Hacker News: Skype Finally Adds End-to-End Encryption for Private Conversations

Good news for Skype users who are concerned about their privacy.

Microsoft is collaborating with popular encrypted communication company Signal to bring end-to-end encryption support to Skype messenger.

End-to-end encryption assures users that no one, not even the company or server that transmits the data, can decrypt their messages.

Signal Protocol is an open source cryptographic protocol that has become an industry-wide standard and is used in Apple iMessage, Facebook Messenger, WhatsApp, and Google Allo for secure messaging.

Dubbed Private Conversations, the new feature which is about to be introduced in Skype will offer end-to-end encryption for audio calls, text, and multimedia messages like videos and audio files.

“Skype Private Conversations give you enhanced security through end-to-end encryption with an additional layer of security for conversations between you and your friends and family,” the company announced.

“Private Conversations can only be between you and one other contact. This is not supported in groups.”

How to Start Skype End-to-End Encrypted Calls and Chats

Private Conversations is already available to the Skype Insider program, a platform that allows Skype users to test new features before they are rolled out to the rest of its more than 300 million users worldwide.

To initiate a new secure communication with your Skype contact, you need to tap or click on the (+) icon, select ‘New Private Conversation’ and then select the contact you would like to start the secure communication with.

A Private Conversation will have a lock icon next to your Skype contact’s name. Preview messages from Private Conversations will not appear in the chat list or notifications.

Unlike WhatsApp, the end-to-end encryption feature is not enabled by default in Skype, and users need to select ‘New Private Conversation’ from the app’s “Compose” menu, or from another user’s profile, to initiate a secure communication. It’s like Facebook Messenger’s Secret Conversations, which is also based on Signal.

Unfortunately, Private Conversations also doesn’t currently support video calling, but this is secured by the standard encryption that Microsoft already provides with its Skype service.

Also, even with Private Conversations enabled, Skype will still be able to access some information (metadata) about your secure communications, like when you initiate them and how long the conversation lasts.

Skype Insider users can test Private Conversations using Skype build version 8.13.76.8 for iOS, Android, Linux, Mac, and Windows Desktop.

Mohit Kumar - Hacking News
      
Entrepreneur, Hacker, Speaker, Founder and CEO — The Hacker News and The Hackers Conference.

Hacker News: New Intel AMT Security Issue Lets Hackers Gain Full Control of Laptops in 30 Seconds

It’s been a terrible start to the new year for Intel.

Researchers warn of a new attack which can be carried out in less than 30 seconds and potentially affects millions of laptops globally.

As Intel was rushing to roll out patches for Meltdown and Spectre vulnerabilities, security researchers have discovered a new critical security flaw in Intel hardware that could allow hackers to access corporate laptops remotely.

Finnish cyber security firm F-Secure reported unsafe and misleading default behaviour within Intel Active Management Technology (AMT) that could allow an attacker to bypass login processes and take complete control over a user’s device in less than 30 seconds.

AMT is a feature that comes with Intel-based chipsets to help IT administrators and managed service providers better control their device fleets, allowing them to remotely manage and repair PCs, workstations, and servers in their organisation.

The bug allows anyone with physical access to the affected laptop to bypass the need to enter login credentials—including user, BIOS and BitLocker passwords and TPM PIN codes—enabling remote administration for post-exploitation.

In general, setting a BIOS password prevents an unauthorised user from booting up the device or making changes to the boot-up process. But this is not the case here.

The password doesn’t prevent unauthorised access to the AMT BIOS extension, thus allowing attackers access to configure AMT and making remote exploitation possible.

Although researchers have discovered some severe AMT vulnerabilities in the past, the recently discovered issue is of particular concern because it:

  • is easy to exploit without a single line of code,
  • affects most Intel corporate laptops, and
  • could enable attackers to gain remote access to the affected system for later exploitation.

“The attack is almost deceptively simple to enact, but it has incredible destructive potential,” said F-Secure senior security researcher Harry Sintonen, who discovered the issue in July last year.

“In practice, it can give a local attacker complete control over an individual’s work laptop, despite even the most extensive security measures.”

According to the researchers, the newly discovered bug has nothing to do with the Spectre and Meltdown vulnerabilities recently found in the microchips used in almost all PCs, laptops, smartphones and tablets today.

Here’s How to Exploit this AMT Issue

To exploit this issue, all an attacker with physical access to a password (login and BIOS) protected machine needs to do is reboot or power-up the targeted PC and press CTRL-P during boot-up, as demonstrated by researchers at F-Secure in a video.

The attacker then can log into Intel Management Engine BIOS Extension (MEBx) with a default password.

Here, the default password for MEBx is “admin,” which most likely remains unchanged on most corporate laptops.

Once logged in, the attacker can then change the default password and enable remote access, and even set AMT’s user opt-in to “None.”

Now, since the attacker has backdoored the machine efficiently, he/she can access the system remotely by connecting to the same wireless or wired network as the victim.

Although exploiting the issue requires physical access, Sintonen explained that the speed with which it can be carried out makes it easily exploitable, adding that even one minute of distracting a target from their laptop is enough to do the damage.

“Attackers have identified and located a target they wish to exploit. They approach the target in a public place—an airport, a café or a hotel lobby—and engage in an ‘evil maid’ scenario,” Sintonen says.

Essentially, one attacker distracts the mark, while the other briefly gains access to his or her laptop. The attack doesn’t require a lot of time—the whole operation can take well under a minute to complete.

Along with the CERT Coordination Center in the United States, F-Secure has notified Intel and all relevant device manufacturers about the security issue and urged them to address it urgently.

Meanwhile, users and IT administrators in an organisation are advised to change the default AMT password of their devices to a strong one or disable AMT if this option is available, and never leave their laptop or PC unattended in a public place.

Swati - Hacking News
Technical Writer, Security Blogger and IT Analyst. She is a Technology Enthusiast with a keen eye on the Cyberspace and other tech related developments.

Hacker News: Meltdown and Spectre CPU Flaws Affect Intel, ARM, AMD Processors

Contrary to what initial reports suggested about Intel chips being vulnerable to some severe ‘memory leaking’ flaws, full technical details about the vulnerabilities have now emerged, revealing that almost every modern processor since 1995 is vulnerable to the issues.

Disclosed today by Google Project Zero, the vulnerabilities potentially impact all major CPUs, including those from AMD, ARM, and Intel—threatening almost all PCs, laptops, tablets, and smartphones, regardless of manufacturer or operating system.

These hardware vulnerabilities have been categorized into two attacks, named Meltdown (CVE-2017-5754) and Spectre (CVE-2017-5753 and CVE-2017-5715), which could allow attackers to steal sensitive data that is currently being processed on the computer.

Both attacks take advantage of a feature in chips known as “speculative execution,” a technique used by most modern CPUs to optimize performance.

“In order to improve performance, many CPUs may choose to speculatively execute instructions based on assumptions that are considered likely to be true. During speculative execution, the processor is verifying these assumptions; if they are valid, then the execution continues. If they are invalid, then the execution is unwound, and the correct execution path can be started based on the actual conditions,” Project Zero says.

Therefore, it is possible for such speculative execution to have “side effects which are not restored when the CPU state is unwound and can lead to information disclosure,” which can be accessed using side-channel attacks.

Meltdown Attack

The first issue, Meltdown (paper), allows attackers to read not only kernel memory but also the entire physical memory of the target machines, and therefore all secrets of other programs and the operating system.

“Meltdown is a related microarchitectural attack which exploits out-of-order execution in order to leak the target’s physical memory.”

Meltdown uses speculative execution to break the isolation between user applications and the operating system, allowing any application to access all system memory, including memory allocated for the kernel.

“Meltdown exploits a privilege escalation vulnerability specific to Intel processors, due to which speculatively executed instructions can bypass memory protection.”

Nearly all desktop, laptop, and cloud computers are affected by Meltdown.

Spectre Attack

The second problem, Spectre (paper), is not easy to patch and will haunt people for quite some time since this issue requires changes to processor architecture in order to fully mitigate.

The Spectre attack breaks the isolation between different applications, allowing the attacker-controlled program to trick error-free programs into leaking their secrets by forcing them into accessing arbitrary portions of its memory, which can then be read through a side channel.

Spectre attacks can be used to leak information from the kernel to user programs, as well as from virtualization hypervisors to guest systems.

“In addition to violating process isolation boundaries using native code, Spectre attacks can also be used to violate browser sandboxing, by mounting them via portable JavaScript code. We wrote a JavaScript program that successfully reads data from the address space of the browser process running it,” the paper explains.

“KAISER patch, which has been widely applied as a mitigation to the Meltdown attack, does not protect against Spectre.”

According to researchers, this vulnerability impacts almost every system, including desktops, laptops, cloud servers, as well as smartphones—powered by Intel, AMD, and ARM chips.

What You Should Do: Mitigations And Patches

Many vendors have security patches available for one or both of these attacks.

  • Windows — Microsoft has issued an out-of-band patch update for Windows 10, while other versions of Windows will be patched on the traditional Patch Tuesday on January 9, 2018.
  • macOS — Apple had already fixed most of these security holes in macOS High Sierra 10.13.2 last month, but macOS 10.13.3 will enhance or complete these mitigations.
  • Linux — Linux kernel developers have also released patches by implementing kernel page-table isolation (KPTI) to move the kernel into an entirely separate address space.
  • Android — Google has released security patches for Pixel/Nexus users as part of the Android January security patch update. Other users have to wait for their device manufacturers to release a compatible security update.
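
To confirm that the Linux patches above are actually active on a host, the following added example (not code from the article or from any vendor) reads the kernel's per-issue status files and maps them to the three CVEs named earlier. It assumes a patched kernel that exposes /sys/devices/system/cpu/vulnerabilities; the function names and the sample host are constructed for illustration.

```python
import tempfile
from pathlib import Path

# Assumption: patched Linux kernels expose one status file per issue in this directory.
SYSFS_DIR = Path("/sys/devices/system/cpu/vulnerabilities")
# sysfs file name -> CVE as named in the article
CVE_BY_FILE = {"meltdown": "CVE-2017-5754",
               "spectre_v1": "CVE-2017-5753",
               "spectre_v2": "CVE-2017-5715"}
# Prefix of the kernel's status string -> coarse state used in the report
STATES = (("Not affected", "not-affected"),
          ("Mitigation:", "mitigated"),
          ("Vulnerable", "vulnerable"))


def classify(text):
    """Map a kernel status string to a coarse state; anything else is 'unknown'."""
    text = text.strip()
    return next((state for prefix, state in STATES if text.startswith(prefix)), "unknown")


def audit(sysfs_dir=SYSFS_DIR):
    """Return {cve: (state, raw_text)} for the three issues."""
    report = {}
    for name, cve in CVE_BY_FILE.items():
        try:
            raw = (Path(sysfs_dir) / name).read_text().strip()
            report[cve] = (classify(raw), raw)
        except OSError:
            # No status file: the kernel predates the reporting interface.
            report[cve] = ("unknown", "no status file")
    return report


def needs_attention(report):
    """CVEs that are neither mitigated nor reported as not affecting this CPU."""
    return sorted(cve for cve, (state, _) in report.items()
                  if state not in ("mitigated", "not-affected"))


def constructed_sample():
    """Constructed sample host: KPTI active, Spectre variant 2 still unmitigated."""
    d = Path(tempfile.mkdtemp())
    (d / "meltdown").write_text("Mitigation: PTI\n")
    (d / "spectre_v1").write_text("Mitigation: __user pointer sanitization\n")
    (d / "spectre_v2").write_text("Vulnerable\n")
    return d


if __name__ == "__main__":
    src = SYSFS_DIR if SYSFS_DIR.is_dir() else constructed_sample()
    for cve, (state, raw) in sorted(audit(src).items()):
        print(f"{cve}  {state:12}  {raw}")
```

A host that reports "unknown" for all three is running a kernel without the status interface and should be treated as unpatched until its kernel version is checked.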

Mitigations for Chrome Users

Since this exploit can be executed through a website, Chrome users can turn on the Site Isolation feature on their devices to mitigate these flaws.

Here’s how to turn on Site Isolation on Windows, Mac, Linux, Chrome OS or Android:
  • Copy chrome://flags/#enable-site-per-process and paste it into the URL field at the top of your Chrome web browser, and then hit the Enter key.
  • Look for Strict Site Isolation, then click the box labeled Enable.
  • Once done, hit Relaunch Now to relaunch your Chrome browser.

There is no single fix for both the attacks since each requires protection independently.

Mohit Kumar - Hacking News
      