Welcome to nsane.forums

Welcome to nsane.forums, like most online communities you need to register to view parts of our community or to make contributions, but don't worry: this is a free and simple process that requires minimal information. Be a part of nsane.forums by signing in or creating an account.

  • Access special members only forums
  • Start new topics and reply to others
  • Subscribe to topics and forums to get automatic updates

Search the Community

Showing results for tags 'encryption'.

More search options

  • Search By Tags

    Type tags separated by commas.
  • Search By Author

Content Type


  • Site Related
    • News & Updates
    • Site / Forum Feedback
    • Member Introduction
  • News
    • General News
    • FileSharing News
    • Mobile News
    • Software News
    • Security & Privacy News
    • Technology News
  • Downloads
    • nsane.down
  • General Discussions & Support
    • Filesharing Chat
    • Security & Privacy Center
    • Software Chat
    • Mobile Mania
    • Technology Talk
    • Entertainment Exchange
    • Guides & Tutorials
  • Off-Topic Chat
    • The Chat Bar
    • Jokes & Funny Stuff
    • Polling Station

Found 167 results

  1. Though Encryption is not a new topic, you might have heard it online, while doing purchases, etc. Whats App messages are protected with end-to-end encryption. Your credit card details, id& password, payment information are transferred over an encrypted network. You might have already read these things on various sites and services. So, every time you read about or heard of encryption, what was the first thing that came to your mind? Most of the people would think that encryption is complex, has something to do with security and only computer programmers or geeks can understand it. But it is not that complicated you might be thinking right now. I mean the encryption techniques you may find hard to understand but the basic essence of encryption and decryption is very simple. So, What is Encryption? In simple words, Encryption is the process of encoding a data in such a way that only intended or authorized recipient can decode it. Encryption does not secure the data but it makes your data un-readable to other parties. Which means, even if an unauthorized person or hacker is able to read the network he/she won’t be able to make any sense out of it without the correct decryption key. The science of encryption and decryption is called cryptography. Why is Encryption important? In today’s scenario, we perform a lot of data exchange online. When much of your personal information and financial transactions are processed via the Internet, no business or individual can afford to get their data stolen. Not only the financial data or business files, even the messages we exchanged with our friends, the photos/files shared with family or emails sent to our clients, we need encryption for all of these data. Cybercrime is already at its peak. Nothing is really safe. We witness cases of identity theft on daily basis. Keeping your personal data secure while using the system or at your end can be done. But when the same information is sent over the Internet, you want that information to be only viewed by the particular person and no one else. The data is first sent to the local network and then travels to Internet Service Provider. Finally, a person for whom the information was meant for, finally receives it. Meanwhile, there are numerous of people who can access your information that you are sending. That is the reason why encryption is important. Individuals use it to protect personal information, businesses use it to protect corporate secrets and government uses it to secure classified information. Basic Encryption Techniques For Network Security You Should Know About The strength of encryption is measured by its key size. No matter how strong encryption algorithm is being used, the encrypted data can be subjected to brute force attacks. There are some basic encryption techniques that are used by online services and websites that you should know about. 1. AES (Advanced Encryption Standard) Advanced Encryption Standard is a symmetric encryption technique. Symmetric encryption means it involves secret key that could be a number, word or a string of random letters which is known to both sender and receiver. This secret key is applied to messages in a particular way after which the data becomes encrypted. As long as the sender and recipient know the secret key, encryption and decryption can be performed. AES is extremely efficient in 128-bit form and it uses 192 and 256 bits for encryption purposes. In present day cryptography, AES is widely supported in hardware and software with a built-in flexibility of key length. The security with AES is assured if and only if it is implemented correctly with the employment of good key management. AES-256 bit is a very heavy and strong encryption. Most of the governments use it. 2. Blowfish Encryption Blowfish is symmetric cipher technique ideal for domestic and exportable purpose as this symmetric cipher splits messages into blocks of 64 bit each and then encrypts them individually. Blowfish encryption technique can be used as a drop-in replacement for DES. The technique takes variable length key varying from 32 bits to 448 bits. Blowfish is found in software categories ranging from e-commerce platform from security passwords to various password management tools. It is one the most flexible encryption methods available. 3. RSA Encryption The Rivest Shamir Adleman (RSA) encryption technique is one of the most popular and secure public key encryption methods. This public key encryption technique is also known as asymmetric cryptography that uses two keys, one public and one private. In RSA encryption technique, both public and private key can be used to encrypt the message. But for the decryption of the message, the opposite key that has been used for encryption will be used. Most of the times, the data is encrypted with public key and decrypte using the private key. RSA encryption method assures the confidentiality, authenticity, integrity and non-reputability of electronic communication and data storage. 4. Triple DES Encryption Triple DES encryption method is a more secure procedure of encryption as the encryption is done three times. Triple DES encryption technique takes three keys each of 64bit, so overall key length is 192bis. The data is encrypted with the first key, decrypted with the second key and then again encrypted with the third key. The procedure of decryption is somewhat same as the procedure included in encryption expect that it is executed in reverse. 5. Twofish Encryption Twofish is a symmetric block cipher method, in which single key is used for encryption and decryption. Twofish could be the best choice when among AES techniques as this encryption technique is unique in terms of speed, flexibility, and conservative design. Twofish is new encryption technique which is highly secure and flexible. This encryption technique works extremely well with large microprocessors, dedicated hardware, and 8-bit or 32-bit card processors. Also, twofish encryption technique can be used in network applications where keys tend to change frequently and in various applications with little or no ROM or RAM available. 6. DES Encryption Data Encryption Standard (DES) is symmetric block cipher which uses 56-bit key to encrypt and decrypt 64-bit block of data. The Same key is used to encrypt and decrypt the message, so both the sender and the receiver should know how to use the same private key. DES has been suspended by more secure and advanced AES encryption technique and triple DES encryption techniques. 7. IDEA Encryption International Data Encryption Algorithm (IDEA) is another block cipher encryption technique that uses 52 sub keys, each 16-bit long. This technique was used in pretty good privacy version 2. Conclusion Encryption is a standard method for making a communication private. The sender encrypts the message before sending it to another user. Only the intended recipient knows how to decrypt the message. Even if someone was eavesdropping over the communication would only know about the encrypted messages, but not how to decrypt the message successfully. Thus in order to ensure the privacy in electronic communication, various encryption techniques and methods are used. As with the growth of electronic commerce and Internet, the issue of privacy has forefront in electronic communication. In this era of internet, where every kind of data is transferred in digital format, it is important that we know how our data is transferred, saved and used. Everyone must know about these basic encryption techniques. You can share this information with your friends and family to make them aware of encryption techniques. Article source
  2. Dear Mailvelope users, We have a security notice for anyone who uses the encryption add-on Mailvelope with Firefox. We have had a current security audit of Mailvelope undertaken, in which a critical vulnerability was found in the interaction between Mailvelope and Firefox. Under certain circumstances, Firefox’s security architecture allows attackers to access users’ private keys via compromised add-ons. We therefore ask all users of Mailvelope in Firefox to carefully read our security recommendations found in this article, below. This also affects Mailvelope users with all other providers such as Gmail, Outlook.com, Yahoo!Mail, etc. Firefox’s architecture does not sufficiently compartmentalise add-ons from each other – this has been known for years. The fact that a Mailvelope user’s private keys could be compromised via targeted attacks in Firefox was not proven until now, however. The security engineers that we engaged from Cure53 have now proved this. In their investigative report, they conclude that Firefox does not currently constitute a suitable environment for Mailvelope. They write, “At the end of the day, the Cure53 testing team cannot in good conscience recommend the use of Mailvelope on Firefox.” Weakness expected to last until November 2017 We informed Thomas Oberndörfer, the developer of Mailvelope, after the security audit. He is unable to fix the weakness, however, as it has to do with Firefox’s architecture. New architecture is already being developed at Firefox. Mozilla is planning to conclude this work with the release of Firefox 57 in November 2017. Oberndörfer is also working on a version of Mailvelope for the new and improved Firefox architecture. We would like to thank him for his development work. Until Mozilla has updated the architecture, the following security recommendations apply: Option 1.) In the interim, switch to different software. Either use Mailvelope in a different browser, or use PGP with a local email program. You can find various instructions for these options in the Posteo help section. Option 2.) Alternatively, using an independent Firefox profile for Mailvelope minimises the risk in the interim. In the Posteo help section, we have published step-by-step instructions for the creation of Firefox profiles on Mac and on Windows. Mailvelope users with other providers can also follow these instructions. Please be sure to note the following security recommendations in order to effectively minimise the risk of a fruitful attack: Do not install any further add-ons in the newly-created browser profile Use the Firefox profile exclusively for your encrypted Mailvelope communication. Only access your provider’s webmail interface and never visit other websites using this profile. In addition, use a password for your PGP key that is as secure as possible Be careful not to accidentally install any add-ons via phishing, through which you could be attacked Due to the problems with the Firefox architecture, we additionally recommend: Restrict the use of add-ons in the Firefox browser to a minimum, until Mozilla has updated the architecture You can further protect yourself from potential attackers by setting up an additional user on your operating system for end-to-end encrypted communication Here are the recommendations from the Cure53 report once again, for transparency reasons: “Two paths can be recommended for the users who rely on Mailvelope for encryption and decryption of highly sensitive data. First, they could use Mailvelope on a browser profile that hosts only and exclusively Mailvelope with no other extensions. Secondly, they would need to rely on a different software solution, for instance Thunderbird with Enigmail.” “At present, any users working with Mailvelope on Firefox are encouraged to export their settings, delete the extension and migrate their setup