With numerous reports of hacking and other forms of cyber attack, getting an end-to-end encryption (E2EE) feature would definitely boost the security of online engagements. Meanwhile, users have been sharing in Twitter, Reddit as well as in various media outlets screenshots of Google's new E2EE feature, which is apparently available already for Google Messages on Android for beta testing.

Back in November, the tech giant announced to add its new feature for RCS messages, but since it is already on beta testing, we can expect the feature to be officially added on the app soon.

(Photo : Google)Google Messages End-to-End Encryption

Having an E2EE feature added to any mode of communication gives an additional layer of security to conversations as well as all files and messages included in it.

While security is the main goal of this feature, it also adds integrity, confidentiality, and authentication to communication. It also aims to enhance the user experience and ensure that security of all other messages in case one has been compromised.

While encryption is no longer new in messaging apps like Facebook Messenger, WhatsApp, Apple Messages, Telegram, Signal, and other apps, having it in Google Messages is a significant upgrade.

Google Messages switched from SMS to RCS messages as standard text messaging protocol. Which one is better? Well, the RCS is much better than SMS in many ways, but when Google created "Chat," the technology was finally had a widespread adoption as the universal RCS protocol. However, unlike other RCS protocols, the Chat does not have E2EE, which was a major setback, particularly to those users and advocates of privacy. They were only left that RCS would get more secured as SMS replacement.

Read also: Apple and Cloudflare Team Up to Strengthen Online Privacy Measures with New DNS

Google Messages' E2EE is currently on beta testing, so those who want to check the new feature may try it out already on Android. All they need to do is enroll their account in the Google Messages beta program.

(Photo : Google Play)Google Messages End-to-End Encryption Now on Beta

To enroll, just click on the program link and click on the "Become a Tester" button. Testers will get an update to the Messages app if it is already installed on the Android device.

Otherwise, users may have it downloaded and installed fromGoogle Play. Although it may take a while to receive the update, it would be worth it since they may immediately try out the new encryption feature.

Once the update is done, testers may turn on the Chat feature in Messages. Just click on the three-dot button located in the upper-right of the screen and press "Settings." Then, choose "Chat features" on settings, and click on "Enable chat features."

(Photo : Google)Google Messages End-to-End Encryption Now on Beta

Once the feature is activated conversations will show a padlock icon just after the "delivered" tag to show that the most recently-sent message is encrypted. The same can be seen on the"Send"button.

In case testers want to back out of the program, they may do so at any time. They can switch to the app's public version whenever the update is available. However, they need to uninstall the testing version. They need to wait for a few hours before they can download the public version from Google Play and install it on the device.

Meanwhile, Google Message's E2EE feature will only show up when both parties within a conversation have the app's latest version and if their mobile networks supportRCS messaging. Otherwise, a link of the encryption will show up on the message.

(Photo : Google)Google Messages End-to-End Encryption Now on Beta

As of the moment, all other conversations and group chats are still unencrypted, although it is highly possible in the future.

Related article: Google Messages App Might Soon Offer More Secured RCS Texting Through End-to-End Encryption

This is owned by Tech Times

Written by CJ Robles

2018 TECHTIMES.com All rights reserved. Do not reproduce without permission.

More here:
Google Messages End-to-End Encryption Guide: How It Works on Android - Tech Times

Close to US$4 million (S$5.3 million) in illicit funds linked to a group that provided encrypted telecommunication devices and network services used by transnational organised criminal syndicates has been seized in Singapore.

About US$3.97 million was seized from four bank accounts here by the Singapore Police Force's Commercial Affairs Department (CAD) and the US authorities, the United States Department of Justice (DOJ) said on Monday.

The funds belonged to Phantom Secure, an encrypted telecommunications network used by transnational organised criminal syndicates. The amount has been repatriated to the US, according to announcements from the Attorney's Office for the Southern District of California.

The seizure of the funds follows the indictment of Vincent Ramos, the chief executive of Canada-based Phantom Secure, and four of his associates, by a US federal grand jury in March 2018.

