Category Archives: Encryption

That Encrypted Chat App the White House Liked? Full of Holes – WIRED


Leaks have plagued the Trump administration since he took office less than seven weeks ago. The president's anger about these backchannels has grown, up to and including reported demands of an investigation into the source. Press secretary Sean Spicer has even apparently taken to doing random phone checks, supervised by White House attorneys, to see what staffers and aides are up to on their devices and whether they have secure communication apps.

In the midst of all of this, the end-to-end encrypted, disappearing messages app Confide has emerged as a popular choice among administration officials looking to discuss sensitive topics with coworkers, the press, or other groups. But in spite of Confide's claims that it gives you "the comfort of knowing that your private messages will now truly stay that way," researchers at security firm IOActive recently notified its developers of a number of critical vulnerabilities in the app. Those have since been resolved, but that's small consolation for White House staffers and general users who relied on Confide while it was exposed.

IOActive found vulnerabilities in numerous areas of the Confide app on Windows, macOS, and Android. By reverse-engineering the applications to see how they work and where they might have weaknesses, and probing Confide's public API to see what data could be accessible to anyone, the researchers discovered that they could alter messages and attachments in transit, decrypt messages, impersonate users, and reconstruct a database of all Confide users, their names, email addresses, and phone numbers. It's a concerning list of potential attacks for an app that touts security and privacy as its main offerings.

In total, the IOActive researchers laid out 11 vulnerabilities. For example, they were able to access over 7,000 records for users who joined Confide between February 22 and February 24, before Confide detected the intrusion. The database contains between 800,000 and 1 million user records in all. The app didn't have protection against brute-forcing account passwords and didn't even have strong minimum requirements for what a user's password could be. It didn't notify recipients when senders sent unencrypted messages, and the system didn't require a valid web encryption certificate.

IOActive disclosed the bugs to Confide on February 28. Confide was already aware of some of the bugs after detecting the researchers' probing, and by March 3 the company told IOActive that all the vulnerabilities had been patched. IOActive says that it was satisfied with Confide's reaction. "When our researchers connected with Confide to disclose the vulnerabilities, they were receptive to our research, quick to move on addressing critical issues found, and worked with us to share the information," IOActive CEO Jennifer Steffens said in a statement.

Confide has been around since 2014, though, so protecting the app going forward, while crucial, doesn't mitigate the risk its users have already faced. But Confide assures its users that the bugs were never exploited. "Our security team is continuously monitoring our systems to protect our users' integrity," says Confide president Jon Brod. "IOActive's attempt to gather account information was detected and stopped in real time. Not only has this particular issue been resolved, but we also have no detection of it being exploited by any other party. In addition, we've also ensured that the same or similar approaches will not be possible going forward."

Other researchers have piled on similar findings about the state of Confide's security. Experts have also been calling the app out for a while for using proprietary cryptography and offering no evidence that it has invited independent code audits to check for vulnerabilities. Encrypted communication services that are open source, like Signal, garner more trust in the security community because of their transparency.

"Public review of open source code can [reveal] such flaws," says Sven Dietrich, a cryptography researcher at CUNY John Jay College of Criminal Justice. He adds that code reviews allow experts to identify programming mistakes that jeopardize user messages or credentials, and protocol mistakes like improper exchange of keys or messages. Basically, all the issues Confide ran into.

It's difficult for consumers to know which security products to choose or even how to compare the options. This puts responsibility on software makers to secure their products. Encryption software assumes such an important role today. The only way to ensure that a piece of software does not contain back doors or gaping holes is to have independent trust experts audit the code. This is best practice, says Kevin Curran, a cybersecurity researcher at Ulster University and IEEE senior member. We all know that it is unreasonable to expect vulnerability-free software, but we need to look at risk mitigation.

Now that Confide has patched its vulnerabilities, users will have more protection. But without greater transparency, users may not have confidence that other flaws aren't lurking in their favorite encrypted chat app. For a White House staffer leaking information critical to United States discourse and fearing retribution from a temperamental boss, there's no room for error.


What the CIA WikiLeaks Dump Tells Us: Encryption Works – New York Times


NEW YORK - If the tech industry is drawing one lesson from the latest WikiLeaks disclosures, it's that data-scrambling encryption works, and the industry should use more of it. Documents purportedly outlining a massive CIA surveillance program suggest ...

No, you shouldn’t delete Signal or other encrypted apps – TechCrunch

As alarm bells sound around the latest document dump from WikiLeaks, misinformation can spread like wildfire. Journalists are just starting to pore over the files, but a number of security researchers and privacy advocates are hoping to quash the misconception that encrypted chat apps like Signal and WhatsApp have been compromised.