to a Mailvelope installation running on Google Chrome. Alternatively, a separate browser profile running Mailvelope only could be used, with the caveat that one must not have any other extensions installed in order to minimize the risk of key material leakage.” Security engineers engaged by Posteo found the weakness In their daily activities, our customers use various devices, browsers and add-ons in their local environments. Our users’ communication security is very important to us – we therefore also continually have external standard components checked for weaknesses. Among others, we work together to this end with independent IT security experts at Cure53. They have now made a find with Mailvelope in Firefox. Dr Mario Heiderich from Cure53 explains, “the problem is currently located in the architecture. There is therefore no easy fix. Mozilla knows this, but also has to keep a difficult balance between radical changes and ones that are prudent but are often decisions that are slow to take effect. Things are going in the right direction, however, which is definitely something positive for more complex software.” Thomas Oberndörfer of Mailvelope states, “Mailvelope is naturally dependent on the security of the underlying browser. Weaknesses in Firefox’s add-on system have been known of for some time, so Mozilla’s improvement should be welcomed. Security audits such as the one undertaken by Posteo are important indicators for us to see how we can further improve Mailvelope.” Report to be published after weakness is overcome The weakness outlined above is expected to be overcome by Mozilla in November 2017. Out of consideration for security, we will therefore first publish the report at a later point. In it, the method of attack will be described in detail. The report is already available to Mailvelope and the BSI (German Federal Office for Information Security). The security audit has also yielded some positive results for Mailvelope, which we would like to outline here: There was a check made as to whether email providers for which Mailvelope is used could access a Mailvelope user’s private keys saved in the browser – this was not possible. All other attempts made by the security engineers to access private keys saved in Mailvelope, such as operating third party websites or man-in-the-middle attacks, were also unsuccessful. Weakness shows that open source increases security For security reasons, we exclusively support open source components with transparent code – such as the encryption plug-in Mailvelope. In our view, transparent code is essential for the security and democratic control of the internet: Independent experts can at any time identify weaknesses or backdoors via code analysis, as happened here. A provider or developer’s security claims do not need to be trusted. With the security audits that we commission, we want to contribute to further increasing the security of established open source components and genuine end-to-end encryption. Best regards, The Posteo Team Article source
  3. FileFriend: Hide Files, Folders Or Text In JPEG Images FileFriend is a free portable program for Microsoft Windows devices that enables you to hide files, folders or text in jpeg images. The file manipulation and encryption tool has more to offer than that, most notably options to split and join files on top of its encryption functionality. Computer users have quite a few options at their disposal when it comes to protecting files, folders or text from unauthorized access. One of the best options is to create an encrypted container, or encrypt a hard drive partition or even the entire hard drive. Programs like VeraCrypt, Microsoft's Bitlocker, or Drive Cryptor provide you with that functionality. Hide files, folders or text in JPEG images Sometimes however you may need something simpler. FileFriend may be such a solution. When it comes to the encryption functionality that it provides, all it offers are simple options to hide text, files or folders in jpeg images. Note: The program runs a check for updates on start. Simply run the program and select one of the three encryption options that it supports with a click on one of the tabs: Encrypt: use it to encrypt a file or folder using a password that you specify. JPK: hide a file or a directory inside a JPEG image. JTX: hide text inside a JPEG image. While this is super simple to execute, even for beginners or inexperienced computer users, you will notice that the program does not provide you with information on the encryption algorithm that it uses. The developer website does not offer anything in this regard as well. This is problematic, as you don't know how good the encryption algorithm really is. While you do get some extra security through obfuscation, you may prefer to use a tried and tested solution instead to protect your data from unauthorized access. FileFriend has two additional features. The first allows you to split large files into smaller parts, the second to join the files again. This works similarly to how archive software like 7-Zip or Bandizip handle this. Closing Words FileFriend can be a useful program, but one thing prevents me from recommending it. I'm not saying that FileFriend is a bad software program, only that I do not know enough about the encryption that it uses to determine whether it is a program that I can recommend, or not. Since I cannot do that right now, I suggest you use different programs. Now You: Which program do you use to encrypt files? Source
  4. As the internet continues to limp toward better security, sites have increasingly embraced HTTPS encryption. You’ve seen it around, including here on WIRED; it’s that little green padlock in the upper lefthand corner, and it keeps outside eyes from snooping on the details of your time online. Today, the biggest porn site on the planet announced that it’s joining those secured ranks. Pornhub’s locking it down, and that’s a bigger deal than you’d think. On April 4, both Pornhub and its sister site, YouPorn, will turn on HTTPS by default across the entirety of both sites. By doing so, they’ll make not just adult online entertainment more secure, but a sizable chunk of the internet itself. The Pornhub announcement comes at an auspicious time. Congress this week affirmed the power of cable providers to sell user data, while as of a few weeks ago more than half the web had officially embraced HTTPS. Encryption doesn’t solve your ISP woes altogether—they’ll still know that you were on Pornhub—but it does make it much harder to know what exactly you’re looking at while you’re there. “If you’re visiting sites that allow HTTPS, you don’t have to worry so much about what they’re doing to observe your traffic,” says Joseph Hall, chief technologist at the Center for Democracy and Technology, a digital rights group that has offered HTTPS assistance to the adult industry, but was not part of Pornhub or YouPorn’s switch. That’s especially important for porn sites, and not just for prudes. In countries and cultures where homosexuality is considered a crime, for instance, encryption can be critical. To get a sense of just how big this Pornhub news is, though, it helps to get a sense of Pornhub’s size. Traffic Hub It can be hard to keep porn sites straight, since so many of them sound like parodies to begin with, and mostly seem to follow the same basic rubric. Pornhub stands out, though, as not just the biggest adult site in the world, but one of the biggest sites over all. Just how much traffic flows through Pornhub on any given day? Try 75 million daily visitors. According to Alexa site rankings, that makes it the 38th largest website overall, sliding in one slot below Ebay. It’s bigger than WordPress. It’s bigger than Tumblr. It’s only a few spots down from Netflix. It’s a behemoth. YouPorn’s no slouch either; it cracks the Alexa top 300, and serves a billion (with a b) video views every month. In fact, that both Pornhub and YouPorn are predominantly video-based makes their HTTPS transition all the more consequential—and difficult. There are plenty of challenges to HTTPS implementation, but among the biggest is that it requires any content coming in from the outside—like third-party ads—to be HTTPS compliant. For a video-heavy site, there’s the added challenge of finding a content delivery network—the companies that own the servers that shuttle web pages and videos across the great wide internet——that’s willing to take on that volume of encrypted video. “Finding CDN providers to handle the massive amount of traffic, but also stream through HTTPS is never easy,” says Pornhub vice-president Corey Price. “There are few providers worldwide that can handle our levels of traffic, especially in HTTPS.” Price declined to give specific names, but says that Pornhub has managed to enlist three “large CDN partners” to handle the switchover. HTTPS comes with other inherent challenges as well, especially on a site of this size. Fortunately, Pornhub wasn’t starting from scratch. Its parent company, MindGeek, also owns a popular adult site called RedTube, which made the transition earlier this month. And Pornhub itself had already dabbled as well, offering HTTPS for its paid Pornhub Premium service late last year. “The biggest learning was finding ways to mitigate the site speed impacts of switching to HTTPS, as many of the techniques we used don’t have the same effect with HTTPS,” says Price. Encrypt It All On its own, Pornhub’s HTTPS embrace will secure a significant portion of the web literally overnight. It also has broader importance, though. First, it’s part of MindGeek’s commitment to rolling out HTTPS across all of its properties. That’s over 100 million unique visitors every single day that will eventually enjoy a secure connection. Facebook nets 200 million in a month. The only question is when, not if, that’s going to happen. “All properties are managed independently with different engineering teams,” says Price. “Each team always faces different challenges as each site is an entirely different codebase. Some features and changes can take a couple of hours to do on Pornhub, but take weeks on YouPorn, and vice-versa.” More significantly, it signals that encryption has become the norm on the web. Broad HTTPS adoption is great, but nothing beats concentrated implementation among the very biggest sites. “The reason that a lot of us are focused on the top 100 websites is because so much of web traffic is represented by those sites,” says Hall. “Right now we’re at 50 percent of all web browser connections on HTTPS. If we were to get the top 100, that would easily get to 80 or 90 percent.” That’s still a ways off. But on April 4, two sites will keep the internet that much safer from all kinds of prying eyes. By Brian Barret https://www.wired.com/2017/03/pornhub-https-encryption/
