Showing results for tags 'encryption'.



Found 82 results

  1. The common belief that encryption enables bad behavior primarily used by thieves, international terrorists, and other villainous characters is simply not true. Here's why.

    Encryption engenders passionate opinions and reactions from a variety of government regulators, technologists, and privacy and security advocates. It's become the de facto standard of online commerce and communication, embraced by technocrats and security pros everywhere. Conversely, some governments routinely seek to destabilize encryption through legislation, regulation, or dictatorial fiat. A common approach is to require device manufacturers and technology providers to implement "backdoors" in an attempt to break end-to-end encryption in order to surveil conversations deemed high risk. Such efforts are generally met with strong objections from privacy rights advocates.

    There is also an evolving focus on user privacy, perhaps most prominently triggered by the passage of the European Union's General Data Protection Regulation, but now surging in many other parts of the world. Regulations and user concerns are forcing shifts in technology vendor practices, for example: Apple's announcements at their recent Worldwide Developer Conference declaring data privacy as a fundamental human right that will be central to all Apple products; The pullback by Google to restrict third-party developers' access to Google user data that previously had been accessible; and Facebook amending its corporate privacy stance given numerous recent scandals.

    These threads are converging, putting encryption at the center of major business, government, and societal shifts. The fact is that encryption is a highly reliable method of safeguarding devices and information in the digital age. It is, in effect, the foundation of modern computing and collaboration. While it can't serve as a comprehensive security solution for all issues an enterprise may face, it does offer a powerful backstop when intrusions and breaches occur.

    For instance, you might think of encryption as relevant for protecting digital assets from being stolen. But cybercriminals are very savvy and continually up the cat-and-mouse security game; in reality, company assets are stolen every day. It's better to acknowledge that every asset, whether it resides on a corporate website, a government database, or elsewhere, is at risk of compromise. When compromise occurs, encryption is the last layer of defense, preventing thieves from utilizing what's been taken.

    Just in recent weeks, we've seen several reports of high-profile breaches involving sensitive customer information: A massive American Medical Collections Agency data breach ensnared data from medical testing giants Quest Diagnostics (11.9 million patient records) and Lab Corp (7.7 million patient records). Real estate title insurance giant First American Financial leaked hundreds of millions of digitized customer documents. There was also research published by Digital Shadows reporting 2.3 billion files stolen. Additional research from the vpnMentor research team revealed 11 million photos were exposed due to a misconfigured cloud service. While these breaches are filling headlines and causing ongoing customer worries, the situation would likely be quite different had these files been encrypted.

    Encryption's Mistaken Beliefs & Unintended Consequences

    If we consider government backdoor access demands, aside from the privacy concerns, imposing such actions actually could have unintended and contradictory consequences. For example, a government might compel a mobile phone manufacturer to install a backdoor that breaks encryption in high-risk situations such as terrorism incidents. But once such a mechanism exists, it is implausible in this active cyber threat environment that only that government entity would be able to access and utilize it. Realistically, it will be utilized by both good and bad actors, and is ultimately likely to cause more problems than obviating the problem it was originally intended to solve.

    There are a few other common but erroneous beliefs about encryption that need to be dispelled. One is that because it's so hard to use, only sophisticated users can take advantage of it. Practically speaking, encryption is no longer just about locking down hard drives. It's now about protecting information at the point of creation and then being able to dynamically update policies around that data wherever it goes. Modern approaches can actually make this fairly simple to apply.

    Another mistaken belief is that encryption is easily breakable. While sophisticated nation-states can harness the significant processing power needed to decrypt protected assets, that's not a common situation. Frankly, it's just easier for attackers to move on to other targets with unencrypted data stores.

    Finally, there's a common belief that encryption enables a lot of bad behavior — that it's only used by thieves, international terrorists, and other villainous characters. This is simply not true. Encryption is actually central to our digital lives and enables trillions of dollars of secure commerce from banking transactions to the myriad online consumer and enterprise services we all utilize on a daily basis. Encryption forms the essential underpinning of our virtual world.

    With the emotion that often gets packed into discussions and decisions about how encryption should be used, it's important to pause, separate fact from fiction, and responsibly apply this powerful tool to advance the security of the systems and data that enable our modern lifestyles.

    Source
  2. The latest chapter of a largely behind-the-scenes encryption fight unfolded on Wednesday when Trump administration officials held a National Security Council meeting focused on the challenges and benefits of encryption, according to a report in Politico.

    One of Politico’s sources said that the meeting was split into two camps: Decide, create and publicize the administration’s position on encryption or go so far as to ask Congress for legislation to ban end-to-end encryption. That would be a huge escalation in the encryption fight and, moreover, would probably be unsuccessful due to a lack of willpower in Congress. No decision was made by the Trump administration officials, Politico reported. The White House did not respond to a request for comment.

    Not too long ago, encryption was a front page issue. Apple and the FBI fought an open and loud battle over encryption in 2015 and, during a campaign speech, then-candidate Donald Trump proposed a boycott of Apple that never materialized.

    In the United States, the issue has become an important behind-closed-doors topic of discussion. FBI Director Chris Wray earlier this year described ongoing conversations between the federal government and technology giants about the issue of encryption. “It can’t be a sustainable end state for there to be an entirely unfettered space that’s utterly beyond law enforcement for criminals to hide,” Wray said. “We have to figure out a way to deal with this problem.” He continued by saying that he is “hearing increasingly that there are solutions” for strong encryption that opens the targeted data to law enforcement. However, he gave no specific examples of what that means.

    The fact that these discussions are ongoing both within the White House and with Silicon Valley shows that the issue is still very much alive within the corridors of power. Earlier this year, a court battle unfolded when the U.S. government tried to compel Facebook to decrypt Facebook Messenger’s encryption in a criminal investigation. The judge on the case, however, ruled that the details would be kept secret.

    Outside of the United States, a lot has happened since encryption was in the headlines two years ago. Most notably, Australia passed an encryption law in December 2018 requiring companies to give law enforcement and security agencies access to encrypted data like Facebook’s WhatsApp or Apple’s iMessage. It’s considered a landmark test being watched closely by governments and technology companies around the world. In Europe, Germany — a country famous for its world-leading privacy policies — is closely considering its own encryption policy at the moment. What exactly that ultimately means in Germany, Europe, and around the world, however, remains unclear.

    Source
  3. malakai1911

    Comprehensive Security Guide

    Comprehensive Security Guide

    NOTE: As of 1/1/2019 this guide is out of date. Until parts are rewritten, consider the below for historical reference only.

    i. Foreword

    The primary purpose of this guide is to offer a concise list of best-of-breed software and advice on selected areas of computer security. The secondary purpose of this guide is to offer limited advice on other areas of security. The target audience is an intermediately skilled user of home computers. Computer software listed are the freeware versions when possible or have free versions available. If there are no free versions available for a particular product, it is noted with the "$" symbol. The guide is as well formatted as I could make it, within the confines of a message board post.

    ii. Table of Contents

    i. Foreword
    ii. Table of Contents
    1. Physical Security
       a. Home
       b. Computer
       c. Personal
    2. Network Security
       a. Hardware Firewall
       b. Software Firewall
    3. Hardening Windows
       a. Pre-install Hardening
       b. Post-install Hardening
       c. Alternative Software
       d. Keep Windows Up-To-Date
    4. Anti-Malware
       a. Anti-Virus
       b. HIPS / Proactive Defense
       c. Malware Removal
    5. Information and Data Security
       a. Privacy / Anonymity
       b. Encryption
       c. Backup, Erasure and Recovery
       d. Access Control (Passwords, Security Tokens)
    6. Conclusion

    1. Physical Security

    I just wanted to touch on a few things in the realm of physical security, and you should investigate physical and personal security in places other than here.

    a. Home

    How would you break in to your own home? Take a close look at your perimeter security and work inwards. Make sure fences or gates aren't easy to climb over or bypass. The areas outside your home should be well lit, and motion sensor lights and walkway lights make nice additions to poorly lit areas. If possible, your home should have a security system featuring hardwired door and window sensors, motion detectors, and audible sirens (indoor and outdoor). Consider integrated smoke and carbon monoxide detectors for safety. Don't overlook monitoring services, so the police or fire department can be automatically called during an emergency.

    Invest in good locks for your home, I recommend Medeco and Schlage Primus locks highly. Both Medeco and Schlage Primus locks are pick-resistant, bump-proof, and have key control (restricted copying systems). Exterior doors should be made of steel or solid-core wood and each should have locking hardware (locking doorknob or handle), an auxiliary lock (mortise deadbolt) with a reinforced strike plate, and a chain.

    Consider a fireproof (and waterproof) safe for the storage of important documents and valuables. A small safe can be carried away during a robbery, and simply opened at another location later, so be sure and get a safe you can secure to a physical structure (in-wall, in-floor, or secured to something reasonably considered immovable). You may be able to hide or obscure the location of your safe in order to obtain some additional security, but don't make it cumbersome for yourself to access.

    b. Computer

    Computers are easy to just pick up and take away, so the only goal you should have is to deter crimes of opportunity.

    For desktop computers, you may bring your desktop somewhere and an attacker may not be interested in the entire computer, but perhaps just an expensive component (video card) or your data (hard drive), and for that I suggest a well-built case with a locking side and locking front panel. There are a variety of case security screws available (I like the ones from Enermax (UC-SST8) as they use a special tool), or you can use screws with less common bits (such as tamper resistant Torx screws) to secure side panels and computer components. There are also cable lock systems available for desktop computers to secure them to another object.

    For laptop computers, you are going to be primarily concerned about a grab-and-go type robbery.
    There are a variety of security cables available from Kensington, which lock into the Kensington lock slot found on nearly all laptops, which you can use to secure it to another object (a desk or table, for example). Remember though, even if it's locked to something with a cable, it doesn't make it theft-proof, so keep an eye on your belongings.

    c. Personal

    Always be aware of your surroundings. Use your judgment, if you feel an area or situation is unsafe, avoid it altogether or get away as quickly and safely as possible.

    Regarding hand to hand combat, consider a self-defense course. Don't screw around with traditional martial arts (Karate, Aikido, Kung-Fu), and stay away from a McDojo. You should consider self-defense techniques like Krav Maga if you are serious about self defense in a real life context.

    I generally don't advocate carrying a weapon on your person (besides the legal mess that may be involved with use of a weapon, even for self-defense, an attacker could wrestle away a weapon and use it against you). If you choose to carry any type of weapon on your person for self-defense, I advise you to take a training course (if applicable) and to check with and follow the laws within the jurisdiction you decide to possess or carry such weapons.

    Dealing with the Police

    Be sure to read Know Your Rights: What to Do If You're Stopped by the Police, a guide by the ACLU, and apply it. Its advice is for within the jurisdiction of the US but may apply generally elsewhere, consult with a lawyer for legal advice. You should also watch the popular video "Don't talk to the police!" by Prof. James Duane of the Regent University Law School for helpful instructions on what to do and say when questioned by the police: (Mirror: regent.edu)

    Travelling Abroad

    Be sure and visit the State Department or Travel Office for your home country before embarking on a trip abroad. Read any travel warnings or advisories, and they are a wealth of information for travelers (offering guides, checklists, and travel advice): (US, UK, CA).

    2. Network Security

    As this is a guide geared towards a home or home office network, the central theme of network security is going to be focused around having a hardware firewall behind your broadband modem, along with a software firewall installed on each client. Since broadband is a 24/7 connection to the internet, you are constantly at risk of attack, making both a hardware and software firewall absolutely essential.

    a. Hardware Firewall

    A hardware firewall (router) is very important. Consider the hardware firewall as your first line of defense. Unfortunately, routers (usually) aren't designed to block outbound attempts from trojans and viruses, which is why it is important to use a hardware firewall in conjunction with a software firewall. Be sure that the firewall you choose features SPI (Stateful Packet Inspection).

    Highly Recommended

    I recommend Wireless AC (802.11ac) equipment, as it is robust and widely available. Wireless AC is backwards compatible with the earlier Wireless N (802.11n) G (802.11g) and B (802.11b) standards. 802.11ac supports higher speeds and longer distances than the previous standards, making it highly attractive. I generally recommend wireless networking equipment from Ubiquiti or Asus. Use WPA2/WPA with AES if possible, and a passphrase with a minimum of 12 characters. If you are really paranoid, use a strong random password and remember to change it every so often.

    Alternatives

    A spare PC running SmoothWall or IPCop, with a pair of NIC's and a switch can be used to turn a PC into a fully functional firewall.

    b. Software Firewall

    A software firewall nicely complements a hardware firewall such as those listed above.
    In addition to protecting you from inbound intrusion attempts, it also gives you a level of outbound security by acting as a gateway for applications looking to access the internet. Programs you want can access the internet, while ones you don't are blocked.

    Do not use multiple software firewalls simultaneously. You can actually make yourself less secure by running two or more software firewall products at once, as they can conflict with one another.

    Check out Matousec Firewall Challenge for a comparison of leak tests among top firewall vendors. Leaktests are an important way of testing outbound filtering effectiveness.

    Highly Recommended

    Comodo Internet Security
    Comodo is an easy to use, free firewall that provides top-notch security. I highly recommend this as a first choice firewall. While it includes Antivirus protection, I advise to install it as firewall-only and use an alternate Antivirus.

    Alternatives

    Agnitum Outpost Firewall Free
    A free personal firewall that is very secure. Be sure to check out the Outpost Firewall Forums, to search, and ask questions if you have any problems.

    Online Armor Personal Firewall Free
    Online Armor Personal Firewall makes another great choice for those who refuse to run Comodo or Outpost. Online Armor

    3. Hardening Windows

    Windows can be made much more secure by updating its components, and changing security and privacy related settings.

    a. Pre-install Hardening

    Pre-install hardening has its primary focus on integrating the latest available service packs and security patches. Its secondary focus is applying whatever security setting tweaks you can integrate. By integrating patches and tweaks, you will be safer from the first boot.

    Step 1 - Take an original Windows disc (Windows 7 or later) and copy it to a folder on your hard drive so you can work with the install files.
    Step 2 - Slipstream the latest available service pack. Slipstreaming is a term for integrating the latest service pack into your copy of windows.
    Step 3 - Integrate the latest available post-service pack updates. This can be done with a utility such as nLite or vLite, and post-service pack updates may be available in an unofficial collection (such as the RyanVM Update Pack for XP).
    Step 4 - Use nLite (Windows 2000/XP) or vLite (Windows Vista/7) to customize your install. Remove unwanted components and services, and use the tweaks section of nLite/vLite to apply some security and cosmetic tweaks.
    Step 5 - Burn your newly customized CD, and install Windows. Do not connect the computer to a network until you install a software firewall and anti-virus.

    b. Post-Install Hardening

    If you have followed the pre-install hardening section, then your aim will be to tweak settings to further lock down windows. If you hadn't installed from a custom CD, you will need to first update to the latest service pack, then install incremental security patches to become current. After updating, you'll then disable unneeded Windows services, perform some security tweaks, and use software such as xpy to tweak privacy options.

    Disable Services

    Start by disabling unneeded or unnecessary services. By disabling services you will minimize potential security risks, and use fewer resources (which may make your system slightly faster). Some good guides on disabling unnecessary services are available at Smallvoid: Windows 2000 / Windows XP / Windows Vista. Some commonly disabled services: Alerter, Indexing, Messenger, Remote Registry, TCP/IP NetBIOS Helper, and Telnet.

    Security Tweaks

    I highly recommend using a strong Local Security Policy template as an easy way to tweak windows security options, followed by the registry. Use my template (security.inf) to easily tweak your install for enhanced security (Windows 2000/XP/Vista/7):

    1. Save the following attachment: (Download Link Soon!)
    2. Extract the files.
    3. Apply the Security Policy automatically by running the included "install.bat" file.
    4. (Optional) Apply your policy manually using the following command: [ secedit /configure /db secedit.sdb /cfg "C:\<Path To Security.inf>\<template>.inf" ] then refresh your policy using the following command: [ secedit /refreshpolicy machine_policy ] (Windows 2000), [ gpupdate ] (Windows XP/Vista/7)

    This template will disable automatic ("administrative") windows shares, prevent anonymous log on access to system resources, disable (weak) LM Password Hashes and enable NTLMv2, disable DCOM, harden the Windows TCP/IP Stack, and much more. Unfortunately my template can't do everything, you will still need to disable NetBIOS over TCP (NetBT), enable Data Execution Prevention (AlwaysOn), and perform other manual tweaks that you may use.

    Privacy Tweaks

    xpy (Windows 2000/XP) and vispa (Windows Vista/7)
    These utilities are great for modifying privacy settings. They supersede XP AntiSpy because they include all of XP Anti-Spy's features and more. You should use them in conjunction with the security tweaks I've listed above.

    c. Alternative Software

    Another simple way of mitigating possible attack vectors is to use software that is engineered with better or open security processes. These products are generally more secure and offer more features than their Microsoft counterparts.

    Highly Recommended

      • Google Chrome (Web Browser)
      • Mozilla Thunderbird (Email Client)
      • OpenOffice.org (Office Suite)

    Alternatives

      • Mozilla Firefox (Web Browser)
      • Google Docs (Online) (Office Suite)

    Firefox Additions

    Mozilla has a Privacy & Security add-on section. There are a variety of add-ons that may appeal to you (such as NoScript). And although these aren't strictly privacy related, I highly recommend the AdBlock Plus add-on, with the EasyList and EasyPrivacy filtersets.

    d. Keep Windows Up-To-Date

    Speaking of keeping up-to-date, do yourself a favor and upgrade to at least Windows XP (for older PC's) and Windows 7 (or later) for newer PC's.
    Be sure to keep up-to-date on your service packs, they're a comprehensive collection of security patches and updates, and some may add minor features.

    Microsoft Windows Service Packs

      • Windows 2000 Service Pack 4 with Unofficial Security Rollup Package
      • Windows XP Service Pack 3 with Unofficial Security Rollup Package
      • Windows XP x64 Service Pack 2 with Unofficial Security Rollup Package
      • Windows Vista Service Pack 2
      • Windows 7 Service Pack 1

    Microsoft Office Service Packs

      • Office 2000 Service Pack 3 with the Office 2007 Compatibility Pack (SP3).
      • Office XP (2002) Service Pack 3 with the Office 2007 Compatibility Pack (SP3).
      • Office 2003 Service Pack 3 with the Office 2007 Compatibility Pack (SP3) and Office File Validation add-in.
      • Office 2007 Service Pack 3 with the Office File Validation add-in.
      • Office 2010 Service Pack 1

    After the service pack, you still need to keep up-to-date on incremental security patches. Windows supports Automatic Updates to automatically update itself. However, if you don't like Automatic Updates: You can use WindowsUpdate to update windows periodically (Must use IE5 or greater, must have BITS service enabled), or you can use MS Technet Security to search for and download patches individually, or you can use Autopatcher, an unofficial updating utility.

    In addition to security patches, remember to keep virus definitions up-to-date (modern virus scanners support automatic updates so this should not be a problem), and stay current with latest program versions and updates, including your replacement internet browser and mail clients.

    4. Anti-Malware

    There are many dangers lurking on the internet. Trojans, viruses, spyware. If you are a veteran user of the internet, you've probably developed a sixth-sense when it comes to avoiding malware, but I advocate backing up common sense with reliable anti-malware software.

    a. Anti-Virus

    Picking a virus scanner is important, I highly recommend Nod32, but there are good alternatives these days. Check out AV Comparatives for a comparison of scanning effectiveness and speed among top AV vendors.

    Highly Recommended

    Nod32 Antivirus $
    I recommend Nod32 as a non-free Antivirus. Features excellent detection rates and fast scanning speed. Nod32 has a great heuristic engine that is good at spotting unknown threats. Very resource-friendly and historically known for using less memory than other AV's. There is a 30 day free trial available.

    Alternatives

    Avira AntiVir Personal
    I recommend Avira as a free Antivirus. Avira is a free AV with excellent detection rates and fast scanning speed.

    (Kaspersky no longer recommended, due to espionage concerns.)

    Online-Scanners

    Single File Scanning
    Jotti Online Malware Scan or VirusTotal
    These scanners can run a single file through a large number of different Antivirus/Antimalware suites in order to improve detection rates. Highly recommended.

    Whole PC Scanning
    ESET Online Scanner
    Nod32 Online Antivirus is pretty good, ActiveX though, so IE only. There is a beta version available that works with Firefox and Opera.

    b. HIPS / Proactive Defense

    Host-based intrusion prevention systems (HIPS) work by disallowing malware from modifying critical parts of the Operating System without permission. Classic (behavioral) HIPS software will prompt the user for interaction before allowing certain system modifications, allowing you to stop malware in its tracks, whereas Virtualization-based HIPS works primarily by sandboxing executables. Although HIPS is very effective, the additional setup and prompts are not worth the headache for novice users (who may take to just clicking 'allow' to everything and defeating the purpose altogether). I only recommend HIPS for intermediate or advanced users that require a high level of security.

    Highly Recommended

    I highly recommend firewall-integrated HIPS solutions. Comodo Defense+ is a classic HIPS built into Comodo Internet Security, and provides a very good level of protection.
    Outpost and Online Armor provide their own HIPS solutions, and the component control features of the firewalls are powerful enough to keep unwanted applications from bypassing or terminating the firewall. If you want to use a different HIPS, you can disable the firewall HIPS module and use an alternative below.

    Alternatives

    Stand-alone HIPS solutions are good for users who either don't like the firewall built-in HIPS (and disable the firewall HIPS), or use a firewall without HIPS features.

    HIPS based on Behavior (Classic)
    ThreatFire
    ThreatFire provides a strong, free behavioral HIPS that works well in conjunction with Antivirus and Firewall suites to provide additional protection.

    HIPS based on Virtualization
    DefenseWall HIPS $
    DefenseWall is a strong and easy-to-use HIPS solution that uses sandboxing for applications that access the internet.
    GeSWall Freeware
    GeSWall makes a nice free addition to the HIPS category, like DefenseWall it also uses sandboxing for applications that access the internet.

    Dealing with Suspicious Executables

    You can run suspicious executables in a full featured Virtual Machine (such as VMware) or using a standalone sandbox utility (such as Sandboxie) if you are in doubt of what it may do (though, you may argue that you shouldn't be running executables you don't trust anyway). A more advanced approach to examining a suspicious executable is to run it through Anubis, a tool for analyzing the behavior of Windows executables. It displays a useful report with things the executable does (files read, registry modifications performed, etc.), which will give you insight as to how it works.

    c. Malware Removal

    I recommend running all malware removal utilities on-demand (not resident). With a firewall, virus scanner, HIPS, and some common sense, you won't usually get to the point of needing to remove malware... but sometimes things happen, perhaps unavoidably, and you'll need to remove some pretty nasty stuff from a computer.

    Highly Recommended

    Anti-Spyware
    Spybot Search & Destroy
    Spybot S&D has been around a long time, and is very effective in removing spyware and adware. I personally install and use both Spybot & Ad-Aware, but I believe that Spybot S&D has the current edge in overall detection and usability.

    Anti-Trojan
    Malwarebytes' Anti-Malware
    Malwarebytes has a good trojan detector here, and scans fast.

    Anti-Rootkit
    Rootkit Unhooker
    RKU is a very advanced rootkit detection utility.

    Alternatives

    Anti-Spyware
    Ad-Aware Free Edition
    Ad-Aware is a fine alternative to Spybot S&D, its scanning engine is slower but it is both effective and popular.

    Anti-Trojan
    a-squared (a2) Free
    a-squared is a highly reputable (and free) trojan scanner.

    Anti-Rootkit
    IceSword (Mirror)
    IceSword is one of the most capable and advanced rootkit detectors available.

    5. Information and Data Security

    Data can be reasonably protected using encryption and a strong password, but you will never have complete and absolute anonymity on the internet as long as you have an IP address.

    a. Privacy / Anonymity

    Anonymity is elusive. Some of the following software can help you achieve a more anonymous internet experience, but you also must be vigilant in protecting your own personal information.

    If you use social networking sites, use privacy settings to restrict public access to your profile, and only 'friend' people you know in real life. Don't use (or make any references to) any of your aliases or anonymous handles on any websites that have any of your personal information (Facebook, Amazon, etc..).

    You should opt-out from information sharing individually for all banks and financial institutions you do business with using their privacy policy choices. You should opt-out of preapproved credit offers (US), unsolicited commercial mail and email (US, UK, CA), and put your phone numbers on the "Do Not Call" list (US, UK, CA).

    Highly Recommended

    Simply install and use Tor with Vidalia to surf the internet anonymously.
It's free, only downside is it's not terribly fast, but has fairly good anonymity, so it's a tradeoff. Keep in mind its for anonymity not for security, so make sure sites you put passwords in are SSL encrypted (and have valid SSL certificates), and remember that all end point traffic can be sniffed. You can use the Torbutton extension for Firefox to easily toggle on/off anonymous browsing. POP3/IMAP and P2P software won't work through Tor, so keep that in mind. Portable Anonymous Browsing The Tor Project now has a "Zero-Install Bundle" which includes Portable Firefox and Tor with Vidalia to surf anonymously from a USB memory stick pretty much anywhere with the internet. It also includes Pidgin with OTR for encrypted IM communications. Note: These won't protect you from Trojans/Keyloggers/Viruses on insecure public terminals. Never type important passwords or login to important accounts on a public computer unless it is absolutely necessary! Alternatives I2P functions similar to Tor, allowing you to surf the general internet with anonymity. IPREDator $ is a VPN that can be used to anonymize P2P/BitTorrent downloads. Freenet is notable, but not for surfing the general internet, it's its own network with its own content. b. Encryption For most people, encryption may be unnecessary. But if you have a laptop, or any sort of sensitive data (whether it be trade secrets, corporate documents, legal or medical documents) then you can't beat the kind of protection that encryption will offer. There are a variety of options available today, including a lot of software not listed here. A word to the wise, please, please don't fall for snake oil, use well established applications that use time tested (and unbroken) ciphers. Regardless of what software you use, the following "what to pick" charts will apply universally. 
If you have to pick an encryption cipher:
Best: AES (Rijndael) (128-bit block size)
Better: Twofish (128-bit block size), Serpent (128-bit block size)
Good: RC6 (128-bit block size)
Deprecated: Blowfish (64-bit block size), CAST5 (CAST-128) (64-bit block size), Triple-DES (64-bit block size)

When encrypting large volumes of data, it is important to pick a cipher that has a block size of at least 128-bytes. This affords you protection for up to 2^64x16 bytes (264 exabytes). 64-bit block ciphers only afford protection of up to 2^32x8 bytes (32 gigabytes) so using it as a full disk or whole disk encryption cipher is not recommended. The deprecated list is only because some of you might be stuck using software that only supports older encryption methods, so I've ordered it from what I feel is best to worst (though all three that are on there are pretty time tested and if properly implemented, quite secure).

If you have to pick a hash to use:
Best: Whirlpool (512-bit)
Better: SHA-512 (512-bit), SHA-256 (256-bit)
Good: Tiger2/Tiger (192-bit), RIPEMD-160 (160-bit)
Deprecated: RIPEMD-128, SHA-1, MD-5.

With all the recent advances in cryptanalysis (specifically with work on hash collisions), these days I wouldn't trust any hash that is less than 160-bits on principle. To be on the safe side, use a 192-bit, 256-bit, or 512-bit hash where available. There will be cases where your only options are insecure hashes, in which case I've ordered the "deprecated" list from best to worst (they are all varying levels of insecure). Many older hashes (MD4, MD2, RIPEMD(original), and others) are totally broken, and are not to be used.

A quick software rundown, these applications are popular and trusted:

Highly Recommended

Freeware Whole Disk Encryption: TrueCrypt
Based upon E4M, TrueCrypt is a full featured disk encryption suite, and can even be run off a USB memory stick. TrueCrypt supports the whole disk encryption of Windows, with pre-boot authentication. Very nice.
If you can't use whole-disk encryption (WDE), you can use the TCTEMP add-on to encrypt your swapfile, temp files and print spooler, and you can use the TCGINA add-on to encrypt your windows home directory. (Note: TCTEMP/TCGINA is less secure than WDE, and only preferable if WDE is not an option. WDE is highly recommended.) Freeware PKI Encryption GnuPG (GPG) GnuPG provides public-key encryption, including key generation and maintenance, signing and checking documents and email messages, and encryption and decryption of documents and email messages. Freeware Email Encryption Enigmail Enigmail is truly a work of art, it integrates with GnuPG and provides seamless support for encryption and decryption of email messages, and can automatically check PGP signed documents for validity. (Enigmail requires both Mozilla Thunderbird and GnuPG) Alternatives Encryption Suite (with Whole Disk and Email Encryption) PGP Full Disk Encryption $ PGP provides public-key encryption, including key generation and maintenance, signing and checking documents and email messages, encryption and decryption of documents and email messages, volume disk encryption, whole disk encryption, outlook integration, and instant messenger encryption support. c. Backup, Erasure and Recovery // This section is under construction. Backups Your data might be safe from prying eyes, but what if you are affected by hardware failure, theft, flood or fire? Regular backups of your important data can help you recover from a disaster. You should consider encryption of your backups for enhanced security. Local Backup Cobian Backup Cobian Backup is a fully-featured freeware backup utility. SyncBack Freeware, Macrium Reflect Free SyncBack Freeware and Macrium Reflect Free are feature-limited freeware backup utilities. Off-site Backup SkyDrive (25GB, filesize limited to 100MB), box.net (5GB) SkyDrive and box.net offer free online storage, useful for easy offsite backups. 
Be sure to utilize encrypted containers for any sensitive documents. Data Destruction It would be better to have your data residing in an encrypted partition, but sometimes that may not be possible. When sanitizing a hard drive, I recommend using a quality Block Erase tool like DBAN followed by a run-through with ATA Secure Erase if you really want a drive squeaky clean. Block erasing is good for data you can normally reach, but ATA secure erase can hit areas of the drive block erasers can't. As for multiple overwrite passes, there is no proof that data overwritten even one time can be recovered by professional data recovery corporations. For moderate security, a single pseudorandom block-erase pass (random-write) followed by an ATA Secure Erase pass (zero-write) is sufficient to thwart any attempts at data recovery. For a high level of security, a "DoD Short (3 pass)" block-erase pass followed by an ATA Enhanced Secure Erase will ensure no recovery is possible. Single-File/Free Space Erase If you are interested in just erasing single files or wiping free space, you can use the Eraser utility. Block Erase For hard drive block-erasure, use DBAN. ATA Secure Erase For ATA Secure Erasing, use the CMRR Secure Erase Utility. CMRR Secure Erase Protocols (.pdf) http://cmrr.ucsd.edu...seProtocols.pdf NIST Guidelines for Media Sanitation (.pdf) - http://csrc.nist.gov...800-88_rev1.pdf File Recovery Software This is kind of the opposite of data destruction. Keep in mind no software utility can recover properly overwritten data, so if it's overwritten there is no recovery. Highly Recommended Recuva Recuva is an easy to use GUI-based recovery utility. Alternatives TestDisk and PhotoRec These tools are powerful command-line recovery utilities. TestDisk can recover partitions, and PhotoRec is for general file recovery. Ontrack EasyRecovery Professional $ EasyRecovery is one of the best paid utilites for file recovery. d. 
Access Control (Passwords, Security Tokens) // This section is under construction. Secure Passwords //Section under construction. Your security is only as strong as its weakest password. There are a few basic rules to follow when creating a strong password. Length - Passwords should be at least 12 characters long. When possible, use a password of 12 or more characters, or a "passphrase". If you are limited to using less than 12 characters, you should try and make your password as long as allowable. Complexity - Passwords should have an element of complexity, a combination of upper and lowercase characters, numbers, and symbols will make your passwords much harder to guess, and harder to bruteforce. Uniqueness - Passwords should avoid containing common dictionary words, names, birthdays, or any identification related to you (social security, drivers license, or phone numbers for example). Secret - If you have a password of the utmost importance, do not write it down. Do not type them in plain view of another person or share them with anyone. Avoid use of the same password in multiple places. Security Tokens Security Tokens are cryptographic devices that allow for two-factor authentication. Google Titan Yubikey 5 Series 6. Conclusion And here we are at the end! I would like to thank all of you for taking the time to read my guide, it's a few (slow) years in the making and I've kept it up to date. This guide is always changing, so check back from time to time. Revision 1.10.020 Copyright © 2004-2012 Malakai1911, All Rights Reserved The information contained within this guide is intended solely for the general information of the reader and is provided "as is" with absolutely no warranty expressed or implied. Any use of this material is at your own risk, its authors are not liable for any direct, special, indirect, consequential, or incidental damages or any damages of any kind. This guide is subject to change without notice. Windows_Security_Template__1.10.015_.zip
  4. source

Flaws in Popular SSD Drives Bypass Hardware Disk Encryption

By Lawrence Abrams, November 5, 2018 01:56 PM

Researchers have found flaws that can be exploited to bypass hardware decryption without a password in well known and popular SSD drives. In a new report titled "Self-encrypting deception: weaknesses in the encryption of solid state drives (SSDs)", researchers Carlo Meijer and Bernard van Gastel from Radboud University explain how they were able to modify the firmware or use a debugging interface to modify the password validation routine in SSD drives to decrypt hardware encrypted data without a password. The researchers tested these methods against well known and popular SSD drives such as the Crucial MX100, Crucial MX200, Crucial MX300, Samsung 840 EVO, Samsung 850 EVO, Samsung T3 Portable, and Samsung T5 Portable and were able to illustrate methods to access the encrypted drive's data. "We have analyzed the hardware full-disk encryption of several SSDs by reverse engineering their firmware," stated the report. "In theory, the security guarantees offered by hardware encryption are similar to or better than software implementations. In reality, we found that many hardware implementations have critical security weaknesses, for many models allowing for complete recovery of the data without knowledge of any secret." To make matters worse, as Windows' BitLocker software encryption will default to hard drive encryption if supported, it can be bypassed using the same discovered flaws.

Accessing encrypted files without knowing the password

To bypass decryption passwords, the researchers utilized a variety of techniques depending on whether debug ports were available, the ATA Security self-encrypting drive (SED) standard was being used, or if the newer TCG Opal SED specification was being used. These flaws were responsibly disclosed to Crucial and Samsung to give them time to prepare firmware updates.
New firmware is available for Crucial SSD drives, while Samsung has only released new firmware for their T3 and T5 Portable SSD drives. For their non-portable drives (EVO), they recommend that users utilize software encryption instead.

Crucial MX 100, Crucial MX 200, & Samsung T3 Portable

For the Crucial MX 100, Crucial MX 200, and Samsung T3 Portable SSD drives, the researchers were able to connect to the drive's JTAG debugging interfaces and modify the password validation routine so that it always validates as successful regardless of the password that is entered. This allows them to enter any password and have the drive unlocked.

JTAG Interface

Crucial MX300 SSD Drive

The Crucial MX300 also has a JTAG debugging port, but it is disabled on the drive. Therefore, the researchers had to rely on a more complicated routine of flashing the device with a modified firmware that allows them to perform various routines, which ultimately allow them to either decrypt the password or authenticate to the device using an empty password.

Samsung 840 EVO and Samsung 850 EVO SSD Drives

Depending on which SED specification is used, the researchers were able to access the encrypted data by either connecting to the JTAG debug port and modifying the password validation routine or by using a wear-level issue that allows them to recover the cryptographic secrets needed to unlock the drive from a previous unlocked instance. The Samsung 850 EVO does not have the wear-level issue, so would need to rely on the modification of the password-validation routine through the debug port.

BitLocker fails by defaulting to hardware encryption

Most modern operating systems provide software encryption that allows a user to perform whole disk encryption. While software decryption offered by Linux, macOS, Android, and iOS offer strong software encryption, BitLocker on Windows falls prey to the SSD flaw by defaulting to hardware encryption when available.
When using BitLocker to encrypt a disk in Windows, if the operating system detects a SSD drive with hardware encryption, it will automatically default to using it. This allows drives encrypted by BitLocker using hardware encryption to be decrypted by the same flaws discussed above. BitLocker software encryption on the other hand has no known and verifiable flaws that allow users to bypass password authentication. In order to prevent the use of SSD hardware encryption, the researchers suggest that users disable its use using a Windows Group Policy at "Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives" called "Configure use of hardware-based encryption for operating system drives". Windows Policy to disable Hardware Encryption This policy is also available for removable and fixed data drives and should be disabled for them as well to enforce software encryption. Before software encryption will be used, after you change these policies you must first completely decrypt the drive and then enable BitLocker again to use software encryption. Update 11/6/18: Microsoft has issued an advisory related to BitLocker and discovered flaws in SSD hardware encryption. This advisory contains mitigation information "Microsoft is aware of reports of vulnerabilities in the hardware encryption of certain self-encrypting drives (SEDs). Customers concerned about this issue should consider using the software only encryption provided by BitLocker Drive Encryption™. On Windows computers with self-encrypting drives, BitLocker Drive Encryption™ manages encryption and will use hardware encryption by default. Administrators who want to force software encryption on computers with self-encrypting drives can accomplish this by deploying a Group Policy to override the default behavior. Windows will consult Group Policy to enforce software encryption only at the time of enabling BitLocker."
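A check that follows from the BitLocker section above, as an added example (not part of the original article and not Microsoft's own tooling): a Python parser that reads the text report of `manage-bde -status` and flags volumes that still use the drive's hardware encryption, which according to the article must be fully decrypted and re-encrypted after the policy change. The sample report is constructed, and all function names are this example's own.

```python
import re

# Constructed sample, laid out like the text report of `manage-bde -status`.
SAMPLE_STATUS = """\
Volume C: [Windows]
[OS Volume]

    Size:                 237.87 GB
    BitLocker Version:    2.0
    Conversion Status:    Fully Encrypted
    Percentage Encrypted: 100.0%
    Encryption Method:    Hardware Encryption - 1.3.111.2.1619.0.1.2
    Protection Status:    Protection On
    Lock Status:          Unlocked
    Key Protectors:
        TPM
        Numerical Password

Volume D: [Data]
[Data Volume]

    Size:                 931.51 GB
    BitLocker Version:    2.0
    Conversion Status:    Fully Encrypted
    Percentage Encrypted: 100.0%
    Encryption Method:    XTS-AES 128
    Protection Status:    Protection On
    Lock Status:          Unlocked

Volume E: [Scratch]
[Data Volume]

    Size:                 111.79 GB
    BitLocker Version:    None
    Conversion Status:    Fully Decrypted
    Percentage Encrypted: 0.0%
    Encryption Method:    None
    Protection Status:    Protection Off
    Lock Status:          Unlocked
"""

VOLUME_RE = re.compile(r"^Volume\s+(\S+)\s*(?:\[(.*?)\])?\s*$")
FIELD_RE = re.compile(r"^\s+([A-Za-z][^:]*):\s*(.*)$")


def parse_status(text):
    """Split the report into one dict per volume: drive, label, key/value fields."""
    volumes = []
    current = None
    for line in text.splitlines():
        header = VOLUME_RE.match(line)
        if header:
            current = {"volume": header.group(1),
                       "label": header.group(2) or "",
                       "fields": {}}
            volumes.append(current)
            continue
        field = FIELD_RE.match(line)
        if field and current is not None:
            current["fields"][field.group(1).strip()] = field.group(2).strip()
    return volumes


def encryption_kind(volume):
    """Classify a parsed volume as hardware, software, unencrypted or unknown."""
    method = volume["fields"].get("Encryption Method")
    if method is None:
        return "unknown"  # field missing: do not guess
    lowered = method.lower()
    if lowered.startswith("hardware encryption"):
        return "hardware"
    if lowered in ("", "none"):
        return "unencrypted"
    return "software"


ACTIONS = {
    "hardware": "disable hardware-based encryption by policy, fully decrypt, "
                "then re-enable BitLocker",
    "software": "none: BitLocker software encryption in use",
    "unencrypted": "volume is not protected by BitLocker",
    "unknown": "encryption method not reported; inspect manually",
}


def audit(text):
    """Return (volume, kind, action) for every volume in the report."""
    return [(v["volume"], encryption_kind(v), ACTIONS[encryption_kind(v)])
            for v in parse_status(text)]


def hardware_encrypted_volumes(text):
    """Volumes that rely on the SSD's own encryption and need re-encrypting."""
    return [vol for vol, kind, _ in audit(text) if kind == "hardware"]


if __name__ == "__main__":
    for volume, kind, action in audit(SAMPLE_STATUS):
        print(f"{volume:<4}{kind:<12}{action}")
```

On a real machine the report would come from running `manage-bde -status` in an elevated prompt and passing its output to `audit()`.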
  5. Though Encryption is not a new topic, you might have heard it online, while doing purchases, etc. WhatsApp messages are protected with end-to-end encryption. Your credit card details, ID & password, payment information are transferred over an encrypted network. You might have already read these things on various sites and services. So, every time you read about or heard of encryption, what was the first thing that came to your mind? Most of the people would think that encryption is complex, has something to do with security and only computer programmers or geeks can understand it. But it is not as complicated as you might be thinking right now. I mean the encryption techniques you may find hard to understand but the basic essence of encryption and decryption is very simple.

So, What is Encryption?

In simple words, Encryption is the process of encoding data in such a way that only the intended or authorized recipient can decode it. Encryption does not secure the data but it makes your data unreadable to other parties. Which means, even if an unauthorized person or hacker is able to read the network he/she won’t be able to make any sense out of it without the correct decryption key. The science of encryption and decryption is called cryptography.

Why is Encryption important?

In today’s scenario, we perform a lot of data exchange online. When much of your personal information and financial transactions are processed via the Internet, no business or individual can afford to get their data stolen. Not only the financial data or business files, even the messages we exchanged with our friends, the photos/files shared with family or emails sent to our clients, we need encryption for all of these data. Cybercrime is already at its peak. Nothing is really safe. We witness cases of identity theft on a daily basis. Keeping your personal data secure while using the system or at your end can be done.
But when the same information is sent over the Internet, you want that information to be only viewed by the particular person and no one else. The data is first sent to the local network and then travels to the Internet Service Provider. Finally, the person for whom the information was meant receives it. Meanwhile, there are numerous people who can access the information that you are sending. That is the reason why encryption is important. Individuals use it to protect personal information, businesses use it to protect corporate secrets and government uses it to secure classified information.

Basic Encryption Techniques For Network Security You Should Know About

The strength of encryption is measured by its key size. No matter how strong an encryption algorithm is being used, the encrypted data can be subjected to brute force attacks. There are some basic encryption techniques that are used by online services and websites that you should know about.

1. AES (Advanced Encryption Standard)

Advanced Encryption Standard is a symmetric encryption technique. Symmetric encryption means it involves a secret key that could be a number, word or a string of random letters which is known to both sender and receiver. This secret key is applied to messages in a particular way after which the data becomes encrypted. As long as the sender and recipient know the secret key, encryption and decryption can be performed. AES is extremely efficient in 128-bit form and it uses 192 and 256 bits for encryption purposes. In present day cryptography, AES is widely supported in hardware and software with a built-in flexibility of key length. The security with AES is assured if and only if it is implemented correctly with the employment of good key management. AES-256 bit is a very heavy and strong encryption. Most of the governments use it.

2. 
Blowfish Encryption

Blowfish is a symmetric cipher technique ideal for domestic and exportable purposes, as this symmetric cipher splits messages into blocks of 64 bits each and then encrypts them individually. The Blowfish encryption technique can be used as a drop-in replacement for DES. The technique takes a variable-length key varying from 32 bits to 448 bits. Blowfish is found in software categories ranging from e-commerce platforms to security passwords to various password management tools. It is one of the most flexible encryption methods available.

3. RSA Encryption

The Rivest Shamir Adleman (RSA) encryption technique is one of the most popular and secure public key encryption methods. This public key encryption technique is also known as asymmetric cryptography that uses two keys, one public and one private. In the RSA encryption technique, both public and private key can be used to encrypt the message. But for the decryption of the message, the opposite key that has been used for encryption will be used. Most of the time, the data is encrypted with the public key and decrypted using the private key. The RSA encryption method assures the confidentiality, authenticity, integrity and non-repudiation of electronic communication and data storage.

4. Triple DES Encryption

The Triple DES encryption method is a more secure procedure of encryption as the encryption is done three times. The Triple DES encryption technique takes three keys each of 64 bits, so overall key length is 192 bits. The data is encrypted with the first key, decrypted with the second key and then again encrypted with the third key. The procedure of decryption is somewhat the same as the procedure included in encryption except that it is executed in reverse.

5. Twofish Encryption

Twofish is a symmetric block cipher method, in which a single key is used for encryption and decryption. Twofish could be the best choice among AES techniques as this encryption technique is unique in terms of speed, flexibility, and conservative design.
Twofish is a new encryption technique which is highly secure and flexible. This encryption technique works extremely well with large microprocessors, dedicated hardware, and 8-bit or 32-bit card processors. Also, the Twofish encryption technique can be used in network applications where keys tend to change frequently and in various applications with little or no ROM or RAM available.

6. DES Encryption

Data Encryption Standard (DES) is a symmetric block cipher which uses a 56-bit key to encrypt and decrypt a 64-bit block of data. The same key is used to encrypt and decrypt the message, so both the sender and the receiver should know how to use the same private key. DES has been superseded by the more secure and advanced AES encryption technique and triple DES encryption techniques.

7. IDEA Encryption

International Data Encryption Algorithm (IDEA) is another block cipher encryption technique that uses 52 sub keys, each 16 bits long. This technique was used in Pretty Good Privacy version 2.

Conclusion

Encryption is a standard method for making a communication private. The sender encrypts the message before sending it to another user. Only the intended recipient knows how to decrypt the message. Even someone eavesdropping on the communication would only know about the encrypted messages, but not how to decrypt the message successfully. Thus in order to ensure privacy in electronic communication, various encryption techniques and methods are used. With the growth of electronic commerce and the Internet, the issue of privacy has come to the forefront in electronic communication. In this era of the internet, where every kind of data is transferred in digital format, it is important that we know how our data is transferred, saved and used. Everyone must know about these basic encryption techniques. You can share this information with your friends and family to make them aware of encryption techniques.

Article source
  6. If you want to secure the data on your computer, one of the most important steps you can take is encrypting its hard drive. That way, if your laptop gets lost or stolen—or someone can get to it when you're not around—everything remains protected and inaccessible. But researchers at the security firm F-Secure have uncovered an attack that uses a decade-old technique, which defenders thought they had stymied, to expose those encryption keys, allowing a hacker to decrypt your data. Worst of all, it works on almost any computer. To get the keys, the attack uses a well-known approach called a "cold boot," in which a hacker shuts down a computer improperly—say, by pulling the plug on it—restarts it, and then uses a tool like malicious code on a USB drive to quickly grab data that was stored in the computer's memory before the power outage. Operating systems and chipmakers added mitigations against cold boot attacks 10 years ago, but the F-Secure researchers found a way to bring them back from the dead. In Recent Memory Cold boot mitigations in modern computers make the attack a bit more involved than it was 10 years ago, but a reliable way to decrypt lost or stolen computers would be extremely valuable for a motivated attacker—or one with a lot of curiosity and free time. "If you get a few moments alone with the machine, the attack is a very reliable way to extract secrets from the memory," says Olle Segerdahl, principal security consultant at F-Secure. "We tested it on a number of different makes and models and found that the attack is effective and reliable. It's a bit invasive because it involves unscrewing the case and connecting some wires, but it's pretty quick and very doable for a knowledgable hacker. It's not super technically challenging." 
Segerdahl notes that the findings have particular implications for corporations and other institutions that manage a large number of computers, and could have their whole network compromised off of one lost or stolen laptop. To carry out the attack, the F-Secure researchers first sought a way to defeat the industry-standard cold boot mitigation. The protection works by creating a simple check between an operating system and a computer's firmware, the fundamental code that coordinates hardware and software for things like initiating booting. The operating system sets a sort of flag or marker indicating that it has secret data stored in its memory, and when the computer boots up, its firmware checks for the flag. If the computer shuts down normally, the operating system wipes the data and the flag with it. But if the firmware detects the flag during the boot process, it takes over the responsibility of wiping the memory before anything else can happen. Looking at this arrangement, the researchers realized a problem. If they physically opened a computer and directly connected to the chip that runs the firmware and the flag, they could interact with it and clear the flag. This would make the computer think it shut down correctly and that the operating system wiped the memory, because the flag was gone, when actually potentially sensitive data was still there. So the researchers designed a relatively simple microcontroller and program that can connect to the chip the firmware is on and manipulate the flag. From there, an attacker could move ahead with a standard cold boot attack. Though any number of things could be stored in memory when a computer is idle, Segerdahl notes that an attacker can be sure the device's decryption keys will be among them if she is staring down a computer's login screen, which is waiting to check any inputs against the correct ones.

Cold Case

Because of the threat posed by this type of attack, Segerdahl says that institutions should keep careful track of all their devices so they can take action if one is reported lost or stolen. No matter how big an organization is, IT managers need to be able to revoke VPN credentials, Wi-Fi certificates, and other authenticators that let devices access the full network to minimize the fallout if a missing device is compromised. Another potential protection involves setting computers to automatically shut down when idle rather than going to sleep and then using a disk encryption tool—like Microsoft's BitLocker—to require an extra PIN when a computer turns on, before the operating system actually boots. This way there's nothing in memory yet to steal. If you're worried about leaving your computer unsupervised, tools that monitor for physical interactions with a device—like the Haven mobile app and Do Not Disturb Mac application—can help notify you about unwanted physical access to a device. Intrusions like the cold boot technique are often called "evil maid" attacks. The researchers notified Microsoft, Apple, and Intel about their findings. Microsoft has released updated guidance on using BitLocker to manage the problem. “This technique requires physical access. To protect sensitive info, at a minimum, we recommend using a device with a discrete Trusted Platform Module (TPM), disabling sleep/hibernation and configuring BitLocker with a Personal Identification Number,” Jeff Jones, a senior director at Microsoft said. Segerdahl says, though, that he doesn't see a quick way to fix the larger issue. Operating system tweaks and firmware updates could make the flag-check process more resilient, but since attackers are already accessing and manipulating the firmware as part of the attack, they could simply downgrade updated firmware back to a vulnerable version.
As a result, Segerdahl says, long term mitigations require physical design changes that make it harder for an attacker to manipulate the flag check. Apple has already created one such solution through its T2 chip in new iMacs. The scheme separates certain crucial processes on a dedicated, secure chip away from the main processors that run general firmware and the operating system. Segerdahl says that though the renewed cold boot attack works on most Macs, the T2 chip does successfully defeat it. An Apple spokesperson also suggested that users could set a firmware password to prevent unauthorized access, and that the company is exploring how to protect Macs that don't have a T2. Intel declined to comment on the record. "This is only fixable through hardware updates," says Kenn White, director of the Open Crypto Audit Project, who did not participate in the research. "Physical access is a constant cat and mouse game. The good news for most people is that 99.9 percent of thieves would just sell a device to someone who would reinstall the OS and delete your data." For institutions with valuable data or individuals carrying sensitive information, though, the risk will continue to exist on most computers for years to come. Source
  7. from the with-an-eye-on-undermining-all-encrypted-messaging-services dept The DOJ's war on encryption continues, this time in a secret court battle involving Facebook. The case is under seal so no documents are available, but Reuters has obtained details suggesting the government is trying to compel the production of encryption-breaking software. The request seeks Facebook's assistance in tapping calls placed through its Messenger service. Facebook has refused, stating it simply cannot do this without stripping the protection it offers to all of its Messenger users. The government disagrees and has asked the court for contempt charges. Underneath it all, this is a wiretap order -- one obtained in an MS-13 investigation. This might mean the government hasn't used an All Writs Acts request, but is rather seeking to have the court declare Messenger calls to be similar to VoIP calls. If so, it can try to compel the production of software under older laws and rulings governing assistance of law enforcement by telcos. Calls via Messenger are still in a gray area. Facebook claims calls are end-to-end encrypted so it cannot -- without completely altering the underlying software -- assist with an interception. Regular messages via Facebook's services can still be decrypted by the company but voice calls appear to be out of its reach. Obviously, the government would very much like a favorable ruling from a federal judge. An order to alter this service to allow interception or collection could then be used against a number of other services offering end-to-end encryption. It's unknown what legal options Facebook has pursued, but it does have a First Amendment argument to deploy, if nothing else. If code is speech -- an idea that does have legal precedent -- the burden falls on the government to explain why it so badly needs to violate a Constitutional right with its interception request. This is a case worth watching. 
However, unlike the DOJ's very public battle with Apple in the San Bernardino case, there's nothing to see. I'm sure Facebook has filed motions to have court documents unsealed -- if only to draw more attention to this case -- but the Reuters article says there are currently no visible documents on the docket. (The docket may be sealed as well.) There is clearly public interest in this case, so the presumption of openness should apply. So far, that hasn't worked out too well for the public. And if the DOJ gets what it wants, that's not going to work out too well for the public either. Source
  8. I noticed that even though I put HTTPS in my URL bar, whenever I click a link nsaneforums would force HTTP again. Now everyone should only post when HTTPS is on for security reasons, else "they" know your username and what you posted. There are many browser addons that force HTTPS to be on, however the EFF-approved HTTPS Everywhere is the most popular one. Sadly by default it doesn't recognize nsaneforums, so here is how to add a new rule: When you do this you will always use HTTPS on nsaneforums, protect your username and make your ISP / government not be able to read what you post! Be safe friend, always encrypt!
  9. Dino8

    Gpg4win 3.11

    What is Gpg4win?

    Gpg4win enables users to securely transport emails and files with the help of encryption and digital signatures. Encryption protects the contents against an unwanted party reading it. Digital signatures make sure that it was not modified and comes from a specific sender. Gpg4win supports both relevant cryptography standards, OpenPGP and S/MIME (X.509), and is the official GnuPG distribution for Windows. It is maintained by the developers of GnuPG. Gpg4win and the software included with Gpg4win are Free Software (Open Source; among other things free of charge for all commercial and non-commercial purposes).

    Gpg4win Components

    GnuPG : The backend; this is the actual encryption tool.
    Kleopatra : A certificate manager for OpenPGP and X.509 (S/MIME) and common crypto dialogs.
    GpgOL : A plugin for Microsoft Outlook 2003/2007/2010/2013/2016 (email encryption). With Outlook 2010 and higher GpgOL supports MS Exchange Server.
    GpgEX : A plugin for Microsoft Explorer (file encryption).
    GPA : An alternative certificate manager for OpenPGP and X.509 (S/MIME).

    Homepage : https://www.gpg4win.de/index.html
    Download : https://files.gpg4win.org/gpg4win-3.1.1.exe
  10. Radpop

    Lifetime licence for Kryptel 8.0

    Lifetime licence for Kryptel 8.0 Kryptel is an encryption tool that provides fast, reliable, and failure-resistant protection of sensitive data using industry standard AES 256-bit encryption. Easy-to-use drag-and-drop interface combined with advanced encryption technologies makes military-strength data protection affordable for everyone. Other features of Kryptel include encrypted backups, secure file deletion (shredding), data compression, batch encryption capabilities, and integration into Windows’ right-click context menu. It even comes in a portable version you can run on any computer from a USB flash drive, without installing. Version 8.0, latest For Windows 2000, XP, Vista, 7, 8, 10 multi-computer lifetime license, for commercial or noncommercial use No free updates; if you update the giveaway, it may become unregistered You get free tech support You must redeem the code before this offer has ended Giveaway homepage: https://sharewareonsale.com/s/inv-softworks-kryptel-freebie-sale Product homepage: https://www.kryptel.com/products/kryptel.php
  11. Researchers believe a new encryption technique may be key to maintaining a balance between user privacy and government demands. For governments worldwide, encryption is a thorn in the side in the quest for surveillance, cracking suspected criminal phones, and monitoring communication. Officials are applying pressure on technology firms and app developers which provide end-to-end encryption services to provide a way for police forces to break encryption. However, the moment you provide a backdoor into such services, you are creating a weak point that not only law enforcement and governments can use -- assuming that tunneling into a handset and monitoring is even within legal bounds -- but also threat actors, undermining the security of encryption as a whole. As the mass surveillance and data collection activities of the US National Security Agency hit the headlines, faith in governments and their ability to restrain such spying to genuine cases of criminality began to weaken. Now, the use of encryption and secure communication channels is ever-more popular, technology firms are resisting efforts to implant deliberate weaknesses in encryption protocols, and neither side wants to budge. What can be done? From the outset, something has got to give. However, researchers from Boston University believe they may have come up with a solution. On Monday, the team said they have developed a new encryption technique which will give authorities some access, but without providing unlimited access in practice, to communication. In other words, a middle ground -- a way to break encryption to placate law enforcement, but not to the extent that mass surveillance on the general public is possible. Mayank Varia, Research Associate Professor at Boston University and cryptography expert, has developed the new technique, known as cryptographic "crumpling."
In a paper documenting the research, lead author Varia says that the new cryptography methods could be used for "exceptional access" to encrypted data for government purposes while keeping user privacy at large at a reasonable level. "Our approach places most of the responsibility for achieving exceptional access on the government, rather than on the users or developers of cryptographic tools," the paper notes. "As a result, our constructions are very simple and lightweight, and they can be easily retrofitted onto existing applications and protocols." The crumpling techniques use two approaches -- the first being a Diffie-Hellman key exchange over modular arithmetic groups which leads to an "extremely expensive" puzzle which must be solved to break the protocol, and the second a "hash-based proof of work to impose a linear cost on the adversary for each message" to recover. Crumpling requires strong, modern cryptography as a precondition as it allows per-message encryption keys and detailed management. The system requires this infrastructure so a small number of messages can be targeted without full-scale exposure. The team says that this condition will also only permit "passive" decryption attempts, rather than man-in-the-middle (MiTM) attacks. By introducing cryptographic puzzles into the generation of per-message cryptographic keys, the keys will be possible to decrypt but will require vast resources to do so. In addition, each puzzle will be chosen independently for each key, which means "the government must expend effort to solve each one." "Like a crumple zone in automotive engineering, in an emergency situation the construction should break a little bit in order to protect the integrity of the system as a whole and the safety of its human users," the paper notes. "We design a portion of our puzzles to match Bitcoin's proof of work computation so that we can predict their real-world marginal cost with reasonable confidence." 
To prevent unauthorized attempts to break encryption, an "abrasion puzzle" serves as a gatekeeper which is more expensive to solve than individual key puzzles. While this would not necessarily deter state-sponsored threat actors, it may at least deter individual cyberattackers as the cost would not be worth the result. The new technique would allow governments to recover the plaintext for targeted messages; however, it would also be prohibitively expensive. A key length of 70 bits, for example -- with today's hardware -- would cost millions and force government agencies to choose their targets carefully, and the expense would potentially prevent misuse. The research team estimates that the government could recover fewer than 70 keys per year with a budget of close to $70 million upfront -- one million dollars per message and the full amount set out in the US' expanded federal budget to break encryption. However, there could also be additional costs of $1,000 to $1 million per message, and these kinds of figures are difficult to conceal, especially as one message from a suspected criminal in a conversation without contextual data is unlikely to ever be enough to secure conviction. The research team says that crumpling can be adapted for use in common encryption services including PGP, Signal, as well as full-disk and file-based encryption. "We view this work as a catalyst that can inspire both the research community and the public at large to explore this space further," the researchers say. "Whether such a system will ever be (or should ever be) adopted depends less on technology and more on questions for society to answer collectively: whether to entrust the government with the power of targeted access and whether to accept the limitations on law enforcement possible with only targeted access." The research was funded by the National Science Foundation. Source
  12. To comply with new laws

    Last month, Apple announced that it would hand over management of its Chinese iCloud data to a local, state-owned firm in China called Cloud Big Data Industrial Development Co (GCBD) at the end of February in order to comply with new laws. Now, Reuters is reporting that Apple will also hold iCloud encryption keys for Chinese users in China itself, raising new concerns about government access. The new policy does not affect any iCloud users outside of China. As Reuters notes, that compliance means Chinese authorities will have easier access to user data that’s stored in Apple’s iCloud service, especially now that, for the first time, Apple will store the keys for Chinese iClouds within China. Apple says it alone would control the encryption keys, and Chinese authorities do not have any “backdoor” to access data. Until now, such keys were exclusively stored in the US for all users. Starting February 28th, Apple’s operation of iCloud services in the country will transfer to GCBD. Reuters spoke to human rights activists who said there was fear that those in power could use the new rules to track down dissidents. In a statement, Apple said it “had to comply with recently introduced Chinese laws that require cloud services offered to Chinese citizens be operated by Chinese companies and that the data be stored in China.” Apple noted that its values don’t change even if it is “subjected to each country’s laws.” Apple’s attempt to capitalize on one of its largest growth markets has been a juggle between consumer rights and business opportunities. Last year, the company controversially removed VPN apps from its App Store in China, claiming to only be following the law in order to continue operating there. It’s also snuck in several nods to the Chinese market during its major product announcement keynotes, such as references to WeChat during its previous demonstrations of the Apple Watch.
Apple chief executive Tim Cook is also due to co-chair the China Development Forum in March. We’ve reached out to Apple for further comment. Source
  13. [Poster Comment: Personally I don't understand why they would need encryption since they had no protection in the age of film, which could be and was confiscated or destroyed and could be stolen. Just because the medium has changed there doesn't need to be an expensive system put in place that would cost everyone more, not just the professional photographers. And their cards could still be stolen.] A year after photojournalists and filmmakers sent a critical letter to camera makers for failing to add a basic security feature to protect their work from searches and hacking, little progress has been made. The letter, sent in late-2016, called on camera makers to build encryption into their cameras after photojournalists said they face "a variety of threats from border security guards, local police, intelligence agents, terrorists, and criminals when attempting to safely return their footage so that it can be edited and published," according to the Freedom of the Press Foundation, which published the letter. The threat against photojournalists remains high. The foundation's US Press Freedom Tracker tallied more than 125 incidents against reporters last year, including the smashing of reporters' cameras and the "bodyslam" incident. Even when they're out in the field, collecting footage and documenting evidence, reporters have long argued that without encryption, police, the military, and border agents in countries where they work can examine and search their devices. "The consequences can be dire," the letter added. Although iPhones and Android phones, computers, and instant messengers all come with encryption, camera makers have fallen behind. Not only does encryption protect reported work from prying eyes, it also protects sources -- many of whom put their lives at risk to expose corruption or wrongdoing. 
The lack of encryption means high-end camera makers are forcing their customers to choose between putting their sources at risk, or relying on encrypted, but less-capable devices, like iPhones. We asked the same camera manufacturers if they plan to add encryption to their cameras -- and if not, why. The short answer: don't expect much any time soon. An Olympus spokesperson said the company will "in the next year... continue to review the request to implement encryption technology in our photographic and video products and will develop a plan for implementation where applicable in consideration to the Olympus product roadmap and the market requirements." When reached, Canon said it was "not at liberty to comment on future products and/or innovation." Sony also said it "isn't discussing product roadmaps relative to camera encryption." A Nikon spokesperson said the company is "constantly listening to the needs of an evolving market and considering photographer feedback, and we will continue to evaluate product features to best suit the needs of our users." And Fuji did not respond to several requests for comment by phone and email prior to publication. Trevor Timm, executive director of the Freedom of the Press Foundation, told ZDNet that it's "extremely disappointing the major camera manufacturers haven't even committed to investing resources into more research into this issue, let alone actually building solutions into their cameras." "Dozens of the world's best filmmakers made clear a year ago that camera companies -- in today's world -- have an obligation to build in a way for everyone to encrypt their files and footage to potentially help keep them safe," he added. "I hope the camera companies eventually listen to some of their most important and at-risk customers," he said. Article
  14. Massive data breaches are now spreading at an alarming rate. Confidential information and personal records are getting leaked, lost and stolen – from threats both virtual and physical. On top of pains from unwanted access to sensitive information, penalties have become more severe and more frequent for non-compliance with regulations on financial, medical and personal data. No information security strategy is complete unless data is properly protected at the source where it is stored. Data encryption secures the confidentiality of sensitive data to address the risks of data leaks and data theft, while also ensuring regulatory compliance. If you store sensitive data, encryption is essential.

    Use Cases for Data Encryption

    Prevent Data Breaches

      • Unwanted access – for data stored on active computers, shared workstations or network storage vulnerable to prying eyes
      • Physical theft – for data stored on lost or stolen computers, laptops, external drives & USB sticks

    Protection of Sensitive Information Against Threats

      • Personally Identifiable Information (PII)
      • Electronic Health Records (EHR)
      • Credit card data
      • Insurance & financial records
      • Student information
      • Client records & customer databases
      • Proprietary information or trade secrets
      • Emails
      • Chat histories

    Compliance with Regulations

      • Health Insurance Portability and Accountability Act (HIPAA)
      • Payment Card Industry Data Security Standard (PCI-DSS)
      • General Data Protection Regulation (GDPR)
      • Sarbanes-Oxley Act (SOX)
      • Gramm-Leach-Bliley Act (GLBA)
      • UK Data Protection Act
      • Protection of Personal Information Act (POPI) - South Africa

    Homepage: https://www.jetico.com/data-encryption/encrypt-files-bestcrypt-container-encryption
    Download: https://www.jetico.com/data-encryption/encrypt-files-bestcrypt-container-encryption
    SETUP + PATCH: https://www.upload.ee Share code: /files/7946916/Jetico.BestCrypt.Container.Encryption.v9.03.70-F4CG.rar.html
  15. GiliSoft Full Disk Encryption 3.3.0

    GiliSoft Full Disk Encryption offers encryption of all disk partitions, including the system partition. Through password protecting a disk, disk partition or operating system launch, the program disables any unauthorized reading/writing activity on your disk or PC, restricts access and launch of specific disks and files. It provides automatic security for all information on endpoint hard drives, including user data, operating system files and temporary and erased files. For maximum data protection, multi-factor pre-boot authentication ensures user identity, while encryption prevents data loss from theft.

    Features and Benefits

    Website: http://www.gilisoft.com/
    OS: Windows XP / Vista / 7 / 8
    Language: Rus / Ukr / Eng
    Medicine: Keygen
    Size: 1,69 Mb
  16. DATA BREACHES AND exposures all invite the same lament: if only the compromised data had been encrypted. Bad guys can only do so much with exfiltrated data, after all, if they can't read any of it. Now, IBM says it has a way to encrypt every level of a network, from applications to local databases and cloud services, thanks to a new mainframe that can power 12 billion encrypted transactions per day. The processing burden that comes with all that constant encrypting and decrypting has prevented that sort of comprehensive data encryption at scale in the past. Thanks to advances in both hardware and software encryption processing, though, IBM says that its IBM Z mainframe can pull off the previously impossible. If that holds up in practice, it will offer a system that's both accessible for users, and offers far greater data security than currently possible. According to IBM, hackers have compromised around nine billion digital data records since 2013, a third of them medical. A meager four percent of that data was encrypted, though, meaning those credit card numbers, user names and passwords, and social security numbers passed easily onto dark-web criminal exchanges. Even encrypted data often ends up compromised, because companies don't always opt for hacker-proof cryptography. Cybercriminals don't mind putting in the effort; the data people bother to encrypt tends to be valuable, which means putting resources into decrypting it usually pays off. A system that encrypts virtually all data, though, makes it much more difficult for criminals to identify worthwhile targets. Enter IBM Z. All it takes is a massive amount of computing power. The IBM Z mainframe locks data down with public 256-bit AES encryption—the same robust protocol used in the ubiquitous SSL and TLS web encryption standards, and trusted by the US government for protecting classified data. But the company's breakthrough lies less in quality than it does quantity. 
Thanks to some proprietary on-chip processing hardware, IBM Z can encrypt up to 13 gigabytes of data per second per chip, with roughly 24 chips per mainframe, depending on the configuration. "This represents a 400 percent increase in silicon that’s dedicated specifically to cryptographic processes—over six billion transistors dedicated to cryptography," says Caleb Barlow, vice president of threat intelligence at IBM Security. "So for any type of transaction system we can now get the safety that we’re all after, which just hasn’t really been attainable up to this point." For a better sense of why that all-encompassing encryption matters, compare it to something like a typical banking website interaction. The service likely encrypts your browsing session on the site, but that encryption may not endure in the backend of the application and the network operating system. Some point in the workflow lacks encryption, and that's where your data becomes vulnerable. IBM Z, by contrast, keeps data encrypted at all times unless it is being actively processed, and even then it is only briefly decrypted during those actual computations, before being encrypted again. "It can process 12 billion transactions per day on one machine. If you take something like Cyber Monday there’s probably about 30 million transactions that go on," says Barlow. "So one of these machines can process that kind of crazy workload without even breaking a sweat in less than a day." The system also drastically cuts down on the number of administrators who can access raw, readable data. That means hackers have fewer fruitful targets to go after in their attempts to gain privileged credentials to access a system. And IBM Z offers granularity so users can access the data they need for day to day work without exposing large swaths of data they don't need. IBM says breakthroughs in its ability to do large-scale cryptographic processing let it take the leap. 
The company also has full component control in its mainframes, increasing efficiency and system control. The company says that large-scale cryptographic implementation is a "natural extension of the architecture." Big questions remain, though. IBM Z's "pervasive" encryption may stymie many current methods of attack, but there's no such thing as perfect security; researchers and bad actors will almost certainly find weaknesses, given the chance. IBM developers anticipate this as well; they've added a feature in which the mainframe stores its decryption keys in a tamper-resistant way. At any sign of an intrusion, the system can automatically invalidate all of its keys until the breach is mitigated. The other question about a system like the IBM Z is how widely it will be adopted. It would have potential economic benefits for companies in terms of easily allowing them to comply with increasingly stringent international data retention regulations, like US Federal Information Processing Standards. But for organizations that don't already rely on mainframes, the IBM Z may not seem like a relevant option. "The established mainframe-based clients will jump all over this," says Joe Clabby, an analyst at the independent technology assessment firm Clabby Analytics. "As for new clients, that’s a hard one to answer. A lot of clients have a strong Intel bias. But encrypting all data, that’s a huge step. It’s pretty exciting given what a mess the world is without it." Source
  17. Per its terms and conditions, YOU Broadband, the fifth largest Indian internet service provider (ISP), doesn’t let its subscribers use strong encryption. The ISP does technically allow VPN and encryption use… but only “up to the bit length permitted by the Department of Telecommunications,” which is 40 bits. It was over twenty years ago in 1997 that Ian Goldberg won $1,000 from RSA for breaking 40 bit encryption in just a few hours. He famously said then: “This is the final proof of what we’ve known for years: 40-bit encryption technology is obsolete.” Yet YOU Broadband, and other Indian ISPs, still insist that their users can’t use anything stronger than a twenty-year-broken key size. That’s not viable security in the 21st century, and makes you wonder why encryption is discouraged in the first place. Nowadays, because 40 bit encryption has long been shown to be obsolete, the minimum standard is usually at least a 128 bit encryption key size. Indian ISP, YOU Broadband, doesn’t want you to use encryption because it hampers their logging Earlier this week, redditor bf_of_chitti_robot pointed out in the /r/India subreddit that Clause 38 of YOU Broadband’s Terms and Conditions clearly set out the company’s stance on encryption, as well as explaining why the company wanted such a rule. YOU Broadband Terms and Conditions Clause 38 (June 2016 Internet Archive snapshot): The Customer shall not take any steps including adopting any encryption system that prevents or in any way hinders the Company from maintaining a log of the Customer or maintaining or having access to copies of all packages/data originating from the Customer. The ISP’s stated intentions of maintaining customer logs and ensuring that they have access to copies of all your packages/data are, of course, mandated by law under the Information Technology Act. 
After the clause was pointed out, YOU Broadband quickly updated Clause 38 of their user policy to simply state: The Customer may use VPN and encryption up to the bit length permitted by the Department of Telecommunications. Needless to say, nothing has changed about their intentions – making sure you aren’t using strong encryption because it gets in the way of their snooping. This is the same snooping that ISPs in America, like AT&T, are able to exploit now that internet privacy rules have been relaxed in the states (but not all states). Nosy ISPs seem to be an international problem. India’s Department of Telecommunications only allows up to 40 bit encryption, which is insecure What is the bit length permitted by the Department of Telecommunications, anyways? According to a 2002 note on ISP regulation by the Department of Telecommunications, the encryption key length hard limit is 40 bits for internet service licensees aka internet service providers. Internet service licensees, such as YOU Broadband, have an obligation to the licensor, the Department of Telecommunications, to forbid individuals, groups, and organizations from using encryption with keys stronger than 40 bits without permission. Instead of asking the regulators for this permission to allow its users to actually utilize viable encryption key lengths without violating the user policy, YOU Broadband has elected to pass on the 15 year old rule on encryption – essentially making the use of encryption online against the rules of the ISP and a potential reason to lose service. Under the current and previous iterations of the user policy, YOU Broadband subscribers are technically breaking the ISP’s rules every time they access https://www.google.co.in. Secure encryption is a necessity in today’s online world – and an ISP that explicitly forbids it needs to be pointed out. What would you do if your ISP said that you shouldn’t use meaningful encryption? 
What do you do when your government’s laws are outdated and don’t protect your privacy? Article source
  18. Eighty-three organisations and experts from the Five Eyes countries have called on ministers responsible for security to respect the right to use and develop strong encryption. In a statement, the group called on the ministers to "commit to pursuing any additional dialogue in a transparent forum with meaningful public participation". The statement came in the wake of a meeting of ministers from the five countries — the US, the UK, Canada, Australia and New Zealand — in Ottawa this week to discuss recent terrorist incidents and discuss means to "thwart" the use of encryption by terrorists. The group said that the ministers had, in a joint communique, "committed to exploring shared solutions to the perceived impediment posed by encryption to investigative objectives". "While the challenges of modern-day security are real, such proposals threaten the integrity and security of general purpose communications tools relied upon by international commerce, the free press, governments, human rights advocates, and individuals around the world," the statement said. "Last year, many of us joined several hundred leading civil society organisations, companies, and prominent individuals calling on world leaders to protect the development of strong cryptography. "This protection demands an unequivocal rejection of laws, policies, or other mandates or practices — including secret agreements with companies — that limit access to or undermine encryption and other secure communications tools and technologies. "Today, we reiterate that call with renewed urgency. We ask you to protect the security of your citizens, your economies, and your governments by supporting the development and use of secure communications tools and technologies, by rejecting policies that would prevent or undermine the use of strong encryption, and by urging other world leaders to do the same." 
The group said that attempts to create backdoors in encrypted applications or software were short-sighted and counter-productive. They said that if there were restrictions to access of encryption products in Five Eyes countries, anybody who wanted such tools would obtain them in other countries or on the black market. "We urge you, as leaders in the global community, to remember that encryption is a critical tool of general use. It is neither the cause nor the enabler of crime or terrorism. As a technology, encryption does far more good than harm," the statement said. "We therefore ask you to prioritise the safety and security of individuals by working to strengthen the integrity of communications and systems. As an initial step we ask that you continue any engagement on this topic in a multi-stakeholder forum that promotes public participation and affirms the protection of human rights." Electronic Frontiers Australia executive officer Jon Lawrence said encryption was a necessary and critical tool enabling individual privacy, a free media, online commerce and the operations of organisations, including government agencies. "Undermining encryption therefore represents a serious threat to national security in its own right, as well as threatening basic human rights and the enormous economic and social benefits that the digital revolution has brought for people across the globe," he added. Article source
  19. Dear Mailvelope users, We have a security notice for anyone who uses the encryption add-on Mailvelope with Firefox. We have had a current security audit of Mailvelope undertaken, in which a critical vulnerability was found in the interaction between Mailvelope and Firefox. Under certain circumstances, Firefox’s security architecture allows attackers to access users’ private keys via compromised add-ons. We therefore ask all users of Mailvelope in Firefox to carefully read our security recommendations found in this article, below. This also affects Mailvelope users with all other providers such as Gmail, Outlook.com, Yahoo!Mail, etc. Firefox’s architecture does not sufficiently compartmentalise add-ons from each other – this has been known for years. The fact that a Mailvelope user’s private keys could be compromised via targeted attacks in Firefox was not proven until now, however. The security engineers that we engaged from Cure53 have now proved this. In their investigative report, they conclude that Firefox does not currently constitute a suitable environment for Mailvelope. They write, “At the end of the day, the Cure53 testing team cannot in good conscience recommend the use of Mailvelope on Firefox.” Weakness expected to last until November 2017 We informed Thomas Oberndörfer, the developer of Mailvelope, after the security audit. He is unable to fix the weakness, however, as it has to do with Firefox’s architecture. New architecture is already being developed at Firefox. Mozilla is planning to conclude this work with the release of Firefox 57 in November 2017. Oberndörfer is also working on a version of Mailvelope for the new and improved Firefox architecture. We would like to thank him for his development work. Until Mozilla has updated the architecture, the following security recommendations apply: Option 1.) In the interim, switch to different software. Either use Mailvelope in a different browser, or use PGP with a local email program. 
You can find various instructions for these options in the Posteo help section.

Option 2.) Alternatively, using an independent Firefox profile for Mailvelope minimises the risk in the interim. In the Posteo help section, we have published step-by-step instructions for the creation of Firefox profiles on Mac and on Windows. Mailvelope users with other providers can also follow these instructions.

Please be sure to note the following security recommendations in order to effectively minimise the risk of a fruitful attack:

  • Do not install any further add-ons in the newly-created browser profile
  • Use the Firefox profile exclusively for your encrypted Mailvelope communication. Only access your provider’s webmail interface and never visit other websites using this profile.
  • In addition, use a password for your PGP key that is as secure as possible
  • Be careful not to accidentally install any add-ons via phishing, through which you could be attacked

Due to the problems with the Firefox architecture, we additionally recommend:

  • Restrict the use of add-ons in the Firefox browser to a minimum, until Mozilla has updated the architecture
  • You can further protect yourself from potential attackers by setting up an additional user on your operating system for end-to-end encrypted communication

Here are the recommendations from the Cure53 report once again, for transparency reasons:

“Two paths can be recommended for the users who rely on Mailvelope for encryption and decryption of highly sensitive data. First, they could use Mailvelope on a browser profile that hosts only and exclusively Mailvelope with no other extensions. Secondly, they would need to rely on a different software solution, for instance Thunderbird with Enigmail.”

“At present, any users working with Mailvelope on Firefox are encouraged to export their settings, delete the extension and migrate their setup to a Mailvelope installation running on Google Chrome. Alternatively, a separate browser profile running Mailvelope only could be used, with the caveat that one must not have any other extensions installed in order to minimize the risk of key material leakage.”

Security engineers engaged by Posteo found the weakness

In their daily activities, our customers use various devices, browsers and add-ons in their local environments. Our users’ communication security is very important to us – we therefore also continually have external standard components checked for weaknesses. Among others, we work together to this end with independent IT security experts at Cure53. They have now made a find with Mailvelope in Firefox.

Dr Mario Heiderich from Cure53 explains, “the problem is currently located in the architecture. There is therefore no easy fix. Mozilla knows this, but also has to keep a difficult balance between radical changes and ones that are prudent but are often decisions that are slow to take effect. Things are going in the right direction, however, which is definitely something positive for more complex software.”

Thomas Oberndörfer of Mailvelope states, “Mailvelope is naturally dependent on the security of the underlying browser. Weaknesses in Firefox’s add-on system have been known of for some time, so Mozilla’s improvement should be welcomed. Security audits such as the one undertaken by Posteo are important indicators for us to see how we can further improve Mailvelope.”

Report to be published after weakness is overcome

The weakness outlined above is expected to be overcome by Mozilla in November 2017. Out of consideration for security, we will therefore first publish the report at a later point. In it, the method of attack will be described in detail. The report is already available to Mailvelope and the BSI (German Federal Office for Information Security).

The security audit has also yielded some positive results for Mailvelope, which we would like to outline here:

  • There was a check made as to whether email providers for which Mailvelope is used could access a Mailvelope user’s private keys saved in the browser – this was not possible.
  • All other attempts made by the security engineers to access private keys saved in Mailvelope, such as operating third party websites or man-in-the-middle attacks, were also unsuccessful.

Weakness shows that open source increases security

For security reasons, we exclusively support open source components with transparent code – such as the encryption plug-in Mailvelope. In our view, transparent code is essential for the security and democratic control of the internet: Independent experts can at any time identify weaknesses or backdoors via code analysis, as happened here. A provider or developer’s security claims do not need to be trusted. With the security audits that we commission, we want to contribute to further increasing the security of established open source components and genuine end-to-end encryption.

Best regards,
The Posteo Team

Article source
  20. FileFriend: Hide Files, Folders Or Text In JPEG Images

FileFriend is a free portable program for Microsoft Windows devices that enables you to hide files, folders or text in jpeg images. The file manipulation and encryption tool has more to offer than that, most notably options to split and join files on top of its encryption functionality.

Computer users have quite a few options at their disposal when it comes to protecting files, folders or text from unauthorized access. One of the best options is to create an encrypted container, or encrypt a hard drive partition or even the entire hard drive. Programs like VeraCrypt, Microsoft's Bitlocker, or Drive Cryptor provide you with that functionality.

Hide files, folders or text in JPEG images

Sometimes however you may need something simpler. FileFriend may be such a solution. When it comes to the encryption functionality that it provides, all it offers are simple options to hide text, files or folders in jpeg images.

Note: The program runs a check for updates on start.

Simply run the program and select one of the three encryption options that it supports with a click on one of the tabs:

  • Encrypt: use it to encrypt a file or folder using a password that you specify.
  • JPK: hide a file or a directory inside a JPEG image.
  • JTX: hide text inside a JPEG image.

While this is super simple to execute, even for beginners or inexperienced computer users, you will notice that the program does not provide you with information on the encryption algorithm that it uses. The developer website does not offer anything in this regard as well. This is problematic, as you don't know how good the encryption algorithm really is. While you do get some extra security through obfuscation, you may prefer to use a tried and tested solution instead to protect your data from unauthorized access.

FileFriend has two additional features. The first allows you to split large files into smaller parts, the second to join the files again. This works similarly to how archive software like 7-Zip or Bandizip handle this.

Closing Words

FileFriend can be a useful program, but one thing prevents me from recommending it. I'm not saying that FileFriend is a bad software program, only that I do not know enough about the encryption that it uses to determine whether it is a program that I can recommend, or not. Since I cannot do that right now, I suggest you use different programs.

Now You: Which program do you use to encrypt files?

Source
  21. As the internet continues to limp toward better security, sites have increasingly embraced HTTPS encryption. You’ve seen it around, including here on WIRED; it’s that little green padlock in the upper lefthand corner, and it keeps outside eyes from snooping on the details of your time online. Today, the biggest porn site on the planet announced that it’s joining those secured ranks. Pornhub’s locking it down, and that’s a bigger deal than you’d think. On April 4, both Pornhub and its sister site, YouPorn, will turn on HTTPS by default across the entirety of both sites. By doing so, they’ll make not just adult online entertainment more secure, but a sizable chunk of the internet itself. The Pornhub announcement comes at an auspicious time. Congress this week affirmed the power of cable providers to sell user data, while as of a few weeks ago more than half the web had officially embraced HTTPS. Encryption doesn’t solve your ISP woes altogether—they’ll still know that you were on Pornhub—but it does make it much harder to know what exactly you’re looking at while you’re there. “If you’re visiting sites that allow HTTPS, you don’t have to worry so much about what they’re doing to observe your traffic,” says Joseph Hall, chief technologist at the Center for Democracy and Technology, a digital rights group that has offered HTTPS assistance to the adult industry, but was not part of Pornhub or YouPorn’s switch. That’s especially important for porn sites, and not just for prudes. In countries and cultures where homosexuality is considered a crime, for instance, encryption can be critical. To get a sense of just how big this Pornhub news is, though, it helps to get a sense of Pornhub’s size. Traffic Hub It can be hard to keep porn sites straight, since so many of them sound like parodies to begin with, and mostly seem to follow the same basic rubric. Pornhub stands out, though, as not just the biggest adult site in the world, but one of the biggest sites over all. 
Just how much traffic flows through Pornhub on any given day? Try 75 million daily visitors. According to Alexa site rankings, that makes it the 38th largest website overall, sliding in one slot below Ebay. It’s bigger than WordPress. It’s bigger than Tumblr. It’s only a few spots down from Netflix. It’s a behemoth. YouPorn’s no slouch either; it cracks the Alexa top 300, and serves a billion (with a b) video views every month. In fact, that both Pornhub and YouPorn are predominantly video-based makes their HTTPS transition all the more consequential—and difficult. There are plenty of challenges to HTTPS implementation, but among the biggest is that it requires any content coming in from the outside—like third-party ads—to be HTTPS compliant. For a video-heavy site, there’s the added challenge of finding a content delivery network—the companies that own the servers that shuttle web pages and videos across the great wide internet——that’s willing to take on that volume of encrypted video. “Finding CDN providers to handle the massive amount of traffic, but also stream through HTTPS is never easy,” says Pornhub vice-president Corey Price. “There are few providers worldwide that can handle our levels of traffic, especially in HTTPS.” Price declined to give specific names, but says that Pornhub has managed to enlist three “large CDN partners” to handle the switchover. HTTPS comes with other inherent challenges as well, especially on a site of this size. Fortunately, Pornhub wasn’t starting from scratch. Its parent company, MindGeek, also owns a popular adult site called RedTube, which made the transition earlier this month. And Pornhub itself had already dabbled as well, offering HTTPS for its paid Pornhub Premium service late last year. “The biggest learning was finding ways to mitigate the site speed impacts of switching to HTTPS, as many of the techniques we used don’t have the same effect with HTTPS,” says Price. 
Encrypt It All On its own, Pornhub’s HTTPS embrace will secure a significant portion of the web literally overnight. It also has broader importance, though. First, it’s part of MindGeek’s commitment to rolling out HTTPS across all of its properties. That’s over 100 million unique visitors every single day that will eventually enjoy a secure connection. Facebook nets 200 million in a month. The only question is when, not if, that’s going to happen. “All properties are managed independently with different engineering teams,” says Price. “Each team always faces different challenges as each site is an entirely different codebase. Some features and changes can take a couple of hours to do on Pornhub, but take weeks on YouPorn, and vice-versa.” More significantly, it signals that encryption has become the norm on the web. Broad HTTPS adoption is great, but nothing beats concentrated implementation among the very biggest sites. “The reason that a lot of us are focused on the top 100 websites is because so much of web traffic is represented by those sites,” says Hall. “Right now we’re at 50 percent of all web browser connections on HTTPS. If we were to get the top 100, that would easily get to 80 or 90 percent.” That’s still a ways off. But on April 4, two sites will keep the internet that much safer from all kinds of prying eyes. By Brian Barret https://www.wired.com/2017/03/pornhub-https-encryption/
  22. European justice and home affairs ministers are putting their heads together to try to decide on a collective response to Internet companies’ use of strong encryption. And, ultimately, whether to push for legislation requiring backdoors in end-to-end encryption to afford the region’s law enforcement agencies access to user data on-demand. Last summer home affairs ministers from France and Germany called for a law to enable courts to demand Internet companies decrypt data on request. Their call was repeated earlier this week by UK Home Secretary, Amber Rudd, who said intelligence services must be able to access readable data from apps such as end-to-end encrypted WhatsApp, asserting: “There should be no place for terrorists to hide.” As is typically the case when politicians denounce technology companies’ use of encryption, Rudd was speaking in the wake of a terror attack. France and Germany have also suffered a series of terror attacks in recent years, upping the ante for ministers to be seen to be taking action to defuse more terrorist plots. Encryption technology has been the scapegoat of choice for Western politicians responding to terrorist attacks for multiple years now, despite governments also operating vast, dragnet digital surveillance programs. And having access to ever more traceries of metadata to link possible suspects to potential plots. (Arguably it’s the volume of data that security agencies are now systematically collecting that’s causing them problems in prioritizing which suspects to watch closely — hence calls by Rudd et al for access to content too.) Yesterday EU Justice Commissioner Vera Jourova also touched on the topic of encrypted apps, speaking during a press conference held following a meeting of the Justice and Home Affairs Council in Brussels. 
A Euractiv report of her comments suggests the EC has already made up its mind to put forward measures this summer — aimed at forcing what she described as a “swift, reliable response” from encrypted apps when asked to hand over decrypted data. Jourova also reportedly said she’s holding “very intensive” talks with big Internet companies about giving police access to encrypted data. However a Commission spokeswoman told TechCrunch that no decisions have been made about how to approach encryption at this stage, adding that discussions are not yet “very advanced”. “On encryption the discussions are still ongoing,” the spokeswoman told us. “And for now there’s no legislative plan.” She could not confirm whether WhatsApp is one of the companies Jourova is holding talks with. The Facebook-owned messaging giant has had its service blocked by courts in Brazil on several occasions, after the company was penalized for not providing decrypted chat logs pertaining to criminal investigations (the company has maintained it cannot provide the data to police as it does not have access to the data). Whether similar legal actions might be brought against it and other encrypted apps in Europe in future remains to be seen. We’ve reached out to WhatsApp for comment on the EC discussions and will update this story with any response. The Commission spokeswoman said a separate issue under discussion by the Council — so-called e-evidence; aka the process for prosecutors to request digital evidence across legal jurisdictions (such as a prosecutor in an EU country seeking to obtain data held on a server in California, for example) — is at a more advanced stage, and confirmed there will be legislative options and other measures proposed on that this June. But the question of whether EU lawmakers intend to push to require Internet companies such as WhatsApp to effectively backdoor their end-to-end encryption remains an open-ended one. 
Asked for more details of the ongoing talks between EU ministers on encryption, the spokeswoman confirmed there is agreement between them that the technology presents a challenge for law enforcement — though, again, she stressed there is no clarity on what measures they might push for in future. “Yesterday all the ministers agreed that this is an issue and that criminal justice in cyberspace is being challenged by this, but for now no one really came up with any concrete solution,” she said. “There’s a working group that’s organized by the Commission, bringing experts from all over Europe and from different [sectors], technology but also justice, to discuss it together. “We’re gathering evidence and information on this, and this will be discussed again in June.” The spokeswoman also noted there are further complications for having an EU-wide response on this issue, given Member States set their own laws where national security issues are concerned. Indeed, the UK has already legislated to be able to demand decryption on request and block use of e2e encryption in the Investigatory Powers Act, which passed into UK law last year — although some elements of the legislation have yet to be implemented, owing to a separate EU legal ruling regarding “general and indiscriminate” data retention, which the law appears to breach. “Everyone agrees that if there is a crime, if the data is encrypted, it has to be handed in to the authorities in a readable way. But the issue is very, very complex in the sense that matters of national security are also Member State competence so there’s no competence at the EU level. So that’s also a point that’s complicating the discussions here,” the spokeswoman told us. “Also we have to find the right balance,” she added. “For which reasons would you access this data? And so there is still a lot of open questions. If someone wants to access it for bad reasons… how do you put safeguards for that? 
So it’s really all those open questions are out there.” The EU’s anti-terrorism coordinator, Gilles de Kerchove, previously discussed this notion of balance, telling Euractiv: “We need a very strong internet — we don’t want to create vulnerabilities”, but also emphasizing that security services, police, and law enforcement agencies must be able to “get access to the content, which is important for security reasons”. “The question is, can you open a backdoor for Europol only, or would that at the same time create a vulnerability and open a backdoor for the Russian mafia or third party state spies? This is part of the discussion but we are not there yet. There is internal work — it’s a tricky issue,” de Kerchove added. Elsewhere, the Commission’s technology policy chief recently tweeted a confirmation he’s still against the idea of mandating backdoors and weakening encryption — although in his earlier comments, from November, he also conceded the issue is not so black and white where the interests of law enforcement are concerned. The EC spokeswoman confirmed to us today that there is no timeframe at this point for when the Justice & Home Affairs working group will have reached a decision on how to proceed. Which means this is an opportune moment for the technology and security industry to get in touch with EU politicians to reiterate the point that weakening security for all Internet users is not a sensible nor proportionate response to national security concerns. The region has also recently legislated to beef up local data protection laws. So any push to perforate commercial security systems and put millions of app users’ data at risk of hacking would be a hugely contrarian move vs the incoming General Data Protection Regulation which will hike potential fines for data breaches to up to 4 per cent of a company’s global turnover. Source
  23. Developers shouldn't use JSON Web Tokens or JSON Web Encryption in their applications at all, lest their private keys get stolen

A vulnerability in a JSON-based web encryption protocol could allow attackers to retrieve private keys. Cryptography experts have advised against developers using JSON Web Encryption (JWE) in their applications in the past, and this vulnerability illustrates those very dangers.

Software libraries implementing the JWE, or RFC 7516, specification suffer from a classic Invalid Curve Attack, wrote Antonio Sanso, a senior software engineer at Adobe Research Switzerland and part of the Adobe Experience Manager security team. The JSON Web Token (JWT) is a JSON-based open standard defined in the OAuth specification family used for creating access tokens, and JWE is a set of signing and encryption methods for JWT. Developers using JWE with Key Agreement with Elliptic Curve Diffie-Hellman Ephemeral Static (ECDH-ES) are affected.

A quick primer in elliptic curve cryptography is in order to understand the Invalid Curve Attack. ECC is a way to calculate public-private key pairs based on the algebraic structure of elliptic curves over a finite data set. The order of the elliptic curve is big enough that it becomes difficult for an attacker to try to guess the private key. ECDH-E is a key exchange mechanism based on elliptic curves, and it's used by websites to provide perfect forward secrecy in SSL.

The Invalid Curve Attack lets attackers take advantage of a mathematical mistake in the curve's formula to find a smaller curve. Because the order of the smaller elliptic curve is more manageable, attackers can build malicious JWEs to extract the value of the secret key and perform the operation multiple times to collect more information about the key.

The Invalid Curve Attack was first published 17 years ago, and it was described in a 2014 talk on elliptic curve cryptography at Chaos Communication Congress in Hamburg by Tanja Lange, a professor of cryptology at the Netherlands' Eindhoven University of Technology and Daniel J Bernstein, a mathematician and research professor at the University of Illinois at Chicago. The problems have been in the open for a long time, but Sanso found that several well-known libraries using RFC 7516 were vulnerable to the attack.

Developers who rely on libraries go-jose, node-jose, jose2go, Nimbus JOSE+JWT, or jose4 with ECDH-ES should update their existing applications to work with the latest version and make sure they are using the latest version for all new code. The updated version numbers are the following: node-jose v0.9.3, jose2go v1.3, jose4 v0.5.5 and later, Nimbus JOSE+JWT v4.34.2, and go-jose.

"At the end of the day the issue here is that the specification and consequently all the libraries I checked missed validating that the received public key (contained in the JWE Protected Header) is on the curve," Sanso wrote.

The exposed vulnerability was due to a gap in the RFC 7516 specification, and as most implementers would follow the specification directly, they unintentionally introduced the vulnerability into their libraries, said Matias Woloski, CTO and Co-Founder of Auth0, a universal identity platform. "It's a rare case where the flaw was in the specifications design and not the implementation," Woloski said.

The default Java SUN JCA provider, which comes with Java prior to version 1.8.0_51, is also affected, but later Java versions and the BouncyCastle JCA provider are not. It appears that the latest version of Node.js is immune to this attack, but Sanso warned it was still possible to be vulnerable when using browsers without support for web cryptography.

As part of his research, Sanso set up an attacker application on Heroku. When users click on the "recovery key" button on the app, they'll be able to see how the attacker recovers the secret key from the server. The code for demonstration and proof-of-concept are available on GitHub.

Luckily, the impact may be limited, as JWE with ECDH-ES is not widely used. Developers who decide to go with JWT are trying to avoid having to use server-side storage for sessions, but they wind up turning to wacky workarounds instead of careful engineering, said Sven Slootweg of Cryto Coding Collective. With JWE, developers are forced to make decisions on which key encryption and message encryption options to adopt -- a decision that shouldn't be left up to noncryptographers.

"Don't use JWT for sessions," said Slootweg. "The JWE standard is a minefield that noncryptographers shouldn't be forced to navigate."

Instead, developers should stick with sessions, using cookies delivered securely over HTTPS. The library libsodium also offers developers a tried and tested method of using signatures via crypto_sign() and crypto_sign_open(), or encryption via the crypto_secretbox() and crypto_box() APIs.

Library developers and engineers working with security-focused libraries need to make sure they stay up to date with the latest developments, so they can be ready to patch the issues. "The specification designers (often from industry) should be more proactive in engaging the research community to evaluate the security of specifications in a proactive (pre-standardization) instead of reactive way," Woloski said.

More cryptographers need to review software libraries that developers use to make sure the algorithms are implemented correctly. All too often, the people working on the specifications have little to no contact with researchers. The issue was reported to the JavaScript Object Signing and Encryption working group's mailing list.

This advisory also highlights why specifications should never be considered a static document: They must be revisited and updated periodically to reflect any detail that was initially overlooked or changed based on available new information. "We all seem to agree that an errata [on the specification] where the problem is listed is at least welcomed," Sanso wrote.

Source
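
The check Sanso says was missing, that the public key received in the JWE Protected Header is on the curve, looks like this for an ECDH-ES "epk" on P-256. This is an added example, not code from the article or from any of the libraries it names; the function names and sample headers are constructed for illustration, and only P-256 is handled.

```python
import base64

# NIST P-256 (secp256r1) domain parameters: y^2 = x^3 + A*x + B over GF(P).
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A = P - 3
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
# Base point of the curve, used below only to build a known-good sample key.
GX = 0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296
GY = 0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5
COORD_LEN = 32  # RFC 7518: each coordinate is a full-length octet string


def b64url_encode(value):
    """Encode an integer coordinate as unpadded base64url, as a JWK does."""
    raw = value.to_bytes(COORD_LEN, "big")
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_to_int(text, name):
    """Decode one JWK coordinate, enforcing the fixed 32-byte length."""
    if not isinstance(text, str):
        raise ValueError(f"epk.{name} is missing or not a string")
    try:
        raw = base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))
    except ValueError as exc:
        raise ValueError(f"epk.{name} is not valid base64url") from exc
    if len(raw) != COORD_LEN:
        raise ValueError(f"epk.{name} must be exactly {COORD_LEN} bytes")
    return int.from_bytes(raw, "big")


def is_on_curve(x, y):
    """True if (x, y) satisfies the P-256 curve equation."""
    return (y * y - (x * x * x + A * x + B)) % P == 0


def validate_epk(header):
    """Return (x, y) from the header's epk, or raise ValueError.

    Must run before the coordinates are used in any key agreement with
    the recipient's static private key.
    """
    epk = header.get("epk")
    if not isinstance(epk, dict):
        raise ValueError("header has no epk object")
    if epk.get("kty") != "EC" or epk.get("crv") != "P-256":
        raise ValueError("epk must be an EC key on P-256")
    x = b64url_to_int(epk.get("x"), "x")
    y = b64url_to_int(epk.get("y"), "y")
    if x >= P or y >= P:
        raise ValueError("epk coordinate is not a field element")
    if not is_on_curve(x, y):
        # This is the rejection the affected libraries did not perform.
        raise ValueError("epk is not a point on P-256")
    # P-256 has cofactor 1, so an on-curve affine point is in the right group.
    return x, y


def is_acceptable(header):
    """Boolean wrapper around validate_epk for callers that only gate."""
    try:
        validate_epk(header)
        return True
    except ValueError:
        return False


def sample_header(x, y):
    """Build a constructed JWE Protected Header carrying the given epk."""
    return {
        "alg": "ECDH-ES",
        "enc": "A128GCM",
        "epk": {"kty": "EC", "crv": "P-256",
                "x": b64url_encode(x), "y": b64url_encode(y)},
    }


# Constructed samples: a valid point, the same point with one bit of y
# flipped (no longer on the curve), and a coordinate outside the field.
VALID_HEADER = sample_header(GX, GY)
OFF_CURVE_HEADER = sample_header(GX, GY ^ 1)
OUT_OF_RANGE_HEADER = sample_header(P, GY)

if __name__ == "__main__":
    for label, hdr in [("valid", VALID_HEADER),
                       ("off-curve", OFF_CURVE_HEADER),
                       ("out-of-range", OUT_OF_RANGE_HEADER)]:
        print(label, "accepted" if is_acceptable(hdr) else "rejected")
```
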
  24. Firefox warns users about unencrypted pages

We suppose it was only a matter of time before someone had a complaint about the notifications browsers display when a website accepts logins over unencrypted HTTP pages. In fact, Mozilla has received a complaint about this very "issue." Folks over at Ars Technica spotted the complaint over on Mozilla's Bugzilla bug-reporting service.

"Your notice of insecure password and/or log-on automatically appearing on the log-in for my website, Oil and Gas International, is not wanted and was put there without our permission. Please remove it immediately. we have our own security system, and it has never been breached in more than 15 years. Your notice is causing concern by our subscribers and is detrimental to our business," the message signed by dgeorge reads.

Of course, they seem to be late to the party since this type of warning has been showing for a few months now and became standard earlier this year for both Firefox and Chrome.

The benefits of HTTPS

Thankfully, someone from Mozilla came forward and cleared things up for dear ol' dgeorge, telling him that when a site requests a user's password over HTTP, the transmission is done in the clear. "As such, anybody listening on the network would be able to record those passwords. This puts not just users at risk when using your site, but also puts them at risk on any other website that they might share a password with yours," they explain.

In the end, it's been proven time and time again that providing email and passwords over HTTP is no longer safe. For years now, there's been a push for HTTPS and web admins have been given plenty of time to make the change, both for their sake and their users' sake.

Now, Chrome will display a "Not Secure" notification next to the address bar, while Firefox takes things a step further, displaying below the user name and password fields "this connection is not secure. Logins entered here could be compromised."

Source
  25. Five Issues That Will Determine The Future Of Internet Health

In January, we published our first Internet Health Report on the current state and future of the Internet. In the report, we broke down the concept of Internet health into five issues. Today, we are publishing issue briefs about each of them: online privacy and security, decentralization, openness, web literacy and digital inclusion. These issues are the building blocks to a healthy and vibrant Internet. We hope they will be a guide and resource to you.

We live in a complex, fast moving, political environment. As policies and laws around the world change, we all need to help protect our shared global resource, the Internet. Internet health shouldn’t be a partisan issue, but rather, a cause we can all get behind. And our choices and actions will affect the future health of the Internet, for better or for worse.

We work on many other policies and projects to advance our mission, but we believe that these issue briefs help explain our views and actions in the context of Internet health:

1. Online Privacy & Security: Security and privacy on the Internet are fundamental and must not be treated as optional. In our brief, we highlight the following subtopics:

  • Meaningful user control – People care about privacy. But effective understanding and control are often difficult, or even impossible, in practice.
  • Data collection and use – The tech industry, too often, reflects a culture of ‘collect and hoard all the data’. To preserve trust online, we need to see a change.
  • Government surveillance – Public distrust of government is high because of broad surveillance practices. We need more transparency, accountability and oversight.
  • Cybersecurity – Cybersecurity is user security. It’s about our Internet, our data, and our lives online. Making it a reality requires a shared sense of responsibility.

Protecting your privacy and security doesn’t mean you have something to hide. It means you have the ability to choose who knows where you go and what you do.

2. Openness: A healthy Internet is open, so that together, we can innovate. To make that a reality, we focus on these three areas:

  • Open source – Being open can be hard. It exposes every wrinkle and detail to public scrutiny. But it also offers tremendous advantages.
  • Copyright – Offline copyright law built for an analog world doesn’t fit the current digital and mobile reality.
  • Patents – In technology, overbroad and vague patents create fear, uncertainty and doubt for innovators.

Copyright and patent laws should better foster collaboration and economic opportunity. Open source, open standards, and pro-innovation policies must continue to be at the heart of the Internet.

3. Decentralization: There shouldn’t be online monopolies or oligopolies; a decentralized Internet is a healthy Internet. To accomplish that goal, we are focusing on the following policy areas.

  • Net neutrality – Network operators must not be allowed to block or skew connectivity or the choices of Internet users.
  • Interoperability – If short-term economic gains limit long-term industry innovation, then the entire technology industry and economy will suffer the consequences.
  • Competition and choice – We need the Internet to be an engine for competition and user choice, not an enabler of gatekeepers.
  • Local contribution – Local relevance is about more than just language; it’s also tailored to the cultural context and the local community.

When there are just a few organizations and governments who control the majority of online content, the vital flow of ideas and knowledge is blocked. We will continue to look for public policy levers to advance our vision of a decentralized Internet.

4. Digital Inclusion: People, regardless of race, income, nationality, or gender, should have unfettered access to the Internet. To help promote an open and inclusive Internet, we are focusing on these issues:

  • Advancing universal access to the whole Internet – Everyone should have access to the full diversity of the open Internet.
  • Advancing diversity online – Access to and use of the Internet are far from evenly distributed. This represents a connectivity problem and a diversity problem.
  • Advancing respect online – We must focus on changing and building systems that rely on both technology and humans, to increase and protect diverse voices on the Internet.

Numerous and diverse obstacles stand in the way of digital inclusion, and they won’t be overcome by default. Our aim is to collaborate with, create space for, and elevate everyone’s contributions.

5. Web Literacy: Everyone should have the skills to read, write and participate in the digital world. To help people around the globe participate in the digital world, we are focusing on these areas:

  • Moving beyond coding – Universal web literacy doesn’t mean everyone needs to learn to code; other kinds of technical awareness and empowerment can be very meaningful.
  • Integrating web literacy into education – Incorporating web literacy into education requires examining the opportunities and challenges faced by both educators and youth.
  • Cultivating digital citizenship – Everyday Internet users should be able to shape their own Internet experience, through the choices that they make online and through the policies and organizations they choose to support.

Web literacy should be foundational in education, like reading and math. Empowering people to shape the web enables people to shape society itself. We want people to go beyond consuming and contribute to the future of the Internet.

Promoting, protecting, and preserving a healthy Internet is challenging, and takes a broad movement working on many different fronts. We hope that you will read these and take action alongside us, because in doing so you will be protecting the integrity of the Internet. For our part, we commit to advancing our mission and continuing our fight for a vibrant and healthy Internet.

Source