A now corrected tweet by The New York Times seems to have set some of this speculation in motion.

"I think a lot of people look at the headlines from this morning and think 'Oh well, I shouldn't use those apps,'" Ross Schulman of the Open Technology Institute explained in a call with TechCrunch. "What is actually true is that those apps are really important for people to use, they protect a lot of people."

The main distinction here is that if a device like your smartphone is compromised, say through malware in iOS for example, no amount of encryption can make it safe again.

"There's nothing that the app can do, it has to decrypt the message in order for you to read it, otherwise it would be kind of useless," Schulman explains. "And when that happens, that's when malware on the computer or on the handset can kick in and read the plain text just as well as you can."

In spite of the misconceptions, some in security still see the WikiLeaks Vault7 data as a wake-up call for those who don't yet take privacy seriously. "Signal, WhatsApp and other encrypted messaging services are still functioning exactly as originally intended as the hackers aren't breaking that encryption," Ajay Arora, CEO and co-founder of security firm Vera, told TechCrunch.

Security is all about a series of layers concentrating on depth and breadth. The encryption of the apps themselves isn't what's in question and people who want to continue to use their favorite apps, should. However they should also consider other measures of security, as there is no one silver bullet to solve all security issues.

According to Joseph Hall, chief technologist for the Center for Democracy & Technology, the WikiLeaks files do not appear to contain any evidence that apps like Signal have been compromised. "It's one of these unfortunate collisions of a whole lot of data and a whole lot of interests all at once," Hall told TechCrunch. "There's nothing that seems to indicate that the crypto is broken."

Hall thinks the documents might contain some interesting details that further confirm ongoing concerns around the kind of poorly secured IoT devices we bring into our homes, but the worry over Signal is misguided. "They seem to be getting into the devices before the encryption is applied," Hall explains.

If the CIA (or anyone else) gains access to your device, it gains total control. Hall explains how this would work with hypothetical spying malware:

"They can install a little thing that can take a picture of your screen every half a second or something like that. And that would be pretty useful for one reading anything that you type into one of these encrypted messaging apps, but also reading anything you read in these encrypted messaging apps. It's not just about your messages but about anyone you communicate with as well."

Ultimately, encrypted apps like Signal remain one of the most robust ways to protect your private communications; today's WikiLeaks news didn't change that.

"Unfortunately, you have to keep very, very good control over your phone," Hall said. "There's just no perfect answer in terms of being 100% unexploitable by these powerful, powerful governments."


Best encryption software: Top 5 – Computer Business Review

This list of five of the best encryption software on the market includes examples of platforms that enable a cutting edge, interactive experience by harnessing the storage capabilities of the cloud, and special decoy, deterrent features.

Also included in our list are systems that might be less high-tech and intuitive to use, but will equip a user with high-level, industry standard protection by incorporating multiple encryption methods. Some examples in this list are rooted in a specific operating system, while there are also systems included that provide maximum mobility.

Price is also factored into this list of the best options, with some of the free options presenting extremely effective safeguards from the free version of the system.

In contrast to systems such as VeraCrypt, the only free element of this encryption software is the trial; however, the product is widely considered robust, with capabilities to support small teams and individuals within a business setting.

AxCrypt was launched in 2001 with the intention of addressing the sharing of confidential data over the Internet, and to find security solutions for Internet services while aiming to make an easy to use design and appearance.

The specs behind the software include 128-bit or 256-bit Advanced Encryption Standard (AES), and it differs from some of the competition in that the software utilises cloud storage. This will mean the protection you receive with the product will also span files saved on Dropbox or Google Drive.

A high level of interaction and control is made available with the software, as encrypted files can be accessed through a smartphone app. The software can also be used widely on a global scale, as advanced multilingual abilities are integrated within the software; some of these are Korean, Portuguese and Swedish.


Ironclad Encryption Corporation Announces New Ticker Symbol OTCQB: IRNC – Yahoo Finance

HOUSTON--(BUSINESS WIRE)--

Ironclad Encryption Corporation (the Company) (OTCQB: IRNC) today announced that it has changed its ticker symbol from BTHI to IRNC. The Company began trading under the ticker symbol IRNC under its new CUSIP number: 46302E107, effective March 2, 2017.

About Ironclad Encryption Corporation

On January 6, 2017, Butte Highland Mining Company changed the focus of the business by acquiring all of the ownership interests of InterLok Key Management, Inc., a Texas corporation engaged in the business of developing and licensing its patented key based encryption methods. To better reflect the new business, the name was changed to Ironclad Encryption Corporation. Ironclad Encryption Corporation focuses on providing global freedom to execute electronic transmissions and store electronic data absent the oppressive intrusion of cyber-terrorism that causes destruction and loss. The company offers cyber security encryption so advanced, it operates without performance degradation or significant band-width usage. To learn more about Ironclad Encryption Corporation, please visit http://ironcladencryption.com.