  5. European justice and home affairs ministers are putting their heads together to try to decide on a collective response to Internet companies’ use of strong encryption. And, ultimately, whether to push for legislation requiring backdoors in end-to-end encryption to afford the region’s law enforcement agencies access to user data on-demand. Last summer home affairs ministers from France and Germany called for a law to enable courts to demand Internet companies decrypt data on request. Their call was repeated earlier this week by UK Home Secretary, Amber Rudd, who said intelligence services must be able to access readable data from apps such as end-to-end encrypted WhatsApp, asserting: “There should be no place for terrorists to hide.” As is typically the case when politicians denounce technology companies’ use of encryption, Rudd was speaking in the wake of a terror attack. France and Germany have also suffered a series of terror attacks in recent years, upping the ante for ministers to be seen to be taking action to defuse more terrorist plots. Encryption technology has been the scapegoat of choice for Western politicians responding to terrorist attacks for multiple years now, despite governments also operating vast, dragnet digital surveillance programs. And having access to ever more traceries of metadata to link possible suspects to potential plots. (Arguably it’s the volume of data that security agencies are now systematically collecting that’s causing them problems in prioritizing which suspects to watch closely — hence calls by Rudd et al for access to content too.) Yesterday EU Justice Commissioner Vera Jourova also touched on the topic of encrypted apps, speaking during a press conference held following a meeting of the Justice and Home Affairs Council in Brussels. A Euractiv report of her comments suggests the EC has already made up its mind to put forward measures this summer — aimed at forcing what she described as a “swift, reliable response” from encrypted apps when asked to hand over decrypted data. Jourova also reportedly said she’s holding “very intensive” talks with big Internet companies about giving police access to encrypted data. However a Commission spokeswoman told TechCrunch that no decisions have been made about how to approach encryption at this stage, adding that discussions are not yet “very advanced”. “On encryption the discussions are still ongoing,” the spokeswoman told us. “And for now there’s no legislative plan.” She could not confirm whether WhatsApp is one of the companies Jourova is holding talks with. The Facebook-owned messaging giant has had its service blocked by courts in Brazil on several occasions, after the company was penalized for not providing decrypted chat logs pertaining to criminal investigations (the company has maintained it cannot provide the data to police as it does not have access to the data). Whether similar legal actions might be brought against it and other encrypted apps in Europe in future remains to be seen. We’ve reached out to WhatsApp for comment on the EC discussions and will update this story with any response. The Commission spokeswoman said a separate issue under discussion by the Council — so-called e-evidence; aka the process for prosecutors to request digital evidence across legal jurisdictions (such as a prosecutor in an EU country seeking to obtain data held on a server in California, for example) — is at a more advanced stage, and confirmed there will be legislative options and other measures proposed on that this June. But the question of whether EU lawmakers intend to push to require Internet companies such as WhatsApp to effectively backdoor their end-to-end encryption remains an open-ended one. Asked for more details of the ongoing talks between EU ministers on encryption, the spokeswoman confirmed there is agreement between them that the technology presents a challenge for law enforcement — though, again, she stressed there is no clarity on what measures they might push for in future. “Yesterday all the ministers agreed that this is an issue and that criminal justice in cyberspace is being challenged by this, but for now no one really came up with any concrete solution,” she said. “There’s a working group that’s organized by the Commission, bringing experts from all over Europe and from different [sectors], technology but also justice, to discuss it together. “We’re gathering evidence and information on this, and this will be discussed again in June.” The spokeswoman also noted there are further complications for having an EU-wide response on this issue, given Member States set their own laws where national security issues are concerned. Indeed, the UK has already legislated to be able to demand decryption on request and block use of e2e encryption in the Investigatory Powers Act, which passed into UK law last year — although some elements of the legislation have yet to be implemented, owing to a separate EU legal ruling regarding “generate and indiscriminate” data retention, which the law appears to breach. “Everyone agrees that if there is a crime, if the data is encrypted, it has to be handed in to the authorities in a readable way. But the issue is very, very complex in the sense that matters of national security are also Member State competence so there’s no competence at the EU level. So that’s also a point that’s complicating the discussions here,” the spokeswoman told us. “Also we have to find the right balance,” she added. “For which reasons would you access this data? And so there is still a lot of open questions. If someone wants to access it for bad reasons… how do you put safeguards for that? So it’s really all those open questions are out there.” The EU’s anti-terrorism coordinator, Gilles de Kerchove, previously discussed this notion of balance, telling Euractiv: “We need a very strong internet — we don’t want to create vulnerabilities”, but also emphasizing that security services, police, and law enforcement agencies must be able to “get access to the content, which is important for security reasons”. “The question is, can you open a backdoor for Europol only, or would that at the same time create a vulnerability and open a backdoor for the Russian mafia or third party state spies? This is part of the discussion but we are not there yet. There is internal work — it’s a tricky issue,” de Kerchove added. Elsewhere, the Commissions’ technology policy chief recently tweeted a confirmation he’s still against the idea of mandating backdoors and weakening encryption — although in his earlier comments, from November he also conceded the issue is not so black and white where the interests of law enforcement are concerned. Andrus Ansip (@Ansip_EU) The EC spokeswoman confirmed to us today that there is no timeframe at this point for when the Justice & Home Affairs working group will have reached a decision on how to proceed. Which means this is an opportune moment for the technology and security industry to get in touch with EU politicians to reiterate the point that weakening security for all Internet users is not a sensible nor proportionate response to national security concerns. The region has also recently legislated to beef up local data protection laws. So any push to perforate commercial security systems and put millions of app users’ data at risk of hacking would be a hugely contrarian move vs the incoming General Data Protection Regulation which will hike potential fines for data breaches to up to 4 per cent of a company’s global turnover. Source
  6. Developers shouldn't use JSON Web Tokens or JSON Web Encryption in their applications at all, lest their private keys get stolen A vulnerability in a JSON-based web encryption protocol could allow attackers to retrieve private keys. Cryptography experts have advised against developers using JSON Web Encryption (JWE) in their applications in the past, and this vulnerability illustrates those very dangers. Software libraries implementing the JWE, or RFC 7516, specification suffer from a classic Invalid Curve Attack, wrote Antonio Sanso, a senior software engineer at Adobe Research Switzerland and part of the Adobe Experience Manager security team. The JSON Web Token (JWT) is a JSON-based open standard defined in the OAuth specification family used for creating access tokens, and JWE is a set of signing and encryption methods for JWT. Developers using JWE with Key Agreement with Elliptic Curve Diffie-Hellman Ephemeral Static (ECDH-ES) are affected. A quick primer in elliptic curve cryptography is in order to understand the Invalid Curve Attack. ECC is a way to calculate public-private key pairs based on the algebraic structure of elliptic curves over a finite data set. The order of the elliptic curve is big enough that it becomes difficult for an attacker to try to guess the private key. ECDH-E is a key exchange mechanism based on elliptic curves, and it's used by websites to provide perfect forward secrecy in SSL. The Invalid Curve Attack lets attackers take advantage of a mathematical mistake in the curve's formula to find a smaller curve. Because the order of the smaller elliptic curve is more manageable, attackers can build malicious JWEs to extract the value of the secret key and perform the operation multiple times to collect more information about the key. The Invalid Curve Attack was first published 17 years ago, and it was described in a 2014 talk on elliptic curve cryptography at Chaos Communication Congress in Hamburg by Tanja Lange, a professor of cryptology at the Netherlands' Eindhoven University of Technology and Daniel J Bernstein, a mathematician and research professor at the University of Illinois at Chicago. The problems have been in the open for a long time, but Sanso found that several well-known libraries using RFC 7516 were vulnerable to the attack. Developers who rely on libraries go-jose, node-jose, jose2go, Nimbus JOSE+JWT, or jose4 with ECDH-ES should update their existing applications to work with the latest version and make sure they are using the latest version for all new code. The updated version numbers are the following: node-jose v0.9.3, jose2go v1.3, jose4 v0.5.5 and later, Nimbus JOSE+JWT v4.34.2, and go-jose. "At the end of the day the issue here is that the specification and consequently all the libraries I checked missed validating that the received public key (contained in the JWE Protected Header) is on the curve," Sanso wrote. The exposed vulnerability was due to a gap in the RFC 7516 specification, and as most implementers would follow the specification directly, they unintentionally introduced the vulnerability into their libraries, said Matias Woloski, CTO and Co-Founder of Auth0, a universal identity platform. "It's a rare case where the flaw was in the specifications design and not the implementation," Woloski said. The default Java SUN JCA provider, which comes with Java prior to version 1.8.0_51, is also affected, but later Java versions and the BouncyCastle JCA provider are not. It appears that the latest version of Node.js is immune to this attack, but Sanso warned it was still possible to be vulnerable when using browsers without support for web cryptography. As part of his research, Sanso set up an attacker application on Heroku. When users clicks on the "recovery key" button on the app, they'll be able to see how the attacker recovers the secret key from the server. The code for demonstration and proof-of-concept are available on GitHub. Luckily, the impact may be limited, as JWE with ECDH-ES is not widely used. Developers who decide to go with JWT are trying to avoid having to use server-side storage for sessions, but they wind up turning to wacky workarounds instead of careful engineering, said Sven Slootweg Cryto Coding Collective. With JWE, developers are forced to make decisions on which key encryption and message encryption options to adopt -- a decision that shouldn't be left up to noncryptographers. "Don't use JWT for sessions," said Slootweg. "The JWE standard is a minefield that noncryptographers shouldn't be forced to navigate." Instead, developers should stick with sessions, using cookies delivered securely over HTTPS. The library libsodium also offers developers a tried and tested method of using signatures via crypto_sign() and crypto_sign_open(), or encryption via the crypto_secretbox() and crypto_box() APIs. Library developers and engineers working with security-focused libraries need to make sure they stay up to date with the latest developments, so they can be ready to patch the issues. "The specification designers (often from industry) should be more proactive in engaging the research community to evaluate the security of specifications in a proactive (pre-standardization) instead of reactive way," Woloski said. More cryptographers need to review software libraries that developers use to make sure the algorithms are implemented correctly. All too often, the people working on the specifications have little to no contact with researchers. The issue was reported to the JavaScript Object Signing and Encryption working group's mailing list. This advisory also highlights why specifications should never be considered a static document: They must be revisited and updated periodically to reflect any detail that was initially overlooked or changed based on available new information. "We all seem to agree that an errata [on the specification] where the problem is listed is at least welcomed," Sanso wrote. Source
  7. Firefox warns users about unencrypted pages We suppose it was only a matter of time before someone had a complaint about the notifications browsers display when a website accepts logins over unencrypted HTTP pages. In fact, Mozilla has received a complaint about this very "issue." Folks over at Ars Technica spotted the complaint over on Mozilla's Bugzilla bug-reporting service. "Your notice of insecure password and/or log-on automatically appearing on the log-in for my website, Oil and Gas International, is not wanted and was put there without our permission. Please remove it immediately. we have our own security system, and it has never been breached in more than 15 years. Your notice is causing concern by our subscribers and is detrimental to our business," the message signed by dgeorge reads. Of course, they seem to be late to the party since this type of warnings have been showing for a few months now and became standard earlier this year for both Firefox and Chrome. The benefits of HTTPS Thankfully, someone from Mozilla came forward and cleared things up for dear ol' dgeorge telling him that when a site requests a user's password over HTTP, the transmission is done in the clear. "As such, anybody listening on the network would be able to record those passwords. This puts not just users at risk when using your site, but also puts them at risk on any other website that they might share a password with yours," they explain. In the end, it's been proven time and time again, that providing email and passwords over HTTP is no longer safe. For years now, there's been a push for HTTPS and web admins have been given plenty of time to make the change, both for their sake and their users' sake. Now, Chrome will display a "Not Secure" notification next to the address bar, while Firefox takes things a step further, displaying below the user name and password fields "this connection is not secure. Logins entered here could be compromised." Source