The five were accused of ope-rating a criminal enterprise that facilitated the transnational importation and distribution of narcotics through the sale and service of encrypted telecommu-nications devices and services to drug traffickers.

According to court documents, Phantom Secure had advertised that its "uncrackable" phones were impervious to decryption, wire-tapping or legal third-party records requests. It also provided a service to guarantee the destruction of evidence contained in the device if it were ever compromised by an informant, or if law enforcement acquired it.

In 2018, Ramos pleaded guilty to leading a criminal enterprise that facilitated the transnational importation and distribution of narcotics including cocaine, heroin and methamphetamine to the US through the sale of these encrypted devices.

Ramos was sentenced to 108 months in prison, and the Phantom Secure network has been shut down.

As part of his guilty plea, Ramos agreed to an US$80 million forfeiture money judgment. He also agreed to give up tens of millions of dollars in identified assets in bank accounts worldwide, as well as houses, a Lamborghini, cryptocurrency accounts and gold coins. The money repatriated from Singapore was among the assets identified by investigators to be forfeited.

The DOJ said Ramos' customers used his products to devastating and sometimes deadly effect. For instance, a 2014 Australian Broadcasting Corporation news article reported that investigations into a gangland murder in Sydney were stymied because the suspects used Phantom Secure devices to coordinate the killing.

Ramos had used this news to market his encryption services to criminals across the world, writing: "This is the best verification on what we have been saying all along - proven and effective for now over nine years. It is the highest level of authority confirming our effectiveness. It can't get better than that."

The DOJ said it had worked closely with Singapore's CAD since 2018 to identify and seize the funds linked to the sale of Phantom Secure devices. It commended the efforts of its Singapore counterparts in identifying, freezing and repatriating proceeds of Ramos' criminal enterprise.

Ms Suzanne Turner, special agent in charge at the US Federal Bureau of Investigation, said: "The repatriation of close to US$4 million by our Singapore-based partners ensures that Vincent Ramos and the leaders of Phantom Secure will pay for their crimes."

View post:
S'pore seizes $5.3m in illicit funds linked to Canadian network used by crime syndicates - The Straits Times

Over the past several years, questions about how to protect information exchanged in the Domain Name System (DNS) have come to the forefront.

One of these questions was posed first to DNS resolver operators in the middle of the last decade, and is now being brought to authoritative name server operators: "to encrypt or not to encrypt?" It's a question that Verisign has been considering for some time as part of our commitment to security, stability and resiliency of our DNS operations and the surrounding DNS ecosystem.

Because authoritative name servers operate at different levels of the DNS hierarchy, the answer is not a simple "yes" or "no." As I will discuss in the sections that follow, different information protection techniques fit the different levels, based on a balance between cryptographic and operational considerations.

Rather than asking whether to deploy encryption for a particular exchange, we believe it is more important to ask how best to address the information protection objectives for that exchange whether by encryption, alternative techniques or some combination thereof.

Information protection must balance three objectives:

The importance of balancing these objectives is well-illustrated in the case of encryption. Encryption can improve confidentiality and integrity by making it harder for an adversary to view or change data, but encryption can also impair availability, by making it easier for an adversary to cause other participants to expend unnecessary resources. This is especially the case in DNS encryption protocols where the resource burden for setting up an encrypted session rests primarily on the server, not the client.

The Internet-Draft "Authoritative DNS-Over-TLS Operational Considerations," co-authored by Verisign, expands on this point:

Initial deployments of [Authoritative DNS over TLS] may offer an immediate expansion of the attack surface (additional port, transport protocol, and computationally expensive crypto operations for an attacker to exploit) while, in some cases, providing limited protection to end users.

Complexity is also a concern because DNS encryption requires changes on both sides of an exchange. The long-installed base of DNS implementations, as Bert Hubert has parabolically observed, can only sustain so many more changes before one becomes the "straw that breaks the back" of the DNS camel.

The flowchart in Figure 1 describes a two-stage process for factoring in operational risk when determining how to mitigate the risk of disclosure of sensitive information in a DNS exchange. The process involves two questions.