View source version on businesswire.com: http://www.businesswire.com/news/home/20170302006070/en/


The Best Email Encryption Software of 2017 | Top Ten Reviews


Email security and encryption software does more than just encrypt emails. Depending on the solution, you can send compliant email transmissions, thwart data loss, secure proprietary information and instill client confidence. In addition, imposed encryption points range from one-click options to enforced policy-based encryption methods. Although many industries in the past required faxing of sensitive information, nowadays many email encryption services provide compliant encrypted email options that are even more secure than traditional faxing and much more convenient.

Beyond email security, secure email software also provides tools to help with compliance, legal inquiries and tracking. The best email security software provides an administration console, compliance reports, sortable email logs, email trackers, email expiration dating, and archiving technology. Many are also compatible with all email types, DLP filters, security software and mobile email.

To learn more about what email security services can offer check out our top rated products. See HP SecureMail, if you are looking to integrate email encryption with your established business applications. For exceptional ease of use from admin to recipient, see DataMotion. If you are looking for DLP tools combined with email encryption, see Proofpoint. To learn more about email encryption, see our articles on email encryption software.

The first consideration with email security software is the encryption point. Small businesses may trust employees to decide which emails need to be encrypted. In this situation, a desktop or cloud-based solution will work. Other companies may benefit from removing the decision from the employee by using policy-based filters. This encrypts emails after they leave the employee's desktop at the point where they pass through the mail server, gateway, appliance or web portal, based on your company's policy filters.

Other considerations include the integrations and compatibilities you require, such as Outlook plugins, mobile phone emailing, email protocols and archiving methods. You will also want to select a solution that provides the encryption methods your business and clients require. Most services support OpenPGP and S/MIME encryption methods and provide access to other types of email security, such as AES and certificates if requested. Another consideration is the recipient experience. You want to look for a secure email solution that provides a simple and quick way for your customers and recipients to access secure messages.

Here are the criteria we used to compare email encryption software:

Security: If your company is bound by compliance or regulatory requirements, you need to ensure that the email encryption service you use can satisfy your security standards. All email encryption software secures emails. However, most secure email services offer a range of security options, such as user-initiated and policy-based encryption. Some will even block email from sending messages that contain non-sharable information. If the service stores your email data and interactions for your company, they should take precautions to secure their data center(s). We compared a wide range of security features and rated highest those that not only encrypt email, but also those that provide additional layers of security.

Recipient Experience: While security is critical, you do not want it to inconvenience your customers. We looked for encryption software with features that make the recipients' experience hassle free. The encryption programs that are simplest to use do not require your customers to download software or maneuver through a complicated process to receive secure messages. We rated highest the software that also allows recipients to send secure return emails and easily request passwords without your administrator having to manage the request.

Administration Tools: Competitive email encryption software for small businesses and larger companies should supply a powerful, simple to use administration console. We compared services and the tools they offer for managing emails, creating reports, sorting emails, deploying software and configuring policies. The best software provides simple or even automatic deployment options and preconfigured policies that support common regulatory constraints.

Integrations & Compatibility: Most companies do not run email encryption software independently. To be truly useful and efficient, it should function alongside popular business solutions such as Salesforce, GroupWise and security software. It also ought to work across platforms with all email types, regardless of the device type (PC, mobile phone or tablet). Top encryption tools also work in conjunction with content and internet filters, as well as eDiscovery and archiving methods. We rated highest the encryption software that is compatible with all popular platforms and commonly used business applications.

Unless you only need encryption software for one seat, you will want to do your share of research before contracting with an email encryption service. We suggest that you peruse our reviews, identify your top three candidates and then contact those companies for a customized quote. Their sales teams and account managers should be able to help you identify the best method for providing the type of email security that would work best for your company and its regulatory requirements.


How to Send Encrypted Nudes, a Guide for the Discerning Lover – Inverse

Right off the bat, sending nudes is always going to be a risky (but potentially delightful) activity. You can't eliminate all the privacy risks, and someone can always find a way to save the nudes you send, but there are tricks to enjoy nude-sharing with your significant other, or anybody for that matter, as securely as possible.

The good news is that there are now a few really good apps that let you send encrypted attachments for free, notably Viber and WhatsApp. The new WhatsApp status feature, announced in a company blog post, is a particularly good way to send nudes securely. Even with the most secure encryption, your phone itself is a weak link, so not only do you have to send your nudes safely, you and the recipient have to take and store them securely as well. The main takeaways: use messaging apps that use end-to-end encryption and don't save them in the cloud, or (best practice) really at all.