  8. Five Issues That Will Determine The Future Of Internet Health In January, we published our first Internet Health Report on the current state and future of the Internet. In the report, we broke down the concept of Internet health into five issues. Today, we are publishing issue briefs about each of them: online privacy and security, decentralization, openness, web literacy and digital inclusion. These issues are the building blocks to a healthy and vibrant Internet. We hope they will be a guide and resource to you. We live in a complex, fast moving, political environment. As policies and laws around the world change, we all need to help protect our shared global resource, the Internet. Internet health shouldn’t be a partisan issue, but rather, a cause we can all get behind. And our choices and actions will affect the future health of the Internet, for better or for worse. We work on many other policies and projects to advance our mission, but we believe that these issue briefs help explain our views and actions in the context of Internet health: 1. Online Privacy & Security: Security and privacy on the Internet are fundamental and must not be treated as optional. In our brief, we highlight the following subtopics: Meaningful user control – People care about privacy. But effective understanding and control are often difficult, or even impossible, in practice. Data collection and use – The tech industry, too often, reflects a culture of ‘collect and hoard all the data’. To preserve trust online, we need to see a change. Government surveillance – Public distrust of government is high because of broad surveillance practices. We need more transparency, accountability and oversight. Cybersecurity – Cybersecurity is user security. It’s about our Internet, our data, and our lives online. Making it a reality requires a shared sense of responsibility. Protecting your privacy and security doesn’t mean you have something to hide. It means you have the ability to choose who knows where you go and what you do. 2. Openness: A healthy Internet is open, so that together, we can innovate. To make that a reality, we focus on these three areas: Open source – Being open can be hard. It exposes every wrinkle and detail to public scrutiny. But it also offers tremendous advantages. Copyright – Offline copyright law built for an analog world doesn’t fit the current digital and mobile reality. Patents – In technology, overbroad and vague patents create fear, uncertainty and doubt for innovators. Copyright and patent laws should better foster collaboration and economic opportunity. Open source, open standards, and pro-innovation policies must continue to be at the heart of the Internet. 3. Decentralization: There shouldn’t be online monopolies or oligopolies; a decentralized Internet is a healthy Internet. To accomplish that goal, we are focusing on the following policy areas. Net neutrality – Network operators must not be allowed to block or skew connectivity or the choices of Internet users. Interoperability – If short-term economic gains limit long-term industry innovation, then the entire technology industry and economy will suffer the consequences. Competition and choice – We need the Internet to be an engine for competition and user choice, not an enabler of gatekeepers. Local contribution – Local relevance is about more than just language; it’s also tailored to the cultural context and the local community. When there are just a few organizations and governments who control the majority of online content, the vital flow of ideas and knowledge is blocked. We will continue to look for public policy levers to advance our vision of a decentralized Internet. 4. Digital Inclusion: People, regardless of race, income, nationality, or gender, should have unfettered access to the Internet. To help promote an open and inclusive Internet, we are focusing on these issues: Advancing universal access to the whole Internet – Everyone should have access to the full diversity of the open Internet. Advancing diversity online – Access to and use of the Internet are far from evenly distributed. This represents a connectivity problem and a diversity problem. Advancing respect online – We must focus on changing and building systems that rely on both technology and humans, to increase and protect diverse voices on the Internet. Numerous and diverse obstacles stand in the way of digital inclusion, and they won’t be overcome by default. Our aim is to collaborate with, create space for, and elevate everyone’s contributions. 5. Web Literacy: Everyone should have the skills to read, write and participate in the digital world. To help people around the globe participate in the digital world, we are focusing on these areas: Moving beyond coding – Universal web literacy doesn’t mean everyone needs to learn to code; other kinds of technical awareness and empowerment can be very meaningful. Integrating web literacy into education – Incorporating web literacy into education requires examining the opportunities and challenges faced by both educators and youth. Cultivating digital citizenship – Everyday Internet users should be able to shape their own Internet experience, through the choices that they make online and through the policies and organizations they choose to support. Web literacy should be foundational in education, like reading and math. Empowering people to shape the web enables people to shape society itself. We want people to go beyond consuming and contribute to the future of the Internet. Promoting, protecting, and preserving a healthy Internet is challenging, and takes a broad movement working on many different fronts. We hope that you will read these and take action alongside us, because in doing so you will be protecting the integrity of the Internet. For our part, we commit to advancing our mission and continuing our fight for a vibrant and healthy Internet. Source
  9. In a research paper published at the end of February, a team of five scientists from the Graz University of Technology has described a novel method of leaking data from SGX enclaves, a secure environment created by Intel CPUs for storing sensitive information for each process, such as encryption keys, passwords, and other. Starting with the Skylake line, Intel introduced a new hardware extension called SGX (Software Guard Extensions) that isolates the CPU memory at the hardware level, creating safe spaces where applications can store information that only they can write or read. Attack targets Intel SGX enclaves These isolated memory fields are called enclaves and are used by both regular computers and by cloud servers. On regular PCs, enclaves store sensitive information from each process, separating the data from the operating system's reach. On cloud servers, where multiple customers share the same machine, enclaves are crucial elements used by hypervisors, the software that creates and runs the different virtual machines for each customer. Because of this memory separation and because the data stored in enclaves is also encrypted to safeguard from hardware-level attackers, right after its introduction, Intel has recommended that software developers store encryption keys in SGX enclaves, as there's no safer place to store such information. Researchers create enclave malware In their research paper, the team of Austrian experts says they've created the very first malware that can be stored in Intel SGX enclaves. In their experiments, researchers demonstrated how this "super malware" can attack its host and leak data from enclaves located on the same machine via simple cache attacks. "Our proof-of-concept malware is able to recover RSA keys by monitoring cache access patterns of an RSA signature process in a semi-synchronous attack," researchers said. "In a semi-synchronous attack, we extract 96% of an RSA private key from a single trace," they said. "We extract the full RSA private key in an automated attack from 11 traces within 5 minutes." Malware uses enclaves to remain invisible As a paradox, the attack and the malware are completely invisible to the host, due to the effectiveness of the SGX enclave isolation, Security software won't detect any of its malicious actions, as it cannot access the enclave of another process. "Even the most advanced detection mechanisms using performance counters cannot detect our malware," researchers bragged. "Intel intentionally does not include SGX activity in the performance counters for security reasons. However, this unavoidably provides attackers with the ability to hide attacks as it eliminates the only known technique to detect cache side-channel attacks." More details on the attacks and proposed countermeasures are available in the research paper titled "Malware Guard Extension: Using SGX to Conceal Cache Attacks." Back in December 2016, researchers have highlighted that AMD's new line of Zen processors may have "theoretical" flaws. Article source
  10. Google last week released its E2EMail encryption code to open source as a way of pushing development of the technology. "Google has been criticized over the amount of time and seeming lack of progress it has made in E2EMail encryption, so open sourcing the code could help the project proceed more quickly," said Charles King, principal analyst at Pund-IT. That will not stop critics, as reactions to the decision have shown, he told LinuxInsider. However, it should enable the company to focus its attention and resources on issues it believes are more pressing, King added. Google started the E2EMail project more than a year ago, as a way to give users a Chrome app that would allow the simple exchange of private emails. The project integrates OpenPGP into Gmail via a Chrome extension. It brings improved usability and keeps all cleartext of the message body exclusively on the client. E2EMail is built on a proven, open source Javascript crypto library developed at Google, noted KB Sriram, Eduardo Vela Nava and Stephan Somogyi, members of Google's Security and Privacy Engineering team, in an online post. E2EMail Unwrapped The early versions of E2EMail are text-only and support only PGP/MIME messages. It now uses its own keyserver. The encryption application eventually will rely on Google's recent Key Transparency initiative for cryptographic key lookups. Google earlier this year released the project to open source with the aim of simplifying public key lookups at Internet scale. The Key Transparency effort addresses a usability challenge hampering mainstream adoption of OpenPGP. During installation, E2EMail generates an OpenPGP key and uploads the public key to the keyserver. The private key is always stored on the local machine. E2EMail uses a bare-bones central keyserver for testing. Google's Key Transparency announcement is crucial to its further evolution. Google Partially Benefits Secure messaging systems could benefit from open sourcing the system. Developers could use a directory when building apps to find public keys associated with an account along with a public audit log of any key changes. Encryption key discovery and distribution lie at the heart of the usability challenges that OpenPGP implementations have faced, suggested Sriram, Nava and Somogyi in their joint post. Key Transparency delivers a solid, scalable and practical solution. It replaces the problematic web-of-trust model traditionally used with PGP, they pointed out. "Google announced end-to-end email encryption almost three years ago, and no product or solution ever materialized," said Morey Haber, vice president of technology at BeyondTrust. "With this announcement, Google is making good on the promise of a Chrome extension that would seamlessly encrypt Gmail end-to-end," he told LinuxInsider. Since