maninthemiddleattack
Latest
Sennheiser's headphone software could allow attackers to intercept data
Sennheiser's HeadSetup and HeadSetup Pro software poses a cybersecurity risk, according to a vulnerability disclosure from Germany's Secorvo Security Consulting. The headphone-maker is now urging users to update to new versions of the software after researchers revealed it was installing a root certificate, along with an encrypted private key, into the Trusted Root CA Certificate store, which could enable man-in-the-middle (MITM) attacks.
New Lenovo PCs shipped with factory-installed adware
Buy a new Lenovo computer recently? Well, it looks like it could be infected with some factory-installed adware. Users on the official Lenovo forums started noticing that search results were being injected with sponsored links (like what happens when a machine is infected with typical adware or spyware) as far back as last September, and some even report that sites including Kelley Blue Book and JetBlue wouldn't render properly at all. This apparently isn't the only problem, however. As Facebook engineer Mike Shaver recently discovered, the program at fault, Superfish, appears to install a man-in-the-middle certificate that allows outside parties to take a peek at secure websites you might be visiting, too. Like your bank's, for example.
New web service prevents spies from easily intercepting your data
The encryption that protects your email and social updates is far from flawless -- it's relatively easy for spies to intercept your data using spoofs and hacked servers. If Greg Slepak has his way, though, there will soon be a safer way to send your info. His okTurtles project uses blockchains (the transaction databases you see in virtual currencies like Bitcoin) to let you communicate over the web without the risk of a man-in-the-middle attack. Rather than rely on website security certificates that could easily be compromised, it gives individual users public keys that unlock data within blockchains. There's no centralized authority, and you can even run one of the necessary servers yourself if you don't trust others. When complete, okTurtles will have a browser add-on that lets you use this authentication on virtually any site. You could talk to a fellow okTurtles user through Gmail without worrying that someone besides your recipient could easily read the message, for example.
Apple: No, we can't read your iMessages
Just yesterday, we reported on the claims of security firm QuarksLab that Apple could read iMessage communications, despite the company's statement to the contrary back in June when the NSA Prism program first came to light. Well, Apple has jumped right on those claims -- with a vengeance. The QuarksLab research explains how since Apple controls the encryption keys for iMessage, it could theoretically perform a "man-in-the-middle attack" and read or alter the communications between two people, either for nefarious purposes or for the government. Apple spokesperson Trudy Miller sent a statement to AllThingsD about the research, saying "iMessage is not architected to allow Apple to read messages. The research discussed theoretical vulnerabilities that would require Apple to re-engineer the iMessage system to exploit it, and Apple has no plans or intentions to do so." AllThingsD's John Paczkowski sums up his story about Apple's declaration with a good comment about the state of surveillance these days, saying "perhaps in today's world iMessage's encryption is only as good as your trust in Apple." With other companies being asked by the NSA to enable methods of intercepting messages, one security researcher told AllThingsD that "it would be naive to think that Apple wasn't at least approached by the government at some point."
Researchers challenge Apple's 'unbreakable' iMessages
Shortly after revelations about the NSA's data-snooping programs became public, Apple publicly stated that the end-to-end encryption used in iMessage was so good that it was impossible for anyone -- including Apple -- to break the code. Now security researchers are saying that it could be possible for someone inside Apple to intercept uncoded messages either for themselves or the government. The researchers spoke at the Hack in the Box conference in Kuala Lumpur, with iOS jailbreaker Cyril Cattiaux going so far as to call Apple's assertion that iMessage encryption is rock-solid "just basically lies." The team noted that there's no evidence that Apple or the NSA is actually reading iMessages, but say that it's possible. Apple uses public key cryptography to encrypt iMessages, and Cattiaux says that "Apple has full control over this public key directory." That means that a sender doesn't have the ability to see whether a key has changed, or if the key is actually under the control of the recipient. Another researcher noted that "they give the key and nobody can really know if it's a substitute or anything like that ... it's a matter of trust." Cryptography expert Moxie Marlinspike wasn't involved with the research, but noted that trusting another party to manage cryptography keys on your behalf is no more secure than trusting them with unencrypted text. As Paul Kocher of Cryptography Research put it in an email to Computerworld, "It isn't fair to criticize Apple too heavily since other services aren't better (and most are worse)."