Figure 1 Two-stage process for factoring in operational risk when determining how to address information protection objectives for a DNS exchange.

This process can readily be applied to develop guidance for each exchange in the DNS resolution ecosystem.

Three main exchanges in the DNS resolution ecosystem are considered here, as shown in Figure 2: resolver-to-authoritative at the root and TLD level; resolver-to-authoritative below these levels; and client-to-resolver.

Figure 2 Three DNS resolution exchanges: (1) resolver-to-authoritative at the root and TLD levels; (2) resolver-to-authoritative at the SLD level (and below); (3) client-to-resolver. Different information protection guidance applies for each exchange. The exchanges are shown with qname minimization implemented at the root and TLD levels.

The resolver-to-authoritative exchange at the root level enables DNS resolution for all underlying domain names; the exchange at the TLD level does the same for all names under a TLD. These exchanges provide global navigation for all names, benefiting all resolvers and therefore all clients, and making the availability objective paramount.

As a resolver generally services many clients, information exchanged at these levels represents aggregate interests in domain names, not the direct interests of specific clients. The sensitivity of this aggregated information is therefore relatively low to start with, as it does not contain client-specific details beyond the queried names and record types. However, the full domain name of interest to a client has conventionally been sent to servers at the root and TLD levels, even though this is more information than they need to know to refer the resolver to authoritative name servers at lower levels of the DNS hierarchy. The additional detail in the full domain name may be considered sensitive in some cases. Therefore, this data exchange merits consideration for protection.

The decision flow (as generally described in Figure 1) for this exchange is as follows:

Interestingly, while minimization itself is sufficient to address the disclosure risk at the root and TLD levels, encryption alone isn't. Encryption protects against disclosure to outside observers but not against disclosure to (or by) the name server itself. Even though the sensitivity of the information is relatively low for reasons noted above, without minimization, it's still more than the name server needs to know.

Summary: Resolvers should apply minimization techniques at the root and TLD levels. Resolvers and root and TLD servers should not be required to implement DNS encryption on these exchanges.

Note that at this time, Verisign has no plans to implement DNS encryption at the root or TLD servers that the company operates. Given the availability of qname minimization, which we are encouraging resolver operators to implement, and other minimization techniques, we do not currently see DNS encryption at these levels as offering an appropriate risk / benefit tradeoff.

The resolver-to-authoritative exchanges at the SLD level and below enable DNS resolution within specific namespaces. These exchanges provide local optimization, benefiting all resolvers and all clients interacting with the included namespaces.

The information exchanged at these levels also represents the resolver's aggregate interests, but in some cases, it may also include client-related information such as the client's subnet. The full domain names and the client-related information, if any, are the most sensitive parts.

The decision flow for this exchange is as follows:

Summary: Resolvers and SLD servers (and below) should implement DNS encryption on their exchanges if they are sending sensitive full domain names or client-specific information. Otherwise, they should not be required to implement DNS encryption.

The client-to-resolver exchange enables navigation to all domain names for all clients of the resolver.

The information exchanged here represents the interests of each specific client. The sensitivity of this information is therefore relatively high, making confidentiality vital.

The decision process in this case traverses the first and second steps:

Summary: Clients and resolvers should implement DNS encryption on this exchange, unless the exchange is otherwise adequately protected, for instance as part of the network connection provided by an enterprise or internet service provider.

The following table summarizes the guidance for how to protect the various exchanges in the DNS resolution ecosystem.

In short, the guidance is "minimize at root and TLD, encrypt when needed elsewhere."

If the guidance suggested here were followed, we could expect to see more deployment of minimization techniques on resolver-to-authoritative exchanges at the root and TLD levels; more deployment of DNS encryption, when needed, at the SLD levels and lower; and more deployment of DNS encryption on client-to-resolver exchanges.

In all these deployments, the DNS will serve the same purpose as it already does in today's unencrypted exchanges: enabling general-purpose navigation to information and resources on the internet.

DNS encryption also brings two new capabilities that make it possible for the DNS to serve two new purposes. Both are based on concepts developed in Verisign's research program.