Google decided to open source the project, the technology will not remain proprietary for Chrome and Gmail, Haber added. Instead, Google no longer is working on this project, and the community will own the work and any potential derivatives. "This could be viewed as coming clean on a 3-year-old promise, or the release of a market perceived vaporware project. In either case, the techniques being used might spur some other innovation for similar messaging-type solutions," added Haber. Last Ditch Effort Google's decision to drop E2EMail and release it to open source might be the company's way of saving face, suggested Rob Enderle, principal analyst at the Enderle Group. The best-case scenario is that sharing the project might inspire other developers and possibly improve security in general, he told LinuxInsider. "I think, like a lot of Google projects, Google lost interest in this one," Enderle continued, "and putting into open source is a way of at least allowing others to benefit from the effort. It is better than just shuttering the effort and archiving the work in a private repository." The impact of Google's decision to open source the project is difficult to assess, noted King. "Google has admitted that the issues surrounding end-to-end email encryption are far more complex that it originally assumed, so the code it has released is far from fully baked, he said. That makes its actual value hard to determine, King added, but bringing additional eyes and energy to the effort could help it progress more quickly. Solutions Still Needed About half of the email that traverses the Internet does so unencrypted, although that may not be the case for messaging and social media apps, suggested BeyondTrust's Haber. "Basic implementations of technology like this can be used to secure everything from banking statements to password resets," he said. Although Google's project never materialized into a product, the ideas and methodologies are good examples to learn from. "It will help educate people on techniques and potentially failed projects related to end-to-end encryption," Haber said, "but in the end, there are big problems to solve with key management and SHA1 collisions that researchers and security engineers should be focusing on." Article source
  11. A new report starts to quantify the effect that popular encryption products have on law enforcement. Encrypted smartphones and messaging apps that prevent even the companies that make them from decrypting their data are unreasonably hindering criminal investigations, and the situation is worsening, say law enforcement officials. A new report from the Center for Strategic and International Studies, a prominent bipartisan policy think tank, helps quantify the scale and complexity of the issue. Apple helped catalyze a surge in popularity of devices with strong encryption when it redesigned iOS in 2014 so that it is impossible even for the company itself to break. That led to last year’s showdown with the FBI, and has helped to reignite the decades-old policy debate over encryption. Meanwhile, the popularity of encrypted messaging apps, including foreign products, is also growing rapidly, further complicating the issue for policymakers. According to the report, some 13 percent of all mobile devices around the world now run iOS, and 95 percent of those run a version that Apple cannot access. In the U.S., 47 percent of all mobile devices work this way. During a recent discussion marking the release of the new report, the FBI’s general counsel, James A. Baker, said that between October and December 2016, the FBI was unable to access the data on 1,245 of the 2,870 devices it seized. The authors of the new report estimate that 1.5 billion people in the world use messaging apps, including Apple’s iMessage and WhatsApp, with end-to-end encryption, which prevents third parties, including service providers, from being able to read messages. About 18 percent of the world’s total communications traffic is now inaccessible to law enforcement, they say. Because the marketplace for encryption is global, a national law that restricts it or gives the government special access to encrypted data will not eliminate the obstacles the technology raises for law enforcement. People will simply switch to foreign products like Line and Viber, popular messaging apps made in Japan and Cyprus, respectively. People could also develop their own apps; the code that implements end-to-end encryption in WhatsApp, Facebook Messenger, and Signal is open source. < Here >
  12. Cerber Ransomware Switches To .CERBER3 Extension For Encrypted Files A new version of the Cerber Ransomware has been discovered by AVG security researcher Jakub Kroustek that switches from the .CERBER2 extension to .CERBER3 for encrypted files. When I tested this new sample, there was some minor outward differences between this version and the previous version. The most notable difference is that this new version will now append the .CERBER3 extension to encrypted files. This is shown in the sample pictures folder shown below. Encrypted Files Another notable difference is that this version has changed the ransom note names to # HELP DECRYPT #.html, # HELP DECRYPT #.txt, and # HELP DECRYPT #.url. The previous Cerber version had also sent UDP packets to the range of IP addresses. This version appears to be using the range for statistical purposes. As this version is further analyzed, more information may become available. When this happens, I will be sure to update this article. Source
  13. Kryptel Standard 7.4.1 - Latest - Full Version Promo by Comss.ru Overview: Kryptel Standard offers reliable protection using encryption and ability to encrypt your files and folders with a single click. After this, your data will be part of an impregnable fortress. The app is easy to use to encrypt sensitive data, important files and documents. Kryptel Standard allows you to decrypt all or only some files at a time, and also includes a built-in browser that allows you to view the contents of the encrypted container. Kryptel Standard uses the latest encryption standard (NIST-Approved Advanced Encryption Standard - AES 256-bit), and also some additional ciphers for advanced users. You can even use Kryptel Standard to scan your hard disks in search for certain types of files to encrypt them when they are there. In addition, the application Kryptel Standard is so small that it can be run on a USB flash drive for protection on the go. More Info: Product Homepage, Edition Comparison Links: Offer: https://www.comss.info/page.php?al=Kryptel_Standard Shared Key: Note: Limited Period Offer. Current Status: Open. Terms: License should be activated by February 7, 2017 Lifetime license only for Kryptel Standard version 7.4.1[Specific Version] No upgrades to future versions No free support Personal use only Downloads: Kryptel Standard v7.4.1 - [Size: 17.56 MB]: https://www.kryptel.com/download/KryptelTrial.7.4.1.exe
  14. Avast Releases Three New Decryption Tools to Fight Ransomware There are now 14 anti-ransomware tools available from Avast “In the past year more than 200 new strains of ransomware were discovered, it’s growth of in-the-wild samples two-folded, but the good news is that hundreds of millions of Avast and AVG users were protected against this popular threat,” reads a blog post signed by Jakub Kroustek, reverse engineer and malware analyst at Avast. The three new decryption tools address three different ransomware strains – HiddenTear, Jigsaw and Stampado/Philadelphia. Some solutions for these particular strains are already available, coming from other security researchers. Avast decided, however, that it is always best to have multiple options. That’s because these three strains are particularly active and frequently encountered, especially in the past few months. Since the used encryption keys update often, so must the decryption tools. In the end, whether it’s Avast’s tools or those made by other security researchers that work against the ransomware, it’s all for the same purpose. “Last but not least, we were able to significantly speed-up the decryption time, more precisely the password brute-force process, so e.g. some of the HiddenTear variants will be decrypted within minutes instead of days. The best results are achieved when decrypting files directly from the infected machine,” Kroustek writes. Decrypting HiddenTear HiddenTear has been around for a while and the code is actually hosted on GitHub. Given the fact that it is so present, many hackers have gone and tweaked the code and starting using it. Encrypted files have a wide range of extensions: .locked, .34xxx, .bloccato, .BUGSECCCC, .Hollycrypt, .lock, .saeid, .unlockit, .razy, .mecpt, .monstro, .lok, .암호화됨, .8lock8, .fucked, .flyper, .kratos, .krypted, .CAZZO, .doomed. and more. After all the files are encrypted, a text file will appear on the user’s desktop. Decrypting Jigsaw Jigsaw was first spotted in the wild in March 2016, and many of its strains use the picture of the Jigsaw Killer from the same-name movie in the ransom screen. Files encrypted after the computer was infected with Jigsaw have Encrypted files will have one of the following extensions: .kkk, .btc, .gws, .J, .encrypted, .porno, .payransom, .pornoransom, .epic, .xyz, .versiegelt, .encrypted, .payb, .pays, .payms, .paymds, .paymts, .paymst, .payrms, .payrmts, .paymrts, .paybtcs, .fun, .hush. Keeping up with the movie script, the malware will delete a file per hour if you don’t pay up. Decrypting Stampado This particular ransomware has been around since August 2016, and it’s being sold on the dark web. Multiple versions have been circulating on the Internet, one of them is called Philadelphia. Most often than not, Stampado adds the .locked extension to the encrypted files. Stampado will delete a new file every 6 hours unless you pay the ransom. Check out Avast’s list of anti-ransomware tools and see if you can find one to help you out. Source
  15. Today the average volume of encrypted internet traffic finally surpassed the average volume of unencrypted traffic, according to Mozilla, the company behind the popular Firefox web browser. That means when you visit a website, you’re now more likely than not to see a little green lock right next to its address. That little lock indicates that the page you visited came to you via HTTPS, the web’s secure protocol, rather than plain old HTTP. Mozilla’s estimate represents a two-week running average, so the figure could still slide around over the next few days. But this milestone is a still a big deal. Read The Full Article Here
  16. Could the future of encryption be solved by rising cybersecurity star Shane Curran? Teenager Shane Curran from Ireland lands the BT Young Scientist and Technology award for his qCrypt unbreakable encryption technology Encryption is a hot topic at the moment. From rogue agents of governments trying to break it, to big tech companies like Google, Facebook and Apple all adopting it more widely, the ability to securely store your data will become one of the most important technology arms race in the decades to come. This is even more pertinent when you consider that quantum computing, which promises a huge leap forward in computing capabilities, is predicted to render all current encryption technologies null and void. So the news that a new system for storing data has been built — which its creator claims is impervious to the powers of quantum computers — is something to sit up and digest, especially when the creator is a 16-year-old secondary school student from Ireland. qCrypt is described by its mastermind Shane Curran as: "The quantum-secure, encrypted, data storage solution with multijurisdictional quorum sharding technology." Now that does not really mean anything to most people, so here is a somewhat less technical description. How unbreakable encryption works Curran's system splits up the data (sharding) you are looking to keep secure and stores it in numerous locations (multijurisdictional) which prevents the data from being reassembled even if a court demands it. To achieve this Curran created a new encryption key system which he claims is resistant to quantum computers. The idea for the project was hearing that Boston College was forced to release historical political interviews involving former IRA members. "[I thought] how could I apply technology to an existing problem out there, and the problem was keeping secrets secure for life," Curran told IBTimes UK. Under his system, the interviews would have remained secret forever — no matter who wanted access. Curran says the system, which took six months of research and five months to build, is