Showing results for tags 'encryption'.
1. The UK Is Trying to Stop Facebook's End-to-End Encryption

The government's latest attack is aimed at discouraging the company from following through with its planned rollout across platforms.

The UK is planning a new attack on end-to-end encryption, with the Home Office set to spearhead efforts designed to discourage Facebook from further rolling out the technology to its messaging apps. Home Secretary Priti Patel is planning to deliver a keynote speech at a child protection charity's event focused on exposing the perceived ills of end-to-end encryption and asking for stricter regulation of the technology. At the same time a new report will say that technology companies need to do more to protect children online.

Patel will headline an April 19 roundtable organized by the National Society for the Prevention of Cruelty to Children (NSPCC), according to a draft invitation seen by WIRED. The event is set to be deeply critical of the technology, which makes it harder for investigators and technology companies to monitor communications between people and detect child grooming or illicit content, including terror or child abuse imagery.

End-to-end encryption works by securing communications between those involved in them: only the sender and receiver of messages can see what they say, and platforms providing the technology cannot access the content of messages. The tech has increasingly become standard in recent years, with WhatsApp and Signal using end-to-end encryption by default to protect people's privacy. The Home Office's move comes as Facebook plans to roll out end-to-end encryption across all its messaging platforms, including Messenger and Instagram, which has sparked a fierce debate in the UK and elsewhere over the supposed risks the technology poses to children.
During the event, the NSPCC will unveil a report on end-to-end encryption by PA Consulting, a UK firm that has advised the UK’s Department for Digital Culture Media and Sport (DCMS) on the forthcoming Online Safety regulation. An early draft of the report, seen by WIRED, says that increased usage of end-to-end encryption would protect adults’ privacy at the expense of children’s safety, and that any strategy adopted by technology companies to mitigate the effect of end-to-end encryption will “almost certainly be less effective than the current ability to scan for harmful content.” The report also suggests that the government devise regulation “expressly targeting encryption”, in order to prevent technology companies from “engineer[ing] away” their ability to police illegal communications. It recommends that the upcoming Online Safety Bill—which will impose a duty of care on online platforms—make it compulsory for tech companies to share data about online child abuse, as opposed to voluntary. The Online Safety Bill is expected to require companies whose services use end-to-end encryption to show how effectively they are tackling the spread of harmful content on their platforms—or risk being slapped with fines by communication authority Ofcom, which will be in charge of enforcing the rules. As a last resort, Ofcom could demand that a company use automated systems to winnow out illegal content from their services. The NSPCC says that this set-up does not go far enough in reining in encryption: in a statement released last week, the charity urged the digital secretary, Oliver Dowden, to strengthen the proposed regulation, preventing platforms from rolling out end-to-end encryption until they can demonstrate that they can safeguard children’s safety. Facebook currently tackles the circulation of child sex abuse content on WhatsApp by removing accounts displaying forbidden images in their profile pictures, or groups whose names suggest an illegal activity. 
WhatsApp says it bans more than 300,000 accounts per month that it suspects of sharing child sexual abuse material. “Ofcom will have to meet a series of tests before it could take action on a regulated platform,” says Andy Burrows, NSPCC’s head of child safety online policy. “That is about being able to require evidence of serious and sustained abuse, which is going to be practically very difficult to do because of end-to-end encryption will take away a significant amount of the reporting flow.” Burrows declined to comment directly about the event with the Home Secretary, and whether any policy announcement will be made then. In an email, a Home Office spokesperson wrote that “end-to-end encryption poses an unacceptable risk to user safety and society. It would prevent any access to messaging content and severely erode tech companies’ ability to tackle the most serious illegal content on their own platforms, including child abuse and terrorism.” “The Home Secretary has been clear that industry must step-up to meet the evolving threat,” the spokesperson says. Since Facebook’s announcement on the extension of end-to-end encryption in 2019, Patel has grown increasingly impatient and vocal about the dangers of the technology—publicly calling on Facebook to “halt plans for end-to-end encryption”, and bringing up the subject in meetings with her US counterparts and the Five Eyes intelligence alliance of English-speaking countries. While Dowden is working jointly with the Home Office—taking part in conversations with Facebook on the matter—in an online press conference on March 10 he said that end-to-end encryption will not be dealt with in the Online Safety Bill. The comment has caused concern among observers. 
According to a person familiar with policy discussions, technology companies are now increasingly worried that the Home Office could issue a Technical Capability Notice (TCN) against Facebook—that is: an injunction forbidding the company from switching to end-to-end encryption. A TCN would allow investigators with a warrant to keep obtaining decrypted conversations on Instagram and Facebook Messenger, the platforms of main concern because they potentially allow unsolicited messaging between adults and children. In December last year, Sky News reported, quoting Home Office policy advisers, that a TCN would have become an option if the Online Safety Bill did not demand that Facebook kept its ability to spot child abuse—a scenario that would arguably materialize if Facebook had its way with encryption. Jim Killock, executive director at digital rights organization Open Rights Group, says he is “worried that the Home Office will be considering using a secret order (TCN) to force Facebook to limit or circumvent their encryption.” “Facebook would be gagged from saying anything,” Killock adds. Although the action would be targeted to Facebook only, he thinks that such a move would set a precedent. One industry source who has spoken with government figures is skeptical that such a radical scenario will come to pass, pointing out that encryption has routinely been in the Home Office’s crosshairs since Theresa May’s tenure as home secretary started in 2010, but that the technical difficulty—and the unpopularity—of outlawing encryption eventually always prevailed over the rhetorical posturing. 
In a statement, a Facebook company spokesperson said that end-to-end encryption is "already the leading security technology used by many services to keep people safe from having their private information hacked and stolen." Company executives have previously admitted that the increased rollout of end-to-end encryption will reduce the amount of child abuse reports it makes to industry monitoring groups. "Its full rollout on our messaging services is a long-term project and we are building strong safety measures into our plans," the spokesperson added.

This story originally appeared on WIRED UK.
2. Comprehensive Security Guide (posted by malakai1911)

NOTE: As of 1/1/2019 this guide is out of date. Until parts are rewritten, consider the below for historical reference only.

i. Foreword

The primary purpose of this guide is to offer a concise list of best-of-breed software and advice on selected areas of computer security. The secondary purpose of this guide is to offer limited advice on other areas of security. The target audience is an intermediately skilled user of home computers. Computer software listed is the freeware version when possible or has a free version available. If there is no free version available for a particular product, it is noted with the "$" symbol. The guide is as well formatted as I could make it, within the confines of a message board post.

ii. Table of Contents

i. Foreword
ii. Table of Contents
1. Physical Security
   a. Home
   b. Computer
   c. Personal
2. Network Security
   a. Hardware Firewall
   b. Software Firewall
3. Hardening Windows
   a. Pre-install Hardening
   b. Post-install Hardening
   c. Alternative Software
   d. Keep Windows Up-To-Date
4. Anti-Malware
   a. Anti-Virus
   b. HIPS / Proactive Defense
   c. Malware Removal
5. Information and Data Security
   a. Privacy / Anonymity
   b. Encryption
   c. Backup, Erasure and Recovery
   d. Access Control (Passwords, Security Tokens)
6. Conclusion

1. Physical Security

I just wanted to touch on a few things in the realm of physical security, and you should investigate physical and personal security in places other than here.

a. Home

How would you break in to your own home? Take a close look at your perimeter security and work inwards. Make sure fences or gates aren't easy to climb over or bypass. The areas outside your home should be well lit, and motion sensor lights and walkway lights make nice additions to poorly lit areas. If possible, your home should have a security system featuring hardwired door and window sensors, motion detectors, and audible sirens (indoor and outdoor).
Consider integrated smoke and carbon monoxide detectors for safety. Don't overlook monitoring services, so the police or fire department can be automatically called during an emergency. Invest in good locks for your home; I recommend Medeco and Schlage Primus locks highly. Both Medeco and Schlage Primus locks are pick-resistant, bump-proof, and have key control (restricted copying systems). Exterior doors should be made of steel or solid-core wood and each should have locking hardware (locking doorknob or handle), an auxiliary lock (mortise deadbolt) with a reinforced strike plate, and a chain. Consider a fireproof (and waterproof) safe for the storage of important documents and valuables. A small safe can be carried away during a robbery, and simply opened at another location later, so be sure to get a safe you can secure to a physical structure (in-wall, in-floor, or secured to something reasonably considered immovable). You may be able to hide or obscure the location of your safe in order to obtain some additional security, but don't make it cumbersome for yourself to access.

b. Computer

Computers are easy to just pick up and take away, so the only goal you should have is to deter crimes of opportunity. For desktop computers, you may bring your desktop somewhere and an attacker may not be interested in the entire computer, but perhaps just an expensive component (video card) or your data (hard drive), and for that I suggest a well-built case with a locking side and locking front panel. There are a variety of case security screws available (I like the ones from Enermax (UC-SST8) as they use a special tool), or you can use screws with less common bits (such as tamper resistant Torx screws) to secure side panels and computer components. There are also cable lock systems available for desktop computers to secure them to another object. For laptop computers, you are going to be primarily concerned about a grab-and-go type robbery.
There are a variety of security cables available from Kensington, which lock into the Kensington lock slot found on nearly all laptops, which you can use to secure it to another object (a desk or table, for example). Remember though, even if it's locked to something with a cable, it doesn't make it theft-proof, so keep an eye on your belongings.

c. Personal

Always be aware of your surroundings. Use your judgment: if you feel an area or situation is unsafe, avoid it altogether or get away as quickly and safely as possible. Regarding hand to hand combat, consider a self-defense course. Don't screw around with traditional martial arts (Karate, Aikido, Kung-Fu), and stay away from a McDojo. You should consider self-defense techniques like Krav Maga if you are serious about self defense in a real life context. I generally don't advocate carrying a weapon on your person (besides the legal mess that may be involved with use of a weapon, even for self-defense, an attacker could wrestle away a weapon and use it against you). If you choose to carry any type of weapon on your person for self-defense, I advise you to take a training course (if applicable) and to check with and follow the laws within the jurisdiction you decide to possess or carry such weapons.

Dealing with the Police

Be sure to read Know Your Rights: What to Do If You're Stopped by the Police, a guide by the ACLU, and apply it. Its advice is for within the jurisdiction of the US but may apply generally elsewhere; consult with a lawyer for legal advice. You should also watch the popular video "Don't talk to the police!" by Prof. James Duane of the Regent University Law School for helpful instructions on what to do and say when questioned by the police: (Mirror: regent.edu)

Travelling Abroad

Be sure to visit the State Department or Travel Office for your home country before embarking on a trip abroad.
Read any travel warnings or advisories; they are a wealth of information for travelers (offering guides, checklists, and travel advice): (US, UK, CA).

2. Network Security

As this is a guide geared towards a home or home office network, the central theme of network security is going to be focused around having a hardware firewall behind your broadband modem, along with a software firewall installed on each client. Since broadband is a 24/7 connection to the internet, you are constantly at risk of attack, making both a hardware and software firewall absolutely essential.

a. Hardware Firewall

A hardware firewall (router) is very important. Consider the hardware firewall as your first line of defense. Unfortunately, routers (usually) aren't designed to block outbound attempts from trojans and viruses, which is why it is important to use a hardware firewall in conjunction with a software firewall. Be sure that the firewall you choose features SPI (Stateful Packet Inspection).

Highly Recommended

I recommend Wireless AC (802.11ac) equipment, as it is robust and widely available. Wireless AC is backwards compatible with the earlier Wireless N (802.11n), G (802.11g) and B (802.11b) standards. 802.11ac supports higher speeds and longer distances than the previous standards, making it highly attractive. I generally recommend wireless networking equipment from Ubiquiti or Asus. Use WPA2/WPA with AES if possible, and a passphrase with a minimum of 12 characters. If you are really paranoid, use a strong random password and remember to change it every so often.

Alternatives

A spare PC running SmoothWall or IPCop, with a pair of NICs and a switch, can be used to turn a PC into a fully functional firewall.

b. Software Firewall

A software firewall nicely complements a hardware firewall such as those listed above.
In addition to protecting you from inbound intrusion attempts, it also gives you a level of outbound security by acting as a gateway for applications looking to access the internet. Programs you want can access the internet, while ones you don't are blocked. Do not use multiple software firewalls simultaneously. You can actually make yourself less secure by running two or more software firewall products at once, as they can conflict with one another. Check out Matousec Firewall Challenge for a comparison of leak tests among top firewall vendors. Leaktests are an important way of testing outbound filtering effectiveness.

Highly Recommended

Comodo Internet Security
Comodo is an easy to use, free firewall that provides top-notch security. I highly recommend this as a first choice firewall. While it includes Antivirus protection, I advise to install it as firewall-only and use an alternate Antivirus.

Alternatives

Agnitum Outpost Firewall Free
A free personal firewall that is very secure. Be sure to check out the Outpost Firewall Forums, to search, and ask questions if you have any problems.

Online Armor Personal Firewall Free
Online Armor Personal Firewall makes another great choice for those who refuse to run Comodo or Outpost.

3. Hardening Windows

Windows can be made much more secure by updating its components, and changing security and privacy related settings.

a. Pre-install Hardening

Pre-install hardening has its primary focus on integrating the latest available service packs and security patches. Its secondary focus is applying whatever security setting tweaks you can integrate. By integrating patches and tweaks, you will be safer from the first boot.

Step 1 - Take an original Windows disc (Windows 7 or later) and copy it to a folder on your hard drive so you can work with the install files.
Step 2 - Slipstream the latest available service pack. Slipstreaming is a term for integrating the latest service pack into your copy of Windows.
Step 3 - Integrate the latest available post-service pack updates. This can be done with a utility such as nLite or vLite, and post-service pack updates may be available in an unofficial collection (such as the RyanVM Update Pack for XP).
Step 4 - Use nLite (Windows 2000/XP) or vLite (Windows Vista/7) to customize your install. Remove unwanted components and services, and use the tweaks section of nLite/vLite to apply some security and cosmetic tweaks.
Step 5 - Burn your newly customized CD, and install Windows. Do not connect the computer to a network until you install a software firewall and anti-virus.

b. Post-Install Hardening

If you have followed the pre-install hardening section, then your aim will be to tweak settings to further lock down Windows. If you hadn't installed from a custom CD, you will need to first update to the latest service pack, then install incremental security patches to become current. After updating, you'll then disable unneeded Windows services, perform some security tweaks, and use software such as xpy to tweak privacy options.

Disable Services

Start by disabling unneeded or unnecessary services. By disabling services you will minimize potential security risks, and use fewer resources (which may make your system slightly faster). Some good guides on disabling unnecessary services are available at Smallvoid: Windows 2000 / Windows XP / Windows Vista. Some commonly disabled services: Alerter, Indexing, Messenger, Remote Registry, TCP/IP NetBIOS Helper, and Telnet.

Security Tweaks

I highly recommend using a strong Local Security Policy template as an easy way to tweak Windows security options, followed by the registry. Use my template (security.inf) to easily tweak your install for enhanced security (Windows 2000/XP/Vista/7):

1. Save the following attachment: (Download Link Soon!)
2. Extract the files.
3. Apply the Security Policy automatically by running the included "install.bat" file.
4. (Optional) Apply your policy manually using the following command:

    secedit /configure /db secedit.sdb /cfg "C:\<Path To Security.inf>\<template>.inf"

   then refresh your policy using the following command:

    secedit /refreshpolicy machine_policy   (Windows 2000)
    gpupdate                                (Windows XP/Vista/7)

This template will disable automatic ("administrative") Windows shares, prevent anonymous log on access to system resources, disable (weak) LM password hashes and enable NTLMv2, disable DCOM, harden the Windows TCP/IP stack, and much more. Unfortunately my template can't do everything; you will still need to disable NetBIOS over TCP (NetBT), enable Data Execution Prevention (AlwaysOn), and perform other manual tweaks that you may use.

Privacy Tweaks

xpy (Windows 2000/XP) and vispa (Windows Vista/7)
These utilities are great for modifying privacy settings. They supersede XP AntiSpy because they include all of XP AntiSpy's features and more. You should use them in conjunction with the security tweaks I've listed above.

c. Alternative Software

Another simple way of mitigating possible attack vectors is to use software that is engineered with better or open security processes. These products are generally more secure and offer more features than their Microsoft counterparts.

Highly Recommended

Google Chrome (Web Browser)
Mozilla Thunderbird (Email Client)
OpenOffice.org (Office Suite)

Alternatives

Mozilla Firefox (Web Browser)
Google Docs (Online) (Office Suite)

Firefox Additions

Mozilla has a Privacy & Security add-on section. There are a variety of add-ons that may appeal to you (such as NoScript). And although these aren't strictly privacy related, I highly recommend the AdBlock Plus add-on, with the EasyList and EasyPrivacy filtersets.

d. Keep Windows Up-To-Date

Speaking of keeping up-to-date, do yourself a favor and upgrade to at least Windows XP (for older PCs) and Windows 7 (or later) for newer PCs.
Be sure to keep up-to-date on your service packs; they're a comprehensive collection of security patches and updates, and some may add minor features.

Microsoft Windows Service Packs
Windows 2000 Service Pack 4 with Unofficial Security Rollup Package
Windows XP Service Pack 3 with Unofficial Security Rollup Package
Windows XP x64 Service Pack 2 with Unofficial Security Rollup Package
Windows Vista Service Pack 2
Windows 7 Service Pack 1

Microsoft Office Service Packs
Office 2000 Service Pack 3 with the Office 2007 Compatibility Pack (SP3)
Office XP (2002) Service Pack 3 with the Office 2007 Compatibility Pack (SP3)
Office 2003 Service Pack 3 with the Office 2007 Compatibility Pack (SP3) and Office File Validation add-in
Office 2007 Service Pack 3 with the Office File Validation add-in
Office 2010 Service Pack 1

After the service pack, you still need to keep up-to-date on incremental security patches. Windows supports Automatic Updates to automatically update itself. However, if you don't like Automatic Updates: you can use Windows Update to update Windows periodically (must use IE5 or greater, must have the BITS service enabled), or you can use MS TechNet Security to search for and download patches individually, or you can use Autopatcher, an unofficial updating utility. In addition to security patches, remember to keep virus definitions up-to-date (modern virus scanners support automatic updates so this should not be a problem), and stay current with the latest program versions and updates, including your replacement internet browser and mail clients.

4. Anti-Malware

There are many dangers lurking on the internet: trojans, viruses, spyware. If you are a veteran user of the internet, you've probably developed a sixth sense when it comes to avoiding malware, but I advocate backing up common sense with reliable anti-malware software.

a. Anti-Virus

Picking a virus scanner is important. I highly recommend Nod32, but there are good alternatives these days.
Check out AV Comparatives for a comparison of scanning effectiveness and speed among top AV vendors.

Highly Recommended

Nod32 Antivirus $
I recommend Nod32 as a non-free Antivirus. Features excellent detection rates and fast scanning speed. Nod32 has a great heuristic engine that is good at spotting unknown threats. Very resource-friendly and historically known for using less memory than other AVs. There is a 30 day free trial available.

Alternatives

Avira AntiVir Personal
I recommend Avira as a free Antivirus. Avira is a free AV with excellent detection rates and fast scanning speed. (Kaspersky no longer recommended, due to espionage concerns.)

Online-Scanners

Single File Scanning
Jotti Online Malware Scan or VirusTotal
These scanners can run a single file through a large number of different Antivirus/Antimalware suites in order to improve detection rates. Highly recommended.

Whole PC Scanning
ESET Online Scanner
Nod32 Online Antivirus is pretty good, ActiveX though, so IE only. There is a beta version available that works with Firefox and Opera.

b. HIPS / Proactive Defense

Host-based intrusion prevention systems (HIPS) work by disallowing malware from modifying critical parts of the Operating System without permission. Classic (behavioral) HIPS software will prompt the user for interaction before allowing certain system modifications, allowing you to stop malware in its tracks, whereas Virtualization-based HIPS works primarily by sandboxing executables. Although HIPS is very effective, the additional setup and prompts are not worth the headache for novice users (who may take to just clicking 'allow' to everything and defeating the purpose altogether). I only recommend HIPS for intermediate or advanced users that require a high level of security.

Highly Recommended

I highly recommend firewall-integrated HIPS solutions. Comodo Defense+ is a classic HIPS built into Comodo Internet Security, and provides a very good level of protection.
Outpost and Online Armor provide their own HIPS solutions, and the component control features of the firewalls are powerful enough to keep unwanted applications from bypassing or terminating the firewall. If you want to use a different HIPS, you can disable the firewall HIPS module and use an alternative below.

Alternatives

Stand-alone HIPS solutions are good for users who either don't like the firewall built-in HIPS (and disable the firewall HIPS), or use a firewall without HIPS features.

HIPS based on Behavior (Classic)
ThreatFire
ThreatFire provides a strong, free behavioral HIPS that works well in conjunction with Antivirus and Firewall suites to provide additional protection.

HIPS based on Virtualization
DefenseWall HIPS $
DefenseWall is a strong and easy-to-use HIPS solution that uses sandboxing for applications that access the internet.
GeSWall Freeware
GeSWall makes a nice free addition to the HIPS category; like DefenseWall it also uses sandboxing for applications that access the internet.

Dealing with Suspicious Executables

You can run suspicious executables in a full featured Virtual Machine (such as VMware) or using a standalone sandbox utility (such as Sandboxie) if you are in doubt of what it may do (though, you may argue that you shouldn't be running executables you don't trust anyway). A more advanced approach to examining a suspicious executable is to run it through Anubis, a tool for analyzing the behavior of Windows executables. It displays a useful report with things the executable does (files read, registry modifications performed, etc.), which will give you insight as to how it works.

c. Malware Removal

I recommend running all malware removal utilities on-demand (not resident). With a firewall, virus scanner, HIPS, and some common sense, you won't usually get to the point of needing to remove malware... but sometimes things happen, perhaps unavoidably, and you'll need to remove some pretty nasty stuff from a computer.
Highly Recommended

Anti-Spyware
Spybot Search & Destroy
Spybot S&D has been around a long time, and is very effective in removing spyware and adware. I personally install and use both Spybot & Ad-Aware, but I believe that Spybot S&D has the current edge in overall detection and usability.

Anti-Trojan
Malwarebytes' Anti-Malware
Malwarebytes has a good trojan detector here, and scans fast.

Anti-Rootkit
Rootkit Unhooker
RKU is a very advanced rootkit detection utility.

Alternatives

Anti-Spyware
Ad-Aware Free Edition
Ad-Aware is a fine alternative to Spybot S&D; its scanning engine is slower but it is both effective and popular.

Anti-Trojan
a-squared (a2) Free
a-squared is a highly reputable (and free) trojan scanner.

Anti-Rootkit
IceSword (Mirror)
IceSword is one of the most capable and advanced rootkit detectors available.

5. Information and Data Security

Data can be reasonably protected using encryption and a strong password, but you will never have complete and absolute anonymity on the internet as long as you have an IP address.

a. Privacy / Anonymity

Anonymity is elusive. Some of the following software can help you achieve a more anonymous internet experience, but you also must be vigilant in protecting your own personal information. If you use social networking sites, use privacy settings to restrict public access to your profile, and only 'friend' people you know in real life. Don't use (or make any references to) any of your aliases or anonymous handles on any websites that have any of your personal information (Facebook, Amazon, etc.). You should opt-out from information sharing individually for all banks and financial institutions you do business with using their privacy policy choices. You should opt-out of preapproved credit offers (US), unsolicited commercial mail and email (US, UK, CA), and put your phone numbers on the "Do Not Call" list (US, UK, CA).

Highly Recommended

Simply install and use Tor with Vidalia to surf the internet anonymously.
It's free; the only downside is it's not terribly fast, but it has fairly good anonymity, so it's a tradeoff. Keep in mind it's for anonymity, not for security, so make sure sites you put passwords in are SSL encrypted (and have valid SSL certificates), and remember that all traffic leaving the Tor exit node can be sniffed. You can use the Torbutton extension for Firefox to easily toggle on/off anonymous browsing. POP3/IMAP and P2P software won't work through Tor, so keep that in mind.

Portable Anonymous Browsing

The Tor Project now has a "Zero-Install Bundle" which includes Portable Firefox and Tor with Vidalia to surf anonymously from a USB memory stick pretty much anywhere with the internet. It also includes Pidgin with OTR for encrypted IM communications. Note: These won't protect you from Trojans/Keyloggers/Viruses on insecure public terminals. Never type important passwords or login to important accounts on a public computer unless it is absolutely necessary!

Alternatives

I2P functions similar to Tor, allowing you to surf the general internet with anonymity.
IPREDator $ is a VPN that can be used to anonymize P2P/BitTorrent downloads.
Freenet is notable, but not for surfing the general internet; it's its own network with its own content.

b. Encryption

For most people, encryption may be unnecessary. But if you have a laptop, or any sort of sensitive data (whether it be trade secrets, corporate documents, legal or medical documents) then you can't beat the kind of protection that encryption will offer. There are a variety of options available today, including a lot of software not listed here. A word to the wise: please, please don't fall for snake oil; use well established applications that use time tested (and unbroken) ciphers. Regardless of what software you use, the following "what to pick" charts will apply universally.
If you have to pick an encryption cipher: Best: AES (Rijndael) (128-bit block size) Better: Twofish (128-bit block size), Serpent (128-bit block size) Good: RC6 (128-bit block size) Depreciated: Blowfish (64-bit block size), CAST5 (CAST-128) (64-bit block size), Triple-DES (64-bit block size) When encrypting large volumes of data, it is important to pick a cipher that has a block size of at least 128-bytes. This affords you protection for up to 2^64x16 bytes (264 exabytes) . 64-bit block ciphers only afford protection of up to 2^32x8 bytes (32 gigabytes) so using it as a full disk or whole disk encryption cipher is not recommended. The depreciated list is only because some of you might be stuck using software that only supports older encryption methods, so I've ordered it from what I feel is best to worst (though all three that are on there are pretty time tested and if properly implemented, quite secure). If you have to pick a hash to use: Best: Whirlpool (512-bit) Better: SHA-512 (512-bit), SHA-256 (256-bit) Good: Tiger2/Tiger (192-bit), RIPEMD-160 (160-bit) Depreciated: RIPEMD-128, SHA-1, MD-5. With all the recent advances in cryptanalysis (specifically with work on hash collisions) These days I wouldn't trust any hash that is less than 160-bits on principle. To be on the safe side, use a 192-bit, 256-bit, or 512-bit hash where available. There will be cases where your only options are insecure hashes, in which case I've ordered the "depreciated" list from best to worst (they are all varying levels of insecure). Many older hashes (MD4, MD2, RIPEMD(original), and others) are totally broken, and are not to be used. A quick software rundown, these applications are popular and trusted: Highly Recommended Freeware Whole Disk Encryption TrueCrypt Based upon E4M, TrueCrypt is a full featured disk encryption suite, and can even be run off a USB memory stick. TrueCrypt supports the whole disk encryption of Windows, with pre-boot authentication. Very nice. 
If you can't use whole-disk encryption (WDE), you can use the TCTEMP add-on to encrypt your swapfile, temp files and print spooler, and you can use the TCGINA add-on to encrypt your windows home directory. (Note: TCTEMP/TCGINA is less secure than WDE, and only preferable if WDE is not an option. WDE is highly recommended.) Freeware PKI Encryption GnuPG (GPG) GnuPG provides public-key encryption, including key generation and maintenance, signing and checking documents and email messages, and encryption and decryption of documents and email messages. Freeware Email Encryption Enigmail Enigmail is truly a work of art, it integrates with GnuPG and provides seamless support for encryption and decryption of email messages, and can automatically check PGP signed documents for validity. (Enigmail requires both Mozilla Thunderbird and GnuPG) Alternatives Encryption Suite (with Whole Disk and Email Encryption) PGP Full Disk Encryption $ PGP provides public-key encryption, including key generation and maintenance, signing and checking documents and email messages, encryption and decryption of documents and email messages, volume disk encryption, whole disk encryption, outlook integration, and instant messenger encryption support. c. Backup, Erasure and Recovery // This section is under construction. Backups Your data might be safe from prying eyes, but what if you are affected by hardware failure, theft, flood or fire? Regular backups of your important data can help you recover from a disaster. You should consider encryption of your backups for enhanced security. Local Backup Cobian Backup Cobian Backup is a fully-featured freeware backup utility. SyncBack Freeware, Macrium Reflect Free SyncBack Freeware and Macrium Reflect Free are feature-limited freeware backup utilities. Off-site Backup SkyDrive (25GB, filesize limited to 100MB), box.net (5GB) SkyDrive and box.net offer free online storage, useful for easy offsite backups. 
Be sure to utilize encrypted containers for any sensitive documents. Data Destruction It would be better to have your data residing in an encrypted partition, but sometimes that may not be possible. When sanitizing a hard drive, I recommend using a quality Block Erase tool like DBAN followed by a run-through with ATA Secure Erase if you really want a drive squeaky clean. Block erasing is good for data you can normally reach, but ATA secure erase can hit areas of the drive block erasers can't. As for multiple overwrite passes, there is no proof that data overwritten even one time can be recovered by professional data recovery corporations. For moderate security, a single pseudorandom block-erase pass (random-write) followed by an ATA Secure Erase pass (zero-write) is sufficient to thwart any attempts at data recovery. For a high level of security, a "DoD Short (3 pass)" block-erase pass followed by an ATA Enhanced Secure Erase will ensure no recovery is possible. Single-File/Free Space Erase If you are interested in just erasing single files or wiping free space, you can use the Eraser utility. Block Erase For hard drive block-erasure, use DBAN. ATA Secure Erase For ATA Secure Erasing, use the CMRR Secure Erase Utility. CMRR Secure Erase Protocols (.pdf) http://cmrr.ucsd.edu...seProtocols.pdf NIST Guidelines for Media Sanitation (.pdf) - http://csrc.nist.gov...800-88_rev1.pdf File Recovery Software This is kind of the opposite of data destruction. Keep in mind no software utility can recover properly overwritten data, so if it's overwritten there is no recovery. Highly Recommended Recuva Recuva is an easy to use GUI-based recovery utility. Alternatives TestDisk and PhotoRec These tools are powerful command-line recovery utilities. TestDisk can recover partitions, and PhotoRec is for general file recovery. Ontrack EasyRecovery Professional $ EasyRecovery is one of the best paid utilites for file recovery. d. 
Access Control (Passwords, Security Tokens) // This section is under construction. Secure Passwords //Section under construction. Your security is only as strong as its weakest password. There are a few basic rules to follow when creating a strong password. Length - Passwords should be at least 12 characters long. When possible, use a password of 12 or more characters, or a "passphrase". If you are limited to using less than 12 characters, you should try and make your password as long as allowable. Complexity - Passwords should have an element of complexity, a combination of upper and lowercase characters, numbers, and symbols will make your passwords much harder to guess, and harder to bruteforce. Uniqueness - Passwords should avoid containing common dictionary words, names, birthdays, or any identification related to you (social security, drivers license, or phone numbers for example). Secret - If you have a password of the utmost importance, do not write it down. Do not type them in plain view of another person or share them with anyone. Avoid use of the same password in multiple places. Security Tokens Security Tokens are cryptographic devices that allow for two-factor authentication. Google Titan Yubikey 5 Series 6. Conclusion And here we are at the end! I would like to thank all of you for taking the time to read my guide, it's a few (slow) years in the making and I've kept it up to date. This guide is always changing, so check back from time to time. Revision 1.10.020 Copyright © 2004-2012 Malakai1911, All Rights Reserved The information contained within this guide is intended solely for the general information of the reader and is provided "as is" with absolutely no warranty expressed or implied. Any use of this material is at your own risk, its authors are not liable for any direct, special, indirect, consequential, or incidental damages or any damages of any kind. This guide is subject to change without notice. Windows_Security_Template__1.10.015_.zip
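A worked calculation behind the guide's "block size of at least 128 bits" advice in the encryption section above, added here as an example and not code from the guide or its author: it computes the birthday bound that the 32 gigabyte and 2^64x16 figures come from, and the much smaller volume a 64-bit block cipher can encrypt under one key if the collision risk is to stay below 2^-32 rather than one half. It assumes CBC-style reasoning, where two equal ciphertext blocks leak the XOR of their plaintexts; the function names are my own.

```go
package main

import (
	"fmt"
	"math/big"
)

// blockBytes converts a block size in bits to bytes (8 for 64-bit, 16 for 128-bit).
func blockBytes(blockBits uint) int64 { return int64(blockBits / 8) }

// safeVolumeBytes is the figure the guide quotes: the number of bytes a cipher
// can encrypt before 2^(n/2) blocks have been produced, the birthday bound at
// which two identical ciphertext blocks become likely. In CBC mode such a
// collision reveals the XOR of the two corresponding plaintext blocks.
func safeVolumeBytes(blockBits uint) *big.Int {
	blocks := new(big.Int).Lsh(big.NewInt(1), blockBits/2)
	return blocks.Mul(blocks, big.NewInt(blockBytes(blockBits)))
}

// collisionProbability approximates the chance that at least one pair of the
// q = dataBytes / blockBytes ciphertext blocks collides under a single key,
// using the birthday approximation p ~= q(q-1) / 2^(n+1).
func collisionProbability(blockBits uint, dataBytes *big.Int) float64 {
	q := new(big.Int).Div(dataBytes, big.NewInt(blockBytes(blockBits)))
	pairs := new(big.Int).Mul(q, new(big.Int).Sub(q, big.NewInt(1)))
	space := new(big.Int).Lsh(big.NewInt(1), blockBits+1)
	p, _ := new(big.Float).SetPrec(128).Quo(
		new(big.Float).SetPrec(128).SetInt(pairs),
		new(big.Float).SetPrec(128).SetInt(space)).Float64()
	if p > 1 {
		p = 1
	}
	return p
}

// volumeForRisk inverts the approximation: the number of bytes that can be
// encrypted under one key while keeping the collision probability at or
// below 2^-riskBits, i.e. q ~= sqrt(2^(n+1-riskBits)) blocks.
func volumeForRisk(blockBits, riskBits uint) float64 {
	exp := new(big.Int).Lsh(big.NewInt(1), blockBits+1-riskBits)
	q := new(big.Float).SetPrec(128).Sqrt(new(big.Float).SetPrec(128).SetInt(exp))
	v, _ := q.Mul(q, big.NewFloat(float64(blockBytes(blockBits)))).Float64()
	return v
}

func main() {
	gib32 := new(big.Int).Lsh(big.NewInt(1), 35) // 32 GiB, the guide's 64-bit figure
	for _, n := range []uint{64, 128} {
		fmt.Printf("%3d-bit blocks: birthday bound %s bytes, p(collision after 32 GiB) = %.3g, bytes for p <= 2^-32: %.3g\n",
			n, safeVolumeBytes(n), collisionProbability(n, gib32), volumeForRisk(n, 32))
	}
}
```

The 64-bit row shows why the guide warns against Blowfish, CAST5 and Triple-DES for whole-disk use: 32 GiB is where a collision is as likely as not, and under a one-in-four-billion risk budget the same cipher is limited to well under a megabyte per key.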
3. Though encryption is not a new topic, you might have heard of it online, while making purchases, etc. WhatsApp messages are protected with end-to-end encryption. Your credit card details, ID & password, and payment information are transferred over an encrypted network. You might have already read these things on various sites and services. So, every time you read about or heard of encryption, what was the first thing that came to your mind? Most people would think that encryption is complex, has something to do with security and only computer programmers or geeks can understand it. But it is not as complicated as you might be thinking right now. I mean the encryption techniques you may find hard to understand, but the basic essence of encryption and decryption is very simple.

So, What is Encryption?

In simple words, encryption is the process of encoding data in such a way that only the intended or authorized recipient can decode it. Encryption does not secure the data but it makes your data unreadable to other parties. Which means, even if an unauthorized person or hacker is able to read the network, he/she won't be able to make any sense out of it without the correct decryption key. The science of encryption and decryption is called cryptography.

Why is Encryption important?

In today's scenario, we perform a lot of data exchange online. When much of your personal information and financial transactions are processed via the Internet, no business or individual can afford to get their data stolen. Not only the financial data or business files; even the messages we exchange with our friends, the photos/files shared with family or emails sent to our clients, we need encryption for all of this data. Cybercrime is already at its peak. Nothing is really safe. We witness cases of identity theft on a daily basis. Keeping your personal data secure while using the system or at your end can be done. But when the same information is sent over the Internet, you want that information to be viewed only by the particular person and no one else. The data is first sent to the local network and then travels to the Internet Service Provider. Finally, the person for whom the information was meant receives it. Meanwhile, there are numerous people who can access the information that you are sending. That is the reason why encryption is important. Individuals use it to protect personal information, businesses use it to protect corporate secrets and governments use it to secure classified information.

Basic Encryption Techniques For Network Security You Should Know About

The strength of encryption is measured by its key size. No matter how strong an encryption algorithm is being used, the encrypted data can be subjected to brute force attacks. There are some basic encryption techniques that are used by online services and websites that you should know about.

1. AES (Advanced Encryption Standard)

Advanced Encryption Standard is a symmetric encryption technique. Symmetric encryption means it involves a secret key that could be a number, word or a string of random letters which is known to both sender and receiver. This secret key is applied to messages in a particular way after which the data becomes encrypted. As long as the sender and recipient know the secret key, encryption and decryption can be performed. AES is extremely efficient in 128-bit form and it uses 192 and 256 bits for encryption purposes. In present day cryptography, AES is widely supported in hardware and software with a built-in flexibility of key length. The security with AES is assured if and only if it is implemented correctly with the employment of good key management. AES-256 bit is a very heavy and strong encryption. Most governments use it.

2. Blowfish Encryption

Blowfish is a symmetric cipher technique ideal for domestic and exportable purposes, as this symmetric cipher splits messages into blocks of 64 bits each and then encrypts them individually. The Blowfish encryption technique can be used as a drop-in replacement for DES. The technique takes a variable length key varying from 32 bits to 448 bits. Blowfish is found in software categories ranging from e-commerce platforms securing passwords to various password management tools. It is one of the most flexible encryption methods available.

3. RSA Encryption

The Rivest Shamir Adleman (RSA) encryption technique is one of the most popular and secure public key encryption methods. This public key encryption technique is also known as asymmetric cryptography, which uses two keys, one public and one private. In the RSA encryption technique, both the public and private key can be used to encrypt the message. But for the decryption of the message, the opposite key to the one that has been used for encryption will be used. Most of the time, the data is encrypted with the public key and decrypted using the private key. The RSA encryption method assures the confidentiality, authenticity, integrity and non-repudiation of electronic communication and data storage.

4. Triple DES Encryption

The Triple DES encryption method is a more secure procedure of encryption as the encryption is done three times. The Triple DES encryption technique takes three keys each of 64 bits, so the overall key length is 192 bits. The data is encrypted with the first key, decrypted with the second key and then again encrypted with the third key. The procedure of decryption is somewhat the same as the procedure included in encryption except that it is executed in reverse.

5. Twofish Encryption

Twofish is a symmetric block cipher method, in which a single key is used for encryption and decryption. Twofish could be the best choice among the AES techniques, as this encryption technique is unique in terms of speed, flexibility, and conservative design. Twofish is a new encryption technique which is highly secure and flexible. This encryption technique works extremely well with large microprocessors, dedicated hardware, and 8-bit or 32-bit card processors. Also, the Twofish encryption technique can be used in network applications where keys tend to change frequently and in various applications with little or no ROM or RAM available.

6. DES Encryption

Data Encryption Standard (DES) is a symmetric block cipher which uses a 56-bit key to encrypt and decrypt 64-bit blocks of data. The same key is used to encrypt and decrypt the message, so both the sender and the receiver should know how to use the same private key. DES has been superseded by the more secure and advanced AES encryption technique and Triple DES encryption techniques.

7. IDEA Encryption

International Data Encryption Algorithm (IDEA) is another block cipher encryption technique that uses 52 subkeys, each 16 bits long. This technique was used in Pretty Good Privacy version 2.

Conclusion

Encryption is a standard method for making a communication private. The sender encrypts the message before sending it to another user. Only the intended recipient knows how to decrypt the message. Even someone eavesdropping on the communication would only see the encrypted messages, but not know how to decrypt them successfully. Thus, in order to ensure privacy in electronic communication, various encryption techniques and methods are used. With the growth of electronic commerce and the Internet, the issue of privacy has come to the forefront in electronic communication. In this era of the internet, where every kind of data is transferred in digital format, it is important that we know how our data is transferred, saved and used. Everyone must know about these basic encryption techniques. You can share this information with your friends and family to make them aware of encryption techniques.

Article source
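The article's AES (symmetric) and RSA (public key) sections describe the two halves that a real system combines. The following Go program, added here as an example and not code from the article, seals a message with AES-256-GCM under a fresh random key and wraps that key with RSA-OAEP, so only the holder of the private key can decrypt, and it shows that a ciphertext altered in transit is rejected rather than decrypted into garbage. The envelope struct, function names, header string and sample message are constructed for this example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"io"
)

// envelope is a container constructed for this example (not a standard format):
// the AES key wrapped with the recipient's RSA public key, the GCM nonce, and
// the ciphertext with its authentication tag appended.
type envelope struct {
	wrappedKey []byte
	nonce      []byte
	ciphertext []byte
}

// seal encrypts msg for the owner of pub. The bulk data uses AES-256-GCM under
// a fresh random key (the symmetric step); that key is then encrypted with
// RSA-OAEP (the "encrypt with the public key" step), so only the matching
// private key can recover it. aad is authenticated but not encrypted.
func seal(pub *rsa.PublicKey, msg, aad []byte) (*envelope, error) {
	key := make([]byte, 32) // 256-bit AES key
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // 96-bit nonce, never reused with this key
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, msg, aad)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	if err != nil {
		return nil, err
	}
	return &envelope{wrappedKey: wrapped, nonce: nonce, ciphertext: ct}, nil
}

// open reverses seal. It fails if the wrong private key is used or if any
// byte of the nonce, ciphertext or aad was altered, because GCM verifies the
// authentication tag before returning any plaintext.
func open(priv *rsa.PrivateKey, env *envelope, aad []byte) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, env.wrappedKey, nil)
	if err != nil {
		return nil, fmt.Errorf("unwrap key: %w", err)
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	pt, err := gcm.Open(nil, env.nonce, env.ciphertext, aad)
	if err != nil {
		return nil, fmt.Errorf("authentication failed: %w", err)
	}
	return pt, nil
}

// roundTrip is a self-check: encrypt, decrypt, then flip one ciphertext bit
// and confirm the tampered envelope is rejected.
func roundTrip(msg []byte) (recovered []byte, tamperRejected bool, err error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, false, err
	}
	aad := []byte("constructed-header:v1")
	env, err := seal(&priv.PublicKey, msg, aad)
	if err != nil {
		return nil, false, err
	}
	recovered, err = open(priv, env, aad)
	if err != nil {
		return nil, false, err
	}
	env.ciphertext[0] ^= 0x01 // simulate corruption or tampering in transit
	_, err = open(priv, env, aad)
	return recovered, err != nil, nil
}

func main() {
	msg := []byte("constructed sample message: payment of 42.00 to account 1234")
	got, rejected, err := roundTrip(msg)
	if err != nil {
		panic(err)
	}
	fmt.Printf("recovered matches: %v, tampered envelope rejected: %v\n",
		bytes.Equal(got, msg), rejected)
}
```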
4. Source

Flaws in Popular SSD Drives Bypass Hardware Disk Encryption
By Lawrence Abrams, November 5, 2018 01:56 PM

Researchers have found flaws that can be exploited to bypass hardware decryption without a password in well known and popular SSD drives. In a new report titled "Self-encrypting deception: weaknesses in the encryption of solid state drives (SSDs)", researchers Carlo Meijer and Bernard van Gastel from Radboud University explain how they were able to modify the firmware or use a debugging interface to modify the password validation routine in SSD drives to decrypt hardware encrypted data without a password.

The researchers tested these methods against well known and popular SSD drives such as the Crucial MX100, Crucial MX200, Crucial MX300, Samsung 840 EVO, Samsung 850 EVO, Samsung T3 Portable, and Samsung T5 Portable and were able to illustrate methods to access the encrypted drive's data.

"We have analyzed the hardware full-disk encryption of several SSDs by reverse engineering their firmware," stated the report. "In theory, the security guarantees offered by hardware encryption are similar to or better than software implementations. In reality, we found that many hardware implementations have critical security weaknesses, for many models allowing for complete recovery of the data without knowledge of any secret."

To make matters worse, as Windows' BitLocker software encryption will default to hard drive encryption if supported, it can be bypassed using the same discovered flaws.

Accessing encrypted files without knowing the password

To bypass decryption passwords, the researchers utilized a variety of techniques depending on whether debug ports were available, the ATA Security self-encrypting drive (SED) standard was being used, or if the newer TCG Opal SED specification was being used. These flaws were responsibly disclosed to Crucial and Samsung to give them time to prepare firmware updates. New firmware is available for Crucial SSD drives, while Samsung has only released new firmware for their T3 and T5 Portable SSD drives. For their non-portable drives (EVO), they recommend that users utilize software encryption instead.

Crucial MX 100, Crucial MX 200, & Samsung T3 Portable

For the Crucial MX 100, Crucial MX 200, and Samsung T3 Portable SSD drives, the researchers were able to connect to the drive's JTAG debugging interfaces and modify the password validation routine so that it always validates as successful regardless of the password that is entered. This allows them to enter any password and have the drive unlocked.

JTAG Interface

Crucial MX300 SSD Drive

The Crucial MX300 also has a JTAG debugging port, but it is disabled on the drive. Therefore, the researchers had to rely on a more complicated routine of flashing the device with a modified firmware that allows them to perform various routines, which ultimately allow them to either decrypt the password or authenticate to the device using an empty password.

Samsung 840 EVO and Samsung 850 EVO SSD Drives

Depending on which SED specification is used, the researchers were able to access the encrypted data by either connecting to the JTAG debug port and modifying the password validation routine or by using a wear-level issue that allows them to recover the cryptographic secrets needed to unlock the drive from a previously unlocked instance. The Samsung 850 EVO does not have the wear-level issue, so the researchers would need to rely on the modification of the password-validation routine through the debug port.

BitLocker fails by defaulting to hardware encryption

Most modern operating systems provide software encryption that allows a user to perform whole disk encryption. While the software decryption offered by Linux, macOS, Android, and iOS offers strong software encryption, BitLocker on Windows falls prey to the SSD flaw by defaulting to hardware encryption when available. When using BitLocker to encrypt a disk in Windows, if the operating system detects an SSD drive with hardware encryption, it will automatically default to using it. This allows drives encrypted by BitLocker using hardware encryption to be decrypted by the same flaws discussed above. BitLocker software encryption, on the other hand, has no known and verifiable flaws that allow users to bypass password authentication.

In order to prevent the use of SSD hardware encryption, the researchers suggest that users disable its use using a Windows Group Policy at "Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives" called "Configure use of hardware-based encryption for operating system drives".

Windows Policy to disable Hardware Encryption

This policy is also available for removable and fixed data drives and should be disabled for them as well to enforce software encryption. Before software encryption will be used, after you change these policies you must first completely decrypt the drive and then enable BitLocker again to use software encryption.

Update 11/6/18: Microsoft has issued an advisory related to BitLocker and the discovered flaws in SSD hardware encryption. This advisory contains mitigation information:

"Microsoft is aware of reports of vulnerabilities in the hardware encryption of certain self-encrypting drives (SEDs). Customers concerned about this issue should consider using the software only encryption provided by BitLocker Drive Encryption™. On Windows computers with self-encrypting drives, BitLocker Drive Encryption™ manages encryption and will use hardware encryption by default. Administrators who want to force software encryption on computers with self-encrypting drives can accomplish this by deploying a Group Policy to override the default behavior. Windows will consult Group Policy to enforce software encryption only at the time of enabling BitLocker."
  5. The common belief that encryption enables bad behavior primarily used by thieves, international terrorists, and other villainous characters is simply not true. Here's why. Encryption engenders passionate opinions and reactions from a variety of government regulators, technologists, and privacy and security advocates. It's become the de facto standard of online commerce and communication, embraced by technocrats and security pros everywhere. Conversely, some governments routinely seek to destabilize encryption through legislation, regulation, or dictatorial fiat. A common approach is to require device manufacturers and technology providers to implement "backdoors" in an attempt to break end-to-end encryption in order to surveil conversations deemed high risk. Such efforts are generally met with strong objections from privacy rights advocates. There is also an evolving focus on user privacy, perhaps most prominently triggered by the passage of the European Union's General Data Protection Regulation, but now surging in many other parts of the world. Regulations and user concerns are forcing shifts in technology vendor practices, for example: Apple's announcements at their recent Worldwide Developer Conference declaring data privacy as a fundamental human right that will be central to all Apple products; The pullback by Google to restrict third-party developers' access to Google user data that previously had been accessible; and Facebook amending its corporate privacy stance given numerous recent scandals. These threads are converging, putting encryption at the center of major business, government, and societal shifts. The fact is that encryption is a highly reliable method of safeguarding devices and information in the digital age. It is, in effect, the foundation of modern computing and collaboration. 
While it can't serve as a comprehensive security solution for all issues an enterprise may face, it does offer a powerful backstop when intrusions and breaches occur. For instance, you might think of encryption as relevant for protecting digital assets from being stolen. But cybercriminals are very savvy and continually up the cat-and-mouse security game; in reality, company assets are stolen every day. It's better to acknowledge that every asset, whether it resides on a corporate website, a government database, or elsewhere, is at risk of compromise. When compromise occurs, encryption is the last layer of defense, preventing thieves from utilizing what's been taken. Just in recent weeks, we've seen several reports of high-profile breaches involving sensitive customer information: A massive American Medical Collections Agency data breach ensnared data from medical testing giants Quest Diagnostics (11.9 million patient records) and Lab Corp (7.7 million patient records). Real estate title insurance giant First American Financial leaked hundreds of millions of digitized customer documents. There was also research published by Digital Shadows reporting 2.3 billion files stolen. Additional research from the vpnMentor research team revealed 11 million photos were exposed due to a misconfigured cloud service. While these breaches are filling headlines and causing ongoing customer worries, the situation would likely be quite different had these files been encrypted.

Encryption's Mistaken Beliefs & Unintended Consequences

If we consider government backdoor access demands, aside from the privacy concerns, imposing such actions actually could have unintended and contradictory consequences. For example, a government might compel a mobile phone manufacturer to install a backdoor that breaks encryption in high-risk situations such as terrorism incidents.
But once such a mechanism exists, it is implausible in this active cyber threat environment that only that government entity would be able to access and utilize it. Realistically, it will be utilized by both good and bad actors, and is ultimately likely to cause more problems than obviating the problem it was originally intended to solve. There are a few other common but erroneous beliefs about encryption that need to be dispelled. One is that because it's so hard to use, only sophisticated users can take advantage of it. Practically speaking, encryption is no longer just about locking down hard drives. It's now about protecting information at the point of creation and then being able to dynamically update policies around that data wherever it goes. Modern approaches can actually make this fairly simple to apply. Another mistaken belief is that encryption is easily breakable. While sophisticated nation-states can harness the significant processing power needed to decrypt protected assets, that's not a common situation. Frankly, it's just easier for attackers to move on to other targets with unencrypted data stores. Finally, there's a common belief that encryption enables a lot of bad behavior — that it's only used by thieves, international terrorists, and other villainous characters. This is simply not true. Encryption is actually central to our digital lives and enables trillions of dollars of secure commerce from banking transactions to the myriad online consumer and enterprise services we all utilize on a daily basis. Encryption forms the essential underpinning of our virtual world. With the emotion that often gets packed into discussions and decisions about how encryption should be used, it's important to pause, separate fact from fiction, and responsibly apply this powerful tool to advance the security of the systems and data that enable our modern lifestyles. Source
  6. Last week, Attorney General William Barr and FBI Director Christopher Wray chose to spend some of their time giving speeches demonizing encryption and calling for the creation of backdoors to allow the government access to encrypted data. You should not spend any of your time listening to them. Don’t be mistaken; the threat to encryption remains high. Australia and the United Kingdom already have laws in place that can enable those governments to undermine encryption, while other countries may follow. And it’s definitely dangerous when senior U.S. law enforcement officials talk about encryption the way Barr and Wray did. The reason to ignore these speeches is that DOJ and FBI have not proven themselves credible on this issue. Instead, they have a long track record of exaggeration and even false statements in support of their position. That should be a bar to convincing anyone—especially Congress—that government backdoors are a good idea. Barr expressed confidence in the tech sector’s “ingenuity” to design a backdoor for law enforcement that will stand up to any unauthorized access, paying no mind to the broad technical and academic consensus in the field that this risk is unavoidable. As the prominent cryptographer and Johns Hopkins University computer science professor Matt Green pointed out on Twitter, the Attorney General made sweeping, impossible-to-support claims that digital security would be largely unaffected by introducing new backdoors. Although Barr paid the barest lip service to the benefits of encryption—two sentences in a 4,000 word speech—he ignored numerous ways encryption protects us all, including preserving not just digital but physical security for the most vulnerable users. For all of Barr and Wray’s insistence that encryption poses a challenge to law enforcement, you might expect that that would be the one area where they’d have hard facts and statistics to back up their claims, but you’d be wrong. 
Both officials asserted it’s a massive problem, but they largely relied on impossible-to-fact-check stories and counterfactuals. If the problem is truly as big as they say, why can’t they provide more evidence? One answer is that prior attempts at proof just haven’t held up. Some prime examples of the government’s false claims about encryption arose out of the 2016 legal confrontation between Apple and the FBI following the San Bernardino attack. Then-FBI Director James Comey and others portrayed the encryption on Apple devices as an unbreakable lock that stood in the way of public safety and national security. In court and in Congress, these officials said they had no means of accessing an encrypted iPhone short of compelling Apple to reengineer its operating system to bypass key security features. But a later special inquiry by the DOJ Office of the Inspector General revealed that technical divisions within the FBI were already working with an outside vendor to unlock the phone even as the government pursued its legal battle with Apple. In other words, Comey’s statements to Congress and the press about the case—as well as sworn court declarations by other FBI officials—were untrue at the time they were made. Wray, Comey’s successor as FBI Director, has also engaged in considerable overstatement about law enforcement’s troubles with encryption. In congressional testimony and public speeches, Wray repeatedly pointed to almost 8,000 encrypted phones that he said were inaccessible to the FBI in 2017 alone. Last year, the Washington Post reported that this number was inflated due to a “programming error.” EFF filed a Freedom of Information Act request, seeking to understand the true nature of the hindrance encryption posed in these cases, but the government refused to produce any records. But in their speeches last week, neither Barr nor Wray acknowledged the government’s failure of candor during the Apple case or its aftermath. They didn’t mention the case at all. 
Instead, they ask us to turn the page and trust anew. You should refuse. Let’s hope Congress does too. Source: The EFF
  7. NEW YORK (AP) — U.S. Attorney General Bill Barr said Tuesday that increased encryption of data on phones and computers and encrypted messaging apps are putting American security at risk. Barr’s comments at a cybersecurity conference mark a continuing effort by the Justice Department to push tech companies to provide law enforcement with access to encrypted devices and applications during investigations. “There have been enough dogmatic pronouncements that lawful access simply cannot be done,” Barr said. “It can be, and it must be.” The attorney general said law enforcement is increasingly unable to access information on devices, and between devices in the virtual world, even with a warrant supporting probable cause of criminal activity. Barr said that terrorists and cartels often will switch mid-communication to an encrypted application to plan especially deadly operations. He described a transnational drug cartel’s use of WhatsApp group chat to specifically coordinate murders of Mexico-based police officials. Gail Kent, Facebook’s global public policy lead on security, recently said that allowing the government’s ability to gain access to encrypted communications would jeopardize cybersecurity for millions of law-abiding people who rely on it. WhatsApp is owned by Facebook. “It’s impossible to create any backdoor that couldn’t be discovered, and exploited, by bad actors,” Kent said. Kent said changing encryption practices won’t stop bad actors from using encrypted devices or applications on other services that might pop up to enable this. Encrypted communications are ones that are only available to users on either end of the communications. The increasing use of this technology has long been coined by the Justice Department as the “going dark” problem. The remarks acknowledged the need for encryption to ensure overall cybersecurity that has enabled people to bank relatively securely online and engage in e-commerce. 
Barr said that to date, law enforcement in Garland, Texas, have been unable to access 100 instant messages sent between terrorists who carried out an attack there. “The status quo is exceptionally dangerous, it is unacceptable and only getting worse,” Barr said. “It’s time for the United States to stop debating whether to address it and start talking about how to address it.” Ex-FBI director James Comey championed the need for a law enforcement workaround to encrypted devices and communications. He led a highly publicized push to gain access to an iPhone belonging to a perpetrator of a terrorist attack in San Bernardino, California, that killed 14 people in 2015. From the Senate floor on Tuesday, Sen. Ron Wyden, D-Ore., responded to Barr’s remarks in New York calling it an “outrageous, wrongheaded and dangerous proposal.” Wyden said Barr wants to “blow a hole” in a critical security feature for Americans’ digital lives by trying to undermine strong encryption and advocating for government backdoors into the personal devices of Americans. He said strong encryption helps keep health records, personal communications and other sensitive data secure from hackers. “Once you weaken encryption with a backdoor, you make it far easier for criminals, hackers and predators to get into your digital life,” Wyden said. He said he fears and expects that Barr and President Donald Trump would abuse the power to break encryption if they were allowed to do so. Given their records “it is clear to me that they cannot be trusted with this kind of power,” Wyden said. Source
  8. If you want to secure the data on your computer, one of the most important steps you can take is encrypting its hard drive. That way, if your laptop gets lost or stolen—or someone can get to it when you're not around—everything remains protected and inaccessible. But researchers at the security firm F-Secure have uncovered an attack that uses a decade-old technique, which defenders thought they had stymied, to expose those encryption keys, allowing a hacker to decrypt your data. Worst of all, it works on almost any computer.

To get the keys, the attack uses a well-known approach called a "cold boot," in which a hacker shuts down a computer improperly—say, by pulling the plug on it—restarts it, and then uses a tool like malicious code on a USB drive to quickly grab data that was stored in the computer's memory before the power outage. Operating systems and chipmakers added mitigations against cold boot attacks 10 years ago, but the F-Secure researchers found a way to bring them back from the dead.

In Recent Memory

Cold boot mitigations in modern computers make the attack a bit more involved than it was 10 years ago, but a reliable way to decrypt lost or stolen computers would be extremely valuable for a motivated attacker—or one with a lot of curiosity and free time. "If you get a few moments alone with the machine, the attack is a very reliable way to extract secrets from the memory," says Olle Segerdahl, principal security consultant at F-Secure. "We tested it on a number of different makes and models and found that the attack is effective and reliable. It's a bit invasive because it involves unscrewing the case and connecting some wires, but it's pretty quick and very doable for a knowledgeable hacker. It's not super technically challenging." 
Segerdahl notes that the findings have particular implications for corporations and other institutions that manage a large number of computers, and could have their whole network compromised off of one lost or stolen laptop.

To carry out the attack, the F-Secure researchers first sought a way to defeat the industry-standard cold boot mitigation. The protection works by creating a simple check between an operating system and a computer's firmware, the fundamental code that coordinates hardware and software for things like initiating booting. The operating system sets a sort of flag or marker indicating that it has secret data stored in its memory, and when the computer boots up, its firmware checks for the flag. If the computer shuts down normally, the operating system wipes the data and the flag with it. But if the firmware detects the flag during the boot process, it takes over the responsibility of wiping the memory before anything else can happen.

Looking at this arrangement, the researchers realized a problem. If they physically opened a computer and directly connected to the chip that runs the firmware and the flag, they could interact with it and clear the flag. This would make the computer think it shut down correctly and that the operating system wiped the memory, because the flag was gone, when actually potentially sensitive data was still there. So the researchers designed a relatively simple microcontroller and program that can connect to the chip the firmware is on and manipulate the flag. From there, an attacker could move ahead with a standard cold boot attack. Though any number of things could be stored in memory when a computer is idle, Segerdahl notes that an attacker can be sure the device's decryption keys will be among them if she is staring down a computer's login screen, which is waiting to check any inputs against the correct ones. 
Cold Case

Because of the threat posed by this type of attack, Segerdahl says that institutions should keep careful track of all their devices so they can take action if one is reported lost or stolen. No matter how big an organization is, IT managers need to be able to revoke VPN credentials, Wi-Fi certificates, and other authenticators that let devices access the full network to minimize the fallout if a missing device is compromised. Another potential protection involves setting computers to automatically shut down when idle rather than going to sleep and then using a disk encryption tool—like Microsoft's BitLocker—to require an extra PIN when a computer turns on, before the operating system actually boots. This way there's nothing in memory yet to steal. If you're worried about leaving your computer unsupervised, tools that monitor for physical interactions with a device—like the Haven mobile app and Do Not Disturb Mac application—can help notify you about unwanted physical access to a device. Intrusions like the cold boot technique are often called "evil maid" attacks.

The researchers notified Microsoft, Apple, and Intel about their findings. Microsoft has released updated guidance on using BitLocker to manage the problem. “This technique requires physical access. To protect sensitive info, at a minimum, we recommend using a device with a discrete Trusted Platform Module (TPM), disabling sleep/hibernation and configuring BitLocker with a Personal Identification Number,” Jeff Jones, a senior director at Microsoft said. Segerdahl says, though, that he doesn't see a quick way to fix the larger issue. Operating system tweaks and firmware updates could make the flag-check process more resilient, but since attackers are already accessing and manipulating the firmware as part of the attack, they could simply downgrade updated firmware back to a vulnerable version. 
As a result, Segerdahl says, long-term mitigations require physical design changes that make it harder for an attacker to manipulate the flag check. Apple has already created one such solution through its T2 chip in new iMacs. The scheme separates certain crucial processes on a dedicated, secure chip away from the main processors that run general firmware and the operating system. Segerdahl says that though the renewed cold boot attack works on most Macs, the T2 chip does successfully defeat it. An Apple spokesperson also suggested that users could set a firmware password to prevent unauthorized access, and that the company is exploring how to protect Macs that don't have a T2. Intel declined to comment on the record.

"This is only fixable through hardware updates," says Kenn White, director of the Open Crypto Audit Project, who did not participate in the research. "Physical access is a constant cat-and-mouse game. The good news for most people is that 99.9 percent of thieves would just sell a device to someone who would reinstall the OS and delete your data." For institutions with valuable data or individuals carrying sensitive information, though, the risk will continue to exist on most computers for years to come. Source
  9. By Edward Snowden In every country of the world, the security of computers keeps the lights on, the shelves stocked, the dams closed, and transportation running. For more than half a decade, the vulnerability of our computers and computer networks has been ranked the number one risk in the US Intelligence Community’s Worldwide Threat Assessment – that’s higher than terrorism, higher than war. Your bank balance, the local hospital’s equipment, and the 2020 US presidential election, among many, many other things, all depend on computer safety. And yet, in the midst of the greatest computer security crisis in history, the US government, along with the governments of the UK and Australia, is attempting to undermine the only method that currently exists for reliably protecting the world’s information: encryption. Should they succeed in their quest to undermine encryption, our public infrastructure and private lives will be rendered permanently unsafe. In the simplest terms, encryption is a method of protecting information, the primary way to keep digital communications safe. Every email you write, every keyword you type into a search box – every embarrassing thing you do online – is transmitted across an increasingly hostile internet. Earlier this month the US, alongside the UK and Australia, called on Facebook to create a “backdoor”, or fatal flaw, into its encrypted messaging apps, which would allow anyone with the key to that backdoor unlimited access to private communications. So far, Facebook has resisted this. If internet traffic is unencrypted, any government, company, or criminal that happens to notice it can – and, in fact, does – steal a copy of it, secretly recording your information for ever. If, however, you encrypt this traffic, your information cannot be read: only those who have a special decryption key can unlock it. 
I know a little about this, because for a time I operated part of the US National Security Agency’s global system of mass surveillance. In June 2013 I worked with journalists to reveal that system to a scandalised world. Without encryption I could not have written the story of how it all happened – my book Permanent Record – and got the manuscript safely across borders that I myself can’t cross. More importantly, encryption helps everyone from reporters, dissidents, activists, NGO workers and whistleblowers, to doctors, lawyers and politicians, to do their work – not just in the world’s most dangerous and repressive countries, but in every single country. When I came forward in 2013, the US government wasn’t just passively surveilling internet traffic as it crossed the network, but had also found ways to co-opt and, at times, infiltrate the internal networks of major American tech companies. At the time, only a small fraction of web traffic was encrypted: six years later, Facebook, Google and Apple have made encryption-by-default a central part of their products, with the result that today close to 80% of web traffic is encrypted. Even the former director of US national intelligence, James Clapper, credits the revelation of mass surveillance with significantly advancing the commercial adoption of encryption. The internet is more secure as a result. Too secure, in the opinion of some governments. Donald Trump’s attorney general, William Barr, who authorised one of the earliest mass surveillance programmes without reviewing whether it was legal, is now signalling an intention to halt – or even roll back – the progress of the last six years. WhatsApp, the messaging service owned by Facebook, already uses end-to-end encryption (E2EE): in March the company announced its intention to incorporate E2EE into its other messaging apps – Facebook Messenger and Instagram – as well. 
Now Barr is launching a public campaign to prevent Facebook from climbing this next rung on the ladder of digital security. This began with an open letter co-signed by Barr, UK home secretary Priti Patel, Australia’s minister for home affairs and the US secretary of homeland security, demanding Facebook abandon its encryption proposals. If Barr’s campaign is successful, the communications of billions will remain frozen in a state of permanent insecurity: users will be vulnerable by design. And those communications will be vulnerable not only to investigators in the US, UK and Australia, but also to the intelligence agencies of China, Russia and Saudi Arabia – not to mention hackers around the world. End-to-end encrypted communication systems are designed so that messages can be read only by the sender and their intended recipients, even if the encrypted – meaning locked – messages themselves are stored by an untrusted third party, for example, a social media company such as Facebook. The central improvement E2EE provides over older security systems is in ensuring the keys that unlock any given message are only ever stored on the specific devices at the end-points of a communication – for example the phones of the sender or receiver of the message – rather than the middlemen who own the various internet platforms enabling it. Since E2EE keys aren’t held by these intermediary service providers, they can no longer be stolen in the event of the massive corporate data breaches that are so common today, providing an essential security benefit. In short, E2EE enables companies such as Facebook, Google or Apple to protect their users from their scrutiny: by ensuring they no longer hold the keys to our most private conversations, these corporations become less of an all-seeing eye than a blindfolded courier. 
It is striking that when a company as potentially dangerous as Facebook appears to be at least publicly willing to implement technology that makes users safer by limiting its own power, it is the US government that cries foul. This is because the government would suddenly become less able to treat Facebook as a convenient trove of private lives. The true explanation for why the US, UK and Australian governments want to do away with end-to-end encryption is less about public safety than it is about power: E2EE gives control to individuals and the devices they use to send, receive and encrypt communications, not to the companies and carriers that route them. This, then, would require government surveillance to become more targeted and methodical, rather than indiscriminate and universal. What this shift jeopardises is strictly nations’ ability to spy on populations at mass scale, at least in a manner that requires little more than paperwork. By limiting the amount of personal records and intensely private communications held by companies, governments are returning to classic methods of investigation that are both effective and rights-respecting, in lieu of total surveillance. In this outcome we remain not only safe, but free.

To justify its opposition to encryption, the US government has, as is traditional, invoked the spectre of the web’s darkest forces. Without total access to the complete history of every person’s activity on Facebook, the government claims it would be unable to investigate terrorists, drug dealers, money launderers and the perpetrators of child abuse – bad actors who, in reality, prefer not to plan their crimes on public platforms, especially not on US-based ones that employ some of the most sophisticated automatic filters and reporting methods available.

• Edward Snowden is a former CIA officer and whistleblower, and author of Permanent Record. He is president of the board of directors of the Freedom of the Press Foundation. Source
  10. from the with-an-eye-on-undermining-all-encrypted-messaging-services dept

The DOJ's war on encryption continues, this time in a secret court battle involving Facebook. The case is under seal so no documents are available, but Reuters has obtained details suggesting the government is trying to compel the production of encryption-breaking software. The request seeks Facebook's assistance in tapping calls placed through its Messenger service. Facebook has refused, stating it simply cannot do this without stripping the protection it offers to all of its Messenger users. The government disagrees and has asked the court for contempt charges.

Underneath it all, this is a wiretap order -- one obtained in an MS-13 investigation. This might mean the government hasn't used an All Writs Act request, but is rather seeking to have the court declare Messenger calls to be similar to VoIP calls. If so, it can try to compel the production of software under older laws and rulings governing assistance of law enforcement by telcos. Calls via Messenger are still in a gray area. Facebook claims calls are end-to-end encrypted so it cannot -- without completely altering the underlying software -- assist with an interception. Regular messages via Facebook's services can still be decrypted by the company but voice calls appear to be out of its reach.

Obviously, the government would very much like a favorable ruling from a federal judge. An order to alter this service to allow interception or collection could then be used against a number of other services offering end-to-end encryption. It's unknown what legal options Facebook has pursued, but it does have a First Amendment argument to deploy, if nothing else. If code is speech -- an idea that does have legal precedent -- the burden falls on the government to explain why it so badly needs to violate a Constitutional right with its interception request. This is a case worth watching. 
However, unlike the DOJ's very public battle with Apple in the San Bernardino case, there's nothing to see. I'm sure Facebook has filed motions to have court documents unsealed -- if only to draw more attention to this case -- but the Reuters article says there are currently no visible documents on the docket. (The docket may be sealed as well.) There is clearly public interest in this case, so the presumption of openness should apply. So far, that hasn't worked out too well for the public. And if the DOJ gets what it wants, that's not going to work out too well for the public either. Source
  11. The RIAA and other music groups recently accused youtube-dl and related stream-ripping tools of circumventing YouTube's 'rolling cipher' protection. While that may sound complex, anyone can download full audio and video files from YouTube, using nothing more than a web browser. It's surprisingly easy and we failed to spot any ciphers.

Downloading audio and video from YouTube is generally not allowed, as the video service clearly states in its terms of service. Despite this restriction, there are numerous ‘stream-ripping’ tools available on the web that do just that. These tools have legal uses but they are also a thorn in the side of music industry outfits, who see them as a major piracy threat. That was illustrated once again last week when an RIAA takedown notice wiped youtube-dl off GitHub.

The Rolling Cipher

According to the RIAA, youtube-dl violates the DMCA’s anti-circumvention provisions because it bypasses YouTube’s ‘rolling cipher’ technical protection measure. That sounds rather complicated, but publicly little is known about how it works. To find out more we reached out to YouTube, which didn’t respond to our inquiry. However, we did find out more about the ‘rolling cipher’ in a judgment from a German court in Hamburg. This 2017 verdict was explicitly mentioned in the RIAA’s takedown request to GitHub. At the Hamburg court, copyright holders argued that YouTube’s ‘rolling cipher’ is an effective technological protection measure under EU law. It’s so complex that average users can’t decipher it. “In the case of the video at issue, the user would have to filter out the 22 encoded URLs from a total of 72,338 characters, then find the ‘S variable’ of each URL, decipher it – using the respectively valid, because changing key – and then the newly generated URL use to get the video,” their argument was. 
In the 2017 verdict, the court went along with this assessment ruling that encryption by the so-called “S variable” or “rolling cipher” is a technical measure within the meaning of Germany’s Copyright Act.

DIY Downloading From YouTube

At TorrentFreak, we have relatively little knowledge about encryption, so it would be impossible for us to bypass this ‘rolling cipher,’ one would think. However, after a few Google searches, we learned that pretty much every browser can do this by default. Once you know the trick it takes only 20 seconds or so to download the audio or video from any YouTube clip, using only a browser and no dedicated ripping tools. Our ‘deciphering’ quest started in Chrome but works in Firefox and other browsers as well. Because we don’t want any trouble, we used Dubioza Kolektiv’s Pirate Bay song as the test video. When that was loaded up, we opened Chrome’s devtools inspector, and navigated to the ‘network’ tab. The devtools inspector shows you what requests are made by a page. When we filter for the keyword ‘audio’, several URLs appear, all pointing to chopped up audio streams from the YouTube video. Without any encryption knowledge, we opened one of these streams in a separate browser tab. As expected, this didn’t immediately bring up the full audio with the Pirate Bay song. That requires the extra step of removing the last part of the URL, which starts with “range=”. When that’s done the audio clip shows up in full and it can be played just fine. In fact, Chrome even offers the option to download it. While we didn’t dare to go that far, we heard that it indeed saves just fine. And when the ‘weba’ extension is renamed to MP3, it will play offline too.

Downloading From YouTube is Easy

So there we have it. In just a few clicks and keystrokes we managed to bypass YouTube’s copyright protection using a browser. We didn’t see any rolling cipher in the process and anyone can do it. 
That brings us back to the RIAA’s takedown request and the cited court verdict, which said that “an average user is not able to access the video info file, let alone decipher it.” Either we are geniuses or the court’s statement is wrong, at least for the present situation. The above is the simple conclusion, but there’s more to it, which gets a bit technical.

But Where’s the Encryption?

After talking to several experts we learned that YouTube uses different ‘signatures’ for video URLs. Most have a fixed “sig” parameter, but there are also others that use an “s” parameter. In the latter cases, the player’s JavaScript is called with this “s” parameter which varies (or ‘rolls’). That parameter shuffling is likely what rightsholders refer to with a ‘rolling cipher.’ However, this doesn’t involve any real encryption and youtube-dl doesn’t use it, as it simply executes the JavaScript code with a JavaScript interpreter, much like a browser does. Over the past weeks, dozens of experts have chimed in about the legality or illegality of tools such as youtube-dl. We are not going to add to this, as these questions are ultimately up to a court to decide.

Stream-Rippers are Not Needed

What our little quest shows, however, is that there doesn’t appear to be any encryption to stop average users from downloading files in a browser. Anyone can download audio and video from YouTube without a dedicated stream-ripping tool. That leads us to the final question, which we will leave unanswered. Or perhaps it answers itself. If youtube-dl is violating the DMCA because it allows people to download audio from YouTube, should browsers such as Chrome be outlawed as well? Source: TorrentFreak
  12. There’s a story in the Washington Post “Cybersecurity 202” newsletter that confirms that the Department of Justice is capitalizing on the techlash in order to build up congressional support for the DOJ’s long-desired goal of legislation that will restrict your freedom to encrypt your data and communications. The Post reports that, according to assistant attorney general for national security John Demers, the DOJ has given up hope that tech companies will “voluntarily” backdoor their own encryption, as the agency had been pressing them to do since around 2016. Instead, the DOJ is now “focusing on getting legislation that forces companies to cooperate – and is hoping encryption-limiting laws in Australia and the United Kingdom will ease the path for a similar law in the United States.” Why now? What’s changed since 2016, when we had the great Apple vs. FBI showdown? According to Demers, two things: (1) the “techlash” by Congress and the public “in the wake of myriad privacy scandals” and the 2016 election; and (2) Australia’s 2018 passage of the Assistance and Access Act, which followed on the heels of similar legislation in the United Kingdom in 2016. Demers “hopes these laws will create a model for how lawmakers in the United States might limit encryption.” These two factors lay out, straight from the horse’s mouth, what I’ve been saying for a while. It comes as something of a relief for a high-ranking DOJ official to finally acknowledge publicly the playbook I could see they were running to try to get Congress to finally ban strong encryption. That doesn’t mean I’m happy about it. I explained last month that the techlash has now gained enough momentum that law enforcement may have a fighting chance of getting its anti-encryption wish, under the guise of protecting children, in the form of a terrible bill called the EARN IT Act. 
That bill doesn’t look much like Australia’s Assistance and Access Act or the UK’s IP Act -- in fact it doesn’t mention the word “encryption” at all -- but right now it’s the lead contender for the DOJ to get an “encryption-limiting law” passed in the U.S. Exploiting the techlash is a strategy I’ve been calling law enforcement out for since October 2017. It’s incredibly frustrating for me to see that this obvious ploy is working so well. AAG Demers admitted that the DOJ thinks it can persuade congressmembers to be angry at tech companies over encryption because they’re already mad at those companies for violating users’ privacy. But this, let’s call it, transitive rage contradicts itself. Why? Because encryption protects user privacy. It doesn’t just do that; indeed, information security experts have had to push back for years against the overly simplistic “security versus privacy” framing to emphasize that the encryption debate is primarily a question of “security versus security.” Nevertheless, privacy certainly is one of the main interests that encryption protects. And it doesn’t just shield your data and conversations from criminals and snoops: it can even shield them from the eyes of the entity that provided the encryption. For example, when you use a chat app such as WhatsApp that end-to-end encrypts your conversations by default, not even the app provider (Facebook, in the case of WhatsApp) can read your messages or listen in on your calls. So, if you’re mad at Facebook for invading your privacy, you should be glad that they use encryption that prevents them from snooping on your WhatsApp conversations, and that they’re planning the same for their other messaging services too. Thus, the DOJ’s strategy is obviously just trying to sow confusion among the public and Congress by mixing up the issues: conflating tech companies’ privacy violations with tech companies’ privacy-protective encryption, as I pointed out in a recent press article. 
Even Senator Graham, the author of the EARN IT Act bill, admitted in that very same article that this doesn’t make any sense: “When asked whether he saw any tension between Capitol Hill’s ongoing effort to pass privacy legislation and its burgeoning push to mandate encryption backdoors,” Graham admitted he saw “‘a lot.’” So, if even Senator Graham can see through the DOJ’s ploy to elicit what I’m calling transitive rage, why is it working? The answer might be: children. Per the Post today (and me last fall), “Justice officials have also shifted their messaging on encryption, talking less about the danger of terrorists recruiting and planning operations outside law enforcement's view and more about the threat of a surge in child predators sharing illicit images or luring children on social media.” Congress seems receptive to this child-safety messaging. Legislators expect Big Tech to protect the privacy of users, including children. Encryption shields users’ privacy. Simultaneously, they also expect Big Tech to be able to detect the bad guys on their services, including those who are hurting children. But encryption shields the bad guys too. How to resolve this dilemma? Previously, the answer from Congress was “do nothing,” both on passing an anti-encryption law -- something for which Congress has heretofore shown no appetite -- and on passing comprehensive federal privacy legislation. But the tide has shifted, the Hill is awash in the techlash, and the DOJ has succeeded in equating being pro-encryption with being anti-child safety. If pedophiles benefit from strong encryption built in by default to popular software and devices, then, according to Senator Graham, nobody should get that benefit anymore. (Never mind that it won’t work out the way he thinks.) In a Congress already dithering over passing a federal privacy law, the child safety rationale may prevail, at the expense of the many interests that encryption protects -- privacy not least among them. 
Maybe Graham, in acknowledging the dilemma of demanding both privacy and encryption backdoors simultaneously, was really just tacitly admitting that when 327 million Americans’ privacy is pitted against the rhetorical power of “think of the children,” privacy loses. Overall, the attitude from Congress in 2020 seems to be, to paraphrase Michael Pollan: “Protect users. Not too much. Mostly kids.” It is likewise unsurprising yet disappointing that DOJ views Australia’s stupid law as clearing the way to make anti-encryption legislation palatable to the U.S. Congress. In October 2018, I warned that the passage of the Australian law (then a pending bill) would likely have a domino effect on other Five Eyes countries, including the U.S. By passing the bill in December 2018, “Australia set an example of a Western democracy passing legislation that undermined encryption, making it look like that’s normal and OK,” I said last summer. It’s not OK, even if it becomes normal. Of the DOJ officials currently rejoicing over the opening Australia and the UK have given them to finally shove anti-encryption legislation through Congress, how many have ever said to their children, “And if all your friends jumped off a bridge, would you jump too?” The DOJ wants the U.S. to take a blinkered view of how governments should handle the topic of encryption. In July 2018, I had predicted that the DOJ would place itself in an echo chamber where it would listen to “only other countries whose governments have adopted anti-encryption stances,” specifically Australia and the UK, while ignoring countries that have come out more strongly in favor of encryption, such as Germany. That seems to be what’s happening now: the DOJ wants America to imitate Australia, when Germany’s federal Office of Information Security just today issued a set of proposed requirements for smartphones that require full-disk encryption. This shows that another way is possible than the path chosen by the UK and Australia. 
The German approach may have much to teach the U.S. It is dangerous for DOJ to urge Congress to stick its head in the sand and refuse to listen. Yet here we are. With the disastrous EARN IT Act bill about to drop, the DOJ is openly and pointedly taking the gloves off in the encryption fight. But make no mistake: once the DOJ throws its knock-out punch, it’ll be your privacy and security that hit the floor. Source
  13. The FBI will be able to snoop on your free Zoom calls, unless you pay for the company’s premium service, which offers end-to-end encryption.

In brief

  • Zoom is building end-to-end encryption for its video calls, but only for its premium users.
  • The decision to keep free calls encrypted was in order to comply with the FBI.
  • Zoom may allow users to verify their ID to get access to such encryption in the future.

Communications company Zoom has no intentions of adding end-to-end encryption to Zoom calls for its free users, in order to appease the FBI. Meanwhile, it is developing such end-to-end encryption for its commercial clients, thanks to its acquisition of Keybase last month.

"Free users for sure we don't want to give that because we also want to work together with FBI, with local law enforcement in case some people use Zoom for a bad purpose," Zoom CEO Eric Yuan said during a Zoom conference call on Wednesday.

Zoom has morphed into an indispensable service amid the coronavirus outbreak. With citizens in lockdown, the typical meetings of the 9-5 grind have migrated online. But while this has been a significant boon for the communications firm, it hasn't been without its pitfalls. In recent months Zoom's security protocols have come under tremendous strain. This global stress test exposed a myriad of security issues and provoked privacy snafus in excess. In April, the company's claimed method of end-to-end encryption was deflated, as it was found that Zoom had access to unencrypted user data. Soon after, reports revealed that hackers could steal passwords from Zoom's vulnerable Windows client.

Zooming off

This news isn't sitting too well with some. Businesses have already started boycotting Zoom in opposition to the service's lack of privacy controls. Most notable was SpaceX, which banned its employees from using Zoom in April, citing "significant privacy and security concerns." Now, after this latest apparent affront, others are jumping on the bandwagon.
"I just cancelled my @zoom_us subscription for my law firm, which I had recently purchased to assist with doing remote consultations with clients during the COVID-19 lockdown," tweeted attorney Joel Alan Gaffney in response to Zoom's announcement. Journalist Adam L. Penenberg also condemned the move. "Because people who can afford to pay for Zoom don't commit crimes?" he quipped. Nevertheless, according to a Zoom spokesperson speaking to The Independent, the company intends to provide end-to-end encryption to users who verify their identity. Whether this will extend to free users is unknown—but there may still be hope yet. Source
  14. Senator Wyden puts surveillance nerve-center on blast

It's said the NSA drew up a report on what it learned after a foreign government exploited a weak encryption scheme, championed by the US spying agency, in Juniper firewall software. However, curiously enough, the NSA has been unable to find a copy of that report.

On Wednesday, Reuters reporter Joseph Menn published an account of US Senator Ron Wyden's efforts to determine whether the NSA is still in the business of placing backdoors in US technology products.

Wyden (D-OR) opposes such efforts because, as the Juniper incident demonstrates, they can backfire, thereby harming national security, and because they diminish the appeal of American-made tech products. But Wyden's inquiries, as a member of the Senate Intelligence Committee, have been stymied by lack of cooperation from the spy agency and the private sector.

In June, Wyden and various colleagues sent a letter to Juniper CEO Rami Rahim asking about "several likely backdoors in its NetScreen line of firewalls." Juniper acknowledged in 2015 that “unauthorized code” had been found in ScreenOS, which powers its NetScreen firewalls. It's been suggested that the code was in place since around 2008.

The Reuters report, citing a previously undisclosed statement to Congress from Juniper, claims that the networking biz acknowledged that "an unnamed national government had converted the mechanism first created by the NSA."

Wyden staffers in 2018 were told by the NSA that a "lessons learned" report about the incident had been written. But Wyden spokesperson Keith Chu told Reuters that the NSA now claims it can't find the file. Wyden's office did not immediately respond to a request for comment.

The reason this malicious code was able to decrypt ScreenOS VPN connections has been attributed to Juniper's "decision to use the NSA-designed Dual EC Pseudorandom Number Generator." The company has yet to clarify exactly why it made that decision.
Juniper did not respond to a request for comment.

When former NSA contractor Edward Snowden leaked agency secrets in 2013, Reuters reported that years earlier security firm RSA, now part of storage biz EMC, had accepted a $10m contract with the NSA to use Dual Elliptic Curve, or Dual EC, encryption. RSA at the time denied some of the claims without disputing the existence of the contract.

The NSA had been keen to see Dual EC adopted and worked with the US Commerce Department to promote it. But in 2007, two Microsoft researchers reported there were serious flaws with the Dual Elliptic Curve Deterministic Random Bit Generator that led it to produce weak cryptography. By 2014, US standards agency NIST withdrew support for Dual EC.

Juniper at some point between 2008 and 2009 appears to have added Dual EC support to its products at the request of "a single customer," widely believed to be the NSA.

After Snowden's disclosures about the extent of US surveillance operations in 2013, the NSA is said to have revised its policies for compromising commercial products. Wyden and other lawmakers have tried to learn more about these policies but they've been stonewalled, according to Reuters.

The NSA also declined to provide backdoor policy details to Reuters, stating that it doesn't share "specific processes and procedures." The news agency says three former senior intelligence officials have confirmed that NSA policy now requires a fallout plan with some form of warning in the event an implanted back door gets discovered and exploited.

The Register asked the NSA to comment. We've not heard back. Source
  15. This article has been updated with a comment from Facebook.

The governments of seven countries are calling on Facebook and other tech firms to do the technically impossible - to weaken encryption by giving law enforcement access to messages, whilst not reducing user safety.

The governments of the U.S., U.K., Australia, New Zealand, Canada, India and Japan have issued the joint statement which pleads with Facebook specifically, as well as other tech firms, to drop “end-to-end encryption policies which erode the public’s safety online”.

The governments once again raise the issue of child abusers and terrorists using encrypted services such as WhatsApp to send messages without fear of content being intercepted.

“We owe it to all of our citizens, especially our children, to ensure their safety by continuing to unmask sexual predators and terrorists operating online,” the U.K.’s home secretary, Priti Patel, said in a statement. “It is essential that tech companies do not turn a blind eye to this problem and hamper their, as well as law enforcement’s, ability to tackle these sickening criminal acts. Our countries urge all tech companies to work with us to find a solution that puts the public’s safety first.”

Encryption muddle

Once again, the politicians seem unable to grasp one of the fundamental concepts of end-to-end encryption - that putting back doors into the encryption algorithms that allow security services to intercept messages effectively breaks the encryption.

According to the U.K. government’s statement, the “seven signatories of the international statement have made it clear that when end-to-end encryption is applied with no access to content, it severely undermines the ability of companies to take action against illegal activity on their own platforms”.

Yet, end-to-end encryption with the ability for third parties to intercept content is not end-to-end encryption in any meaningful sense.
Worse, by introducing back doors to allow security services to access content, it would compromise the entire encryption system.

Nevertheless, the “international intervention calls on tech companies to ensure there is no reduction in user safety when designing their encrypted services; to enable law enforcement access to content where it is necessary and proportionate; and work with governments to facilitate this.”

As has been pointed out to the governments many times before, what they are asking for is technically impossible. An open letter sent to several of the signatory countries by a coalition of international civil rights groups in 2019 made this very point.

“Proponents of exceptional access have argued that it is possible to build backdoors into encrypted consumer products that somehow let ‘good actors’ gain surreptitious access to encrypted communications, while simultaneously stopping ‘bad actors’ from intercepting those same communications,” the letter stated. “This technology does not exist.

“To the contrary, technology companies could not give governments backdoor access to encrypted communications without also weakening the security of critical infrastructure, and the devices and services upon which the national security and intelligence communities themselves rely.”

“Critical infrastructure runs on consumer products and services, and is protected by the same encryption that is used in the consumer products that proponents of backdoor access seek to undermine,” the letter adds.

In response to the statement from the seven nations, a Facebook spokesperson said: “We've long argued that end-to-end encryption is necessary to protect people's most private information. In all of these countries, people prefer end-to-end encrypted messaging on various apps because it keeps their messages safe from hackers, criminals, and foreign interference.
Facebook has led the industry in developing new ways to prevent, detect, and respond to abuse while maintaining high security and we will continue to do so. Source
  16. Yahoo plans to enable end-to-end encryption for all of its Mail users next year.

The company is working with Google on the project and the encryption will be mostly transparent for users, making it as simple as possible to use.

Alex Stamos, CISO at Yahoo, said that the project has been a priority since he joined the company a few months ago and will be a key way to make online life safer for millions of users.

Yahoo is using the browser plugin Google released in June that enables end-to-end encryption of all data leaving the browser. Stamos said Yahoo is working to ensure that its system works well with Google’s so that encrypted communications between Yahoo Mail and Gmail users will be simple.

“The goal is to have complete compatibility with Gmail,” Stamos said during a talk at the Black Hat USA conference here Thursday.

The email encryption isn’t the only security improvement on the horizon for Yahoo. The company is also working on enabling HSTS on its servers, as well as certificate transparency.

HSTS (HTTP strict transport security) allows Web sites to tell users’ browsers that they only want to communicate over an encrypted connection. The certificate transparency concept involves a system of public logs that list all certificates issued by cooperating certificate authorities. It requires the CAs to voluntarily submit their certificates, but it would help protect against attacks such as spoofing Web sites or man-in-the-middle.

The security upgrades on the docket at Yahoo are aimed at making it easier for everyday users to use the Internet safely and securely, without needing to be security or privacy experts, Stamos said.

The security industry spends a lot of time working out defenses and new products to protect against exotic attacks while users are being targeted by much more mundane attacks that still don’t have effective solutions.

“Post-Snowden, we have a strain of nihilism that’s keeping us from focusing on what’s real,” Stamos said.
“We as an industry have failed. We’ve failed to keep users safe. “If we can’t build systems that our users in the twenty-fifth percentile can use, we’re failing. And we are failing. We don’t build systems that normal people can use.” Source
  17. Encryption Software (free upload to 20 MB file): encrypts a file using a password (ASCII) or without a password ('Same PC'). Using 'Same PC', no password is needed, but the file can be decrypted from the same computer only.

Download: https://www.microsoft.com/en-us/p/encryption-software/9p9v2m2pdm92?activetab=pivot:overviewtab
Website: http://www.softcleaner.in/soft-cleaner-safe
Version: 108.31.2019.11
License: Free
System Requirement OS: Windows 10 and Higher
  18. PastJeff
    NordLocker giveaway on Twitter
    Homepage: https://nordlocker.com/download/ Available on Windows and MacOS.