Showing posts with label NSA.

Wednesday, October 5, 2016

Here’s Why You Should Delete Your Yahoo Account Right Now


If your primary email account is Yahoo-based, people might judge you. These days, keeping and using a Yahoo account makes little sense, and a recent Reuters report makes it worse: it describes how far Yahoo went to scan its users' email on behalf of the U.S. government.

According to the report, Yahoo secretly built custom software to search all of its customers' incoming email for specific information supplied by U.S. intelligence officials, reportedly the NSA or the FBI. That makes Yahoo a serious privacy liability.

Reuters' Joseph Menn reports that the decision led to the departure of Yahoo's chief information security officer, Alex Stamos, who is now head of security at Facebook.

At the moment it is not known what information U.S. intelligence was looking for. The case is also the first to surface in which a U.S. internet company agreed to search all arriving messages in real time, rather than examining stored messages or scanning a small number of specific accounts.

The program was signed off by CEO Marissa Mayer and General Counsel Ron Bell, who chose not to involve Yahoo's own security team, known internally as the "Paranoids".

Yahoo's security team discovered the program in May 2015 and initially believed hackers had broken in. Worse, the scanner was badly written: according to Reuters' sources, a programming flaw in it could have allowed hackers to reach the stored emails it had access to.

Yahoo has issued the following statement and it sounds like a joke:
“Yahoo is a law-abiding company, and complies with the laws of the United States.”

Deleting a Yahoo account isn't difficult; a quick web search for the current procedure will turn it up.

This incident once again underlines the importance of end-to-end encryption: when only the sender and the recipient hold the keys, a provider cannot scan message content on anyone's behalf, whether or not it wants to. It should be standard and on by default in every email and messaging application. Note the limit, though: end-to-end encryption protects content, not metadata such as sender, recipient and timing, which the provider still sees.

We have asked Microsoft, Google, and Facebook to comment on their own policies in such situations. We'll update this story if we hear back.

Update:

In response to our query, Facebook told us that the company has never received a request like the "one described in these news reports from any government, and if we did we would fight it."

Similar remarks were made by Google. “We’ve never received such a request, but if we did, our response would be simple: ‘no way’,” Google told us in an email.


Source: Reuters

Tuesday, July 19, 2016

Cloudflare reCAPTCHA Exposes Tor User's Anonymity

Cloudflare's insistence that visitors arriving from Tor exit nodes solve reCAPTCHA puzzles before reaching any of the roughly 2 million web sites it 'protects' can be very useful for traffic analysis and for de-anonymising Tor users.

This is how:

The only non-public prerequisite for the de-anonymising party is the ability to monitor traffic between ISPs and Tor entry nodes, and traffic entering Cloudflare's servers; no decryption is required in either case. There are, of course, not 2 million Cloudflare servers; probably there are no more than a few hundred, so the second vantage point is small.

Each click on one of the puzzle images generates about 50 packets between the Tor user's computer and Cloudflare's server (roughly half requests, half real-time responses from the server). All of this happens in under a second, so whatever jitter the Tor circuit adds is immaterial. The packet group has predictable sizes and patterns, so all the adversary has to do is note the easily detectable signature of the "image click" event on the client side and correlate it with the same signature on the Cloudflare side. Again, no decryption is required.

There are likely many simultaneous users (thousands), but they do not solve puzzles at the same time, nor click on puzzle images at the same time. Simple math shows that disambiguating them is trivial. If some ambiguity is left, Cloudflare can conveniently serve a few more images to specific users (or even to random users, as long as different users get different numbers of 'correct' images within the same few seconds).

This obvious opportunity is not proof that it is being used, but the NSA would have to be utterly incompetent not to be exploiting it, and no one is that incompetent. Note that this is exactly the end-to-end correlation attack that Tor's design does not claim to resist: an adversary who can observe both ends of a circuit can link them by timing alone, and a CAPTCHA that forces distinctive, user-timed bursts only makes the timing signal easier to pick out.
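The correlation described above, as an added example that is not part of the original piece and not Cloudflare's or Tor's code: two vantage points are simulated with constructed packet records, an "image click" is detected as a burst of about 50 packets inside one second, and bursts on the client side are matched to bursts on the CDN side by their start times. The endpoint names, the per-circuit latencies, the 40-packet threshold and the 0.5 s tolerance are all assumptions.

```python
"""Toy timing-correlation of CAPTCHA click bursts seen at two vantage points.

Added example, not from the original post. Vantage A is assumed to sit between
the user's ISP and the Tor entry guard (records keyed by client address);
vantage B is assumed to sit in front of the CDN (records keyed by exit-side
stream). All packet records below are constructed; no decryption is involved.
"""
from collections import defaultdict


def make_burst(endpoint, start, n_packets=50, duration=0.8):
    """Constructed 'image click' signature: ~50 packets inside one second."""
    step = duration / n_packets
    return [(start + i * step, endpoint) for i in range(n_packets)]


def make_background(endpoint, start, n_packets=5, spacing=2.0):
    """Sparse keep-alive style traffic that must NOT look like a click."""
    return [(start + i * spacing, endpoint) for i in range(n_packets)]


# Hypothetical client addresses as seen near the entry guards (vantage A).
VANTAGE_A = (
    make_burst("client_1", 10.0) + make_burst("client_1", 12.5) + make_burst("client_1", 15.0)
    + make_burst("client_2", 11.0) + make_burst("client_2", 13.0)
    + make_burst("client_3", 20.0)
    + make_background("client_1", 0.0) + make_background("client_4", 0.0)
)

# The same clicks arriving at the CDN edge (vantage B), each delayed by a
# slightly different (assumed) Tor circuit latency and keyed by exit-side stream.
VANTAGE_B = (
    make_burst("stream_X", 10.15) + make_burst("stream_X", 12.65) + make_burst("stream_X", 15.15)
    + make_burst("stream_Y", 11.20) + make_burst("stream_Y", 13.20)
    + make_burst("stream_Z", 20.10)
    + make_background("stream_W", 5.0)
)


def find_bursts(packets, min_packets=40, window=1.0):
    """Return {endpoint: [burst_start_time, ...]} for every run of at least
    min_packets packets that fits inside `window` seconds. Packet sizes are
    ignored here; a real detector would also check the request/response pattern."""
    by_endpoint = defaultdict(list)
    for ts, ep in packets:
        by_endpoint[ep].append(ts)
    bursts = {}
    for ep, times in by_endpoint.items():
        times.sort()
        found, i = [], 0
        while i < len(times):
            j = i
            while j + 1 < len(times) and times[j + 1] - times[i] < window:
                j += 1
            if j - i + 1 >= min_packets:
                found.append(times[i])
                i = j + 1          # skip past this burst
            else:
                i += 1
        if found:
            bursts[ep] = found
    return bursts


def correlate(bursts_a, bursts_b, tolerance=0.5):
    """Match each side-A endpoint to the side-B endpoint whose burst start
    times line up (B no earlier than A, within `tolerance` seconds) for every
    one of A's bursts. Returns {a_endpoint: b_endpoint} for unambiguous
    matches only; a client with a single click may remain ambiguous, which is
    why the text notes that serving a few more images resolves it."""
    matches = {}
    for a_ep, a_times in bursts_a.items():
        candidates = []
        for b_ep, b_times in bursts_b.items():
            hits = sum(
                any(0 <= bt - at <= tolerance for bt in b_times) for at in a_times
            )
            if hits == len(a_times) and len(b_times) == len(a_times):
                candidates.append(b_ep)
        if len(candidates) == 1:
            matches[a_ep] = candidates[0]
    return matches


if __name__ == "__main__":
    a, b = find_bursts(VANTAGE_A), find_bursts(VANTAGE_B)
    print("client-side bursts:", a)
    print("CDN-side bursts:  ", b)
    print("linked:", correlate(a, b))
```

Run it with python3; the sparse keep-alive traffic of client_4 and stream_W never forms a burst and so never enters the matching step, while each clicking client is linked to exactly one CDN-side stream.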






Source: Cryptome

Monday, December 28, 2015

NSA HELPED GCHQ (BRITISH SPIES) FIND SECURITY HOLES IN JUNIPER FIREWALLS – SNOWDEN LEAK

British spies enlisted the help of the US National Security Agency (NSA) to learn how to hack firewalls made by the networking and security vendor Juniper, according to leaked documents.
Government Communications Headquarters (GCHQ), the UK's foremost electronic intelligence and surveillance agency, looked to its counterpart across the Atlantic for access to the firm's firewalls.
The revelations come as The Intercept released a six-page document from 2011, titled "Assessment of Intelligence Opportunity – Juniper", written by an NSA employee working with GCHQ. It shows that Britain's signals intelligence agency was at the time urgently looking for a partner across the Atlantic in order to get into Juniper's security products.
"The threat comes from Juniper's investment and emphasis on being a security leader," the document states.
According to the document, Juniper was not the market leader, but its products were of particular importance because they were used in countries such as Pakistan, India, China and Yemen, which were major targets of the American and British spy agencies.
The document is one of thousands of classified intelligence documents leaked by NSA contractor-turned-whistleblower Edward Snowden in 2013, revealing the extent of the spying carried out by the NSA and its British counterpart, GCHQ.
It warns that signals intelligence (SIGINT) agencies could be left unable to keep up with technological advances.
"If the SIGINT community falls behind, it might take years to regain a Juniper firewall or router access capability if Juniper continues to rapidly increase their security."
The revelations landed both Washington and London in hot water, as the two countries' spy agencies had collected phone and email data of millions of people around the world, including foreign leaders.
To avoid espionage charges, Snowden fled the United States and was granted asylum in Russia, where he currently resides. Many Americans consider Snowden a whistleblower and a national hero for blowing the lid off the US government's global surveillance operations.
Asked about the document, GCHQ said it does not comment on intelligence matters and complies with "a strict legal and policy framework."
Juniper told The Intercept in a statement that it "operates with the highest of ethical standards and is committed to maintaining the integrity, security, and quality of our products."

Thursday, December 3, 2015

Snowden Unveils NSA "God Mode" Malware That Lives On Your Motherboard And Can Not Be Traced

Snowden documents describe "GODSURGE" and "DEITYBOUNCE", NSA implants that persist below the operating system
The two are entries in the NSA's ANT catalog, published by Der Spiegel in December 2013 and dating from 2008, and both target Dell PowerEdge servers: DEITYBOUNCE is a BIOS implant that uses System Management Mode to regain execution every time the machine boots, and GODSURGE is persistence software that runs from a hardware implant attached to the motherboard's JTAG debugging interface.
The documents describe a capability that goes beyond root access, into the firmware and hardware of specific server models; the catalog does not support the claim that it covers "all computer systems everywhere".
The implant hooks into the boot process through a modified BIOS that is indistinguishable from normal operation from inside the running operating system. Finding it means dumping and examining the firmware itself, for example by comparing the flash contents against a known-good vendor image, rather than running any scan from within the OS.
With such an implant in place, operators can re-establish access after every boot and monitor the machine's activity; whatever is recorded while the machine is offline can be reported once it is back on a network.
It survives an operating system reinstall because it lives in the motherboard firmware rather than on disk, does not touch the OS installation at all, and is invisible to antivirus scanners that only inspect the running operating system.
When Ross Ulbricht was found among the stacks of the Glen Park public library in San Francisco, the 29-year-old Silk Road operator was believed to have covered his tracks perfectly, and speculation about how he was really caught continues.
One theory holds that an "anonymous" forum post asking for help with specialised messageboard code let investigators trace him; this is in fact the lead set out in the criminal complaint against him, which describes early "altoid" forum posts promoting Silk Road, one of which later gave an email address containing his name. The alternative theory advanced here, that self-propagating NSA code bouncing through "jump hosts", a kind of onion router of malware, reported what his computer was doing without being caught, has no public evidence behind it, and the ANT documents describe targeted persistence on specific server hardware, not self-replicating code.

Friday, November 27, 2015

NSA to shut down bulk phone surveillance program by Sunday



The National Security Agency will end its bulk metadata surveillance program this weekend, two and a half years after Edward Snowden's revelations. However, the NSA's replacement, a "reasonable compromise", is far from being celebrated by privacy advocates.
Signed into law this past June, the USA Freedom Act requires that by 11:59pm EST on November 28 the NSA cease its bulk collection of telephony metadata. The NSA is ready to move ahead with a different program, also ordered by the law, at the same time.
The NSA will no longer rely on Section 215 of the Patriot Act to collect all phone records. Instead, it will have to go to the telecommunications companies that hold the data. Unlike the general orders leaked by former NSA contractor Edward Snowden, such as the Foreign Intelligence Surveillance Court (FISC) order granting the NSA access to all Verizon customers' records, the new program only lets the NSA obtain records from the telecoms when a FISC order names a "specific selection term" limiting the data, and such orders limit collection of the metadata to six months.
The move has encouraged a wide variety of opinions to be voiced.
"The act struck a reasonable compromise which allows us to continue to protect the country while implementing various reforms," Ned Price, a spokesman of the National Security Council, an advisory group to the US President, told Reuters.
Meanwhile, Alex Abdo of the American Civil Liberties Union told the Baltimore Sun that “the ending of the phone records program may in the future seem to be more a symbolic victory, given it was the first major concession the intelligence agencies had to make.”
While privacy advocates described the change as only a single step with the prospect of more progress to come, lawmakers adopted a tone of finality.
"I think we have the balance right," Representative C. A. Dutch Ruppersberger (D-Maryland) told the Sun. Ruppersberger has called Snowden a traitor and was ranking member of House Permanent Select Committee on Intelligence when the leaks were published.
Marcy Wheeler, a national security blogger, disagreed strongly. Wheeler wrote that the USA Freedom Act expands on, rather than replaces, what the NSA interpreted Section 215 as authorizing. What’s more, a separate executive order is in place, she says, to run parallel to the bulk metadata collection.
“Right now, the Section 215 phone dragnet is not getting some cell records, probably not getting all VOIP, and probably not getting non-telephony messaging,” Wheeler wrote on the Empty Wheel blog, adding “just a tiny corner of the phone dragnet will shut down, and the government will continue to collect telephony metadata records in bulk … including records of both U.S. and non-U.S. persons’ under EO 12333,” in reference to an executive order issued in 1981 by President Ronald Reagan.
Although the bulk metadata collection is coming to an end, what’s already been collected will not be immediately destroyed, as an NSA request to keep the metadata until the end of February 2016 is under FISC consideration. The White House told Reuters the NSA still needs limited access to it, not for analytical purposes but “data integrity purposes,” while the reliability of the new focus-oriented program is monitored.
This month, a federal court found the soon-to-end program unconstitutional, ordering that the past data be destroyed. However, an appeals court stayed that ruling out of national security interests. Larry Klayman, founder of public interest groups Judicial Watch and Freedom Watch, has been in court with the NSA since 2013 over its mass surveillance, and he says his case depends on that data not being destroyed.
On Wednesday, the FISC fulfilled another part of the new surveillance law by appointing five advisers, amici curiae in legal-speak, to offer legal argument from a civil-liberties perspective when relevant to a warrant request. The panel consists of four lawyers and a law professor.

Saturday, October 17, 2015

How to Remain Secure Against the NSA Data Decryption Attack

Researchers Alex Halderman and Nadia Heninger have presented research arguing that the NSA exploits weaknesses in widely deployed cryptography rather than helping to secure the Internet. The NSA, they argue, can decrypt a large share of HTTPS, SSH, and VPN connections that use the Diffie-Hellman key exchange with 1024-bit primes: almost everyone uses the same handful of standard primes, and a single, very expensive precomputation against one such prime then lets individual key exchanges using it be broken cheaply. Halderman and Heninger were also part of the research group behind the Logjam attack, which took advantage of legacy export-grade cipher suites to force a connection down to 512-bit Diffie-Hellman parameters.
Major browsers such as Internet Explorer, Chrome, and Firefox have already removed support for 512-bit Diffie-Hellman; however, 1024-bit Diffie-Hellman is still supported despite being within reach of an adversary with the NSA's resources.
Here are some tips on how to protect yourself from the NSA data decryption attacks.

Web Browser

Always check the cipher suites your browser offers and make sure it uses the strongest ones it supports. There's an excellent tool, How's My SSL?, that will test your browser's cipher suite support. The relevant area of the page is at the bottom, "Given Cipher Suites". You want to make sure that you don't see the text "_DHE_" in the list of cipher suites; the elliptic-curve variant of Diffie-Hellman, represented by suites containing "_ECDHE_", is fine. There is a trade-off here: removing your client's support for "_DHE_" suites eliminates the risk of this attack, but on a site that offers only DHE and plain RSA key exchange the connection will fall back to RSA, which has no forward secrecy at all. Here's how to remove those "_DHE_" cipher suites if you still have them:

Firefox

(tested with 40.0.3)
Open a new tab, enter "about:config" into the location bar and hit the "Enter" key. If you get a warning page, click "I'll be careful, I promise!" This brings you to the Firefox configuration settings. In the search bar at the top, type ".dhe_" and hit the "Enter" key. This should show two settings: "security.ssl3.dhe_rsa_aes_128_sha" and "security.ssl3.dhe_rsa_aes_256_sha". Double-click both of them to change the value from "true" to "false".
Now, if you refresh the How's My SSL page, the "_DHE_" cipher suites should be gone.

Chrome

After applying the steps for your operating system below, refresh the How's My SSL page and the "_DHE_" cipher suites should be gone. The hex values in the blacklist are the suite identifiers from the TLS Cipher Suite Registry: 0x0033 and 0x0039 are DHE_RSA with AES-CBC, 0x009E is DHE_RSA with AES-128-GCM, and 0xcc15 is the pre-standard ChaCha20-Poly1305 DHE_RSA suite Chrome used at the time.

OSX

(tested with 46.0.2490.71, OSX 10.10.5)
Open "Automator", create a new application and double-click "Run Shell Script". Replace the default "cat" command with the following:
/Applications/Google\ Chrome.app/Contents/MacOS/Google\ Chrome --cipher-suite-blacklist=0x0033,0x0039,0x009E,0xcc15
Save the application to your Applications folder with whatever filename you like. In Finder, you can drag the application to your Dock and use it to launch Chrome without the vulnerable ciphers.

Windows

(tested with 46.0.2490.71, Windows 7)
Right-click the shortcut to your Chrome application, click "properties" and then add the following to the end of the "target": "--cipher-suite-blacklist=0x0033,0x0039,0x009E,0xcc15"
The target then should be similar to the following:
"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --cipher-suite-blacklist=0x0033,0x0039,0x009E,0xcc15
From now on, open Chrome from this shortcut.

Linux

(tested with 46.0.2490.13, Ubuntu 14.04 LTS)
Starting chrome from the command line with the following flag removes the undesired ciphers:
google-chrome --cipher-suite-blacklist=0x0033,0x0039,0x009E,0xcc15

SSH

An excellent guide for hardening your SSH configuration was released after revelations that the NSA can sometimes decrypt SSH connections. The guide is available here. The change that matters for this attack is to stop offering the diffie-hellman-group1-sha1 key exchange, whose fixed 1024-bit group (Oakley Group 2) is exactly the kind of widely shared prime the precomputation targets, and to prefer curve25519-sha256 or the larger fixed groups instead.

VPN

OpenVPN

Most VPN clients understand the ".ovpn" profile format used by OpenVPN, and many VPN providers distribute ".ovpn" files for connecting with OpenVPN. You can list the TLS cipher suites your OpenVPN client supports with the following command:
openvpn --show-tls
The list is in order of preference, strongest first. Recent versions of OpenVPN support "ECDHE" suites, but to connect, your VPN provider's server has to support the chosen suite as well. Suites with plain "DHE" can be vulnerable when the server uses a common 1024-bit group; OpenVPN servers, however, normally use a Diffie-Hellman parameter file that the operator generated with openssl dhparam, so the group is unique to that server and the precomputation, whose cost is paid per prime, does not carry over from one server to another. A 1024-bit group of the server's own is still only 1024 bits, so ask for at least 2048-bit parameters or ECDHE. Add a line with the strongest suites to your ".ovpn" file and test whether it still connects to your provider:
tls-cipher [cipher-1]:[cipher-2]:[cipher-3]
If it does not connect with strong suites, contact your VPN provider and ask them to update their servers to support the strongest suites available.
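A small audit helper that serves both the browser section above and the OpenVPN section. It is added here and is not part of the original guide, nor Chrome's, Firefox's or OpenVPN's own code: it classifies cipher suites by key exchange (flagging finite-field DHE, the case the precomputation attack targets), maps Chrome's blacklist IDs to their registry names, builds an ECDHE-only OpenVPN tls-cipher line from --show-tls output, and creates a Python ssl client context that refuses DHE while keeping ECDHE. The sample suite lists are constructed, and the OpenSSL cipher string is one hardening choice among several.

```python
"""Added example (not from the original guide): audit a cipher-suite list for
finite-field Diffie-Hellman suites and build a hardened client context.

Suite names in IANA form (TLS_DHE_RSA_WITH_...) are what How's My SSL shows;
OpenVPN's --show-tls prints the same names with dashes. The sample lists
below are constructed."""
import ssl

# Chrome's --cipher-suite-blacklist values from the text, mapped to the names
# the TLS Cipher Suite Registry gives them (0xCC15 is the pre-RFC draft
# ChaCha20-Poly1305 id that Chrome used at the time).
CHROME_BLACKLIST = {
    0x0033: "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    0x0039: "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
    0x009E: "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
    0xCC15: "TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
}


def key_exchange(suite):
    """Classify a suite by its key exchange: 'ECDHE' (fine), 'DHE'
    (finite-field, the precomputation-relevant case), 'RSA' (key transport,
    no forward secrecy) or 'other' (e.g. TLS 1.3 names carry no kex)."""
    s = suite.upper().replace("-", "_")
    if "_ECDHE_" in s:
        return "ECDHE"
    if "_DHE_" in s:
        return "DHE"
    if s.startswith("TLS_RSA_WITH_"):
        return "RSA"
    return "other"


def flag_dhe_suites(suites):
    """Return the suites a client should drop rather than trust 1024-bit groups."""
    return [s for s in suites if key_exchange(s) == "DHE"]


def openvpn_tls_cipher(show_tls_output):
    """Build an OpenVPN 'tls-cipher' line from `openvpn --show-tls` output,
    keeping ECDHE suites only, in the order the client listed them."""
    names = [ln.strip() for ln in show_tls_output.splitlines() if ln.strip().startswith("TLS-")]
    kept = [n for n in names if key_exchange(n) == "ECDHE"]
    return "tls-cipher " + ":".join(kept)


def hardened_client_context():
    """Python ssl client context that refuses finite-field DHE (OpenSSL's
    '!DHE' alias) while keeping ECDHE for forward secrecy. Assumed cipher
    string; adjust to what the servers you talk to actually offer."""
    ctx = ssl.create_default_context()
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!DHE:!aNULL:!MD5")
    return ctx


# Constructed sample of a browser's "Given Cipher Suites" list.
SAMPLE_BROWSER_SUITES = [
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
]

# Constructed sample of `openvpn --show-tls` output.
SAMPLE_SHOW_TLS = """\
Available TLS Ciphers, listed in order of preference:

TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384
TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256
TLS-DHE-RSA-WITH-AES-256-GCM-SHA384
TLS-DHE-RSA-WITH-AES-256-CBC-SHA
"""

if __name__ == "__main__":
    print("drop these:", flag_dhe_suites(SAMPLE_BROWSER_SUITES))
    print("chrome blacklist:", {hex(k): v for k, v in CHROME_BLACKLIST.items()})
    print(openvpn_tls_cipher(SAMPLE_SHOW_TLS))
    offered = [c["name"] for c in hardened_client_context().get_ciphers()]
    print("python client offers:", offered)
```

Paste your own "Given Cipher Suites" list into SAMPLE_BROWSER_SUITES, or the real --show-tls output into SAMPLE_SHOW_TLS, to get the list to disable and the tls-cipher line to try against your provider.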

Monday, October 12, 2015

Microsoft helped the NSA decrypt Outlook.com web chat, Hotmail, and Skype



Microsoft worked hand-in-hand with the United States government to let federal investigators bypass encryption mechanisms meant to protect the privacy of millions of users, according to documents Edward Snowden provided to The Guardian.

According to an article published on Thursday by the British newspaper, internal National Security Agency memos show that Microsoft actually helped the federal government find a way to decrypt messages sent over select platforms, including Outlook.com Web chat, Hotmail email service, and Skype.

The documents, which are reportedly marked top-secret, come in the wake of other high-profile disclosures attributed to Snowden since he first started collaborating with the paper for articles published beginning June 6. The United States government has since indicted Snowden under the Espionage Act, and he has requested asylum from no fewer than 20 foreign nations.

“The latest NSA revelations further expose the tensions between Silicon Valley and the Obama administration,” the journalists wrote. “All the major tech firms are lobbying the government to allow them to disclose more fully the extent and nature of their cooperation with the NSA to meet their customers' privacy concerns. Privately, tech executives are at pains to distance themselves from claims of collaboration and teamwork given by the NSA documents, and insist the process is driven by legal compulsion.”

In the case of Microsoft, however, it appears as if the Bill Gates-founded tech company went out of its way to assist federal investigators.