as easy to use as any file transfer product but 40% faster. Despite the bold claims and his young age, Curran is confident that his technology will stand up to scrutiny. "From a theoretical perspective, it seems pretty solid," Curran stated. Where qCrypt could be used The general idea of what is known as post quantum cryptography has been discussed and debated in academic circles in the past few years, and there have been a lot of theoretical papers written about it. But to date there have been very few systems released with a practical implementation of this technology — making Curran's project all the more remarkable. Last year, the National Security Agency (NSA) published a memorandum on quantum computing warning that the introduction of this new technology threatens the security of public key cryptography. Last weekend Curran won the BT Young Scientist 2017 award in Dublin for his invention. John Dunnion, associate professor at University of College Dublin and one of the judges of the competition, said: "It addresses a number of shortfalls of current data encryption systems; in particular, the algorithm used in the system has been demonstrated to be resistant to attacks by quantum computers in the future." While Curran took home a trophy and a cheque for €5,000 (£4,320), the future could hold much bigger prizes. "There has definitely been a lot of interest," Curran said, adding that qCrypt "is certainly a commercially viable idea". The student would not reveal who had been in touch but the list of organisations who would be interested in this technology is endless. From governments and large companies seeking to prevent cyber espionage, to companies like Apple, Facebook and Google looking to reassure customers their data is safe, an uncrackable encryption technology is a very valuable product. But for Curran, it is not all about the money. "If it's possible to simultaneously have something which is useful to the world as a whole as well as producing a decent revenue stream, then that would fantastic," Curran said. "I'm not completely motivated by money but it would be great to have a tool that would be useful to millions or even billions of people over the next while — and that's something to aspire to." Teenage dreams In 2005, Patrick Collison another Irish 16-year-old won the Young Scientist award. He went on to establish online payment technology company Stripe with his brother John. In November the outfit was valued at $9bn making the Collison brothers billionaires — something Curran certainly sees as an inspiration. "The work Patrick Collison and his younger brother John have done, is a huge aspiration or goal to set. If I could get anywhere near what the Collisons have done it would be fantastic." While Curran is convinced the theory behind qCrypt is solid, and he has been working with professors in the maths department of University College Dublin, doubts will remain, especially because of his tender age. But when you consider that Curran installed his first Linux distro at the age of six, created a web browser using Visual Basic when he was seven and launched an online library management system at the age of 12, there are lots of reasons to believe in him. Article source
  17. Mozilla: The Internet Is Unhealthy And Urgently Needs Your Help Mozilla argues that the internet's decentralized design is under threat by a few key players, including Google, Facebook, Apple, Tencent, Alibaba and Amazon, monopolizing messaging, commerce, and search. Can the internet as we know it survive the many efforts to dominate and control it, asks Firefox maker Mozilla. Much of the internet is in a perilous state, and we, its citizens, all need to help save it, says Mark Surman, executive director of Firefox maker the Mozilla Foundation. We may be in awe of the web's rise over the past 30 years, but Surman highlights numerous signs that the internet is dangerously unhealthy, from last year's Mirai botnet attacks, to market concentration, government surveillance and censorship, data breaches, and policies that smother innovation. "I wonder whether this precious public resource can remain safe, secure and dependable. Can it survive?" Surman asks. "These questions are even more critical now that we move into an age where the internet starts to wrap around us, quite literally," he adds, pointing to the Internet of Things, autonomous systems, and artificial intelligence. In this world, we don't use a computer, "we live inside it", he adds. "How [the internet] works -- and whether it's healthy -- has a direct impact on our happiness, our privacy, our pocketbooks, our economies and democracies." Surman's call to action coincides with nonprofit Mozilla's first 'prototype' of the Internet Health Report, which looks at healthy and unhealthy trends that are shaping the internet. Its five key areas include open innovation, digital inclusion, decentralization, privacy and security, and web literacy. Mozilla will launch the first report after October, once it has incorporated feedback on the prototype. That there are over 1.1 billion websites today, running on mostly open-source software, is a positive sign for open innovation. However, Mozilla says the internet is "constantly dodging bullets" from bad policy, such as outdated copyright laws, secretly negotiated trade agreements, and restrictive digital-rights management. Similarly, while mobile has helped put more than three billion people online today, there were 56 internet shutdowns last year, up from 15 shutdowns in 2015, it notes. Mozilla fears the internet's decentralized design, while flourishing and protected by laws, is under threat by a few key players, including Facebook, Google, Apple, Tencent, Alibaba and Amazon, monopolizing messaging, commerce and search. "While these companies provide hugely valuable services to billions of people, they are also consolidating control over human communication and wealth at a level never before seen in history," it says. Mozilla approves of the wider adoption of encryption today on the web and in communications but highlights the emergence of new surveillance laws, such as the UK's so-called Snooper's Charter. It also cites as a concern the Mirai malware behind last year's DDoS attacks, which abused unsecured webcams and other IoT devices, and is calling for safety standards, rules and accountability measures. The report also draws attention to the policy focus on web literacy in the context of learning how to code or use a computer, which ignores other literacy skills, such as the ability to spot fake news, and separate ads from search results. Source Alternate Source - 1: Mozilla’s First Internet Health Report Tackles Security, Privacy Alternate Source - 2: Mozilla Wants Infosec Activism To Be The Next Green Movement
  18. Lavabit — Encrypted Email Service Once Used by Snowden, Is Back Texas-based Encrypted Email Service 'Lavabit,' that was forced to shut down in 2013 after not complying with a court order demanding access to SSL keys to snoop on Edward Snowden's emails, is relaunching on Friday. Lavabit CEO Ladar Levison had custody of the service's SSL encryption key that could have helped the government obtain Snowden's password. Although the FBI insisted it was only after Snowden's account, that was the key to the kingdom that would have helped the FBI agents obtain other users’ credentials as well. But rather than complying with the federal request that could compromise the communications of all of its customers, Levison preferred to shut down his encrypted email service, leaving its 410,000 users unable to access their email accounts. Now, Levison has announced that he is reviving Lavabit with a new architecture that fixes the SSL problem — which according to him, was the biggest threat — and includes other privacy-enhancing features that will help its users send emails that he can't eavesdrop, even if ordered to do so. Levison is releasing the source code for an open-source end-to-end encrypted global email standard that promises surveillance-proof messaging that even hides the metadata on emails to prevent agencies like the NSA or FBI from being able to find out with whom Lavabit users communicate. Dubbed Dark Internet Mail Environment (DIME), the standard will be available on Github today, along with an associated mail server program called Magma, which is ready for use with the Dark Internet Mail Environment. According to Levison, Magma server is designed to offer an easy-to-use application so that even non-technical users with existing email clients can use Lavabit encrypted email service with ease. DIME standard includes a ‘Trustful’ encryption mode, which requires users to trust the server to manage the encryption and their keys. Also, the DIME also offers Cautious Mode and Paranoid Mode for users who want absolute control over their encryption keys, so that their keys never transmits anywhere. Paranoid means Lavabit will never store a user’s private keys on its server. Initially, the new Lavabit service will only be accessible to its existing customers and only in Trustful mode. However, if you were not LAvabit customer in the past before the service shut down, you can pre-register and wait for the eventual rollout. Source
  19. Explained — What's Up With the WhatsApp 'Backdoor' Story? Feature or Bug! What is a backdoor? By definition: "Backdoor is a feature or defect of a computer system that allows surreptitious unauthorized access to data, " either the backdoor is in encryption algorithm, a server or in an implementation, and doesn't matter whether it has previously been used or not. Yesterday, we published a story based on findings reported by security researcher Tobias Boelter that suggests WhatsApp has a backdoor that "could allow" an attacker, and of course the company itself, to intercept your encrypted communication. The story involving the world's largest secure messaging platform that has over a billion users worldwide went viral in few hours, attracting reactions from security experts, WhatsApp team, and Open Whisper Systems, who partnered with Facebook to implement end-to-end encryption in WhatsApp. Note: I would request readers to read complete article before reaching out for a conclusion. And also, suggestions and opinions are always invited What's the Issue: The vulnerability relies on the way WhatsApp behaves when an end user's encryption key changes. WhatsApp, by default, trusts new encryption key broadcasted by a contact and uses it to re-encrypt undelivered messages and send them without informing the sender of the change. In my previous article, I have elaborated this vulnerability with an easy example, so you can head on to read that article for better understanding. Facebook itself admitted to this WhatsApp issue reported by Boelter, saying that "we were previously aware of the issue and might change it in the future, but for now it's not something we're actively working on changing." What Experts argued: According to some security experts — "It's not a backdoor, rather it’s a feature to avoid unnecessarily re-verification of encryption keys upon automatic regeneration." Open Whisper Systems says — "There is no WhatsApp backdoor," "it is how cryptography works," and the MITM attack "is endemic to public key cryptography, not just WhatsApp." A spokesperson from WhatsApp, acquired by Facebook in 2014 for $16 Billion, says — "The Guardian's story on an alleged backdoor in WhatsApp is false. WhatsApp does not give governments a backdoor into its systems. WhatsApp would fight any government request to create a backdoor." What's the fact: Notably, none of the security experts or the company has denied the fact that, if required, WhatsApp, on government request, or state-sponsored hackers can intercept your chats. What all they have to say is — WhatsApp is designed to be simple, and users should not lose access to messages sent to them when their encryption key is changed. Open Whisper Systems (OWS) criticized the Guardian reporting in a blog post saying, "Even though we are the creators of the encryption protocol supposedly "backdoored" by WhatsApp, we were not asked for comment." What? "...encryption protocol supposedly "backdoored" by WhatsApp…" NO! No one has said it's an "encryption backdoor;" instead this backdoor resides in the way how end-to-end encryption has been implemented by WhatsApp, which eventually allows interception of messages without breaking the encryption. As I mentioned in my previous story, this backdoor has nothing to do with the security of Signal encryption protocol created by Open Whisper Systems. It's one of the most secure encryption protocols if implemented correctly. Then