The main risk you can't control when sending nudes is that no matter how good your encryption, if your phone itself is hacked, there's not much you can do. "A hacker can naturally see photos on the device where the intended recipient can see them, if that device is hacked," Karsten Nohl, founder of Security Research Labs, a hacking research firm in Berlin, told Inverse.

So every time you send nudes, you're taking a risk: most people aren't going to have their phones directly hacked, but things like cloud storage and data carriers. So the best things you can do are avoid the cloud and use end-to-end encryption unless you invest in a phone designed for security.

WhatsApp launched end-to-end encryption in April 2016, so when you send a WhatsApp message, it's automatically locked with unique keys, and then only unlocked when your recipient reads it. And although it used to be text-only, WhatsApp now lets you send encrypted photos and videos. The only thing to remember about WhatsApp is that it is now part of Facebook, so check to make sure that WhatsApp isn't sending info to Facebook for advertisements. You can just go into the account section in settings and turn off "share my account info," and you're good.

The new status feature allows users to send encrypted photo and video status updates that disappear after 24 hours. You can add emojis, draw, add captions, send GIFs. It's basically an encrypted Snapchat now, and it has some attractive features for sending nudes. You can choose to share things only with a specific contact in the Status Privacy feature, which only affects posts you make after turning that on. Nothing is saved in your photo library and the whole status system is encrypted. The main downside is that you have to remember to set your status to only be seen by a specific contact.

If you're not using the status feature, but are using WhatsApp messaging to send nudes, there are two things to think about. First, make sure that you are not saving your photos in the regular photo library on your phone. That library is only as secure as your phone, and if it's backing up to the cloud, it's not secure. The second thing is you can set WhatsApp to let you know if the key of the person you're sharing with changes. Unless your significant other has gotten a new phone, a changed key notice is a signal that it's not safe to send nudes until you figure out if you're being spied on.

Viber has recently implemented end-to-end encryption as the default setting as well, and will also let you know if your line has been changed. If you don't have WhatsApp, it's a good option for nude-sending. However, if you're an Apple user, attaching images through the iOS sharing feature isn't secure. Viber is working on that, and there is a Viber image feature which is probably what you should use even when the iOS feature becomes encrypted. Although iMessage is end-to-end encrypted, iCloud is not, which ruins the whole point of sending encrypted nudes.

There are a few other messaging apps that feature end-to-end encryption, but they are less common, namely Signal and Cyber Dust. You could also use Line or Telegram, but both you and your significant other have to have turned on the secret messaging feature.

In the end, no matter what app you use to send your nudes, if you're worried about doing it securely, talk with your significant other about best practices. End-to-end encryption will get you pretty far, but even then it's never going to be 100 percent safe. And saving photos on your phone or taking screenshots will ruin all the work of even the best encryption.


Dyani Sabin is a science writer from small-town Ohio transplanted to New York City. Former biology researcher and library supervisor, you can also find her writing at Scienceline.


Encrypted Messaging Service ‘Signal’ Adds Video Call Option – Top Tech News

Users of the Signal encrypted messaging and voice calling service, famously employed by National Security Agency (NSA) contractor and whistleblower Edward Snowden, can now also use the app for encrypted video chats.

Open Whisper Systems, the software company that developed Signal, announced new public beta support for encrypted video calling yesterday. The release for both Android and iOS is built on "an entirely new calling infrastructure" that should also improve the voice call quality of the service, the company said.

First released in 2014, the Signal app is based on the Signal cryptographic protocol, which is also used for secure messaging by Google Allo, Facebook-owned WhatsApp and Facebook Messenger. Such encrypted services are often used to provide secure communications for news tips and conversations between sources and journalists, among other purposes.

'Entirely New Calling Infrastructure'

Being rolled out in stages to enable feedback about its performance, the latest version of Signal also brings together what were once two different Open Whisper Systems applications, one to support texting and one designed to enable real-time voice calls, company founder Moxie Marlinspike wrote yesterday in a blog post.

"This represents an entirely new calling infrastructure for Signal, and should increase voice call quality as well," Marlinspike said. "We think it's a big improvement, but we're rolling it out in stages to collect feedback from people with different devices, networks, and regions in order to ensure there are no surprises when it's enabled for everyone by default."

The new encrypted video calling will only work between two Signal users who have both enabled the beta application. iPhone users will also be able to take advantage of new capabilities introduced with last year's iOS 10 update so they can answer incoming Signal calls with one touch directly from the lock screen.

