are secured by math problems that are so hard that they take millennia for normal computers to solve. In a world with quantum computers, the same problems take seconds to solve. No one knows precisely when this potential doomsday scenario will occur. Forecasts call for anywhere from 20 to 100 years. But one thing is certain: once working quantum computers are a reality, they will be able to decrypt virtually all of today's HTTPS communications. Even more unnerving, eavesdroppers who have stashed away decades' worth of encrypted Internet traffic would suddenly have a way to decrypt all of it.
Symantec has warned customers that security flaws in the firm's systems outed by Google's Project Zero last month won't be fixed until mid-July.
Patches were rushed out to cover some of the "as bad as it gets" flaws identified by Project Zero, but patches to secure the fundamental architectural flaws are still some weeks away.
The cloud-based versions of Symantec's Endpoint Protection Small Business Edition will finally be updated this week, but users of the workstation versions will have to wait weeks.
Symantec has promised updates "by mid-July" and recommended that customers apply them as a matter of urgency, but in the meantime Symantec's systems remain vulnerable.
Project Zero publicized the flaws found in Symantec's Norton Antivirus products last week, after uncovering them in May and reporting them to Symantec.
Security experts have documented a disturbing spike in a particularly virulent family of Android malware, with more than 10 million handsets infected and more than 286,000 of them in the US.
Researchers from security firm Check Point Software said the malware installs more than 50,000 fraudulent apps each day, displays 20 million malicious advertisements, and generates more than $300,000 per month in revenue. The success is largely the result of the malware's ability to silently root a large percentage of the phones it infects by exploiting vulnerabilities that remain unfixed in older versions of Android. The Check Point researchers have dubbed the malware family "HummingBad," but researchers from mobile security company Lookout say HummingBad is in fact Shedun, a family of auto-rooting malware that came to light last November and had already infected a large number of devices.
For the past five months, Check Point researchers have quietly observed the China-based advertising company behind HummingBad in several ways, including by infiltrating the command and control servers it uses. The researchers say the malware uses the unusually tight control it gains over infected devices to create windfall profits and steadily increase its numbers. HummingBad does this by silently installing promoted apps on infected phones, defrauding legitimate mobile advertisers, and creating fraudulent statistics inside the official Google Play Store.
Facebook appears to have a major tax headache on its hands after the Internal Revenue Service sued the social network on Wednesday to force it to comply with summonses related to a 2010 asset transfer.
According to documents the IRS filed in San Francisco federal court, the agency suspects Facebook and its accounting firm, Ernst & Young, understated the value of intangible assets transferred to Ireland by billions of dollars.
The IRS says it is seeking an order to enforce six summonses that asked Facebook to appear at the agency’s offices in San Jose, Calif., and to produce papers and other records. According to IRS agent Nina Stone, Facebook failed to show up at the appointed date of June 17, nor did it provide the documents.
“Facebook complies with all applicable rules and regulations in the countries where we operate,” a spokesperson for the company told Fortune by email.
The dispute arose as a result of an ongoing audit of Facebook by the IRS that stretches back to 2010. In that year, the company chose to designate Facebook Ireland as the rights-holder for its worldwide business outside of the U.S. and Canada, and also to transfer intellectual property assets such as its platform and “marketing intangibles.”