Why Signal is more Secure than WhatsApp? You might be wondering why Signal private messenger is more secure than Whatsapp, while both use the same end-to-end encryption protocol, and even recommended by the same group of security experts who are arguing — "WhatsApp has no backdoor." It's because there is always room for improvement. The signal messaging app, by default, allows a sender to verify a new key before using it. Whereas, WhatsApp, by default, automatically trusts the new key of the recipient with no notification to the sender. And even if the sender has turned on the security notifications, the app notifies the sender of the change only after the message is delivered. So, here WhatsApp chose usability over security and privacy. It’s not about 'Do We Trust WhatsApp/Facebook?': WhatsApp says it does not give governments a "backdoor" into its systems. No doubt, the company would definitely fight the government if it receives any such court orders and currently, is doing its best to protect the privacy of its one-billion-plus users. But what about state-sponsored hackers? Because, technically, there is no such 'reserved' backdoor that only the company can access. Why 'Verifying Keys' Feature Can't Protect You? WhatsApp also offers a third security layer using which you can verify the keys of other users with whom you are communicating, either by scanning a QR code or by comparing a 60-digit number. But here’s the catch: This feature ensure that no one is intercepting your messages or calls at the time you are verifying the keys, but it does not ensure that no one, in the past had intercepted or in future will intercept your encrypted communication, and there is no way, currently, that would help you identify this. WhatsApp Prevention against such MITM Attacks are Incomplete WhatsApp is already offering a "security notifications" feature that notifies users whenever a contact's security code changes, which you need to turn on manually from app settings. But this feature is not enough to protect your communication without the use of another ultimate tool, which is — Common Sense. Have you received a notification indicating that your contact's security code has changed? Instead of offering 'Security by Design,' WhatsApp wants its users to use their common sense not to communicate with the contact whose security key has been changed recently, without verifying the key manually. The fact that WhatsApp automatically changes your security key so frequently (for some reasons) that one would start ignoring such notifications, making it practically impossible for users to actively looking each time for verifying the authenticity of session keys. What WhatsApp should do? Without panicking all one-billion-plus users, WhatsApp can, at least: Stop regenerating users' encryption keys so frequently (I clearly don't know why the company does so). Give an option in the settings for privacy-conscious people, which if turned on, would not automatically trust new encryption key and send messages until manually accepted or verified by users. ...because just like others, I also hate using two apps for communicating with my friends and work colleagues i.e. Signal for privacy and WhatsApp because everyone uses it. Source
  20. Ransomware Attacks To Decrease In 2017 Ransomware is expected to deflate a bit next year, but hackers won’t be resting on their laurels, that’s for sure. Instead, they might just move to dronejacking, for a "variety of criminal or hacktivist purposes". This is according to McAfee Labs, whose new report, the McAfee Labs 2017 Threats Predictions Report, identifies 14 cyber-security trends to watch in 2017. Based on the opinions of 31 Intel Security thought leaders, the report says we can expect a decrease in both volume and effectiveness of ransomware in the second half of 2017. Windows vulnerability exploits will also continue downwards, but infrastructure and virtualization software attacks will increase. So will attacks against hardware and firmware. Attacks against mobile devices will be a combination of mobile device locks and credential theft, allowing attackers access to information such as credit cards. IoT malware could open up backdoors into the connected home -- backdoors which could stay undetected for years. Also, we can expect to see hijackings of drones, or as the report puts it -- Dronejackings. "To change the rules of the game between attackers and defenders, we need to neutralize our adversaries' greatest advantages", says Vincent Weafer, vice president of Intel Security’s McAfee Labs. “As a new defensive technique is developed, its effectiveness increases until attackers are compelled to develop countermeasures to evade it. To overcome the designs of our adversaries, we need to go beyond understanding the threat landscape to changing the defender-attacker dynamics in six key areas: information asymmetry, making attacks more expensive, improving visibility, better identifying exploitation of legitimacy, improving protection for decentralized data, and detecting and protecting in agentless environments". The full report can be found on this link (PDF). Published under license from ITProPortal.com, a Future plc Publication. All rights reserved. Source
  21. Encrypted Email Sign-Ups Instantly Double In Wake of Trump Victory ProtonMail suggests fear of the Donald prompting lockdown "ProtonMail follows the Swiss policy of neutrality. We do not take any position for or against Trump," the Swiss company's CEO stated on Monday, before revealing that new user sign-ups immediately doubled following Trump's election victory. ProtonMail has published figures showing that as soon as the election results rolled in, the public began to seek out privacy-focused services such as its own. CEO Andy Yen said that, in communicating with these new users, the company found people apprehensive about the decisions that President Trump might take and what they would mean considering the surveillance activities of the National Security Agency. "Given Trump's campaign rhetoric against journalists, political enemies, immigrants, and Muslims, there is concern that Trump could use the new tools at his disposal to target certain groups," Yen said. "As the NSA currently operates completely out of the public eye with very little legal oversight, all of this could be done in secret." ProtonMail was launched back in May 2014 by scientists who had met at CERN and MIT. In response to the Snowden revelations regarding collusion between the NSA and other email providers such as Google, they created a government-resistant, end-to-end encrypted email service. The service was so popular that it was "forced to institute a waiting list for new accounts after signups exceeded 10,000 per day" within the first three days of opening, the CEO previously told The Register when ProtonMail reopened free registration to all earlier this year. ProtonMail new user signups doubled immediately after Trump's election victory Yen said his service was now "seeing an influx of liberal users" despite its popularity on both sides of the political spectrum. "ProtonMail has also long been popular with the political right, who were truly worried about big government spying, and the Obama administration having access to their communications. Now the tables have turned," Yen noted. "One of the problems with having a technological infrastructure that can be abused for mass surveillance purposes is that governments can and do change, quite regularly in fact. "The only way to protect our freedom is to build technologies, such as end-to-end encryption, which cannot be abused for mass surveillance," Yen added. "Governments can change, but the laws of mathematics upon which encryption is based are much harder to change." Source
  22. A majority of Mozilla users were served encrypted pageloads for the first time yesterday, meaning their web browsing data was secured from snoopers and hackers while in transit. The HTTPS milestone was tweeted by Josh Aas, head of the Let’s Encrypt initiative which has been working to help smaller websites switch to encrypting their web traffic. Mozilla, which is one of the organizations backing Let’s Encrypt, was reporting that 40 per cent of page views were encrypted as of December 2015. So it’s an impressively speedy rise. That said, there are plenty of caveats here — the biggest being it’s just one browser, Mozilla’s Firefox, which lags far behind the dominant default browsers of the mainstream web. Statista pegs Firefox at just a 7.77 per cent global marketshare for July 2016 vs 49.5 per cent for Google’s Chrome and 13.68 per cent for Apple’s Safari browser. Add to that, is also only a subset of Firefox users who are running Mozilla’s telemetry browser performance reporting feature. The telemetry feature is also not default switched on for most Firefox users (only for users of pre-release Firefox builds). And it’s just a one-day snapshot. All of which is to say the sample here is certainly very salami sliced and clearly not representative of mainstream web usage. So, while the speed of the shift to HTTPS among this user group is noteworthy and encouraging, there’s still plenty of work to be done to make encrypted connections the rule for the majority of web users and web browsing sessions. The Let’s Encrypt initiative, which exited beta back in April, is doing some of that work by providing sites with free digital certificates to help accelerate the switch to HTTPS. According to Aas, Let’s Encrypt added more than a million new active certificates in the past week — which is also a significant step up. In the initiative’s first six months (when still in beta) it only issued around 1.7 million certificates in all. As well as carrots there are sticks driving websites to shift to HTTPS. One of which is Google, which has said it intends to flag unsecured connections in its popular Chrome browser — thereby brandishing the threat of a traffic apocalypse for sites that do not roll out encryption. Article source
  23. Senator Ron Wyden opposes giving the Justice Department more power to get consumer data from technology companies. WASHINGTON — After Apple and the F.B.I. made their battle over encryption public in February, members of Congress quickly jumped into the debate. Some lawmakers promised new rules that would give authorities more access to smartphones, while others promised to fight off those laws. Yet after several hearings and bills, and the formation of congressional working groups, little has been done to resolve the central tug of war between the tech industry and federal authorities over civil rights versus national security. Law enforcement officials have argued that hundreds of criminal investigations have been held up by their inability to get access to locked smartphones and encrypted apps. Privacy advocates and tech companies say such access would cost people their personal information and lead to a slippery slope of surveillance. The debate has flared anew recently, with Open Whisper Systems, maker of the encrypted messaging app Signal, revealing it had received a federal subpoena for user information earlier this year, along with a gag order. Last week, reports also surfaced that Yahoo worked to satisfy a secret court order by scanning incoming emails for digital “signatures” tied to a state-sponsored terrorist organization. Ron Wyden, a Democratic senator from Oregon, has been a leading voice on the side of encryption and against giving the Justice Department more power to get consumer data from tech companies. Mr. Wyden, a member of the Senate Select Committee on Intelligence, recently talked to The New York Times about the privacy-versus-security debate. Cecilia Kang Q. What is the state of encryption and other security debates on Capitol Hill? A. This is going to be a big, big two months. First, obviously, there are those who want to weaken encryption. They are still at it. Then, the F.B.I. wants authority to circumvent court oversight to obtain Americans’ browsing histories. Third, there is what’s known as Rule 41, where the F.B.I. wants the authority to hack thousands or millions of hacking victims with one warrant from a single judge. These and other issues will come up right when we get back in session in November, after the election. A draft proposal released in May by Senators Richard Burr of North Carolina and Dianne Feinstein of California to give law enforcement greater access to encrypted devices never caught on. What is the status of encryption proposals? You’ll have to ask them, but if an anti-encryption bill gets out of the Intelligence Committee, which is where its strength is greatest, I will do