Encryption Controversies Back in the News

Media organizations, including The New York Times, use Signal to encourage encrypted news tips from readers and other sources. The application has also been endorsed by Snowden, who in 2013 provided journalists with a large cache of classified documents detailing the widespread use of surveillance by the NSA.

The mainstream use of encryption to protect electronically transmitted information has long been a source of frustration for many in the intelligence, law enforcement and political communities. FBI Director James Comey and former CIA Director James Woolsey are among officials who have pushed for security backdoors that would allow intelligence agencies to bypass encryption protections.

Controversies about encrypted communications have also erupted again in the news recently. For example, BuzzFeed reported yesterday that two Republicans in Congress have called for an investigation on the Environmental Protection Agency's use of encryption. Meanwhile, other news outlets reported this week that some White House staffers have been using an encrypted chat app called Confide that automatically deletes messages after they are received and read.


Germany, France lobby hard for terror-busting encryption backdoors … – The Register

The tech industry has hit back at France and Germany's demands for EU laws requiring secret backdoors in file and communications encryption.

Last week, Thomas de Maizière and Bruno Le Roux, respectively the German and French ministers of the interior, sent a letter to the European Commission calling for measures to stem what they see as a tide of terrorism sweeping the land.

These proposed measures include allowing the greater sharing of people's personal information between nations' police forces to fight crime; more reliance on biometrics; and, as is depressingly predictable these days, demands for technology companies to come up with impossible encryption systems that are secure, strong, and yet easily crackable by law enforcement on demand. That would allow investigators to decrypt suspects' intercepted messages and seized documents without needing the person's passphrase or private keys.

The German-French letter [PDF] calls for new legislation implementing these changes to be considered in October, after both countries have had their national elections.

This isn't the first time the pair have called for such measures, but this time they received support from the European Commission. "Encryption technology should not prevent law enforcement agencies or other competent authorities from intervening in the lawful exercise of their functions," an EC spokesman said in response to the letter, according to Politico.

The remarks brought a swift bite back from the Computer & Communications Industry Association, the non-profit think tank that lobbies for the technology industry. Christian Borggreen, its director of international policy in Brussels, slammed the idea as counterproductive late last week.

"Any backdoors to encrypted data would pose serious risks to the overall security and confidentiality of Europeans' communications, which seems inconsistent with existing legal protections for personal data," he said.

"Weakened security ultimately leaves online systems more vulnerable to all types of attacks, from terrorists to hackers. This should be a time to increase security not weaken it."

It looks as though the encryption wars have moved to Europe. For years now in the US, the FBI and others have been banging on about the need for crimefighters to have secret backdoors into encryption, or even a front door, as the director of the Feds likes to call it.

There may be British readers who are feeling rather smug about this latest European proposal, and think that Brexit UK will be immune from such silliness. Not so: Blighty already has legislation that paves the way for mandatory backdoored encryption, it just hasn't worked out how to force the issue yet.

As has been pointed out many times, it isn't mathematically or technologically possible to build a backdoor into encryption that is completely exclusive to a select set of people, and can't be found and exploited by others. The only way under today's technology would be to have a key escrow system, and that would fall down if someone with access to the keys were to be bribed or coerced into handing them over.


Database-as-a-service platform introduces encryption-at-rest – BetaNews

While storing data in the cloud is undoubtedly convenient, it also introduces risks, and encryption is increasingly seen as a way of helping combat them.

Database-as-a-service company mLab is introducing encryption-at-rest as an opt-in data security measure for customers of its most popular plans, at no additional cost.

The mLab platform currently manages nearly 500,000 MongoDB deployments across Amazon Web Services, Google Cloud Platform, and Microsoft Azure. Encryption-at-rest will be available to mLab's Database-as-a-Service customers on Dedicated Standard and High Storage plans, covering deployments across both Amazon Web Services and Google Cloud Platform.

The company already offers customers in-transit encryption via SSL to secure data transmission over networks. Adding encryption-at-rest boosts mLab's commitment to enterprise security by encrypting data on disks and wherever backups are stored. The feature is designed so that there will be minimal performance impact on the database.

"As the cloud services industry matures, many customers, especially enterprises, are developing programs to perform due diligence on their portfolio of service providers," says Jared D Cottrell, CTO of mLab. "Whether an industry regulation or best practice, encryption-at-rest is one of the most commonly-requested security features. Encryption-at-rest provides a layer of protection against unauthorized access to sensitive data, especially attacks directed at the physical devices on which the data is stored. mLab's encryption-at-rest feature gives our customers greater peace of mind."

You can find out more on the mLab website.