You can read more about these two applications in my recent blog post on this topic, Authenticated Resolution and Adaptive Resolution: Security and Navigational Enhancements to the Domain Name System.

The rest is here:
A Balanced DNS Information Protection Strategy: Minimize at Root, TLD; Encrypt When Needed Elsewhere - CircleID

LONDON--(BUSINESS WIRE)--The cloud encryption software market is expected to grow by $ 2.82 bn, progressing at a CAGR of over 38% during the forecast period.

Click & Get Free Sample Report in Minutes

The increasing use of in-built cloud encryption solutions is one of the major factors propelling market growth. However, factors such as high capital investment for deployment will hamper the market growth.

More details: https://www.technavio.com/report/cloud-encryption-software-market-industry-analysis

Cloud Encryption Software Market: End-user Landscape

Based on the end-user, the BFSI segment is expected to witness lucrative growth during the forecast period.

Cloud Encryption Software Market: Geographic Landscape

By geography, North America is going to have a lucrative growth during the forecast period. About 38% of the markets overall growth is expected to originate from North America. The US is the key market for cloud encryption software market in North America.

Buy 1 Technavio report and get the second for 50% off. Buy 2 Technavio reports and get the third for free.View market snapshot before purchasing

Related Reports on Information Technology Include:

Companies Covered:

What our reports offer:

Technavio suggests three forecast scenarios (optimistic, probable, and pessimistic) considering the impact of COVID-19. Technavios in-depth research has direct and indirect COVID-19 impacted market research reports.

Register for a free trial today and gain instant access to 17,000+ market research reports.Technavio's SUBSCRIPTION platform

Key Topics Covered:

Executive Summary

Market Landscape

Market Sizing

Five Forces Analysis

Market Segmentation by End-user

Customer landscape

Geographic Landscape

Vendor Landscape

Vendor Analysis

Appendix

About Us

Technavio is a leading global technology research and advisory company. Their research and analysis focuses on emerging market trends and provides actionable insights to help businesses identify market opportunities and develop effective strategies to optimize their market positions. With over 500 specialized analysts, Technavios report library consists of more than 17,000 reports and counting, covering 800 technologies, spanning across 50 countries. Their client base consists of enterprises of all sizes, including more than 100 Fortune 500 companies. This growing client base relies on Technavios comprehensive coverage, extensive research, and actionable market insights to identify opportunities in existing and potential markets and assess their competitive positions within changing market scenarios.

View post:
Insights on the Cloud Encryption Software Market 2020-2024: COVID-19 Industry Analysis, Market Trends, Market Growth, Opportunities and Forecast 2024...

This article originally appeared in LawNews (ADLS) and is here with permission.

By Diana Clement

The New Zealand government, along with its Five Eyes intelligence partners, has called for tech firms to open a back door to encrypted communications to make it easier for law enforcement to access information.

What are the implications for law firms and their clients data?

Just five days before this years election, when the countrys attention was fixated on politics, Andrew Little then Justice Minister and now the minister responsible for both the GCSB and NZSIS signed a controversial statement asking technology companies such as Facebook, Google and Apple to allow access to encrypted communications and data passing through their services.

Australia has already come to the party. The controversial Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018 enables Australian law enforcement and intelligence agencies to compel anyone providing a service or product that involves telecommunications or the internet to remove electronic protection, such as encryption.

Not only is it an offence not to comply but those required to turn over information are not permitted to disclose that the compulsion order even exists. New Zealand organisations which store information on Australian servers have been warned that their data might be at risk.Read more.

Tech companies encrypt ie, scramble - their users messages, audio and video communications from end to end, meaning they cant be accessed by others. This gives individuals, businesses and other organisations total privacy, but is a significant barrier to legal access to those messages by law enforcement.

The Five Eyes countries, along with Japan and India which also signed the agreement, argue that unbreakable encryption technology creates severe risks to public safety, in particular to vulnerable groups such as sexually exploited children. But any back door will affect all internet users.