everything I can to prevent that. If it goes to the floor, then I will filibuster. I will use every procedural tool to block legislation that in my view would make us less safe and jeopardize our liberty. There seems to be no change in the standoff between companies that want strong personal privacy and security protections, and law enforcement, which argues that it needs to get past encryption for national security. There were tens of thousands of news stories during the first days of the encryption discussion that said, “Today, in the ongoing debate between privacy and security, the following happened.” I don’t think that’s the right way to think about it. I think it is about more security versus less security. If you want to be in a safe community, you shouldn’t be able to weaken encryption. We pushed back very, very hard on the idea that this is a battle between privacy and security. Is this a minority point of view or are you seeing more people adopt this? I think you are starting to see surprising voices in this discussion, like Mike McConnell, the former director of national intelligence, raise questions about what it means to weaken encryption. What else is coming up for consideration in the cybersecurity space? Browser spying. Senators John McCain and Richard Burr have a proposal to give any F.B.I. field office new authority to scoop up Americans’ browsing history and a slew of American digital records without going to a judge. Email, text message logs and certain location information would be included. We had a vote on this at the end of June. Yet this would give law enforcement access to valuable information to aid in investigations. My view is that if you know a person is visiting a website of a substance abuse group, a political organization or mental health clinic, then you know a lot about that person. It’s practically a window into their innermost thoughts. This should come with court oversight. The F.B.I. can already get this information with a court order today. One thing that civil liberties groups have protested is what’s known as Rule 41. Can you explain what that is? It would allow the government to hack into multiple devices with a single warrant from a single judge. The Justice Department will say this is a modest thing. But one tech person said this whole Rule 41 thing is coming forward under “cover of dullness.” The F.B.I. says that the changes to Rule 41 are the best way for them to investigate cybercriminals, including child abusers. What’s your response? Everyone believes that the F.B.I. should have the tools it needs to catch dangerous criminals. But too often over the past decade, intelligence and law enforcement agencies choose approaches that sweep up information from millions of innocent Americans instead of targeting terrorists and criminals. These approaches don’t make us safer. The changes to Rule 41 allow the F.B.I. to hack millions of victims of cybercrime. These victims of hacks are regular people, not criminals. This is a serious issue that the American people and their elected representatives should consider and debate, rather than allowing the Department of Justice to put into law through an obscure bureaucratic process. There would be overwhelming congressional support for something that gives the F.B.I. the tools it needs, while providing the American people the strong protections they deserve. Is the encryption debate between tech companies and law enforcement unsolvable? It will be a long debate. But look, it’s still possible to use metadata when the government thinks there is a problem. On the security side, we are no longer collecting millions of phone records on people, so that’s solid policy. There is a way to address security while also addressing liberty: by emergency authority and focusing on people who are a threat. Article source
  24. Remove Ransomware Infections From Your PC Using These Free Tools Symantec A how-to on finding out what ransomware is squatting in your PC -- and how to get rid of it. Ransomware, a variety of malware which encrypts user files and demands payment in return for a key, has become a major threat to businesses and the average user alike. Coming in a variety of forms, ransomware most often compromises PCs through phishing campaigns and fraudulent emails. Once a PC is infected, the malware will encrypt, move and potentially delete files, before throwing up a landing page demanding a ransom in Bitcoin. Demands for payment can range from a few to thousands of dollars. However, giving in and paying the fee not only further funds the development and use of this malware, but there is no garuntee any decryption keys given in return will work. It is estimated that ransomware attacks cost more than $1 billion per year. The No More Ransom Project, launched by the National High Tech Crime Unit of the Netherlands' police, Europol, Kaspersky and Intel Security, is a hub for victims to find out how to remove infections -- and how to prevent themselves becoming infected in the future. Unfortunately, not every type of ransomware has been cracked by research teams. Time and vulnerabilities which can be exploited by cybersecurity experts are required, and so some ransomware families do not have a solution beyond wiping your system clean and using backup data. However, researchers are cracking more types of ransomware every month and there are a number of tools available which give victims some hope to retrieve their files. The No More Ransom Project offers a quick way to find out what sort of ransomware is on your PC using this step-by-step guide. Alternatively, the Ransomware hunter team runs the ID Ransomware online service which can also be used to identify infections. Below, in alphabetical order, you can find a range of tools and software made available by researchers to scour your PC clean of the most common types of infection. Al-Namrood: Removal tool. Emisoft. Apocalypse: Removal tool. Emisoft. ApocalypseVM: Removal tool. Emisoft. Autolocky: Removal tool. Emisoft. BadBlock: Removal tool. Trend Micro. Alternative: BadBlock: Removal tool. Emisoft. Bart: Removal tool | AVG | Original file copy required Bitcryptor: Removal tool. Kaspersky Cerber v.1: Removal tool. Trend Micro. Chimera: Removal tool. Trend Micro. CoinVault: Removal tool. Kaspersky CrypBoss: Removal tool. Emisoft. CryptoDefense: Removal tool. Emisoft. CryptInfinite: Removal tool. Emisoft. CryptXXX v.1 & 2: Removal tool (.zip). Kaspersky. (*Files encrypted by Trojan-Ransom.Win32.CryptXXX version 3 are detected, but not decrypted) CryptXXX v1, 2, 3, 4, 5: Removal tool. Trend Micro. DMALocker: Removal tool. Emisoft. DMALocker2: Removal tool. Emisoft. Fabiansomware: Removal tool. Emisoft. FenixLocker: Removal tool. Emisoft. Gomasom: Removal tool. Emisoft. Globe: Removal tool. Emisoft. Harasom: Removal tool. Emisoft. HydraCrypt: Removal tool. Emisoft. Jigsaw: Removal tool. Trend Micro. KeyBTC: Removal tool. Emisoft. Lechiffree: Removal tool. Trend Micro. Marsjoke | Polyglot: Removal tool (.zip) | Kaspersky. See also: One more bites the dust: Kaspersky releases decryption tool for Polyglot ransomware Nemucod: Removal tool. Trend Micro. Nemucod: Removal tool. Emisoft. MirCop: Removal tool. Trend Micro. Operation Global III: Removal tool. TeslaCrypt: Removal tool. Cisco. PClock: Removal tool. Emisoft. Petya: Removal tool. Key generator. Philadelphia: Removal tool. Emisoft. PowerWare: Removal tool Rakhni & similar: Agent.iih, Aura, Autoit, Pletor, Rotor, Lamer, Lortok, Cryptokluchen, Democry: Removal tool (.exe). Kaspersky Rannoh: Removal tool (.zip). Kaspersky Shade v1 & 2: Removal tool. Kaspersky SNSLocker: Removal tool. Trend Micro. Stampado: Removal tool. Trend Micro. Alternative: Removal tool. Emisoft. TeslaCrypt v1, 2, 3, 4: Removal tool. Trend Micro. UmbreCrypt: Removal tool. Emisoft. Vandev: Removal tool. Kaspersky Wildfire: Removal tool (.zip). Kaspersky Xorist: Removal tool. Kaspersky Xorist: Removal tool. Emisoft. (Alternative: Removal tool. Trend Micro.) 777: Removal tool. Trend Micro. Source
  25. CAMBRIDGE, Ma.—The National Security Agency came out in support of encryption again Wednesday, but privacy advocates were quick to contest the agency’s stance, criticizing it for having a different definition of the term than others. Glenn Gerstell, general counsel for the NSA, stressed that the agency believes in strong encryption multiple times during a panel, “Privacy vs. Security: Beyond the Zero-Sum Game,” at Cambridge Cyber Summit here at MIT, on Wednesday. Another panelist, Cindy Cohn, executive director of the Electronic Frontier Foundation, took offense and said that when the NSA uses the word encryption, it should really place an asterisk at the end. “I think there should be an asterisk most of the time. I’ve been in meetings with people from the NSA and FBI and when they say we support strong encryption… what they really mean is strong encryption that only they have access to,” Cohn said. “It sounds disingenuous, it seems what they mean by strong encryption isn’t the same as what the rest of us mean,” Cohn said. Gerstell was echoing sentiments previously made by NSA director Adm. Mike Rogers, and General Michael Hayden, former director of the CIA and NSA. Both have gone on record this year that they support encryption but also admitted that robust crypto provides them with challenges in their day-to-day work. Gerstell said the NSA was focused on encryption but called it “more of a law enforcement issue than an NSA or foreign intelligence issue,” alluding to the difficulties the government faces when terrorist groups like ISIL use encrypted messaging apps to communicate. Likening what the NSA does to gain intelligence as “going spotty, not dark,” Gerstell said at one point though that encryption doesn’t have to be an impenetrable wall and that there can be ways around it. “Just because there’s end-to-end encryption doesn’t mean that’s the end of the problem, Gerstell said, “sometimes people lose passwords to their encrypted devices, someone might forget a password, they might have to reset it – that exposes vulnerabilities. All these things provide an opportunity to exploit that system.” “The government shouldn’t be in the business of breaking our technology, they should be in the business helping make it more secure,” Cohn quipped. The panel, moderated by the Washington Post’s Ellen Nakashima, quickly developed into a spirited privacy versus security debate. Gerstell at one point was forced to defend accusations from Cohn that the NSA frequently hoarded zero-day vulnerabilities and failed to report them to companies, leaving users vulnerable. Gerstell insisted that the NSA discloses the majority of vulnerabilities it encounters, roughly 95 percent. Sometimes however equipment can be out of cycle, or not supported by manufacturers, and that the agency has to withhold them for national security reasons, he said. Cohn fired back, citing the NSA’s “extremely vague” response to a FOIA request the EFF filed regarding the government’s Vulnerability Equities Process in 2014. Cohn told Gerstell the government’s level of being forthcoming around the issue is far below what the general public expects. While we’re almost half a year removed from this spring’s FBI vs. Apple encryption debacle, it clearly hasn’t halted the conversation, or vitriol, around the topic of encryption. Another panelist, Daniel Weitzner, the founding director of MIT’s Internet Policy Research Initiative and a principal research scientist at MIT CSAIL, said that we’re getting tripped up on the encryption debate – something, he said, was really just a narrow slice of the conversation. “Let’s find a solution,” Weitzner said, “I believe the technical community has an obligation to help the intelligence community investigate crime and terrorism. We should be talking about all the other ways law enforcement can be effective with encryption.” Near the panel’s end, the professor said that we’ll likely never have perfectly secure systems, but that end-to-end encryption will soon be ubiquitous and that the world needs to adapt. “It’s very clear that end-to-end encryption is going to be widely available, all around the world, non-U.S. sources, terrorists will be able to use it,” Weitzner said. “That’s not a good thing but I don’t think that’s a thing that we can control. The question now is; where are our strategic interests – in the security and trust of users overall or guaranteeing this can be used in law enforcement investigation? I think given the numbers, we have to err on the side of protecting the law-abiding users,” Weitzner said. Source: https://threatpost.com/eff-nsas-support-of-encryption-disingenuous/121134/