And the statement Little signed is inconsistent with New Zealands cybersecurity strategy, which notes that secure data is fundamental to a robust and thriving society. It also warns that as more people use and do business on the internet, the payoffs from cyber and cyber-enabled crimes will increase, attracting greater numbers of cybercriminals

Client files

Lawyers whose eyes might glaze over at the mention of technology should pay attention. End-to-end encryption as a concept is simple to understand and among the data at risk are their client files and other confidential information.

ADLS Technology & Law committee member James Ting-Edwards likens unencrypted communications to a postcard that can be read by anyone whose hands it passes through. An encrypted communication would mean the postcard was placed inside an envelope.

Since whistle-blower Edward Snowden leaked classified information revealing the extent of global surveillance programs, technology companies have increasingly added security to their services, including unbreakable encryption.

End-to-end encryption is what enables business to thrive online.

Former Commerce & Consumer Affairs Minister Kris Faafoi, when launching New Zealands cybersecurity strategy in 2019, said encryption ranged from the basic functioning of New Zealands economy and society our jobs, banks and schools to the delivery of government and telecommunications and electricity services.

We need to know that our systems will keep running, that our personal and commercial information is safe and that we can trust the information that we use to make decisions, he said.

Ting-Edwards says anyone seeking to comply with privacy law and those with obligations of confidence, such as lawyers, needs encryption.

Its very easy to find people pushing a hard-line position on both sides of this. Now that the internet includes four billion people there are some difficult, nuanced problems about how the administration of social life, how the admin of government happens in a world where this exists.

We really do need access to encryption for all kinds of privacy and security reasons but thats not to say the policy and law enforcement concerns raised dont matter. They do matter.

Banks and professionals

Security breaches resulting from a back door could affect our communications with banks and commerce, and professionals such as lawyers and doctors who need security to ensure the confidentiality of their clients data, says Marcin Betkier, a law lecturer at Victoria University and a committee member of the Privacy Foundation NZ (whose patron is Dame Silvia Cartwright).

But it wont necessarily be safe if the Five Eyes governments have their way and a back door is opened to monitor those communications and data on organisations servers or in the cloud. Criminals and state-sponsored actors using cyber tools for geopolitical advantage could be given a new way to break encrypted communications for their own ends.

Andrew Littles signing of the document marked a change in our approach, Betkier says. In a report about the proposal, the foundation called for careful review and validation by the New Zealand public.

We are concerned that the New Zealand government has signed the statement without wider public consultation or discussion, the foundation wrote. This is critical in light of the direct impact that undermining encryption would have on New Zealanders privacy and cybersecurity.

In an interview withLawNewsBetkier added: It would be nave to think you could have some sort of private, exclusive access for Five Eyes. Not Russia, China or North Korea. Its not that easy. Systems leak sooner or later.

Betkier cites the case of Moscow-based cybersecurity company Kaspersky Lab, which in 2017 either actively or passively enabled the hack of a US National Security Agency contractors data. The contractor was working to replace hacking tools that had been leaked by Snowden. The hacked information ended up in the hands of the Russian government.

Ting-Edwards adds: It seems really important that New Zealand as a small participant in the multilateral order is careful not to sign up to precedents that we would be unhappy with other governments using to serve their own ends in their own ways.

Having signed the international statement doesnt mean it will come to fruition, however. Privacy law expert Tania Goatley, a partner at Bell Gully, says there is no legal requirement for the government to execute such statements on behalf of New Zealanders.

However, the general role of a government in any society is to ensure its citizens are protected and that parameters are put in place to ensure the safety of those citizens. Executing the international statement therefore might be seen by government representatives as necessary to protect the more vulnerable members of New Zealands society.

Goatley says it indicates the signatories generally support encryption technologies, but that encryption that wholly precludes legal access to any content should be addressed, to enable access to illegal content in circumstances where access is authorised, necessary and proportionate, and subject to strong safeguards and oversight.

If the government introduced strong safeguards and oversight and supported encryption technologies as it stated, then there are some good policy arguments in favour of implementing the international statement, she said.

Privacy risks

But Goatley says several concerns might arise around implementation. These include a definition of what constitutes illegal content, who will monitor enforcement agencies to ensure their access and use of information is only for enforcement and safety purposes, and whether there would be penalties for non-compliance or unjustifiable intrusions into personal privacy.

Another concern, she says, may be the extent to which it is permissible to erode individual privacy rights to protect the vulnerable. This is particularly significant where organisations do not actually know what the relevant content is or might contain.

Implementation of the type called for in the international statement also raises privacy risks from an organisational perspective, says Goatley. These include mapping data flows and, in particular, understanding where data is collected, held, used and disclosed, understanding the legal obligations and access powers that may apply to organisations as a result, and ensuring customer data is properly protected and not illegally disclosed in that context.

Not a first

If the statement becomes reality it wouldnt be the first time a government has demanded access to end-to-end encryption. As discussed, Australia has passed legislation enabling lawmakers and enforcement to compel communications providers to provide certain assistance in accessing content.

The Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018 has been criticised for being inadequately debated, poorly drafted and draconian.

An amendment was passed in 2019 and the law was subsequently reviewed by an Independent National Security Legislation Monitor which has recommended extensive amendments. The Australian Parliamentary Joint Committee on Intelligence and Security (PJCIS) is undertaking a review.

In the United States, the FBI has unsuccessfully attempted to require Apple to provide tools for bypassing the security restrictions on iPhones belonging to suspects.

The question is whether any of this legislation is necessary.

Undermining encryption is not the only way to access data, says Betkier. Law enforcement agencies can access communications when necessary even without this back door. He cites the example of EncroChat, a secure telephone network in Europe favoured by criminal groups. French police hacked into the network, broke the encryption and cracked open millions of messages. It was big news for law enforcement.

Playing on emotions

The Privacy Foundation expressed its concerns about the emotional language used in the Five Eyes statement and the fact that it offered little in terms of a solution.

Such discourse creates a false illusion that everyone who stands for privacy also supports individuals who use the internet for these sorts of illegal activities, it says. This is, of course, not the case and we agree that law enforcement agencies need to have tools and processes to protect individuals and vulnerable groups in society.

Betkier says we need to discuss this more rationally as a nation. What can law enforcement agencies do? Right now, it looks like they just want everything. If there is no easy way, they just keep reporting that emotional communication.

Translation into law?

As Goatley points out, the government has not brought in specific anti-encryption legislation and has not indicated it intends to do so. Rather, to date its focus appears to be engaging in constructive dialogue, which is likely to involve consultation with industry experts.

This approach, she says, is generally preferable and would help avoid shortfalls in the equivalent Australian law.

The Australians are struggling with the law of unintended consequences. So too, the foundation noted, could New Zealand if it were to enact similar legislation.

The foundation noted: It will reduce confidence in e-commerce, independent journalism, whistleblowing and many other sectors or scenarios where the confidentiality and integrity of information is essential. For example, it may be a direct threat to vulnerable communities (like LGBTQ) and to groups that oppose authoritarian regimes across the globe.

Another unintended consequence might be whether New Zealand could continue to be considered an adequate country under Europes General Data Protection Regulation (GDPR) privacy rules, says Goatley. This is soon to be reviewed by the European Commission.

Any weight the EU might place on a back door to end-to-end encryption remains uncertain, Goatley says.

How might it work?

The foundation says the statement does not present practical proposals for achieving its aims of maintaining public safety while protecting privacy and cybersecurity through encryption.

Law enforcement agencies may have a number of alternative means of accessing digital content that does not require them to break encryption through exploiting vulnerabilities in an individuals device or tracking their online activities to glean further information.

Ting-Edwards says it would help if the Five Eyes governments could publish technical designs so relevant parties could scrutinise and discuss them.

We can trust software systems only when the design is presented and people can independently look at them and test them and see what breaks to assure them the systems do what they say on the box and they dont have any surprising impacts.

Diana Clement is a freelance journalist.This articleoriginally appearedin LawNews (ADLS) and is here with permission.

See the original post:
Does opening a 'back door' to encrypted communications create a whole new raft of problems? How can firms promise privacy if there is official access?...